Merge "traced_probes: allow traced_probes to access diskstats info"
diff --git a/Android.mk b/Android.mk
index 8220fd5..618f7f0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -260,19 +260,6 @@
 SHAREDLIB_EXT=so
 endif
 
-# Convert a file_context file for a non-flattened APEX into a file for
-# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
-# $(1): path to the input file_contexts file for non-flattened APEX
-# $(2): path to the flattened APEX
-# $(3): path to the generated file_contexts file for flattened APEX
-# $(4): variable where $(3) is added to
-define build_flattened_apex_file_contexts
-$(4) += $(3)
-$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
-$(3): $(1)
-	$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
-endef
-
 #################################
 
 include $(CLEAR_VARS)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 88cd32b..d91ef21 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -217,6 +217,7 @@
 		"country_detector":                                                EXCEPTION_NO_FUZZER,
 		"coverage":                                                        EXCEPTION_NO_FUZZER,
 		"cpuinfo":                                                         EXCEPTION_NO_FUZZER,
+		"cpu_monitor":                                                     EXCEPTION_NO_FUZZER,
 		"credential":                                                      EXCEPTION_NO_FUZZER,
 		"crossprofileapps":                                                EXCEPTION_NO_FUZZER,
 		"dataloader_manager":                                              EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
index 5b042ae..e69de29 100644
--- a/microdroid/system/private/bug_map
+++ b/microdroid/system/private/bug_map
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index f4bb79b..6dd97d0 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -11,7 +11,7 @@
 dontaudit compos self:global_capability_class_set dac_override;
 
 # Allow settings system properties that ART expects.
-set_prop(compos, dalvik_config_prop)
+set_prop(compos, dalvik_config_prop_type)
 set_prop(compos, device_config_runtime_native_boot_prop)
 
 # Allow running odrefresh in its own domain
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 6a43b56..3eae8c0 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -63,4 +63,5 @@
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
+neverallow crash_dump self:process ptrace;
 neverallow crash_dump no_crash_dump_domain:process ptrace;
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index bd93f6e..1639640 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -31,7 +31,7 @@
 allow dex2oat apex_info_file:file r_file_perms;
 
 # Allow reading dalvik system properties that may affect compilation
-get_prop(dex2oat, dalvik_config_prop)
+get_prop(dex2oat, dalvik_config_prop_type)
 get_prop(dex2oat, device_config_runtime_native_boot_prop)
 
 # Don't audit because we don't configure the compiler through these
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a8fff90..1e8529b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -185,10 +185,6 @@
 # named pipes, and named sockets). We start off with a safe set.
 allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
 # Allow a process to make a determination whether a file descriptor
 # for a plain file or pipe (fifo_file) is a tty. Note that granting
 # this allowlist to domain does not grant the ioctl permission to
@@ -229,8 +225,6 @@
 allow { domain } cgroup_v2:dir w_dir_perms;
 allow { domain } cgroup_v2:file w_file_perms;
 
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
@@ -533,12 +527,6 @@
 neverallow domain cgroup:file create;
 neverallow domain cgroup_v2:file create;
 
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
-  domain
-} ashmem_device:chr_file open;
-
 neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
 
 # Linux lockdown "integrity" level is enforced for user builds.
@@ -550,3 +538,6 @@
 
 # Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
 neverallow domain encryptedstore_file:file no_x_file_perms;
+
+# Only crash_dump is allowed to access ptrace
+neverallow { domain -crash_dump } domain:process ptrace;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index a06a9cf..c6ed654 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -1,7 +1,6 @@
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
 allow encryptedstore_file encryptedstore_fs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index fa81c90..3498680 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -32,8 +32,6 @@
 # Devices
 #
 /dev(/.*)?		u:object_r:device:s0
-/dev/ashmem		u:object_r:ashmem_device:s0
-/dev/ashmem(.*)?	u:object_r:ashmem_libcutils_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
@@ -41,14 +39,8 @@
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/console		u:object_r:console_device:s0
-/dev/dma_heap(/.*)?     u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system    u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached    u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*)	 u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dm-user(/.*)?	u:object_r:dm_user_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
-/dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/hvc0               u:object_r:serial_device:s0
 /dev/hvc1               u:object_r:serial_device:s0
@@ -59,7 +51,6 @@
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/kmsg		u:object_r:kmsg_device:s0
 /dev/kmsg_debug	u:object_r:kmsg_debug_device:s0
-/dev/kvm		u:object_r:kvm_device:s0
 /dev/null		u:object_r:null_device:s0
 /dev/open-dice0         u:object_r:open_dice_device:s0
 /dev/random		u:object_r:random_device:s0
@@ -73,17 +64,10 @@
 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
 /dev/socket/traced_consumer	u:object_r:traced_consumer_socket:s0
 /dev/socket/traced_producer	u:object_r:traced_producer_socket:s0
-/dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
-/dev/tun		u:object_r:tun_device:s0
-/dev/uhid		u:object_r:uhid_device:s0
-/dev/uinput		u:object_r:uhid_device:s0
-/dev/uio[0-9]*		u:object_r:uio_device:s0
 /dev/urandom		u:object_r:random_device:s0
-/dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/vsock		u:object_r:vsock_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 5ad30e5..408418c 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -27,7 +27,6 @@
 allow init {
   dev_type
   -hw_random_device
-  -kvm_device
 }:chr_file setattr;
 
 # /dev/__null__ node created by init.
@@ -40,9 +39,6 @@
 # /dev/__properties__/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
 # /dev/socket
 allow init { device socket_device dm_user_device }:dir relabelto;
 # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
@@ -114,7 +110,6 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
@@ -181,7 +176,6 @@
   file_type
   -apex_info_file
   -exec_type
-  -runtime_event_log_tags_file
   -shell_data_file
   -system_file_type
   -vendor_file_type
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8635ed4..23b5033 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -122,6 +122,10 @@
 # Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
 allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
 
+# Allow microdroid_manager to read AVF debug policy
+allow microdroid_manager sysfs_dt_avf:dir search;
+allow microdroid_manager sysfs_dt_avf:file { open read };
+
 # Domains other than microdroid can't write extra_apks
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c236637..0acf046 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -37,7 +37,7 @@
 
 # Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
 # in the output for later verification check.
-get_prop(odrefresh, dalvik_config_prop)
+get_prop(odrefresh, dalvik_config_prop_type)
 get_prop(odrefresh, device_config_runtime_native_boot_prop)
 
 # Silently ignore the write to properties, e.g. for setting boot animation progress.
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 638b246..3077301 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -2,6 +2,7 @@
 
 # Declare ART properties for CompOS
 system_public_prop(dalvik_config_prop)
+system_public_prop(dalvik_dynamic_config_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index dd43a81..e74d6d2 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -152,10 +152,22 @@
 
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
 
-# ART properties for CompOS
+# ART properties for CompOS.
 dalvik.vm.                                  u:object_r:dalvik_config_prop:s0 prefix
 ro.dalvik.vm.                               u:object_r:dalvik_config_prop:s0 prefix
 persist.device_config.runtime_native.       u:object_r:device_config_runtime_native_prop:s0 prefix
 persist.device_config.runtime_native_boot.  u:object_r:device_config_runtime_native_boot_prop:s0 prefix
 
+# A list of ART properties that can be set dynamically.
+dalvik.vm.background-dex2oat-cpu-set          u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.background-dex2oat-threads          u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.boot-dex2oat-cpu-set                u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads                u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.dex2oat-cpu-set                     u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.dex2oat-threads                     u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-cpu-set               u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads               u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_dynamic_config_prop:s0 exact int
+
 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index d6c3c0d..038be00 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,8 +1,5 @@
 typeattribute shell coredomain;
 
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index cfefc67..5b6f82e 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -150,3 +150,6 @@
 
 # Domains that are blocked from producing a crash dump
 attribute no_crash_dump_domain;
+
+# All types of ART properties.
+attribute dalvik_config_prop_type;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 8c6f777..1a64b62 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,24 +1,17 @@
-type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type;
 type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
 type fuse_device, dev_type;
 type hw_random_device, dev_type;
 type kmsg_debug_device, dev_type;
 type kmsg_device, dev_type;
-type kvm_device, dev_type;
 type loop_control_device, dev_type;
 type loop_device, dev_type;
 type null_device, dev_type;
 type open_dice_device, dev_type;
 type owntty_device, dev_type;
-type ppp_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
@@ -30,10 +23,6 @@
 type log_device, dev_type;
 type socket_device, dev_type;
 type tty_device, dev_type;
-type tun_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
 type vd_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d9a6e44..d53de79 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -8,14 +8,12 @@
 type authfs_service_socket, file_type, coredomain_socket;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type linkerconfig_file, file_type;
 type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 type property_contexts_file, file_type, system_file_type;
 type property_socket, file_type, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
 type sepolicy_file, file_type, system_file_type;
 type service_contexts_file, file_type, system_file_type;
 type shell_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index fa5db03..3db899a 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -49,7 +49,6 @@
 allow vendor_init {
   file_type
   -exec_type
-  -runtime_event_log_tags_file
   -system_file_type
   -unlabeled
   -vendor_file_type
@@ -144,6 +143,5 @@
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
-  -kvm_device
   -hw_random_device
 }:chr_file setattr;
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index e284e19..8f193fb 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -351,6 +351,8 @@
 audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.util_clamp_min  u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.pose_predictor_type    u:object_r:audio_config_prop:s0 exact enum 0 1 2 3
+audio.spatializer.prediction_duration_ms u:object_r:audio_config_prop:s0 exact int
 
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
diff --git a/private/app.te b/private/app.te
index 5c3472d..fa40b52 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,7 +34,7 @@
 get_prop(appdomain, test_harness_prop)
 
 get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, dalvik_config_prop_type)
 get_prop(appdomain, media_config_prop)
 get_prop(appdomain, packagemanager_config_prop)
 get_prop(appdomain, radio_control_prop)
@@ -46,6 +46,7 @@
 get_prop(appdomain, adbd_config_prop)
 get_prop(appdomain, dck_prop)
 get_prop(appdomain, persist_wm_debug_prop)
+get_prop(appdomain, persist_sysui_builder_extras_prop)
 
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc259..eecda30 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
 
 neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
-neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
-neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
-neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
-neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               { getattr read };
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    { getattr read };
+neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index afcebba..8fa3985 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1545,7 +1545,10 @@
 (typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
 (typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
 (typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
-(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
+(typeattributeset dalvik_config_prop_33_0
+  ( dalvik_config_prop
+    dalvik_dynamic_config_prop
+))
 (typeattributeset dalvik_prop_33_0 (dalvik_prop))
 (typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
 (typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..cfbe2da 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,9 @@
     artd
     bt_device
     build_attestation_prop
+    composd_vm_art_prop
+    composd_vm_vendor_prop
+    cpu_monitor_service
     credential_service
     device_as_webcam
     device_config_camera_native_prop
@@ -48,6 +51,7 @@
     fuseblkd
     fuseblkd_exec
     permissive_mte_prop
+    persist_sysui_builder_extras_prop
     prng_seeder
     recovery_usb_config_prop
     remote_provisioning_service
@@ -55,6 +59,7 @@
     servicemanager_prop
     shutdown_checkpoints_system_data_file
     stats_config_data_file
+    sysfs_fs_fuse_features
     system_net_netd_service
     timezone_metadata_prop
     traced_oome_heap_session_count_prop
diff --git a/private/composd.te b/private/composd.te
index 96991c6..409b2cb 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -30,9 +30,16 @@
 domain_auto_trans(composd, fd_server_exec, compos_fd_server)
 allow composd compos_fd_server:process signal;
 
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
 # Read ART's properties
-get_prop(composd, dalvik_config_prop)
+get_prop(composd, dalvik_config_prop_type)
 get_prop(composd, device_config_runtime_native_boot_prop)
 
 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
diff --git a/private/coredomain.te b/private/coredomain.te
index 96ce488..f8b2ee5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,7 +1,7 @@
 get_prop(coredomain, apex_ready_prop)
 get_prop(coredomain, boot_status_prop)
 get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_config_prop_type)
 get_prop(coredomain, dalvik_runtime_prop)
 get_prop(coredomain, exported_pm_prop)
 get_prop(coredomain, ffs_config_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index df97235..f1012b7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,14 +2,20 @@
 type crosvm_exec, system_file_type, exec_type, file_type;
 type crosvm_tmpfs, file_type;
 
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
+# Let crosvm open VM manager devices such as /dev/kvm.
+allow crosvm vm_manager_device_type:chr_file rw_file_perms;
 
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
 neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
 
+# Most other domains shouldn't access other vm managers either.
+# These restrictions need to be slightly looser than for kvm_device to allow
+# for different implementations.
+neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
+neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
+
 # Let crosvm create temporary files.
 tmpfs_domain(crosvm)
 
diff --git a/private/domain.te b/private/domain.te
index 1e5e0f5..1c27662 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -56,6 +56,9 @@
 # Everyone can access the IncFS list of features.
 r_dir_file(domain, sysfs_fs_incfs_features);
 
+# Everyone can access the fuse list of features.
+r_dir_file(domain, sysfs_fs_fuse_features);
+
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
diff --git a/private/file.te b/private/file.te
index 539e63e..f6781b0 100644
--- a/private/file.te
+++ b/private/file.te
@@ -104,7 +104,7 @@
 # /dev/kvm
 # The type needs to be mlstrustedobject to allow for being accessed from
 # crosvm, which runs at a more constrained MLS level.
-type kvm_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
 
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f5a92ac..8e35c46 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -150,6 +150,7 @@
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
 genfscon sysfs /fs/fuse/bpf_prog_type_fuse        u:object_r:sysfs_fs_fuse_bpf:s0
+genfscon sysfs /fs/fuse/features                  u:object_r:sysfs_fs_fuse_features:s0
 genfscon sysfs /fs/incremental-fs/features        u:object_r:sysfs_fs_incfs_features:s0
 genfscon sysfs /fs/incremental-fs/instances       u:object_r:sysfs_fs_incfs_metrics:s0
 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
diff --git a/private/init.te b/private/init.te
index 72dedd2..9d3a2c3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -120,6 +120,6 @@
   dev_type
   -hw_random_device
   -keychord_device
-  -kvm_device
+  -vm_manager_device_type
   -port_device
 }:chr_file setattr;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index bb9da6c..200af1b 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -95,6 +95,7 @@
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+  -sysfs_fs_fuse_features
   -sysfs_fs_incfs_features
 }:file no_rw_file_perms;
 
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index bde6195..4ed4b36 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -32,6 +32,9 @@
 # permitted.
 allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
 
+# Allow access to the toybox: b/275024392
+allow isolated_compute_app toolbox_exec:file rx_file_perms;
+
 #####
 ##### Neverallow
 #####
diff --git a/private/netd.te b/private/netd.te
index ae43e47..8be8212 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,7 +7,7 @@
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
 allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 900b35c..01f1915 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -26,7 +26,7 @@
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
 allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
 allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
diff --git a/private/network_stack.te b/private/network_stack.te
index dfee019..d9135a1 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -61,7 +61,7 @@
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
 # Use XFRM (IPsec) netlink sockets
diff --git a/private/perfetto.te b/private/perfetto.te
index 45fa60b..a87f2ad 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,6 +22,10 @@
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
 allow perfetto perfetto_traces_data_file:file create_file_perms;
 
+# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
+allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
+allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+
 # Allow perfetto to access the proxy service for reporting traces.
 allow perfetto tracingproxy_service:service_manager find;
 binder_use(perfetto)
@@ -117,6 +121,7 @@
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -perfetto_traces_data_file
+  -perfetto_traces_bugreport_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
@@ -124,6 +129,7 @@
 neverallow perfetto {
   data_file_type
   -perfetto_traces_data_file
+  -perfetto_traces_bugreport_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:file ~write;
diff --git a/private/platform_app.te b/private/platform_app.te
index 5d16d85..6d49502 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -45,6 +45,10 @@
 ')
 neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
 
+userdebug_or_eng(`
+  set_prop(platform_app, persist_sysui_builder_extras_prop)
+')
+
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
   proc_vmstat
@@ -122,5 +126,7 @@
 ### Neverallow rules
 ###
 
+neverallow { domain -init userdebug_or_eng(`-shell -platform_app') } persist_sysui_builder_extras_prop:property_service set;
+
 # app domains which access /dev/fuse should not run as platform_app
 neverallow platform_app fuse_device:chr_file *;
diff --git a/private/property.te b/private/property.te
index 9e49c30..35f9bc7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -54,6 +54,7 @@
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(log_file_logger_prop)
+system_restricted_prop(persist_sysui_builder_extras_prop)
 
 ###
 ### Neverallow rules
@@ -275,7 +276,7 @@
     -vendor_init
   } {
     core_property_type
-    dalvik_config_prop
+    dalvik_config_prop_type
     extended_core_property_type
     exported3_system_prop
     systemsound_config_prop
diff --git a/private/property_contexts b/private/property_contexts
index 00b1347..603c70b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -373,6 +373,8 @@
 audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.util_clamp_min  u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.pose_predictor_type    u:object_r:audio_config_prop:s0 exact enum 0 1 2 3
+audio.spatializer.prediction_duration_ms u:object_r:audio_config_prop:s0 exact int
 
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
@@ -405,31 +407,27 @@
 ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
 ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
 
-# ART properties
+# ART properties.
 dalvik.vm.                 u:object_r:dalvik_config_prop:s0
 ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
 ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
 
 # A set of ART properties listed explicitly for compatibility purposes.
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
+ro.dalvik.vm.native.bridge                    u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set                u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads                u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.boot-image                          u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.bgdexopt.new-classes-percent        u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.bgdexopt.new-methods-percent        u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.checkjni                            u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.dex2oat-Xms                         u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.dex2oat-Xmx                         u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set                     u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.dex2oat-filter                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.dex2oat-flags                       u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.dex2oat-max-image-block-size        u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.dex2oat-minidebuginfo               u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.dex2oat-resolve-startup-strings     u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-threads                     u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.dex2oat-very-large                  u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.dex2oat-swap                        u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.dex2oat64.enabled                   u:object_r:dalvik_config_prop:s0 exact bool
@@ -448,10 +446,8 @@
 dalvik.vm.hot-startup-method-samples          u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.image-dex2oat-Xms                   u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.image-dex2oat-Xmx                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set               u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.image-dex2oat-filter                u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.image-dex2oat-flags                 u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads               u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.isa.arm.features                    u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.isa.arm.variant                     u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.isa.arm64.features                  u:object_r:dalvik_config_prop:s0 exact string
@@ -481,11 +477,21 @@
 dalvik.vm.profilebootclasspath                u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.ps-min-save-period-ms               u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.ps-resolved-classes-delay-ms        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
 
+# A list of ART properties that can be set dynamically.
+dalvik.vm.background-dex2oat-cpu-set          u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.background-dex2oat-threads          u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.boot-dex2oat-cpu-set                u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads                u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.dex2oat-cpu-set                     u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.dex2oat-threads                     u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-cpu-set               u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads               u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_dynamic_config_prop:s0 exact int
+
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
 
 keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
@@ -1483,6 +1489,10 @@
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
 
+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
 # properties for the virtual Face HAL
 persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
 persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
@@ -1538,3 +1548,6 @@
 
 # UVC Gadget property
 ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
+
+# System UI notification properties
+persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index cfcf2a4..fc4fce3 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -42,7 +42,7 @@
     -codec2_config_prop
     -config_prop
     -cppreopt_prop
-    -dalvik_config_prop
+    -dalvik_config_prop_type
     -dalvik_prop
     -dalvik_runtime_prop
     -dck_prop
diff --git a/private/shell.te b/private/shell.te
index cdbf7c2..85d09f9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -243,3 +243,7 @@
 
 # Allow shell to write GWP-ASan properties even on user builds.
 set_prop(shell, gwp_asan_prop)
+
+# Allow shell to set persist.sysui.notification.builder_extras_override property
+userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+
diff --git a/private/stats.te b/private/stats.te
index 89b9488..5790faa 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -56,4 +56,5 @@
   -system_app
   -system_server
   -traceur_app
+  -traced_probes
 } stats_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 27e5594..20e6427 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -836,6 +836,9 @@
 # Read persist.wm.debug. properties
 get_prop(system_server, persist_wm_debug_prop)
 
+# Read persist.sysui.notification.builder_extras_override property
+get_prop(system_server, persist_sysui_builder_extras_prop)
+
 # Read ro.tuner.lazyhal
 get_prop(system_server, tuner_config_prop)
 # Write tuner.server.enable
@@ -1175,7 +1178,7 @@
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
@@ -1527,3 +1530,6 @@
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Allow system server to set dynamic ART properties.
+set_prop(system_server, dalvik_dynamic_config_prop)
diff --git a/private/traced.te b/private/traced.te
index 171e092..fc75239 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -24,9 +24,6 @@
 # Allow the service to create new files within /data/misc/perfetto-traces.
 allow traced perfetto_traces_data_file:file create_file_perms;
 allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
 
 # Allow traceur to pass open file descriptors to traced, so traced can directly
 # write into the output file without doing roundtrips over IPC.
@@ -89,7 +86,6 @@
 neverallow traced {
   data_file_type
   -perfetto_traces_data_file
-  -perfetto_traces_bugreport_data_file
   -system_data_file
   -system_data_root_file
   -media_userdir_file
@@ -104,7 +100,6 @@
 neverallow traced {
   data_file_type
   -perfetto_traces_data_file
-  -perfetto_traces_bugreport_data_file
   -trace_data_file
   with_native_coverage(`-method_trace_data_file')
 }:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 86f5067..0d68fa3 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -103,8 +103,10 @@
 # On debug builds allow to ingest system logs into the trace.
 userdebug_or_eng(`read_logd(traced_probes)')
 
-# Allow traced_probes to talk to statsd for logging metrics.
+# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
 unix_socket_send(traced_probes, statsdw, statsd)
+binder_call(traced_probes, statsd)
+allow traced_probes stats_service:service_manager find;
 
 ###
 ### Neverallow rules
diff --git a/private/vendor_init.te b/private/vendor_init.te
index acbd84e..1680f96 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -19,7 +19,7 @@
 allow vendor_init {
   dev_type
   -keychord_device
-  -kvm_device
+  -vm_manager_device_type
   -port_device
   -lowpan_device
   -hw_random_device
diff --git a/public/attributes b/public/attributes
index 0b5f596..1e2dabb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -417,6 +417,9 @@
 attribute dmabuf_heap_device_type;
 expandattribute dmabuf_heap_device_type false;
 
+# Types for VM managers
+attribute vm_manager_device_type;
+
 # All types used for DSU metadata files.
 attribute gsi_metadata_file_type;
 
@@ -430,3 +433,6 @@
 # permissions to maintain the health loop, writing to kernel log, handling
 # inputs and drawing screens, etc.
 attribute charger_type;
+
+# All types of ART properties.
+attribute dalvik_config_prop_type;
diff --git a/public/file.te b/public/file.te
index 9ca6802..da76aee 100644
--- a/public/file.te
+++ b/public/file.te
@@ -123,6 +123,7 @@
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type sysfs_fs_f2fs, sysfs_type, fs_type;
 type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
+type sysfs_fs_fuse_features, sysfs_type, fs_type;
 type sysfs_fs_incfs_features, sysfs_type, fs_type;
 type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
 type sysfs_vendor_sched, sysfs_type, fs_type;
diff --git a/public/iorap.te b/public/iorap.te
deleted file mode 100644
index 0671c34..0000000
--- a/public/iorap.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Define these types for now, as they may be used in device-specific policy.
-type iorapd;
-type iorap_inode2filename;
-type iorap_prefetcherd;
diff --git a/public/property.te b/public/property.te
index 74dd0f5..4427822 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
 system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_edgetpu_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
@@ -142,6 +143,7 @@
 system_vendor_config_prop(camerax_extensions_prop)
 system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
@@ -205,6 +207,7 @@
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_dynamic_config_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
 system_public_prop(device_config_memory_safety_native_boot_prop)
@@ -365,3 +368,5 @@
 typeattribute usb_prop           core_property_type;
 typeattribute vold_prop          core_property_type;
 
+typeattribute dalvik_config_prop         dalvik_config_prop_type;
+typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
diff --git a/public/service.te b/public/service.te
index e8f97bb..3dc9d85 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
 # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
 type coverage_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type cpu_monitor_service, system_server_service, service_manager_type;
 type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type;
 type dataloader_manager_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index e1c24c6..71597cc 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -34,6 +34,7 @@
 binder_call(statsd, appdomain)
 binder_call(statsd, incidentd)
 binder_call(statsd, system_server)
+binder_call(statsd, traced_probes)
 
 # Allow statsd to interact with gpuservice
 allow statsd gpu_service:service_manager find;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 683ab61..288d035 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@
 set_prop(vendor_init, camera2_extensions_prop)
 set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_dynamic_config_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_bluetooth_prop)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1d380ab..2c52e2c 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -347,7 +347,8 @@
       "hal_neuralnetworks_service":["service_manager"],
       "servicemanager":["fd"],
       "speech_recognition_service":["service_manager"],
-      "mediaserver_service" :["service_manager"]
+      "mediaserver_service" :["service_manager"],
+      "toolbox_exec": ["file"],
   }
 
   def resolveHalServerSubtype(target):
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 59d6c39..0bdb7fd 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -29,3 +29,6 @@
 # allow to monitor uevents and access video devices
 allow hal_evs_default device:dir r_dir_perms;
 allow hal_evs_default video_device:chr_file rw_file_perms;
+
+# allow to access graphics related properties
+get_prop(hal_evs_default, graphics_config_prop);