Merge changes Icd71c967,I3fd90ad9

* changes:
  Do not permit appdomain to create/write to download_file.
  Remove duplicated rules between appdomain and isolated_app.

app.te

@@ -66,7 +66,6 @@ binder_call(appdomain, appdomain)
 
 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)
-binder_call(appdomain, isolated_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
@@ -82,8 +81,8 @@ allow appdomain cache_backup_file:file { read write getattr };
 allow appdomain system_data_file:lnk_file getattr;
 
 # Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
 
 # Allow applications to communicate with netd via /dev/socket/dnsproxyd
 # to do DNS resolution

isolated_app.te

@@ -13,9 +13,6 @@ type isolated_app, domain;
 permissive isolated_app;
 app_domain(isolated_app)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services