Start partitioning off privapp_data_file from app_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

private/app_neverallows.te

@@ -100,6 +100,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
   -sdcard_type
   file_type
   -app_data_file            # The apps sandbox itself
+  -privapp_data_file
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files

private/compat/26.0/26.0.cil

@@ -31,7 +31,7 @@
 (typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_26_0 (app_fuse_file))
 (typeattributeset app_fusefs_26_0 (app_fusefs))
 (typeattributeset appops_service_26_0 (appops_service))

private/compat/27.0/27.0.cil

@@ -737,7 +737,7 @@
 (typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_27_0 (app_fuse_file))
 (typeattributeset app_fusefs_27_0 (app_fusefs))
 (typeattributeset appops_service_27_0 (appops_service))

private/compat/28.0/28.0.cil

@@ -872,7 +872,7 @@
 (typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
-(typeattributeset app_data_file_28_0 (app_data_file))
+(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_28_0 (app_fuse_file))
 (typeattributeset app_fusefs_28_0 (app_fusefs))
 (typeattributeset appops_service_28_0 (appops_service))

private/dexoptanalyzer.te

@@ -19,12 +19,12 @@ allow dexoptanalyzer installd:fd use;
 
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };

private/domain.te

@@ -128,7 +128,7 @@ neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
 # Only the following processes should be directly accessing private app
 # directories.
@@ -145,7 +145,7 @@ neverallow {
   -runas
   -system_server
   -vold
-} app_data_file:dir *;
+} { privapp_data_file app_data_file }:dir *;
 
 # Only apps should be modifying app data. init and installd are exempted for
 # restorecon and package install/uninstall.
@@ -154,7 +154,7 @@ neverallow {
   -appdomain
   -init
   -installd
-} app_data_file:dir ~r_dir_perms;
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
 neverallow {
   domain
@@ -163,16 +163,16 @@ neverallow {
   -mediaserver # b/80300620
   userdebug_or_eng(`-perfprofd')
   -vold # b/80418809
-} app_data_file:file_class_set open;
+} { privapp_data_file app_data_file }:file_class_set open;
 
 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
 neverallow {
   domain
   -init
   -installd
-} app_data_file:dir_file_class_set { relabelfrom relabelto };
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

private/ephemeral_app.te

@@ -21,7 +21,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow ephemeral_app app_data_file:file {r_file_perms execute};
+allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;
@@ -50,7 +50,7 @@ allow ephemeral_app system_server:udp_socket {
 ### neverallow rules
 ###
 
-neverallow ephemeral_app app_data_file:file execute_no_trans;
+neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

private/isolated_app.te

@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
@@ -61,7 +61,7 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 neverallow isolated_app tun_device:chr_file open;
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
+neverallow isolated_app { app_data_file privapp_data_file }:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?

private/mls

@@ -55,9 +55,9 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
 
 #
 # Constraints for file types other than app data files.
@@ -66,18 +66,18 @@ mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
 # Read operations: Subject must dominate object unless the subject
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the

private/priv_app.te

@@ -19,7 +19,7 @@ allow priv_app self:process ptrace;
 
 # Some apps ship with shared libraries that they write out
 # to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
+allow priv_app { app_data_file privapp_data_file }:file execute;
 
 allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;

private/storaged.te

@@ -29,7 +29,7 @@ allow storaged shell:fifo_file write;
 
 # Needed for GMScore to call dumpsys storaged
 allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
+allow storaged { privapp_data_file app_data_file }:file write;
 allow storaged permission_service:service_manager find;
 
 # Binder permissions

private/surfaceflinger.te

@@ -55,7 +55,7 @@ set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
 
 # Allow writing surface traces to /data/misc/wmtrace.
 userdebug_or_eng(`

private/system_server.te

@@ -446,7 +446,16 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:dir { getattr read search };
+
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -459,7 +468,15 @@ allow system_server system_app_data_file:file create_file_perms;
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { getattr read write append };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -821,7 +838,13 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+neverallow system_server {
+  bluetooth_data_file
+  nfc_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { open create unlink link };
 
 # Forking and execing is inherently dangerous and racy. See, for
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them

private/untrusted_app_all.te

@@ -23,7 +23,7 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;

private/webview_zygote.te

@@ -95,6 +95,7 @@ neverallow webview_zygote property_type:property_service set;
 # Should not have any access to app data files.
 neverallow webview_zygote {
     app_data_file
+    privapp_data_file
     system_app_data_file
     bluetooth_data_file
     nfc_data_file

public/app.te

@@ -66,8 +66,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;

public/dex2oat.te

@@ -33,7 +33,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
 
 ##################
 # A/B OTA Dexopt #
@@ -63,4 +63,4 @@ allow dex2oat ota_data_file:file { create w_file_perms setattr };
 # Neverallow #
 ##############
 
-neverallow dex2oat app_data_file:notdevfile_class_set open;
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;

public/domain.te

@@ -777,6 +777,7 @@ full_treble_only(`
     unlabeled # used only by core domains
     core_data_file_type
     -app_data_file
+    -privapp_data_file
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
@@ -1195,7 +1196,7 @@ neverallow {
   -appdomain
   -installd
   -uncrypt  # TODO: see if we can remove
-} app_data_file:lnk_file read;
+} { app_data_file privapp_data_file }:lnk_file read;
 
 neverallow {
   domain

public/drmserver.te

@@ -21,7 +21,7 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
 

public/file.te

@@ -283,6 +283,8 @@ type method_trace_data_file, file_type, data_file_type, core_data_file_type, mls
 
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.

public/init.te

@@ -145,6 +145,7 @@ allow init {
   -exec_type
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -system_app_data_file
   -system_file
   -vendor_file_type
@@ -157,6 +158,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -171,6 +173,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -runtime_event_log_tags_file
   -shell_data_file
   -system_app_data_file
@@ -186,6 +189,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -200,6 +204,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -211,7 +216,7 @@ allow init cache_file:lnk_file r_file_perms;
 
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
-userdebug_or_eng(`auditallow init app_data_file:dir_file_class_set relabelto;')
+userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -508,7 +513,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;

public/installd.te

@@ -103,6 +103,7 @@ allow installd {
     radio_data_file
     shell_data_file
     app_data_file
+    privapp_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 
 allow installd {
@@ -112,6 +113,7 @@ allow installd {
     radio_data_file
     shell_data_file
     app_data_file
+    privapp_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
 # Similar for the files under /data/misc/profiles/

public/kernel.te

@@ -62,7 +62,7 @@ allow kernel mediaprovider:fd use;
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
 allow kernel vold:fd use;
-allow kernel app_data_file:file read;
+allow kernel { app_data_file privapp_data_file }:file read;
 allow kernel asec_image_file:file read;
 
 # Allow reading loop device in update_engine_unittests. (b/28319454)

public/logd.te

@@ -58,7 +58,7 @@ neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
 neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;

public/logpersist.te

@@ -13,7 +13,7 @@ neverallow logpersist dev_type:blk_file { read write };
 neverallow logpersist domain:process ptrace;
 
 # Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
 
 # Only init should be allowed to enter the logpersist domain via exec()
 # Following is a list of debug domains we know that transition to logpersist

public/mediaextractor.te

@@ -25,7 +25,7 @@ crash_dump_fallback(mediaextractor)
 # allow mediaextractor read permissions for file sources
 allow mediaextractor sdcardfs:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
 # Read resources from open apk files passed over Binder
 allow mediaextractor apk_data_file:file { read getattr };

public/mediametrics.te

@@ -15,7 +15,7 @@ r_dir_file(mediametrics, cgroup)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
+allow mediametrics { app_data_file privapp_data_file }:file write;
 
 # allow access to package manager for uid->apk mapping
 allow mediametrics package_native_service:service_manager find;

public/mediaserver.te

@@ -28,10 +28,10 @@ binder_service(mediaserver)
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 # TODO(b/80190017, b/80300620): remove direct access to private app data
-userdebug_or_eng(`auditallow mediaserver app_data_file:dir search;')
-allow mediaserver app_data_file:dir search;
-userdebug_or_eng(`auditallow mediaserver app_data_file:file open;')
-allow mediaserver app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
+allow mediaserver { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
+allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;

public/netd.te

@@ -128,7 +128,7 @@ neverallow netd { domain }:process ptrace;
 neverallow netd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;

public/perfprofd.te

@@ -21,8 +21,8 @@ userdebug_or_eng(`
   allow perfprofd system_file:file rx_file_perms;
 
   # perfprofd reads a config file from /data/data/com.google.android.gms/files
-  allow perfprofd app_data_file:file r_file_perms;
-  allow perfprofd app_data_file:dir search;
+  allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
+  allow perfprofd { privapp_data_file app_data_file }:dir search;
   allow perfprofd self:global_capability_class_set { dac_override };
 
   # perfprofd opens a file for writing in /data/misc/perfprofd

public/profman.te

@@ -19,11 +19,11 @@ allow profman installd:fd use;
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-allow profman app_data_file:dir { getattr read search };
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
 ###
 ### neverallow rules
 ###
 
-neverallow profman app_data_file:notdevfile_class_set open;
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;

public/recovery_persist.te

@@ -23,5 +23,5 @@ neverallow recovery_persist domain:process ptrace;
 neverallow recovery_persist system_file:dir_file_class_set write;
 
 # Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
 

public/recovery_refresh.te

@@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
 neverallow recovery_refresh system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;

public/vendor_init.te

@@ -216,7 +216,7 @@ neverallow { domain -init } vendor_init:process transition;
 neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init app_data_file:lnk_file read;
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
 neverallow vendor_init shell_data_file:lnk_file read;
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow vendor_init shell_data_file:dir { write add_name remove_name };

public/vold.te

@@ -82,10 +82,10 @@ allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 # TODO(b/80418809): remove direct access to private app data
-userdebug_or_eng(`auditallow vold app_data_file:dir search;')
-allow vold app_data_file:dir search;
-userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
-allow vold app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
+allow vold { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
+allow vold { app_data_file privapp_data_file }:file rw_file_perms;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };