diff --git a/apex/Android.bp b/apex/Android.bp
index 2dcae6f..7203d9d 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -24,11 +24,6 @@
 // TODO(b/236681553): Remove com.android.bluetooth-file_contexts
 
 filegroup {
-  name: "apex_file_contexts_files",
-  srcs: ["*-file_contexts"],
-}
-
-filegroup {
   name: "apex.test-file_contexts",
   srcs: [
     "apex.test-file_contexts",
@@ -43,6 +38,13 @@
 }
 
 filegroup {
+  name: "com.android.threadnetwork-file_contexts",
+  srcs: [
+    "com.android.threadnetwork-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.sdkext-file_contexts",
   srcs: [
     "com.android.sdkext-file_contexts",
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
new file mode 100644
index 0000000..1aabee9
--- /dev/null
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -0,0 +1,4 @@
+(/.*)?                         u:object_r:system_file:s0
+/bin/otbr-agent                u:object_r:ot_daemon_exec:s0
+/bin/ot-ctl                    u:object_r:ot_ctl_exec:s0
+/bin/ot-rcp                    u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 587fe91..2416dc9 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -18,7 +18,6 @@
 	"fmt"
 	"io"
 	"os"
-	"strings"
 
 	"github.com/google/blueprint"
 	"github.com/google/blueprint/proptools"
@@ -50,15 +49,6 @@
 	Recovery_available *bool
 }
 
-type fileContextsProperties struct {
-	// flatten_apex can be used to specify additional sources of file_contexts.
-	// Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
-	// entries.
-	Flatten_apex struct {
-		Srcs []string `android:"path"`
-	}
-}
-
 type seappProperties struct {
 	// Files containing neverallow rules.
 	Neverallow_files []string `android:"path"`
@@ -70,13 +60,12 @@
 type selinuxContextsModule struct {
 	android.ModuleBase
 
-	properties             selinuxContextsProperties
-	fileContextsProperties fileContextsProperties
-	seappProperties        seappProperties
-	build                  func(ctx android.ModuleContext, inputs android.Paths) android.Path
-	deps                   func(ctx android.BottomUpMutatorContext)
-	outputPath             android.Path
-	installPath            android.InstallPath
+	properties      selinuxContextsProperties
+	seappProperties seappProperties
+	build           func(ctx android.ModuleContext, inputs android.Paths) android.Path
+	deps            func(ctx android.BottomUpMutatorContext)
+	outputPath      android.Path
+	installPath     android.InstallPath
 }
 
 var (
@@ -164,7 +153,6 @@
 	m := &selinuxContextsModule{}
 	m.AddProperties(
 		&m.properties,
-		&m.fileContextsProperties,
 		&m.seappProperties,
 	)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
@@ -304,26 +292,6 @@
 	if m.properties.Fc_sort == nil {
 		m.properties.Fc_sort = proptools.BoolPtr(true)
 	}
-
-	rule := android.NewRuleBuilder(pctx, ctx)
-
-	if ctx.Config().FlattenApex() {
-		for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
-			out := pathForModuleOut(ctx, "flattened_apex", path.Rel())
-			apex_path := "/system/apex/" + strings.Replace(
-				strings.TrimSuffix(path.Base(), "-file_contexts"),
-				".", "\\\\.", -1)
-
-			rule.Command().
-				Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
-				Input(path).
-				FlagWithOutput("> ", out)
-
-			inputs = append(inputs, out)
-		}
-	}
-
-	rule.Build(m.Name(), "flattened_apex_file_contexts")
 	return m.buildGeneralContexts(ctx, inputs)
 }
 
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eef4ea..fae0106 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -153,15 +153,15 @@
 		"aidl_lazy_cb_test":  EXCEPTION_NO_FUZZER,
 		"alarm":              EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/default":          EXCEPTION_NO_FUZZER,
-		"android.os.UpdateEngineService":                                  EXCEPTION_NO_FUZZER,
-		"android.os.UpdateEngineStableService":                            EXCEPTION_NO_FUZZER,
+		"android.os.UpdateEngineService":                                  []string{"update_engine_service_fuzzer"},
+		"android.os.UpdateEngineStableService":                            []string{"update_engine_service_fuzzer"},
 		"android.frameworks.automotive.display.ICarDisplayProxy/default":  EXCEPTION_NO_FUZZER,
 		"android.security.apc":                                            EXCEPTION_NO_FUZZER,
 		"android.security.authorization":                                  []string{"authorization_service_fuzzer"},
 		"android.security.compat":                                         EXCEPTION_NO_FUZZER,
 		"android.security.dice.IDiceMaintenance":                          EXCEPTION_NO_FUZZER,
 		"android.security.dice.IDiceNode":                                 EXCEPTION_NO_FUZZER,
-		"android.security.identity":                                       EXCEPTION_NO_FUZZER,
+		"android.security.identity":                                       []string{"credstore_service_fuzzer"},
 		"android.security.keystore":                                       EXCEPTION_NO_FUZZER,
 		"android.security.legacykeystore":                                 EXCEPTION_NO_FUZZER,
 		"android.security.maintenance":                                    EXCEPTION_NO_FUZZER,
@@ -458,7 +458,7 @@
 		"wifip2p":                      EXCEPTION_NO_FUZZER,
 		"wifiscanner":                  EXCEPTION_NO_FUZZER,
 		"wifi":                         EXCEPTION_NO_FUZZER,
-		"wifinl80211":                  EXCEPTION_NO_FUZZER,
+		"wifinl80211":                  []string{"wificond_service_fuzzer"},
 		"wifiaware":                    EXCEPTION_NO_FUZZER,
 		"wifirtt":                      EXCEPTION_NO_FUZZER,
 		"window":                       EXCEPTION_NO_FUZZER,
diff --git a/contexts/Android.bp b/contexts/Android.bp
index d5cd8ae..5982ae6 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -79,10 +79,6 @@
             srcs: [":file_contexts_overlayfs_files{.plat_private}"],
         },
     },
-
-    flatten_apex: {
-        srcs: [":apex_file_contexts_files"],
-    },
 }
 
 file_contexts {
@@ -97,11 +93,6 @@
             srcs: [":file_contexts_overlayfs_files{.plat_private}"],
         },
     },
-
-    flatten_apex: {
-        srcs: [":apex_file_contexts_files"],
-    },
-
     recovery: true,
 }
 
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 12bb8f7..f24f31d 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -233,7 +233,7 @@
 
 se_policy_binary {
     name: "microdroid_precompiled_sepolicy",
-    stem: "precompiled_sepolicy",
+    stem: "microdroid_precompiled_sepolicy",
     srcs: [
         ":microdroid_plat_sepolicy.cil",
         ":microdroid_plat_mapping_file",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c940eca..118425a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -252,6 +252,10 @@
 # Properties that microdroid doesn't have but some still want to read.
 dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
 
+# Allow all processes to "read" non_existing_prop to suppress libc's access denial logs.
+# dontaudit is not enough; it's still fine because they can't be written, by neverallow rules
+get_prop(domain, non_existing_prop)
+
 ###
 ### neverallow rules
 ###
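Review bot: `get_prop(domain, non_existing_prop)` makes every property carrying the non_existing_prop label readable by every domain, and the property_contexts hunks in this commit assign that label to real property names such as ro.serialno, ro.product.*, persist.adb.* and persist.arm64.memtag.; the working assumption is that none of these are ever set in microdroid, but if one is populated its value becomes world-readable. That assumption should be recorded next to the rule, e.g. `# Assumes no property labelled non_existing_prop is ever set in microdroid; if one is, it is readable by every domain.`, since the neverallow added in property.te covers only `set`, not the read side. The same point applies to both property_contexts hunks.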
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index de32003..98c483a 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -5,6 +5,7 @@
 system_public_prop(dalvik_dynamic_config_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(non_existing_prop)
 
 typeattribute dalvik_config_prop         dalvik_config_prop_type;
 typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
@@ -61,3 +62,8 @@
     -microdroid_manager
     -crash_dump
 } {microdroid_config_prop}:file no_rw_file_perms;
+
+neverallow {
+    domain
+    -init
+} non_existing_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index e74d6d2..2bd5a22 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -145,6 +145,7 @@
 libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
 
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.             u:object_r:non_existing_prop:s0 prefix string
 
 persist.sys.timezone u:object_r:timezone_prop:s0 exact string
 
@@ -171,3 +172,21 @@
 dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_dynamic_config_prop:s0 exact int
 
 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+# These non_existing_prop properties are unused in microdroid, but added here to suppress libc's
+# access denial logs.
+libc.debug.gwp_asan.              u:object_r:non_existing_prop:s0 prefix string
+persist.libc.debug.gwp_asan.      u:object_r:non_existing_prop:s0 prefix string
+persist.adb.tls_server.enable     u:object_r:non_existing_prop:s0 exact bool
+persist.adb.watchdog.timeout_secs u:object_r:non_existing_prop:s0 exact int
+persist.adb.watchdog              u:object_r:non_existing_prop:s0 exact bool
+persist.device_config.            u:object_r:non_existing_prop:s0 prefix string
+persist.sys.test_harness          u:object_r:non_existing_prop:s0 exact bool
+ro.arch                           u:object_r:non_existing_prop:s0 exact string
+ro.boot.vsock_tombstone_port      u:object_r:non_existing_prop:s0 exact int
+ro.product.device                 u:object_r:non_existing_prop:s0 exact string
+ro.product.model                  u:object_r:non_existing_prop:s0 exact string
+ro.product.name                   u:object_r:non_existing_prop:s0 exact string
+ro.product.vndk.version           u:object_r:non_existing_prop:s0 exact string
+ro.secure                         u:object_r:non_existing_prop:s0 exact bool
+ro.serialno                       u:object_r:non_existing_prop:s0 exact string
diff --git a/private/apexd.te b/private/apexd.te
index b74d4ee..f158ef6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -102,8 +102,8 @@
 allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+r_dir_file(apexd, vendor_apex_file)
+r_dir_file(apexd, vendor_apex_metadata_file)
 
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
diff --git a/private/app.te b/private/app.te
index 754c802..3f8560a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -47,6 +47,7 @@
 get_prop(appdomain, dck_prop)
 get_prop(appdomain, persist_wm_debug_prop)
 get_prop(appdomain, persist_sysui_builder_extras_prop)
+get_prop(appdomain, persist_sysui_ranking_update_prop)
 
 # Allow the heap dump ART plugin to the count of sessions waiting for OOME
 get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 6552d63..e3869cd 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -20,6 +20,9 @@
 # For JIT
 allow app_zygote self:process execmem;
 
+# Allow exec mapping from tmpfs (memfds) for binary translation
+allow app_zygote app_zygote_tmpfs:file execute;
+
 # Allow app_zygote to stat the files that it opens. It must
 # be able to inspect them so that it can reopen them on fork
 # if necessary: b/30963384.
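Review bot: `allow app_zygote app_zygote_tmpfs:file execute;` lets app_zygote execute tmpfs-backed files that it can itself write, so its practical effect overlaps with the `execmem` granted two lines above; the comment should say why execmem alone is insufficient, e.g. `# Translated code is mapped from memfds, which are file-backed tmpfs mappings and therefore need file execute rather than execmem.` Please also confirm whether domain.te carries a neverallow on tmpfs file execute that would need an app_zygote exemption — that rule is not visible in this diff.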
@@ -74,6 +77,8 @@
 
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
+# Allow app_zygote to read vendor_overlay_file from vendor apex as well
+allow app_zygote vendor_apex_metadata_file:dir { getattr search };
 
 allow app_zygote system_data_file:lnk_file r_file_perms;
 allow app_zygote system_data_file:file { getattr read map };
diff --git a/private/artd.te b/private/artd.te
index ef54d8c..5fcd43a 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -39,9 +39,11 @@
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
 
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
 allow artd oemfs:dir { getattr search };
 r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
 
 # Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
 r_dir_file(artd, vendor_framework_file)
diff --git a/private/atrace.te b/private/atrace.te
index 50ab392..1712648 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -77,3 +77,5 @@
   allow atrace debugfs_tracing_debug:dir r_dir_perms;
   allow atrace debugfs_tracing_debug:file rw_file_perms;
 ')
+
+dontaudit atrace debugfs_tracing_debug:file audit_access;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 8fa3985..204048e 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2544,7 +2544,10 @@
 (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
 (typeattributeset vendor_app_file_33_0 (vendor_app_file))
 (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_configs_file_33_0
+  ( vendor_configs_file
+    vendor_apex_metadata_file
+))
 (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
 (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
 (typeattributeset vendor_file_33_0 (vendor_file))
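Review bot: folding the new vendor_apex_metadata_file into `vendor_configs_file_33_0` means any 33.0 vendor domain that could read vendor_configs_file can now read vendor apex metadata as well, and the choice is not explained; `vendor_apex_file_33_0` on the line above would be the more obvious parent if these files live inside vendor apexes. A short comment recording why vendor_configs_file is the right 33.0 mapping (presumably the files carried that label before this type existed — not verifiable here) would help the next compat update.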
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index c73eefa..d84d8ea 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -57,6 +57,7 @@
     ota_build_prop
     permissive_mte_prop
     persist_sysui_builder_extras_prop
+    persist_sysui_ranking_update_prop
     prng_seeder
     recovery_usb_config_prop
     remote_provisioning_service
diff --git a/private/crosvm.te b/private/crosvm.te
index f1012b7..8a6bd24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -69,6 +69,7 @@
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
 allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
+allow crosvm devpts:chr_file { read write getattr ioctl };
 
 # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
 dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
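Review bot: `allow crosvm devpts:chr_file { read write getattr ioctl };` grants every ioctl on the generic devpts type with no `allowxperm` allowlist, and the same rule is added to virtualizationmanager.te in this commit. Since the purpose is piping console output to an adb shell, restricting ioctl to the terminal ioctls that path actually uses, `allowxperm crosvm devpts:chr_file ioctl { <ioctls used by console logging> };`, keeps the grant to its stated purpose; if the policy already has a tty ioctl macro, reuse that. A comment noting that the devpts fd is inherited from adbd (per the `adbd:fd use` line above) would also help.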
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 2299ba0..4f15d5a 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
 
 # Create /data/system/environ/classpath file
 allow derive_classpath environ_system_data_file:dir rw_dir_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index f46c614..c47f0a5 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
 
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 23f7444..379e32c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -12,6 +12,8 @@
 allow dex2oat vendor_framework_file:file { getattr open read map };
 # Access /vendor/overlay
 r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
 
 allow dex2oat tmpfs:file { read getattr map };
 
diff --git a/private/domain.te b/private/domain.te
index f98a285..692c962 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -609,6 +609,7 @@
     -same_process_hal_file
     -vendor_app_file
     -vendor_apex_file
+    -vendor_apex_metadata_file
     -vendor_configs_file
     -vendor_service_contexts_file
     -vendor_framework_file
diff --git a/private/file.te b/private/file.te
index f6781b0..e48fc4c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -131,5 +131,8 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
 # /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9c51e4..123e4ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -655,6 +655,7 @@
 /data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)?        u:object_r:threadnetwork_data_file:s0
 /data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index fd083c2..9554a76 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -6,8 +6,8 @@
 /data/asan/odm/lib64(/.*)?                 u:object_r:system_lib_file:s0
 /data/asan/product/lib(/.*)?               u:object_r:system_lib_file:s0
 /data/asan/product/lib64(/.*)?             u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib(/.*)?     u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib64(/.*)?   u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib(/.*)?     u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib64(/.*)?   u:object_r:system_lib_file:s0
 /system/asan.options           u:object_r:system_asan_options_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
 /system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 7e78c19..bd46ca4 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,6 +19,9 @@
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to read apex_manifest.pb file from vendor apex
+r_dir_file(linkerconfig, vendor_apex_metadata_file)
+
 # Allow linkerconfig to be called in the otapreopt_chroot
 allow linkerconfig otapreopt_chroot:fd use;
 allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index bfb264e..5871bea 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -20,6 +20,9 @@
 # Read ro.tuner.lazyhal
 get_prop(mediatuner, tuner_config_prop)
 
+# Read tuner.server.enable
+get_prop(mediatuner, tuner_server_ctl_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..12e7ce2
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,11 @@
+#
+# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(ot_ctl)
+
+# Allow the ot_ctl to read/write the socket file.
+allow ot_ctl threadnetwork_data_file:sock_file {read write};
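Review bot: ot_ctl is given `read write` on the socket file (`allow ot_ctl threadnetwork_data_file:sock_file {read write};`) but nothing that lets it actually connect to the daemon's socket, so the connection will be denied at the socket level. Something like `allow ot_ctl ot_daemon:unix_stream_socket connectto;` (or `unix_dgram_socket sendto`, depending on which socket type ot_daemon creates — not visible here) is needed, plus `search` on the `threadnetwork_data_file` directory to reach the path. Separately, `init_daemon_domain(ot_ctl)` only sets up the init → ot_ctl transition, which is unusual for what the header describes as a command-line tool; if it is meant to be run from shell, a transition from that domain is needed instead, so please confirm the intended invocation. The header comment also misspells "controlling".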
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
new file mode 100644
index 0000000..0f6f1d3
--- /dev/null
+++ b/private/ot_rcp.te
@@ -0,0 +1,15 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
+#
+
+type ot_rcp, domain, coredomain;
+type ot_rcp_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+allow ot_rcp ot_daemon:fd use;
+allow ot_rcp ot_daemon:fifo_file rw_file_perms;
+allow ot_rcp ot_daemon_devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp node:udp_socket node_bind;
+')
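Review bot: ot_rcp creates and binds UDP sockets (`self:udp_socket`, `port:udp_socket name_bind`, `node:udp_socket node_bind`) without `net_domain()`; if domain.te restricts inet socket creation to the `netdomain` attribute, these rules will be rejected by neverallow at policy build time — verify. Binding is also allowed on the generic `port` type, i.e. any port; a comment recording which port(s) the simulated RCP listens on would allow a narrower port type later. Note too that ot_rcp and ot_rcp_exec are declared unconditionally while every rule sits under userdebug_or_eng, which is fine, but a one-line comment stating that the binary is inert on user builds would help readers of the apex file_contexts, which labels /bin/ot-rcp on all builds.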
diff --git a/private/platform_app.te b/private/platform_app.te
index 6d49502..1bd0020 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,9 @@
 userdebug_or_eng(`
   set_prop(platform_app, persist_sysui_builder_extras_prop)
 ')
+userdebug_or_eng(`
+  set_prop(platform_app, persist_sysui_ranking_update_prop)
+')
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..cdf403c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -47,6 +47,8 @@
 r_dir_file(postinstall_dexopt, vendor_app_file)
 # Read vendor overlay files (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
diff --git a/private/property.te b/private/property.te
index 35f9bc7..66c9cea 100644
--- a/private/property.te
+++ b/private/property.te
@@ -55,6 +55,7 @@
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(log_file_logger_prop)
 system_restricted_prop(persist_sysui_builder_extras_prop)
+system_restricted_prop(persist_sysui_ranking_update_prop)
 
 ###
 ### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 2399163..64e738f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1323,6 +1323,7 @@
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.ignore_hdr_camera_layers               u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer      u:object_r:surfaceflinger_prop:s0 exact bool
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1562,4 +1563,5 @@
 ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
 
 # System UI notification properties
+persist.sysui.notification.ranking_update_ashmem u:object_r:persist_sysui_ranking_update_prop:s0 exact bool
 persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
diff --git a/private/rs.te b/private/rs.te
index a9b2edd..906373b 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -19,6 +19,8 @@
 allow rs vendor_file:dir r_dir_perms;
 r_dir_file(rs, vendor_overlay_file)
 r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
 
 # Read contents of app apks
 r_dir_file(rs, apk_data_file)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4454bd7..abd6c7b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -183,8 +183,8 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
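Review bot: the change to `levelFrom=all` for rkpdapp alters the MLS categories assigned to its data directories, so existing installations whose directories were labelled under `levelFrom=user` will mismatch until relabeled; confirm the app-data relabel on upgrade covers this for a privileged app. The file gives no reason for the change, so a comment near the two entries such as `# rkpdapp: levelFrom=all so its data is isolated per app, not just per user` would record the intent.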
diff --git a/private/shell.te b/private/shell.te
index 85d09f9..1b859d1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -136,6 +136,7 @@
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;
+allow shell vendor_apex_metadata_file:dir r_dir_perms;
 
 # Allow shell to read updated APEXes under /data/apex
 allow shell apex_data_file:dir search;
@@ -246,4 +247,6 @@
 
 # Allow shell to set persist.sysui.notification.builder_extras_override property
 userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
+userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
 
diff --git a/private/system_server.te b/private/system_server.te
index 4356c26..d30f657 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -842,6 +842,8 @@
 
 # Read persist.sysui.notification.builder_extras_override property
 get_prop(system_server, persist_sysui_builder_extras_prop)
+# Read persist.sysui.notification.ranking_update_ashmem property
+get_prop(system_server, persist_sysui_ranking_update_prop)
 
 # Read ro.tuner.lazyhal
 get_prop(system_server, tuner_config_prop)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index bfad8e7..b6bcd98 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -7,6 +7,9 @@
 allow virtualizationmanager adbd:fd use;
 allow virtualizationmanager adbd:unix_stream_socket { read write };
 
+# Allow writing VM logs to the shell console
+allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
+
 # Let the virtualizationmanager domain use Binder.
 binder_use(virtualizationmanager)
 
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3473eca..0556950 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -35,6 +35,9 @@
 allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
 allow webview_zygote apex_module_data_file:dir search;
 
+# To load overlay from /apex (vendor APEXes)
+allow webview_zygote vendor_apex_metadata_file:dir search;
+
 # Allow webview_zygote to create JIT memory.
 allow webview_zygote self:process execmem;
 
diff --git a/private/zygote.te b/private/zygote.te
index d61a431..c5cc73a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -247,9 +247,11 @@
 # preloaded classes
 get_prop(zygote, persist_wm_debug_prop)
 
-# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
-# core preloaded classes
+# Allow zygote to read persist_sysui_builder_extras_prop
+# and persist_sysui_ranking_update_prop
+# to toggle experimental features in core preloaded classes
 get_prop(zygote, persist_sysui_builder_extras_prop)
+get_prop(zygote, persist_sysui_ranking_update_prop)
 
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
@@ -258,6 +260,7 @@
 # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
 allow zygote vendor_apex_file:dir { getattr search };
 allow zygote vendor_apex_file:file { getattr };
+allow zygote vendor_apex_metadata_file:dir { search };
 
 # Allow zygote to query for compression/features.
 r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cc3678c..4877f14 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -56,7 +56,7 @@
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
 
 # Signal native processes to dump their stack.
 allow dumpstate {
diff --git a/public/file.te b/public/file.te
index 7aad936..f7fafcb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -381,6 +381,8 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# apex_manifest.pb in vendor apex
+type vendor_apex_metadata_file, vendor_file_type, file_type;
 # /data/system/shutdown-checkpoints
 type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/public/installd.te b/public/installd.te
index 216704d..88f6aab 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -33,6 +33,8 @@
 r_dir_file(installd, vendor_framework_file)
 # Scan through Runtime Resource Overlay APKs in /vendor/overlay
 r_dir_file(installd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow installd vendor_apex_metadata_file:dir { getattr search };
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context
diff --git a/public/te_macros b/public/te_macros
index 63805de..c4ebc63 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1047,6 +1047,7 @@
 define(`use_apex_info', `
   allow $1 apex_mnt_dir:dir r_dir_perms;
   allow $1 apex_info_file:file r_file_perms;
+  r_dir_file($1, vendor_apex_metadata_file)
 ')
 
 ####################################
diff --git a/public/vold.te b/public/vold.te
index 3d204e1..c0fdf50 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -177,10 +177,13 @@
 allow vold labeledfs:filesystem { mount unmount remount };
 
 # Create and mount on /data/tmp_mnt and management of expansion mounts
+#
+# Also rename per-user encrypted directories such as /data/user/10 from their
+# temporary name ("10.new") to their final name ("10").
 allow vold {
     system_data_file
     system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
+}:dir { create_dir_perms mounton };
 allow vold system_data_file:lnk_file getattr;
 
 # Vold create users in /data/vendor_{ce,de}/[0-9]+
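Review bot: if `create_dir_perms` expands as in global_macros to `{ create reparent rename setattr rmdir rw_dir_perms }`, the switch adds `rename` and `reparent` on every directory labelled system_data_file or system_data_root_file, while the stated need is renaming `/data/user/<id>.new` to `/data/user/<id>`; the new comment justifies the rename but not its width. If the per-user directories' parent carries a distinct label, limiting rename/reparent to that type would keep the grant closer to the use case; otherwise a short note that the wide scope is accepted because vold already holds mounton and rmdir over the same set would help the next reviewer.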
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 7173223..e380ebd 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -8,3 +8,8 @@
 allow hal_fingerprint_default fwk_sensor_service:service_manager find;
 
 set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
+
+userdebug_or_eng(`
+  # Allow fingerprint hal to read app-created pipes (to respond shell commands from test apps)
+  allow hal_fingerprint_default appdomain:fifo_file read;
+')
