From 252bd2c91ec0679ed53d1590641269bb48ade894 Mon Sep 17 00:00:00 2001 From: caochuan Date: Mon, 24 Mar 2025 11:06:22 +0800 Subject: [PATCH 01/15] add ringtone selinux Signed-off-by: caochuan --- .../multimedia/media_library/system/medialibrary_hap.te | 2 +- .../multimedia/ringtone/system/ringtonelibrary_hap.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te index 42033cf3b..b4c75c58b 100644 --- a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te +++ b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te @@ -22,7 +22,7 @@ allow medialibrary_hap paramservice_socket:sock_file { write }; allow medialibrary_hap kernel:unix_stream_socket { connectto }; allow medialibrary_hap data_app_el2_file:file { append }; -neverallow { hap_domain -medialibrary_hap -system_basic_hap -init -samgr -hdf_devmgr } media_library_param:parameter_service { set }; +neverallow { hap_domain -ringtonelibrary_hap -medialibrary_hap -system_basic_hap -init -samgr -hdf_devmgr } media_library_param:parameter_service { set }; allow medialibrary_hap hmdfs:dir { ioctl }; allowxperm medialibrary_hap hmdfs:dir ioctl { 0xf547 0xf546 }; diff --git a/sepolicy/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te b/sepolicy/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te index c1b1f4cdf..ec84d0bd1 100644 --- a/sepolicy/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te +++ b/sepolicy/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te 
@@ -19,3 +19,7 @@ binder_call(ringtonelibrary_hap, privacy_service); allow storage_manager system_basic_hap:binder { call }; allow ringtonelibrary_hap mimetype_file:file { open read getattr }; allow ringtonelibrary_hap hmdfs:file {open read write getattr }; +allow ringtonelibrary_hap media_library_param:parameter_service { set }; +allow ringtonelibrary_hap kernel:unix_stream_socket { connectto }; +allow ringtonelibrary_hap paramservice_socket:sock_file { write }; +allow ringtonelibrary_hap media_library_param:file { map open read }; -- Gitee From d2ac619cd22e0d52092f2a234731cea93349ffa4 Mon Sep 17 00:00:00 2001 From: wzhhhh Date: Thu, 27 Mar 2025 12:22:40 +0800 Subject: [PATCH 02/15] =?UTF-8?q?DP=E9=85=8D=E7=BD=AE=E8=AF=BB=E5=8F=96sys?= =?UTF-8?q?=5Ffile=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: wangzhaohao --- .../deviceprofile/device_profile_core/system/deviceprofile.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te index fc119edfb..28869efeb 100755 --- a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te +++ b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te @@ -22,4 +22,6 @@ allow distributedsche data_service_el1_file:dir { ioctl }; allowxperm distributedsche data_service_el1_file:dir ioctl { 0xf546 0xf547 }; allow distributedsche sa_asset_service:samgr_class { get }; allow distributedsche asset_service:binder { call transfer }; +allow distributedsche sys_file:file { read }; +allow distributedsche sys_file:file { open }; -- Gitee From bfa823a7ce7cdde7fda1174a801046e50afe011d Mon Sep 17 00:00:00 2001 
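Review bot: The new `allow ringtonelibrary_hap media_library_param:parameter_service { set };`, together with the `-ringtonelibrary_hap` exemption added to the neverallow in medialibrary_hap.te in the previous hunk, lets the ringtone library set every parameter labelled media_library_param rather than the one it needs. If only a specific ringtone-related parameter is required, giving it its own type in parameter_contexts would keep the medialibrary neverallow untouched instead of growing its exemption list. At minimum a comment above the allow naming what is set, e.g. `# sets <media_library parameter name> (placeholder) on behalf of ringtone`, would let the next reviewer judge the scope.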
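Review bot: The two added rules `allow distributedsche sys_file:file { read };` and `allow distributedsche sys_file:file { open };` share source, target and class and should be one rule, `allow distributedsche sys_file:file { open read };`, matching the `{ call transfer }` style of the line above. Split one-permission rules for the same pair hide the full grant from anyone auditing the file. sys_file looks like a broad label; a comment naming the sysfs node the profile service actually reads would help confirm the grant is as narrow as intended, which I cannot tell from this hunk.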
From: zhenghui Date: Sat, 29 Mar 2025 11:48:22 +0800 Subject: [PATCH 03/15] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=87=8A=E6=94=BEoldTy?= =?UTF-8?q?peContext?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhenghui --- framework/policycoreutils/src/hap_restorecon.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/framework/policycoreutils/src/hap_restorecon.cpp b/framework/policycoreutils/src/hap_restorecon.cpp index 8b1d3ab3e..58a4ebfb4 100644 --- a/framework/policycoreutils/src/hap_restorecon.cpp +++ b/framework/policycoreutils/src/hap_restorecon.cpp @@ -522,6 +522,7 @@ int HapContext::HapDomainSetcontext(HapDomainInfo& hapDomainInfo) context_t con = nullptr; con = context_new(oldTypeContext); if (con == nullptr) { + FreeContext(oldTypeContext, con); return -SELINUX_PTR_NULL; } -- Gitee From 38ac9d1a603e17c773edabe0e56910297b76d4e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B0=A2=E5=87=AF=E6=98=8E?= Date: Sat, 15 Mar 2025 10:39:11 +0800 Subject: [PATCH 04/15] =?UTF-8?q?modify=20te=20filename=20Signed-off-by:?= =?UTF-8?q?=20=E8=B0=A2=E5=87=AF=E6=98=8E=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../system/{persist_custom_preload_param.te => custom_param.te} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sepolicy/ohos_policy/customization/config_policy/system/{persist_custom_preload_param.te => custom_param.te} (100%) diff --git a/sepolicy/ohos_policy/customization/config_policy/system/persist_custom_preload_param.te b/sepolicy/ohos_policy/customization/config_policy/system/custom_param.te similarity index 100% rename from sepolicy/ohos_policy/customization/config_policy/system/persist_custom_preload_param.te rename to sepolicy/ohos_policy/customization/config_policy/system/custom_param.te -- Gitee From fda7b029f9e5cb993c38784ca342f949a951140b Mon Sep 17 00:00:00 2001 
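Review bot: The added `FreeContext(oldTypeContext, con);` runs with `con` known to be nullptr at that point, so the fix only works if FreeContext tolerates a null context_t; that is not visible here, so please confirm it checks `con` before calling context_free, or release only the oldTypeContext buffer on this path. The other early returns in HapDomainSetcontext after oldTypeContext is obtained lie outside this hunk; if any of them return without this call they leak the same buffer and belong in the same change. A short comment such as `// con is null here; only oldTypeContext needs releasing` would make the intent explicit. HapDomainSetcontext starts and ends outside the hunk.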
From: liuyifei Date: Wed, 2 Apr 2025 17:35:16 +0800 Subject: [PATCH 05/15] add attributes for data_hilogd_file Signed-off-by: liuyifei --- .../ohos_policy/hiviewdfx/hilog/public/attributes | 14 ++++++++++++++ .../ohos_policy/hiviewdfx/hilog/system/hilogd.te | 3 ++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 sepolicy/ohos_policy/hiviewdfx/hilog/public/attributes diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/public/attributes b/sepolicy/ohos_policy/hiviewdfx/hilog/public/attributes new file mode 100644 index 000000000..ba62fde7d --- /dev/null +++ b/sepolicy/ohos_policy/hiviewdfx/hilog/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute data_hilogd_file_viloator; diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te index e07ed0ef5..fb6a54738 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te +++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te @@ -92,7 +92,8 @@ neverallow { domain -installs developer_only(`-wukong') - developer_only(`-hiprofiler_plugins') + developer_only(`-hiprofiler_plugins') + -data_hilogd_file_viloator -init -hilogd -hiview # write is covered next -- Gitee From a721db15ee3623c8ed7eab7fa5ad9c7a5d6d4b05 Mon Sep 17 00:00:00 2001 From: liuhaotian Date: Thu, 27 Mar 2025 19:06:34 +0800 Subject: [PATCH 06/15] add selinux for media_service 
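Review bot: The new attribute is spelled `data_hilogd_file_viloator`, both here and in the hilogd.te hunk that follows, where the rest of the policy uses "violator" (`unlabeled_dir_file_violators`, `data_local_tmp_violator_dir`); it builds because both places agree, but anyone grepping for violator attributes will miss it, so rename it to `data_hilogd_file_violator` before other .te files start carrying it. In hilogd.te the exemption is added to the neverallow unconditionally while its neighbours `-wukong` and `-hiprofiler_plugins` are wrapped in developer_only; if the attribute is only meant for debug domains, wrapping it in `developer_only(...)` the same way keeps the release invariant. A comment in the attributes file stating who may carry it, e.g. `# domains exempted from the data_hilogd_file neverallow in hilogd.te; every typeattribute needs review`, would make later additions visible. The `developer_only(`-hiprofiler_plugins')` line in hilogd.te is removed and re-added with no visible difference, which looks like whitespace churn worth dropping.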
Signed-off-by: liuhaotian Change-Id: I1d6d4489dcc34e9d84f497d27387a95561a00829 --- .../dfs_service/system/cloudfiledaemon.te | 2 ++ .../dfs_service/system/media_service.te | 15 +++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 sepolicy/ohos_policy/filemanagement/dfs_service/system/media_service.te diff --git a/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te b/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te index d59faf8e2..3c3fc044c 100644 --- a/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te +++ b/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te @@ -97,3 +97,5 @@ allow cloudfiledaemon sa_resource_schedule:samgr_class { get }; allow resource_schedule_service cloudfiledaemon:binder { call }; allow cloudfiledaemon media_service:dir { search }; allow cloudfiledaemon media_service:file { getattr open read }; +allow cloudfiledaemon sa_media_service:samgr_class { get }; +allow cloudfiledaemon media_service:binder { call transfer }; diff --git a/sepolicy/ohos_policy/filemanagement/dfs_service/system/media_service.te b/sepolicy/ohos_policy/filemanagement/dfs_service/system/media_service.te new file mode 100644 index 000000000..0eaff1fb6 --- /dev/null +++ b/sepolicy/ohos_policy/filemanagement/dfs_service/system/media_service.te 
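Review bot: The binder pairing between cloudfiledaemon and media_service is hand-written across this hunk (`media_service:binder { call transfer }`) and the new media_service.te in the next hunk (`cloudfiledaemon:binder { transfer }`, `cloudfiledaemon:fd { use }`); patch 01 of this series uses a `binder_call(...)` macro for the same kind of relation, and if that macro expands to the call/transfer/fd pairs, one `binder_call(cloudfiledaemon, media_service)` would replace all four lines and keep both directions in one place. As written media_service may transfer to cloudfiledaemon but not call it, so any callback from media_service would be denied, which is fine only if none exists and deserves a comment either way. The new file also lives under filemanagement/dfs_service while granting permissions to the media_service domain; a header comment such as `# media_service side of the cloudfiledaemon <-> media_service binder channel` would help whoever owns media_service find these rules.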
@@ -0,0 +1,15 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service cloudfiledaemon:binder { transfer }; +allow media_service cloudfiledaemon:fd { use }; -- Gitee From b03aa4db20a5ba3be1d85c35af21b12eb84fa1f0 Mon Sep 17 00:00:00 2001 From: lanhaoyu Date: Thu, 3 Apr 2025 14:00:59 +0800 Subject: [PATCH 07/15] Apply for permission Signed-off-by: lanhaoyu --- .../bundlemanager/bundle_framework/system/installs.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te b/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te index 3e0b774a0..4d4e5d85a 100644 --- a/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te +++ b/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te @@ -172,3 +172,5 @@ allow installs data_hilogd_file:dir { read_dir_perms_without_ioctl unlink relabe allow installs data_hilogd_file:file { read_file_perms_without_ioctl }; allow installs data_log:dir { read_dir_perms_without_ioctl unlink relabelto }; allow installs data_log:file { read_file_perms_without_ioctl }; +allow installs data_app_el2_file:file { ioctl open write }; +allowxperm installs data_app_el2_file:file ioctl { 0x5413 }; -- Gitee From d6cf7e1a08756cf19312e86e4dd544584f36e885 Mon Sep 17 00:00:00 2001 
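Review bot: The added `allowxperm installs data_app_el2_file:file ioctl { 0x5413 };` grants an ioctl whose low 16 bits match TIOCGWINSZ on Linux, a tty request that fails with ENOTTY on a regular file; if a different request with the same low bits is meant, a comment naming it is needed, and if it really is TIOCGWINSZ the rule looks like a debugging artefact rather than something the installer needs. The accompanying `allow installs data_app_el2_file:file { ioctl open write };` opens EL2 app-private data files for writing by the installer, a sensitive grant that the commit message "Apply for permission" does not explain, so a comment above the rule naming the use case, e.g. `# installs writes <reason> (placeholder) into app EL2 data files`, would let it be reviewed and later removed.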
From: luzhiye Date: Fri, 18 Apr 2025 09:24:45 +0000 Subject: [PATCH 08/15] =?UTF-8?q?=20=E6=96=B0=E5=A2=9Eusb=E6=9C=89?= =?UTF-8?q?=E7=BA=BF=E5=85=8B=E9=9A=86selinux=E6=9D=83=E9=99=90=205.1.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: luzhiye --- sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te index 1972aa183..3c3f9d5dc 100644 --- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te +++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te @@ -58,7 +58,7 @@ allow usb_service data_service_file:dir { search }; allow usb_service data_service_el1_file:dir { search }; allow usb_service data_service_el1_file:file { ioctl open read write getattr }; neverallow { domain -SP_daemon -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr } usb_setting_param:file { map open read }; -neverallow { domain -system_core_hap_attr -system_basic_hap_attr -usb_setting_param_attr } usb_setting_param:parameter_service {set}; +neverallow { domain -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr } usb_setting_param:parameter_service { set }; allow usb_service bootevent_param:file { map read open }; allow usb_service bootevent_samgr_param:file { map open read }; allow usb_service build_version_param:file { map open read }; 
@@ -128,3 +128,6 @@ allow usb_service dev_bus:dir { search }; allow normal_hap usb_service:binder { transfer }; allow usb_service normal_hap_attr :binder { call transfer }; allow usb_service normal_hap_attr:fd { use }; +allow usb_service paramservice_socket:sock_file { write }; +allow usb_service kernel:unix_stream_socket { connectto }; +allow usb_service usb_setting_param_attr:parameter_service { set }; \ No newline at end of file -- Gitee From 2b1091d79dd3fdf2f53cb3cf5ead114e5d085e68 Mon Sep 17 00:00:00 2001 From: luzhiye Date: Sat, 19 Apr 2025 02:04:55 +0000 Subject: [PATCH 09/15] update sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te. Signed-off-by: luzhiye --- sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te index 3c3f9d5dc..5a1ddc7a4 100644 --- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te +++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te @@ -130,4 +130,4 @@ allow usb_service normal_hap_attr :binder { call transfer }; allow usb_service normal_hap_attr:fd { use }; allow usb_service paramservice_socket:sock_file { write }; allow usb_service kernel:unix_stream_socket { connectto }; -allow usb_service usb_setting_param_attr:parameter_service { set }; \ No newline at end of file +allow usb_service usb_setting_param_attr:parameter_service { set }; -- Gitee From ba8bcc1d3049dffe25a8c3a5ca7b7afd62986821 Mon Sep 17 00:00:00 2001 From: Axi_Beft Date: Fri, 25 Apr 2025 17:14:25 +0800 Subject: [PATCH 10/15] data_share add qos Signed-off-by: Axi_Beft --- .../distributeddatamgr/system/distributeddata.te | 2 ++ 1 file changed, 2 insertions(+) 
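Review bot: The new `allow usb_service usb_setting_param_attr:parameter_service { set };` targets the attribute, while the neverallow relaxed in the first hunk of this file (`@@ -58,7`) exempts usb_service only for the type usb_setting_param; if other parameter types carry usb_setting_param_attr, usb_service may set them too, which is wider than the neverallow exemption suggests. If only that one type is needed, `allow usb_service usb_setting_param:parameter_service { set };` keeps the allow and the neverallow in step; otherwise a comment listing what the attribute covers would do.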
diff --git a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te index 850ea01d7..ec2006bc8 100644 --- a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te +++ b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te @@ -230,3 +230,5 @@ allow distributeddata data_service_el2_pasteboard_service:file { read write crea allowxperm distributeddata data_service_el2_pasteboard_service:dir ioctl { 0xf546 }; allowxperm distributeddata data_service_el2_pasteboard_service:file ioctl { 0xf50c 0xf546 }; allow distributeddata usb_service:binder { transfer }; +allow distributeddata concurrent_task_service:binder { call }; +allow distributeddata sa_concurrent_task_service:samgr_class { get }; -- Gitee From 5743cd560bca92dd219b20feb63f59a11ec13383 Mon Sep 17 00:00:00 2001 From: zzhcharmer Date: Sun, 27 Apr 2025 15:21:01 +0800 Subject: [PATCH 11/15] =?UTF-8?q?=E5=9B=9E=E9=80=805.1=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zzhcharmer --- .../policycoreutils/src/hap_restorecon.cpp | 17 ---------- .../policycoreutils/include/hap_restorecon.h | 1 - scripts/build_contexts.py | 3 +- sepolicy/base/public/normal_hap.te | 4 +-- test/unittest/hap_restorecon/unit_test.cpp | 33 +------------------ 5 files changed, 4 insertions(+), 54 deletions(-) diff --git a/framework/policycoreutils/src/hap_restorecon.cpp b/framework/policycoreutils/src/hap_restorecon.cpp index 58a4ebfb4..56a38a8f6 100644 --- a/framework/policycoreutils/src/hap_restorecon.cpp +++ b/framework/policycoreutils/src/hap_restorecon.cpp 
@@ -60,7 +60,6 @@ static const std::string EXTENSION_PREFIX = "extension="; static const std::string DEBUGGABLE = "debuggable"; static const std::string DLPSANDBOX = "dlp_sandbox"; static const std::string INPUT_ISOLATE = "input_isolate"; -static const std::string CUSTOMSANDBOX = "custom_sandbox"; static const char *DEFAULT_CONTEXT = "u:object_r:unlabeled:s0"; static const int CONTEXTS_LENGTH_MIN = 20; // sizeof("apl=x domain= type=") static const int CONTEXTS_LENGTH_MAX = 1024; @@ -145,8 +144,6 @@ static struct SehapInfo DecodeString(const std::string &line, bool &isValid) contextBuff.extra |= SELINUX_HAP_DLP; } else if (extra == INPUT_ISOLATE) { contextBuff.extra |= SELINUX_HAP_INPUT_ISOLATE; - } else if (extra == CUSTOMSANDBOX) { - contextBuff.extra |= SELINUX_HAP_CUSTOM_SANDBOX; } else { selinux_log(SELINUX_ERROR, "invalid extra %s\n", extra.c_str()); isValid = false; @@ -190,12 +187,6 @@ static std::string GetHapContextKey(const struct SehapInfo *hapInfo) } } else if (hapInfo->extra & SELINUX_HAP_DLP) { keyPara = hapInfo->apl + "." + DLPSANDBOX; - } else if (hapInfo->extra & SELINUX_HAP_CUSTOM_SANDBOX) { - if (hapInfo->debuggable) { - keyPara = hapInfo->apl + "." + DEBUGGABLE + "." + CUSTOMSANDBOX + "." + hapInfo->name; - } else { - keyPara = hapInfo->apl + "." + CUSTOMSANDBOX + "." + hapInfo->name; - } } else if (hapInfo->debuggable) { keyPara = hapInfo->apl + "." + DEBUGGABLE; } else if (!hapInfo->name.empty()) { 
@@ -584,14 +575,6 @@ int HapContext::HapContextsLookup(const HapContextParams ¶ms, bool isDomain, } else if (params.hapFlags & SELINUX_HAP_DLP) { keyPara = params.apl + "." + DLPSANDBOX; selinux_log(SELINUX_INFO, "dlpsandbox hap, keyPara: %s", keyPara.c_str()); - } else if (params.hapFlags & SELINUX_HAP_CUSTOM_SANDBOX) { - if (params.hapFlags & SELINUX_HAP_DEBUGGABLE) { - keyPara = params.apl + "." + DEBUGGABLE + "." + CUSTOMSANDBOX + "." + params.packageName; - selinux_log(SELINUX_INFO, "customsandbox debug hap, keyPara: %s", keyPara.c_str()); - } else { - keyPara = params.apl + "." + CUSTOMSANDBOX + "." + params.packageName; - selinux_log(SELINUX_INFO, "customsandbox hap, keyPara: %s", keyPara.c_str()); - } } else if (params.hapFlags & SELINUX_HAP_RESTORECON_PREINSTALLED_APP) { keyPara = params.apl + "." + params.packageName; selinux_log(SELINUX_INFO, "preinstall hap, keyPara: %s", keyPara.c_str()); diff --git a/interfaces/policycoreutils/include/hap_restorecon.h b/interfaces/policycoreutils/include/hap_restorecon.h index ce73b2428..7f3a80968 100644 --- a/interfaces/policycoreutils/include/hap_restorecon.h +++ b/interfaces/policycoreutils/include/hap_restorecon.h @@ -28,7 +28,6 @@ #define SELINUX_HAP_DEBUGGABLE 2 // whether it is a debuggable hap #define SELINUX_HAP_DLP 4 // whether it is dlp hap #define SELINUX_HAP_INPUT_ISOLATE 8 // whether it is input_isolate hap -#define SELINUX_HAP_CUSTOM_SANDBOX 16 // whether it is custom sandbox hap // parameters of each SehapInfo in file sehap_contexts struct SehapInfo { diff --git a/scripts/build_contexts.py b/scripts/build_contexts.py index 45820bfa2..1a223e073 100755 --- a/scripts/build_contexts.py +++ b/scripts/build_contexts.py 
@@ -193,8 +193,7 @@ def sehap_check_line(line, line_index, contexts_write, domain, contexts_file): pattern = re.compile( r'apl=(system_core|system_basic|normal)\s+' - r'(debuggable=\S+\s+)?' - r'(name=\S+\s+)?' + r'((name|debuggable)=\S+\s+)?' r'(extra=\S+\s+)?' r'(extension=\S+\s+)?' r'domain=(\S+)\s+' diff --git a/sepolicy/base/public/normal_hap.te b/sepolicy/base/public/normal_hap.te index ac21aa49f..74bf59989 100644 --- a/sepolicy/base/public/normal_hap.te +++ b/sepolicy/base/public/normal_hap.te @@ -21,8 +21,8 @@ irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv isdn_socket phonet_socket ieee802154_socket caif_socket nfc_socket vsock_socket vsock_host_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *; -neverallow { normal_hap_attr -violator_hap_netlink_kobject_uevent_socket } *:netlink_kobject_uevent_socket *; -neverallow { normal_hap_attr -violator_hap_netlink_kobject_uevent_socket } domain:netlink_kobject_uevent_socket *; +neverallow { normal_hap_attr developer_only(`-violator_hap_netlink_kobject_uevent_socket') } *:netlink_kobject_uevent_socket *; +neverallow { normal_hap_attr developer_only(`-violator_hap_netlink_kobject_uevent_socket') } domain:netlink_kobject_uevent_socket *; neverallow normal_hap_attr *:{ netlink_route_socket netlink_selinux_socket } ioctl; diff --git a/test/unittest/hap_restorecon/unit_test.cpp b/test/unittest/hap_restorecon/unit_test.cpp index c7859cf8d..4c6401f0e 100644 --- a/test/unittest/hap_restorecon/unit_test.cpp +++ b/test/unittest/hap_restorecon/unit_test.cpp 
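Review bot: The replacement `r'((name|debuggable)=\S+\s+)?'` contains a nested capture group, so the total group count equals the two groups it replaces and `domain=(\S+)` keeps its index; if sehap_check_line reads groups by number further down (outside this hunk), that nesting is load-bearing and looks accidental. Either comment it, `# inner group kept so later group() indices are unchanged`, or use `(?:name|debuggable)` and re-check every group index in the function. The new pattern also accepts at most one of name= or debuggable=, whereas the old one accepted both in that order; this matches the removed sandbox test lines but rejects previously valid sehap_contexts lines, which the commit message should state. sehap_check_line starts and ends outside the hunk.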
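Review bot: Wrapping `-violator_hap_netlink_kobject_uevent_socket` in developer_only removes the exemption from release policy, which is the right direction, but the attribute and any domains that carry it (declared outside this hunk) must then also be developer_only: a release build that still contains a type with that attribute plus an allow on netlink_kobject_uevent_socket fails the neverallow check at policy compile time. Please confirm the typeattribute lines are guarded the same way, and consider a comment above the pair, `# violators only exist in developer builds; release policy has no exemption`, so the intent survives the next merge.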
@@ -58,7 +58,6 @@ const static std::string INVALID_APL = "invalid_apl"; const static std::string TEST_HAP_BUNDLE_NAME = "com.hap.selftest"; const static std::string TEST_HAP_BUNDLE_NAME_WITH_NO_CONTEXTS = "com.ohos.test"; const static std::string TEST_HAP_BUNDLE_NAME_FOR_INVALID_CONTEXTS = "com.hap.selftest_invalid"; -const static std::string TEST_HAP_BUNDLE_NAME_FOR_TEST_SANDBOX = "com.hap.test_sandbox"; const static std::string TEST_HAP_DATA_FILE_LABEL = "u:object_r:selftest_hap_data_file:s0"; @@ -76,8 +75,6 @@ const static std::string TEST_EXTENSION = "extension_test_ability"; const static std::string TEST_SAME_EXTENSION = "extension_same_ability"; const static std::string TEST_DEBUG_EXTENSION = "extension_test_debug_ability"; const static std::string TEST_NORMAL_DOMAIN_WITH_CATEGORY = "o:r:normal_hap:s0:x214,x486,x514,x868,x1024"; -const static std::string TEST_SANDBOX_HAP_DOMAIN = "u:r:test_sandbox_hap:s0"; -const static std::string TEST_SANDBOX_HAP_DATA_TYPE = "u:r:test_sandbox_hap_data_file:s0"; const static uint32_t TEST_UID = 20190166; const static std::string SEHAP_CONTEXTS_FILE = "/data/test/sehap_contexts"; @@ -203,11 +200,7 @@ static void GenerateTestFile() "apl=normal domain=extension_test_hap extension=extension_test_ability", "apl=normal domain=extension_test_same_hap extension=extension_same_ability", "apl=normal debuggable=true domain=extension_test_debug_hap extension=extension_test_debug_ability", - "apl=normal name=com.hap.selftest domain=extension_test_preinstall_hap extension=extension_test_ability", - "apl=normal name=com.hap.test_sandbox extra=custom_sandbox domain=test_sandbox_hap \ - type=test_sandbox_hap_data_file", - "apl=normal debuggable=true name=com.hap.test_sandbox extra=custom_sandbox domain=test_sandbox_hap \ - type=test_sandbox_hap_data_file"}; + "apl=normal name=com.hap.selftest domain=extension_test_preinstall_hap extension=extension_test_ability"}; ASSERT_EQ(true, WriteFile(SEHAP_CONTEXTS_FILE, sehapInfo)); } 
@@ -726,18 +719,6 @@ HWTEST_F(SelinuxUnitTest, HapContextsLookup001, TestSize.Level1) EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, true, con)); EXPECT_STREQ(context_str(con), DLP_HAP_DOMAIN.c_str()); - params.apl = NORMAL_APL; - params.packageName = TEST_HAP_BUNDLE_NAME_FOR_TEST_SANDBOX; - params.hapFlags = SELINUX_HAP_CUSTOM_SANDBOX; - EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, true, con)); - EXPECT_STREQ(context_str(con), TEST_SANDBOX_HAP_DOMAIN.c_str()); - - params.apl = NORMAL_APL; - params.packageName = TEST_HAP_BUNDLE_NAME_FOR_TEST_SANDBOX; - params.hapFlags = SELINUX_HAP_CUSTOM_SANDBOX | SELINUX_HAP_DEBUGGABLE; - EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, true, con)); - EXPECT_STREQ(context_str(con), TEST_SANDBOX_HAP_DOMAIN.c_str()); - params.apl = NORMAL_APL; params.packageName = EMPTY_STRING; params.hapFlags = 0; @@ -791,18 +772,6 @@ HWTEST_F(SelinuxUnitTest, HapContextsLookup002, TestSize.Level1) EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, false, con)); EXPECT_STREQ(context_str(con), DLP_HAP_DATA_TYPE.c_str()); - params.apl = NORMAL_APL; - params.packageName = TEST_HAP_BUNDLE_NAME_FOR_TEST_SANDBOX; - params.hapFlags = SELINUX_HAP_CUSTOM_SANDBOX; - EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, false, con)); - EXPECT_STREQ(context_str(con), TEST_SANDBOX_HAP_DATA_TYPE.c_str()); - - params.apl = NORMAL_APL; - params.packageName = TEST_HAP_BUNDLE_NAME_FOR_TEST_SANDBOX; - params.hapFlags = SELINUX_HAP_CUSTOM_SANDBOX | SELINUX_HAP_DEBUGGABLE; - EXPECT_EQ(SELINUX_SUCC, test.HapContextsLookup(params, false, con)); - EXPECT_STREQ(context_str(con), TEST_SANDBOX_HAP_DATA_TYPE.c_str()); - freecon(oldTypeContext); context_free(con); } -- Gitee From c3859568700f1fd4dbc02e49d32fddca6f3426b9 Mon Sep 17 00:00:00 2001 
From: 15091282640 Date: Fri, 8 Aug 2025 17:05:18 +0800 Subject: [PATCH 12/15] =?UTF-8?q?=E5=90=88=E5=85=A5=E9=83=A8=E5=88=86?= =?UTF-8?q?=E7=AD=96=E7=95=A5=EF=BC=8C=E7=B3=BB=E7=BB=9F=E5=90=AF=E5=8A=A8?= =?UTF-8?q?=E6=AD=A3=E5=B8=B8=EF=BC=8C=E6=97=A0=E7=BA=BF=E9=81=A5=E6=8E=A7?= =?UTF-8?q?=E5=99=A8=E6=97=A0=E6=B3=95=E6=8E=A7=E5=88=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sepolicy/base/public/domain.te | 43 +++++----- sepolicy/base/public/file.te | 1 + sepolicy/base/public/hap_domain.te | 10 +-- sepolicy/base/public/init.te | 5 ++ sepolicy/base/public/parameter.te | 2 + sepolicy/base/public/sadomain.te | 2 +- sepolicy/base/public/system_core_hap.te | 19 +++++ sepolicy/base/public/type.te | 11 ++- sepolicy/base/system/system_domain.te | 16 ++-- sepolicy/base/te/accessibility.te | 1 + sepolicy/base/te/audio_server.te | 6 ++ sepolicy/base/te/bootanimation.te | 18 ++++ sepolicy/base/te/camera_service.te | 10 +++ sepolicy/base/te/console.te | 11 +++ sepolicy/base/te/deviceauth_service.te | 3 + sepolicy/base/te/deviceinfoservice.te | 2 +- sepolicy/base/te/dhardware.te | 9 ++ sepolicy/base/te/distributedsche.te | 4 + sepolicy/base/te/drm_service.te | 1 + sepolicy/base/te/dslm_service.te | 5 ++ sepolicy/base/te/faultloggerd.te | 2 + sepolicy/base/te/foundation.te | 3 + sepolicy/base/te/hilogd.te | 2 + sepolicy/base/te/hiview.te | 16 ++++ sepolicy/base/te/huks_service.te | 3 + sepolicy/base/te/inputmethod_service.te | 7 ++ sepolicy/base/te/kernel.te | 2 +- sepolicy/base/te/memmgrservice.te | 4 + sepolicy/base/te/mmi_uinput_service.te | 2 + sepolicy/base/te/multimodalinput.te | 6 +- sepolicy/base/te/netmanager.te | 6 ++ sepolicy/base/te/netsysnative.te | 3 + sepolicy/base/te/nwebspawn.te | 3 + sepolicy/base/te/processdump.te | 6 ++ sepolicy/base/te/render_service.te | 11 ++- sepolicy/base/te/resource_schedule_service.te | 4 + sepolicy/base/te/samgr.te | 2 +- sepolicy/base/te/sensors.te | 1 + 
sepolicy/base/te/softbus_server.te | 14 ++- sepolicy/base/te/storage_manager.te | 3 + sepolicy/base/te/su.te | 43 ++++++++++ sepolicy/base/te/system_basic_hap.te | 10 +++ sepolicy/base/te/system_core_hap.te | 3 + sepolicy/base/te/time_service.te | 8 ++ sepolicy/base/te/wifi_hal_service.te | 1 + .../sandbox_manager/system/init.te | 1 + .../sandbox_manager/system/sandbox_manager.te | 3 + .../account/os_account/system/accountmgr.te | 4 + .../account/os_account/system/useriam.te | 1 + .../system/intell_voice_service.te | 6 +- .../arkXtest/arkXtest/system/param_watcher.te | 6 +- .../bundle_framework/system/installs.te | 3 +- .../public/service_contexts | 14 +++ .../cast_engine_service/public/type.te | 14 +++ .../system/audio_server.te | 15 ++++ .../system/cast_engine_service.te | 60 +++++++++++++ .../system/device_manager.te | 14 +++ .../cast_engine_service/system/init.te | 15 ++++ .../cast_engine_service/system/normal_hap.te | 15 ++++ .../system/softbus_server.te | 14 +++ .../system/system_basic_hap.te | 15 ++++ .../system/system_core_hap.te | 15 ++++ .../bluetooth/system/blue_host.te | 9 ++ .../bluetooth/system/bluetooth_service.te | 19 ++++- .../bluetooth/system/rcu_host.te | 85 +++++++++++++++++++ .../netmanager/system/netmanager.te | 1 + .../wifi/system/wifi_manager_service.te | 3 + .../developtools/hdc/public/type.te | 1 + .../developtools/hdc/system/hdcd.te | 2 +- .../developtools/profiler/system/other.te | 9 +- .../developtools/smartperf/system/console.te | 4 +- .../system/distributeddata.te | 8 ++ .../fileshare/public/service.te | 14 +++ .../fileshare/public/type.te | 14 +++ .../fileshare/system/service_contexts | 14 +++ .../device_manager/system/device_manager.te | 3 + .../system/dhardware.te | 3 +- .../distributed_input/system/dhardware.te | 3 + .../distributedsche/system/distributedsche.te | 6 +- .../distributedschedule/samgr/system/samgr.te | 2 +- .../drivers/adapter/public/hdf_service.te | 1 + .../adapter/public/hdf_service_contexts | 2 + 
.../drivers/adapter/public/type.te | 1 + .../drivers/adapter/vendor/hdf_devmgr.te | 7 ++ .../system/hdf_ext_devmgr.te | 8 ++ .../peripheral/audio/vendor/audio_host.te | 6 ++ .../peripheral/camera/vendor/camera_host.te | 1 + .../clearplay/vendor/clearplay_host.te | 2 + .../peripheral/clearplay/vendor/init.te | 1 + .../display/vendor/allocator_host.te | 12 +++ .../display/vendor/composer_host.te | 10 +++ .../input/vendor/input_user_host.te | 1 + .../vendor/intell_voice_host.te | 3 + .../peripheral/power/vendor/power_host.te | 2 + .../useriam/vendor/pin_auth_host.te | 2 + .../peripheral/wlan/vendor/wifi_host.te | 1 + .../dsoftbus/system/softbus_server.te | 2 +- .../app_file_service/system/backup_sa.te | 8 ++ .../file_api/system/hap_domain.te | 2 +- .../storage_service/system/storage_daemon.te | 1 + .../hiviewdfx/hilog/public/hilog.te | 15 ++++ .../hiviewdfx/hilog/system/hilog.te | 7 +- .../hiviewdfx/hilog/system/hilogd.te | 2 + .../hiviewdfx/hiview/system/init.te | 2 +- .../system/input_isolate_hap.te | 2 + .../system/inputmethod_service.te | 1 + .../multimedia/audio/public/type.te | 2 +- .../multimedia/audio/system/audio_server.te | 6 ++ .../av_codec/system/av_codec_service.te | 2 + .../multimedia/av_codec/system/init.te | 1 + .../camera/system/camera_service.te | 2 +- .../media_library/system/medialibrary_hap.te | 2 + .../system/bgtaskmgr_service.te | 4 +- .../system/concurrent_task_service.te | 7 ++ .../system/resource_schedule_service.te | 4 +- .../system/ressched_executor.te | 6 ++ .../access_token/system/access_token.te | 3 + .../security/access_token/system/privacy.te | 3 + .../security/asset/system/asset_service.te | 7 ++ .../code_signature/system/key_enable.te | 3 + .../security/code_signature/system/su.te | 1 + .../system/dlp_permission_service.te | 7 ++ .../security_guard/system/security_guard.te | 8 ++ .../sharing_service/system/sharing_service.te | 9 ++ .../startup/appspawn/system/appspawn.te | 9 ++ .../startup/init/public/chipset_init.te | 12 +++ 
.../startup/init/public/parameter.te | 2 +- .../ohos_policy/startup/init/system/init.te | 19 +++-- .../startup/init/system/param_watcher.te | 3 + .../startup/init/system/ueventd.te | 11 ++- .../startup/init/system/watchdog_service.te | 2 + .../tee/tee_client/system/cadaemon.te | 6 ++ .../tee/tee_client/vendor/teecd.te | 1 + .../ohos_policy/update/updater/system/init.te | 9 +- .../update/updater/system/updater.te | 2 +- .../update/updater/system/updater_binary.te | 4 +- .../update/updater/system/write_updater.te | 3 +- .../update/updater_sa/system/time_service.te | 1 + .../usb/usb_manager/system/usb_service.te | 7 ++ .../useriam/user_auth/system/useriam.te | 1 + .../web/webview/system/normal_hap.te | 2 +- 141 files changed, 946 insertions(+), 86 deletions(-) create mode 100755 sepolicy/base/te/su.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/public/service_contexts create mode 100755 sepolicy/ohos_policy/cast_engine_service/public/type.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/audio_server.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/device_manager.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/init.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/normal_hap.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/softbus_server.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/system_basic_hap.te create mode 100755 sepolicy/ohos_policy/cast_engine_service/system/system_core_hap.te create mode 100755 sepolicy/ohos_policy/communication/bluetooth/system/rcu_host.te create mode 100755 sepolicy/ohos_policy/distributeddatamgr/fileshare/public/service.te create mode 100755 sepolicy/ohos_policy/distributeddatamgr/fileshare/public/type.te create mode 100755 sepolicy/ohos_policy/distributeddatamgr/fileshare/system/service_contexts create mode 
100755 sepolicy/ohos_policy/hiviewdfx/hilog/public/hilog.te
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index 5d9e2c2b5..34b34920b 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -99,9 +99,9 @@ neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -rgm_vio #neverallow { domain -init -foundation } data_file:dir { write add_name remove_name }; # /data/local/tmp dir using for debug. -neverallow { domain developer_only(`-wukong -atm -snapshot_display -bm -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') } data_local_tmp:dir never_write_dir; +neverallow { domain developer_only(`-wukong -atm -snapshot_display -bm -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') -wifi_hal_service -su } data_local_tmp:dir never_write_dir; -neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') } data_local_tmp:dir { open search }; +neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -wifi_hal_service -su } data_local_tmp:dir { open search }; # only samgr can be binder manager. 
neverallow { domain -samgr } *:binder set_context_mgr; @@ -173,7 +173,7 @@ neverallow * ~hdf_service_attr:hdf_devmgr_class ~list; neverallow * ~hdf_devmgr:hdf_devmgr_class list; # Please set parammeter label in parameter_contexts -neverallow domain default_param:parameter_service *; +neverallow { domain -composer_host } default_param:parameter_service *; # Please set service label in service_contexts neverallow domain default_service:samgr_class *; @@ -186,7 +186,7 @@ neverallow limit_domain *:file *; neverallow domain limit_domain:binder *; # every file should have a label. The unlabeled file shouldn't be accessed. -neverallow { domain -appspawn -init -kernel updater_only(`-updater') -unlabeled_dir_file_violators -rgm_violator_ohos_unlabeled_file -installs -storage_daemon } unlabeled:dir_file_class_set *; +neverallow { domain -appspawn -init -kernel updater_only(`-updater') -unlabeled_dir_file_violators -rgm_violator_ohos_unlabeled_file -installs -storage_daemon -su } unlabeled:dir_file_class_set *; # keep selinuxfs safe. neverallow * kernel:security { load_policy setenforce setbool }; 
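Review bot: The `-su` exemptions added to both data_local_tmp rules here (and to the unlabeled rule in the @@ -186 hunk, plus the sh_exec, setuid and vendor_file getattr rules later in this series) only matter because the type.te hunk of this patch moves `type su` and `type console` out of `debug_only(...)`, so a root-shell domain now exists in every build flavour. If the intent is debugging, keep the declarations inside `debug_only(...)` and guard the new exemptions the same way, e.g. `debug_only(`-su')` in the exclusion lists; if su is meant to ship, the commit message should say so and the domain needs its own neverallow coverage. `-wifi_hal_service` gaining write access to /data/local/tmp is also unexplained by the hunk, given the comment above states this directory is for debugging only.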
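Review bot: `neverallow { domain -composer_host } default_param:parameter_service *;` exempts a domain from the rule whose own comment says the fix is to label the parameter in parameter_contexts. Exempting composer_host lets it set every parameter that falls back to the default label, which is far wider than whatever single parameter it needs; declare a dedicated `*_param` type in parameter_contexts and allow `composer_host <that_param>:parameter_service { set }` instead, keeping this line as `neverallow domain default_param:parameter_service *;`.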
@@ -207,25 +207,25 @@ neverallow * self:process { execstack execheap }; # allow at /home/last/bb/h1/cc/out/rk3568/obj/base/security/selinux/ohos.cil:11230 # (allow riladapter_host dev_file (chr_file (ioctl read write open))) # -neverallow { domain -init -ueventd -riladapter_host debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file } dev_file:{ file chr_file blk_file } *; +neverallow { domain -init -ueventd -riladapter_host debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file -blue_host -rcu_host -composer_host -system_basic_hap -allocator_host -render_service -audio_host -bootanimation -chipset_init } dev_file:{ file chr_file blk_file } *; #todo change file label for sock file #neverallow { domain -ueventd -riladapter_host } dev_file:sock_file *; -neverallow { domain -kernel -init -chipset_init -misc -updater_sa -storage_daemon -partitionslot_host updater_only(`-updater ') -updater_binary -dev_attr_violator -sys_installer_sa -write_updater -rgm_violator_ohos_dev_blk_file -module_update_service } dev_attr:blk_file { open read write }; +neverallow { domain -kernel -init -chipset_init -misc -updater_sa -storage_daemon -partitionslot_host -updater -updater_binary -dev_attr_violator -sys_installer_sa -write_updater -rgm_violator_ohos_dev_blk_file -module_update_service } dev_attr:blk_file { open read write }; neverallow { updater_sa sys_installer_sa write_updater } {dev_attr -updater_block_file}:blk_file { open read write }; neverallow { module_update_service } {dev_attr -dev_block_file}:blk_file { open read write }; # fs operation limit neverallow { domain -filesystem_violator } *:filesystem ~{ getattr mount remount unmount relabelfrom relabelto quotaget quotamod }; -neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nativespawn_mount_filesystem_violator -netsysnative -rgm_violator_filesystem_mount updater_only(`-updater') -module_update_service } *:filesystem mount; +neverallow { domain -init 
-storage_daemon -appspawn -cjappspawn -nativespawn_mount_filesystem_violator -netsysnative -rgm_violator_filesystem_mount -updater -module_update_service } *:filesystem mount; neverallow { domain -init -appspawn -rgm_violator_ohos_filesystem_remount } *:filesystem remount; -neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nwebspawn -nativespawn updater_only(`-updater') -rgm_violator_ohos_filesystem_unmount -module_update_service } *:filesystem unmount; +neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nwebspawn -nativespawn -updater -rgm_violator_ohos_filesystem_unmount -module_update_service } *:filesystem unmount; neverallow { domain -init -storage_daemon -rgm_violator_filesystem_relabelfrom -appspawn } *:filesystem relabelfrom; neverallow { domain -init -storage_daemon -appspawn } *:filesystem relabelto; neverallow { domain -storage_daemon -installs -init updater_only(`-updater') } *:filesystem quotaget; neverallow { domain -storage_daemon -init updater_only(`-updater') } *:filesystem quotamod; -neverallow { domain updater_only(`-updater -updater_binary -init')} rootfs:file { create write setattr relabelto append unlink link rename }; +neverallow { domain updater_only(`-updater_binary -init') -updater } rootfs:file { create write setattr relabelto append unlink link rename }; neverallow { domain -init -proc_sys_writer } { proc_attr sysfs_attr }:dir { add_name create link rename remove_name reparent rmdir write }; 
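Review bot: The dev_file exclusion list now contains `-system_basic_hap`, an application domain, next to eight native domains; dev_file is the fallback label for device nodes, and the comment two lines above (`allow riladapter_host dev_file ...`) documents exactly the under-labelling this rule exists to catch. Each new exemption should instead be resolved by giving the node its own `dev_*` type in file_contexts; the bootanimation.te hunk in this series, which allows `dev_file:chr_file` with raw ioctl numbers, shows the pattern that results otherwise. Replacing `updater_only(`-updater')` with a bare `-updater` in the dev_attr, mount, unmount and rootfs rules also removes the build-flavour guard, so updater is exempt in normal images too; if intentional, the commit message should state it. The hunk's mount rule starts on the previous physical line.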
@@ -272,11 +272,11 @@ neverallow { appspawn storage_daemon udevd resource_schedule_service ispserver } #ensure no write access to readonly filesystem. -neverallow { domain updater_only(`-init -updater -updater_binary')} { rootfs system_file_attr vendor_file_attr }:dir never_write_dir; -neverallow { domain updater_only(`-init -updater -updater_binary')} { rootfs system_file_attr vendor_file_attr }:file never_write_file; +neverallow { domain updater_only(`-init -updater_binary') -appspawn -updater } { rootfs system_file_attr vendor_file_attr }:dir never_write_dir; +neverallow { domain updater_only(`-init -updater_binary') -updater } { rootfs system_file_attr vendor_file_attr }:file never_write_file; #limit domain access to sh_exec -neverallow { domain developer_only(`-wukong -aa -hdcd -sh -hnp -hnp_hap_domain_attr') -init -faultloggerd -riladapter_host -appspawn +neverallow { domain developer_only(`-wukong -aa -hdcd -sh -hnp -hnp_hap_domain_attr') -init -faultloggerd -riladapter_host -appspawn -su debug_only(`-hiprofiler_cmd -hiprofiler_plugins -hiprofilerd -native_daemon -camera_host -aa') -hidumper_service -SP_daemon -test_server -netsysnative -wifi_hal_service -sh_exec_violator -rgm_violator_ohos_sh_exec_file_execute -cupsd -print_driver} sh_exec:file execute; 
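Review bot: `-appspawn` is added to the never_write_dir rule for rootfs/system_file_attr/vendor_file_attr directories but not to the never_write_file rule directly below it, so appspawn may now modify entries of read-only-filesystem directories while still being barred from file contents; the hunk does not say which directory needs this. If the need is a mount point, a `mounton` grant on a dedicated type (as `allow appspawn data_log:dir { getattr mounton }` does elsewhere in this series) is narrower than lifting the directory-write guard. As in the @@ -207 hunk, `updater_only(`-updater')` became an unconditional `-updater` on both lines.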
@@ -294,36 +294,37 @@ neverallow isolated_render {domain -isolated_render}:process ptrace; # means that only init can have the caps of chown. # TODO:debug/release neverallow { domain -appspawn -chipset_init -init -ueventd -installs -storage_daemon -cap_violator_chown -rgm_violator_cap_chown updater_only(`-updater') -distributedfiledaemon -rgm_violator_ohos_capability_chown -download_server -media_service -prerogative_app} self:{ capability cap_userns } chown; -neverallow { domain -appspawn -cjappspawn -init -chipset_init -ueventd -memmgrservice -resource_schedule_executor +neverallow { domain -appspawn -cjappspawn -init -chipset_init -ueventd -memmgrservice -resource_schedule_executor -wifi_host -installs updater_only(`-updater') - -storage_daemon -usb_host -cap_violator_dacoverride developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_capability_dacoverride } self:{ capability cap_userns } dac_override; -neverallow { domain -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp -hap_domain_self_violators') -hnp_violator -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch } self:{ capability cap_userns } dac_read_search; + -storage_daemon -usb_host -cap_violator_dacoverride developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_capability_dacoverride -system_core_hap -hilog -console } self:{ capability cap_userns } dac_override; +neverallow { domain -system_core_hap -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp') -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch } self:{ capability cap_userns } dac_read_search; +neverallow { domain 
-chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp -hap_domain_self_violators') -hnp_violator -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch -system_core_hap } self:{ capability cap_userns } dac_read_search; neverallow { domain -init -chipset_init -ueventd -installs -storage_daemon -cap_violator_fowner updater_only(`-updater') -rgm_violator_ohos_capability_fowner } self:{ capability cap_userns } fowner; neverallow { domain -chipset_init -appspawn -init -ueventd -storage_daemon -cap_violator_fsetid updater_only(`-updater') -rgm_violator_ohos_capability_fsetid } self:{ capability cap_userns } fsetid; neverallow { domain -init -memmgrservice -appspawn -nativespawn -cjappspawn -storage_daemon -compiler_service -nwebspawn -faultloggerd -hiview -foundation -resource_schedule_executor -native_daemon -cap_violator_kill -rgm_violator_ohos_capability_kill -kernel } self:{ capability cap_userns } kill; -neverallow { domain -init -chipset_init -appspawn -compiler_service -nwebspawn -nativespawn -cjappspawn -storage_daemon -cap_violator_setuid updater_only(`-updater') -rgm_violator_ohos_capability_setuid -rgm_violator_cap_setuid } self:{ capability cap_userns } setuid; +neverallow { domain -init -chipset_init -appspawn -compiler_service -nwebspawn -nativespawn -cjappspawn -storage_daemon -cap_violator_setuid updater_only(`-updater') -rgm_violator_ohos_capability_setuid -rgm_violator_cap_setuid -su } self:{ capability cap_userns } setuid; neverallow { domain -init -chipset_init -ueventd -appspawn -compiler_service -nwebspawn -nativespawn -cjappspawn -storage_daemon debug_only(`-hiperf -hiprofilerd -hiprofiler_plugins -hiprofiler_cmd -native_daemon -bytrace -hitrace') updater_only(` -updater ') -rgm_violator_ohos_capability_setgid -rgm_violator_cap_setgid 
-cap_violator_setgid } self:{ capability cap_userns } setgid; neverallow { domain -init -chipset_init -rgm_violator_ohos_capability_setpcap } self:{ capability cap_userns } setpcap; neverallow * self:{ capability cap_userns } linux_immutable; neverallow { domain -wifi_manager_service -netsysnative -cap_violator_netbindservice } self:{ capability cap_userns } net_bind_service; neverallow * self:{ capability cap_userns } net_broadcast; -neverallow { domain -init -appspawn -nativespawn -chipset_init -ueventd -wifi_hal_service -wifi_manager_service -softbus_server -netsysnative -storage_daemon -udevd -blue_host -netmanager -riladapter_host -bluetooth_service -cap_violator_netadmin -wifi_host -resource_schedule_executor -rgm_violator_ohos_capability_netadmin } self:{ capability cap_userns } net_admin; +neverallow { domain -init -appspawn -nativespawn -chipset_init -ueventd -wifi_hal_service -wifi_manager_service -softbus_server -netsysnative -storage_daemon -udevd -blue_host -netmanager -riladapter_host -bluetooth_service -cap_violator_netadmin -wifi_host -resource_schedule_executor -rgm_violator_ohos_capability_netadmin -updater -console } self:{ capability cap_userns } net_admin; neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -netsysnative -cap_violator_netraw -distributedfiledaemon -wifi_host -rgm_violator_ohos_capability_netraw } self:{ capability cap_userns } net_raw; neverallow { domain -hiperf } self:{ capability cap_userns } ipc_lock; neverallow * self:{ capability cap_userns } ipc_owner; -neverallow { domain -cap_violator_sysmodule } self:{ capability cap_userns } sys_module; +neverallow { domain -cap_violator_sysmodule -init } self:{ capability cap_userns } sys_module; neverallow { domain -init -chipset_init -cap_violator_sysrawio} self:{ capability cap_userns } sys_rawio; neverallow { domain -init -chipset_init -appspawn -rgm_violator_ohos_capability_syschroot } self:{ capability cap_userns } sys_chroot; -neverallow { domain -appspawn 
-hiview -hidumper_service -memmgrservice -storage_daemon -hiprofiler_cmd -hiprofiler_plugins -native_daemon -hiperf +neverallow { domain -appspawn -hiview -hidumper_service -memmgrservice -storage_daemon -hiprofiler_cmd -hiprofiler_plugins -native_daemon -hiperf -init -foundation -cap_violator_sysptrace debug_only(`-hiebpf') -SP_daemon -rgm_violator_ohos_capability_sysptrace } self:{ capability cap_userns } sys_ptrace; neverallow * self:{ capability cap_userns } sys_pacct; neverallow { domain -kernel -init -chipset_init -storage_daemon -installs -appspawn -nwebspawn -nativespawn -cjappspawn -netsysnative -file_guard_server debug_only(`-hiprofiler_plugins -hiebpf') updater_only(`-updater') -rgm_violator_ohos_capability_sysadmin -rgm_violator_cap_sysadmin -module_update_service -prerogative_app } self:{ capability cap_userns } sys_admin; neverallow { domain -init -chipset_init } self:{ capability cap_userns } sys_boot; -neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -resource_schedule_executor -appspawn -blue_host } self:{ capability cap_userns } sys_nice; +neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -resource_schedule_executor -appspawn -blue_host -system_core_hap -kernel} self:{ capability cap_userns } sys_nice; neverallow { domain -init -chipset_init -memmgrservice -netsysnative debug_only(`-hiebpf') } self:{ capability cap_userns } sys_resource; neverallow { domain -time_service updater_only(`-updater') } self:{ capability cap_userns } sys_time; neverallow * self:{ capability cap_userns } sys_tty_config; -neverallow { domain -ueventd -kernel -storage_daemon -rgm_violator_ohos_capability_mknod } self:{ capability cap_userns } mknod; +neverallow { domain -ueventd -kernel -storage_daemon -rgm_violator_ohos_capability_mknod -updater } self:{ capability cap_userns } mknod; neverallow * self:{ capability cap_userns } lease; neverallow * self:{ capability cap_userns } audit_write; neverallow * 
self:{ capability cap_userns } audit_control; diff --git a/sepolicy/base/public/file.te b/sepolicy/base/public/file.te index 550014711..56eaf64a5 100644 --- a/sepolicy/base/public/file.te +++ b/sepolicy/base/public/file.te @@ -269,6 +269,7 @@ type dev_hdf_i2c_mgr, dev_attr; type dev_hdf_test, dev_attr; type dev_i2c_test, dev_attr; type dev_bbox, dev_attr; +type dev_ion, dev_attr; type dev_bus, dev_attr; type dev_dev_cec0, dev_attr; type dev_full, dev_attr; diff --git a/sepolicy/base/public/hap_domain.te b/sepolicy/base/public/hap_domain.te index 59f2096ad..c522be706 100644 --- a/sepolicy/base/public/hap_domain.te +++ b/sepolicy/base/public/hap_domain.te @@ -83,8 +83,8 @@ allow hap_domain hdf_devmgr:binder call; #neverallow #never use caps for haps. -neverallow { hap_domain -hap_domain_kernel_violators } self:{ capability capability2 } *; - +neverallow { hap_domain -hap_domain_kernel_violators -system_core_hap} self:{ capability capability2 } *; +neverallow { hap_domain -system_core_hap } self:{ capability capability2 } *; #haps can't modify files of other domain. neverallow hap_domain { domain -hap_domain }:file never_write_file; 
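Review bot: The new side contains two `dac_read_search` neverallow rules: the first (`neverallow { domain -system_core_hap -chipset_init ...`) drops the `-hap_domain_self_violators` and `-hnp_violator` exemptions the original had, while the second keeps them and appends `-system_core_hap`. Both are checked at policy build, so the stricter first one is the effective rule and any domain in hnp_violator (or hap_domain_self_violators in developer builds) that holds dac_read_search will break the build; keep exactly one rule, the original exclusion list plus `-system_core_hap`. Separately, `-init` on sys_module, `-hilog` and `-console` on dac_override, `-su` on setuid and `-updater -console` on net_admin all widen kernel capabilities for long-running or shell domains; each deserves a comment naming the consumer, and the debug-only ones belong inside `debug_only(...)`. The hunk's first changed rule (`-neverallow { domain -appspawn -cjappspawn ...`) starts on an earlier physical line.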
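Review bot: The two replacement rules overlap and the second makes the first pointless: `neverallow { hap_domain -system_core_hap } self:{ capability capability2 } *;` covers every domain the first line covers, so the `-hap_domain_kernel_violators` exemption has no effect and, unless every member of hap_domain_kernel_violators is also system_core_hap, those violators will fail the neverallow check if they hold any capability. Keep a single rule. The comment `#never use caps for haps.` above is now false as well, since system_core_hap.te in this series grants `sys_nice dac_override dac_read_search`; update it to state the system_core_hap exception and the reason.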
@@ -102,16 +102,16 @@ neverallow hap_domain dev_attr:blk_file ioctl; #limit hap access dev file. neverallow hap_domain { dev_attr -dev_ptmx -dev_ucollection -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file - -dev_zero_file -dev_mali -tty_device -dev_fuse_file -dev_bbox + -dev_zero_file -dev_mali -tty_device -dev_fuse_file -dev_bbox -dev_ion -dev_graphics_file -dev_tun_file -dev_attr_violator_chr_file_rw -dev_bus_usb_file -dev_usb_accessory_file }:chr_file { open ioctl read write}; neverallow { hap_domain -hap_domain_dev_ptmx_violators } dev_ptmx:chr_file { open ioctl read write}; neverallow normal_hap { dev_attr -dev_at_file -dev_bbox -dev_binder_file -dev_null_file -dev_random_file -dev_zero_file -dev_ucollection - -dev_attr_violator_chr_file_rw -dev_ashmem_file -dev_dri_file -dev_mali developer_only(`-violator_chr_file_open') }:chr_file open; + -dev_attr_violator_chr_file_rw -dev_ashmem_file -dev_dri_file -dev_mali -dev_ion -dev_graphics_file developer_only(`-violator_chr_file_open') }:chr_file open; neverallow normal_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_null_file -dev_random_file -dev_tun_file -dev_zero_file - -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file -dev_usb_accessory_file developer_only(`-violator_chr_file_read') }:chr_file read; + -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file -dev_usb_accessory_file -dev_ion -dev_graphics_file developer_only(`-violator_chr_file_read') }:chr_file read; neverallow normal_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_bbox -dev_binder_file -dev_null_file -dev_random_file -dev_tun_file -dev_zero_file -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file -dev_usb_accessory_file developer_only(`-violator_chr_file_write') }:chr_file write; 
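Review bot: Adding `-dev_ion -dev_graphics_file` to the normal_hap open and read exclusions makes it possible to grant ordinary third-party apps direct access to the ION allocator and framebuffer device nodes; these rules exist to keep untrusted apps off kernel driver ioctl surfaces, and no normal_hap consumer is named. Unless one is identified, keep normal_hap excluded and limit the new types to the hap_domain rule above, where `-dev_ion` is already added for system apps; buffer allocation for privileged clients appears to go through allocator_host in this series (`allow bootanimation allocator_host:binder { call }`), which is the narrower path. The first rule in this hunk starts on the previous physical line.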
diff --git a/sepolicy/base/public/init.te b/sepolicy/base/public/init.te
index 6132b028b..8b3b0c463 100644
--- a/sepolicy/base/public/init.te
+++ b/sepolicy/base/public/init.te
@@ -39,3 +39,8 @@ neverallow init { file_attr fs_attr -system_bin_file -toybox_exec -sdc_exec -hnp
 #todo
 #neverallow init sys_file:file { open read write };
+
+allow init init:capability { sys_ptrace };
+allow init distributedsche:file { write };
+allow init system_usr_file:dir { search };
+allow init system_usr_file:file { getattr read open map };
diff --git a/sepolicy/base/public/parameter.te b/sepolicy/base/public/parameter.te
index e3f56fd79..bd0e00082 100644
--- a/sepolicy/base/public/parameter.te
+++ b/sepolicy/base/public/parameter.te
@@ -40,6 +40,8 @@ type default_param, parameter_attr;
 type accessibility_param, parameter_attr;
 type musl_param, parameter_attr;
+type developtools_hdc_auth_param, parameter_attr;
+
 type build_version_param, parameter_attr;
 type startup_param, parameter_attr;
 type bootevent_param, parameter_attr;
diff --git a/sepolicy/base/public/sadomain.te b/sepolicy/base/public/sadomain.te
index 2992f783b..91d8b8ea0 100644
--- a/sepolicy/base/public/sadomain.te
+++ b/sepolicy/base/public/sadomain.te
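Review bot: `allow init init:capability { sys_ptrace };` hands init one of the broadest capabilities (it bypasses ptrace access-mode checks for every process), and the domain.te @@ -294 hunk in this series removes init from the sys_ptrace neverallow to make room for it, yet the hunk does not say which init operation needs it. The neighbouring `allow init distributedsche:file { write };` suggests init is writing a /proc/<pid> entry of distributedsche; that is normally satisfiable by a targeted file rule without CAP_SYS_PTRACE. Add a comment naming the consumer, e.g. `# sys_ptrace: <reason> — TODO confirm`, or drop the capability line and keep only the file rules.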
@@ -31,7 +31,7 @@ allow sadomain sa_dataobs_mgr_service_service:samgr_class { get };
 neverallow { domain -samgr } self:binder set_context_mgr;
 # let every sa join sadomain
 # TODO:remove hdfdomain after SA dynamic loading support.
-neverallow { domain -sadomain -SP_daemon -init -ark_aot_compiler -hap_domain -isolated_render -isolated_gpu -input_isolate_hap -hdfdomain -samgr_binder_violator -key_enable developer_only(`-bm -input_isolate_debug_hap -uitest -edm -wukong -mediatool') debug_only(`-edm') } samgr:binder transfer;
+neverallow { domain -sadomain -SP_daemon -init -ark_aot_compiler -hap_domain -isolated_render -isolated_gpu -input_isolate_hap -hdfdomain -samgr_binder_violator -key_enable -bm developer_only(`-bm -input_isolate_debug_hap -uitest -edm -wukong -mediatool') debug_only(`-edm') } samgr:binder transfer;
 neverallow { sadomain hap_domain } dev_tee_file:chr_file { open read append write ioctl };
diff --git a/sepolicy/base/public/system_core_hap.te b/sepolicy/base/public/system_core_hap.te
index 5fcf9b2cc..64ccf2ec1 100644
--- a/sepolicy/base/public/system_core_hap.te
+++ b/sepolicy/base/public/system_core_hap.te
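Review bot: `-bm` is inserted unconditionally immediately before `developer_only(`-bm ...')`, which already exempts bm in developer builds, so the new token makes the macro entry redundant and silently extends the exemption to release images. bm appears to be a command-line tool; letting it `transfer` to samgr in every build weakens the "let every sa join sadomain" rule this line enforces. Either keep the exemption inside `developer_only(...)` or remove `-bm` from the macro and add a comment stating the release-build consumer.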
@@ -14,3 +14,22 @@ neverallow system_core_hap_attr dev_kmsg_file:chr_file never_rw_file;
 neverallow system_core_hap_attr data_local_tmp:file { open read ioctl lock };
+
+allow system_core_hap_attr data_hilogd_file:dir { getattr open read search };
+allow system_core_hap_attr data_log:dir { getattr read };
+allow appspawn data_log:dir { getattr mounton };
+allow system_core_hap data_hilogd_file:file { getattr read open };
+allow system_core_hap system_core_hap:capability { sys_nice dac_override dac_read_search };
+allow processdump system_core_hap:tcp_socket { read write };
+allow processdump system_core_hap_data_file:file { read write };
+allow system_core_hap tmpfs:dir { read };
+allow system_core_hap data_log:dir { open };
+allow system_core_hap hiviewdfx_hiview_param:file { read open };
+allow system_core_hap faultloggerd_temp_file:dir { search read open };
+allow system_core_hap data_log:file { open getattr };
+allow processdump data_log:file { read };
+allow system_core_hap faultloggerd_temp_file:file { open getattr };
+
+allow system_core_hap sys_prod_file:dir { search };
+
+allow system_core_hap appspawn:fifo_file { read };
diff --git a/sepolicy/base/public/type.te b/sepolicy/base/public/type.te
index 0614e81ee..46060e27b 100644
--- a/sepolicy/base/public/type.te
+++ b/sepolicy/base/public/type.te
@@ -111,7 +111,10 @@ type ark_aot_compiler_exec, exec_attr, file_attr, system_file_attr;
 type compiler_service, sadomain, domain;
-debug_only(`
- type console, sadomain, domain;
- type su, native_system_domain, domain;
-')
+# debug_only(`
+# type console, sadomain, domain;
+# type su, native_system_domain, domain;
+# ')
+
+type console, sadomain, domain;
+type su, native_system_domain, domain;
diff --git a/sepolicy/base/system/system_domain.te b/sepolicy/base/system/system_domain.te
index 860e14e52..2496b9944 100644
--- a/sepolicy/base/system/system_domain.te
+++ b/sepolicy/base/system/system_domain.te
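Review bot: Four rules whose subject is another domain — `allow appspawn data_log:dir { getattr mounton };`, `allow processdump system_core_hap:tcp_socket { read write };`, `allow processdump system_core_hap_data_file:file { read write };` and `allow processdump data_log:file { read };` — are placed in system_core_hap.te, so anyone auditing appspawn or processdump will not find them; move each to its subject domain's .te file. `processdump ... system_core_hap_data_file:file { read write }` also lets the crash handler modify app data rather than only read it; if it just writes a dump, a dedicated dump-file type is narrower. The capability grant `allow system_core_hap system_core_hap:capability { sys_nice dac_override dac_read_search };` contradicts the `#never use caps for haps.` comment in hap_domain.te and needs a one-line justification above it.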
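Review bot: Replacing the `debug_only(...)` wrapper with a commented-out copy plus unconditional `type console, sadomain, domain;` and `type su, native_system_domain, domain;` compiles a root-shell domain and a console domain into release policy; the console.te hunk in this series then grants console `dac_override net_admin` outside any build guard. The commented-out block is dead text and should be deleted rather than kept. If these domains must exist in release, the commit message needs to say so; otherwise restore `debug_only(`` around the two declarations and apply the same guard to the `-su` and `-console` exemptions this series scatters through domain.te and system_domain.te.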
@@ -14,7 +14,7 @@ # Prohibit system component processes from accessing vendor files to achieve access isolation neverallow { system_domain -vendor_file_violator_dir } vendor_file:dir ~{ search getattr relabelto read open mounton }; -neverallow { system_domain -hdcd -hidumper_service -init -processdump -vendor_file_violator_dir_getattr} vendor_file:dir { getattr }; +neverallow { system_domain -hdcd -hidumper_service -init -processdump -vendor_file_violator_dir_getattr -su } vendor_file:dir { getattr }; neverallow { system_domain -init -vendor_file_violator_dir_relabelto } vendor_file:dir { relabelto }; neverallow { system_domain -init -processdump -vendor_file_violator_dir_read } vendor_file:dir { read }; neverallow { system_domain -init -processdump -vendor_file_violator_dir_open } vendor_file:dir { open }; 
@@ -60,7 +60,7 @@ neverallow { system_domain -bootanimation -ispserver -media_service -misc -multi -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service -multimodalinput -charger -concurrent_task_service -resource_schedule_service -dlp_permission_service -sensors -appspawn -init -ueventd -telephony_sa -module_update_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn - -hap_domain -render_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search } vendor_etc_file:dir { search }; + -hap_domain -render_service -resource_schedule_executor -camera_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search -installs -softbus_server -inputmethod_service -usb_service -distributedsche -sharing_service -intell_voice_service } vendor_etc_file:dir { search }; neverallow { system_domain -nfc_service -charger -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_getattr } vendor_etc_file:dir { getattr }; neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_read } vendor_etc_file:dir { read }; neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_open } vendor_etc_file:dir { open }; 
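Review bot: Nine more system domains (`-resource_schedule_executor -camera_service` and `-installs -softbus_server -inputmethod_service -usb_service -distributedsche -sharing_service -intell_voice_service`) are appended to the exclusion list of the vendor_etc_file dir search rule, although the list already carries `-vendor_etc_file_violator_dir_search`, an attribute that exists for exactly this purpose. Attaching that attribute to each domain's type declaration keeps the neverallow readable and makes the system/vendor isolation exceptions auditable in one place; as written, the rule's intent is eroded with no stated reason per domain. The same applies to `-resource_schedule_executor` in the @@ -69 hunk that follows. This rule starts on the previous physical line.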
@@ -69,14 +69,14 @@ neverallow { system_domain -vendor_etc_file_violator_dir_relabelto } vendor_etc_ neverallow { system_domain -vendor_etc_file_violator_file } vendor_etc_file:file ~{ map open read getattr relabelto }; neverallow { system_domain -bootanimation -media_service -memmgrservice -concurrent_task_service -resource_schedule_service -vendor_etc_file_violator_file_map } vendor_etc_file:file { map }; -neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr -ueventd -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open }; -neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr + -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr -ueventd -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read }; -neverallow { system_domain 
-bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr + -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr -ueventd -hdf_devmgr -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -appspawn -cjappspawn -init -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr }; + -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr }; neverallow { system_domain -vendor_etc_file_violator_file_relabelto } vendor_etc_file:file { relabelto }; neverallow { system_domain } vendor_etc_file:{ blk_file chr_file fifo_file lnk_file sock_file } *; diff --git a/sepolicy/base/te/accessibility.te b/sepolicy/base/te/accessibility.te index 25643a2bd..89fcdab1b 100644 --- a/sepolicy/base/te/accessibility.te +++ b/sepolicy/base/te/accessibility.te @@ -79,5 +79,6 @@ allow accessibility sysfs_devices_system_cpu:file { read }; allow accessibility sa_dataobs_mgr_service_service:samgr_class { get }; allow accessibility sa_render_service:samgr_class { get }; allow accessibility render_service:binder { call transfer }; +allow accessibility multimodalinput:binder { transfer }; allow accessibility data_service_el1_file:dir {open read}; allow accessibility foundation:fd {use}; 
diff --git a/sepolicy/base/te/audio_server.te b/sepolicy/base/te/audio_server.te
index f5bb0cc5a..edbca852a 100644
--- a/sepolicy/base/te/audio_server.te
+++ b/sepolicy/base/te/audio_server.te
@@ -47,3 +47,9 @@ allow audio_server security_param:file { map open read };
 allow audio_server startup_param:file { map open read };
 allow audio_server sys_param:file { map open read };
 allow audio_server sys_usb_param:file { map open read };
+
+allow audio_server dev_console_file:chr_file { read write };
+allow audio_server sysfs_devices_system_cpu:file { read open getattr };
+
+allow audio_server chip_prod_file:dir { search };
+allow audio_server sys_prod_file:dir { search };
diff --git a/sepolicy/base/te/bootanimation.te b/sepolicy/base/te/bootanimation.te
index c7a963879..44894c474 100644
--- a/sepolicy/base/te/bootanimation.te
+++ b/sepolicy/base/te/bootanimation.te
@@ -29,6 +29,7 @@ allow bootanimation dev_kmsg_file:chr_file { open write };
 allow bootanimation dev_mali:chr_file { getattr ioctl map open read write };
 allow bootanimation dev_unix_socket:dir { search };
 allow bootanimation allocator_host:fd { use };
+allow bootanimation allocator_host:binder { call };
 allow bootanimation distributedsche_param:file { map open read };
 allow bootanimation foundation:binder { call transfer };
 allow bootanimation hilog_param:file { map open read };
@@ -81,3 +82,20 @@ allow bootanimation vendor_etc_file:dir { search }; allow bootanimation chip_prod_file:file { map open read getattr }; allow bootanimation sys_prod_file:file { map open read getattr }; allow bootanimation vendor_etc_file:file { map open read getattr }; +allow bootanimation data_file:dir { search }; +allow bootanimation data_file:file { read open getattr }; + +allow bootanimation dev_file:chr_file { read write open getattr map }; +allow bootanimation dev_file:chr_file { ioctl }; +allowxperm bootanimation dev_file:chr_file ioctl { 0x8203 0x8402 0x4905 0x4909 0x8202 0x8309 }; + +allow bootanimation hdf_devmgr:binder { call }; +allowxperm bootanimation dev_file:chr_file ioctl { 0x8301 0x8206 0x4901 }; + +allow bootanimation dev_graphics_file:dir { search }; +allow bootanimation dev_graphics_file:chr_file { read write open map }; +allow bootanimation dev_graphics_file:chr_file { ioctl }; +allowxperm bootanimation dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 }; + +allow bootanimation devinfo_type_param:file { read open map }; + diff --git a/sepolicy/base/te/camera_service.te b/sepolicy/base/te/camera_service.te index 38d534405..ae2f42d23 100644 --- a/sepolicy/base/te/camera_service.te +++ b/sepolicy/base/te/camera_service.te @@ -67,3 +67,13 @@ allow camera_service tracefs:dir { search }; allow camera_service tracefs_trace_marker_file:file { open write }; allow camera_service sa_memory_manager_service:samgr_class { get }; allow camera_service memmgrservice:binder { call transfer }; + +allow camera_service vendor_etc_file:dir { search }; + +allow camera_service dev_console_file:chr_file { read write }; + +allow camera_service system_usr_file:dir { search }; +allow camera_service system_usr_file:file { getattr read open map }; + +allow camera_service sysfs_devices_system_cpu:file { read open getattr }; + diff --git a/sepolicy/base/te/console.te b/sepolicy/base/te/console.te index dbcfbeaf5..3e88df9a3 100644 --- a/sepolicy/base/te/console.te 
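Review bot: `allow bootanimation dev_file:chr_file { read write open getattr map };` together with the two `allowxperm bootanimation dev_file:chr_file ioctl` lines gives bootanimation read/write and ioctl on every character device that still carries the generic dev_file label, not just the one it needs. The ioctl set being split across two lines (`0x8203 0x8402 …` and `0x8301 0x8206 0x4901`) also suggests the rules were copied from denial logs without identifying the device. Labelling the target node with its own type in file_contexts, the way the dev_graphics_file rules in the same hunk do, and granting that type instead keeps the grant to a single device; at minimum the two allowxperm lines should be merged into one.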
+++ b/sepolicy/base/te/console.te @@ -14,3 +14,14 @@ debug_only(` permissive console; ') + +allow console persist_param:file { read open map }; +allow console console:udp_socket { create }; +allow console dev_unix_socket:dir { search }; +allow console console:capability { dac_override net_admin }; +allow console netsysnative:unix_stream_socket { connectto }; +allow console console:udp_socket { ioctl }; +allowxperm console console:udp_socket ioctl { 0x8916 0x5413 0x8913 0x8914 }; +allow console tty_device:chr_file { ioctl }; +allowxperm console tty_device:chr_file ioctl { 0x5401 0x5413 }; + diff --git a/sepolicy/base/te/deviceauth_service.te b/sepolicy/base/te/deviceauth_service.te index f8145ef8e..7fb76e937 100644 --- a/sepolicy/base/te/deviceauth_service.te +++ b/sepolicy/base/te/deviceauth_service.te @@ -55,3 +55,6 @@ allow deviceauth_service normal_hap_attr:binder { call transfer }; allow deviceauth_service sa_foundation_bms:samgr_class { get }; allow deviceauth_service sa_foundation_abilityms:samgr_class { get }; allow deviceauth_service accountmgr:fd { use }; + +allow deviceauth_service sysfs_devices_system_cpu:file { read open getattr }; + diff --git a/sepolicy/base/te/deviceinfoservice.te b/sepolicy/base/te/deviceinfoservice.te index a6cc1f1cd..7367fbebf 100644 --- a/sepolicy/base/te/deviceinfoservice.te +++ b/sepolicy/base/te/deviceinfoservice.te @@ -51,4 +51,4 @@ allow deviceinfoservice system_bin_file:dir { search }; allow deviceinfoservice sys_usb_param:file { map open read }; allow deviceinfoservice tracefs:dir { search }; allow deviceinfoservice tracefs_trace_marker_file:file { open write }; -allow deviceinfoservice sys_file:file { open read }; +allow deviceinfoservice sysfs_devices_system_cpu:file { read }; diff --git a/sepolicy/base/te/dhardware.te b/sepolicy/base/te/dhardware.te index 0985a7595..0a9b938bc 100644 --- a/sepolicy/base/te/dhardware.te +++ b/sepolicy/base/te/dhardware.te 
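Review bot: `allow console console:capability { dac_override net_admin };` is added unconditionally, while the only pre-existing rule in this file (`permissive console;`) sits inside `debug_only(...)`, so the console domain now gets DAC bypass and network-administration capability in non-debug builds as well. Unless console is meant to ship in production, the whole new block belongs inside the same `debug_only(` … `')` wrapper. If it is meant to ship, dac_override in particular should carry a comment naming the file it cannot otherwise reach, since the usual fix is to correct the ownership or label rather than bypass DAC.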
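Review bot: The replacement line `allow deviceinfoservice sysfs_devices_system_cpu:file { read };` drops the `open` permission that the removed `sys_file:file { open read }` rule carried, so unless the descriptor is opened elsewhere and passed in, the service will still be denied when it opens the sysfs node itself. Other hunks in this patch grant the same target as `{ read open getattr }` (camera_service, dslm_service, huks_service); using `allow deviceinfoservice sysfs_devices_system_cpu:file { read open getattr };` here keeps the rule consistent and avoids a follow-up denial.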
@@ -53,3 +53,12 @@ allow dhardware system_bin_file:dir { search }; allow dhardware sys_usb_param:file { map open read }; allow dhardware tracefs:dir { search }; allow dhardware tracefs_trace_marker_file:file { open write }; + +allow dhardware chip_prod_file:dir { search }; +allow dhardware sys_prod_file:dir { search }; +allow dhardware dev_input_file:chr_file { ioctl }; +allowxperm dhardware dev_input_file:chr_file ioctl { 0x4534 0x4572 }; + +allow dhardware system_usr_file:dir { search }; +allow dhardware system_usr_file:file { getattr read open map }; + diff --git a/sepolicy/base/te/distributedsche.te b/sepolicy/base/te/distributedsche.te index c07a2e8c5..dbe1ba771 100644 --- a/sepolicy/base/te/distributedsche.te +++ b/sepolicy/base/te/distributedsche.te @@ -53,3 +53,7 @@ allow distributedsche system_bin_file:dir { search }; allow distributedsche sys_usb_param:file { map open read }; allow distributedsche tracefs:dir { search }; allow distributedsche tracefs_trace_marker_file:file { open write }; + +allow distributedsche chip_prod_file:dir { search }; +allow distributedsche sys_prod_file:dir { search }; +allow distributedsche vendor_etc_file:dir { search }; diff --git a/sepolicy/base/te/drm_service.te b/sepolicy/base/te/drm_service.te index 7427677c1..66b08519e 100644 --- a/sepolicy/base/te/drm_service.te +++ b/sepolicy/base/te/drm_service.te @@ -50,3 +50,4 @@ allow drm_service tracefs:dir { search }; allow drm_service tracefs_trace_marker_file:file { open write }; allow drm_service hdf_devmgr:hdf_devmgr_class { list }; +allow drm_service drm_service:unix_dgram_socket { getopt setopt }; diff --git a/sepolicy/base/te/dslm_service.te b/sepolicy/base/te/dslm_service.te index 63dda0751..bf82fd1b9 100644 --- a/sepolicy/base/te/dslm_service.te +++ b/sepolicy/base/te/dslm_service.te 
@@ -55,3 +55,8 @@ allow dslm_service system_bin_file:dir { search }; allow dslm_service sys_usb_param:file { map open read }; allow dslm_service tracefs:dir { search }; allow dslm_service tracefs_trace_marker_file:file { open write }; + +allow dslm_service dev_console_file:chr_file { read write }; + +allow dslm_service sysfs_devices_system_cpu:file { read open getattr }; + diff --git a/sepolicy/base/te/faultloggerd.te b/sepolicy/base/te/faultloggerd.te index 21670d54e..c754b9ca7 100644 --- a/sepolicy/base/te/faultloggerd.te +++ b/sepolicy/base/te/faultloggerd.te @@ -56,3 +56,5 @@ allow faultloggerd system_basic_hap_attr:process { signal }; allow faultloggerd system_bin_file:dir { search }; allow faultloggerd system_core_hap_attr:process { signal }; allow faultloggerd sys_usb_param:file { map open read }; + +allow faultloggerd dev_console_file:chr_file { read write }; diff --git a/sepolicy/base/te/foundation.te b/sepolicy/base/te/foundation.te index e5c851098..0a061653c 100644 --- a/sepolicy/base/te/foundation.te +++ b/sepolicy/base/te/foundation.te @@ -130,3 +130,6 @@ allow foundation useriam:binder { call transfer }; allowxperm foundation data_service_el1_file:file ioctl { 0xf50c 0xf546 0xf547 }; allowxperm foundation dev_dri_file:chr_file ioctl { 0x641f }; allowxperm foundation dev_mali:chr_file ioctl { 0x8000 0x8001 0x8003 0x8018 }; + +allow foundation sys_prod_file:dir { search }; +allow foundation config_file:dir { search }; diff --git a/sepolicy/base/te/hilogd.te b/sepolicy/base/te/hilogd.te index 46846b4ed..0f8f616bd 100644 --- a/sepolicy/base/te/hilogd.te +++ b/sepolicy/base/te/hilogd.te @@ -48,3 +48,5 @@ allow hilogd sys_usb_param:file { map open read }; allow hilogd proc_kmsg_file:file { map open read }; allow hilogd kernel:system { syslog_mod }; allow hilogd hilogd:capability2 { syslog }; + +allow hilogd dev_console_file:chr_file { read write }; diff --git a/sepolicy/base/te/hiview.te b/sepolicy/base/te/hiview.te index a121ef947..74a97848b 100644 
--- a/sepolicy/base/te/hiview.te +++ b/sepolicy/base/te/hiview.te @@ -86,3 +86,19 @@ allow init hiviewdfx_hiview_param:file { map open read relabelto relabelfrom }; allow hiview hiviewdfx_hiview_param:parameter_service { set }; allow hiview hiviewdfx_hiview_param:file { map open read }; allow hiview paramservice_socket:sock_file { read write }; + +allow hiview chip_prod_file:dir { search }; +allow hiview sys_prod_file:dir { search }; +allow hiview system_usr_file:dir { search }; +allow hiview system_usr_file:file { getattr read open map }; +allow hiview hiview_file:dir { ioctl }; +allowxperm hiview hiview_file:dir ioctl { 0xf546 }; +allow hiview persist_param:parameter_service { set }; + +allow hiview sysfs_devices_system_cpu:dir { read open }; + +allow hiview proc_cmdline_file:file { read open getattr }; + +allow hiview multimodalinput:binder { call transfer }; +allow hiview multimodalinput:fd { use }; +allow hiview multimodalinput:unix_stream_socket { read write }; diff --git a/sepolicy/base/te/huks_service.te b/sepolicy/base/te/huks_service.te index 8dc358029..933ab7385 100644 --- a/sepolicy/base/te/huks_service.te +++ b/sepolicy/base/te/huks_service.te @@ -50,3 +50,6 @@ allow huks_service huks_service:unix_dgram_socket { getopt setopt }; allow huks_service tracefs_trace_marker_file:file { open write }; allow huks_service accountmgr:binder { call }; allow huks_service sa_accountmgr:samgr_class { get }; + +allow huks_service dev_console_file:chr_file { read write }; +allow huks_service sysfs_devices_system_cpu:file { read open getattr }; diff --git a/sepolicy/base/te/inputmethod_service.te b/sepolicy/base/te/inputmethod_service.te index d8b7f8bcf..6f03aadc2 100644 --- a/sepolicy/base/te/inputmethod_service.te +++ b/sepolicy/base/te/inputmethod_service.te 
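Review bot: `allow hiview persist_param:parameter_service { set };` lets hiview set any parameter carrying the broad persist_param label, a much wider grant than the `hiviewdfx_hiview_param` set permission the file already has just above the hunk. If hiview only needs to write specific persist.* keys, those keys should get their own parameter type in the parameter contexts and the rule should target that type; otherwise a comment above the line should list the parameters it writes so the scope can be reviewed later. The `allow hiview multimodalinput:unix_stream_socket { read write }` line presumably covers a passed descriptor and could use the same one-line justification.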
@@ -63,4 +63,11 @@ allow inputmethod_service multimodalinput:binder { call }; allow inputmethod_service multimodalinput:fd { use }; allow inputmethod_service multimodalinput:unix_stream_socket { read write }; allow inputmethod_service sa_multimodalinput_service:samgr_class { get }; +allow inputmethod_service multimodalinput:binder { transfer }; +allow inputmethod_service data_service_el1_file:file { ioctl }; +allowxperm inputmethod_service data_service_el1_file:file ioctl { 0x5413 }; + +allow inputmethod_service vendor_etc_file:dir { search }; +allow inputmethod_service sys_prod_file:dir { search }; +allow inputmethod_service chip_prod_file:dir { search }; diff --git a/sepolicy/base/te/kernel.te b/sepolicy/base/te/kernel.te index 82ce1b31d..26618769e 100644 --- a/sepolicy/base/te/kernel.te +++ b/sepolicy/base/te/kernel.te @@ -18,7 +18,7 @@ allow kernel dev_bbox:chr_file { open write }; allow kernel device:chr_file { create getattr setattr unlink }; allow kernel device:dir { add_name remove_name rmdir search write }; allow kernel init:process { dyntransition }; -allow kernel kernel:capability { mknod }; +allow kernel kernel:capability { mknod sys_nice }; allow kernel kernel:process { setcurrent }; allow kernel pstorefs:dir { open read remove_name search write }; allow kernel pstorefs:file { open read unlink }; diff --git a/sepolicy/base/te/memmgrservice.te b/sepolicy/base/te/memmgrservice.te index a968d5495..46df8390f 100644 --- a/sepolicy/base/te/memmgrservice.te +++ b/sepolicy/base/te/memmgrservice.te @@ -56,3 +56,7 @@ allow memmgrservice media_service:binder { call }; allow memmgrservice render_service:binder { call }; allow memmgrservice sa_resource_schedule:samgr_class { get }; allow memmgrservice resource_schedule_service:binder { call }; + +allow memmgrservice dev_console_file:chr_file { read write }; +allow memmgrservice dev_kmsg_file:chr_file { write open }; +allow memmgrservice memmgrservice:unix_dgram_socket { getopt setopt }; 
diff --git a/sepolicy/base/te/mmi_uinput_service.te b/sepolicy/base/te/mmi_uinput_service.te index 202d04f97..7aa14147c 100644 --- a/sepolicy/base/te/mmi_uinput_service.te +++ b/sepolicy/base/te/mmi_uinput_service.te @@ -55,3 +55,5 @@ allow mmi_uinput_service uinput_inject_exec:file { entrypoint execute map read } allow mmi_uinput_service sysfs_devices_system_cpu:file { open read getattr }; allowxperm mmi_uinput_service dev_hdf_input:chr_file ioctl { 0x6201 0x6202 0x6203 }; allowxperm mmi_uinput_service dev_uinput:chr_file ioctl { 0x5501 0x5564 0x5565 0x5567 0x556e }; + +allow mmi_uinput_service dev_console_file:chr_file { read write }; diff --git a/sepolicy/base/te/multimodalinput.te b/sepolicy/base/te/multimodalinput.te index 8593116c3..907bf2c50 100644 --- a/sepolicy/base/te/multimodalinput.te +++ b/sepolicy/base/te/multimodalinput.te @@ -70,5 +70,9 @@ allow multimodalinput sys_usb_param:file { map open read }; allow multimodalinput vendor_etc_file:dir { search }; allowxperm multimodalinput data_file:file ioctl { 0x5413 }; allowxperm multimodalinput data_libinput:file ioctl { 0x5413 }; -allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4501 0x4502 0x4506 0x4507 0x4508 0x4509 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4578 0x4579 0x457a 0x45a0 }; +allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4501 0x4502 0x4506 0x4507 0x4508 0x4509 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4578 0x4579 0x457a 0x45a0 0x455c 0x4572 }; allowxperm multimodalinput sys_file:file ioctl { 0x5413 }; +allow multimodalinput dev_input_file:chr_file { ioctl }; + +allow multimodalinput chip_prod_file:dir { search }; +allow multimodalinput sys_prod_file:dir { search }; 
diff --git a/sepolicy/base/te/netmanager.te b/sepolicy/base/te/netmanager.te index ddc817eeb..9b165777d 100644 --- a/sepolicy/base/te/netmanager.te +++ b/sepolicy/base/te/netmanager.te @@ -79,3 +79,9 @@ allow netmanager tracefs_trace_marker_file:file { open write }; allowxperm netmanager data_data_file:file ioctl { 0x5413 }; allowxperm netmanager netmanager:udp_socket ioctl { 0x8927 }; allowxperm netmanager netmanager:unix_dgram_socket ioctl { 0x8910 0x8933 }; +allow netmanager sa_comm_net_stats_manager_service:samgr_class { get }; + +allow netmanager dev_kmsg_file:chr_file { write open }; +allow netmanager dev_kmsg_file:chr_file { open }; +allow netmanager sysfs_devices_system_cpu:file { read open getattr }; + diff --git a/sepolicy/base/te/netsysnative.te b/sepolicy/base/te/netsysnative.te index fc644fba1..5ff4ff999 100644 --- a/sepolicy/base/te/netsysnative.te +++ b/sepolicy/base/te/netsysnative.te @@ -63,3 +63,6 @@ allow netsysnative sys_usb_param:file { map open read }; allow netsysnative tracefs:dir { search }; allow netsysnative tracefs_trace_marker_file:file { open write }; allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8910 }; + +allow netsysnative netmanager:udp_socket { read write getopt setopt }; + diff --git a/sepolicy/base/te/nwebspawn.te b/sepolicy/base/te/nwebspawn.te index aea65fbeb..792857392 100644 --- a/sepolicy/base/te/nwebspawn.te +++ b/sepolicy/base/te/nwebspawn.te @@ -76,3 +76,6 @@ debug_only(` allow nwebspawn devpts:chr_file { write open ioctl getattr }; allowxperm nwebspawn devpts:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 0x5410 }; ') + +allow nwebspawn sys_prod_file:dir { search }; +allow nwebspawn chip_prod_file:dir { search }; diff --git a/sepolicy/base/te/processdump.te b/sepolicy/base/te/processdump.te index 1e2412cf0..f10b3a1cb 100644 --- a/sepolicy/base/te/processdump.te +++ b/sepolicy/base/te/processdump.te 
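Review bot: `allow netmanager dev_kmsg_file:chr_file { open };` is redundant, since the line directly above it already grants `{ write open }` on the same target, so the second line should be dropped. The sysfs rule in this hunk uses `{ read open getattr }` while the deviceinfoservice hunk in the same patch grants only `{ read }`; picking one permission set for sysfs_devices_system_cpu across the patch makes the grants easier to audit.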
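Review bot: `allow netsysnative netmanager:udp_socket { read write getopt setopt };` lets netsysnative operate on UDP sockets created by the netmanager domain, which presumably reach it as descriptors passed over binder or a unix socket; the rule itself does not say. A one-line comment above it giving the call path that hands the socket over would record why a second domain needs `setopt` on another domain's socket, and would make it clear whether `getopt setopt` is really required or `read write` alone would do.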
@@ -48,3 +48,9 @@ allow processdump softbus_server:process { ptrace }; allow processdump startup_param:file { map open read }; allow processdump sys_param:file { map open read }; allow processdump sys_usb_param:file { map open read }; + +allow processdump blue_host:udp_socket { read write }; +allow processdump blue_host:unix_stream_socket { read write }; +allow processdump dev_console_file:chr_file { read write }; + +allow processdump processdump:unix_dgram_socket { getopt setopt }; diff --git a/sepolicy/base/te/render_service.te b/sepolicy/base/te/render_service.te index 3b4c519a7..9caa2c3d3 100644 --- a/sepolicy/base/te/render_service.te +++ b/sepolicy/base/te/render_service.te @@ -28,8 +28,10 @@ allow render_service debug_param:file { map open read }; allow render_service default_param:file { map open read }; allow render_service dev_dri_file:chr_file { getattr ioctl open read write }; allow render_service dev_dri_file:dir { search }; -allow render_service dev_graphics_file:chr_file { open read write }; +allow render_service dev_graphics_file:chr_file { open read write map }; allow render_service dev_graphics_file:dir { search }; +allow render_service dev_graphics_file:chr_file { ioctl }; +allowxperm render_service dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 }; allow render_service dev_mali:chr_file { getattr ioctl map open read write }; allow render_service dev_rga:chr_file { ioctl open read write }; allow render_service distributedsche_param:file { map open read }; 
@@ -86,3 +88,10 @@ allowxperm render_service dev_rga:chr_file ioctl { 0x601b }; hdi_call(render_service, hdf_allocator_service) allow render_service usb_service:fd { use }; allow render_service data_service_el1_file:file { map write read }; + +allow render_service dev_file:chr_file { read write open getattr map }; +allow render_service dev_file:chr_file { ioctl }; +allowxperm render_service dev_file:chr_file ioctl { 0x4905 0x4901 0x8202 0x4909 0x8203 0x8309 0x8301 0x8404 0x8303 0x8206 0x8302 0x820b 0x830a 0x8402 }; + +allow render_service render_service:unix_dgram_socket { getopt setopt }; +allow render_service data_service_file:dir { search }; diff --git a/sepolicy/base/te/resource_schedule_service.te b/sepolicy/base/te/resource_schedule_service.te index 448bc7b90..2bf844067 100644 --- a/sepolicy/base/te/resource_schedule_service.te +++ b/sepolicy/base/te/resource_schedule_service.te @@ -59,3 +59,7 @@ allow resource_schedule_service sa_wifi_p2p_ability:samgr_class { get }; allow resource_schedule_service sa_wifi_device_ability:samgr_class { get }; allow resource_schedule_service netmanager:binder { call }; allow resource_schedule_service powermgr:binder {call transfer}; + +allow resource_schedule_service dev_console_file:chr_file { read write }; +allow resource_schedule_service dev_kmsg_file:chr_file { write open }; + diff --git a/sepolicy/base/te/samgr.te b/sepolicy/base/te/samgr.te index 856cc1759..e9b21f438 100644 --- a/sepolicy/base/te/samgr.te +++ b/sepolicy/base/te/samgr.te 
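Review bot: `allow render_service dev_file:chr_file { read write open getattr map };` together with the 14-entry `allowxperm render_service dev_file:chr_file ioctl` line gives the compositor read/write and a large ioctl surface on every character device that has only the generic dev_file label. The same dev_file grant appears for bootanimation and system_basic_hap in this patch, which suggests one specific device node is missing a file_contexts entry; adding a dedicated type for that node and granting it here instead of dev_file would close the grant to a single device. The ioctl numbers (`0x49xx`, `0x82xx`, `0x83xx`, `0x84xx`) presumably belong to that driver and would be easier to audit with a comment naming it.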
@@ -24,7 +24,7 @@ allow samgr const_postinstall_param:file { map open read }; allow samgr const_product_param:file { map open read }; allow samgr debug_param:file { map open read }; allow samgr default_param:file { map open read }; -allow samgr dev_kmsg_file:chr_file { open write }; +allow samgr dev_kmsg_file:chr_file { open write read }; allow samgr dev_unix_socket:sock_file { write }; allow samgr distributedsche_param:file { map open read }; allow samgr data_samgr:dir { add_name search write remove_name }; diff --git a/sepolicy/base/te/sensors.te b/sepolicy/base/te/sensors.te index 7ce64a12e..d3a285c9d 100644 --- a/sepolicy/base/te/sensors.te +++ b/sepolicy/base/te/sensors.te @@ -50,3 +50,4 @@ allow sensors sys_usb_param:file { map open read }; allow sensors tracefs:dir { search }; allow sensors tracefs_trace_marker_file:file { open write }; allow sensors vibrator_host:binder { call }; +allow sensors dev_console_file:chr_file { read write }; diff --git a/sepolicy/base/te/softbus_server.te b/sepolicy/base/te/softbus_server.te index f2372d512..b98a68078 100644 --- a/sepolicy/base/te/softbus_server.te +++ b/sepolicy/base/te/softbus_server.te 
@@ -27,8 +27,13 @@ allow softbus_server const_postinstall_param:file { map open read }; allow softbus_server const_product_param:file { map open read }; allow softbus_server data_file:dir { search }; allow softbus_server data_log:file { read write }; -allow softbus_server data_service_el1_file:dir { add_name search write }; +allow softbus_server data_service_el1_file:dir { add_name search write read open }; allow softbus_server data_service_el1_file:file { create read write open }; +allow softbus_server data_service_el1_file:file { ioctl }; +allowxperm softbus_server data_service_el1_file:file ioctl { 0xf546 }; +allow softbus_server data_service_el1_file:dir { ioctl }; +allowxperm softbus_server data_service_el1_file:dir ioctl { 0xf546 }; + allow softbus_server data_service_file:dir { search }; allow softbus_server debug_param:file { map open read }; allow softbus_server default_param:file { map open read }; @@ -99,3 +104,10 @@ allow softbus_server kernel:system { module_request }; allow softbus_server softbus_server:capability { net_admin }; allowxperm softbus_server softbus_server:udp_socket ioctl { 0x8910 0x8912 0x8913 0x8915 0x8919 0x8927 }; allowxperm softbus_server softbus_server:unix_dgram_socket ioctl { 0x8910 }; + +allow softbus_server chip_prod_file:dir { search }; +allow softbus_server sys_prod_file:dir { search }; +allow softbus_server vendor_etc_file:dir { search }; +allow softbus_server dev_console_file:chr_file { read write }; + +allow softbus_server powermgr:binder { call }; diff --git a/sepolicy/base/te/storage_manager.te b/sepolicy/base/te/storage_manager.te index 9d3e85ccf..47add567e 100644 --- a/sepolicy/base/te/storage_manager.te +++ b/sepolicy/base/te/storage_manager.te 
@@ -61,3 +61,6 @@ allow storage_manager tracefs:dir { search }; allow storage_manager tracefs_trace_marker_file:file { open write }; allow storage_manager sa_accountmgr:samgr_class { get }; allow storage_manager accountmgr:binder { call }; + +allow storage_manager dev_console_file:chr_file { read write }; +allow storage_manager sysfs_devices_system_cpu:file { read open }; diff --git a/sepolicy/base/te/su.te b/sepolicy/base/te/su.te new file mode 100755 index 000000000..32dc81209 --- /dev/null +++ b/sepolicy/base/te/su.te 
@@ -0,0 +1,43 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow su persist_param:parameter_service { set };
+allow su debug_param:parameter_service { set };
+allow su su:tcp_socket { read create getattr listen setopt bind };
+allow su sh_exec:file { getattr execute read open map };
+allow su persist_param:file { read open map };
+allow su developtools_hdc_auth_param:file { read open map };
+allow su dev_unix_socket:dir { search };
+allow su su:capability { setuid };
+allow su su:udp_socket { create setopt bind };
+allow su hdcd_exec:file { entrypoint };
+allow su dev_console_file:chr_file { read write };
+allow su hdcd_exec:file { map execute read};
+allow su port:udp_socket { name_bind };
+allow su node:udp_socket { node_bind };
+allow su su:tcp_socket { setopt bind accept write };
+allow su port:tcp_socket { name_bind };
+allow su node:tcp_socket { node_bind };
+allow su paramservice_socket:sock_file { write };
+allow su kernel:unix_stream_socket { connectto };
+# allow su sh_exec:file { execute_no_trans };
+allow su tty_device:chr_file { read write open };
+allow su data_local:dir { search };
+allow su data_local_tmp:dir { write search getattr };
+allow su system_bin_file:lnk_file { read };
+allow su toybox_exec:file { getattr execute read open map };
+# allow su toybox_exec:file { execute_no_trans };
+allow su dev_file:dir { getattr };
+allow su dev_pts_file:dir { getattr };
+allow su vendor_file:dir { getattr };
+allow su data_app_el1_file:dir { getattr }; diff --git a/sepolicy/base/te/system_basic_hap.te b/sepolicy/base/te/system_basic_hap.te index be71877ee..4b4b42464 100644 --- a/sepolicy/base/te/system_basic_hap.te +++ b/sepolicy/base/te/system_basic_hap.te @@ -138,3 +138,13 @@ allow system_basic_hap_attr sa_locationhub_lbsservice_network:samgr_class { get allow system_basic_hap_attr sa_locationhub_lbsservice_passive:samgr_class { get }; allow system_basic_hap_attr sa_location_geo_convert_service:samgr_class { get }; allow system_basic_hap_attr sa_hiview_service:samgr_class { get }; + +allow system_basic_hap dev_file:chr_file { read write open getattr map }; +allow system_basic_hap dev_file:chr_file { ioctl }; +allowxperm system_basic_hap dev_file:chr_file ioctl { 0x8203 0x4905 0x8301 0x8404 0x830a 0x820b 0x8300 0x8401 0x8209 0x820a 0x8202 0x4909 }; + +allow system_basic_hap allocator_host:binder { call }; +allow system_basic_hap dev_graphics_file:dir { search }; +allow system_basic_hap dev_graphics_file:chr_file { read write open }; +allow system_basic_hap dev_graphics_file:chr_file { ioctl }; +allowxperm system_basic_hap dev_graphics_file:chr_file ioctl { 0x4602 0x4600 }; diff --git a/sepolicy/base/te/system_core_hap.te b/sepolicy/base/te/system_core_hap.te index 28bf94868..7cda50aa0 100644 --- a/sepolicy/base/te/system_core_hap.te +++ b/sepolicy/base/te/system_core_hap.te 
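Review bot: The new su.te grants the su domain `su:capability { setuid }`, `hdcd_exec:file { entrypoint }` and a listening TCP socket (`su:tcp_socket { … listen … }` plus `port:tcp_socket { name_bind }`) with no `debug_only(...)` or `developer_only(...)` wrapper, unlike the sandbox_manager file in this same patch, which keeps its su binder rule under `debug_only`. If the su type is only declared in debug builds these unconditional rules will fail to compile in user builds; if it is declared unconditionally, a root-capable domain that can be entered from the hdcd binary and bind network ports is being enabled in production policy. Wrapping the whole rule set in `debug_only(` … `')` is the conservative fix; either way the two commented-out `execute_no_trans` lines should be removed rather than shipped, and the header year should be 2025 rather than 2022.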
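Review bot: `allow system_basic_hap dev_file:chr_file { read write open getattr map };` and the following `allowxperm system_basic_hap dev_file:chr_file ioctl` line hand an application domain read/write and a 12-entry ioctl set on every character device that still carries the generic dev_file label, which is far broader than any single-device need. The device should get its own type in file_contexts and the rule should target that type; granting generic dev_file to a hap domain defeats the purpose of per-device labels. The dev_graphics_file read/write/ioctl and `allocator_host:binder { call }` lines in the same hunk read like a rendering path was moved into the app, so a comment naming the system app that needs framebuffer access would help justify them.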
@@ -122,3 +122,6 @@ allowxperm system_core_hap_attr dev_dri_file:chr_file ioctl { 0x641f }; allowxperm system_core_hap_attr dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800f 0x800e 0x8011 0x8014 0x8016 0x8018 0x8019 0x801d 0x801e 0x8024 0x8025 0x8026 0x8027 0x802a 0x802c 0x802d 0x802f 0x8030 0x8033 0x8034 0x8036 }; allowxperm system_core_hap_attr system_core_hap_data_file_attr:file ioctl { 0x5413 0xf50c }; allow system_core_hap_attr sa_hiview_service:samgr_class { get }; + +allow system_core_hap sa_update_distributed_service:samgr_class { get }; +allow system_core_hap updater_sa:binder { call }; diff --git a/sepolicy/base/te/time_service.te b/sepolicy/base/te/time_service.te index 2c732b2ff..89c840569 100644 --- a/sepolicy/base/te/time_service.te +++ b/sepolicy/base/te/time_service.te @@ -66,3 +66,11 @@ allow time_service tracefs_trace_marker_file:file { open write }; allow time_service domain:dir { getattr search }; allow time_service domain:file { open read }; allowxperm time_service data_service_el1_file:file ioctl { 0x5413 }; + +allow time_service wifi_manager_service:file { getattr }; +allow time_service foundation:file { getattr }; + +allow time_service data_service_el1_file:dir { ioctl }; +allowxperm time_service data_service_el1_file:dir ioctl { 0xf546 }; + +allow time_service resource_schedule_service:file { getattr }; diff --git a/sepolicy/base/te/wifi_hal_service.te b/sepolicy/base/te/wifi_hal_service.te index a51d2a047..0369ff244 100644 --- a/sepolicy/base/te/wifi_hal_service.te +++ b/sepolicy/base/te/wifi_hal_service.te @@ -64,3 +64,4 @@ allow wifi_hal_service wifi_manager_service:process { signal }; allow wifi_hal_service sa_accesstoken_manager_service:samgr_class { get }; allowxperm wifi_hal_service data_misc:file ioctl { 0x5413 }; allowxperm wifi_hal_service wifi_hal_service:unix_dgram_socket ioctl { 0x8910 }; +allow wifi_hal_service data_local_tmp:dir { search write }; 
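Review bot: `allow wifi_hal_service data_local_tmp:dir { search write };` lets a privileged HAL service write into /data/local/tmp, a directory this patch also opens to the su domain, so anything the HAL drops there can be read or replaced by a less trusted domain. If the write is for debug dumps it should move under `debug_only(...)`; if it is needed in production, the output should go to a service-owned directory with its own type. Creating a file there would also need `add_name` on the directory, so the denial may have been only partially captured.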
diff --git a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/init.te b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/init.te index cf90a3a40..ad531df4e 100644 --- a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/init.te +++ b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/init.te @@ -14,3 +14,4 @@ allow init sandbox_manager_service:process { rlimitinh siginh transition }; allow init sandbox_manager_data_file:dir { getattr open read relabelto setattr}; allow init sa_sandbox_manager_service:samgr_class { get }; +allow init sandbox_manager_service:file { write }; diff --git a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te index b0520d594..04ca289c8 100644 --- a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te +++ b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te @@ -49,3 +49,6 @@ allow sandbox_manager_service foundation:fd { use }; debug_only(` binder_call(sandbox_manager_service, su); ') + +allow sandbox_manager_service dev_console_file:chr_file { read write }; +allow sandbox_manager_service persist_param:file { read }; diff --git a/sepolicy/ohos_policy/account/os_account/system/accountmgr.te b/sepolicy/ohos_policy/account/os_account/system/accountmgr.te index e9b816b62..bf445516f 100644 --- a/sepolicy/ohos_policy/account/os_account/system/accountmgr.te +++ b/sepolicy/ohos_policy/account/os_account/system/accountmgr.te @@ -159,3 +159,7 @@ allow accountmgr msdp_sa:binder { call transfer }; debug_only(` allow accountmgr sh:binder { call }; ') + +allow accountmgr sys_prod_file:dir { search }; +allow accountmgr chip_prod_file:dir { search }; +allow accountmgr resource_schedule_service:binder { transfer }; 
diff --git a/sepolicy/ohos_policy/account/os_account/system/useriam.te b/sepolicy/ohos_policy/account/os_account/system/useriam.te index 8183384ea..a80ee3a92 100644 --- a/sepolicy/ohos_policy/account/os_account/system/useriam.te +++ b/sepolicy/ohos_policy/account/os_account/system/useriam.te @@ -15,3 +15,4 @@ debug_only(` allow useriam sh:binder { call }; ') +allow useriam dev_console_file:chr_file { read write }; diff --git a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te index 8a78d4fac..24eae2688 100644 --- a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te +++ b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te @@ -230,7 +230,7 @@ allow intell_voice_service sys_param:file { open read map }; allow intell_voice_service chip_prod_file:dir { search }; # avc_audit_slow:267] avc: denied { write } for pid=890, comm="/system/bin/sa_main" path="/dev/kmsg" dev="" ino=22 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0 -allow intell_voice_service dev_kmsg_file:chr_file { write }; +allow intell_voice_service dev_kmsg_file:chr_file { write open }; # avc_audit_slow:267] avc: denied { write } for pid=890, comm="/system/bin/sa_main" path="pipe:[13]" dev="tmpfs" ino=13 scontext=u:r:intell_voice_service:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0 allow intell_voice_service init:fifo_file { write }; 
@@ -253,3 +253,7 @@ allow intell_voice_service sa_privacy_service:samgr_class { get }; #avc: denied { get } for service=4607 pid=640 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 allow intell_voice_service sa_foundation_dms:samgr_class { get }; + +allow intell_voice_service vendor_etc_file:dir { search }; +allow intell_voice_service system_usr_file:dir { search }; +allow intell_voice_service dev_console_file:chr_file { read write }; diff --git a/sepolicy/ohos_policy/arkXtest/arkXtest/system/param_watcher.te b/sepolicy/ohos_policy/arkXtest/arkXtest/system/param_watcher.te index 3061ce987..f27eef534 100644 --- a/sepolicy/ohos_policy/arkXtest/arkXtest/system/param_watcher.te +++ b/sepolicy/ohos_policy/arkXtest/arkXtest/system/param_watcher.te @@ -11,7 +11,5 @@ # See the License for the specific language governing permissions and # limitations under the License. -developer_only(` - allow param_watcher dev_console_file:chr_file { read write }; - allow param_watcher uitest:binder { call }; -') +allow param_watcher dev_console_file:chr_file { read write }; +allow param_watcher uitest:binder { call }; diff --git a/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te b/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te index 4d4e5d85a..83c4435b0 100644 --- a/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te +++ b/sepolicy/ohos_policy/bundlemanager/bundle_framework/system/installs.te 
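Review bot: Removing the `developer_only(` wrapper makes `allow param_watcher uitest:binder { call };` and the console access unconditional, so in non-developer builds param_watcher can now bind-call the uitest domain, which presumably exists for UI automation rather than production use. If param_watcher has a production call path to uitest, the commit message should say so and the uitest type must also be declared outside developer_only or the build will break; otherwise the wrapper should stay and only the lines genuinely needed in production should be hoisted out of it.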
@@ -91,10 +91,9 @@ allow installs data_service_el1_public_print_service_file:file { unlink rename g allow installs print_driver_exec:dir { remove_name getattr setattr rename }; allow installs print_driver_exec:file { unlink rename getattr setattr }; allow installs dev_console_file:chr_file { read write }; -allow installs sysfs_devices_system_cpu:file { read }; +allow installs sysfs_devices_system_cpu:file { read open getattr }; allow installs tracefs:dir { search }; allow installs data_app_el1_file:file { ioctl }; -allow installs sysfs_devices_system_cpu:file { open }; allow installs kernel:key { search }; allow installs installs:unix_dgram_socket { getopt setopt }; allowxperm installs data_app_el1_file:file ioctl { 0x6601 0x66c8 }; diff --git a/sepolicy/ohos_policy/cast_engine_service/public/service_contexts b/sepolicy/ohos_policy/cast_engine_service/public/service_contexts new file mode 100755 index 000000000..10452d3a3 --- /dev/null +++ b/sepolicy/ohos_policy/cast_engine_service/public/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +5526 u:object_r:sa_cast_engine_service:s0 diff --git a/sepolicy/ohos_policy/cast_engine_service/public/type.te b/sepolicy/ohos_policy/cast_engine_service/public/type.te new file mode 100755 index 000000000..37f406cb0 --- /dev/null +++ b/sepolicy/ohos_policy/cast_engine_service/public/type.te 
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type sa_cast_engine_service, sa_service_attr;
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/audio_server.te b/sepolicy/ohos_policy/cast_engine_service/system/audio_server.te
new file mode 100755
index 000000000..de644df92
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/audio_server.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow audio_server cast_engine_service:binder { call };
+allow audio_server normal_hap_attr:fd { use };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te b/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te
new file mode 100755
index 000000000..cac8628e8
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te
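Review bot: `allow audio_server normal_hap_attr:fd { use };` in the new audio_server.te is a grant between audio_server and every normal hap, not a cast-engine rule, yet it is filed under cast_engine_service/system; it belongs with audio_server's own policy, where reviewers of that domain will see it. If it is needed because cast playback hands hap-owned descriptors through audio_server, say so in a comment, e.g. `# cast playback passes hap-owned fds through audio_server`, so the breadth of the attribute-wide grant is understood.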
@@ -0,0 +1,60 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type cast_engine_service, sadomain, domain;
+allow cast_engine_service foundation:binder { call };
+allow cast_engine_service hilog_param:file { map read open };
+allow cast_engine_service media_service:binder { call };
+allow cast_engine_service net_param:file { map open read };
+allow cast_engine_service net_tcp_param:file { map open read };
+allow cast_engine_service ohos_param:file { map open read };
+allow cast_engine_service sa_accesstoken_manager_service:samgr_class { get };
+allow cast_engine_service sa_cast_engine_service:samgr_class { add };
+allow cast_engine_service sa_device_service_manager:samgr_class { get };
+allow cast_engine_service sa_foundation_dms:samgr_class { get };
+allow cast_engine_service security_param:file { map open read };
+allow cast_engine_service startup_param:file { map open read };
+allow cast_engine_service dev_unix_socket:dir { search };
+allow cast_engine_service render_service:binder { call };
+allow cast_engine_service debug_param:file { map open read };
+allow cast_engine_service sys_param:file { map open read };
+allow cast_engine_service persist_param:file { map open read };
+allow cast_engine_service persist_sys_param:file { map open read };
+allow cast_engine_service system_bin_file:dir { search };
+allow cast_engine_service system_core_hap_attr:binder { call transfer };
+allow cast_engine_service tracefs:dir { search };
+allow cast_engine_service dev_console_file:chr_file { read write };
+allow cast_engine_service tracefs_trace_marker_file:file { open write };
+allow cast_engine_service sa_memory_manager_service:samgr_class { get };
+allow cast_engine_service sa_audio_policy_service:samgr_class { get };
+allow cast_engine_service sa_media_service:samgr_class { get };
+allow cast_engine_service sa_softbus_service:samgr_class { get };
+allow cast_engine_service sa_foundation_devicemanager_service:samgr_class { get };
+allow cast_engine_service device_manager:binder { call transfer };
+allow cast_engine_service audio_server:binder { call transfer };
+allow cast_engine_service softbus_server:binder { call transfer };
+allow cast_engine_service softbus_server:fd { use };
+allow cast_engine_service softbus_server:tcp_socket { read write setopt shutdown };
+allow cast_engine_service media_service:binder { call transfer };
+allow cast_engine_service medialibrary_hap:fd { use };
+allow cast_engine_service hmdfs:file { read write };
+allow cast_engine_service data_user_file:file { read write };
+allow cast_engine_service media_service:fd { use };
+allow cast_engine_service cast_engine_service:unix_dgram_socket { getopt setopt };
+allow cast_engine_service sysfs_devices_system_cpu:file { getattr read open };
+allow cast_engine_service sa_sharing_service:samgr_class { get };
+allow cast_engine_service sa_foundation_abilityms:samgr_class { get };
+allow cast_engine_service sa_powermgr_powermgr_service:samgr_class { get };
+
+allow cast_engine_service sharing_service:binder { call transfer };
+allow cast_engine_service system_basic_hap:binder { call transfer };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/device_manager.te b/sepolicy/ohos_policy/cast_engine_service/system/device_manager.te
new file mode 100755
index 000000000..6800a87eb
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/device_manager.te
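Review bot: `allow cast_engine_service media_service:binder { call };` near the top of the new file is subsumed by `allow cast_engine_service media_service:binder { call transfer };` further down; drop the first. The rules are not sorted, which is why a duplicate like this survives in a 60-line file — the rcu_host.te hunk later in the patch has the same problem, with three repeated rules. `hmdfs:file { read write }` and `data_user_file:file { read write }` without `open` imply the service only touches descriptors handed to it (`medialibrary_hap:fd { use }`), which is the narrower and better shape; a comment such as `# user files are reached only via fds passed from haps; no open` would stop a later change from adding `open` casually. The `dev_console_file:chr_file { read write }` line is a debug aid and belongs under `debug_only(`.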
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow device_manager cast_engine_service:binder { call };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/init.te b/sepolicy/ohos_policy/cast_engine_service/system/init.te
new file mode 100755
index 000000000..b1898e55c
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/init.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow init cast_engine_service:process { transition rlimitinh siginh };
+allow init cast_engine_service:file { write };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/normal_hap.te b/sepolicy/ohos_policy/cast_engine_service/system/normal_hap.te
new file mode 100755
index 000000000..bbd99ea80
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/normal_hap.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow normal_hap_attr sa_cast_engine_service:samgr_class { get };
+allow normal_hap_attr cast_engine_service:binder { call transfer };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/softbus_server.te b/sepolicy/ohos_policy/cast_engine_service/system/softbus_server.te
new file mode 100755
index 000000000..c88948bd2
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/softbus_server.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow softbus_server cast_engine_service:binder { call };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/system_basic_hap.te b/sepolicy/ohos_policy/cast_engine_service/system/system_basic_hap.te
new file mode 100755
index 000000000..2ea36e427
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/system_basic_hap.te
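Review bot: `allow normal_hap_attr cast_engine_service:binder { call transfer };` together with the samgr `get` opens the new system ability to every normal (third-party) hap, and the system_basic_hap.te and system_core_hap.te hunks next to it do the same for the privileged tiers. That makes the binder interface the service's entire attack surface, so each IPC entry point has to verify the caller's access token or permission itself — the `sa_accesstoken_manager_service:samgr_class { get }` rule in cast_engine_service.te suggests it does, but the policy cannot enforce that. The file's only text is the license header; a line such as `# any hap may reach the cast engine SA; caller permissions are checked inside the service` records the decision for the next audit.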
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow system_basic_hap_attr sa_cast_engine_service:samgr_class { get };
+allow system_basic_hap_attr cast_engine_service:binder { call transfer };
diff --git a/sepolicy/ohos_policy/cast_engine_service/system/system_core_hap.te b/sepolicy/ohos_policy/cast_engine_service/system/system_core_hap.te
new file mode 100755
index 000000000..962dfe245
--- /dev/null
+++ b/sepolicy/ohos_policy/cast_engine_service/system/system_core_hap.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow system_core_hap_attr cast_engine_service:binder { call transfer };
+allow system_core_hap_attr sa_cast_engine_service:samgr_class { get };
diff --git a/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te b/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
index 9fc5cdcfb..01a8e7aa5 100644
--- a/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
+++ b/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
@@ -87,3 +87,12 @@ allow blue_host data_vendor:dir { add_name write };
 allow blue_host data_vendor:file { create read write open };
 allow blue_host blue_host:capability { sys_nice };
+allow blue_host dev_file:chr_file { open read write };
+
+allow blue_host dev_console_file:chr_file { read write };
+allow blue_host blue_host:udp_socket { create setopt bind };
+allow blue_host port:udp_socket { name_bind };
+
+allow blue_host data_misc:dir { search };
+
+allow blue_host node:udp_socket { node_bind };
diff --git a/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te b/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
index 0db6ac780..cd1188865 100644
--- a/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
+++ b/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
@@ -176,7 +176,7 @@ allowxperm bluetooth_service data_log:file ioctl { 0x5413 };
 #avc: denied { call } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1
 #avc: denied { transfer } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1
 allow bluetooth_service a2dp_host:binder { call transfer };
-
+allow bluetooth_service rcu_host:binder { call transfer };
 #avc: denied { get } for service=3009 pid=283 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1
 allow bluetooth_service sa_audio_policy_service:samgr_class { get };
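Review bot: `allow blue_host dev_file:chr_file { open read write };` grants read/write on every character device that still carries the generic `dev_file` label, not just the node blue_host needs; the rcu_host.te hunk later in the patch adds the same grant with `ioctl` and a watch on `dev_file:dir`. Give the device node its own type in the file contexts and allow that type instead, the way `dev_hdf_kevent` and `dev_input_file` are handled elsewhere in this patch. Likewise `allow blue_host port:udp_socket { name_bind };` lets the daemon bind any port under the default `port` label; a dedicated port type narrows that to the port it actually listens on. The blank lines between the new rules follow no pattern; group the three udp_socket rules together.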
@@ -226,3 +226,20 @@ allow bluetooth_service medialibrary_hap:fd { use };
 allow bluetooth_service sharefs:file { ioctl write };
 allowxperm bluetooth_service sharefs:file ioctl { 0x5413 };
+allow bluetooth_service sa_resource_schedule:samgr_class { get };
+allow bluetooth_service av_session:binder { call };
+allow appspawn share_public_file:dir { getattr };
+allow appspawn data_service_el1_utd_file:dir { getattr };
+allow foundation sa_accessibleabilityms:samgr_class { get };
+allow netmanager sa_comm_net_stats_manager_service:samgr_class { get };
+allow resource_schedule_service sa_accountmgr:samgr_class { get };
+allow resource_schedule_service sa_distributeddata_service:samgr_class { get };
+allow storage_manager sa_distributeddata_service:samgr_class { get };
+allow wifi_hal_service data_local_tmp:dir { search write };
+allow app_domain_verify_agent persist_sys_param:file { open read };
+allow app_domain_verify_agent sys_param:file { open read };
+allow init init:capability { sys_module };
+allow intell_voice_service powermgr:binder { transfer };
+allow render_service sysfs_devices_system_cpu:dir { open };
+allow distributeddata storage_manager:binder { transfer };
+allow sandbox_manager_service persist_param:file { open map };
diff --git a/sepolicy/ohos_policy/communication/bluetooth/system/rcu_host.te b/sepolicy/ohos_policy/communication/bluetooth/system/rcu_host.te
new file mode 100755
index 000000000..409f99e91
--- /dev/null
+++ b/sepolicy/ohos_policy/communication/bluetooth/system/rcu_host.te
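Review bot: Fifteen of the seventeen added lines are rules for domains other than bluetooth_service (appspawn, foundation, netmanager, init, render_service, distributeddata, sandbox_manager_service, …) dropped into bluetooth_service.te; each belongs in its subject's own .te file, otherwise anyone auditing init's or appspawn's policy will never find them. `allow init init:capability { sys_module };` in particular grants kernel-module loading to init and should live in init's policy with a comment naming what it loads, e.g. `# init loads <module> at boot`; `allow wifi_hal_service data_local_tmp:dir { search write };` gives a HAL write access to the shared debug directory and reads like a `developer_only(` rule. Keep only the `sa_resource_schedule` and `av_session` lines here and move the rest.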
@@ -0,0 +1,85 @@
+# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#avc: denied { read } rcu_host proc_file tclass=file
+#avc: denied { open } rcu_host proc_file tclass=file
+allow rcu_host proc_file:file { read open };
+
+#avc: denied { open } rcu_host musl_param tclass=file
+#avc: denied { map } rcu_host musl_param tclass=file
+#avc: denied { read } rcu_host musl_param tclass=file
+allow rcu_host musl_param:file { open map read };
+
+#avc: denied { get } for service=1130 pid=2180 scontext=u:r:rcu_host:s0 context=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1
+allow rcu_host sa_bluetooth_server:samgr_class { get };
+
+allow rcu_host hdf_device_manager:hdf_devmgr_class { get };
+allow rcu_host hdf_audio_rcu_hdi_service:hdf_devmgr_class { add };
+allow rcu_host hdf_bluetooth_audio_session_service:hdf_devmgr_class { add };
+allow rcu_host sa_device_service_manager:samgr_class { get };
+
+allow rcu_host bootevent_param:file { map open read };
+allow rcu_host bootevent_samgr_param:file { map open read };
+allow rcu_host build_version_param:file { map open read };
+allow rcu_host const_allow_mock_param:file { map open read };
+allow rcu_host const_allow_param:file { map open read };
+allow rcu_host const_build_param:file { map open read };
+allow rcu_host const_display_brightness_param:file { map open read };
+allow rcu_host const_param:file { map open read };
+allow rcu_host const_postinstall_fstab_param:file { map open read };
+allow rcu_host const_postinstall_param:file { map open read };
+allow rcu_host const_product_param:file { map open read };
+allow rcu_host debug_param:file { map open read };
+allow rcu_host default_param:file { map open read };
+allow rcu_host dev_hdf_kevent:chr_file { getattr ioctl open read write };
+allow rcu_host dev_unix_socket:dir { search };
+allow rcu_host distributedsche_param:file { map open read };
+allow rcu_host hdf_audio_rcu_hdi_service:hdf_devmgr_class { add };
+allow rcu_host hdf_device_manager:hdf_devmgr_class { get };
+allow rcu_host hdf_devmgr:binder { call transfer };
+allow rcu_host hilog_param:file { map open read };
+allow rcu_host hw_sc_build_os_param:file { map open read };
+allow rcu_host hw_sc_build_param:file { map open read };
+allow rcu_host hw_sc_param:file { map open read };
+allow rcu_host init_param:file { map open read };
+allow rcu_host init_svc_param:file { map open read };
+allow rcu_host input_pointer_device_param:file { map open read };
+allow rcu_host net_param:file { map open read };
+allow rcu_host net_tcp_param:file { map open read };
+allow rcu_host ohos_boot_param:file { map open read };
+allow rcu_host ohos_param:file { map open read };
+allow rcu_host persist_param:file { map open read };
+allow rcu_host persist_sys_param:file { map open read };
+allow rcu_host sa_device_service_manager:samgr_class { get };
+allow rcu_host samgr:binder { call };
+allow rcu_host security_param:file { map open read };
+allow rcu_host startup_param:file { map open read };
+allow rcu_host sys_param:file { map open read };
+allow rcu_host system_bin_file:dir { search };
+allow rcu_host sys_usb_param:file { map open read };
+allow rcu_host vendor_etc_file:dir { search };
+allow rcu_host vendor_etc_file:file { getattr open read };
+allowxperm rcu_host dev_hdf_kevent:chr_file ioctl { 0x6202 0x6203 };
+
+#avc: denied { call } for pid=2029 comm="rcu_host" scontext=u:r:rcu_host:s0 context=u:r:bluetooth_service:s0 tclass=binder permissive=1
+#avc: denied { transfer } for pid=2029 comm="rcu_host" scontext=u:r:rcu_host:s0 context=u:r:bluetooth_service:s0 tclass=binder permissive=1
+allow rcu_host bluetooth_service:binder { call transfer };
+
+#avc: denied { open } for rcu_host dev_ashmem_file tclass=chr_file
+allow rcu_host dev_ashmem_file:chr_file { open };
+#allow rcu_host rcu_host:capability { sys_nice };
+
+allow rcu_host dev_file:chr_file { read write open ioctl };
+allowxperm rcu_host dev_file:chr_file ioctl { 0x4801 0x4802 0x4803 0x4804 0x4805 };
+
+allow rcu_host dev_file:dir { read watch open };
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
index 2de6c84d4..c9c76126d 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
@@ -21,6 +21,7 @@ allow netmanager data_file:dir { remove_name rmdir search };
 allow netmanager data_init_agent:dir { search };
 allow netmanager data_init_agent:file { ioctl open read append };
 allow netmanager data_service_el1_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write rmdir };
+allowxperm netmanager data_service_el1_file:file ioctl { 0xf50c };
 allow netmanager data_service_el1_file:file { append create getattr ioctl lock map open read setattr unlink write };
 allow netmanager data_service_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write };
 allow netmanager data_system:dir { add_name search write };
diff --git a/sepolicy/ohos_policy/communication/wifi/system/wifi_manager_service.te b/sepolicy/ohos_policy/communication/wifi/system/wifi_manager_service.te
index bbf9603d5..23bcc8df2 100644
--- a/sepolicy/ohos_policy/communication/wifi/system/wifi_manager_service.te
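Review bot: Three rules appear twice in the new rcu_host.te — `allow rcu_host hdf_audio_rcu_hdi_service:hdf_devmgr_class { add };`, `allow rcu_host hdf_device_manager:hdf_devmgr_class { get };` and `allow rcu_host sa_device_service_manager:samgr_class { get };` are in the short block after `sa_bluetooth_server` and again in the sorted block below; delete the first copies. `allow rcu_host dev_file:chr_file { read write open ioctl };` with xperms 0x4801–0x4805, and `dev_file:dir { read watch open }`, target the generic `/dev` label rather than a type for the device rcu_host drives, the same concern raised on blue_host's `dev_file` grant earlier in the patch; `proc_file:file { read open }` is likewise the catch-all proc label, so the `#avc` comment above it should name the entry being read or the entry should get its own type. The commented-out `#allow rcu_host rcu_host:capability { sys_nice };` should be removed or explained, and the two `#avc` comments above the bluetooth_service rule write `context=` where the kernel prints `tcontext=`, which hints they were edited by hand.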
+++ b/sepolicy/ohos_policy/communication/wifi/system/wifi_manager_service.te
@@ -263,3 +263,6 @@ allow wifi_manager_service device_manager:binder { call };
 allow wifi_manager_service data_service_el1_file:dir { read open ioctl };
 allowxperm wifi_manager_service data_service_el1_file:dir ioctl { 0xf546 0xf547 };
 allowxperm wifi_manager_service data_service_el1_file:file ioctl { 0xf547 };
+###############需要解决编译问题 yexuan ##############################
+# allow wifi_manager_service vendor_etc_file:dir { search };
+allow wifi_manager_service netsysnative:binder { transfer };
diff --git a/sepolicy/ohos_policy/developtools/hdc/public/type.te b/sepolicy/ohos_policy/developtools/hdc/public/type.te
index 97559dacb..f6bb0c16a 100644
--- a/sepolicy/ohos_policy/developtools/hdc/public/type.te
+++ b/sepolicy/ohos_policy/developtools/hdc/public/type.te
@@ -13,4 +13,5 @@
 type hdcd_user_permit, native_system_domain, domain;
 type hdcd_user_permit_exec, exec_attr, file_attr, system_file_attr;
+# type developtools_hdc_auth_param, parameter_attr;
 domain_auto_transition_pattern(hdcd, hdcd_user_permit_exec, hdcd_user_permit);
diff --git a/sepolicy/ohos_policy/developtools/hdc/system/hdcd.te b/sepolicy/ohos_policy/developtools/hdc/system/hdcd.te
index 0068bf4ca..ff3de24c4 100644
--- a/sepolicy/ohos_policy/developtools/hdc/system/hdcd.te
+++ b/sepolicy/ohos_policy/developtools/hdc/system/hdcd.te
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License
 type developtools_hdc_control_param, parameter_attr;
-type developtools_hdc_auth_param, parameter_attr;
+# type developtools_hdc_auth_param, parameter_attr;
 developer_only(`
 allow hdcd data_local:file { read open getattr create write };
diff --git a/sepolicy/ohos_policy/developtools/profiler/system/other.te b/sepolicy/ohos_policy/developtools/profiler/system/other.te
index 9c561e6ae..e24826dfc 100644
--- a/sepolicy/ohos_policy/developtools/profiler/system/other.te
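Review bot: `###############需要解决编译问题 yexuan ##############################` is a personal to-do carrying an author's name, written in Chinese, committed into the policy, and the rule under it is left commented out. If `vendor_etc_file:dir { search }` cannot be added yet (a neverallow is the usual reason a .te rule breaks the build), say so in English and track it, e.g. `# TODO: vendor_etc_file:dir search is blocked by a build-time policy check; see <issue-id>`, or drop both lines and add the rule in the change that resolves the blocker.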
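Review bot: Commenting out `type developtools_hdc_auth_param, parameter_attr;` in hdcd.te, and adding the commented copy to hdc/public/type.te, removes the type that by its name labels hdc's authentication parameters; whichever parameter_contexts entry referenced it must have changed as well, or the build fails, and if those parameters now fall under a broader label, domains other than hdcd may be able to set them. The hunk gives no reason, and commented-out policy in two files is worse than a deletion: either delete the line or replace it with `# hdc auth params are labelled <type> since <change>` so the relabel is traceable. The `developer_only(` block that begins on the last context line of the hdcd.te hunk continues outside it.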
+++ b/sepolicy/ohos_policy/developtools/profiler/system/other.te
@@ -63,11 +63,16 @@ allow init data_updater_file:dir add_name;
 allow init data_service_el0_file:dir relabelfrom;
 allow init data_startup:file getattr;
 allow init musl_param:file read;
-allow init chip_prod_file:dir search;
-allow init sys_prod_file:dir search;
+allow init chip_prod_file:dir { search getattr read open };
+allow init chip_prod_file:file { getattr read open };
+allow init sys_prod_file:dir { search getattr read open };
+allow init sys_prod_file:file { getattr read open };
 allow init data_local_tmp:dir search;
 allow init dev_unix_socket:sock_file unlink;
+allow init data_mediadrm:dir { setattr };
+allow init data_hdc_pubkeys:dir { getattr setattr };
+
 allow samgr appspawn:binder transfer;
 allow samgr appspawn:dir search;
 allow samgr appspawn:file { open read };
diff --git a/sepolicy/ohos_policy/developtools/smartperf/system/console.te b/sepolicy/ohos_policy/developtools/smartperf/system/console.te
index 43894cec7..b6225fa3f 100644
--- a/sepolicy/ohos_policy/developtools/smartperf/system/console.te
+++ b/sepolicy/ohos_policy/developtools/smartperf/system/console.te
@@ -14,9 +14,9 @@ debug_only(`
 allow console dev_console_file:chr_file { ioctl read write };
 allow console lib_file:lnk_file { read };
-allow console system_bin_file:dir { search };
+allow console system_bin_file:dir { search read open };
 allow console system_bin_file:file { execute execute_no_trans getattr map read open };
-allow console system_bin_file:lnk_file { read };
+allow console system_bin_file:lnk_file { read getattr };
 allow console toybox_exec:file { execute execute_no_trans getattr map read open };
 allow console toybox_exec:lnk_file { read };
 allow console tty_device:chr_file { ioctl };
diff --git a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
index ec2006bc8..be02ed9b0 100644
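Review bot: `allow init data_hdc_pubkeys:dir { getattr setattr };` lets init change the mode and ownership of the hdc public-key directory, which is part of the same hdc authentication path this patch touches in hdcd.te; a comment naming the init job that needs it, e.g. `# init fixes ownership of the hdc key store at boot`, would make the grant auditable next to that change. These init and samgr rules also live in developtools/profiler/system/other.te, where nobody reviewing init's policy will look; the cast_engine_service hunks in this patch show the per-module init.te layout, and these lines would be easier to find there.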
--- a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
+++ b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
@@ -232,3 +232,11 @@ allowxperm distributeddata data_service_el2_pasteboard_service:file ioctl { 0xf5
 allow distributeddata usb_service:binder { transfer };
 allow distributeddata concurrent_task_service:binder { call };
 allow distributeddata sa_concurrent_task_service:samgr_class { get };
+
+allow distributeddata data_service_el1_file:dir { ioctl };
+allowxperm distributeddata data_service_el1_file:dir ioctl { 0xf546 };
+
+allow distributeddata dev_kmsg_file:chr_file { write open };
+allow distributeddata dev_kmsg_file:chr_file { open };
+allow distributeddata sysfs_devices_system_cpu:file { read open getattr };
+
diff --git a/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/service.te b/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/service.te
new file mode 100755
index 000000000..b0ff15a33
--- /dev/null
+++ b/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/service.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Hunan OpenValley Digital Industry Development Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type sa_file_share_service, sa_service_attr;
diff --git a/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/type.te b/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/type.te
new file mode 100755
index 000000000..ed103557e
--- /dev/null
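Review bot: `allow distributeddata dev_kmsg_file:chr_file { open };` directly after `allow distributeddata dev_kmsg_file:chr_file { write open };` is redundant; delete it, and the trailing `+` blank line leaves a stray empty line at the end of the file. Writing to the kernel log from a data service is unusual; if the kmsg rule is only for debugging, put it under `debug_only(` as console.te does, otherwise add a one-line comment saying what is logged there.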
+++ b/sepolicy/ohos_policy/distributeddatamgr/fileshare/public/type.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Hunan OpenValley Digital Industry Development Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type file_share_service, sadomain, domain;
diff --git a/sepolicy/ohos_policy/distributeddatamgr/fileshare/system/service_contexts b/sepolicy/ohos_policy/distributeddatamgr/fileshare/system/service_contexts
new file mode 100755
index 000000000..5c072293b
--- /dev/null
+++ b/sepolicy/ohos_policy/distributeddatamgr/fileshare/system/service_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+9555 u:object_r:sa_file_share_service:s0
diff --git a/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te b/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
index 4a52c085c..18e3b13f3 100644
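Review bot: `type file_share_service, sadomain, domain;` declares a new SA domain, but nothing in this patch gives it allow rules, an exec type or an init transition (compare the cast_engine_service hunks, which ship init.te and a full policy file alongside the type). If those arrive in a later patch of the series that is fine; otherwise the domain can never be entered and the declaration is dead. The layout is also inconsistent with cast_engine_service: here the sa type sits in `public/service.te` and service_contexts under `system/`, there the sa type is in `public/type.te` and service_contexts under `public/`; pick one convention.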
--- a/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
+++ b/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
@@ -349,3 +349,6 @@ allowxperm device_manager data_service_el1_file:file ioctl { 0xf50c 0x5413 0xf54
 allow device_manager data_file:dir { search };
 allow device_manager chip_prod_file:dir { search };
 allow device_manager foundation:fd { use };
+
+allow device_manager data_service_el1_file:dir { ioctl };
+allowxperm device_manager data_service_el1_file:dir ioctl { 0xf546 };
diff --git a/sepolicy/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te b/sepolicy/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te
index b6a5f25f7..679e7884a 100644
--- a/sepolicy/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te
+++ b/sepolicy/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te
@@ -121,7 +121,8 @@ allow dhardware data_service_el1_file:dir { search write add_name create getattr
 #avc: denied { map } for pid=2403 comm="dhardware" path="/data/xxx//main/gen_natural_store.db-shm" dev="mmcblk0p11" ino=784139 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
 #avc: denied { setattr } for pid=2455 comm="dhardware" name="gen_natural_store.db" dev="mmcblk0p11" ino=1175817 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
 allow dhardware data_service_el1_file:file { create write open read getattr ioctl lock unlink map setattr };
-
+allow dhardware data_service_el1_file:dir { ioctl };
+allowxperm dhardware data_service_el1_file:dir ioctl { 0xf546 };
 #avc: denied { call } for pid=2451 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
 allow dhardware accesstoken_service:binder { call };
 debug_only(`
diff --git a/sepolicy/ohos_policy/distributedhardware/distributed_input/system/dhardware.te b/sepolicy/ohos_policy/distributedhardware/distributed_input/system/dhardware.te
index 41ae7462f..79a340e16 100644
--- a/sepolicy/ohos_policy/distributedhardware/distributed_input/system/dhardware.te
+++ b/sepolicy/ohos_policy/distributedhardware/distributed_input/system/dhardware.te
@@ -23,6 +23,9 @@ allow dhardware dev_console_file:chr_file { open read write getattr setattr };
 allow dhardware dev_input_file:chr_file { open read write getattr setattr };
+allow dhardware dev_input_file:chr_file { ioctl };
+allowxperm dhardware dev_input_file:chr_file ioctl { 0x455c };
+
 allow dhardware dev_file:dir { getattr setattr };
 allow dhardware resource_schedule_service:binder { call };
diff --git a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
index a1cb70d85..b20886066 100644
--- a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
+++ b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
@@ -27,7 +27,11 @@ allow distributedsche accountmgr:binder { call };
 allow distributedsche data_file:dir { search };
 allow distributedsche data_service_file:dir { search };
 allow distributedsche data_service_el1_file:dir { add_name open read search write getattr create remove_name rmdir };
-allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink rename};
+allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink rename append };
+allow distributedsche data_service_el2_file:dir { search write };
+allow distributedsche data_service_el2_file:file { append };
+allow distributedsche data_service_el2_file:file { ioctl };
+allowxperm distributedsche data_service_el2_file:file ioctl { 0x5413 };
 allow distributedsche deviceauth_service:binder { call };
 allow distributedsche device_manager:binder { transfer };
 allow distributedsche dev_ashmem_file:chr_file { open };
diff --git a/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te
index dfd958756..0ca69385b 100644
--- a/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te
+++ b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te
@@ -83,7 +83,7 @@ allow samgr system_bin_file:dir { search };
 allow samgr system_file:file { getattr map open read };
-allow samgr system_profile_file:dir { open read };
+allow samgr system_profile_file:dir { open read getattr };
 #avc: denied { getopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1
 #avc: denied { setopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1
diff --git a/sepolicy/ohos_policy/drivers/adapter/public/hdf_service.te b/sepolicy/ohos_policy/drivers/adapter/public/hdf_service.te
index 2585dd181..ceb916f0a 100644
--- a/sepolicy/ohos_policy/drivers/adapter/public/hdf_service.te
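Review bot: distributedsche gains its first access to data_service_el2_file in this hunk (`dir { search write }`, `file { append }`, `file { ioctl }` plus xperm 0x5413) with no comment on which path under el2 is touched; if el2 is, as its name suggests, the per-user credential-protected storage area, the reason a scheduling service needs to write there is worth one line next to the rules. `write` on the dir without `add_name` or `create` also looks like a partially copied denial — confirm against the avc log that the dir write is really needed on its own. Stylistically the two file rules collapse into one: `allow distributedsche data_service_el2_file:file { append ioctl };`.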
+++ b/sepolicy/ohos_policy/drivers/adapter/public/hdf_service.te
@@ -65,6 +65,7 @@ type hdf_usbhost_ecm_pnp_service, hdf_service_attr;
 type hdf_usbhost_acm_pnp_test_service, hdf_service_attr;
 type hdf_sample_driver_service, hdf_service_attr;
 type hdf_audio_bluetooth_hdi_service, hdf_service_attr;
+type hdf_audio_rcu_hdi_service, hdf_service_attr;
 type hdf_bluetooth_audio_session_service, hdf_service_attr;
 type hdf_wlan_hal_c_service, hdf_service_attr;
 type hdf_audio_hdi_pnp_service, hdf_service_attr;
diff --git a/sepolicy/ohos_policy/drivers/adapter/public/hdf_service_contexts b/sepolicy/ohos_policy/drivers/adapter/public/hdf_service_contexts
index a6b3702bd..97551509e 100644
--- a/sepolicy/ohos_policy/drivers/adapter/public/hdf_service_contexts
+++ b/sepolicy/ohos_policy/drivers/adapter/public/hdf_service_contexts
@@ -37,6 +37,7 @@ usbfn_cdcacm u:object_r:hdf_usbfn_cdcacm:s0
 audio_hdi_service u:object_r:hdf_audio_hdi_service:s0
 audio_hdi_usb_service u:object_r:hdf_audio_hdi_usb_service:s0
 audio_hdi_a2dp_service u:object_r:hdf_audio_hdi_a2dp_service:s0
+audio_hdi_rcu_service u:object_r:hdf_audio_hdi_rcu_service:s0
 audio_manager_service u:object_r:hdf_audio_manager_service:s0
 effect_model_service u:object_r:hdf_effect_model_service:s0
 wlan_hal_service u:object_r:hdf_wlan_hal_service:s0
@@ -67,6 +68,7 @@ usbhost_ecm_pnp_service u:object_r:hdf_usbhost_ecm_pnp_service:s
 usbhost_acm_pnp_test_service u:object_r:hdf_usbhost_acm_pnp_test_service:s0
 sample_driver_service u:object_r:hdf_sample_driver_service:s0
 audio_bluetooth_hdi_service u:object_r:hdf_audio_bluetooth_hdi_service:s0
+audio_rcu_hdi_service u:object_r:hdf_audio_rcu_hdi_service:s0
 bluetooth_audio_session_service u:object_r:hdf_bluetooth_audio_session_service:s0
 wlan_hal_c_service u:object_r:hdf_wlan_hal_c_service:s0
 audio_hdi_pnp_service u:object_r:hdf_audio_hdi_pnp_service:s0
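Review bot: Two distinct service types with near-identical names are introduced for what reads like one device: `hdf_audio_rcu_hdi_service` (declared here in hdf_service.te and mapped from `audio_rcu_hdi_service` in hdf_service_contexts) and `hdf_audio_hdi_rcu_service` (mapped from `audio_hdi_rcu_service` here and declared in multimedia/audio/public/type.te later in this patch). audio_server is granted `get` on both while audio_host is only granted `add` on hdf_audio_hdi_rcu_service, so if only one of the two service names is actually registered the other type is dead and its `get` rule a silent no-op. Confirm both names exist in the HDI service list, or keep the one that does and drop the other declaration, context entry and allow rule.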
diff --git a/sepolicy/ohos_policy/drivers/adapter/public/type.te b/sepolicy/ohos_policy/drivers/adapter/public/type.te
index d80496f54..2fe4bf2e8 100644
--- a/sepolicy/ohos_policy/drivers/adapter/public/type.te
+++ b/sepolicy/ohos_policy/drivers/adapter/public/type.te
@@ -17,6 +17,7 @@ type sa_hdf_ext_devmgr, sa_service_attr;
 type blue_host, hdfdomain, domain;
 type a2dp_host, hdfdomain, domain;
+type rcu_host, hdfdomain, domain;
 type sample_host, hdfdomain, domain;
 type light_host, hdfdomain, domain;
 type dcamera_host, hdfdomain, domain;
diff --git a/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te
index edf980084..f90cdf2ed 100644
--- a/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te
+++ b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te
@@ -85,6 +85,10 @@ allow hdf_devmgr a2dp_host:binder { call transfer };
 allow hdf_devmgr a2dp_host:dir { search };
 allow hdf_devmgr a2dp_host:file { open read };
 allow hdf_devmgr a2dp_host:process { getattr };
+allow hdf_devmgr rcu_host:binder { call transfer };
+allow hdf_devmgr rcu_host:dir { search };
+allow hdf_devmgr rcu_host:file { open read };
+allow hdf_devmgr rcu_host:process { getattr };
 allow hdf_devmgr blue_host:binder { call transfer };
 allow hdf_devmgr blue_host:dir { search };
 allow hdf_devmgr blue_host:file { open read };
@@ -225,3 +229,6 @@ allow hdf_devmgr wifi_manager_service:binder { transfer };
 allow hdf_devmgr bootevent_param:file { map open read };
 allow hdf_devmgr bootevent_samgr_param:file { map open read };
+
+allow hdf_devmgr system_basic_hap:binder { transfer };
+allow hdf_devmgr bootanimation:binder { transfer };
diff --git a/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te b/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
index 1520c03ef..0bb09cc1f 100644
--- a/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
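Review bot: The second hdf_devmgr.te hunk appends `allow hdf_devmgr system_basic_hap:binder { transfer };` and `allow hdf_devmgr bootanimation:binder { transfer };` with no comment, and system_basic_hap appears to be the shared domain for a whole class of applications rather than one process (the patch elsewhere uses a separate `system_basic_hap_attr`). Letting the vendor device manager hand binder references into application domains is a new trust edge; record which caller triggered the denial, and if a single application is the consumer, target its specific domain type instead of the shared one. The rcu_host block in the first hunk is consistent with the a2dp_host block it copies and needs no change.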
+++ b/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
@@ -128,3 +128,11 @@ allowxperm hdf_ext_devmgr dev_uinput:chr_file ioctl { 0x5568 };
 allow hdf_ext_devmgr hdf_usb_ddk_service:hdf_devmgr_class { get };
 allow hdf_ext_devmgr hdf_usb_serial_ddk_service:hdf_devmgr_class { get };
 allow hdf_ext_devmgr hdf_scsi_peripheral_ddk_service:hdf_devmgr_class { get };
+
+allow hdf_ext_devmgr hdf_ext_devmgr_file:dir { ioctl };
+allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:dir ioctl { 0xf546 };
+allow hdf_ext_devmgr hdf_ext_devmgr_file:file { ioctl };
+allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:file ioctl { 0xf546 };
+
+allow hdf_ext_devmgr sys_param:file { read open map };
+allow hdf_ext_devmgr hdf_ext_devmgr:unix_dgram_socket { getopt setopt };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te b/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
index 983423228..c19a4d654 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
@@ -68,6 +68,7 @@ allow audio_host hdf_device_manager:hdf_devmgr_class { get };
 allow audio_host hdf_audio_hdi_service:hdf_devmgr_class { add };
 allow audio_host dev_unix_socket:dir { search };
 allow audio_host hdf_audio_hdi_a2dp_service:hdf_devmgr_class { add };
+allow audio_host hdf_audio_hdi_rcu_service:hdf_devmgr_class { add };
 allow audio_host hdf_devmgr:binder { call transfer };
 allow audio_host chip_prod_file:dir { search };
 allow audio_host chip_prod_file:file { read open getattr };
@@ -140,3 +141,8 @@ allow audio_host sys_prod_file:dir { search };
 # /sys/class/switch
 allow audio_host sysfs_switch:file { open read getattr };
+
+allow audio_host dev_file:chr_file { read write };
+allow audio_host dev_file:chr_file { open };
+allow audio_host dev_file:chr_file { ioctl };
+allowxperm audio_host dev_file:chr_file ioctl { 0x1100 0x1159 0x1101 0x1155 0x1156 0x1163 };
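Review bot: The second audio_host hunk grants `read write`, `open` and `ioctl` (0x1100 through 0x1163) on `dev_file:chr_file`; if dev_file is the catch-all label for /dev nodes that have no dedicated type (this file otherwise targets specific types such as dev_unix_socket and sysfs_switch), the rule opens every unlabelled device node to audio_host rather than the one it needs. Give that node its own type in the file contexts and point the rules at it; the same dev_file pattern is added in allocator_host.te and composer_host.te later in this patch. The three `allow` lines also belong on one: `allow audio_host dev_file:chr_file { read write open ioctl };`, with a comment naming the device the ioctl numbers belong to.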
diff --git a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
index 872f5380d..705154490 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
@@ -118,3 +118,4 @@ allowxperm camera_host dev_mpp:chr_file ioctl { 0x7601 };
 allowxperm camera_host dev_rga:chr_file ioctl { 0x5017 0x5019 0x601b };
 allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 0x5605 0x5608 0x5609 0x560f 0x5611 0x5612 0x5613 0x561b 0x564a 0x5602 0x5624 0x564b 0x5625 0x5616 };
 allowxperm camera_host hidumper_file:file ioctl 0x5413;
+allow camera_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te b/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te
index b40de207e..214da5164 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te
@@ -76,3 +76,5 @@ allow clearplay_host hap_domain:fd { use };
 #avc: denied { get } for service=1151 pid=5890 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1
 allow drm_service sa_net_conn_manager:samgr_class { get };
+
+allow clearplay_host persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/init.te b/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/init.te
index 0473d292c..61cfc2c19 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/init.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/clearplay/vendor/init.te
@@ -12,3 +12,4 @@
 # limitations under the License.
 allow init clearplay_host:process { rlimitinh siginh transition };
+allow init clearplay_host:file { write };
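Review bot: `allow camera_host dev_console_file:chr_file { read write };` is the first of many per-domain copies of the same rule in this patch (input_user_host, intell_voice_host, power_host, pin_auth_host, allocator_host, bgtaskmgr_service, concurrent_task_service, resource_schedule_executor, accesstoken_service and asset_service get it too), and none of them says why a hardware host or a system service needs the console device. If this is stdout/stderr being redirected to the console at startup, the usual fix is one attribute-level rule or a shared macro with a single justification, not a grant that is pasted into each .te file; write access to the console is also a log-spoofing channel, so keeping it in one reviewable place matters.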
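Review bot: `allow init clearplay_host:file { write };` in the clearplay init.te hunk targets the domain type with the `file` class, which for a process type presumably means a /proc/<pid> entry, but the rule does not say which file init writes; the same unexplained rule is added for av_codec_service in multimedia/av_codec/system/init.te. Add the `#avc: denied { write } ... path=...` line the denial produced above each rule, matching the comment style the av_codec init.te already uses for its process rule.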
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
index acf745d4e..344f22a5c 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
@@ -57,3 +57,15 @@ allow allocator_host vendor_etc_file:dir { search };
 allow allocator_host vendor_etc_file:file { getattr open read };
 allowxperm allocator_host dev_dri_file:chr_file ioctl { 0x641f 0x642d 0x64b2 0x64b4 };
 allowxperm allocator_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
+
+allow allocator_host dev_console_file:chr_file { read write };
+
+allow allocator_host dev_file:chr_file { ioctl };
+allow allocator_host dev_file:chr_file { read };
+allow allocator_host dev_file:chr_file { open };
+allowxperm allocator_host dev_file:chr_file ioctl { 0x4900 0x4901 0x4904 0x4905 0x4909 0x490a };
+
+allow allocator_host dev_graphics_file:dir { search };
+allow allocator_host dev_graphics_file:chr_file { read write open map };
+allow allocator_host dev_graphics_file:chr_file { ioctl };
+allowxperm allocator_host dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
index 70ca1b619..720868772 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
@@ -92,3 +92,13 @@ allowxperm composer_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allowxperm composer_host dev_rga:chr_file ioctl { 0x5017 0x601b };
 allow composer_host composer_host:capability {sys_nice};
 allow hap_domain composer_host:fd { use };
+
+allow composer_host dev_graphics_file:chr_file { ioctl };
+allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4694 0x4600 0x4692 0x4664 };
+
+allow composer_host dev_file:chr_file { ioctl };
+allowxperm composer_host dev_file:chr_file ioctl { 0x405 0x300 0x6d14 };
+
+allow composer_host dev_file:chr_file { read write };
+allow composer_host dev_file:chr_file { open };
+allow composer_host dev_file:chr_file { getattr };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te b/sepolicy/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te
index e7b3a43c4..dc878291e 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te
@@ -97,3 +97,4 @@ allow input_user_host dev_bus_usb_file:file { open read};
 allow input_user_host dev_bus_usb_file:lnk_file { read };
 allow input_user_host hidraw_device_file:chr_file { open read write ioctl };
 allowxperm input_user_host hidraw_device_file:chr_file ioctl { 0x4801-0x480C };
+allow input_user_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
index d60855372..98b1094eb 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
@@ -135,3 +135,6 @@ allow intell_voice_host tty_device:chr_file { read write };
 debug_only(`
 allow intell_voice_host su:binder { transfer };
 ')
+
+allow intell_voice_host dev_console_file:chr_file { read write };
+allow intell_voice_host persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te b/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
index 0028dcecf..488759e2b 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
@@ -85,3 +85,5 @@ allowxperm power_host data_power:file ioctl { 0x660b 0xf520 };
 allowxperm power_host data_log:file ioctl { 0x5413 };
 allowxperm power_host data_service_el0_file:file ioctl { 0x5413 };
 allowxperm power_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
+allow power_host dev_console_file:chr_file { read write };
+allow power_host chip_prod_file:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
index 5e9afd2c6..82a9c101b 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
@@ -63,3 +63,5 @@ allow pin_auth_host vendor_etc_file:dir { search };
 allow pin_auth_host vendor_etc_file:file { getattr open read };
 allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 };
 allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
+
+allow pin_auth_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te b/sepolicy/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te
index ac8f1c269..acb6e8870 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te
@@ -182,3 +182,4 @@ debug_only(`
 # avc: denied { sendto } for pid=3621, comm="/vendor/bin/hdf_devhost" scontext=u:r:wifi_host:s0 tcontext=u:r:hiview:s0 tclass=unix_dgram_socket permissive=0
 allow wifi_host wifi_host:unix_dgram_socket { setopt };
 allow wifi_host hiview:unix_dgram_socket { sendto };
+allow wifi_host wifi_host:capability { dac_override };
diff --git a/sepolicy/ohos_policy/dsoftbus/system/softbus_server.te b/sepolicy/ohos_policy/dsoftbus/system/softbus_server.te
index f41cbc9ac..54956b9d1 100644
--- a/sepolicy/ohos_policy/dsoftbus/system/softbus_server.te
+++ b/sepolicy/ohos_policy/dsoftbus/system/softbus_server.te
@@ -118,7 +118,7 @@ allow softbus_server distributeddata:binder { transfer };
 allow softbus_server sa_foundation_appms:samgr_class { get };
 #avc: denied { setattr } for pid=4233 comm="IPC_1_4241" name="gen_natural_store.db" dev="sdd78" ino=56915 scontext=u:r:softbus_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-allow softbus_server data_service_el1_file:file { map setattr };
+allow softbus_server data_service_el1_file:file { map setattr lock getattr };
 #avc: denied { getattr } for pid=1032 comm="IPC_2_1941" path="/data/service/el1/public/database/dsoftbus/kvdb/4cee433d3b0a6fca315f8eff4d59b13eaa177772d85bde578b7bf9fe1ea3a4dc/single_ver/main" dev="sdd78" ino=5376 scontext=u:r:softbus_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
 allow softbus_server data_service_el1_file:dir { create getattr };
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
index 10cbfcb75..5c05d0cbf 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
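Review bot: `allow wifi_host wifi_host:capability { dac_override };` hands the WLAN HDF host the capability to bypass discretionary file permissions on anything its type enforcement already lets it reach, which is the grant SELinux policies try hardest to avoid and which carries no comment here. The hunk heading points at a `debug_only(` block; if the new line falls inside it the exposure is limited to debug builds, but that should be made explicit rather than left to line position, and a production need is better met by fixing the owner/group or label of the one path wifi_host fails on. At minimum record the `#avc: denied { dac_override }` line that motivated it, as the sendto rule two lines above does.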
@@ -72,3 +72,11 @@ allow backup_sa data_log:file { create getattr open read append };
 allow backup_sa distributeddata:binder { call };
 allow backup_sa distributeddata:fd { use };
 allow backup_sa inputmethod_service:binder { call };
+
+allow backup_sa persist_sys_param:file { read open map };
+allow backup_sa persist_sys_param:file { open };
+allow backup_sa persist_sys_param:file { map };
+allow backup_sa sys_param:file { read open map };
+allow backup_sa sys_param:file { open };
+allow backup_sa sys_param:file { map };
+
diff --git a/sepolicy/ohos_policy/filemanagement/file_api/system/hap_domain.te b/sepolicy/ohos_policy/filemanagement/file_api/system/hap_domain.te
index eb8bef08a..ccd190dc0 100644
--- a/sepolicy/ohos_policy/filemanagement/file_api/system/hap_domain.te
+++ b/sepolicy/ohos_policy/filemanagement/file_api/system/hap_domain.te
@@ -18,4 +18,4 @@ allow hap_domain hmdfs:dir { watch watch_reads create_dir_perms_without_ioctl };
 neverallow { hap_domain -medialibrary_hap } hmdfs:dir { ioctl };
 allow hap_domain hmdfs:file ioctl;
 allowxperm hap_domain hmdfs:file ioctl { 0xf207 };
-neverallowxperm hap_domain hmdfs:file ioctl ~{ 0xf207 0x5413 };
+neverallowxperm hap_domain hmdfs:file ioctl ~{ 0xf205 0xf207 0x5413 };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
index 97df98703..2a4f90c1f 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
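Review bot: Four of the six new backup_sa lines are redundant: `allow backup_sa persist_sys_param:file { read open map };` already grants `open` and `map`, so the separate `{ open }` and `{ map }` rules for persist_sys_param, and likewise for sys_param, add nothing. Keep the two three-permission lines and drop the rest, and drop the empty `+` at the end of the hunk that leaves the file with a trailing blank line (the concurrent_task_service, ressched_executor and asset_service hunks later in the patch add the same trailing blank).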
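Review bot: Widening the exception set in `neverallowxperm hap_domain hmdfs:file ioctl ~{ 0xf205 0xf207 0x5413 };` relaxes the guard for every application domain at once, while the `allowxperm hap_domain hmdfs:file ioctl { 0xf207 };` two lines above is left unchanged, so nothing in this file actually grants 0xf205; the only effect is that any other .te file can now grant that ioctl to any hap domain without the neverallow catching it. If one specific domain needs 0xf205, exclude only that domain (the `neverallow { hap_domain -medialibrary_hap } hmdfs:dir { ioctl };` line above shows the pattern) or add the allowxperm beside it with a comment naming the ioctl, so the neverallow keeps documenting the intended ceiling.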
@@ -268,6 +268,7 @@ allow storage_daemon system_core_hap_attr:lnk_file { read };
 #avc: denied { read } for pid=254 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=netlink_kobject_uevent_socket permissive=1
 allow storage_daemon storage_daemon:netlink_kobject_uevent_socket { read };
+allow storage_daemon storage_daemon:unix_dgram_socket { getopt setopt };
 #conflict
 #avc: denied { dac_read_search } for pid=241 comm="storage_daemon" capability=2 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=capability permissive=1
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/public/hilog.te b/sepolicy/ohos_policy/hiviewdfx/hilog/public/hilog.te
new file mode 100755
index 000000000..5d03c692a
--- /dev/null
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/public/hilog.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,n
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type hilog, native_system_domain, domain;
+type hilog_private_param, parameter_attr;
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te b/sepolicy/ohos_policy/hiview dfx/hilog/system/hilog.te
index c4fce20a2..908478b83 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te
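Review bot: The license header in the new public/hilog.te has a typo on its ninth line, `BASIS,n` where the standard text reads `BASIS,`; these headers are normally pasted verbatim and the stray character will show up in every license-text check. The copyright range `2021-2023` should also be checked against when this file was actually created. The two `type` declarations themselves are fine, but note that the companion change in system/hilog.te comments out the old declarations instead of deleting them, leaving two copies for a reader to reconcile.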
@@ -14,8 +14,8 @@
 ##################
 ## Type define: ##
 ##################
-type hilog, native_system_domain, domain;
-type hilog_private_param, parameter_attr;
+# type hilog, native_system_domain, domain;
+# type hilog_private_param, parameter_attr;
 debug_only(`
 allow hilog hilog_private_param:parameter_service { set };
@@ -32,4 +32,7 @@ allow hilog hilog_param:parameter_service { set };
 allow domain hilog_param:file { read map open };
 allow domain hilog_private_param:file { read map open };
+# allow hilog persist_param:file { read };
+# allow hilog hilog:capability { dac_override };
+
 neverallow ~{ hilog hilogd } hilog_private_param:parameter_service { set };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
index fb6a54738..826ac8b7d 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
@@ -40,6 +40,7 @@ allow hilogd data_file:dir { search };
 allow hilogd data_log:dir { getattr open read search };
 allow hilogd cgroup:dir { search };
+allow hilogd cgroup:file { write open };
 allow hilogd data_init_agent:dir { add_name search write };
 allow hilogd data_init_agent:file { create ioctl open read append };
@@ -100,6 +101,7 @@ neverallow {
 -hdcd # write is covered next
 updater_only(`-updater')
 updater_only(`-hiview_light')
+ -system_core_hap
 } data_hilogd_file:file { rw_file_perms };
 # shell can read but cannot write hilogd files
diff --git a/sepolicy/ohos_policy/hiviewdfx/hiview/system/init.te b/sepolicy/ohos_policy/hiviewdfx/hiview/system/init.te
index fa62562cb..c8fd29fc0 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hiview/system/init.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hiview/system/init.te
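Review bot: Both hunks in system/hilog.te leave commented-out policy behind instead of removing it: `# type hilog, native_system_domain, domain;` and `# type hilog_private_param, parameter_attr;` (now declared in public/hilog.te), and the newly added `# allow hilog persist_param:file { read };` and `# allow hilog hilog:capability { dac_override };`. Dead rules in a .te file invite a one-character re-enable later, and a dormant dac_override line is the last thing a reviewer wants to find next to a live rule; delete all four and, if the capability was needed during bring-up, say so in the commit message where history keeps it.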
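Review bot: Adding ` -system_core_hap` to the `neverallow { ... } data_hilogd_file:file { rw_file_perms };` exclusion list (the list starts above the hunk) exempts the whole system_core_hap domain from the guard on hilogd's files, yet no allow rule for system_core_hap on data_hilogd_file appears in this hunk or anywhere else in the patch. Either the allow lives in another file and should be named in a trailing comment, as `-hdcd # write is covered next` does, or the exclusion is speculative and should wait until the consumer exists. The earlier hilogd hunk's `allow hilogd cgroup:file { write open };` likewise lacks the `#avc: denied` comment that would say which cgroup knob the log daemon writes.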
@@ -12,7 +12,7 @@
 # limitations under the License.
 #avc: denied { setattr } for pid=1 comm="init" name="bbox" dev="tmpfs" ino=198 scontext=u:r:init:s0 tcontext=u:object_r:dev_bbox:s0 tclass=chr_file permissive=0
-allow init dev_bbox:chr_file { setattr ioctl };
+allow init dev_bbox:chr_file { setattr ioctl write open };
 #avc: denied { write } for pid=4175 comm="init" name="hiview" dev="mmcblk0p11" ino=18 scontext=u:r:init:s0 tcontext=u:object_r:hiview_file:s0 tclass=dir permissive=0
 #avc: denied { add_name } for pid=1594 comm="init" name="temp" scontext=u:r:init:s0 tcontext=u:object_r:hiview_file:s0 tclass=dir permissive=0
diff --git a/sepolicy/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te b/sepolicy/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te
index 2a367cee9..738fd34b0 100644
--- a/sepolicy/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te
+++ b/sepolicy/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te
@@ -33,3 +33,5 @@ allow input_isolate_hap data_app_el1_arkprofile:dir { search };
 allow input_isolate_hap hisysevent_socket:sock_file { write };
 allow input_isolate_hap hilog_input_socket:sock_file { write };
+binder_call(input_isolate_hap, cast_engine_service);
+binder_call(cast_engine_service, input_isolate_hap);
diff --git a/sepolicy/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te b/sepolicy/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te
index 05d723270..c94725fdb 100644
--- a/sepolicy/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te
+++ b/sepolicy/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te
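Review bot: `allow init dev_bbox:chr_file { setattr ioctl write open };` grows the rule while the `#avc: denied { setattr }` comment directly above it still accounts only for setattr, so the new `write open` on the bbox device is unexplained. Add the denial lines for write and open, or a one-line reason, so the comment and the rule agree again; the file already keeps one avc line per permission for the hiview_file rules below.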
@@ -23,6 +23,7 @@ allow inputmethod_service inputmethod_service:unix_dgram_socket { getopt setopt
 allow inputmethod_service kernel:unix_stream_socket { connectto };
 allow inputmethod_service paramservice_socket:sock_file { write };
 allow inputmethod_service sa_subsys_ace_service:samgr_class { get };
+allow inputmethod_service sa_inputmethod_service:samgr_class { get };
 allow inputmethod_service pasteboard_service:binder { call transfer };
 allow inputmethod_service inputmethod_param:parameter_service { set };
 allow domain inputmethod_param:file { map open read };
diff --git a/sepolicy/ohos_policy/multimedia/audio/public/type.te b/sepolicy/ohos_policy/multimedia/audio/public/type.te
index bb260e19f..52e3ed1da 100644
--- a/sepolicy/ohos_policy/multimedia/audio/public/type.te
+++ b/sepolicy/ohos_policy/multimedia/audio/public/type.te
@@ -19,4 +19,4 @@ type audio_server_exec, exec_attr, file_attr, system_file_attr;
 type hdf_audio_hdi_service, hdf_service_attr;
 type hdf_audio_hdi_usb_service, hdf_service_attr;
 type hdf_audio_hdi_a2dp_service, hdf_service_attr;
-
+type hdf_audio_hdi_rcu_service, hdf_service_attr;
diff --git a/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te b/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
index 6fb3f4a5e..7cff09b93 100644
--- a/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
+++ b/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
@@ -109,6 +109,10 @@ allow audio_server hdf_audio_hdi_usb_service:hdf_devmgr_class { get };
 allow audio_server hdf_audio_hdi_a2dp_service:hdf_devmgr_class { get };
+allow audio_server hdf_audio_hdi_rcu_service:hdf_devmgr_class { get };
+
+allow audio_server hdf_audio_rcu_hdi_service:hdf_devmgr_class { get };
+
 allow audio_server hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { get };
 allow audio_server hdf_audio_manager_service:hdf_devmgr_class { get };
@@ -119,6 +123,8 @@ binder_call(audio_server, audio_host);
 binder_call(audio_server, a2dp_host);
+binder_call(audio_server, rcu_host);
+
 binder_call(audio_server, hdf_devmgr);
 # interact with others
diff --git a/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te b/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te
index 197062ae0..dd80c0729 100755
--- a/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te
+++ b/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te
@@ -138,3 +138,5 @@ allow av_codec_service foundation:binder { call };
 allow av_codec_service dev_kmsg_file:chr_file { open read write };
 allow av_codec_service tty_device:chr_file { open read write };
 allow av_codec_service sys_prod_file:dir { search };
+
+allow av_codec_service persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/multimedia/av_codec/system/init.te b/sepolicy/ohos_policy/multimedia/av_codec/system/init.te
index ba8fe5fde..38860a834 100644
--- a/sepolicy/ohos_policy/multimedia/av_codec/system/init.te
+++ b/sepolicy/ohos_policy/multimedia/av_codec/system/init.te
@@ -15,3 +15,4 @@
 # avc: denied { siginh } for pid=1651 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1
 # avc: denied { transition } for pid=1651 comm="init" path="/system/bin/sa_main" dev="mmcblk0p7" ino=343 scontext=u:r:init:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1
 allow init av_codec_service:process { rlimitinh siginh transition };
+allow init av_codec_service:file { write };
diff --git a/sepolicy/ohos_policy/multimedia/camera/system/camera_service.te b/sepolicy/ohos_policy/multimedia/camera/system/camera_service.te
index cfe1690cf..408fad5e8 100644
--- a/sepolicy/ohos_policy/multimedia/camera/system/camera_service.te
+++ b/sepolicy/ohos_policy/multimedia/camera/system/camera_service.te
@@ -74,7 +74,7 @@ allow camera_service sa_foundation_abilityms:samgr_class { get };
 #avc: denied { get } for service=501 pid=1448 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0
 allow camera_service sa_foundation_appms:samgr_class {get};
 allow camera_service distributeddata:binder { call };
-allow camera_service dev_kmsg_file:chr_file { write };
+allow camera_service dev_kmsg_file:chr_file { write open };
 allow camera_service tty_device:chr_file { read write };
 allow camera_service chip_prod_file:dir { search };
 allow camera_service normal_hap:fd { use };
diff --git a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te
index b4c75c58b..734039129 100644
--- a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te
+++ b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te
@@ -42,3 +42,5 @@ allow medialibrary_hap dev_fuse_file:chr_file { read write };
 allow medialibrary_hap ntfs:dir { watch watch_reads };
 allow medialibrary_hap exfat:dir { watch watch_reads };
 allow medialibrary_hap vfat:dir { watch_reads };
+
+allow medialibrary_hap sys_prod_file:dir { search };
diff --git a/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te b/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te
index 618320793..6c0bd1082 100644
--- a/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te
+++ b/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te
@@ -44,7 +44,7 @@ allow bgtaskmgr_service sa_work_schedule_service:samgr_class { add get };
 #avc: denied { search } for pid=1059, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_storage:s0 tclass=dir permissive=0
 allow bgtaskmgr_service data_storage:dir { search };
 #avc: denied { read } for pid=1059, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0
-allow bgtaskmgr_service persist_param:file { read };
+allow bgtaskmgr_service persist_param:file { read open map };
 #avc: denied { read write } for pid=53703, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
 allow bgtaskmgr_service tty_device:chr_file { read write };
 #avc: denied { write } for pid=53703, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0
@@ -181,3 +181,5 @@ binder_call(system_basic_hap_attr, bgtaskmgr_service);
 debug_only(`
 binder_call(bgtaskmgr_service, sh);
 ')
+
+allow bgtaskmgr_service dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te b/sepolicy/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te
index fd5412854..0629de057 100644
--- a/sepolicy/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te
+++ b/sepolicy/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te
@@ -48,3 +48,10 @@ allow concurrent_task_service persist_param:parameter_service { set };
 #cgroup
 allow concurrent_task_service cgroup:dir { search open read write };
 allow concurrent_task_service cgroup:file { open read write };
+
+allow concurrent_task_service dev_console_file:chr_file { read write };
+allow concurrent_task_service dev_kmsg_file:chr_file { write open };
+allow concurrent_task_service sysfs_devices_system_cpu:file { read open getattr };
+
+allow concurrent_task_service concurrent_task_service:unix_dgram_socket { getopt setopt };
+
diff --git a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te
index ad8bba149..bc6ac9984 100644
--- a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te
+++ b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te
@@ -31,7 +31,7 @@ allow resource_schedule_service data_service_el1_file:dir { add_name create geta
 allow resource_schedule_service data_service_el1_file:file { create getattr ioctl lock open read unlink write };
 # avc: denied { transfer } for pid=892, comm="/system/bin/sa_main" scountext=u:resource_schedule_service:s0 tcountext=u:r:distributeddata:s0 tclass=binder permissive=0
 # Before obtaining the application list, the rss service needs to call the DataShare interface to query the database information to check whether the user agrees to the authorization
-allow resource_schedule_service distributeddata:binder { transfer };
+allow resource_schedule_service distributeddata:binder { transfer call };
 allow resource_schedule_service vendor_bin_file:dir { search };
 allow resource_schedule_service vendor_file:dir { search };
 allow resource_schedule_service vendor_file:file { execute getattr map open read };
@@ -176,7 +176,7 @@ allow resource_schedule_service sys_prod_ressched_file:dir { search };
 allow resource_schedule_service sys_prod_ressched_file:file { getattr open read };
 #for os_account_manager binder
-allow resource_schedule_service accountmgr:binder { transfer };
+allow resource_schedule_service accountmgr:binder { transfer call };
 allow accountmgr resource_schedule_service:binder { call };
 #for devinfo param
diff --git a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te
index 42ee9c4f9..55e9f375b 100644
--- a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te
+++ b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te
@@ -52,3 +52,9 @@ allow resource_schedule_executor sysfs_devices_system_cpu:file { getattr open re
 allow resource_schedule_executor sysfs_devices_system_cpu:dir { open read search };
 allow resource_schedule_executor cgroup:dir { search };
 allow resource_schedule_executor cgroup:file { open read write };
+allow resource_schedule_executor vendor_etc_file:dir { search };
+allow resource_schedule_executor vendor_etc_file:file { open read getattr };
+
+allow resource_schedule_executor dev_console_file:chr_file { read write };
+allow resource_schedule_executor dev_kmsg_file:chr_file { write open };
+
diff --git a/sepolicy/ohos_policy/security/access_token/system/access_token.te b/sepolicy/ohos_policy/security/access_token/system/access_token.te
index 305a2082a..4fefb1f04 100644
--- a/sepolicy/ohos_policy/security/access_token/system/access_token.te
+++ b/sepolicy/ohos_policy/security/access_token/system/access_token.te
@@ -127,3 +127,6 @@ debug_only(`
 binder_call(accesstoken_service, sh);
 binder_call(accesstoken_service, su);
 ')
+
+allow accesstoken_service dev_console_file:chr_file { read write };
+allow accesstoken_service sysfs_devices_system_cpu:file { read open getattr };
diff --git a/sepolicy/ohos_policy/security/access_token/system/privacy.te b/sepolicy/ohos_policy/security/access_token/system/privacy.te
index 72dba9e3b..2d30078e3 100644
--- a/sepolicy/ohos_policy/security/access_token/system/privacy.te
+++ b/sepolicy/ohos_policy/security/access_token/system/privacy.te
@@ -95,3 +95,6 @@ debug_only(`
 binder_call(privacy_service, sh);
 binder_call(privacy_service, su);
 ')
+
+allow privacy_service sysfs_devices_system_cpu:file { read open getattr };
+allow privacy_service privacy_service:unix_dgram_socket { getopt setopt };
diff --git a/sepolicy/ohos_policy/security/asset/system/asset_service.te b/sepolicy/ohos_policy/security/asset/system/asset_service.te
index dff93779e..2038e05fa 100755
--- a/sepolicy/ohos_policy/security/asset/system/asset_service.te
+++ b/sepolicy/ohos_policy/security/asset/system/asset_service.te
@@ -48,3 +48,10 @@ binder_call(asset_service, accountmgr);
 binder_call(asset_service, foundation);
 binder_call(asset_service, accesstoken_service);
 binder_call(asset_service, huks_service);
+
+allow asset_service asset_service:unix_dgram_socket { getopt setopt };
+
+allow asset_service dev_console_file:chr_file { read write };
+allow asset_service persist_param:file { read open map };
+allow asset_service sysfs_devices_system_cpu:file { read open getattr };
+
diff --git a/sepolicy/ohos_policy/security/code_signature/system/key_enable.te b/sepolicy/ohos_policy/security/code_signature/system/key_enable.te
index 90f3427f7..0dfbccc0c 100644
--- a/sepolicy/ohos_policy/security/code_signature/system/key_enable.te
+++ b/sepolicy/ohos_policy/security/code_signature/system/key_enable.te
@@ -93,3 +93,6 @@ allow key_enable sa_screenlock_service:samgr_class {get};
 allow key_enable proc_cmdline_file:file { open read };
 neverallow { sh normal_hap_attr } key_enable_exec:file never_execute_file;
+allow key_enable dev_console_file:chr_file { read write };
+
+allow key_enable persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/security/code_signature/system/su.te b/sepolicy/ohos_policy/security/code_signature/system/su.te
index 01a3e2343..287a69555 100644
--- a/sepolicy/ohos_policy/security/code_signature/system/su.te
+++ b/sepolicy/ohos_policy/security/code_signature/system/su.te
@@ -14,3 +14,4 @@ debug_only(`
 allow su self:xpm { exec_no_sign exec_anon_mem };
 ')
+
diff --git a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
index 9a2319432..12c5b6475 100644
--- a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
+++ b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
@@ -92,6 +92,9 @@ allow dlp_permission_service data_service_el1_file:dir { getattr search add_name
 # avc: denied { setattr } for pid=2334 comm="IPC_13_2590" name="retention_sandbox_info.json" dev="sdd78" ino=2807 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
 allow dlp_permission_service data_service_el1_file:file { getattr ioctl open write create read setattr unlink lock map };
+allow dlp_permission_service data_service_el1_file:file { ioctl };
+allowxperm dlp_permission_service data_service_el1_file:file ioctl { 0xf546 };
+
 # avc: denied { get } for service=3901 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1
 allow dlp_permission_service sa_foundation_cesfwk_service:samgr_class { get };
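Review bot: `+allow dlp_permission_service data_service_el1_file:file { ioctl };` in the dlp_permission_service hunk is redundant: the context line directly above it already grants `ioctl` on that class, so only the `allowxperm dlp_permission_service data_service_el1_file:file ioctl { 0xf546 };` line is new. The same pair is added to security_guard.te in the next hunk, where the existing `allowxperm ... ioctl { 0xf50c }` presupposes that ioctl is already allowed on the class, although the truncated hunk header does not show the base rule. Dropping the duplicate `allow` keeps one rule per class with the xperm beside it, and a one-line comment naming the request behind 0xf546 would make the grant auditable later.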
@@ -120,3 +123,7 @@ allow dlp_permission_service { vendor_etc_file sys_prod_file chip_prod_file }:di
 allow dlp_permission_service sa_distributeddata_service:samgr_class { get };
 binder_call(dlp_permission_service, distributeddata);
+
+allow dlp_permission_service persist_param:file { read open map };
+
+allow dlp_permission_service dlp_permission_service:unix_dgram_socket { getopt setopt };
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
index 6867eb3d0..94284e8e9 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
@@ -26,6 +26,8 @@ allow security_guard data_service_el1_file:file { lock read getattr write map op
 allowxperm security_guard data_service_el1_file:file ioctl { 0xf50c };
 allow security_guard data_service_el1_file:dir { read search open getattr add_name create write remove_name};
+allow security_guard data_service_el1_file:file { ioctl };
+allowxperm security_guard data_service_el1_file:file ioctl { 0xf546 };
 allow security_guard data_file:dir { search };
@@ -87,3 +89,9 @@ allow security_guard normal_hap_attr:fd { use };
 # avc: denied { read } for pid=2037 comm="OS_FFRT_2_1" path="/data/storage/el2/base/files/text.json" dev="mmcblk0p15" ino=2627 scontext=u:r:security_guard:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=1
 allow security_guard normal_hap_data_file:file { read };
+allow security_guard dev_console_file:chr_file { read write };
+allow security_guard persist_param:file { read open map };
+
+allow security_guard sysfs_devices_system_cpu:file { read open getattr };
+allow security_guard security_guard:unix_dgram_socket { getopt setopt };
+
diff --git a/sepolicy/ohos_policy/sharing_service/system/sharing_service.te b/sepolicy/ohos_policy/sharing_service/system/sharing_service.te
index 05df11ac0..2a7c77a67 100644
--- a/sepolicy/ohos_policy/sharing_service/system/sharing_service.te
+++ b/sepolicy/ohos_policy/sharing_service/system/sharing_service.te
@@ -79,6 +79,9 @@ allow sharing_service render_service:binder { call };
 allow sharing_service render_service:fd { use };
 allow sharing_service composer_host:fd { use };
 allow sharing_service sa_render_service:samgr_class { get };
+allow sharing_service cast_engine_service:binder { transfer };
+allow sharing_service cast_engine_service:binder { call };
+allow sharing_service media_monitor:binder { call };
 allow sharing_service render_service:binder { transfer };
 allow render_service sharing_service:binder { call };
 allow render_service sharing_service:binder { transfer };
@@ -96,3 +99,9 @@ allow sharing_service sa_accountmgr:samgr_class { get };
 allow sharing_service sa_distributeddata_service:samgr_class { get };
 allow sharing_service distributeddata:binder { call };
 allow sharing_service accountmgr:binder { call };
+
+allow sharing_service sys_prod_file:dir { search };
+allow sharing_service vendor_etc_file:dir { search };
+allow sharing_service system_usr_file:dir { search };
+allow sharing_service system_usr_file:file { getattr read open map };
+
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index 511615b7c..069f43560 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
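Review bot: The two added cast_engine_service binder rules in the first sharing_service hunk split one grant over two lines; `allow sharing_service cast_engine_service:binder { call transfer };` says the same in one, and the `binder_call(...)` macro used elsewhere in this patch is the repository's usual way to express a binder client relationship. `allow sharing_service media_monitor:binder { call };` here and the `{ transfer call }` widenings in resource_schedule_service.te above carry no `#avc: denied` comment, unlike the rules around them, so the reader cannot tell which call path needed them.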
@@ -256,3 +256,12 @@ allow appspawn { sharefs tmpfs }:filesystem { unmount };
 allow appspawn foundation:fd { use };
 #avc: denied { write } for pid=51347, comm="/system/bin/appspawn" path="pipe:[8763]" dev="tmpfs" ino=8763 scontext=u:r:appspawn:s0 tcontext=u:r:foundation:s0 tclass=fifo_file permissive=1
 allow appspawn foundation:fifo_file { write };
+
+allow appspawn dev_file:dir { write add_name create };
+
+allow appspawn data_data_file:dir { search };
+allow appspawn data_service_el0_file:dir { mounton };
+
+allow appspawn dev_file:dir { remove_name rmdir };
+
+allow appspawn appspawn:capability { fsetid };
diff --git a/sepolicy/ohos_policy/startup/init/public/chipset_init.te b/sepolicy/ohos_policy/startup/init/public/chipset_init.te
index 67f68d176..e16c8efb6 100644
--- a/sepolicy/ohos_policy/startup/init/public/chipset_init.te
+++ b/sepolicy/ohos_policy/startup/init/public/chipset_init.te
@@ -18,6 +18,7 @@ allow domain chipset_init:fd use;
 allow init init:process { setcurrent };
 allow init chipset_init:process { setcurrent dyntransition };
+allow init chipset_init:file { write };
 allow chipset_init chipset_init:process { setexec setsockcreate };
 allow chipset_init composer_host:process { rlimitinh siginh transition };
 allow chipset_init allocator_host:process { rlimitinh siginh transition };
@@ -46,6 +47,9 @@ allow chipset_init dev_char_file:dir { getattr open read relabelto setattr };
 allow chipset_init dev_console_file:chr_file { getattr ioctl open read write };
 allow chipset_init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write };
 allow chipset_init dev_file:lnk_file { create };
+allow chipset_init dev_file:chr_file { setattr };
+allow chipset_init dev_file:file { write };
+allow chipset_init dev_file:file { open create };
 allow chipset_init dev_fscklogs_file:dir { open read relabelto search setattr };
 allow chipset_init dev_fuse_file:chr_file { setattr };
 allow chipset_init dev_graphics_file:chr_file { setattr };
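Review bot: `allow appspawn appspawn:capability { fsetid };` and `allow appspawn data_service_el0_file:dir { mounton };` in the appspawn hunk widen the privileges of the process that forks every application, yet none of the new rules carries the `#avc: denied` comment that the lines above them use to say which operation needs the grant. For a capability or a mount-on right a one-line comment naming the syscall or path is the minimum. The two `dev_file:dir` rules can be merged into `allow appspawn dev_file:dir { write add_name create remove_name rmdir };`, and creating entries under the generic `dev_file` label means whatever appspawn creates in /dev keeps the catch-all type; the same applies to the `dev_file:file { write }` / `{ open create }` pair added for chipset_init in the third hunk, which should also be one rule and ideally target a dedicated type for the files being created.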
@@ -80,6 +84,8 @@ allow chipset_init { user_auth_host pin_auth_host fingerprint_auth_host face_aut
 allow chipset_init { light_host input_user_host wifi_host camera_host power_host audio_host }:process { rlimitinh siginh transition };
 allow chipset_init { usb_host blue_host partitionslot_host location_host dcamera_host a2dp_host daudio_host sample_host intell_voice_host }:process { rlimitinh siginh transition };
+allow chipset_init { usb_host blue_host partitionslot_host location_host dcamera_host rcu_host daudio_host sample_host intell_voice_host }:process { rlimitinh siginh transition };
+
 #for init.usb.configfs.cfg
 allow chipset_init configfs:dir { add_name create mounton open read search setattr write remove_name rmdir };
 allow chipset_init configfs:lnk_file { create unlink };
@@ -116,3 +122,9 @@ allow chipset_init clearplay_host:process { rlimitinh siginh transition };
 # avc: denied { open } for pid=638 comm="/bin/init" path="/sys/devices/virtual/gadget_usb/gadget0/f_rndis/wceis" dev="" ino=9426 scontext=u:r:chipset_init:s0 tcontext=u:r:object_r:sysfs_gadget_usb:s0 tclass=file permissive=1
 allow chipset_init sysfs_gadget_usb:file { open };
+allow chipset_init rcu_host:process { transition };
+
+allow chipset_init cgroup:dir { search };
+
+allow chipset_init cgroup:file { write open ioctl getattr };
+allowxperm chipset_init cgroup:file ioctl { 0x5413 };
diff --git a/sepolicy/ohos_policy/startup/init/public/parameter.te b/sepolicy/ohos_policy/startup/init/public/parameter.te
index 46a370d4a..aa4213ada 100644
--- a/sepolicy/ohos_policy/startup/init/public/parameter.te
+++ b/sepolicy/ohos_policy/startup/init/public/parameter.te
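Review bot: The added `allow chipset_init { usb_host blue_host ... rcu_host ... }:process { rlimitinh siginh transition };` in the first hunk is a copy of the line it follows with rcu_host inserted, while the original line is kept, so the two rules now overlap on eight of nine domains. Edit the existing rule in place instead; that also makes `allow chipset_init rcu_host:process { transition };` in the second hunk redundant, since `transition` is already in that permission set. Neither rcu_host rule says what the new host is or cites the denial behind it, so a short comment would help the next reviewer.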
@@ -34,7 +34,7 @@ typeattribute resource_schedule_service devinfo_type_allow_attr;
 typeattribute telephony_sa devinfo_type_allow_attr;
 typeattribute wifi_manager_service devinfo_type_allow_attr;
-neverallow {sadomain -devinfo_type_allow_attr} devinfo_type_param:file {open read map};
+neverallow {sadomain -devinfo_type_allow_attr -bootanimation } devinfo_type_param:file {open read map};
 allow {domain -sadomain } devinfo_type_param:file {open read map};
 allow devinfo_type_allow_attr devinfo_type_param:file {open read map};
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
index e8e2fbe35..b5f9cf184 100644
--- a/sepolicy/ohos_policy/startup/init/system/init.te
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
@@ -29,8 +29,9 @@ allow init hisysevent_socket:sock_file { unlink setattr };
 allow init system_core_hap_attr:file { read open };
 allow init system_core_hap_attr:dir { search };
 allow init system_core_hap_attr:process { getattr };
-allow init system_lib_file:dir { open read };
-
+allow init system_lib_file:dir { open read getattr mounton };
+allow init system_lib_file:file { mounton };
+allow init system_lib_file:system { module_load };
 allow init accessibility_param:file { map open read relabelto relabelfrom };
 allow init const_postinstall_param:file { map open read relabelto relabelfrom };
 allow init hilog_param:file { map open read relabelto relabelfrom };
@@ -130,6 +131,7 @@ debug_only(`
 ')
 allow init a2dp_host:process { rlimitinh siginh sigkill transition };
+allow init rcu_host:process { rlimitinh siginh sigkill transition };
 allow init accessibility:process { rlimitinh siginh transition };
 allow init accesstoken_data_file:file { getattr open read write relabelto setattr lock };
 allow init accesstoken_service:process { rlimitinh siginh transition };
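Review bot: `neverallow {sadomain -devinfo_type_allow_attr -bootanimation } devinfo_type_param:file {open read map};` carves bootanimation out of the neverallow by name, while the context lines above show the file's own mechanism for this: `typeattribute <domain> devinfo_type_allow_attr;`, which both lifts the neverallow and grants the access through `allow devinfo_type_allow_attr devinfo_type_param:file {open read map};`. The carve-out only silences the compile-time check and grants nothing by itself, so either the matching allow lives in another file or the read still fails at runtime. `typeattribute bootanimation devinfo_type_allow_attr;` next to the other typeattribute lines keeps the allow-list in one place.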
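Review bot: `allow init system_lib_file:system { module_load };` in the init.te hunk lets init load kernel modules from anything labelled `system_lib_file`, which from the neighbouring `system_lib_file:dir` and `:file` rules appears to be the general system library tree rather than a dedicated module directory. Module loading is about the broadest kernel-level privilege a policy can grant, so it is worth scoping it to a distinct type for the module files and recording, in a comment on this line, which modules init loads and that signature verification is enforced for them. The `system_lib_file:file { mounton }` and `dir { ... mounton }` additions in the same hunk likewise lack the `#avc: denied` comment used elsewhere in this file.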
@@ -240,8 +242,11 @@ allow init data_system_ce:dir { getattr open read relabelto setattr };
 allow init data_system_de:dir { getattr open read relabelto setattr };
 allow init data_system:dir { add_name create getattr open read relabelto search setattr write };
 allow init data_udev:dir { getattr open read relabelto search setattr };
-allow init data_updater_file:dir { getattr open read relabelto search setattr };
+allow init data_updater_file:dir { getattr open read relabelto search setattr write };
 allow init data_updater_file:file { relabelto create getattr map open read rename setattr unlink write append };
+allow init data_updater_file:file { ioctl };
+allowxperm init data_updater_file:file ioctl { 0x5413 };
+
 allow init data_user_de:dir { getattr open read relabelto setattr };
 allow init data_user:dir { add_name getattr open read relabelto search setattr write };
 allow init data_user:lnk_file { create };
@@ -251,7 +256,7 @@ allow init data_vendor:dir { add_name create getattr open read relabelto search
 allow init d-bms:process { rlimitinh siginh sigkill transition };
 allow init dcamera_host:process { rlimitinh siginh sigkill transition };
 allow init dcamera:process { rlimitinh siginh transition };
-allow init debugfs:dir { mounton };
+allow init debugfs:dir { mounton setattr };
 allow init debugfs:filesystem { mount };
 allow init debugfs_usb:dir { search };
 allow init debug_param:file { map open read relabelto };
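Review bot: `allowxperm init data_updater_file:file ioctl { 0x5413 };` grants an ioctl on a regular data file whose value is not explained; 0x5413 is the Linux `TIOCGWINSZ` request on the common ABIs, which is what an `isatty()`-style probe issues against any descriptor. If that is the origin, the denial is harmless (the probe reports "not a tty" either way) and the `ioctl` plus `allowxperm` pair can be dropped rather than granted; if it is something else, a comment naming the request is needed. The same value is granted to chipset_init on `cgroup:file` in the hunk above, so the two should be resolved together.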
@@ -261,10 +266,11 @@ allow init dev_binder_file:chr_file { relabelto };
 allow init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write };
 allow init dev_block_file:dir { open read relabelto search };
 allow init dev_block_file:lnk_file { read relabelto };
-allow init dev_block_volfile:dir { open read relabelto search };
+allow init dev_block_volfile:dir { open read relabelto search write add_name };
+allow init dev_block_volfile:lnk_file { create };
 allow init dev_char_file:dir { getattr open read relabelto setattr };
 allow init dev_console_file:chr_file { getattr ioctl open read write };
-allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write };
+allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write setattr };
 allow init dev_file:lnk_file { create };
 allow init dev_fscklogs_file:dir { open read relabelto search setattr };
 allow init dev_fuse_file:chr_file { setattr };
@@ -309,6 +315,7 @@ allow init distributedsche:process { rlimitinh siginh transition };
 allow init download_server:process { rlimitinh siginh transition };
 allow init dscreen:process { rlimitinh siginh transition };
 allow init dslm_service:process { rlimitinh siginh transition };
+allow init dslm_service:file { write };
 allow init edm_sa:process { rlimitinh siginh transition };
 allow init faultloggerd_exec:file { execute getattr read open };
 allow init faultloggerd:process { rlimitinh siginh transition };
diff --git a/sepolicy/ohos_policy/startup/init/system/param_watcher.te b/sepolicy/ohos_policy/startup/init/system/param_watcher.te
index 0fd3ae5be..df25301b1 100644
--- a/sepolicy/ohos_policy/startup/init/system/param_watcher.te
+++ b/sepolicy/ohos_policy/startup/init/system/param_watcher.te
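Review bot: `allow init dslm_service:file { write };` in the second hunk, like `allow init chipset_init:file { write };` in chipset_init.te above, gives init write access to a `file` object whose type is a process domain, which presumably means an entry under that process's /proc directory rather than an ordinary file. Which entry is being written is the whole question for a rule like this, so a comment of the form `# init writes /proc/<pid>/<entry> of dslm_service` (with the real entry filled in from the denial) should accompany each of the two lines.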
@@ -113,3 +113,6 @@ debug_only(`
 allow param_watcher console:binder { call };
 allow param_watcher sh:binder { call };
 ')
+
+allow param_watcher sysfs_devices_system_cpu:file { read open getattr };
+allow param_watcher param_watcher:unix_dgram_socket { getopt };
diff --git a/sepolicy/ohos_policy/startup/init/system/ueventd.te b/sepolicy/ohos_policy/startup/init/system/ueventd.te
index 82d9b8efe..aa1b9eebb 100644
--- a/sepolicy/ohos_policy/startup/init/system/ueventd.te
+++ b/sepolicy/ohos_policy/startup/init/system/ueventd.te
@@ -56,8 +56,9 @@ allow ueventd dev_file:file { create read write open };
 allow ueventd dev_full:chr_file { relabelto };
 allow ueventd dev_fuse_file:chr_file { relabelto };
 allow ueventd dev_gpiochip:chr_file { relabelto };
-allow ueventd dev_graphics_file:chr_file { relabelto };
-allow ueventd dev_graphics_file:dir { getattr relabelto search };
+allow ueventd dev_graphics_file:chr_file { relabelto create setattr getattr };
+allow ueventd dev_graphics_file:dir { getattr relabelto search write add_name write };
+
 allow ueventd dev_hdf_audio_capture:chr_file { relabelto };
 allow ueventd dev_hdf_audio_codec_primary:chr_file { relabelto };
 allow ueventd dev_hdf_audio_codec_hdmi:chr_file { getattr open read write };
@@ -164,6 +165,10 @@ allow ueventd tty_device:chr_file { getattr relabelto setattr };
 allow ueventd ueventd:capability { chown fowner fsetid mknod setgid net_admin dac_override };
 allow ueventd ueventd:netlink_kobject_uevent_socket { create setopt bind read };
 allow ueventd vendor_etc_file:dir { search };
+allow ueventd vendor_etc_file:file { read open getattr };
+allow ueventd sysfs_switch:dir { read open };
+allow ueventd sysfs_switch:file { write read open };
+allow ueventd dev_kmsg_file:chr_file { relabelto };
 allow ueventd init:unix_dgram_socket { read write };
 allow ueventd paramservice_socket:sock_file { write };
 allow ueventd kernel:unix_stream_socket { connectto };
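Review bot: `allow ueventd dev_graphics_file:dir { getattr relabelto search write add_name write };` in the ueventd hunk lists `write` twice; the checker accepts it, but it reads as an unfinished edit and should be `{ getattr relabelto search write add_name }`. `allow ueventd sysfs_switch:file { write read open };` in the last hunk gives the device-node daemon write access to a sysfs class with no comment on which attribute it sets, which is the kind of line a future reader will not be able to justify or safely remove.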
@@ -192,4 +197,6 @@ allow ueventd tmpfs:blk_file { getattr relabelfrom setattr };
 # avc: denied { getattr } for pid=245 comm="ueventd" path="/dev/block/by-name/misc" dev="tmpfs" ino=37 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1
 allow ueventd updater_block_file:lnk_file { getattr };
+allow ueventd dev_snd_file:dir { relabelto search };
+allow ueventd dev_snd_file:chr_file { relabelto };
diff --git a/sepolicy/ohos_policy/startup/init/system/watchdog_service.te b/sepolicy/ohos_policy/startup/init/system/watchdog_service.te
index 55cb8b86f..36753c79e 100644
--- a/sepolicy/ohos_policy/startup/init/system/watchdog_service.te
+++ b/sepolicy/ohos_policy/startup/init/system/watchdog_service.te
@@ -17,3 +17,5 @@ allow watchdog_service dev_watchdog_file:chr_file { getattr ioctl open read writ
 allow watchdog_service watchdog_service_exec:file { entrypoint execute map read };
 allow watchdog_service dev_unix_socket:dir { search };
 allowxperm watchdog_service dev_watchdog_file:chr_file ioctl { 0x5705 0x5706 0x5707 };
+allow watchdog_service dev_console_file:chr_file { read write };
+allow watchdog_service persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
index f591987fd..2cf83f324 100644
--- a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
+++ b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
@@ -84,3 +84,9 @@ debug_only(`
 allow cadaemon sh:fd { use };
 ')
+allow cadaemon dev_console_file:chr_file { read write };
+
+allow cadaemon persist_param:file { read open map };
+allow cadaemon sysfs_devices_system_cpu:file { read open getattr };
+allow cadaemon cadaemon:unix_dgram_socket { getopt setopt };
+
diff --git a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
index 32d35dbb4..58457c280 100644
--- a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
+++ b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
@@ -53,3 +53,4 @@ debug_only(`
 allow teecd sh:file { read open getattr };
 ')
+allow teecd persist_param:file { read open map };
diff --git a/sepolicy/ohos_policy/update/updater/system/init.te b/sepolicy/ohos_policy/update/updater/system/init.te
index 74b4c9d05..252e1fda4 100644
--- a/sepolicy/ohos_policy/update/updater/system/init.te
+++ b/sepolicy/ohos_policy/update/updater/system/init.te
@@ -187,10 +187,17 @@ allow init dev_asanlog_file:dir { open };
 # avc: denied { getattr } for pid=591 comm="init" path="/dev/unix/socket/faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1
 # avc: denied { relabelto } for pid=591 comm="init" name="faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1
-allow init faultloggerd_socket_crash:sock_file { getattr relabelto };
+allow init faultloggerd_socket_crash:sock_file { getattr relabelto unlink };
 # avc: denied { setattr } for pid=271 comm="init" name="sysrq-trigger" dev="proc" ino=4026532372 scontext=u:r:init:s0 tcontext=u:object_r:proc_sysrq_trigger_file:s0 tclass=file permissive=1
 allow init proc_sysrq_trigger_file:file { setattr };
 # avc: denied { relabelto } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
 allow init updater_block_file:blk_file { relabelto };
+
+allow init dev_bbox:chr_file { write open };
+
+allow init unlabeled:chr_file { write };
+allow init sys_prod_file:dir { getattr read open };
+allow init sys_prod_file:file { getattr read open };
+
diff --git a/sepolicy/ohos_policy/update/updater/system/updater.te b/sepolicy/ohos_policy/update/updater/system/updater.te
index 3a7de713c..7ac220cc3 100644
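Review bot: `allow init unlabeled:chr_file { write };` in the updater init.te hunk grants access to a device node that has no label at all, and `unlabeled` is the type every object falls into when labelling fails, so the rule will match far more than the one node it was written for. The neighbouring `allow init dev_bbox:chr_file { write open };` shows the intended shape: give the node its own type in file_contexts and allow that type. The new `sys_prod_file` rules in the same hunk, like the rest of the additions here, carry none of the `# avc: denied` comments that precede every existing rule in this file.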
--- a/sepolicy/ohos_policy/update/updater/system/updater.te
+++ b/sepolicy/ohos_policy/update/updater/system/updater.te
@@ -357,7 +357,7 @@ allow updater dev_ptmx:chr_file { ioctl open };
 allowxperm updater dev_ptmx:chr_file ioctl { 0x5431 0x5430 };
 allow updater data_file:dir { add_name create };
-allow updater data_file:file { create getattr ioctl read write open setattr };
+allow updater data_file:file { create getattr ioctl read write open setattr unlink };
 allowxperm updater data_file:file ioctl { 0x5413 };
 # denied { map } for pid=246 comm="updater" path="/data/update/ota_package/firmware/versions/updater_diff.zip" dev="mmcblk0p12" ino=1409 scontext=u:r:updater:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1
diff --git a/sepolicy/ohos_policy/update/updater/system/updater_binary.te b/sepolicy/ohos_policy/update/updater/system/updater_binary.te
index c53158539..83e0e8ba4 100644
--- a/sepolicy/ohos_policy/update/updater/system/updater_binary.te
+++ b/sepolicy/ohos_policy/update/updater/system/updater_binary.te
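Review bot: `allow updater data_file:file { create getattr ioctl read write open setattr unlink };` adds `unlink` on the generic `data_file` type, and the two updater_binary hunks that follow go further with `remove_name` on `data_file:dir` and `open unlink getattr` on `data_file:file`; the denial comments there all refer to `/data` itself, i.e. the fallback label of the partition, and none of them mentions a delete. Deletion under that label is hard to bound, while the comments just below those lines already reference a `data_updater_file` type that appears to cover the updater's own directory. Granting the new permissions on `data_updater_file` instead, and keeping `data_file` to what the recorded denials show, keeps the top-level label read-mostly.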
@@ -160,7 +160,7 @@ allow updater_binary kernel:fd { use };
 # avc: denied { create } for pid=271 comm="updater_binary" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
 # avc: denied { getattr } for pid=268 comm="updater_binary" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
 # avc: denied { write } for pid=266 comm="updater_binary" name="data" dev="rootfs" ino=2725 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
-allow updater_binary data_file:dir { search add_name create getattr write };
+allow updater_binary data_file:dir { search add_name create getattr write open read remove_name };
 #avc: denied { add_name } for pid=279 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
 #avc: denied { search } for pid=270 comm="updater_binary" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
@@ -239,7 +239,7 @@ allow updater_binary tmpfs:dir { read write add_name };
 # avc: denied { read } for pid=272 comm="updater_binary" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
 allow updater_binary debug_param:file { map open read };
-allow updater_binary data_file:file { setattr write create };
+allow updater_binary data_file:file { setattr write create open unlink getattr };
 allow updater_binary exfat:file { map };
 allow updater_binary ntfs:file { map };
diff --git a/sepolicy/ohos_policy/update/updater/system/write_updater.te b/sepolicy/ohos_policy/update/updater/system/write_updater.te
index be28a2727..1f6aa7c54 100644
--- a/sepolicy/ohos_policy/update/updater/system/write_updater.te
+++ b/sepolicy/ohos_policy/update/updater/system/write_updater.te
@@ -18,9 +18,10 @@ allow write_updater debug_param:file { map open read };
 # avc: denied { search } for pid=1449 comm="write_updater" name="by-name" dev="tmpfs" ino=12 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1
 allow write_updater dev_block_file:dir { search };
-
+allow write_updater dev_block_file:lnk_file { read };
 # avc: denied { search } for pid=1449 comm="write_updater" name="block" dev="tmpfs" ino=6 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
 allow write_updater dev_block_volfile:dir { search };
+allow write_updater dev_block_volfile:lnk_file { read };
 # avc: denied { read write } for pid=1449 comm="write_updater" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
 allow write_updater dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/update/updater_sa/system/time_service.te b/sepolicy/ohos_policy/update/updater_sa/system/time_service.te
index 30e861dbc..a35a9497e 100644
--- a/sepolicy/ohos_policy/update/updater_sa/system/time_service.te
+++ b/sepolicy/ohos_policy/update/updater_sa/system/time_service.te
@@ -13,4 +13,5 @@
 #avc: denied { call } for pid=472 comm="timer_loop" scontext=u:r:time_service:s0 tcontext=u:r:updater_sa:s0 tclass=binder permissive=0
 allow time_service updater_sa:binder { call };
+allow time_service updater_sa:file { getattr };
diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
index 5a1ddc7a4..d9d79732f 100644
--- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
+++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
@@ -131,3 +131,10 @@ allow usb_service normal_hap_attr:fd { use };
 allow usb_service paramservice_socket:sock_file { write };
 allow usb_service kernel:unix_stream_socket { connectto };
 allow usb_service usb_setting_param_attr:parameter_service { set };
+
+allow usb_service chip_prod_file:dir { search };
+allow usb_service sys_prod_file:dir { search };
+allow usb_service vendor_etc_file:dir { search };
+allow usb_service system_usr_file:dir { search getattr read open map };
+allow usb_service system_usr_file:file { getattr read open map };
+
diff --git a/sepolicy/ohos_policy/useriam/user_auth/system/useriam.te b/sepolicy/ohos_policy/useriam/user_auth/system/useriam.te
index 9f6de21ec..b11fbd5ba 100644
--- a/sepolicy/ohos_policy/useriam/user_auth/system/useriam.te
+++ b/sepolicy/ohos_policy/useriam/user_auth/system/useriam.te
@@ -78,6 +78,7 @@ binder_call(useriam, powermgr);
 allow useriam sa_powermgr_powermgr_service:samgr_class { get };
 allow useriam dev_mali:chr_file { getattr ioctl map open read write };
 allow useriam sysfs_devices_system_cpu:dir { read open };
+allow useriam sysfs_devices_system_cpu:file { read open getattr };
 allow useriam allocator_host:fd { use };
 allow useriam sa_foundation_abilityms:samgr_class { get };
diff --git a/sepolicy/ohos_policy/web/webview/system/normal_hap.te b/sepolicy/ohos_policy/web/webview/system/normal_hap.te
index 3ac782b3b..b230d7858 100644
--- a/sepolicy/ohos_policy/web/webview/system/normal_hap.te
+++ b/sepolicy/ohos_policy/web/webview/system/normal_hap.te
@@ -195,5 +195,5 @@ allow normal_hap_attr port:tcp_socket { name_bind };
 allow normal_hap arkweb_crashpad_handler_exec:file { execute open read execute_no_trans map };
-allowxperm normal_hap_attr dev_mali:chr_file ioctl { 0x800f };
+allowxperm normal_hap_attr dev_mali:chr_file ioctl { 0x800f 0x8503 };
-- Gitee From 0c1c3ffefc5d4cf68049657da5fc7c68d35cc276 Mon Sep 17 00:00:00 2001 
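Review bot: `0x8503` is added to the Mali ioctl allowlist for `normal_hap_attr`, i.e. every third-party application, with nothing recording which GPU command it is or which denial motivated it, whereas the updater files earlier in this series keep the `# avc: denied` line above each grant. Because this rule covers the whole `normal_hap_attr` attribute it has the widest audience in the policy, so a one-line comment copied from the real denial (`# avc: denied { ioctl } ... ioctlcmd=<value from the log> ...`) or naming the driver request would let a later reviewer confirm the command is a benign query rather than a privileged control. Until that is known the widening should be treated as unreviewed.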
From: 15091282640 Date: Thu, 14 Aug 2025 19:31:59 +0800 Subject: [PATCH 13/15] =?UTF-8?q?=E5=90=88=E5=85=A5=E9=83=A8=E5=88=86?= =?UTF-8?q?=E7=AD=96=E7=95=A5=EF=BC=8C=E7=BA=A2=E5=A4=96=E9=81=A5=E6=8E=A7?= =?UTF-8?q?=E6=8E=A7=E5=88=B6=E6=AD=A3=E5=B8=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- selinux.gni | 2 +- sepolicy/base/public/domain.te | 37 ++++++++---- sepolicy/base/public/init.te | 1 + sepolicy/base/public/system_core_hap.te | 3 + sepolicy/base/public/type.te | 2 + sepolicy/base/system/system_domain.te | 28 ++++----- sepolicy/base/te/accessibility.te | 1 + sepolicy/base/te/audio_server.te | 5 ++ sepolicy/base/te/bootanimation.te | 7 ++- sepolicy/base/te/console.te | 59 ++++++++++++++++++- sepolicy/base/te/deviceauth_service.te | 1 + sepolicy/base/te/dhardware.te | 2 +- sepolicy/base/te/distributedsche.te | 1 + sepolicy/base/te/faultloggerd.te | 1 + sepolicy/base/te/foundation.te | 13 ++++ sepolicy/base/te/hidumper.te | 8 +++ sepolicy/base/te/hidumper_service.te | 1 + sepolicy/base/te/hilogd.te | 1 + sepolicy/base/te/hiview.te | 5 ++ sepolicy/base/te/huks_service.te | 1 + sepolicy/base/te/inputmethod_service.te | 3 + sepolicy/base/te/installs.te | 3 + sepolicy/base/te/ir_user.te | 19 ++++++ sepolicy/base/te/kernel.te | 4 ++ sepolicy/base/te/media_service.te | 3 + sepolicy/base/te/msdp_sa.te | 2 + sepolicy/base/te/multimodalinput.te | 2 + sepolicy/base/te/netmanager.te | 1 + sepolicy/base/te/netsysnative.te | 2 + sepolicy/base/te/processdump.te | 9 +++ sepolicy/base/te/render_service.te | 8 ++- sepolicy/base/te/resource_schedule_service.te | 4 +- sepolicy/base/te/samgr.te | 1 + sepolicy/base/te/softbus_server.te | 8 ++- sepolicy/base/te/storage_daemon.te | 15 +++-- sepolicy/base/te/storage_manager.te | 6 +- sepolicy/base/te/su.te | 55 +++++++++++++++-- sepolicy/base/te/system_basic_hap.te | 6 +- sepolicy/base/te/time_service.te | 2 + sepolicy/base/te/ui_service.te | 5 +- sepolicy/base/te/updater_sa.te | 1 + 
sepolicy/base/te/wallpaper_service.te | 3 + sepolicy/base/te/wifi_hal_service.te | 1 + sepolicy/base/te/wifi_manager_service.te | 1 + .../sandbox_manager/system/sandbox_manager.te | 3 +- .../account/os_account/system/accountmgr.te | 1 + .../system/intell_voice_service.te | 4 +- .../app_domain_verify/system/init.te | 1 + .../bluetooth/system/blue_host.te | 1 + .../bluetooth/system/bluetooth_service.te | 2 + .../netmanager/system/netmanager.te | 2 +- .../system/distributeddata.te | 7 ++- .../device_manager/system/device_manager.te | 3 +- .../distributedsche/system/distributedsche.te | 4 +- .../system/hdf_ext_devmgr.te | 8 ++- .../external_device_manager/system/init.te | 1 + .../peripheral/audio/vendor/audio_host.te | 2 +- .../peripheral/codec/vendor/codec_host.te | 2 + .../display/vendor/allocator_host.te | 2 +- .../display/vendor/composer_host.te | 6 +- .../peripheral/light/vendor/light_host.te | 1 + .../peripheral/power/vendor/power_host.te | 2 + .../peripheral/sensor/vendor/sensor_host.te | 1 + .../drivers/peripheral/usb/vendor/usb_host.te | 2 + .../useriam/vendor/face_auth_host.te | 1 + .../useriam/vendor/fingerprint_auth_host.te | 2 + .../drivers/peripheral/useriam/vendor/init.te | 2 +- .../useriam/vendor/user_auth_host.te | 2 + .../vibrator/vendor/vibrator_host.te | 1 + .../system/app_file_service.te | 2 +- .../app_file_service/system/backup_sa.te | 4 +- .../app_file_service/system/init.te | 1 + .../storage_service/system/storage_daemon.te | 6 +- .../global/i18n/system/i18n_service.te | 3 + .../ohos_policy/global/i18n/system/init.te | 1 + .../hiviewdfx/hilog/system/hilogd.te | 3 +- .../multimedia/drm/system/drm_service.te | 2 +- .../powermgr/power_manager/public/powermgr.te | 2 + .../access_token/system/access_token.te | 5 ++ .../security/access_token/system/privacy.te | 6 +- .../security/asset/system/asset_service.te | 1 + .../ohos_policy/security/asset/system/init.te | 2 +- .../system/dlp_permission_service.te | 1 + .../dlp_permission_service/system/init.te | 
1 + .../system/el5_filekey_manager.te | 1 + .../security_guard/system/security_guard.te | 1 + .../startup/appspawn/system/appspawn.te | 2 + .../startup/init/public/chipset_init.te | 4 ++ .../startup/init/public/parameter.te | 2 +- .../ohos_policy/startup/init/system/init.te | 15 ++++- .../startup/init/system/param_watcher.te | 3 +- .../system/module_update_service.te | 4 ++ .../update/updater/system/write_updater.te | 5 ++ .../usb/usb_manager/system/usb_service.te | 4 +- sepolicy/whitelist/perm_group_whitelist.json | 3 + 95 files changed, 413 insertions(+), 77 deletions(-) create mode 100755 sepolicy/base/te/ir_user.te diff --git a/selinux.gni b/selinux.gni index 7af87e852..02aaae69e 100644 --- a/selinux.gni +++ b/selinux.gni @@ -31,5 +31,5 @@ declare_args() { } declare_args() { - selinux_adapter_enforce = true + selinux_adapter_enforce = false } diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te index 34b34920b..410c9f679 100644 --- a/sepolicy/base/public/domain.te +++ b/sepolicy/base/public/domain.te @@ -11,6 +11,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +type device_manager, sadomain, domain; +type backup_sa, sadomain, domain; +type privacy_service, sadomain, domain; allow domain init:process sigchld; allow init domain:process sigkill; 
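Review bot: `selinux_adapter_enforce` flips from `true` to `false` as the shared build default, which puts the whole policy into permissive mode: every allow rule in this patch and every neverallow exemption added to domain.te and system_domain.te below stops being enforced and denials are only logged. The commit message says the policies are merged so that infrared remote control works, but a permissive default hides whether those rules are actually sufficient, so the denial-driven fixes cannot be validated against this change. Keep `selinux_adapter_enforce = true` here and, if a permissive image is needed for bring-up, set the override in the product's own build args rather than in the default that every product inherits. The same concern applies to the runtime `setenforce` grant given to console near the end of this patch.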
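Review bot: Three domain types (`device_manager`, `backup_sa`, `privacy_service`) are declared in `public/domain.te`, while the other domains this patch introduces go into `public/type.te` next to the existing `type ..., sadomain, domain;` lines (the @@ -50 and @@ -118 hunks of that file). checkpolicy rejects a second `type` declaration of a name that already exists, and the diffstat lists `device_manager.te`, `backup_sa.te` and `privacy.te` among the touched files, so if any of those (or type.te) already declares these types the build fails; if none does, the declarations still belong in type.te for consistency. Either way, domain.te should stay a rules-only file.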
@@ -99,9 +102,9 @@ neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -rgm_vio #neverallow { domain -init -foundation } data_file:dir { write add_name remove_name }; # /data/local/tmp dir using for debug. -neverallow { domain developer_only(`-wukong -atm -snapshot_display -bm -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') -wifi_hal_service -su } data_local_tmp:dir never_write_dir; +neverallow { domain developer_only(`-wukong -atm -console -snapshot_display -bm -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') -wifi_hal_service -su -console } data_local_tmp:dir never_write_dir; -neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -wifi_hal_service -su } data_local_tmp:dir { open search }; +neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -wifi_hal_service -su -console } data_local_tmp:dir { open search }; # only samgr 
can be binder manager. neverallow { domain -samgr } *:binder set_context_mgr; @@ -179,14 +182,22 @@ neverallow { domain -composer_host } default_param:parameter_service *; neverallow domain default_service:samgr_class *; # Please set hdf_service label in hdf_service_contexts -neverallow domain default_hdf_service:hdf_devmgr_class *; +neverallow { domain -usb_host } default_hdf_service:hdf_devmgr_class *; # Please set secon field service's cfg file, don't use limit_domain! neverallow limit_domain *:file *; neverallow domain limit_domain:binder *; # every file should have a label. The unlabeled file shouldn't be accessed. -neverallow { domain -appspawn -init -kernel updater_only(`-updater') -unlabeled_dir_file_violators -rgm_violator_ohos_unlabeled_file -installs -storage_daemon -su } unlabeled:dir_file_class_set *; +neverallow { domain -appspawn -console -init -usb_host -distributedsche -foundation -faultloggerd -bootanimation -audio_server + -distributeddata -chipset_init -powermgr -power_host -bluetooth_service -wallpaper_service -sandbox_manager_service + -hiview -kernel updater_only(`-updater') -unlabeled_dir_file_violators -hilogd -wifi_manager_service + -huks_service -inputmethod_service -multimodalinput -netmanager -resource_schedule_service + -wifi_hal_service -intell_voice_service -hdf_ext_devmgr -backup_sa -usb_service -render_service + -accesstoken_service -privacy_service -security_guard -module_update_service + -user_auth_host -deviceauth_service -dhardware -media_service -netsysnative -time_service -updater_sa + -samgr -softbus_server -accountmgr -blue_host -asset_service -dlp_permission_service -device_manager + -rgm_violator_ohos_unlabeled_file -installs -storage_daemon -su } unlabeled:dir_file_class_set *; # keep selinuxfs safe. neverallow * kernel:security { load_policy setenforce setbool }; 
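Review bot: `-console` is subtracted twice from the same set in the first rewritten neverallow, once inside `developer_only(`... -console ...')` and again unconditionally after `-su`; the unconditional one takes effect, so the gated one is dead text, and console is permitted to write `data_local_tmp` in non-developer builds as well. If console is a debugging shell in the same class as the tools listed inside `developer_only`, keep only the gated form, `developer_only(`-wukong -atm -console -snapshot_display -bm -data_local_tmp_violator_dir -mediatool')`, and drop the trailing `-console`. The second neverallow in this hunk and the `-console` added to the `sh_exec:file execute` rule in the @@ -272 hunk should follow the same gating.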
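Review bot: The `unlabeled:dir_file_class_set` neverallow now exempts roughly forty service domains plus `-console`, and this series pairs it with `allow ... unlabeled:dir { search }` grants in audio_server.te, bootanimation.te and console.te, so the rule's stated purpose — `every file should have a label` — is effectively abandoned for the system half of the image. The fix for an `unlabeled` denial is a file_contexts entry for the path that produced it, not an exemption per consumer; once the path is labeled both the allow rules and the exemptions become unnecessary. The same applies to `neverallow { domain -usb_host } default_hdf_service:hdf_devmgr_class *;`, whose own comment says to set the label in hdf_service_contexts instead. If some exemptions must stay for bring-up, wrapping them in `debug_only(`...')` keeps the release policy intact.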
@@ -207,18 +218,18 @@ neverallow * self:process { execstack execheap }; # allow at /home/last/bb/h1/cc/out/rk3568/obj/base/security/selinux/ohos.cil:11230 # (allow riladapter_host dev_file (chr_file (ioctl read write open))) # -neverallow { domain -init -ueventd -riladapter_host debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file -blue_host -rcu_host -composer_host -system_basic_hap -allocator_host -render_service -audio_host -bootanimation -chipset_init } dev_file:{ file chr_file blk_file } *; +neverallow { domain -init -ueventd -su -riladapter_host -system_core_hap debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file -blue_host -rcu_host -composer_host -system_basic_hap -allocator_host -render_service -audio_host -bootanimation -chipset_init -ohos_ir_user -foundation -processdump } dev_file:{ file chr_file blk_file } *; #todo change file label for sock file #neverallow { domain -ueventd -riladapter_host } dev_file:sock_file *; neverallow { domain -kernel -init -chipset_init -misc -updater_sa -storage_daemon -partitionslot_host -updater -updater_binary -dev_attr_violator -sys_installer_sa -write_updater -rgm_violator_ohos_dev_blk_file -module_update_service } dev_attr:blk_file { open read write }; -neverallow { updater_sa sys_installer_sa write_updater } {dev_attr -updater_block_file}:blk_file { open read write }; +neverallow { updater_sa sys_installer_sa write_updater -write_updater } {dev_attr -updater_block_file}:blk_file { open read write }; neverallow { module_update_service } {dev_attr -dev_block_file}:blk_file { open read write }; # fs operation limit neverallow { domain -filesystem_violator } *:filesystem ~{ getattr mount remount unmount relabelfrom relabelto quotaget quotamod }; neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nativespawn_mount_filesystem_violator -netsysnative -rgm_violator_filesystem_mount -updater -module_update_service } *:filesystem mount; -neverallow { domain 
-init -appspawn -rgm_violator_ohos_filesystem_remount } *:filesystem remount; +neverallow { domain -init -appspawn -su -rgm_violator_ohos_filesystem_remount } *:filesystem remount; neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nwebspawn -nativespawn -updater -rgm_violator_ohos_filesystem_unmount -module_update_service } *:filesystem unmount; neverallow { domain -init -storage_daemon -rgm_violator_filesystem_relabelfrom -appspawn } *:filesystem relabelfrom; neverallow { domain -init -storage_daemon -appspawn } *:filesystem relabelto; @@ -272,11 +283,11 @@ neverallow { appspawn storage_daemon udevd resource_schedule_service ispserver } #ensure no write access to readonly filesystem. -neverallow { domain updater_only(`-init -updater_binary') -appspawn -updater } { rootfs system_file_attr vendor_file_attr }:dir never_write_dir; -neverallow { domain updater_only(`-init -updater_binary') -updater } { rootfs system_file_attr vendor_file_attr }:file never_write_file; +neverallow { domain updater_only(`-init -updater_binary') -appspawn -su -updater } { rootfs system_file_attr vendor_file_attr }:dir never_write_dir; +neverallow { domain updater_only(`-init -updater_binary') -updater -su } { rootfs system_file_attr vendor_file_attr }:file never_write_file; #limit domain access to sh_exec -neverallow { domain developer_only(`-wukong -aa -hdcd -sh -hnp -hnp_hap_domain_attr') -init -faultloggerd -riladapter_host -appspawn -su +neverallow { domain developer_only(`-wukong -aa -hdcd -sh -hnp -hnp_hap_domain_attr') -init -faultloggerd -riladapter_host -appspawn -su -console debug_only(`-hiprofiler_cmd -hiprofiler_plugins -hiprofilerd -native_daemon -camera_host -aa') -hidumper_service -SP_daemon -test_server -netsysnative -wifi_hal_service -sh_exec_violator -rgm_violator_ohos_sh_exec_file_execute -cupsd -print_driver} sh_exec:file execute; 
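Review bot: `neverallow { updater_sa sys_installer_sa write_updater -write_updater } ...` lists write_updater and subtracts it in the same set, which is just `{ updater_sa sys_installer_sa }` written confusingly; if write_updater is meant to lose the restriction, write it plainly as `neverallow { updater_sa sys_installer_sa } {dev_attr -updater_block_file}:blk_file { open read write };` and add a comment saying why write_updater may now open block devices outside `updater_block_file`. Separately, `-su` is newly subtracted from the `dev_file` neverallow here and from the `remount` rule below, and again from the read-only-filesystem `never_write_dir`/`never_write_file` rules in the @@ -272 hunk and from `dac_override` in the @@ -296 hunk; together these let su remount and write the system and vendor partitions in every build. `type su, native_system_domain, domain;` in type.te is not itself gated, so either gate these exemptions with `developer_only(`-su')` like the other debug domains, or document that su is intended to exist in release images.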
@@ -296,7 +307,7 @@ neverallow isolated_render {domain -isolated_render}:process ptrace; neverallow { domain -appspawn -chipset_init -init -ueventd -installs -storage_daemon -cap_violator_chown -rgm_violator_cap_chown updater_only(`-updater') -distributedfiledaemon -rgm_violator_ohos_capability_chown -download_server -media_service -prerogative_app} self:{ capability cap_userns } chown; neverallow { domain -appspawn -cjappspawn -init -chipset_init -ueventd -memmgrservice -resource_schedule_executor -wifi_host -installs updater_only(`-updater') - -storage_daemon -usb_host -cap_violator_dacoverride developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_capability_dacoverride -system_core_hap -hilog -console } self:{ capability cap_userns } dac_override; + -storage_daemon -su -usb_host -cap_violator_dacoverride developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_capability_dacoverride -system_core_hap -hilog -console } self:{ capability cap_userns } dac_override; neverallow { domain -system_core_hap -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp') -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch } self:{ capability cap_userns } dac_read_search; neverallow { domain -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp -hap_domain_self_violators') -hnp_violator -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch -system_core_hap } self:{ capability cap_userns } dac_read_search; neverallow { domain -init -chipset_init -ueventd -installs -storage_daemon -cap_violator_fowner updater_only(`-updater') -rgm_violator_ohos_capability_fowner } 
self:{ capability cap_userns } fowner; @@ -319,8 +330,8 @@ neverallow { domain -appspawn -hiview -hidumper_service -memmgrservice -storage_ -foundation -cap_violator_sysptrace debug_only(`-hiebpf') -SP_daemon -rgm_violator_ohos_capability_sysptrace } self:{ capability cap_userns } sys_ptrace; neverallow * self:{ capability cap_userns } sys_pacct; neverallow { domain -kernel -init -chipset_init -storage_daemon -installs -appspawn -nwebspawn -nativespawn -cjappspawn -netsysnative -file_guard_server debug_only(`-hiprofiler_plugins -hiebpf') updater_only(`-updater') -rgm_violator_ohos_capability_sysadmin -rgm_violator_cap_sysadmin -module_update_service -prerogative_app } self:{ capability cap_userns } sys_admin; -neverallow { domain -init -chipset_init } self:{ capability cap_userns } sys_boot; -neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -resource_schedule_executor -appspawn -blue_host -system_core_hap -kernel} self:{ capability cap_userns } sys_nice; +neverallow { domain -init -chipset_init -multimodalinput } self:{ capability cap_userns } sys_boot; +neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -resource_schedule_executor -appspawn -blue_host -system_core_hap -kernel -multimodalinput } self:{ capability cap_userns } sys_nice; neverallow { domain -init -chipset_init -memmgrservice -netsysnative debug_only(`-hiebpf') } self:{ capability cap_userns } sys_resource; neverallow { domain -time_service updater_only(`-updater') } self:{ capability cap_userns } sys_time; neverallow * self:{ capability cap_userns } sys_tty_config; diff --git a/sepolicy/base/public/init.te b/sepolicy/base/public/init.te index 8b3b0c463..7d9e8c676 100644 --- a/sepolicy/base/public/init.te +++ b/sepolicy/base/public/init.te 
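Review bot: `-multimodalinput` is subtracted from the `sys_boot` neverallow, so the input service may hold CAP_SYS_BOOT, a capability this file otherwise reserves for `init` and `chipset_init`; an input daemon that can `reboot(2)` directly is a high-value target for anything that compromises it through the input path. If the motivating case is a key-combination reboot, the usual route is for multimodalinput to request it from init or the power manager over binder rather than hold the capability itself. If it must stay, add a comment naming the code path that calls reboot, e.g. `# multimodalinput: <reason> -- TODO confirm still required`, so the exemption can be re-evaluated. The `sys_nice` exemption in the same hunk is comparatively benign.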
@@ -44,3 +44,4 @@ allow init init:capability { sys_ptrace };
 allow init distributedsche:file { write };
 allow init system_usr_file:dir { search };
 allow init system_usr_file:file { getattr read open map };
+allow init intell_voice_host:file { write };
diff --git a/sepolicy/base/public/system_core_hap.te b/sepolicy/base/public/system_core_hap.te
index 64ccf2ec1..1524d8a4a 100644
--- a/sepolicy/base/public/system_core_hap.te
+++ b/sepolicy/base/public/system_core_hap.te
@@ -33,3 +33,6 @@ allow system_core_hap faultloggerd_temp_file:file { open getattr };
 allow system_core_hap sys_prod_file:dir { search };
 allow system_core_hap appspawn:fifo_file { read };
+allow system_core_hap dev_file:chr_file { read write open getattr map };
+allow system_core_hap dev_file:chr_file { ioctl };
+allowxperm system_core_hap dev_file:chr_file ioctl { 0x8203 0x8206 0x8402 0x8202 0x8300 0x830a };
diff --git a/sepolicy/base/public/type.te b/sepolicy/base/public/type.te
index 46060e27b..8f6a859aa 100644
--- a/sepolicy/base/public/type.te
+++ b/sepolicy/base/public/type.te
@@ -50,6 +50,7 @@ type netsysnative, sadomain, domain;
 type mdnsmanager, sadomain, domain;
 type hidumper_service, sadomain, domain;
 type bootanimation, sadomain, domain;
+type ohos_ir_user, sadomain, domain;
 type limit_domain, develop_domain;
 type device_usage_statistics_service, sadomain, domain;
 type thermal_sa, sadomain, domain;
@@ -118,3 +119,4 @@ type compiler_service, sadomain, domain;
 type console, sadomain, domain;
 type su, native_system_domain, domain;
+type data_service_el2_share, file_attr, data_file_attr;
diff --git a/sepolicy/base/system/system_domain.te b/sepolicy/base/system/system_domain.te
index 2496b9944..e96498e5d 100644
--- a/sepolicy/base/system/system_domain.te
+++ b/sepolicy/base/system/system_domain.te
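Review bot: `system_core_hap` gains read/write/ioctl on `dev_file:chr_file`, and `dev_file` appears to be the fallback label for /dev nodes without a specific file_contexts entry (domain.te's `dev_file` neverallow with its violator attributes treats it that way), so every unlabeled character device, including ones added later, becomes reachable from system-core apps; the `-system_core_hap` exemption added to that neverallow in this patch exists only to permit this. The ioctl set `0x8203 0x8206 0x8402 0x8202 0x8300 0x830a` overlaps what bootanimation uses on the same label in this series, which suggests one specific device; give that node its own type in file_contexts and grant it to both domains instead. The two `allow system_core_hap dev_file:chr_file` lines can in any case be merged: `allow system_core_hap dev_file:chr_file { read write open getattr map ioctl };`.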
@@ -14,7 +14,7 @@ # Prohibit system component processes from accessing vendor files to achieve access isolation neverallow { system_domain -vendor_file_violator_dir } vendor_file:dir ~{ search getattr relabelto read open mounton }; -neverallow { system_domain -hdcd -hidumper_service -init -processdump -vendor_file_violator_dir_getattr -su } vendor_file:dir { getattr }; +neverallow { system_domain -hdcd -console -hidumper_service -init -processdump -vendor_file_violator_dir_getattr -su } vendor_file:dir { getattr }; neverallow { system_domain -init -vendor_file_violator_dir_relabelto } vendor_file:dir { relabelto }; neverallow { system_domain -init -processdump -vendor_file_violator_dir_read } vendor_file:dir { read }; neverallow { system_domain -init -processdump -vendor_file_violator_dir_open } vendor_file:dir { open }; 
@@ -41,10 +41,10 @@ neverallow { system_domain -vendor_bin_file_violator_dir_read } vendor_bin_file: neverallow { system_domain -vendor_bin_file_violator_dir_mounton } vendor_bin_file:dir { mounton }; neverallow { system_domain -vendor_bin_file_violator_dir_relabelto } vendor_bin_file:dir { relabelto }; neverallow { system_domain -vendor_bin_file_violator_file } { vendor_bin_file }:file ~{ entrypoint execute map read getattr open execute_no_trans relabelto setattr }; -neverallow { system_domain -ispserver -vendor_bin_file_violator_file_entrypoint } vendor_bin_file:file { entrypoint }; -neverallow { system_domain -ispserver -init -vendor_bin_file_violator_file_execute } vendor_bin_file:file { execute }; -neverallow { system_domain -ispserver -hiebpf -hidumper_service -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_map } vendor_bin_file:file { map }; -neverallow { system_domain -ispserver -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_read } vendor_bin_file:file { read }; +neverallow { system_domain -ispserver -vendor_bin_file_violator_file_entrypoint -ohos_ir_user } vendor_bin_file:file { entrypoint }; +neverallow { system_domain -ispserver -init -vendor_bin_file_violator_file_execute -ohos_ir_user } vendor_bin_file:file { execute }; +neverallow { system_domain -ispserver -hiebpf -hidumper_service -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_map -ohos_ir_user } vendor_bin_file:file { map }; +neverallow { system_domain -ispserver -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_read -ohos_ir_user } vendor_bin_file:file { read }; neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_getattr } vendor_bin_file:file { getattr }; neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump 
-vendor_bin_file_violator_file_open } vendor_bin_file:file { open }; neverallow { system_domain -vendor_bin_file_violator_file_execute_no_trans } vendor_bin_file:file { execute_no_trans }; 
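Review bot: `-ohos_ir_user` is subtracted from the `vendor_bin_file:file` `entrypoint`, `execute`, `map` and `read` neverallows, meaning a `sadomain` system domain (declared in type.te in this patch) is entered from and runs a binary under /vendor/bin — exactly the system/vendor crossing this file exists to forbid, and `ispserver` is the only other entrypoint exception. If the IR daemon is shipped by the vendor, declare it as a vendor domain in its own `vendor/` .te file; if it is a system component, its executable belongs on the system partition with an `*_exec` type. Whichever applies, a comment above the exemptions stating the reason would stop the next reader from taking this as precedent.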
@@ -57,10 +57,10 @@ neverallow { system_domain } vendor_bin_file:{ blk_file chr_file fifo_file sock_ # Prohibit system component processes from accessing vendor etc files to achieve access isolation neverallow { system_domain -vendor_etc_file_violator_dir } vendor_etc_file:dir ~{ search getattr read open mounton relabelto }; neverallow { system_domain -bootanimation -ispserver -media_service -misc -multimodalinput -resource_schedule_service -samgr -foundation -powermgr -accountmgr -oaid_service - -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service - -multimodalinput -charger -concurrent_task_service -resource_schedule_service -dlp_permission_service -sensors -appspawn -init -ueventd -telephony_sa - -module_update_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn - -hap_domain -render_service -resource_schedule_executor -camera_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search -installs -softbus_server -inputmethod_service -usb_service -distributedsche -sharing_service -intell_voice_service } vendor_etc_file:dir { search }; + -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service -i18n_service + -multimodalinput -charger -concurrent_task_service -resource_schedule_service -dlp_permission_service -sensors -appspawn -init -ueventd -telephony_sa -ohos_ir_user -console + -module_update_service -privacy_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn + -hap_domain -storage_daemon -accesstoken_service -render_service -resource_schedule_executor -camera_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search -installs -softbus_server -inputmethod_service -usb_service -distributedsche 
-sharing_service -intell_voice_service -storage_manager } vendor_etc_file:dir { search }; neverallow { system_domain -nfc_service -charger -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_getattr } vendor_etc_file:dir { getattr }; neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_read } vendor_etc_file:dir { read }; neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_open } vendor_etc_file:dir { open }; 
@@ -69,14 +69,14 @@ neverallow { system_domain -vendor_etc_file_violator_dir_relabelto } vendor_etc_ neverallow { system_domain -vendor_etc_file_violator_file } vendor_etc_file:file ~{ map open read getattr relabelto }; neverallow { system_domain -bootanimation -media_service -memmgrservice -concurrent_task_service -resource_schedule_service -vendor_etc_file_violator_file_map } vendor_etc_file:file { map }; -neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr -ueventd +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr -ueventd -ohos_ir_user -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open }; -neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr -ueventd + -resource_schedule_service -storage_daemon -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr -ueventd -ohos_ir_user -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') 
-hnp_violator -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read }; + -resource_schedule_service -storage_daemon -resource_schedule_executor -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read }; neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr -ueventd -hdf_devmgr -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service - -resource_schedule_service -resource_schedule_executor -appspawn -cjappspawn -init -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr }; + -resource_schedule_service -storage_daemon -resource_schedule_executor -appspawn -cjappspawn -init -ohos_ir_user -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr }; neverallow { system_domain -vendor_etc_file_violator_file_relabelto } vendor_etc_file:file { relabelto }; neverallow { system_domain } vendor_etc_file:{ blk_file chr_file fifo_file lnk_file sock_file } *; diff --git a/sepolicy/base/te/accessibility.te b/sepolicy/base/te/accessibility.te index 89fcdab1b..99c8a82c8 100644 --- a/sepolicy/base/te/accessibility.te +++ b/sepolicy/base/te/accessibility.te 
@@ -73,6 +73,7 @@ allow accessibility sys_prod_file:file { map open read getattr }; allow accessibility vendor_bin_file:dir { search }; allow accessibility vendor_file:file { map open read getattr }; allow accessibility chip_prod_file:file { map open read getattr }; +allow accessibility chip_prod_file:dir { search }; allow accessibility data_app_el1_file:file { map open read getattr }; allow accessibility dev_console_file:chr_file { read write }; allow accessibility sysfs_devices_system_cpu:file { read }; diff --git a/sepolicy/base/te/audio_server.te b/sepolicy/base/te/audio_server.te index edbca852a..79fa2f169 100644 --- a/sepolicy/base/te/audio_server.te +++ b/sepolicy/base/te/audio_server.te @@ -53,3 +53,8 @@ allow audio_server sysfs_devices_system_cpu:file { read open getattr }; allow audio_server chip_prod_file:dir { search }; allow audio_server sys_prod_file:dir { search }; +allow audio_server sa_foundation_appms:samgr_class { get }; +allow audio_server sa_concurrent_task_service:samgr_class { get }; + +allow audio_server concurrent_task_service:binder { call }; +allow audio_server unlabeled:dir { search }; diff --git a/sepolicy/base/te/bootanimation.te b/sepolicy/base/te/bootanimation.te index 44894c474..3cc577480 100644 --- a/sepolicy/base/te/bootanimation.te +++ b/sepolicy/base/te/bootanimation.te @@ -87,7 +87,7 @@ allow bootanimation data_file:file { read open getattr }; allow bootanimation dev_file:chr_file { read write open getattr map }; allow bootanimation dev_file:chr_file { ioctl }; -allowxperm bootanimation dev_file:chr_file ioctl { 0x8203 0x8402 0x4905 0x4909 0x8202 0x8309 }; +allowxperm bootanimation dev_file:chr_file ioctl { 0x8203 0x8402 0x4905 0x4909 0x8202 0x8309 0x830a 0x8300 0x8302 0x8404 0x8401 0x820b 0x8209 0x820a 0x8303 0x490a 0x8204 }; allow bootanimation hdf_devmgr:binder { call }; allowxperm bootanimation dev_file:chr_file ioctl { 0x8301 0x8206 0x4901 }; 
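Review bot: Eleven more ioctl commands are appended to the `allowxperm bootanimation dev_file:chr_file` line while a second `allowxperm bootanimation dev_file:chr_file ioctl { 0x8301 0x8206 0x4901 };` two lines below covers the same source, target and class; two lists for one key invite drift, so fold them into a single `allowxperm`. More importantly, `dev_file` appears to be the fallback /dev label, so these xperms apply to any unlabeled character device; the `dev_graphics_file` rule in the @@ -98 hunk shows the pattern to follow — give the device its own type and move the ioctl list onto it. A comment naming the driver that owns these `0x82xx`/`0x83xx`/`0x84xx`/`0x49xx` requests would also make the list reviewable.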
@@ -98,4 +98,7 @@ allow bootanimation dev_graphics_file:chr_file { ioctl }; allowxperm bootanimation dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 }; allow bootanimation devinfo_type_param:file { read open map }; - +allow bootanimation dev_console_file:chr_file { read write }; +allow bootanimation sa_device_service_manager:samgr_class { get }; +allow bootanimation hdf_allocator_service:hdf_devmgr_class { get }; +allow bootanimation unlabeled:dir { search }; diff --git a/sepolicy/base/te/console.te b/sepolicy/base/te/console.te index 3e88df9a3..44067e4ef 100644 --- a/sepolicy/base/te/console.te +++ b/sepolicy/base/te/console.te 
@@ -21,7 +21,62 @@ allow console dev_unix_socket:dir { search };
 allow console console:capability { dac_override net_admin };
 allow console netsysnative:unix_stream_socket { connectto };
 allow console console:udp_socket { ioctl };
-allowxperm console console:udp_socket ioctl { 0x8916 0x5413 0x8913 0x8914 };
+allowxperm console console:udp_socket ioctl { 0x8916 0x5413 0x8913 0x8914 0x8927 };
 allow console tty_device:chr_file { ioctl };
-allowxperm console tty_device:chr_file ioctl { 0x5401 0x5413 };
+allowxperm console tty_device:chr_file ioctl { 0x5401 0x5413 0x540f };
+allow console dev_console_file:chr_file { getattr };
+allow console proc_file:file { read open };
+allow console init:dir { getattr search };
+allow console init:file { read open };
+allow console kernel:dir { getattr };
+allow console hilog_exec:file { getattr execute read open execute_no_trans map};
+allow console hilog_control_socket:sock_file { write };
+allow console hilogd:unix_stream_socket { connectto };
+
+allow console dev_file:dir { getattr };
+allow console dev_pts_file:dir { getattr };
+allow console vendor_file:dir { getattr };
+allow console data_app_el1_file:dir { getattr };
+allow console data_service_file:dir { search };
+allow console data_service_el2_file:dir { search };
+allow console data_service_el2_hmdfs:dir { search };
+allow console hmdfs:dir { search };
+
+allow console dev_kmsg_file:chr_file { getattr };
+allow console selinuxfs:dir { search search };
+allow console selinuxfs:file { read open write };
+
+allow console unlabeled:dir { getattr };
+allow console chip_ckm_file:dir { getattr };
+allow console security:security { setenforce };
+allow console sh_exec:file { entrypoint };
+allow console sh_exec:file { map read execute };
+allow console tty_device:chr_file { read write open };
+allow console unlabeled:dir { search };
+allow console data_local:dir { search };
+allow console data_local_tmp:dir { write search getattr };
+
+allow console kernel:dir { search };
+allow console kernel:file { read open };
+allow console ueventd:dir { getattr search };
+allow console ueventd:file { read open };
+allow console watchdog_service:dir { getattr };
+
+allow console proc_net:file { read open getattr };
+
+allow ohos_ir_user persist_param:file { map };
+allow ohos_ir_user dev_file:chr_file { read open write };
+allow ohos_ir_user vendor_etc_file:dir { search };
+allow ohos_ir_user vendor_etc_file:file { getattr read open };
+allow ohos_ir_user ohos_ir_user:udp_socket { create };
+allow ohos_ir_user dev_file:chr_file { ioctl };
+allowxperm ohos_ir_user dev_file:chr_file ioctl { 0x6202 };
+
+allow console proc_net:file { read open getattr };
+allow console console:udp_socket { ioctl };
+allowxperm console console:udp_socket ioctl { 0x8927 };
+allow console vendor_etc_file:dir { search };
+allow console sys_prod_file:dir { search };
+allow console chip_prod_file:dir { search };
+allow console servicectrl_reboot_param:parameter_service { set };
diff --git a/sepolicy/base/te/deviceauth_service.te b/sepolicy/base/te/deviceauth_service.te
index 7fb76e937..3e463c9bb 100644
--- a/sepolicy/base/te/deviceauth_service.te
+++ b/sepolicy/base/te/deviceauth_service.te
@@ -58,3 +58,4 @@ allow deviceauth_service accountmgr:fd { use };
 allow deviceauth_service sysfs_devices_system_cpu:file { read open getattr };
+allow deviceauth_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/dhardware.te b/sepolicy/base/te/dhardware.te
index 0a9b938bc..0971f0ee2 100644
--- a/sepolicy/base/te/dhardware.te
+++ b/sepolicy/base/te/dhardware.te
@@ -61,4 +61,4 @@ allowxperm dhardware dev_input_file:chr_file ioctl { 0x4534 0x4572 };
 allow dhardware system_usr_file:dir { search };
 allow dhardware system_usr_file:file { getattr read open map };
-
+allow dhardware unlabeled:dir { search };
diff --git a/sepolicy/base/te/distributedsche.te b/sepolicy/base/te/distributedsche.te
index dbe1ba771..91e986ecd 100644
--- a/sepolicy/base/te/distributedsche.te
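Review bot: `allow console security:security { setenforce };` together with `allow console selinuxfs:file { read open write };` lets the console domain switch SELinux to permissive, and `allow console servicectrl_reboot_param:parameter_service { set };` lets it reboot the device; if console is a developer shell, as its name and the `sh_exec:file { entrypoint }` rule suggest, these belong inside a `debug_only(` block like the one sandbox_manager.te uses so they never reach a user build. The hunk also carries redundant lines: `allow console selinuxfs:dir { search search };` repeats a permission, `allow console proc_net:file { read open getattr };` appears twice, `allow console console:udp_socket { ioctl };` re-adds a rule already present in the context above, `allowxperm console console:udp_socket ioctl { 0x8927 };` duplicates the value just added to the modified allowxperm line, and `{ ... execute_no_trans map}` is missing the space before the brace. The seven `ohos_ir_user` rules in the middle of this hunk belong in the new ir_user.te added by this same commit, where the rest of that domain's policy lives.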
+++ b/sepolicy/base/te/distributedsche.te
@@ -57,3 +57,4 @@ allow distributedsche tracefs_trace_marker_file:file { open write };
 allow distributedsche chip_prod_file:dir { search };
 allow distributedsche sys_prod_file:dir { search };
 allow distributedsche vendor_etc_file:dir { search };
+allow distributedsche unlabeled:dir { search };
diff --git a/sepolicy/base/te/faultloggerd.te b/sepolicy/base/te/faultloggerd.te
index c754b9ca7..0acbc54b3 100644
--- a/sepolicy/base/te/faultloggerd.te
+++ b/sepolicy/base/te/faultloggerd.te
@@ -58,3 +58,4 @@ allow faultloggerd system_core_hap_attr:process { signal };
 allow faultloggerd sys_usb_param:file { map open read };
 allow faultloggerd dev_console_file:chr_file { read write };
+allow faultloggerd unlabeled:dir { search };
diff --git a/sepolicy/base/te/foundation.te b/sepolicy/base/te/foundation.te
index 0a061653c..f84fdfa35 100644
--- a/sepolicy/base/te/foundation.te
+++ b/sepolicy/base/te/foundation.te
@@ -27,6 +27,8 @@ allow foundation const_product_param:file { map open read };
 allow foundation data_app_el1_file:file { open };
 allow foundation data_service_el1_file:dir { getattr rmdir setattr };
 allow foundation data_service_el1_file:file { ioctl lock map read append open setattr };
+allow foundation data_service_el1_file:dir { ioctl };
+allowxperm foundation data_service_el1_file:dir ioctl { 0xf546 };
 allow foundation data_system_ce:dir { create open read remove_name };
 allow foundation data_system_ce:file { unlink };
 allow foundation debug_param:file { map open read };
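Review bot: `allowxperm foundation data_service_el1_file:dir ioctl { 0xf546 };` added here is added a second time in the `@@ -128,8 +130,19 @@` hunk of the same file, so the identical extended-permission rule ends up in foundation.te twice. Keeping only this copy, next to the `allow foundation data_service_el1_file:dir { ioctl };` it belongs with, avoids the two lists drifting apart when another ioctl is added later.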
@@ -128,8 +130,19 @@ allow foundation wifi_manager_service:binder { call };
 allow foundation allocator_host:fd { use };
 allow foundation useriam:binder { call transfer };
 allowxperm foundation data_service_el1_file:file ioctl { 0xf50c 0xf546 0xf547 };
+allowxperm foundation data_service_el1_file:dir ioctl { 0xf546 };
 allowxperm foundation dev_dri_file:chr_file ioctl { 0x641f };
 allowxperm foundation dev_mali:chr_file ioctl { 0x8000 0x8001 0x8003 0x8018 };
 allow foundation sys_prod_file:dir { search };
 allow foundation config_file:dir { search };
+allow foundation unlabeled:dir { search };
+
+allow foundation dev_graphics_file:dir { search };
+allow foundation dev_graphics_file:chr_file { read write open map };
+allow foundation dev_graphics_file:chr_file { ioctl };
+allowxperm foundation dev_graphics_file:chr_file ioctl { 0x4602 };
+allow foundation dev_file:chr_file { read open };
+allow foundation dev_file:chr_file { ioctl };
+allowxperm foundation dev_file:chr_file ioctl { 0x4901 };
+allow foundation proc_version_file:file { read open getattr };
diff --git a/sepolicy/base/te/hidumper.te b/sepolicy/base/te/hidumper.te
index 11d0986ec..ed3aaf475 100644
--- a/sepolicy/base/te/hidumper.te
+++ b/sepolicy/base/te/hidumper.te
@@ -19,3 +19,11 @@ allow hidumper hiview:fd { use };
 allow hidumper hiview:fifo_file { read write };
 allow hidumper hiview_file:file { read write };
 allow hidumper hiview:unix_dgram_socket { read write };
+
+allow hidumper multimodalinput:fd { use };
+allow hidumper hiview_file:file { append };
+allow hidumper_service init:dir { search };
+allow hidumper_service init:file { read open getattr };
+allow hidumper_service kernel:dir { search };
+allow hidumper_service kernel:file { read open getattr };
+
diff --git a/sepolicy/base/te/hidumper_service.te b/sepolicy/base/te/hidumper_service.te
index 3a14212fa..37fd6db73 100644
--- a/sepolicy/base/te/hidumper_service.te
+++ b/sepolicy/base/te/hidumper_service.te
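Review bot: The four `allow hidumper_service ...` rules are added to hidumper.te, while this commit also touches hidumper_service.te in the very next section; rules for the hidumper_service domain should live there so that someone auditing that domain's policy finds it in one file. The hunk also ends with an added empty line, leaving a trailing blank at the end of hidumper.te.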
@@ -56,3 +56,4 @@ allow hidumper_service sys_usb_param:file { map open read };
 allow hidumper_service tracefs:dir { search };
 allow hidumper_service tracefs_trace_marker_file:file { open write };
 allow hidumper_service hiview_file:file { write };
+allow hidumper_service dev_unix_socket:dir { search };
diff --git a/sepolicy/base/te/hilogd.te b/sepolicy/base/te/hilogd.te
index 0f8f616bd..8694290fc 100644
--- a/sepolicy/base/te/hilogd.te
+++ b/sepolicy/base/te/hilogd.te
@@ -50,3 +50,4 @@ allow hilogd kernel:system { syslog_mod };
 allow hilogd hilogd:capability2 { syslog };
 allow hilogd dev_console_file:chr_file { read write };
+allow hilogd unlabeled:dir { search };
diff --git a/sepolicy/base/te/hiview.te b/sepolicy/base/te/hiview.te
index 74a97848b..e44cb538c 100644
--- a/sepolicy/base/te/hiview.te
+++ b/sepolicy/base/te/hiview.te
@@ -102,3 +102,8 @@ allow hiview proc_cmdline_file:file { read open getattr };
 allow hiview multimodalinput:binder { call transfer };
 allow hiview multimodalinput:fd { use };
 allow hiview multimodalinput:unix_stream_socket { read write };
+
+allow hiview unlabeled:dir { search };
+
+allow hiview system_core_hap_data_file:dir { search };
+allow hiview proc_meminfo_file:file { getattr };
diff --git a/sepolicy/base/te/huks_service.te b/sepolicy/base/te/huks_service.te
index 933ab7385..884b3d3fc 100644
--- a/sepolicy/base/te/huks_service.te
+++ b/sepolicy/base/te/huks_service.te
@@ -53,3 +53,4 @@ allow huks_service sa_accountmgr:samgr_class { get };
 allow huks_service dev_console_file:chr_file { read write };
 allow huks_service sysfs_devices_system_cpu:file { read open getattr };
+allow huks_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/inputmethod_service.te b/sepolicy/base/te/inputmethod_service.te
index 6f03aadc2..d91e78960 100644
--- a/sepolicy/base/te/inputmethod_service.te
+++ b/sepolicy/base/te/inputmethod_service.te
@@ -71,3 +71,6 @@ allowxperm inputmethod_service data_service_el1_file:file ioctl { 0x5413 };
 allow inputmethod_service vendor_etc_file:dir { search };
 allow inputmethod_service sys_prod_file:dir { search };
 allow inputmethod_service chip_prod_file:dir { search };
+allow inputmethod_service unlabeled:dir { search };
+
+allow inputmethod_service resource_schedule_service:binder { call };
diff --git a/sepolicy/base/te/installs.te b/sepolicy/base/te/installs.te
index 283da599a..9c730721a 100644
--- a/sepolicy/base/te/installs.te
+++ b/sepolicy/base/te/installs.te
@@ -85,3 +85,6 @@ allowxperm installs data_app_el4_file:dir ioctl { 0xf546 0xf547 };
 allowxperm installs data_app_el5_file:dir ioctl { 0xf546 0xf547 };
 allow installs data_service_el2_file:file { unlink };
+allow installs chip_prod_file:dir { search };
+allow installs sys_prod_file:dir { search };
+allow installs vendor_etc_file:dir { search };
diff --git a/sepolicy/base/te/ir_user.te b/sepolicy/base/te/ir_user.te
new file mode 100755
index 000000000..62444ee30
--- /dev/null
+++ b/sepolicy/base/te/ir_user.te
@@ -0,0 +1,19 @@
+# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow ohos_ir_user dev_file:chr_file { ioctl };
+allowxperm ohos_ir_user dev_file:chr_file ioctl { 0x5106 0x6901 };
+allow ohos_ir_user vendor_bin_file:file { entrypoint map read execute };
+allow ohos_ir_user dev_console_file:chr_file { read write };
+allow ohos_ir_user persist_param:file { read open };
+
diff --git a/sepolicy/base/te/kernel.te b/sepolicy/base/te/kernel.te
index 26618769e..e9fd23d10 100644
--- a/sepolicy/base/te/kernel.te
+++ b/sepolicy/base/te/kernel.te
@@ -25,3 +25,7 @@ allow kernel pstorefs:file { open read unlink };
 allow kernel softbus_server:tcp_socket { read write };
 allow kernel sys_file:dir { open read };
 allow kernel tmpfs:chr_file { write };
+allow kernel kernel:system { module_request };
+allow kernel dev_kmsg_file:chr_file { write };
+
+allow kernel unlabeled:chr_file { write };
diff --git a/sepolicy/base/te/media_service.te b/sepolicy/base/te/media_service.te
index 5920de1a0..99fcb1685 100644
--- a/sepolicy/base/te/media_service.te
+++ b/sepolicy/base/te/media_service.te
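Review bot: This new file holds only part of the `ohos_ir_user` policy: the console.te hunk in the same commit adds seven more `ohos_ir_user` rules, among them a second `allowxperm ohos_ir_user dev_file:chr_file ioctl { 0x6202 };` and `persist_param:file { map }`, which complements the `{ read open }` granted here. Moving those into this file and merging the ioctl value into the `{ 0x5106 0x6901 }` list keeps the domain's whole policy in one place. Neither file declares the `ohos_ir_user` type or its attributes, so presumably that lives elsewhere — worth confirming the declaration is part of the build. The copyright line reads 2022-2024 on a file created in 2025, and the file ends with a trailing blank line.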
@@ -90,3 +90,6 @@ allow media_service system_file:file { map open read getattr };
 allow media_service data_app_el1_file:file { map open read getattr };
 allow media_service sa_memory_manager_service:samgr_class { get };
 allow media_service memmgrservice:binder { call transfer };
+allow media_service sysfs_devices_system_cpu:file { read open getattr };
+allow media_service dev_console_file:chr_file { read write };
+allow media_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/msdp_sa.te b/sepolicy/base/te/msdp_sa.te
index e86c6de10..977e2093e 100644
--- a/sepolicy/base/te/msdp_sa.te
+++ b/sepolicy/base/te/msdp_sa.te
@@ -52,3 +52,5 @@ allow msdp_sa system_bin_file:dir { search };
 allow msdp_sa sys_usb_param:file { map open read };
 allow msdp_sa tracefs:dir { search };
 allow msdp_sa tracefs_trace_marker_file:file { open write };
+allow msdp_sa sys_prod_file:dir { search };
+allow msdp_sa system_usr_file:file { map };
diff --git a/sepolicy/base/te/multimodalinput.te b/sepolicy/base/te/multimodalinput.te
index 907bf2c50..5c1ae8702 100644
--- a/sepolicy/base/te/multimodalinput.te
+++ b/sepolicy/base/te/multimodalinput.te
@@ -76,3 +76,5 @@ allow multimodalinput dev_input_file:chr_file { ioctl };
 allow multimodalinput chip_prod_file:dir { search };
 allow multimodalinput sys_prod_file:dir { search };
+allow multimodalinput unlabeled:dir { search };
+allow multimodalinput multimodalinput:capability { sys_nice };
diff --git a/sepolicy/base/te/netmanager.te b/sepolicy/base/te/netmanager.te
index 9b165777d..b909cfcaf 100644
--- a/sepolicy/base/te/netmanager.te
+++ b/sepolicy/base/te/netmanager.te
@@ -85,3 +85,4 @@ allow netmanager dev_kmsg_file:chr_file { write open };
 allow netmanager dev_kmsg_file:chr_file { open };
 allow netmanager sysfs_devices_system_cpu:file { read open getattr };
+allow netmanager unlabeled:dir { search };
diff --git a/sepolicy/base/te/netsysnative.te b/sepolicy/base/te/netsysnative.te
index 5ff4ff999..6ab8338c5 100644
--- a/sepolicy/base/te/netsysnative.te
+++ b/sepolicy/base/te/netsysnative.te
@@ -65,4 +65,6 @@ allow netsysnative tracefs_trace_marker_file:file { open write };
 allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8910 };
 allow netsysnative netmanager:udp_socket { read write getopt setopt };
+allow netsysnative netsysnative:unix_dgram_socket { getopt setopt };
+allow netsysnative unlabeled:dir { search };
diff --git a/sepolicy/base/te/processdump.te b/sepolicy/base/te/processdump.te
index f10b3a1cb..0ef33b628 100644
--- a/sepolicy/base/te/processdump.te
+++ b/sepolicy/base/te/processdump.te
@@ -54,3 +54,12 @@ allow processdump blue_host:unix_stream_socket { read write };
 allow processdump dev_console_file:chr_file { read write };
 allow processdump processdump:unix_dgram_socket { getopt setopt };
+allow processdump resource_schedule_service:file { write };
+allow processdump multimodalinput:unix_stream_socket { read write };
+allow processdump bootanimation:file { write };
+
+allow processdump appspawn:unix_stream_socket { read write };
+allow processdump system_core_hap:unix_stream_socket { read write };
+allow processdump render_service:unix_stream_socket { read write };
+allow processdump system_core_hap:file { write };
+allow processdump dev_file:chr_file { read write };
diff --git a/sepolicy/base/te/render_service.te b/sepolicy/base/te/render_service.te
index 9caa2c3d3..5a4d88d25 100644
--- a/sepolicy/base/te/render_service.te
+++ b/sepolicy/base/te/render_service.te
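Review bot: `allow processdump resource_schedule_service:file { write };`, `allow processdump bootanimation:file { write };` and `allow processdump system_core_hap:file { write };` name process domains as `file` targets, and `allow processdump dev_file:chr_file { read write };` opens the generic device label for read and write; nothing in the hunk says which objects these are, so a reader cannot judge whether the grants are as narrow as intended. If, as the neighbouring `unix_stream_socket { read write }` rules suggest, processdump is operating on descriptors inherited from the crashing process, a comment such as `# descriptors inherited from the crashed process; processdump opens nothing itself — TODO confirm` above the group would record that; if a specific /proc or /dev node is meant, a dedicated type for it would be narrower than `dev_file`.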
@@ -91,7 +91,13 @@ allow render_service data_service_el1_file:file { map write read };
 allow render_service dev_file:chr_file { read write open getattr map };
 allow render_service dev_file:chr_file { ioctl };
-allowxperm render_service dev_file:chr_file ioctl { 0x4905 0x4901 0x8202 0x4909 0x8203 0x8309 0x8301 0x8404 0x8303 0x8206 0x8302 0x820b 0x830a 0x8402 };
+allowxperm render_service dev_file:chr_file ioctl { 0x4905 0x4901 0x8202 0x4909 0x8203 0x8309 0x8301 0x8404 0x8303 0x8206 0x8302 0x820b 0x830a 0x8402 0x8300 0x8209 0x820a 0x490a 0x8401 };
 allow render_service render_service:unix_dgram_socket { getopt setopt };
 allow render_service data_service_file:dir { search };
+allow render_service dev_console_file:chr_file { read write };
+
+allow render_service system_usr_file:dir { search };
+allow render_service system_usr_file:file { getattr read open map };
+
+allow render_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/resource_schedule_service.te b/sepolicy/base/te/resource_schedule_service.te
index 2bf844067..4f90285c7 100644
--- a/sepolicy/base/te/resource_schedule_service.te
+++ b/sepolicy/base/te/resource_schedule_service.te
@@ -62,4 +62,6 @@ allow resource_schedule_service powermgr:binder {call transfer};
 allow resource_schedule_service dev_console_file:chr_file { read write };
 allow resource_schedule_service dev_kmsg_file:chr_file { write open };
-
+allow resource_schedule_service sa_foundation_abilityms:samgr_class { get };
+allow resource_schedule_service unlabeled:dir { search };
+allow resource_schedule_service multimodalinput:binder { transfer };
diff --git a/sepolicy/base/te/samgr.te b/sepolicy/base/te/samgr.te
index e9b21f438..03114f7f2 100644
--- a/sepolicy/base/te/samgr.te
+++ b/sepolicy/base/te/samgr.te
@@ -62,3 +62,4 @@ allow samgr tracefs_trace_marker_file:file { open write };
 allow samgr vendor_etc_file:dir { search };
 allow samgr appspawn:process { getattr };
 allowxperm samgr data_samgr:file ioctl { 0x5413 };
+allow samgr unlabeled:dir { search };
diff --git a/sepolicy/base/te/softbus_server.te b/sepolicy/base/te/softbus_server.te
index b98a68078..72ea46481 100644
--- a/sepolicy/base/te/softbus_server.te
+++ b/sepolicy/base/te/softbus_server.te
@@ -30,7 +30,7 @@ allow softbus_server data_log:file { read write };
 allow softbus_server data_service_el1_file:dir { add_name search write read open };
 allow softbus_server data_service_el1_file:file { create read write open };
 allow softbus_server data_service_el1_file:file { ioctl };
-allowxperm softbus_server data_service_el1_file:file ioctl { 0xf546 };
+allowxperm softbus_server data_service_el1_file:file ioctl { 0xf546 0xf50c};
 allow softbus_server data_service_el1_file:dir { ioctl };
 allowxperm softbus_server data_service_el1_file:dir ioctl { 0xf546 };
@@ -111,3 +111,9 @@ allow softbus_server vendor_etc_file:dir { search };
 allow softbus_server dev_console_file:chr_file { read write };
 allow softbus_server powermgr:binder { call };
+allow softbus_server sa_powermgr_powermgr_service:samgr_class { get };
+allow softbus_server unlabeled:dir { search };
+
+allow softbus_server dev_kmsg_file:chr_file { write open };
+allow softbus_server sysfs_devices_system_cpu:file { read open getattr };
+
diff --git a/sepolicy/base/te/storage_daemon.te b/sepolicy/base/te/storage_daemon.te
index f8402d47d..a29a9bb5a 100644
--- a/sepolicy/base/te/storage_daemon.te
+++ b/sepolicy/base/te/storage_daemon.te
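Review bot: `allowxperm softbus_server data_service_el1_file:file ioctl { 0xf546 0xf50c};` is missing the space before the closing brace that every neighbouring allowxperm in this file uses, so it should read `{ 0xf546 0xf50c }`. The `@@ -111,3 +111,9 @@` hunk of the same file ends with an added empty line, leaving a trailing blank at the end of softbus_server.te.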
@@ -28,7 +28,7 @@ allow storage_daemon data_app_el2_file:dir { add_name create getattr open read s
 allow storage_daemon data_app_el3_file:dir { add_name create getattr open read search setattr write };
 allow storage_daemon data_app_el4_file:dir { add_name create getattr open read search setattr write };
 allow storage_daemon data_app_el5_file:dir { add_name create getattr open read search setattr write };
-allow storage_daemon data_app_file:dir { search };
+allow storage_daemon data_app_file:dir { search add_name create };
 allow storage_daemon data_chipset_el1_file:dir { add_name create getattr open read search setattr write };
 allow storage_daemon data_chipset_el2_file:dir { add_name create getattr open read search setattr write };
 allow storage_daemon data_chipset_file:dir { search };
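Review bot: `allow storage_daemon data_app_file:dir { search add_name create };` grants `add_name` and `create` without `write`, while every sibling rule in this hunk (data_app_el3_file, data_app_el4_file, data_app_el5_file, data_chipset_el1_file, data_chipset_el2_file) carries `write` alongside them; creating an entry in a directory is also checked as `write` on the parent, so this rule will most likely still produce a denial on the first mkdir. The line should read `allow storage_daemon data_app_file:dir { search write add_name create };`; the `@@ -38,10 +38,10 @@` hunk's change to `data_service_file:dir` already follows that pattern.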
@@ -38,10 +38,10 @@ allow storage_daemon data_service_el2_file:dir { add_name create getattr open re
 allow storage_daemon data_service_el2_file:file { relabelfrom };
 allow storage_daemon data_service_el2_hmdfs:dir { add_name create getattr open read read open relabelto relabelfrom search setattr write };
 allow storage_daemon data_service_el2_hmdfs:file { read open write open };
-allow storage_daemon data_service_el3_file:dir { add_name create getattr open read relabelfrom search setattr write };
-allow storage_daemon data_service_el4_file:dir { add_name create getattr open read relabelfrom search setattr write };
+allow storage_daemon data_service_el3_file:dir { add_name create getattr open read relabelfrom search setattr write relabelto };
+allow storage_daemon data_service_el4_file:dir { add_name create getattr open read relabelfrom search setattr write relabelto };
 allow storage_daemon data_service_el5_file:dir { add_name create getattr open read relabelfrom search setattr write };
-allow storage_daemon data_service_file:dir { search };
+allow storage_daemon data_service_file:dir { search write add_name create setattr getattr relabelfrom };
 allow storage_daemon data_user_file:dir { open read read open relabelto setattr };
 allow storage_daemon debug_param:file { map open read };
 allow storage_daemon default_param:file { map open read };
@@ -86,3 +86,10 @@ allow storage_daemon toybox_exec:file { execute execute_no_trans map read open }
 allow storage_daemon sys_usb_param:file { map open read };
 allow storage_daemon tmpfs:dir { add_name create mounton open read setattr write };
+allow storage_daemon init:file { getattr };
+allow storage_daemon kernel:file { getattr };
+allow storage_daemon ueventd:file { getattr };
+allow storage_daemon watchdog_service:file { getattr };
+allow storage_daemon faultloggerd:file { getattr };
+allow storage_daemon hdf_devmgr:file { getattr };
+allow storage_daemon param_watcher:file { getattr };
diff --git a/sepolicy/base/te/storage_manager.te b/sepolicy/base/te/storage_manager.te
index 47add567e..28ba4386e 100644
--- a/sepolicy/base/te/storage_manager.te
+++ b/sepolicy/base/te/storage_manager.te
@@ -63,4 +63,8 @@ allow storage_manager sa_accountmgr:samgr_class { get };
 allow storage_manager accountmgr:binder { call };
 allow storage_manager dev_console_file:chr_file { read write };
-allow storage_manager sysfs_devices_system_cpu:file { read open };
+allow storage_manager sysfs_devices_system_cpu:file { read open getattr };
+allow storage_manager vendor_etc_file:dir { search };
+
+allow storage_manager sys_prod_file:dir { search };
+allow storage_manager chip_prod_file:dir { search };
diff --git a/sepolicy/base/te/su.te b/sepolicy/base/te/su.te
index 32dc81209..8052a0ee6 100755
--- a/sepolicy/base/te/su.te
+++ b/sepolicy/base/te/su.te
@@ -11,6 +11,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# type cadaemon, sadomain, domain;
+
 allow su persist_param:parameter_service { set };
 allow su debug_param:parameter_service { set };
 allow su su:tcp_socket { read create getattr listen setopt bind };
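Review bot: `+# type cadaemon, sadomain, domain;` adds a commented-out type declaration, and the `@@ -30,14 +32,59 @@` hunk of the same file adds a matching commented-out `# allow su cadaemon:dir { getattr search };`; commented-out policy is dead text that a later reader cannot tell apart from a deliberate exclusion. Either declare the type where the other domain types are declared and keep the rule, or drop both comment lines; if they must stay, a comment stating why, e.g. `# cadaemon access deferred until <tracking item>`, would make the intent clear.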
@@ -30,14 +32,59 @@ allow su port:tcp_socket { name_bind };
 allow su node:tcp_socket { node_bind };
 allow su paramservice_socket:sock_file { write };
 allow su kernel:unix_stream_socket { connectto };
-# allow su sh_exec:file { execute_no_trans };
+allow su sh_exec:file { execute_no_trans };
 allow su tty_device:chr_file { read write open };
 allow su data_local:dir { search };
 allow su data_local_tmp:dir { write search getattr };
 allow su system_bin_file:lnk_file { read };
 allow su toybox_exec:file { getattr execute read open map };
-# allow su toybox_exec:file { execute_no_trans };
-allow su dev_file:dir { getattr };
-allow su dev_pts_file:dir { getattr };
+allow su toybox_exec:file { execute_no_trans };
+allow su dev_file:dir { getattr read open };
+allow su dev_pts_file:dir { getattr search };
+allow su devpts:chr_file { read write open };
 allow su vendor_file:dir { getattr };
 allow su data_app_el1_file:dir { getattr };
+allow su data_hilogd_file:file { read open getattr write unlink };
+allow su data_hilogd_file:dir { getattr read open search write remove_name };
+allow su data_service_el2_share:dir { getattr };
+allow su data_service_file:dir { search };
+allow su data_service_el2_file:dir { search };
+allow su data_service_el2_hmdfs:dir { search };
+allow su hmdfs:dir { search };
+allow su data_user_file:dir { getattr };
+allow su labeledfs:filesystem { remount };
+allow su system_etc_file:dir { write add_name create write };
+allow su system_etc_file:file { create write };
+allow su devpts:chr_file { ioctl };
+allowxperm su devpts:chr_file ioctl { 0x5413 };
+allow su devpts:chr_file { getattr };
+allow su proc_file:file { read open };
+allow su proc_file:file { open };
+allow su init:dir { getattr search };
+
+allow su tty_device:chr_file { ioctl };
+allowxperm su tty_device:chr_file ioctl { 0x5403 0x5413 0x540f 0x5410 };
+allow su init:dir { search getattr search };
+allow su init:file { read open };
+allow su init:file { open };
+allow su kernel:dir { getattr search };
+allow su kernel:file { read open };
+
+allow su dev_ptmx:chr_file { read write open };
+allow su dev_ptmx:chr_file { ioctl };
+allowxperm su dev_ptmx:chr_file ioctl { 0x5431 };
+
+
+allow su su:capability { dac_override };
+
+allow su ueventd:dir { getattr search };
+allow su ueventd:file { read open };
+allow su watchdog_service:dir { getattr };
+allow su faultloggerd:dir { getattr search };
+allow su hdf_devmgr:dir { getattr search };
+allow su storage_daemon:dir { getattr search };
+allow su storage_manager:dir { getattr search };
+# allow su cadaemon:dir { getattr search };
+allow su rootfs:dir { read open };
+allow su dev_kmsg_file:chr_file { getattr };
+allow su dev_file:chr_file { getattr };
diff --git a/sepolicy/base/te/system_basic_hap.te b/sepolicy/base/te/system_basic_hap.te
index 4b4b42464..103039f71 100644
--- a/sepolicy/base/te/system_basic_hap.te
+++ b/sepolicy/base/te/system_basic_hap.te
@@ -141,10 +141,10 @@ allow system_basic_hap_attr sa_hiview_service:samgr_class { get };
 allow system_basic_hap dev_file:chr_file { read write open getattr map };
 allow system_basic_hap dev_file:chr_file { ioctl };
-allowxperm system_basic_hap dev_file:chr_file ioctl { 0x8203 0x4905 0x8301 0x8404 0x830a 0x820b 0x8300 0x8401 0x8209 0x820a 0x8202 0x4909 };
+allowxperm system_basic_hap dev_file:chr_file ioctl { 0x8203 0x4905 0x8301 0x8404 0x830a 0x820b 0x8300 0x8401 0x8209 0x820a 0x8202 0x4909 0x8206 0x8402 0x8304 0x4901 0x8309 0x8302 };
 allow system_basic_hap allocator_host:binder { call };
 allow system_basic_hap dev_graphics_file:dir { search };
-allow system_basic_hap dev_graphics_file:chr_file { read write open };
+allow system_basic_hap dev_graphics_file:chr_file { read write open map };
 allow system_basic_hap dev_graphics_file:chr_file { ioctl };
-allowxperm system_basic_hap dev_graphics_file:chr_file ioctl { 0x4602 0x4600 };
+allowxperm system_basic_hap dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4901 0x4601 };
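Review bot: The su hunk contains several overlapping rules: `allow su system_etc_file:dir { write add_name create write };` lists `write` twice, `allow su init:dir { getattr search };` and `allow su init:dir { search getattr search };` are the same rule, and `allow su init:file { open };` and `allow su proc_file:file { open };` are subsumed by the `{ read open }` lines directly above them. Beyond tidiness, the hunk now grants `labeledfs:filesystem { remount }`, `system_etc_file:dir { write add_name create }`, `system_etc_file:file { create write }` and `su:capability { dac_override }`, which together let this domain remount and write into system configuration; if su is a development-only domain, the file should be guarded with the `debug_only(` macro as sandbox_manager.te does, and otherwise each of these four grants deserves a comment stating the use case it serves. The hunk also adds two consecutive empty lines before the capability rule.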
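Review bot: `0x4901` is added to `allowxperm system_basic_hap dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4901 0x4601 };` although the same hunk also adds it to the `dev_file:chr_file` list, and everywhere else in this commit (bootanimation, foundation, render_service) `0x4901` appears only with `dev_file:chr_file`, while the graphics-device lists hold `0x46xx` values; this looks like it was meant for the other line, and is worth confirming against the actual denial before it lands. A comment naming the driver each ioctl group belongs to would make slips like this visible at review time.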
diff --git a/sepolicy/base/te/time_service.te b/sepolicy/base/te/time_service.te
index 89c840569..5110e51ab 100644
--- a/sepolicy/base/te/time_service.te
+++ b/sepolicy/base/te/time_service.te
@@ -74,3 +74,5 @@ allow time_service data_service_el1_file:dir { ioctl };
 allowxperm time_service data_service_el1_file:dir ioctl { 0xf546 };
 allow time_service resource_schedule_service:file { getattr };
+allow time_service unlabeled:dir { search };
+
diff --git a/sepolicy/base/te/ui_service.te b/sepolicy/base/te/ui_service.te
index c09ca41ff..0a04248aa 100644
--- a/sepolicy/base/te/ui_service.te
+++ b/sepolicy/base/te/ui_service.te
@@ -51,6 +51,7 @@ allow ui_service ohos_boot_param:file { map open read };
 allow ui_service ohos_param:file { map open read };
 allow ui_service param_watcher:binder { call transfer };
 allow ui_service persist_param:file { map open read };
+allow ui_service persist_param:parameter_service { set };
 allow ui_service persist_sys_param:file { map open read };
 allow ui_service render_service:binder { call transfer };
 allow ui_service render_service:fd { use };
@@ -67,7 +68,7 @@ allow ui_service sa_resource_schedule:samgr_class { get };
 allow ui_service sa_subsys_ace_service:samgr_class { add };
 allow ui_service security_param:file { map open read };
 allow ui_service startup_param:file { map open read };
-allow ui_service sysfs_devices_system_cpu:file { open read };
+allow ui_service sysfs_devices_system_cpu:file { open read getattr };
 allow ui_service sys_param:file { map open read };
 allow ui_service system_basic_hap_attr:binder { call };
 allow ui_service system_basic_hap_attr:fd { use };
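Review bot: `allow ui_service persist_param:parameter_service { set };` widens ui_service from reading `persist_param` (the `persist_param:file { map open read }` context line just above) to setting it, and `persist_param` appears to be a broad shared label in this commit: su sets it, while sandbox_manager_service and ohos_ir_user are only given read access. If ui_service needs to write one specific persist parameter, a dedicated parameter type for that key would confine the grant to that key; otherwise a comment naming the parameter being set would at least document the intended scope.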
@@ -82,3 +83,5 @@ allow ui_service tracefs:dir { search };
 allow ui_service tracefs_trace_marker_file:file { open write };
 allow ui_service ui_service:unix_dgram_socket { getopt setopt };
 allowxperm ui_service dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8026 };
+allow ui_service dev_console_file:chr_file { read write };
+allow ui_service system_core_hap:binder { transfer };
diff --git a/sepolicy/base/te/updater_sa.te b/sepolicy/base/te/updater_sa.te
index 1e198686a..3e9c6fe4b 100644
--- a/sepolicy/base/te/updater_sa.te
+++ b/sepolicy/base/te/updater_sa.te
@@ -61,3 +61,4 @@ allow updater_sa updater_block_file:blk_file { getattr ioctl open read write };
 allow updater_sa updater_block_file:dir { search };
 allow updater_sa updater_block_file:lnk_file { read };
 allowxperm updater_sa updater_block_file:blk_file ioctl { 0x5413 };
+allow updater_sa unlabeled:dir { search };
diff --git a/sepolicy/base/te/wallpaper_service.te b/sepolicy/base/te/wallpaper_service.te
index c85d1362c..f84769d15 100644
--- a/sepolicy/base/te/wallpaper_service.te
+++ b/sepolicy/base/te/wallpaper_service.te
@@ -64,3 +64,6 @@ allow wallpaper_service tracefs_trace_marker_file:file { open write };
 allow wallpaper_service wallpaper_service:unix_dgram_socket { getopt setopt };
 allowxperm wallpaper_service data_service_el1_file:file ioctl { 0x5413 0xf207 };
 allowxperm wallpaper_service sys_prod_file:file ioctl { 0xf207 };
+allow wallpaper_service system_etc_file:file { ioctl };
+allowxperm wallpaper_service system_etc_file:file ioctl { 0xf207 };
+allow wallpaper_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/wifi_hal_service.te b/sepolicy/base/te/wifi_hal_service.te
index 0369ff244..ab0e81a9d 100644
--- a/sepolicy/base/te/wifi_hal_service.te
+++ b/sepolicy/base/te/wifi_hal_service.te
@@ -65,3 +65,4 @@ allow wifi_hal_service sa_accesstoken_manager_service:samgr_class { get };
 allowxperm wifi_hal_service data_misc:file ioctl { 0x5413 };
 allowxperm wifi_hal_service wifi_hal_service:unix_dgram_socket ioctl { 0x8910 };
 allow wifi_hal_service data_local_tmp:dir { search write };
+allow wifi_hal_service unlabeled:dir { search };
diff --git a/sepolicy/base/te/wifi_manager_service.te b/sepolicy/base/te/wifi_manager_service.te
index 77198f11e..c9e31b1a5 100644
--- a/sepolicy/base/te/wifi_manager_service.te
+++ b/sepolicy/base/te/wifi_manager_service.te
@@ -67,3 +67,4 @@ allow wifi_manager_service wifi_manager_service:netlink_route_socket { setopt bi
 allow wifi_manager_service wifi_manager_service:unix_dgram_socket { ioctl };
 allowxperm wifi_manager_service wifi_manager_service:unix_dgram_socket ioctl { 0x8933 0x8910};
 allowxperm wifi_manager_service data_misc:file ioctl { 0x5413 };
+allow wifi_manager_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te
index 04ca289c8..4ad903899 100644
--- a/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te
+++ b/sepolicy/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te
@@ -27,7 +27,7 @@ allow sandbox_manager_service accesstoken_service:binder { call };
 allow sandbox_manager_service data_file:dir { search };
 allow sandbox_manager_service data_service_el1_file:dir { search };
 allow sandbox_manager_service data_service_file:dir { search };
-allow sandbox_manager_service sandbox_manager_data_file:dir { search add_name read open remove_name write ioctl };
+allow sandbox_manager_service sandbox_manager_data_file:dir { search add_name read open remove_name write ioctl create };
 allow sandbox_manager_service sandbox_manager_data_file:file { getattr lock ioctl create read write open unlink setattr map };
 allowxperm sandbox_manager_service sandbox_manager_data_file:file ioctl { 0xf501 0xf502 0xf50c 0xf546 };
 allowxperm sandbox_manager_service sandbox_manager_data_file:dir ioctl { 0xf546 };
@@ -52,3 +52,4 @@ debug_only(`
 allow sandbox_manager_service dev_console_file:chr_file { read write };
 allow sandbox_manager_service persist_param:file { read };
+allow sandbox_manager_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/account/os_account/system/accountmgr.te b/sepolicy/ohos_policy/account/os_account/system/accountmgr.te
index bf445516f..057b3b7ad 100644
--- a/sepolicy/ohos_policy/account/os_account/system/accountmgr.te
+++ b/sepolicy/ohos_policy/account/os_account/system/accountmgr.te
@@ -163,3 +163,4 @@ debug_only(`
 allow accountmgr sys_prod_file:dir { search };
 allow accountmgr chip_prod_file:dir { search };
 allow accountmgr resource_schedule_service:binder { transfer };
+allow accountmgr unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te
index 24eae2688..c911fa434 100644
--- a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te
+++ b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te
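Review bot: The `@@ -52,3 +52,4 @@` hunk's header shows `debug_only(` as its enclosing context, so the added `allow sandbox_manager_service unlabeled:dir { search };` may land inside that macro block and then apply only to debug builds; the accountmgr.te hunk below has the same `debug_only(` context. If the denial being fixed occurs on user builds, the rule needs to sit after the block's closing `')`; the placement is worth confirming before merging, since the collapsed hunk does not show where the block ends.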
@@ -255,5 +255,7 @@ allow intell_voice_service sa_privacy_service:samgr_class { get };
allow intell_voice_service sa_foundation_dms:samgr_class { get };
allow intell_voice_service vendor_etc_file:dir { search };
-allow intell_voice_service system_usr_file:dir { search };
+allow intell_voice_service system_usr_file:dir { search getattr };
allow intell_voice_service dev_console_file:chr_file { read write };
+allow intell_voice_service system_usr_file:file { getattr read open map };
+allow intell_voice_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/bundlemanager/app_domain_verify/system/init.te b/sepolicy/ohos_policy/bundlemanager/app_domain_verify/system/init.te
index 20cbbdbf8..2ae4ab9ce 100644
--- a/sepolicy/ohos_policy/bundlemanager/app_domain_verify/system/init.te
+++ b/sepolicy/ohos_policy/bundlemanager/app_domain_verify/system/init.te
@@ -12,3 +12,4 @@
# limitations under the License.
allow init app_domain_verify_agent:process { rlimitinh siginh transition };
+allow init app_domain_verify_agent:file { write };
diff --git a/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te b/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
index 01a8e7aa5..74043ee07 100644
--- a/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
+++ b/sepolicy/ohos_policy/communication/bluetooth/system/blue_host.te
@@ -96,3 +96,4 @@ allow blue_host port:udp_socket { name_bind };
allow blue_host data_misc:dir { search };
allow blue_host node:udp_socket { node_bind };
+allow blue_host unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te b/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
index cd1188865..740ab0d26 100644
--- a/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
+++ b/sepolicy/ohos_policy/communication/bluetooth/system/bluetooth_service.te
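Review bot: `allow init app_domain_verify_agent:file { write };` adds a write permission on objects labeled with a process domain without the avc record that the other init.te hunks in this series (hdf_ext_devmgr, dlp_permission_service) keep next to each rule, so a reader cannot tell which file in that domain's context init writes to (presumably a per-process entry under /proc, but that should be stated, not guessed). The same undocumented rule is added for hdf_ext_devmgr, useriam, backup_sa, i18n_service, asset_service, dlp_permission_service and el5_filekey_manager later in the series, and in the el5_filekey_manager case it is placed in the service's own .te instead of the module's init.te like the others. Add the triggering denial above each, e.g. `# avc: denied { write } for pid=<PID> comm="init" path="<PATH>" scontext=u:r:init:s0 tcontext=u:r:app_domain_verify_agent:s0 tclass=file`, and move the el5_filekey_manager rule to that module's init.te for consistency.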
@@ -243,3 +243,5 @@ allow intell_voice_service powermgr:binder { transfer };
allow render_service sysfs_devices_system_cpu:dir { open };
allow distributeddata storage_manager:binder { transfer };
allow sandbox_manager_service persist_param:file { open map };
+allow bluetooth_service unlabeled:dir { search };
+allow bluetooth_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
index c9c76126d..24357045f 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
@@ -21,7 +21,7 @@ allow netmanager data_file:dir { remove_name rmdir search };
allow netmanager data_init_agent:dir { search };
allow netmanager data_init_agent:file { ioctl open read append };
allow netmanager data_service_el1_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write rmdir };
-allowxperm netmanager data_service_el1_file:file ioctl { 0xf50c };
+allowxperm netmanager data_service_el1_file:file ioctl { 0xf50c 0xf501 };
allow netmanager data_service_el1_file:file { append create getattr ioctl lock map open read setattr unlink write };
allow netmanager data_service_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write };
allow netmanager data_system:dir { add_name search write };
diff --git a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
index be02ed9b0..19e869581 100644
--- a/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
+++ b/sepolicy/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te
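Review bot: The two lines added to bluetooth_service.te are identical (`allow bluetooth_service unlabeled:dir { search };` appears twice); the duplicate is harmless to the compiler but is noise that tends to get copied forward, so keep only one. The hunk's context also shows this file carrying rules for intell_voice_service, render_service, distributeddata and sandbox_manager_service, which predates this change but is worth knowing when deciding where the bluetooth rule belongs.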
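Review bot: `allowxperm netmanager data_service_el1_file:file ioctl { 0xf50c 0xf501 };` adds a raw ioctl number with nothing saying which command it is, and the same applies to the new numbers in hdf_ext_devmgr (`0x5413`), audio_host (`0x1158 0x1164 0x115d`), allocator_host (`0x4621`) and composer_host (`0x4602 0x4601` and `0x4901`) later in the series. An allowxperm is only reviewable when the command is known, since the whole point of the extended permission is to admit one specific command on that class rather than all of ioctl. Put the symbolic name next to each number, e.g. `# 0xf501 = <IOCTL_NAME> (<HEADER>)`, or keep the avc record with its ioctlcmd= field above the rule as powermgr.te in this series does.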
@@ -96,6 +96,10 @@ allow distributeddata system_core_hap_attr:dir { search };
allow distributeddata system_core_hap_attr:file { getattr open read };
allow distributeddata system_core_hap_data_file_attr:dir { getattr open read search write add_name create remove_name rmdir };
allow distributeddata system_core_hap_data_file_attr:file { getattr ioctl lock map open setattr create unlink };
+
+allow distributeddata system_core_hap_data_file:dir { ioctl };
+allowxperm distributeddata system_core_hap_data_file:dir ioctl { 0xf546 };
+
allow distributeddata system_etc_file:dir { getattr open read };
allow distributeddata system_profile_file:dir { search };
allow distributeddata telephony_sa:binder { call transfer };
@@ -202,7 +206,7 @@ allow distributeddata dlp_permission_service:binder { call transfer };
allow distributeddata sa_filemanagement_distributed_file_daemon_service:samgr_class { get };
allow distributeddata distributedfiledaemon:binder { call transfer };
allow distributeddata inputmethod_service:binder { call transfer };
-allow distributeddata data_service_el1_file:dir { relabelfrom };
+allow distributeddata data_service_el1_file:dir { relabelfrom setattr };
allow distributeddata data_service_el1_utd_file:dir { relabelto add_name search write };
allow distributeddata data_service_el1_utd_file:file { create ioctl getattr read write open };
allowxperm distributeddata data_service_el1_utd_file:file ioctl { 0x5413 };
@@ -240,3 +244,4 @@ allow distributeddata dev_kmsg_file:chr_file { write open };
allow distributeddata dev_kmsg_file:chr_file { open };
allow distributeddata sysfs_devices_system_cpu:file { read open getattr };
+allow distributeddata unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te b/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
index 18e3b13f3..6fd8e4c94 100644
--- a/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
+++ b/sepolicy/ohos_policy/distributedhardware/device_manager/system/device_manager.te
@@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-type device_manager, sadomain, domain;
+# type device_manager, sadomain, domain;
allow device_manager sa_foundation_devicemanager_service:samgr_class { add get };
@@ -352,3 +352,4 @@ allow device_manager foundation:fd { use };
allow device_manager data_service_el1_file:dir { ioctl };
allowxperm device_manager data_service_el1_file:dir ioctl { 0xf546 };
+allow device_manager unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
index b20886066..bedda729f 100644
--- a/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
+++ b/sepolicy/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te
@@ -28,8 +28,8 @@ allow distributedsche data_file:dir { search };
allow distributedsche data_service_file:dir { search };
allow distributedsche data_service_el1_file:dir { add_name open read search write getattr create remove_name rmdir };
allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink rename append };
-allow distributedsche data_service_el2_file:dir { search write };
-allow distributedsche data_service_el2_file:file { append };
+allow distributedsche data_service_el2_file:dir { search write add_name };
+allow distributedsche data_service_el2_file:file { append create };
allow distributedsche data_service_el2_file:file { ioctl };
allowxperm distributedsche data_service_el2_file:file ioctl { 0x5413 };
allow distributedsche deviceauth_service:binder { call };
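Review bot: `+# type device_manager, sadomain, domain;` leaves a commented-out declaration in place while every rule below it still refers to device_manager, so the type must now be declared by some other module and nothing in this file says where; the same change is made for data_service_el2_share and backup_sa in app_file_service and for privacy_service in privacy.te later in the series. Commented-out policy reads as if it could be re-enabled and will puzzle the next person who hits an undeclared-type build error in a variant that does not pull in the new declaring module. Delete the line, or replace it with a pointer such as `# device_manager is declared in <NEW_LOCATION>`, and confirm the declaring module is part of every build that compiles this file.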
diff --git a/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te b/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
index 0bb09cc1f..e0c9336e8 100644
--- a/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
+++ b/sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te
@@ -104,9 +104,9 @@ allow hdf_ext_devmgr data_service_file:dir { search };
allow hdf_ext_devmgr persist_sys_param:file { map open read };
allow hdf_ext_devmgr dev_ashmem_file:chr_file { open };
allow hdf_ext_devmgr system_bin_file:dir { search };
-allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:file ioctl { 0xf50c };
-allow hdf_ext_devmgr hdf_ext_devmgr_file:dir { add_name open read remove_name search write };
-allow hdf_ext_devmgr hdf_ext_devmgr_file:file { create getattr ioctl lock map open read write setattr unlink };
+allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:file ioctl { 0xf50c 0x5413 };
+allow hdf_ext_devmgr hdf_ext_devmgr_file:dir { add_name open read remove_name search write create };
+allow hdf_ext_devmgr hdf_ext_devmgr_file:file { create getattr ioctl lock map open read write setattr unlink append };
# avc: denied { search } for pid=659 comm="SaInit0" name="el1" dev="mmcblk0p14" ino=12 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
allow hdf_ext_devmgr data_service_el1_file:dir { search };
@@ -136,3 +136,5 @@ allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:file ioctl { 0xf546 };
allow hdf_ext_devmgr sys_param:file { read open map };
allow hdf_ext_devmgr hdf_ext_devmgr:unix_dgram_socket { getopt setopt };
+allow hdf_ext_devmgr persist_param:file { read open map };
+allow hdf_ext_devmgr unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/external_device_manager/system/init.te b/sepolicy/ohos_policy/drivers/external_device_manager/system/init.te
index 8d1fb3b66..c235f2754 100644
--- a/sepolicy/ohos_policy/drivers/external_device_manager/system/init.te
+++ b/sepolicy/ohos_policy/drivers/external_device_manager/system/init.te
@@ -19,3 +19,4 @@ allow init hdf_ext_devmgr:process { rlimitinh siginh transition };
# avc: denied { open } for pid=1431 comm="init" path="/data/service/el1/public/pkg_service" dev="mmcblk0p14" ino=1496 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0
# avc: denied { getattr } for pid=661 comm="init" path="/data/service/el1/public/pkg_service" dev="mmcblk0p14" ino=1488 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0
allow init hdf_ext_devmgr_file:dir { relabelto read setattr open getattr };
+allow init hdf_ext_devmgr:file { write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te b/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
index c19a4d654..f576c5e6c 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te
@@ -145,4 +145,4 @@ allow audio_host sysfs_switch:file { open read getattr };
allow audio_host dev_file:chr_file { read write };
allow audio_host dev_file:chr_file { open };
allow audio_host dev_file:chr_file { ioctl };
-allowxperm audio_host dev_file:chr_file ioctl { 0x1100 0x1159 0x1101 0x1155 0x1156 0x1163 };
+allowxperm audio_host dev_file:chr_file ioctl { 0x1100 0x1159 0x1101 0x1155 0x1156 0x1163 0x1158 0x1164 0x115d };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
index 6ee5b7984..4561c34e0 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
@@ -84,3 +84,5 @@ debug_only(`
allow codec_host hdcd:fifo_file { write };
allow codec_host hdcd:fifo_file { read };
')
+
+allow codec_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
index 344f22a5c..dbb8188a8 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te
@@ -68,4 +68,4 @@ allowxperm allocator_host dev_file:chr_file ioctl { 0x4900 0x4901 0x4904 0x4905
allow allocator_host dev_graphics_file:dir { search };
allow allocator_host dev_graphics_file:chr_file { read write open map };
allow allocator_host dev_graphics_file:chr_file { ioctl };
-allowxperm allocator_host dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 };
+allowxperm allocator_host dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4601 0x4621 };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
index 720868772..6c87801ee 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
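Review bot: `allow codec_host dev_console_file:chr_file { read write };` is placed after the `')` that closes the `debug_only(` block, so console read/write is granted in every build variant while the hdcd fifo rules immediately above it stay debug-only. The same unconditional console rule is added for light_host, sensor_host, face_auth_host, fingerprint_auth_host, user_auth_host, vibrator_host and backup_sa later in the series. If the access is only needed for debug output, move it inside the existing `debug_only(` block (or a new one) so release builds are not widened; if it really is needed in release, a one-line comment naming what the host writes to the console would let a reviewer accept it.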
@@ -94,10 +94,10 @@ allow composer_host composer_host:capability {sys_nice};
allow hap_domain composer_host:fd { use };
allow composer_host dev_graphics_file:chr_file { ioctl };
-allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4694 0x4600 0x4692 0x4664 };
-
+allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4694 0x4600 0x4692 0x4664 0x4602 0x4601 };
+allow composer_host dev_graphics_file:chr_file { map };
allow composer_host dev_file:chr_file { ioctl };
-allowxperm composer_host dev_file:chr_file ioctl { 0x405 0x300 0x6d14 };
+allowxperm composer_host dev_file:chr_file ioctl { 0x405 0x300 0x6d14 0x4901 };
allow composer_host dev_file:chr_file { read write };
allow composer_host dev_file:chr_file { open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/light/vendor/light_host.te b/sepolicy/ohos_policy/drivers/peripheral/light/vendor/light_host.te
index f1178a4e9..099a00f4e 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/light/vendor/light_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/light/vendor/light_host.te
@@ -73,3 +73,4 @@ allow light_host sys_usb_param:file { map open read };
allow light_host vendor_etc_file:dir { search };
allow light_host vendor_etc_file:file { getattr open read };
allow light_host sys_file:file { create };
+allow light_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te b/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
index 488759e2b..e2053b355 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/power/vendor/power_host.te
@@ -87,3 +87,5 @@ allowxperm power_host data_service_el0_file:file ioctl { 0x5413 };
allowxperm power_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
allow power_host dev_console_file:chr_file { read write };
allow power_host chip_prod_file:dir { search };
+
+allow power_host unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te b/sepolicy/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te
index f63935f74..e32faf3cc 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te
@@ -80,3 +80,4 @@ allow sensor_host vendor_etc_file:file { getattr open read };
allowxperm sensor_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
allowxperm sensor_host dev_hdf_sensor_mgr:chr_file ioctl { 0x6201 0x6203 };
allowxperm sensor_host dev_mgr_file:chr_file ioctl { 0x6201 };
+allow sensor_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te b/sepolicy/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te
index 9c795857b..398b08a1b 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te
@@ -159,3 +159,5 @@ allow usb_host dev_sg_file:chr_file { open read write ioctl };
allowxperm usb_host dev_sg_file:chr_file ioctl { 0x2285 };
allow usb_host sys_file:file { open read write };
allow usb_host sys_file:dir { open read search };
+allow usb_host default_hdf_service:hdf_devmgr_class { add };
+allow usb_host unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
index 83df22eab..4b54fac68 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
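Review bot: `allow usb_host default_hdf_service:hdf_devmgr_class { add };` lets usb_host register under the catch-all HDF service label rather than a named one, which suggests the service it adds has no entry in the HDF service contexts yet; every other domain allowed `add` on `default_hdf_service` can then claim the same service name, so the label gives no isolation. The usual fix is to give the service its own type in the service contexts and target that type here, e.g. `allow usb_host <usb_hdf_service_type>:hdf_devmgr_class { add };`. If the catch-all has to stay for now, note which service name is being registered so the label can be tightened later.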
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
@@ -57,3 +57,4 @@ allow face_auth_host vendor_etc_file:dir { search };
allow face_auth_host vendor_etc_file:file { getattr open read };
allowxperm face_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
allow face_auth_host useriam:binder { call transfer };
+allow face_auth_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
index 0c32201be..90fdd8fe8 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
@@ -57,3 +57,5 @@ allow fingerprint_auth_host vendor_etc_file:dir { search };
allow fingerprint_auth_host vendor_etc_file:file { getattr open read };
allowxperm fingerprint_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
allow fingerprint_auth_host useriam:binder { call transfer };
+allow fingerprint_auth_host dev_console_file:chr_file { read write };
+
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/init.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/init.te
index e139f78f8..2b1c0a6ce 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/init.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/init.te
@@ -16,7 +16,7 @@ allow init pinauth:process { rlimitinh siginh transition };
allow init user_auth_host:process { rlimitinh siginh transition };
allow init useriam:dir { search };
-allow init useriam:file { open read };
+allow init useriam:file { open read write };
allow init useriam:process { getattr rlimitinh siginh transition };
allow init face_auth_host:process { rlimitinh siginh transition };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te
index 1c44e8d83..25000ec73 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te
@@ -63,3 +63,5 @@ allow user_auth_host vendor_etc_file:file { getattr open read };
allowxperm user_auth_host data_service_el1_file:file ioctl { 0x5413 };
allowxperm user_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
allow user_auth_host useriam:binder { call };
+allow user_auth_host dev_console_file:chr_file { read write };
+allow user_auth_host unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te b/sepolicy/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te
index c11a6d69b..e94c21a5b 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te
@@ -60,3 +60,4 @@ allow vibrator_host system_bin_file:dir { search };
allow vibrator_host sys_usb_param:file { map open read };
allow vibrator_host vendor_etc_file:dir { search };
allow vibrator_host vendor_etc_file:file { getattr open read };
+allow vibrator_host dev_console_file:chr_file { read write };
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/app_file_service.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/app_file_service.te
index 6078fbac4..2a3dcce43 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/app_file_service.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/app_file_service.te
@@ -11,4 +11,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-type data_service_el2_share, file_attr, data_file_attr;
+# type data_service_el2_share, file_attr, data_file_attr;
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
index 5c05d0cbf..7e7ef7392 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/backup_sa.te
@@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-type backup_sa, sadomain, domain;
+# type backup_sa, sadomain, domain;
allow backup_sa sa_accesstoken_manager_service:samgr_class { get };
allow backup_sa sa_foundation_abilityms:samgr_class { get };
@@ -80,3 +80,5 @@ allow backup_sa sys_param:file { read open map };
allow backup_sa sys_param:file { open };
allow backup_sa sys_param:file { map };
+allow backup_sa dev_console_file:chr_file { read write };
+allow backup_sa unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/filemanagement/app_file_service/system/init.te b/sepolicy/ohos_policy/filemanagement/app_file_service/system/init.te
index 2de255c1f..5117755c6 100644
--- a/sepolicy/ohos_policy/filemanagement/app_file_service/system/init.te
+++ b/sepolicy/ohos_policy/filemanagement/app_file_service/system/init.te
@@ -12,3 +12,4 @@
# limitations under the License.
allow init backup_sa:process { siginh transition rlimitinh };
+allow init backup_sa:file { write };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
index 2a4f90c1f..812b99aea 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
@@ -84,9 +84,12 @@ allowxperm storage_daemon data_data_file:dir ioctl { 0x5705 };
#avc: denied { read } for pid=246 comm="storage_daemon" path="/data/service/el0/huks_service/root_encrypt_key" dev="mmcblk0p11" ino=1044791 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=246 comm="storage_daemon" path="/data/service/el0/huks_service/root_encrypt_key" dev="mmcblk0p11" ino=1044791 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1
#avc: denied { create } for pid=249 comm="storage_daemon" name="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0
-allow storage_daemon data_service_el0_file:dir { rw_dir_perms rmdir ioctl getattr search rename create relabelfrom };
+allow storage_daemon data_service_el0_file:dir { rw_dir_perms rmdir ioctl getattr search rename create relabelfrom setattr };
allow storage_daemon data_service_el0_file:file { create write open ioctl setattr read getattr relabelfrom };
+allow storage_daemon vendor_etc_file:dir { search };
+allow storage_daemon vendor_etc_file:file { read open getattr };
+
#avc: denied { read open } for pid=1875 comm="event_runner#1" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130643 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1
#avc: denied { getattr } for pid=3372 comm="kworker/u8:4" path="/data/service/el2/100/hmdfs/account/data" dev="mmcblk0p11" ino=130644 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1
#avc: denied { search } for pid=7 comm="kworker/u8:0" name="account" dev="mmcblk0p11" ino=130642 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1
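Review bot: The `setattr` added to `data_service_el0_file:dir` and the two new `vendor_etc_file` rules carry no avc record, while every other rule in this hunk is preceded by the denial that motivated it. The setattr matters most: it covers chmod/chown-style attribute changes on directories under /data/service/el0, which per the comments above holds the huks root_encrypt_key, so stating which directory storage_daemon actually changes attributes on is what lets a reviewer judge the grant. Add the triggering lines above each new rule, e.g. `#avc: denied { setattr } for pid=<PID> comm="storage_daemon" name="<DIR>" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir`.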
@@ -464,3 +467,4 @@ allow storage_daemon sa_foundation_appms:samgr_class { get };
allow storage_daemon fuse_file:filesystem { relabelfrom };
#avc: denied { use } for pid=649 comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_manager:s0 tclass=fd permissive=0
allow storage_daemon storage_manager:fd { use };
+allow storage_daemon system_core_hap_data_file:dir { relabelfrom };
diff --git a/sepolicy/ohos_policy/global/i18n/system/i18n_service.te b/sepolicy/ohos_policy/global/i18n/system/i18n_service.te
index 64fc6658a..2f7c3fbc7 100644
--- a/sepolicy/ohos_policy/global/i18n/system/i18n_service.te
+++ b/sepolicy/ohos_policy/global/i18n/system/i18n_service.te
@@ -49,3 +49,6 @@ allow i18n_service accountmgr:binder { call };
allow i18n_service sa_accountmgr:samgr_class { get };
allow i18n_service data_service_el1_file:file { ioctl };
allowxperm i18n_service data_service_el1_file:file ioctl { 0xf546 };
+
+allow i18n_service vendor_etc_file:dir { search };
+allow i18n_service sys_param:file { read open map };
diff --git a/sepolicy/ohos_policy/global/i18n/system/init.te b/sepolicy/ohos_policy/global/i18n/system/init.te
index 7ddfa386a..4c3a1b4a7 100644
--- a/sepolicy/ohos_policy/global/i18n/system/init.te
+++ b/sepolicy/ohos_policy/global/i18n/system/init.te
@@ -12,6 +12,7 @@
# limitations under the License.
allow init i18n_service:process { transition rlimitinh siginh };
+allow init i18n_service:file { write };
allow init data_service_el1_i18n_libphonenumber_file:dir { create getattr open read write add_name remove_name rmdir };
allow init data_service_el1_i18n_libphonenumber_file:file { create getattr map open read write unlink };
allow init data_service_el1_i18n_taboo_file:dir { create getattr open read write add_name remove_name rmdir };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
index 826ac8b7d..764196946 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
@@ -96,6 +96,7 @@ neverallow {
developer_only(`-hiprofiler_plugins') -data_hilogd_file_viloator -init + -su -hilogd -hiview # write is covered next -hdcd # write is covered next
@@ -105,6 +106,6 @@ neverallow {
} data_hilogd_file:file { rw_file_perms };
# shell can read but cannot write hilogd files
-neverallow { domain -hilogd -installs } data_hilogd_file:file { append create rename setattr write };
+neverallow { domain -hilogd -installs -su } data_hilogd_file:file { append create rename setattr write };
allow hilogd hilog_private_param:parameter_service { set };
diff --git a/sepolicy/ohos_policy/multimedia/drm/system/drm_service.te b/sepolicy/ohos_policy/multimedia/drm/system/drm_service.te
index 94d73f54e..269930367 100644
--- a/sepolicy/ohos_policy/multimedia/drm/system/drm_service.te
+++ b/sepolicy/ohos_policy/multimedia/drm/system/drm_service.te
@@ -76,7 +76,7 @@ allow drm_service data_file:dir { search };
allow drm_service data_system:dir { search write add_name create read open };
# avc: denied { write } for pid=11141 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
-allow drm_service dev_kmsg_file:chr_file { write };
+allow drm_service dev_kmsg_file:chr_file { write open };
# avc: denied { connect } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc: denied { create } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
diff --git a/sepolicy/ohos_policy/powermgr/power_manager/public/powermgr.te b/sepolicy/ohos_policy/powermgr/power_manager/public/powermgr.te
index b4eec6487..ac88390b8 100644
--- a/sepolicy/ohos_policy/powermgr/power_manager/public/powermgr.te
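Review bot: `neverallow { domain -hilogd -installs -su } data_hilogd_file:file { append create rename setattr write };` now exempts su from the write ban, and the comment directly above it (`# shell can read but cannot write hilogd files`) no longer describes what the rule enforces; the first hilogd hunk adds the same `-su` exemption to the rw_file_perms neverallow. In that first hunk the existing developer-only exemption is written as ``developer_only(`-hiprofiler_plugins')``, so if su is a developer-build domain the new exemptions should use the same wrapper, ``developer_only(`-su')``, in both places; as written the invariant is weakened in release builds too, and the build may fail in a variant where the su type is not defined. Update the comment to say that su is exempted and why, so the next reader does not treat it as a regression.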
+++ b/sepolicy/ohos_policy/powermgr/power_manager/public/powermgr.te
@@ -543,3 +543,5 @@ allow powermgr intell_voice_service:binder { call };
# avc: denied { ioctl } for pid=1506, comm="/system/bin/sa_main" path="/dev/bbox" dev="" ino=54 ioctlcmd=0x4265 scontext=u:r:powermgr:s0 tcontext=u:object_r:dev_bbox:s0 tclass=chr_file permissive=0
allow powermgr dev_bbox:chr_file { ioctl };
allowxperm powermgr dev_bbox:chr_file ioctl { 0x4264 0x4265 };
+
+allow powermgr unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/security/access_token/system/access_token.te b/sepolicy/ohos_policy/security/access_token/system/access_token.te
index 4fefb1f04..8ee0d25d0 100644
--- a/sepolicy/ohos_policy/security/access_token/system/access_token.te
+++ b/sepolicy/ohos_policy/security/access_token/system/access_token.te
@@ -130,3 +130,8 @@ debug_only(`
allow accesstoken_service dev_console_file:chr_file { read write };
allow accesstoken_service sysfs_devices_system_cpu:file { read open getattr };
+
+allow accesstoken_service vendor_etc_file:dir { search };
+allow accesstoken_service sys_prod_file:dir { search };
+allow accesstoken_service chip_prod_file:dir { search };
+allow accesstoken_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/security/access_token/system/privacy.te b/sepolicy/ohos_policy/security/access_token/system/privacy.te
index 2d30078e3..1535855d4 100644
--- a/sepolicy/ohos_policy/security/access_token/system/privacy.te
+++ b/sepolicy/ohos_policy/security/access_token/system/privacy.te
@@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-type privacy_service, sadomain, domain;
+# type privacy_service, sadomain, domain;
allow privacy_service accesstoken_data_file:dir { search add_name open read write remove_name };
# [ 324.857258] audit: type=1400 audit(1501923927.060:2293): avc: denied { map } for pid=2232 comm="SaInit1" path="/data/service/el1/public/access_token/permission_used_record.db-shm" dev="mmcblk0p15" ino=3066 scontext=u:r:privacy_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=file permissive=1
@@ -98,3 +98,7 @@ debug_only(`
allow privacy_service sysfs_devices_system_cpu:file { read open getattr };
allow privacy_service privacy_service:unix_dgram_socket { getopt setopt };
+allow privacy_service vendor_etc_file:dir { search };
+allow privacy_service sys_prod_file:dir { search };
+allow privacy_service chip_prod_file:dir { search };
+allow privacy_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/security/asset/system/asset_service.te b/sepolicy/ohos_policy/security/asset/system/asset_service.te
index 2038e05fa..404ac5aa7 100755
--- a/sepolicy/ohos_policy/security/asset/system/asset_service.te
+++ b/sepolicy/ohos_policy/security/asset/system/asset_service.te
@@ -55,3 +55,4 @@ allow asset_service dev_console_file:chr_file { read write };
allow asset_service persist_param:file { read open map };
allow asset_service sysfs_devices_system_cpu:file { read open getattr };
+allow asset_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/security/asset/system/init.te b/sepolicy/ohos_policy/security/asset/system/init.te
index e94b86a48..126bc9df6 100755
--- a/sepolicy/ohos_policy/security/asset/system/init.te
+++ b/sepolicy/ohos_policy/security/asset/system/init.te
@@ -15,5 +15,5 @@ allow init data_service_el1_public_asset_service_file:dir { add_name create geta
allow init data_service_el1_public_asset_service_file:file { relabelto setattr };
allow init asset_service:process { rlimitinh siginh transition };
-
+allow init asset_service:file { write };
init_relabel(data_service_el1_public_asset_service_file);
diff --git a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
index 12c5b6475..526a5a4e0 100644
--- a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
+++ b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te
@@ -127,3 +127,4 @@ binder_call(dlp_permission_service, distributeddata);
allow dlp_permission_service persist_param:file { read open map };
allow dlp_permission_service dlp_permission_service:unix_dgram_socket { getopt setopt };
+allow dlp_permission_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/security/dlp_permission_service/system/init.te b/sepolicy/ohos_policy/security/dlp_permission_service/system/init.te
index 99767a26f..cd738dab8 100644
--- a/sepolicy/ohos_policy/security/dlp_permission_service/system/init.te
+++ b/sepolicy/ohos_policy/security/dlp_permission_service/system/init.te
@@ -15,6 +15,7 @@
 # avc: denied { siginh } for pid=14376 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:dlp_permission_service:s0 tclass=process permissive=1
 # avc: denied { transition } for pid=14376 comm="init" path="/system/bin/sa_main" dev="sdd74" ino=406 scontext=u:r:init:s0 tcontext=u:r:dlp_permission_service:s0 tclass=process permissive=1
 allow init dlp_permission_service:process { rlimitinh siginh transition };
+allow init dlp_permission_service:file { write };
 # avc: denied { relabelto } for pid=1 comm="init" name="dlp_permission_service" dev="sdd78" ino=3362 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=0
 allow init dlp_permission_data_file:dir { relabelto };
diff --git a/sepolicy/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te b/sepolicy/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te
index de41309d7..c2a9bcb7f 100644
--- a/sepolicy/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te
+++ b/sepolicy/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te
@@ -24,6 +24,7 @@ binder_call(el5_filekey_manager, foundation);
 binder_call(foundation, el5_filekey_manager);
 allow init el5_filekey_manager:process { rlimitinh siginh transition };
+allow init el5_filekey_manager:file { write };
 # avc: denied { map } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
 # avc: denied { open } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
index 94284e8e9..2e7a122cd 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
@@ -95,3 +95,4 @@ allow security_guard persist_param:file { read open map };
 allow security_guard sysfs_devices_system_cpu:file { read open getattr };
 allow security_guard security_guard:unix_dgram_socket { getopt setopt };
+allow security_guard unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index 069f43560..5d2943875 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
@@ -265,3 +265,5 @@ allow appspawn data_service_el0_file:dir { mounton };
 allow appspawn dev_file:dir { remove_name rmdir };
 allow appspawn appspawn:capability { fsetid };
+allow appspawn unlabeled:dir { search };
+allow appspawn system_basic_hap_data_file:dir { search };
diff --git a/sepolicy/ohos_policy/startup/init/public/chipset_init.te b/sepolicy/ohos_policy/startup/init/public/chipset_init.te
index e16c8efb6..42232915f 100644
--- a/sepolicy/ohos_policy/startup/init/public/chipset_init.te
+++ b/sepolicy/ohos_policy/startup/init/public/chipset_init.te
@@ -128,3 +128,7 @@ allow chipset_init cgroup:dir { search };
 allow chipset_init cgroup:file { write open ioctl getattr };
 allowxperm chipset_init cgroup:file ioctl { 0x5413 };
+allow chipset_init unlabeled:chr_file { write };
+allow chipset_init unlabeled:dir { search };
+allow chipset_init ohos_ir_user:process { transition rlimitinh siginh };
+
diff --git a/sepolicy/ohos_policy/startup/init/public/parameter.te b/sepolicy/ohos_policy/startup/init/public/parameter.te
index aa4213ada..96e38bc88 100644
--- a/sepolicy/ohos_policy/startup/init/public/parameter.te
+++ b/sepolicy/ohos_policy/startup/init/public/parameter.te
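Review bot: `allow chipset_init unlabeled:chr_file { write };` permits writing to any character device that carries no label at all, which is broader than the per-node types (`dev_file`, `dev_graphics_file`) used elsewhere in this policy; a device node showing up as `unlabeled` normally means a missing file_contexts entry for that node. Label the node and grant write on its own type, and record the avc line above the rule as this file does for other device grants. The hunk also appends an empty `+` line at the end of the file, which should be dropped.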
@@ -34,7 +34,7 @@ typeattribute resource_schedule_service devinfo_type_allow_attr;
 typeattribute telephony_sa devinfo_type_allow_attr;
 typeattribute wifi_manager_service devinfo_type_allow_attr;
-neverallow {sadomain -devinfo_type_allow_attr -bootanimation } devinfo_type_param:file {open read map};
+neverallow {sadomain -devinfo_type_allow_attr -bootanimation -usb_service } devinfo_type_param:file {open read map};
 allow {domain -sadomain } devinfo_type_param:file {open read map};
 allow devinfo_type_allow_attr devinfo_type_param:file {open read map};
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
index b5f9cf184..57799d0b0 100644
--- a/sepolicy/ohos_policy/startup/init/system/init.te
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
@@ -308,6 +308,7 @@ allow init dev_v_file:chr_file { setattr };
 allow init dev_media_file:chr_file { setattr };
 allow init dev_video_file:chr_file { setattr };
 allow init dhardware:process { rlimitinh siginh transition };
+allow init dhardware:file { write };
 allow init distributeddata:process { rlimitinh siginh transition };
 allow init distributedfiledaemon:process { rlimitinh siginh transition };
 allow init distributedsche_param:file { map open read relabelto };
@@ -366,6 +367,7 @@ allow init labeledfs:filesystem { mount remount unmount };
 allow init location_host:process { rlimitinh siginh transition };
 allow init locationhub:process { rlimitinh siginh transition };
 allow init media_service:process { rlimitinh siginh transition };
+allow init media_service:file { write };
 allow init memmgrservice:dir { search };
 allow init memmgrservice:file { open read };
 allow init memmgrservice:process { getattr rlimitinh siginh transition };
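Review bot: Adding `-usb_service` to the exception set of this neverallow bypasses the mechanism the file already provides: the `typeattribute <domain> devinfo_type_allow_attr;` lines directly above are what exempt a domain from this neverallow and, through the context line `allow devinfo_type_allow_attr devinfo_type_param:file {open read map};`, grant the access in one place. `typeattribute usb_service devinfo_type_allow_attr;` next to the existing entries would replace both this edit and the separate `allow usb_service devinfo_type_param:file { read open map };` added to usb_service.te later in this patch. Keeping the exception list for domains that are deliberately not given the attribute (bootanimation) makes its purpose clearer.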
@@ -384,7 +386,7 @@ allow init nwebspawn:process { rlimitinh siginh transition };
 allow init nwebspawn_socket:sock_file { getattr relabelto };
 allow init ohos_boot_param:file { map open read relabelto };
 allow init ohos_param:file { map open read relabelfrom relabelto };
-allow init paramservice_socket:sock_file { getattr relabelto };
+allow init paramservice_socket:sock_file { getattr relabelto write };
 allow init param_watcher:process { rlimitinh siginh transition };
 allow init pasteboard_service:process { rlimitinh siginh transition };
 allow init persist_param:file { map open read relabelto };
@@ -451,10 +453,11 @@ allow init ui_service:process { rlimitinh siginh transition };
 allow init unlabeled:dir { getattr relabelfrom };
 allow init unlabeled:file { getattr open read relabelfrom };
 allow init updater_sa:dir { search };
-allow init updater_sa:file { open read };
+allow init updater_sa:file { open read write };
 allow init updater_sa:process { getattr rlimitinh siginh transition };
 allow init usb_host:process { rlimitinh siginh transition };
 allow init usb_service:process { rlimitinh siginh transition };
+allow init usb_service:file { write };
 allow init vendor_bin_file:dir { search };
 allow init vendor_bin_file:file { execute getattr read read open };
 allow init vendor_etc_file:dir { open read search getattr };
@@ -465,6 +468,7 @@ allow init watchdog_service:process { rlimitinh siginh transition };
 allow init wifi_hal_service_exec:file { execute getattr read read open };
 allow init wifi_hal_service:process { rlimitinh siginh transition };
 allow init wifi_manager_service:process { rlimitinh siginh transition };
+allow init wifi_manager_service:file { write };
 allow init kernel:unix_dgram_socket { sendto };
 allowxperm init data_file:file ioctl { 0x5413 };
 allowxperm init data_parameters:file ioctl { 0x5413 };
@@ -549,3 +553,10 @@ allow init init:capability { setpcap };
 # avc: denied { append } for pid=1 comm="init" name="private_persist_parameters" dev="mmcblk0p15" ino=2386 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
 # avc: denied { rename } for pid=1 comm="init" name="tmp_private_persist_parameters" dev="mmcblk0p15" ino=2703 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
 allow init data_service_el1_file:file { open read append rename map };
+allow init kernel:unix_stream_socket { connectto };
+allow init installs:file { write };
+allow init drm_service:file { write };
+
+allow init unlabeled:dir { setattr search };
+
+allow init accessibility:file { write };
diff --git a/sepolicy/ohos_policy/startup/init/system/param_watcher.te b/sepolicy/ohos_policy/startup/init/system/param_watcher.te
index df25301b1..77902bb50 100644
--- a/sepolicy/ohos_policy/startup/init/system/param_watcher.te
+++ b/sepolicy/ohos_policy/startup/init/system/param_watcher.te
@@ -115,4 +115,5 @@ debug_only(`
 ')
 allow param_watcher sysfs_devices_system_cpu:file { read open getattr };
-allow param_watcher param_watcher:unix_dgram_socket { getopt };
+allow param_watcher param_watcher:unix_dgram_socket { getopt setopt };
+allow param_watcher usb_setting_param:file { read open map };
diff --git a/sepolicy/ohos_policy/update/module_update/system/module_update_service.te b/sepolicy/ohos_policy/update/module_update/system/module_update_service.te
index f9d085f62..b70bbfa91 100644
--- a/sepolicy/ohos_policy/update/module_update/system/module_update_service.te
+++ b/sepolicy/ohos_policy/update/module_update/system/module_update_service.te
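Review bot: `allow init unlabeled:dir { setattr search };` widens init's access to unlabeled directories beyond the `getattr relabelfrom` it already holds (visible as context in the earlier hunk of this file), and unlike the two rules above it there is no avc line saying which directory this is; setattr on an unlabeled directory points at a path that should get a file_contexts entry and be covered by init's relabel rather than stay unlabeled. The hunk also separates the new rules with empty `+` lines, which the rest of this file does not do, and the paired `allow init kernel:unix_stream_socket { connectto };` plus the `write` added to `paramservice_socket:sock_file` in the earlier hunk are undocumented too. Add the avc comment above each new rule and drop the blank lines.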
@@ -120,3 +120,7 @@ allow module_update_service dev_block_file:dir { search };
 allow module_update_service dev_block_file:lnk_file { read };
 allow module_update_service system_module_update_file:file { map };
+allow module_update_service persist_param:file { read open map };
+allow module_update_service data_updater_file:file { ioctl };
+allowxperm module_update_service data_updater_file:file ioctl { 0x5413 };
+allow module_update_service unlabeled:dir { search };
diff --git a/sepolicy/ohos_policy/update/updater/system/write_updater.te b/sepolicy/ohos_policy/update/updater/system/write_updater.te
index 1f6aa7c54..68c5b4934 100644
--- a/sepolicy/ohos_policy/update/updater/system/write_updater.te
+++ b/sepolicy/ohos_policy/update/updater/system/write_updater.te
@@ -19,6 +19,11 @@ allow write_updater debug_param:file { map open read };
 # avc: denied { search } for pid=1449 comm="write_updater" name="by-name" dev="tmpfs" ino=12 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1
 allow write_updater dev_block_file:dir { search };
 allow write_updater dev_block_file:lnk_file { read };
+allow write_updater dev_block_file:blk_file { read write };
+allow write_updater dev_block_file:blk_file { open };
+allow write_updater dev_block_file:blk_file { ioctl };
+allowxperm write_updater dev_block_file:blk_file ioctl { 0x5413 };
+allow write_updater dev_block_file:blk_file { getattr };
 # avc: denied { search } for pid=1449 comm="write_updater" name="block" dev="tmpfs" ino=6 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
 allow write_updater dev_block_volfile:dir { search };
 allow write_updater dev_block_volfile:lnk_file { read };
diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
index d9d79732f..b5423ae0e 100644
--- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
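Review bot: The four new `allow write_updater dev_block_file:blk_file { ... }` lines split one permission set for the same source, target and class across separate rules, while the rest of the file states each class once; merge them into `allow write_updater dev_block_file:blk_file { read write open getattr ioctl };` and keep the `allowxperm` line as it is. Raw read/write on block devices is the most sensitive access this domain holds, so the avc line that motivated it belongs above the rule, as the neighbouring `dev_block_file:dir` rule has. `0x5413` is TIOCGWINSZ on Linux, a terminal ioctl a block device does not serve; if it comes from an isatty() probe on the opened fd, the ioctl grant may be unnecessary, which is worth checking against the log.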
+++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
@@ -57,7 +57,7 @@ allow usb_service system_core_hap_attr:binder { call };
 allow usb_service data_service_file:dir { search };
 allow usb_service data_service_el1_file:dir { search };
 allow usb_service data_service_el1_file:file { ioctl open read write getattr };
-neverallow { domain -SP_daemon -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr } usb_setting_param:file { map open read };
+neverallow { domain -SP_daemon -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr -param_watcher } usb_setting_param:file { map open read };
 neverallow { domain -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr } usb_setting_param:parameter_service { set };
 allow usb_service bootevent_param:file { map read open };
 allow usb_service bootevent_samgr_param:file { map open read };
@@ -138,3 +138,5 @@ allow usb_service vendor_etc_file:dir { search };
 allow usb_service system_usr_file:dir { search getattr read open map };
 allow usb_service system_usr_file:file { getattr read open map };
+allow usb_service devinfo_type_param:file { read open map };
+allow usb_service unlabeled:dir { search };
diff --git a/sepolicy/whitelist/perm_group_whitelist.json b/sepolicy/whitelist/perm_group_whitelist.json
index 4276421fa..21c6ba4c4 100644
--- a/sepolicy/whitelist/perm_group_whitelist.json
+++ b/sepolicy/whitelist/perm_group_whitelist.json
@@ -4,6 +4,9 @@
 "name": "execute and execute_no_trans",
 "user": [
 "appspawn appspawn_exec",
+ "su sh_exec",
+ "su toybox_exec",
+ "console hilog_exec",
 "cjappspawn cjappspawn_exec",
 "nwebspawn appspawn_exec",
 "cjappspawn system_bin_file",
--
Gitee
From 2779cadaac0768c4e6bb75131459b105020f47db Mon Sep 17 00:00:00 2001
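Review bot: `"su sh_exec"`, `"su toybox_exec"` and `"console hilog_exec"` are added to the `execute and execute_no_trans` group, which whitelists running those binaries without a domain transition so the child keeps the `su` or `console` context. That is normal for an interactive debug shell, but this file shows no build-variant gating comparable to the `debug_only(` ... ')` wrappers the .te files use, so it is worth confirming that these domains, or at least these entries, do not reach user builds. Strict JSON allows no comment, so the rationale belongs in the commit message or in whatever checker consumes this whitelist.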
From: 15091282640 Date: Mon, 18 Aug 2025 09:20:32 +0800 Subject: [PATCH 14/15] =?UTF-8?q?=E5=90=88=E5=85=A5=E9=83=A8=E5=88=86?= =?UTF-8?q?=E7=AD=96=E7=95=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sepolicy/base/public/domain.te | 9 +++++---- sepolicy/base/public/init.te | 1 + sepolicy/base/public/system_core_hap.te | 6 +++++- sepolicy/base/system/system_domain.te | 8 +++++--- sepolicy/base/te/accessibility.te | 3 ++- sepolicy/base/te/camera_service.te | 1 + sepolicy/base/te/console.te | 5 +++++ sepolicy/base/te/foundation.te | 7 +++++-- sepolicy/base/te/hidumper.te | 2 ++ sepolicy/base/te/inputmethod_service.te | 1 + sepolicy/base/te/ir_user.te | 2 +- sepolicy/base/te/media_service.te | 3 ++- sepolicy/base/te/netmanager.te | 2 ++ sepolicy/base/te/resource_schedule_service.te | 1 + sepolicy/base/te/su.te | 6 ++++-- sepolicy/base/te/system_basic_hap.te | 2 ++ sepolicy/base/te/ui_service.te | 1 + .../ai/intelligent_voice_framework/system/init.te | 1 + .../system/cast_engine_service.te | 2 +- .../drivers/peripheral/codec/vendor/codec_host.te | 7 +++++++ .../peripheral/display/vendor/composer_host.te | 6 ++---- .../peripheral/useriam/vendor/pin_auth_host.te | 1 + .../dfs_service/system/cloudfiledaemon.te | 7 +++++++ .../system/file_access_service.te | 6 ++++++ .../ohos_policy/hiviewdfx/hilog/system/hilog.te | 7 ++++--- .../ohos_policy/hiviewdfx/hilog/system/hilogd.te | 1 + .../multimedia/av_codec/system/av_codec_service.te | 3 ++- .../multimedia/av_session/system/av_session.te | 14 +++++++++++++- .../media_library/system/medialibrary_hap.te | 2 ++ .../system/bgtaskmgr_service.te | 11 ++++++++++- .../system/ressched_executor.te | 2 +- .../security/access_token/system/privacy.te | 2 ++ .../system/dlp_permission_service.te | 4 +++- .../security/security_guard/system/file.te | 2 +- .../useriam/pinauth_auth/system/pinauth.te | 3 +++ 35 files changed, 112 insertions(+), 29 deletions(-) 
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index 410c9f679..7f3b8dbb8 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -14,6 +14,7 @@ type device_manager, sadomain, domain;
 type backup_sa, sadomain, domain;
 type privacy_service, sadomain, domain;
+type av_session, sadomain, domain;
 allow domain init:process sigchld;
 allow init domain:process sigkill;
@@ -192,9 +193,9 @@ neverallow domain limit_domain:binder *;
 neverallow { domain -appspawn -console -init -usb_host -distributedsche -foundation -faultloggerd -bootanimation -audio_server -distributeddata -chipset_init -powermgr -power_host -bluetooth_service -wallpaper_service -sandbox_manager_service -hiview -kernel updater_only(`-updater') -unlabeled_dir_file_violators -hilogd -wifi_manager_service
- -huks_service -inputmethod_service -multimodalinput -netmanager -resource_schedule_service
- -wifi_hal_service -intell_voice_service -hdf_ext_devmgr -backup_sa -usb_service -render_service
- -accesstoken_service -privacy_service -security_guard -module_update_service
+ -huks_service -inputmethod_service -multimodalinput -netmanager -resource_schedule_service -cloudfiledaemon
+ -wifi_hal_service -intell_voice_service -hdf_ext_devmgr -backup_sa -usb_service -render_service -av_session
+ -accesstoken_service -privacy_service -security_guard -module_update_service -pin_auth_host
 -bgtaskmgr_service -user_auth_host -deviceauth_service -dhardware -media_service -netsysnative -time_service -updater_sa -samgr -softbus_server -accountmgr -blue_host -asset_service -dlp_permission_service -device_manager -rgm_violator_ohos_unlabeled_file -installs -storage_daemon -su } unlabeled:dir_file_class_set *;
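Review bot: The exception set of this `unlabeled:dir_file_class_set` neverallow grows again with `-cloudfiledaemon`, `-av_session` and `-pin_auth_host`, while the same set already excludes the `unlabeled_dir_file_violators` attribute, which appears to be the intended way to exempt a domain. `typeattribute cloudfiledaemon unlabeled_dir_file_violators;` (and likewise for the other two) in each domain's own .te keeps the exemption next to the allow rule it justifies and stops this line from being re-edited by every service that hits an unlabeled path. Most of these exemptions most likely trace back to missing file_contexts entries, so a labeling fix would remove the need for both the attribute and the allow rules.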
@@ -218,7 +219,7 @@ neverallow * self:process { execstack execheap };
 # allow at /home/last/bb/h1/cc/out/rk3568/obj/base/security/selinux/ohos.cil:11230
 # (allow riladapter_host dev_file (chr_file (ioctl read write open)))
 #
-neverallow { domain -init -ueventd -su -riladapter_host -system_core_hap debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file -blue_host -rcu_host -composer_host -system_basic_hap -allocator_host -render_service -audio_host -bootanimation -chipset_init -ohos_ir_user -foundation -processdump } dev_file:{ file chr_file blk_file } *;
+neverallow { domain -init -ueventd -su -riladapter_host -system_core_hap debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file -blue_host -rcu_host -composer_host -system_basic_hap -allocator_host -render_service -audio_host -bootanimation -chipset_init -ohos_ir_user -codec_host -foundation -processdump } dev_file:{ file chr_file blk_file } *;
 #todo change file label for sock file
 #neverallow { domain -ueventd -riladapter_host } dev_file:sock_file *;
diff --git a/sepolicy/base/public/init.te b/sepolicy/base/public/init.te
index 7d9e8c676..c19cc2376 100644
--- a/sepolicy/base/public/init.te
+++ b/sepolicy/base/public/init.te
@@ -45,3 +45,4 @@ allow init distributedsche:file { write };
 allow init system_usr_file:dir { search };
 allow init system_usr_file:file { getattr read open map };
 allow init intell_voice_host:file { write };
+allow init console:file { write };
diff --git a/sepolicy/base/public/system_core_hap.te b/sepolicy/base/public/system_core_hap.te
index 1524d8a4a..2fa4a32d8 100644
--- a/sepolicy/base/public/system_core_hap.te
+++ b/sepolicy/base/public/system_core_hap.te
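Review bot: `-codec_host` is added to the exception list of the `dev_file:{ file chr_file blk_file }` neverallow so that codec_host.te later in this commit can grant `dev_file:chr_file { read write open ioctl }`; `dev_file` is the generic fallback label for /dev nodes, so this opens every node without a specific label to codec_host rather than only the codec device it needs. The paired `dev_graphics_file` rules in the same codec_host hunk show the better pattern: give the codec node its own type in file_contexts and grant that type, which leaves this neverallow untouched and keeps the `dev_file_violator` attribute as the documented escape hatch. If the exemption has to stay temporarily, record the device path in a comment above the codec_host rule.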
@@ -35,4 +35,8 @@ allow system_core_hap sys_prod_file:dir { search };
 allow system_core_hap appspawn:fifo_file { read };
 allow system_core_hap dev_file:chr_file { read write open getattr map };
 allow system_core_hap dev_file:chr_file { ioctl };
-allowxperm system_core_hap dev_file:chr_file ioctl { 0x8203 0x8206 0x8402 0x8202 0x8300 0x830a };
+allowxperm system_core_hap dev_file:chr_file ioctl { 0x8203 0x8206 0x8402 0x8202 0x8300 0x830a 0x4901 };
+allow system_core_hap dev_graphics_file:dir { search };
+allow system_core_hap dev_graphics_file:chr_file { read write open map };
+allow system_core_hap dev_graphics_file:chr_file { ioctl };
+allowxperm system_core_hap dev_graphics_file:chr_file ioctl { 0x4602 };
diff --git a/sepolicy/base/system/system_domain.te b/sepolicy/base/system/system_domain.te
index e96498e5d..371f274ce 100644
--- a/sepolicy/base/system/system_domain.te
+++ b/sepolicy/base/system/system_domain.te
@@ -56,11 +56,13 @@ neverallow { system_domain } vendor_bin_file:{ blk_file chr_file fifo_file sock_
 # Prohibit system component processes from accessing vendor etc files to achieve access isolation
 neverallow { system_domain -vendor_etc_file_violator_dir } vendor_etc_file:dir ~{ search getattr read open mounton relabelto };
-neverallow { system_domain -bootanimation -ispserver -media_service -misc -multimodalinput -resource_schedule_service -samgr -foundation -powermgr -accountmgr -oaid_service
+neverallow { system_domain -bootanimation -ispserver -media_service -misc -multimodalinput -resource_schedule_service -samgr
+ -foundation -powermgr -accountmgr -oaid_service -bgtaskmgr_service -av_session
 -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service -i18n_service -multimodalinput -charger -concurrent_task_service -resource_schedule_service -dlp_permission_service -sensors -appspawn -init -ueventd -telephony_sa -ohos_ir_user -console
- -module_update_service -privacy_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn
- -hap_domain -storage_daemon -accesstoken_service -render_service -resource_schedule_executor -camera_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search -installs -softbus_server -inputmethod_service -usb_service -distributedsche -sharing_service -intell_voice_service -storage_manager } vendor_etc_file:dir { search };
+ -module_update_service -privacy_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn -accessibility -file_access_service
+ -hap_domain -storage_daemon -accesstoken_service -render_service -resource_schedule_executor -camera_service developer_only(`-hnp') -hnp_violator -rgm_violator_ohos_vendor_etc_dir_search
+ -installs -softbus_server -inputmethod_service -usb_service -distributedsche -sharing_service -intell_voice_service -storage_manager } vendor_etc_file:dir { search };
 neverallow { system_domain -nfc_service -charger -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_getattr } vendor_etc_file:dir { getattr };
 neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_read } vendor_etc_file:dir { read };
 neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_open } vendor_etc_file:dir { open };
diff --git a/sepolicy/base/te/accessibility.te b/sepolicy/base/te/accessibility.te
index 99c8a82c8..063ac1b2c 100644
--- a/sepolicy/base/te/accessibility.te
+++ b/sepolicy/base/te/accessibility.te
@@ -76,10 +76,11 @@ allow accessibility chip_prod_file:file { map open read getattr };
 allow accessibility chip_prod_file:dir { search };
 allow accessibility data_app_el1_file:file { map open read getattr };
 allow accessibility dev_console_file:chr_file { read write };
-allow accessibility sysfs_devices_system_cpu:file { read };
+allow accessibility sysfs_devices_system_cpu:file { read open getattr };
 allow accessibility sa_dataobs_mgr_service_service:samgr_class { get };
 allow accessibility sa_render_service:samgr_class { get };
 allow accessibility render_service:binder { call transfer };
 allow accessibility multimodalinput:binder { transfer };
 allow accessibility data_service_el1_file:dir {open read};
 allow accessibility foundation:fd {use};
+allow accessibility vendor_etc_file:dir { search };
diff --git a/sepolicy/base/te/camera_service.te b/sepolicy/base/te/camera_service.te
index ae2f42d23..a4ad70ffa 100644
--- a/sepolicy/base/te/camera_service.te
+++ b/sepolicy/base/te/camera_service.te
@@ -77,3 +77,4 @@ allow camera_service system_usr_file:file { getattr read open map };
 allow camera_service sysfs_devices_system_cpu:file { read open getattr };
+allow camera_service sa_foundation_wms:samgr_class { get };
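Review bot: `-accessibility` and `-file_access_service` are appended to the exception set of the `vendor_etc_file:dir { search }` neverallow, while that set already excludes `vendor_etc_file_violator_dir_search`, which appears to be the attribute meant for exactly this exemption. `typeattribute accessibility vendor_etc_file_violator_dir_search;` (and likewise for file_access_service) in each domain's .te, next to its `allow <domain> vendor_etc_file:dir { search };`, keeps the exemption with the rule that needs it and avoids re-wrapping this long neverallow on every addition. If the re-wrap is kept, a consistent one-group-per-line layout would make the next diff of this statement reviewable; the rewritten neverallow now spans six physical lines.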
diff --git a/sepolicy/base/te/console.te b/sepolicy/base/te/console.te
index 44067e4ef..b0aa46d14 100644
--- a/sepolicy/base/te/console.te
+++ b/sepolicy/base/te/console.te
@@ -11,6 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+type system_etc_security_guard_file, system_file_attr, file_attr;
 debug_only(`
 permissive console;
 ')
@@ -80,3 +81,7 @@ allow console vendor_etc_file:dir { search };
 allow console sys_prod_file:dir { search };
 allow console chip_prod_file:dir { search };
 allow console servicectrl_reboot_param:parameter_service { set };
+
+allow console data_hilogd_file:dir { open remove_name };
+allow console data_hilogd_file:file { getattr };
+allow console system_etc_security_guard_file:file { getattr };
diff --git a/sepolicy/base/te/foundation.te b/sepolicy/base/te/foundation.te
index f84fdfa35..df062694a 100644
--- a/sepolicy/base/te/foundation.te
+++ b/sepolicy/base/te/foundation.te
@@ -11,6 +11,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+type cast_engine_service, sadomain, domain;
+
 allow foundation bluetooth_service:binder { call transfer };
 allow foundation bootevent_param:file { map open read };
 allow foundation bootevent_samgr_param:file { map open read };
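Review bot: `type system_etc_security_guard_file, system_file_attr, file_attr;` declares a file type that belongs to security_guard inside console.te, so the type lives with a domain that merely reads it; this series already touches `sepolicy/ohos_policy/security/security_guard/system/file.te`, which is where the declaration (together with the file_contexts entry that assigns it, not visible here) belongs. The same misplacement appears in the foundation.te hunk below this one, where `type cast_engine_service, sadomain, domain;` is declared in foundation.te while sibling service types such as av_session and privacy_service are declared in domain.te; moving it there keeps SA domain declarations in one file.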
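Review bot: `allow console data_hilogd_file:dir { open remove_name };` lets the console domain unlink entries from hilogd's data directory, i.e. delete log files, which is a log-retention concern if console exists outside debug builds; this file already wraps `permissive console;` in `debug_only(` ... ')`, so the same wrapper may be appropriate for this rule. None of the three new rules carries the avc line or reason that the rest of this file records for its grants; a one-line comment such as `# hilog cleanup from the shell: <tool or command — fill in>` above the block would document the intent.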
@@ -141,8 +143,9 @@ allow foundation unlabeled:dir { search };
 allow foundation dev_graphics_file:dir { search };
 allow foundation dev_graphics_file:chr_file { read write open map };
 allow foundation dev_graphics_file:chr_file { ioctl };
-allowxperm foundation dev_graphics_file:chr_file ioctl { 0x4602 };
+allowxperm foundation dev_graphics_file:chr_file ioctl { 0x4602 0x4600 };
 allow foundation dev_file:chr_file { read open };
 allow foundation dev_file:chr_file { ioctl };
-allowxperm foundation dev_file:chr_file ioctl { 0x4901 };
+allowxperm foundation dev_file:chr_file ioctl { 0x4901 0x4905 };
 allow foundation proc_version_file:file { read open getattr };
+allow foundation cast_engine_service:binder { transfer };
diff --git a/sepolicy/base/te/hidumper.te b/sepolicy/base/te/hidumper.te
index ed3aaf475..9d82c6624 100644
--- a/sepolicy/base/te/hidumper.te
+++ b/sepolicy/base/te/hidumper.te
@@ -27,3 +27,5 @@ allow hidumper_service init:file { read open getattr };
 allow hidumper_service kernel:dir { search };
 allow hidumper_service kernel:file { read open getattr };
+allow hidumper dev_kmsg_file:chr_file { write };
+allow hidumper multimodalinput:unix_stream_socket { read write };
diff --git a/sepolicy/base/te/inputmethod_service.te b/sepolicy/base/te/inputmethod_service.te
index d91e78960..87713a394 100644
--- a/sepolicy/base/te/inputmethod_service.te
+++ b/sepolicy/base/te/inputmethod_service.te
@@ -74,3 +74,4 @@ allow inputmethod_service chip_prod_file:dir { search };
 allow inputmethod_service unlabeled:dir { search };
 allow inputmethod_service resource_schedule_service:binder { call };
+allow inputmethod_service sa_resource_schedule:samgr_class { get };
diff --git a/sepolicy/base/te/ir_user.te b/sepolicy/base/te/ir_user.te
index 62444ee30..76798004d 100755
--- a/sepolicy/base/te/ir_user.te
+++ b/sepolicy/base/te/ir_user.te
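Review bot: The two new hidumper.te rules use the source type `hidumper`, while every context line in the hunk uses `hidumper_service` (`allow hidumper_service kernel:file { read open getattr };`), so either a second domain named `hidumper` is declared elsewhere or the new lines name the wrong type and will fail to compile or silently grant nothing. If `hidumper` is the CLI tool's own domain, a one-line comment marking where the `hidumper` section starts would stop the next reader from "fixing" it; if not, the lines should read `allow hidumper_service dev_kmsg_file:chr_file { write };` and `allow hidumper_service multimodalinput:unix_stream_socket { read write };`.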
@@ -12,7 +12,7 @@
 # limitations under the License.
 allow ohos_ir_user dev_file:chr_file { ioctl };
-allowxperm ohos_ir_user dev_file:chr_file ioctl { 0x5106 0x6901 };
+allowxperm ohos_ir_user dev_file:chr_file ioctl { 0x5106 0x6901 0x5109 };
 allow ohos_ir_user vendor_bin_file:file { entrypoint map read execute };
 allow ohos_ir_user dev_console_file:chr_file { read write };
 allow ohos_ir_user persist_param:file { read open };
diff --git a/sepolicy/base/te/media_service.te b/sepolicy/base/te/media_service.te
index 99fcb1685..49557eeae 100644
--- a/sepolicy/base/te/media_service.te
+++ b/sepolicy/base/te/media_service.te
@@ -75,7 +75,7 @@ allow media_service system_basic_hap_attr:binder { call transfer };
 allow media_service system_bin_file:dir { search };
 allow media_service system_core_hap_attr:binder { call transfer };
 allow media_service system_core_hap_attr:fd { use };
-allow media_service system_lib_file:dir { open read };
+allow media_service system_lib_file:dir { open read getattr };
 allow media_service sys_usb_param:file { map open read };
 allow media_service tracefs:dir { search };
 allow media_service tracefs_trace_marker_file:file { open write };
@@ -93,3 +93,4 @@ allow media_service memmgrservice:binder { call transfer };
 allow media_service sysfs_devices_system_cpu:file { read open getattr };
 allow media_service dev_console_file:chr_file { read write };
 allow media_service unlabeled:dir { search };
+allow media_service netmanager:binder { call };
diff --git a/sepolicy/base/te/netmanager.te b/sepolicy/base/te/netmanager.te
index b909cfcaf..791bfe16f 100644
--- a/sepolicy/base/te/netmanager.te
+++ b/sepolicy/base/te/netmanager.te
@@ -86,3 +86,5 @@ allow netmanager dev_kmsg_file:chr_file { open };
 allow netmanager sysfs_devices_system_cpu:file { read open getattr };
 allow netmanager unlabeled:dir { search };
+allow netmanager sa_net_policy_manager:samgr_class { get };
+allow netmanager sa_foundation_abilityms:samgr_class { get };
diff --git a/sepolicy/base/te/resource_schedule_service.te b/sepolicy/base/te/resource_schedule_service.te
index 4f90285c7..5c390a9fa 100644
--- a/sepolicy/base/te/resource_schedule_service.te
+++ b/sepolicy/base/te/resource_schedule_service.te
@@ -65,3 +65,4 @@ allow resource_schedule_service dev_kmsg_file:chr_file { write open };
 allow resource_schedule_service sa_foundation_abilityms:samgr_class { get };
 allow resource_schedule_service unlabeled:dir { search };
 allow resource_schedule_service multimodalinput:binder { transfer };
+allow resource_schedule_service sa_avsession_service:samgr_class { get };
diff --git a/sepolicy/base/te/su.te b/sepolicy/base/te/su.te
index 8052a0ee6..9011701cb 100755
--- a/sepolicy/base/te/su.te
+++ b/sepolicy/base/te/su.te
@@ -63,7 +63,7 @@ allow su proc_file:file { open };
 allow su init:dir { getattr search };
 allow su tty_device:chr_file { ioctl };
-allowxperm su tty_device:chr_file ioctl { 0x5403 0x5413 0x540f 0x5410 };
+allowxperm su tty_device:chr_file ioctl { 0x5403 0x5413 0x540f 0x5410 0x5401 };
 allow su init:dir { search getattr search };
 allow su init:file { read open };
 allow su init:file { open };
@@ -72,7 +72,7 @@ allow su kernel:file { read open };
 allow su dev_ptmx:chr_file { read write open };
 allow su dev_ptmx:chr_file { ioctl };
-allowxperm su dev_ptmx:chr_file ioctl { 0x5431 };
+allowxperm su dev_ptmx:chr_file ioctl { 0x5431 0x5430 };
 allow su su:capability { dac_override };
@@ -88,3 +88,5 @@ allow su storage_manager:dir { getattr search };
 allow su rootfs:dir { read open };
 allow su dev_kmsg_file:chr_file { getattr };
 allow su dev_file:chr_file { getattr };
+allow su unlabeled:dir { search getattr };
+allow su selinuxfs:file { read write };
diff --git a/sepolicy/base/te/system_basic_hap.te b/sepolicy/base/te/system_basic_hap.te
index 103039f71..62046fc74 100644
--- a/sepolicy/base/te/system_basic_hap.te
+++ b/sepolicy/base/te/system_basic_hap.te
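Review bot: `allow su selinuxfs:file { read write };` gives the su domain write access to selinuxfs nodes, the interface through which enforcement mode and the loaded policy are changed (the `security` class permissions still gate those operations, and this hunk does not add them). If su.te is only built into debug or engineering images this matches the domain's purpose; otherwise the rule should be wrapped in `debug_only(` ... ')` like other su-only conveniences, and the `-su` exemption in the domain.te unlabeled neverallow earlier in this commit suggests su may be present in the shipped policy. A comment naming the tool that needs the write would document the intent either way.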
@@ -148,3 +148,5 @@ allow system_basic_hap dev_graphics_file:dir { search }; allow system_basic_hap dev_graphics_file:chr_file { read write open map }; allow system_basic_hap dev_graphics_file:chr_file { ioctl }; allowxperm system_basic_hap dev_graphics_file:chr_file ioctl { 0x4602 0x4600 0x4901 0x4601 }; +allow system_basic_hap sa_device_service_manager:samgr_class { get }; +allow system_basic_hap hdf_allocator_service:hdf_devmgr_class { get }; diff --git a/sepolicy/base/te/ui_service.te b/sepolicy/base/te/ui_service.te index 0a04248aa..92ee904e5 100644 --- a/sepolicy/base/te/ui_service.te +++ b/sepolicy/base/te/ui_service.te @@ -85,3 +85,4 @@ allow ui_service ui_service:unix_dgram_socket { getopt setopt }; allowxperm ui_service dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8026 }; allow ui_service dev_console_file:chr_file { read write }; allow ui_service system_core_hap:binder { transfer }; +allow ui_service sa_foundation_abilityms:samgr_class { get }; diff --git a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/init.te b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/init.te index 6559a738c..53891170d 100644 --- a/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/init.te +++ b/sepolicy/ohos_policy/ai/intelligent_voice_framework/system/init.te @@ -18,3 +18,4 @@ allow init intell_voice_service:process { transition rlimitinh siginh }; # avc: denied { transition } for pid=7035 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd72" ino=34 scontext=u:r:init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 allow init intell_voice_host:process { transition }; +allow init intell_voice_service:file { write }; diff --git a/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te b/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te index cac8628e8..a9685d2e6 100755 
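Review bot: `allow system_basic_hap hdf_allocator_service:hdf_devmgr_class { get };` and the `sa_device_service_manager:samgr_class { get }` rule above it are granted to the whole `system_basic_hap` domain, which — judging by the `hap_domain` and `system_basic_hap_attr` usage elsewhere in this diff — appears to cover a class of applications rather than a single package, so every app in that class gains lookup of the HDF allocator service. If one application drove this change, a comment such as `# needed by <package> for <purpose>` would make later narrowing possible, and a dedicated domain for that app would be the tighter option. In the init.te hunk further along this line, `allow init intell_voice_service:file { write };` lacks the `# avc: denied …` provenance comment its neighbour carries.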
--- a/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te +++ b/sepolicy/ohos_policy/cast_engine_service/system/cast_engine_service.te @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -type cast_engine_service, sadomain, domain; +# type cast_engine_service, sadomain, domain; allow cast_engine_service foundation:binder { call }; allow cast_engine_service hilog_param:file { map read open }; allow cast_engine_service media_service:binder { call }; diff --git a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te index 4561c34e0..47c784d69 100644 --- a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te +++ b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te @@ -86,3 +86,10 @@ debug_only(` ') allow codec_host dev_console_file:chr_file { read write }; +allow codec_host dev_file:chr_file { read write open }; +allow codec_host dev_file:chr_file { ioctl }; +allowxperm codec_host dev_file:chr_file ioctl { 0x7601 }; +allow codec_host dev_graphics_file:dir { search }; +allow codec_host dev_graphics_file:chr_file { read write open map }; +allow codec_host dev_graphics_file:chr_file { ioctl }; +allowxperm codec_host dev_graphics_file:chr_file ioctl { 0x4602 }; diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te index 6c87801ee..5266cbe4d 100644 --- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te +++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te 
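Review bot: Commenting out `type cast_engine_service, sadomain, domain;` while every rule below it still names `cast_engine_service` leaves this file depending on a declaration that is no longer visible here; if the type was moved rather than dropped, delete the line and replace it with a pointer such as `# cast_engine_service is declared in <file that now declares it>` so the next reader does not re-add it or mistake it for a disabled domain. The same pattern appears later in this series for `av_session` in av_session.te and for `system_etc_security_guard_file` in security_guard/system/file.te, and the commit record does not say why these declarations move. A dead comment line also hides from grep-based audits of where a domain is defined.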
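Review bot: `allow codec_host dev_file:chr_file { read write open };` opens every character device that carries the generic `dev_file` label, not just the codec node; `dev_file` appears to be the catch-all label for /dev in this tree (ohos_ir_user and composer_host use it for their devices in this same diff), so the grant is far wider than the single ioctl `0x7601` allowed next to it suggests. The usual fix is a dedicated type for the codec device in the vendor file_contexts and a rule on that type, e.g. `allow codec_host <codec_dev_type>:chr_file { read write open ioctl };`. The composer_host hunk that follows widens the same `dev_file` rule and would benefit from the same treatment. Note that the new rules are placed after the `')` that closes the `debug_only(` block, so they apply to release builds; confirm that is intended.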
@@ -97,8 +97,6 @@ allow composer_host dev_graphics_file:chr_file { ioctl }; allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4694 0x4600 0x4692 0x4664 0x4602 0x4601 }; allow composer_host dev_graphics_file:chr_file { map }; allow composer_host dev_file:chr_file { ioctl }; -allowxperm composer_host dev_file:chr_file ioctl { 0x405 0x300 0x6d14 0x4901 }; +allowxperm composer_host dev_file:chr_file ioctl { 0x405 0x300 0x6d14 0x4901 0x2405 }; -allow composer_host dev_file:chr_file { read write }; -allow composer_host dev_file:chr_file { open }; -allow composer_host dev_file:chr_file { getattr }; +allow composer_host dev_file:chr_file { read write open getattr }; diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te index 82a9c101b..ec7838944 100644 --- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te +++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te @@ -65,3 +65,4 @@ allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 }; allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; allow pin_auth_host dev_console_file:chr_file { read write }; +allow pin_auth_host unlabeled:dir { search }; diff --git a/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te b/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te index 3c3fc044c..b04a0a21c 100644 --- a/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te +++ b/sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te 
@@ -99,3 +99,10 @@ allow cloudfiledaemon media_service:dir { search }; allow cloudfiledaemon media_service:file { getattr open read }; allow cloudfiledaemon sa_media_service:samgr_class { get }; allow cloudfiledaemon media_service:binder { call transfer }; + +allow cloudfiledaemon debug_param:file { read open map }; +allow cloudfiledaemon cloudfiledaemon:unix_dgram_socket { setopt }; +allow cloudfiledaemon sysfs_devices_system_cpu:file { read open getattr }; +allow cloudfiledaemon unlabeled:dir { search }; + +allow cloudfiledaemon dev_kmsg_file:chr_file { write open }; diff --git a/sepolicy/ohos_policy/filemanagement/user_file_service/system/file_access_service.te b/sepolicy/ohos_policy/filemanagement/user_file_service/system/file_access_service.te index 3eaa3e3f9..1a4a46399 100644 --- a/sepolicy/ohos_policy/filemanagement/user_file_service/system/file_access_service.te +++ b/sepolicy/ohos_policy/filemanagement/user_file_service/system/file_access_service.te @@ -110,3 +110,9 @@ allow file_access_service hap_domain:binder { transfer }; # avc:denied { getopt } for pid=6408,comm="/system/bin/sa_main" scontex=u:r:file_acccess_services:s0 tcontext=u:r:file_access_service:s0 tclass=unix_dgram_socket permissive=1 allow file_access_service file_access_service:unix_dgram_socket { getopt setopt }; +allow file_access_service persist_sys_param:file { open map }; +allow file_access_service sys_param:file { read open map }; +allow file_access_service chip_prod_file:dir { search }; +allow file_access_service sys_prod_file:dir { search }; +allow file_access_service vendor_etc_file:dir { search }; +allow file_access_service system_usr_file:file { getattr read }; diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te index 908478b83..ae06ebd44 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te +++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilog.te 
@@ -32,7 +32,8 @@ allow hilog hilog_param:parameter_service { set }; allow domain hilog_param:file { read map open }; allow domain hilog_private_param:file { read map open }; -# allow hilog persist_param:file { read }; -# allow hilog hilog:capability { dac_override }; - neverallow ~{ hilog hilogd } hilog_private_param:parameter_service { set }; +allow hilog dev_console_file:chr_file { read write }; +allow hilog persist_param:file { read open map }; +allow hilog hilog:capability { dac_override }; + diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te index 764196946..bbd884870 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te +++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te @@ -97,6 +97,7 @@ neverallow { -data_hilogd_file_viloator -init -su + -console -hilogd -hiview # write is covered next -hdcd # write is covered next diff --git a/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te b/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te index dd80c0729..8703f9c4e 100755 --- a/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te +++ b/sepolicy/ohos_policy/multimedia/av_codec/system/av_codec_service.te @@ -30,7 +30,7 @@ allow av_codec_service allocator_host:fd { use }; allow av_codec_service dev_dri_file:chr_file { ioctl open read write }; allow av_codec_service dev_dri_file:dir { search }; allow av_codec_service hdf_allocator_service:hdf_devmgr_class { get }; -allow av_codec_service hdf_devmgr:binder { call }; +allow av_codec_service hdf_devmgr:binder { call transfer }; allow av_codec_service sa_device_service_manager:samgr_class { get }; allow av_codec_service data_test_media_file:file { write read getattr }; allow av_codec_service system_core_hap_attr:fd { use }; 
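Review bot: `allow hilog hilog:capability { dac_override };` re-enables a rule this file had deliberately left commented out, and CAP_DAC_OVERRIDE lets the hilog tool bypass file permission checks on every path it touches rather than on the one file that triggered the denial. Prefer fixing the ownership or mode of that file, or, if only reading is needed, the narrower `dac_read_search` capability, and keep a `# avc: denied …` comment above the rule naming the path, as other files in this series do. The widening of `persist_param:file` from the commented `read` to `{ read open map }` is straightforward. The trailing `+` adds an empty line at the end of the hunk and should be dropped.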
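Review bot: Adding `-console` to the exclusion list of this `neverallow` exempts the console domain from whatever restriction the statement enforces, but the statement's target and permission set lie outside the hunk, so the hunk alone does not show what console may now do with hilogd's files. The neighbouring entries carry a justification (`# write is covered next`); the new line should carry one too, e.g. `-console # <why console needs this>`. The neverallow block begins and ends outside the hunk.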
@@ -140,3 +140,4 @@ allow av_codec_service tty_device:chr_file { open read write }; allow av_codec_service sys_prod_file:dir { search }; allow av_codec_service persist_param:file { read open map }; +allow av_codec_service dev_graphics_file:dir { search }; diff --git a/sepolicy/ohos_policy/multimedia/av_session/system/av_session.te b/sepolicy/ohos_policy/multimedia/av_session/system/av_session.te index 164ad9905..41d74560c 100644 --- a/sepolicy/ohos_policy/multimedia/av_session/system/av_session.te +++ b/sepolicy/ohos_policy/multimedia/av_session/system/av_session.te @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -type av_session, sadomain, domain; +# type av_session, sadomain, domain; allow av_session accesstoken_service:binder { call }; allow av_session sa_avsession_service:samgr_class { add get_remote }; allow av_session sa_multimodalinput_service:samgr_class { get }; @@ -82,3 +82,15 @@ allow av_session sa_memory_manager_service:samgr_class { get }; allow av_session memmgrservice:binder { call }; allow av_session sa_foundation_cesfwk_service:samgr_class { get }; allow av_session accountmgr:binder { transfer }; + +allow av_session persist_param:file { read open map }; +allow av_session sysfs_devices_system_cpu:file { read open getattr }; +allow av_session persist_sys_param:file { read open map }; +allow av_session sys_param:file { read open map }; +allow av_session unlabeled:dir { search }; + +allow av_session chip_prod_file:dir { search }; +allow av_session sys_prod_file:dir { search }; +allow av_session vendor_etc_file:dir { search }; +allow av_session system_usr_file:file { getattr read open map }; +allow av_session multimodalinput:binder { transfer }; diff --git a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te index 734039129..35b5bc0fc 100644 
--- a/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te +++ b/sepolicy/ohos_policy/multimedia/media_library/system/medialibrary_hap.te @@ -44,3 +44,5 @@ allow medialibrary_hap exfat:dir { watch watch_reads }; allow medialibrary_hap vfat:dir { watch_reads }; allow medialibrary_hap sys_prod_file:dir { search }; +allow medialibrary_hap hmdfs:file { ioctl }; +allowxperm medialibrary_hap hmdfs:file ioctl { 0x5413 }; diff --git a/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te b/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te index 6c0bd1082..2bcd03630 100644 --- a/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te +++ b/sepolicy/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te @@ -27,6 +27,7 @@ allow bgtaskmgr_service sys_prod_file:dir { search }; allow bgtaskmgr_service chip_prod_file:file { map open read getattr }; #avc: denied { search } for pid=1067, ino=6413 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 allow bgtaskmgr_service system_usr_file:dir { search }; +allow bgtaskmgr_service system_usr_file:file { getattr read open map }; #avc: denied { getopt } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:bgtaskmgr_service:s0 tclass=unix_dgram_socket permissive=1 #avc: denied { setopt } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:bgtaskmgr_service:s0 tclass=unix_dgram_socket permissive=1 allow bgtaskmgr_service bgtaskmgr_service:unix_dgram_socket { getopt setopt }; 
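Review bot: `allowxperm medialibrary_hap hmdfs:file ioctl { 0x5413 };` whitelists ioctl number 0x5413, which is the TIOCGWINSZ terminal request; issued against a regular hmdfs file it is most likely a library's isatty-style probe whose failure is harmless, so the denial is better silenced with `dontaudit medialibrary_hap hmdfs:file { ioctl };` than granted. If the operation really is needed, a comment quoting the avc denial (as bgtaskmgr_service.te does in the hunk that follows) would document why. The bgtaskmgr hunk on this line follows that file's convention and looks fine.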
@@ -52,7 +53,7 @@ allow bgtaskmgr_service dev_kmsg_file:chr_file { write }; # workschedule task get cpu info #avc: denied { read } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 -allow bgtaskmgr_service sysfs_devices_system_cpu:file { read }; +allow bgtaskmgr_service sysfs_devices_system_cpu:file { read open getattr }; #avc: denied { get } for service=1067 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_hiview_service:s0 tclass=samgr_class permissive=1 allow bgtaskmgr_service sa_hiview_service:samgr_class { get }; #avc: denied { open } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 @@ -183,3 +184,11 @@ debug_only(` ') allow bgtaskmgr_service dev_console_file:chr_file { read write }; + +allow bgtaskmgr_service unlabeled:dir { search }; +allow bgtaskmgr_service data_service_el1_file:dir { ioctl }; +allowxperm bgtaskmgr_service data_service_el1_file:dir ioctl { 0xf546 }; +allow bgtaskmgr_service data_service_el1_file:file { append }; +allow bgtaskmgr_service sys_param:file { read open map }; +allow bgtaskmgr_service chip_prod_file:dir { search }; +allow bgtaskmgr_service vendor_etc_file:dir { search }; diff --git a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te index 55e9f375b..44acca76e 100644 --- a/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te +++ b/sepolicy/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te 
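Review bot: The block appended after `allow bgtaskmgr_service dev_console_file:chr_file { read write };` breaks this file's convention of preceding every rule with the `#avc: denied …` line that motivated it (see the rules earlier in the same file), so the new `data_service_el1_file:dir { ioctl }` / `0xf546` and `data_service_el1_file:file { append }` grants carry no provenance. Each new rule should get the same comment form, e.g. `#avc: denied { append } for pid=<pid> scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1`. The rules are also placed after the `')` that closes the `debug_only(` block, so they apply to release builds; confirm that is intended.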
@@ -57,4 +57,4 @@ allow resource_schedule_executor vendor_etc_file:file { open read getattr }; allow resource_schedule_executor dev_console_file:chr_file { read write }; allow resource_schedule_executor dev_kmsg_file:chr_file { write open }; - +allow resource_schedule_executor system_core_hap:process { setsched }; diff --git a/sepolicy/ohos_policy/security/access_token/system/privacy.te b/sepolicy/ohos_policy/security/access_token/system/privacy.te index 1535855d4..f1fa38baa 100644 --- a/sepolicy/ohos_policy/security/access_token/system/privacy.te +++ b/sepolicy/ohos_policy/security/access_token/system/privacy.te @@ -102,3 +102,5 @@ allow privacy_service vendor_etc_file:dir { search }; allow privacy_service sys_prod_file:dir { search }; allow privacy_service chip_prod_file:dir { search }; allow privacy_service unlabeled:dir { search }; +allow privacy_service accesstoken_data_file:dir { ioctl }; +allowxperm privacy_service accesstoken_data_file:dir ioctl { 0xf546 }; diff --git a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te index 526a5a4e0..bd867df0a 100644 --- a/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te +++ b/sepolicy/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te 
@@ -94,7 +94,8 @@ allow dlp_permission_service data_service_el1_file:file { getattr ioctl open wri allow dlp_permission_service data_service_el1_file:file { ioctl }; allowxperm dlp_permission_service data_service_el1_file:file ioctl { 0xf546 }; - +allow dlp_permission_service data_service_el1_file:dir { ioctl }; +allowxperm dlp_permission_service data_service_el1_file:dir ioctl { 0xf546 }; # avc: denied { get } for service=3901 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 allow dlp_permission_service sa_foundation_cesfwk_service:samgr_class { get }; @@ -128,3 +129,4 @@ allow dlp_permission_service persist_param:file { read open map }; allow dlp_permission_service dlp_permission_service:unix_dgram_socket { getopt setopt }; allow dlp_permission_service unlabeled:dir { search }; + diff --git a/sepolicy/ohos_policy/security/security_guard/system/file.te b/sepolicy/ohos_policy/security/security_guard/system/file.te index ee2a9d7a6..69dcae570 100644 --- a/sepolicy/ohos_policy/security/security_guard/system/file.te +++ b/sepolicy/ohos_policy/security/security_guard/system/file.te @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -type system_etc_security_guard_file, system_file_attr, file_attr; +# type system_etc_security_guard_file, system_file_attr, file_attr; type data_service_el1_public_security_guard_file, data_file_attr, file_attr; type security_guard_file_store_file, data_file_attr, file_attr; diff --git a/sepolicy/ohos_policy/useriam/pinauth_auth/system/pinauth.te b/sepolicy/ohos_policy/useriam/pinauth_auth/system/pinauth.te index 304d332e2..d1a5a5007 100644 --- a/sepolicy/ohos_policy/useriam/pinauth_auth/system/pinauth.te +++ b/sepolicy/ohos_policy/useriam/pinauth_auth/system/pinauth.te 
@@ -83,3 +83,6 @@ allowxperm pinauth dev_at_file:chr_file ioctl { 0x4103 };
 allow pinauth hdf_device_manager:hdf_devmgr_class { get };
 allow pinauth paramservice_socket:sock_file { write };
 allow pinauth kernel:unix_stream_socket { connectto };
+
+allow pinauth dev_console_file:chr_file { read write };
+allow pinauth sysfs_devices_system_cpu:file { read open getattr };
-- Gitee From 2e14b7b929f08fdc42eb37939c6c81bbe63fc6cd Mon Sep 17 00:00:00 2001 From: sunchanglong3 Date: Mon, 25 Aug 2025 09:08:52 +0800 Subject: [PATCH 15/15] =?UTF-8?q?=E5=8D=95=E5=8F=B7:#ICTGPM=20=E6=8F=8F?= =?UTF-8?q?=E8=BF=B0=EF=BC=9A=E6=81=A2=E5=A4=8D=E5=87=BA=E5=8E=82=E6=B8=85?= =?UTF-8?q?=E7=90=86log=E7=BC=93=E5=AD=98selinux=E9=80=82=E9=85=8D=20?= =?UTF-8?q?=E6=98=AF=E5=90=A6=E5=AE=8C=E6=88=90=E5=8F=98=E6=88=90=E8=A7=84?= =?UTF-8?q?=E8=8C=83=E8=87=AA=E6=A3=80=EF=BC=9AY=20=E6=98=AF=E5=90=A6?= =?UTF-8?q?=E7=BC=96=E8=AF=91=E4=B8=94=E9=AA=8C=E8=AF=81=E9=80=9A=E8=BF=87?= =?UTF-8?q?=EF=BC=9AY=20=E5=BD=B1=E5=93=8D=E7=9A=84=E8=AE=BE=E5=A4=87?= =?UTF-8?q?=E4=B8=8E=E5=B9=B3=E5=8F=B0=E8=8C=83=E5=9B=B4=EF=BC=9Aoriole=20?= =?UTF-8?q?=E5=9B=A2=E9=98=9F:=20H?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: sunchanglong3 Change-Id: Icac52475f97411a5b4c7d5153f229d6bdc1f8e10
---
sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
index 9969ac2e1..bae9b8471 100644
--- a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
+++ b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
@@ -78,4 +78,6 @@ allow updater_sa time_service:binder { call transfer }; #avc: denied { transfer } for pid=473 comm="OS_IPC_2_1087" scontext=u:r:updater_sa:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 allow updater_sa foundation:binder { transfer }; - +allow updater_sa data_local:dir { search read open }; +allow updater_sa hilog_control_socket:sock_file { open read write }; +allow updater_sa hilogd:unix_stream_socket { connectto }; -- Gitee