diff --git a/LICENSE b/LICENSE
index 97c58d4662c37e15a56f149eedfb98c00e604414..7ba43f742611747e018d799e751d239c638d15ef 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,5 +3,6 @@
./xpm/
./qos_auth/
./ucollection/
+ ./vma/
As for the specific use of the licenses, please refer to the relevant description in the documents.
diff --git a/OAT.xml b/OAT.xml
index 55a93aaac5d9767f9e9f8ec15add42c0fa350918..ca03774be441364a225dfbcbdb5bfe92c90f2ec7 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -59,10 +59,12 @@ Note:If the text contains special characters, please escape them according to th
+
+
diff --git a/vma/Kconfig b/vma/Kconfig
new file mode 100755
index 0000000000000000000000000000000000000000..ab6cb621d9dac860862dcde8d4669704d030cf5f
--- /dev/null
+++ b/vma/Kconfig
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Config for hide excutable memory address of render process manager
+#
+config HIDE_RENDER_ADDRESS
+ default n
+ bool "Hide excutable memory address in proc/[render]/maps "
+ help
+ Select show address about anonymous area of the render process memory
+ with -rx- permissions or not.
diff --git a/vma/Makefile b/vma/Makefile
new file mode 100755
index 0000000000000000000000000000000000000000..d5f1b87d7aa37a534affc3cc8d713fb3d99bd537
--- /dev/null
+++ b/vma/Makefile
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+# Makefile for hide excutable memory address of render objess manager module
+#
+obj-$(CONFIG_HIDE_RENDER_ADDRESS) += vma_render.o
+
+ccflags-$(CONFIG_HIDE_RENDER_ADDRESS) += \
+ -I$(srctree)/fs/proc \
+ -I$(srctree)/security/selinux/include \
+ -I$(srctree)/security/selinux
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/vma/README_zh.md b/vma/README_zh.md
new file mode 100644
index 0000000000000000000000000000000000000000..2d181a8553c9423c62ca7e726b6327fe77439afc
--- /dev/null
+++ b/vma/README_zh.md
@@ -0,0 +1,47 @@
+## 背景
+
+当前linux内核proc文件系统的机制,在maps文件里面输出了进程的内存映射信息,对于渲染进程而言,此进程的JIT区域具有可执行权限的内存地址也同时暴露在proc文件系统中。
+
+为防止黑客通过读取proc下的rx内存地址, 把shellcode写入这块可执行内存区域,通过将这块内存地址隐藏起来的方式来提高黑客攻破render进程的难度。
+
+## VMA(render vma address manager)模块
+
+VMA模块通过检查渲染进程映射的匿名内存是否具有可执行的权限,来针对性的将映射后的内存地址的start和end值设置为NULL,以此达到隐藏内存地址的目的
+
+### 1.进程类型检查
+
+通过进程的selinux安全上下文来判定当前proc/[pid]/maps中的pid对应的进程是否为渲染进程
+
+### 2.匿名内存区域权限检查
+
+内存区域的权限由vm_flags_t结构体的 flags成员呈现,通过检查flags是否具有-x-权限来决定是否将其所对应的地址隐藏起来。
+
+## 目录
+
+VMA执行权限管控的主要代码目录结构如下:
+
+```
+# 代码路径 /kernel/linux/common_modules/vma
+├── vma_render.h # vma 头文件
+├── vma_render.c # vma 管控代码
+├── Konfig
+├── Makefile
+```
+
+## VMA配置指导
+
+1. VMA使能
+ `CONFIG_HIDE_RENDER_ADDRESS=y`
+
+2. VMA禁用
+ `CONFIG_HIDE_RENDER_ADDRESS=n`
+
+## 相关仓
+
+[内核子系统](https://gitee.com/openharmony/docs/blob/master/zh-cn/readme/%E5%86%85%E6%A0%B8%E5%AD%90%E7%B3%BB%E7%BB%9F.md)
+
+[kernel_linux_5.10](https://gitee.com/openharmony/kernel_linux_5.10)
+
+[kernel_linux_config](https://gitee.com/openharmony/kernel_linux_config)
+
+[device_board_hihope](https://gitee.com/openharmony/device_board_hihope)
diff --git a/vma/apply_vma.sh b/vma/apply_vma.sh
new file mode 100755
index 0000000000000000000000000000000000000000..25b4df1df8eea790a31c049bc20a541884bf0d27
--- /dev/null
+++ b/vma/apply_vma.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#SPDX-License-Identifier: GPL-2.0
+#Copyright (c) 2022 Huawei Device Co., Ltd.
+#
+#Description: Create a symbolic link for vma_render in Linux 5.10
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+XPM_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/vma
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/proc/vma" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/proc/vma
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/proc/vma
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/proc/vma/ $VMA_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/vma/vma_render.c b/vma/vma_render.c
new file mode 100644
index 0000000000000000000000000000000000000000..58710303fc40bdebec83e504f7904ae53b00d824
--- /dev/null
+++ b/vma/vma_render.c
@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include "vma_render.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+#include "avc.h"
+#include "objsec.h"
+
+
+static int is_render_task_vma(struct seq_file *m, struct vm_area_struct *vma)
+{
+ bool is_exec = false;
+ bool is_anon = false;;
+ const char *name = NULL;
+ vm_flags_t flags = vma->vm_flags;
+
+ if (flags & VM_EXEC) {
+ is_exec = true;
+ }
+
+ name = arch_vma_name(vma);
+ if (!name) {
+ struct anon_vma_name *anon_name;
+ anon_name = anon_vma_name(vma);
+ if (anon_name) {
+ is_anon = true;
+ }
+ }
+
+ return is_anon && is_exec;
+}
+
+static int vma_avc_has_perm(u16 tclass, u32 requested, struct seq_file *m)
+{
+ struct av_decision avd;
+ struct inode *inode_task = file_inode(m->file);
+ struct task_struct *task = get_proc_task(inode_task);
+ u32 secid;
+ security_cred_getsecid(task->cred, &secid);
+ u32 sid = secid;
+
+ return avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+}
+
+static void render_vma_header_prefix(unsigned long *start, unsigned long *end, vm_flags_t *flags,
+ struct seq_file *m, struct vm_area_struct *vma) {
+ int ret;
+ ret = vma_avc_has_perm(SECCLASS_VMA, VMA__HIDE_EXEC_ANON_MEM, m);
+ if (!ret && is_render_task_vma(m, vma)) {
+ *start = NULL;
+ *end = NULL;
+ *flags = NULL;
+ }
+}
+
+static void render_vma_header_prefix_lhck_register(void)
+{
+ REGISTER_HCK_LITE_HOOK(render_vma_header_prefix_lhck, render_vma_header_prefix);
+}
+
+int __init vma_hooks_init(void)
+{
+ render_vma_header_prefix_lhck_register();
+ return 0;
+}
+
+void __exit vma_hooks_exit(void)
+{
+}
+
+module_init(vma_hooks_init);
+module_exit(vma_hooks_exit);
diff --git a/vma/vma_render.h b/vma/vma_render.h
new file mode 100644
index 0000000000000000000000000000000000000000..fe8cb9d3871b2c2a2fc18ebe2c9f4eee24dff664
--- /dev/null
+++ b/vma/vma_render.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#ifndef _VMA_RENDER
+#define _VMA_RENDER
+#include
+
+#ifdef CONFIG_HIDE_RENDER_ADDRESS
+int __init vma_hooks_init(void);
+#endif
+
+#endif /* _VMA_RENDER */