diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 26d884ef3d9a8c08ef75b559e3a800dd67a9111c..3e58ccf98b7e3a8197095428ba8f9f59e42809ed 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,6 +22,9 @@ allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
@@ -54,3 +57,7 @@ neverallow ephemeral_app sysfs:file *;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
diff --git a/public/app.te b/public/app.te
index 23c5ab8feb59f5913786309a768bca79fd006035..f16a23efdf41b7993d6b24a500ef074581eeeff1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -197,8 +197,8 @@ allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html