Merge "Remove key migration related changes"
diff --git a/prebuilts/api/33.0/private/bluetooth.te b/prebuilts/api/33.0/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/prebuilts/api/33.0/private/bluetooth.te
+++ b/prebuilts/api/33.0/private/bluetooth.te
@@ -46,6 +46,9 @@
allow bluetooth proc_filesystems:file r_file_perms;
get_prop(bluetooth, incremental_prop)
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 1afa50f..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index af51799..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index b18b7dd..7ca323f 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -39,7 +39,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -88,3 +91,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 6d9d960..ba097f2 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index ea983fd..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -62,9 +62,10 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
app_data_file_type
system_data_file
mnt_expand_file
+ sdk_sandbox_system_data_file
}:dir getattr;
# Allow zygote to create JIT memory.
@@ -235,6 +237,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
-dumpstate_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -46,6 +46,9 @@
allow bluetooth proc_filesystems:file r_file_perms;
get_prop(bluetooth, incremental_prop)
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 4439277..3a096be 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,3 +1,16 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..56e1730 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -91,8 +91,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -111,8 +109,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/domain.te b/private/domain.te
index f95df34..5f369e3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,8 +181,6 @@
-app_zygote
-dexoptanalyzer
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -205,7 +203,6 @@
-appdomain
-app_zygote
-installd
- -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -230,7 +227,6 @@
-system_server
-apexd
-installd
- -iorap_inode2filename
-priv_app
-virtualizationservice
} staging_data_file:dir *;
@@ -243,7 +239,6 @@
-adbd
-kernel
-installd
- -iorap_inode2filename
-priv_app
-shell
-virtualizationservice
@@ -273,7 +268,6 @@
domain
-appdomain
with_asan(`-asan_extract')
- -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -394,8 +388,6 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
traced_perf
traced_probes
heapprofd
@@ -475,8 +467,6 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
@@ -514,8 +504,6 @@
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
@@ -619,7 +607,6 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
- -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 0c45a88..5490059 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,9 +323,6 @@
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -340,7 +337,7 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
+/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
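Review bot: The old `/system/bin/hw/android\.system\.suspend@1\.0-service` entry is dropped instead of kept next to the new `-service` one, so any target still shipping the HIDL binary would have it labeled as plain `system_file`, and init would then most likely fail to exec it into `system_suspend` (init may not run system binaries without a domain transition). If the HIDL service is gone from every build that consumes this policy the rename is fine; otherwise keep both lines during the migration, i.e. re-add `/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0` above the new entry. A short comment such as `# suspend HAL moved from HIDL to AIDL; both binaries share the exec label` would record why two paths map to one type.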
@@ -658,7 +655,6 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -700,6 +696,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
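Review bot: These two entries label only the `sdksandbox` directory itself (there is no `(/.*)?`), so the per-app children that file.te describes as `sdk_sandbox_data_file` get their label from whichever domain creates them — the `relabelfrom` grant to installd in this change suggests installd — rather than from file_contexts. Please confirm that libselinux's restorecon treats `/data/misc_{ce,de}/<user>/sdksandbox` as an app-data path the way it treats `/data/user`; if it does not, a recursive relabel of /data after a policy update would relabel the children to whatever broader /data entry matches. A comment would make the dependence explicit, e.g. `# Only the root is labeled here; installd labels per-app children as sdk_sandbox_data_file`. The regexes themselves are fine, since file_contexts patterns match the full path.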
@@ -779,9 +779,6 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
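Review bot: The comment `# Allow installd manage dirs in /data/misc_ce/0/sdksandbox` names a single user and only the CE path, while the type it grants on covers `/data/misc_{ce,de}/<user>/sdksandbox` for every user (see the file_contexts entries in this change); it should read `# Allow installd to manage per-app dirs under /data/misc_{ce,de}/<user>/sdksandbox`. It would also help to say what `relabelfrom` is for — presumably relabeling newly created children from the inherited parent type to `sdk_sandbox_data_file` — since that is exactly the permission the new sdk_sandbox.te neverallow restricts to a handful of domains.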
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..0aed4d3 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
-system_server
-adbd
-runas
diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..449e987 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -56,6 +56,9 @@
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
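Review bot: `nlmsg_write` on `netlink_xfrm_socket` lets the network stack module add, modify and delete IPsec SAs and policies system-wide, which is considerably more than the `nlmsg_read` dumpstate receives for `ip xfrm policy`, and the one-line comment does not say which feature needs write access. Please name the consumer and whether read-only would do, e.g. `# <feature> programs IPsec SAs/policies directly over XFRM netlink (nlmsg_write needed to add/remove SAs)`; if the module only inspects state, drop `nlmsg_write`. Whether the kernel additionally requires CAP_NET_ADMIN on the write path is governed by network_stack's capability rules outside this hunk.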
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d30d3d9..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
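Review bot: The new comment calls `sdk_sandbox_system_data_file` the "sdk system server directory", but per file.te in this change it is the per-user `/data/misc_{ce,de}/<user>/sdksandbox` root and has nothing to do with system_server; suggest `# allow sandbox to traverse the per-user sdksandbox root (sdk_sandbox_system_data_file)`. The webview rationale for `getattr` is worth keeping, ideally with what in webview stats the directory, because that is the only reason the matching neverallow further down is wider than `search`.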
@@ -154,3 +157,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
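Review bot: The `relabelfrom` neverallow exempts `system_server`, yet the only grant system_server receives in this change is `create_dir_perms` (system_server.te), which does not include `relabelfrom`; the exemption is wider than any rule needs, so drop `-system_server` from the first list and let the neverallow document the real relabeling set (init, installd, vold_prepare_subdirs). The last neverallow blocks only the `file` class while its comment says only dirs should exist at this level — symlinks, sockets and fifos remain unconstrained — so `neverallow { domain -init } sdk_sandbox_system_data_file:notdevfile_class_set *;` would match the stated intent, provided no existing broad `data_file_type` grant trips it. The `~{ getattr search }` rule for sdk_sandbox itself reads correctly and pairs well with the exemption above it.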
diff --git a/private/service_contexts b/private/service_contexts
index 0869b0f..1094151 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,7 +197,6 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..df03566 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@
-dnsresolver_service
-dumpstate_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
@@ -103,7 +102,6 @@
dnsresolver_service
dumpstate_service
installd_service
- iorapd_service
mdns_service
netd_service
virtual_touchpad_service
@@ -113,6 +111,9 @@
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
+# Ignore access to zram when Debug.getMemInfo is called.
+dontaudit system_app sysfs_zram:dir search;
+
allow system_app keystore:keystore_key {
get_state
get
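Review bot: `dontaudit system_app sysfs_zram:dir search` only silences the denial; Debug.getMemInfo will still get EACCES on that path, so the comment should state that the zram lookup is optional and tolerated rather than "ignore access", otherwise a future reader cannot tell noise suppression from a masked bug. Suggest `# Debug.getMemInfo probes sysfs zram; the lookup is best-effort, so suppress the denial rather than grant access.` — assuming the Java side really does handle the failure, which is not visible in this hunk.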
diff --git a/private/system_server.te b/private/system_server.te
index 06cc055..d3b7790 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
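Review bot: `create_dir_perms` gives system_server create/rmdir/rename/write on the sandbox root — the same management powers installd gets in this change — while the file_contexts comment describes the directory as "managed by installd"; if SdkSandboxManagerService only needs to list or stat per-app entries, `r_dir_perms` is the least-privilege choice and keeps directory lifecycle in one domain. If system_server genuinely creates or removes these directories itself, say so in the comment, e.g. `# SdkSandboxManagerService creates/removes per-app dirs under /data/misc_{ce,de}/<user>/sdksandbox`, so the overlap with installd is visibly intentional.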
@@ -177,6 +180,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
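Review bot: This lets system_server rewrite the kernel IPsec SA/SP databases (`nlmsg_write` on XFRM), and `# Use XFRM (IPsec) netlink sockets` does not record which service needs it or why it cannot go through netd like the other network configuration system_server delegates; please expand the comment, e.g. `# <Service> programs IPsec SAs/policies directly over XFRM netlink`. If the consumer only dumps state, `nlmsg_read` alone suffices, as the dumpstate rule in this same change shows.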
@@ -287,7 +293,6 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
binder_call(system_server, netd)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
@@ -903,7 +908,6 @@
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -1423,6 +1427,8 @@
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
diff --git a/private/traced.te b/private/traced.te
index ec31a20..6810c35 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
@@ -41,11 +38,6 @@
binder_use(traced);
binder_call(traced, system_server);
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 24007ed..dcd5a9e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -25,8 +26,9 @@
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
- sdk_sandbox_data_file
storaged_data_file
+ sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
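Review bot: Moving `sdk_sandbox_data_file` below `storaged_data_file` breaks the alphabetical order the rest of this list keeps (fingerprint, iris, rollback, storaged, system, vold); both sdk entries belong before `storaged_data_file`, i.e. `sdk_sandbox_data_file` / `sdk_sandbox_system_data_file` / `storaged_data_file`. This appears to mirror the order in the prebuilt 33.0 copy, but that file is a snapshot and should not drive ordering in the live policy.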
diff --git a/private/zygote.te b/private/zygote.te
index 9368621..baffcc4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -98,12 +98,13 @@
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
@@ -247,6 +248,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index bc3f373..4f60d9d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -950,8 +950,6 @@
-system_lib_file
-system_linker_exec
-crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -1019,7 +1017,6 @@
system_file_type
-crash_dump_exec
-file_contexts_file
- -iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@@ -1192,7 +1189,6 @@
-dumpstate
-init
-installd
- -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..52eb3ff 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -309,9 +309,6 @@
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
diff --git a/public/e2fs.te b/public/e2fs.te
index dd5bd69..20f70d9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,7 +9,7 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
allow e2fs {
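Review bot: `BLKRESETZONE` is destructive — it resets a zone's write pointer and discards the zone's contents — so the allowxperm now lets e2fs erase zones as well as discard ranges; that is consistent with the existing `BLKSECDISCARD`/`BLKDISCARD` grants for mkfs, but a comment such as `# zoned block devices: report zones and reset (erase) them during mkfs` would record why both are needed, given that fsck.te in this same change deliberately receives only `BLKREPORTZONE`.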
diff --git a/public/file.te b/public/file.te
index 009e86d..f0ddb37 100644
--- a/public/file.te
+++ b/public/file.te
@@ -452,7 +452,6 @@
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..4fb3817 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -32,6 +32,7 @@
allowxperm fsck dev_type:blk_file ioctl {
BLKDISCARDZEROES
BLKROGET
+ BLKREPORTZONE
};
# To determine if it is safe to run fsck on a filesystem, e2fsck
@@ -48,8 +49,10 @@
allow fsck {
proc_mounts
proc_swaps
+ sysfs_dm
}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
###
### neverallow rules
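Review bot: The new `sysfs_dm` grants (the entry in the `:file` list and `allow fsck sysfs_dm:dir r_dir_perms`) carry no comment, unlike the neighbouring proc_mounts/proc_swaps rules whose purpose is explained above them; add one stating what fsck reads there, e.g. `# Read dm device attributes under sysfs (presumably zone/queue information for zoned targets)`, hedged because the attribute actually consumed is not visible here. It would also read better to place the `:dir` rule directly after the `:file` list instead of after the unrelated rootfs line.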
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 04d0b59..c7049fd 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -7,6 +7,8 @@
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
+allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks gpu_device:dir r_dir_perms;
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
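Review bot: The two new rules target the `hal_neuralnetworks` attribute, which — if I recall the `hal_client_domain` macro correctly — is attached to every client domain (including appdomain) as well as the server, so they widen GPU device access to all NNAPI clients rather than only the HAL process; if the intent is for the NN service itself to drive the GPU, `hal_neuralnetworks_server` is the narrower subject, as the `app_data_file` rule just below already uses. If same-process/passthrough operation genuinely requires clients to open the GPU device, keep the attribute but say so, e.g. `# NN HAL (incl. same-process clients) drives accelerators through the GPU device`.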
diff --git a/public/init.te b/public/init.te
index cc28098..d99172f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -214,7 +214,6 @@
-app_data_file
-credstore_data_file
-exec_type
- -iorapd_data_file
-keystore_data_file
-media_userdir_file
-misc_logd_file
@@ -236,7 +235,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -263,7 +261,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -283,7 +280,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 11f7f3e..1e79682 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -166,6 +166,8 @@
define(`BLKPG', `0x00001269')
define(`BLKRAGET', `0x00001263')
define(`BLKRASET', `0x00001262')
+define(`BLKREPORTZONE', `0xc0101282')
+define(`BLKRESETZONE', `0x40101283')
define(`BLKROGET', `0x0000125e')
define(`BLKROSET', `0x0000125d')
define(`BLKROTATIONAL', `0x0000127e')
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 0000000..0671c34
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
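Review bot: `type iorapd;` and the other two are declared as bare types with no `domain` attribute, so device policy that still has `allow iorapd ...` rules keeps compiling, but "for now" comes with no removal plan or bug reference; add `# TODO(b/<bug>): remove once device policies no longer reference iorap types` so this does not become permanent. Note also that the same three names appear in compat/33.0/33.0.cil as "types removed from current policy", so the build is presumably relying on secilc's multiple-declarations mode to accept both; one place should be authoritative, and if these public declarations stay, the cil entries for the three domain types look redundant.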
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0c..0000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/service.te b/public/service.te
index 0fd2360..8dc3e04 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,7 +19,6 @@
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4175c86..8570260 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,7 +84,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
diff --git a/public/traced.te b/public/traced.te
index 922d46e..48da0d8 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
type traced, domain, coredomain, mlstrustedsubject;
type traced_tmpfs, file_type;
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150d..22f6c3b 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/public/vold.te b/public/vold.te
index 07f0fd3..41f95d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -156,7 +156,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
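Review bot: The widened `allowxperm` line adds `BLKRESETZONE`, which rewinds a zone's write pointer and discards that zone's contents, next to the read-only `BLKREPORTZONE`, with no comment distinguishing the destructive one; nothing in the surrounding block mentions zoned devices. The grant covers `dm_device` only, so the same ioctls on `vold_device` (the line above still lists just `BLKDISCARD BLKGETSIZE`) stay denied, which is presumably intended but worth stating. Suggest a comment above the changed line: `# Zoned block devices: BLKREPORTZONE is read-only; BLKRESETZONE resets a zone's write pointer and destroys its data, so it belongs with the discard ioctls.`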
@@ -334,7 +334,6 @@
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
- -iorapd_service
-keystore
-servicemanager
-system_server