Android splits SELinux into system and vendor policies. Both of these must conform to the extensive neverallow rules. The vendor policies are defined as part of implementing hardware support for a dev...
Android extended SELinux with support for ioctl command allowlists to reduce kernel attack surface. These ioctl command allowlists are used for sockets and many other core kernel devices to limit attack surface. It's also used with drivers in the vendor policies such as GPU ioctl command allowlists.
1