diff --git a/private/bug_map b/private/bug_map
index 6f78f4a..cb49904 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,7 +29,6 @@
 postinstall postinstall capability 77958490
 postinstall_dexopt postinstall_dexopt capability 77958490
 postinstall_dexopt user_profile_data_file file 77958490
-priv_app system_data_file dir 72811052
 profman apk_data_file dir 77922323
 radio statsdw_socket sock_file 78456764
 statsd hal_health_default binder 77919007
@@ -38,7 +37,5 @@
 system_server logd_socket sock_file 64734187
 system_server sdcardfs file 77856826
 system_server zygote process 77856826
-untrusted_app_25 system_data_file dir 72550646
-untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
 zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b678221..f72118d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -3,7 +3,8 @@
 ;;   previous ones.  Add here to pass checkapi tests.
 (typeattribute new_objects)
 (typeattributeset new_objects
-  ( adb_service
+  ( activity_task_service
+    adb_service
     adbd_exec
     atrace
     binder_calls_stats_service
@@ -117,6 +118,7 @@
     thermalserviced
     thermalserviced_exec
     thermalserviced_tmpfs
+    timedetector_service
     timezone_service
     tombstoned_java_trace_socket
     tombstone_wifi_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 06f85fc..9b6ce30 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
 ;;   previous ones.  Add here to pass checkapi tests.
 (typeattribute new_objects)
 (typeattributeset new_objects
-  ( adb_service
+  ( activity_task_service
+    adb_service
     atrace
     binder_calls_stats_service
     blank_screen
@@ -94,6 +95,7 @@
     system_boot_reason_prop
     system_update_service
     test_boot_reason_prop
+    timedetector_service
     tombstone_wifi_data_file
     trace_data_file
     traced
diff --git a/private/platform_app.te b/private/platform_app.te
index eec503a..41dc915 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -66,6 +66,7 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
+allow platform_app timedetector_service:service_manager find;
 allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 3355502..37d864f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -182,6 +182,12 @@
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent apps from spamming the logs.
+dontaudit priv_app system_data_file:dir write;
+
 ###
 ### neverallow rules
 ###
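Review bot: The new `dontaudit priv_app system_data_file:dir write;` only hides the audit record; the write is still denied, and the comment's "Suppress this denial" reads as though access were being granted, so that should be stated. If the denials being chased come from file creation rather than a bare write, the kernel requests `dir { write add_name }` and `add_name` is not covered here, so the log line would still appear — confirm against the actual avc messages before relying on this to stop the spam. Suggested addition to the comment: `# Access is still denied; only the audit record is suppressed.`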
diff --git a/private/service_contexts b/private/service_contexts
index 8b9b862..287cf2f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,6 +1,7 @@
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
+activity_task                             u:object_r:activity_task_service:s0
 adb                                       u:object_r:adb_service:s0
 alarm                                     u:object_r:alarm_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
@@ -162,6 +163,7 @@
 telephony.registry                        u:object_r:registry_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
+time_detector                             u:object_r:timedetector_service:s0
 timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 trust                                     u:object_r:trust_service:s0
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 7f9d315..b04e5e0 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,10 @@
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
 
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
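Review bot: The new `hal_omx_client` set is not paired with a `halclientdomain` membership the way `hal_allocator_client` is a few lines above, yet the `hwbinder_use` and `hwservicemanager_prop` grants that app.te used to give `{ appdomain -isolated_app }` are deleted in this same change. As far as I can tell OMX clients keep hwbinder access only because the identical app set is already in `halclientdomain` via the allocator line; if that coupling is intended it should be written down, otherwise add `(typeattributeset halclientdomain (hal_omx_client))` alongside. A comment such as `; hwbinder/hwservicemanager_prop access for these domains comes via halclientdomain (see hal_allocator_client above)` would make the dependency explicit.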
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index b2c4f40..c9bf65f 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -150,3 +150,9 @@
     -proc_net_vpn
   }:{ dir file lnk_file } { getattr open read };
 ')
+
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent third party apps from spamming the logs.
+dontaudit untrusted_app_all system_data_file:dir write;
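Review bot: This `dontaudit` removes the only signal that a third-party app is probing system_data_file directories, and the same change drops the bug_map entries for untrusted_app_25/27 earlier in the diff, so the behaviour is no longer tracked anywhere. That is probably an acceptable trade for pre-unlock noise, but the comment should say what was measured and that the rule is meant to be revisited, e.g. `# TODO: remove once the pre-ACTION_USER_UNLOCKED writes are confirmed fixed in the offending apps.` Minor wording: "Attempts ... is" should be "Attempts ... are".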
diff --git a/public/app.te b/public/app.te
index 35c2008..1dca49c 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,15 +219,6 @@
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# TODO(b/80317992): use hal_client_domain on individual domains or have tests
-#     that the required individual permissions are all granted
-hwbinder_use({ appdomain  -isolated_app })
-allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-binder_call({ appdomain -isolated_app }, hal_omx_server)
-
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
 
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 037066e..d979103 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,7 +3,7 @@
 binder_call(hal_audio_server, hal_audio_client)
 
 add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_audio, hal_audio_hwservice)
 
 allow hal_audio ion_device:chr_file r_file_perms;
 
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 438db53..dc4aaa0 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,5 +3,4 @@
 binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
 
 add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
-
-allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_audiocontrol, hal_audiocontrol_hwservice)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index 81b0c04..f58b8aa 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,4 +2,4 @@
 binder_call(hal_authsecret_client, hal_authsecret_server)
 
 add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
-allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_authsecret, hal_authsecret_hwservice)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 373dbec..b0c68bf 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -3,7 +3,7 @@
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
 add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bluetooth, hal_bluetooth_hwservice)
 
 wakelock_use(hal_bluetooth);
 
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 181de4a..a901cf2 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,6 +3,6 @@
 binder_call(hal_bootctl_server, hal_bootctl_client)
 
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bootctl, hal_bootctl_hwservice)
 
 dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 24d4908..45adb4a 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -1,4 +1,4 @@
 binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
 
 add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 43f74b4..4e80794 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -3,7 +3,7 @@
 binder_call(hal_camera_server, hal_camera_client)
 
 add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_camera, hal_camera_hwservice)
 
 allow hal_camera device:dir r_dir_perms;
 allow hal_camera video_device:dir r_dir_perms;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7f65358..0ba39ed 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -3,7 +3,7 @@
 binder_call(hal_cas_server, hal_cas_client)
 
 add_hwservice(hal_cas_server, hal_cas_hwservice)
-allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
 # Permit reading device's serial number from system properties
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 228e864..9a7e697 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -2,4 +2,4 @@
 binder_call(hal_confirmationui_client, hal_confirmationui_server)
 
 add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
-allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index f11bfc8..0f23ae5 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -3,4 +3,4 @@
 binder_call(hal_contexthub_server, hal_contexthub_client)
 
 add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_contexthub, hal_contexthub_hwservice)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd91..0a03a95 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -3,7 +3,7 @@
 binder_call(hal_drm_server, hal_drm_client)
 
 add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_drm, hal_drm_hwservice)
 
 allow hal_drm hidl_memory_hwservice:hwservice_manager find;
 
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 2853567..75e59f3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -3,7 +3,7 @@
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
 add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_dumpstate, hal_dumpstate_hwservice)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index ebe0b0c..240f1dd 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,7 +3,7 @@
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_fingerprint, hal_fingerprint_hwservice)
 
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 123acf5..0ff8f08 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,7 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gatekeeper, hal_gatekeeper_hwservice)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index b59cd1d..7e206a8 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,4 +3,4 @@
 binder_call(hal_gnss_server, hal_gnss_client)
 
 add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gnss, hal_gnss_hwservice)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e2b04ae..753b816 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -2,7 +2,7 @@
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
 add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
 
 # GPU device access
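Review bot: Only `hal_graphics_allocator_hwservice` moves under the new macro here; `allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;` on the following line stays a plain allow, so the mapper hwservice gets no find-neverallow while the allocator hwservice does. If that is because there is no hal_graphics_mapper client/server attribute pair (not visible from this hunk), a comment saying so would stop someone "fixing" it later, e.g. `# mapper has no client/server attribute pair, so hal_attribute_hwservice_client does not apply`.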
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 2df4612..e6854f6 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -3,7 +3,7 @@
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
 
 add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_composer, hal_graphics_composer_hwservice)
 
 # Coordinate with hal_graphics_mapper
 allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/public/hal_health.te b/public/hal_health.te
index c0a0f80..f6d5d3b 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,7 +3,7 @@
 binder_call(hal_health_server, hal_health_client)
 
 add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_health, hal_health_hwservice)
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index b1bfdd8..022d5ee 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -3,4 +3,4 @@
 binder_call(hal_ir_server, hal_ir_client)
 
 add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index dc5f6d0..664f277 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,7 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_keymaster, hal_keymaster_hwservice)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 5b93dd1..841b17a 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -3,7 +3,7 @@
 binder_call(hal_light_server, hal_light_client)
 
 add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_light, hal_light_hwservice)
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
index af491b1..5bb36f9 100644
--- a/public/hal_lowpan.te
+++ b/public/hal_lowpan.te
@@ -5,7 +5,7 @@
 add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
 
 # Allow hal_lowpan_client to be able to find the hal_lowpan_server
-allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_lowpan, hal_lowpan_hwservice)
 
 # hal_lowpan domain can write/read to/from lowpan_prop
 set_prop(hal_lowpan_server, lowpan_prop)
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index b2cc9cd..8185fd1 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,4 +2,4 @@
 binder_call(hal_memtrack_client, hal_memtrack_server)
 
 add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_memtrack, hal_memtrack_hwservice)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c697ac2..149f768 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -3,6 +3,6 @@
 binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
 
 add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_neuralnetworks, hal_neuralnetworks_hwservice)
 allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 3bcdf5e..caa4c82 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -3,7 +3,7 @@
 binder_call(hal_nfc_server, hal_nfc_client)
 
 add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_nfc, hal_nfc_hwservice)
 
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 3fb5a18..d118f43 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,4 +2,4 @@
 binder_call(hal_oemlock_client, hal_oemlock_server)
 
 add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_oemlock, hal_oemlock_hwservice)
diff --git a/public/hal_omx.te b/public/hal_omx.te
index cf03690..375f386 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -27,11 +27,13 @@
 # via PDX. Thus, there is no need to use pdx_client macro.
 allow hal_omx_server bufferhubd:fd use;
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_omx, hal_omx_hwservice)
+hal_attribute_hwservice_client(hal_omx, hal_codec2_hwservice)
+
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
+binder_call(hal_omx_server, hal_omx_client)
 
 ###
 ### neverallow rules
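Review bot: `binder_call(hal_omx_server, hal_omx_client)` is a new server-initiated direction and, with this change making every non-isolated app a hal_omx_client (technical_debt.cil), it lets the codec HAL process transact into any app; a one-line comment naming why (HIDL callbacks, presumably) would keep a later reader from treating it as an accidental widening. Separately, `allow hal_omx_client hidl_token_hwservice:hwservice_manager find;` just above stays a plain allow and so sits outside the find-neverallow the new macro adds — fine if hidl_token_hwservice is meant to be shared, but worth noting since everything else in the file just moved to the macro. Suggested: `# Server-initiated calls back into clients (HIDL callbacks) -- TODO confirm`.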
diff --git a/public/hal_power.te b/public/hal_power.te
index fcba3d2..26fbd4c 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,4 +3,4 @@
 binder_call(hal_power_server, hal_power_client)
 
 add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_power, hal_power_hwservice)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index e3046d1..8410c77 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,4 +3,4 @@
 binder_call(hal_secure_element_server, hal_secure_element_client)
 
 add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
-allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_secure_element, hal_secure_element_hwservice)
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 9d7cbe9..603eead 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -2,7 +2,7 @@
 binder_call(hal_sensors_client, hal_sensors_server)
 
 add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_sensors, hal_sensors_hwservice)
 
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 21b6e02..a20350b 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,7 +3,7 @@
 binder_call(hal_telephony_server, hal_telephony_client)
 
 add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_telephony, hal_telephony_hwservice)
 
 allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index 48d67a2..d44573a 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -2,7 +2,7 @@
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
 
-allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tetheroffload, hal_tetheroffload_hwservice)
 
 # allow the client to pass the server already open netlink sockets
 allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index b1764f1..105e882 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -3,4 +3,4 @@
 binder_call(hal_thermal_server, hal_thermal_client)
 
 add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_thermal, hal_thermal_hwservice)
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index 7719cae..9ee2e3e 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -3,4 +3,4 @@
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
 
 add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 31a0067..cee55bd 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,4 +3,4 @@
 binder_call(hal_tv_input_server, hal_tv_input_client)
 
 add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tv_input, hal_tv_input_hwservice)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd516..52fdce2 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -3,7 +3,7 @@
 binder_call(hal_usb_server, hal_usb_client)
 
 add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_usb, hal_usb_hwservice)
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index e412758..41683b0 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -3,7 +3,7 @@
 binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
 
 add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
-allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_usb_gadget, hal_usb_gadget_hwservice)
 
 # Configuring usb gadget functions
 allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index a59f8d2..d021da3 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -4,4 +4,4 @@
 
 add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
 
-allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vehicle, hal_vehicle_hwservice)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 9ce34ca..ba6830d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -2,7 +2,7 @@
 binder_call(hal_vibrator_client, hal_vibrator_server)
 
 add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vibrator, hal_vibrator_hwservice)
 
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 3cb392d..4afe3cd 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -3,4 +3,4 @@
 binder_call(hal_vr_server, hal_vr_client)
 
 add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vr, hal_vr_hwservice)
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index b80ba29..405321d 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,4 +2,4 @@
 binder_call(hal_weaver_client, hal_weaver_server)
 
 add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_weaver, hal_weaver_hwservice)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 8f5b77b..45738e2 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,7 +3,7 @@
 binder_call(hal_wifi_server, hal_wifi_client)
 
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi, hal_wifi_hwservice)
 
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 73bf037..ea84a36 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,7 +3,7 @@
 binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
 
 add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
-allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
 
 allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
 
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index f74ed05..1b75711 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -3,7 +3,7 @@
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
-allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_offload, hal_wifi_offload_hwservice)
 
 r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 3d61766..87a061f 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,7 +3,7 @@
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
 add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
 
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/property_contexts b/public/property_contexts
index e74d936..fdc2da9 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -221,6 +221,7 @@
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
 ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
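Review bot: `ro.boot.product.hardware.sku` is a bootloader-supplied hardware identifier and this line places it in `exported_default_prop`, the same broadly readable class as the neighbouring `ro.boot.hardware.revision`; nothing in the change shows who consumes it, so confirm that exposing the SKU to every reader of that context is intended rather than an artefact of copying the adjacent entries. A short comment naming the consumer would help, e.g. `# read by <service> to select SKU-specific configuration` with the actual reader filled in.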
diff --git a/public/service.te b/public/service.te
index 394e334..1166025 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type adb_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -140,6 +141,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e5c476a..ffb8428 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -603,3 +603,15 @@
   allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
 ')
+
+###########################################
+# hal_attribute_hwservice_client(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice_client', `
+  allow $1_client $2:hwservice_manager find;
+  neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+')
