From 8790099a0167fc16c51ea35c315ce4dbb81fcbec Mon Sep 17 00:00:00 2001
From: huhui
Date: Tue, 10 Jun 2025 20:50:54 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E5=A4=87=E4=BB=BD=E5=85=8B=E9=9A=86?=
 =?UTF-8?q?=E6=A1=86=E6=9E=B6=E6=94=AF=E6=8C=81=E6=96=87=E4=BB=B6=E6=89=AB?=
 =?UTF-8?q?=E6=8F=8F=E8=83=BD=E5=8A=9B=EF=BC=8C=E6=96=B0=E5=A2=9ESEHarmony?=
 =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: huhui
---
 sepolicy/base/public/domain.te | 6 +++---
 sepolicy/base/public/hap_domain.te | 6 +++---
 .../app_file_service/public/backup_sa.te | 14 +++++++++++++
 .../app_file_service/system/backup_sa.te | 21 +++++++++++++++++--
 4 files changed, 39 insertions(+), 8 deletions(-)
 create mode 100644 sepolicy/ohos_policy/filemanagement/app_file_service/public/backup_sa.te
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index f047f2338..a04a5ab49 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -222,7 +222,7 @@ neverallow { domain -init -appspawn -rgm_violator_ohos_filesystem_remount } *:fi
 neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nwebspawn -nativespawn updater_only(`-updater') -rgm_violator_ohos_filesystem_unmount -module_update_service } *:filesystem unmount;
 neverallow { domain -init -storage_daemon -rgm_violator_filesystem_relabelfrom -appspawn } *:filesystem relabelfrom;
 neverallow { domain -init -storage_daemon -appspawn -rgm_violator_filesystem_relabelto } *:filesystem relabelto;
-neverallow { domain -storage_daemon -installs -init updater_only(`-updater') } *:filesystem quotaget;
+neverallow { domain -storage_daemon -installs -init updater_only(`-updater') -backup_sa } *:filesystem quotaget;
 neverallow { domain -storage_daemon -init updater_only(`-updater') } *:filesystem quotamod;
 neverallow { domain updater_only(`-updater -updater_binary -init')} rootfs:file { create write setattr relabelto append unlink link rename };
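Review bot: Adding `-backup_sa` to this quotaget exception list, and to the dac_read_search and sys_admin lists in the @@ -297 and @@ -317 hunks of the same file, records no reason for the exemption, so nothing ties it to the file-scan feature named in the subject or to the matching allow rules in system/backup_sa.te. Unlike an allow rule, a neverallow exemption widens what the domain may be granted later, and these three lists are the ones storage_daemon already sits on, so the change effectively places backup_sa in the same filesystem-privilege class. I would record the justification beside the allow rules in system/backup_sa.te, e.g. `# backup/clone file scan: app-data dir traversal (dac_read_search) and quota query on labeledfs (quotaget, sys_admin) -- confirm each is still required before extending`, so the exemptions can be revisited. Whether the labeledfs quota query is the only operation that needs sys_admin cannot be told from these hunks; if it is, stating that explicitly would make it possible to drop the broad capability if the query is later delegated.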
@@ -297,7 +297,7 @@ neverallow { domain -appspawn -chipset_init -init -ueventd -installs -storage_d
 neverallow { domain -appspawn -cjappspawn -init -chipset_init -ueventd -memmgrservice -resource_schedule_executor -installs updater_only(`-updater') -storage_daemon -usb_host -cap_violator_dacoverride developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_capability_dacoverride -violator_sa_capability_dac_override } self:{ capability cap_userns } dac_override;
-neverallow { domain -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp -hap_domain_self_violators') -hnp_violator -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch } self:{ capability cap_userns } dac_read_search;
+neverallow { domain -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp -hap_domain_self_violators') -hnp_violator -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch -backup_sa } self:{ capability cap_userns } dac_read_search;
 neverallow { domain -init -chipset_init -ueventd -installs -storage_daemon -cap_violator_fowner updater_only(`-updater') -rgm_violator_ohos_capability_fowner } self:{ capability cap_userns } fowner;
 neverallow { domain -chipset_init -appspawn -init -ueventd -storage_daemon -cap_violator_fsetid updater_only(`-updater') -rgm_violator_ohos_capability_fsetid } self:{ capability cap_userns } fsetid;
 neverallow { domain -init -memmgrservice -appspawn -nativespawn -cjappspawn -storage_daemon -compiler_service -nwebspawn -faultloggerd -hiview -foundation -resource_schedule_executor -native_daemon -cap_violator_kill -rgm_violator_ohos_capability_kill -kernel }
self:{ capability cap_userns } kill;
@@ -317,7 +317,7 @@ neverallow { domain -init -chipset_init -appspawn -rgm_violator_ohos_capability_
 neverallow { domain -appspawn -hiview -hidumper_service -memmgrservice -storage_daemon -hiprofiler_cmd -hiprofiler_plugins -native_daemon -hiperf -foundation -cap_violator_sysptrace debug_only(`-hiebpf') -SP_daemon -rgm_violator_ohos_capability_sysptrace developer_only(`-test_server') } self:{ capability cap_userns } sys_ptrace;
 neverallow * self:{ capability cap_userns } sys_pacct;
-neverallow { domain -kernel -init -chipset_init -storage_daemon -installs -appspawn -nwebspawn -nativespawn -cjappspawn -netsysnative -file_guard_server debug_only(`-hiprofiler_plugins -hiebpf') updater_only(`-updater') -rgm_violator_ohos_capability_sysadmin -rgm_violator_cap_sysadmin -module_update_service -prerogative_app } self:{ capability cap_userns } sys_admin;
+neverallow { domain -kernel -init -chipset_init -storage_daemon -installs -appspawn -nwebspawn -nativespawn -cjappspawn -netsysnative -file_guard_server debug_only(`-hiprofiler_plugins -hiebpf') updater_only(`-updater') -rgm_violator_ohos_capability_sysadmin -rgm_violator_cap_sysadmin -module_update_service -prerogative_app -backup_sa } self:{ capability cap_userns } sys_admin;
 neverallow { domain -init -chipset_init } self:{ capability cap_userns } sys_boot;
 neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -resource_schedule_executor -appspawn -blue_host -audio_server } self:{ capability cap_userns } sys_nice;
 neverallow { domain -init -chipset_init -memmgrservice -netsysnative debug_only(`-hiebpf') } self:{ capability cap_userns } sys_resource;
diff --git a/sepolicy/base/public/hap_domain.te b/sepolicy/base/public/hap_domain.te
index 09926ac8d..ebd48e608 100644
--- a/sepolicy/base/public/hap_domain.te
+++ b/sepolicy/base/public/hap_domain.te
@@ -192,19 +192,19 @@ neverallow { hap_domain } *:security { compute_av check_context };
 neverallow hap_domain fs_attr:filesystem ~getattr;
 #limit access to system_core_hap_data_file
-neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -download_server -system_core_hap_data_file_attr_violator_dir -distributedfiledaemon updater_only(`-updater') } system_core_hap_data_file_attr:dir_file_class_set { create unlink open };
+neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -download_server -system_core_hap_data_file_attr_violator_dir -distributedfiledaemon updater_only(`-updater') -backup_sa } system_core_hap_data_file_attr:dir_file_class_set { create unlink open };
 neverallow { system_basic_hap_attr normal_hap_attr } system_core_hap_data_file_attr:dir_file_class_set { create unlink open };
 #limit access to system_basic_hap_data_file
-neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -hiview -download_server -system_basic_hap_data_file_attr_violator_dir -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt updater_only(`-updater') } system_basic_hap_data_file_attr:dir_file_class_set { create unlink open };
+neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -hiview -download_server -system_basic_hap_data_file_attr_violator_dir -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt updater_only(`-updater') -backup_sa } system_basic_hap_data_file_attr:dir_file_class_set { create unlink open };
 neverallow { normal_hap_attr -normal_hap_system_basic_hap_data_file_violators } system_basic_hap_data_file_attr:dir_file_class_set { create unlink open };
 #limit access to normal_hap_data_file_attr
 neverallow { domain -hap_domain -installs -distributeddata -storage_daemon -hiview -download_server developer_only(`-input_isolate_debug_hap') -input_isolate_hap -appspawn -distributedfiledaemon
-file_migrate_hap_data_file_attr_violator_opt -rgm_violator_normal_hap_data_file_attr_dir_file_create_unlink updater_only(`-updater') } normal_hap_data_file_attr:dir_file_class_set { create unlink };
-neverallow { domain -hap_domain -installs -appspawn -nwebspawn -nativespawn -cjappspawn -distributeddata -storage_daemon -hiview -download_server developer_only(`-input_isolate_debug_hap') -input_isolate_hap -cloudfiledaemon -normal_hap_data_file_attr_violator_dir -rgm_violator_normal_hap_data_file_attr_dir -distributedfiledaemon -pasteboard_service developer_only(`-hdcd') updater_only(`-updater') -init -distributed_isolate_hap } normal_hap_data_file_attr:dir *;
+neverallow { domain -hap_domain -installs -appspawn -nwebspawn -nativespawn -cjappspawn -distributeddata -storage_daemon -hiview -download_server developer_only(`-input_isolate_debug_hap') -input_isolate_hap -cloudfiledaemon -normal_hap_data_file_attr_violator_dir -rgm_violator_normal_hap_data_file_attr_dir -distributedfiledaemon -pasteboard_service developer_only(`-hdcd') updater_only(`-updater') -init -distributed_isolate_hap -backup_sa } normal_hap_data_file_attr:dir *;
 neverallow { domain -hap_domain -installs -distributeddata -storage_daemon -hiview -download_server -input_isolate_hap -cloudfiledaemon -normal_hap_data_file_attr_violator_file_open -rgm_violator_normal_hap_data_file_attr_file_open -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt developer_only(`-hdcd -input_isolate_debug_hap') updater_only(`-updater') -init -distributed_isolate_hap } normal_hap_data_file_attr:file_class_set open;
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/public/backup_sa.te b/sepolicy/ohos_policy/filemanagement/app_file_service/public/backup_sa.te
new file mode 100644
index 000000000..e7fa9cc19
--- /dev/null
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/public/backup_sa.te
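Review bot: The exemption is wider than the allow rules need: backup_sa is removed from the `{ create unlink open }` neverallows on system_core_hap_data_file_attr and system_basic_hap_data_file_attr and from the `normal_hap_data_file_attr:dir *` neverallow, while system/backup_sa.te in this series only grants it `dir { getattr open read search }` on those attributes. Once exempted, a later allow of create or unlink on app data for backup_sa would no longer be caught at policy build time. I would split each of the first two rules so the create/unlink part keeps the original exception list and only an `open` rule carries `-backup_sa`, and for the `dir *` rule either narrow it the same way or put backup_sa on the existing normal_hap_data_file_attr_violator_dir attribute if that attribute's intended meaning fits (its definition is not visible here). Leaving the `file_class_set open` neverallow on the last context line untouched is consistent with the scanner being given directory permissions only, and that intent is worth stating in a comment next to the rules.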
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type backup_sa, sadomain, domain;
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
index 10cbfcb75..de6a48bf4 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
@@ -11,8 +11,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-type backup_sa, sadomain, domain;
-
 allow backup_sa sa_accesstoken_manager_service:samgr_class { get };
 allow backup_sa sa_foundation_abilityms:samgr_class { get };
 allow backup_sa sa_foundation_bms:samgr_class { get };
@@ -72,3 +70,22 @@ allow backup_sa data_log:file { create getattr open read append };
 allow backup_sa distributeddata:binder { call };
 allow backup_sa distributeddata:fd { use };
 allow backup_sa inputmethod_service:binder { call };
+
+allow backup_sa normal_hap_data_file_attr:dir { getattr open read search };
+allow backup_sa system_basic_hap_data_file_attr:dir { getattr open read search };
+allow backup_sa system_core_hap_data_file_attr:dir { getattr open read search };
+
+allow backup_sa data_app_el1_file:dir { getattr search };
+allow backup_sa data_app_el2_file:dir { getattr search };
+allow backup_sa data_app_el3_file:dir { getattr search };
+allow backup_sa data_app_el4_file:dir { getattr search };
+allow backup_sa data_app_el5_file:dir { getattr search };
+allow backup_sa hmdfs:dir { open read search };
+allow backup_sa data_service_el2_hmdfs:dir { read search };
+allow backup_sa data_user_file:dir { read search };
+allow backup_sa backup_sa:capability { dac_read_search };
+allow backup_sa backup_sa:capability { sys_admin };
+allow backup_sa dev_block_file:dir { search };
+allow backup_sa dev_block_file:lnk_file { read };
+allow backup_sa dev_block_volfile:lnk_file { search };
+allow backup_sa labeledfs:filesystem { quotaget };
-- 
Gitee
From b952c16ed26aea446fc1ad8ebd728967c80a7243 Mon Sep 17 00:00:00 2001
From: huhui
Date: Tue, 10 Jun 2025 21:31:34 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E5=A4=87=E4=BB=BD=E5=85=8B=E9=9A=86?=
 =?UTF-8?q?=E6=A1=86=E6=9E=B6=E6=94=AF=E6=8C=81=E6=96=87=E4=BB=B6=E6=89=AB?=
 =?UTF-8?q?=E6=8F=8F=E8=83=BD=E5=8A=9B=EF=BC=8C=E6=96=B0=E5=A2=9ESEHarmony?=
 =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: huhui
---
 .../filemanagement/app_file_service/system/backup_sa.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
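Review bot: `allow backup_sa data_service_el2_hmdfs:dir { read search }` and `allow backup_sa data_user_file:dir { read search }` grant read on a directory without `open`, whereas the hap-data and hmdfs rules above them include `open`; if the scanner opendir()s these paths rather than only traversing them, the open is denied and the read permission is dead, so this is worth confirming against an audit run of the scan before merging. The two `backup_sa:capability` lines can be a single rule, `allow backup_sa backup_sa:capability { dac_read_search sys_admin };`. The block carries no comment saying which feature it serves or that it is deliberately directory-only; I would head it with `# backup/clone file scan: directory traversal and quota query only, no file content access` so later additions can be judged against that scope.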
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
index de6a48bf4..29a07994f 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
@@ -87,5 +87,5 @@ allow backup_sa backup_sa:capability { dac_read_search };
 allow backup_sa backup_sa:capability { sys_admin };
 allow backup_sa dev_block_file:dir { search };
 allow backup_sa dev_block_file:lnk_file { read };
-allow backup_sa dev_block_volfile:lnk_file { search };
+allow backup_sa dev_block_volfile:dir { search };
 allow backup_sa labeledfs:filesystem { quotaget };
-- 
Gitee
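Review bot: This one-line correction (`lnk_file` to `dir` for dev_block_volfile) reuses the subject of patch 1 with no body, so the history does not record that patch 1 shipped a rule whose permission does not belong to its class: `search` is a dir permission, not a lnk_file one, so patch 1 on its own most likely fails at policy compile time. Since the series is meant to land together, squash this into patch 1 so every commit builds, or give it a subject that names the fix. A short comment on the rule, such as `# traverse the volume directory to resolve the block-device symlinks`, would also make the intent of `search` here clear without having to read the series.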