Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / b3eeec1ac93e30d1b7291f6e96048f282b96d0e8^2..b3eeec1ac93e30d1b7291f6e96048f282b96d0e8 / .
commitb3eeec1ac93e30d1b7291f6e96048f282b96d0e8[log] [tgz]
authorJeffrey Vander Stoep <jeffv@google.com>Thu Feb 01 10:07:34 2024 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Feb 01 10:07:34 2024 +0000
tree8ace0ae76ea12951008dd355ab13bb82238297b4
parentd3f08120bcc99f58d31c7f40f70086fea8a2295a [diff]
parent76e2176de8866ba50ec65cd7a9b3b6fc11a19bc1 [diff]
Merge "sepolicy: Grant hal_bluetooth_server to access tcp sockets" into main
diff --git a/Android.bp b/Android.bp
index fe755d4..88107cc 100644
--- a/Android.bp
+++ b/Android.bp

@@ -337,36 +337,6 @@
     product_specific: true,
 }
 
-// HACK to support pre-vFRC vendor blobs
-// TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-se_versioned_policy {
-    name: "plat_mapping_file_10000.0",
-    base: ":plat_pub_policy.cil",
-    mapping: true,
-    version: "10000.0",
-    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
-    name: "system_ext_mapping_file_10000.0",
-    base: ":system_ext_pub_policy.cil",
-    mapping: true,
-    version: "10000.0",
-    filter_out: [":plat_mapping_file"],
-    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
-    system_ext_specific: true,
-}
-
-se_versioned_policy {
-    name: "product_mapping_file_10000.0",
-    base: ":pub_policy.cil",
-    mapping: true,
-    version: "10000.0",
-    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
-    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
-    product_specific: true,
-}
-
 //////////////////////////////////
 // vendor/odm sepolicy
 //////////////////////////////////

diff --git a/Android.mk b/Android.mk
index 8cdedbe..2e327c2 100644
--- a/Android.mk
+++ b/Android.mk

@@ -210,12 +210,6 @@
     plat_sepolicy.cil \
     secilc \
 
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_10000.0
-endif
-
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
 endif
@@ -284,12 +278,6 @@
 LOCAL_REQUIRED_MODULES += \
     system_ext_mapping_file
 
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_10000.0
-endif
-
 system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
 
 LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
 LOCAL_REQUIRED_MODULES += \
     product_mapping_file
 
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_10000.0
-endif
-
 product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
 
 LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
@@ -463,15 +445,13 @@
 # The file_contexts.bin is built in the following way:
 # 1. Collect all file_contexts files in THIS repository and process them with
 #    m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-#    modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
 #    into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
 #    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-#    file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
+#    into file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
 #    file_contexts.bin.
 #
 #  Note: That a newline file is placed between each file_context file found to
@@ -507,10 +487,6 @@
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
 $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
 
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-
 device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -534,8 +510,7 @@
 
 file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
 $(call merge-fc-files,\
-  $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
-  $(file_contexts.concat.tmp))
+  $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -549,7 +524,6 @@
 file_contexts.device.sorted.tmp :=
 file_contexts.device.tmp :=
 file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
 
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of

diff --git a/apex/com.android.webview.bootstrap-file_contexts b/apex/com.android.webview.bootstrap-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.webview.bootstrap-file_contexts

@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9e84fd0..7f1f0be 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -158,6 +158,7 @@
 		"account":            EXCEPTION_NO_FUZZER,
 		"activity":           EXCEPTION_NO_FUZZER,
 		"activity_task":      EXCEPTION_NO_FUZZER,
+		"adaptive_auth":      EXCEPTION_NO_FUZZER,
 		"adb":                EXCEPTION_NO_FUZZER,
 		"adservices_manager": EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_1":   EXCEPTION_NO_FUZZER,
@@ -263,6 +264,7 @@
 		"dumpstate":                                                       EXCEPTION_NO_FUZZER,
 		"dynamic_system":                                                  EXCEPTION_NO_FUZZER,
 		"econtroller":                                                     EXCEPTION_NO_FUZZER,
+		"ecm_enhanced_confirmation":                                       EXCEPTION_NO_FUZZER,
 		"emergency_affordance":                                            EXCEPTION_NO_FUZZER,
 		"euicc_card_controller":                                           EXCEPTION_NO_FUZZER,
 		"external_vibrator_service":                                       EXCEPTION_NO_FUZZER,
@@ -418,7 +420,7 @@
 		"slice":                        EXCEPTION_NO_FUZZER,
 		"smartspace":                   EXCEPTION_NO_FUZZER,
 		"speech_recognition":           EXCEPTION_NO_FUZZER,
-		"stats":                        EXCEPTION_NO_FUZZER,
+		"stats":                        []string{"statsd_service_fuzzer"},
 		"statsbootstrap":               EXCEPTION_NO_FUZZER,
 		"statscompanion":               EXCEPTION_NO_FUZZER,
 		"statsmanager":                 EXCEPTION_NO_FUZZER,

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 9558425..f75312a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test

@@ -200,6 +200,9 @@
 /dev/socket/mdns                                                  mdns_socket
 /dev/socket/mdnsd                                                 mdnsd_socket
 /dev/socket/mtpd                                                  mtpd_socket
+/dev/socket/ot-daemon/                                            ot_daemon_socket
+/dev/socket/ot-daemon/thread-wpan                                 ot_daemon_socket
+/dev/socket/ot-daemon/100                                         ot_daemon_socket
 /dev/socket/pdx/system/buffer_hub                                 pdx_bufferhub_dir
 /dev/socket/pdx/system/buffer_hub/client                          pdx_bufferhub_client_endpoint_socket
 /dev/socket/pdx/system/performance                                pdx_performance_dir
@@ -915,8 +918,10 @@
 /data/misc/apexdata/com.android.permission/test                   apex_system_server_data_file
 /data/misc/apexdata/com.android.scheduling                        apex_system_server_data_file
 /data/misc/apexdata/com.android.scheduling/test                   apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering                         apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering/test                    apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering                         apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/test                    apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork           apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork/test      apex_tethering_data_file
 /data/misc/apexdata/com.android.uwb                               apex_system_server_data_file
 /data/misc/apexdata/com.android.uwb/test                          apex_system_server_data_file
 /data/misc/apexdata/com.android.wifi                              apex_system_server_data_file
@@ -977,6 +982,8 @@
 /data/misc/net/test                                               net_data_file
 /data/misc/network_watchlist                                      network_watchlist_data_file
 /data/misc/network_watchlist/test                                 network_watchlist_data_file
+/data/misc/telephonyconfig                                        radio_data_file
+/data/misc/telephonyconfig/test                                   radio_data_file
 /data/misc/nfc/logs                                               nfc_logs_data_file
 /data/misc/nfc/logs/test                                          nfc_logs_data_file
 /data/misc/odrefresh                                              odrefresh_data_file
@@ -1017,8 +1024,6 @@
 /data/misc/systemkeys/test                                        systemkeys_data_file
 /data/misc/textclassifier                                         textclassifier_data_file
 /data/misc/textclassifier/test                                    textclassifier_data_file
-/data/misc/threadnetwork                                          threadnetwork_data_file
-/data/misc/threadnetwork/test                                     threadnetwork_data_file
 /data/misc/train-info                                             stats_data_file
 /data/misc/train-info/test                                        stats_data_file
 /data/misc/user                                                   misc_user_data_file

diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index f55711e..13ce685 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts

@@ -7,6 +7,9 @@
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0

diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index a9c5f4a..384f5d5 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te

@@ -27,6 +27,5 @@
 set_prop(init_debug_policy, init_debug_policy_prop)
 
 # Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file r_file_perms;
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index b84474a..d1a5c6f 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te

@@ -18,10 +18,8 @@
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
 # microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
-
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
 
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;

diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 57852c2..201a07e 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te

@@ -84,6 +84,7 @@
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
 type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -41,7 +41,7 @@
 neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
 neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
-neverallow { domain -bpfloader                                                                                            -uprobestats } fs_bpf_uprobe_private:file   { getattr read };
+neverallow { domain -bpfloader                                                                                            -uprobestats } fs_bpf_uprobestats:file   { getattr read };
 neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@@ -68,7 +68,7 @@
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
 
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 

diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index aa8a56c..b10103e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil

@@ -1,3 +1,7 @@
+;; types removed from current policy
+(type racoon)
+(type racoon_exec)
+
 ;; mapping information from ToT policy's types to 34.0 policy's types.
 (expandtypeattribute (DockObserver_service_34_0) true)
 (expandtypeattribute (IProxyService_service_34_0) true)

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 583b249..c1cd3ee 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -10,6 +10,7 @@
     ota_build_prop
     snapuserd_log_data_file
     fwk_vibrator_control_service
+    ecm_enhanced_confirmation_service
     hal_authgraph_service
     hal_secretkeeper_service
     hal_codec2_service
@@ -20,6 +21,7 @@
     hidraw_device
     virtual_camera_service
     ot_daemon_service
+    ot_daemon_socket
     pm_archiving_enabled_prop
     remote_auth_service
     security_state_service
@@ -35,4 +37,5 @@
     drm_forcel3_prop
     proc_percpu_pagelist_high_fraction
     vendor_microdroid_file
+    threadnetwork_config_prop
   ))

diff --git a/private/crosvm.te b/private/crosvm.te
index ed89b87..6cd3969 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -45,9 +45,6 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
-# Allow crosvm to mlock guest memory.
-allow crosvm self:capability ipc_lock;
-
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection

diff --git a/private/file.te b/private/file.te
index de2581d..450fe2c 100644
--- a/private/file.te
+++ b/private/file.te

@@ -8,7 +8,7 @@
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
 type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
+type fs_bpf_uprobestats, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -77,12 +77,14 @@
 # /data/misc/apexdata/com.android.virt
 type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.tethering
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
-type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
 # /data/font/files
@@ -134,11 +136,9 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
-# /data/misc/threadnetwork
-type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
 
 # Type for /system/fonts/font_fallback.xm
 type system_font_fallback_file, system_file_type, file_type;

diff --git a/private/file_contexts b/private/file_contexts
index a1bc85f..765bb7b 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -167,6 +167,7 @@
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd	u:object_r:mtpd_socket:s0
+/dev/socket/ot-daemon(/.*)?  u:object_r:ot_daemon_socket:s0
 /dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
 /dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
 /dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
@@ -179,7 +180,6 @@
 /dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/property_service_for_system  u:object_r:property_socket:s0
-/dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
@@ -321,7 +321,6 @@
 /system/bin/dmesgd	u:object_r:dmesgd_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
@@ -625,7 +624,7 @@
 /data/misc/apexdata/com\.android\.virt(/.*)?          u:object_r:apex_virt_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
-/data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_tethering_data_file:s0
 /data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
@@ -657,6 +656,7 @@
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/telephonyconfig(/.*)? u:object_r:radio_data_file:s0
 /data/misc/nfc/logs(/.*)?       u:object_r:nfc_logs_data_file:s0
 /data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
@@ -678,7 +678,6 @@
 /data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
-/data/misc/threadnetwork(/.*)?        u:object_r:threadnetwork_data_file:s0
 /data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 41c60df..6a1caf3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -8,6 +8,7 @@
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
@@ -419,4 +420,4 @@
 genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
+genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0

diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf

@@ -23,6 +23,9 @@
 [@NETWORK_STACK]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
 
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
 [@SHARED]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
 

diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml

@@ -69,4 +69,9 @@
     <signer signature="@NETWORK_STACK" >
       <seinfo value="network_stack" />
     </signer>
+
+    <!-- NFC key in AOSP -->
+    <signer signature="@NFC" >
+      <seinfo value="nfc" />
+    </signer>
 </policy>

diff --git a/private/mediaserver.te b/private/mediaserver.te
index 92ec40d..5fc13a8 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te

@@ -29,3 +29,7 @@
 allow mediaserver stats_service:service_manager find;
 allow mediaserver statsmanager_service:service_manager find;
 binder_call(mediaserver, statsd)
+
+# Allow mediaserver to communicate with Surface provided
+# by virtual camera.
+binder_call(mediaserver, virtual_camera)

diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te

@@ -6,9 +6,9 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf                      fs_bpf_netd_shared               }:file write;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader

diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te

@@ -25,9 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf                    }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf                                  }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip

diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 457e1bf..341fa9c 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te

@@ -12,10 +12,13 @@
 # Allow the ot_daemon to use the net domain.
 net_domain(ot_daemon)
 
-# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
-allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
-allow ot_daemon threadnetwork_data_file:file create_file_perms;
-allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
+allow ot_daemon apex_module_data_file:dir search;
+
+# Allow the ot_daemon to access files and subdirectories under
+# /data/misc/apexdata/com\.android\.tethering
+allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
+allow ot_daemon apex_tethering_data_file:file create_file_perms;
 
 # Allow OT daemon to read/write the Thread tunnel interface
 allow ot_daemon tun_device:chr_file {read write};

diff --git a/private/property.te b/private/property.te
index 87b0446..a098d05 100644
--- a/private/property.te
+++ b/private/property.te

@@ -61,6 +61,7 @@
 system_internal_prop(hypervisor_virtualizationmanager_prop)
 system_internal_prop(game_manager_config_prop)
 system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -342,8 +343,26 @@
   } {
     suspend_prop
   }:property_service set;
+
+  neverallow {
+    domain
+    -init
+  } {
+    suspend_debug_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -init
+    -dumpstate
+    userdebug_or_eng(`-system_suspend')
+    } {
+      suspend_debug_prop
+    }:file no_rw_file_perms;
 ')
 
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
 compatible_property_only(`
   # Neverallow coredomain to set vendor properties
   neverallow {

diff --git a/private/property_contexts b/private/property_contexts
index 8860024..be72223 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -119,6 +119,9 @@
 suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
 suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
 
+# Suspend service debug properties
+suspend.debug.wakestats_log.enabled u:object_r:suspend_debug_prop:s0 exact bool
+
 # Fastbootd protocol control property
 fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
 
@@ -538,6 +541,7 @@
 
 persist.bluetooth.a2dp_offload.cap                          u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
 persist.bluetooth.a2dp_offload.disabled                     u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.leaudio_offload.disabled                  u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.bluetooth.bluetooth_audio_hal.disabled              u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable                             u:object_r:exported_bluetooth_prop:s0 exact bool
 persist.bluetooth.btsnoopdefaultmode                        u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
@@ -1557,7 +1561,6 @@
 persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
 vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
 vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
 vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
 vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
 vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
@@ -1565,8 +1568,9 @@
 vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
 vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
 vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
 vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
 
 # properties for the virtual Fingerprint HAL
@@ -1624,3 +1628,5 @@
 # Properties for app archiving
 pm.archiving.enabled      u:object_r:pm_archiving_enabled_prop:s0 exact bool
 
+# Properties for ThreadNetworkService
+threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string

diff --git a/private/racoon.te b/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/private/racoon.te
+++ /dev/null

@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 957d005..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -184,7 +184,9 @@
 user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro levelFrom=all

diff --git a/private/service.te b/private/service.te
index e97eb8c..36d6ccf 100644
--- a/private/service.te
+++ b/private/service.te

@@ -1,3 +1,4 @@
+type adaptive_auth_service,         system_server_service, service_manager_type;
 type ambient_context_service,       app_api_service, system_server_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
 type bg_install_control_service,    system_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index 5d3aaa7..863ffde 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -139,6 +139,7 @@
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 activity_task                             u:object_r:activity_task_service:s0
+adaptive_auth                             u:object_r:adaptive_auth_service:s0
 adb                                       u:object_r:adb_service:s0
 adservices_manager                        u:object_r:adservices_manager_service:s0
 aidl_lazy_test_1                          u:object_r:aidl_lazy_test_service:s0
@@ -242,6 +243,7 @@
 dumpstate                                 u:object_r:dumpstate_service:s0
 dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
+ecm_enhanced_confirmation                 u:object_r:ecm_enhanced_confirmation_service:s0
 emergency_affordance                      u:object_r:emergency_affordance_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0

diff --git a/private/snapuserd.te b/private/snapuserd.te
index 8cd9e63..3752e01 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te

@@ -33,6 +33,9 @@
 allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
 allow snapuserd snapuserd_proxy_socket:sock_file write;
 
+# Required for setting GID to system while calling SetTaskProfile() API
+allow snapuserd self:global_capability_class_set { setgid };
+
 # This arises due to first-stage init opening /dev/null without F_CLOEXEC
 # (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
 # again, the descriptor leaks into the new process.

diff --git a/private/system_app.te b/private/system_app.te
index e08941d..338d852 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -83,6 +83,12 @@
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
 
+# Allow system apps (Settings) to call into update_engine
+# in order to apply update to switch from 4k kernel to 16K and vice-versa
+binder_use(system_app)
+allow system_app update_engine_stable_service:service_manager find;
+binder_call(system_app, update_engine)
+
 # Allow system app to interact with Dumpstate HAL
 hal_client_domain(system_app, hal_dumpstate)
 

diff --git a/private/system_server.te b/private/system_server.te
index 62430b1..ad45d0e 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -262,7 +262,6 @@
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Allow system_server to write to statsd.
@@ -310,6 +309,7 @@
 hal_client_domain(system_server, hal_audio)
 hal_client_domain(system_server, hal_authgraph)
 hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_bluetooth)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
@@ -1418,19 +1418,19 @@
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+allow system_server apex_tethering_data_file:dir create_dir_perms;
+allow system_server apex_tethering_data_file:file create_file_perms;
 # Legacy labels that we still need to support (b/217581286)
 allow system_server {
   apex_appsearch_data_file
   apex_permission_data_file
   apex_scheduling_data_file
-  apex_tethering_data_file
   apex_wifi_data_file
 }:dir create_dir_perms;
 allow system_server {
   apex_appsearch_data_file
   apex_permission_data_file
   apex_scheduling_data_file
-  apex_tethering_data_file
   apex_wifi_data_file
 }:file create_file_perms;
 
@@ -1565,3 +1565,18 @@
 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)
 
+# ThreadNetworkService reads Thread Network properties
+get_prop(system_server, threadnetwork_config_prop)
+
+# Do not allow any domain other than init and system server to set the property
+neverallow {
+  domain
+  -init
+  -vendor_init
+  -dumpstate
+  -system_server
+} threadnetwork_config_prop:file no_rw_file_perms;
+
+# Allow system server to read pm.archiving.enabled prop
+# TODO(azilio): Remove system property after archiving testing is completed.
+get_prop(system_server, pm_archiving_enabled_prop)

diff --git a/private/system_suspend.te b/private/system_suspend.te
index 683d913..a525866 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te

@@ -22,6 +22,11 @@
 # Access to suspend_hal system properties
 get_prop(system_suspend, suspend_prop)
 
+# Access to system_suspend debug system properties
+userdebug_or_eng(`
+  get_prop(system_suspend, suspend_debug_prop)
+')
+
 # To call BTAA registered callbacks
 allow system_suspend bluetooth:binder call;
 

diff --git a/private/update_engine.te b/private/update_engine.te
index c9511f7..862a62a 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te

@@ -22,6 +22,10 @@
 # Allow update_engine to call the callback function provided by GKI update hook.
 binder_call(update_engine, gki_apex_prepostinstall)
 
+# Allow update_engine to call the callback function by settings app
+# for the kernel update triggered using 16k developer option
+binder_call(update_engine, system_app)
+
 # Allow to communicate with the snapuserd service, for dm-user snapshots.
 allow update_engine snapuserd:unix_stream_socket connectto;
 allow update_engine snapuserd_socket:sock_file write;

diff --git a/private/uprobestats.te b/private/uprobestats.te
index 78595f6..f6dd906 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te

@@ -7,8 +7,8 @@
 # Allow init to start uprobestats.
 init_daemon_domain(uprobestats)
 
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats fs_bpf_uprobestats:file { read write };
+allow uprobestats fs_bpf_uprobestats:dir search;
 allow uprobestats bpfloader:bpf { map_read map_write prog_run };
 allow uprobestats self:capability2 perfmon;
 allow uprobestats self:perf_event { cpu open write };

diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 4c4ac7a..dde98c0 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te

@@ -12,6 +12,15 @@
 binder_call(virtual_camera, cameraserver)
 binder_call(virtual_camera, system_server)
 
+# Allow virtual_camera to communicate with
+# mediaserver (required for using Surface originating
+# from virtual camera in mediaserver).
+binder_call(virtual_camera, mediaserver)
+
+# Required for the codecs to be able to decode
+# video into surface provided by virtual camera.
+hal_client_domain(virtual_camera, hal_codec2)
+hal_client_domain(virtual_camera, hal_omx)
 
 # Allow virtualCamera to call apps via binder.
 binder_call(virtual_camera, appdomain)

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d0fe571..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te

@@ -83,9 +83,9 @@
 allow virtualizationmanager tombstone_data_file:file { append getattr };
 allow virtualizationmanager tombstoned:fd use;
 
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4d8ac6b..972f376 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -29,6 +29,10 @@
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;
 
+# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
+binder_call(virtualizationservice, remote_provisioning_service)
+allow virtualizationservice remote_provisioning_service:service_manager find;
+
 # Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
 # to mlock VM memory and page tables.
 allow virtualizationservice self:capability sys_resource;

diff --git a/public/file.te b/public/file.te
index 01143f7..2a84dd0 100644
--- a/public/file.te
+++ b/public/file.te

@@ -539,6 +539,7 @@
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
 type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
+type ot_daemon_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type recovery_socket, file_type, coredomain_socket;

diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 60cda48..0bdcc23 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te

@@ -29,4 +29,4 @@
 # codec2 aidl graphic buffer allocation waitable object
 allow hal_codec2_server su:fifo_file read;
 allow hal_codec2_server mediaserver:fifo_file read;
-allow hal_codec2_server untrusted_app_all:fifo_file read;
+allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;

diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index cf50e3a..621a0b8 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te

@@ -33,6 +33,7 @@
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
   -hal_nlinterceptor_server
+  -hal_bluetooth_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {

diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index b3b26c1..dc45500 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te

@@ -11,6 +11,9 @@
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+# get aac_drc_* properties
+get_prop(mediaswcodec, aac_drc_prop)
+
 crash_dump_fallback(mediaswcodec)
 
 # mediaswcodec_server should never execute any executable without a

diff --git a/public/property.te b/public/property.te
index b072b5b..c513434 100644
--- a/public/property.te
+++ b/public/property.te

@@ -181,6 +181,7 @@
 system_vendor_config_prop(suspend_prop)
 system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(threadnetwork_config_prop)
 system_vendor_config_prop(tombstone_config_prop)
 system_vendor_config_prop(usb_config_prop)
 system_vendor_config_prop(userspace_reboot_config_prop)

diff --git a/public/racoon.te b/public/racoon.te
deleted file mode 100644
index b0383f0..0000000
--- a/public/racoon.te
+++ /dev/null

@@ -1,27 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)

diff --git a/public/service.te b/public/service.te
index 1c7605e..5c63e9e 100644
--- a/public/service.te
+++ b/public/service.te

@@ -118,6 +118,7 @@
 type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type domain_verification_service, app_api_service, system_server_service, service_manager_type;
 type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
 type external_vibrator_service, system_server_service, service_manager_type;
 type file_integrity_service, app_api_service, system_server_service, service_manager_type;
 type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;