diff --git a/prebuilts/api/28.0/plat_pub_versioned.cil b/prebuilts/api/28.0/plat_pub_versioned.cil
index d98a249a0b..50df7caea1 100644
--- a/prebuilts/api/28.0/plat_pub_versioned.cil
+++ b/prebuilts/api/28.0/plat_pub_versioned.cil
@@ -4,7 +4,7 @@ (typeattribute domain) (typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0)) (typeattribute fs_type) -(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 
proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 
debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0)) +(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 
sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0)) (typeattribute contextmount_type) (typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0)) (typeattribute file_type) 
@@ -21,7 +21,7 @@ (typeattributeset vendor_file_type (vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 mediacodec_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0)) (typeattribute proc_type) (expandtypeattribute (proc_type) false) -(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0)) +(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 
proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0)) (typeattribute sysfs_type) (typeattributeset sysfs_type (sysfs_usermodehelper_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0)) (typeattribute debugfs_type) @@ -856,6 +856,9 @@ (type proc_cpuinfo) (typeattribute proc_cpuinfo_28_0) (roletype object_r proc_cpuinfo_28_0) +(type proc_deny_new_usb) +(typeattribute proc_deny_new_usb_28_0) +(roletype object_r proc_deny_new_usb_28_0) (type proc_dirty) (typeattribute proc_dirty_28_0) (roletype object_r proc_dirty_28_0) diff --git a/prebuilts/api/28.0/vendor_sepolicy.cil b/prebuilts/api/28.0/vendor_sepolicy.cil index e116208149..73ca9419e8 100644 --- a/prebuilts/api/28.0/vendor_sepolicy.cil 
+++ b/prebuilts/api/28.0/vendor_sepolicy.cil 
@@ -9,7 +9,7 @@ (genfscon sysfs /devices/pnp0/00:00/rtc (u object_r sysfs_rtc ((s0) (s0)))) (typeattributeset dev_type (device_28_0 alarm_device_28_0 ashmem_device_28_0 audio_device_28_0 audio_timer_device_28_0 audio_seq_device_28_0 binder_device_28_0 hwbinder_device_28_0 vndbinder_device_28_0 block_device_28_0 camera_device_28_0 dm_device_28_0 keychord_device_28_0 loop_control_device_28_0 loop_device_28_0 pmsg_device_28_0 radio_device_28_0 ram_device_28_0 rtc_device_28_0 vold_device_28_0 console_device_28_0 cpuctl_device_28_0 fscklogs_28_0 full_device_28_0 gpu_device_28_0 graphics_device_28_0 hw_random_device_28_0 input_device_28_0 kmem_device_28_0 port_device_28_0 lowpan_device_28_0 mtd_device_28_0 mtp_device_28_0 nfc_device_28_0 ptmx_device_28_0 kmsg_device_28_0 kmsg_debug_device_28_0 null_device_28_0 random_device_28_0 secure_element_device_28_0 sensors_device_28_0 serial_device_28_0 socket_device_28_0 owntty_device_28_0 tty_device_28_0 video_device_28_0 vcs_device_28_0 zero_device_28_0 fuse_device_28_0 iio_device_28_0 ion_device_28_0 qtaguid_device_28_0 watchdog_device_28_0 uhid_device_28_0 uio_device_28_0 tun_device_28_0 usbaccessory_device_28_0 usb_device_28_0 properties_device_28_0 properties_serial_28_0 property_info_28_0 i2c_device_28_0 hci_attach_dev_28_0 rpmsg_device_28_0 root_block_device_28_0 frp_block_device_28_0 system_block_device_28_0 recovery_block_device_28_0 boot_block_device_28_0 userdata_block_device_28_0 cache_block_device_28_0 swap_block_device_28_0 metadata_block_device_28_0 misc_block_device_28_0 ppp_device_28_0 tee_device_28_0 qemu_device)) (typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 
hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0 hal_audio_default hal_audiocontrol_default hal_authsecret_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_confirmationui_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_evs_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_lowpan_default hal_memtrack_default hal_nfc_default hal_power_default hal_radio_config_default hal_radio_default hal_secure_element_default 
hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vehicle_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_hostapd_default hal_wifi_offload_default hal_wifi_supplicant_default rild vendor_modprobe createns dhcpclient dhcpserver execns goldfish_setup hal_drm_clearkey hal_drm_widevine hostapd_nohidl ipv6proxy qemu_props)) -(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 
sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0 sysfs_writable nsfs firmware_file)) +(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 
proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0 sysfs_writable nsfs firmware_file)) (typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0 firmware_file)) (typeattributeset file_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 drmserver_socket_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 unlabeled_28_0 system_file_28_0 vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 metadata_file_28_0 vold_metadata_file_28_0 runtime_event_log_tags_file_28_0 logcat_exec_28_0 coredump_file_28_0 system_data_file_28_0 vendor_data_file_28_0 unencrypted_data_file_28_0 install_data_file_28_0 drm_data_file_28_0 adb_data_file_28_0 
anr_data_file_28_0 tombstone_data_file_28_0 tombstone_wifi_data_file_28_0 apk_data_file_28_0 apk_tmp_file_28_0 apk_private_data_file_28_0 apk_private_tmp_file_28_0 dalvikcache_data_file_28_0 ota_data_file_28_0 ota_package_file_28_0 user_profile_data_file_28_0 profman_dump_data_file_28_0 resourcecache_data_file_28_0 shell_data_file_28_0 property_data_file_28_0 bootchart_data_file_28_0 heapdump_data_file_28_0 nativetest_data_file_28_0 ringtone_file_28_0 preloads_data_file_28_0 preloads_media_file_28_0 dhcp_data_file_28_0 mnt_media_rw_file_28_0 mnt_user_file_28_0 mnt_expand_file_28_0 storage_file_28_0 mnt_media_rw_stub_file_28_0 storage_stub_file_28_0 mnt_vendor_file_28_0 postinstall_mnt_dir_28_0 postinstall_file_28_0 adb_keys_file_28_0 audio_data_file_28_0 audioserver_data_file_28_0 bluetooth_data_file_28_0 bluetooth_logs_data_file_28_0 bootstat_data_file_28_0 boottrace_data_file_28_0 camera_data_file_28_0 gatekeeper_data_file_28_0 incident_data_file_28_0 keychain_data_file_28_0 keystore_data_file_28_0 media_data_file_28_0 media_rw_data_file_28_0 misc_user_data_file_28_0 net_data_file_28_0 network_watchlist_data_file_28_0 nfc_data_file_28_0 radio_data_file_28_0 recovery_data_file_28_0 shared_relro_file_28_0 systemkeys_data_file_28_0 textclassifier_data_file_28_0 trace_data_file_28_0 vpn_data_file_28_0 wifi_data_file_28_0 zoneinfo_data_file_28_0 vold_data_file_28_0 perfprofd_data_file_28_0 tee_data_file_28_0 update_engine_data_file_28_0 update_engine_log_data_file_28_0 method_trace_data_file_28_0 app_data_file_28_0 system_app_data_file_28_0 cache_file_28_0 cache_backup_file_28_0 cache_private_backup_file_28_0 cache_recovery_file_28_0 efs_file_28_0 wallpaper_file_28_0 shortcut_manager_icons_28_0 icon_file_28_0 asec_apk_file_28_0 asec_public_file_28_0 asec_image_file_28_0 backup_data_file_28_0 bluetooth_efs_file_28_0 fingerprintd_data_file_28_0 fingerprint_vendor_data_file_28_0 app_fuse_file_28_0 adbd_socket_28_0 bluetooth_socket_28_0 dnsproxyd_socket_28_0 
dumpstate_socket_28_0 fwmarkd_socket_28_0 lmkd_socket_28_0 logd_socket_28_0 logdr_socket_28_0 logdw_socket_28_0 mdns_socket_28_0 mdnsd_socket_28_0 misc_logd_file_28_0 mtpd_socket_28_0 netd_socket_28_0 property_socket_28_0 racoon_socket_28_0 rild_socket_28_0 rild_debug_socket_28_0 system_wpa_socket_28_0 system_ndebug_socket_28_0 tombstoned_crash_socket_28_0 tombstoned_java_trace_socket_28_0 tombstoned_intercept_socket_28_0 traced_producer_socket_28_0 traced_consumer_socket_28_0 uncrypt_socket_28_0 wpa_socket_28_0 zygote_socket_28_0 gps_control_28_0 pdx_display_dir_28_0 pdx_performance_dir_28_0 pdx_bufferhub_dir_28_0 pdx_display_client_endpoint_socket_28_0 pdx_display_manager_endpoint_socket_28_0 pdx_display_screenshot_endpoint_socket_28_0 pdx_display_vsync_endpoint_socket_28_0 pdx_performance_client_endpoint_socket_28_0 pdx_bufferhub_client_endpoint_socket_28_0 file_contexts_file_28_0 mac_perms_file_28_0 property_contexts_file_28_0 seapp_contexts_file_28_0 sepolicy_file_28_0 service_contexts_file_28_0 nonplat_service_contexts_file_28_0 hwservice_contexts_file_28_0 vndservice_contexts_file_28_0 audiohal_data_file_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 
update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0 hostapd_data_file wpa_data_file hal_audio_default_exec hal_audio_default_tmpfs hal_audiocontrol_default_exec hal_audiocontrol_default_tmpfs hal_authsecret_default_exec hal_authsecret_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_broadcastradio_default_exec hal_broadcastradio_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_cas_default_exec hal_cas_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_confirmationui_default_exec hal_confirmationui_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_evs_default_exec hal_evs_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_lowpan_default_exec hal_lowpan_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_radio_config_default_exec hal_radio_config_default_tmpfs hal_radio_default_exec hal_radio_default_tmpfs hal_secure_element_default_exec hal_secure_element_default_tmpfs hal_sensors_default_exec 
hal_sensors_default_tmpfs hal_tetheroffload_default_exec hal_tetheroffload_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vehicle_default_exec hal_vehicle_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_hostapd_default_exec hal_wifi_hostapd_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs createns_exec createns_tmpfs dhcpclient_exec dhcpclient_tmpfs dhcpserver_exec dhcpserver_tmpfs execns_exec execns_tmpfs varrun_file mediadrm_vendor_data_file goldfish_setup_exec goldfish_setup_tmpfs hal_drm_clearkey_exec hal_drm_clearkey_tmpfs hal_drm_widevine_exec hal_drm_widevine_tmpfs hostapd_nohidl_exec hostapd_nohidl_tmpfs ipv6proxy_exec ipv6proxy_tmpfs qemu_props_exec qemu_props_tmpfs persist_file)) (typeattributeset exec_type (adbd_exec_28_0 bootanim_exec_28_0 bootstat_exec_28_0 bufferhubd_exec_28_0 cameraserver_exec_28_0 clatd_exec_28_0 cppreopts_exec_28_0 crash_dump_exec_28_0 dex2oat_exec_28_0 dhcp_exec_28_0 dnsmasq_exec_28_0 drmserver_exec_28_0 dumpstate_exec_28_0 e2fs_exec_28_0 logcat_exec_28_0 fingerprintd_exec_28_0 fsck_exec_28_0 gatekeeperd_exec_28_0 healthd_exec_28_0 hwservicemanager_exec_28_0 idmap_exec_28_0 init_exec_28_0 inputflinger_exec_28_0 install_recovery_exec_28_0 installd_exec_28_0 keystore_exec_28_0 lmkd_exec_28_0 logd_exec_28_0 mediacodec_exec_28_0 mediadrmserver_exec_28_0 mediaextractor_exec_28_0 mediametrics_exec_28_0 mediaserver_exec_28_0 mtp_exec_28_0 netd_exec_28_0 netutils_wrapper_exec_28_0 otapreopt_chroot_exec_28_0 otapreopt_slot_exec_28_0 performanced_exec_28_0 perfprofd_exec_28_0 
ppp_exec_28_0 preopt2cachename_exec_28_0 profman_exec_28_0 racoon_exec_28_0 recovery_persist_exec_28_0 recovery_refresh_exec_28_0 runas_exec_28_0 sdcardd_exec_28_0 servicemanager_exec_28_0 sgdisk_exec_28_0 shell_exec_28_0 su_exec_28_0 thermalserviced_exec_28_0 tombstoned_exec_28_0 toolbox_exec_28_0 tzdatacheck_exec_28_0 uncrypt_exec_28_0 update_engine_exec_28_0 update_verifier_exec_28_0 usbd_exec_28_0 vdc_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0 virtual_touchpad_exec_28_0 vold_exec_28_0 vold_prepare_subdirs_exec_28_0 vr_hwc_exec_28_0 webview_zygote_exec_28_0 wificond_exec_28_0 wpantund_exec_28_0 zygote_exec_28_0 hal_audio_default_exec hal_audiocontrol_default_exec hal_authsecret_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_confirmationui_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_evs_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_lowpan_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_radio_config_default_exec hal_radio_default_exec hal_secure_element_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vehicle_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_hostapd_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec rild_exec tee_exec vndservicemanager_exec createns_exec dhcpclient_exec dhcpserver_exec execns_exec goldfish_setup_exec hal_drm_clearkey_exec hal_drm_widevine_exec hostapd_nohidl_exec ipv6proxy_exec qemu_props_exec)) 
diff --git a/prebuilts/api/29.0/plat_pub_versioned.cil b/prebuilts/api/29.0/plat_pub_versioned.cil
index b80abeb36d..4e10b6df3d 100644
--- a/prebuilts/api/29.0/plat_pub_versioned.cil
+++ b/prebuilts/api/29.0/plat_pub_versioned.cil
@@ -587,6 +587,7 @@
 (type proc_buddyinfo)
 (type proc_cmdline)
 (type proc_cpuinfo)
+(type proc_deny_new_usb)
 (type proc_dirty)
 (type proc_diskstats)
 (type proc_drop_caches)
@@ -1790,6 +1791,7 @@
 (typeattribute proc_buddyinfo_29_0)
 (typeattribute proc_cmdline_29_0)
 (typeattribute proc_cpuinfo_29_0)
+(typeattribute proc_deny_new_usb_29_0)
 (typeattribute proc_dirty_29_0)
 (typeattribute proc_diskstats_29_0)
 (typeattribute proc_drop_caches_29_0)
diff --git a/prebuilts/api/30.0/private/app_zygote.te b/prebuilts/api/30.0/private/app_zygote.te
index 9285323221..6d2ee18b34 100644
--- a/prebuilts/api/30.0/private/app_zygote.te
+++ b/prebuilts/api/30.0/private/app_zygote.te
@@ -53,11 +53,6 @@ allow app_zygote zygote:process sigchld;
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
 # /oem accesses.
 allow app_zygote oemfs:dir search;
diff --git a/prebuilts/api/30.0/private/compat/26.0/26.0.cil b/prebuilts/api/30.0/private/compat/26.0/26.0.cil
index 498bca5a77..0a2d8eb9ac 100644
--- a/prebuilts/api/30.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/30.0/private/compat/26.0/26.0.cil
@@ -468,6 +468,7 @@
 proc_asound
 proc_buddyinfo
 proc_cmdline
+ proc_deny_new_usb
 proc_dirty
 proc_diskstats
 proc_extra_free_kbytes
diff --git a/prebuilts/api/30.0/private/compat/27.0/27.0.cil b/prebuilts/api/30.0/private/compat/27.0/27.0.cil
index 0d883c0c74..c8f209a9b2 100644
--- a/prebuilts/api/30.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/30.0/private/compat/27.0/27.0.cil
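Review bot: The `+ proc_deny_new_usb` entry in the 26.0.cil hunk (and the identical one in the 27.0.cil hunk that follows) is added to a list whose opening `(typeattributeset …` line lies outside the hunk, so the attribute being extended cannot be confirmed from here. If that list is the set mapping the old versioned `proc` attribute onto its split-out types, every vendor rule written against the old `proc` label would then also apply to the new node, including any write access it grants. A one-line comment above the entry would make the intent reviewable, for example `; proc_deny_new_usb: split out of proc, old vendor rules on proc still apply`. It is also worth confirming that the live policy has a `neverallow` limiting which domains may write to this type, since none is visible in this part of the diff.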
@@ -1182,6 +1182,7 @@ proc_asound proc_buddyinfo proc_cmdline + proc_deny_new_usb proc_dirty proc_diskstats proc_extra_free_kbytes diff --git a/prebuilts/api/30.0/private/compat/28.0/28.0.cil b/prebuilts/api/30.0/private/compat/28.0/28.0.cil index 321e9387ed..ba3263e6b0 100644 --- a/prebuilts/api/30.0/private/compat/28.0/28.0.cil +++ b/prebuilts/api/30.0/private/compat/28.0/28.0.cil @@ -543,6 +543,7 @@ (expandtypeattribute (proc_buddyinfo_28_0) true) (expandtypeattribute (proc_cmdline_28_0) true) (expandtypeattribute (proc_cpuinfo_28_0) true) +(expandtypeattribute (proc_deny_new_usb_28_0) true) (expandtypeattribute (proc_dirty_28_0) true) (expandtypeattribute (proc_diskstats_28_0) true) (expandtypeattribute (proc_drop_caches_28_0) true) @@ -1392,6 +1393,7 @@ (typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo)) (typeattributeset proc_cmdline_28_0 (proc_cmdline)) (typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo)) +(typeattributeset proc_deny_new_usb_28_0 (proc_deny_new_usb)) (typeattributeset proc_dirty_28_0 (proc_dirty)) (typeattributeset proc_diskstats_28_0 (proc_diskstats)) (typeattributeset proc_drop_caches_28_0 (proc_drop_caches)) diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.cil index 5231498e18..03f98bbf9a 100644 --- a/prebuilts/api/30.0/private/compat/29.0/29.0.cil +++ b/prebuilts/api/30.0/private/compat/29.0/29.0.cil @@ -594,6 +594,7 @@ (expandtypeattribute (proc_buddyinfo_29_0) true) (expandtypeattribute (proc_cmdline_29_0) true) (expandtypeattribute (proc_cpuinfo_29_0) true) +(expandtypeattribute (proc_deny_new_usb_29_0) true) (expandtypeattribute (proc_dirty_29_0) true) (expandtypeattribute (proc_diskstats_29_0) true) (expandtypeattribute (proc_drop_caches_29_0) true) 
@@ -1573,6 +1574,7 @@ (typeattributeset proc_buddyinfo_29_0 (proc_buddyinfo)) (typeattributeset proc_cmdline_29_0 (proc_cmdline)) (typeattributeset proc_cpuinfo_29_0 (proc_cpuinfo)) +(typeattributeset proc_deny_new_usb_29_0 (proc_deny_new_usb)) (typeattributeset proc_dirty_29_0 (proc_dirty)) (typeattributeset proc_diskstats_29_0 (proc_diskstats)) (typeattributeset proc_drop_caches_29_0 (proc_drop_caches)) diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te index 7116dadfd9..bbad79ac32 100644 --- a/prebuilts/api/30.0/private/domain.te +++ b/prebuilts/api/30.0/private/domain.te @@ -237,7 +237,6 @@ neverallow { -iorap_prefetcherd -shell userdebug_or_eng(`-su') - -system_server_startup # for memfd backed executable regions -app_zygote -webview_zygote -zygote diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts index 89232bc01e..5200452fe3 100644 --- a/prebuilts/api/30.0/private/genfs_contexts +++ b/prebuilts/api/30.0/private/genfs_contexts 
@@ -36,12 +36,15 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 +genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 +genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0 diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts index fcad29e2af..556b675364 100644 --- a/prebuilts/api/30.0/private/property_contexts +++ b/prebuilts/api/30.0/private/property_contexts @@ -58,6 +58,7 @@ persist.audio. u:object_r:audio_prop:s0 persist.bluetooth. u:object_r:bluetooth_prop:s0 persist.nfc_cfg. u:object_r:nfc_prop:s0 persist.debug. u:object_r:persist_debug_prop:s0 +persist.keyguard.camera u:object_r:system_prop:s0 persist.logd. u:object_r:logd_prop:s0 ro.logd. u:object_r:logd_prop:s0 persist.logd.security u:object_r:device_logging_prop:s0 
@@ -98,6 +99,8 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0 sys.lmk. u:object_r:system_lmk_prop:s0 sys.trace. u:object_r:system_trace_prop:s0 +security.deny_new_usb u:object_r:system_prop:s0 + # Fastbootd protocol control property fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp diff --git a/prebuilts/api/30.0/private/seapp_contexts b/prebuilts/api/30.0/private/seapp_contexts index e8951230dd..d9defab91a 100644 --- a/prebuilts/api/30.0/private/seapp_contexts +++ b/prebuilts/api/30.0/private/seapp_contexts @@ -139,7 +139,7 @@ neverallow user=shell name=((?!com\.android\.shell).)* # Ephemeral Apps must run in the ephemeral_app domain neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* -isSystemServer=true domain=system_server_startup +isSystemServer=true domain=system_server user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=system seinfo=platform domain=system_app type=system_app_data_file diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te index 66c46ed97d..c6098ca6a7 100644 --- a/prebuilts/api/30.0/private/system_server.te +++ b/prebuilts/api/30.0/private/system_server.te @@ -1071,11 +1071,6 @@ neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file exec # TODO: deal with tmpfs_domain pub/priv split properly neverallow system_server system_server_tmpfs:file execute; -# Resources handed off by system_server_startup -allow system_server system_server_startup:fd use; -allow system_server system_server_startup_tmpfs:file { read write map }; -allow system_server system_server_startup:unix_dgram_socket write; - # Allow system server to communicate to apexd allow system_server apex_service:service_manager find; allow system_server apexd:binder call; 
diff --git a/prebuilts/api/30.0/private/system_server_startup.te b/prebuilts/api/30.0/private/system_server_startup.te deleted file mode 100644 index 902941ed4d..0000000000 --- a/prebuilts/api/30.0/private/system_server_startup.te +++ /dev/null @@ -1,16 +0,0 @@ -type system_server_startup, domain, coredomain; -type system_server_startup_tmpfs, file_type; - -tmpfs_domain(system_server_startup) - -# Create JIT memory -allow system_server_startup self:process execmem; -allow system_server_startup system_server_startup_tmpfs:file { execute read write open map }; - -# Allow system_server_startup to run setcon() and enter the -# system_server domain -allow system_server_startup self:process setcurrent; -allow system_server_startup system_server:process dyntransition; - -# Child of the zygote. -allow system_server_startup zygote:process sigchld; diff --git a/prebuilts/api/30.0/private/webview_zygote.te b/prebuilts/api/30.0/private/webview_zygote.te index 969ab9cc92..22c5a970b1 100644 --- a/prebuilts/api/30.0/private/webview_zygote.te +++ b/prebuilts/api/30.0/private/webview_zygote.te @@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject; # a domain macro. tmpfs_domain(webview_zygote); -# Allow reading/executing installed binaries to enable preloading the -# installed WebView implementation. -allow webview_zygote apk_data_file:dir r_dir_perms; -allow webview_zygote apk_data_file:file { r_file_perms execute }; - # Access to the WebView relro file. allow webview_zygote shared_relro_file:dir search; allow webview_zygote shared_relro_file:file r_file_perms; diff --git a/prebuilts/api/30.0/private/zygote.te b/prebuilts/api/30.0/private/zygote.te index 5f08f8d6b1..dec3228fc5 100644 --- a/prebuilts/api/30.0/private/zygote.te +++ b/prebuilts/api/30.0/private/zygote.te 
@@ -15,7 +15,7 @@ allow zygote self:global_capability_class_set setpcap; # Switch SELinux context to app domains. allow zygote self:process setcurrent; -allow zygote system_server_startup:process dyntransition; +allow zygote system_server:process dyntransition; allow zygote appdomain:process dyntransition; allow zygote webview_zygote:process dyntransition; allow zygote app_zygote:process dyntransition; @@ -209,11 +209,11 @@ get_prop(zygote, media_variant_prop) # written on appdomain are applied to all app processes. # This is achieved by ensuring that it is impossible for zygote to # setcon (dyntransition) to any types other than those associated -# with appdomain plus system_server_startup, webview_zygote and +# with appdomain plus system_server, webview_zygote and # app_zygote. neverallow zygote ~{ appdomain - system_server_startup + system_server webview_zygote app_zygote }:process dyntransition; diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te index 91257e2376..5750df1c43 100644 --- a/prebuilts/api/30.0/public/file.te +++ b/prebuilts/api/30.0/public/file.te @@ -24,6 +24,7 @@ type proc_asound, fs_type, proc_type; type proc_buddyinfo, fs_type, proc_type; type proc_cmdline, fs_type, proc_type; type proc_cpuinfo, fs_type, proc_type; +type proc_deny_new_usb, fs_type, proc_type; type proc_dirty, fs_type, proc_type; type proc_diskstats, fs_type, proc_type; type proc_extra_free_kbytes, fs_type, proc_type; diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te index 403b4c5e60..28caa8e955 100644 --- a/prebuilts/api/30.0/public/init.te +++ b/prebuilts/api/30.0/public/init.te @@ -351,6 +351,7 @@ allow init { allow init { proc_abi + proc_deny_new_usb proc_dirty proc_hostname proc_hung_task diff --git a/private/app_zygote.te b/private/app_zygote.te index 9285323221..6d2ee18b34 100644 --- a/private/app_zygote.te +++ b/private/app_zygote.te 
@@ -53,11 +53,6 @@ allow app_zygote zygote:process sigchld; r_dir_file(app_zygote, dalvikcache_data_file); allow app_zygote dalvikcache_data_file:file execute; -# Allow reading/executing installed binaries to enable preloading -# application data -allow app_zygote apk_data_file:dir r_dir_perms; -allow app_zygote apk_data_file:file { r_file_perms execute }; - # /oem accesses. allow app_zygote oemfs:dir search; diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil index 498bca5a77..0a2d8eb9ac 100644 --- a/private/compat/26.0/26.0.cil +++ b/private/compat/26.0/26.0.cil @@ -468,6 +468,7 @@ proc_asound proc_buddyinfo proc_cmdline + proc_deny_new_usb proc_dirty proc_diskstats proc_extra_free_kbytes diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil index 0d883c0c74..c8f209a9b2 100644 --- a/private/compat/27.0/27.0.cil +++ b/private/compat/27.0/27.0.cil @@ -1182,6 +1182,7 @@ proc_asound proc_buddyinfo proc_cmdline + proc_deny_new_usb proc_dirty proc_diskstats proc_extra_free_kbytes diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil index 321e9387ed..ba3263e6b0 100644 --- a/private/compat/28.0/28.0.cil +++ b/private/compat/28.0/28.0.cil @@ -543,6 +543,7 @@ (expandtypeattribute (proc_buddyinfo_28_0) true) (expandtypeattribute (proc_cmdline_28_0) true) (expandtypeattribute (proc_cpuinfo_28_0) true) +(expandtypeattribute (proc_deny_new_usb_28_0) true) (expandtypeattribute (proc_dirty_28_0) true) (expandtypeattribute (proc_diskstats_28_0) true) (expandtypeattribute (proc_drop_caches_28_0) true) @@ -1392,6 +1393,7 @@ (typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo)) (typeattributeset proc_cmdline_28_0 (proc_cmdline)) (typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo)) +(typeattributeset proc_deny_new_usb_28_0 (proc_deny_new_usb)) (typeattributeset proc_dirty_28_0 (proc_dirty)) (typeattributeset proc_diskstats_28_0 (proc_diskstats)) (typeattributeset proc_drop_caches_28_0 (proc_drop_caches)) 
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil index 5231498e18..03f98bbf9a 100644 --- a/private/compat/29.0/29.0.cil +++ b/private/compat/29.0/29.0.cil @@ -594,6 +594,7 @@ (expandtypeattribute (proc_buddyinfo_29_0) true) (expandtypeattribute (proc_cmdline_29_0) true) (expandtypeattribute (proc_cpuinfo_29_0) true) +(expandtypeattribute (proc_deny_new_usb_29_0) true) (expandtypeattribute (proc_dirty_29_0) true) (expandtypeattribute (proc_diskstats_29_0) true) (expandtypeattribute (proc_drop_caches_29_0) true) @@ -1573,6 +1574,7 @@ (typeattributeset proc_buddyinfo_29_0 (proc_buddyinfo)) (typeattributeset proc_cmdline_29_0 (proc_cmdline)) (typeattributeset proc_cpuinfo_29_0 (proc_cpuinfo)) +(typeattributeset proc_deny_new_usb_29_0 (proc_deny_new_usb)) (typeattributeset proc_dirty_29_0 (proc_dirty)) (typeattributeset proc_diskstats_29_0 (proc_diskstats)) (typeattributeset proc_drop_caches_29_0 (proc_drop_caches)) diff --git a/private/domain.te b/private/domain.te index 7116dadfd9..bbad79ac32 100644 --- a/private/domain.te +++ b/private/domain.te @@ -237,7 +237,6 @@ neverallow { -iorap_prefetcherd -shell userdebug_or_eng(`-su') - -system_server_startup # for memfd backed executable regions -app_zygote -webview_zygote -zygote diff --git a/private/genfs_contexts b/private/genfs_contexts index 89232bc01e..5200452fe3 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts 
@@ -36,12 +36,15 @@ genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 +genfscon proc /sys/fs/protected_fifos u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 +genfscon proc /sys/fs/protected_regular u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0 +genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0 diff --git a/private/property_contexts b/private/property_contexts index fcad29e2af..556b675364 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -58,6 +58,7 @@ persist.audio. u:object_r:audio_prop:s0 persist.bluetooth. u:object_r:bluetooth_prop:s0 persist.nfc_cfg. u:object_r:nfc_prop:s0 persist.debug. u:object_r:persist_debug_prop:s0 +persist.keyguard.camera u:object_r:system_prop:s0 persist.logd. u:object_r:logd_prop:s0 ro.logd. u:object_r:logd_prop:s0 persist.logd.security u:object_r:device_logging_prop:s0 @@ -98,6 +99,8 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0 sys.lmk. u:object_r:system_lmk_prop:s0 sys.trace. u:object_r:system_trace_prop:s0 +security.deny_new_usb u:object_r:system_prop:s0 + # Fastbootd protocol control property fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp 
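Review bot: The new `genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0` entry gives a security toggle its own type, but nothing in this diff constrains who may write that type. The only visible grant is the `proc_deny_new_usb` line added to an `allow init { … }` block in public/init.te, whose permission set lies outside that hunk, and public/file.te declares the type with only `fs_type, proc_type`. A rule such as `neverallow { domain -init } proc_deny_new_usb:file w_file_perms;` would make a later broad grant fail at build time. Whether vendor_init or another domain needs an exemption has to be checked against the full policy. The prebuilts/api/30.0 copy of genfs_contexts carries the same lines.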
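Review bot: `persist.keyguard.camera` and, in the next hunk, `security.deny_new_usb` are both mapped to the generic `system_prop` type as prefix entries. By their names they gate lock-screen camera access and USB device acceptance, and sharing `system_prop` means every domain allowed to set that type can change them; a dedicated property type with its own `set_prop` grants would keep write access narrow. Without `exact`, each line also labels any longer property name that begins with the same string. The `fastbootd.protocol` entry in the second hunk's context shows the stricter form, e.g. `security.deny_new_usb u:object_r:system_prop:s0 exact string` (the value type is an assumption, since the accepted values are not visible here). The prebuilts/api/30.0 copy of property_contexts carries the same two lines.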
diff --git a/private/seapp_contexts b/private/seapp_contexts index e8951230dd..d9defab91a 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -139,7 +139,7 @@ neverallow user=shell name=((?!com\.android\.shell).)* # Ephemeral Apps must run in the ephemeral_app domain neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* -isSystemServer=true domain=system_server_startup +isSystemServer=true domain=system_server user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=system seinfo=platform domain=system_app type=system_app_data_file diff --git a/private/system_server.te b/private/system_server.te index 66c46ed97d..c6098ca6a7 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -1071,11 +1071,6 @@ neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file exec # TODO: deal with tmpfs_domain pub/priv split properly neverallow system_server system_server_tmpfs:file execute; -# Resources handed off by system_server_startup -allow system_server system_server_startup:fd use; -allow system_server system_server_startup_tmpfs:file { read write map }; -allow system_server system_server_startup:unix_dgram_socket write; - # Allow system server to communicate to apexd allow system_server apex_service:service_manager find; allow system_server apexd:binder call; diff --git a/private/system_server_startup.te b/private/system_server_startup.te deleted file mode 100644 index 902941ed4d..0000000000 --- a/private/system_server_startup.te +++ /dev/null 
@@ -1,16 +0,0 @@ -type system_server_startup, domain, coredomain; -type system_server_startup_tmpfs, file_type; - -tmpfs_domain(system_server_startup) - -# Create JIT memory -allow system_server_startup self:process execmem; -allow system_server_startup system_server_startup_tmpfs:file { execute read write open map }; - -# Allow system_server_startup to run setcon() and enter the -# system_server domain -allow system_server_startup self:process setcurrent; -allow system_server_startup system_server:process dyntransition; - -# Child of the zygote. -allow system_server_startup zygote:process sigchld; diff --git a/private/webview_zygote.te b/private/webview_zygote.te index 969ab9cc92..22c5a970b1 100644 --- a/private/webview_zygote.te +++ b/private/webview_zygote.te @@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject; # a domain macro. tmpfs_domain(webview_zygote); -# Allow reading/executing installed binaries to enable preloading the -# installed WebView implementation. -allow webview_zygote apk_data_file:dir r_dir_perms; -allow webview_zygote apk_data_file:file { r_file_perms execute }; - # Access to the WebView relro file. allow webview_zygote shared_relro_file:dir search; allow webview_zygote shared_relro_file:file r_file_perms; diff --git a/private/zygote.te b/private/zygote.te index 5f08f8d6b1..dec3228fc5 100644 --- a/private/zygote.te +++ b/private/zygote.te @@ -15,7 +15,7 @@ allow zygote self:global_capability_class_set setpcap; # Switch SELinux context to app domains. allow zygote self:process setcurrent; -allow zygote system_server_startup:process dyntransition; +allow zygote system_server:process dyntransition; allow zygote appdomain:process dyntransition; allow zygote webview_zygote:process dyntransition; allow zygote app_zygote:process dyntransition; 
@@ -209,11 +209,11 @@ get_prop(zygote, media_variant_prop) # written on appdomain are applied to all app processes. # This is achieved by ensuring that it is impossible for zygote to # setcon (dyntransition) to any types other than those associated -# with appdomain plus system_server_startup, webview_zygote and +# with appdomain plus system_server, webview_zygote and # app_zygote. neverallow zygote ~{ appdomain - system_server_startup + system_server webview_zygote app_zygote }:process dyntransition; diff --git a/public/file.te b/public/file.te index 91257e2376..5750df1c43 100644 --- a/public/file.te +++ b/public/file.te @@ -24,6 +24,7 @@ type proc_asound, fs_type, proc_type; type proc_buddyinfo, fs_type, proc_type; type proc_cmdline, fs_type, proc_type; type proc_cpuinfo, fs_type, proc_type; +type proc_deny_new_usb, fs_type, proc_type; type proc_dirty, fs_type, proc_type; type proc_diskstats, fs_type, proc_type; type proc_extra_free_kbytes, fs_type, proc_type; diff --git a/public/init.te b/public/init.te index 403b4c5e60..28caa8e955 100644 --- a/public/init.te +++ b/public/init.te @@ -351,6 +351,7 @@ allow init { allow init { proc_abi + proc_deny_new_usb proc_dirty proc_hostname proc_hung_task