diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index eb8edf7d..38d3dc82 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -12,7 +12,6 @@ userdebug_or_eng(`
')
# sysfs
-type sysfs_ota, sysfs_type, fs_type;
type bootdevice_sysdev, dev_type;
type sysfs_wifi, sysfs_type, fs_type;
type sysfs_bcmdhd, sysfs_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 464852e2..dccae4e5 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -26,9 +26,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun
genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-# OTA
-genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
-
# Storage
genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
index 9766e571..acc82e47 100644
--- a/legacy/whitechapel_pro/keys.conf
+++ b/legacy/whitechapel_pro/keys.conf
@@ -1,6 +1,3 @@
-[@GOOGLE]
-ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem
-
[@UWB]
ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
index da4dc908..956da955 100644
--- a/legacy/whitechapel_pro/mac_permissions.xml
+++ b/legacy/whitechapel_pro/mac_permissions.xml
@@ -21,9 +21,6 @@
- The default tag is consulted last if needed.
-->
-
-
-
diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te
index 521c0950..bbdd2a0c 100644
--- a/radio/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
@@ -6,6 +6,7 @@ hwbinder_use(hal_radioext_default)
get_prop(hal_radioext_default, hwservicemanager_prop)
add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+binder_call(hal_radioext_default, servicemanager)
binder_call(hal_radioext_default, grilservice_app)
binder_call(hal_radioext_default, hal_bluetooth_btlinux)
diff --git a/legacy/whitechapel_pro/certs/app.x509.pem b/vendor/certs/app.x509.pem
similarity index 100%
rename from legacy/whitechapel_pro/certs/app.x509.pem
rename to vendor/certs/app.x509.pem
diff --git a/vendor/certs/camera_eng.x509.pem b/vendor/certs/camera_eng.x509.pem
new file mode 100644
index 00000000..011a9ec4
--- /dev/null
+++ b/vendor/certs/camera_eng.x509.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----
diff --git a/vendor/certs/camera_fishfood.x509.pem b/vendor/certs/camera_fishfood.x509.pem
new file mode 100644
index 00000000..fb11572f
--- /dev/null
+++ b/vendor/certs/camera_fishfood.x509.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
new file mode 100644
index 00000000..4199b078
--- /dev/null
+++ b/vendor/debug_camera_app.te
@@ -0,0 +1,23 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA-Eng & GCA-Next access the GXP device.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/vendor/file.te b/vendor/file.te
index f12ac3d9..cf4ad9f1 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -39,8 +39,10 @@ userdebug_or_eng(`
typeattribute proc_vendor_sched mlstrustedobject;
')
+# sysfs
type sysfs_fabric, sysfs_type, fs_type;
type sysfs_em_profile, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
# GSA
type sysfs_gsa_log, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 586f4b98..5acd7ba9 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -479,3 +479,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:ob
genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+
+# OTA
+genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
diff --git a/vendor/keys.conf b/vendor/keys.conf
new file mode 100644
index 00000000..290a62b5
--- /dev/null
+++ b/vendor/keys.conf
@@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/zuma-sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
new file mode 100644
index 00000000..8e8c3c23
--- /dev/null
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,33 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9ed2e666..8f5eea15 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -16,6 +16,15 @@ user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldispl
# Google Camera
user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
# Qorvo UWB system app
# TODO(b/222204912): Should this run under uwb user?
user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all