diff --git a/private/crosvm.te b/private/crosvm.te
index c750b5036..5971b91ee 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -31,6 +31,7 @@ allow crosvm {
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   apex_compos_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
@@ -44,24 +45,12 @@ allow crosvm virtualizationservice_data_file:dir search;
 
 # Note that the open permission is not given as the socket is passed by FD.
 allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
 
-# Don't allow crosvm to open files that it doesn't own.
-# This is important because a malicious application could try to start a VM with a composite disk
-# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
-# open them on its behalf. By preventing crosvm from opening any other files we prevent this
-# potential privilege escalation. See http://b/192453819 for more discussion.
-neverallow crosvm {
-  virtualizationservice_data_file
-  staging_data_file
-  apk_data_file
-  app_data_file
-  userdebug_or_eng(`-shell_data_file')
-}:file open;
-
 # The instance image and the composite image should be writable as well because they could represent
 # mutable disks.
 allow crosvm {
   virtualizationservice_data_file
   app_data_file
+  privapp_data_file
   apex_compos_data_file
 }:file write;
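Review bot: The `{ getattr read ioctl lock }` grant on `privapp_data_file` (and the other types in this set) is only safe because `open` is withheld, yet nothing at the rule says so, and the `neverallow ... :file open` that enforces it is being moved roughly forty lines further down the file by this same commit. A one-line why-comment on the allow, in the same spirit as the socket rule in the next hunk, would keep the two halves readable together: `# open is deliberately not granted: disk images are handed to crosvm as FDs (see the neverallow below).` The `allow crosvm {` line that opens this statement is only visible as hunk-header context, so the statement starts outside the hunk.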
@@ -79,6 +68,20 @@ dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
 # when the vm is created by the `vm` tool) and handed over to crosvm as FD.
 allow crosvm shell_data_file:file write;
 
+# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
+neverallow crosvm {
+  virtualizationservice_data_file
+  staging_data_file
+  apk_data_file
+  app_data_file
+  privapp_data_file
+  userdebug_or_eng(`-shell_data_file')
+}:file open;
+
 # Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
 full_treble_only(`
   neverallow crosvm {
@@ -93,13 +96,14 @@ full_treble_only(`
   }:file *;
 ')
 
-# app_data_file and shell_data_file is the only app_data_file_type that is
-# allowed for crosvm to read. Note that the use of app_data_file is allowed
-# only for the instance disk image. This is enforced inside the
-# virtualizationservice by checking the file context of all disk image files.
+# Only allow crosvm to read app data files for clients that can start
+# VMs. Note that the use of app data files is further restricted
+# inside the virtualizationservice by checking the label of all disk
+# image files.
 neverallow crosvm {
   app_data_file_type
   -app_data_file
+  -privapp_data_file
   -shell_data_file
 }:file read;
diff --git a/private/priv_app.te b/private/priv_app.te
index 9d7a0f6bf..4dcd1fbe5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
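Review bot: The re-added `neverallow crosvm { ... }:file open` omits `apex_compos_data_file`, even though that type appears in both the read set (the `@@ -31` hunk) and the write set (the `@@ -44` hunk) that this guard exists to constrain, so a future `allow crosvm apex_compos_data_file:file open` would pass the policy's own self-check. If CompOS images are handed to crosvm as FDs like the other types, add `apex_compos_data_file` to the list alongside `virtualizationservice_data_file`; if crosvm legitimately opens them by path, the comment above the rule should say so, since as written it promises that crosvm cannot open files it does not own. It is also worth confirming that the deleted block and this re-added one differ only by the `privapp_data_file` line, as a move plus an edit is easy to misread in review.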
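Review bot: The rewritten comment above `neverallow crosvm { app_data_file_type ... }:file read` drops the concrete restriction the old text stated — that app data files are accepted only as the instance disk image — and replaces it with the vaguer "further restricted inside the virtualizationservice". If that restriction still holds, now for `privapp_data_file` as well, keep it explicit, e.g. `# app data files are accepted only as the instance disk image; virtualizationservice enforces this by checking the label of every disk image file.`; if it no longer holds, say what is checked instead. Note too that excluding a whole type from the neverallow means the files of every privileged app become readable by crosvm at the SELinux level, not just those of apps holding MANAGE_VIRTUAL_MACHINE, so "clients that can start VMs" describes the framework permission check rather than what this policy enforces.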
@@ -201,6 +201,11 @@ domain_auto_trans(priv_app, rs_exec, rs)
 # created by things like renderscript or via other mechanisms.
 allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
 
+# Allow privileged apps to create a VM. Note that access is still
+# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission.
+virtualizationservice_use(priv_app)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 26077f376..0b4b919e2 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -171,11 +171,13 @@ userdebug_or_eng(`
   allow untrusted_app_all self:lockdown integrity;
 ')
 
-# Allow running a VM for test/demo purposes. Note that access the service is
-# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
-# permission. The protection level of the permission is `signature|development`
-# so that it can only be granted to either platform-key signed apps or
-# test-only apps having `android:testOnly="true"` in its manifest.
+# Allow running a VM for test/demo purposes. Note that access to the
+# service is still guarded with the
+# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
+# protection level of the permission is
+# `signature|privileged|development` so that it can only be granted to
+# either platform-key signed apps, privileged apps, or test-only apps
+# having `android:testOnly="true"` in their manifest.
 virtualizationservice_use(untrusted_app_all)
 
 with_native_coverage(`
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 6e6b45961..3e057fe07 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -44,6 +44,7 @@ allow virtualizationservice apk_data_file:file { getattr read };
 allow virtualizationservice {
   app_data_file
   apex_compos_data_file
+  privapp_data_file
 }:file { getattr read write };
 
 # shell_data_file is used for automated tests and manual debugging.
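Review bot: `virtualizationservice_use(priv_app)` opens the service to every privileged app at the SELinux level, and the comment above it defers entirely to `MANAGE_VIRTUAL_MACHINE`, but unlike the matching comment being rewritten in untrusted_app_all.te it does not say why a privileged app can hold that permission. Mirroring that file keeps the two in step: `# Allow privileged apps to create a VM. Access is still guarded by the` / `# `android.permission.MANAGE_VIRTUAL_MACHINE` permission, whose protection level` / `# is `signature|privileged|development`.` The protection level lives in the framework manifest, which this change does not touch, so the `privileged` flag the comment relies on should be confirmed to have landed before this grant ships.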
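Review bot: `write` on `privapp_data_file` is added to the virtualizationservice rule with no comment, while the neighbouring `apk_data_file` rule is read-only and nothing in this file says why app data files need to be writable (the crosvm.te side attributes it to mutable instance and composite images). A why-comment above the set would carry that reasoning across: `# Instance/composite disk images owned by the client app; presumably passed in as FDs and mutable, hence write.` As `open` is absent here as well, the grant presumably only applies to FDs the client already holds — if that is intentional, stating it here spares the next reader a trip to the neverallows in crosvm.te.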