From 903afc717abbf0ffbbd7c8a63ebfb0d362deb0a2 Mon Sep 17 00:00:00 2001
From: zhang-daiyue
Date: Fri, 12 May 2023 03:19:17 +0000
Subject: [PATCH] fixed 8bbabe8 from https://gitee.com/zhang-daiyue/security_selinux/pulls/2232 Add selinux label for medialibrary process
Signed-off-by: zhang-daiyue
Change-Id: I280d3abc0fa87cc67d082c11e69b454dfd575a90
---
.../system/medialibrary_hap.te | 20 +++++++++++++++++++
.../userfile_manager/system/normal_hap.te | 5 -----
.../userfile_manager/system/sehap_contexts | 15 ++++++++++++++
3 files changed, 35 insertions(+), 5 deletions(-)
create mode 100644 sepolicy/ohos_policy/filemanagement/userfile_manager/system/medialibrary_hap.te
create mode 100644 sepolicy/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts
diff --git a/sepolicy/ohos_policy/filemanagement/userfile_manager/system/medialibrary_hap.te b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/medialibrary_hap.te
new file mode 100644
index 000000000..edfcb9277
--- /dev/null
+++ b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/medialibrary_hap.te
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type medialibrary_hap, normal_hap_attr, hap_domain, domain;
+
+type medialibrary_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
+
+allow medialibrary_hap mimetype_file:file { open read getattr };
+allow medialibrary_hap privacy_service:binder call;
+allow medialibrary_hap distributedfiledaemon:binder transfer;
diff --git a/sepolicy/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te
index 0ed34230b..51f52eff4 100644
--- a/sepolicy/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te
+++ b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te
@@ -18,12 +18,7 @@ neverallow { never_execute_file };
-allow normal_hap_attr hmdfs:dir create_dir_perms;
-allow normal_hap_attr hmdfs:{file lnk_file} create_file_perms;
 allow hap_domain data_user_file:dir create_dir_perms;
 allow hap_domain data_user_file:file create_file_perms;
-allow normal_hap_attr privacy_service:binder call;
 allow hap_domain epfs:dir create_dir_perms;
 allow hap_domain epfs:{file lnk_file} create_file_perms;
-
-allow normal_hap_attr mimetype_file:file { open read getattr };
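Review bot: The `distributedfiledaemon:binder transfer` rule on the last line of medialibrary_hap.te is new access, not a move: the rules this commit deletes from normal_hap.te cover hmdfs, privacy_service and mimetype_file only, and none of them names distributedfiledaemon. It is also granted without a matching `binder call` in this file, so it presumably depends on a grant made elsewhere in the policy, which should be confirmed. In the other direction, the two hmdfs rules dropped from `normal_hap_attr` are not re-granted to `medialibrary_hap` here, so any remaining hmdfs use by medialibrary would surface as AVC denials unless another file covers it. I would put a one-line comment above each allow naming the feature that needs it, for example `# required by <feature>: medialibrary passes binder objects to distributedfiledaemon`, and check the final set against audit logs from a device running this policy.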
diff --git a/sepolicy/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts
new file mode 100644
index 000000000..d62693699
--- /dev/null
+++ b/sepolicy/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apl=normal name=com.ohos.medialibrary.medialibrarydata domain=medialibrary_hap type=medialibrary_hap_data_file
+apl=normal name=com.ohos.medialibrary.medialibrarydata:fileAccess domain=medialibrary_hap type=medialibrary_hap_data_file
--
Gitee
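Review bot: Both sehap_contexts entries select the `medialibrary_hap` domain from `apl=normal` plus the bundle name alone, so the binder access granted in medialibrary_hap.te is only as well protected as the installer's guarantee that nothing else can carry `com.ohos.medialibrary.medialibrarydata`. That guarantee is not visible in this patch and should be confirmed. It is also worth checking that the bundle really ships at normal APL, since if it is signed at a higher level these entries would presumably not match and the process would keep the generic label. A short header comment would document the intent, for example `# medialibrarydata main process and its :fileAccess process share the medialibrary_hap domain`.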