Merge "Allow wpa_supplicant to access KeyStore2"
diff --git a/Android.bp b/Android.bp
index ac2e516..8fa57ca 100644
--- a/Android.bp
+++ b/Android.bp
@@ -492,3 +492,246 @@
         "//test/vts-testcase/security/system_property",
     ],
 }
+
+// This is a minimized cil modules to test microdroid.
+// TODO(b/178993690): migrate cil files to Android.bp and remove below
+filegroup {
+    name: "microdroid_sepolicy_build_files",
+    srcs: [
+        // This order is important. Should be identical to sepolicy_build_files in Android.mk
+        "private/security_classes",
+        "private/initial_sids",
+        "private/access_vectors",
+        "public/global_macros",
+        "public/neverallow_macros",
+        "private/mls_macros",
+        "private/mls_decl",
+        "private/mls",
+        "private/policy_capabilities",
+        "public/te_macros",
+        "public/attributes",
+        "private/attributes",
+        "public/ioctl_defines",
+        "public/ioctl_macros",
+        "public/*.te",
+        "private/*.te",
+        "private/roles_decl",
+        "public/roles",
+        "private/users",
+        "private/initial_sid_contexts",
+        "private/fs_use",
+        "private/genfs_contexts",
+        "private/port_contexts",
+    ],
+}
+
+filegroup {
+    name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
+    srcs: [
+        // This order is important. Should be identical to sepolicy_build_files in Android.mk
+        "reqd_mask/security_classes",
+        "reqd_mask/initial_sids",
+        "reqd_mask/access_vectors",
+        "public/global_macros",
+        "public/neverallow_macros",
+        "reqd_mask/mls_macros",
+        "reqd_mask/mls_decl",
+        "reqd_mask/mls",
+        "public/te_macros",
+        "public/attributes",
+        "public/ioctl_defines",
+        "public/ioctl_macros",
+        "public/*.te",
+        "reqd_mask/*.te",
+        "reqd_mask/roles_decl",
+        "public/roles",
+        "reqd_mask/roles",
+        "reqd_mask/users",
+        "reqd_mask/initial_sid_contexts",
+    ],
+}
+
+filegroup {
+    name: "microdroid_sepolicy_reqd_mask_build_files",
+    srcs: [
+        // This order is important. Should be identical to sepolicy_build_files in Android.mk
+        "reqd_mask/security_classes",
+        "reqd_mask/initial_sids",
+        "reqd_mask/access_vectors",
+        "reqd_mask/mls_macros",
+        "reqd_mask/mls_decl",
+        "reqd_mask/mls",
+        "reqd_mask/*.te",
+        "reqd_mask/roles_decl",
+        "reqd_mask/roles",
+        "reqd_mask/users",
+        "reqd_mask/initial_sid_contexts",
+    ],
+}
+
+// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
+// these configurations should be fine to test microdroid on normal devices with full treble.
+// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
+// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
+// migrated into Soong, these will have correct values.
+policy_to_conf_flags = "$(location m4) --fatal-warnings " +
+"-D mls_num_sens=1 -D mls_num_cats=1024 " +
+"-D target_build_variant=userdebug " +
+"-D target_with_asan=false " +
+"-D target_with_native_coverage=false " +
+"-D target_full_treble=true " +
+"-D target_compatible_property=true " +
+"-D target_treble_sysprop_neverallow=true " +
+"-D target_enforce_sysprop_owner=true "
+
+genrule {
+    name: "microdroid_plat_sepolicy.cil_gen",
+    srcs: [":microdroid_sepolicy_build_files"],
+    tools: ["m4", "checkpolicy"],
+    out: ["plat_sepolicy.cil"],
+    cmd: policy_to_conf_flags +
+        "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
+        "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
+    visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+    name: "microdroid_plat_sepolicy.cil",
+    src: ":microdroid_plat_sepolicy.cil_gen",
+    filename: "plat_sepolicy.cil",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_reqd_policy_mask.cil_gen",
+    srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
+    tools: ["m4", "checkpolicy"],
+    out: ["reqd_policy_mask.cil"],
+    cmd: policy_to_conf_flags +
+        "-s $(in) > $(out).conf" +
+        "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
+    visibility: ["//visibility:private"],
+}
+
+genrule {
+    name: "microdroid_plat_mapping_file_gen",
+    srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"],
+    tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
+    out: ["10000.0.cil"],
+    cmd: policy_to_conf_flags +
+        "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
+        "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
+        "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
+        "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
+    visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+    name: "microdroid_plat_mapping_file",
+    src: ":microdroid_plat_mapping_file_gen",
+    filename: "10000.0.cil",
+    relative_install_path: "selinux/mapping",
+    installable: false,
+}
+
+///////////////////////////////////////////////////////////////////
+genrule {
+    name: "microdroid_pub_policy.cil_gen",
+    srcs: [
+        ":microdroid_sepolicy_public_and_reqd_mask_build_files",
+        ":microdroid_reqd_policy_mask.cil_gen",
+    ],
+    tools: ["m4", "checkpolicy", "build_sepolicy"],
+    out: ["pub_policy.cil"],
+    cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
+        "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
+        "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
+    visibility: ["//visibility:private"],
+}
+
+genrule {
+    name: "microdroid_plat_pub_versioned.cil_gen",
+    srcs: [":microdroid_pub_policy.cil_gen"],
+    tools: ["version_policy"],
+    out: ["plat_pub_versioned.cil"],
+    cmd: "$(location version_policy) " +
+        "-b $(location :microdroid_pub_policy.cil_gen) " +
+        "-t $(location :microdroid_pub_policy.cil_gen) " +
+        "-n 10000.0 " +
+        "-o $(out)",
+    visibility: ["//visibility:private"],
+}
+
+filegroup {
+    name: "microdroid_vendor_sepolicy_build_files",
+    srcs: [
+        "reqd_mask/security_classes",
+        "reqd_mask/initial_sids",
+        "reqd_mask/access_vectors",
+        "public/global_macros",
+        "public/neverallow_macros",
+        "reqd_mask/mls_macros",
+        "reqd_mask/mls_decl",
+        "reqd_mask/mls",
+        "public/te_macros",
+        "public/attributes",
+        "public/ioctl_defines",
+        "public/ioctl_macros",
+        "public/*.te",
+        "reqd_mask/*.te",
+        "vendor/*.te",
+        "reqd_mask/roles_decl",
+        "public/roles",
+        "reqd_mask/roles",
+        "reqd_mask/users",
+        "reqd_mask/initial_sid_contexts",
+    ],
+}
+
+genrule {
+    name: "microdroid_vendor_sepolicy.cil_gen",
+    srcs: [
+        ":microdroid_vendor_sepolicy_build_files",
+        ":microdroid_plat_pub_versioned.cil_gen",
+        ":microdroid_pub_policy.cil_gen",
+        ":microdroid_reqd_policy_mask.cil_gen",
+    ],
+    tools: [
+        "m4",
+        "build_sepolicy",
+        "checkpolicy",
+        "secilc",
+        "version_policy",
+    ],
+    out: ["vendor_sepolicy.cil"],
+    cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) > $(out).conf && " +
+        "$(location build_sepolicy) " +
+        "--android_host_path $$(dirname $(location build_sepolicy)) " +
+        "build_cil " +
+        "--input_policy_conf $(out).conf " +
+        "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
+        "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
+        "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
+        "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
+        "--treble_sepolicy_vers 10000.0 " +
+        "--policy_vers 30 " +
+        "--output_cil $(out)",
+    visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+    name: "microdroid_vendor_sepolicy.cil",
+    src: ":microdroid_vendor_sepolicy.cil_gen",
+    filename: "vendor_sepolicy.cil",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_plat_pub_versioned.cil",
+    src: ":microdroid_plat_pub_versioned.cil_gen",
+    filename: "plat_pub_versioned.cil",
+    relative_install_path: "selinux",
+    installable: false,
+}
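Review bot: The checkpolicy policy version `30` and the treble version `10000.0` are repeated as bare literals across the new genrules (`-c 30`, `--policy_vers 30`, `-n 10000.0`, `--treble_sepolicy_vers 10000.0`, and the `10000.0.cil` output name), so a future bump has to touch six places; hoisting them into variables next to `policy_to_conf_flags` (e.g. `microdroid_policy_vers = "30"`) and concatenating, where the Blueprint syntax allows it, would keep them in one spot. The `cmd` strings in `microdroid_plat_sepolicy.cil_gen`, `microdroid_reqd_policy_mask.cil_gen` and `microdroid_plat_mapping_file_gen` join `"> $(out).conf" + "&& ..."` with no whitespace before `&&`, unlike the later rules that write `" && "`; it only works because `&&` is a shell control operator, so use the spaced form consistently. The same three rules also pass `-M -C` / `-C -M` to checkpolicy in different orders, which is harmless but reads as if the rules were written independently.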
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5d32e11..d7a0798 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -364,7 +364,76 @@
 	return m.buildGeneralContexts(ctx, inputs)
 }
 
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+	shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+	ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
+
+	rule := android.NewRuleBuilder(pctx, ctx)
+
+	// This list is from vts_treble_sys_prop_test.
+	allowedPropertyPrefixes := []string{
+		"ctl.odm.",
+		"ctl.vendor.",
+		"ctl.start$odm.",
+		"ctl.start$vendor.",
+		"ctl.stop$odm.",
+		"ctl.stop$vendor.",
+		"init.svc.odm.",
+		"init.svc.vendor.",
+		"ro.boot.",
+		"ro.hardware.",
+		"ro.odm.",
+		"ro.vendor.",
+		"odm.",
+		"persist.odm.",
+		"persist.vendor.",
+		"vendor.",
+	}
+
+	// persist.camera is also allowed for devices launching with R or eariler
+	if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
+		allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
+	}
+
+	var allowedContextPrefixes []string
+
+	if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
+		// This list is from vts_treble_sys_prop_test.
+		allowedContextPrefixes = []string{
+			"vendor_",
+			"odm_",
+		}
+	}
+
+	var ret android.Paths
+	for _, input := range inputs {
+		cmd := rule.Command().
+			BuiltTool("check_prop_prefix").
+			FlagWithInput("--property-contexts ", input).
+			FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+			FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+
+		if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+			cmd.Flag("--strict")
+		}
+
+		out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
+		rule.Command().Text("cp -f").Input(input).Output(out)
+		ret = append(ret, out)
+	}
+	rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
+	return ret
+}
+
 func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+	// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
+	// vendor/odm, make sure that only vendor/odm properties exist.
+	shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+	ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
+	if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
+		inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+	}
+
 	builtCtxFile := m.buildGeneralContexts(ctx, inputs)
 
 	var apiFiles android.Paths
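Review bot: `ApiLevelR` in checkVendorPropertyNamespace and `ApiLevelQ` in buildPropertyContexts are function locals named in exported CamelCase; Go convention for locals is `apiLevelR` / `apiLevelQ`. checkVendorPropertyNamespace has no doc comment; suggest `// checkVendorPropertyNamespace runs check_prop_prefix over each property_contexts input and returns copies of the inputs produced by the same rule, so that consumers of the copies depend on the check having run.` — the copy-as-output pattern appears to exist for that reason, but confirm before committing to that wording. The comment on the persist.camera. exception has a typo, `eariler` → `earlier`. buildPropertyContexts's body continues past the end of the hunk.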
diff --git a/private/access_vectors b/private/access_vectors
index 1420360..a02a2a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -714,7 +714,10 @@
 class keystore2
 {
 	add_auth
+	change_password
+	change_user
 	clear_ns
+	clear_uid
 	get_state
 	list
 	lock
diff --git a/private/apexd.te b/private/apexd.te
index c3da0fe..a2a77ab 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -5,6 +5,8 @@
 # Allow creating, reading and writing of APEX files/dirs in the APEX data dir
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
 
 # Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
 allow apexd metadata_file:dir search;
@@ -20,6 +22,8 @@
 allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
 allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
 
@@ -78,6 +82,8 @@
 # allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
 allow apexd vendor_apex_file:dir r_dir_perms;
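Review bot: The comment on the new `staging_data_file:file relabelto` rule has a doubled marker (`# #`) and repeats the wording of the `apex_data_file:file relabelfrom` rule added earlier in this file, so it never says what this half does. Read together with the file_contexts change for `/data/apex/decompressed`, the two rules look like the two halves of one relabel (apex_data_file → staging_data_file); suggest `# Allow relabeling files created in /data/apex/decompressed to staging_data_file` here, and having the relabelfrom comment above name its counterpart so the pair is read as one.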
diff --git a/private/app.te b/private/app.te
index 710b94d..2ade955 100644
--- a/private/app.te
+++ b/private/app.te
@@ -74,6 +74,11 @@
 # Allow APFE device info to read Virtual A/B props.
 get_prop(appdomain, virtual_ab_prop)
 
+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
+
 # Sensitive app domains are not allowed to execute from /data
 # to prevent persistence attacks and ensure all code is executed
 # from read-only locations.
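Review bot: The allow on appdomain for tombstone_data_file deliberately omits `open`, which is what makes the "only if an fd is given to you" model hold, but the comment doesn't say so and a later reader could "fix" it by adding open. Suggest extending the comment: `# 'open' is intentionally absent: apps may only use an already-open fd passed to them; the neverallow below pins this.` The allow and the neverallow already agree on `{ getattr read }`, so no code change is needed.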
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b2e5992..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,27 +4,32 @@
 typeattribute bpfloader coredomain;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { create search write add_name };
-allow bpfloader fs_bpf:file { create setattr read };
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
 
 ###
 ### Neverallow rules
 ###
 
-# TODO: get rid of init & vendor_init
-neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
-neverallow domain fs_bpf:dir { reparent rename rmdir };
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
-neverallow { domain -bpfloader } fs_bpf:file create;
-neverallow domain fs_bpf:file { rename unlink };
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
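Review bot: `allow fs_bpf_tethering fs_bpf:filesystem associate;` sits under the comment about pinning maps and programs, but it is a labeling rule for the new type rather than a bpfloader permission; give it its own comment, e.g. `# fs_bpf_tethering labels live on the bpf filesystem alongside fs_bpf`. The neverallow for `file read` exempts init and vendor_init while the one for `file write` does not; that appears deliberate given the TODO above them, but a short note on why init needs read would save the next reader from re-deriving it. The other neverallow rewrites (the `~{ ... }` complements and the `*:` socket rule) read clearly as written.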
@@ -32,9 +37,7 @@
 
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
-neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 3830fc0..9dff2c6 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1809,7 +1809,9 @@
 (typeattributeset print_service_30_0 (print_service))
 (typeattributeset priv_app_30_0 (priv_app))
 (typeattributeset privapp_data_file_30_0 (privapp_data_file))
-(typeattributeset proc_30_0 (proc))
+(typeattributeset proc_30_0
+  ( proc
+    proc_bootconfig))
 (typeattributeset proc_abi_30_0 (proc_abi))
 (typeattributeset proc_asound_30_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a58703c..3793195 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,6 +11,8 @@
     apex_art_data_file
     apex_art_staging_data_file
     apex_info_file
+    apex_ota_reserved_file
+    apex_scheduling_data_file
     app_hibernation_service
     appcompat_data_file
     arm64_memtag_prop
@@ -22,6 +24,7 @@
     debugfs_mm_events_tracing
     device_config_profcollect_native_boot_prop
     device_config_connectivity_prop
+    device_config_swcodec_native_prop
     device_state_service
     dm_user_device
     dmabuf_heap_device
@@ -30,6 +33,8 @@
     domain_verification_service
     dumpstate_tmpfs
     framework_watchdog_config_prop
+    fs_bpf_tethering
+    fwk_stats_service
     game_service
     font_data_file
     gki_apex_prepostinstall
@@ -47,12 +52,16 @@
     hal_keymint_service
     hal_neuralnetworks_service
     hal_power_stats_service
+    hal_remotelyprovisionedcomponent_service
+    hal_secureclock_service
+    hal_sharedsecret_service
     hal_weaver_service
     keystore_compat_hal_service
     keystore2_key_contexts_file
     legacy_permission_service
     location_time_zone_manager_service
     media_communication_service
+    media_metrics_service
     mediatuner_exec
     mediatuner_service
     mediatuner
@@ -74,8 +83,12 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
+    qemu_hw_prop
+    qemu_sf_lcd_density_prop
     radio_core_data_file
     reboot_readiness_service
+    remote_prov_app
+    remoteprovisioning_service
     resolver_service
     search_ui_service
     shell_test_data_file
@@ -95,10 +108,13 @@
     texttospeech_service
     transformer_service
     update_engine_stable_service
+    userdata_sysdev
+    usermanager_service
     userspace_reboot_metadata_file
     vcn_management_service
     vibrator_manager_service
     vpn_management_service
+    vpnprofilestore_service
     watchdog_metadata_file
     wifi_key
     zygote_config_prop))
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index d5728d1..a99f8a2 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -29,6 +29,10 @@
 # Allow dexoptanalyzer to use file descriptors from odrefresh.
 allow dexoptanalyzer odrefresh:fd use;
 
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow dexoptanalyzer odsign:fd use;
+allow dexoptanalyzer odsign_devpts:chr_file { read write };
+
 allow dexoptanalyzer installd:fd use;
 allow dexoptanalyzer installd:fifo_file { getattr write };
 
diff --git a/private/domain.te b/private/domain.te
index 57e93e4..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 16f4add..13e3b4c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -11,6 +11,12 @@
 
 allow dumpstate storaged_exec:file rx_file_perms;
 
+# /data/misc/a11ytrace for accessibility traces
+userdebug_or_eng(`
+  allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
+  allow dumpstate accessibility_trace_data_file:file r_file_perms;
+')
+
 # /data/misc/wmtrace for wm traces
 userdebug_or_eng(`
   allow dumpstate wm_trace_data_file:dir r_dir_perms;
diff --git a/private/file.te b/private/file.te
index fd50649..4b0f48a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,9 @@
 # /data/misc/wmtrace for wm traces
 type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/a11ytrace for accessibility traces
+type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/perfetto-traces for perfetto traces
 type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index 8399cc8..35b93a1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -173,6 +173,8 @@
 /dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
 /dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
@@ -519,6 +521,8 @@
 /data/apex(/.*)?		u:object_r:apex_data_file:s0
 /data/apex/active/(.*)?		u:object_r:staging_data_file:s0
 /data/apex/backup/(.*)?		u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)?    u:object_r:staging_data_file:s0
+/data/apex/ota_reserved(/.*)?       u:object_r:apex_ota_reserved_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
 # Traditional /data/app/[packageName]-[randomString]/base.apk location
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
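Review bot: The two new `/data/apex/decompressed` and `/data/apex/ota_reserved` entries separate the regex from the context with runs of spaces while the neighbouring lines use tabs, so the context column no longer lines up; match the surrounding lines with tabs. The regex forms themselves are consistent with the existing `active`/`backup` entries (contents only for decompressed, directory and contents for ota_reserved).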
@@ -556,9 +560,11 @@
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
+/data/misc/a11ytrace(/.*)?        u:object_r:accessibility_trace_data_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com\.android\.art(/.*)?    u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_scheduling_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
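Review bot: The `/data/misc/a11ytrace` entry is inserted after `/data/misc/adb`, but the surrounding "Misc data" block is kept in alphabetical order and `a11ytrace` sorts before `adb`; move it one line up. The `apexdata/com.android.scheduling` entry is placed correctly within the apexdata group.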
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 983bad6..55d1a9a 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -14,6 +14,7 @@
 set_prop(flags_health_check, device_config_statsd_native_prop)
 set_prop(flags_health_check, device_config_statsd_native_boot_prop)
 set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_configuration_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 05dc06f..21a1ae9 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
@@ -228,13 +229,18 @@
 genfscon tracefs /saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_switch/                             u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/                             u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_process_exit/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sched/sched_process_free/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/                         u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cgroup/                                         u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
@@ -250,6 +256,7 @@
 genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_transaction_alloc_buf/            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
@@ -262,6 +269,7 @@
 genfscon tracefs /events/ion/ion_stat/                                   u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/mm_event/mm_event_record/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/oom/oom_score_adj_update/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/                                u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_rename/                               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_newtask/                              u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
@@ -272,6 +280,9 @@
 genfscon tracefs /events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ipi/                                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/irq/                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/                                 u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/                               u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -281,12 +292,18 @@
 genfscon debugfs /tracing/saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_switch/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/                         u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cgroup/                                         u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
@@ -301,7 +318,8 @@
 genfscon debugfs /tracing/events/binder/binder_lock/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
@@ -314,6 +332,7 @@
 genfscon debugfs /tracing/events/ion/ion_stat/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/mm_event/mm_event_record/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/                                        u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
@@ -324,6 +343,9 @@
 genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ipi/                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/irq/                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/                                 u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/                               u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
@@ -349,3 +371,4 @@
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
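Review bot: `genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0` is a path-prefix rule, so it labels not only the `/tethering` subtree but any entry under the bpf mount whose path merely begins with `/tethering` (a sibling such as `/tethering_old` would get the same type). If bpfloader only ever pins under `/tethering/` this is harmless, but since the network_stack.te neverallows in this change make the label security-relevant, a comment on the line stating that assumption helps, e.g. `# prefix match: everything pinned under /tethering* is tethering-only (see network_stack.te)`. The declaration of the `fs_bpf_tethering` type is not in the visible part of this diff; it presumably lives in public/file.te.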
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index ff7444f..af94906 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -58,6 +58,10 @@
 dontaudit gmscore_app mirror_data_file:dir search;
 dontaudit gmscore_app mnt_vendor_file:dir search;
 
+# Don't audit memtrack hal denials (b/177664629)
+dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
+dontaudit gmscore_app hal_memtrack_service:service_manager find;
+
 # Access the network
 net_domain(gmscore_app)
 
@@ -75,6 +79,10 @@
 # TODO: Tighten (b/112357170)
 allow gmscore_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
 allow gmscore_app privapp_data_file:lnk_file create_file_perms;
 
 # /proc access
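Review bot: The comment on the new rule has a doubled word, `# Chrome Crashpad uses the the dynamic linker`, and the same wording is copied verbatim into the priv_app.te hunk. Beyond the typo, `allow gmscore_app system_linker_exec:file execute_no_trans;` lets the app run the dynamic linker in its own domain, which widens what native code can execute without a domain transition, so the comment should record that this is intentional and tie it to the `# TODO: Tighten (b/112357170)` on the `privapp_data_file:file execute` rule just above it. Suggested wording: `# Chrome Crashpad uses the dynamic linker to load native executables from an APK (b/112050209, crbug.com/928422). Deliberately in-domain; revisit together with the TODO above.`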
diff --git a/private/heapprofd.te b/private/heapprofd.te
index d34830c..246f936 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
 r_dir_file(heapprofd, apk_data_file)
 r_dir_file(heapprofd, dalvikcache_data_file)
 r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
 # Some dex files are not world-readable.
 # We are still constrained by the SELinux rules above.
 allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/init.te b/private/init.te
index 02d45a1..348673b 100644
--- a/private/init.te
+++ b/private/init.te
@@ -16,6 +16,7 @@
   domain_trans(init, rootfs, fastbootd)
   domain_trans(init, rootfs, recovery)
   domain_trans(init, rootfs, linkerconfig)
+  domain_trans(init, rootfs, snapuserd)
 ')
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
@@ -79,3 +80,6 @@
 
 # Only init can write ro.property_service.version
 neverallow { -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { -init } keystore_listen_prop:property_service set;
diff --git a/private/keystore.te b/private/keystore.te
index 5cded8a..85f1517 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -23,3 +23,4 @@
 # Keystore need access to the keystore_key context files to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
+get_prop(keystore, keystore_listen_prop)
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
+  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 7f626c4..7bcf5c8 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -7,3 +7,4 @@
 allow mediaextractor system_server_tmpfs:file { getattr map read write };
 
 get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index cef802d..02079c1 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -3,3 +3,4 @@
 init_daemon_domain(mediaswcodec)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 5f4a943..372bde6 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -36,6 +36,9 @@
 allow mediatranscoding app_data_file:file { getattr read write };
 allow mediatranscoding shell_data_file:file { getattr read write };
 
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
 # mediatranscoding should never execute any executable without a
 # domain transition
 neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 8088f3b..413d2e5 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -14,6 +14,7 @@
 add_service(mediatuner, mediatuner_service)
 allow mediatuner system_server:fd use;
 allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
 binder_call(mediatuner, system_server)
 
 ###
diff --git a/private/network_stack.te b/private/network_stack.te
index f130e80..9598fa5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -29,6 +29,13 @@
 
 binder_call(network_stack, netd);
 
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
 # Create/use netlink_tcpdiag_socket to get tcp info
 allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 ############### Tethering Service app - Tethering.apk ##############
@@ -37,13 +44,15 @@
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack fs_bpf:dir search;
-allow network_stack fs_bpf:file { read write };
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# TODO: remove netd once netd/tethering mainline module split is complete
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
 
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
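Review bot: The second neverallow pair (`neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };` and its `:file ~{ map open read setattr }` twin) has no comment, and its purpose is not obvious next to the first pair: the first pair already forbids everything but `dir getattr` for ordinary domains, so the second pair's real effect is to cap init and vendor_init, which the first pair exempts, at read-only and label operations. I'd add above it `# init/vendor_init are exempt above; still bound them to read-only/label access on tethering programs and maps.` The comment `# Only the bpfloader and the network_stack should ever touch` also understates the exemption list, which includes netd (covered by the TODO) and init/vendor_init. The earlier hunk in this file only relocates the key_socket and get_prop rules, so there is nothing further to raise there.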
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 097098b..9c615fa 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
 # Allow odrefresh to create files and directories for on device signing.
 allow odrefresh apex_module_data_file:dir { getattr search };
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+allow odrefresh apex_art_data_file:file create_file_perms;
 
 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
 # sets up files here and passes file descriptors for dex2oat to write to.
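Review bot: Replacing the explicit `{ open create write read getattr unlink }` with `create_file_perms` widens the grant rather than restating it: as that macro is defined in the global macros (not shown in this diff) it carries at least `setattr` and `rename` on top of the read/write permission sets, which also add `map`, `ioctl` and `lock`. If odrefresh needs those (renaming the artifacts it signs into place is plausible), say so in the comment, e.g. `# create_file_perms: odrefresh renames and relabels the artifacts it produces.`; otherwise keep the explicit list and add only the missing permission. Either way the change deserves a line explaining which operation drove it.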
diff --git a/private/platform_app.te b/private/platform_app.te
index 7bf14c8..a112081 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -90,6 +90,9 @@
 # allow platform apps to read keyguard.no_require_sim
 get_prop(platform_app, keyguard_config_prop)
 
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
 # allow platform apps to create symbolic link
 allow platform_app app_data_file:lnk_file create_file_perms;
 
diff --git a/private/priv_app.te b/private/priv_app.te
index 4b0218e..e5889d1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
 # Priv apps can find services that expose both @SystemAPI and normal APIs.
@@ -156,11 +160,12 @@
 r_dir_file(priv_app, sysfs_fs_incfs_features)
 
 # allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status
+# the Incremental File System, fill missing blocks and get the app status and loading progress
 allowxperm priv_app apk_data_file:file ioctl {
   INCFS_IOCTL_READ_SIGNATURE
   INCFS_IOCTL_FILL_BLOCKS
   INCFS_IOCTL_GET_BLOCK_COUNT
+  INCFS_IOCTL_GET_FILLED_BLOCKS
 };
 
 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
@@ -235,6 +240,7 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary
diff --git a/private/profcollectd.te b/private/profcollectd.te
index f1ba7a72..875ef5b 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -7,7 +7,7 @@
 
   # profcollectd opens a file for writing in /data/misc/profcollectd.
   allow profcollectd profcollectd_data_file:file create_file_perms;
-  allow profcollectd profcollectd_data_file:dir rw_dir_perms;
+  allow profcollectd profcollectd_data_file:dir create_dir_perms;
 
   # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
   allow profcollectd self:perf_event { cpu kernel open read write };
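Review bot: The comment above the changed line, `# profcollectd opens a file for writing in /data/misc/profcollectd.`, no longer describes the grant once `rw_dir_perms` becomes `create_dir_perms`, which additionally lets the daemon create and remove subdirectories. Update it, e.g. `# profcollectd creates per-run subdirectories and files under /data/misc/profcollectd.`, and name the operation that required the change if directory removal is not actually needed. The two-space indentation suggests an enclosing conditional block whose start lies outside the hunk.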
@@ -19,6 +19,10 @@
   allow profcollectd system_file_type:file r_file_perms;
   allow profcollectd vendor_file_type:file r_file_perms;
 
+  # Allow profcollectd to read system bootstrap libs.
+  allow profcollectd system_bootstrap_lib_file:dir search;
+  allow profcollectd system_bootstrap_lib_file:file r_file_perms;
+
   # Allow profcollectd to access tracefs.
   allow profcollectd debugfs_tracing:dir r_dir_perms;
   allow profcollectd debugfs_tracing:file rw_file_perms;
diff --git a/private/property.te b/private/property.te
index 5dc75b8..34c0fd8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -9,11 +9,13 @@
 system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_service_status_private_prop)
 system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_listen_prop)
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(localization_prop)
 system_internal_prop(lower_kptr_restrict_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 8778016..22e0ff6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -186,6 +186,12 @@
 dalvik.                 u:object_r:dalvik_prop:s0
 ro.dalvik.              u:object_r:dalvik_prop:s0
 
+# qemu_hw_prop is read/written by both system and vendor.
+qemu.hw.mainkeys        u:object_r:qemu_hw_prop:s0
+
+# qemu_sf_lcd_density_prop is read/written by both system and vendor.
+qemu.sf.lcd_density     u:object_r:qemu_sf_lcd_density_prop:s0 exact int
+
 # Shared between system server and wificond
 wifi.                   u:object_r:wifi_prop:s0
 wlan.                   u:object_r:wifi_prop:s0
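Review bot: `qemu.hw.mainkeys        u:object_r:qemu_hw_prop:s0` has no `exact` qualifier, so it is a prefix entry and will label any property whose name begins with `qemu.hw.mainkeys`, unlike the neighbouring `qemu.sf.lcd_density ... exact int` and every other entry added in this file. Unless a family of such properties is intended, make it `qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact int` (or `exact string` if the value is not numeric; confirm against the readers added in platform_app.te and system_server.te).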
@@ -231,6 +237,7 @@
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0
 persist.device_config.statsd_native_boot.           u:object_r:device_config_statsd_native_boot_prop:s0
 persist.device_config.storage_native_boot.          u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 
 # Properties that relate to legacy server configurable flags
@@ -264,6 +271,9 @@
 ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
 # Property to set/clear the warm reset flag after an OTA update.
 ota.warm_reset  u:object_r:ota_prop:s0
+# The vbmeta digest for the inactive slot. It can be set after installing
+# ota updates to the b partition of a/b devices.
+ota.other.vbmeta_digest  u:object_r:ota_prop:s0 exact string
 
 # Module properties
 com.android.sdkext.                  u:object_r:module_sdkextensions_prop:s0
@@ -979,12 +989,14 @@
 ro.surface_flinger.set_touch_timer_ms                     u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.set_display_power_timer_ms             u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer              u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur               u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video                 u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1063,6 +1075,9 @@
 # TODO remove this property when Keystore 2.0 migration is complete b/171563717
 persist.android.security.keystore2.enable    u:object_r:keystore2_enable_prop:s0 exact bool
 
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
 partition.system.verified     u:object_r:verity_status_prop:s0 exact string
 partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
 partition.product.verified    u:object_r:verity_status_prop:s0 exact string
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 0000000..e877981
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,10 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+allow remote_prov_app {
+    activity_service
+    remoteprovisioning_service
+}:service_manager find;
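Review bot: The new domain file has no header comment saying what the app is, while the rest of this tree's app domains open with one. Something like `# Domain for the remote provisioning app (com.android.remoteprovisioner, see seapp_contexts); it talks to remoteprovisioning_service.` is supported by the seapp_contexts entry and the find rule in this change. Because this is a network-capable app domain (`net_domain`) that can reach `remoteprovisioning_service`, the comment should also state whether any other domain is meant to find that service, so a later neverallow has a recorded intent to encode.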
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 929f073..b8e42ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,7 @@
 isSystemServer=true domain=system_server_startup
 
 user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
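Review bot: The new entry keys the domain on `isPrivApp=true name=com.android.remoteprovisioner` alone, with no `seinfo=` field, so the assignment rests on the priv-app allowlist rather than on the package's signing certificate; the network_stack entry two lines below shows the `seinfo=` form. This mirrors the traceur line above it and may be deliberate, but for a domain that fronts key provisioning a certificate-bound `seinfo=` (whichever certificate the app is actually signed with; confirm) is the tighter key. If it must stay name-only, a one-line comment saying why will help the next reader.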
diff --git a/private/service_contexts b/private/service_contexts
index ed457ee..f522323 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,12 +9,16 @@
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
 android.hardware.oemlock.IOemLock/default                            u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default                      u:object_r:hal_power_stats_service:s0
+android.hardware.power.stats.IPowerStats/default                     u:object_r:hal_power_stats_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:hal_rebootescrow_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
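Review bot: The three added `android.hardware.security.*` entries are not column-aligned with their neighbours (the label lands at three different offsets across the three lines), which is the same kind of drift the `IPowerStats` whitespace fix in this hunk is cleaning up. Either align them to the existing column or, since the interface names overrun it, separate all three with a single space consistently. `android.frameworks.stats.IStats/default` is appended to the end of the `android.hardware.*` block rather than given its own group; a blank line or a sorted position keeps the section scannable.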
@@ -31,6 +35,9 @@
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+android.security.usermanager              u:object_r:usermanager_service:s0
+android.security.vpnprofilestore          u:object_r:vpnprofilestore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.keystore2                  u:object_r:keystore_service:s0
 app_binding                               u:object_r:app_binding_service:s0
@@ -162,6 +169,7 @@
 media.drm                                 u:object_r:mediadrmserver_service:s0
 media.tuner                               u:object_r:mediatuner_service:s0
 media_communication                       u:object_r:media_communication_service:s0
+media_metrics                             u:object_r:media_metrics_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/private/shell.te b/private/shell.te
index 0cdf43d..94a2c2e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -48,6 +48,12 @@
 # Allow shell to run adb shell cmd stats commands. Needed for CTS.
 binder_call(shell, statsd);
 
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+  allow shell accessibility_trace_data_file:dir rw_dir_perms;
+  allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
 allow shell perfetto_traces_data_file:file { r_file_perms unlink };
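Review bot: The new comment says `/data/misc/a11ytraces`, while the system_server.te hunk that adds the matching `accessibility_trace_data_file` rules says `/data/misc/a11ytrace`; one of the two spellings is wrong, and the file_contexts entry that would settle it is not in this diff. Pick the real path and use the same spelling in both comments.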
@@ -177,3 +183,6 @@
 
 # Allow shell to read the dm-verity props on user builds.
 get_prop(shell, verity_status_prop)
+
+# Allow shell to read Virtual A/B related properties
+get_prop(shell, virtual_ab_prop)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..640306f 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,6 +58,9 @@
 set_prop(surfaceflinger, ctl_bootanim_prop)
 set_prop(surfaceflinger, surfaceflinger_display_prop)
 
+# Get properties.
+get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
@@ -100,6 +103,7 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index f9d3c1c..36208bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -146,7 +146,6 @@
 allow system_app wifi_key:keystore2_key {
     delete
     get_info
-    grant
     rebind
     update
     use
@@ -159,6 +158,7 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 115aff3..c0c7c16 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -192,6 +192,14 @@
 # Read /sys/kernel/dma_heap/*.
 allow system_server sysfs_dma_heap:file r_file_perms;
 
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -295,6 +303,7 @@
 
 # List HAL interfaces to get ANR traces.
 allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
 
 # Send signals to trigger ANR traces.
 allow system_server {
@@ -667,6 +676,7 @@
 set_prop(system_server, device_config_statsd_native_prop)
 set_prop(system_server, device_config_statsd_native_boot_prop)
 set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
@@ -761,9 +771,6 @@
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
 
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
 # Read and delete files under /dev/fscklogs.
 r_dir_file(system_server, fscklogs)
 allow system_server fscklogs:dir { write remove_name };
@@ -823,6 +830,7 @@
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
+allow system_server usermanager_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 userdebug_or_eng(`
@@ -854,7 +862,10 @@
 
 allow system_server keystore:keystore2 {
 	add_auth
+	change_password
+	change_user
 	clear_ns
+	clear_uid
 	get_state
 	lock
 	reset
@@ -871,14 +882,25 @@
 	use
 };
 
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
 allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
 
 # /oem access
 r_dir_file(system_server, oemfs)
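Review bot: Read together with the later hunk that drops `allow system_server cgroup_v2:dir rw_dir_perms;` and `allow system_server cgroup_v2:file rw_file_perms;`, the new `allow system_server cgroup_v2:file { r_file_perms setattr };` removes system_server's write access to cgroup v2 control files while the `create_dir_perms` line gives it directory creation and removal. If system_server no longer writes pids into those files itself (the zygote.te hunk's chmod/fsetid comment hints the attach work moved), that is a welcome tightening and the comment should say so; if it still does, this is a regression. Suggested comment in place of `# Create new process groups and clean up old cgroups`: `# Create/remove cgroup v2 directories and set ownership on their files; system_server does not write to the control files itself.`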
@@ -910,6 +932,10 @@
   # Allow writing and removing window traces in /data/misc/wmtrace.
   allow system_server wm_trace_data_file:dir rw_dir_perms;
   allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+
+  # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
+  allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+  allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
 ')
 
 # For AppFuse.
@@ -957,9 +983,8 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
@@ -1128,6 +1153,7 @@
   device_config_media_native_prop
   device_config_storage_native_boot_prop
   device_config_sys_traced_prop
+  device_config_swcodec_native_prop
   device_config_window_manager_native_boot_prop
 }:property_service set;
 
@@ -1202,6 +1228,8 @@
 allow system_server apex_module_data_file:dir { getattr search };
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_scheduling_data_file:dir create_dir_perms;
+allow system_server apex_scheduling_data_file:file create_file_perms;
 allow system_server apex_wifi_data_file:dir create_dir_perms;
 allow system_server apex_wifi_data_file:file create_file_perms;
 
@@ -1308,3 +1336,6 @@
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index acb45ba..caf8955 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -1,11 +1,10 @@
-type system_suspend, domain, coredomain, system_suspend_server;
+type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
 
 type system_suspend_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(system_suspend)
 
-# To serve ISuspendControlService and ISuspendControlServiceInternal.
+# To serve ISuspendControlService.
 binder_use(system_suspend)
-add_service(system_suspend, system_suspend_control_internal_service)
 add_service(system_suspend, system_suspend_control_service)
 
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
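Review bot: The first changed line adds the `system_suspend_internal_server` attribute to the type while the same hunk removes `add_service(system_suspend, system_suspend_control_internal_service)` and narrows the comment to `# To serve ISuspendControlService.`; as written the new attribute looks unused. If the internal interface is now granted through rules attached to that attribute (presumably in public/, outside this diff), the comment should say so, e.g. `# To serve ISuspendControlService; ISuspendControlServiceInternal access comes via the system_suspend_internal_server attribute.` Confirm where that attribute's rules live before merging.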
@@ -31,15 +30,6 @@
 neverallow {
     domain
     -atrace # tracing
-    -dumpstate # bug reports
-    -system_suspend # implements system_suspend_control_internal_service
-    -system_server # configures system_suspend via ISuspendControlServiceInternal
-    -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
-
-neverallow {
-    domain
-    -atrace # tracing
     -bluetooth # support Bluetooth activity attribution (BTAA)
     -dumpstate # bug reports
     -system_suspend # implements system_suspend_control_service
diff --git a/private/update_engine.te b/private/update_engine.te
index 8e09154..d828e1f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,3 +24,8 @@
 # Allow to communicate with the snapuserd service, for dm-user snapshots.
 allow update_engine snapuserd:unix_stream_socket connectto;
 allow update_engine snapuserd_socket:sock_file write;
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b4e95b8..1414f6c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
+    apex_scheduling_data_file
     apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
@@ -36,6 +37,7 @@
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
+    apex_scheduling_data_file
     apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..83323c9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
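Review bot: The added `allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };` grants setattr on cgroup_v2 files without saying why, while the cgroup v1 line just above it stays read-only; the only explanation is the fsetid comment in the later dontaudit hunk of this file. A comment on the rule itself would keep the grant self-explaining, e.g. `# setattr: zygote chmods files in the cgroup v2 uid/pid hierarchy (see the fsetid dontaudit below)`. Whether setattr on lnk_file is also needed is not visible from the hunk; if only regular files are chmod'ed, narrowing the class set would be the least-privilege form.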
@@ -190,7 +192,10 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials
@@ -208,6 +213,9 @@
 # Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
 get_prop(zygote, packagemanager_config_prop)
 
+# Allow zygote to read qemu.sf.lcd_density
+get_prop(zygote, qemu_sf_lcd_density_prop)
+
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
 
diff --git a/public/apexd.te b/public/apexd.te
index 429791f..53bc569 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@
 binder_use(apexd)
 add_service(apexd, apex_service)
 
-neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
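Review bot: The `-update_engine` exemptions added to both neverallows carry no comment, whereas the private/update_engine.te hunk explains the access (finding apex_service and calling apexd to reserve space for capex decompression). Since these two neverallows are the policy's statement of who may talk to apexd, a trailing comment such as `# -update_engine: reserves space for capex decompression via apexd` keeps the exemption reviewable, and if this is the work tracked by the b/172911822 TODO in public/update_engine.te, citing it there too would tie the pieces together.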
diff --git a/public/app.te b/public/app.te
index 39d67af..67a996a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -318,6 +318,9 @@
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
 # RenderScript always-passthrough HAL
 allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
 allow appdomain same_process_hal_file:file { execute read open getattr map };
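Review bot: `allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;` omits the spaces inside the braces that the neighbouring camera HAL1 and RenderScript rules use (`{ appdomain -isolated_app }`). Suggest `allow { appdomain -isolated_app } hal_tv_tuner_server:fd use;` so the file stays uniform.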
diff --git a/public/attributes b/public/attributes
index 8ba17cd..384533b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,7 @@
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
+attribute system_suspend_internal_server;
 attribute system_suspend_server;
 attribute wifi_keystore_service_server;
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 13ef1f7..365af78 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -26,6 +26,7 @@
 allow cameraserver batterystats_service:service_manager find;
 allow cameraserver cameraproxy_service:service_manager find;
 allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver sensor_privacy_service:service_manager find;
diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
 # Read access to pseudo filesystems.
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
 
 # Allow to read /sys/class/power_supply directory
 allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
 allow credstore dropbox_service:service_manager find;
 
 r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/device.te b/public/device.te
index d98806a..e2dc511 100644
--- a/public/device.te
+++ b/public/device.te
@@ -117,3 +117,6 @@
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
 type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
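Review bot: `type userdata_sysdev, dev_type;` declares a device type, yet the new public/userdata_sysdev.te hunk gives it `sysfs:filesystem associate` and the init.te and vendor_init.te hunks access it as class `file`, which suggests it labels a node under sysfs rather than a device node in /dev. If so, the attribute the rest of the policy expects for sysfs entries is `sysfs_type` (as for the `sysfs_*` types in file.te), and carrying `dev_type` pulls the type into every rule and neverallow written against dev_type, such as init's `dev_type ... :chr_file setattr` grant in the init.te hunk. If it really is a device node, a comment naming the path it labels would settle this; "Userdata device file for filesystem tunables" does not say where the file lives.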
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
 allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 29b0258..3666fbc 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -403,13 +403,11 @@
 # that could be set from init.rc.
 neverallow { domain -init } kernel:security setsecparam;
 
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
-  -init
-  -shell # For CTS and is restricted to getattr in shell.te
-  -system_server
-  -ueventd
+  -shell # For CTS, restricted to just getattr in shell.te
+  -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
 # b/78174219 b/64114943
 neverallow {
@@ -478,7 +476,9 @@
 
 neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
 neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
 
 # Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
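Review bot: The new `-heapprofd` carve-out from `shell_test_data_file:file *` is not explained, and the follow-up `neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };` shows the intent is read-only access. A one-line comment stating what heapprofd reads there (presumably profiling targets or output under the shell test directory — confirm) would let the next reader judge the exemption. Note that excluding only the no_w/no_x sets still leaves ioctl, lock and similar permissions outside the neverallow; if `r_file_perms` is all heapprofd needs, `neverallow heapprofd shell_test_data_file:file ~r_file_perms;` states that more tightly.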
@@ -685,6 +685,7 @@
     -nfc_service
     -radio_service
     -virtual_touchpad_service
+    -vpnprofilestore_service
     -vr_hwc_service
     -vr_manager_service
     userdebug_or_eng(`-hal_face_service')
@@ -1320,10 +1321,12 @@
 
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
 dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
 selinux_check_access(drmserver)
 
 r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
 r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c5086f..45540b3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index 181979c..4e17f12 100644
--- a/public/file.te
+++ b/public/file.te
@@ -21,6 +21,7 @@
 type proc_bluetooth_writable, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;
@@ -113,6 +114,7 @@
 type sysfs_fs_f2fs, sysfs_type, fs_type;
 type sysfs_fs_incfs_features, sysfs_type, fs_type;
 type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -379,8 +381,10 @@
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
 type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
 type appcompat_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index be9975f..a1f3d7f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,3 +3,4 @@
 binder_call(hal_bootctl_server, hal_bootctl_client)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;
 
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;
 
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
 allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
 r_dir_file(hal_fingerprint, sysfs)
 
 
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 7570188..e56ab99 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,4 +1,5 @@
 binder_call(hal_keymint_client, hal_keymint_server)
 
 hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
 binder_call(hal_keymint_server, servicemanager)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
 allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 77a3317..7361af1 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
 allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
 
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 59e6b4e..1287ca3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
 
 # /config
 allow init configfs:dir mounton;
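Review bot: `allow init cgroup_v2:dir { mounton create_dir_perms};` drops the space before the closing brace that the line it replaces (`{ mounton create_dir_perms }` removed in the previous hunk) and the other brace sets in this file use; suggest `allow init cgroup_v2:dir { mounton create_dir_perms };`. The move of the rule from the mounton list to the cgroup descriptor section is otherwise a pure relocation plus the new `cgroup_v2:file rw_file_perms` grant.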
@@ -308,7 +309,6 @@
   devpts
   dm_device
   hwbinder_device
-  hw_random_device
   input_device
   kmsg_device
   null_device
@@ -323,6 +323,7 @@
 # chown/chmod on devices.
 allow init {
   dev_type
+  -hw_random_device
   -keychord_device
   -port_device
 }:chr_file setattr;
@@ -349,6 +350,7 @@
 
 allow init {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_bootconfig
   proc_cmdline
   proc_diskstats
   proc_kmsg # Open /proc/kmsg for logd service.
@@ -382,6 +384,7 @@
 # init chmod/chown access to /proc files.
 allow init {
   proc_cmdline
+  proc_bootconfig
   proc_kmsg
   proc_net
   proc_pagetypeinfo
@@ -532,10 +535,6 @@
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
 
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
 # Create and access /dev files without a specific type,
 # e.g. /dev/.coldboot_done, /dev/.booting
 # TODO:  Move these files into their own type unless they are
@@ -603,6 +602,9 @@
 # stat the root dir of fuse filesystems (for the mount handler)
 allow init fuse:dir { search getattr };
 
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
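Review bot: `allow init userdata_sysdev:file create_file_perms;` grants the full create/unlink/rename/setattr set on what the device.te hunk describes as a filesystem-tunables device file. If this is a sysfs node (the userdata_sysdev.te hunk associates the type with `sysfs`), files there cannot be created or removed and `rw_file_perms`, or `w_file_perms` if init only writes tunables, is the least-privilege grant; the identical line in the vendor_init.te hunk has the same issue. The comment `# allow filesystem tuning` could also name the sysfs path being written — TODO confirm against the genfs_contexts entry that labels it.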
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
 allow inputflinger input_device:chr_file rw_file_perms;
 
 r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090..ae7ed91 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,16 +13,20 @@
 allow keystore keystore_exec:file { getattr };
 
 add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
+add_service(keystore, usermanager_service)
+add_service(keystore, vpnprofilestore_service)
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
 r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
 
 ###
 ### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
 
 # Allow to read memcg stats
 allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
 
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
 hal_client_domain(mediaextractor, hal_allocator)
 
 r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
 crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
 allow mediametrics system_server:fd use;
 
 r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..4472938 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,9 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
+# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
+allow netd { fs_bpf fs_bpf_tethering }:dir search;
+allow netd { fs_bpf fs_bpf_tethering }:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
 
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/property.te b/public/property.te
index 37884f0..506e985 100644
--- a/public/property.te
+++ b/public/property.te
@@ -191,6 +191,8 @@
 system_public_prop(nfc_prop)
 system_public_prop(ota_prop)
 system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
 system_public_prop(radio_control_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
 allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
 allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
 type sdcardd_exec, system_file_type, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
 allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index 928016b..f6a47bc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
+type remoteprovisioning_service,   service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;
 type storaged_service,          service_manager_type;
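Review bot: `type remoteprovisioning_service,   service_manager_type;` is not padded to the column the surrounding declarations use (`type nfc_service,               service_manager_type;`); the same applies to `type vpnprofilestore_service,   service_manager_type;` in the next hunk, while `type usermanager_service,       service_manager_type;` there is aligned. Pad both to the shared column so the table stays readable.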
@@ -38,8 +39,10 @@
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
+type usermanager_service,       service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
+type vpnprofilestore_service,   service_manager_type;
 type vr_hwc_service,            service_manager_type;
 type vrflinger_vsync_service,   service_manager_type;
 
@@ -113,6 +116,7 @@
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, system_server_service, service_manager_type;
 type game_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -134,6 +138,7 @@
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
 type looper_stats_service, system_server_service, service_manager_type;
 type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -249,6 +254,9 @@
 type hal_power_service, vendor_service, protected_service, service_manager_type;
 type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
 type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
 
diff --git a/public/shell.te b/public/shell.te
index 1e73e49..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,6 +30,7 @@
 allow shell shell_test_data_file:file create_file_perms;
 allow shell shell_test_data_file:file rx_file_perms;
 allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
 
 # Read and delete from /data/local/traces.
 allow shell trace_data_file:file { r_file_perms unlink };
@@ -125,6 +126,7 @@
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index 564ae23..ab8e58a 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1 +1,4 @@
 add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/public/system_suspend_internal_server.te b/public/system_suspend_internal_server.te
new file mode 100644
index 0000000..67bff77
--- /dev/null
+++ b/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+    domain
+    -atrace # tracing
+    -dumpstate # bug reports
+    -system_suspend_internal_server # implements system_suspend_control_internal_service
+    -system_server # configures system_suspend via ISuspendControlServiceInternal
+    -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
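Review bot: Moving `add_service(..., system_suspend_control_internal_service)` from the concrete `system_suspend` domain (removed in the private hunk at the top of this page) to the public attribute `system_suspend_internal_server` means any domain that is granted the attribute may register the internal suspend-control service and is exempt from this neverallow; because the attribute is declared in public/attributes, that appears to include domains defined in vendor policy. Nothing in the visible hunks assigns the attribute, so the file should at least state the expectation, e.g. `# Only the system suspend service is expected to hold this attribute; it serves ISuspendControlServiceInternal.` If vendor implementors are not intended, a neverallow restricting who can hold the attribute would pin that down rather than relying on convention.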
diff --git a/public/te_macros b/public/te_macros
index c6035f8..50532c1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -602,6 +602,7 @@
   allow keystore $1:process getattr;
   allow $1 apc_service:service_manager find;
   allow $1 keystore_service:service_manager find;
+  allow $1 vpnprofilestore_service:service_manager find;
   binder_call($1, keystore)
   binder_call(keystore, $1)
 ')
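Review bot: Adding `allow $1 vpnprofilestore_service:service_manager find;` inside this macro (its start is outside the hunk; from the surrounding keystore rules it appears to be the keystore-client macro) hands every caller of the macro discovery of the VPN profile store, not only the domains that manage VPN profiles. Finding the service does not by itself grant keystore2 operations, but it widens the set of clients that can reach the service's binder interface; the narrower option is a dedicated macro or an explicit `allow <domain> vpnprofilestore_service:service_manager find;` in the few domains that need it. If the broad grant is intentional, a comment on the line saying so would keep it from being read as an oversight.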
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..206d29c 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,6 +29,14 @@
 allow update_engine update_engine_log_data_file:dir create_dir_perms;
 allow update_engine update_engine_log_data_file:file create_file_perms;
 
+# TODO(b/172911822): remove these access when we have transferred
+# reservation responsibility to apexd
+
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow update_engine apex_ota_reserved_file:dir create_dir_perms;
+allow update_engine apex_ota_reserved_file:file create_file_perms;
+allow update_engine apex_data_file:dir search;
+
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
 
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 685317b..a54befb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;
@@ -195,6 +197,9 @@
 allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
 allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
 
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
 # Everything is labeled as rootfs in recovery mode. Vendor init has to execute
 # the dynamic linker and shared libraries.
 recovery_only(`
@@ -233,6 +238,7 @@
 set_prop(vendor_init, logd_prop)
 set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
 set_prop(vendor_init, radio_control_prop)
 set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 0f3f825..98ec3b4 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -12,3 +12,4 @@
 dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
 dontaudit vendor_misc_writer metadata_file:dir search;
 dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 030e572..b6d1443 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -23,6 +23,7 @@
 r_dir_file(vold, metadata_file)
 allow vold {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_bootconfig
   proc_cmdline
   proc_drop_caches
   proc_filesystems
diff --git a/public/wificond.te b/public/wificond.te
index 6a1932b..254fcbc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -35,3 +35,9 @@
 # Allow keystore binder access to serve the HwBinder service.
 allow wificond keystore_service:service_manager find;
 allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+    get_info
+    use
+};
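Review bot: The comment `# Allow keystore2 binder access to serve the HwBinder service.` is copied from the keystore1 comment above it but does not describe the rule it labels: `allow wificond wifi_key:keystore2_key { get_info use };` is a keystore2 key-permission rule on the wifi_key namespace, not a binder or service_manager grant. Suggest `# Allow wificond to use keys in the wifi keystore2 namespace (get_info and use only).` Binder reachability to keystore2 presumably comes from a keystore-client macro elsewhere in wificond.te — confirm, since it is not in this hunk.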
diff --git a/tests/Android.bp b/tests/Android.bp
index 5925fc2..6a86188 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -87,3 +87,8 @@
     ],
     defaults: ["py2_only"],
 }
+
+python_binary_host {
+    name: "check_prop_prefix",
+    srcs: ["check_prop_prefix.py"],
+}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
new file mode 100644
index 0000000..68511ce
--- /dev/null
+++ b/tests/check_prop_prefix.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import sys
+
+# A line should look like:
+# {prop_name} u:object_r:{context_name}:s0
+line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
+
+# Parses a line in property_contexts and return a (prop, ctx) tuple.
+# Raises an error for any malformed entries.
+def parse_line(line):
+    matched = line_regex.match(line)
+    if not matched:
+        raise ValueError('malformed entry "' + line + '" in property_contexts')
+
+    return matched.group(1, 2)
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Finds any violations in property_contexts, with given allowed prefixes. "
+        "If any violations are found, return a nonzero (failure) exit code.")
+    parser.add_argument("--property-contexts", help="Path to property_contexts file.")
+    parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
+        help="Allowed property prefixes. If empty, any properties are allowed.")
+    parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
+        help="Allowed context prefixes. If empty, any contexts are allowed.")
+    parser.add_argument('--strict', action='store_true',
+        help="Make the script fail if any violations are found.")
+
+    return parser.parse_args()
+
+args = parse_args()
+
+violations = []
+
+with open(args.property_contexts, 'r') as f:
+    lines = f.read().split('\n')
+
+for line in lines:
+    tokens = line.strip()
+    # if this line empty or a comment, skip
+    if tokens == '' or tokens[0] == '#':
+        continue
+
+    prop, context = parse_line(line)
+
+    violated = False
+
+    if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
+        violated = True
+
+    if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
+        violated = True
+
+    if violated:
+        violations.append(line)
+
+if len(violations) > 0:
+    print('******************************')
+    print('%d violations found:' % len(violations))
+    print('\n'.join(violations))
+    print('******************************')
+    print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+    print('This is enforced by VTS, so please fix such offending properties.')
+    if args.allowed_property_prefix:
+        print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
+    if args.allowed_context_prefix:
+        print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
+    if args.strict:
+        print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
+        print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
+        print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
+        sys.exit(1)
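Review bot: `--property-contexts` is not marked required, so running the script without it reaches `open(args.property_contexts, 'r')` with None and dies with a TypeError traceback instead of a usage error; `parser.add_argument("--property-contexts", required=True, help="Path to property_contexts file.")` fixes that. The loop strips the line into `tokens` for the blank/comment check but then passes the unstripped `line` to parse_line, whose regex starts with `^(\S+)`, so an indented entry is reported as malformed; `prop, context = parse_line(tokens)` keeps the two consistent. The argparse description promises a nonzero exit code whenever violations are found, but the code only calls `sys.exit(1)` under `--strict`, so either the description should mention the flag or the non-strict path should also exit nonzero. `action="extend"` is only available from Python 3.8, while the neighbouring rule in tests/Android.bp uses `py2_only` defaults and the new python_binary_host entry pins no version, so the interpreter the build selects should be confirmed.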
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d05431c..785f4cb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -73,7 +73,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service        u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service   u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
index d86b7b4..3b86a1b 100644
--- a/vendor/hal_keymint_default.te
+++ b/vendor/hal_keymint_default.te
@@ -4,4 +4,7 @@
 type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymint_default)
 
+hal_attribute_service(hal_keymint, hal_secureclock_service)
+hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+
 get_prop(hal_keymint_default, vendor_security_patch_level_prop);
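Review bot: The two hal_attribute_service lines carry no comment explaining why a KeyMint HAL domain also registers the secureclock and sharedsecret services, which is not obvious from the type names alone; something like `# The default KeyMint HAL also hosts the SecureClock and SharedSecret services.` would let a reader check the grant against the implementation. Presumably the rules are placed on the hal_keymint attribute rather than hal_keymint_default so that vendor KeyMint implementations inherit them; if that is the intent, stating it in the comment would help, and if only the default implementation should serve these, the narrower domain would be the safer target.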