Merge "Revert^2 "Add microfuchsia selinux policies"" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index c9c06e3..5b2a75e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -286,3 +286,10 @@
         "com.android.telephonymodules-file_contexts",
     ],
 }
+
+filegroup {
+    name: "com.android.configinfrastructure-file_contexts",
+    srcs: [
+        "com.android.configinfrastructure-file_contexts",
+    ],
+}
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
new file mode 100644
index 0000000..23e7b89
--- /dev/null
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -0,0 +1 @@
+(/.*)?                   u:object_r:system_file:s0
\ No newline at end of file
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 865051c..9891388 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -80,7 +80,7 @@
 		"android.hardware.media.c2.IComponentStore/software":                      []string{"libcodec2-aidl-fuzzer"},
 		"android.hardware.memtrack.IMemtrack/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.net.nlinterceptor.IInterceptor/default":                 EXCEPTION_NO_FUZZER,
-		"android.hardware.nfc.INfc/default":                                       EXCEPTION_NO_FUZZER,
+		"android.hardware.nfc.INfc/default":                                       []string{"nfc_service_fuzzer"},
 		"android.hardware.oemlock.IOemLock/default":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.power.IPower/default":                                   EXCEPTION_NO_FUZZER,
 		"android.hardware.power.stats.IPowerStats/default":                        EXCEPTION_NO_FUZZER,
@@ -194,6 +194,7 @@
 		"android.system.vmtethering.IVmTethering":                             EXCEPTION_NO_FUZZER,
 		"ambient_context":               EXCEPTION_NO_FUZZER,
 		"app_binding":                   EXCEPTION_NO_FUZZER,
+		"app_function":                  EXCEPTION_NO_FUZZER,
 		"app_hibernation":               EXCEPTION_NO_FUZZER,
 		"app_integrity":                 EXCEPTION_NO_FUZZER,
 		"app_prediction":                EXCEPTION_NO_FUZZER,
@@ -391,6 +392,7 @@
 		"procstats":                              EXCEPTION_NO_FUZZER,
 		"profcollectd":                           EXCEPTION_NO_FUZZER,
 		"profiling_service":                      EXCEPTION_NO_FUZZER,
+		"protolog":                               EXCEPTION_NO_FUZZER,
 		"radio.phonesubinfo":                     EXCEPTION_NO_FUZZER,
 		"radio.phone":                            EXCEPTION_NO_FUZZER,
 		"radio.sms":                              EXCEPTION_NO_FUZZER,
@@ -447,6 +449,7 @@
 		"SurfaceFlingerAIDL":                     EXCEPTION_NO_FUZZER,
 		"suspend_control":                        []string{"suspend_service_fuzzer"},
 		"suspend_control_internal":               []string{"suspend_service_internal_fuzzer"},
+		"supervision":                            EXCEPTION_NO_FUZZER,
 		"system_config":                          EXCEPTION_NO_FUZZER,
 		"system_server_dumper":                   EXCEPTION_NO_FUZZER,
 		"system_update":                          EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..cf74619 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -37,6 +37,7 @@
 /sys                                                              sysfs
 /apex                                                             apex_mnt_dir
 /bootstrap-apex                                                   apex_mnt_dir
+/mnt/vm                                                           vm_data_file
 
 /postinstall                                                      postinstall_mnt_dir
 /postinstall/apex                                                 postinstall_apex_mnt_dir
@@ -1269,8 +1270,6 @@
 /metadata/bootstat/test                                           metadata_bootstat_file
 /metadata/staged-install                                          staged_install_file
 /metadata/staged-install/test                                     staged_install_file
-/metadata/userspacereboot                                         userspace_reboot_metadata_file
-/metadata/userspacereboot/test                                    userspace_reboot_metadata_file
 /metadata/watchdog                                                watchdog_metadata_file
 /metadata/watchdog/test                                           watchdog_metadata_file
 /metadata/repair-mode                                             repair_mode_metadata_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index dc3b6a0..3dc73e5 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -24,6 +24,7 @@
         "RELEASE_AVF_ENABLE_NETWORK",
         "RELEASE_AVF_ENABLE_MICROFUCHSIA",
         "RELEASE_READ_FROM_NEW_STORAGE",
+        "RELEASE_SUPERVISION_SERVICE",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
         "RELEASE_UNLOCKED_STORAGE_API",
     ],
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 7486c32..5ce168c 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -20767,6 +20767,7 @@
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
   -hal_nlinterceptor_server
+  -hal_tv_tuner_server
 } self:{ capability cap_userns } { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -20789,6 +20790,7 @@
   -hal_uwb_vendor_server
   -hal_nlinterceptor_server
   -hal_bluetooth_server
+  -hal_tv_tuner_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {
@@ -20802,6 +20804,7 @@
   -hal_telephony_server
   -hal_nlinterceptor_server
   -hal_bluetooth_server
+  -hal_tv_tuner_server
 } {
   domain
   
diff --git a/private/app.te b/private/app.te
index 1dd7fda..cc69e5e 100644
--- a/private/app.te
+++ b/private/app.te
@@ -488,6 +488,8 @@
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
+get_prop(appdomain, high_barometer_quality_prop)
+
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
 allow appdomain adbd:unix_stream_socket connectto;
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 6874821..2b3adc0 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -13,5 +13,7 @@
     binderfs_logs_transaction_history
     proc_compaction_proactiveness
     proc_cgroups
+    supervision_service
     sysfs_udc
+    app_function_service
   ))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 455cbff..6c52dba 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -32,6 +32,7 @@
     security_state_service
     sensitive_content_protection_service
     setupwizard_mode_prop
+    supervision_service
     sysfs_sync_on_suspend
     tv_ad_service
     threadnetwork_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..6f07391 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -40,10 +40,14 @@
   apex_virt_data_file
   shell_data_file
   vendor_microdroid_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+    virtualizationservice_data_file
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
 
 # When running a VM as root we get spurious capability denials.
 # Suppress them.
@@ -74,6 +78,7 @@
   privapp_data_file
   apex_compos_data_file
   apex_virt_data_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -153,6 +158,7 @@
   app_data_file
   privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
   userdebug_or_eng(`-shell_data_file')
 }:file open;
 
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 4a964fd..9e98bae 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -74,6 +74,7 @@
   system_data_file
   system_data_root_file
   system_file
+  system_lib_file
   tmpfs
   vendor_file
 }:dir mounton;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -537,6 +537,7 @@
   linkerconfig_file
   mirror_data_file
   mnt_user_file
+  vm_data_file
 }:dir getattr;
 
 # Allow dumpstate to talk to bufferhubd over binder
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 4e332f6..484077c 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -5,4 +5,15 @@
     type early_virtmgr_exec, system_file_type, exec_type, file_type;
 
     use_bootstrap_libs(early_virtmgr)
+
+    allow early_virtmgr vm_data_file:dir create_dir_perms;
+    allow early_virtmgr vm_data_file:file create_file_perms;
+
+    ###
+    ### Neverallow rules
+    ###
+
+    # Only crosvm and early_virtmgr can access vm_data_file
+    neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+    neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
 ')
diff --git a/private/file.te b/private/file.te
index d30465b..038e899 100644
--- a/private/file.te
+++ b/private/file.te
@@ -117,6 +117,9 @@
 # virtualizationmanager, which runs at a more constrained MLS level.
 type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
+# /mnt/vm
+type vm_data_file, file_type, core_data_file_type;
+
 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..d49be64 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,7 +432,6 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
-/(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
@@ -462,6 +461,8 @@
 # secure-element service: vendor uuid mapping config file
 /(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml    u:object_r:vendor_uuid_mapping_config_file:s0
 
+# APEX packages
+/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2}              u:object_r:vendor_apex_file:s0
 
 # Input configuration
 /(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl        u:object_r:vendor_keylayout_file:s0
@@ -876,7 +877,6 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
-/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
 /metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 /metadata/aconfig(/.*)?    u:object_r:aconfig_storage_metadata_file:s0
@@ -921,3 +921,7 @@
 # dexopt_chroot_setup inside chroot, in addition to the files and directories
 # matching the pattern below.
 /mnt/pre_reboot_dexopt(/.*)?  u:object_r:pre_reboot_dexopt_file:s0
+
+#############################
+# For early boot VM
+/mnt/vm u:object_r:vm_data_file:s0
diff --git a/private/init.te b/private/init.te
index e4bafd8..8ab1aab 100644
--- a/private/init.te
+++ b/private/init.te
@@ -115,6 +115,8 @@
 userdebug_or_eng(`
   allow init kmsg_debug_device:chr_file { open write relabelto };
 ')
+# /mnt/vm, also permissions to mkdir / mount / chmod / chown
+allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
 
 # allow init to mount and unmount debugfs in debug builds
 userdebug_or_eng(`
@@ -305,6 +307,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -misc_logd_file
@@ -324,6 +327,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -credstore_data_file
   -exec_type
@@ -351,6 +355,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -383,6 +388,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -408,6 +414,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -439,6 +446,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -privapp_data_file
 }:dir_file_class_set relabelto;
 
diff --git a/private/lmkd.te b/private/lmkd.te
index 5369c79..8d22552 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -86,9 +86,6 @@
 # Allow lmkd to write to statsd.
 unix_socket_send(lmkd, statsdw, statsd)
 
-# Allow lmkd to create io_uring
-allow lmkd self:anon_inode { create map read write };
-
 ### neverallow rules
 
 # never honor LD_PRELOAD
diff --git a/private/netd.te b/private/netd.te
index 37581a6..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -79,13 +79,6 @@
 allow netd system_file:file lock;
 dontaudit netd system_file:dir write;
 
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
 r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net_type:file rw_file_perms;
diff --git a/private/property.te b/private/property.te
index 7907dbc..acb8d79 100644
--- a/private/property.te
+++ b/private/property.te
@@ -79,6 +79,7 @@
 
 # Properties which should only be written by vendor_init
 system_vendor_config_prop(avf_virtualizationservice_prop)
+system_vendor_config_prop(high_barometer_quality_prop)
 
 typeattribute log_prop log_property_type;
 typeattribute log_tag_prop log_property_type;
@@ -429,6 +430,14 @@
   neverallow {
     domain
     -init
+    -vendor_init
+  } {
+    high_barometer_quality_prop
+    }:property_service set;
+
+  neverallow {
+    domain
+    -init
     -dumpstate
     userdebug_or_eng(`-system_suspend')
     } {
@@ -752,7 +761,9 @@
 neverallow {
   domain
   -init
+  -keystore
   -shell
+  -system_server
   -rkpdapp
 } remote_prov_prop:property_service set;
 
diff --git a/private/property_contexts b/private/property_contexts
index 7a27625..f0a4281 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -361,7 +361,7 @@
 ro.virtual_ab.num_merge_threads u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.num_verify_threads u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.cow_op_merge_size u:object_r:virtual_ab_prop:s0 exact int
-ro.virtual_ab.verify_threshold_block_size u:object_r:virtual_ab_prop:s0 exact int
+ro.virtual_ab.verify_threshold_size u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.verify_block_size u:object_r:virtual_ab_prop:s0 exact int
 
 # OEMs can set this prop at build time to configure how many seconds to delay
@@ -408,6 +408,11 @@
 audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
 audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
 
+# Timecheck configuration
+audio.timecheck.disabled                  u:object_r:audio_config_prop:s0 exact bool
+audio.timecheck.timeout_duration_ms       u:object_r:audio_config_prop:s0 exact int
+audio.timecheck.second_chance_duration_ms u:object_r:audio_config_prop:s0 exact int
+
 # spatializer tuning
 audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
@@ -1681,6 +1686,10 @@
 # Properties for sensor service
 sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
 
+# Whether the device has a high quality barometer as defined on the CDD.
+# Set by OEMs, read for xTS verifier tests
+sensor.barometer.high_quality.implemented  u:object_r:high_barometer_quality_prop:s0 exact bool
+
 # Properties for game manager service
 persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool
 
diff --git a/private/service.te b/private/service.te
index 80d5168..a3754e4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -13,6 +13,7 @@
 type mediatuner_service,            app_api_service, service_manager_type;
 type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
 type profcollectd_service,          service_manager_type;
+type protolog_service,              system_api_service, system_server_service, service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
 type rkpd_registrar_service,        service_manager_type;
 type rkpd_refresh_service,          service_manager_type;
@@ -21,6 +22,10 @@
 type statsbootstrap_service,        system_server_service, service_manager_type;
 type statscompanion_service,        system_server_service, service_manager_type;
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+    type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
 type tracingproxy_service,          system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
 
diff --git a/private/service_contexts b/private/service_contexts
index f81491a..78d2c5a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -179,6 +179,7 @@
 ')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
+app_function                              u:object_r:app_function_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
@@ -372,6 +373,7 @@
 powerstats                                u:object_r:powerstats_service:s0
 power                                     u:object_r:power_service:s0
 profiling_service                         u:object_r:profiling_service:s0
+protolog                                  u:object_r:protolog_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
 procstats                                 u:object_r:procstats_service:s0
@@ -429,6 +431,10 @@
 storagestats                              u:object_r:storagestats_service:s0
 # sdk_sandbox here refers to the service name, not the domain name.
 sdk_sandbox                               u:object_r:sdk_sandbox_service:s0
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+    supervision                               u:object_r:supervision_service:s0
+')
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 SurfaceFlingerAIDL                        u:object_r:surfaceflinger_service:s0
 suspend_control                           u:object_r:system_suspend_control_service:s0
diff --git a/private/shell.te b/private/shell.te
index f896541..18e3462 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -203,6 +203,9 @@
 # TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
 # a separate process.
 binder_call(shell, virtualizationservice)
+# Allow the shell to inspect whether AVF remote attestation is supported
+# through the system property.
+get_prop(shell, avf_virtualizationservice_prop)
 
 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 1c9f732..0385df3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1561,10 +1561,6 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
 # Only system server should access /metadata/aconfig
 neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
 neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
diff --git a/private/vold.te b/private/vold.te
index 2c1fb8f..339877d 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -235,7 +235,7 @@
 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET };
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
diff --git a/public/service.te b/public/service.te
index 6ba1dcc..0982629 100644
--- a/public/service.te
+++ b/public/service.te
@@ -68,6 +68,9 @@
 type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
 type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
diff --git a/tools/Android.bp b/tools/Android.bp
index e216652..f8935a6 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -44,7 +44,7 @@
     name: "checkfc",
     defaults: ["sepolicy_tools_defaults"],
     srcs: ["checkfc.c"],
-    static_libs: ["libselinux"],
+    shared_libs: ["libselinux"],
 }
 
 cc_binary_host {
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
index 55859ac..65b54de 100644
--- a/tools/fuzzer_bindings_check.py
+++ b/tools/fuzzer_bindings_check.py
@@ -50,8 +50,8 @@
        if service_name not in bindings:
          sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
                   "Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
-                  "NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
-                  "and Rust (b/164122727). In this case, please ignore this for now and add an entry for your"
+                  "NOTE: automatic service fuzzers are currently not supported in Java (b/287102710.)"
+                  "In this case, please ignore this for now and add an entry for your"
                   "new service in service_fuzzer_bindings.go \n\n"
                   "If you are writing a new service, it may be subject to attack from other "
                   "potentially malicious processes. A fuzzer can be written automatically "
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 745ab13..4b88206 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,7 +382,6 @@
     char *p, *start;
     int result;
 
-    int non_comment_len = 0, cur_non_comment_len = 0;
     char *cur_non_comment_text = calloc(1, (end - text) + 1);
     char *non_comment_text = cur_non_comment_text;
     if (!cur_non_comment_text)