diff --git a/LICENSE b/LICENSE
index 8eddf19d0568ff3af1bcd1ca9163e875da8cbc0d..21795c929b88afa5e7b1a2a84e620d9cf123b910 100644
--- a/LICENSE
+++ b/LICENSE
@@ -9,5 +9,6 @@
./container_escape_detection
./module_sample
./pac/
+ ./dec
As for the specific use of the licenses, please refer to the relevant description in the documents.
diff --git a/OAT.xml b/OAT.xml
index f4ef13823b6d0d5a44d2d5a611e565e8231992e8..dfa276cdb30319b153acd22e192be2350b397128 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -66,7 +66,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -76,7 +78,9 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
+
@@ -99,7 +103,8 @@ Note:If the text contains special characters, please escape them according to th
-
+
+
diff --git a/dec/Kconfig b/dec/Kconfig
new file mode 100644
index 0000000000000000000000000000000000000000..9f9cbda17d8db0c87fcb90434d4a5b9d82705277
--- /dev/null
+++ b/dec/Kconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+config SECURITY_DEC
+ bool "Data enhance control features"
+
+ default y
+ help
+ This option enables file operation permission verification
+ at VFS layer.
+
+ If unsure, say N.
diff --git a/dec/Makefile b/dec/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..efd9cfef5993875569cbca81e83f99d476f471b7
--- /dev/null
+++ b/dec/Makefile
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+obj-$(CONFIG_SECURITY_DEC) += \
+ dec_misc.o
+
+ccflags-$(CONFIG_SECURITY_DEC) += \
+ -I$(srctree)/fs/dec
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/dec/apply_dec.sh b/dec/apply_dec.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6f63fb5e8d525b0bec012df1732819a53e08cdfc
--- /dev/null
+++ b/dec/apply_dec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+DEC_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/dec
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/dec" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/dec
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/dec
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/dec $DEC_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/dec/dec_misc.c b/dec/dec_misc.c
new file mode 100644
index 0000000000000000000000000000000000000000..534ce5ce622bf8c82e28feefafbad0c13945fd12
--- /dev/null
+++ b/dec/dec_misc.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "dec_misc.h"
+
+static int vfs_deal_policy_cmd(unsigned int cmd, void __user *arg)
+{
+ pr_info("vfs dec deal policy cmd:%u\n", cmd);
+ int ret = 0;
+ struct dec_policy_info info = { 0 };
+
+ ret = copy_from_user(&info, arg, sizeof(info));
+ if (ret != 0) {
+ pr_err("copy from user failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("tokenid:%lu path_num:%u persist_flag:%d\n", info.tokenid, info.path_num, info.persist_flag);
+
+ return ret;
+}
+
+static int vfs_destroy_dec_policy(void __user *arg)
+{
+ int ret = 0;
+ uint64_t tokenid;
+
+ ret = copy_from_user(&tokenid, arg, sizeof(tokenid));
+ if (ret != 0) {
+ pr_err("destroy dec policy copy from caller failed\n");
+ return -EFAULT;
+ }
+
+ pr_info("destroy dec policy tokenid:%ld\n", tokenid);
+ return 0;
+}
+
+static long dec_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ pr_info("dec ioctl cmd:%u\n", cmd);
+ int ret = 0;
+
+ switch (cmd) {
+ case SET_DEC_POLICY_CMD:
+ case DEL_DEC_POLICY_CMD:
+ case QUERY_DEC_POLICY_CMD:
+ case CHECK_DEC_POLICY_CMD:
+ case CONSTRAINT_DEC_POLICY_CMD:
+ case DENY_DEC_POLICY_CMD:
+ ret = vfs_deal_policy_cmd(cmd, (void __user *)arg);
+ break;
+ case DESTROY_DEC_POLICY_CMD:
+ ret = vfs_destroy_dec_policy((void __user *)arg);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+
+ return 0;
+}
+
+static int dec_open(struct inode *inode, struct file *filp)
+{
+ pr_info("dec open\n");
+ return 0;
+}
+
+static int dec_release(struct inode *inode, struct file *filp)
+{
+ pr_info("dec close\n");
+ return 0;
+}
+
+static const struct file_operations dec_fops = {
+ .owner = THIS_MODULE,
+ .open = dec_open,
+ .release = dec_release,
+ .unlocked_ioctl = dec_ioctl,
+ .compat_ioctl = dec_ioctl,
+};
+
+static struct miscdevice dec_misc = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "dec",
+ .fops = &dec_fops,
+};
+
+static int __init dec_init(void)
+{
+ int err = 0;
+
+ err = misc_register(&dec_misc);
+ if (err < 0) {
+ pr_err("dec device init failed\n");
+ return err;
+ }
+
+ pr_err("dec device init success\n");
+ return 0;
+}
+
+static void __exit dec_exit(void)
+{
+ misc_deregister(&dec_misc);
+ pr_info("dec exited");
+}
+
+/* module entry points */
+module_init(dec_init);
+module_exit(dec_exit);
+
+MODULE_LICENSE("GPL");
diff --git a/dec/dec_misc.h b/dec/dec_misc.h
new file mode 100644
index 0000000000000000000000000000000000000000..1154ece0904126309605e2195957acd9689e8a0e
--- /dev/null
+++ b/dec/dec_misc.h
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ */
+
+#ifndef _DEC_MISC_H
+#define _DEC_MISC_H
+
+#include
+#include
+#include
+
+#define MAX_PATH_NUM 8
+
+#define DEV_DEC_MINOR 0x25
+#define DEC_IOCTL_BASE 's'
+#define SET_POLICY_ID 1
+#define DEL_POLICY_ID 2
+#define QUERY_POLICY_ID 3
+#define CHECK_POLICY_ID 4
+#define DESTROY_POLICY_ID 5
+#define CONSTRAINT_POLICY_ID 6
+#define DENY_POLICY_ID 7
+
+struct path_info {
+ char* path;
+ uint32_t path_len;
+ uint32_t mode;
+ bool ret_flag;
+};
+
+struct dec_policy_info {
+ uint64_t tokenid;
+ struct path_info path[MAX_PATH_NUM];
+ uint32_t path_num;
+ bool persist_flag;
+};
+
+#define SET_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, SET_POLICY_ID, struct dec_policy_info)
+#define DEL_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DEL_POLICY_ID, struct dec_policy_info)
+#define QUERY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, QUERY_POLICY_ID, struct dec_policy_info)
+#define CHECK_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, CHECK_POLICY_ID, struct dec_policy_info)
+#define CONSTRAINT_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, CONSTRAINT_POLICY_ID, struct dec_policy_info)
+#define DENY_DEC_POLICY_CMD \
+ _IOWR(DEC_IOCTL_BASE, DENY_POLICY_ID, struct dec_policy_info)
+#define DESTROY_DEC_POLICY_CMD \
+ _IOW(DEC_IOCTL_BASE, DESTROY_POLICY_ID, uint64_t)
+
+#endif /* _DEC_MISC_H */
\ No newline at end of file