diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 4b9d87d4b591b61a7f4c82a38f012d935f85533a..6f2b820b78b8f44be70e47ad22d40fd6cfa56264 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -225,8 +225,8 @@ allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
diff --git a/prebuilts/api/26.0/private/file_contexts b/prebuilts/api/26.0/private/file_contexts
index aefd95fd3ffded05e853bb358cee7acab4ea6017..4485b9537f98a2af908f255c4e6d4046c4ca2b5e 100644
--- a/prebuilts/api/26.0/private/file_contexts
+++ b/prebuilts/api/26.0/private/file_contexts
@@ -38,7 +38,6 @@
 /sdcard u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:file_contexts_file:s0
 /nonplat_file_contexts u:object_r:file_contexts_file:s0
 /plat_file_contexts u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
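Review bot: The two added `allow` lines give every non-isolated, non-ephemeral app `create_dir_perms`/`create_file_perms` on anything labelled `vfat`, but the comment directly above them still only explains the `media_rw_data_file` half. The very next comment in the hunk says OBBs are vfat images mounted by vold, so if those mounts also carry the `vfat` label this change widens app access to other apps' OBB mounts to full create/write at the MAC layer, leaving DAC and mount options as the only barrier — that needs confirming before this lands in the prebuilt API. Please extend the comment to cover the new type, for example `# vfat is included because sdcardfs passes app accesses through to the underlying FS, which is vfat on removable media` (assuming that is the reason), and state explicitly why OBB mounts are not affected if they are not.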
@@ -523,6 +522,7 @@
 /sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/saved_cmdlines_size u:object_r:tracing_shell_writable_debug:s0
 
 #############################
 # asec containers
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index 34cbadcfcd395cf659977ceeb822c76747acc91a..d2b370a21b244e639d80b16f2bd29c7ae74554cd 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -497,6 +497,7 @@
 -recovery
 -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -555,6 +556,7 @@ full_treble_only(`
 -appdomain
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 } servicemanager:binder { call transfer };
+ neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
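Review bot: The added `neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302` is dropped between the `misc_block_device` neverallow and the context-manager rule, neither of which has anything to do with it, and the bare TODO is its only explanation. A neverallow on `unlabeled:service_manager list` forbids nothing `hal_bootctl` could plausibly be granted, so it reads as a placeholder reference that keeps `hal_bootctl` present in the compiled prebuilt policy rather than a real restriction — if that is the intent it should be said, or the next reader will remove it as dead. Suggest `# Placeholder so hal_bootctl stays referenced in the 26.0 prebuilt policy; not a real restriction. Remove with b/62658302.` and moving the line next to the other b/62658302 placeholders instead of inside this section.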
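Review bot: The added `neverallow binder_in_vendor_violators unlabeled:service_manager list ;` has a stray space before the `;`, unlike the other b/62658302 placeholders in this change; write it as `neverallow binder_in_vendor_violators unlabeled:service_manager list; #TODO: b/62658302`. Because it sits inside the `full_treble_only` block it is only emitted on full-Treble builds, which is presumably deliberate since the attribute is only referenced there, but the TODO should say what the rule is for so it is not mistaken for a real restriction on `binder_in_vendor_violators`. The enclosing `full_treble_only(` block starts before the hunk.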
@@ -613,6 +615,7 @@ full_treble_only(`
 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
 });
+ neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
 neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@ full_treble_only(`
 -pdx_endpoint_socket_type # used by VR layer
 -pdx_channel_socket_type # used by VR layer
 }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ pdx_endpoint_socket_type
+ pdx_channel_socket_type
+ } unlabeled:service_manager list; #TODO: b/62658302
 
 # Core domains are not permitted to create/open sockets owned by vendor domains
 neverallow {
@@ -728,6 +735,7 @@ full_treble_only(`
 -crash_dump_exec
 -netutils_wrapper_exec
 }:file { entrypoint execute execute_no_trans };
+ neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/prebuilts/api/26.0/public/radio.te b/prebuilts/api/26.0/public/radio.te
index 87329d913c485eef39ed475e64875449554f2d3f..6f29a705d362c185412e02b36e02e46610fb8d7f 100644
--- a/prebuilts/api/26.0/public/radio.te
+++ b/prebuilts/api/26.0/public/radio.te
@@ -5,9 +5,8 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
-# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
+# Talks to rild via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
 
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
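Review bot: The new four-line `neverallow { pdx_endpoint_socket_type pdx_channel_socket_type } unlabeled:service_manager list;` uses as its source two names that, going by the `_type` suffix and their use as subtractions in the `sock_file` rule just above, look like attributes of socket file types rather than process domains, so the rule can never match a real subject and only serves to keep those attributes referenced in the prebuilt policy. That is acceptable for a placeholder, but nothing beyond `#TODO: b/62658302` says so, and a reader could reasonably fold it into the socket rule above or delete it. Suggest a comment above the block such as `# Placeholder reference so the pdx attributes survive in the prebuilt policy; not a real restriction. Remove with b/62658302.`. The enclosing `full_treble_only(` block starts before the hunk.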
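Review bot: The replacement comment `# Talks to rild via the rild socket only for devices without full treble` drops the bug reference b/36613472 that tracked removing this socket path altogether, even though the grant still exists on every non-Treble device; keep the reference so the legacy branch is not forgotten, e.g. `# TODO(b/36613472): legacy (non-Treble) devices still reach rild over its socket; drop once rild socket use is gone.`. Whether `not_full_treble` is defined in this policy's te_macros is not visible in the hunk — worth confirming, since an undefined m4 macro would leave the text unexpanded and the policy would fail to compile rather than silently drop the grant.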
diff --git a/prebuilts/api/26.0/public/te_macros b/prebuilts/api/26.0/public/te_macros
index b1937d85d7395033f245e7757222c660d9ed3872..d65eb889ca28da46c9f285780e9df1c7facd049a 100644
--- a/prebuilts/api/26.0/public/te_macros
+++ b/prebuilts/api/26.0/public/te_macros
@@ -550,6 +550,7 @@ define(`use_drmservice', `
 define(`add_service', `
 allow $1 $2:service_manager { add find };
 neverallow { domain -$1 } $2:service_manager add;
+ neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -561,6 +562,7 @@ define(`add_hwservice', `
 allow $1 $2:hwservice_manager { add find };
 allow $1 hidl_base_hwservice:hwservice_manager add;
 neverallow { domain -$1 } $2:hwservice_manager add;
+ neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################
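Review bot: Putting `neverallow $1 unlabeled:service_manager add; #TODO: b/62658302` inside `add_service` (and its twin in `add_hwservice`) re-emits the rule for every caller of the macro, and the TODO does not say what it is for. Since `$1` is the calling domain and no caller is granted anything on `unlabeled` services, the rule looks like it exists only so that `$1` (which may be an attribute) stays referenced in the prebuilt policy rather than as a genuine restriction — if so, state it, because a maintainer reading the macro will otherwise treat it as part of the `add_service` contract. Suggest `# Placeholder reference so $1 survives in the prebuilt policy; not a real restriction. Remove with b/62658302.` above the line in both macros; the macro header comments sit above the hunk and should mention it as well.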