diff --git a/Android.mk b/Android.mk
index bd93326..4e4a641 100644
--- a/Android.mk
+++ b/Android.mk
@@ -316,6 +316,11 @@
     selinux_denial_metadata \
 
 endif
+
+# Builds an addtional userdebug sepolicy into the debug ramdisk.
+LOCAL_REQUIRED_MODULES += \
+    userdebug_plat_sepolicy.cil \
+
 include $(BUILD_PHONY_PACKAGE)
 
 #################################
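Review bot: The new `userdebug_plat_sepolicy.cil \` entry ends with a continuation backslash that is followed by an empty added line, so the `LOCAL_REQUIRED_MODULES` append only parses cleanly because that blank line happens to be there; writing the last item as `    userdebug_plat_sepolicy.cil` without the trailing `\` makes it robust to later edits. The comment also misspells "additional" as `addtional`. The append sits after the `endif`, whose condition is outside the hunk, so it appears to apply to every build variant rather than only the ones guarded above; if that is intended, saying so in the comment, e.g. `# Builds an additional userdebug sepolicy into the debug ramdisk (all variants)`, would avoid the question. The enclosing module definition starts outside the hunk.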
@@ -517,6 +522,47 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(HOST_OUT_EXECUTABLES)/secilc \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+  $(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+		$(POLICYVERS) -o $@.tmp $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+	$(hide) mv $@.tmp $@
+
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
 ifdef HAS_PRODUCT_SEPOLICY
 LOCAL_MODULE := product_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
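Review bot: The `$(userdebug_plat_policy.conf)` recipe writes `$@.dontaudit` as a side effect, but no rule names that file as its target, so nothing can depend on it and make cannot tell when it is stale; if it is only a by-product kept for inspection, a comment such as `# $@.dontaudit is a debugging by-product, not a build input` would say so, otherwise it deserves its own rule. `$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` is expanded twice, once for `PRIVATE_ADDITIONAL_CIL_FILES` and once in the prerequisite list; hoisting it into a scoped variable like `userdebug_plat_cil_workaround_files := $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` and using it in both places keeps the two from drifting apart. `cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp` would read stdin if that list ever expands to nothing; this presumably mirrors the existing plat_sepolicy.cil rule elsewhere in the file, but `$(if $(PRIVATE_ADDITIONAL_CIL_FILES),cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp)` makes the empty case explicit. The comment `# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil` is missing "of" before `plat_sepolicy.cil`.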
diff --git a/private/apexd.te b/private/apexd.te
index b3aabea..d0ec9f4 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,6 +50,10 @@
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
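Review bot: The added comment `# allow apexd to read files from /vendor/apex` is lowercase while the neighbouring comments in this file, such as `# Unmount and mount filesystems`, are capitalised; `# Allow apexd to read files from /vendor/apex` matches the existing style. The two rules could also be expressed with the `r_dir_file(apexd, vendor_apex_file)` macro used elsewhere in this change (idmap.te), but as far as I recall that macro also grants `lnk_file` read, so the explicit pair is the right choice if symlink access is not wanted and a short comment could say that is why the macro was not used.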
diff --git a/private/bug_map b/private/bug_map
index a69fc52..4b29fde 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -26,8 +26,6 @@
 system_server sdcardfs file 77856826
 system_server storage_stub_file dir 112609936
 system_server zygote process 77856826
-untrusted_app_27 mnt_user_file dir 118185801
 usbd usbd capability 72472544
 vold system_data_file file 124108085
-vrcore_app mnt_user_file dir 118185801
 zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9..3c6ba08 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -195,6 +195,7 @@
     usbd
     usbd_exec
     usbd_tmpfs
+    vendor_apex_file
     vendor_init
     vendor_shell
     vold_metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f8..3b9bd52 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -171,6 +171,7 @@
     usbd
     usbd_exec
     usbd_tmpfs
+    vendor_apex_file
     vendor_default_prop
     vendor_init
     vendor_security_patch_level_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2ea4d2c..f07103d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -137,6 +137,7 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
+    vendor_apex_file
     vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file
diff --git a/private/file_contexts b/private/file_contexts
index 4f0690b..9e7bba7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,6 +352,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
+/vendor/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
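Review bot: The new entry `/vendor/apex(/[^/]+){0,2}` uses a bare `/vendor` prefix while every neighbouring entry matches `/(vendor|system/vendor)/...`, so on a device where vendor lives under /system the APEX directory would not receive this label; `/(vendor|system/vendor)/apex(/[^/]+){0,2}      u:object_r:vendor_apex_file:s0` would be consistent with the rest of the file. The `{0,2}` depth bound also means anything nested deeper than two components under /vendor/apex presumably falls back to whatever the broader vendor rule assigns; if that is deliberate (only the APEX packages themselves, not extracted contents), a comment like `# Vendor APEX packages, at most two levels below /vendor/apex` would record the intent.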
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96..ca3b515 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 
 # For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
 
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
diff --git a/public/domain.te b/public/domain.te
index 634a5c5..a415646 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1003,6 +1003,7 @@
     vendor_file_type
     -same_process_hal_file
     -vendor_app_file
+    -vendor_apex_file
     -vendor_configs_file
     -vendor_framework_file
     -vendor_idc_file
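Review bot: Adding `-vendor_apex_file` to this exclusion list exempts the whole type from whatever rule the list feeds; the rule header is outside the hunk, but the surrounding `vendor_file_type` minus-list reads like a neverallow on vendor files, in which case the exemption applies to every domain the rule covers rather than just the two that need /vendor/apex in this change (apexd and kernel). If the exemption has to be type-wide because of how the neverallow is written, a comment naming the intended consumers, e.g. `# vendor_apex_file: read by apexd and by the kernel loop driver` on the line above the entry, would record the scope for later reviews.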
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 1db4694..2906b5b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,10 @@
   hal_graphics_composer_server
   hal_health_server
   hal_omx_server
+  hal_power_server
   hal_power_stats_server
   hal_sensors_server
+  hal_thermal_server
   hal_vr_server
 }:process signal;
 
diff --git a/public/file.te b/public/file.te
index c8953de..d906b7f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -286,6 +286,8 @@
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c2549ff..1ef6cad 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -8,6 +8,7 @@
 
 # Allow NN HAL service to use a client-provided fd residing in /data/data/.
 allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
 
 # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
 allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
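Review bot: The comment `# Allow NN HAL service to use a client-provided fd residing in /data/data/.` now heads two rules but only describes the first; since privileged apps' data files carry a separate type, `# Allow NN HAL service to use a client-provided fd residing in /data/data/ (regular or privileged app data).` covers both. It is also worth stating in the comment that neither permission set includes `open`, so the HAL cannot open these files itself and can only use an fd the client passed in, as that is the property a reviewer checks first for a grant on app data.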
diff --git a/public/idmap.te b/public/idmap.te
index d76558a..92c649c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,7 +2,7 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
-# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file create_file_perms;
@@ -15,6 +15,10 @@
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
 
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
 # Allow apps access to /vendor/app
 r_dir_file(idmap, vendor_app_file)
 
diff --git a/public/init.te b/public/init.te
index bde7ac6..c5b88d2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -52,8 +52,8 @@
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
 
 # Access pty created for fsck.
 allow init devpts:chr_file { read write open };
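Review bot: The new comment says init must `load /debug_ramdisk/* files`, but the rule grants only `{ getattr unlink }` on tmpfs:file, which lets init stat the files, not read them; if the read happens through another path (a different type or domain), the comment should say so, e.g. `# Remove /dev/.booting and stat /debug_ramdisk/* files (both live on tmpfs)`. Because the grant is on the generic `tmpfs` type rather than a label specific to /debug_ramdisk, it applies to every unlabelled tmpfs file init touches; a dedicated type would be tighter, though that may be out of scope here.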
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2..99ad014 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -85,8 +85,11 @@
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+  apex_data_file
+  staging_data_file
+  vendor_apex_file
+}:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 77aefe1..dbdb051 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -68,6 +68,7 @@
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
 allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 859cb65..c4a9136 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
@@ -147,6 +148,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
 # only netd can create the bpf maps
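Review bot: The comment `# only system_server, dumpstate and network stack app may find dnsresolver service` is stale now that the hunk below it adds `-netutils_wrapper` to the exemption list; `# only system_server, dumpstate, network stack app and netutils_wrapper may find dnsresolver service` keeps it accurate. The first hunk in this file makes the same change to the netd_service neverallow and its header comment is outside that hunk, so it likely needs the same update. Each exemption widens who may reach netd over binder, so keeping the comment's allow-list in sync with the rule is what keeps these neverallows reviewable.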
diff --git a/public/property_contexts b/public/property_contexts
index 5bf95e5..0884f87 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -270,6 +270,7 @@
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
 ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
 ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
 ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
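Review bot: `ro.build.ab_update` is declared `exact string`; if the property only ever carries `true`/`false`, as its name suggests, `exact bool` (the type used for `ro.config.low_ram` two lines below) would let the property checker reject any other value: `ro.build.ab_update u:object_r:exported_default_prop:s0 exact bool`. If non-boolean values do occur in the field, `string` is right but a short comment saying why would stop the next reader from tightening it.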
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 8890ca0..390ec0b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -39,6 +39,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service            u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service   u:object_r:hal_power_stats_default_exec:s0
