diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee73f6e92d6d7b71d3b9b07e884b56e8c7eb..fb4a9e6c8f842197d65c97f37bc4034b01445471 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -634,7 +634,9 @@
 (typeattributeset system_app_data_file_26_0 (system_app_data_file))
 (typeattributeset system_app_service_26_0 (system_app_service))
 (typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
 (typeattributeset system_file_26_0 (system_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c912201323470b24e11c528b8501e9d3c2cd..2272903e6830fa5f266db6d9f70089b5b0fbb96e 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1351,7 +1351,9 @@
 (typeattributeset system_app_data_file_27_0 (system_app_data_file))
 (typeattributeset system_app_service_27_0 (system_app_service))
 (typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
 (typeattributeset system_file_27_0 (system_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d70c1071216fb078538b158919d531e477..321cfbe7295bb2f8e7f472435523c0b35f00769b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -425,6 +425,9 @@
 /data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
 /data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4f96ec02bfce3a275f3d4ccdc55f6aa32d..9ac5d8761223a44e6ec5f0069ceaffbbaac544be 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@ neverallow perfetto dev_type:blk_file { read write };
 neverallow perfetto domain:process ptrace;
 # Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
diff --git a/private/traced.te b/private/traced.te
index bb7a09191b5316c223f81da7a60678eb0e101d12..531ecc29cad320e0dd9a511d31b2bdc5109b873e 100644
--- a/private/traced.te
+++ b/private/traced.te
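Review bot: The TODO on the new `-vendor_data_file` exemption says access is further restricted to getattr and search by a subsequent neverallow, but the next rule, `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, is unchanged and still names only system_data_file, so nothing in this file bounds perfetto on vendor_data_file dirs. The restriction the comment presumably refers to is the new coredomain neverallow in public/domain.te, which is wrapped in full_treble_only and, assuming perfetto is a coredomain, applies only on full-Treble builds. Adding the type to the existing rule keeps the guarantee local and unconditional: `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`. The same gap exists in private/traced.te, where the commit even rewrites the following rule into set syntax as `neverallow traced { system_data_file }:dir ~{ getattr search };` without adding vendor_data_file, and in private/traced_probes.te.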
@@ -27,8 +27,15 @@ neverallow traced domain:process ptrace;
 # Disallows access to /data files, still allowing to write to file descriptors
 # passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4cd8561d64cc55fa7cb4002f9740d37abf..26e005100a23554acb73e29ad6113f1c32c5a67f 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -44,7 +44,14 @@ neverallow traced_probes dev_type:blk_file { read write };
 neverallow traced_probes domain:process ptrace;
 # Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
 neverallow traced system_data_file:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510ed8bfcc08ade800b78a50f4ffebaeac714..af1f44232638e05d86068b4b93e5df8b1edf7d60 100644
--- a/private/vold_prepare_subdirs.te
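Review bot: The rewritten rule in private/traced_probes.te keeps `traced` as its subject, `neverallow traced {`, as do the unchanged `neverallow traced ...` lines right after it, so this block only duplicates the constraints already in private/traced.te and places no /data restriction on traced_probes itself. The surrounding rules in the same file (`neverallow traced_probes dev_type:blk_file { read write };`, `neverallow traced_probes domain:process ptrace;`) show the domain that appears to be intended; this looks like a pre-existing copy-paste leftover that the commit carries forward. Since the line is being rewritten anyway, this is the moment to change it to `neverallow traced_probes {` and to do the same on the three following `neverallow traced` lines, which are outside the changed lines of this hunk.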
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@ allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 67eafc286fcc82c9b3e1b2e1e67433770c5a06d0..6f50552197ba91d549ddde4ed65e2e108dd36fd6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -208,11 +208,15 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, sysfs_usb);
 # files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
 allow { coredomain appdomain } system_data_file:dir getattr;
 # /data has the label system_data_file. Vendor components need the search
 # permission on system_data_file for path traversal to /data/vendor.
 allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
@@ -791,6 +795,9 @@ full_treble_only(`
 } {
 data_file_type
 -core_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
 }:dir *;
 ')
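Review bot: The new `allow domain vendor_data_file:dir { getattr search };` hands every domain, coredomain included, getattr and search on the /data/vendor trees, and the `# TODO restrict this to non-coredomain` above it acknowledges that but, unlike the other TODOs in this commit, names no tracking bug, so the follow-up is easy to lose. Suggest `# TODO(b/<bug id>) Restrict to { domain -coredomain }; coredomain only needs this until the full_treble_only neverallows below are the sole source of its getattr/search on vendor_data_file.` with the placeholder replaced by the real bug, or reuse b/72998741 if that bug covers this rule as well.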
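Review bot: The two-line TODO added above `-vendor_data_file` in this neverallow claims access is "further restricted in a subsequent neverallow" to getattr and search, but the only new neverallows on vendor_data_file later in this file have coredomain as their subject. This hunk's subject starts outside the hunk; the `-core_data_file_type` exclusion suggests it is the non-core (vendor) side, and for that side no follow-up restriction appears anywhere on this page, so vendor domains would get unrestricted dir access to vendor_data_file. That is presumably the intent for vendor-owned data, in which case the comment, copied from the coredomain rules, misstates the situation; suggest `# vendor_data_file (/data/vendor{,_ce,_de}) is vendor-owned; vendor domains are not restricted on it here.` in place of the TODO, or, if the exemption really is temporary, name the neverallow the TODO refers to.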
@@ -819,6 +826,7 @@ full_treble_only(`
 } {
 core_data_file_type
 -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
 -zoneinfo_data_file
 }:dir *;
 ')
@@ -834,6 +842,30 @@ full_treble_only(`
 }:dir ~{ getattr search };
 ')
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
diff --git a/public/file.te b/public/file.te
index d1feb3acedcc227f402fb8a60822db351fb4f824..0aa7ece238be2f92a1e5558588c39e116153a36c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -160,6 +160,8 @@ type logcat_exec, exec_type, file_type;
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
 type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
diff --git a/public/vold.te b/public/vold.te
index 0107ebd4cd8e30f189cb756170ee5c7bd57eaa95..95847cf648c8ad64d7f3537884a71431f4f7eb13 100644
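Review bot: The added `-vendor_data_file` inside this `core_data_file_type` set is a no-op: public/file.te in the same commit declares `type vendor_data_file, file_type, data_file_type;` without core_data_file_type, so the type is never in the set it is being subtracted from. Unless it is meant to gain core_data_file_type somewhere not on this page, the line can be dropped, or kept with a comment such as `-vendor_data_file # not core_data_file_type today; listed so the split stays explicit` so the next reader does not infer membership from it. The enclosing neverallow's subject list starts outside the hunk.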
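Review bot: The trailing comment `vendor_data_file # default label for files on /data. Covered below` in the first new neverallow is stale copy from the core_data_file_type rule above it: vendor_data_file labels /data/vendor{,_ce,_de} (the second block and private/file_contexts say so), not the whole of /data. The second block's header `# coredomains may not access dirs in /data/vendor.` is likewise copied from the first although that rule covers `file_class_set`, not dirs, and its exception set shows that open and create are denied while append/getattr/ioctl/read/write remain possible. Suggest `vendor_data_file # /data/vendor{,_ce,_de}; file classes are covered by the next neverallow` for the first and `# coredomains may not open, create or otherwise touch files in /data/vendor{,_ce,_de}; only append/getattr/ioctl/read/write on an already-open fd remain.` for the second.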
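Review bot: The comment `# Default type for anything under /data/vendor{_ce,_de}.` leaves out the bare /data/vendor tree: brace expansion of /data/vendor{_ce,_de} yields only /data/vendor_ce and /data/vendor_de, while private/file_contexts labels `/data/vendor(/.*)?` with this type too and public/domain.te writes it as /data/vendor{,_ce,_de}. Suggest `# Default type for anything under /data/vendor{,_ce,_de}.`. Since this is the one place the type is declared, it is also worth recording why it is not core_data_file_type, e.g. `# Deliberately not core_data_file_type: vendor-owned data; coredomain access is bounded by the neverallows in domain.te.`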
--- a/public/vold.te
+++ b/public/vold.te
@@ -113,6 +113,9 @@ allow vold efs_file:file rw_file_perms;
 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
 # for secdiscard
 allow vold system_data_file:file read;