Merge "Setting up SELinux policy for Emergency number database"
diff --git a/Android.bp b/Android.bp
index b3e26ba..4973c13 100644
--- a/Android.bp
+++ b/Android.bp
@@ -71,27 +71,95 @@
 }
 
 se_cil_compat_map {
-    name: "26.0.cil",
+    name: "plat_26.0.cil",
+    stem: "26.0.cil",
     bottom_half: [":26.0.board.compat.map"],
-    top_half: "27.0.cil",
+    top_half: "plat_27.0.cil",
 }
 
 se_cil_compat_map {
-    name: "27.0.cil",
+    name: "plat_27.0.cil",
+    stem: "27.0.cil",
     bottom_half: [":27.0.board.compat.map"],
-    top_half: "28.0.cil",
+    top_half: "plat_28.0.cil",
 }
 
 se_cil_compat_map {
-    name: "28.0.cil",
+    name: "plat_28.0.cil",
+    stem: "28.0.cil",
     bottom_half: [":28.0.board.compat.map"],
-    top_half: "29.0.cil",
+    top_half: "plat_29.0.cil",
 }
 
 se_cil_compat_map {
-    name: "29.0.cil",
+    name: "plat_29.0.cil",
+    stem: "29.0.cil",
     bottom_half: [":29.0.board.compat.map"],
-    // top_half: "30.0.cil",
+    // top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+    name: "system_ext_26.0.cil",
+    stem: "26.0.cil",
+    bottom_half: [":26.0.board.compat.map"],
+    top_half: "system_ext_27.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_27.0.cil",
+    stem: "27.0.cil",
+    bottom_half: [":27.0.board.compat.map"],
+    top_half: "system_ext_28.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "system_ext_29.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    // top_half: "system_ext_30.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_26.0.cil",
+    stem: "26.0.cil",
+    bottom_half: [":26.0.board.compat.map"],
+    top_half: "product_27.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_27.0.cil",
+    stem: "27.0.cil",
+    bottom_half: [":27.0.board.compat.map"],
+    top_half: "product_28.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "product_29.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    // top_half: "product_30.0.cil",
+    product_specific: true,
 }
 
 se_cil_compat_map {
diff --git a/Android.mk b/Android.mk
index a2a65da..e3b4143 100644
--- a/Android.mk
+++ b/Android.mk
@@ -145,6 +145,16 @@
                         genfs_contexts \
                         port_contexts
 
+# Security classes and permissions defined outside of system/sepolicy.
+security_class_extension_files := $(call build_policy, security_classes access_vectors, \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+ifneq (,$(strip $(security_class_extension_files)))
+  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
+endif
+
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
   # Checks if there are public system_ext policy files.
   policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
@@ -216,12 +226,12 @@
 # Convert a file_context file for a non-flattened APEX into a file for
 # flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
 # $(1): path to the input file_contexts file for non-flattened APEX
-# $(2): name of the APEX
-# $(3): path to the generated file_contexs file for flattened APEX
+# $(2): path to the flattened APEX
+# $(3): path to the generated file_contexts file for flattened APEX
 # $(4): variable where $(3) is added to
 define build_flattened_apex_file_contexts
 $(4) += $(3)
-$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
 $(3): $(1)
 	$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
 endef
@@ -249,7 +259,7 @@
 # divergence between Treble and non-Treble devices.
 LOCAL_REQUIRED_MODULES += \
     plat_mapping_file \
-    $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
     $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     plat_sepolicy.cil \
     plat_sepolicy_and_mapping.sha256 \
@@ -355,7 +365,10 @@
 endif
 
 ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+LOCAL_REQUIRED_MODULES += \
+    system_ext_mapping_file \
+    $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
 endif
 
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -378,7 +391,10 @@
 endif
 
 ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_mapping_file
+LOCAL_REQUIRED_MODULES += \
+    product_mapping_file \
+    $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY_DIR
@@ -572,6 +588,7 @@
 $(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(system_ext_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -737,6 +754,7 @@
 $(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(system_ext_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1398,15 +1416,16 @@
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
-ifeq ($(TARGET_FLATTEN_APEX),true)
-  $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
-    $(eval _apex_name := $(call word-colon,1,$(_pair)))\
-    $(eval _fc_name := $(call word-colon,2,$(_pair)))\
-    $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
-    $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
-    $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
-   )
-endif
+
+# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
+$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
+  $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
+  $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
+  $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
+  $(eval _input := $(_fc_path))\
+  $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
+  $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
+  )
 
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
 $(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
diff --git a/apex/Android.bp b/apex/Android.bp
new file mode 100644
index 0000000..8eedfab
--- /dev/null
+++ b/apex/Android.bp
@@ -0,0 +1,133 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+filegroup {
+  name: "apex.test-file_contexts",
+  srcs: [
+    "apex.test-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.adbd-file_contexts",
+  srcs: [
+    "com.android.adbd-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.art.debug-file_contexts",
+  srcs: [
+    "com.android.art.debug-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.art.release-file_contexts",
+  srcs: [
+    "com.android.art.release-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.bootanimation-file_contexts",
+  srcs: [
+    "com.android.bootanimation-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.cellbroadcast-file_contexts",
+  srcs: [
+    "com.android.cellbroadcast-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.conscrypt-file_contexts",
+  srcs: [
+    "com.android.conscrypt-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.i18n-file_contexts",
+  srcs: [
+    "com.android.i18n-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.media-file_contexts",
+  srcs: [
+    "com.android.media-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.media.swcodec-file_contexts",
+  srcs: [
+    "com.android.media.swcodec-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.neuralnetworks-file_contexts",
+  srcs: [
+    "com.android.neuralnetworks-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.os.statsd-file_contexts",
+  srcs: [
+    "com.android.os.statsd-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.permission-file_contexts",
+  srcs: [
+    "com.android.permission-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.resolv-file_contexts",
+  srcs: [
+    "com.android.resolv-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.runtime-file_contexts",
+  srcs: [
+    "com.android.runtime-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.tzdata-file_contexts",
+  srcs: [
+    "com.android.tzdata-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.vndk-file_contexts",
+  srcs: [
+    "com.android.vndk-file_contexts",
+  ],
+}
diff --git a/apex/com.android.adbd-file_contexts b/apex/com.android.adbd-file_contexts
new file mode 100644
index 0000000..3488de2
--- /dev/null
+++ b/apex/com.android.adbd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                   u:object_r:system_file:s0
+/bin/adbd                u:object_r:adbd_exec:s0
diff --git a/apex/com.android.appsearch-file_contexts b/apex/com.android.appsearch-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.appsearch-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
diff --git a/apex/com.android.cellbroadcast-file_contexts b/apex/com.android.cellbroadcast-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.cellbroadcast-file_contexts
@@ -0,0 +1 @@
+(/.*)?                u:object_r:system_file:s0
diff --git a/apex/com.android.ipsec-file_contexts b/apex/com.android.ipsec-file_contexts
new file mode 100644
index 0000000..270f0e1
--- /dev/null
+++ b/apex/com.android.ipsec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                          u:object_r:system_file:s0
+/lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
diff --git a/apex/com.android.permission-file_contexts b/apex/com.android.permission-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.permission-file_contexts
@@ -0,0 +1 @@
+(/.*)?                u:object_r:system_file:s0
diff --git a/apex/com.android.wifi-file_contexts b/apex/com.android.wifi-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.wifi-file_contexts
@@ -0,0 +1 @@
+(/.*)?                u:object_r:system_file:s0
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 6eef2f2..f304e62 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -51,7 +51,7 @@
 func cilCompatMapFactory() android.Module {
 	c := &cilCompatMap{}
 	c.AddProperties(&c.properties)
-	android.InitAndroidModule(c)
+	android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
 	return c
 }
 
@@ -65,6 +65,8 @@
 	// other modules that produce source files like genrule or filegroup using
 	// the syntax ":module". srcs has to be non-empty.
 	Bottom_half []string
+	// name of the output
+	Stem *string
 }
 
 type cilCompatMap struct {
@@ -72,6 +74,7 @@
 	properties cilCompatMapProperties
 	// (.intermediate) module output path as installation source.
 	installSource android.Path
+	installPath   android.InstallPath
 }
 
 type CilCompatMapGenerator interface {
@@ -100,11 +103,13 @@
 				continue
 			}
 			if fg, ok := module.(*fileGroup); ok {
-				// Core compatibility mapping files are under system/sepolicy/private.
-				expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
-				// Partner extensions to the compatibility mapping in must be located in
-				// BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-				expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+				if ctx.ProductSpecific() {
+					expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
+				} else if ctx.SystemExtSpecific() {
+					expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+				} else {
+					expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
+				}
 			} else {
 				ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
 			}
@@ -117,6 +122,8 @@
 }
 
 func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+
 	srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
 
 	for _, src := range srcFiles {
@@ -166,7 +173,10 @@
 		Class:      "ETC",
 	}
 	ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
-		fmt.Fprintln(w, "LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping")
+		fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+		if c.properties.Stem != nil {
+			fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
+		}
 	})
 	return ret
 }
diff --git a/definitions.mk b/definitions.mk
index 6bb4f24..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -13,6 +13,7 @@
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
 	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
+	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 5bec849..51cbd28 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -283,6 +283,7 @@
   hal_graphics_composer_server
   hal_health_server
   hal_omx_server
+  hal_power_stats_server
   hal_sensors_server
   hal_vr_server
 }:process { signal };
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 3509cfc..111923f 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -396,5 +396,7 @@
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 92f8a09..a2193d0 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -10,7 +10,7 @@
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               service_manager_type;
+type gpu_service,               app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;
diff --git a/private/access_vectors b/private/access_vectors
index 275b9af..66c1b79 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -446,6 +446,7 @@
 {
 	nlmsg_read
 	nlmsg_write
+	nlmsg_readpriv
 }
 
 class netlink_tcpdiag_socket
diff --git a/private/apexd.te b/private/apexd.te
index 14778b2..31371d9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -114,6 +114,9 @@
   domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
 ')
 
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..e8397ef 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0c8bd4c..eb798e3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,9 +37,8 @@
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
 
 # Shared libraries created by trusted components within an app home
 # directory can be dlopen()ed. To maintain the W^X property, these files
diff --git a/private/bug_map b/private/bug_map
index dd897e0..bcfd646 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+bluetooth storage_stub_file dir b/145267097
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
 init app_data_file file b/77873135
@@ -23,10 +24,15 @@
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
+platform_app storage_stub_file dir b/145267097
+priv_app storage_stub_file dir b/145267097
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
 system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/112609936
+system_server storage_stub_file dir b/145267097
 system_server zygote process b/77856826
+untrusted_app storage_stub_file dir b/145267097
+untrusted_app_25 storage_stub_file dir b/145267097
+untrusted_app_27 storage_stub_file dir b/145267097
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index edf38c7..c447715 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1742,7 +1742,10 @@
 (typeattributeset surfaceflinger_service_29_0 (surfaceflinger_service))
 (typeattributeset surfaceflinger_tmpfs_29_0 (surfaceflinger_tmpfs))
 (typeattributeset swap_block_device_29_0 (swap_block_device))
-(typeattributeset sysfs_29_0 (sysfs))
+(typeattributeset sysfs_29_0
+  ( sysfs
+    sysfs_suspend_stats
+    sysfs_wakeup))
 (typeattributeset sysfs_android_usb_29_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_29_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_29_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index 628abfc..af4da8a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88257f1..88e6efd 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,25 +5,41 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    app_search_service
+    auth_service
     ashmem_libcutils_device
+    blob_store_service
     boringssl_self_test
     charger_prop
     cold_boot_done_prop
     platform_compat_service
     ctl_apexd_prop
+    device_config_storage_native_boot_prop
     device_config_sys_traced_prop
+    gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice
     hal_tv_tuner_hwservice
+    hal_vibrator_service
     init_svc_debug_prop
+    iorap_prefetcherd
+    iorap_prefetcherd_data_file
+    iorap_prefetcherd_exec
+    iorap_prefetcherd_tmpfs
     linker_prop
+    mock_ota_prop
     ota_metadata_file
+    ota_prop
     art_apex_dir
+    service_manager_service
     system_group_file
+    system_jvmti_agent_prop
     system_passwd_file
+    timezonedetector_service
+    userspace_reboot_prop
+    userspace_reboot_exported_prop
     vendor_apex_file
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
-    virtual_ab_prop
-    wifi_stack_service))
+    virtual_ab_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index af91028..dac061a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -56,6 +56,7 @@
         -idmap
         -init
         -installd
+        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -73,6 +74,7 @@
         -idmap
         -init
         -installd
+        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
diff --git a/private/domain.te b/private/domain.te
index 98251d0..2389ec9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,8 @@
     get_prop({coredomain appdomain shell}, exported3_default_prop)
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
+    get_prop({coredomain shell}, userspace_reboot_exported_prop)
+    get_prop({coredomain shell}, userspace_reboot_prop)
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 
@@ -105,7 +107,7 @@
 } self:global_capability_class_set sys_ptrace;
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
 
 neverallow {
   domain
@@ -136,6 +138,7 @@
   -app_zygote
   -dexoptanalyzer
   -installd
+  -iorap_prefetcherd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
@@ -157,6 +160,7 @@
   -appdomain
   -app_zygote
   -installd
+  -iorap_prefetcherd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
 
@@ -201,6 +205,7 @@
     domain
     -appdomain
     with_asan(`-asan_extract')
+    -iorap_prefetcherd
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
@@ -284,6 +289,7 @@
 # this list should be a superset of the one above.
 neverallow ~{
   dac_override_allowed
+  iorap_prefetcherd
   traced_probes
   userdebug_or_eng(`heapprofd')
 } self:global_capability_class_set dac_read_search;
@@ -317,4 +323,5 @@
   -uncrypt
   -tee
   -hal_bootctl_server
+  -fastbootd
 } self:global_capability_class_set sys_rawio;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5ea0d43..72e508e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -53,3 +53,10 @@
 # For dumping dynamic partition information.
 set_prop(dumpstate, lpdumpd_prop)
 binder_call(dumpstate, lpdumpd)
+
+# For dumping device-mapper and snapshot information.
+allow dumpstate gsid_exec:file rx_file_perms;
+set_prop(dumpstate, ctl_gsid_prop)
+binder_call(dumpstate, gsid)
+
+r_dir_file(dumpstate, ota_metadata_file)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index ecedaba..508653c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -51,9 +51,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.
diff --git a/private/file_contexts b/private/file_contexts
index 9b7bdcc..2ec5b2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -289,6 +289,7 @@
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
 /system/bin/iorapd          u:object_r:iorapd_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -357,9 +358,9 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
-/vendor/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
-/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
-/vendor/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
@@ -383,9 +384,9 @@
 /(odm|vendor/odm)/framework(/.*)?             u:object_r:vendor_framework_file:s0
 
 # Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl            u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm            u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc                 u:object_r:vendor_idc_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl        u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm        u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc             u:object_r:vendor_idc_file:s0
 
 /oem(/.*)?              u:object_r:oemfs:s0
 /oem/overlay(/.*)?      u:object_r:vendor_overlay_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index aafaf53..2559525 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -24,8 +24,3 @@
 # already registered algorithm with that name. If it fails, the kernel creates
 # an implementation of the algorithm from templates.
 dontaudit fsverity_init kernel:system module_request;
-
-# TODO(b/132323675): remove once kernel bug is fixed.
-userdebug_or_eng(`
-  dontaudit fsverity_init self:capability sys_admin;
-')
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6be0ba6..855f2d6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -115,6 +115,7 @@
 genfscon sysfs /class/rfkill/rfkill3/state        u:object_r:sysfs_bluetooth_writable:s0
 genfscon sysfs /class/rtc                         u:object_r:sysfs_rtc:s0
 genfscon sysfs /class/switch                      u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup                      u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
 genfscon sysfs /devices/virtual/android_usb     u:object_r:sysfs_android_usb:s0
 genfscon sysfs /devices/virtual/block/            u:object_r:sysfs_devices_block:s0
@@ -127,11 +128,13 @@
 genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
 genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 0000000..b2e5d16
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,111 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `gmscore_app` and remove this line once we are confident about this having
+# the right set of permissions.
+userdebug_or_eng(`permissive gmscore_app;')
+
+app_domain(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(gmscore_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app wifi_prop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
+# Access the network
+net_domain(gmscore_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+#   1) com.android.opengl.shaders_cache
+#   2) com.android.skia.shaders_cache
+#   3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
diff --git a/private/gsid.te b/private/gsid.te
index cc255ca..306efb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -75,6 +75,8 @@
   -gsid
   -init
   -update_engine_common
+  -recovery
+  -fastbootd
 } gsid_prop:property_service set;
 
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
@@ -130,6 +132,7 @@
     -init
     -gsid
     -fastbootd
+    -recovery
     -vold
 } gsi_metadata_file:dir *;
 
diff --git a/private/heapprofd.te b/private/heapprofd.te
index fca3c58..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -35,9 +35,7 @@
 
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
 
 # When handling profiling for all processes, heapprofd needs to read
 # executables/libraries/etc to do stack unwinding.
diff --git a/private/incidentd.te b/private/incidentd.te
index 0c57f0f..26f436a 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -150,6 +150,12 @@
 # Allow incident to call back to incident with status updates.
 binder_call(incidentd, incident)
 
+# Read device serial number from system properties
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+  get_prop(incidentd, serialno_prop)
+')
+
 ###
 ### neverallow rules
 ###
diff --git a/private/init.te b/private/init.te
index 374b207..3edd021 100644
--- a/private/init.te
+++ b/private/init.te
@@ -32,3 +32,9 @@
 
 # Allow the BoringSSL self test to request a reboot upon failure
 set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_prop)
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_prop:property_service set;
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
new file mode 100644
index 0000000..9ddb512
--- /dev/null
+++ b/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
index 91f4ddc..ba8ece3 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -2,3 +2,5 @@
 
 init_daemon_domain(iorapd)
 tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94b58de..15c0f3f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -56,9 +56,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
 
 # Allow heap profiling if the main app has been marked as profileable or
 # debuggable.
diff --git a/private/keystore.te b/private/keystore.te
index 7f71028..ee6dbdf 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,9 +11,5 @@
 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;
 
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
-
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
diff --git a/private/logd.te b/private/logd.te
index f24cb80..ca92e20 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,4 @@
   -shell
   userdebug_or_eng(`-su')
   -system_app
-  -network_stack
 } runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 635cf4e..d74ab95 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -5,6 +5,8 @@
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
+hal_client_domain(mediaserver, hal_drm)
 hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 4fd31bd..a1d97b7 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-############### Networking service app - NetworkStack.apk ##############
+# Networking service app
 typeattribute network_stack coredomain;
 
 app_domain(network_stack);
@@ -29,41 +29,9 @@
 
 binder_call(network_stack, netd);
 
-############### Wifi Service app - WifiStack.apk ##############
-# Data file accesses.
-# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
-allow network_stack wifi_data_file:dir create_dir_perms;
-allow network_stack wifi_data_file:file create_file_perms;
-
-# Property accesses
-userdebug_or_eng(`
-  set_prop(network_stack, wifi_log_prop)
-
-  # Allow network_stack to read dmesg
-  # TODO(b/137085509): Remove this.
-  allow network_stack kernel:system syslog_read;
-')
-
-# Binder IPC.
-allow network_stack audioserver_service:service_manager find;
-allow network_stack network_score_service:service_manager find;
-allow network_stack network_stack_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack wificond_service:service_manager find;
-allow network_stack wifiscanner_service:service_manager find;
-binder_call(network_stack, system_server)
-binder_call(network_stack, wificond)
-
-# HwBinder IPC.
-hal_client_domain(network_stack, hal_wifi)
-hal_client_domain(network_stack, hal_wifi_hostapd)
-hal_client_domain(network_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow network_stack debugfs_tracing_instances:dir search;
-allow network_stack debugfs_wifi_tracing:dir search;
-allow network_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# dumpstate support
-allow network_stack dumpstate:fd use;
-allow network_stack dumpstate:fifo_file write;
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..2183b6d 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -13,10 +13,7 @@
 
 # Connect to the Perfetto traced daemon as a producer. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
 
 # Allow to write and unlink traces into /data/misc/perfetto-traces.
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
@@ -37,9 +34,12 @@
 allow perfetto adbd:fd use;
 allow perfetto adbd:unix_stream_socket { read write };
 
-# Allow adbd to reap perfetto
+# Allow adbd to reap perfetto.
 allow perfetto adbd:process { sigchld };
 
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
 # Allow to access /dev/pts when launched in an adb shell.
 allow perfetto devpts:chr_file rw_file_perms;
 
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 0000000..9d88248
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,39 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain, coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
+
+allow permissioncontroller_app activity_task_service:service_manager find;
+allow permissioncontroller_app audio_service:service_manager find;
+allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app content_capture_service:service_manager find;
+allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app incidentcompanion_service:service_manager find;
+allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app media_session_service:service_manager find;
+allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app telecom_service:service_manager find;
+allow permissioncontroller_app trust_service:service_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index c255605..45de3cb 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -76,7 +76,7 @@
 binder_call(platform_app, gpuservice)
 
 # Allow platform apps to log via statsd.
-allow platform_app statsd:binder call;
+binder_call(platform_app statsd)
 
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index f9409b9..a9e9980 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,6 +27,10 @@
 # * /data/user_de/0/com.google.android.gms/app_chimera
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app privapp_data_file:file execute;
+')
 
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
@@ -101,6 +105,10 @@
 
 # Allow GMS core to open kernel config for OTA matching through libvintf
 allow priv_app config_gz:file { open read getattr };
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app config_gz:file { open read getattr };
+')
 
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
@@ -108,17 +116,42 @@
 # Allow GMS core to communicate with update_engine for A/B update.
 binder_call(priv_app, update_engine)
 allow priv_app update_engine_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app update_engine:binder { call transfer };
+  auditallow update_engine priv_app:binder transfer;
+  auditallow priv_app update_engine:fd use;
+  auditallow priv_app update_engine_service:service_manager find;
+')
 
 # Allow GMS core to communicate with dumpsys storaged.
 binder_call(priv_app, storaged)
 allow priv_app storaged_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app storaged:binder { call transfer };
+  auditallow storaged priv_app:binder transfer;
+  auditallow priv_app storaged:fd use;
+  auditallow priv_app storaged_service:service_manager find;
+')
+
 
 # Allow GMS core to access system_update_service (e.g. to publish pending
 # system update info).
 allow priv_app system_update_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app system_update_service:service_manager find;
+')
 
 # Allow GMS core to communicate with statsd.
 binder_call(priv_app, statsd)
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app statsd:binder { call transfer };
+  auditallow statsd priv_app:binder transfer;
+  auditallow priv_app statsd:fd use;
+')
 
 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };
@@ -131,17 +164,23 @@
 
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app keystore:keystore_key gen_unique_id;
+')
 
 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
 allow priv_app selinuxfs:file r_file_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app selinuxfs:file r_file_perms;
+')
 
 read_runtime_log_tags(priv_app)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
 
 # Allow priv_apps to request and collect incident reports.
 # (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
@@ -170,6 +209,7 @@
 dontaudit priv_app sysfs:dir read;
 dontaudit priv_app sysfs:file read;
 dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app sysfs_dm:file r_file_perms;
 dontaudit priv_app wifi_prop:file read;
 dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 
diff --git a/private/property_contexts b/private/property_contexts
index 55445ec..d909dfc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
+sys.init.userspace_reboot   u:object_r:userspace_reboot_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.linker.             u:object_r:linker_prop:s0
 sys.lpdumpd             u:object_r:lpdumpd_prop:s0
@@ -59,12 +60,14 @@
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
@@ -192,6 +195,7 @@
 persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
+persist.device_config.storage_native_boot.   u:object_r:device_config_storage_native_boot_prop:s0
 
 # Properties that relate to legacy server configurable flags
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -217,3 +221,6 @@
 # Virtual A/B properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset  u:object_r:ota_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c74bd2c..3838578 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -113,9 +113,10 @@
 neverallow user=((?!system).)* domain=system_app
 neverallow user=((?!system).)* type=system_app_data_file
 
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
+# any non priv-app with a non-known uid with a specified name should have a specified
+# seinfo
+neverallow user=_app isPrivApp=false name=.* seinfo=""
+neverallow user=_app isPrivApp=false name=.* seinfo=default
 
 # neverallow shared relro to any other domain
 # and neverallow any other uid into shared_relro
@@ -143,7 +144,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
@@ -156,6 +157,12 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 2f2f4c7..fa52a05 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
@@ -9,13 +11,16 @@
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
+app_search                                u:object_r:app_search_service:s0
 apexservice                               u:object_r:apex_service:s0
+blob_store                                u:object_r:blob_store_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
+auth                                      u:object_r:auth_service:s0
 autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
@@ -32,6 +37,7 @@
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
+platform_compat_native                    u:object_r:platform_compat_service:s0
 connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
@@ -167,6 +173,7 @@
 sensor_privacy                            u:object_r:sensor_privacy_service:s0
 serial                                    u:object_r:serial_service:s0
 servicediscovery                          u:object_r:servicediscovery_service:s0
+manager                                   u:object_r:service_manager_service:s0
 settings                                  u:object_r:settings_service:s0
 shortcut                                  u:object_r:shortcut_service:s0
 simphonebook_msim                         u:object_r:radio_service:s0
@@ -187,10 +194,12 @@
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
+telephony_ims                             u:object_r:radio_service:s0
 testharness                               u:object_r:testharness_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
 time_detector                             u:object_r:timedetector_service:s0
+time_zone_detector                        u:object_r:timezonedetector_service:s0
 timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 trust                                     u:object_r:trust_service:s0
@@ -217,6 +226,5 @@
 wificond                                  u:object_r:wificond_service:s0
 wifiaware                                 u:object_r:wifiaware_service:s0
 wifirtt                                   u:object_r:rttmanager_service:s0
-wifi_stack                                u:object_r:wifi_stack_service:s0
 window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/shell.te b/private/shell.te
index 67610b1..975fde4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -34,9 +34,7 @@
 
 # Allow shell binaries to write trace data to Perfetto. Used for testing and
 # cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
 
 domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 78bf6fd..0f0313c 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -12,10 +12,10 @@
 allow snapshotctl gsi_service:service_manager find;
 binder_call(snapshotctl, gsid)
 
-# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
 allow snapshotctl metadata_file:dir search;
 allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+allow snapshotctl ota_metadata_file:file create_file_perms;
 
 # Allow to get A/B slot suffix from device tree or kernel cmdline.
 r_dir_file(snapshotctl, sysfs_dt_firmware_android);
@@ -30,3 +30,7 @@
 
 # Needed to mutate device-mapper nodes.
 allow snapshotctl self:global_capability_class_set sys_admin;
+
+# Snapshotctl talk to boot control HAL to set merge status.
+hwbinder_use(snapshotctl)
+hal_client_domain(snapshotctl, hal_bootctl)
diff --git a/private/stats.te b/private/stats.te
index 81ec1cf..ea9530c 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -40,6 +40,7 @@
 neverallow {
   domain
   -dumpstate
+  -gmscore_app
   -incidentd
   -platform_app
   -priv_app
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index daba163..e696fe5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,9 +68,7 @@
 ')
 
 # Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
 
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_server.te b/private/system_server.te
index 84f5bc7..fa59ef8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -265,6 +265,7 @@
   mediametrics
   mediaserver
   mediaswcodec
+  netd
   sdcardd
   statsd
   surfaceflinger
@@ -297,6 +298,8 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
 # access for mac_permissions
@@ -602,6 +605,7 @@
 set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
 set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 
 # BootReceiver to read ro.boot.bootreason
@@ -632,6 +636,9 @@
 # Read gsid.image_running.
 get_prop(system_server, gsid_prop)
 
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -891,6 +898,8 @@
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
 ')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
 
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
@@ -899,6 +908,10 @@
 # system_server contains time / time zone detection logic so reads the associated properties.
 get_prop(system_server, time_prop)
 
+# system_server reads this property to know it should expect the lmkd sends notification to it
+# on low memory kills.
+get_prop(system_server, system_lmk_prop)
+
 ###
 ### Neverallow rules
 ###
@@ -954,6 +967,7 @@
   device_config_runtime_native_boot_prop
   device_config_runtime_native_prop
   device_config_media_native_prop
+  device_config_storage_native_boot_prop
   device_config_sys_traced_prop
 }:property_service set;
 
@@ -976,7 +990,12 @@
 # system_server should never use JIT functionality
 # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
 # in the section titled "A Short ROP Chain" for why.
-neverallow system_server self:process execmem;
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+  `allow system_server self:process execmem;',
+  `neverallow system_server self:process execmem;')
 neverallow system_server ashmem_device:chr_file execute;
 
 # TODO: deal with tmpfs_domain pub/priv split properly
@@ -1006,12 +1025,29 @@
 allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
 allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+  domain
+  -system_server
+  -dumpstate
+  -init
+  -vendor_init
+} {
+  system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
 # Read/Write /proc/pressure/memory
 allow system_server proc_pressure_mem:file rw_file_perms;
 
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..d33dc8e 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,12 @@
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
 
+# Access to wakeup and suspend stats.
+r_dir_file(system_suspend, sysfs_suspend_stats)
+r_dir_file(system_suspend, sysfs_wakeup)
+# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
+allow system_suspend sysfs_type:dir search;
+
 neverallow {
     domain
     -atrace # tracing
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..28538da 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -6,9 +6,7 @@
 
 # Write trace data to the Perfetto traced damon. This requires connecting to its
 # producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
 
 # Allow traced_probes to access tracefs.
 allow traced_probes debugfs_tracing:dir r_dir_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 45aeddc..2091f2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
 allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 116d761..f37cadc 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,9 +135,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e7f27b9..348d3ce 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -21,7 +21,6 @@
     rollback_data_file
     storaged_data_file
     vold_data_file
-    wifi_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
     backup_data_file
@@ -32,7 +31,6 @@
     storaged_data_file
     system_data_file
     vold_data_file
-    wifi_data_file
 }:file { getattr unlink };
 
 dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..4a7d3f7
--- /dev/null
+++ b/private/vzwomatrigger_app.te
@@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)
diff --git a/private/zygote.te b/private/zygote.te
index d5e5420..5d7ecac 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,11 +100,8 @@
 allow zygote storage_file:dir { search mounton };
 
 # Allow mounting and creating files, dirs on sdcardfs.
-# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
-# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
-# sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
+allow zygote { sdcard_type }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type }:file { create_file_perms };
 
 # Allow zygote to expand app files while preloading libraries
 allow zygote mnt_expand_file:dir getattr;
diff --git a/public/app.te b/public/app.te
index ea3cf15..b771b5f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -364,7 +364,7 @@
 ###
 
 # Superuser capabilities.
-# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
 neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
@@ -390,7 +390,7 @@
 neverallow appdomain tee_device:chr_file { read write };
 
 # Privileged netlink socket interfaces.
-neverallow appdomain
+neverallow { appdomain -network_stack }
     domain:{
         netlink_tcpdiag_socket
         netlink_nflog_socket
@@ -488,8 +488,9 @@
 neverallow appdomain
     systemkeys_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -network_stack }
-    wifi_data_file:dir_file_class_set *;
+neverallow appdomain
+    wifi_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow appdomain
     dhcp_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
@@ -512,7 +513,7 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/audioserver.te b/public/audioserver.te
index 2ad86e3..a8a33cc 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,3 +1,6 @@
 # audioserver - audio services daemon
 type audioserver, domain;
 type audioserver_tmpfs, file_type;
+
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
diff --git a/public/charger.te b/public/charger.te
index 48d6ad8..4b341ea 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -44,3 +44,5 @@
 set_prop(charger, exported3_system_prop)
 
 get_prop(charger, charger_prop)
+
+hal_client_domain(charger, hal_health)
diff --git a/public/domain.te b/public/domain.te
index 9ebe4e0..e50ef75 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -539,8 +539,10 @@
   -hal_camera_server
   -hal_cas_server
   -hal_drm_server
+  userdebug_or_eng(`-incidentd')
   -init
   -mediadrmserver
+  -mediaserver
   -recovery
   -shell
   -system_server
@@ -927,6 +929,7 @@
         -system_lib_file
         -system_linker_exec
         -crash_dump_exec
+        -iorap_prefetcherd_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
     }:file { entrypoint execute execute_no_trans };
@@ -969,6 +972,7 @@
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
     -init # starts vendor executables
+    -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     userdebug_or_eng(`-heapprofd')
     -shell
@@ -1269,7 +1273,7 @@
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time. Runtime changes
 # to filesystem capabilities are not permitted.
@@ -1296,6 +1300,7 @@
     -bootanim
     -crash_dump
     -init
+    -iorap_prefetcherd
     -kernel
     -heapprofd
     -ueventd
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 39abc5e..f08885a 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -107,6 +107,12 @@
     allow fastbootd labeledfs:filesystem { mount unmount };
     get_prop(fastbootd, persistent_properties_ready_prop)
   ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(fastbootd, gsid_prop)
+  allow fastbootd gsi_metadata_file:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
 
 ###
diff --git a/public/file.te b/public/file.te
index 8a8a0bc..401e016 100644
--- a/public/file.te
+++ b/public/file.te
@@ -93,9 +93,11 @@
 type sysfs_net, fs_type, sysfs_type;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
 type sysfs_transparent_hugepage, fs_type, sysfs_type;
 type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type sysfs_fs_f2fs, sysfs_type, fs_type;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index b42005a..af7d96a 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -10,6 +10,7 @@
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
new file mode 100644
index 0000000..b574bf3
--- /dev/null
+++ b/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index d4da8df..40d9c6b 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -4,6 +4,11 @@
 
 hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
 
+add_service(hal_vibrator_server, hal_vibrator_service)
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_client hal_vibrator_service:service_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
 allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/init.te b/public/init.te
index 06a33a6..2d0db1e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -28,6 +28,8 @@
 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
 # Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
 allow init { null_device ptmx_device random_device } : chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
new file mode 100644
index 0000000..ad9db14
--- /dev/null
+++ b/public/iorap_prefetcherd.te
@@ -0,0 +1,54 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/kernel.te b/public/kernel.te
index 46864b8..42fe2c4 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -107,7 +107,7 @@
 ')
 
 # required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file read;
+allow kernel appdomain_tmpfs:file { read write };
 
 ###
 ### neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c1c553d..b852f44 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -10,19 +10,17 @@
 # b/16236289
 allow lmkd self:global_capability_class_set ipc_lock;
 
-## Open and write to /proc/PID/oom_score_adj
+## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
 ## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
+r_dir_file(lmkd, domain)
+allow lmkd domain:file write;
 
 ## Writes to /sys/module/lowmemorykiller/parameters/minfree
 r_dir_file(lmkd, sysfs_lowmemorykiller)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
-# setsched and send kill signals
-allow lmkd appdomain:process { setsched sigkill };
+# setsched and send kill signals to any registered process
+allow lmkd domain:process { setsched sigkill };
 # TODO: delete this line b/131761776
 allow lmkd kernel:process { setsched };
 
@@ -69,3 +67,4 @@
 
 # never honor LD_PRELOAD
 neverallow * lmkd:process noatsecure;
+neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/public/logpersist.te b/public/logpersist.te
index c7cab80..c8e6af4 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,6 +1,10 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
 
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/net.te b/public/net.te
index afa2a9c..bdef072 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,6 +19,9 @@
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
+# this permission to everything that previously had the nlmsg_read permission.
+allow netdomain self:netlink_route_socket nlmsg_readpriv;
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/property.te b/public/property.te
index f82ab89..33e2ed4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,24 +1,6 @@
 # Properties used only in /system
 system_internal_prop(apexd_prop)
 system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(boottime_prop)
-system_internal_prop(bpf_progs_loaded_prop)
-system_internal_prop(charger_prop)
-system_internal_prop(cold_boot_done_prop)
-system_internal_prop(ctl_adbd_prop)
-system_internal_prop(ctl_apexd_prop)
-system_internal_prop(ctl_bootanim_prop)
-system_internal_prop(ctl_bugreport_prop)
-system_internal_prop(ctl_console_prop)
-system_internal_prop(ctl_dumpstate_prop)
-system_internal_prop(ctl_fuse_prop)
-system_internal_prop(ctl_gsid_prop)
-system_internal_prop(ctl_interface_restart_prop)
-system_internal_prop(ctl_interface_stop_prop)
-system_internal_prop(ctl_mdnsd_prop)
-system_internal_prop(ctl_restart_prop)
-system_internal_prop(ctl_rildaemon_prop)
-system_internal_prop(ctl_sigstop_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
@@ -27,61 +9,92 @@
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(device_config_runtime_native_boot_prop)
 system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(dynamic_system_prop)
 system_internal_prop(firstboot_prop)
 system_internal_prop(gsid_prop)
-system_internal_prop(heapprofd_enabled_prop)
 system_internal_prop(init_svc_debug_prop)
 system_internal_prop(last_boot_reason_prop)
-system_internal_prop(llkd_prop)
-system_internal_prop(lpdumpd_prop)
-system_internal_prop(mmc_prop)
-system_internal_prop(net_dns_prop)
 system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(overlay_prop)
-system_internal_prop(persistent_properties_ready_prop)
 system_internal_prop(pm_prop)
-system_internal_prop(safemode_prop)
-system_internal_prop(system_lmk_prop)
-system_internal_prop(system_trace_prop)
-system_internal_prop(test_boot_reason_prop)
-system_internal_prop(time_prop)
-system_internal_prop(traced_enabled_prop)
-system_internal_prop(traced_lazy_prop)
-system_internal_prop(virtual_ab_prop)
+system_internal_prop(userspace_reboot_prop)
+
+compatible_property_only(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_internal_prop(boottime_prop)
+    system_internal_prop(bpf_progs_loaded_prop)
+    system_internal_prop(charger_prop)
+    system_internal_prop(cold_boot_done_prop)
+    system_internal_prop(ctl_adbd_prop)
+    system_internal_prop(ctl_apexd_prop)
+    system_internal_prop(ctl_bootanim_prop)
+    system_internal_prop(ctl_bugreport_prop)
+    system_internal_prop(ctl_console_prop)
+    system_internal_prop(ctl_dumpstate_prop)
+    system_internal_prop(ctl_fuse_prop)
+    system_internal_prop(ctl_gsid_prop)
+    system_internal_prop(ctl_interface_restart_prop)
+    system_internal_prop(ctl_interface_stop_prop)
+    system_internal_prop(ctl_mdnsd_prop)
+    system_internal_prop(ctl_restart_prop)
+    system_internal_prop(ctl_rildaemon_prop)
+    system_internal_prop(ctl_sigstop_prop)
+    system_internal_prop(dynamic_system_prop)
+    system_internal_prop(heapprofd_enabled_prop)
+    system_internal_prop(llkd_prop)
+    system_internal_prop(lpdumpd_prop)
+    system_internal_prop(mmc_prop)
+    system_internal_prop(mock_ota_prop)
+    system_internal_prop(net_dns_prop)
+    system_internal_prop(overlay_prop)
+    system_internal_prop(persistent_properties_ready_prop)
+    system_internal_prop(safemode_prop)
+    system_internal_prop(system_lmk_prop)
+    system_internal_prop(system_trace_prop)
+    system_internal_prop(test_boot_reason_prop)
+    system_internal_prop(time_prop)
+    system_internal_prop(traced_enabled_prop)
+    system_internal_prop(traced_lazy_prop)
+    system_internal_prop(virtual_ab_prop)
+')
 
 # Properties which can't be written outside system
-system_restricted_prop(config_prop)
-system_restricted_prop(cppreopt_prop)
-system_restricted_prop(dalvik_prop)
-system_restricted_prop(debuggerd_prop)
-system_restricted_prop(default_prop)
-system_restricted_prop(device_logging_prop)
-system_restricted_prop(dhcp_prop)
-system_restricted_prop(dumpstate_prop)
-system_restricted_prop(exported2_default_prop)
-system_restricted_prop(exported3_system_prop)
-system_restricted_prop(exported_dumpstate_prop)
-system_restricted_prop(exported_fingerprint_prop)
-system_restricted_prop(exported_secure_prop)
-system_restricted_prop(exported_vold_prop)
-system_restricted_prop(ffs_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(heapprofd_prop)
 system_restricted_prop(linker_prop)
-system_restricted_prop(net_radio_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(pan_result_prop)
-system_restricted_prop(persist_debug_prop)
 system_restricted_prop(restorecon_prop)
-system_restricted_prop(shell_prop)
 system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_radio_prop)
-system_restricted_prop(test_harness_prop)
-system_restricted_prop(theme_prop)
-system_restricted_prop(use_memfd_prop)
-system_restricted_prop(vold_prop)
+system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
+
+compatible_property_only(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_restricted_prop(config_prop)
+    system_restricted_prop(cppreopt_prop)
+    system_restricted_prop(dalvik_prop)
+    system_restricted_prop(debuggerd_prop)
+    system_restricted_prop(default_prop)
+    system_restricted_prop(device_logging_prop)
+    system_restricted_prop(dhcp_prop)
+    system_restricted_prop(dumpstate_prop)
+    system_restricted_prop(exported2_default_prop)
+    system_restricted_prop(exported3_system_prop)
+    system_restricted_prop(exported_dumpstate_prop)
+    system_restricted_prop(exported_fingerprint_prop)
+    system_restricted_prop(exported_secure_prop)
+    system_restricted_prop(exported_vold_prop)
+    system_restricted_prop(ffs_prop)
+    system_restricted_prop(fingerprint_prop)
+    system_restricted_prop(heapprofd_prop)
+    system_restricted_prop(net_radio_prop)
+    system_restricted_prop(pan_result_prop)
+    system_restricted_prop(persist_debug_prop)
+    system_restricted_prop(shell_prop)
+    system_restricted_prop(system_radio_prop)
+    system_restricted_prop(test_harness_prop)
+    system_restricted_prop(theme_prop)
+    system_restricted_prop(use_memfd_prop)
+    system_restricted_prop(vold_prop)
+')
 
 # Properties with no restrictions
 system_public_prop(audio_prop)
@@ -120,6 +133,7 @@
 system_public_prop(log_tag_prop)
 system_public_prop(lowpan_prop)
 system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
 system_public_prop(powerctl_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
@@ -128,6 +142,74 @@
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
 
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_public_prop(boottime_prop)
+    system_public_prop(bpf_progs_loaded_prop)
+    system_public_prop(charger_prop)
+    system_public_prop(cold_boot_done_prop)
+    system_public_prop(ctl_adbd_prop)
+    system_public_prop(ctl_apexd_prop)
+    system_public_prop(ctl_bootanim_prop)
+    system_public_prop(ctl_bugreport_prop)
+    system_public_prop(ctl_console_prop)
+    system_public_prop(ctl_dumpstate_prop)
+    system_public_prop(ctl_fuse_prop)
+    system_public_prop(ctl_gsid_prop)
+    system_public_prop(ctl_interface_restart_prop)
+    system_public_prop(ctl_interface_stop_prop)
+    system_public_prop(ctl_mdnsd_prop)
+    system_public_prop(ctl_restart_prop)
+    system_public_prop(ctl_rildaemon_prop)
+    system_public_prop(ctl_sigstop_prop)
+    system_public_prop(dynamic_system_prop)
+    system_public_prop(heapprofd_enabled_prop)
+    system_public_prop(llkd_prop)
+    system_public_prop(lpdumpd_prop)
+    system_public_prop(mmc_prop)
+    system_public_prop(mock_ota_prop)
+    system_public_prop(net_dns_prop)
+    system_public_prop(overlay_prop)
+    system_public_prop(persistent_properties_ready_prop)
+    system_public_prop(safemode_prop)
+    system_public_prop(system_lmk_prop)
+    system_public_prop(system_trace_prop)
+    system_public_prop(test_boot_reason_prop)
+    system_public_prop(time_prop)
+    system_public_prop(traced_enabled_prop)
+    system_public_prop(traced_lazy_prop)
+    system_public_prop(virtual_ab_prop)
+
+    system_public_prop(config_prop)
+    system_public_prop(cppreopt_prop)
+    system_public_prop(dalvik_prop)
+    system_public_prop(debuggerd_prop)
+    system_public_prop(default_prop)
+    system_public_prop(device_logging_prop)
+    system_public_prop(dhcp_prop)
+    system_public_prop(dumpstate_prop)
+    system_public_prop(exported2_default_prop)
+    system_public_prop(exported3_system_prop)
+    system_public_prop(exported_dumpstate_prop)
+    system_public_prop(exported_fingerprint_prop)
+    system_public_prop(exported_secure_prop)
+    system_public_prop(exported_vold_prop)
+    system_public_prop(ffs_prop)
+    system_public_prop(fingerprint_prop)
+    system_public_prop(heapprofd_prop)
+    system_public_prop(net_radio_prop)
+    system_public_prop(pan_result_prop)
+    system_public_prop(persist_debug_prop)
+    system_public_prop(shell_prop)
+    system_public_prop(system_radio_prop)
+    system_public_prop(test_harness_prop)
+    system_public_prop(theme_prop)
+    system_public_prop(use_memfd_prop)
+    system_public_prop(vold_prop)
+')
+
 type vendor_default_prop, property_type;
 
 typeattribute log_prop log_property_type;
@@ -209,6 +291,7 @@
 typeattribute logd_prop          core_property_type;
 typeattribute net_radio_prop     core_property_type;
 typeattribute nfc_prop           core_property_type;
+typeattribute ota_prop           core_property_type;
 typeattribute pan_result_prop    core_property_type;
 typeattribute persist_debug_prop core_property_type;
 typeattribute powerctl_prop      core_property_type;
@@ -235,6 +318,7 @@
   -logd_prop
   -net_radio_prop
   -nfc_prop
+  -ota_prop
   -pan_result_prop
   -persist_debug_prop
   -powerctl_prop
@@ -525,6 +609,7 @@
     -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
     -device_config_media_native_prop
+    -device_config_storage_native_boot_prop
     -device_config_sys_traced_prop
     -dynamic_system_prop
     -gsid_prop
@@ -541,10 +626,12 @@
     -lowpan_prop
     -lpdumpd_prop
     -mmc_prop
+    -mock_ota_prop
     -net_dns_prop
     -net_radio_prop
     -netd_stable_secret_prop
     -nfc_prop
+    -ota_prop
     -overlay_prop
     -pan_result_prop
     -persist_debug_prop
diff --git a/public/property_contexts b/public/property_contexts
index cae5ebc..2951d33 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -11,11 +11,13 @@
 camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
 dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@
 dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -61,6 +64,8 @@
 dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -116,7 +121,7 @@
 ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -266,6 +271,7 @@
 ro.secure u:object_r:exported_secure_prop:s0 exact int
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
 sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
 sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
 
@@ -419,6 +425,8 @@
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/radio.te b/public/radio.te
index 4527707..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,7 @@
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
 allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
diff --git a/public/recovery.te b/public/recovery.te
index 2b77bc3..1193354 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -142,6 +142,12 @@
   # These are needed to update dynamic partitions in recovery.
   r_dir_file(recovery, sysfs_dm)
   allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(recovery, gsid_prop)
+  allow recovery gsi_metadata_file:dir search;
+  allow recovery ota_metadata_file:dir rw_dir_perms;
+  allow recovery ota_metadata_file:file create_file_perms;
 ')
 
 ###
diff --git a/public/service.te b/public/service.te
index f69e5e3..f746727 100644
--- a/public/service.te
+++ b/public/service.te
@@ -25,6 +25,7 @@
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type secure_element_service,    service_manager_type;
+type service_manager_service,   service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
@@ -44,15 +45,18 @@
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
+type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
 type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type binder_calls_stats_service, system_server_service, service_manager_type;
+type blob_store_service, app_api_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type broadcastradio_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
@@ -165,6 +169,7 @@
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -181,7 +186,6 @@
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifi_stack_service, system_server_service, service_manager_type;
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
@@ -189,6 +193,12 @@
 type wpantund_service, system_api_service, service_manager_type;
 
 ###
+### HAL Services
+###
+
+type hal_vibrator_service, vendor_service, service_manager_type;
+
+###
 ### Neverallow rules
 ###
 
diff --git a/public/servicemanager.te b/public/servicemanager.te
index df20941..10347d9 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -21,5 +21,7 @@
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
+add_service(servicemanager, service_manager_service)
+
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index 56196c3..532d05f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,6 +82,8 @@
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
diff --git a/public/te_macros b/public/te_macros
index b97a6bb..88e71d8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -714,6 +714,15 @@
   neverallow heapprofd $1:process signal;
 ')
 
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+  allow $1 traced:fd use;
+  allow $1 traced_tmpfs:file { read write getattr map };
+  unix_socket_connect($1, traced_producer, traced)
+')
+
 ###########################################
 # dump_hal(hal_type)
 # Ability to dump the hal debug info
@@ -734,7 +743,7 @@
 # Also, exported properties must be explicitly marked as "restricted" or "public",
 # depending on the accessibility outside the owner.
 # For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on device.mk.
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
 # See {partition}_{accessibility}_prop macros below.
 #
 # CTS uses these rules only for devices launching with R or later.
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
 # Allow to start gsid service.
 set_prop(update_engine, ctl_gsid_prop)
 
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
 # update_engine tries to determine the parent path for all devices (e.g.
 # /dev/block/by-name) by reading the default fstab and looking for the misc
 # device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
 # Allow update_verifier to reboot the device.
 set_prop(update_verifier, powerctl_prop)
 
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
 # Use Boot Control HAL
 hal_client_domain(update_verifier, hal_bootctl)
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f458d77..710ff71 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,12 +206,14 @@
       -device_config_runtime_native_boot_prop
       -device_config_runtime_native_prop
       -device_config_media_native_prop
+      -device_config_storage_native_boot_prop
       -device_config_sys_traced_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
       -pm_prop
       -system_boot_reason_prop
+      -system_jvmti_agent_prop
       -bootloader_boot_reason_prop
       -last_boot_reason_prop
       -apexd_prop
@@ -219,6 +221,8 @@
       -nnapi_ext_deny_product_prop
       -init_svc_debug_prop
       -linker_prop
+      -userspace_reboot_exported_prop
+      -userspace_reboot_prop
     })
 ')
 
@@ -257,6 +261,8 @@
 get_prop(vendor_init, exported3_system_prop)
 get_prop(vendor_init, theme_prop)
 
+get_prop(vendor_init, ota_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..9f4489d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -92,6 +92,8 @@
 # Access to storage that backs emulated FUSE daemons for migration optimization
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
 
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
@@ -174,6 +176,7 @@
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index e11d45d..cfca60e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,6 @@
 
 binder_use(wificond)
 binder_call(wificond, system_server)
-binder_call(wificond, network_stack)
 
 add_service(wificond, wificond_service)
 
@@ -30,3 +29,14 @@
 # dumpstate support
 allow wificond dumpstate:fd use;
 allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:binder call;
+allow wificond keystore:keystore_key get;
diff --git a/tests/Android.bp b/tests/Android.bp
index d27f333..926b5e4 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,7 +11,6 @@
         "libbase",
         "libsepol",
     ],
-    stl: "libc++_static",
     sanitize: {
         never: true,
     },
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 5e8e054..0195e5f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -54,7 +54,7 @@
 # targeting the $(version) SELinux release.  This ensures that our policy will build
 # when used on a device that has non-platform policy targetting the $(version) release.
 $(version)_compat := $(intermediates)/$(version)_compat
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,$(version).cil)/$(version).cil
+$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
 $(version)_mapping.ignore.cil := \
     $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
 $(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d25677..9dc2903 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,9 +6,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
@@ -22,8 +22,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
@@ -33,11 +33,13 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service         u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service       u:object_r:hal_health_storage_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service     u:object_r:hal_input_classifier_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service      u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy     u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
@@ -60,6 +62,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service        u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example    u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index e605ecb..dcb03a8 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -5,3 +5,8 @@
 # may be started by init
 type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vehicle_default)
+
+# communication with CAN bus HAL
+allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
+allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
+allow hal_can_socketcan hal_vehicle_default:binder { call transfer };