Need a way for applications to ask permission to read/write in pictures/videos folders on SD card

Thanks for the report! Marking confirmed for now, since it is obviously needed, but it needs further discussion. Once that has happened, I'll adjust.

Per discussions on ubuntu-phone@ (https://lists.launchpad.net/ubuntu-phone/msg10456.html), the directory structure for these global directories is:

/media/$user/$label/Pictures
/media/$user/$label/Music
/media/$user/$label/Videos

'$label' is confirmed to not allow '/' in the name. Because the directories may be on a vfat filesystem, we want the policy to be able to handle case-insensitive names.

As such, we'll adjust the policy groups accordingly to do things like this:
  # SD card: /media/<user>/<label>/...
  owner /media/*/*/[Mm][Uu][Ss][Ii][Cc]/ r,
  owner /media/*/*/[Mm][Uu][Ss][Ii][Cc]/** rwk,

  # SD card: /media/<user>/<label>/...
  owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/ r,
  owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/** rwk,

  # SD card: /media/<user>/<label>/...
  owner /media/*/*/[Vv][Ii][Dd][Ee][Oo][Ss]/ r,
  owner /media/*/*/[Vv][Ii][Dd][Ee][Oo][Ss]/** rwk,

IMPORTANT: the policy will not allow creating these directories (just like it doesn't for the ones in ~), so something else will have to create them.

RE: "IMPORTANT: the policy will not allow creating these directories (just like it doesn't for the ones in ~), so something else will have to create them."

I can't think of anything else that would create them. Is it an issue to let the apps create them when/if they need to?

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.39

---------------
apparmor-easyprof-ubuntu (1.2.39) utopic; urgency=medium

  * ubuntu/{music,pictures,video}_files*: allow access to global SD card
    directories (LP: #1391930)
  * ubuntu/ubuntu-scope-network, pending/ubuntu-scope-local-content: allow
    scopes to read data from the apps data dir (LP: #1384286)
 -- Jamie Strandboge <email address hidden> Thu, 13 Nov 2014 09:54:18 -0600

1.2.39 was pushed to rtm last week.

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.1

---------------
apparmor-easyprof-ubuntu (1.3.1) vivid; urgency=medium

  * ubuntu/ubuntu-sdk:
    - explicitly deny reads on ~/.cache/QML/Apps/ to silence noisy denials.
      Undo this when LP: 1381620 is fixed in qtdeclarative-opensource-src
    - explicitly deny dbus bind on name="org.freedesktop.Application" since
      it is noisy. Undo this when LP: 1378823 is fixed in ubuntu-ui-toolkit
  * ubuntu/1.3/ubuntu-sdk: drop html5-container policy. html5 apps should use
    webapp-container and specify the 'webview' policy group with 1.3 (15.04)
    policy (LP: #1392461)
  * ubuntu/ubuntu-scope-network, pending/ubuntu-scope-local-content: allow
    scopes to read data from the apps data dir (LP: #1384286)
  * adjust all dbus rules to use peer=(label=unconfined) to prevent
    coordinated communications between apps over DBus (LP: #1383824)
  * ubuntu/{music,pictures,video}_files*: allow access to global SD card
    directories (LP: #1391930)
  * debian/control: Depends on apparmor >= 2.8.98-0ubuntu2~ for the dbus peer
    changes (we need at least apparmor_parser 2.9.beta4 for these)
 -- Jamie Strandboge <email address hidden> Mon, 15 Dec 2014 15:53:32 +0000

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".