Merge "Add com.android.resolv-file_contexts to /system/sepolicy/apex"
diff --git a/Android.mk b/Android.mk
index e1d5f47..b701886 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,14 +11,6 @@
 MLS_SENS=1
 MLS_CATS=1024
 
-ifdef BOARD_SEPOLICY_REPLACE
-$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_IGNORE
-$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
 ifdef BOARD_SEPOLICY_UNION
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
diff --git a/apex/apex.test_file_contexts b/apex/apex.test-file_contexts
similarity index 62%
rename from apex/apex.test_file_contexts
rename to apex/apex.test-file_contexts
index bd71a2a..3dffd86 100644
--- a/apex/apex.test_file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,3 @@
 /manifest\.json   u:object_r:system_file:s0
 (/.*)?            u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.media_file_contexts b/apex/com.android.media-file_contexts
similarity index 100%
rename from apex/com.android.media_file_contexts
rename to apex/com.android.media-file_contexts
diff --git a/apex/com.android.runtime_file_contexts b/apex/com.android.runtime.debug-file_contexts
similarity index 100%
rename from apex/com.android.runtime_file_contexts
rename to apex/com.android.runtime.debug-file_contexts
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
new file mode 100644
index 0000000..79b8754
--- /dev/null
+++ b/apex/com.android.runtime.release-file_contexts
@@ -0,0 +1,13 @@
+#############################
+# APEX module manifest.
+#
+/manifest\.json          u:object_r:system_file:s0
+
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/dex2oat             u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
+/bin/profman             u:object_r:profman_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata_file_contexts b/apex/com.android.tzdata-file_contexts
similarity index 100%
rename from apex/com.android.tzdata_file_contexts
rename to apex/com.android.tzdata-file_contexts
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab080c2..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
@@ -93,7 +102,7 @@
   ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
   atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
-  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
 # Do not allow untrusted apps access to /cache
@@ -123,12 +132,10 @@
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
 neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
   SIOCGIFHWADDR
diff --git a/private/atrace.te b/private/atrace.te
index a60370d..9cbe71a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;
 
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)
 
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ae9241b..5ba2adf 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
     ctl_sigstop_prop
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     e2fs
     e2fs_exec
     exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f4645ee..38d7d03 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,6 +35,7 @@
     ctl_sigstop_prop
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     exfat
     exported2_config_prop
     exported2_default_prop
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b813..d3019ec 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -2,8 +2,10 @@
 (type audio_seq_device)
 (type audio_timer_device)
 (type commontime_management_service)
+(type cpuctl_device)
 (type full_device)
 (type i2c_device)
+(type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
 (type mtd_device)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e..cf72e37 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,8 +17,11 @@
     apexd_prop
     apexd_tmpfs
     biometric_service
+    cpu_variant_prop
+    dev_cpu_variant
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     face_service
     fastbootd
     flags_health_check
@@ -33,7 +36,9 @@
     hal_system_suspend_default_tmpfs
     heapprofd
     heapprofd_exec
+    heapprofd_prop
     heapprofd_socket
+    idmap_service
     intelligence_service
     iris_service
     llkd
diff --git a/private/coredomain.te b/private/coredomain.te
index 23224c3..2fbbbfd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -13,3 +13,106 @@
     -vold
 } sysfs_leds:file *;
 ')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -vold
+  } proc:file no_rw_file_perms;
+
+  # /sys
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -vold
+  } sysfs:file no_rw_file_perms;
+
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -ueventd
+  } device:{ blk_file file } no_rw_file_perms;
+
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+  } debugfs:file no_rw_file_perms;
+
+  # tracefs
+  neverallow {
+    coredomain
+    -atrace
+    -dumpstate
+    -init
+    userdebug_or_eng(`-perfprofd')
+    -traced_probes
+    -shell
+    -traceur_app
+  } debugfs_tracing:file no_rw_file_perms;
+
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+  } inotify:file no_rw_file_perms;
+
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    userdebug_or_eng(`-incidentd')
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+  } pstorefs:file no_rw_file_perms;
+
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+  } configfs:file no_rw_file_perms;
+
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -system_server
+  } functionfs:file no_rw_file_perms;
+
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
+
+# Audit coredomain access to /dev nodes that might no longer be needed after
+# Treble.
+userdebug_or_eng(`
+    auditallow coredomain {
+        audio_device
+        iio_device
+        radio_device
+        tee_device
+    }:chr_file { open read append write ioctl };
+')
diff --git a/private/domain.te b/private/domain.te
index 8e3c4e6..6a71a14 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -5,6 +5,12 @@
 domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
@@ -28,98 +34,6 @@
   userdebug_or_eng(`-domain')
 } debugfs_tracing_debug:file no_rw_file_perms;
 
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
-  # /proc
-  neverallow {
-    coredomain
-    -vold
-  } proc:file no_rw_file_perms;
-
-  # /sys
-  neverallow {
-    coredomain
-    -init
-    -ueventd
-    -vold
-  } sysfs:file no_rw_file_perms;
-
-  # /dev
-  neverallow {
-    coredomain
-    -fsck
-    -init
-    -ueventd
-  } device:{ blk_file file } no_rw_file_perms;
-
-  # debugfs
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -system_server
-  } debugfs:file no_rw_file_perms;
-
-  # tracefs
-  neverallow {
-    coredomain
-    -atrace
-    -dumpstate
-    -init
-    userdebug_or_eng(`-perfprofd')
-    -traced_probes
-    -shell
-    -traceur_app
-  } debugfs_tracing:file no_rw_file_perms;
-
-  # inotifyfs
-  neverallow {
-    coredomain
-    -init
-  } inotify:file no_rw_file_perms;
-
-  # pstorefs
-  neverallow {
-    coredomain
-    -bootstat
-    -charger
-    -dumpstate
-    -healthd
-    userdebug_or_eng(`-incidentd')
-    -init
-    -logd
-    -logpersist
-    -recovery_persist
-    -recovery_refresh
-    -shell
-    -system_server
-  } pstorefs:file no_rw_file_perms;
-
-  # configfs
-  neverallow {
-    coredomain
-    -init
-    -system_server
-  } configfs:file no_rw_file_perms;
-
-  # functionfs
-  neverallow {
-    coredomain
-    -adbd
-    -init
-    -mediaprovider
-    -system_server
-  } functionfs:file no_rw_file_perms;
-
-  # usbfs and binfmt_miscfs
-  neverallow {
-    coredomain
-    -init
-  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')
-
 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
@@ -140,7 +54,6 @@
   -adbd
   -appdomain
   -dexoptanalyzer
-  -init
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
@@ -148,12 +61,11 @@
   -system_server
 } { privapp_data_file app_data_file }:dir *;
 
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
@@ -172,7 +84,6 @@
 
 neverallow {
   domain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
 # Allow dumpstate to make binder calls to statsd
 binder_call(dumpstate, statsd)
 
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 
diff --git a/private/file_contexts b/private/file_contexts
index 6d64c9b..acd5df9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -82,10 +82,8 @@
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/memcg(/.*)?        u:object_r:cgroup:s0
+/dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
@@ -98,9 +96,7 @@
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
-/dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
@@ -277,6 +273,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 79249b3..30ad7f1 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -3,6 +3,8 @@
 
 init_daemon_domain(heapprofd)
 
+set_prop(heapprofd, heapprofd_prop);
+
 userdebug_or_eng(`
   # Allow to send signal to processes.
   # This excludes SIGKILL, SIGSTOP and SIGCHLD,
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
 typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/incidentd.te b/private/incidentd.te
index 7ad3a30..658db07 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -45,6 +45,10 @@
 userdebug_or_eng(`allow incidentd pstorefs:dir search');
 userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
 
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 1b56c5c..3759488 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -133,5 +133,5 @@
   rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
   ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
-  qipcrtr_socket smc_socket
+  qipcrtr_socket smc_socket xdp_socket
 } create;
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -20,12 +20,11 @@
 binder_call(perfetto, system_server)
 allow perfetto dropbox_service:service_manager find;
 
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
 
 # Allow to communicate use, read and write over the adb connection.
 allow perfetto adbd:fd use;
diff --git a/private/property_contexts b/private/property_contexts
index 390c845..adede99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -143,6 +143,9 @@
 lowpan.                 u:object_r:lowpan_prop:s0
 ro.lowpan.              u:object_r:lowpan_prop:s0
 
+# heapprofd properties
+heapprofd.              u:object_r:heapprofd_prop:s0
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
@@ -165,5 +168,6 @@
 # Properties that relate to server configurable flags
 device_config.reset_performed           u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
+persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index cdf6521..0089f6f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -62,11 +62,12 @@
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
-gpuservice                                u:object_r:gpu_service:s0
+gpu                                       u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
 ians                                      u:object_r:radio_service:s0
+idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
diff --git a/private/stats.te b/private/stats.te
index 818d9f9..2c7199d 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -37,10 +37,10 @@
 ### neverallow rules
 ###
 
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
   domain
   -dumpstate
+  -incidentd
   -priv_app
   -shell
   -stats
diff --git a/private/statsd.te b/private/statsd.te
index 1e4c5b3..16d3aeb 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -14,3 +14,6 @@
 allow statsd {
   statscompanion_service
 }:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8652ee8..c50faef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -89,6 +89,7 @@
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger vr_manager_service:service_manager find;
 allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
 
 
 # allow self to set SCHED_FIFO
@@ -98,6 +99,7 @@
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
diff --git a/private/system_server.te b/private/system_server.te
index 01f0211..621385c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
@@ -186,6 +184,7 @@
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
@@ -566,6 +565,11 @@
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
+# server configurable flags properties
+# STOPSHIP: Remove the ability for system_server to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(system_server, device_config_flags_health_check_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@@ -584,6 +588,10 @@
 # such as camera shutter enforcement
 get_prop(system_server, exported_audio_prop)
 
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -656,6 +664,7 @@
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
@@ -704,6 +713,7 @@
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
+allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
@@ -892,6 +902,16 @@
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
+# Only allow init, system_server, flags_health_check to set properties for server configurable flags
+neverallow {
+  domain
+  -init
+  -system_server
+  -flags_health_check
+} {
+  device_config_flags_health_check_prop
+}:property_service set;
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
@@ -922,6 +942,10 @@
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
 
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index e173293..f84d698 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
 
-# This is needed for: path="/system/bin/linker64"
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
-allow atrace traced_probes:fd use;
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
 
 # Allow traced_probes to access /proc files for system stats.
 # Note: trace data is NOT exposed to anything other than shell and privileged
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,3 +49,8 @@
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,3 +30,8 @@
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 75f70ac..f9deff0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -32,6 +32,9 @@
 allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
 allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
 
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
 # Allow webview_zygote to stat the files that it opens. It must
 # be able to inspect them so that it can reopen them on fork
 # if necessary: b/30963384.
@@ -132,6 +135,7 @@
   pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
   rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
   alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+  xdp_socket
 } *;
 
 # Do not allow access to Bluetooth-related system properties.
diff --git a/private/zygote.te b/private/zygote.te
index 491f079..d1e0f55 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -48,6 +48,9 @@
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac..f990879 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
 
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 
 neverallow domain apexd:process ptrace;
 
diff --git a/public/app.te b/public/app.te
index 96b8c07..40dee5d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -119,9 +119,6 @@
 allow appdomain vendor_public_lib_file:dir r_dir_perms;
 allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };
 
@@ -337,7 +334,8 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
diff --git a/public/device.te b/public/device.te
index 36a060b..e55c86d 100644
--- a/public/device.te
+++ b/public/device.te
@@ -18,14 +18,12 @@
 type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
-type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
-type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 0a47bc6..09eb3e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -111,19 +111,6 @@
     get_prop({coredomain appdomain shell}, exported3_default_prop)
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
-    userdebug_or_eng(`
-        get_prop(su, core_property_type)
-        get_prop(su, exported_dalvik_prop)
-        get_prop(su, exported_ffs_prop)
-        get_prop(su, exported_system_radio_prop)
-        get_prop(su, exported2_config_prop)
-        get_prop(su, exported2_radio_prop)
-        get_prop(su, exported2_system_prop)
-        get_prop(su, exported2_vold_prop)
-        get_prop(su, exported3_default_prop)
-        get_prop(su, exported3_radio_prop)
-        get_prop(su, exported3_system_prop)
-    ')
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 
@@ -249,6 +236,9 @@
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
 # jemalloc needs to read /proc/sys/vm/overcommit_memory
 allow domain proc_overcommit_memory:file r_file_perms;
 
@@ -341,7 +331,7 @@
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 ###
@@ -434,14 +424,6 @@
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
-  domain
-  -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
 #Ensure that nothing in userspace can access /dev/port
 neverallow {
   domain
@@ -1408,8 +1390,8 @@
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
diff --git a/public/file.te b/public/file.te
index 87636d3..3d09537 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,6 +183,8 @@
 # Vold files within /metadata
 type vold_metadata_file, file_type;
 
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 9a5ceeb..a626895 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -5,6 +5,11 @@
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
 
+# STOPSHIP: Remove the ability for flags_health_check to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(flags_health_check, device_config_flags_health_check_prop)
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
@@ -21,5 +26,4 @@
 # server_configurable_flags_data_file is used for storing whether server configurable flags which
 # have been reset during current booting. Mistakenly modified by unrelated components can
 # cause bad server configurable flags synced back to device.
-
 neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/public/global_macros b/public/global_macros
index 00f9fb3..962bca9 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -10,7 +10,7 @@
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
 
 # Ignore reading /proc/<pid>/maps after a fork.
 dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@
 
 # Allow apps access to /vendor/overlay
 r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index c2938ad..2a8036a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -94,7 +94,6 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
-allow init cpuctl_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
@@ -223,9 +222,15 @@
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-# does init really need to relabel app data?
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+allow init {
+  file_type
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
+
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -275,7 +280,6 @@
 allow init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
 }:chr_file setattr;
 
diff --git a/public/inputflinger.te b/public/inputflinger.te
index f206c05..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,6 @@
 
 wakelock_use(inputflinger)
 
-add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8f58868..e86becf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,7 +23,7 @@
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor sdcard_type:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8b6d6cc..0ccd168 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -55,5 +55,3 @@
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/public/property.te b/public/property.te
index bdd57d6..fcbf365 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
+type cpu_variant_prop, property_type;
 type ctl_adbd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
@@ -28,6 +29,7 @@
 type default_prop, property_type, core_property_type;
 type device_config_boot_count_prop, property_type;
 type device_config_reset_performed_prop, property_type;
+type device_config_flags_health_check_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -36,6 +38,7 @@
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
+type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
@@ -393,6 +396,8 @@
     -firstboot_prop
     -device_config_reset_performed_prop
     -device_config_boot_count_prop
+    -device_config_flags_health_check_prop
+    -heapprofd_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop
diff --git a/public/property_contexts b/public/property_contexts
index 36357b7..f2362d5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -255,6 +255,10 @@
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
 persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
 rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
diff --git a/public/racoon.te b/public/racoon.te
index 7d1247a..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -10,6 +10,7 @@
 binder_use(racoon)
 
 allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
 
diff --git a/public/service.te b/public/service.te
index 8024a78..55f8d75 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,8 +10,8 @@
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
+type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
-type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
@@ -173,4 +173,5 @@
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
 neverallow shell {
   fuse_device
   hw_random_device
-  kmem_device
   port_device
 }:chr_file ~getattr;
 
diff --git a/public/su.te b/public/su.te
index dad9c49..4a401b8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -21,7 +21,7 @@
   dontaudit su kernel:security *;
   dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
-  dontaudit su domain:process *;
+  dontaudit su domain:{ process process2 } *;
   dontaudit su domain:fd *;
   dontaudit su domain:dir *;
   dontaudit su domain:lnk_file *;
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
 
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+    system_block_device
+    super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733..9aa1194 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -55,6 +55,8 @@
   -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
 allow vendor_init {
   file_type
   -core_data_file_type
@@ -129,7 +131,6 @@
 allow vendor_init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
   -lowpan_device
   -hw_random_device
@@ -175,6 +176,7 @@
       property_type
       -device_config_boot_count_prop
       -device_config_reset_performed_prop
+      -device_config_flags_health_check_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
@@ -190,6 +192,7 @@
 allow vendor_init file_contexts_file:file r_file_perms;
 
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
 set_prop(vendor_init, exported_bluetooth_prop)
diff --git a/public/vold.te b/public/vold.te
index 3848c35..d26c836 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -7,12 +7,6 @@
 allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc_net_type)
-userdebug_or_eng(`
-  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.