From 931d91ae48349ee4afbfeb77b1aeb015dd467053 Mon Sep 17 00:00:00 2001
From: y1585740638 <yulei99@huawei.com>
Date: Wed, 26 Jun 2024 15:21:09 +0800
Subject: [PATCH] tdd

Signed-off-by: y1585740638 <yulei99@huawei.com>
Change-Id: I51a99238cb419d0b1fba95ae4ffd8c3d2ab6c130
---
 bundle.json                                   |   5 +-
 .../include/i_sandbox_manager.h               |   7 +-
 ...andboxmanager_service_ipc_interface_code.h |   4 +
 .../include/sandbox_manager_client.h          |   7 +-
 .../include/sandbox_manager_err_code.h        |   2 +
 .../include/sandbox_manager_kit.h             |  33 +-
 .../include/sandbox_manager_proxy.h           |  10 +-
 .../libsandbox_manager_sdk.map                |  11 +-
 .../src/sandbox_manager_client.cpp            |  45 +-
 .../src/sandbox_manager_kit.cpp               |  45 +-
 .../src/sandbox_manager_proxy.cpp             | 148 ++-
 .../src/sandbox_manager_kit_coverage_test.cpp |   5 +-
 .../unittest/src/sandbox_manager_kit_test.cpp | 847 +++++++++++++++++-
 sandbox_manager.gni                           |   4 +
 services/sandbox_manager/BUILD.gn             |   6 +
 .../cpp/include/database/sandbox_manager_db.h |   1 +
 .../main/cpp/include/mac/mac_adapter.h        |  44 +
 .../cpp/include/service/policy_info_manager.h |  78 +-
 .../include/service/sandbox_manager_const.h   |   1 +
 .../include/service/sandbox_manager_service.h |   7 +-
 .../include/service/sandbox_manager_stub.h    |   6 +
 .../cpp/src/database/sandbox_manager_db.cpp   |  24 +
 .../main/cpp/src/mac/mac_adapter.cpp          | 268 ++++++
 .../sandbox_manager_event_subscriber.cpp      |   4 +-
 .../cpp/src/service/policy_info_manager.cpp   | 346 ++++++-
 .../src/service/sandbox_manager_service.cpp   |  91 +-
 .../cpp/src/service/sandbox_manager_stub.cpp  | 165 +++-
 .../sa_profile/sandbox_manager_service.json   |   3 +
 .../unittest/sandbox_manager_service_test.cpp |  11 +-
 29 files changed, 2078 insertions(+), 150 deletions(-)
 create mode 100644 services/sandbox_manager/main/cpp/include/mac/mac_adapter.h
 create mode 100644 services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp

diff --git a/bundle.json b/bundle.json
index b019454..4da7fb7 100644
--- a/bundle.json
+++ b/bundle.json
@@ -13,7 +13,10 @@
     "name": "sandbox_manager",
     "subsystem": "accesscontrol",
     "syscap": [],
-    "features": [ "sandbox_manager_feature_coverage = false" ],
+    "features": [
+      "sandbox_manager_feature_coverage = false",
+      "sandbox_manager_mac_enable = true"
+    ],
     "adapted_system_type": [ "standard" ],
     "rom": "10000KB",
     "ram": "5000KB",
diff --git a/frameworks/sandbox_manager/include/i_sandbox_manager.h b/frameworks/sandbox_manager/include/i_sandbox_manager.h
index b6c32bb..dbee2a2 100644
--- a/frameworks/sandbox_manager/include/i_sandbox_manager.h
+++ b/frameworks/sandbox_manager/include/i_sandbox_manager.h
@@ -31,17 +31,22 @@ public:
 
     static const int SA_ID_SANDBOX_MANAGER_SERVICE = SANDBOX_MANAGER_SERVICE_ID;
 
+    virtual int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths) = 0;
     virtual int32_t PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
     virtual int32_t UnPersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
     virtual int32_t PersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
     virtual int32_t UnPersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
-    virtual int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag) = 0;
+    virtual int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                              std::vector<uint32_t> &result) = 0;
+    virtual int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) = 0;
+    virtual int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result) = 0;
     virtual int32_t StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
     virtual int32_t StopAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) = 0;
     virtual int32_t CheckPersistPolicy(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result) = 0;
+    virtual int32_t StartAccessingByTokenId(uint64_t tokenId) = 0;
 };
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h
index 15fe30f..c677dbb 100644
--- a/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h
+++ b/frameworks/sandbox_manager/include/sandboxmanager_service_ipc_interface_code.h
@@ -24,11 +24,15 @@ enum class SandboxManagerInterfaceCode {
     PERSIST_PERMISSION = 0xffb0,
     UNPERSIST_PERMISSION,
     SET_POLICY,
+    UN_SET_POLICY,
+    CHECK_POLICY,
     START_ACCESSING_URI,
     STOP_ACCESSING_URI,
     CHECK_PERSIST_PERMISSION,
+    START_ACCESSING_BY_TOKENID,
     PERSIST_PERMISSION_BY_TOKENID,
     UNPERSIST_PERMISSION_BY_TOKENID,
+    CLEAN_PERSIST_POLICY_BY_PATH,
 };
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h
index aebae4c..67acd39 100644
--- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h
+++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_client.h
@@ -40,9 +40,13 @@ public:
     static SandboxManagerClient &GetInstance();
     virtual ~SandboxManagerClient();
 
+    int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths);
     int32_t PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
     int32_t UnPersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
-    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag);
+    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                      std::vector<uint32_t> &result);
+    int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy);
+    int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
     int32_t StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
     int32_t StopAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
     int32_t CheckPersistPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
@@ -50,6 +54,7 @@ public:
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
     int32_t UnPersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
+    int32_t StartAccessingByTokenId(uint64_t tokenId);
 
     void FinishStartSASuccess(const sptr<IRemoteObject> &remoteObject);
     void FinishStartSAFail();
diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h
index 2b26c4b..a6215c3 100644
--- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h
+++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_err_code.h
@@ -30,6 +30,8 @@ enum SandboxManagerErrCode : int32_t {
     SANDBOX_MANAGER_DB_ERR,
     SANDBOX_MANAGER_DB_RETURN_EMPTY,
     SANDBOX_MANAGER_DB_RECORD_NOT_EXIST,
+
+    SANDBOX_MANAGER_MAC_ADAPTER_ERR,
 };
 } // SandboxManager
 } // AccessControl
diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h
index 9506077..9f779b4 100644
--- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h
+++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_kit.h
@@ -17,6 +17,7 @@
 #define SANDBOXMANAGER_KIT_H
 
 #include "policy_info.h"
+#include <vector>
 
 namespace OHOS {
 namespace AccessControl {
@@ -26,6 +27,12 @@ namespace SandboxManager {
  */
 class SandboxManagerKit {
 public:
+    /**
+     * @brief Clear the persistence policy
+     * @param policy vector of string, file path
+     * @return SandboxManagerErrCode, see sandbox_manager_err_code.h
+     */
+    static int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths);
     /**
      * @brief Persist policys with caller's tokenId
      * @param policy vector of PolicyInfo, see policy_info.h
@@ -65,7 +72,24 @@ public:
      * @param result insert result of each policy, result is SandboxRetType in policy_info.h
      * @return SandboxManagerErrCode, see sandbox_manager_err_code.h
      */
-    static int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag);
+    static int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                             std::vector<uint32_t> &result);
+    /**
+     * @brief UnSet policy with a given tokenId from MAC layer
+     * @param tokenId a given tokenId
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result unset result of each policy
+     * @return SandboxManagerErrCode, see sandbox_manager_err_code.h
+     */
+    static int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy);
+    /**
+     * @brief Check policy with a given tokenId from MAC layer
+     * @param tokenId a given tokenId
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result check result of each policy
+     * @return true if policy exist, else false
+     */
+    static int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
     /**
      * @brief Set existing persisted policys with caller's tokenId to MAC layer
      *        not existed policy would be ignored, but have a return in result
@@ -90,6 +114,13 @@ public:
      */
     static int32_t CheckPersistPolicy(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
+
+    /**
+     * @brief load all policys by tokenid that auto-loaded flag = 1
+     * @param tokenId a given tokenId
+     * @return SandboxManagerErrCode, see sandbox_manager_err_code.h
+     */
+    static int32_t StartAccessingByTokenId(uint64_t tokenId);
 };
 } // SandboxManager
 } // AccessControl
diff --git a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h
index ebce0a2..7f35fd4 100644
--- a/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h
+++ b/interfaces/innerkits/sandbox_manager/include/sandbox_manager_proxy.h
@@ -31,10 +31,13 @@ public:
     explicit SandboxManagerProxy(const sptr<IRemoteObject> &impl);
     ~SandboxManagerProxy() override;
 
+    int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths) override;
     int32_t PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t UnPersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
-    int32_t SetPolicy(
-        uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag) override;
+    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                      std::vector<uint32_t> &result) override;
+    int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) override;
+    int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result) override;
     int32_t StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t StopAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t CheckPersistPolicy(
@@ -43,8 +46,9 @@ public:
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t UnPersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
-
+    int32_t StartAccessingByTokenId(uint64_t tokenId) override;
 private:
+    bool SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply, MessageOption &option);
     bool SendRequest(SandboxManagerInterfaceCode code, MessageParcel &data, MessageParcel &reply);
     static inline BrokerDelegator<SandboxManagerProxy> delegator_;
 };
diff --git a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map
index f787881..79deb19 100644
--- a/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map
+++ b/interfaces/innerkits/sandbox_manager/libsandbox_manager_sdk.map
@@ -14,20 +14,27 @@
 1.0 {
   global:
     extern "C++" {
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CleanPersistPolicyByPath(std::__h::vector<std::__h::basic_string<char, std::__h::char_traits<char>, std::__h::allocator<char>>, std::__h::allocator<std::__h::basic_string<char, std::__h::char_traits<char>, std::__h::allocator<char>>>> const&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::PersistPolicy(std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnPersistPolicy(std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
-        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, unsigned long)";
-        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, unsigned long long)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingPolicy(std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StopAccessingPolicy(std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<bool, std::__h::allocator<bool>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPersistPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<bool, std::__h::allocator<bool>>&)";
         "OHOS::AccessControl::SandboxManager::SandboxManagerClient::GetInstance()";
         "OHOS::AccessControl::SandboxManager::SandboxManagerClient::InitProxy()";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned long long)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::StartAccessingByTokenId(unsigned long)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, unsigned long long, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::SetPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, unsigned long, std::__h::vector<unsigned int, std::__h::allocator<unsigned int>>&)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned long long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<bool, std::__h::allocator<bool>>&)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::CheckPolicy(unsigned long, std::__h::vector<OHOS::AccessControl::SandboxManager::PolicyInfo, std::__h::allocator<OHOS::AccessControl::SandboxManager::PolicyInfo>> const&, std::__h::vector<bool, std::__h::allocator<bool>>&)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned long long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)";
+        "OHOS::AccessControl::SandboxManager::SandboxManagerKit::UnSetPolicy(unsigned long, OHOS::AccessControl::SandboxManager::PolicyInfo const&)";
         "";
         "";
     };
diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp
index 8018aaa..2664e2e 100644
--- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp
+++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_client.cpp
@@ -44,6 +44,15 @@ SandboxManagerClient::SandboxManagerClient()
 SandboxManagerClient::~SandboxManagerClient()
 {}
 
+int32_t SandboxManagerClient::CleanPersistPolicyByPath(const std::vector<std::string>& filePaths)
+{
+    auto proxy = GetProxy(true);
+    if (proxy == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Proxy is null");
+        return SANDBOX_MANAGER_SERVICE_NOT_EXIST;
+    }
+    return proxy->CleanPersistPolicyByPath(filePaths);
+}
 
 int32_t SandboxManagerClient::PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
@@ -87,14 +96,36 @@ int32_t SandboxManagerClient::UnPersistPolicyByTokenId(
     return proxy->UnPersistPolicyByTokenId(tokenId, policy, result);
 }
 
-int32_t SandboxManagerClient::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag)
+int32_t SandboxManagerClient::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                        uint64_t policyFlag, std::vector<uint32_t> &result)
 {
     auto proxy = GetProxy(true);
     if (proxy == nullptr) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null");
         return SANDBOX_MANAGER_SERVICE_NOT_EXIST;
     }
-    return proxy->SetPolicy(tokenId, policy, policyFlag);
+    return proxy->SetPolicy(tokenId, policy, policyFlag, result);
+}
+
+int32_t SandboxManagerClient::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+    auto proxy = GetProxy(true);
+    if (proxy == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null");
+        return SANDBOX_MANAGER_SERVICE_NOT_EXIST;
+    }
+    return proxy->UnSetPolicy(tokenId, policy);
+}
+
+int32_t SandboxManagerClient::CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                          std::vector<bool> &result)
+{
+    auto proxy = GetProxy(true);
+    if (proxy == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null");
+        return false;
+    }
+    return proxy->CheckPolicy(tokenId, policy, result);
 }
 
 int32_t SandboxManagerClient::StartAccessingPolicy(
@@ -129,6 +160,16 @@ int32_t SandboxManagerClient::CheckPersistPolicy(
     return proxy->CheckPersistPolicy(tokenId, policy, result);
 }
 
+int32_t SandboxManagerClient::StartAccessingByTokenId(uint64_t tokenId)
+{
+    auto proxy = GetProxy(true);
+    if (proxy == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "proxy is null");
+        return SANDBOX_MANAGER_SERVICE_NOT_EXIST;
+    }
+    return proxy->StartAccessingByTokenId(tokenId);
+}
+
 bool SandboxManagerClient::StartLoadSandboxManagerSa()
 {
     {
diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp
index 2f5c120..6ff984b 100644
--- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp
+++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_kit.cpp
@@ -30,6 +30,17 @@ static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
 }
 const uint64_t POLICY_VECTOR_SIZE_LIMIT = 500;
 
+int32_t SandboxManagerKit::CleanPersistPolicyByPath(const std::vector<std::string>& filePaths)
+{
+    SANDBOXMANAGER_LOG_DEBUG(LABEL, "Called");
+    size_t filePathSize = filePaths.size();
+    if (filePathSize == 0 || filePathSize > POLICY_VECTOR_SIZE_LIMIT) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "FilePathSize = %{public}u", static_cast<uint32_t>(filePathSize));
+        return SandboxManagerErrCode::INVALID_PARAMTER;
+    }
+    return SandboxManagerClient::GetInstance().CleanPersistPolicyByPath(filePaths);
+}
+
 int32_t SandboxManagerKit::PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
     SANDBOXMANAGER_LOG_DEBUG(LABEL, "called");
@@ -82,14 +93,34 @@ int32_t SandboxManagerKit::UnPersistPolicy(
     return SandboxManagerClient::GetInstance().UnPersistPolicyByTokenId(tokenId, policy, result);
 }
 
-int32_t SandboxManagerKit::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag)
+int32_t SandboxManagerKit::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                     uint64_t policyFlag, std::vector<uint32_t> &result)
 {
     SANDBOXMANAGER_LOG_DEBUG(LABEL, "called");
     size_t policySize = policy.size();
     if ((policySize == 0) || (policySize > POLICY_VECTOR_SIZE_LIMIT) || (tokenId == 0)) {
         return SandboxManagerErrCode::INVALID_PARAMTER;
     }
-    return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag);
+    return SandboxManagerClient::GetInstance().SetPolicy(tokenId, policy, policyFlag, result);
+}
+
+int32_t SandboxManagerKit::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+    SANDBOXMANAGER_LOG_DEBUG(LABEL, "called");
+    if (tokenId == 0) {
+        return SandboxManagerErrCode::INVALID_PARAMTER;
+    }
+    return SandboxManagerClient::GetInstance().UnSetPolicy(tokenId, policy);
+}
+
+int32_t SandboxManagerKit::CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                       std::vector<bool> &result)
+{
+    SANDBOXMANAGER_LOG_DEBUG(LABEL, "called");
+    if (tokenId == 0) {
+        return SandboxManagerErrCode::INVALID_PARAMTER;
+    }
+    return SandboxManagerClient::GetInstance().CheckPolicy(tokenId, policy, result);
 }
 
 int32_t SandboxManagerKit::StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
@@ -128,6 +159,16 @@ int32_t SandboxManagerKit::CheckPersistPolicy(
     result.clear();
     return SandboxManagerClient::GetInstance().CheckPersistPolicy(tokenId, policy, result);
 }
+
+int32_t SandboxManagerKit::StartAccessingByTokenId(uint64_t tokenId)
+{
+    SANDBOXMANAGER_LOG_DEBUG(LABEL, "called");
+    if (tokenId == 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid input token.");
+        return SandboxManagerErrCode::INVALID_PARAMTER;
+    }
+    return SandboxManagerClient::GetInstance().StartAccessingByTokenId(tokenId);
+}
 } // SandboxManager
 } // AccessControl
 } // OHOS
\ No newline at end of file
diff --git a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp
index 52a625a..0ed4ef2 100644
--- a/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp
+++ b/interfaces/innerkits/sandbox_manager/src/sandbox_manager_proxy.cpp
@@ -15,11 +15,14 @@
 
 #include "sandbox_manager_proxy.h"
 
+#include <cstddef>
 #include <string>
 #include "iremote_object.h"
 #include "iremote_proxy.h"
+#include "message_option.h"
 #include "message_parcel.h"
 #include "parcel.h"
+#include "policy_info_parcel.h"
 #include "policy_info_vector_parcel.h"
 #include "sandboxmanager_service_ipc_interface_code.h"
 #include "sandbox_manager_err_code.h"
@@ -45,6 +48,12 @@ bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code,
     MessageParcel &data, MessageParcel &reply)
 {
     MessageOption option(MessageOption::TF_SYNC);
+    return SendRequest(code, data, reply, option);
+}
+
+bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code,
+    MessageParcel &data, MessageParcel &reply, MessageOption &option)
+{
     sptr<IRemoteObject> remote = Remote();
     if (remote == nullptr) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "remote service null.");
@@ -59,6 +68,36 @@ bool SandboxManagerProxy::SendRequest(SandboxManagerInterfaceCode code,
     return true;
 }
 
+int32_t SandboxManagerProxy::CleanPersistPolicyByPath(const std::vector<std::string>& filePaths)
+{
+    MessageParcel data;
+    if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    if (!data.WriteUint32(filePaths.size())) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Failed to write filePaths size.");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    for (const std::string& filePath: filePaths) {
+        if (!data.WriteString(filePath)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Failed to write filePath.");
+            return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+        }
+    }
+    
+    MessageParcel reply;
+    MessageOption option(MessageOption::TF_ASYNC);
+    if (!SendRequest(SandboxManagerInterfaceCode::CLEAN_PERSIST_POLICY_BY_PATH, data, reply)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Remote fail");
+        return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
+    }
+
+    return SANDBOX_MANAGER_OK;
+}
+
 int32_t SandboxManagerProxy::PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
     MessageParcel data;
@@ -205,7 +244,7 @@ int32_t SandboxManagerProxy::UnPersistPolicyByTokenId(
 }
 
 int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
-    uint64_t policyFlag)
+                                       uint64_t policyFlag, std::vector<uint32_t> &result)
 {
     MessageParcel data;
     if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) {
@@ -230,12 +269,51 @@ int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector<Polic
     }
 
     MessageParcel reply;
-    MessageOption option(MessageOption::TF_SYNC);
     if (!SendRequest(SandboxManagerInterfaceCode::SET_POLICY, data, reply)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
         return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
     }
 
+    int32_t remoteRet;
+    if (!reply.ReadInt32(remoteRet)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+    result.clear();
+    if (remoteRet == SANDBOX_MANAGER_OK) {
+        if (!reply.ReadUInt32Vector(&result)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail");
+            return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+        }
+    }
+    return remoteRet;
+}
+int32_t SandboxManagerProxy::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+    MessageParcel data;
+    if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+    if (!data.WriteUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    PolicyInfoParcel policyInfoParcel;
+    policyInfoParcel.policyInfo = policy;
+    if (!data.WriteParcelable(&policyInfoParcel)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoParcel fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    MessageParcel reply;
+    MessageOption option(MessageOption::TF_SYNC);
+    if (!SendRequest(SandboxManagerInterfaceCode::UN_SET_POLICY, data, reply)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
+        return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
+    }
+
     int32_t remoteRet;
     if (!reply.ReadInt32(remoteRet)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret fail");
@@ -244,6 +322,48 @@ int32_t SandboxManagerProxy::SetPolicy(uint64_t tokenId, const std::vector<Polic
     return remoteRet;
 }
 
+int32_t SandboxManagerProxy::CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                      std::vector<bool> &result)
+{
+    MessageParcel data;
+    if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+    if (!data.WriteUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    PolicyInfoVectorParcel policyInfoVectorParcel;
+    policyInfoVectorParcel.policyVector = policy;
+    if (!data.WriteParcelable(&policyInfoVectorParcel)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write policyInfoVectorParcel fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    MessageParcel reply;
+    MessageOption option(MessageOption::TF_SYNC);
+    if (!SendRequest(SandboxManagerInterfaceCode::CHECK_POLICY, data, reply)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
+        return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
+    }
+
+    int32_t remoteRet;
+    if (!reply.ReadInt32(remoteRet)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "read ret fail");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+    result.clear();
+    if (remoteRet == SANDBOX_MANAGER_OK) {
+        if (!reply.ReadBoolVector(&result)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail");
+            return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+        }
+    }
+    return remoteRet;
+}
+
 int32_t SandboxManagerProxy::StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
     MessageParcel data;
@@ -260,7 +380,6 @@ int32_t SandboxManagerProxy::StartAccessingPolicy(const std::vector<PolicyInfo>
     }
     
     MessageParcel reply;
-    MessageOption option(MessageOption::TF_SYNC);
     if (!SendRequest(SandboxManagerInterfaceCode::START_ACCESSING_URI, data, reply)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
         return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
@@ -295,7 +414,6 @@ int32_t SandboxManagerProxy::StopAccessingPolicy(const std::vector<PolicyInfo> &
     }
     
     MessageParcel reply;
-    MessageOption option(MessageOption::TF_SYNC);
     if (!SendRequest(SandboxManagerInterfaceCode::STOP_ACCESSING_URI, data, reply)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
         return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
@@ -335,7 +453,6 @@ int32_t SandboxManagerProxy::CheckPersistPolicy(uint64_t tokenId, const std::vec
     }
 
     MessageParcel reply;
-    MessageOption option(MessageOption::TF_SYNC);
     if (!SendRequest(SandboxManagerInterfaceCode::CHECK_PERSIST_PERMISSION, data, reply)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "remote fail");
         return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
@@ -353,6 +470,27 @@ int32_t SandboxManagerProxy::CheckPersistPolicy(uint64_t tokenId, const std::vec
     }
     return remoteRet;
 }
+
+int32_t SandboxManagerProxy::StartAccessingByTokenId(uint64_t tokenId)
+{
+    MessageParcel data;
+    if (!data.WriteInterfaceToken(ISandboxManager::GetDescriptor())) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write descriptor fail.");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+    if (!data.WriteUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Write tokenId fail.");
+        return SANDBOX_MANAGER_SERVICE_PARCEL_ERR;
+    }
+
+    MessageParcel reply;
+    MessageOption option(MessageOption::TF_ASYNC);
+    if (!SendRequest(SandboxManagerInterfaceCode::START_ACCESSING_BY_TOKENID, data, reply, option)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Remote fail.");
+        return SANDBOX_MANAGER_SERVICE_REMOTE_ERR;
+    }
+    return SANDBOX_MANAGER_OK;
+}
 } // namespace SandboxManager
 } // namespace AccessControl
 } // namespace OHOS
\ No newline at end of file
diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp
index 3a0fc37..d832836 100644
--- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp
+++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_coverage_test.cpp
@@ -16,6 +16,7 @@
 #include "sandbox_manager_kit_coverage_test.h"
 
 #include <cstdint>
+#include <string>
 #include <vector>
 #include "access_token.h"
 #include "accesstoken_kit.h"
@@ -71,6 +72,8 @@ HWTEST_F(SandboxManagerKitCoverageTest, PersistPolicy001, TestSize.Level1)
     std::vector<uint32_t> result;
 
     EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(policy, result));
+    std::vector<std::string> filePaths;
+    EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
 
     std::vector<PolicyInfo> policyEmpty;
     EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(policyEmpty, result));
@@ -152,7 +155,7 @@ HWTEST_F(SandboxManagerKitCoverageTest, SetPolicy001, TestSize.Level1)
     }
     std::vector<uint32_t> result;
 
-    EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0));
+    EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::SetPolicy(GetSelfTokenID(), policy, 0, result));
     EXPECT_EQ(0, result.size());
 }
 
diff --git a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
index b91f6ba..fe3bb83 100644
--- a/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
+++ b/interfaces/innerkits/sandbox_manager/test/unittest/src/sandbox_manager_kit_test.cpp
@@ -15,6 +15,7 @@
 
 #include "sandbox_manager_kit_test.h"
 
+#include "gtest/gtest.h"
 #include <cstdint>
 #include <vector>
 #include "access_token.h"
@@ -40,6 +41,8 @@ namespace SandboxManager {
 namespace {
 const std::string SET_POLICY_PERMISSION = "ohos.permission.SET_SANDBOX_POLICY";
 const std::string ACCESS_PERSIST_PERMISSION = "ohos.permission.FILE_ACCESS_PERSIST";
+const Security::AccessToken::AccessTokenID INVALID_TOKENID = 537123456;
+uint64_t g_selfTokenId;
 uint64_t g_mockToken;
 Security::AccessToken::PermissionStateFull g_testState1 = {
     .permissionName = SET_POLICY_PERMISSION,
@@ -70,41 +73,9 @@ Security::AccessToken::HapPolicyParams g_testPolicyPrams = {
 };
 };
 
-void NativeTokenGet()
-{
-    uint64_t fullTokenId;
-    const char **perms = new const char *[1];
-    perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC";
-
-    NativeTokenInfoParams infoInstance = {
-        .dcapsNum = 0,
-        .permsNum = 1,
-        .aclsNum = 0,
-        .dcaps = nullptr,
-        .perms = perms,
-        .acls = nullptr,
-        .aplStr = "system_core",
-    };
-
-    infoInstance.processName = "TestCase";
-    fullTokenId = GetAccessTokenId(&infoInstance);
-    EXPECT_EQ(0, SetSelfTokenID(fullTokenId));
-    Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
-    delete[] perms;
-}
-
 void SandboxManagerKitTest::SetUpTestCase()
 {
-    NativeTokenGet();
-    Security::AccessToken::AccessTokenID tokenID =
-        Security::AccessToken::AccessTokenKit::GetNativeTokenId("foundation");
-    EXPECT_NE(0, tokenID);
-    EXPECT_EQ(0, SetSelfTokenID(tokenID));
-    Security::AccessToken::AccessTokenIDEx tokenIdEx = {0};
-    tokenIdEx = Security::AccessToken::AccessTokenKit::AllocHapToken(g_testInfoParms, g_testPolicyPrams);
-    EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID);
-    g_mockToken = tokenIdEx.tokenIdExStruct.tokenID;
-    EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIdExStruct.tokenID));
+    g_selfTokenId = GetSelfTokenID();
 }
 
 void SandboxManagerKitTest::TearDownTestCase()
@@ -114,10 +85,16 @@ void SandboxManagerKitTest::TearDownTestCase()
 
 void SandboxManagerKitTest::SetUp()
 {
+    Security::AccessToken::AccessTokenIDEx tokenIdEx = {0};
+    tokenIdEx = Security::AccessToken::AccessTokenKit::AllocHapToken(g_testInfoParms, g_testPolicyPrams);
+    EXPECT_NE(0, tokenIdEx.tokenIdExStruct.tokenID);
+    g_mockToken = tokenIdEx.tokenIdExStruct.tokenID;
+    EXPECT_EQ(0, SetSelfTokenID(tokenIdEx.tokenIdExStruct.tokenID));
 }
 
 void SandboxManagerKitTest::TearDown()
 {
+    EXPECT_EQ(0, SetSelfTokenID(g_selfTokenId));
 }
 
 /**
@@ -652,24 +629,28 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1)
     };
     EXPECT_EQ(INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
     tokenId = 1;
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
 
     tokenId = 0;
     policy.emplace_back(infoParent);
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
     tokenId = 1;
     EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_NE(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
 
     for (int i = 0; i < 500; i++) {
@@ -678,15 +659,799 @@ HWTEST_F(SandboxManagerKitTest, PersistPolicy014, TestSize.Level1)
     tokenId = 0;
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
     tokenId = 1;
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::PersistPolicy(tokenId, policy, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnPersistPolicy(tokenId, policy, result));
-    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag));
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER,
+        SandboxManagerKit::SetPolicy(tokenId, policy, policyFlag, result));
     EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPersistPolicy(tokenId, policy, flag));
 }
 
-} //SandboxManager
-} //AccessControl
+/**
+ * @tc.name: CheckPolicyTest001
+ * @tc.desc: Check allowed policy
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest001, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 0;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policyA.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyC;
+    policyC.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyD;
+    policyD.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.path = "/data/log/hilog";
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyE;
+    policyE.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyF;
+    policyF.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyF, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyG;
+    policyG.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyG, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0]));
+}
+
+/**
+ * @tc.name: CheckPolicyTest002
+ * @tc.desc: Check parent directory policy with r+w
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest002, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policyA.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    infoParent.path = "/data",
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyC;
+    policyC.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyD;
+    policyD.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0]));
+}
+
+/**
+ * @tc.name: CheckPolicyTest003
+ * @tc.desc: Check parent directory policy with r
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest003, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE
+    };
+    policyA.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyC;
+    policyC.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyD;
+    policyD.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.path = "/data/log/hilog";
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyE;
+    policyE.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0]));
+}
+
+/**
+ * @tc.name: CheckPolicyTest004
+ * @tc.desc: Check parent directory policy with w
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest004, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::WRITE_MODE
+    };
+    policyA.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    infoParent.mode = OperateMode::READ_MODE;
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyC;
+    policyC.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyD;
+    policyD.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    infoParent.path = "/data/log/hilog";
+    infoParent.mode = OperateMode::WRITE_MODE;
+    std::vector<PolicyInfo> policyE;
+    policyE.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyE, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0]));
+}
+
+/**
+ * @tc.name: CheckPolicyTest005
+ * @tc.desc: Check parent directory policy with w
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest005, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParentA = {
+        .path = "/data/log",
+        .mode = OperateMode::WRITE_MODE
+    };
+    PolicyInfo infoParentB = {
+        .path = "/data/log/hilog",
+        .mode = OperateMode::WRITE_MODE
+    };
+    PolicyInfo infoParentC = {
+        .path = "/system/usr",
+        .mode = OperateMode::WRITE_MODE
+    };
+    policyA.emplace_back(infoParentA);
+    policyA.emplace_back(infoParentB);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParentA);
+    policyB.emplace_back(infoParentB);
+    policyB.emplace_back(infoParentC);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(3, result.size());
+    EXPECT_TRUE(result[0]);
+    EXPECT_TRUE(result[1]);
+    EXPECT_FALSE(result[2]);
+}
+
+/**
+ * @tc.name: CheckPolicyTest006
+ * @tc.desc: Check allowed policy with invalid tokenID
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest006, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(INVALID_TOKENID, policy, result));
+    EXPECT_EQ(0, result.size());
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_selfTokenId, policy, result));
+    EXPECT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+}
+
+/**
+ * @tc.name: CheckPolicyTest007
+ * @tc.desc: Check allowed policy with invalid policy
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CheckPolicyTest007, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    std::vector<bool> result;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE
+    };
+    policyA.emplace_back(infoParent);
+    for (int i = 0; i < 500; i++) {
+        policyA.emplace_back(infoParent);
+    }
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result));
+    EXPECT_EQ(0, result.size());
+
+    PolicyInfo infoParent1 = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE
+    };
+    for (int i = 0; i < 100; i++) {
+        infoParent1.path += "/data/log";
+    }
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent1);
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    EXPECT_EQ(0, result.size());
+
+    std::vector<PolicyInfo> policyC;
+    infoParent.mode = 0;
+    policyC.emplace_back(infoParent);
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyC, result));
+    EXPECT_EQ(0, result.size());
+
+    std::vector<PolicyInfo> policyD;
+    // err mode number
+    infoParent.mode = OperateMode::WRITE_MODE + OperateMode::WRITE_MODE;
+    policyD.emplace_back(infoParent);
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CheckPolicy(g_mockToken, policyD, result));
+    EXPECT_EQ(0, result.size());
+}
+
+/**
+ * @tc.name: UnSetPolicyTest001
+ * @tc.desc: Unset policy with invalid tokenID
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest001, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::UnSetPolicy(INVALID_TOKENID, policy[0]));
+#ifdef MAC_ENABLE
+    EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR,
+        SandboxManagerKit::UnSetPolicy(g_selfTokenId, policy[0]));
+#else
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_selfTokenId, policy[0]));
+#endif
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+}
+
+/**
+ * @tc.name: UnSetPolicyTest002
+ * @tc.desc: Unset allowed policy
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest002, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::StartAccessingPolicy(policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+}
+
+/**
+ * @tc.name: UnSetPolicyTest003
+ * @tc.desc: Unset parent policy
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest003, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    infoParent.path = "/data";
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+#ifdef MAC_ENABLE
+    EXPECT_EQ(SandboxManagerErrCode::SANDBOX_MANAGER_MAC_ADAPTER_ERR,
+        SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0]));
+#else
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0]));
+#endif
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+}
+
+/**
+ * @tc.name: UnSetPolicyTest004
+ * @tc.desc: Unset policy without permission
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, UnSetPolicyTest004 , TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId));
+    EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+    ASSERT_EQ(0, SetSelfTokenID(g_mockToken));
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policy[0]));
+}
+
+/**
+ * @tc.name: CleanPersistPolicyByPathTest001
+ * @tc.desc: Clean persist policy by path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest001, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    std::vector<std::string> filePaths;
+    filePaths.emplace_back(infoParent.path);
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+}
+
+/**
+ * @tc.name: CleanPersistPolicyByPathTest002
+ * @tc.desc: Clean child persist policy by path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest002, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    infoParent.path = "/data/log/hilog";
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    std::vector<std::string> filePaths;
+    infoParent.path = "/data/log";
+    filePaths.emplace_back(infoParent.path);
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+}
+
+/**
+ * @tc.name: CleanPersistPolicyByPathTest003
+ * @tc.desc: Clean child persist policy by path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest003, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    infoParent.path = "/data/log/hilog";
+    std::vector<PolicyInfo> policyB;
+    policyB.emplace_back(infoParent);
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    std::vector<std::string> filePaths;
+    filePaths.emplace_back(infoParent.path);
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_FALSE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+}
+
+/**
+ * @tc.name: CleanPersistPolicyByPathTest004
+ * @tc.desc: Clean persist policy by path with invalid path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest004, TestSize.Level1)
+{
+    std::string filePath = "/data/log";
+    std::vector<std::string> filePaths;
+    for (int i = 0; i < 500; i++) {
+        filePaths.emplace_back(filePath);
+    }
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+}
+
+/**
+ * @tc.name: CleanPersistPolicyByPathTest005
+ * @tc.desc: Clean persist policy by path with invalid path
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, CleanPersistPolicyByPathTest005, TestSize.Level1)
+{
+        std::vector<PolicyInfo> policy;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParent = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policy.emplace_back(infoParent);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policy, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policy, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policy, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId));
+    std::vector<std::string> filePaths;
+    filePaths.emplace_back(infoParent.path);
+    EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+    ASSERT_EQ(0, SetSelfTokenID(g_mockToken));
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CleanPersistPolicyByPath(filePaths));
+}
+
+/**
+ * @tc.name: StartAccessingByTokenIdTest001
+ * @tc.desc: Start accessing by invalid tokenId
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest001, TestSize.Level1)
+{
+    EXPECT_EQ(SandboxManagerErrCode::INVALID_PARAMTER, SandboxManagerKit::StartAccessingByTokenId(0));
+}
+
+/**
+ * @tc.name: StartAccessingByTokenIdTest002
+ * @tc.desc: Start accessing without permission
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest002, TestSize.Level1)
+{
+    ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId));
+    EXPECT_EQ(PERMISSION_DENIED, SandboxManagerKit::StartAccessingByTokenId(0));
+}
+
+/**
+ * @tc.name: StartAccessingByTokenIdTest003
+ * @tc.desc: Start accessing by tokenID
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(SandboxManagerKitTest, StartAccessingByTokenIdTest003, TestSize.Level1)
+{
+    std::vector<PolicyInfo> policyA;
+    uint64_t policyFlag = 1;
+    std::vector<uint32_t> policyResult;
+    PolicyInfo infoParentA = {
+        .path = "/data/log",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policyA.emplace_back(infoParentA);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyA, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<PolicyInfo> policyB;
+    PolicyInfo infoParentB = {
+        .path = "/system/usr",
+        .mode = OperateMode::READ_MODE | OperateMode::WRITE_MODE
+    };
+    policyB.emplace_back(infoParentB);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::SetPolicy(g_mockToken, policyB, policyFlag, policyResult));
+    ASSERT_EQ(1, policyResult.size());
+    EXPECT_TRUE(policyResult[0]);
+
+    std::vector<bool> result;
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    Security::AccessToken::AccessTokenID tokenID =
+        Security::AccessToken::AccessTokenKit::GetNativeTokenId("foundation");
+    EXPECT_NE(0, tokenID);
+    EXPECT_EQ(0, SetSelfTokenID(tokenID));
+
+    std::vector<uint32_t> retType;
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyA, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    ASSERT_EQ(0, SetSelfTokenID(g_selfTokenId));
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::PersistPolicy(g_mockToken, policyB, retType));
+    ASSERT_EQ(1, retType.size());
+    EXPECT_EQ(OPERATE_SUCCESSFULLY, retType[0]);
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyA[0]));
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::UnSetPolicy(g_mockToken, policyB[0]));
+
+    EXPECT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::StartAccessingByTokenId(g_mockToken));
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyA, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyA, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+    ASSERT_EQ(SANDBOX_MANAGER_OK, SandboxManagerKit::CheckPersistPolicy(g_mockToken, policyB, result));
+    ASSERT_EQ(1, result.size());
+    EXPECT_TRUE(result[0]);
+}
+} // SandboxManager
+} // AccessControl
 } // OHOS
\ No newline at end of file
diff --git a/sandbox_manager.gni b/sandbox_manager.gni
index c4d52ec..3aa1257 100644
--- a/sandbox_manager.gni
+++ b/sandbox_manager.gni
@@ -16,3 +16,7 @@ module_output_path_interface_sandbox =
     "sandbox_manager/interface/"
 module_output_path_service_sandbox =
     "sandbox_manager/service"
+
+declare_args() {
+  sandbox_manager_mac_enable = true
+}
\ No newline at end of file
diff --git a/services/sandbox_manager/BUILD.gn b/services/sandbox_manager/BUILD.gn
index 8fe24a3..e45cb7d 100644
--- a/services/sandbox_manager/BUILD.gn
+++ b/services/sandbox_manager/BUILD.gn
@@ -57,6 +57,12 @@ if (is_standard_system) {
 
     cflags_cc = [ "-DHILOG_ENABLE" ]
 
+    if (sandbox_manager_mac_enable) {
+      sources += [ "main/cpp/src/mac/mac_adapter.cpp" ]
+      include_dirs += [ "main/cpp/include/mac" ]
+      cflags_cc += [ "-DMAC_ENABLE" ]
+    }
+
     configs = [ "${sandbox_manager_path}/config:coverage_flags" ]
 
     deps = [
diff --git a/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h b/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h
index 8494dc9..40916f2 100644
--- a/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h
+++ b/services/sandbox_manager/main/cpp/include/database/sandbox_manager_db.h
@@ -51,6 +51,7 @@ public:
 
     int32_t Modify(const DataType type, const GenericValues &modifyValues, const GenericValues &conditions);
 
+    int32_t FindSubPath(const DataType type, const std::string& filePath, std::vector<GenericValues>& results);
     int32_t Find(const DataType type, const GenericValues &conditions,
         const GenericValues &symbols, std::vector<GenericValues> &results);
 
diff --git a/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h
new file mode 100644
index 0000000..00dc61a
--- /dev/null
+++ b/services/sandbox_manager/main/cpp/include/mac/mac_adapter.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SANDBOX_MANAGER_MAC_ADAPTER_H
+#define SANDBOX_MANAGER_MAC_ADAPTER_H
+
+#include <string>
+#include "policy_info.h"
+
+namespace OHOS {
+namespace AccessControl {
+namespace SandboxManager {
+class MacAdapter {
+public:
+    explicit MacAdapter();
+    virtual ~MacAdapter();
+    bool Init();
+
+    int32_t SetSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                             std::vector<uint32_t> &result);
+    int32_t UnSetSandboxPolicy(uint64_t tokenId, const PolicyInfo &policy);
+    int32_t UnSetSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
+    int32_t QuerySandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
+    int32_t CheckSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
+
+private:
+    int32_t fd_ = -1;
+};
+} // namespace SandboxManager
+} // namespace AccessControl
+} // namespace OHOS
+#endif // SANDBOX_MANAGER_MAC_ADAPTER_H
\ No newline at end of file
diff --git a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
index 7ed3a1f..d24d7cb 100644
--- a/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
+++ b/services/sandbox_manager/main/cpp/include/service/policy_info_manager.h
@@ -19,6 +19,9 @@
 #include <cstdint>
 #include <string>
 #include <vector>
+#ifdef MAC_ENABLE
+#include "mac_adapter.h"
+#endif
 #include "generic_values.h"
 #include "policy_info.h"
 
@@ -31,7 +34,7 @@ public:
     static PolicyInfoManager &GetInstance();
     PolicyInfoManager() = default;
     virtual ~PolicyInfoManager() = default;
-    void Init();
+    bool Init();
     /**
      * @brief Insert policys to database
      * @param tokenId token id of the object
@@ -67,14 +70,71 @@ public:
      *      / SANDBOX_MANAGER_DB_RETURN_EMPTY
      */
     int32_t RemovePolicy(const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result);
+    /**
+     * @brief set policies of a certain tokenId
+     * @param tokenId token id of the object
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result set result of each policy
+     * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK
+     */
+    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                      std::vector<uint32_t> &result);
+    /**
+     * @brief unset policies of a certain tokenId
+     * @param tokenId token id of the object
+     * @param policy PolicyInfo, see policy_info.h
+     * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK
+     */
+    int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy);
+    /**
+     * @brief check policies of a certain tokenId
+     * @param tokenId token id of the object
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result check result of each policy
+     * @return SANDBOX_MANAGER_MAC_ADAPTER_ERR / SANDBOX_MANAGER_OK
+     */
+    int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result);
     /**
      * @brief remove all policys of a certain tokenId (bundle)
      * @param tokenId token id of the object
      * @return bool
      */
     bool RemoveBundlePolicy(const uint64_t tokenId);
- 
+    /**
+     * @brief activate all policys of input token that flag = 1
+     * @param tokenId token id of the object
+     * @return int32_t
+     */
+    int32_t StartAccessingByTokenId(const uint64_t tokenId);
+    /**
+     * @brief activate input persist policys
+     * @param tokenId token id of the object
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result  remove result of each policy
+     * @return int32_t
+     */
+    int32_t StartAccessingPolicy(const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &results);
+    /**
+     * @brief deactivate input persist policys
+     * @param tokenId token id of the object
+     * @param policy vector of PolicyInfo, see policy_info.h
+     * @param result  remove result of each policy
+     * @return int32_t
+     */
+    int32_t StopAccessingPolicy(const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &results);
+    /**
+     * @brief Clear the persistence policy
+     * @param policy vector of string, file path
+     * @return SANDBOX_MANAGER_OK
+     */
+    int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths);
 private:
+    /**
+     * @brief Clean policy list on MAC
+     * @param GenericValues vector
+     */
+    void CleanPolicyOnMac(const std::vector<GenericValues>& results);
+
     /**
      * @brief find a record with same token and policy path (mode not inclued)
      * @param tokenId token id of the object
@@ -100,6 +160,15 @@ private:
      * @return
      */
     void TransferPolicyToGeneric(const uint64_t tokenId, const PolicyInfo &policy, GenericValues &generic);
+
+    /**
+     * @brief transfer a GenericValues and token to policy style
+     * @param tokenId token id of the object
+     * @param policy input GenericValues
+     * @param generic transfer result
+     * @return
+     */
+    void TransferGenericToPolicy(const GenericValues &generic, uint64_t& tokenId, PolicyInfo &policy);
     /**
      * @brief cal depth of a given path string
      * @param path path of file system
@@ -128,6 +197,11 @@ private:
      * @return INVALID_PATH / INVALID_MODE / SANDBOX_MANAGER_OK
      */
     int32_t CheckPolicyValidity(const PolicyInfo &policy);
+
+private:
+#ifdef MAC_ENABLE
+    MacAdapter macAdapter_;
+#endif
 };
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
index 2912e47..b44c506 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_const.h
@@ -31,6 +31,7 @@ const std::string SET_POLICY_PERMISSION_NAME = "ohos.permission.SET_SANDBOX_POLI
 const std::string ACCESS_PERSIST_PERMISSION_NAME = "ohos.permission.FILE_ACCESS_PERSIST";
 
 const uint32_t POLICY_VECTOR_SIZE_LIMIT = 500;
+const int32_t FOUNDATION_UID = 5523;
 } // namespace SandboxManager
 } // namespace AccessControl
 } // namespace OHOS
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
index 5a34ed3..709605f 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_service.h
@@ -41,17 +41,22 @@ public:
     void OnStop() override;
     void OnStart(const SystemAbilityOnDemandReason& startReason) override;
 
+    int32_t CleanPersistPolicyByPath(const std::vector<std::string>& filePaths) override;
     int32_t PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t UnPersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t PersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t UnPersistPolicyByTokenId(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
-    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag)   override;
+    int32_t SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                      std::vector<uint32_t> &result) override;
+    int32_t UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy) override;
+    int32_t CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result) override;
     int32_t StartAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t StopAccessingPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result) override;
     int32_t CheckPersistPolicy(
         uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<bool> &result) override;
+    int32_t StartAccessingByTokenId(uint64_t tokenId) override;
     void onRemovePackage(uint64_t tokenId);
 
     void DelayUnloadService() override;
diff --git a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h
index 97d0191..be0370e 100644
--- a/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h
+++ b/services/sandbox_manager/main/cpp/include/service/sandbox_manager_stub.h
@@ -36,20 +36,26 @@ public:
     virtual void DelayUnloadService() = 0;
 
 private:
+    void CleanPersistPolicyByPathInner(MessageParcel &data, MessageParcel &reply);
     void PersistPolicyInner(MessageParcel &data, MessageParcel &reply);
     void UnPersistPolicyInner(MessageParcel &data, MessageParcel &reply);
     void PersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply);
     void UnPersistPolicyByTokenIdInner(MessageParcel &data, MessageParcel &reply);
     void SetPolicyInner(MessageParcel &data, MessageParcel &reply);
+    void UnSetPolicyInner(MessageParcel &data, MessageParcel &reply);
+    void CheckPolicyInner(MessageParcel &data, MessageParcel &reply);
     void StartAccessingPolicyInner(MessageParcel &data, MessageParcel &reply);
     void StopAccessingPolicyInner(MessageParcel &data, MessageParcel &reply);
     void CheckPersistPolicyInner(MessageParcel &data, MessageParcel &reply);
+    void StartAccessingByTokenIdInner(MessageParcel &data, MessageParcel &reply);
     void SetPolicyOpFuncInMap();
 
     bool CheckPermission(const uint64_t tokenId, const std::string &permission);
+    bool IsFileManagerCalling(const uint32_t tokenCaller);
 
     using RequestFuncType = void (SandboxManagerStub::*)(MessageParcel &data, MessageParcel &reply);
     std::map<uint32_t, RequestFuncType> requestFuncMap_;
+    uint32_t tokenFileManagerId_ = 0;
 };
 } // namespace SandboxManager
 } // namespace AccessControl
diff --git a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp
index 6b46ee3..527a080 100644
--- a/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp
+++ b/services/sandbox_manager/main/cpp/src/database/sandbox_manager_db.cpp
@@ -16,6 +16,7 @@
 #include "sandbox_manager_db.h"
 
 #include <cstdint>
+#include <string>
 #include "policy_field_const.h"
 #include "sandbox_manager_log.h"
 
@@ -128,6 +129,29 @@ int32_t SandboxManagerDb::Modify(const DataType type, const GenericValues& modif
     return (ret == Statement::State::DONE) ? SUCCESS : FAILURE;
 }
 
+int32_t SandboxManagerDb::FindSubPath(
+    const DataType type, const std::string& filePath, std::vector<GenericValues>& results)
+{
+    OHOS::Utils::UniqueReadGuard<OHOS::Utils::RWLock> lock(this->rwLock_);
+     auto it = dataTypeToSqlTable_.find(type);
+    if (it == dataTypeToSqlTable_.end()) {
+        return FAILURE;
+    }
+    std::string sql = "select * from " + it->second.tableName_ + " where " + PolicyFiledConst::FIELD_PATH
+        + " like " + filePath + "/%" + "or" + PolicyFiledConst::FIELD_PATH + "=" + filePath;
+    auto statement = Prepare(sql);
+
+    while (statement.Step() == Statement::State::ROW) {
+        int columnCount = statement.GetColumnCount();
+        GenericValues value;
+        for (int i = 0; i < columnCount; i++) {
+            value.Put(statement.GetColumnName(i), statement.GetValue(i, false));
+        }
+        results.emplace_back(value);
+    }
+    return SUCCESS;
+}
+
 int32_t SandboxManagerDb::Find(const DataType type, const GenericValues& conditions,
     const GenericValues& symbols, std::vector<GenericValues>& results)
 {
diff --git a/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp
new file mode 100644
index 0000000..4886f2d
--- /dev/null
+++ b/services/sandbox_manager/main/cpp/src/mac/mac_adapter.cpp
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mac_adapter.h"
+#include <fcntl.h>
+#include <stdint.h>
+#include <string>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <vector>
+#include "sandbox_manager_err_code.h"
+#include "sandbox_manager_log.h"
+
+namespace OHOS {
+namespace AccessControl {
+namespace SandboxManager {
+static constexpr OHOS::HiviewDFX::HiLogLabel LABEL = {
+    LOG_CORE, ACCESSCONTROL_DOMAIN_SANDBOXMANAGER, "SandboxManagerMacAdapter"
+};
+
+constexpr const char* DEV_NODE = "/dev/dec";
+const size_t MAX_POLICY_NUM = 32;
+
+struct PathInfo {
+    char *path = nullptr;
+    uint32_t pathLen = 0;
+    uint32_t mode = 0;
+    bool result = false;
+};
+
+struct SandboxPolicyInfo {
+    uint64_t tokenId = 0;
+    struct PathInfo pathInfos[MAX_POLICY_NUM];
+    uint32_t pathNum = 0;
+    bool persist = false;
+};
+
+#define SANDBOX_IOCTL_BASE 's'
+#define SET_POLICY 1
+#define UN_SET_POLICY 2
+#define QUERY_POLICY 3
+#define CHECK_POLICY 4
+
+#define SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, SET_POLICY, struct SandboxPolicyInfo)
+#define UN_SET_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, UN_SET_POLICY, struct SandboxPolicyInfo)
+#define QUERY_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, QUERY_POLICY, struct SandboxPolicyInfo)
+#define CHECK_POLICY_CMD _IOWR(SANDBOX_IOCTL_BASE, CHECK_POLICY, struct SandboxPolicyInfo)
+
+MacAdapter::MacAdapter() {}
+
+MacAdapter::~MacAdapter()
+{
+    if (fd_ >= 0) {
+        close(fd_);
+        fd_ = -1;
+    }
+}
+
+bool MacAdapter::Init()
+{
+    fd_ = open(DEV_NODE, O_RDWR);
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_INFO(LABEL, "Open node failed, errno=%{public}d.", errno);
+        return false;
+    }
+    return true;
+}
+
+int32_t MacAdapter::SetSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                     uint64_t policyFlag, std::vector<uint32_t> &result)
+{
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet.");
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    size_t policyNum = policy.size();
+
+    for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) {
+        size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset);
+
+        struct SandboxPolicyInfo info;
+        info.tokenId = tokenId;
+        info.pathNum = curBatchSize;
+        info.persist = policyFlag == 1 ? true : false;
+
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            info.pathInfos[i].path = const_cast<char *>(policy[offset + i].path.c_str());
+            info.pathInfos[i].pathLen = policy[offset + i].path.length();
+            info.pathInfos[i].mode = policy[offset + i].mode;
+        }
+
+        if (ioctl(fd_, SET_POLICY_CMD, &info) < 0) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Set policy failed at batch %{public}zu, errno=%{public}d.",
+                                     offset / MAX_POLICY_NUM, errno);
+        }
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            result[offset + i] = info.pathInfos[i].result ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+        }
+    }
+    uint32_t failCount =
+        std::count_if(result.begin(), result.end(), [](uint32_t res) { return res != SANDBOX_MANAGER_OK; });
+    if (failCount > 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Set policy failed, failCount=%{public}u.", failCount);
+    }
+    return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+}
+
+int32_t MacAdapter::QuerySandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                       std::vector<bool> &result)
+{
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet.");
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    result.clear();
+
+    size_t policyNum = policy.size();
+
+    for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) {
+        size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset);
+
+        struct SandboxPolicyInfo info;
+        info.tokenId = tokenId;
+        info.pathNum = curBatchSize;
+
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            info.pathInfos[i].path = const_cast<char *>(policy[offset + i].path.c_str());
+            info.pathInfos[i].pathLen = policy[offset + i].path.length();
+            info.pathInfos[i].mode = policy[offset + i].mode;
+        }
+
+        if (ioctl(fd_, QUERY_POLICY_CMD, &info) < 0) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Query policy failed at batch %{public}zu, errno=%{public}d.",
+                                     offset / MAX_POLICY_NUM, errno);
+        }
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            result[offset + i] = info.pathInfos[i].result;
+        }
+    }
+
+    uint32_t failCount = std::count(result.begin(), result.end(), false);
+    if (failCount > 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Query policy failed, failCount=%{public}u.", failCount);
+    }
+    return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+}
+
+int32_t MacAdapter::CheckSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                       std::vector<bool> &result)
+{
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet.");
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    result.clear();
+
+    size_t policyNum = policy.size();
+
+    for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) {
+        size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset);
+
+        struct SandboxPolicyInfo info;
+        info.tokenId = tokenId;
+        info.pathNum = curBatchSize;
+
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            info.pathInfos[i].path = const_cast<char *>(policy[offset + i].path.c_str());
+            info.pathInfos[i].pathLen = policy[offset + i].path.length();
+            info.pathInfos[i].mode = policy[offset + i].mode;
+        }
+
+        if (ioctl(fd_, CHECK_POLICY_CMD, &info) < 0) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy failed at batch %{public}zu, errno=%{public}d.",
+                                     offset / MAX_POLICY_NUM, errno);
+        }
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            result[offset + i] = info.pathInfos[i].result;
+        }
+    }
+
+    uint32_t failCount = std::count(result.begin(), result.end(), false);
+    if (failCount > 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Check policy failed, failCount=%{public}u.", failCount);
+    }
+    return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+}
+
+int32_t MacAdapter::UnSetSandboxPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                       std::vector<bool> &result)
+{
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet.");
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    result.clear();
+
+    size_t policyNum = policy.size();
+
+    for (size_t offset = 0; offset < policyNum; offset += MAX_POLICY_NUM) {
+        size_t curBatchSize = std::min(MAX_POLICY_NUM, policyNum - offset);
+
+        struct SandboxPolicyInfo info;
+        info.tokenId = tokenId;
+        info.pathNum = curBatchSize;
+
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            info.pathInfos[i].path = const_cast<char *>(policy[offset + i].path.c_str());
+            info.pathInfos[i].pathLen = policy[offset + i].path.length();
+            info.pathInfos[i].mode = policy[offset + i].mode;
+        }
+
+        if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed at batch %{public}zu, errno=%{public}d.",
+                                     offset / MAX_POLICY_NUM, errno);
+        }
+        for (size_t i = 0; i < curBatchSize; ++i) {
+            result[offset + i] = info.pathInfos[i].result;
+        }
+    }
+
+    uint32_t failCount = std::count(result.begin(), result.end(), false);
+    if (failCount > 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed, failCount=%{public}u.", failCount);
+    }
+    return failCount == 0 ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+}
+
+int32_t MacAdapter::UnSetSandboxPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+    if (fd_ < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not init yet.");
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    struct SandboxPolicyInfo info;
+    info.tokenId = tokenId;
+    info.pathNum = 1;
+
+    info.pathInfos[0].path = const_cast<char *>(policy.path.c_str());
+    info.pathInfos[0].pathLen = policy.path.length();
+    info.pathInfos[0].mode = policy.mode;
+
+    if (ioctl(fd_, UN_SET_POLICY_CMD, &info) < 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Unset policy failed, errno=%{public}d.", errno);
+        return SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+    }
+
+    return info.pathInfos[0].result ? SANDBOX_MANAGER_OK : SANDBOX_MANAGER_MAC_ADAPTER_ERR;
+}
+} // namespace SandboxManager
+} // namespace AccessControl
+} // namespace OHOS
\ No newline at end of file
diff --git a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
index 6b26eac..8b93823 100644
--- a/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
+++ b/services/sandbox_manager/main/cpp/src/sensitive/sandbox_manager_event_subscriber.cpp
@@ -42,6 +42,7 @@ bool SandboxManagerCommonEventSubscriber::RegisterEvent()
     auto skill = std::make_shared<EventFwk::MatchingSkills>();
     skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED);
     skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED);
+    skill->AddEvent(EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED);
     EventFwk::CommonEventSubscribeInfo subscribeInfo(*skill);
     auto info = std::make_shared<EventFwk::CommonEventSubscribeInfo>(*skill);
     g_subscriber = std::make_shared<SandboxManagerCommonEventSubscriber>(*info);
@@ -74,7 +75,8 @@ void SandboxManagerCommonEventSubscriber::OnReceiveEvent(const EventFwk::CommonE
     std::string action = want.GetAction();
     SANDBOXMANAGER_LOG_INFO(LABEL, "Receive event = %{public}s.", action.c_str());
     if (action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED ||
-        action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED) {
+        action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED ||
+        action == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED) {
         uint64_t tokenId = static_cast<uint64_t>(want.GetParams().GetIntParam("accessTokenId", 0));
         if (tokenId == 0) {
             SANDBOXMANAGER_LOG_ERROR(LABEL, "Error tokenid = %{public}" PRIu64".", tokenId);
diff --git a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
index b1b23f3..c586b39 100644
--- a/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/policy_info_manager.cpp
@@ -15,9 +15,14 @@
 
 #include "policy_info_manager.h"
 
+#include <algorithm>
 #include <cinttypes>
+#include <cstddef>
 #include <cstdint>
+#include <iterator>
+#include <stdint.h>
 #include <string>
+#include <utility>
 #include <vector>
 #include "accesstoken_kit.h"
 #include "generic_values.h"
@@ -43,52 +48,144 @@ PolicyInfoManager &PolicyInfoManager::GetInstance()
     return instance;
 }
 
-void PolicyInfoManager::Init()
+bool PolicyInfoManager::Init()
 {
     SandboxManagerDb::GetInstance();
+#ifdef MAC_ENABLE
+    if (!macAdapter_.Init()) {
+        return false;
+    }
+#endif
+    return true;
+}
+
+void PolicyInfoManager::CleanPolicyOnMac(const std::vector<GenericValues>& results)
+{
+#ifdef MAC_ENABLE
+    std::map<uint64_t, std::vector<PolicyInfo>> allPersistPolic;
+    for (auto& res : results) {
+        uint64_t tokenId;
+        PolicyInfo policy;
+        TransferGenericToPolicy(res, tokenId, policy);
+        auto it = allPersistPolic.find(tokenId);
+        if (it == allPersistPolic.end()) {
+            std::vector<PolicyInfo> polcys;
+            polcys.emplace_back(policy);
+            allPersistPolic.insert(std::make_pair(tokenId, polcys));
+        } else {
+            it->second.emplace_back(policy);
+        }
+    }
+
+    for (auto it : allPersistPolic) {
+        std::vector<bool> result;
+        int32_t count = 0;
+        macAdapter_.UnSetSandboxPolicy(it.first, it.second, result);
+        for (bool res : result) {
+            if (!res) {
+                ++count;
+            }
+        }
+        SANDBOXMANAGER_LOG_INFO(LABEL, "Mac UnSetSandboxPolicy size = %{public}zu, fail size = %{public}d.",
+            it.second.size(), count);
+    }
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+#endif
+}
+int32_t PolicyInfoManager::CleanPersistPolicyByPath(const std::vector<std::string>& filePaths)
+{
+    //Gets the persistence policy to be cleaned up
+    std::vector<GenericValues> results;
+    for (std::string path : filePaths) {
+        uint32_t length = path.length();
+        if (length == 0 || length > POLICY_PATH_LIMIT) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy path check fail: %{public}s.", path.c_str());
+            continue;
+        }
+        std::string pathTmp = AdjustPath(path);
+        SandboxManagerDb::GetInstance().FindSubPath(
+            SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, pathTmp, results);
+    }
+    if (results.empty()) {
+        SANDBOXMANAGER_LOG_INFO(LABEL, "No deleted persistence policy was found.");
+        return SANDBOX_MANAGER_OK;
+    }
+
+    //clean MAC
+    CleanPolicyOnMac(results);
+
+    //clear the persistence policy
+    for (auto& res: results) {
+        int32_t ret = SandboxManagerDb::GetInstance().Remove(
+            SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, res);
+        if (ret != SandboxManagerDb::SUCCESS) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "%{public}s delete fail!",
+                res.GetString(PolicyFiledConst::FIELD_PATH).c_str());
+        }
+    }
+    return SANDBOX_MANAGER_OK;
 }
 
 int32_t PolicyInfoManager::AddPolicy(const uint64_t tokenId, const std::vector<PolicyInfo> &policy,
     std::vector<uint32_t> &result, const uint32_t flag)
 {
-    uint64_t policySize = policy.size();
-    if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) {
-        return INVALID_PARAMTER;
-    }
+#ifdef MAC_ENABLE
+    size_t policySize = policy.size();
     result.resize(policySize);
-    
+    // check validity
+    std::vector<size_t> queryPolicyIndex;
     for (size_t i = 0; i < policySize; i++) {
         int32_t checkPolicyRet = CheckPolicyValidity(policy[i]);
         if (checkPolicyRet != SANDBOX_MANAGER_OK) {
             result[i] = static_cast<uint32_t>(checkPolicyRet);
             continue;
         }
-        // find duplicate record (have same tokenId, path), delete it
-        PolicyInfo findresult;
-        int32_t exactFindRet = ExactFind(tokenId, policy[i], findresult);
-        if (exactFindRet == SANDBOX_MANAGER_DB_ERR) {
-            return SANDBOX_MANAGER_DB_ERR;
-        }
-
-        if (exactFindRet == SANDBOX_MANAGER_OK && findresult.mode == policy[i].mode) {
-            result[i] = SandboxRetType::OPERATE_SUCCESSFULLY;
-            continue;
+        queryPolicyIndex.emplace_back(i);
+    }
+    // query mac kernel
+    size_t queryPolicyIndexSize = queryPolicyIndex.size();
+    std::vector<bool> queryResults(queryPolicyIndexSize);
+    std::vector<PolicyInfo> queryPolicys(queryPolicyIndexSize);
+    std::transform(queryPolicyIndex.begin(), queryPolicyIndex.end(),
+        queryPolicys.begin(), [policy](const size_t index){return policy[index];});
+    int32_t ret = macAdapter_.QuerySandboxPolicy(tokenId, queryPolicys, queryResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter query error.");
+        result.clear();
+        return ret;
+    }
+    // add to database
+    std::vector<GenericValues> addPolicyGeneric;
+    std::vector<size_t> addPolicyIndex;
+    for (size_t i = 0; i < queryPolicyIndexSize; i++) {
+        if (queryResults[i]) {
+            GenericValues record;
+            TransferPolicyToGeneric(tokenId, policy[queryPolicyIndex[i]], record);
+            record.Put(PolicyFiledConst::FIELD_FLAG, static_cast<int64_t>(flag));
+            addPolicyGeneric.emplace_back(record);
+            addPolicyIndex.emplace_back(i);
+        } else {
+            result[queryPolicyIndex[i]] = SandboxRetType::FORBIDDEN_TO_BE_PERSISTED;
         }
+    }
 
-        GenericValues addRecord;
-        TransferPolicyToGeneric(tokenId, policy[i], addRecord);
-        addRecord.Put(PolicyFiledConst::FIELD_FLAG, static_cast<int64_t>(flag));
-
-        std::vector<GenericValues> recordVec = {addRecord};
-        int32_t ret = SandboxManagerDb::GetInstance().Add(
-            SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, recordVec);
-        if (ret != SandboxManagerDb::SUCCESS) {
-            SANDBOXMANAGER_LOG_ERROR(LABEL, "database operate error");
-            return SANDBOX_MANAGER_DB_ERR;
-        }
-        result[i] = SandboxRetType::OPERATE_SUCCESSFULLY;
+    ret = SandboxManagerDb::GetInstance().Add(
+            SandboxManagerDb::SANDBOX_MANAGER_PERSISTED_POLICY, addPolicyGeneric);
+    if (ret != SandboxManagerDb::SUCCESS) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "database operate error");
+        result.clear();
+        return SANDBOX_MANAGER_DB_ERR;
     }
+    // write results
+    for (size_t each: addPolicyIndex) {
+        result[each] = SandboxRetType::OPERATE_SUCCESSFULLY;
+    }
+    return SANDBOX_MANAGER_OK;
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
     return SANDBOX_MANAGER_OK;
+#endif
 }
 
 int32_t PolicyInfoManager::MatchSinglePolicy(const uint64_t tokenId, const PolicyInfo &policy, uint32_t &result)
@@ -163,6 +260,7 @@ int32_t PolicyInfoManager::MatchPolicy(const uint64_t tokenId, const std::vector
 int32_t PolicyInfoManager::RemovePolicy(
     const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
+#ifdef MAC_ENABLE
     // remove only token, path, mode equal
     uint64_t policySize = policy.size();
     if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT) {
@@ -177,13 +275,18 @@ int32_t PolicyInfoManager::RemovePolicy(
             result[i] = static_cast<uint32_t>(checkPolicyRet);
             continue;
         }
-        
         PolicyInfo exactFindRes;
         int32_t ret = ExactFind(tokenId, policy[i], exactFindRes);
         if (ret == SANDBOX_MANAGER_DB_RETURN_EMPTY) {
             result[i] = SandboxRetType::POLICY_HAS_NOT_BEEN_PERSISTED;
             continue;
         }
+        
+        ret = macAdapter_.UnSetSandboxPolicy(tokenId, policy[i]);
+        if (ret != SANDBOX_MANAGER_OK) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter unset error.");
+            return ret;
+        }
 
         GenericValues condition;
         TransferPolicyToGeneric(tokenId, policy[i], condition);
@@ -195,6 +298,42 @@ int32_t PolicyInfoManager::RemovePolicy(
         }
     }
     return SANDBOX_MANAGER_OK;
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
+}
+
+int32_t PolicyInfoManager::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag,
+                                     std::vector<uint32_t> &result)
+{
+#ifdef MAC_ENABLE
+    return macAdapter_.SetSandboxPolicy(tokenId, policy, policyFlag, result);
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
+}
+
+int32_t PolicyInfoManager::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+#ifdef MAC_ENABLE
+    return macAdapter_.UnSetSandboxPolicy(tokenId, policy);
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
+}
+
+int32_t PolicyInfoManager::CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                       std::vector<bool> &result)
+{
+#ifdef MAC_ENABLE
+    return macAdapter_.CheckSandboxPolicy(tokenId, policy, result);
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
 }
 
 bool PolicyInfoManager::RemoveBundlePolicy(const uint64_t tokenId)
@@ -211,6 +350,139 @@ bool PolicyInfoManager::RemoveBundlePolicy(const uint64_t tokenId)
     return true;
 }
 
+int32_t PolicyInfoManager::StartAccessingByTokenId(const uint64_t tokenId)
+{
+#ifdef MAC_ENABLE
+    GenericValues conditions;
+    GenericValues symbols;
+
+    conditions.Put(PolicyFiledConst::FIELD_TOKENID, static_cast<int64_t>(tokenId));
+    symbols.Put(PolicyFiledConst::FIELD_TOKENID, std::string("="));
+    conditions.Put(PolicyFiledConst::FIELD_FLAG, 1);
+    symbols.Put(PolicyFiledConst::FIELD_FLAG, std::string("="));
+
+    std::vector<GenericValues> dbResults;
+    int32_t ret = RangeFind(conditions, symbols, dbResults);
+    if (ret == SANDBOX_MANAGER_DB_ERR) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Database operate error");
+        return SANDBOX_MANAGER_DB_ERR;
+    }
+    size_t searchSize = dbResults.size();
+    if (searchSize == 0) {
+        SANDBOXMANAGER_LOG_INFO(LABEL, "Database find result empty");
+        return SANDBOX_MANAGER_DB_RETURN_EMPTY;
+    }
+
+    std::vector<PolicyInfo> policys(searchSize);
+    for (size_t i = 0; i <searchSize; i++) {
+        PolicyInfo policy;
+        policy.path = dbResults[i].GetString(PolicyFiledConst::FIELD_PATH);
+        policy.mode = static_cast<uint64_t>(dbResults[i].GetInt(PolicyFiledConst::FIELD_MODE));
+        policys[i] = policy;
+    }
+    std::vector<uint32_t> macResults;
+    ret = macAdapter_.SetSandboxPolicy(tokenId, policys, 0, macResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error.");
+        return ret;
+    }
+    return SANDBOX_MANAGER_OK;
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return true;
+#endif
+}
+
+int32_t PolicyInfoManager::StartAccessingPolicy(
+    const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &results)
+{
+#ifdef MAC_ENABLE
+    size_t policySize = policy.size();
+    results.resize(policySize);
+    // check database, check validity in MatchPolicy
+    std::vector<uint32_t> matchResults(policy.size());
+    int32_t ret = MatchPolicy(tokenId, policy, matchResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MatchPolicy error.");
+        results.clear();
+        return ret;
+    }
+    // set to mac
+    std::vector<size_t> accessingIndex;
+    for (size_t i = 0; i < policySize; i++) {
+        if (matchResults[i] == SandboxRetType::OPERATE_SUCCESSFULLY) {
+            accessingIndex.emplace_back(i);
+        } else {
+            results[i] = matchResults[i];
+        }
+    }
+    size_t accessingIndexSize = accessingIndex.size();
+    std::vector<PolicyInfo> accessingPolicy(accessingIndexSize);
+    std::transform(accessingIndex.begin(), accessingIndex.end(),
+        accessingPolicy.begin(), [policy](size_t index){return policy[index];});
+    std::vector<uint32_t> macResults(accessingIndexSize);
+    ret = macAdapter_.SetSandboxPolicy(tokenId, accessingPolicy, 0, macResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter set policy error.");
+        results.clear();
+        return ret;
+    }
+    // write ok flag
+    for (size_t i = 0; i < accessingIndexSize; i++) {
+        results[accessingIndex[i]] = macResults[i];
+    }
+    return SANDBOX_MANAGER_OK;
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
+}
+
+int32_t PolicyInfoManager::StopAccessingPolicy(
+    const uint64_t tokenId, const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &results)
+{
+#ifdef MAC_ENABLE
+    size_t policySize = policy.size();
+    results.resize(policySize);
+    // check database, check validity in MatchPolicy
+    std::vector<uint32_t> matchResults(policy.size());
+    int32_t ret = MatchPolicy(tokenId, policy, matchResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MatchPolicy error.");
+        results.clear();
+        return ret;
+    }
+    // set to mac
+    std::vector<size_t> accessingIndex;
+    for (size_t i = 0; i < policySize; i++) {
+        if (matchResults[i] == SandboxRetType::OPERATE_SUCCESSFULLY) {
+            accessingIndex.emplace_back(i);
+        } else {
+            results[i] = matchResults[i];
+        }
+    }
+    size_t accessingIndexSize = accessingIndex.size();
+    std::vector<PolicyInfo> accessingPolicy(accessingIndexSize);
+    std::transform(accessingIndex.begin(), accessingIndex.end(),
+        accessingPolicy.begin(), [policy](size_t index){return policy[index];});
+    std::vector<bool> macResults(accessingIndexSize);
+    ret = macAdapter_.UnSetSandboxPolicy(tokenId, accessingPolicy, macResults);
+    if (ret != SANDBOX_MANAGER_OK) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "MacAdapter unset policy error.");
+        results.clear();
+        return ret;
+    }
+    // write ok flag
+    for (size_t i = 0; i < accessingIndexSize; i++) {
+        results[accessingIndex[i]] = macResults[i];
+    }
+    return SANDBOX_MANAGER_OK;
+#else
+    SANDBOXMANAGER_LOG_INFO(LABEL, "Mac not enable, default success.");
+    return SANDBOX_MANAGER_OK;
+#endif
+}
+
 int32_t PolicyInfoManager::RangeFind(const GenericValues &conditions, const GenericValues &symbols,
     std::vector<GenericValues> &results)
 {
@@ -260,6 +532,12 @@ void PolicyInfoManager::TransferPolicyToGeneric(const uint64_t tokenId, const Po
     generic.Put(PolicyFiledConst::FIELD_DEPTH, GetDepth(path));
     generic.Put(PolicyFiledConst::FIELD_MODE, static_cast<int64_t>(policy.mode));
 }
+void PolicyInfoManager::TransferGenericToPolicy(const GenericValues &generic, uint64_t& tokenId, PolicyInfo &policy)
+{
+    policy.path = generic.GetString(PolicyFiledConst::FIELD_PATH);
+    policy.mode = static_cast<uint64_t>(generic.GetInt(PolicyFiledConst::FIELD_MODE));
+    tokenId = static_cast<uint64_t>(generic.GetInt(PolicyFiledConst::FIELD_TOKENID));
+}
 
 int64_t PolicyInfoManager::GetDepth(const std::string &path)
 {
@@ -293,8 +571,14 @@ bool PolicyInfoManager::IsPolicyMatch(const PolicyInfo &searchPolicy, const uint
     uint64_t referMode;
     searchMode = searchPolicy.mode & MODE_FILTER;
     referMode = referPolicy.mode & MODE_FILTER;
-    // mode should strict equal
-    modeMatch = (searchMode == referMode);
+    // refer RW, search R or W shoule return true
+    if (referMode == searchMode) {
+        modeMatch = true;
+    } else if (referMode > searchMode) {
+        modeMatch = ((referMode & searchMode) != 0);
+    } else {
+        modeMatch = false;
+    }
     return pathMatch && modeMatch;
 }
 
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
index 245fc16..6166ba1 100644
--- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_service.cpp
@@ -23,6 +23,7 @@
 #include "common_event_support.h"
 #include "ipc_skeleton.h"
 #include "iservice_registry.h"
+#include "policy_info.h"
 #include "policy_info_manager.h"
 #include "sandbox_manager_const.h"
 #include "sandbox_manager_err_code.h"
@@ -126,6 +127,11 @@ void SandboxManagerService::OnStart(const SystemAbilityOnDemandReason& startReas
     }
 }
 
+int32_t SandboxManagerService::CleanPersistPolicyByPath(const std::vector<std::string>& filePaths)
+{
+    return PolicyInfoManager::GetInstance().CleanPersistPolicyByPath(filePaths);
+}
+
 int32_t SandboxManagerService::PersistPolicy(const std::vector<PolicyInfo> &policy, std::vector<uint32_t> &result)
 {
     uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID();
@@ -134,8 +140,12 @@ int32_t SandboxManagerService::PersistPolicy(const std::vector<PolicyInfo> &poli
         SANDBOXMANAGER_LOG_ERROR(LABEL, "Policy vector size error, size = %{public}zu.", policy.size());
         return INVALID_PARAMTER;
     }
-    result.resize(policySize);
-    return PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result);
+
+    uint32_t flag = 0;
+    if (IPCSkeleton::GetCallingUid() == FOUNDATION_UID) {
+        flag = 1;
+    }
+    return PolicyInfoManager::GetInstance().AddPolicy(callingTokenId, policy, result, flag);
 }
 
 int32_t SandboxManagerService::UnPersistPolicy(
@@ -148,7 +158,6 @@ int32_t SandboxManagerService::UnPersistPolicy(
         return INVALID_PARAMTER;
     }
 
-    result.resize(policySize);
     return PolicyInfoManager::GetInstance().RemovePolicy(callingTokenId, policy, result);
 }
 
@@ -162,8 +171,12 @@ int32_t SandboxManagerService::PersistPolicyByTokenId(
             policy.size(), tokenId);
         return INVALID_PARAMTER;
     }
-    result.resize(policySize);
-    return PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result);
+
+    uint32_t flag = 0;
+    if (IPCSkeleton::GetCallingUid() == FOUNDATION_UID) {
+        flag = 1;
+    }
+    return PolicyInfoManager::GetInstance().AddPolicy(tokenId, policy, result, flag);
 }
 
 int32_t SandboxManagerService::UnPersistPolicyByTokenId(
@@ -177,11 +190,11 @@ int32_t SandboxManagerService::UnPersistPolicyByTokenId(
         return INVALID_PARAMTER;
     }
 
-    result.resize(policySize);
     return PolicyInfoManager::GetInstance().RemovePolicy(tokenId, policy, result);
 }
 
-int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy, uint64_t policyFlag)
+int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                         uint64_t policyFlag, std::vector<uint32_t> &result)
 {
     size_t policySize = policy.size();
     if (policySize == 0 || policySize > POLICY_VECTOR_SIZE_LIMIT || tokenId == 0) {
@@ -190,13 +203,28 @@ int32_t SandboxManagerService::SetPolicy(uint64_t tokenId, const std::vector<Pol
         return INVALID_PARAMTER;
     }
 
-    if (policyFlag == IS_POLICY_ALLOWED_TO_BE_PRESISTED) {
-        SANDBOXMANAGER_LOG_INFO(LABEL, "Allow to set persistant.");
-    } else {
-        SANDBOXMANAGER_LOG_INFO(LABEL, "Not allow to set persistant.");
+    return PolicyInfoManager::GetInstance().SetPolicy(tokenId, policy, policyFlag, result);
+}
+
+int32_t SandboxManagerService::UnSetPolicy(uint64_t tokenId, const PolicyInfo &policy)
+{
+    if (tokenId == 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed.");
+        return INVALID_PARAMTER;
     }
-    // set to Mac here, FORBIDDEN_TO_BE_PERSISTED
-    return SANDBOX_MANAGER_OK;
+
+    return PolicyInfoManager::GetInstance().UnSetPolicy(tokenId, policy);
+}
+
+int32_t SandboxManagerService::CheckPolicy(uint64_t tokenId, const std::vector<PolicyInfo> &policy,
+                                           std::vector<bool> &result)
+{
+    if (tokenId == 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Check tokenId failed.");
+        return INVALID_PARAMTER;
+    }
+
+    return PolicyInfoManager::GetInstance().CheckPolicy(tokenId, policy, result);
 }
 
 int32_t SandboxManagerService::StartAccessingPolicy(
@@ -209,16 +237,7 @@ int32_t SandboxManagerService::StartAccessingPolicy(
         return INVALID_PARAMTER;
     }
 
-    std::vector<uint32_t> matchResult(policy.size());
-
-    int32_t ret = PolicyInfoManager::GetInstance().MatchPolicy(callingTokenId, policy, matchResult);
-    if (ret != SANDBOX_MANAGER_OK) {
-        return ret;
-    }
-
-    // setURI here
-    result = matchResult;
-    return SANDBOX_MANAGER_OK;
+    return PolicyInfoManager::GetInstance().StartAccessingPolicy(callingTokenId, policy, result);
 }
 
 int32_t SandboxManagerService::StopAccessingPolicy(
@@ -231,15 +250,7 @@ int32_t SandboxManagerService::StopAccessingPolicy(
         return INVALID_PARAMTER;
     }
 
-    std::vector<uint32_t> matchResult(policy.size());
-    int32_t ret = PolicyInfoManager::GetInstance().MatchPolicy(callingTokenId, policy, matchResult);
-    if (ret != SANDBOX_MANAGER_OK) {
-        return ret;
-    }
-
-    // stopURI here
-    result = matchResult;
-    return SANDBOX_MANAGER_OK;
+    return PolicyInfoManager::GetInstance().StopAccessingPolicy(callingTokenId, policy, result);
 }
 
 int32_t SandboxManagerService::CheckPersistPolicy(
@@ -265,10 +276,21 @@ int32_t SandboxManagerService::CheckPersistPolicy(
     return SANDBOX_MANAGER_OK;
 }
 
+int32_t SandboxManagerService::StartAccessingByTokenId(uint64_t tokenId)
+{
+    if (tokenId == 0) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Invalid Tokenid.");
+        return INVALID_PARAMTER;
+    }
+    return PolicyInfoManager::GetInstance().StartAccessingByTokenId(tokenId);
+}
+
 bool SandboxManagerService::Initialize()
 {
     DelayUnloadService();
-    PolicyInfoManager::GetInstance().Init();
+    if (!PolicyInfoManager::GetInstance().Init()) {
+        return false;
+    }
     AddSystemAbilityListener(COMMON_EVENT_SERVICE_ID);
     return true;
 }
@@ -309,7 +331,8 @@ bool SandboxManagerService::StartByEventAction(const SystemAbilityOnDemandReason
     std::string reasonName = startReason.GetName();
     SANDBOXMANAGER_LOG_INFO(LABEL, "Start by common event, event = %{public}s.", reasonName.c_str());
     if (reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_REMOVED ||
-        reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED) {
+        reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_FULLY_REMOVED ||
+        reasonName == EventFwk::CommonEventSupport::COMMON_EVENT_PACKAGE_DATA_CLEARED) {
         auto wantMap = startReason.GetExtraData().GetWant();
         auto iter = startReason.GetExtraData().GetWant().find("accessTokenId");
         if (iter == startReason.GetExtraData().GetWant().end()) {
diff --git a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp
index e017a0f..642228a 100644
--- a/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp
+++ b/services/sandbox_manager/main/cpp/src/service/sandbox_manager_stub.cpp
@@ -17,11 +17,13 @@
 
 #include <cinttypes>
 #include <cstdint>
+#include <string>
 #include <unistd.h>
 #include <vector>
 #include "accesstoken_kit.h"
 #include "ipc_skeleton.h"
 #include "policy_info.h"
+#include "policy_info_parcel.h"
 #include "policy_info_vector_parcel.h"
 #include "sandbox_manager_const.h"
 #include "sandbox_manager_err_code.h"
@@ -66,6 +68,34 @@ int32_t SandboxManagerStub::OnRemoteRequest(
     return NO_ERROR;
 }
 
+void SandboxManagerStub::CleanPersistPolicyByPathInner(MessageParcel &data, MessageParcel &reply)
+{
+    uint32_t callingTokenId = IPCSkeleton::GetCallingTokenID();
+    if (!IsFileManagerCalling(callingTokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Permission denied(tokenID=%{public}d)", callingTokenId);
+        reply.WriteInt32(PERMISSION_DENIED);
+        return;
+    }
+
+    std::vector<std::string> filePaths;
+    uint32_t size = 0;
+    if (!data.ReadUint32(size)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager data file path fail");
+        return;
+    }
+    for (uint32_t i = 0; i < size; i++) {
+        std::string filePath;
+        if (!data.ReadString(filePath)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "Reply sandbox manager data file path fail");
+            return;
+        }
+        filePaths.emplace_back(filePath);
+    }
+    
+    this->CleanPersistPolicyByPath(filePaths);
+    return;
+}
+
 void SandboxManagerStub::PersistPolicyInner(MessageParcel &data, MessageParcel &reply)
 {
     uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID();
@@ -76,7 +106,7 @@ void SandboxManagerStub::PersistPolicyInner(MessageParcel &data, MessageParcel &
 
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -109,7 +139,7 @@ void SandboxManagerStub::UnPersistPolicyInner(MessageParcel &data, MessageParcel
 
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "read sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -142,13 +172,13 @@ void SandboxManagerStub::PersistPolicyByTokenIdInner(MessageParcel &data, Messag
     }
     uint64_t tokenId;
     if (!data.ReadUint64(tokenId)) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "read tokenId parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "read sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -175,18 +205,18 @@ void SandboxManagerStub::UnPersistPolicyByTokenIdInner(MessageParcel &data, Mess
 {
     uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID();
     if (!CheckPermission(callingTokenId, ACCESS_PERSIST_PERMISSION_NAME)) {
-        reply.WriteUint32(PERMISSION_DENIED);
+        reply.WriteInt32(PERMISSION_DENIED);
         return;
     }
     uint64_t tokenId;
     if (!data.ReadUint64(tokenId)) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -214,37 +244,108 @@ void SandboxManagerStub::SetPolicyInner(MessageParcel &data, MessageParcel &repl
 {
     uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID();
     if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) {
-        reply.WriteUint32(PERMISSION_DENIED);
+        reply.WriteInt32(PERMISSION_DENIED);
         return;
     }
 
     uint64_t tokenId;
     if (!data.ReadUint64(tokenId)) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
 
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
 
     uint64_t policyFlag;
     if (!data.ReadUint64(policyFlag)) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "read policyFlag parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read policyFlag parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
-    
-    int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag);
+
+    std::vector<uint32_t> result;
+    int32_t ret = this->SetPolicy(tokenId, policyInfoVectorParcel->policyVector, policyFlag, result);
     if (!reply.WriteInt32(ret)) {
         SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
+    if (ret == SANDBOX_MANAGER_OK) {
+        if (!reply.WriteUInt32Vector(result)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail");
+            reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+            return;
+        }
+    }
+    return;
+}
+
+void SandboxManagerStub::UnSetPolicyInner(MessageParcel &data, MessageParcel &reply)
+{
+    uint64_t callingTokenId = IPCSkeleton::GetCallingTokenID();
+    if (!CheckPermission(callingTokenId, SET_POLICY_PERMISSION_NAME)) {
+        reply.WriteInt32(PERMISSION_DENIED);
+        return;
+    }
+
+    uint64_t tokenId;
+    if (!data.ReadUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+
+    sptr<PolicyInfoParcel> policyInfoParcel = data.ReadParcelable<PolicyInfoParcel>();
+    if (policyInfoParcel == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+
+    int32_t ret = this->UnSetPolicy(tokenId, policyInfoParcel->policyInfo);
+    if (!reply.WriteInt32(ret)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+    return;
+}
+
+void SandboxManagerStub::CheckPolicyInner(MessageParcel &data, MessageParcel &reply)
+{
+    uint64_t tokenId;
+    if (!data.ReadUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+
+    sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
+    if (policyInfoVectorParcel == nullptr) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+    std::vector<bool> result;
+    int32_t ret = this->CheckPolicy(tokenId, policyInfoVectorParcel->policyVector, result);
+    if (!reply.WriteInt32(ret)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager ret parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+    if (ret == SANDBOX_MANAGER_OK) {
+        if (!reply.WriteBoolVector(result)) {
+            SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager result parcel fail");
+            reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+            return;
+        }
+    }
     return;
 }
 
@@ -258,7 +359,7 @@ void SandboxManagerStub::StartAccessingPolicyInner(MessageParcel &data, MessageP
 
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -319,14 +420,14 @@ void SandboxManagerStub::CheckPersistPolicyInner(MessageParcel &data, MessagePar
 {
     uint64_t tokenId;
     if (!data.ReadUint64(tokenId)) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply tokenId parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
 
     sptr<PolicyInfoVectorParcel> policyInfoVectorParcel = data.ReadParcelable<PolicyInfoVectorParcel>();
     if (policyInfoVectorParcel == nullptr) {
-        SANDBOXMANAGER_LOG_ERROR(LABEL, "reply sandbox manager data parcel fail");
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read sandbox manager data parcel fail");
         reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
         return;
     }
@@ -349,8 +450,26 @@ void SandboxManagerStub::CheckPersistPolicyInner(MessageParcel &data, MessagePar
     return;
 }
 
+void SandboxManagerStub::StartAccessingByTokenIdInner(MessageParcel &data, MessageParcel &reply)
+{
+    if (IPCSkeleton::GetCallingUid() != FOUNDATION_UID) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Not foundation-AMS userid, permision denied.");
+        return;
+    }
+    uint64_t tokenId;
+    if (!data.ReadUint64(tokenId)) {
+        SANDBOXMANAGER_LOG_ERROR(LABEL, "Read tokenId parcel fail");
+        reply.WriteInt32(SANDBOX_MANAGER_SERVICE_PARCEL_ERR);
+        return;
+    }
+    this->StartAccessingByTokenId(tokenId);
+    return;
+}
+
 void SandboxManagerStub::SetPolicyOpFuncInMap()
 {
+    requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::CLEAN_PERSIST_POLICY_BY_PATH)] =
+        &SandboxManagerStub::CleanPersistPolicyByPathInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::PERSIST_PERMISSION)] =
         &SandboxManagerStub::PersistPolicyInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::UNPERSIST_PERMISSION)] =
@@ -361,12 +480,18 @@ void SandboxManagerStub::SetPolicyOpFuncInMap()
         &SandboxManagerStub::UnPersistPolicyByTokenIdInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::SET_POLICY)] =
         &SandboxManagerStub::SetPolicyInner;
+    requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::UN_SET_POLICY)] =
+        &SandboxManagerStub::UnSetPolicyInner;
+    requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::CHECK_POLICY)] =
+        &SandboxManagerStub::CheckPolicyInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::START_ACCESSING_URI)] =
         &SandboxManagerStub::StartAccessingPolicyInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::STOP_ACCESSING_URI)] =
         &SandboxManagerStub::StopAccessingPolicyInner;
     requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::CHECK_PERSIST_PERMISSION)] =
         &SandboxManagerStub::CheckPersistPolicyInner;
+    requestFuncMap_[static_cast<uint32_t>(SandboxManagerInterfaceCode::START_ACCESSING_BY_TOKENID)] =
+        &SandboxManagerStub::StartAccessingByTokenIdInner;
 }
 
 SandboxManagerStub::SandboxManagerStub()
@@ -389,6 +514,14 @@ bool SandboxManagerStub::CheckPermission(const uint64_t tokenId, const std::stri
     SANDBOXMANAGER_LOG_ERROR(LABEL, "Check permission token:%{public}" PRIu64" fail", tokenId);
     return false;
 }
+bool SandboxManagerStub::IsFileManagerCalling(const uint32_t tokenCaller)
+{
+    if (tokenFileManagerId_ == 0) {
+        tokenFileManagerId_ = Security::AccessToken::AccessTokenKit::GetNativeTokenId(
+            "file_manager_service");
+    }
+    return tokenCaller == tokenFileManagerId_;
+}
 } // namespace SandboxManager
 } // namespace AccessControl
 } // namespace OHOS
\ No newline at end of file
diff --git a/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json b/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json
index 669be81..fe4223c 100644
--- a/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json
+++ b/services/sandbox_manager/main/sa_profile/sandbox_manager_service.json
@@ -15,6 +15,9 @@
 			},
 			{
 				"name": "usual.event.PACKAGE_FULLY_REMOVED"
+			},
+			{
+				"name": "usual.event.PACKAGE_DATA_CLEARED"
 			}]
 		}
 	}]
diff --git a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
index 454f782..1ef380d 100644
--- a/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
+++ b/services/sandbox_manager/test/unittest/sandbox_manager_service_test.cpp
@@ -166,22 +166,23 @@ HWTEST_F(SandboxManagerServiceTest, SandboxManagerServiceTest002, TestSize.Level
     std::vector<PolicyInfo> policy;
     std::vector<uint32_t> result0;
     uint64_t policyFlag = 0;
-    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag));
+    std::vector<uint32_t> policyResult;
+    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult));
     uint64_t sizeLimit = 0;
     EXPECT_EQ(sizeLimit, result0.size());
 
     policy.resize(POLICY_VECTOR_SIZE_LIMIT + 1);
     std::vector<uint32_t> result;
     
-    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag));
+    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult));
     sizeLimit = 0;
     EXPECT_EQ(sizeLimit, result.size());
 
     policy.resize(1);
-    EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag));
+    EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult));
     policyFlag = 1;
-    EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag));
-    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag));
+    EXPECT_EQ(SANDBOX_MANAGER_OK, sandboxManagerService_->SetPolicy(selfTokenId_, policy, policyFlag, policyResult));
+    EXPECT_EQ(INVALID_PARAMTER, sandboxManagerService_->SetPolicy(0, policy, policyFlag, policyResult));
 }
 
 /**
-- 
Gitee