diff --git a/bundle.json b/bundle.json
index 5792a2c7479782bdd06eea73a601e0cd4c20b16a..1f107e726fab9c2373ae411da51b7856313e30d7 100644
--- a/bundle.json
+++ b/bundle.json
@@ -28,6 +28,8 @@
 "components": [
 "ability_base",
 "access_token",
+ "appspawn",
+ "bundle_framework",
 "cJSON",
 "c_utils",
 "common_event_service",
diff --git a/frameworks/inner_api/sandbox_manager/test/BUILD.gn b/frameworks/inner_api/sandbox_manager/test/BUILD.gn
index 6eb1ed156dc114173df8bafcb308ac6a15b51745..c14fd5f06456c767e3175daf2ec746bbc52283ee 100644
--- a/frameworks/inner_api/sandbox_manager/test/BUILD.gn
+++ b/frameworks/inner_api/sandbox_manager/test/BUILD.gn
@@ -58,6 +58,9 @@ ohos_unittest("libsandbox_manager_sdk_test") {
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_innerkits",
diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn
index 2978a92d23c0abecd4c81dbaee2b84e06c71c3d5..9175870ea33057d4fd82abd50fff28ed2af7ff2c 100644
--- a/services/sandbox_manager/BUILD.gn
+++ b/services/sandbox_manager/BUILD.gn
@@ -84,6 +84,9 @@ if (is_standard_system) {
 external_deps = [
 "ability_base:want",
 "access_token:libaccesstoken_sdk",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
index b78c465c614660c6457ea248d2d4e22e4e116f95..4072b9c2a73c836ed4636fa5834e54db097e9c59 100644
--- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
+++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
@@ -136,6 +136,13 @@ public: * @return int32_t */ int32_t UnSetAllPolicyByToken(const uint32_t tokenId, uint64_t timestamp = 0); + /** + * @brief clean policys when package changed + * @param bundleName bundle name + * @param userID a given userid + * @return int32_t + */ + int32_t CleanPolicyByPackageChanged(const std::string &bundleName, int32_t userID); private: /** * @brief Clean policy list on MAC @@ -274,6 +281,7 @@ private: std::vector &validIndex, std::vector &validPolicies); std::vector splitPath(const std::string &path); bool CheckPathWithinRule(const std::string &path); + int32_t CleanPolicyByPathlist(uint32_t tokenId, std::vector &list); }; } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h index fea611f3d3fca489a112bb032c4f8ddf9e7013f5..b9642270dccfaf46b894b965f35cd5797302d31d 100644 --- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h +++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h @@ -80,6 +80,7 @@ private: void OnAddSystemAbility(int32_t systemAbilityId, const std::string& deviceId) override; bool StartByEventAction(const SystemAbilityOnDemandReason& startReason); bool IsFileManagerCalling(uint32_t tokenCaller); + bool PackageChangedEventAction(const SystemAbilityOnDemandReason &startReason); std::mutex stateMutex_; ServiceRunningState state_; diff --git a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp index 8f986fcf216d403dbcd26929ab32cebcf27b3744..8552231e23fe0b7c4b2fec86c95c31cb56e8b408 100644 --- a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp +++ b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp 
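Review bot: The Doxygen block added for `CleanPolicyByPackageChanged` says only "clean policys when package changed", which tells a caller neither what is cleaned nor what the return value means; the implementation in policy_info_manager.cpp re-verifies each DEC permission for the bundle's hap token (index 0 plus every clone index) and removes the path policies of permissions that are no longer granted. I would write `@brief Revoke the sandbox path policies of a bundle whose DEC permissions are no longer granted after a package change (covers clone app indexes as well as index 0).` and, for `@return`, `SANDBOX_MANAGER_OK, or an error code when the bundle manager lookup fails, in which case the bundle's policies are left untouched`. The spelling `policys` should be `policies`.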
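Review bot: `CleanPolicyByPathlist` is declared with its path list as a non-const reference although the implementation only reads each element to build a `PolicyInfo`; declaring it `int32_t CleanPolicyByPathlist(uint32_t tokenId, const std::vector<std::string> &list);` documents that the list is not modified and lets the caller iterate the DEC path map as `const auto &`. The element type is not visible in this extraction (template arguments were stripped), so match whatever the declaration actually uses.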
@@ -19,6 +19,7 @@ #include #include "policy_info_manager.h" #include "sandbox_manager_log.h" +#include "accesstoken_kit.h" namespace OHOS { namespace AccessControl { @@ -43,6 +44,7 @@ bool SandboxManagerCommonEventSubscriber::RegisterEvent() skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED); skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED); skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED); + skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED); EventFwk::CommonEventSubscribeInfo subscribeInfo(*skill); auto info = std::make_shared(*skill); g_subscriber = std::make_shared(*info); @@ -85,6 +87,13 @@ void SandboxManagerCommonEventSubscriber::OnReceiveEvent(const EventFwk::CommonE PolicyInfoManager::GetInstance().RemoveBundlePolicy(tokenId); SANDBOXMANAGER_LOG_INFO(LABEL, "RemovebundlePolicy, tokenid = %{public}d.", tokenId); } + + if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED) { + std::string bundleName = want.GetElement().GetBundleName(); + int32_t userID = want.GetParams().GetIntParam("userId", -1); + SANDBOXMANAGER_LOG_INFO(LABEL, "OnReceive Package changed %{public}s, %{public}d", bundleName.c_str(), userID); + (void)PolicyInfoManager::GetInstance().CleanPolicyByPackageChanged(bundleName, userID); + } } } // namespace SandboxManager } // namespace AccessControl diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp index 4419e09ccc6c2080ffd54eb9a9aff710f6261e11..5171ae06906421d0765bb0f3cbc2fc256a466a7d 100644 --- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp +++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp 
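Review bot: In the new `COMMON_EVENT_PACKAGE_CHANGED` branch of `OnReceiveEvent`, `GetIntParam("userId", -1)` and `GetBundleName()` are handed straight to `CleanPolicyByPackageChanged`, so an event without a `userId` param (or with an empty bundle name) reaches the bundle-manager and access-token lookups with `-1`, whereas the on-demand start path in `PackageChangedEventAction` rejects exactly these inputs. I would mirror that check before the call: `if (bundleName.empty() || userID < 0) { SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid package changed event."); return; }`. Whether user 0 should also be rejected here, as the on-demand path does, depends on whether system-user haps can hold DEC policies, but the two entry points should agree either way. The return value is discarded with `(void)`, so a failed cleanup is visible only through the callee's own logs.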
@@ -38,6 +38,10 @@ #include "os_account_manager.h" #include "media_path_support.h" #include "data_size_report_adapter.h" +#include "bundle_mgr_interface.h" +#include "dec_api.h" +#include "iservice_registry.h" +#include "system_ability_definition.h" namespace OHOS { namespace AccessControl { 
@@ -1191,6 +1195,78 @@ int32_t PolicyInfoManager::MatchPolicy( } return SANDBOX_MANAGER_OK; } +int32_t PolicyInfoManager::CleanPolicyByPathlist(uint32_t tokenId, std::vector &list) +{ + SANDBOXMANAGER_LOG_INFO(LABEL, "pathlist size = %{public}zu", list.size()); + std::vector policy; + std::vector u32Res; + for (std::string &p : list) { + PolicyInfo info; + info.path = p; + SANDBOXMANAGER_LOG_INFO(LABEL, "path = %{public}s", p.c_str()); + /* The default config of appspawn is read and write */ + info.mode = OperateMode::WRITE_MODE + OperateMode::READ_MODE; + policy.emplace_back(info); + (void)UnSetPolicy(tokenId, info); + } + + return RemovePolicy(tokenId, policy, u32Res); +} + +static sptr GetBundleMgrsa() +{ + auto systemAbilityManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (systemAbilityManager == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbilityManager is null."); + return nullptr; + } + auto bundleMgrSa = systemAbilityManager->GetSystemAbility(BUNDLE_MGR_SERVICE_SYS_ABILITY_ID); + if (bundleMgrSa == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetBundleMgr GetSystemAbility is null."); + return nullptr; + } + + return iface_cast(bundleMgrSa); +} + +int32_t PolicyInfoManager::CleanPolicyByPackageChanged(const std::string &bundleName, int32_t userID) +{ + auto bundleMgr = GetBundleMgrsa(); + if (bundleMgr == nullptr) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Get bundleMgr failed."); + return PERMISSION_DENIED; + } + + std::vector appIndexes; + ErrCode err = bundleMgr->GetCloneAppIndexes(bundleName, appIndexes, userID); + if (err != ERR_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "get appindex error %{public}s, err: %{public}d", bundleName.c_str(), err); + return PERMISSION_DENIED; + } + SANDBOXMANAGER_LOG_INFO(LABEL, "get appindex size = %{public}zu", appIndexes.size()); + appIndexes.emplace_back(0); + + std::map> decPathMap = GetDecPathMap(); + for (int32_t appIndex : appIndexes) { + uint32_t tokenId = 
Security::AccessToken::AccessTokenKit::GetHapTokenID(userID, bundleName, appIndex); + if (tokenId == Security::AccessToken::INVALID_TOKENID) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "GetHapTokenID failed uid = %{public}d, %{public}s", + userID, bundleName.c_str()); + continue; + } + for (auto &[permission, pathList] : decPathMap) { + SANDBOXMANAGER_LOG_INFO(LABEL, "check %{public}s permission", permission.c_str()); + int ret = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenId, permission); + if (ret != Security::AccessToken::PERMISSION_GRANTED) { + SANDBOXMANAGER_LOG_INFO(LABEL, "need clean %{public}s permission", permission.c_str()); + (void)CleanPolicyByPathlist(tokenId, pathList); + } else { + SANDBOXMANAGER_LOG_INFO(LABEL, "no need clean %{public}s permission", permission.c_str()); + } + } + } + return SANDBOX_MANAGER_OK; +} } // namespace SandboxManager } // namespace AccessControl } // namespace OHOS diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp index 9d2450e31a83119d34b57b23652d5ab925895487..12d36a262fa1a1ec63adee23bc2697fd344c0b1c 100644 --- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp +++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp 
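Review bot: `CleanPolicyByPackageChanged` returns `PERMISSION_DENIED` when `GetBundleMgrsa()` or `GetCloneAppIndexes` fails, which misdescribes an IPC/lookup failure to callers and logs; on those paths, and when `GetHapTokenID` fails and the loop `continue`s, the changed bundle's policies stay in place, so the revocation is fail-open until some later event cleans them. I would return a distinct error code for the lookup failures and log the `GetHapTokenID` miss at error level with the app index, e.g. `"GetHapTokenID failed user = %{public}d, %{public}s, index = %{public}d"` (the current message labels the user id as `uid`), so a skipped revocation is visible to operators. Separately, `CleanPolicyByPathlist` hard-codes `OperateMode::WRITE_MODE + OperateMode::READ_MODE` on the strength of a comment about appspawn's default; if `RemovePolicy`/`UnSetPolicy` match on mode (not visible here), a policy stored with a narrower mode would survive the cleanup, so that assumption needs confirming or the stored mode should be used. Cleaning whenever `VerifyAccessToken` returns anything other than `PERMISSION_GRANTED` is the right, fail-closed direction for a transient access-token error.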
@@ -666,6 +666,53 @@ void SandboxManagerService::DelayUnloadService() #endif } +bool SandboxManagerService::PackageChangedEventAction(const SystemAbilityOnDemandReason &startReason) +{ + auto wantMap = startReason.GetExtraData().GetWant(); + std::string bundleName; + int32_t userId; + for (auto i = wantMap.begin(); i != wantMap.end(); ++i) { + std::string key = std::string(i->first.data()); + std::string value = std::string(i->second.data()); + if (key == "bundleName") { + if (value.empty()) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Error empty bundleName received."); + return false; + } + bundleName = value; + } + if (key == "userId") { + if (value.empty()) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Error empty userId received."); + return false; + } + if (std::isdigit(value[0]) == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid digit userId string received."); + return false; + } + size_t idx = 0; + userId = std::stoul(value, &idx); + if (idx != value.length()) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Convert failed, userId = %{public}s.", value.c_str()); + return false; + } + if (userId == 0) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "Receive invalid userId."); + return false; + } + } + } + + SANDBOXMANAGER_LOG_INFO(LABEL, "bundleName = %{public}s.%{public}d", bundleName.c_str(), userId); + int32_t ret = PolicyInfoManager::GetInstance().CleanPolicyByPackageChanged(bundleName, userId); + if (ret != SANDBOX_MANAGER_OK) { + SANDBOXMANAGER_LOG_ERROR(LABEL, "%{public}s clean policy failed", bundleName.c_str()); + return false; + } + + return true; +} + bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason& startReason) { std::string reasonName = startReason.GetName(); 
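Review bot: In `PackageChangedEventAction`, `userId` is declared without an initializer and `bundleName` is only assigned when its key is present, yet both are logged and passed to `CleanPolicyByPackageChanged` after the loop, so an on-demand start whose want lacks `userId` reads an indeterminate value. The `userId` parse is also fragile: `std::stoul` yields `unsigned long` that is narrowed into `int32_t` (a value such as `4294967295` passes the `isdigit` and `== 0` checks and arrives as `-1`), and an out-of-range string throws `std::out_of_range`, which nothing here catches, so one malformed value would terminate the service. I would initialise both, parse with `std::from_chars` directly into the `int32_t` (no exceptions, rejects sign, overflow and trailing characters; needs `<charconv>`), and reject a missing key after the loop, as below. The function lies wholly inside this hunk.
```cpp
bool SandboxManagerService::PackageChangedEventAction(const SystemAbilityOnDemandReason &startReason)
{
    auto wantMap = startReason.GetExtraData().GetWant();
    std::string bundleName;
    int32_t userId = -1;  // stays -1 when the want carries no "userId"
    for (auto i = wantMap.begin(); i != wantMap.end(); ++i) {
        std::string key = std::string(i->first.data());
        std::string value = std::string(i->second.data());
        if (key == "bundleName") {
            // … unchanged: empty-value check …
            bundleName = value;
        }
        if (key == "userId") {
            // from_chars: no exceptions, no locale, rejects sign/overflow/trailing garbage
            const char *end = value.data() + value.size();
            auto res = std::from_chars(value.data(), end, userId);
            if (res.ec != std::errc() || res.ptr != end || userId <= 0) {
                SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid userId received: %{public}s.", value.c_str());
                return false;
            }
        }
    }
    if (bundleName.empty() || userId <= 0) {
        SANDBOXMANAGER_LOG_ERROR(LABEL, "Package changed event without bundleName or userId.");
        return false;
    }
    // … unchanged: log and CleanPolicyByPackageChanged call …
```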
@@ -705,6 +752,9 @@ bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason } SANDBOXMANAGER_LOG_INFO(LABEL, "RemovebundlePolicy, tokenID = %{public}u.", tokenId); } + if (reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_CHANGED) { + return PackageChangedEventAction(startReason); + } return true; } diff --git a/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json b/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json index a5c45f98c93628fe1bb29f9a9f30a38608d921c3..5004feb40d5f7288193ca885c751853e35c2c472 100644 --- a/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json +++ b/services/sandbox_manager/main/sa_profile/proc_non_resident/sandbox_manager_service.json @@ -18,6 +18,9 @@ }, { "name": "usual.event.PACKAGE_DATA_CLEARED" + }, + { + "name": "usual.event.PACKAGE_CHANGED" }] }, "stop-on-demand": { diff --git a/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg b/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg index dfff5fb8d1fe442ab1c1bbab0bb11491b78dbae9..9d686e5a9d4df1c4fbd917d9bd1964508db9452e 100644 --- a/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg +++ b/services/sandbox_manager/proc_non_resident_cfg/sandbox_manager_service.cfg @@ -13,6 +13,7 @@ "uid" : "sandbox_manager", "gid" : ["sandbox_manager"], "permission" : [ + "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED" ], "secon" : "u:r:sandbox_manager_service:s0" } diff --git a/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg b/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg index 7f9d494491ba826e9e150d736f4ea1229bcc3737..ac46f8d5d4eb3b760ee03da25b2ad5734cf6700f 100644 --- a/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg +++ b/services/sandbox_manager/proc_resident_cfg/sandbox_manager_service.cfg 
@@ -11,6 +11,7 @@
 "uid" : "sandbox_manager",
 "gid" : ["sandbox_manager"],
 "permission" : [
+ "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED"
 ],
 "secon" : "u:r:sandbox_manager_service:s0"
 }
diff --git a/services/sandbox_manager/test/BUILD.gn b/services/sandbox_manager/test/BUILD.gn
index df9a2f1288bdfe73db7a7c802d877869c8c33966..3196e530d66b268abbb042f474fd6bc771822670 100644
--- a/services/sandbox_manager/test/BUILD.gn
+++ b/services/sandbox_manager/test/BUILD.gn
@@ -94,6 +94,9 @@ ohos_unittest("libsandbox_manager_service_standard_test") {
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
diff --git a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
index 5e215c52c47ed7cab60a780c18bdf2e612a53562..5ad8636039563075e394282a9acde4402856cbaa 100644
--- a/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
+++ b/test/fuzztest/services/sandbox_manager/sandbox_manager_service_fuzz.gni
@@ -59,6 +59,9 @@ sandbox_manager_external_deps = [
 "access_token:libaccesstoken_sdk",
 "access_token:libnativetoken",
 "access_token:libtoken_setproc",
+ "appspawn:appspawn_dec_util",
+ "bundle_framework:appexecfwk_base",
+ "bundle_framework:appexecfwk_core",
 "cJSON:cjson",
 "c_utils:utils",
 "common_event_service:cesfwk_core",
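Review bot: Both service cfgs now grant the `sandbox_manager` process `ohos.permission.GET_BUNDLE_INFO_PRIVILEGED`, a broad bundle-information privilege, while the only new consumer visible in this change is the `GetCloneAppIndexes` call in `CleanPolicyByPackageChanged`. If the bundle manager accepts a narrower permission for that query (not determinable from this diff), prefer it; otherwise the commit description should record that this privileged permission exists solely for the clone-index lookup, since a cfg file cannot carry a comment. The same line is added to `proc_non_resident_cfg/sandbox_manager_service.cfg` in the preceding hunk.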