diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 3dfb8a6490426a3d2a029f5cc84e9f301cefc94d..5d919710e4994d5d2b7e4f025f7933fb8abc22dc 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
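Review bot: The new `# Metadata files` header does not say why `/metadata/vold` gets its own type, and the declarations of `metadata_file` and `vold_metadata_file` are not part of this diff, so confirm both exist in the file type definitions. If the split is meant to keep vold's data away from domains that can read the rest of `/metadata` (inferred from the type name), a comment such as `# /metadata/vold is labeled separately so that access to it can be granted more narrowly than to /metadata` would record that. The two added entries are space-aligned, while the neighbouring `/data/cache/backup` entry uses a tab; match the file's existing separator. The same applies to the identical hunk in `private/file_contexts`.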
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
index ce26d73a69efedc4663de19afb358d5d7d2b2444..7e2ea50922d57e7f47ecab254847feb6016a9376 100644
--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
@@ -141,7 +141,6 @@ genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_m
 genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
 genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
 
-genfscon debugfs /tracing/events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -158,7 +157,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:
 genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
-genfscon tracefs /events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -200,6 +198,8 @@ genfscon tracefs /events/binder/binder_lock/                             u:objec
 genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
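Review bot: Moving `events/sync/` off `debugfs_tracing_debug` and labelling the new `events/fence/` entry `debugfs_tracing` changes which domains can reach these tracepoints, and nothing in the hunk records why. The allow rules for the two types are outside this diff, but if `debugfs_tracing_debug` is the label reserved for debug builds (as its name suggests), these events become reachable on production builds by every domain granted `debugfs_tracing`; please confirm that is intended. If so, a one-line comment above the two added entries, e.g. `# sync/ and fence/ are intentionally labeled debugfs_tracing, not debugfs_tracing_debug`, would keep a later cleanup from moving them back or widening the set further. The same applies to the debugfs hunk adding `/tracing/events/sync/` and `/tracing/events/fence/` in this file and to both corresponding hunks in `private/genfs_contexts`.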
@@ -226,6 +226,8 @@ genfscon debugfs /tracing/events/binder/binder_lock/
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes
index 7a0c07a7287a1a070fd074e6fd11e096eb048033..6a66c031aa85f5232b356cfa4c727e3edb2419e9 100644
--- a/prebuilts/api/28.0/public/attributes
+++ b/prebuilts/api/28.0/public/attributes
@@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
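Review bot: The comment on `system_writes_vendor_properties_violators` marks the attribute as temporary but does not warn against adding new members, unlike the `WARNING` on the hwservice attribute that follows it. The attribute is subtracted from the source set of the new neverallow in `public/property.te`, so every domain tagged with it is outside that rule entirely. A line such as `# WARNING: do not add new domains to this attribute; fix the property access instead.` would make that explicit. The same applies to the identical hunk in `public/attributes`.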
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 735524e0c327097648a9bebf50eb6e36b8f38f72..dafc06f99bb85f5b0ff568b3af12e8324fd45e87 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
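Review bot: `create_dir_perms` on `vold_metadata_file:dir` is broader than the `# Metadata setup` comment justifies, and the comment does not say what init does with the directory. If init only creates `/metadata/vold` at boot (inferred; the init scripts are not in this diff), check whether the rename, rmdir and reparent permissions bundled into that macro are needed or whether a narrower explicit set would do. The `file getattr` rule also deserves its reason spelled out, for instance `# init creates /metadata/vold at boot; getattr on files is needed when walking the tree` if that is indeed the case. The same applies to the identical hunk in `public/init.te`.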
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index de8e4bec92d2f8480b5e305744dfbe4be8975fbe..c31210c0b55e31518862e125bf8da2ea2cfae5dc 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -279,3 +279,96 @@ compatible_property_only(`
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_mdnsd_prop
+    -ctl_rildaemon_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')
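Review bot: The target set is built by subtracting every platform property type from `property_type`, so the rule depends on this hand-maintained list staying complete. It also subtracts `vendor_default_prop` and `vendor_security_patch_level_prop`, which the comment `Neverallow coredomain to set vendor properties` does not explain. A platform type added later but not listed here will trip the neverallow, which fails closed, but a vendor-owned type listed by mistake is quietly exempted from the restriction. Please add a comment above the list stating that it must be extended with each new platform property type and why the two `vendor_*` types are exempt; an attribute grouping platform-owned property types would remove the need for the enumeration. The same applies to the identical hunk in `public/property.te`.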
diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
index c41adb35d8f25eaef9c0d4ad2adca3d07dbad5b4..9b9eacb252a23d237e17a6e43db4b114799d86fc 100644
--- a/prebuilts/api/28.0/public/ueventd.te
+++ b/prebuilts/api/28.0/public/ueventd.te
@@ -36,6 +36,9 @@ allow ueventd file_contexts_file:file r_file_perms;
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####
diff --git a/private/file_contexts b/private/file_contexts
index 3dfb8a6490426a3d2a029f5cc84e9f301cefc94d..5d919710e4994d5d2b7e4f025f7933fb8abc22dc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ce26d73a69efedc4663de19afb358d5d7d2b2444..7e2ea50922d57e7f47ecab254847feb6016a9376 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -141,7 +141,6 @@ genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_m
 genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
 genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
 
-genfscon debugfs /tracing/events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -158,7 +157,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:
 genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
-genfscon tracefs /events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -200,6 +198,8 @@ genfscon tracefs /events/binder/binder_lock/                             u:objec
 genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -226,6 +226,8 @@ genfscon debugfs /tracing/events/binder/binder_lock/
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
diff --git a/public/attributes b/public/attributes
index 7a0c07a7287a1a070fd074e6fd11e096eb048033..6a66c031aa85f5232b356cfa4c727e3edb2419e9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
diff --git a/public/init.te b/public/init.te
index 735524e0c327097648a9bebf50eb6e36b8f38f72..dafc06f99bb85f5b0ff568b3af12e8324fd45e87 100644
--- a/public/init.te
+++ b/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/property.te b/public/property.te
index de8e4bec92d2f8480b5e305744dfbe4be8975fbe..c31210c0b55e31518862e125bf8da2ea2cfae5dc 100644
--- a/public/property.te
+++ b/public/property.te
@@ -279,3 +279,96 @@ compatible_property_only(`
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_mdnsd_prop
+    -ctl_rildaemon_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')
diff --git a/public/ueventd.te b/public/ueventd.te
index c41adb35d8f25eaef9c0d4ad2adca3d07dbad5b4..9b9eacb252a23d237e17a6e43db4b114799d86fc 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@ allow ueventd file_contexts_file:file r_file_perms;
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####