Consistent external storage policy.

Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe

adbd.te

@@ -86,3 +86,10 @@ allow adbd kernel:security read_policy;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir search;
+allow adbd mnt_user_file:lnk_file r_file_perms;

app.te

@@ -124,11 +124,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
-# See visible storage
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-# Follow the /storage/self/primary symlink
+allow appdomain storage_file:lnk_file r_file_perms;
+allow appdomain mnt_user_file:dir search;
 allow appdomain mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage

shell.te

@@ -74,6 +74,3 @@ allow shell domain:process getattr;
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;
-
-# Follow the /storage/self/primary symlink
-allow shell storage_file:lnk_file r_file_perms;