Allow ephemeral apps to read/write external storage Ephemeral apps cannot open files from external storage, but can be given access to files via the file picker. Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd. Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8

commit: 3d348fd60c2219bfdab782c006aaf9ab9e553766 [log] [tgz]
author: Chad Brubaker <cbrubaker@google.com> Thu Jan 19 10:42:40 2017 -0800
committer: Chad Brubaker <cbrubaker@google.com> Thu Jan 19 13:26:26 2017 -0800
tree: 3d31c8eea00e8a16eac67bb9a5992eabca7e7371
parent: a06807fdb38d27674016272c024c12bd79fae03d [diff]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 26d884e..3e58ccf 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -22,6 +22,9 @@
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
@@ -54,3 +57,7 @@
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
commit	3d348fd60c2219bfdab782c006aaf9ab9e553766	[log] [tgz]
author	Chad Brubaker <cbrubaker@google.com>	Thu Jan 19 10:42:40 2017 -0800
committer	Chad Brubaker <cbrubaker@google.com>	Thu Jan 19 13:26:26 2017 -0800
tree	3d31c8eea00e8a16eac67bb9a5992eabca7e7371
parent	a06807fdb38d27674016272c024c12bd79fae03d [diff]