Merge "Allow ephemeral apps to read/write external storage" am: b7f86a72

am: 2dcb16e6

Change-Id: I218dacfbe93f77345bfcfd0909c6831fb1549565

private/ephemeral_app.te

@@ -22,6 +22,9 @@ allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
@@ -54,3 +57,7 @@ neverallow ephemeral_app sysfs:file *;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;

public/app.te

@@ -197,8 +197,8 @@ allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html