diff --git a/private/app.te b/private/app.te
index da60086f3..34cd2f0d7 100644
--- a/private/app.te
+++ b/private/app.te
@@ -267,6 +267,9 @@ allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 1f84eca1f..7ad8febf3 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
 
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f75..6e7ba5025 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@ allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
 
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
 ###
 ### neverallow rules
 ###
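Review bot: The new `allow appdomain sdk_sandbox_data_file:file { getattr read };` is broader than the rule directly above it, which carves out `isolated_app_all` and `sdk_sandbox_all`, so isolated processes also gain read on sdk-sandbox-owned data through any descriptor handed to them; if that is not intended, `allow { appdomain -isolated_app_all } sdk_sandbox_data_file:file { getattr read };` keeps the two rules aligned. Since `open` is not granted, the access presumably applies only to descriptors opened by another domain, which is what the comment means by "open fds"; stating it explicitly, `# Read sdk_sandbox_data_file via fds already opened by the SDK sandbox (no open, so apps cannot open these files themselves)`, records both the intent and the limit. The `mediaprovider_app` rule deleted in the next file looks subsumed by this one, assuming mediaprovider_app is an appdomain member.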
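Review bot: The comment `# allow apps to pass open fds to the sdk sandbox` on the new rule should say what is deliberately not granted: without `open` the sandbox cannot open app data files itself, so only descriptors an app passes in are readable; suggest `# Read app_data_file/privapp_data_file only via fds an app passes in (no open, so the sandbox cannot open them itself)`. It also departs from the capitalised comment style used by the neighbouring rules in this file and in the other files of the change, a minor point. This rule only builds against the relaxed neverallow in the second hunk of this file, so the two edits belong together and a reviewer of either should read the other.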
@@ -64,7 +67,7 @@ neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
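Review bot: The comment above the changed neverallow, `# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file`, is now stale because `~{ getattr read }` intentionally leaves read access through passed descriptors open; suggest `# SDK sandbox processes have their own storage; app_data_file/privapp_data_file are reachable only via fds an app passes in (getattr/read).` Note that `~{ getattr read }` forbids every other file permission, which likely includes ones `no_rw_file_perms` did not list (e.g. `map`, `execute`), so apart from the two exemptions the constraint becomes tighter than before; that is a good outcome but worth a sentence in the commit message, and it means a later `map` grant on these files would fail the neverallow check at build time rather than silently widen the sandbox.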