diff --git a/mac_permissions.mk b/mac_permissions.mk
index 566c82b..7827286 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -26,12 +26,12 @@
 all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
 $(all_plat_mac_perms_files) $(all_plat_keys)
 	@mkdir -p $(dir $@)
 	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
 		MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
-		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+		$(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
 all_plat_keys :=
 all_plat_mac_perms_files :=
@@ -63,10 +63,10 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
 $(all_system_ext_mac_perms_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
 system_ext_mac_perms_keys.tmp :=
 all_system_ext_mac_perms_files :=
@@ -97,10 +97,10 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
 $(all_product_mac_perms_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
 product_mac_perms_keys.tmp :=
 all_product_mac_perms_files :=
@@ -131,11 +131,11 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
 $(all_vendor_mac_perms_files)
 	@mkdir -p $(dir $@)
 	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
-		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+		$(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
 vendor_mac_perms_keys.tmp :=
 all_vendor_mac_perms_files :=
@@ -166,10 +166,10 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
 $(all_odm_mac_perms_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
 odm_mac_perms_keys.tmp :=
 all_odm_mac_perms_files :=
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2be2a4e..78cd37e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -29,13 +29,14 @@
 # TODO: get rid of init & vendor_init
 neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
 neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
 neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
 neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
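Review bot: The new `-mediaprovider_app` exemption on `{ fs_bpf }:file read` applies to every pinned object labelled `fs_bpf`, while the allow rule added in private/mediaprovider_app.te describes its purpose as FUSE BPF only. The commit already splits the read rule so that `fs_bpf_tethering` stays closed to this domain. Giving the FUSE BPF pins their own type would keep the exemption just as narrow on the `fs_bpf` side. The `*:bpf` exemptions for `prog_run` and `{ map_read map_write }` are also target-wide, so a comment above them would help, for example `# mediaprovider_app: FUSE BPF program and its maps only`, so the next reviewer knows what the exemption is meant to cover.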
diff --git a/private/composd.te b/private/composd.te
index e41533b..41f1a9b 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,6 +13,10 @@
 # Start a VM
 virtualizationservice_use(composd)
 
+# Allow preparing staging directory for odrefresh
+allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
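Review bot: `create_dir_perms` on `apex_art_data_file:dir` lets composd create, rename and remove directories anywhere under that label, which is wider than the comment "preparing staging directory" suggests. If the flow is that the staging directory is created under the ART data directory, inherits `apex_art_data_file`, and is then relabelled, the comment should say so, for example `# composd creates the staging dir under the ART APEX data dir and relabels it to apex_art_staging_data_file for odrefresh`. It is also worth checking whether the first rule can be reduced to the create/relabel subset actually used. The matching `-composd` exemption in private/domain.te belongs to a neverallow whose body lies outside the hunk, so it deserves the same justification next to it.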
diff --git a/private/domain.te b/private/domain.te
index 5b9a5b1..24e05b5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -315,9 +315,10 @@
 
 neverallow {
   domain
-  # art processes
+  # art-related processes
   -odrefresh
   -odsign
+  -composd
   # others
   -apexd
   -init
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index f370025..0e1b1a0 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -62,3 +62,8 @@
 allow mediaprovider_app gpu_device:dir search;
 
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+
+# bpfprog access for FUSE BPF
+allow mediaprovider_app fs_bpf:dir search;
+allow mediaprovider_app fs_bpf:file read;
+allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
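Review bot: `map_write` on `bpfloader:bpf` is granted here while the file rule above gives only `fs_bpf:file read`, and the write neverallow in private/bpfloader.te does not exempt this domain. If mediaprovider_app obtains its maps by opening the pinned files, a read-only open would appear to yield a read-only map fd, leaving `map_write` unused. Either drop it, `allow mediaprovider_app bpfloader:bpf { map_read prog_run };`, or extend the comment to say how a writable map fd reaches this domain. Because all objects loaded by bpfloader share one bpf label, this permission is not limited to FUSE-related maps.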
diff --git a/tools/Android.bp b/tools/Android.bp
index a6a15a5..c480dc2 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,8 +59,7 @@
     srcs: ["version_policy.c"],
 }
 
-cc_prebuilt_binary {
-    name: "insertkeys.py",
+python_binary_host {
+    name: "insertkeys",
     srcs: ["insertkeys.py"],
-    host_supported: true,
 }
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index 51b4ab6..24f0dac 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -1,8 +1,8 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 from xml.sax import saxutils, handler, make_parser
 from optparse import OptionParser
-import ConfigParser
+import configparser
 import logging
 import base64
 import sys
@@ -32,7 +32,7 @@
         if not os.path.isfile(path):
             sys.exit("Path " + path + " does not exist or is not a file!")
 
-        pkFile = open(path, 'rb').readlines()
+        pkFile = open(path, 'r').readlines()
         base64Key = ""
         lineNo = 1
         certNo = 1
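Review bot: The file object from `open(path, 'r')` is never closed, and text mode now decodes the certificate with the build host's locale encoding. A stray non-ASCII byte in a PEM file would raise UnicodeDecodeError as a traceback instead of the tool's own "Invalid certificate" exit. Consider `with open(path, 'r', encoding='ascii', errors='strict') as f:` followed by `pkFile = f.readlines()`, with the decode error reported through `sys.exit` like the other input checks. The enclosing method starts and ends outside this hunk.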
@@ -66,7 +66,7 @@
                 self._base64Key.append(base64Key)
                 try:
                     # Pkgmanager and setool see hex strings with lowercase, lets be consistent
-                    self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower())
+                    self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).decode('ascii').lower())
                 except TypeError:
                     sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: "
                             + path)
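Review bot: The `except TypeError` clause no longer matches what Python 3 raises for malformed base64. There `base64.b64decode` raises `binascii.Error`, a subclass of `ValueError`, so a corrupt certificate body now escapes as a traceback instead of the "Invalid certificate" message naming the file and certificate number. Change the clause to `except (TypeError, ValueError):`. The build still fails either way, but the diagnostic identifying the bad key file is lost without this. The enclosing method starts outside the hunk.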
@@ -79,7 +79,7 @@
 
             # If we haven't started the certificate, then we should not encounter any data
             elif not inCert:
-                if line is not "":
+                if line != "":
                     sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo)
                         + " in pem file: " + path)
 
@@ -107,7 +107,7 @@
     def getBase64Keys(self):
         return self._base64Key
 
-class ParseConfig(ConfigParser.ConfigParser):
+class ParseConfig(configparser.ConfigParser):
 
     # This must be lowercase
     OPTION_WILDCARD_TAG = "all"
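Review bot: Switching the base class to `configparser.ConfigParser` changes parsing defaults as well as the name, and nothing in the hunk documents it. Python 3 defaults to `strict=True`, so duplicate sections or options are rejected. It also no longer strips inline `;` comments unless `inline_comment_prefixes` is set, so a trailing comment on a key line would become part of the certificate path. The constructor call is outside this hunk, so I cannot tell whether these are overridden. If the defaults are intended, a comment on the class such as `# Python 3 defaults: duplicates are errors, inline comments are not stripped` would record the decision, and existing keys.conf files should be checked for either pattern.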
@@ -160,15 +160,16 @@
     XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>'
 
     def __init__(self, keyMap, out=sys.stdout):
-
         handler.ContentHandler.__init__(self)
         self._keyMap = keyMap
         self._out = out
+
+    def prologue(self):
         self._out.write(ReplaceTags.XML_ENCODING_TAG)
         self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
         self._out.write("<policy>")
 
-    def __del__(self):
+    def epilogue(self):
         self._out.write("</policy>")
 
     def startElement(self, tag, attrs):
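Review bot: `prologue` and `epilogue` have no docstrings, although they replace implicit behaviour in `__init__` and `__del__` with a calling contract the class now depends on. Each needs a one-line docstring, for example `"""Write the XML declaration and the opening policy tag; call once before parsing any input file."""` and `"""Write the closing policy tag; call once after the last input file has been parsed."""`. Without them, a future caller that constructs `ReplaceTags` and only calls `parser.parse` will silently produce a mac_permissions file with no root element.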
@@ -210,8 +211,6 @@
 
 if __name__ == "__main__":
 
-    # Intentional double space to line up equls signs and opening " for
-    # readability.
     usage  = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
     usage += "This tool allows one to configure an automatic inclusion\n"
     usage += "of signing keys into the mac_permision.xml file(s) from the\n"
@@ -262,6 +261,9 @@
         logging.info(k + " : " + str(key_map[k]))
     # Generate the XML file with markup replaced with keys
     parser = make_parser()
-    parser.setContentHandler(ReplaceTags(key_map, output_file))
+    handler = ReplaceTags(key_map, output_file)
+    parser.setContentHandler(handler)
+    handler.prologue()
     for f in args[1:]:
         parser.parse(f)
+    handler.epilogue()
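Review bot: The new local `handler` rebinds the module-level name imported by `from xml.sax import saxutils, handler, make_parser`, which `ReplaceTags.__init__` still uses in `handler.ContentHandler.__init__(self)`. It works here only because the single instance is constructed before the rebinding; any later construction would fail with an AttributeError. Rename the variable, e.g. `tag_handler = ReplaceTags(key_map, output_file)`, and update the three following uses. Separately, `epilogue()` is skipped if `parser.parse(f)` raises, so a failed run can leave an output file without its closing tag. Wrapping the loop in `try`/`finally`, or removing the partial output on error, would avoid leaving a truncated policy file behind.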
