From 3d348fd60c2219bfdab782c006aaf9ab9e553766 Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Thu, 19 Jan 2017 10:42:40 -0800
Subject: [PATCH] Allow ephemeral apps to read/write external storage

Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.

Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
---
 private/ephemeral_app.te | 7 +++++++
 public/app.te            | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 26d884ef3..3e58ccf98 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,6 +22,9 @@ allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
@@ -54,3 +57,7 @@ neverallow ephemeral_app sysfs:file *;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
diff --git a/public/app.te b/public/app.te
index 23c5ab8fe..f16a23efd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -197,8 +197,8 @@ allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-- 
GitLab