diff --git a/public/attributes b/public/attributes
index 8138a3fa2205d839aa723ea59b3c725df8ad9482..77823cfa673832c890d94cc33e380ae0ea68e98f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@ attribute data_file_type;
 expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+expandattribute core_data_file_type false;
 # All types in /vendor
 attribute vendor_file_type;
 
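Review bot: The new `expandattribute core_data_file_type false;` carries no comment saying why this attribute must survive policy compilation, and the coredomain_socket hunk below adds `expandattribute coredomain_socket false;` with the same silence. Presumably both are kept unexpanded so that tests/sepolicy_tests.py, which looks types up by attribute in the compiled policy (the new TestCoreDataTypeViolations asserts on core_data_file_type), can still find them — confirm. A one-line comment above each, such as `# kept unexpanded: sepolicy_tests.py asserts on this attribute`, would save the next reader the archaeology.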
@@ -130,6 +131,7 @@ attribute coredomain;
 
 # All socket devices owned by core domain components
 attribute coredomain_socket;
+expandattribute coredomain_socket false;
 
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index 308311c18e601aeee0e5332977610cd8d6e5a69e..c09ee505f0d6086655c3fa0d32cf94f39dd42c10 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,7 +670,6 @@ full_treble_only(`
 
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
-full_treble_only(`
   # Most general rules first, more specific rules below.
 
   # Core domains are not permitted to initiate communications to vendor domain sockets.
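Review bot: With the single `full_treble_only(` removed here, the section comments `# Most general rules first, more specific rules below.` and `# Core domains are not permitted to initiate communications to vendor domain sockets.` keep their two-space indent but now sit at file scope between macro invocations, as do the comments that precede each new `full_treble_only(` line in the later hunks of this file. Dedenting those comment lines to column 0 would make the new structure — one macro per neverallow — visible from indentation alone. A short comment stating why the block was split into separate wrappers would also help, since the intent is not recorded anywhere in the diff.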
@@ -678,6 +677,7 @@ full_treble_only(`
   # to obtain an already established socket via some public/official/stable API and then exchange
   # data with its peer over that socket. The wire format in this scenario is dicatated by the API
   # and thus does not break the core-vendor separation.
+full_treble_only(`
   neverallow_establish_socket_comms({
     coredomain
     -init
@@ -687,7 +687,9 @@ full_treble_only(`
     -coredomain
     -socket_between_core_and_vendor_violators
   });
+')
   # Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
@@ -703,20 +705,25 @@ full_treble_only(`
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+')
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+')
 
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # appdomain restrictions below
+    -data_between_core_and_vendor_violators # b/70393317
     -socket_between_core_and_vendor_violators
     -vendor_init
   } {
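Review bot: The added `-data_between_core_and_vendor_violators # b/70393317` widens that attribute's exemption from /data file access to creating and opening sock_file objects of core_data_file_type, and unlike the neighbouring TODO-style exclusions it gives no reason beyond the bug id. Presumably it is needed because wpa_socket, system_wpa_socket and hostapd_socket gain core_data_file_type elsewhere in this change (public/file.te, vendor/file.te), so vendor domains already in that attribute would otherwise trip this neverallow — confirm. Matching the style of the existing exclusions, `-data_between_core_and_vendor_violators # TODO(b/70393317): remove once violators no longer use core-owned sockets under /data` records both the reason and the exit condition; since the exemption now also covers sockets, the membership of that attribute is worth re-auditing. The `full_treble_only(` opened at the top of this hunk, and the neverallow inside it, close outside the hunk.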
@@ -724,6 +731,8 @@ full_treble_only(`
     core_data_file_type
     unlabeled # used only by core domains
   }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     appdomain
     -coredomain
@@ -735,8 +744,10 @@ full_treble_only(`
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+')
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
   neverallow {
     coredomain
     -init
diff --git a/public/file.te b/public/file.te
index 02a43608e76c111812e58fc3bcda08b4003438ee..932ecbf8b9703851f7385b383e586c0ca09e0e5a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -317,7 +317,7 @@ type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -327,7 +327,7 @@ type traced_consumer_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb0ba519085d3f3d0c50460e0b210efda27..ea9ba10f3dca4b8a6db3231bdc3d3af9b839395d 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@ def TestDebugfsTypeViolations(pol):
 def TestVendorTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
 
+def TestCoreDataTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+            "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
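Review bot: The continuation line of the exclusion list in TestCoreDataTypeViolations is indented to an arbitrary column rather than aligned with the opening bracket, and the three vendor data prefixes are written inline although they are the operational definition of "vendor data" that public/attributes describes only in words. Hoisting them to a module constant, `VENDOR_DATA_PREFIXES = ["/data/vendor/", "/data/vendor_ce/", "/data/vendor_de/"]`, and passing `VENDOR_DATA_PREFIXES` in the call gives one place to extend when another vendor data root appears and keeps the function to a single readable line. A docstring stating that every type labelling a path under /data/ outside those prefixes must carry core_data_file_type would also document what a failure of this test means.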
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@ class MultipleOption(Option):
         else:
             Option.take_action(self, action, dest, opt, value, values, parser)
 
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+        "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+        "TestCoreDataTypeViolations"]
 
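Review bot: The test names in `Tests` are duplicated in the `if options.test is None or "..." in options.test` chain of the `__main__` block (next hunk, where the new TestCoreDataTypeViolations branch is added), so every new test must be registered in two places, and this commit itself shows the list had drifted out of step with the chain. A dict mapping name to function, with `Tests = list(TESTS)` kept for whatever reads the name list, lets the main block loop over the mapping instead of growing another if branch. The `__main__` block starts in this hunk, but the chain it would replace is in the next one, which continues outside the diff, so the loop below assumes `results` is initialised as it is today.
```python
TESTS = {
    "TestDataTypeViolators": TestDataTypeViolators,
    "TestSysfsTypeViolations": TestSysfsTypeViolations,
    "TestDebugfsTypeViolations": TestDebugfsTypeViolations,
    "TestVendorTypeViolations": TestVendorTypeViolations,
    "TestCoreDataTypeViolations": TestCoreDataTypeViolations,
}
Tests = list(TESTS)  # name list, kept for existing readers of this variable

if __name__ == '__main__':
    # … unchanged: option parsing and policy loading …
    for name, test in TESTS.items():
        if options.test is None or name in options.test:
            results += test(pol)
```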
 if __name__ == '__main__':
     usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@ if __name__ == '__main__':
         results += TestDebugfsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
         results += TestVendorTypeViolations(pol)
+    if options.test is None or "TestCoreDataTypeViolations" in options.test:
+        results += TestCoreDataTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)
diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e0b6badfdd70c716d39eb40acb1fb4fad8..6bebfb5022bd63459d188716aadf461fb3148809 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
 # Socket types
-type hostapd_socket, file_type, data_file_type;
+type hostapd_socket, file_type, data_file_type, core_data_file_type;
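Review bot: hostapd_socket is declared in vendor policy yet now carries core_data_file_type, which public/attributes describes as "all types in /data, not in /data/vendor"; its file_contexts entry is not in the diff, so I assume it labels a socket under /data outside the vendor roots — confirm. If so the attribute is what the new TestCoreDataTypeViolations requires, but the type then falls under the core-data sock_file neverallows in public/domain.te, and any vendor domain that creates or opens it will depend on the data_between_core_and_vendor_violators exemption added there. A comment on this line, e.g. `# /data socket outside /data/vendor*: core_data_file_type required by sepolicy_tests.py`, would keep the two changes linked for the next reader.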