Merge "debuggerd: add socksetopt to seccomp policy" into main
diff --git a/fastboot/device/commands.cpp b/fastboot/device/commands.cpp
index e929f42..d605393 100644
--- a/fastboot/device/commands.cpp
+++ b/fastboot/device/commands.cpp
@@ -661,6 +661,17 @@
         if (!android::gsi::DisableGsi()) {
             return device->WriteStatus(FastbootResult::FAIL, strerror(errno));
         }
+    } else if (args[1] == "status") {
+        std::string active_dsu;
+        if (!android::gsi::IsGsiRunning()) {
+            device->WriteInfo("Not running");
+        } else if (!android::gsi::GetActiveDsu(&active_dsu)) {
+            return device->WriteFail(strerror(errno));
+        } else {
+            device->WriteInfo("Running active DSU: " + active_dsu);
+        }
+    } else {
+        return device->WriteFail("Invalid arguments");
     }
     return device->WriteStatus(FastbootResult::OKAY, "Success");
 }
diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 21f99f6..d7e3db6 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -2573,14 +2573,12 @@
                     std::make_unique<ResizeTask>(fp.get(), partition, size, fp->slot_override);
             resize_task->Run();
         } else if (command == "gsi") {
-            std::string arg = next_arg(&args);
-            if (arg == "wipe") {
-                fb->RawCommand("gsi:wipe", "wiping GSI");
-            } else if (arg == "disable") {
-                fb->RawCommand("gsi:disable", "disabling GSI");
-            } else {
-                syntax_error("expected 'wipe' or 'disable'");
+            if (args.empty()) syntax_error("invalid gsi command");
+            std::string cmd("gsi");
+            while (!args.empty()) {
+                cmd += ":" + next_arg(&args);
             }
+            fb->RawCommand(cmd, "");
         } else if (command == "wipe-super") {
             std::string image;
             if (args.empty()) {
diff --git a/fs_mgr/libsnapshot/Android.bp b/fs_mgr/libsnapshot/Android.bp
index 04b5a02..b0f2b84 100644
--- a/fs_mgr/libsnapshot/Android.bp
+++ b/fs_mgr/libsnapshot/Android.bp
@@ -446,6 +446,38 @@
     ],
 }
 
+cc_binary {
+    name: "create_snapshot",
+    host_supported: true,
+    device_supported: false,
+
+    srcs: ["libsnapshot_cow/create_cow.cpp"],
+
+    cflags: [
+        "-Wall",
+        "-Werror",
+    ],
+
+    static_libs: [
+        "liblog",
+        "libbase",
+        "libext4_utils",
+        "libsnapshot_cow",
+        "libcrypto",
+        "libbrotli",
+        "libz",
+        "liblz4",
+        "libzstd",
+        "libgflags",
+    ],
+    shared_libs: [
+    ],
+
+    header_libs: [
+        "libstorage_literals_headers",
+    ],
+}
+
 python_library_host {
     name: "snapshot_proto_python",
     srcs: [
diff --git a/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp b/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp
new file mode 100644
index 0000000..4e07fe3
--- /dev/null
+++ b/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp
@@ -0,0 +1,359 @@
+#include <linux/types.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <sys/resource.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <condition_variable>
+#include <cstring>
+#include <future>
+#include <iostream>
+#include <limits>
+#include <mutex>
+#include <string>
+#include <thread>
+#include <unordered_map>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/logging.h>
+#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+#include <ext4_utils/ext4_utils.h>
+#include <storage_literals/storage_literals.h>
+
+#include <android-base/chrono_utils.h>
+#include <android-base/scopeguard.h>
+#include <android-base/strings.h>
+
+#include <gflags/gflags.h>
+#include <libsnapshot/cow_writer.h>
+
+#include <openssl/sha.h>
+
+DEFINE_string(source, "", "Source partition image");
+DEFINE_string(target, "", "Target partition image");
+DEFINE_string(compression, "lz4",
+              "Compression algorithm. Default is set to lz4. Available options: lz4, zstd, gz");
+
+namespace android {
+namespace snapshot {
+
+using namespace android::storage_literals;
+using namespace android;
+using android::base::unique_fd;
+
+using android::snapshot::CreateCowWriter;
+using android::snapshot::ICowWriter;
+
+class CreateSnapshot {
+  public:
+    CreateSnapshot(const std::string& src_file, const std::string& target_file,
+                   const std::string& patch_file, const std::string& compression);
+    bool CreateSnapshotPatch();
+
+  private:
+    /* source.img */
+    std::string src_file_;
+    /* target.img */
+    std::string target_file_;
+    /* snapshot-patch generated */
+    std::string patch_file_;
+
+    /*
+     * Active file which is being parsed by this instance.
+     * It will either be source.img or target.img.
+     */
+    std::string parsing_file_;
+    bool create_snapshot_patch_ = false;
+
+    const int kNumThreads = 6;
+    const size_t kBlockSizeToRead = 1_MiB;
+
+    std::unordered_map<std::string, int> source_block_hash_;
+    std::mutex source_block_hash_lock_;
+
+    std::unique_ptr<ICowWriter> writer_;
+    std::mutex write_lock_;
+
+    std::unique_ptr<uint8_t[]> zblock_;
+
+    std::string compression_ = "lz4";
+    unique_fd fd_;
+
+    const int BLOCK_SZ = 4_KiB;
+    void SHA256(const void* data, size_t length, uint8_t out[32]);
+    bool IsBlockAligned(uint64_t read_size) { return ((read_size & (BLOCK_SZ - 1)) == 0); }
+    bool ReadBlocks(off_t offset, const int skip_blocks, const uint64_t dev_sz);
+    std::string ToHexString(const uint8_t* buf, size_t len);
+
+    bool CreateSnapshotFile();
+    bool FindSourceBlockHash();
+    bool PrepareParse(std::string& parsing_file, const bool createSnapshot);
+    bool ParsePartition();
+    bool WriteSnapshot(const void* buffer, uint64_t block, std::string& block_hash);
+};
+
+void CreateSnapshotLogger(android::base::LogId, android::base::LogSeverity severity, const char*,
+                          const char*, unsigned int, const char* message) {
+    if (severity == android::base::ERROR) {
+        fprintf(stderr, "%s\n", message);
+    } else {
+        fprintf(stdout, "%s\n", message);
+    }
+}
+
+CreateSnapshot::CreateSnapshot(const std::string& src_file, const std::string& target_file,
+                               const std::string& patch_file, const std::string& compression)
+    : src_file_(src_file), target_file_(target_file), patch_file_(patch_file) {
+    if (!compression.empty()) {
+        compression_ = compression;
+    }
+}
+
+bool CreateSnapshot::PrepareParse(std::string& parsing_file, const bool createSnapshot) {
+    parsing_file_ = parsing_file;
+    create_snapshot_patch_ = createSnapshot;
+
+    if (createSnapshot) {
+        fd_.reset(open(patch_file_.c_str(), O_RDWR | O_CREAT | O_TRUNC, 0666));
+        if (fd_ < 0) {
+            PLOG(ERROR) << "Failed to open the snapshot-patch file: " << patch_file_;
+            return false;
+        }
+
+        zblock_ = std::make_unique<uint8_t[]>(BLOCK_SZ);
+        std::memset(zblock_.get(), 0, BLOCK_SZ);
+
+        CowOptions options;
+        options.compression = compression_;
+        options.num_compress_threads = 2;
+        options.batch_write = true;
+        options.cluster_ops = 600;
+        writer_ = CreateCowWriter(2, options, std::move(fd_));
+    }
+    return true;
+}
+
+/*
+ * Create per-block sha256 hash of source partition
+ */
+bool CreateSnapshot::FindSourceBlockHash() {
+    if (!PrepareParse(src_file_, false)) {
+        return false;
+    }
+    return ParsePartition();
+}
+
+/*
+ * Create snapshot file by comparing sha256 per block
+ * of target.img with the constructed per-block sha256 hash
+ * of source partition.
+ */
+bool CreateSnapshot::CreateSnapshotFile() {
+    if (!PrepareParse(target_file_, true)) {
+        return false;
+    }
+    return ParsePartition();
+}
+
+/*
+ * Creates snapshot patch file by comparing source.img and target.img
+ */
+bool CreateSnapshot::CreateSnapshotPatch() {
+    if (!FindSourceBlockHash()) {
+        return false;
+    }
+    return CreateSnapshotFile();
+}
+
+void CreateSnapshot::SHA256(const void* data, size_t length, uint8_t out[32]) {
+    SHA256_CTX c;
+    SHA256_Init(&c);
+    SHA256_Update(&c, data, length);
+    SHA256_Final(out, &c);
+}
+
+std::string CreateSnapshot::ToHexString(const uint8_t* buf, size_t len) {
+    char lookup[] = "0123456789abcdef";
+    std::string out(len * 2 + 1, '\0');
+    char* outp = out.data();
+    for (; len > 0; len--, buf++) {
+        *outp++ = (char)lookup[*buf >> 4];
+        *outp++ = (char)lookup[*buf & 0xf];
+    }
+    return out;
+}
+
+bool CreateSnapshot::WriteSnapshot(const void* buffer, uint64_t block, std::string& block_hash) {
+    if (std::memcmp(zblock_.get(), buffer, BLOCK_SZ) == 0) {
+        std::lock_guard<std::mutex> lock(write_lock_);
+        return writer_->AddZeroBlocks(block, 1);
+    }
+
+    auto iter = source_block_hash_.find(block_hash);
+    if (iter != source_block_hash_.end()) {
+        std::lock_guard<std::mutex> lock(write_lock_);
+        return writer_->AddCopy(block, iter->second, 1);
+    }
+    std::lock_guard<std::mutex> lock(write_lock_);
+    return writer_->AddRawBlocks(block, buffer, BLOCK_SZ);
+}
+
+bool CreateSnapshot::ReadBlocks(off_t offset, const int skip_blocks, const uint64_t dev_sz) {
+    unique_fd fd(TEMP_FAILURE_RETRY(open(parsing_file_.c_str(), O_RDONLY)));
+    if (fd < 0) {
+        LOG(ERROR) << "open failed: " << parsing_file_;
+        return false;
+    }
+
+    loff_t file_offset = offset;
+    const uint64_t read_sz = kBlockSizeToRead;
+    std::unique_ptr<uint8_t[]> buffer = std::make_unique<uint8_t[]>(read_sz);
+
+    while (true) {
+        size_t to_read = std::min((dev_sz - file_offset), read_sz);
+
+        if (!android::base::ReadFullyAtOffset(fd.get(), buffer.get(), to_read, file_offset)) {
+            LOG(ERROR) << "Failed to read block from block device: " << parsing_file_
+                       << " at offset: " << file_offset << " read-size: " << to_read
+                       << " block-size: " << dev_sz;
+            return false;
+        }
+
+        if (!IsBlockAligned(to_read)) {
+            LOG(ERROR) << "unable to parse the un-aligned request: " << to_read;
+            return false;
+        }
+
+        size_t num_blocks = to_read / BLOCK_SZ;
+        uint64_t buffer_offset = 0;
+        off_t foffset = file_offset;
+
+        while (num_blocks) {
+            const void* bufptr = (char*)buffer.get() + buffer_offset;
+            uint64_t blkindex = foffset / BLOCK_SZ;
+
+            uint8_t checksum[32];
+            SHA256(bufptr, BLOCK_SZ, checksum);
+            std::string hash = ToHexString(checksum, sizeof(checksum));
+
+            if (create_snapshot_patch_ && !WriteSnapshot(bufptr, blkindex, hash)) {
+                LOG(ERROR) << "WriteSnapshot failed for block: " << blkindex;
+                return false;
+            } else {
+                std::lock_guard<std::mutex> lock(source_block_hash_lock_);
+                {
+                    if (source_block_hash_.count(hash) == 0) {
+                        source_block_hash_[hash] = blkindex;
+                    }
+                }
+            }
+            buffer_offset += BLOCK_SZ;
+            foffset += BLOCK_SZ;
+            num_blocks -= 1;
+        }
+
+        file_offset += (skip_blocks * kBlockSizeToRead);
+        if (file_offset >= dev_sz) {
+            break;
+        }
+    }
+
+    return true;
+}
+
+bool CreateSnapshot::ParsePartition() {
+    unique_fd fd(TEMP_FAILURE_RETRY(open(parsing_file_.c_str(), O_RDONLY)));
+    if (fd < 0) {
+        LOG(ERROR) << "open failed: " << parsing_file_;
+        return false;
+    }
+
+    uint64_t dev_sz = lseek(fd.get(), 0, SEEK_END);
+    if (!dev_sz) {
+        LOG(ERROR) << "Could not determine block device size: " << parsing_file_;
+        return false;
+    }
+
+    if (!IsBlockAligned(dev_sz)) {
+        LOG(ERROR) << "dev_sz: " << dev_sz << " is not block aligned";
+        return false;
+    }
+
+    int num_threads = kNumThreads;
+
+    std::vector<std::future<bool>> threads;
+    off_t start_offset = 0;
+    const int skip_blocks = num_threads;
+
+    while (num_threads) {
+        threads.emplace_back(std::async(std::launch::async, &CreateSnapshot::ReadBlocks, this,
+                                        start_offset, skip_blocks, dev_sz));
+        start_offset += kBlockSizeToRead;
+        num_threads -= 1;
+        if (start_offset >= dev_sz) {
+            break;
+        }
+    }
+
+    bool ret = true;
+    for (auto& t : threads) {
+        ret = t.get() && ret;
+    }
+
+    if (ret && create_snapshot_patch_ && !writer_->Finalize()) {
+        LOG(ERROR) << "Finzalize failed";
+        return false;
+    }
+
+    return ret;
+}
+
+}  // namespace snapshot
+}  // namespace android
+
+constexpr char kUsage[] = R"(
+NAME
+    create_snapshot - Create snapshot patches by comparing two partition images
+
+SYNOPSIS
+    create_snapshot --source=<source.img> --target=<target.img> --compression="<compression-algorithm"
+
+    source.img -> Source partition image
+    target.img -> Target partition image
+    compressoin -> compression algorithm. Default set to lz4. Supported types are gz, lz4, zstd.
+
+EXAMPLES
+
+   $ create_snapshot $SOURCE_BUILD/system.img $TARGET_BUILD/system.img
+   $ create_snapshot $SOURCE_BUILD/product.img $TARGET_BUILD/product.img --compression="zstd"
+
+)";
+
+int main(int argc, char* argv[]) {
+    android::base::InitLogging(argv, &android::snapshot::CreateSnapshotLogger);
+    ::gflags::SetUsageMessage(kUsage);
+    ::gflags::ParseCommandLineFlags(&argc, &argv, true);
+
+    if (FLAGS_source.empty() || FLAGS_target.empty()) {
+        LOG(INFO) << kUsage;
+        return 0;
+    }
+
+    std::string fname = android::base::Basename(FLAGS_target.c_str());
+    auto parts = android::base::Split(fname, ".");
+    std::string snapshotfile = parts[0] + ".patch";
+    android::snapshot::CreateSnapshot snapshot(FLAGS_source, FLAGS_target, snapshotfile,
+                                               FLAGS_compression);
+
+    if (!snapshot.CreateSnapshotPatch()) {
+        LOG(ERROR) << "Snapshot creation failed";
+        return -1;
+    }
+
+    LOG(INFO) << "Snapshot patch: " << snapshotfile << " created successfully";
+    return 0;
+}
diff --git a/init/Android.bp b/init/Android.bp
index d4852d6..4c25ad7 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -174,7 +174,6 @@
         "libprotobuf-cpp-lite",
         "libpropertyinfoserializer",
         "libpropertyinfoparser",
-        "libsigningutils",
         "libsnapshot_cow",
         "libsnapshot_init",
         "libxml2",
@@ -183,7 +182,6 @@
     ],
     shared_libs: [
         "libbase",
-        "libcrypto",
         "libcutils",
         "libdl",
         "libext4_utils",
@@ -199,7 +197,6 @@
         "libselinux",
         "libunwindstack",
         "libutils",
-        "libziparchive",
     ],
     header_libs: ["bionic_libc_platform_headers"],
     bootstrap: true,
diff --git a/init/property_service.cpp b/init/property_service.cpp
index f5de17d..2064fae 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -1247,9 +1247,6 @@
         // Don't check for failure here, since we don't always have all of these partitions.
         // E.g. In case of recovery, the vendor partition will not have mounted and we
         // still need the system / platform properties to function.
-        if (access("/dev/selinux/apex_property_contexts", R_OK) != -1) {
-            LoadPropertyInfoFromFile("/dev/selinux/apex_property_contexts", &property_infos);
-        }
         if (access("/system_ext/etc/selinux/system_ext_property_contexts", R_OK) != -1) {
             LoadPropertyInfoFromFile("/system_ext/etc/selinux/system_ext_property_contexts",
                                      &property_infos);
@@ -1273,7 +1270,6 @@
         LoadPropertyInfoFromFile("/vendor_property_contexts", &property_infos);
         LoadPropertyInfoFromFile("/product_property_contexts", &property_infos);
         LoadPropertyInfoFromFile("/odm_property_contexts", &property_infos);
-        LoadPropertyInfoFromFile("/dev/selinux/apex_property_contexts", &property_infos);
     }
 
     auto serialized_contexts = std::string();
diff --git a/init/selinux.cpp b/init/selinux.cpp
index ac102eb..9095b85 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -26,29 +26,26 @@
 // The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy
 // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
 
-// The split policy is for supporting treble devices and updateable apexes.  It splits the SEPolicy
-// across files on /system/etc/selinux (the 'plat' portion of the policy), /vendor/etc/selinux
-// (the 'vendor' portion of the policy), /system_ext/etc/selinux, /product/etc/selinux,
-// /odm/etc/selinux, and /dev/selinux (the apex portion of policy).  This is necessary to allow
-// images to be updated independently of the vendor image, while maintaining contributions from
-// multiple partitions in the SEPolicy.  This is especially important for VTS testing, where the
-// SEPolicy on the Google System Image may not be identical to the system image shipped on a
-// vendor's device.
+// The split policy is for supporting treble devices.  It splits the SEPolicy across files on
+// /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'vendor'
+// portion of the policy).  This is necessary to allow the system image to be updated independently
+// of the vendor image, while maintaining contributions from both partitions in the SEPolicy.  This
+// is especially important for VTS testing, where the SEPolicy on the Google System Image may not be
+// identical to the system image shipped on a vendor's device.
 
 // The split SEPolicy is loaded as described below:
 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
 //    /odm/etc/selinux/precompiled_sepolicy if odm parition is present.  Stored along with this file
-//    are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext, /product, and apex
-//    that were used to compile this precompiled policy.  The system partition contains a similar
-//    sha256 of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext,
-//    product, and apex contain sha256 hashes of their SEPolicy. Init loads this
+//    are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
+//    were used to compile this precompiled policy.  The system partition contains a similar sha256
+//    of the parts of the SEPolicy that it currently contains.  Symmetrically, system_ext and
+//    product paritition contain sha256 hashes of their SEPolicy.  The init loads this
 //    precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
-//    /vendor or /odm match the hashes for system, system_ext, product, and apex SEPolicy,
-//    respectively.
-// 2) If these hashes do not match, then either /system or /system_ext /product, or apex (or some of
-//    them) have been updated out of sync with /vendor (or /odm if it is present) and the init needs
-//    to compile the SEPolicy.  /system contains the SEPolicy compiler, secilc, and it is used by
-//    the OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
+//    /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
+// 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
+//    have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
+//    compile the SEPolicy.  /system contains the SEPolicy compiler, secilc, and it is used by the
+//    OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
 //    That function contains even more documentation with the specific implementation details of how
 //    the SEPolicy is compiled if needed.
 
@@ -61,15 +58,12 @@
 #include <stdlib.h>
 #include <sys/wait.h>
 #include <unistd.h>
-#include <fstream>
 
-#include <CertUtils.h>
 #include <android-base/chrono_utils.h>
 #include <android-base/file.h>
 #include <android-base/logging.h>
 #include <android-base/parseint.h>
 #include <android-base/result.h>
-#include <android-base/scopeguard.h>
 #include <android-base/strings.h>
 #include <android-base/unique_fd.h>
 #include <fs_avb/fs_avb.h>
@@ -77,7 +71,6 @@
 #include <libgsi/libgsi.h>
 #include <libsnapshot/snapshot.h>
 #include <selinux/android.h>
-#include <ziparchive/zip_archive.h>
 
 #include "block_dev_initializer.h"
 #include "debug_ramdisk.h"
@@ -245,7 +238,6 @@
              precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"},
             {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
              precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"},
-            {"/dev/selinux/apex_sepolicy.sha256", precompiled_sepolicy + ".apex_sepolicy.sha256"},
     };
 
     for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) {
@@ -324,7 +316,7 @@
     // * vendor -- policy needed due to logic contained in the vendor image,
     // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
     //   with newer versions of platform policy.
-    // * (optional) policy needed due to logic on product, system_ext, odm, or apex.
+    // * (optional) policy needed due to logic on product, system_ext, or odm images.
     // secilc is invoked to compile the above three policy files into a single monolithic policy
     // file. This file is then loaded into the kernel.
 
@@ -420,12 +412,6 @@
     if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
         odm_policy_cil_file.clear();
     }
-
-    // apex_sepolicy.cil is default but optional.
-    std::string apex_policy_cil_file("/dev/selinux/apex_sepolicy.cil");
-    if (access(apex_policy_cil_file.c_str(), F_OK) == -1) {
-        apex_policy_cil_file.clear();
-    }
     const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
 
     // clang-format off
@@ -468,9 +454,6 @@
     if (!odm_policy_cil_file.empty()) {
         compile_args.push_back(odm_policy_cil_file.c_str());
     }
-    if (!apex_policy_cil_file.empty()) {
-        compile_args.push_back(apex_policy_cil_file.c_str());
-    }
     compile_args.push_back(nullptr);
 
     if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
@@ -497,194 +480,6 @@
     return true;
 }
 
-constexpr const char* kSigningCertRelease =
-        "/system/etc/selinux/com.android.sepolicy.cert-release.der";
-const std::string kSepolicyApexMetadataDir = "/metadata/sepolicy/";
-const std::string kSepolicyApexSystemDir = "/system/etc/selinux/apex/";
-const std::string kSepolicyZip = "SEPolicy.zip";
-const std::string kSepolicySignature = "SEPolicy.zip.sig";
-
-const std::string kTmpfsDir = "/dev/selinux/";
-
-// Files that are deleted after policy is compiled/loaded.
-const std::vector<std::string> kApexSepolicyTmp{"apex_sepolicy.cil", "apex_sepolicy.sha256"};
-// Files that need to persist because they are used by userspace processes.
-const std::vector<std::string> kApexSepolicy{"apex_file_contexts", "apex_property_contexts",
-                                             "apex_service_contexts", "apex_seapp_contexts",
-                                             "apex_test"};
-
-Result<void> CreateTmpfsDir() {
-    mode_t mode = 0744;
-    struct stat stat_data;
-    if (stat(kTmpfsDir.c_str(), &stat_data) != 0) {
-        if (errno != ENOENT) {
-            return ErrnoError() << "Could not stat " << kTmpfsDir;
-        }
-        if (mkdir(kTmpfsDir.c_str(), mode) != 0) {
-            return ErrnoError() << "Could not mkdir " << kTmpfsDir;
-        }
-    } else {
-        if (!S_ISDIR(stat_data.st_mode)) {
-            return Error() << kTmpfsDir << " exists and is not a directory.";
-        }
-        LOG(WARNING) << "Directory " << kTmpfsDir << " already exists";
-    }
-
-    // Need to manually call chmod because mkdir will create a folder with
-    // permissions mode & ~umask.
-    if (chmod(kTmpfsDir.c_str(), mode) != 0) {
-        return ErrnoError() << "Could not chmod " << kTmpfsDir;
-    }
-
-    return {};
-}
-
-Result<void> PutFileInTmpfs(ZipArchiveHandle archive, const std::string& fileName) {
-    ZipEntry entry;
-    std::string dstPath = kTmpfsDir + fileName;
-
-    int ret = FindEntry(archive, fileName, &entry);
-    if (ret != 0) {
-        // All files are optional. If a file doesn't exist, return without error.
-        return {};
-    }
-
-    unique_fd fd(TEMP_FAILURE_RETRY(
-            open(dstPath.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR)));
-    if (fd == -1) {
-        return ErrnoError() << "Failed to open " << dstPath;
-    }
-
-    ret = ExtractEntryToFile(archive, &entry, fd.get());
-    if (ret != 0) {
-        return Error() << "Failed to extract entry \"" << fileName << "\" ("
-                       << entry.uncompressed_length << " bytes) to \"" << dstPath
-                       << "\": " << ErrorCodeString(ret);
-    }
-
-    return {};
-}
-
-Result<void> GetPolicyFromApex(const std::string& dir) {
-    LOG(INFO) << "Loading APEX Sepolicy from " << dir + kSepolicyZip;
-    unique_fd fd(open((dir + kSepolicyZip).c_str(), O_RDONLY | O_BINARY | O_CLOEXEC));
-    if (fd < 0) {
-        return ErrnoError() << "Failed to open package " << dir + kSepolicyZip;
-    }
-
-    ZipArchiveHandle handle;
-    int ret = OpenArchiveFd(fd.get(), (dir + kSepolicyZip).c_str(), &handle,
-                            /*assume_ownership=*/false);
-    if (ret < 0) {
-        return Error() << "Failed to open package " << dir + kSepolicyZip << ": "
-                       << ErrorCodeString(ret);
-    }
-
-    auto handle_guard = android::base::make_scope_guard([&handle] { CloseArchive(handle); });
-
-    auto create = CreateTmpfsDir();
-    if (!create.ok()) {
-        return create.error();
-    }
-
-    for (const auto& file : kApexSepolicy) {
-        auto extract = PutFileInTmpfs(handle, file);
-        if (!extract.ok()) {
-            return extract.error();
-        }
-    }
-    for (const auto& file : kApexSepolicyTmp) {
-        auto extract = PutFileInTmpfs(handle, file);
-        if (!extract.ok()) {
-            return extract.error();
-        }
-    }
-    return {};
-}
-
-Result<void> SepolicyCheckSignature(const std::string& dir) {
-    std::string signature;
-    if (!android::base::ReadFileToString(dir + kSepolicySignature, &signature)) {
-        return ErrnoError() << "Failed to read " << kSepolicySignature;
-    }
-
-    std::fstream sepolicyZip(dir + kSepolicyZip, std::ios::in | std::ios::binary);
-    if (!sepolicyZip) {
-        return Error() << "Failed to open " << kSepolicyZip;
-    }
-    sepolicyZip.seekg(0);
-    std::string sepolicyStr((std::istreambuf_iterator<char>(sepolicyZip)),
-                            std::istreambuf_iterator<char>());
-
-    auto releaseKey = extractPublicKeyFromX509(kSigningCertRelease);
-    if (!releaseKey.ok()) {
-        return releaseKey.error();
-    }
-
-    return verifySignature(sepolicyStr, signature, *releaseKey);
-}
-
-Result<void> SepolicyVerify(const std::string& dir) {
-    auto sepolicySignature = SepolicyCheckSignature(dir);
-    if (!sepolicySignature.ok()) {
-        return Error() << "Apex SEPolicy failed signature check";
-    }
-    return {};
-}
-
-void CleanupApexSepolicy() {
-    for (const auto& file : kApexSepolicyTmp) {
-        std::string path = kTmpfsDir + file;
-        unlink(path.c_str());
-    }
-}
-
-// Updatable sepolicy is shipped within an zip within an APEX. Because
-// it needs to be available before Apexes are mounted, apexd copies
-// the zip from the APEX and stores it in /metadata/sepolicy. If there is
-// no updatable sepolicy in /metadata/sepolicy, then the updatable policy is
-// loaded from /system/etc/selinux/apex. Init performs the following
-// steps on boot:
-//
-// 1. Validates the zip by checking its signature against a public key that is
-// stored in /system/etc/selinux.
-// 2. Extracts files from zip and stores them in /dev/selinux.
-// 3. Checks if the apex_sepolicy.sha256 matches the sha256 of precompiled_sepolicy.
-// if so, the precompiled sepolicy is used. Otherwise, an on-device compile of the policy
-// is used. This is the same flow as on-device compilation of policy for Treble.
-// 4. Cleans up files in /dev/selinux which are no longer needed.
-// 5. Restorecons the remaining files in /dev/selinux.
-// 6. Sets selinux into enforcing mode and continues normal booting.
-//
-void PrepareApexSepolicy() {
-    // If apex sepolicy zip exists in /metadata/sepolicy, use that, otherwise use version on
-    // /system. If neither exists, do nothing.
-    std::string dir;
-    if (access((kSepolicyApexMetadataDir + kSepolicyZip).c_str(), F_OK) == 0) {
-        dir = kSepolicyApexMetadataDir;
-    } else if (access((kSepolicyApexSystemDir + kSepolicyZip).c_str(), F_OK) == 0) {
-        dir = kSepolicyApexSystemDir;
-    } else {
-        LOG(INFO) << "APEX Sepolicy not found";
-        return;
-    }
-
-    auto sepolicyVerify = SepolicyVerify(dir);
-    if (!sepolicyVerify.ok()) {
-        LOG(INFO) << "Error: " << sepolicyVerify.error();
-        // If signature verification fails, fall back to version on /system.
-        // This file doesn't need to be verified because it lives on the system partition which
-        // is signed and protected by verified boot.
-        dir = kSepolicyApexSystemDir;
-    }
-
-    auto apex = GetPolicyFromApex(dir);
-    if (!apex.ok()) {
-        // TODO(b/199914227) Make failure fatal. For now continue booting with non-apex sepolicy.
-        LOG(ERROR) << apex.error();
-    }
-}
-
 void ReadPolicy(std::string* policy) {
     PolicyFile policy_file;
 
@@ -961,12 +756,9 @@
 
     LOG(INFO) << "Opening SELinux policy";
 
-    PrepareApexSepolicy();
-
     // Read the policy before potentially killing snapuserd.
     std::string policy;
     ReadPolicy(&policy);
-    CleanupApexSepolicy();
 
     auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
     if (snapuserd_helper) {
@@ -982,13 +774,6 @@
         snapuserd_helper->FinishTransition();
         snapuserd_helper = nullptr;
     }
-
-    // This restorecon is intentionally done before SelinuxSetEnforcement because the permissions
-    // needed to transition files from tmpfs to *_contexts_file context should not be granted to
-    // any process after selinux is set into enforcing mode.
-    if (selinux_android_restorecon("/dev/selinux/", SELINUX_ANDROID_RESTORECON_RECURSE) == -1) {
-        PLOG(FATAL) << "restorecon failed of /dev/selinux failed";
-    }
 }
 
 int SetupSelinux(char** argv) {
diff --git a/libutils/Android.bp b/libutils/Android.bp
index 162f0f4..2c05fbc 100644
--- a/libutils/Android.bp
+++ b/libutils/Android.bp
@@ -185,10 +185,21 @@
         support_system_process: true,
     },
 
-    header_abi_checker: {
-        // AFDO affects weak symbols.
-        diff_flags: ["-allow-adding-removing-weak-symbols"],
-        ref_dump_dirs: ["abi-dumps"],
+    target: {
+        product: {
+            header_abi_checker: {
+                // AFDO affects weak symbols.
+                diff_flags: ["-allow-adding-removing-weak-symbols"],
+                ref_dump_dirs: ["abi-dumps"],
+            },
+        },
+        vendor: {
+            header_abi_checker: {
+                // AFDO affects weak symbols.
+                diff_flags: ["-allow-adding-removing-weak-symbols"],
+                ref_dump_dirs: ["abi-dumps"],
+            },
+        },
     },
 }