Allow ephemeral apps to read/write external storage

Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.

Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8

private/ephemeral_app.te

@@ -22,6 +22,9 @@ allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
@@ -54,3 +57,7 @@ neverallow ephemeral_app sysfs:file *;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;

public/app.te

@@ -197,8 +197,8 @@ allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html