diff --git a/public/app.te b/public/app.te
index 0617e739002cf1e03c82c9b2fe7f74e16a14bcab..985e358ac4ae29322cff132cde6a13ad006b4478 100644
--- a/public/app.te
+++ b/public/app.te
@@ -37,8 +37,8 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow appdomain rootfs:lnk_file r_file_perms;
-allow appdomain tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
 allow appdomain tmpfs:dir r_dir_perms;
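Review bot: The comment above lines 11-12, "Read the /sdcard and /mnt/sdcard symlinks", no longer explains the rule now that isolated_app is carved out, and the same is true for every group in the second hunk (the storage, fuse/sdcardfs, vfat and USB comments all describe the grant but not the exclusion). A reader of app.te alone cannot tell whether the carve-out is a deliberate policy decision or a leftover, and whether it is enforced anywhere; I would extend the comment once, e.g. `# Read the /sdcard and /mnt/sdcard symlinks. isolated_app is excluded: it has no external storage access (see isolated_app.te).` and reference it from the other groups rather than repeating it. The first and last lines of the hunk are context, so the surrounding rules are unaffected.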
@@ -174,36 +174,36 @@ allow appdomain system_data_file:lnk_file r_file_perms;
 allow appdomain system_data_file:file { getattr read };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow appdomain media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow appdomain radio_data_file:file { read write getattr };
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:lnk_file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-allow appdomain mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow appdomain fuse:dir create_dir_perms;
-allow appdomain fuse:file create_file_perms;
-allow appdomain sdcardfs:dir create_dir_perms;
-allow appdomain sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow appdomain vfat:dir r_dir_perms;
-allow appdomain vfat:file rw_file_perms;
+allow { appdomain -isolated_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow appdomain usb_device:chr_file { read write getattr ioctl };
-allow appdomain usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 14e7f293d10f68ec7480f3a565b84a30bd8e445d..081849ed10064e209d91f4e3aabba6e6a0d68517 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -76,3 +76,10 @@ neverallow isolated_app *:{
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
   netlink_rdma_socket netlink_crypto_socket
 } *;
+
+# Do not allow isolated_app to access external storage
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:file_class_set *;
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
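Review bot: The new neverallows on lines 77-81 back only part of the exclusions made in app.te: the media_rw_data_file and radio_data_file carve-outs, and the rootfs/tmpfs lnk_file carve-out in the first app.te hunk, have no neverallow here, so a device or vendor policy could reinstate those grants for isolated_app without failing the build, unless a neverallow above this hunk already covers them. If the intent is to make those removals binding too, a line such as `neverallow isolated_app { media_rw_data_file radio_data_file }:file *;` would close the gap; rootfs/tmpfs lnk_file is harder to express safely and may be better left documented. Whether sdcard_type actually spans the fuse, sdcardfs and vfat types removed in app.te is inferred, not visible in the diff, and is worth confirming. The `~getattr` on the dir rule at line 77 also leaves directory getattr permitted without saying why; a short comment like `# dir getattr is intentionally exempted from the neverallow` would keep a later reader from tightening or loosening it by accident.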