diff --git a/BUILD.gn b/BUILD.gn index 7491f89a9daae93673019083f822deeb7628a293..8c56a46702dbc2b564d6bceb23261a9194d0d926 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -419,6 +419,117 @@ ohos_executable("service_check") { debug_version = "disable" updater_version = "disable" +action("build_policy_treble_test") { + if (build_variant == "user") { + debug_version = "disable" + } else if (build_variant == "root") { + debug_version = "enable" + } else { + debug_version = "enable" + } + + updater_version = "disable" + sepolicy_dir_lists = rebase_path("prebuilts/api/5.0", root_build_dir) + if (selinux_adapter_build_path_treble_test != "default") { + foreach(src, string_split(selinux_adapter_build_path_treble_test, ":")) { + src = "//" + src + sepolicy_dir_lists += ":" + rebase_path(src, root_build_dir) + } + if (special_build_selinux_gni_exist && + selinux_build_path_ext != "default") { + selinux_adapter_build_path_treble_test = + selinux_adapter_build_path_treble_test + ":" + selinux_build_path_ext + } + } else { + selinux_adapter_build_path_treble_test = + selinux_adapter_build_path_treble_test + ":" + OHOS_PRODUCT_DIR_TREBLE_TEST + } + + if (selinux_adapter_special_build_policy_script_treble_test != "default") { + script = selinux_adapter_special_build_policy_script_treble_test + } else { + script = "scripts/build_policy_treble_test.py" + } + depfile = "$target_gen_dir/$target_name.d" + args = [ + "--depfile", + rebase_path(depfile, root_build_dir), + "--output-file", + rebase_path("$target_out_dir/$target_name.txt", root_build_dir), + "--sepolicy-dir-lists", + sepolicy_dir_lists, + "--dst-file", + rebase_path(target_out_dir + "/prebuilts/policy.31"), + "--tool-path", + tool_path, + "--source-root-dir", + rebase_path("//"), + "--policy_dir_list", + selinux_adapter_build_path_treble_test, + "--debug-version", + debug_version, + "--updater-version", + updater_version, + "--components", + selinux_adapter_components, + "--build-path", + rebase_path("prebuilts/api/5.0"), + "--campat-cil-path", + selinux_adapter_campat_cil_path + ] + + if (selinux_adapter_components != "default") { + args += [ + "--vendor-policy-version", + "$selinux_adapter_vendor_policy_version", + ] + } + + if (selinux_adapter_extra_args != "default") { + foreach(arg, string_split(selinux_adapter_extra_args, " ")) { + args += [ arg ] + } + } + + external_deps = [ + "selinux:checkpolicy($host_toolchain)", + "selinux:secilc($host_toolchain)", + ] + outputs = [ + target_out_dir + "/prebuilts/policy.31", + target_out_dir + "/prebuilts/user_policy", + target_out_dir + "/prebuilts/vendor.cil", + target_out_dir + "/prebuilts/prebuild_sepolicy.system.cil.sha256", + target_out_dir + "/prebuilts/system.cil", + target_out_dir + "/prebuilts/system.cil.sha256", + target_out_dir + "/prebuilts/compatible/$selinux_adapter_vendor_policy_version.cil", + target_out_dir + "/prebuilts/compatible", + target_out_dir + "/prebuilts/version", + target_out_dir + "/prebuilts/public.cil", + ] + + outputs += [ + target_out_dir + "/prebuilts/developer/prebuild_sepolicy.system.cil.sha256", + target_out_dir + "/prebuilts/developer/system.cil.sha256", + target_out_dir + + "/prebuilts/developer/compatible/$selinux_adapter_vendor_policy_version.cil", + target_out_dir + "/prebuilts/developer/compatible", + target_out_dir + "/prebuilts/developer/developer_policy", + target_out_dir + "/prebuilts/developer/policy.31", + target_out_dir + "/prebuilts/developer/vendor.cil", + target_out_dir + "/prebuilts/developer/system.cil", + target_out_dir + "/prebuilts/developer/public.cil", + ] + + if (selinux_adapter_components != "default") { + outputs += [ + target_out_dir + "/prebuilts/system_common.cil", + target_out_dir + "/prebuilts/vendor_common.cil", + target_out_dir + "/prebuilts/public_common.cil", + ] + } +} + action("build_policy") { if (build_variant == "user") { debug_version = "disable" @@ -1406,6 +1517,7 @@ group("selinux_group") { ":service_check", ":service_contexts", ":updater_config", + ":build_policy_treble_test", ] external_deps = [ "selinux:checkpolicy($host_toolchain)", diff --git a/bundle.json b/bundle.json index 8083d59fafb3e1b9e73afb1e4be56e734525e86a..59245787ad10a6c6c2f3d64ec401e28a4ad463b7 100644 --- a/bundle.json +++ b/bundle.json @@ -14,11 +14,14 @@ "subsystem": "security", "features": [ "selinux_adapter_build_path", + "selinux_adapter_build_path_treble_test", + "selinux_adapter_campat_cil_path", "selinux_adapter_components", "selinux_adapter_enforce", "selinux_adapter_vendor_policy_version", "selinux_adapter_support_developer_mode", "selinux_adapter_special_build_policy_script", + "selinux_adapter_special_build_policy_script_treble_test", "selinux_adapter_extra_args", "selinux_adapter_special_build_contexts_script", "selinux_adapter_contexts_extra_args", diff --git a/prebuilts/api/5.0/base/public/attributes b/prebuilts/api/5.0/base/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..1b7d47c2b1f5d8c73444f2fd37b2aa99251f4829 --- /dev/null +++ b/prebuilts/api/5.0/base/public/attributes @@ -0,0 +1,310 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# Type of all devices. +# i.e. /dev/camera_dev +attribute dev_attr; + +# Type of all processes, including the hap process and native process. +# i.e. hdbd, media +attribute domain; + +# Type of all virtual file system files. +# i.e. /sys/block, +# /sys/bus, +# /proc/mtd, +# /dev/camera_dev +attribute fs_attr; + +# Type of all proc files. +# i.e. /proc/mtd +attribute proc_attr; + +# Type of all common files. +# i.e. /data/user, +# /system/bin +attribute file_attr; + +# Type of all rootfs files. +# i.e. /* +attribute rootfs_file_attr; + +# Type of all system files. +# i.e. /system/* +attribute system_file_attr; + +# Type of all sys_prod files. +# i.e. /sys_prod/* +attribute sys_prod_file_attr; + +# Type of all vendor files. +# i.e. /vendor/* +attribute vendor_file_attr; + +# Type of all chip_prod files. +# i.e. /chip_prod/* +attribute chip_prod_file_attr; + +# Type of all chip_ckm files. +# i.e. /chip_ckm/* +attribute chip_ckm_file_attr; + +# Type of all domain access points, which is used in domain trasition. +# i.e. vold_exec, +# appspawn_exec +attribute exec_attr; + +# Types of all files in the /data directory. +# i.e. /data/user +attribute data_file_attr; + +# All types in the sysfs file system. +# i.e. /sys/firmware +attribute sysfs_attr; + +# All types in the debugfs file system. +# i.e. /sys/kernel/debug/* +attribute debugfs_attr; + +# All types of parameters. +# i.e. ohos_param +attribute parameter_attr; + +# All types of services. +# i.e. bms_service +attribute sa_service_attr; + +# All types of hdf_services. +# i.e. camera_service +attribute hdf_service_attr; + +# Type of all processes in the hap format. +# i.e. com.ohos.setting +attribute hap_domain; + +# Type of all haps in apl normal. +attribute normal_hap_attr; + +# Type of all haps in apl system_basic. +attribute system_basic_hap_attr; + +# Type of all haps in apl system_core. +attribute system_core_hap_attr; + +# File type of all processes in the hap format. +# i.e. com.ohos.setting +attribute hap_file_attr; + +# File type of all haps in apl normal. +attribute normal_hap_data_file_attr; + +# File type of all haps in apl system_basic. +attribute system_basic_hap_data_file_attr; + +# File type of all haps in apl system_core. +attribute system_core_hap_data_file_attr; + +# Type of hdf processes. +# i.e. hdv_devmgr, +attribute hdfdomain; + +# Type of all native processes. +# i.e. at, +attribute sadomain; + +# Type of all native system processes not in sadomain. +# i.e. init, +attribute native_system_domain; + +# Type of all native chipset processes not in sadomain. +# i.e. chipset-init, +attribute native_chipset_domain; + +#define some violator attribute for neverallows. +attribute cap_violator_chown; +attribute cap_violator_dacoverride; +attribute cap_violator_dacreadsearch; +attribute cap_violator_fowner; +attribute cap_violator_fsetid; +attribute cap_violator_kill; +attribute cap_violator_setuid; +attribute cap_violator_setgid; +attribute cap_violator_netbindservice; +attribute cap_violator_netadmin; +attribute cap_violator_netraw; +attribute cap_violator_sysptrace; +attribute cap_violator_sysadmin; +attribute cap_violator_wakealarm; +attribute cap_violator_sysnice; +attribute cap_violator_perfmon; +attribute cap_violator_sysmodule; +attribute cap_violator_syslog; +attribute cap_violator_sysrawio; + +attribute data_file_attr_violator_exec; +attribute data_local_tmp_violator_dir; +attribute data_local_tmp_violator_file_open; +attribute system_core_hap_data_file_attr_violator_dir; +attribute system_basic_hap_data_file_attr_violator_dir; +attribute normal_hap_data_file_attr_violator_dir; +attribute normal_hap_data_file_attr_violator_dir_file_create_unlink; +attribute normal_hap_data_file_attr_violator_file_open; +attribute accesstoken_data_file_violator_dir; +attribute accesstoken_data_file_violator_file; +attribute module_update_file_violator_file_dir; +attribute module_update_binary_file_violator_file_dir; +attribute normal_hap_data_file_attr_violator_relabel; +attribute file_migrate_hap_data_file_attr_violator_opt; + +attribute data_user_file_dir_violator; +attribute data_user_file_file_violator; + +attribute dev_fuse_file_violator; + +attribute nativespawn_mount_filesystem_violator; + +attribute proc_violator; +attribute sh_exec_violator; +attribute proc_sys_writer; + +attribute violator_hdfdomain_binder_call; + +attribute modem_file_attr; + +attribute cgroup_creator; + +# Type of all module_update file +# i.e. /module_update/* +attribute module_update_file_attr; + +attribute dev_attr_violator; +attribute dev_file_violator; +attribute dev_attr_violator_chr_file_rw; +attribute dev_attr_violator_file_rw; +attribute samgr_binder_violator; +attribute installs_binder_violator; +attribute binder_call_installs_violators; +attribute permissions_mount_file_attr; +attribute log_file_attr; +attribute appspawn_unmount_filesystem_violators; +attribute hap_domain_lnk_file_violators; + +attribute filesystem_violator; + +# Type of develop process +# i.e. sh +attribute develop_domain; + +# define some violator attribute for neverallows. +attribute vendor_file_violator_dir; +attribute vendor_file_violator_dir_getattr; +attribute vendor_file_violator_dir_relabelto; +attribute vendor_file_violator_dir_read; +attribute vendor_file_violator_dir_open; +attribute vendor_file_violator_file; +attribute vendor_file_violator_file_map; +attribute vendor_file_violator_file_open; +attribute vendor_file_violator_file_read; +attribute vendor_file_violator_file_getattr; +attribute vendor_file_violator_file_execute; +attribute vendor_bin_file_violator_dir; +attribute vendor_bin_file_violator_dir_search; +attribute vendor_bin_file_violator_file; +attribute vendor_bin_file_violator_file_entrypoint; +attribute vendor_bin_file_violator_file_execute; +attribute vendor_bin_file_violator_file_map; +attribute vendor_bin_file_violator_file_read; +attribute vendor_bin_file_violator_file_getattr; +attribute vendor_bin_file_violator_file_open; +attribute vendor_etc_file_violator_dir; +attribute vendor_etc_file_violator_dir_search; +attribute vendor_etc_file_violator_dir_getattr; +attribute vendor_etc_file_violator_dir_read; +attribute vendor_etc_file_violator_dir_open; +attribute vendor_etc_file_violator_file; +attribute vendor_etc_file_violator_file_map; +attribute vendor_etc_file_violator_file_open; +attribute vendor_etc_file_violator_file_read; +attribute vendor_etc_file_violator_file_getattr; + +attribute system_file_violator_dir; +attribute system_file_violator_file; +attribute system_bin_file_violator_dir; +attribute system_bin_file_violator_dir_search; +attribute system_bin_file_violator_dir_getattr; +attribute system_bin_file_violator_file; +attribute system_bin_file_violator_file_execute; +attribute system_bin_file_violator_file_execute_no_trans; +attribute system_bin_file_violator_file_map; +attribute system_bin_file_violator_file_read; +attribute system_bin_file_violator_file_open; +attribute system_bin_file_violator_file_getattr; +attribute system_bin_file_violator_lnk_file; +attribute system_bin_file_violator_lnk_file_read; +attribute system_etc_file_violator_dir; +attribute system_etc_file_violator_file; +attribute system_etc_file_violator_lnk_file; +attribute system_profile_file_violator_dir; +attribute system_fonts_file_violator_dir_mounton; + +attribute system_bin_file_violator_file_entrypoint; +attribute system_etc_file_violator_lnk_file_relabelto; +attribute system_etc_file_violator_lnk_file_read; +attribute system_etc_file_violator_lnk_file_getattr; + +attribute vendor_file_violator_dir_mounton; +attribute vendor_file_violator_file_relabelto; +attribute vendor_file_violator_file_setattr; +attribute vendor_bin_file_violator_dir_getattr; +attribute vendor_bin_file_violator_dir_open; +attribute vendor_bin_file_violator_dir_read; +attribute vendor_bin_file_violator_dir_mounton; +attribute vendor_bin_file_violator_dir_relabelto; +attribute vendor_bin_file_violator_file_execute_no_trans; +attribute vendor_bin_file_violator_file_relabelto; +attribute vendor_bin_file_violator_file_setattr; +attribute vendor_bin_file_violator_file_lnk_file; +attribute vendor_bin_file_violator_file_lnk_file_read; +attribute vendor_etc_file_violator_dir_mounton; +attribute vendor_etc_file_violator_dir_relabelto; +attribute vendor_etc_file_violator_file_relabelto; + +attribute violator_hdf_devmgr_class_get; + +attribute binder_call_hdfdomain_violators; + +attribute hiview_host; + +attribute rgm_violator_filesystem_mount; + +attribute system_bin_file_quickfix; + +attribute sp_daemon_get; + +#define some rgm_violator_ohos attribute for neverallows +attribute rgm_violator_ohos_filesystem_unmount; + +attribute hap_domain_lnk_file_operation_viloator; + +attribute rgmli_violator_exec_file_attr; + +# define some hap_domain violator attribute for neverallows +attribute hap_domain_dev_ptmx_violators; +attribute hap_domain_cgroup_violators; +attribute hap_domain_proc_stat_file_violators; +attribute hap_domain_proc_modules_file_violators; + +attribute hap_attr_link_violators; + +attribute normal_hap_system_basic_hap_data_file_violators; diff --git a/prebuilts/api/5.0/base/public/basetype.te b/prebuilts/api/5.0/base/public/basetype.te new file mode 100644 index 0000000000000000000000000000000000000000..e4a5e5a2b3e4a54f5061449e2be42ab85b9ac7ce --- /dev/null +++ b/prebuilts/api/5.0/base/public/basetype.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type security; +type port; +type netif; +type netmsg; +type node; +type sysctl; diff --git a/prebuilts/api/5.0/base/public/chipset_domain.te b/prebuilts/api/5.0/base/public/chipset_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..1c338dbd821b7a5f6ec963d2590bd921ddef63dd --- /dev/null +++ b/prebuilts/api/5.0/base/public/chipset_domain.te @@ -0,0 +1,58 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# Prohibit chipset component processes from accessing system files to achieve access isolation +neverallow { chipset_domain -system_file_violator_dir } system_file:dir ~{ search }; +neverallow { chipset_domain -system_file_violator_file } system_file:file *; +neverallow { chipset_domain } system_file:{ blk_file chr_file fifo_file lnk_file sock_file } *; + +# Prohibit chipset component processes from accessing system bin files to achieve access isolation +neverallow { chipset_domain -system_bin_file_violator_dir } system_bin_file:dir ~{ search getattr }; +neverallow { chipset_domain -camera_host -system_bin_file_violator_dir_getattr } system_bin_file:dir { getattr }; +neverallow { chipset_domain -system_bin_file_violator_file } system_bin_file:file ~{ execute execute_no_trans map read open getattr entrypoint }; +neverallow { chipset_domain -audio_host -camera_host -input_user_host -usb_host -riladapter_host -chipset_init -system_bin_file_violator_file_execute } system_bin_file:file { execute }; +neverallow { chipset_domain -audio_host -camera_host -input_user_host -usb_host -riladapter_host -system_bin_file_violator_file_execute_no_trans } system_bin_file:file { execute_no_trans }; +neverallow { chipset_domain -audio_host -camera_host -input_user_host -usb_host -riladapter_host -system_bin_file_violator_file_map } system_bin_file:file { map }; +neverallow { chipset_domain -audio_host -camera_host -input_user_host -usb_host -riladapter_host -chipset_init -system_bin_file_violator_file_read } system_bin_file:file { read }; +neverallow { chipset_domain -audio_host -camera_host -input_user_host -usb_host -riladapter_host -chipset_init -system_bin_file_violator_file_open } system_bin_file:file { open }; +neverallow { chipset_domain -camera_host -input_user_host -riladapter_host -chipset_init -system_bin_file_violator_file_getattr } system_bin_file:file { getattr }; +neverallow { chipset_domain -system_bin_file_violator_file_entrypoint } system_bin_file:file { entrypoint }; +neverallow { chipset_domain -system_bin_file_violator_lnk_file } system_bin_file:lnk_file ~{ read }; +neverallow { chipset_domain -camera_host -input_user_host -riladapter_host -system_bin_file_violator_lnk_file_read } system_bin_file:lnk_file { read }; +neverallow { chipset_domain } system_bin_file:{ blk_file chr_file fifo_file sock_file } *; + +# Prohibit chipset component processes from accessing system etc files to achieve access isolation +neverallow { chipset_domain -system_etc_file_violator_dir } system_etc_file:dir ~{ open read search getattr }; +neverallow { chipset_domain -system_etc_file_violator_file } system_etc_file:file ~{ getattr map open read }; +neverallow { chipset_domain -system_etc_file_violator_lnk_file } system_etc_file:lnk_file ~{ relabelto read getattr }; +neverallow { chipset_domain -chipset_init -system_etc_file_violator_lnk_file_relabelto } system_etc_file:lnk_file { relabelto }; +neverallow { chipset_domain -chipset_init -system_etc_file_violator_lnk_file_read } system_etc_file:lnk_file { read }; +neverallow { chipset_domain -chipset_init -system_etc_file_violator_lnk_file_getattr } system_etc_file:lnk_file { getattr }; +neverallow { chipset_domain } system_etc_file:{ blk_file chr_file fifo_file sock_file } *; + +# Prohibit chipset component processes from accessing system hap files to achieve access isolation +neverallow { chipset_domain } system_hap_file:dir_file_class_set *; + +# Prohibit chipset component processes from accessing system fonts files to achieve access isolation +neverallow { chipset_domain } system_fonts_file:dir_file_class_set *; + +# Prohibit chipset component processes from accessing system profile files to achieve access isolation +neverallow { chipset_domain -system_profile_file_violator_dir } { system_profile_file }:dir ~{ search }; +neverallow { chipset_domain } system_profile_file:file_class_set *; + +# Prohibit chipset component processes from accessing system usr files to achieve access isolation +neverallow { chipset_domain } system_usr_file:dir_file_class_set *; + +# Prohibit chipset component processes from accessing system module_update files to achieve access isolation +neverallow { chipset_domain } system_module_update_file:dir_file_class_set *; diff --git a/prebuilts/api/5.0/base/public/device.te b/prebuilts/api/5.0/base/public/device.te new file mode 100644 index 0000000000000000000000000000000000000000..5b4c4f00dd6ba66b55dc037db4ccf1128b74501b --- /dev/null +++ b/prebuilts/api/5.0/base/public/device.te @@ -0,0 +1,20 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_null_file,dev_attr; +type param_device,dev_attr; +type param_info,dev_attr; +type param_storage,dev_attr; +type socket_device,dev_attr; +type binder_device,dev_attr; +type device,dev_attr,fs_attr; diff --git a/prebuilts/api/5.0/base/public/domain.te b/prebuilts/api/5.0/base/public/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..5ce6aaa1a5e452e22f7b9beb44a7e5f2f22d9ee1 --- /dev/null +++ b/prebuilts/api/5.0/base/public/domain.te @@ -0,0 +1,336 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +allow domain init:process sigchld; +allow init domain:process sigkill; + +allow { domain -lldb_server } self:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit }; + +allow domain self:fd use; +allow domain self:file rw_file_perms; +allow domain self:fifo_file rw_file_perms; +allow domain self:dir read_dir_perms; +allow domain self:lnk_file read_file_perms; +allow domain self:unix_dgram_socket { connect create write }; +allow domain self:unix_stream_socket { accept bind connect create getattr listen read getopt setopt write connectto ioctl lock append shutdown map }; +allowxperm normal_hap_attr self:unix_stream_socket ioctl { 0x5401 0x05411 0x5413-0x5414 0x541b 0x5421 0x5450-0x5451 0x8910 0x8933 }; +allow domain self:lockdown confidentiality; + +allow domain init:fd use; + +allow domain tmpfs:dir { getattr search }; +allow domain tmpfs:lnk_file read; + +allow { domain -normal_hap_attr } proc_attr:dir read_dir_perms; +allow { domain -normal_hap_attr } proc_attr:lnk_file { getattr read }; +allow normal_hap_attr { proc_attr -proc_net }:dir read_dir_perms; +allow normal_hap_attr { proc_attr -proc_net }:lnk_file { getattr read }; + +allow domain rootfs:dir search; +allow domain rootfs:lnk_file { read getattr }; + +allow domain dev_file:dir search; +allow domain dev_null_file:chr_file rw_file_perms; +allow domain dev_zero_file:chr_file rw_file_perms; +allow domain dev_ashmem_file:chr_file { getattr read ioctl lock map append write }; +allow domain dev_binder_file:chr_file { ioctl map open read write }; +allowxperm domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f 0x6220 }; + +allow domain dev_unix_file:dir search; + +allow domain dev_random_file:chr_file rw_file_perms; +allow domain dev_parameters_file:dir { getattr search }; +allow domain dev_parameters_file:file read_file_perms; + +allow domain system_etc_file:dir { open read search getattr }; +allow domain system_etc_file:file { getattr map open read }; + +allow domain system_file:dir { search }; +allow domain vendor_file:dir search; + +allow domain { lib_file system_lib_file vendor_lib_file }:dir { search }; +allow domain { lib_file system_lib_file vendor_lib_file }:file { execute getattr map open read }; +allow domain { lib_file system_lib_file vendor_lib_file }:lnk_file { read }; + + +allow domain system_profile_file:dir search; + +allow domain sysfs_attr:lnk_file { getattr read }; +allow domain sysfs_attr:dir search; + +allow domain selinuxfs:file getattr; + +allow domain debugfs:dir search; + +allow domain fs_attr:filesystem getattr; +allow domain { fs_attr -unlabeled }:dir getattr; + +allow domain etc_file:lnk_file { read }; + + +allow { domain -hap_domain } kernel:fd use; + +allow domain key_enable:key { search }; + +allow domain init:unix_dgram_socket { sendto }; +allow { domain -hap_domain } init:unix_stream_socket { read write }; +allow { domain -hap_domain } init:netlink_kobject_uevent_socket { read write }; + +# deny access for noatsecure +dontaudit domain domain:process noatsecure; +# neverallow rules +neverallow { domain -init } dev_parameters_file:file write; +neverallow { domain -init updater_only(`-updater') } data_parameters:dir never_write_dir; + +neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -rgm_violator_ohos_proc_file_mounton } proc_file:{ file dir } mounton; + +#todo audio edm hidump installs location multimodalinput netmanager normal pwer thermal.. +#neverallow { domain -init -foundation } data_file:dir { write add_name remove_name }; + +# /data/local/tmp dir using for debug. +neverallow { domain developer_only(`-wukong -atm -snapshot_display -bm -data_local_tmp_violator_dir') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') } data_local_tmp:dir never_write_dir; + +neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') } data_local_tmp:dir { open search }; + +# only samgr can be binder manager. +neverallow { domain -samgr } *:binder set_context_mgr; + +neverallow { domain -init } hdcd:process transition; + +neverallow * hdcd:process dyntransition; + +neverallow { domain -rgm_violator_ohos_dev_sock_file_mounton } { file_attr fs_attr dev_attr }:{ lnk_file fifo_file sock_file } mounton; + +neverallow { domain -init } debugfs: { file lnk_file } never_rw_file; + +#ioctl cmd TIOCSTI, dangerous cmd. +neverallowxperm { domain debug_only(`-appspawn -ioctl_0x5412_chr_file_devpts_violators') } devpts:chr_file ioctl 0x5412; + +neverallow domain dev_port:chr_file ~{ create relabelto unlink setattr getattr }; + +neverallow * *:{ blk_file chr_file } rename; + +# don't use system v IPC +neverallow { domain -rgm_violator_system_v_ipc} {domain -rgm_violator_system_v_ipc}:{ shm sem msg msgq } *; + +neverallow { domain debug_only(`-domain')} self:lockdown integrity; + +neverallow * self:memprotect mmap_zero; + +# only execute file with exec_attr & system_bin_file & vendor_bin_file ToDo delete vendor_file +neverallow * { file_attr -lib_file -system_bin_file -system_lib_file -vendor_bin_file -vendor_lib_file + -vendor_file -exec_attr -hap_file_attr -data_local_tmp -chip_prod_file -module_update_lib_file + -module_update_bin_file -data_updater_file -data_local_arkcache -system_file -data_service_el1_public_print_service_file -print_driver_exec + -rgmli_violator_exec_file_attr -data_service_scan_service_driver_file -system_bin_uni_print_driver_file + developer_only(`-lldb_server_file -hnp_file -hnp_file_attr -data_app_el1_file') }:file { execute execute_no_trans entrypoint }; +neverallow { domain -installs -ark_aot_compiler updater_only(`-updater') } data_local_arkcache:file { write }; +neverallow { domain -installs -ark_aot_compiler updater_only(`-updater') } data_local_arkcache:dir { write }; + +neverallow * { file_attr -exec_attr -system_bin_file -vendor_bin_file + developer_only(`-lldb_server_file') }:file entrypoint; + +# keep every process join the domain attribute. +neverallow ~{ domain develop_domain debug_only(`rgm_violator_su_process_dyntransition') } { domain develop_domain }:process { transition dyntransition }; + +# everyone should in { sadomain hdfdomain hap_domain native_system_domain native_chipset_domain } +neverallow domain { domain -sadomain -ark_aot_compiler -hdfdomain -hap_domain -native_system_domain -native_chipset_domain + developer_only(`-lldb_server') }:process { transition }; +neverallow domain { domain -sadomain -ark_aot_compiler -hdfdomain -hap_domain -isolated_render -native_system_domain -native_chipset_domain developer_only(`-input_isolate_debug_hap') -input_isolate_hap }:process { dyntransition }; + +# keep file based type belong to file_attr , fs_attr, dev_attr, parameter_attr. +# first label class +neverallow * ~{ file_attr domain rgm_violator_domain rgm_violator_domain_oh_to_box fs_attr dev_attr parameter_attr develop_domain } :{ dir notdevfile_class_set } *; + +# second level for file based label class +neverallow { domain develop_domain updater_only(`-updater') } ~{ domain rgm_violator_domain rgm_violator_domain_oh_to_box fs_attr dev_attr parameter_attr system_file_attr sys_prod_file_attr vendor_file_attr + chip_prod_file_attr sysfs_attr data_file_attr rootfs_file_attr modem_file_attr module_update_file_attr log_file_attr develop_domain chip_ckm_file_attr + rgmli_violator_exec_file_attr sys_prod_ai_model_llm_file_attr + developer_only(`lldb_server_file') }:{ file dir } *; +# keep every dev_node join dev_attr +neverallow * ~{ dev_attr fs_attr } :devfile_class_set *; + + +# keep every service join service_type +neverallow * ~sa_service_attr:samgr_class ~list; +neverallow * ~samgr:samgr_class list; + +# keep every hdf service join hdf_service_attr +neverallow * ~hdf_service_attr:hdf_devmgr_class ~list; +neverallow * ~hdf_devmgr:hdf_devmgr_class list; + +# Please set parammeter label in parameter_contexts +neverallow domain default_param:parameter_service *; + +# Please set service label in service_contexts +neverallow domain default_service:samgr_class *; + +# Please set hdf_service label in hdf_service_contexts +neverallow domain default_hdf_service:hdf_devmgr_class *; + +# Please set secon field service's cfg file, don't use limit_domain! +neverallow limit_domain *:file *; +neverallow domain limit_domain:binder *; + +# every file should have a label. The unlabeled file shouldn't be accessed. +neverallow { domain -appspawn -init -kernel updater_only(`-updater') -unlabeled_dir_file_violators -rgm_violator_ohos_unlabeled_file -installs } unlabeled:dir_file_class_set *; + +# keep selinuxfs safe. +neverallow * kernel:security { load_policy setenforce setbool }; +neverallow { domain -kernel } kernel:security setcheckreqprot; +neverallow { domain -init } kernel:security setsecparam; + +# can't use domain type as exec target. +neverallow * domain:file { execute execute_no_trans entrypoint }; + +# never use set stack and heap executable. +neverallow * self:process { execstack execheap }; + +# dev node file label should be configured in file_contexts. +#/dev/char +#/dev/v4l +#todo +# +# allow at /home/last/bb/h1/cc/out/rk3568/obj/base/security/selinux/ohos.cil:11230 +# (allow riladapter_host dev_file (chr_file (ioctl read write open))) +# +neverallow { domain -init -ueventd -riladapter_host debug_only(`-softbus_server') -dev_file_violator -rgm_violator_ohos_dev_char_file } dev_file:{ file chr_file blk_file } *; + +#todo change file label for sock file +#neverallow { domain -ueventd -riladapter_host } dev_file:sock_file *; + +neverallow { domain -kernel -init -chipset_init -misc -updater_sa -storage_daemon -partitionslot_host updater_only(`-updater ') -updater_binary -dev_attr_violator -sys_installer_sa -write_updater -rgm_violator_ohos_dev_blk_file -module_update_service } dev_attr:blk_file { open read write }; +neverallow { updater_sa sys_installer_sa write_updater } {dev_attr -updater_block_file}:blk_file { open read write }; +neverallow { module_update_service } {dev_attr -dev_block_file}:blk_file { open read write }; +# fs operation limit +neverallow { domain -filesystem_violator } *:filesystem ~{ getattr mount remount unmount relabelfrom relabelto quotaget quotamod }; +neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nativespawn_mount_filesystem_violator -netsysnative -rgm_violator_filesystem_mount updater_only(`-updater') -module_update_service } *:filesystem mount; +neverallow { domain -init -appspawn -rgm_violator_ohos_filesystem_remount } *:filesystem remount; +neverallow { domain -init -storage_daemon -appspawn -cjappspawn -nwebspawn -nativespawn updater_only(`-updater') -rgm_violator_ohos_filesystem_unmount -module_update_service } *:filesystem unmount; +neverallow { domain -init -storage_daemon -rgm_violator_filesystem_relabelfrom -appspawn } *:filesystem relabelfrom; +neverallow { domain -init -storage_daemon -appspawn } *:filesystem relabelto; +neverallow { domain -storage_daemon -installs -init updater_only(`-updater') } *:filesystem quotaget; +neverallow { domain -storage_daemon -init updater_only(`-updater') } *:filesystem quotamod; + +neverallow { domain updater_only(`-updater -updater_binary -init')} rootfs:file { create write setattr relabelto append unlink link rename }; + +neverallow { domain -init -proc_sys_writer } { proc_attr sysfs_attr }:dir { add_name create link rename remove_name reparent rmdir write }; + +neverallow { domain -init } debugfs_kprobes:file *; + +neverallow domain parameter_attr:file { ioctl lock }; + +neverallow { domain -init updater_only(`-updater') } data_parameters:file { never_write_file never_execute_file }; + +neverallow { domain -init } parameter_attr:file { never_write_file never_execute_file }; + +neverallow { domain -init } dev_parameters_file:file { never_write_file never_execute_file }; + +neverallow domain file_attr:file execmod; + +neverallow installs data_data_file:file ~{ read_file_perms relabelfrom unlink }; + +neverallow domain debugfs_attr:file { execute execute_no_trans }; + +neverallow { domain -cgroup_creator -rgm_violator_ohos_cgroup_file_create } cgroup:file create; + +neverallow { domain -init } debugfs:{ file lnk_file } never_rw_file; + +neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -normal_hap_attr -system_fonts_file_violator_dir_mounton -rgm_violator_system_file_mounton } system_file_attr:dir_file_class_set mounton; + +neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -normal_hap_attr -rgm_violator_vendor_file_mounton } vendor_file_attr:dir_file_class_set mounton; + +neverallow { domain -init -kernel -hap_domain -locationhub + -audio_host updater_only(`-updater -updater_binary')} data_file:file never_write_file; + +neverallow { domain developer_only(`-wukong -atm -snapshot_display -hiprofiler_cmd -bm') -uitest -SP_daemon -hdcd -hap_domain -sh -hiprofilerd -native_daemon -hiprofiler_plugins -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -bm') -data_local_tmp_violator_file_open -processdump } data_local_tmp:file open; + +#forbid root process access network; +# +#[OHOS ERROR] (allow init init (udp_socket (ioctl create))) +#[OHOS ERROR] (neverallow hdcd domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))) +#[OHOS ERROR] (neverallow init domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))) +#[OHOS ERROR] (allow hdcd self (udp_socket (create bind setopt))) +#[OHOS ERROR] (neverallow hdcd domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect))) +#[OHOS ERROR] (allow hdcd hdcd (tcp_socket (connect getopt name_connect))) +#[OHOS ERROR] (allow hdcd self (tcp_socket (ioctl read write create getattr bind listen accept setopt))) +# +neverallow { appspawn storage_daemon udevd resource_schedule_service ispserver } domain:{ tcp_socket udp_socket rawip_socket } *; + +#ensure no write access to readonly filesystem. + +neverallow { domain updater_only(`-init -updater -updater_binary')} { rootfs system_file_attr vendor_file_attr }:dir never_write_dir; +neverallow { domain updater_only(`-init -updater -updater_binary')} { rootfs system_file_attr vendor_file_attr }:file never_write_file; + +#limit domain access to sh_exec +neverallow { domain developer_only(`-wukong -aa -hdcd -sh -hnp -hnp_hap_domain_attr') -init -faultloggerd -riladapter_host -appspawn + debug_only(`-hiprofiler_cmd -hiprofiler_plugins -hiprofilerd -native_daemon -camera_host -aa') -hidumper_service -SP_daemon -test_server -netsysnative + -wifi_hal_service -sh_exec_violator -rgm_violator_ohos_sh_exec_file_execute -cupsd -print_driver} sh_exec:file execute; + +#limit execmem use +neverallow { domain -appspawn -hap_domain -isolated_render -rgm_violator_execmem } self:process execmem; + +neverallow { domain -processdump -hap_domain -isolated_render developer_only(`-lldb_server -hiperf -native_daemon') debug_only(`-hiperf') } domain:process ptrace; + +# limit capability use. +# for exemption add rule like this: +# neverallow { domain -init } self:capability chown; +# means that only init can have the caps of chown. +# TODO:debug/release +neverallow { domain -appspawn -chipset_init -init -ueventd -installs -storage_daemon -cap_violator_chown -rgm_violator_cap_chown updater_only(`-updater') -distributedfiledaemon -rgm_violator_ohos_capability_chown -download_server } self:{ capability cap_userns } chown; +neverallow { domain -appspawn -cjappspawn -init -chipset_init -ueventd -memmgrservice -resource_schedule_executor + -installs updater_only(`-updater') + -storage_daemon -usb_host -cap_violator_dacoverride developer_only(`-hnp') -rgm_violator_ohos_capability_dacoverride } self:{ capability cap_userns } dac_override; +neverallow { domain -chipset_init -appspawn -cjappspawn -init -hidumper_service -hiview -storage_daemon -hiprofiler_plugins -file_guard_server debug_only(`-hiperf') -cap_violator_dacreadsearch updater_only(`-updater') -wifi_host developer_only(`-hdcd -hnp') -distributedfiledaemon -memmgrservice -rgm_violator_ohos_capability_dacreadsearch } self:{ capability cap_userns } dac_read_search; +neverallow { domain -init -chipset_init -ueventd -installs -storage_daemon -cap_violator_fowner updater_only(`-updater') -rgm_violator_ohos_capability_fowner } self:{ capability cap_userns } fowner; +neverallow { domain -chipset_init -appspawn -init -ueventd -storage_daemon -cap_violator_fsetid updater_only(`-updater') -rgm_violator_ohos_capability_fsetid } self:{ capability cap_userns } fsetid; +neverallow { domain -init -memmgrservice -appspawn -nativespawn -cjappspawn -storage_daemon -compiler_service -nwebspawn -faultloggerd -hiview -foundation -resource_schedule_executor -native_daemon -cap_violator_kill -rgm_violator_ohos_capability_kill } self:{ capability cap_userns } kill; +neverallow { domain -init -chipset_init -appspawn -compiler_service -nwebspawn -nativespawn -cjappspawn -storage_daemon -cap_violator_setuid updater_only(`-updater') -rgm_violator_ohos_capability_setuid -rgm_violator_cap_setuid } self:{ capability cap_userns } setuid; +neverallow { domain -init -chipset_init -ueventd -appspawn -compiler_service -nwebspawn -nativespawn -cjappspawn -storage_daemon debug_only(`-hiperf -hiprofilerd -hiprofiler_plugins -hiprofiler_cmd -native_daemon -bytrace -hitrace') updater_only(` -updater ') -rgm_violator_ohos_capability_setgid -rgm_violator_cap_setgid -cap_violator_setgid } self:{ capability cap_userns } setgid; +neverallow { domain -init -chipset_init -rgm_violator_ohos_capability_setpcap } self:{ capability cap_userns } setpcap; +neverallow * self:{ capability cap_userns } linux_immutable; +neverallow { domain -wifi_manager_service -netsysnative } self:{ capability cap_userns } net_bind_service; +neverallow * self:{ capability cap_userns } net_broadcast; +neverallow { domain -init -appspawn -nativespawn -chipset_init -ueventd -wifi_hal_service -wifi_manager_service -softbus_server -netsysnative -storage_daemon -udevd -blue_host -netmanager -riladapter_host -bluetooth_service -cap_violator_netadmin -wifi_host -resource_schedule_service -rgm_violator_ohos_capability_netadmin } self:{ capability cap_userns } net_admin; +neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -netsysnative -cap_violator_netraw -distributedfiledaemon -wifi_host -rgm_violator_ohos_capability_netraw } self:{ capability cap_userns } net_raw; +neverallow { domain -hiperf } self:{ capability cap_userns } ipc_lock; +neverallow * self:{ capability cap_userns } ipc_owner; +neverallow { domain -cap_violator_sysmodule } self:{ capability cap_userns } sys_module; +neverallow { domain -init -chipset_init -cap_violator_sysrawio} self:{ capability cap_userns } sys_rawio; +neverallow { domain -init -chipset_init -appspawn -rgm_violator_ohos_capability_syschroot } self:{ capability cap_userns } sys_chroot; +neverallow { domain -appspawn -hiview -hidumper_service -memmgrservice -storage_daemon -hiprofiler_cmd -hiprofiler_plugins -native_daemon -hiperf + -foundation -cap_violator_sysptrace debug_only(`-hiebpf') -SP_daemon -rgm_violator_ohos_capability_sysptrace } self:{ capability cap_userns } sys_ptrace; +neverallow * self:{ capability cap_userns } sys_pacct; +neverallow { domain -init -chipset_init -storage_daemon -installs -appspawn -nwebspawn -nativespawn -cjappspawn -netsysnative -file_guard_server debug_only(`-hiprofiler_plugins -hiebpf') updater_only(`-updater') -rgm_violator_ohos_capability_sysadmin -rgm_violator_cap_sysadmin -module_update_service } self:{ capability cap_userns } sys_admin; +neverallow { domain -init -chipset_init } self:{ capability cap_userns } sys_boot; +neverallow { domain -render_service -cap_violator_sysnice -composer_host -a2dp_host -appspawn -blue_host } self:{ capability cap_userns } sys_nice; +neverallow { domain -init -chipset_init -memmgrservice -netsysnative debug_only(`-hiebpf') } self:{ capability cap_userns } sys_resource; +neverallow { domain -time_service updater_only(`-updater') } self:{ capability cap_userns } sys_time; +neverallow * self:{ capability cap_userns } sys_tty_config; +neverallow { domain -ueventd -kernel -storage_daemon -rgm_violator_ohos_capability_mknod } self:{ capability cap_userns } mknod; +neverallow * self:{ capability cap_userns } lease; +neverallow * self:{ capability cap_userns } audit_write; +neverallow * self:{ capability cap_userns } audit_control; +neverallow * self:{ capability cap_userns } setfcap; +neverallow * self:{ capability2 cap2_userns } mac_override; +neverallow * self:{ capability2 cap2_userns } mac_admin; +neverallow { domain -hiview -hilogd debug_only(`-hiperf') -cap_violator_syslog } self:{ capability2 cap2_userns } syslog; +neverallow { domain -time_service -cap_violator_wakealarm } self:{ capability2 cap2_userns } wake_alarm; +neverallow { domain -power_host } self:{ capability2 cap2_userns } block_suspend; +neverallow * self:{ capability2 cap2_userns } audit_read; +neverallow * self:{ capability2 cap2_userns } checkpoint_restore; +neverallow { domain -hiperf -cap_violator_perfmon debug_only(`-hiebpf') } self:{ capability2 cap2_userns } perfmon; + +#limit domain has exec_no_sign and exec_anon_mem permission +neverallow { domain developer_only(`-debug_hap -normal_hap') debug_only(`-su') -updater_binary -rgm_violator_exec_no_sign } self:xpm { exec_no_sign }; +neverallow { domain developer_only(`-debug_hap') debug_only(`-su') -isolated_render } self:xpm { exec_anon_mem }; diff --git a/prebuilts/api/5.0/base/public/file.te b/prebuilts/api/5.0/base/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..5500147110802eab31b2a8ab86c3f0cac27f7b12 --- /dev/null +++ b/prebuilts/api/5.0/base/public/file.te @@ -0,0 +1,329 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type labeledfs, fs_attr; +type pipefs, fs_attr; +type sockfs, fs_attr; +type rootfs, fs_attr; +type proc_file, fs_attr, proc_attr; +type proc_random, fs_attr, proc_attr; +type proc_panic, fs_attr, proc_attr; + +type unlabeled, fs_attr; +type devpts, fs_attr; +type tmpfs, fs_attr; +type shm, fs_attr; +type mqueue, fs_attr; +type sys_file, fs_attr, sysfs_attr; +type selinuxfs, fs_attr; +type cgroup, fs_attr; +type inotify, fs_attr; +type debugfs, fs_attr, debugfs_attr; +type configfs, fs_attr; +type functionfs, fs_attr; +type pstorefs, fs_attr; +type tracefs, fs_attr; +type hmdfs, fs_attr; +type epfs, fs_attr; +type sharefs, fs_attr; + +type updater_file, system_file_attr, file_attr; + +type config_file, system_file_attr, file_attr; +type system_lib_file, system_file_attr, file_attr; +type system_etc_file, system_file_attr, file_attr; +type system_hap_file, system_file_attr, file_attr; +type system_fonts_file, system_file_attr, file_attr; +type system_profile_file, system_file_attr, file_attr; +type system_usr_file, system_file_attr, file_attr; +type system_bin_file, system_file_attr, file_attr; + +type fontconfig_file, system_file_attr, file_attr; +type fonts_file, system_file_attr, file_attr; +type vendor_file, vendor_file_attr, file_attr; +type vendor_bin_file, vendor_file_attr, file_attr; +type vendor_lib_file, vendor_file_attr, file_attr; +type vendor_etc_file, vendor_file_attr, file_attr; + +type sysfs_rtc, fs_attr, sysfs_attr; +type system_file, system_file_attr, file_attr; +type lib_file, file_attr, rootfs_file_attr; +type etc_file, file_attr, rootfs_file_attr; +type dev_file, dev_attr, file_attr; + +type sys_prod_file, sys_prod_file_attr, file_attr; + +type chip_prod_file, chip_prod_file_attr, file_attr; +type chip_ckm_file, chip_ckm_file_attr, file_attr; + +type sysfs_block_file, sysfs_attr, fs_attr; +type sysfs_hisys_file, sysfs_attr, fs_attr; + +type sysfs_devices_system_cpu, sysfs_attr, fs_attr; +type sysfs_gadget_usb, sysfs_attr, fs_attr; +type sysfs_extcon, sysfs_attr, fs_attr; +type sysfs_leds, sysfs_attr, fs_attr; +type sysfs_net, sysfs_attr, fs_attr; +type sysfs_rfkill, sysfs_attr, fs_attr; +type sysfs_wakeup, sysfs_attr, fs_attr; + +type sysfs_block_loop, sysfs_attr, fs_attr; +type sysfs_block_zram, sysfs_attr, fs_attr; + +type sysfs_fs_ext4_features, sysfs_attr, fs_attr; +type sysfs_fs_f2fs, sysfs_attr, fs_attr; +type sysfs_autosleep, sysfs_attr, fs_attr; +type sysfs_state, sysfs_attr, fs_attr; +type sysfs_suspend_stats, sysfs_attr, fs_attr; +type sysfs_power, sysfs_attr, fs_attr; +type sysfs_wake_lck, sysfs_attr, fs_attr; +type sysfs_kernel_notes, sysfs_attr, fs_attr; +type sysfs_wakeup_reasons, sysfs_attr, fs_attr; +type sysfs_hctosys, sysfs_attr, fs_attr; +type sysfs_hungtask_userlist, sysfs_attr, fs_attr; + +type config_usb_gadget, fs_attr; + +type data_file, file_attr, data_file_attr; +type data_app_file, file_attr, data_file_attr, hap_file_attr; +type data_app_el1_file, file_attr, data_file_attr, hap_file_attr; +type data_app_el2_file, file_attr, data_file_attr, hap_file_attr; +type data_app_el3_file, file_attr, data_file_attr, hap_file_attr; +type data_app_el4_file, file_attr, data_file_attr, hap_file_attr; +type data_app_el5_file, file_attr, data_file_attr, hap_file_attr; +type data_service_file, file_attr, data_file_attr; +type data_service_el0_file, file_attr, data_file_attr; +type data_service_el1_file, file_attr, data_file_attr; +type data_service_el1_public_print_service_file, file_attr, data_file_attr; +type data_service_el2_file, file_attr, data_file_attr; +type data_service_el3_file, file_attr, data_file_attr; +type data_service_el4_file, file_attr, data_file_attr; +type data_service_el5_file, file_attr, data_file_attr; +type data_user_file, file_attr, data_file_attr; +type data_chipset_file, file_attr, data_file_attr; +type data_chipset_el1_file, file_attr, data_file_attr; +type data_chipset_el2_file, file_attr, data_file_attr; + +type data_accounts, file_attr, data_file_attr; +type data_ams_whitelist, file_attr, data_file_attr; +type data_appasec, file_attr, data_file_attr; +type data_appephemeral, file_attr, data_file_attr; +type data_applib, file_attr, data_file_attr; +type data_appprivate, file_attr, data_file_attr; +type data_appstaging, file_attr, data_file_attr; +type data_backup, file_attr, data_file_attr; +type data_bluetooth, file_attr, data_file_attr; +type data_startup, file_attr, data_file_attr; +type data_cache, file_attr, data_file_attr; +type data_data_file, file_attr, data_file_attr; +type data_drm, file_attr, data_file_attr; +type data_ethernet, file_attr, data_file_attr; +type data_filelog, file_attr, data_file_attr; +type data_init_agent, file_attr, data_file_attr; +type data_libinput, file_attr, data_file_attr; +type data_local, file_attr, data_file_attr; +type data_local_traces, file_attr, data_file_attr; +type data_local_tmp, file_attr, data_file_attr; +type data_local_arkcache, file_attr, data_file_attr; +type data_local_arkprofile, file_attr, data_file_attr; +type data_local_shadercache, file_attr, data_file_attr; +type data_log, file_attr, data_file_attr; +type data_media, file_attr, data_file_attr; +type data_mediadrm, file_attr, data_file_attr; +type data_misc, file_attr, data_file_attr; +type data_misc_ce, file_attr, data_file_attr; +type data_misc_de, file_attr, data_file_attr; +type data_nfc, file_attr, data_file_attr; +type data_ota, file_attr, data_file_attr; +type data_ota_package, file_attr, data_file_attr; +type data_parameters, file_attr, data_file_attr; +type data_preloads, file_attr, data_file_attr; +type data_resourcecache, file_attr, data_file_attr; +type data_sadata, file_attr, data_file_attr; +type data_sadata_de, file_attr, data_file_attr; +type data_samgr, file_attr, data_file_attr; +type data_ss, file_attr, data_file_attr; +type data_storage, file_attr, data_file_attr; +type data_system, file_attr, data_file_attr; +type data_system_ce, file_attr, data_file_attr; +type data_system_de, file_attr, data_file_attr; +type data_udev, file_attr, data_file_attr; +type data_multimodalinput, file_attr, data_file_attr; +type data_update_service_log, file_attr, data_file_attr; +type data_user, file_attr, data_file_attr; +type data_user_de, file_attr, data_file_attr; +type data_vendor, file_attr, data_file_attr; +type data_vendor_ce, file_attr, data_file_attr; +type data_vendor_de, file_attr, data_file_attr; +type data_updater, file_attr, data_file_attr; + +type proc_net, fs_attr, proc_attr; +type proc_net_tcp_udp, fs_attr, proc_attr; +type proc_asound_file, fs_attr, proc_attr; +type proc_bluetooth_file, fs_attr, proc_attr; +type proc_buddyinfo_file, fs_attr, proc_attr; +type proc_bus_file, fs_attr, proc_attr; +type proc_cgroups_file, fs_attr, proc_attr; +type proc_cmdline_file, fs_attr, proc_attr; +type proc_config_gz_file, fs_attr, proc_attr; +type proc_cpuinfo_file, fs_attr, proc_attr; +type proc_diskstats_file, fs_attr, proc_attr; +type proc_dynamic_debug_file, fs_attr, proc_attr; +type proc_filesystems_file, fs_attr, proc_attr; +type proc_fs_file, fs_attr, proc_attr; +type proc_gt9xx_config_file, fs_attr, proc_attr; +type proc_interrupts_file, fs_attr, proc_attr; +type proc_iomem_file, fs_attr, proc_attr; +type proc_keys_file, fs_attr, proc_attr; +type proc_kmsg_file, fs_attr, proc_attr; +type proc_loadavg_file, fs_attr, proc_attr; +type proc_meminfo_file, fs_attr, proc_attr; +type proc_misc_file, fs_attr, proc_attr; +type proc_modules_file, fs_attr, proc_attr; +type proc_mounts_file, fs_attr, proc_attr; +type proc_mpp_service_file, fs_attr, proc_attr; +type proc_pagetypeinfo_file, fs_attr, proc_attr; +type proc_partitions_file, fs_attr, proc_attr; +type proc_rkisp_vir0_file, fs_attr, proc_attr; +type proc_slabinfo_file, fs_attr, proc_attr; +type proc_softirqs_file, fs_attr, proc_attr; +type proc_stat_file, fs_attr, proc_attr; +type proc_swaps_file, fs_attr, proc_attr; +type proc_sysrq_trigger_file, fs_attr, proc_attr; +type proc_timer_list_file, fs_attr, proc_attr; +type proc_uptime_file, fs_attr, proc_attr; +type proc_version_file, fs_attr, proc_attr; +type proc_vmallocinfo_file, fs_attr, proc_attr; +type proc_vmstat_file, fs_attr, proc_attr; +type proc_zoneinfo_file, fs_attr, proc_attr; +type proc_boot_id, fs_attr, proc_attr; +type proc_max_user_watches, fs_attr, proc_attr; +type proc_developer_file, fs_attr, proc_attr; + + +type dev_parameters_file, dev_attr, file_attr; +type dev_block_file, dev_attr; +type updater_block_file, dev_attr; +type dev_bus_file, dev_attr; +type dev_bus_usb_file, dev_attr; +type dev_char_file, dev_attr; +type dev_dma_heap_file, dev_attr; +type dev_dri_file, dev_attr; +type dev_fscklogs_file, dev_attr; +type dev_graphics_file, dev_attr; +type dev_input_file, dev_attr; +type dev_pts_file, dev_attr; +type dev_snd_file, dev_attr; +type dev_socket_file, dev_attr; +type dev_unix_file, dev_attr, file_attr; +type dev_unix_socket, dev_attr, file_attr; +type appspawn_socket, dev_attr, file_attr; +type nwebspawn_socket, dev_attr, file_attr; +type fd_holder_socket, dev_attr, file_attr; +type hdcd_socket, dev_attr, file_attr; +type native_socket, dev_attr, file_attr; +type paramservice_socket, dev_attr, file_attr; +type dev_v_file, dev_attr; +type dev_at_file, dev_attr; +type dev_ashmem_file, dev_attr; +type dev_binder_file, dev_attr; +type dev_console_file, dev_attr; +type dev_cpu_dma_latency_file, dev_attr; +type dev_mgr_file, dev_attr; +type dev_svc_mgr_file, dev_attr; +type dev_fuse_file, dev_attr; +type dev_hdf_file, dev_attr; +type dev_hwbinder_file, dev_attr; +type dev_iio_file, dev_attr; +type dev_kmsg_file, dev_attr; +type dev_loop_control_file, dev_attr; +type dev_media_file, dev_attr; +type dev_rpmb_file, dev_attr; +type dev_random_file, dev_attr; +type dev_rtc_file, dev_attr; +type dev_tee_file, dev_attr; +type dev_ubi_file, dev_attr; +type dev_uhid_file, dev_attr; +type dev_tun_file, dev_attr; +type dev_vcs_file, dev_attr; +type dev_vhci_file, dev_attr; +type dev_video_file, dev_attr; +type dev_vndbinder_file, dev_attr; +type dev_watchdog_file, dev_attr; +type dev_zero_file, dev_attr; +type tty_device, dev_attr; +type dev_asanlog_file, dev_attr; + +type dev_hdf_i2c_mgr, dev_attr; +type dev_hdf_test, dev_attr; +type dev_i2c_test, dev_attr; +type dev_bbox, dev_attr; +type dev_bus, dev_attr; +type dev_dev_cec0, dev_attr; +type dev_full, dev_attr; +type dev_gpiochip, dev_attr; +type dev_hdf_audio_capture, dev_attr; +type dev_hdf_audio_codec_dev, dev_attr; +type dev_hdf_audio_codec_primary, dev_attr; +type dev_hdf_audio_codec_hdmi, dev_attr; +type dev_hdf_audio_control, dev_attr; +type dev_hdf_audio_render, dev_attr; +type dev_hdf_audio_smartpa, dev_attr; +type dev_hdf_bl, dev_attr; +type dev_hdf_disp, dev_attr; +type dev_hdf_input, dev_attr; +type dev_hdf_light, dev_attr; +type dev_hdf_misc_vibrator, dev_attr; +type dev_hdf_sensor_mgr, dev_attr; +type dev_hdf_usb_pnp, dev_attr; +type dev_hdmi_hdcplx, dev_attr; +type dev_hwrng, dev_attr; +type dev_i2c, dev_attr; +type dev_mali, dev_attr; +type dev_mem, dev_attr; +type dev_mpp, dev_attr; +type dev_pm_test, dev_attr; +type dev_port, dev_attr; +type dev_ptmx, dev_attr; +type dev_ptp, dev_attr; +type dev_rfkill, dev_attr; +type dev_rga, dev_attr; +type dev_sample_svc, dev_attr; +type dev_sched_rtg_ctrl, dev_attr; +type dev_auth_ctrl, dev_attr; +type dev_snapshot, dev_attr; +type dev_sw_sync, dev_attr; +type dev_usb_ffs, dev_attr; +type dev_uinput, dev_attr; +type dev_hdmi_hdcp1x, dev_attr; +type dev_xpm, dev_attr; + +type debugfs_kprobes, fs_attr, debugfs_attr; +type debugfs_wakeup_sources, fs_attr, debugfs_attr; +type debugfs_failed_transaction_log, fs_attr, debugfs_attr; +type debugfs_transactions, fs_attr, debugfs_attr; +type debugfs_transaction_log, fs_attr, debugfs_attr; +type debugfs_used, fs_attr, debugfs_attr; +type debugfs_state, fs_attr, debugfs_attr; +type debugfs_stats, fs_attr, debugfs_attr; + +type module_update_file, module_update_file_attr, file_attr; +type module_update_bin_file, module_update_file_attr, file_attr; +type module_update_lib_file, module_update_file_attr, file_attr; +type data_module_update, file_attr, data_file_attr; +type data_module_update_package, file_attr, data_file_attr; +type system_module_update_file, system_file_attr, file_attr; + +# for hyperhold +type zram_device, dev_attr; diff --git a/prebuilts/api/5.0/base/public/filesystem.te b/prebuilts/api/5.0/base/public/filesystem.te new file mode 100644 index 0000000000000000000000000000000000000000..51a0a31aca83046ea6afd65f337d40f593640fd5 --- /dev/null +++ b/prebuilts/api/5.0/base/public/filesystem.te @@ -0,0 +1,21 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow fs_attr self:filesystem associate; +allow file_attr labeledfs:filesystem associate; +allow dev_attr tmpfs:filesystem associate; + +neverallow storage_daemon ~{ exfat vfat ntfs hmdfs sharefs tmpfs labeledfs }:filesystem unmount; +neverallow appspawn ~{ labeledfs appspawn_unmount_filesystem_violators sharefs tmpfs dlp_fuse_file fuse_file proc_file proc_random }:filesystem unmount; +neverallow nwebspawn ~{ tmpfs labeledfs }:filesystem unmount; +neverallow hdcd ~{ labeledfs }:filesystem remount; diff --git a/prebuilts/api/5.0/base/public/foundation.te b/prebuilts/api/5.0/base/public/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c1e6f35efdedb9112ef36a56d89577d78c7290f5 --- /dev/null +++ b/prebuilts/api/5.0/base/public/foundation.te @@ -0,0 +1,19 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow foundation dev_ashmem_file:chr_file execute; + +# forbid ioctl cmd:binder_freeze, binder_get_frozen_info +neverallowxperm { domain -foundation } dev_binder_file:chr_file ioctl { 0x400c620e 0xc00c620f }; + +neverallow { domain -foundation -app_fwk_update_service -storage_manager developer_only(`-devicedebug') } appspawn_socket:sock_file write; diff --git a/prebuilts/api/5.0/base/public/glb_never_def.spt b/prebuilts/api/5.0/base/public/glb_never_def.spt new file mode 100644 index 0000000000000000000000000000000000000000..25c0c0cba4932af991b601b683eec60e9089eeb2 --- /dev/null +++ b/prebuilts/api/5.0/base/public/glb_never_def.spt @@ -0,0 +1,18 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`never_write_file', `{ append create link unlink relabelfrom rename setattr write }') +define(`never_rw_file', `{ never_write_file open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }') +define(`never_execute_file', `{ execute execute_no_trans}') +define(`never_rwx_file', `{ never_rw_file never_execute_file }') +define(`never_write_dir', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }') diff --git a/prebuilts/api/5.0/base/public/glb_perm_def.spt b/prebuilts/api/5.0/base/public/glb_perm_def.spt new file mode 100644 index 0000000000000000000000000000000000000000..209c5cde3d1be701ea7bb210275f5440f8bf4b9a --- /dev/null +++ b/prebuilts/api/5.0/base/public/glb_perm_def.spt @@ -0,0 +1,57 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`notdevfile_class_set',`{ fifo_file file lnk_file sock_file }') +define(`devfile_class_set',`{ blk_file chr_file }') +define(`file_class_set',`{ devfile_class_set notdevfile_class_set }') +define(`dir_file_class_set',`{ dir file_class_set }') + +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket +appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket +netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket +netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket +ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket +iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }') + +define(`dgram_socket_class_set',`{ udp_socket unix_dgram_socket }') +define(`stream_socket_class_set',`{ tcp_socket unix_stream_socket sctp_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }') + +# permission for ipc +define(`read_ipc_perms', `{ associate getattr read unix_read }') +define(`rw_ipc_perms', `{ read_ipc_perms unix_write write }') +define(`create_ipc_perms', `{ create destroy rw_ipc_perms setattr }') +define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') +define(`create_socket_perms', `{ create rw_socket_perms }') + +# permission for dir +define(`read_dir_perms', `{ getattr search open read lock ioctl watch watch_reads }') +define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') +define(`create_dir_perms',`{ create reparent rename rmdir setattr rw_dir_perms }') + +# permission for file +define(`read_file_perms',`{ getattr open read lock ioctl map watch watch_reads }') +define(`exec_file_perms',`{ getattr map execute execute_no_trans }') +define(`write_file_perms',`{ open write append lock map }') +define(`rw_file_perms',`{ write_file_perms read_file_perms }') +define(`create_file_perms',`{ create rename setattr unlink rw_file_perms }') + +# permission without ioctl for dir +define(`read_dir_perms_without_ioctl', `{ getattr search open read lock watch watch_reads }') +define(`rw_dir_perms_without_ioctl', `{ open read getattr lock search add_name remove_name write }') +define(`create_dir_perms_without_ioctl',`{ create reparent rename rmdir setattr rw_dir_perms_without_ioctl }') + +# permission without ioctl for file +define(`read_file_perms_without_ioctl',`{ getattr open read lock map watch watch_reads }') +define(`rw_file_perms_without_ioctl',`{ write_file_perms read_file_perms_without_ioctl }') +define(`create_file_perms_without_ioctl',`{ create rename setattr unlink rw_file_perms_without_ioctl }') diff --git a/prebuilts/api/5.0/base/public/glb_te_def.spt b/prebuilts/api/5.0/base/public/glb_te_def.spt new file mode 100644 index 0000000000000000000000000000000000000000..2b16f5ad7de3e2f0f69bb7f213bb07e8ee6c20bf --- /dev/null +++ b/prebuilts/api/5.0/base/public/glb_te_def.spt @@ -0,0 +1,119 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`domain_transition_pattern',` + allow $1 $2:file { getattr open map read execute ioctl }; + allow $1 $3:process transition; + allow $1 $3:process { siginh rlimitinh }; + allow $3 $2:file { entrypoint open read execute getattr map }; + dontaudit $1 $3:process noatsecure; +') + +define(`domain_auto_transition_pattern',` + domain_transition_pattern($1,$2,$3) + type_transition $1 $2:process $3; +') + +define(`init_daemon_domain', ` + domain_auto_transition_pattern(init, $1_exec, $1) +') + +define(`chipset_init_daemon_domain', ` + domain_auto_transition_pattern(chipset_init, $1_exec, $1) +') + +define(`appspawn _daemon_domain', ` + domain_auto_transition_pattern(appspawn, $1_exec, $1) +') + +define(`binder_call', ` + allow $1 $2:binder {call transfer}; + allow $2 $1:binder transfer; + allow $1 $2:fd use; +') + +define(`hdi_call', ` + binder_call($1, hdf_devmgr) + allow hdf_devmgr $1:dir { search }; + allow hdf_devmgr $1:process { getattr }; + allow hdf_devmgr $1:file { read open }; + allow $1 $2:hdf_devmgr_class { get }; +') + +define(`hap_set', ` + typeattribute $1 hap_domain; + neverallow $1 { domain -$1 }:file never_rw_file; + neverallow { hap_domain -$1 } $1:file never_rw_file; + neverallow { domain -$1 -processdump } $1:process ptrace; +') + +# policy only for developer version +# developer_only(` +# developer_only +# ') +# +define(`developer_only', ifelse(build_with_developer, `enable', $1, )) +# The macro non_developer_mode is expected to strengthen the expressiveness for +# SELinux policies. For example, + +# neverallow init data_local_tmp:dir { write add_name remove_name }; + +# in the developer mode, we'd like to allow init to create the directory +# /data/local/tmp/debugserver. Without this macro, it seems very hard to tweak +# the above rule to give the init process permissions, write and add_name. +# Nevertheless, by non_developer_mode, we can encompass rules only effective +# in the developer mode with it. Then, the above rule becoms, + +# neverallow init data_local_tmp:dir { +# non_developer_mode(`write add_name') remove_name }; +define(`non_developer_mode', ifelse(build_with_developer, `enable', , $1)) + +# policy only for debug version +# debug_only(` +# debug_policy +# ') +# +define(`debug_only', ifelse(build_with_debug, `enable', $1, )) + +# policy only for updater version +# updater_only(` +# updater_policy +# ') +# +define(`updater_only', ifelse(build_with_updater, `enable', $1, )) + +################### +## Macro define: ## +################### +define(`use_hilog', ` + allow $1 hilog_input_socket:sock_file write; + allow $1 hilogd:unix_dgram_socket sendto; +') + +define(`read_hilog', ` + allow $1 hilog_exec:file { getattr open read execute execute_no_trans map }; + allow $1 hilog_output_socket:sock_file write; + allow $1 hilogd:unix_stream_socket connectto; + allow $1 time_param:file { read open map }; +') + +define(`control_hilog', ` + allow $1 hilog_exec:file { getattr open read execute execute_no_trans map }; + allow $1 hilog_control_socket:sock_file write; + allow $1 hilogd:unix_stream_socket connectto; + allow $1 hilog_param:parameter_service { set }; +') + +define(`system_domain', `sadomain rgm_violator_sadomain hap_domain native_system_domain') + +define(`chipset_domain', `hdfdomain native_chipset_domain') diff --git a/prebuilts/api/5.0/base/public/hap_domain.te b/prebuilts/api/5.0/base/public/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..b0266383138767800bc73d7276d92e0427b3b8d9 --- /dev/null +++ b/prebuilts/api/5.0/base/public/hap_domain.te @@ -0,0 +1,242 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_core_hap, domain; +type system_basic_hap, domain; +type normal_hap, domain; +type debug_hap, domain, hap_domain, normal_hap_attr; + +typeattribute normal_hap hap_domain; +typeattribute normal_hap normal_hap_attr; + +neverallow normal_hap_attr { domain -normal_hap_attr }:file never_rw_file; +neverallow { hap_domain -normal_hap_attr } normal_hap_attr:file never_rw_file; +neverallow { domain -normal_hap_attr -processdump developer_only(`-lldb_server -hiperf -native_daemon') debug_only(`-hiperf') } normal_hap_attr:process ptrace; + +typeattribute system_core_hap hap_domain; +typeattribute system_core_hap system_core_hap_attr; + +neverallow system_core_hap_attr { domain -system_core_hap_attr }:file never_rw_file; +neverallow { hap_domain -system_core_hap_attr } system_core_hap_attr:file never_rw_file; +neverallow { domain -system_core_hap_attr -processdump debug_only(`-hiperf -native_daemon') } system_core_hap_attr:process ptrace; + +typeattribute system_basic_hap hap_domain; +typeattribute system_basic_hap system_basic_hap_attr; + +neverallow system_basic_hap_attr { domain -system_basic_hap_attr }:file never_rw_file; +neverallow { hap_domain -system_basic_hap_attr } system_basic_hap_attr:file never_rw_file; +neverallow { domain -system_basic_hap_attr -processdump debug_only(`-hiperf -native_daemon') } system_basic_hap_attr:process ptrace; + +neverallow hap_domain ~{ proc_attr tmpfs system_bin_file toybox_exec data_user_file hmdfs hap_domain rootfs lib_file system_lib_file vendor_lib_file sysfs_attr etc_file hap_domain_lnk_file_operation_viloator developer_only(`hnp_file_attr') }:lnk_file *; +neverallow hap_domain { proc_attr tmpfs system_bin_file rootfs lib_file system_lib_file vendor_lib_file sysfs_attr etc_file developer_only(`hnp_file_attr') }:lnk_file ~{ getattr read }; +neverallow hap_domain hap_domain:lnk_file ~{ read_file_perms }; +neverallow { hap_domain -hap_domain_lnk_file_violators } data_user_file:lnk_file *; +neverallow { hap_domain -hap_domain_lnk_file_violators } hmdfs:lnk_file *; + +type system_core_hap_data_file, system_core_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; +type system_basic_hap_data_file, system_basic_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; +type normal_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; + +type debug_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; + +allow hap_domain appspawn:fd use; +allow hap_domain appspawn:fifo_file write; +allow hap_domain appspawn:unix_dgram_socket { connect write }; +allow hap_domain self:process execmem; + +allow hap_domain data_app_el1_file:dir { add_name create open read search setattr write }; +allow hap_domain data_app_el1_file:file { getattr map open read }; +allow hap_domain data_app_el2_file:dir { add_name search read write create open remove_name setattr rmdir }; +allow hap_domain data_app_el2_file:file { create read write open lock ioctl unlink map setattr getattr rename }; +allow hap_domain data_app_file:dir search; +allow hap_domain data_file:dir { getattr open read search }; +#to remove +allow hap_domain data_file:file { create getattr ioctl lock map open read write rename setattr unlink write }; +allow hap_domain data_log:file { read write }; + +allow hap_domain sa_dataobs_mgr_service_service:binder { call }; +allow hap_domain sa_dataobs_mgr_service_service:samgr_class { get }; + +allow hap_domain self:ced { container_escape_check }; + +binder_call(hap_domain, samgr); +binder_call(hap_domain, render_service); +binder_call(hap_domain, param_watcher); +binder_call(hap_domain, multimodalinput); +binder_call(hap_domain, inputmethod_service); +binder_call(hap_domain, foundation); +binder_call(hap_domain, powermgr); +binder_call(hap_domain, accessibility); +binder_call(hap_domain, hiview); + +allow hap_domain hdf_devmgr:binder call; + +#neverallow +#never use caps for haps. +neverallow hap_domain self:{ capability capability2 } *; + +#haps can't modify files of other domain. +neverallow hap_domain { domain -hap_domain }:file never_write_file; + +neverallow hap_domain { domain -hap_domain }:file never_rw_file; + +neverallow hap_domain vendor_file_attr:dir never_write_dir; +#limit hap access vendor. +neverallow hap_domain { vendor_file_attr -vendor_lib_file -vendor_etc_vulkan_file -vendor_etc_graphic_xengine_file_violator_dir_open_read_serach }:{ file fifo_file lnk_file sock_file } *; + +#hap never access blk_file. +neverallow hap_domain dev_attr:blk_file open; +neverallow hap_domain dev_attr:blk_file read; +neverallow hap_domain dev_attr:blk_file write; +neverallow hap_domain dev_attr:blk_file ioctl; + +#limit hap access dev file. +neverallow hap_domain { dev_attr -dev_ptmx -dev_ucollection -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file + -dev_zero_file -dev_mali -tty_device -dev_fuse_file -dev_bbox + -dev_tun_file -dev_attr_violator_chr_file_rw -dev_bus_usb_file -dev_usb_accessory_file }:chr_file { open ioctl read write}; + +neverallow { hap_domain -hap_domain_dev_ptmx_violators } dev_ptmx:chr_file { open ioctl read write}; + +neverallow normal_hap { dev_attr -dev_at_file -dev_bbox -dev_binder_file -dev_null_file -dev_random_file -dev_zero_file -dev_ucollection + -dev_attr_violator_chr_file_rw -dev_ashmem_file -dev_dri_file -dev_mali }:chr_file open; + +neverallow normal_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_null_file -dev_random_file -dev_tun_file -dev_zero_file + -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file -dev_usb_accessory_file }:chr_file read; + +neverallow normal_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_bbox -dev_binder_file -dev_null_file -dev_random_file -dev_tun_file -dev_zero_file + -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file -dev_usb_accessory_file }:chr_file write; + +neverallow normal_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_bbox -dev_binder_file -dev_null_file -dev_random_file -dev_zero_file + -dev_ucollection -dev_attr_violator_chr_file_rw -dev_dri_file -dev_mali -dev_bus_usb_file }:chr_file ioctl; + +neverallow normal_hap dev_attr:sock_file open; + +neverallow normal_hap { dev_attr -dnsproxy_service -fwmark_service }:sock_file read; + +neverallow normal_hap { dev_attr -dev_unix_file -dev_unix_socket -dnsproxy_service -faultloggerd_socket -fwmark_service -hiprofiler_socket + -hilog_output_socket -hilog_input_socket -hilog_control_pub_socket -hisysevent_socket -dev_file -native_socket }:sock_file write; + +neverallow normal_hap dev_attr:sock_file ioctl; + +neverallow normal_hap { dev_attr -dev_parameters_file -dev_asanlog_file -dev_attr_violator_file_rw }:file open; + +neverallow normal_hap { dev_attr -dev_parameters_file -dev_asanlog_file -dev_attr_violator_file_rw }:file read; + +neverallow normal_hap { dev_attr -dev_asanlog_file -dev_attr_violator_file_rw }:file write; + +neverallow normal_hap { dev_attr -dev_parameters_file -dev_asanlog_file }:file ioctl; + +neverallow { hap_domain -system_basic_hap_attr } dev_tun_file:chr_file { open ioctl }; + +neverallow hap_domain dev_bbox:chr_file { read }; +#avc denied {ioctl} ino=71 ioctlcmd=0x426a 0x426d scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:dev_bbox:s0 tclass=chr_file permissive=0 +neverallowxperm hap_domain dev_bbox:chr_file ioctl ~{ 0xab01 0xab04 0xab09 0xad01 0xaf04 0xaf06 0xaf08 0x426a 0x426d }; +neverallowxperm hap_domain dev_bus_usb_file:chr_file ioctl ~{ 0x5500 0x5504 0x5505 0x5508 0x550a 0x550b 0x550d 0x550f 0x5510 0x5511 0x5512 0x5514 + 0x5515 0x5516 0x5517 0x551a 0x551b 0x551c 0x551d 0x551e 0x551f }; +neverallow { hap_domain -dev_fuse_file_violator -dlpmanager_hap } dev_fuse_file:chr_file { open ioctl read write}; + +#limit hap use kobject netlink. +neverallow hap_domain domain:netlink_kobject_uevent_socket { write append }; + +#no use ptrace +neverallow hap_domain { domain -hap_domain }:process ptrace; +neverallow { domain -hap_domain -processdump developer_only(`-lldb_server -hiperf -native_daemon') debug_only(`-hiperf') } hap_domain:process ptrace; + +#hap don't bother other domain. +neverallow hap_domain { domain -hap_domain }:process { sigkill sigstop signal }; + +#file acess limit. +neverallow hap_domain rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow hap_domain system_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow hap_domain { file_attr -data_file_attr -dev_attr }:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow { hap_domain -system_core_hap_attr -isolated_render } system_core_hap_data_file_attr:dir_file_class_set { create setattr relabelfrom relabelto append unlink link rename }; + +neverallow { hap_domain -system_basic_hap_attr -isolated_render } system_basic_hap_data_file_attr:dir_file_class_set { create setattr relabelfrom relabelto append unlink link rename }; + +# dir_file_class_set defines { dir { { blk_file chr_file } { fifo_file file lnk_file sock_file } } }, need to subtract file +neverallow { isolated_render } system_core_hap_data_file_attr: { dir blk_file chr_file fifo_file lnk_file sock_file } { create write setattr relabelfrom relabelto append unlink link rename }; + +# dir_file_class_set defines { dir { { blk_file chr_file } { fifo_file file lnk_file sock_file } } }, need to subtract file +neverallow { isolated_render } system_basic_hap_data_file_attr: { dir blk_file chr_file fifo_file lnk_file sock_file } { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow hap_domain { sysfs_attr proc_attr }:dir_file_class_set write; + +neverallow hap_domain exec_attr:file { create write setattr relabelfrom relabelto append unlink link rename }; + +#Access /proc/kmsg +neverallow hap_domain kernel:system { syslog_read syslog_mod syslog_console }; + +#SELinux is not an API for haps to use. +neverallow { hap_domain } *:security { compute_av check_context }; + +#Ability to perform any filesystem operation other than statfs(2). +neverallow hap_domain fs_attr:filesystem ~getattr; + +#limit access to system_core_hap_data_file +neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -download_server -system_core_hap_data_file_attr_violator_dir -distributedfiledaemon updater_only(`-updater') } system_core_hap_data_file_attr:dir_file_class_set { create unlink open }; + +neverallow { system_basic_hap_attr normal_hap_attr } system_core_hap_data_file_attr:dir_file_class_set { create unlink open }; + +#limit access to system_basic_hap_data_file +neverallow { domain -appspawn -hap_domain -installs -storage_daemon -distributeddata -hiview -download_server -system_basic_hap_data_file_attr_violator_dir -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt updater_only(`-updater') } system_basic_hap_data_file_attr:dir_file_class_set { create unlink open }; + +neverallow { normal_hap_attr -normal_hap_system_basic_hap_data_file_violators } system_basic_hap_data_file_attr:dir_file_class_set { create unlink open }; + +#limit access to normal_hap_data_file_attr +neverallow { domain -hap_domain -installs -distributeddata -storage_daemon -hiview -download_server developer_only(`-input_isolate_debug_hap') -input_isolate_hap -appspawn -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt -rgm_violator_normal_hap_data_file_attr_dir_file_create_unlink updater_only(`-updater') } normal_hap_data_file_attr:dir_file_class_set { create unlink }; + +neverallow { domain -hap_domain -installs -appspawn -nwebspawn -nativespawn -cjappspawn -distributeddata -storage_daemon -hiview -download_server developer_only(`-input_isolate_debug_hap') -input_isolate_hap -cloudfiledaemon -normal_hap_data_file_attr_violator_dir -rgm_violator_normal_hap_data_file_attr_dir -distributedfiledaemon -pasteboard_service developer_only(`-hdcd') updater_only(`-updater') } normal_hap_data_file_attr:dir *; + +neverallow { domain -hap_domain -installs -distributeddata -storage_daemon -hiview -download_server -input_isolate_hap -cloudfiledaemon -normal_hap_data_file_attr_violator_file_open -rgm_violator_normal_hap_data_file_attr_file_open -distributedfiledaemon -file_migrate_hap_data_file_attr_violator_opt developer_only(`-hdcd -input_isolate_debug_hap') updater_only(`-updater') } normal_hap_data_file_attr:file_class_set open; + +neverallow { domain -installs -appspawn -normal_hap_data_file_attr_violator_relabel } normal_hap_data_file_attr:dir_file_class_set { relabelfrom relabelto }; + +neverallow hap_domain { domain -hap_domain -processdump }:process transition; +neverallow hap_domain { domain -hap_domain }:process dyntransition; + +neverallow hap_domain domain:{ netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket } *; + +neverallow hap_domain domain:netlink_kobject_uevent_socket { write append }; + +neverallow hap_domain *:netlink_selinux_socket *; + +neverallow hap_domain dev_input_file:chr_file ~getattr; + +neverallow hap_domain hdcd_socket:sock_file write; + +# can't execute data file unless hap. +neverallow { domain -hap_domain -nwebspawn -cupsd -print_driver developer_only(`-data_file_attr_violator_exec -hnp_native')} { data_file_attr }:file { execute_no_trans }; +neverallow { domain -hap_domain -nwebspawn -isolated_render -cupsd -print_driver -sane_service -input_isolate_hap developer_only(`-data_file_attr_violator_exec -uitest -input_isolate_debug_hap -hnp_native')} data_file_attr:file { execute }; + +neverallow hap_domain rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow hap_domain system_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +# limit access to /data/(*)? first level.todo +#neverallow hap_domain data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow { hap_domain -system_basic_hap_attr } data_app_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; + +neverallow hap_domain proc_file:dir_file_class_set write; + +neverallow * { file_attr -hap_file_attr }:file execmod; + +neverallow hap_domain exec_attr:file { create write setattr relabelfrom relabelto append unlink link rename }; + +#normal_hap or selfdefine should be forbidden to set parameters. +neverallow { hap_domain -system_core_hap_attr -system_basic_hap_attr } init:unix_stream_socket connectto; + +neverallow hiview normal_hap_data_file_attr:file read; +neverallow hiview system_basic_hap_data_file_attr:file read; diff --git a/prebuilts/api/5.0/base/public/hdcd.te b/prebuilts/api/5.0/base/public/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..0450445988c626a4ec5d3ef6ab7da5d9adff27a1 --- /dev/null +++ b/prebuilts/api/5.0/base/public/hdcd.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#for debugging +#for debugging + +neverallow hdcd self:perf_event ~{ open read write kernel }; + +neverallow hdcd dev_input_file:chr_file never_write_file; + +neverallow hdcd { dev_fuse_file dev_port }:chr_file ~getattr; diff --git a/prebuilts/api/5.0/base/public/init.te b/prebuilts/api/5.0/base/public/init.te new file mode 100644 index 0000000000000000000000000000000000000000..702737266bcd998c08da50398bc124fc11739a67 --- /dev/null +++ b/prebuilts/api/5.0/base/public/init.te @@ -0,0 +1,41 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +allow init domain:{ unix_stream_socket unix_dgram_socket } { create bind setopt }; + +neverallow init data_local_tmp:dir { non_developer_mode(`write add_name') remove_name }; +neverallow { domain -kernel } init:process dyntransition; +neverallow { domain -kernel } init:process transition; + +neverallow init { domain debug_only(`-domain')}:process {noatsecure}; +debug_only(`neverallow init processdump:process {noatsecure};') + +neverallow { domain -processdump } init:process ptrace; + +neverallow init self:perf_event { kernel tracepoint read write }; + +neverallow init hap_file_attr:lnk_file read; +neverallow init data_local_tmp:lnk_file read; + +neverallow init { file_attr fs_attr -init_exec }:file entrypoint; + +neverallow init domain:{ tcp_socket rawip_socket } *; +neverallow init domain:udp_socket ~{ ioctl create }; + +#todo +# system_bin_file need to fix +neverallow init { file_attr fs_attr -system_bin_file -toybox_exec -sdc_exec -hnp_exec updater_only(`-rootfs') -system_bin_file_quickfix -init_module_system_bin_file -bootanimation_exec}:file execute_no_trans; + +#todo +#neverallow init sys_file:file { open read write }; diff --git a/prebuilts/api/5.0/base/public/installs.te b/prebuilts/api/5.0/base/public/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..36d0edec4c561255d731a6732ed2ecb508ed0545 --- /dev/null +++ b/prebuilts/api/5.0/base/public/installs.te @@ -0,0 +1,18 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -samgr -foundation -binder_call_installs_violators} installs:binder call; + +neverallow installs { domain -el5_filekey_manager -installs_binder_violator -samgr -storage_manager -compiler_service -local_code_sign -accesstoken_service }:binder call; + +allow installs data_service_el2_file:dir { relabelfrom }; diff --git a/prebuilts/api/5.0/base/public/ioctl_def.te b/prebuilts/api/5.0/base/public/ioctl_def.te new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/base/public/kernel.te b/prebuilts/api/5.0/base/public/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..94822a2d8fd566dc3dff9ddf8fd48200001475e7 --- /dev/null +++ b/prebuilts/api/5.0/base/public/kernel.te @@ -0,0 +1,19 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow * kernel:process { transition dyntransition }; +neverallow * kernel:process ptrace; + +neverallow kernel *:file { entrypoint execute_no_trans }; + + diff --git a/prebuilts/api/5.0/base/public/normal_hap.te b/prebuilts/api/5.0/base/public/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..33e9b7947eb49e47ad935ece58122445ae82dacc --- /dev/null +++ b/prebuilts/api/5.0/base/public/normal_hap.te @@ -0,0 +1,86 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow normal_hap_attr data_local_traces:dir *; +neverallow normal_hap_attr *:{ socket netlink_socket packet_socket appletalk_socket netlink_tcpdiag_socket +netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket +netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket +netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket ax25_socket +ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket +irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket +isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket +qipcrtr_socket smc_socket xdp_socket } *; + +neverallow normal_hap_attr domain:netlink_kobject_uevent_socket *; + +neverallow normal_hap_attr *:{ netlink_route_socket netlink_selinux_socket } ioctl; + +neverallow normal_hap_attr { domain }:netlink_route_socket { bind nlmsg_readpriv }; + +neverallow normal_hap_attr *:{ netlink_route_socket netlink_selinux_socket } ioctl; + +#neverallowxperm normal_hap domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl + +neverallow normal_hap_attr dev_kmsg_file:chr_file never_rw_file; + +neverallow { normal_hap_attr -dev_fuse_file_violator -dlpmanager_hap} dev_fuse_file:chr_file *; + +neverallow normal_hap_attr debugfs_attr:file read; + +neverallow normal_hap_attr { normal_hap_data_file_attr system_core_hap_data_file_attr }:file execute_no_trans; + +neverallow { normal_hap_attr -hap_attr_link_violators } file_attr:file link; + +neverallow normal_hap_attr sysfs_attr:file { never_write_file never_execute_file }; + +neverallow normal_hap_attr sys_file:file never_rw_file; + +typeattribute system_core_hap proc_violator; +typeattribute system_basic_hap proc_violator; + +neverallow { hap_domain -proc_violator } { proc_file proc_asound_file proc_kmsg_file proc_loadavg_file proc_mounts_file proc_pagetypeinfo_file proc_slabinfo_file + proc_swaps_file proc_uptime_file proc_version_file proc_vmallocinfo_file proc_vmstat_file }:file { never_rwx_file }; + +neverallow { hap_domain -proc_violator -hap_domain_proc_stat_file_violators } proc_stat_file:file { never_rwx_file }; + +neverallow normal_hap_attr proc_filesystems_file:file { never_rwx_file }; + +neverallow normal_hap_attr proc_config_gz_file:file { never_rwx_file }; + +#expand to system_file_attr +neverallow normal_hap_attr system_file_attr:file lock; + +# neverallow normal_hap_attr selinuxfs:file never_rw_file; +neverallow hap_domain selinuxfs:file never_rw_file; +neverallow sh selinuxfs:file { write }; + +neverallow { normal_hap_attr -hap_domain_cgroup_violators } cgroup:file *; + +#todo closing for debug building. +neverallow normal_hap_attr debugfs_attr:{ file lnk_file } read; + +neverallow normal_hap_attr domain:netlink_socket *; + +neverallow normal_hap_attr domain:netlink_kobject_uevent_socket *; + +neverallow normal_hap_attr proc_net:file rw_file_perms; +neverallow normal_hap_attr proc_net:dir ~{ getattr }; + +# neverallow normal_hap sh restorecon +neverallow { sh debug_only(`-sh') normal_hap_attr } *:dir_file_class_set { relabelto relabelfrom }; + +neverallow normal_hap_attr { dev_block_volfile dev_block_file dev_bus dev_char_file dev_pts_file dev_snd_file dev_unix_file dev_v_file }:file { open read }; + +neverallow { normal_hap_attr -hap_domain_proc_stat_file_violators -hap_domain_proc_modules_file_violators } { proc_attr -proc_meminfo_file -proc_max_user_watches -proc_boot_id -proc_cpuinfo_file -proc_cmdline_file }:file { open read }; + +neverallow hap_domain proc_attr:file write; diff --git a/prebuilts/api/5.0/base/public/parameter.te b/prebuilts/api/5.0/base/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..e3f56fd797b8d037f2f714bf5127e02ddfc77f5f --- /dev/null +++ b/prebuilts/api/5.0/base/public/parameter.te @@ -0,0 +1,75 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type ohos_param, parameter_attr; +type ohos_boot_param, parameter_attr; +type ohos_dev_param, parameter_attr; +type sys_param, parameter_attr; +type sys_usb_param, parameter_attr; +type net_param, parameter_attr; +type net_tcp_param, parameter_attr; +type hw_sc_param, parameter_attr; +type hw_sc_build_param, parameter_attr; +type hw_sc_build_os_param, parameter_attr; +type init_param, parameter_attr; +type init_svc_param, parameter_attr; +type const_param, parameter_attr; +type const_postinstall_param, parameter_attr; +type const_postinstall_fstab_param, parameter_attr; +type const_allow_param, parameter_attr; +type const_allow_mock_param, parameter_attr; +type const_build_param, parameter_attr; +type const_product_param, parameter_attr; +type security_param, parameter_attr; +type hilog_param, parameter_attr; +type hook_param, parameter_attr; +type persist_param, parameter_attr; +type persist_sys_param, parameter_attr; +type debug_param, parameter_attr; +type default_param, parameter_attr; +type accessibility_param, parameter_attr; +type musl_param, parameter_attr; + +type build_version_param, parameter_attr; +type startup_param, parameter_attr; +type bootevent_param, parameter_attr; +type servicectrl_param, parameter_attr; +type servicectrl_reboot_param, parameter_attr; +type startup_init_param, parameter_attr; +type startup_appspawn_param, parameter_attr; +type startup_uevent_param, parameter_attr; +type devinfo_private_param, parameter_attr; +type devinfo_public_param, parameter_attr; +type const_telephony_param, parameter_attr; +type telephony_param, parameter_attr; +type bootevent_wms_param, parameter_attr; +type dhardware_dm_param, parameter_attr; +type persist_audio_param, parameter_attr; +type arkcompiler_param, parameter_attr; +type arkui_param, parameter_attr; +type inputmethod_param, parameter_attr; +type pasteboard_param, parameter_attr; +type time_param, parameter_attr; +type accesstoken_perm_param, parameter_attr; +type ffrt_param, parameter_attr; +type hiviewdfx_profiler_param, parameter_attr; +type hiviewdfx_hiview_param, parameter_attr; +type bluetooth_param, parameter_attr; +type print_param, parameter_attr; +type i18n_param, parameter_attr; +type const_i18n_param, parameter_attr; +type hichecker_writable_param, parameter_attr; +# avc: denied { relabelfrom } for pid=1 comm="init" path="/dev/__paramerters__/u:object_r:hilog_private_param:s0" dev=""ino=218 scontext=u:r:init:s0 tcontext=u:object_r:hilog_private_param:s0 tclass=file permissive=0 +allow init parameter_attr:file { relabelto relabelfrom }; +allow parameter_attr tmpfs:filesystem associate; + diff --git a/prebuilts/api/5.0/base/public/parameter_contexts b/prebuilts/api/5.0/base/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..20a39d9f516bc1642a138ee383c27b18e4a279da --- /dev/null +++ b/prebuilts/api/5.0/base/public/parameter_contexts @@ -0,0 +1,76 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ohos.servicectrl. u:object_r:servicectrl_param:s0 +ohos.servicectrl.reboot. u:object_r:servicectrl_reboot_param:s0 +ohos.boot. u:object_r:ohos_boot_param:s0 +bootevent. u:object_r:bootevent_param:s0 +startup.device. u:object_r:servicectrl_reboot_param:s0 + +const.build. u:object_r:devinfo_public_param:s0 +const.SystemCapability. u:object_r:devinfo_public_param:s0 +const.product. u:object_r:devinfo_public_param:s0 +const.ohos. u:object_r:devinfo_public_param:s0 +bootevent.boot.completed u:object_r:devinfo_public_param:s0 + +startup.service.ctl. u:object_r:startup_init_param:s0 +const.debuggable u:object_r:startup_init_param:s0 +persist.init. u:object_r:startup_init_param:s0 +startup.appspawn. u:object_r:startup_appspawn_param:s0 +startup.uevent. u:object_r:startup_uevent_param:s0 +ohos.boot.sn u:object_r:devinfo_private_param:s0 +const.product.udid u:object_r:devinfo_private_param:s0 +const.product.devUdid u:object_r:devinfo_private_param:s0 +persist.appspawn. u:object_r:startup_appspawn_param:s0 + +sys. u:object_r:sys_param:s0 +net. u:object_r:net_param:s0 +net.tcp. u:object_r:net_tcp_param:s0 +const.postinstall. u:object_r:const_postinstall_param:s0 +const.postinstall.fstab. u:object_r:const_postinstall_fstab_param:s0 +const.allow. u:object_r:const_allow_param:s0 +const.allow.mock. u:object_r:const_allow_mock_param:s0 +security. u:object_r:security_param:s0 +hilog. u:object_r:hilog_param:s0 +hilog.private.on u:object_r:hilog_private_param:s0 +hilog.debug.on u:object_r:hilog_private_param:s0 +persist.sys.hilog.debug.on u:object_r:hilog_private_param:s0 +libc.hook_mode u:object_r:hook_param:s0 +persist. u:object_r:persist_param:s0 +persist.sys. u:object_r:persist_sys_param:s0 +persist.sys.hilog. u:object_r:hilog_param:s0 +debug. u:object_r:debug_param:s0 +debug.hitrace. u:object_r:hiviewdfx_profiler_param:s0 +accessibility.config.ready u:object_r:accessibility_param:s0 +musl. u:object_r:musl_param:s0 +const.telephony. u:object_r:const_telephony_param:s0 +persist.telephony. u:object_r:telephony_param:s0 +telephony. u:object_r:telephony_param:s0 +print. u:object_r:print_param:s0 +bootevent.wms. u:object_r:bootevent_wms_param:s0 +ffrt. u:object_r:ffrt_param:s0 +hiviewdfx.hiperf. u:object_r:hiviewdfx_profiler_param:s0 +hiviewdfx.hiprofiler. u:object_r:hiviewdfx_profiler_param:s0 +hiviewdfx.hichecker. u:object_r:hichecker_writable_param:s0 + +persist.distributed_hardware.device_manager.discover_status u:object_r:dhardware_dm_param:s0 +persist.multimedia.audio. u:object_r:persist_audio_param:s0 +persist.ark. u:object_r:arkcompiler_param:s0 +persist.ace. u:object_r:arkui_param:s0 +persist.sys.default_ime u:object_r:inputmethod_param:s0 +persist.pasteboard. u:object_r:pasteboard_param:s0 +persist.time. u:object_r:time_param:s0 +accesstoken.permission. u:object_r:accesstoken_perm_param:s0 +persist.bluetooth. u:object_r:bluetooth_param:s0 +persist.global. u:object_r:i18n_param:s0 +const.global. u:object_r:const_i18n_param:s0 diff --git a/prebuilts/api/5.0/base/public/sadomain.te b/prebuilts/api/5.0/base/public/sadomain.te new file mode 100644 index 0000000000000000000000000000000000000000..3d2ef80b90dd08f936ad58ec8a36fead65edb0bc --- /dev/null +++ b/prebuilts/api/5.0/base/public/sadomain.te @@ -0,0 +1,38 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sadomain samain_exec:file read_file_perms; +allow sadomain samain_exec:file { entrypoint execute }; +allow sadomain samgr:binder { call transfer }; + +allow sadomain system_profile_file:file read_file_perms; + +# add mmap permission for sa +allow sadomain system_file:file { map open read getattr}; +allow sadomain sys_prod_file:file { map open read getattr}; +allow sadomain vendor_file:file { map open read getattr}; +allow sadomain chip_prod_file:file { map open read getattr}; +allow sadomain data_app_el1_file:file { map open read getattr}; + +allow sadomain sa_dataobs_mgr_service_service:binder { call }; +allow sadomain sa_dataobs_mgr_service_service:samgr_class { get }; +# neverallow +# only samgr can be the mgr for binder. +neverallow { domain -samgr } self:binder set_context_mgr; +# let every sa join sadomain +# TODO:remove hdfdomain after SA dynamic loading support. +neverallow { domain -sadomain -SP_daemon -init -ark_aot_compiler -hap_domain -isolated_render -input_isolate_hap -hdfdomain -samgr_binder_violator -key_enable developer_only(`-bm -input_isolate_debug_hap -uitest -edm -wukong') debug_only(`-edm') } samgr:binder transfer; + +neverallow { sadomain hap_domain } dev_tee_file:chr_file { open read append write ioctl }; + +neverallow { sadomain hap_domain } dev_iio_file:chr_file { open read append write ioctl }; diff --git a/prebuilts/api/5.0/base/public/sehap_contexts b/prebuilts/api/5.0/base/public/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5847bfb03b43261225187f8aa29ff5f77574393a --- /dev/null +++ b/prebuilts/api/5.0/base/public/sehap_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=system_core domain=system_core_hap type=system_core_hap_data_file +apl=system_basic domain=system_basic_hap type=system_basic_hap_data_file +apl=normal domain=normal_hap type=normal_hap_data_file +apl=normal debuggable=true domain=debug_hap type=debug_hap_data_file diff --git a/prebuilts/api/5.0/base/public/service.te b/prebuilts/api/5.0/base/public/service.te new file mode 100644 index 0000000000000000000000000000000000000000..70ac7df39d711966399647245e446c1ae134e4f2 --- /dev/null +++ b/prebuilts/api/5.0/base/public/service.te @@ -0,0 +1,233 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type default_service, sa_service_attr; +type sa_samgr_service, sa_service_attr; +type sa_foundation_abilityms, sa_service_attr; +type sa_accountmgr, sa_service_attr; +type sa_foundation_bms, sa_service_attr; +type sa_foundation_appms, sa_service_attr; +type sa_accessibleabilityms, sa_service_attr; +type sa_wifi_device_ability, sa_service_attr; +type sa_wifi_hotspot_ability, sa_service_attr; +type sa_wifi_p2p_ability, sa_service_attr; +type sa_wifi_scan_ability, sa_service_attr; +type sa_dhcp_client, sa_service_attr; +type sa_dhcp_server, sa_service_attr; +type sa_bluetooth_server, sa_service_attr; +type sa_net_conn_manager, sa_service_attr; +type sa_netsys_native_manager, sa_service_attr; +type sa_distributeddata_service, sa_service_attr; +type sa_distributeschedule, sa_service_attr; +type sa_resource_schedule, sa_service_attr; +type sa_concurrent_task_service, sa_service_attr; +type sa_bgtaskmgr, sa_service_attr; +type sa_resource_schedule_socperf_server, sa_service_attr; +type sa_locationhub_lbsservice_gnss, sa_service_attr; +type sa_locationhub_lbsservice_network, sa_service_attr; +type sa_locationhub_lbsservice_passive, sa_service_attr; +type sa_msdp_devicestatus_service, sa_service_attr; +type sa_pulseaudio_audio_service, sa_service_attr; +type sa_media_service, sa_service_attr; +type sa_audio_policy_service, sa_service_attr; +type sa_multimodalinput_service, sa_service_attr; +type sa_foundation_ans, sa_service_attr; +type sa_foundation_cesfwk_service, sa_service_attr; +type sa_powermgr_powermgr_service, sa_service_attr; +type sa_powermgr_battery_service, sa_service_attr; +type sa_powermgr_batterystats_service, sa_service_attr; +type sa_powermgr_thermal_service, sa_service_attr; +type sa_powermgr_displaymgr_service, sa_service_attr; +type sa_accesstoken_manager_service, sa_service_attr; +type sa_token_sync_manager_service, sa_service_attr; +type sa_sensor_service, sa_service_attr; +type sa_miscdevice_service, sa_service_attr; +type sa_time_service, sa_service_attr; +type sa_inputmethod_service, sa_service_attr; +type sa_param_watcher, sa_service_attr; +type sa_foundation_tel_call_manager, sa_service_attr; +type sa_telephony_tel_cellular_call, sa_service_attr; +type sa_telephony_tel_core_service, sa_service_attr; +type sa_telephony_tel_ims, sa_service_attr; +type sa_softbus_service, sa_service_attr; +type sa_foundation_devicemanager_service, sa_service_attr; +type sa_storage_manager_service, sa_service_attr; +type sa_device_service_manager, sa_service_attr; + +type sa_subsys_ccruntime_service, sa_service_attr; +type sa_subsys_aafwk_service, sa_service_attr; +type sa_subsys_communication_service, sa_service_attr; +type sa_rpc_unregistered_test_service, sa_service_attr; +type sa_rpc_test_service, sa_service_attr; +type sa_rpc_test_service2, sa_service_attr; +type sa_ipc_msg_sev, sa_service_attr; +type sa_ipc_msg_unregistered_server, sa_service_attr; +type sa_ipc_msg_repeat_server, sa_service_attr; +type sa_ipc_msg_server, sa_service_attr; +type sa_ipc_test_service, sa_service_attr; +type sa_ipc_extra_test_service, sa_service_attr; +type sa_wifi_enhancer_service, sa_service_attr; +type sa_nfc_manager_service, sa_service_attr; +type sa_net_manager_service, sa_service_attr; + +type sa_comm_net_stats_manager_service, sa_service_attr; +type sa_comm_net_tethering_manager_service, sa_service_attr; +type sa_comm_vpn_manager_service, sa_service_attr; +type sa_comm_dns_manager_service, sa_service_attr; +type sa_comm_ethernet_manager_service, sa_service_attr; +type sa_comm_mdns_manager_service, sa_service_attr; +type sa_discover_service, sa_service_attr; +type sa_ability_tools_service, sa_service_attr; +type sa_dnet_service, sa_service_attr; +type sa_smart_comm_service, sa_service_attr; +type sa_subsys_dfx_service, sa_service_attr; + + +type sa_subsys_distributeddatamng_service, sa_service_attr; +type sa_distributed_fs_daemon_service, sa_service_attr; +type sa_distributed_fs_meta_service, sa_service_attr; +type sa_distributed_fs_storage_service, sa_service_attr; +type sa_subsys_distributedschedule_service, sa_service_attr; +type sa_distributed_sched_adapter_service, sa_service_attr; +type sa_distributed_scenario_mgr_service, sa_service_attr; +type sa_distributed_sched_test_so, sa_service_attr; +type sa_distributed_sched_test_os, sa_service_attr; +type sa_distributed_sched_test_oos, sa_service_attr; +type sa_distributed_sched_test_tt, sa_service_attr; +type sa_distributed_sched_test_listen, sa_service_attr; +type sa_distributed_sched_test_connection, sa_service_attr; +type sa_distributed_sched_test_incomplete, sa_service_attr; +type sa_distributed_sched_test_ondemand, sa_service_attr; +type sa_distributed_sched_test_audio, sa_service_attr; +type sa_distributed_sched_test_media, sa_service_attr; +type sa_subsys_drivers_service, sa_service_attr; +type sa_subsys_global_service, sa_service_attr; +type sa_enterprise_device_manager_service, sa_service_attr; +type sa_i18n_service, sa_service_attr; +type sa_subsys_graphic_service, sa_service_attr; +type sa_ability_test_service, sa_service_attr; +type sa_subsys_hbs_service, sa_service_attr; +type sa_ability_mst_service, sa_service_attr; +type sa_dataobs_mgr_service_service, sa_service_attr; +type sa_uri_permission_mgr_service, sa_service_attr; +type sa_subsys_iaware_service, sa_service_attr; +type sa_resschedd_service, sa_service_attr; +type sa_work_schedule_service, sa_service_attr; +type sa_device_usage_statistics_service, sa_service_attr; +type sa_memory_manager_service, sa_service_attr; +type sa_subsys_common_service, sa_service_attr; +type sa_subsyse_service, sa_service_attr; +type sa_subsys_intelliaccessories_service, sa_service_attr; +type sa_subsys_intellispeaker_service, sa_service_attr; +type sa_subsys_intellitv_service, sa_service_attr; +type sa_subsys_iot_service, sa_service_attr; +type sa_subsys_iothardware_service, sa_service_attr; +type sa_subsys_ivihardware_service, sa_service_attr; +type sa_ivihardware_manager_service, sa_service_attr; +type sa_ivihardware_adas_service, sa_service_attr; +type sa_ivihardware_tbox_service, sa_service_attr; +type sa_ivihardware_cluster_service, sa_service_attr; +type sa_subsys_kernel_service, sa_service_attr; +type sa_subsys_location_service, sa_service_attr; +type sa_location_geo_convert_service, sa_service_attr; +type sa_location_locator_service, sa_service_attr; +type sa_location_notification_service, sa_service_attr; +type sa_subsys_msdp_service, sa_service_attr; +type sa_msdp_motion_service, sa_service_attr; +type sa_msdp_movement_service, sa_service_attr; +type sa_msdp_spatial_awareness_service, sa_service_attr; +type sa_msdp_geofence_service, sa_service_attr; +type sa_msdp_timeline_service, sa_service_attr; +type sa_msdp_multimodal_awareness_service, sa_service_attr; +type sa_subsys_multimedia_service, sa_service_attr; +type sa_radio_ivi_service, sa_service_attr; +type sa_audio_swift_service, sa_service_attr; +type sa_update_distributed_service, sa_service_attr; +type sa_media_library_service, sa_service_attr; +type sa_camera_service, sa_service_attr; +type sa_drm_service, sa_service_attr; +type sa_subsys_ai_service, sa_service_attr; +type sa_avsession_service, sa_service_attr; +type sa_subsys_multimodainput_service, sa_service_attr; +type sa_multimodal_channel_service, sa_service_attr; +type sa_subsys_ai_ds_service, sa_service_attr; +type sa_subsys_notification_service, sa_service_attr; +type sa_event_manager_service, sa_service_attr; +type sa_common_event_service_ability, sa_service_attr; +type sa_subsys_powermng_service, sa_service_attr; +type sa_ivipower_enhanced_service, sa_service_attr; +type sa_subsys_router_service, sa_service_attr; +type sa_subsys_security_service, sa_service_attr; +type sa_device_security_level_manager_service, sa_service_attr; +type sa_subsys_sensors_service, sa_service_attr; +type sa_extshb_service_ability, sa_service_attr; +type sa_medical_sensor_service_ability, sa_service_attr; +type sa_subsys_smallservices_service, sa_service_attr; +type sa_pasteboard_service, sa_service_attr; +type sa_screenlock_service, sa_service_attr; +type sa_wallpaper_manager_service, sa_service_attr; +type sa_download_service, sa_service_attr; +type sa_subsys_sourcecodetransformer_service, sa_service_attr; +type sa_subsys_startup_service, sa_service_attr; +type sa_sysparam_device_service, sa_service_attr; +type sa_subsys_telepony_service, sa_service_attr; +type sa_telephony_service, sa_service_attr; +type sa_dcall_service, sa_service_attr; + +type sa_subsys_appexecfwk_service, sa_service_attr; +type sa_telephony_data_storage_service, sa_service_attr; +type sa_distributed_bundle_mgr_service_service, sa_service_attr; +type sa_form_mgr_service, sa_service_attr; +type sa_subsys_update_service, sa_service_attr; +type sa_subsys_usb_service, sa_service_attr; +type sa_subsys_wearable_service, sa_service_attr; +type sa_subsys_wearablehardware_service, sa_service_attr; +type sa_subsys_ivi_service, sa_service_attr; +type sa_ivi_drivingsafety_service, sa_service_attr; +type sa_ivi_configmanager_service, sa_service_attr; +type sa_ivi_cockpitmonitor_service, sa_service_attr; +type sa_window_manager, sa_service_attr; +type sa_vsync_manager, sa_service_attr; +type sa_vsync_manager_test, sa_service_attr; +type sa_graphic_dumper_service_service, sa_service_attr; +type sa_graphic_dumper_command_service, sa_service_attr; +type sa_animation_server_service, sa_service_attr; +type sa_device_auth_service, sa_service_attr; +type sa_subsys_distributed_hardware_service, sa_service_attr; +type sa_distributed_hardware_input_source_service, sa_service_attr; +type sa_distributed_hardware_input_sink_service, sa_service_attr; +type sa_device_storage_manager_service, sa_service_attr; +type sa_storage_service, sa_service_attr; +type sa_storage_manager_daemon, sa_service_attr; +type sa_subsys_applications_service, sa_service_attr; +type sa_file_access_service, sa_service_attr; +type sa_installd_service, sa_service_attr; +type sa_subsys_filemanagement_service, sa_service_attr; +type sa_filemanagement_distributed_file_daemon_service, sa_service_attr; +type sa_filemanagement_distributed_file_service_service, sa_service_attr; +type sa_filemanagement_backup_service_service, sa_service_attr; +type sa_filemanagement_cloud_sync_service, sa_service_attr; +type sa_filemanagement_cloud_daemon_service, sa_service_attr; +type sa_subsys_arvr_service, sa_service_attr; +type sa_subsys_ace_service, sa_service_attr; +type sa_subsys_arvrhardware_service, sa_service_attr; +type sa_ca_daemon_service, sa_service_attr; +type sa_subsys_useriam_service, sa_service_attr; +type sa_dfx_sys_hidumper_ability, sa_service_attr; +type sa_privacy_service, sa_service_attr; +type sa_devattest_service, sa_service_attr; +type sa_oaid_service, sa_service_attr; +type sa_ui_appearance, sa_service_attr; +type sa_device_standby, sa_service_attr; + + diff --git a/prebuilts/api/5.0/base/public/service_contexts b/prebuilts/api/5.0/base/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2b12f2c002cf9bf123321f07c49acdfbec9fcbf2 --- /dev/null +++ b/prebuilts/api/5.0/base/public/service_contexts @@ -0,0 +1,254 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +0 u:object_r:sa_samgr_service:s0 +10 u:object_r:sa_render_service:s0 +116 u:object_r:sa_ability_tools_service:s0 +179 u:object_r:sa_ability_test_service:s0 +180 u:object_r:sa_foundation_abilityms:s0 +181 u:object_r:sa_ability_mst_service:s0 +182 u:object_r:sa_dataobs_mgr_service_service:s0 +183 u:object_r:sa_uri_permission_mgr_service:s0 +200 u:object_r:sa_accountmgr:s0 +300 u:object_r:sa_subsys_ai_service:s0 +310 u:object_r:sa_subsys_ai_ds_service:s0 +400 u:object_r:sa_subsys_appexecfwk_service:s0 +401 u:object_r:sa_foundation_bms:s0 +402 u:object_r:sa_distributed_bundle_mgr_service_service:s0 +403 u:object_r:sa_form_mgr_service:s0 +404 u:object_r:sa_service_router_mgr_service:s0 +500 u:object_r:sa_subsys_applications_service:s0 +501 u:object_r:sa_foundation_appms:s0 +511 u:object_r:sa_installd_service:s0 +600 u:object_r:sa_subsys_arvr_service:s0 +700 u:object_r:sa_subsys_arvrhardware_service:s0 +801 u:object_r:sa_accessibleabilityms:s0 +900 u:object_r:sa_subsys_useriam_service:s0 +901 u:object_r:sa_useriam_useridm_service:s0 +921 u:object_r:sa_useriam_userauth_service:s0 +931 u:object_r:sa_useriam_authexecutormgr_service:s0 +941 u:object_r:sa_useriam_pinauth_service:s0 +942 u:object_r:sa_useriam_faceauth_service:s0 +943 u:object_r:sa_useriam_fingerprintauth_service:s0 +1000 u:object_r:sa_subsys_ccruntime_service:s0 +1100 u:object_r:sa_subsys_communication_service:s0 +1108 u:object_r:sa_rpc_unregistered_test_service:s0 +1109 u:object_r:sa_rpc_test_service:s0 +1110 u:object_r:sa_rpc_test_service2:s0 +1114 u:object_r:sa_ipc_msg_sev:s0 +1115 u:object_r:sa_ipc_msg_unregistered_server:s0 +1116 u:object_r:sa_ipc_msg_repeat_server:s0 +1117 u:object_r:sa_ipc_msg_server:s0 +1118 u:object_r:sa_ipc_test_service:s0 +1119 u:object_r:sa_ipc_extra_test_service:s0 +1120 u:object_r:sa_wifi_device_ability:s0 +1121 u:object_r:sa_wifi_hotspot_ability:s0 +1122 u:object_r:sa_wifi_enhancer_service:s0 +1123 u:object_r:sa_wifi_p2p_ability:s0 +1124 u:object_r:sa_wifi_scan_ability:s0 +1126 u:object_r:sa_dhcp_client:s0 +1127 u:object_r:sa_dhcp_server:s0 +1130 u:object_r:sa_bluetooth_server:s0 +1140 u:object_r:sa_nfc_manager_service:s0 +1150 u:object_r:sa_net_manager_service:s0 +1151 u:object_r:sa_net_conn_manager:s0 +1152 u:object_r:sa_net_policy_manager:s0 +1153 u:object_r:sa_comm_net_stats_manager_service:s0 +1154 u:object_r:sa_comm_net_tethering_manager_service:s0 +1155 u:object_r:sa_comm_vpn_manager_service:s0 +1156 u:object_r:sa_comm_dns_manager_service:s0 +1157 u:object_r:sa_comm_ethernet_manager_service:s0 +1158 u:object_r:sa_netsys_native_manager:s0 +1160 u:object_r:sa_discover_service:s0 +1161 u:object_r:sa_comm_mdns_manager_service:s0 +1170 u:object_r:sa_dnet_service:s0 +1180 u:object_r:sa_smart_comm_service:s0 +1200 u:object_r:sa_subsys_dfx_service:s0 +1201 u:object_r:sa_hiview_service:s0 +1202 u:object_r:sa_hiview_faultlogger_service:s0 +1203 u:object_r:sa_sys_event_service:s0 +1205 u:object_r:sa_native_daemon:s0 +1212 u:object_r:sa_dfx_sys_hidumper_ability:s0 +1300 u:object_r:sa_subsys_distributeddatamng_service:s0 +1301 u:object_r:sa_distributeddata_service:s0 +1302 u:object_r:sa_distributed_fs_daemon_service:s0 +1303 u:object_r:sa_distributed_fs_meta_service:s0 +1304 u:object_r:sa_distributed_fs_storage_service:s0 +1400 u:object_r:sa_subsys_distributedschedule_service:s0 +1401 u:object_r:sa_distributeschedule:s0 +1402 u:object_r:sa_distributed_sched_adapter_service:s0 +1403 u:object_r:sa_distributed_scenario_mgr_service:s0 +1490 u:object_r:sa_distributed_sched_test_so:s0 +1491 u:object_r:sa_distributed_sched_test_os:s0 +1492 u:object_r:sa_distributed_sched_test_oos:s0 +1493 u:object_r:sa_distributed_sched_test_tt:s0 +1494 u:object_r:sa_distributed_sched_test_listen:s0 +1495 u:object_r:sa_distributed_sched_test_connection:s0 +1496 u:object_r:sa_distributed_sched_test_incomplete:s0 +1497 u:object_r:sa_distributed_sched_test_ondemand:s0 +1498 u:object_r:sa_distributed_sched_test_audio:s0 +1499 u:object_r:sa_distributed_sched_test_media:s0 +1500 u:object_r:sa_subsys_drivers_service:s0 +1600 u:object_r:sa_subsys_global_service:s0 +1601 u:object_r:sa_enterprise_device_manager_service:s0 +1602 u:object_r:sa_i18n_service:s0 +1700 u:object_r:sa_subsys_graphic_service:s0 +1800 u:object_r:sa_subsys_hbs_service:s0 +1900 u:object_r:sa_subsys_iaware_service:s0 +1901 u:object_r:sa_resource_schedule:s0 +1902 u:object_r:sa_resschedd_service:s0 +1903 u:object_r:sa_bgtaskmgr:s0 +1904 u:object_r:sa_work_schedule_service:s0 +1906 u:object_r:sa_resource_schedule_socperf_server:s0 +1907 u:object_r:sa_device_usage_statistics_service:s0 +1909 u:object_r:sa_memory_manager_service:s0 +1912 u:object_r:sa_concurrent_task_service:s0 +1914 u:object_r:sa_device_standby:s0 +2000 u:object_r:sa_subsyse_service:s0 +2100 u:object_r:sa_subsys_intelliaccessories_service:s0 +2200 u:object_r:sa_subsys_intellispeaker_service:s0 +2300 u:object_r:sa_subsys_intellitv_service:s0 +2400 u:object_r:sa_subsys_iot_service:s0 +2500 u:object_r:sa_subsys_iothardware_service:s0 +2600 u:object_r:sa_subsys_ivihardware_service:s0 +2601 u:object_r:sa_ivihardware_manager_service:s0 +2602 u:object_r:sa_ivihardware_adas_service:s0 +2603 u:object_r:sa_ivihardware_tbox_service:s0 +2604 u:object_r:sa_ivihardware_cluster_service:s0 +2700 u:object_r:sa_subsys_kernel_service:s0 +2800 u:object_r:sa_subsys_location_service:s0 +2801 u:object_r:sa_location_geo_convert_service:s0 +2802 u:object_r:sa_location_locator_service:s0 +2803 u:object_r:sa_locationhub_lbsservice_gnss:s0 +2804 u:object_r:sa_locationhub_lbsservice_network:s0 +2805 u:object_r:sa_locationhub_lbsservice_passive:s0 +2806 u:object_r:sa_location_notification_service:s0 +2900 u:object_r:sa_subsys_msdp_service:s0 +2901 u:object_r:sa_msdp_motion_service:s0 +2902 u:object_r:sa_msdp_devicestatus_service:s0 +2903 u:object_r:sa_msdp_movement_service:s0 +2904 u:object_r:sa_msdp_spatial_awareness_service:s0 +2905 u:object_r:sa_msdp_geofence_service:s0 +2906 u:object_r:sa_msdp_timeline_service:s0 +2908 u:object_r:sa_msdp_multimodal_awareness_service:s0 +3000 u:object_r:sa_subsys_multimedia_service:s0 +3001 u:object_r:sa_pulseaudio_audio_service:s0 +3002 u:object_r:sa_media_service:s0 +3003 u:object_r:sa_radio_ivi_service:s0 +3004 u:object_r:sa_audio_swift_service:s0 +3006 u:object_r:sa_update_distributed_service:s0 +3007 u:object_r:sa_media_library_service:s0 +3008 u:object_r:sa_camera_service:s0 +3009 u:object_r:sa_audio_policy_service:s0 +3010 u:object_r:sa_avsession_service:s0 +3012 u:object_r:sa_drm_service:s0 +3100 u:object_r:sa_subsys_multimodainput_service:s0 +3101 u:object_r:sa_multimodalinput_service:s0 +3102 u:object_r:sa_multimodal_channel_service:s0 +3200 u:object_r:sa_subsys_notification_service:s0 +3201 u:object_r:sa_event_manager_service:s0 +3202 u:object_r:sa_common_event_service_ability:s0 +3203 u:object_r:sa_foundation_ans:s0 +3299 u:object_r:sa_foundation_cesfwk_service:s0 +3300 u:object_r:sa_subsys_powermng_service:s0 +3301 u:object_r:sa_powermgr_powermgr_service:s0 +3302 u:object_r:sa_powermgr_battery_service:s0 +3303 u:object_r:sa_powermgr_thermal_service:s0 +3304 u:object_r:sa_powermgr_batterystats_service:s0 +3308 u:object_r:sa_powermgr_displaymgr_service:s0 +3309 u:object_r:sa_ivipower_enhanced_service:s0 +3400 u:object_r:sa_subsys_router_service:s0 +3500 u:object_r:sa_subsys_security_service:s0 +3503 u:object_r:sa_accesstoken_manager_service:s0 +3504 u:object_r:sa_token_sync_manager_service:s0 +3505 u:object_r:sa_privacy_service:s0 +3511 u:object_r:sa_device_security_level_manager_service:s0 +3600 u:object_r:sa_subsys_sensors_service:s0 +3601 u:object_r:sa_sensor_service:s0 +3602 u:object_r:sa_miscdevice_service:s0 +3603 u:object_r:sa_extshb_service_ability:s0 +3605 u:object_r:sa_medical_sensor_service_ability:s0 +3700 u:object_r:sa_subsys_smallservices_service:s0 +3701 u:object_r:sa_pasteboard_service:s0 +3702 u:object_r:sa_time_service:s0 +3703 u:object_r:sa_inputmethod_service:s0 +3704 u:object_r:sa_screenlock_service:s0 +3705 u:object_r:sa_wallpaper_manager_service:s0 +3706 u:object_r:sa_download_service:s0 +3800 u:object_r:sa_subsys_sourcecodetransformer_service:s0 +3900 u:object_r:sa_subsys_startup_service:s0 +3901 u:object_r:sa_param_watcher:s0 +3902 u:object_r:sa_sysparam_device_service:s0 +4000 u:object_r:sa_subsys_telepony_service:s0 +4001 u:object_r:sa_telephony_service:s0 +4002 u:object_r:sa_dcall_service:s0 +4005 u:object_r:sa_foundation_tel_call_manager:s0 +4006 u:object_r:sa_telephony_tel_cellular_call:s0 +4007 u:object_r:sa_telephony_tel_cellular_data:s0 +4008 u:object_r:sa_telephony_tel_sms_mms:s0 +4009 u:object_r:sa_foundation_tel_state_registry:s0 +4010 u:object_r:sa_telephony_tel_core_service:s0 +4012 u:object_r:sa_telephony_data_storage_service:s0 +4014 u:object_r:sa_telephony_tel_ims:s0 +4100 u:object_r:sa_subsys_update_service:s0 +4200 u:object_r:sa_subsys_usb_service:s0 +4201 u:object_r:sa_usb_service:s0 +4300 u:object_r:sa_subsys_wearable_service:s0 +4400 u:object_r:sa_subsys_wearablehardware_service:s0 +4500 u:object_r:sa_subsys_ivi_service:s0 +4501 u:object_r:sa_ivi_drivingsafety_service:s0 +4502 u:object_r:sa_ivi_configmanager_service:s0 +4503 u:object_r:sa_ivi_cockpitmonitor_service:s0 +4600 u:object_r:sa_window_manager:s0 +4601 u:object_r:sa_vsync_manager:s0 +4602 u:object_r:sa_vsync_manager_test:s0 +4603 u:object_r:sa_graphic_dumper_service_service:s0 +4604 u:object_r:sa_graphic_dumper_command_service:s0 +4605 u:object_r:sa_animation_server_service:s0 +4606 u:object_r:sa_foundation_wms:s0 +4607 u:object_r:sa_foundation_dms:s0 +4700 u:object_r:sa_softbus_service:s0 +4701 u:object_r:sa_device_auth_service:s0 +4800 u:object_r:sa_subsys_distributed_hardware_service:s0 +4801 u:object_r:sa_dhardware_service:s0 +4802 u:object_r:sa_foundation_devicemanager_service:s0 +4803 u:object_r:sa_dcamera_source_service:s0 +4804 u:object_r:sa_dcamera_sink_service:s0 +4805 u:object_r:sa_distributed_hardware_audio_source_service:s0 +4806 u:object_r:sa_distributed_hardware_audio_sink_service:s0 +4807 u:object_r:sa_dscreen_source_service:s0 +4808 u:object_r:sa_dscreen_sink_service:s0 +4809 u:object_r:sa_distributed_hardware_input_source_service:s0 +4810 u:object_r:sa_distributed_hardware_input_sink_service:s0 +5000 u:object_r:sa_device_storage_manager_service:s0 +5001 u:object_r:sa_storage_service:s0 +5002 u:object_r:sa_storage_manager_daemon:s0 +5003 u:object_r:sa_storage_manager_service:s0 +5010 u:object_r:sa_file_access_service:s0 +5100 u:object_r:sa_device_service_manager:s0 +5200 u:object_r:sa_subsys_filemanagement_service:s0 +5201 u:object_r:sa_filemanagement_distributed_file_daemon_service:s0 +5202 u:object_r:sa_filemanagement_distributed_file_service_service:s0 +5203 u:object_r:sa_filemanagement_backup_service_service:s0 +5204 u:object_r:sa_filemanagement_cloud_sync_service:s0 +5205 u:object_r:sa_filemanagement_cloud_daemon_service:s0 +5501 u:object_r:sa_devattest_service:s0 +6001 u:object_r:sa_device_profile_service:s0 +6101 u:object_r:sa_oaid_service:s0 +6105 u:object_r:sa_ecological_rule_mgr_service:s0 +7001 u:object_r:sa_subsys_ace_service:s0 +7002 u:object_r:sa_ui_appearance:s0 +8001 u:object_r:sa_ca_daemon_service:s0 + + diff --git a/prebuilts/api/5.0/base/public/shell.te b/prebuilts/api/5.0/base/public/shell.te new file mode 100644 index 0000000000000000000000000000000000000000..4ea67c405d35a10b75433dd14d4447a1fb761b46 --- /dev/null +++ b/prebuilts/api/5.0/base/public/shell.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow sh file_attr:file link; diff --git a/prebuilts/api/5.0/base/public/system_basic_hap.te b/prebuilts/api/5.0/base/public/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..828449ab3428c1c59e83dedeeff3b89ab643c9d7 --- /dev/null +++ b/prebuilts/api/5.0/base/public/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS,n +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow system_basic_hap_attr dev_fuse_file:chr_file *; + +neverallow system_basic_hap_attr dev_kmsg_file:chr_file never_rw_file; diff --git a/prebuilts/api/5.0/base/public/system_core_hap.te b/prebuilts/api/5.0/base/public/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5fcf9b2cc4b0a4dca1d15104b16a483736431d91 --- /dev/null +++ b/prebuilts/api/5.0/base/public/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS,n +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow system_core_hap_attr dev_kmsg_file:chr_file never_rw_file; + +neverallow system_core_hap_attr data_local_tmp:file { open read ioctl lock }; diff --git a/prebuilts/api/5.0/base/public/test.te b/prebuilts/api/5.0/base/public/test.te new file mode 100644 index 0000000000000000000000000000000000000000..d06f187959e48cf9f7e7aba9cefb8729c7b224b6 --- /dev/null +++ b/prebuilts/api/5.0/base/public/test.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for test +debug_only(` +type selftest, domain; +type selftest_hap_data_file, file_attr, system_file_attr; +') diff --git a/prebuilts/api/5.0/base/public/type.te b/prebuilts/api/5.0/base/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..d79ef6688dea80dfa74f01243c365493a0a8c769 --- /dev/null +++ b/prebuilts/api/5.0/base/public/type.te @@ -0,0 +1,117 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type samgr, sadomain, domain; +type accesstoken_service, sadomain, domain; +type socperf_service, sadomain, domain; +type distributedsche, sadomain, domain; +type bluetooth_service, sadomain, domain; +type accountmgr, sadomain, domain; +type ui_service, sadomain, domain; +type d_bms, sadomain, domain; +type wifi_manager_service, sadomain, domain; +type softbus_server, sadomain, domain; +type usb_service, sadomain, domain; +type medialibrary_service, sadomain, domain; +type netdnative, domain; +type netmanager, sadomain, domain; +type sensors, sadomain, domain; +type telephony_sa, sadomain, domain; +type camera_service, sadomain, domain; +type drm_service, sadomain, domain; +type media_service, sadomain, domain; +type param_watcher, sadomain, domain; +type foundation, sadomain, domain; +type powermgr, sadomain, domain; +type token_sync_service, sadomain, domain; +type memmgrservice, sadomain, domain; +type accessibility, sadomain, domain; +type distributedsched, sadomain, domain; +type distributedfile, sadomain, domain; +type deviceinfoservice, sadomain, domain; +type distributedhardware_fwk, sadomain, domain; +type nwebspawn, sadomain, domain; +type upms, sadomain, domain; +type mmi_uinput_service, sadomain, domain; +type download_server, sadomain, domain; +type msdp_sa, sadomain, domain; +type misc, sadomain, domain; +type netsysnative, sadomain, domain; +type mdnsmanager, sadomain, domain; +type hidumper_service, sadomain, domain; +type bootanimation, sadomain, domain; +type limit_domain, develop_domain; +type device_usage_statistics_service, sadomain, domain; +type thermal_sa, sadomain, domain; +type nfc_service, sadomain, domain; + +type watchdog_service, sadomain, domain; +type watchdog_service_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, watchdog_service_exec, watchdog_service); + +type lmks, sadomain, domain; +type lmks_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, lmks_exec, lmks); + +type wifi_hal_service, sadomain, domain; +type wifi_hal_service_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, wifi_hal_service_exec, wifi_hal_service); + +type ispserver, sadomain, domain; +type ispserver_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, ispserver_exec, ispserver); + +#domain_auto_transition_pattern(init, storage_daemon_exec, storage_daemon); + +type thermal_protector, sadomain, domain; +type thermal_protector_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, thermal_protector_exec, thermal_protector); + +type sh, develop_domain; +type sh_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, sh_exec, sh); + +type hdcd, native_system_domain, domain; +type hdcd_exec, exec_attr, file_attr, system_file_attr; +#domain_auto_transition_pattern(init, hdcd_exec, hdcd); + +type atm, native_system_domain, domain; +type atm_exec, exec_attr, file_attr, system_file_attr; + +type bm, native_system_domain, domain; +type bm_exec, exec_attr, file_attr, system_file_attr; +type updater, native_system_domain, domain; +type file_guard_server, sadomain, domain; +type cupsd, sadomain, domain; + +type wukong, native_system_domain, domain; +type wukong_exec, exec_attr, file_attr, system_file_attr; + +type SP_daemon, native_system_domain, domain; +type SP_daemon_exec, exec_attr, file_attr, system_file_attr; + +type uitest_exec, exec_attr, file_attr, system_file_attr; +type uitest, native_system_domain, domain; + +type aa, native_system_domain, domain; +type aa_exec, exec_attr, file_attr, system_file_attr; + +type ark_aot_compiler, native_system_domain, domain; +type ark_aot_compiler_exec, exec_attr, file_attr, system_file_attr; + +type compiler_service, sadomain, domain; + +debug_only(` + type console, sadomain, domain; + type su, native_system_domain, domain; +') diff --git a/prebuilts/api/5.0/base/public/ueventd.te b/prebuilts/api/5.0/base/public/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..17ae729dc8c94fd9537e8f1b6138f3b21dcf935a --- /dev/null +++ b/prebuilts/api/5.0/base/public/ueventd.te @@ -0,0 +1,18 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -processdump } ueventd:process ptrace; + +neverallow ueventd dev_port:chr_file ~{ getattr create setattr unlink relabelto }; + +neverallow ueventd { file_attr fs_attr }:file execute_no_trans; diff --git a/prebuilts/api/5.0/base/system/access_vectors b/prebuilts/api/5.0/base/system/access_vectors new file mode 100644 index 0000000000000000000000000000000000000000..7ad272405960e8dc51d95ebcd3d4f52b237824b9 --- /dev/null +++ b/prebuilts/api/5.0/base/system/access_vectors @@ -0,0 +1,576 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + unlink + link + rename + execute + quotaon + mounton + audit_access + open + execmod + watch + watch_mount + watch_sb + watch_with_perm + watch_reads +} +common socket +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + name_bind +} +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} +common cap +{ + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} +common cap2 +{ + mac_override + mac_admin + syslog + wake_alarm + block_suspend + audit_read + checkpoint_restore + perfmon + bpf +} +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + associate + quotamod + quotaget + watch +} +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} +class file +inherits file +{ + execute_no_trans + entrypoint +} +class lnk_file +inherits file +class chr_file +inherits file +{ + execute_no_trans + entrypoint +} +class blk_file +inherits file +class sock_file +inherits file +class fifo_file +inherits file +class fd +{ + use +} +class socket +inherits socket +class tcp_socket +inherits socket +{ + node_bind + name_connect +} +class udp_socket +inherits socket +{ + node_bind +} +class rawip_socket +inherits socket +{ + node_bind +} +class node +{ + recvfrom + sendto +} +class netif +{ + ingress + egress +} +class netlink_socket +inherits socket +class packet_socket +inherits socket +class key_socket +inherits socket +class unix_stream_socket +inherits socket +{ + connectto +} +class unix_dgram_socket +inherits socket +class process +{ + fork + transition + sigchld + sigkill + sigstop + signull + signal + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + execheap + setkeycreate + setsockcreate + getrlimit +} +class process2 +{ + nnp_transition + nosuid_transition +} +class ipc +inherits ipc +class sem +inherits ipc +class msgq +inherits ipc +{ + enqueue +} +class msg +{ + send + receive +} +class shm +inherits ipc +{ + lock +} +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce + setbool + setsecparam + setcheckreqprot + read_policy + validate_trans +} +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console + module_request + module_load +} +class capability +inherits cap +class capability2 +inherits cap2 +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_readpriv +} +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} +class netlink_nflog_socket +inherits socket +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} +class netlink_selinux_socket +inherits socket +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay + nlmsg_readpriv + nlmsg_tty_audit +} +class netlink_dnrt_socket +inherits socket +class association +{ + sendto + recvfrom + setcontext + polmatch +} +class netlink_kobject_uevent_socket +inherits socket +class appletalk_socket +inherits socket +class packet +{ + send + recv + relabelto + forward_in + forward_out +} +class key +{ + view + read + write + search + link + setattr + create +} +class dccp_socket +inherits socket +{ + node_bind + name_connect +} +class memprotect +{ + mmap_zero +} +class peer +{ + recv +} +class kernel_service +{ + use_as_override + create_files_as +} +class tun_socket +inherits socket +{ + attach_queue +} +class binder +{ + impersonate + call + set_context_mgr + transfer +} +class netlink_iscsi_socket +inherits socket +class netlink_fib_lookup_socket +inherits socket +class netlink_connector_socket +inherits socket +class netlink_netfilter_socket +inherits socket +class netlink_generic_socket +inherits socket +class netlink_scsitransport_socket +inherits socket +class netlink_rdma_socket +inherits socket +class netlink_crypto_socket +inherits socket +class infiniband_pkey +{ + access +} +class infiniband_endport +{ + manage_subnet +} +class cap_userns +inherits cap +class cap2_userns +inherits cap2 +class sctp_socket +inherits socket +{ + node_bind + name_connect + association +} +class icmp_socket +inherits socket +{ + node_bind +} +class ax25_socket +inherits socket +class ipx_socket +inherits socket +class netrom_socket +inherits socket +class atmpvc_socket +inherits socket +class x25_socket +inherits socket +class rose_socket +inherits socket +class decnet_socket +inherits socket +class atmsvc_socket +inherits socket +class rds_socket +inherits socket +class irda_socket +inherits socket +class pppox_socket +inherits socket +class llc_socket +inherits socket +class can_socket +inherits socket +class tipc_socket +inherits socket +class bluetooth_socket +inherits socket +class iucv_socket +inherits socket +class rxrpc_socket +inherits socket +class isdn_socket +inherits socket +class phonet_socket +inherits socket +class ieee802154_socket +inherits socket +class caif_socket +inherits socket +class alg_socket +inherits socket +class nfc_socket +inherits socket +class vsock_socket +inherits socket +class kcm_socket +inherits socket +class qipcrtr_socket +inherits socket +class smc_socket +inherits socket +class bpf +{ + map_create + map_read + map_write + prog_load + prog_run +} +class xdp_socket +inherits socket +class parameter_service +{ + set +} +class samgr_class +{ + add + get + get_remote + list +} +class hdf_devmgr_class +{ + add + get + list +} + +class lockdown +{ + integrity + confidentiality +} + +class perf_event +{ + open + cpu + kernel + tracepoint + read + write +} + +class xpm +{ + exec_no_sign + exec_anon_mem + exec_in_jitfort + exec_allow_debug_id + exec_allow_sa_plugin +} + +class hideaddr +{ + hide_exec_anon_mem + hide_exec_anon_mem_debug +} + +class code_sign +{ + add_cert_chain + remove_cert_chain +} + +class hmpsf +{ + map_create + map_read + map_write + module_load + module_run +} + +class ced +{ + container_escape_check +} + +class jit_memory +{ + exec_mem_ctrl +} + +class hmcap +{ + supervsable + pid_mem_read + pid_mem_write +} diff --git a/prebuilts/api/5.0/base/system/appspawn.te b/prebuilts/api/5.0/base/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..bc2311bc1bc8ac7d3ba17e7abb2370229e365870 --- /dev/null +++ b/prebuilts/api/5.0/base/system/appspawn.te @@ -0,0 +1,39 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#todo need to know why data_app_el1_file need write +#(allow appspawn data_app_el1_file (dir (add_name))) +#(allow appspawn data_app_el1_file (dir (create))) +#(allow appspawn data_app_el1_file (dir (mounton))) +#(allow appspawn data_app_el1_file (dir (search))) +#(allow appspawn data_app_el1_file (dir (write))) +#(allow appspawn data_app_el2_file (dir (search))) +#(allow appspawn data_app_file (dir (search))) +#(allow appspawn normal_hap_data_file_attr (dir (mounton))) +#(allow appspawn system_basic_hap_data_file_attr (dir (mounton))) +#(allow appspawn system_core_hap_data_file_attr (dir (mounton))) + +neverallow appspawn { hap_file_attr -data_app_el1_file -data_app_el2_file -data_app_el3_file -data_app_el4_file -data_app_el5_file -data_service_el2_file -normal_hap_data_file_attr -system_basic_hap_data_file -system_core_hap_data_file_attr }:dir ~{ getattr search mounton }; +neverallow appspawn normal_hap_data_file_attr:dir ~{ getattr search mounton create write add_name setattr relabelto }; +neverallow appspawn { system_basic_hap_data_file system_core_hap_data_file}:dir ~{ getattr search mounton relabelto }; + +neverallow appspawn data_cache:dir ~{ read_dir_perms }; + +neverallow appspawn data_cache:file ~{ read getattr }; + +neverallow appspawn data_file_attr:file never_execute_file; + +neverallow { domain -appspawn -foundation -ui_service -app_fwk_update_service -storage_manager developer_only(`-devicedebug') } appspawn:unix_stream_socket connectto; + +neverallow appspawn hap_file_attr:file { exec_file_perms }; + diff --git a/prebuilts/api/5.0/base/system/file_contexts b/prebuilts/api/5.0/base/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..daf03988c93bb7fef76f420e8b7302f44499e261 --- /dev/null +++ b/prebuilts/api/5.0/base/system/file_contexts @@ -0,0 +1,327 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put shorter config ahead; +# root +/ u:object_r:rootfs:s0 + +/lost\+found u:object_r:rootfs:s0 +/bin u:object_r:rootfs:s0 +/chip_prod u:object_r:rootfs:s0 +/init u:object_r:rootfs:s0 +/chipset u:object_r:rootfs:s0 +/mnt u:object_r:rootfs:s0 +/proc u:object_r:rootfs:s0 +/storage u:object_r:rootfs:s0 +/sys_prod u:object_r:rootfs:s0 +/cust u:object_r:rootfs:s0 +/version u:object_r:system_file:s0 +/preload u:object_r:system_file:s0 +/tmp u:object_r:rootfs:s0 +/sys u:object_r:sys_file:s0 + +/dev(/.*)? u:object_r:dev_file:s0 +/dev/functionfs(/.*)? u:object_r:dev_functionfs_file:s0 +/dev/__parameters__(/.*)? u:object_r:dev_parameters_file:s0 +/dev/block(/.*)? u:object_r:dev_block_file:s0 +/dev/block/zram0 u:object_r:zram_device:s0 +/dev/block/by-name/misc u:object_r:updater_block_file:s0 +/dev/block/mmcblk0p2 u:object_r:updater_block_file:s0 +/dev/block/by-name/bootctrl u:object_r:updater_block_file:s0 +/dev/block/mmcblk0p3 u:object_r:updater_block_file:s0 +/dev/bus(/.*)? u:object_r:dev_bus_file:s0 +/dev/bus/usb(/.*)? u:object_r:dev_bus_usb_file:s0 +/dev/char(/.*)? u:object_r:dev_char_file:s0 +/dev/dma_heap(/.*)? u:object_r:dev_dma_heap_file:s0 +/dev/dri(/.*)? u:object_r:dev_dri_file:s0 +/dev/fscklogs(/.*)? u:object_r:dev_fscklogs_file:s0 +/dev/graphics(/.*)? u:object_r:dev_graphics_file:s0 +/dev/input(/.*)? u:object_r:dev_input_file:s0 +/dev/pts(/.*)? u:object_r:dev_pts_file:s0 +/dev/snd(/.*)? u:object_r:dev_snd_file:s0 +/dev/socket(/.*)? u:object_r:dev_socket_file:s0 +/dev/unix(/.*)? u:object_r:dev_unix_file:s0 +/dev/unix/socket u:object_r:dev_unix_socket:s0 +/dev/unix/socket/AppSpawn u:object_r:appspawn_socket:s0 +/dev/unix/socket/NWebSpawn u:object_r:nwebspawn_socket:s0 +/dev/unix/socket/fd_holder u:object_r:fd_holder_socket:s0 +/dev/unix/socket/hdcd u:object_r:hdcd_socket:s0 +/dev/unix/socket/native u:object_r:native_socket:s0 +/dev/unix/socket/paramservice u:object_r:paramservice_socket:s0 +/dev/v4l(/.*)? u:object_r:dev_v_file:s0 +/dev/v4l-subdev[0-9]* u:object_r:dev_v_file:s0 +/dev/tty[0-9]* u:object_r:tty_device:s0 +/dev/ttyFIQ0 u:object_r:tty_device:s0 +/dev/ttyS[0-9]* u:object_r:tty_device:s0 +/dev/usb-ffs(/.*)? u:object_r:dev_usb_ffs:s0 +/dev/asanlog(/.*)? u:object_r:dev_asanlog_file:s0 + +/dev/usbfn u:object_r:dev_usbfn_file:s0 +/dev/access_token_id u:object_r:dev_at_file:s0 +/dev/ashmem u:object_r:dev_ashmem_file:s0 +/dev/binder u:object_r:dev_binder_file:s0 +/dev/console u:object_r:dev_console_file:s0 +/dev/cpu_dma_latency u:object_r:dev_cpu_dma_latency_file:s0 +/dev/dev_mgr u:object_r:dev_mgr_file:s0 +/dev/devsvc_mgr u:object_r:dev_svc_mgr_file:s0 +/dev/fuse u:object_r:dev_fuse_file:s0 +/dev/hdf_input_host u:object_r:dev_hdf_file:s0 +/dev/hwbinder u:object_r:dev_hwbinder_file:s0 +/dev/iio:device0 u:object_r:dev_iio_file:s0 +/dev/kmsg u:object_r:dev_kmsg_file:s0 +/dev/loop-control u:object_r:dev_loop_control_file:s0 +/dev/media[0-9]* u:object_r:dev_media_file:s0 +/dev/mmcblk0rpmb u:object_r:dev_rpmb_file:s0 +/dev/null u:object_r:dev_null_file:s0 +/dev/random u:object_r:dev_random_file:s0 +/dev/urandom u:object_r:dev_random_file:s0 +/dev/rtc u:object_r:dev_rtc_file:s0 +/dev/rtc[0-9]* u:object_r:dev_rtc_file:s0 +/dev/socket u:object_r:dev_socket_file:s0 +/dev/tee[0-9]* u:object_r:dev_tee_file:s0 +/dev/teepriv[0-9]* u:object_r:dev_tee_file:s0 +/dev/ubi_ctrl u:object_r:dev_ubi_file:s0 +/dev/uhid u:object_r:dev_uhid_file:s0 +/dev/tun u:object_r:dev_tun_file:s0 +/dev/vcs u:object_r:dev_vcs_file:s0 +/dev/vcs[0-9]* u:object_r:dev_vcs_file:s0 +/dev/vcsa u:object_r:dev_vcs_file:s0 +/dev/vcsa[0-9]* u:object_r:dev_vcs_file:s0 +/dev/vcsu u:object_r:dev_vcs_file:s0 +/dev/vcsu[0-9]* u:object_r:dev_vcs_file:s0 +/dev/vhci u:object_r:dev_vhci_file:s0 +/dev/video[0-9]* u:object_r:dev_video_file:s0 +/dev/vndbinder u:object_r:dev_vndbinder_file:s0 +/dev/watchdog* u:object_r:dev_watchdog_file:s0 +/dev/watchdog[0-9]* u:object_r:dev_watchdog_file:s0 +/dev/zero u:object_r:dev_zero_file:s0 +/dev/HDF_PLATFORM_I2C_MANAGER u:object_r:dev_hdf_i2c_mgr:s0 +/dev/khdf_ut u:object_r:dev_hdf_test:s0 +/dev/I2C_TEST u:object_r:dev_i2c_test:s0 +/dev/bbox u:object_r:dev_bbox:s0 +/dev/bus u:object_r:dev_bus:s0 +/dev/cec0 u:object_r:dev_dev_cec0:s0 +/dev/full u:object_r:dev_full:s0 +/dev/gpiochip[0-9]* u:object_r:dev_gpiochip:s0 +/dev/hdf_audio_capture u:object_r:dev_hdf_audio_capture:s0 +/dev/hdf_audio_codec_dev0 u:object_r:dev_hdf_audio_codec_dev:s0 +/dev/hdf_audio_codec_primary_dev0 u:object_r:dev_hdf_audio_codec_primary:s0 +/dev/hdf_audio_codec_hdmi_dev0 u:object_r:dev_hdf_audio_codec_hdmi:s0 +/dev/hdf_audio_smartpa_dev0 u:object_r:dev_hdf_audio_smartpa:s0 +/dev/hdf_audio_control u:object_r:dev_hdf_audio_control:s0 +/dev/hdf_audio_render u:object_r:dev_hdf_audio_render:s0 +/dev/hdf_bl u:object_r:dev_hdf_bl:s0 +/dev/hdf_disp u:object_r:dev_hdf_disp:s0 +/dev/hdf_input_event[0-9] u:object_r:dev_hdf_input:s0 +/dev/hdf_light u:object_r:dev_hdf_light:s0 +/dev/hdf_misc_vibrator u:object_r:dev_hdf_misc_vibrator:s0 +/dev/hdf_sensor_manager_ap u:object_r:dev_hdf_sensor_mgr:s0 +/dev/hdf_usb_pnp_notify_service u:object_r:dev_hdf_usb_pnp:s0 +/dev/hdmi_hdcplx u:object_r:dev_hdmi_hdcplx:s0 +/dev/hwrng u:object_r:dev_hwrng:s0 +/dev/i2c-[0-9] u:object_r:dev_i2c:s0 +/dev/mali0 u:object_r:dev_mali:s0 +/dev/mem u:object_r:dev_mem:s0 +/dev/mpp_service u:object_r:dev_mpp:s0 +/dev/pm_ut_service u:object_r:dev_pm_test:s0 +/dev/port u:object_r:dev_port:s0 +/dev/ptmx u:object_r:dev_ptmx:s0 +/dev/ptp[0-9] u:object_r:dev_ptp:s0 +/dev/rfkill u:object_r:dev_rfkill:s0 +/dev/rga u:object_r:dev_rga:s0 +/dev/sample_service u:object_r:dev_sample_svc:s0 +/dev/sched_rtg_ctrl u:object_r:dev_sched_rtg_ctrl:s0 +/dev/auth_ctrl u:object_r:dev_auth_ctrl:s0 +/dev/snapshot u:object_r:dev_snapshot:s0 +/dev/sw_sync u:object_r:dev_sw_sync:s0 +/dev/usb-ffs u:object_r:dev_usb_ffs:s0 +/dev/uinput u:object_r:dev_uinput:s0 + +/dev/hdmi_hdcp1x u:object_r:dev_hdmi_hdcp1x:s0 +/dev/xpm u:object_r:dev_xpm:s0 + + +/etc(/.*)? u:object_r:etc_file:s0 +/lib(/.*)? u:object_r:lib_file:s0 +/lib64(/.*)? u:object_r:lib_file:s0 + +/config(/.*)? u:object_r:config_file:s0 +/updater(/.*)? u:object_r:updater_file:s0 +/cust(/.*)? u:object_r:system_file:s0 +/preload(/.*)? u:object_r:system_file:s0 +/version(/.*)? u:object_r:system_file:s0 +/system(/.*)? u:object_r:system_file:s0 +/system/hap(/.*)? u:object_r:system_hap_file:s0 +/system/bin(/.*)? u:object_r:system_bin_file:s0 +/system/etc(/.*)? u:object_r:system_etc_file:s0 +/system/fonts(/.*)? u:object_r:system_fonts_file:s0 +/system/lib(/.*)? u:object_r:system_lib_file:s0 +/system/profile(/.*)? u:object_r:system_profile_file:s0 +/system/usr(/.*)? u:object_r:system_usr_file:s0 + +/sys_prod(/.*)? u:object_r:sys_prod_file:s0 + +/chip_prod(/.*)? u:object_r:chip_prod_file:s0 +/chip_ckm(/.*)? u:object_r:chip_ckm_file:s0 + +/eng_system(/.*)? u:object_r:system_file:s0 +/eng_system/etc(/.*)? u:object_r:system_etc_file:s0 +/eng_system/lib(/.*)? u:object_r:system_lib_file:s0 +/eng_system/bin(/.*)? u:object_r:system_bin_file:s0 + +/eng_chipset(/.*)? u:object_r:vendor_file:s0 +/eng_chipset/bin(/.*)? u:object_r:vendor_bin_file:s0 +/eng_chipset/lib(/.*)? u:object_r:vendor_lib_file:s0 +/eng_chipset/lib64(/.*)? u:object_r:vendor_lib_file:s0 +/eng_chipset/etc(/.*)? u:object_r:vendor_etc_file:s0 + +/data(/.*)? u:object_r:data_file:s0 +/data/app u:object_r:data_app_file:s0 +/data/app/(.*)? u:object_r:data_app_file:s0 +/data/app/el1(/.*)? u:object_r:data_app_el1_file:s0 +/data/app/el2(/.*)? u:object_r:data_app_el2_file:s0 +/data/app/el3(/.*)? u:object_r:data_app_el3_file:s0 +/data/app/el4(/.*)? u:object_r:data_app_el4_file:s0 +/data/app/el5(/.*)? u:object_r:data_app_el5_file:s0 +/data/service u:object_r:data_service_file:s0 +/data/service/(.*)? u:object_r:data_service_file:s0 +/data/service/el0(/.*)? u:object_r:data_service_el0_file:s0 +/data/service/el1(/.*)? u:object_r:data_service_el1_file:s0 +/data/service/el1/public/print_service(/.*)? u:object_r:data_service_el1_public_print_service_file:s0 +/data/service/el2(/.*)? u:object_r:data_service_el2_file:s0 +/data/service/el3(/.*)? u:object_r:data_service_el3_file:s0 +/data/service/el4(/.*)? u:object_r:data_service_el4_file:s0 +/data/service/el5(/.*)? u:object_r:data_service_el5_file:s0 +/data/chipset u:object_r:data_chipset_file:s0 +/data/chipset/(.*)? u:object_r:data_chipset_file:s0 +/data/chipset/el1(/.*)? u:object_r:data_chipset_el1_file:s0 +/data/chipset/el2(/.*)? u:object_r:data_chipset_el2_file:s0 +/data/storage u:object_r:data_storage:s0 +/data/storage/(.*)? u:object_r:data_storage:s0 +/data/accounts u:object_r:data_accounts:s0 +/data/accounts/(.*)? u:object_r:data_accounts:s0 +/data/ams_white_list u:object_r:data_ams_whitelist:s0 +/data/app-asec u:object_r:data_appasec:s0 +/data/app-asec/(.*)? u:object_r:data_appasec:s0 +/data/app-ephemeral u:object_r:data_appephemeral:s0 +/data/app-ephemeral/(.*)? u:object_r:data_appephemeral:s0 +/data/app-lib u:object_r:data_applib:s0 +/data/app-lib/(.*)? u:object_r:data_applib:s0 +/data/app-private u:object_r:data_appprivate:s0 +/data/app-private/(.*)? u:object_r:data_appprivate:s0 +/data/app-staging u:object_r:data_appstaging:s0 +/data/app-staging/(.*)? u:object_r:data_appstaging:s0 +/data/backup u:object_r:data_backup:s0 +/data/backup/(.*)? u:object_r:data_backup:s0 +/data/bluetooth u:object_r:data_bluetooth:s0 +/data/bluetooth/(.*)? u:object_r:data_bluetooth:s0 +/data/service/el0/startup(/.*)? u:object_r:data_startup:s0 +/data/cache u:object_r:data_cache:s0 +/data/cache/(.*)? u:object_r:data_cache:s0 +/data/data u:object_r:data_data_file:s0 +/data/data/(.*)? u:object_r:data_data_file:s0 +/data/drm u:object_r:data_drm:s0 +/data/drm/(.*)? u:object_r:data_drm:s0 +/data/ethernet u:object_r:data_ethernet:s0 +/data/ethernet/(.*)? u:object_r:data_ethernet:s0 +/data/file\.log u:object_r:data_filelog:s0 +/data/init_agent u:object_r:data_init_agent:s0 +/data/init_agent/(.*)? u:object_r:data_init_agent:s0 +/data/log/libinput(/.*)? u:object_r:data_libinput:s0 +/data/local u:object_r:data_local:s0 +/data/local/(.*)? u:object_r:data_local:s0 +/data/local/traces(/.*)? u:object_r:data_local_traces:s0 +/data/local/tmp(/.*)? u:object_r:data_local_tmp:s0 +/data/local/ark-cache(/.*)? u:object_r:data_local_arkcache:s0 +/data/local/ark-profile(/.*)? u:object_r:data_local_arkprofile:s0 +/data/log u:object_r:data_log:s0 +/data/log/(.*)? u:object_r:data_log:s0 +/data/media u:object_r:data_media:s0 +/data/media/(.*)? u:object_r:data_media:s0 +/data/mediadrm u:object_r:data_mediadrm:s0 +/data/mediadrm/(.*)? u:object_r:data_mediadrm:s0 +/data/misc u:object_r:data_misc:s0 +/data/misc/(.*)? u:object_r:data_misc:s0 +/data/misc_ce u:object_r:data_misc_ce:s0 +/data/misc_ce/(.*)? u:object_r:data_misc_ce:s0 +/data/misc_de u:object_r:data_misc_de:s0 +/data/misc_de/(.*)? u:object_r:data_misc_de:s0 +/data/nfc u:object_r:data_nfc:s0 +/data/nfc/(.*)? u:object_r:data_nfc:s0 +/data/ota u:object_r:data_ota:s0 +/data/ota/(.*)? u:object_r:data_ota:s0 +/data/ota_package u:object_r:data_ota_package:s0 +/data/ota_package/(.*)? u:object_r:data_ota_package:s0 +/data/service/el1/startup/parameters(/.*)? u:object_r:data_parameters:s0 +/data/preloads u:object_r:data_preloads:s0 +/data/preloads/(.*)? u:object_r:data_preloads:s0 +/data/resource-cache u:object_r:data_resourcecache:s0 +/data/resource-cache/(.*)? u:object_r:data_resourcecache:s0 +/data/sadata u:object_r:data_sadata:s0 +/data/sadata/(.*)? u:object_r:data_sadata:s0 +/data/sadata_de u:object_r:data_sadata_de:s0 +/data/sadata_de/(.*)? u:object_r:data_sadata_de:s0 +/data/samgr u:object_r:data_samgr:s0 +/data/samgr/(.*)? u:object_r:data_samgr:s0 +/data/ss u:object_r:data_ss:s0 +/data/ss/(.*)? u:object_r:data_ss:s0 +/data/system u:object_r:data_system:s0 +/data/system/(.*)? u:object_r:data_system:s0 +/data/system_ce u:object_r:data_system_ce:s0 +/data/system_ce/(.*)? u:object_r:data_system_ce:s0 +/data/system_de u:object_r:data_system_de:s0 +/data/system_de/(.*)? u:object_r:data_system_de:s0 +/data/service/el1/public/udev(/.*)? u:object_r:data_udev:s0 +/data/update_service_log\.txt u:object_r:data_update_service_log:s0 +/data/user u:object_r:data_user:s0 +/data/user/(.*)? u:object_r:data_user:s0 +/data/user_de u:object_r:data_user_de:s0 +/data/user_de/(.*)? u:object_r:data_user_de:s0 +/data/vendor u:object_r:data_vendor:s0 +/data/vendor/(.*)? u:object_r:data_vendor:s0 +/data/vendor_ce u:object_r:data_vendor_ce:s0 +/data/vendor_ce/(.*)? u:object_r:data_vendor_ce:s0 +/data/vendor_de u:object_r:data_vendor_de:s0 +/data/vendor_de/(.*)? u:object_r:data_vendor_de:s0 + +/vendor(/.*)? u:object_r:vendor_file:s0 +/vendor/bin(/.*)? u:object_r:vendor_bin_file:s0 +/vendor/lib(/.*)? u:object_r:vendor_lib_file:s0 +/vendor/lib64(/.*)? u:object_r:vendor_lib_file:s0 +/vendor/etc(/.*)? u:object_r:vendor_etc_file:s0 + +/system/bin/init u:object_r:init_exec:s0 + +/system/bin/watchdog_service u:object_r:watchdog_service_exec:s0 + +/system/bin/lmks u:object_r:lmks_exec:s0 + +/vendor/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0 + +/system/bin/wifi_hal_service u:object_r:wifi_hal_service_exec:s0 + +/system/bin/ispserver u:object_r:ispserver_exec:s0 + +/system/bin/storage_daemon u:object_r:storage_daemon_exec:s0 + +/system/bin/sdc u:object_r:sdc_exec:s0 + +/system/bin/thermal_protector u:object_r:thermal_protector_exec:s0 + +/system/bin/sh u:object_r:sh_exec:s0 + +/system/bin/hdcd u:object_r:hdcd_exec:s0 + +/system/lib64(/.*)? u:object_r:system_lib_file:s0 + +/eng_system/bin/hdcd u:object_r:hdcd_exec:s0 diff --git a/prebuilts/api/5.0/base/system/fs_use b/prebuilts/api/5.0/base/system/fs_use new file mode 100644 index 0000000000000000000000000000000000000000..2efbb79d8626545bf0cb71ed6385c466b50c0f4d --- /dev/null +++ b/prebuilts/api/5.0/base/system/fs_use @@ -0,0 +1,32 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +fs_use_xattr ext2 u:object_r:labeledfs:s0; +fs_use_xattr ext3 u:object_r:labeledfs:s0; +fs_use_xattr ext4 u:object_r:labeledfs:s0; +fs_use_xattr xfs u:object_r:labeledfs:s0; +fs_use_xattr btrfs u:object_r:labeledfs:s0; +fs_use_xattr f2fs u:object_r:labeledfs:s0; +fs_use_xattr squashfs u:object_r:labeledfs:s0; +fs_use_xattr overlay u:object_r:labeledfs:s0; +fs_use_xattr erofs u:object_r:labeledfs:s0; +fs_use_xattr incremental-fs u:object_r:labeledfs:s0; + +fs_use_task pipefs u:object_r:pipefs:s0; +fs_use_task sockfs u:object_r:sockfs:s0; + +fs_use_trans devpts u:object_r:devpts:s0; +fs_use_trans tmpfs u:object_r:tmpfs:s0; +fs_use_trans devtmpfs u:object_r:device:s0; +fs_use_trans shm u:object_r:shm:s0; +fs_use_trans mqueue u:object_r:mqueue:s0; diff --git a/prebuilts/api/5.0/base/system/glb_roles.spt b/prebuilts/api/5.0/base/system/glb_roles.spt new file mode 100644 index 0000000000000000000000000000000000000000..cc4bacde0a1378df47d8d9c494cba5d202fdcb3f --- /dev/null +++ b/prebuilts/api/5.0/base/system/glb_roles.spt @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +role r; +role r types domain; + +role r types develop_domain; diff --git a/prebuilts/api/5.0/base/system/hiview.te b/prebuilts/api/5.0/base/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..c098c44e663bd7e638db17aa4caeca81c3540c1d --- /dev/null +++ b/prebuilts/api/5.0/base/system/hiview.te @@ -0,0 +1,21 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#todo need to know why data_app_el1_file need write +#(allow hiview dev_bbox:chr_file { ioctl } +#(allow hiview dev_bbox:chr_file ioctl { 0xaf01 } +#(allow hiview dev_bbox:chr_file ioctl { 0xaf02 } +#(allow hiview dev_bbox:chr_file ioctl { 0xaf03 } + +# avc: denied { call } for pid=1218 comm="sys_dispatcher" scontext=u:r:hiview:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow hiview wifi_manager_service:binder { call }; diff --git a/prebuilts/api/5.0/base/system/initial_sid_contexts b/prebuilts/api/5.0/base/system/initial_sid_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e7c6205647e82b1547f5a3d5145bc63bc3196248 --- /dev/null +++ b/prebuilts/api/5.0/base/system/initial_sid_contexts @@ -0,0 +1,40 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +sid kernel u:r:kernel:s0 +sid security u:object_r:security:s0 +sid unlabeled u:object_r:unlabeled:s0 +sid fs u:object_r:labeledfs:s0 +sid file u:object_r:unlabeled:s0 +sid file_labels u:object_r:unlabeled:s0 +sid init u:object_r:unlabeled:s0 +sid any_socket u:object_r:unlabeled:s0 +sid port u:object_r:port:s0 +sid netif u:object_r:netif:s0 +sid netmsg u:object_r:netmsg:s0 +sid node u:object_r:node:s0 +sid igmp_packet u:object_r:unlabeled:s0 +sid icmp_socket u:object_r:unlabeled:s0 +sid tcp_socket u:object_r:unlabeled:s0 +sid sysctl_modprobe u:object_r:unlabeled:s0 +sid sysctl u:object_r:sysctl:s0 +sid sysctl_fs u:object_r:unlabeled:s0 +sid sysctl_kernel u:object_r:unlabeled:s0 +sid sysctl_net u:object_r:unlabeled:s0 +sid sysctl_net_unix u:object_r:unlabeled:s0 +sid sysctl_vm u:object_r:unlabeled:s0 +sid sysctl_dev u:object_r:unlabeled:s0 +sid kmod u:object_r:unlabeled:s0 +sid policy u:object_r:unlabeled:s0 +sid scmp_packet u:object_r:unlabeled:s0 +sid devnull u:object_r:dev_null_file:s0 diff --git a/prebuilts/api/5.0/base/system/initial_sids b/prebuilts/api/5.0/base/system/initial_sids new file mode 100644 index 0000000000000000000000000000000000000000..ad9d30ded9e0c0be5df9b022b7f1d689b0217198 --- /dev/null +++ b/prebuilts/api/5.0/base/system/initial_sids @@ -0,0 +1,41 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull + diff --git a/prebuilts/api/5.0/base/system/mls b/prebuilts/api/5.0/base/system/mls new file mode 100644 index 0000000000000000000000000000000000000000..7e6986ff2802e3efe9e559c969d833229253c595 --- /dev/null +++ b/prebuilts/api/5.0/base/system/mls @@ -0,0 +1,28 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`decl_cat',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cat(incr($1),$2)')dnl +') + +sensitivity s0; + +dominance { s0 } + +decl_cat(0, 1023) + +level s0:c0.c1023; + +mlsconstrain filesystem relabelto + ( h1 dom h2 ); diff --git a/prebuilts/api/5.0/base/system/policy_cap b/prebuilts/api/5.0/base/system/policy_cap new file mode 100644 index 0000000000000000000000000000000000000000..52b8b85484e7bd164776f16979d2895f805883b0 --- /dev/null +++ b/prebuilts/api/5.0/base/system/policy_cap @@ -0,0 +1,17 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +policycap network_peer_controls; +policycap open_perms; +policycap extended_socket_class; +policycap nnp_nosuid_transition; diff --git a/prebuilts/api/5.0/base/system/security_classes b/prebuilts/api/5.0/base/system/security_classes new file mode 100644 index 0000000000000000000000000000000000000000..19907ad3428083a4ef1c90dc3e70e3ba997b9a53 --- /dev/null +++ b/prebuilts/api/5.0/base/system/security_classes @@ -0,0 +1,117 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +class security +class process +class system +class capability +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket +class sem +class msg +class msgq +class shm +class ipc +class netlink_route_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_dnrt_socket +class association +class netlink_kobject_uevent_socket +class appletalk_socket +class packet +class key +class dccp_socket +class memprotect +class peer +class capability2 +class kernel_service +class tun_socket +class binder +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket +class infiniband_pkey +class infiniband_endport +class cap_userns +class cap2_userns +class sctp_socket +class icmp_socket +class ax25_socket +class ipx_socket +class netrom_socket +class atmpvc_socket +class x25_socket +class rose_socket +class decnet_socket +class atmsvc_socket +class rds_socket +class irda_socket +class pppox_socket +class llc_socket +class can_socket +class tipc_socket +class bluetooth_socket +class iucv_socket +class rxrpc_socket +class isdn_socket +class phonet_socket +class ieee802154_socket +class caif_socket +class alg_socket +class nfc_socket +class vsock_socket +class kcm_socket +class qipcrtr_socket +class smc_socket +class process2 +class bpf +class xdp_socket +class parameter_service +class samgr_class +class hdf_devmgr_class +class lockdown +class perf_event +class xpm +class hideaddr +class code_sign +class hmpsf +class ced +class jit_memory +class hmcap diff --git a/prebuilts/api/5.0/base/system/system_domain.te b/prebuilts/api/5.0/base/system/system_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..dd4c278389c66f7d79dcaf7e6de8c8b638d504eb --- /dev/null +++ b/prebuilts/api/5.0/base/system/system_domain.te @@ -0,0 +1,82 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# Prohibit system component processes from accessing vendor files to achieve access isolation +neverallow { system_domain -vendor_file_violator_dir } vendor_file:dir ~{ search getattr relabelto read open mounton }; +neverallow { system_domain -hdcd -hidumper_service -init -processdump -vendor_file_violator_dir_getattr} vendor_file:dir { getattr }; +neverallow { system_domain -init -vendor_file_violator_dir_relabelto } vendor_file:dir { relabelto }; +neverallow { system_domain -init -processdump -vendor_file_violator_dir_read } vendor_file:dir { read }; +neverallow { system_domain -init -processdump -vendor_file_violator_dir_open } vendor_file:dir { open }; +neverallow { system_domain -vendor_file_violator_dir_mounton } vendor_file:dir { mounton }; +neverallow { system_domain -vendor_file_violator_file } vendor_file:file ~{ map open read getattr execute relabelto setattr }; +neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_map } vendor_file:file { map }; +neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_open } vendor_file:file { open }; +neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_read } vendor_file:file { read }; +neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_getattr } vendor_file:file { getattr }; +neverallow { system_domain -bluetooth_service -distributeddata -foundation -audio_server -resource_schedule_service + -usb_service -vendor_file_violator_file_execute } vendor_file:file { execute }; +neverallow { system_domain -vendor_file_violator_file_relabelto } vendor_file:file { relabelto }; +neverallow { system_domain -vendor_file_violator_file_setattr } vendor_file:file { setattr }; +neverallow { system_domain } vendor_file:{ blk_file chr_file fifo_file lnk_file sock_file } *; + +# Prohibit system component processes from accessing vendor bin files to achieve access isolation +neverallow { system_domain -vendor_bin_file_violator_dir } vendor_bin_file:dir ~{ search getattr open read mounton relabelto }; +neverallow { system_domain -accessibility -bootanimation -nfc_service -hiebpf -hiprofiler_cmd -hiprofilerd -daudio -dcamera -dhardware -dinput -dscreen -render_service + -processdump -hidumper_service -hiview -locationhub -audio_server -av_session -resource_schedule_service -dlp_permission_service + -security_component_service -init -module_update_service -hiprofiler_plugins -hiperf -vendor_bin_file_violator_dir_search } vendor_bin_file:dir { search }; +neverallow { system_domain -vendor_bin_file_violator_dir_getattr } vendor_bin_file:dir { getattr }; +neverallow { system_domain -vendor_bin_file_violator_dir_open } vendor_bin_file:dir { open }; +neverallow { system_domain -vendor_bin_file_violator_dir_read } vendor_bin_file:dir { read }; +neverallow { system_domain -vendor_bin_file_violator_dir_mounton } vendor_bin_file:dir { mounton }; +neverallow { system_domain -vendor_bin_file_violator_dir_relabelto } vendor_bin_file:dir { relabelto }; +neverallow { system_domain -vendor_bin_file_violator_file } { vendor_bin_file }:file ~{ entrypoint execute map read getattr open execute_no_trans relabelto setattr }; +neverallow { system_domain -ispserver -vendor_bin_file_violator_file_entrypoint } vendor_bin_file:file { entrypoint }; +neverallow { system_domain -ispserver -init -vendor_bin_file_violator_file_execute } vendor_bin_file:file { execute }; +neverallow { system_domain -ispserver -hiebpf -hidumper_service -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_map } vendor_bin_file:file { map }; +neverallow { system_domain -ispserver -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_read } vendor_bin_file:file { read }; +neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_getattr } vendor_bin_file:file { getattr }; +neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_open } vendor_bin_file:file { open }; +neverallow { system_domain -vendor_bin_file_violator_file_execute_no_trans } vendor_bin_file:file { execute_no_trans }; +neverallow { system_domain -vendor_bin_file_violator_file_relabelto } vendor_bin_file:file { relabelto }; +neverallow { system_domain -vendor_bin_file_violator_file_setattr } vendor_bin_file:file { setattr }; +neverallow { system_domain -vendor_bin_file_violator_file_lnk_file } vendor_bin_file:lnk_file ~{ read }; +neverallow { system_domain -vendor_bin_file_violator_file_lnk_file_read } vendor_bin_file:lnk_file { read }; +neverallow { system_domain } vendor_bin_file:{ blk_file chr_file fifo_file sock_file } *; + +# Prohibit system component processes from accessing vendor etc files to achieve access isolation +neverallow { system_domain -vendor_etc_file_violator_dir } vendor_etc_file:dir ~{ search getattr read open mounton relabelto }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -multimodalinput -resource_schedule_service -samgr -foundation -powermgr -accountmgr -oaid_service + -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service + -multimodalinput -charger -concurrent_task_service -resource_schedule_service -dlp_permission_service -sensors -appspawn -init -ueventd -telephony_sa + -module_update_service -sys_installer_sa -updater_binary -nwebspawn -module_update_service -vendor_etc_file_violator_dir_search -cjappspawn + -hap_domain -render_service developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_dir_search } vendor_etc_file:dir { search }; +neverallow { system_domain -nfc_service -charger -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_getattr } vendor_etc_file:dir { getattr }; +neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_read } vendor_etc_file:dir { read }; +neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_open } vendor_etc_file:dir { open }; +neverallow { system_domain -vendor_etc_file_violator_dir_mounton } vendor_etc_file:dir { mounton }; +neverallow { system_domain -vendor_etc_file_violator_dir_relabelto } vendor_etc_file:dir { relabelto }; +neverallow { system_domain -vendor_etc_file_violator_file } vendor_etc_file:file ~{ map open read getattr relabelto }; +neverallow { system_domain -bootanimation -media_service -memmgrservice -concurrent_task_service -resource_schedule_service + -vendor_etc_file_violator_file_map } vendor_etc_file:file { map }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr + -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service + -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr + -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service + -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read }; +neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr + -hdf_devmgr -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service + -resource_schedule_service -appspawn -cjappspawn -init -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr }; +neverallow { system_domain -vendor_etc_file_violator_file_relabelto } vendor_etc_file:file { relabelto }; +neverallow { system_domain } vendor_etc_file:{ blk_file chr_file fifo_file lnk_file sock_file } *; diff --git a/prebuilts/api/5.0/base/system/users b/prebuilts/api/5.0/base/system/users new file mode 100644 index 0000000000000000000000000000000000000000..9cc575ca71ae5d2a88320d1581605dccd8295529 --- /dev/null +++ b/prebuilts/api/5.0/base/system/users @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +user u roles { r } level s0 range s0 - s0:c0.c1023; diff --git a/prebuilts/api/5.0/base/system/virtfs_contexts b/prebuilts/api/5.0/base/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5a6527939165d47e5f975a1f7d35de1b4b432214 --- /dev/null +++ b/prebuilts/api/5.0/base/system/virtfs_contexts @@ -0,0 +1,125 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put short path ahead. +# use relative path to mount point. +genfscon rootfs / u:object_r:rootfs:s0 + +genfscon proc / u:object_r:proc_file:s0 +genfscon proc /net u:object_r:proc_net:s0 +genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0 +genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0 + + +genfscon proc /asound u:object_r:proc_asound_file:s0 +genfscon proc /bluetooth u:object_r:proc_bluetooth_file:s0 +genfscon proc /buddyinfo u:object_r:proc_buddyinfo_file:s0 +genfscon proc /bus u:object_r:proc_bus_file:s0 +genfscon proc /cgroups u:object_r:proc_cgroups_file:s0 +genfscon proc /cmdline u:object_r:proc_cmdline_file:s0 +genfscon proc /config.gz u:object_r:proc_config_gz_file:s0 +genfscon proc /cpuinfo u:object_r:proc_cpuinfo_file:s0 +genfscon proc /diskstats u:object_r:proc_diskstats_file:s0 +genfscon proc /dynamic_debug u:object_r:proc_dynamic_debug_file:s0 +genfscon proc /filesystems u:object_r:proc_filesystems_file:s0 +genfscon proc /fs u:object_r:proc_fs_file:s0 +genfscon proc /gt9xx_config u:object_r:proc_gt9xx_config_file:s0 +genfscon proc /interrupts u:object_r:proc_interrupts_file:s0 +genfscon proc /iomem u:object_r:proc_iomem_file:s0 +genfscon proc /keys u:object_r:proc_keys_file:s0 +genfscon proc /kmsg u:object_r:proc_kmsg_file:s0 +genfscon proc /loadavg u:object_r:proc_loadavg_file:s0 +genfscon proc /mounts u:object_r:proc_mounts_file:s0 +genfscon proc /meminfo u:object_r:proc_meminfo_file:s0 +genfscon proc /misc u:object_r:proc_misc_file:s0 +genfscon proc /modules u:object_r:proc_modules_file:s0 +genfscon proc /mpp_service u:object_r:proc_mpp_service_file:s0 +genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo_file:s0 +genfscon proc /partitions u:object_r:proc_partitions_file:s0 +genfscon proc /rkisp-vir0 u:object_r:proc_rkisp_vir0_file:s0 +genfscon proc /slabinfo u:object_r:proc_slabinfo_file:s0 +genfscon proc /softirqs u:object_r:proc_softirqs_file:s0 +genfscon proc /stat u:object_r:proc_stat_file:s0 +genfscon proc /swaps u:object_r:proc_swaps_file:s0 +genfscon proc /sysrq-trigger u:object_r:proc_sysrq_trigger_file:s0 +genfscon proc /timer_list u:object_r:proc_timer_list_file:s0 +genfscon proc /uptime u:object_r:proc_uptime_file:s0 +genfscon proc /version u:object_r:proc_version_file:s0 +genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo_file:s0 +genfscon proc /vmstat u:object_r:proc_vmstat_file:s0 +genfscon proc /zoneinfo u:object_r:proc_zoneinfo_file:s0 +genfscon proc /sys/kernel/random/boot_id u:object_r:proc_boot_id:s0 +genfscon proc /sys/fs/inotify/max_user_watches u:object_r:proc_max_user_watches:s0 +genfscon proc /dsmm/developer u:object_r:proc_developer_file:s0 + +genfscon selinuxfs / u:object_r:selinuxfs:s0 + +genfscon sysfs / u:object_r:sys_file:s0 +genfscon sysfs /hisys u:object_r:sysfs_hisys_file:s0 +genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 +genfscon sysfs /class/gadget_usb u:object_r:sysfs_gadget_usb:s0 +genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /class/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /class/net u:object_r:sysfs_net:s0 +genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_rfkill:s0 +genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_rfkill:s0 +genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_rfkill:s0 +genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_rfkill:s0 +genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/gadget_usb u:object_r:sysfs_gadget_usb:s0 +genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_block_file:s0 +genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_block_loop:s0 +genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_block_zram:s0 +genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_block_zram:s0 +genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0 +genfscon sysfs /power/autosleep u:object_r:sysfs_autosleep:s0 +genfscon sysfs /power/state u:object_r:sysfs_state:s0 +genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0 +genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0 +genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lck:s0 +genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lck:s0 +genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0 +genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0 +genfscon sysfs /kernel/hungtask/userlist u:object_r:sysfs_hungtask_userlist:s0 +genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/fdd40000.i2c/i2c-0/0-0020/rk808-rtc/rtc/rtc0/hctosys u:object_r:sysfs_hctosys:s0 +genfscon sysfs /devices/platform/fe5e0000.i2c/i2c-5/5-0051/rtc/rtc1/hctosys u:object_r:sysfs_hctosys:s0 + + +genfscon debugfs / u:object_r:debugfs:s0 +genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0 +genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0 +genfscon debugfs /binder/failed_transaction_log u:object_r:debugfs_failed_transaction_log:s0 +genfscon debugfs /binder/state u:object_r:debugfs_state:s0 +genfscon debugfs /binder/stats u:object_r:debugfs_stats:s0 +genfscon debugfs /binder/transactions u:object_r:debugfs_transactions:s0 +genfscon debugfs /binder/transaction_log u:object_r:debugfs_transaction_log:s0 +genfscon debugfs /cma/cma-reserved/used u:object_r:debugfs_used:s0 + +genfscon tracefs / u:object_r:tracefs:s0 + +genfscon configfs / u:object_r:configfs:s0 +genfscon configfs /usb_gadget u:object_r:config_usb_gadget:s0 + +genfscon cgroup / u:object_r:cgroup:s0 +genfscon functionfs / u:object_r:functionfs:s0 + +genfscon pstore / u:object_r:pstorefs:s0 + +genfscon hmdfs / u:object_r:hmdfs:s0 +genfscon epfs / u:object_r:epfs:s0 +genfscon sharefs / u:object_r:sharefs:s0 +genfscon fuse / u:object_r:fuse_file:s0 diff --git a/prebuilts/api/5.0/base/te/accessibility.te b/prebuilts/api/5.0/base/te/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..91748cb8a02ad98e1d18a23db114a8979aab19e0 --- /dev/null +++ b/prebuilts/api/5.0/base/te/accessibility.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility accessibility:unix_dgram_socket { getopt setopt }; +allow accessibility accountmgr:binder { call }; +allow accessibility bootevent_param:file { map open read }; +allow accessibility bootevent_samgr_param:file { map open read }; +allow accessibility build_version_param:file { map open read }; +allow accessibility const_allow_mock_param:file { map open read }; +allow accessibility const_allow_param:file { map open read }; +allow accessibility const_build_param:file { map open read }; +allow accessibility const_display_brightness_param:file { map open read }; +allow accessibility const_param:file { map open read }; +allow accessibility const_postinstall_fstab_param:file { map open read }; +allow accessibility const_postinstall_param:file { map open read }; +allow accessibility const_product_param:file { map open read }; +allow accessibility data_file:dir { search }; +allow accessibility data_service_el1_file:dir { add_name getattr remove_name search write }; +allow accessibility data_service_el1_file:file { create getattr ioctl read rename setattr unlink write open }; +allow accessibility data_service_file:dir { search }; +allow accessibility debug_param:file { map open read }; +allow accessibility default_param:file { map open read }; +allow accessibility dev_unix_socket:dir { search }; +allow accessibility distributedsche_param:file { map open read }; +allow accessibility foundation:binder { call transfer }; +allow accessibility hilog_param:file { map open read }; +allow accessibility hw_sc_build_os_param:file { map open read }; +allow accessibility hw_sc_build_param:file { map open read }; +allow accessibility hw_sc_param:file { map open read }; +allow accessibility init_param:file { map open read }; +allow accessibility init_svc_param:file { map open read }; +allow accessibility input_pointer_device_param:file { map open read }; +allow accessibility net_param:file { map open read }; +allow accessibility net_tcp_param:file { map open read }; +allow accessibility normal_hap_attr:binder { call }; +allow accessibility ohos_boot_param:file { map open read }; +allow accessibility ohos_param:file { map open read }; +allow accessibility param_watcher:binder { call transfer }; +allow accessibility persist_param:file { map open read }; +allow accessibility persist_sys_param:file { map open read }; +allow accessibility sa_accessibleabilityms:samgr_class { add }; +allow accessibility sa_accountmgr:samgr_class { get }; +allow accessibility sa_foundation_bms:samgr_class { get }; +allow accessibility sa_foundation_cesfwk_service:samgr_class { get }; +allow accessibility sa_foundation_dms:samgr_class { get }; +allow accessibility sa_foundation_wms:samgr_class { get }; +allow accessibility sa_param_watcher:samgr_class { get }; +allow accessibility security_param:file { map open read }; +allow accessibility startup_param:file { map open read }; +allow accessibility sys_param:file { map open read }; +allow accessibility system_basic_hap_attr:binder { call }; +allow accessibility system_bin_file:dir { search }; +allow accessibility system_core_hap_attr:binder { call }; +allow accessibility system_usr_file:dir { search }; +allow accessibility system_usr_file:file { getattr map open read }; +allow accessibility sys_usb_param:file { map open read }; +allow accessibility tracefs:dir { search }; +allow accessibility tracefs_trace_marker_file:file { open write }; +allow accessibility ui_service:binder { call }; +allowxperm accessibility data_service_el1_file:file ioctl { 0x5413 }; +allow accessibility system_file:file { map open read getattr }; +allow accessibility sys_prod_file:file { map open read getattr }; +allow accessibility vendor_bin_file:dir { search }; +allow accessibility vendor_file:file { map open read getattr }; +allow accessibility chip_prod_file:file { map open read getattr }; +allow accessibility data_app_el1_file:file { map open read getattr }; +allow accessibility dev_console_file:chr_file { read write }; +allow accessibility sysfs_devices_system_cpu:file { read }; +allow accessibility sa_dataobs_mgr_service_service:samgr_class { get }; +allow accessibility sa_render_service:samgr_class { get }; +allow accessibility render_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/base/te/audio_server.te b/prebuilts/api/5.0/base/te/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..f5bb0cc5ae8097cb3df59dea784859265dc11094 --- /dev/null +++ b/prebuilts/api/5.0/base/te/audio_server.te @@ -0,0 +1,49 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server audio_server:unix_stream_socket { connectto }; +allow audio_server bootevent_param:file { map open read }; +allow audio_server bootevent_samgr_param:file { map open read }; +allow audio_server build_version_param:file { map open read }; +allow audio_server const_allow_mock_param:file { map open read }; +allow audio_server const_allow_param:file { map open read }; +allow audio_server const_build_param:file { map open read }; +allow audio_server const_display_brightness_param:file { map read open }; +allow audio_server const_param:file { map open read }; +allow audio_server const_postinstall_fstab_param:file { map open read }; +allow audio_server const_postinstall_param:file { map open read }; +allow audio_server const_product_param:file { map open read }; +allow audio_server debug_param:file { map open read }; +allow audio_server default_param:file { map open read }; +allow audio_server dev_kmsg_file:chr_file { open write }; +allow audio_server distributedsche_param:file { map open read }; +allow audio_server hilog_param:file { map open read }; +allow audio_server hw_sc_build_os_param:file { map open read }; +allow audio_server hw_sc_build_param:file { map open read }; +allow audio_server hw_sc_param:file { map open read }; +allow audio_server init_param:file { map open read }; +allow audio_server init_svc_param:file { map open read }; +allow audio_server input_pointer_device_param:file { map open read }; +allow audio_server net_param:file { map open read }; +allow audio_server net_tcp_param:file { map open read }; +allow audio_server ohos_boot_param:file { map open read }; +allow audio_server ohos_param:file { map open read }; +allow audio_server param_watcher:binder { call transfer }; +allow audio_server persist_param:file { map open read }; +allow audio_server persist_sys_param:file { map open read }; +allow audio_server sa_bluetooth_server:samgr_class { get }; +allow audio_server sa_param_watcher:samgr_class { get }; +allow audio_server security_param:file { map open read }; +allow audio_server startup_param:file { map open read }; +allow audio_server sys_param:file { map open read }; +allow audio_server sys_usb_param:file { map open read }; diff --git a/prebuilts/api/5.0/base/te/bgtaskmgr_service.te b/prebuilts/api/5.0/base/te/bgtaskmgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..88c6066df0dabbe1deb364557dd73f4b45b4f01e --- /dev/null +++ b/prebuilts/api/5.0/base/te/bgtaskmgr_service.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#smoke test +#avc: denied { get } for service=501 pid=473 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_foundation_appms:samgr_class { get }; +#avc: denied { get } for service=401 pid=473 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_foundation_bms:samgr_class { get }; +#avc: denied { add } for service=1903 pid=471 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_bgtaskmgr:samgr_class { add }; diff --git a/prebuilts/api/5.0/base/te/bootanimation.te b/prebuilts/api/5.0/base/te/bootanimation.te new file mode 100644 index 0000000000000000000000000000000000000000..c7a963879521266e160729aa8e253409afb6ce4e --- /dev/null +++ b/prebuilts/api/5.0/base/te/bootanimation.te @@ -0,0 +1,83 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bootanimation bootevent_param:file { map open read }; +allow bootanimation bootevent_param:parameter_service { set }; +allow bootanimation bootevent_samgr_param:file { map open read }; +allow bootanimation build_version_param:file { map open read }; +allow bootanimation const_allow_mock_param:file { map open read }; +allow bootanimation const_allow_param:file { map open read }; +allow bootanimation const_build_param:file { map open read }; +allow bootanimation const_display_brightness_param:file { map open read }; +allow bootanimation const_param:file { map open read }; +allow bootanimation const_postinstall_fstab_param:file { map open read }; +allow bootanimation const_postinstall_param:file { map open read }; +allow bootanimation const_product_param:file { map open read }; +allow bootanimation debug_param:file { map open read }; +allow bootanimation default_param:file { map open read }; +allow bootanimation dev_kmsg_file:chr_file { open write }; +allow bootanimation dev_mali:chr_file { getattr ioctl map open read write }; +allow bootanimation dev_unix_socket:dir { search }; +allow bootanimation allocator_host:fd { use }; +allow bootanimation distributedsche_param:file { map open read }; +allow bootanimation foundation:binder { call transfer }; +allow bootanimation hilog_param:file { map open read }; +allow bootanimation hw_sc_build_os_param:file { map open read }; +allow bootanimation hw_sc_build_param:file { map open read }; +allow bootanimation hw_sc_param:file { map open read }; +allow bootanimation init_param:file { map open read }; +allow bootanimation init_svc_param:file { map open read }; +allow bootanimation input_pointer_device_param:file { map open read }; +allow bootanimation kernel:unix_stream_socket { connectto }; +allow bootanimation media_service:binder { call transfer }; +allow bootanimation multimodalinput:binder { call }; +allow bootanimation multimodalinput:fd { use }; +allow bootanimation multimodalinput:unix_stream_socket { read write }; +allow bootanimation net_param:file { map open read }; +allow bootanimation net_tcp_param:file { map open read }; +allow bootanimation ohos_boot_param:file { map open read }; +allow bootanimation ohos_param:file { map open read }; +allow bootanimation paramservice_socket:sock_file { write }; +allow bootanimation param_watcher:binder { call transfer }; +allow bootanimation persist_param:file { map open read }; +allow bootanimation persist_sys_param:file { map open read }; +allow bootanimation proc_cpuinfo_file:file { open read }; +allow bootanimation render_service:binder { call transfer }; +allow bootanimation render_service:fd { use }; +allow bootanimation render_service:unix_stream_socket { read read write }; +allow bootanimation sa_foundation_dms:samgr_class { get }; +allow bootanimation sa_foundation_wms:samgr_class { get }; +allow bootanimation sa_media_service:samgr_class { get }; +allow bootanimation sa_multimodalinput_service:samgr_class { get }; +allow bootanimation sa_param_watcher:samgr_class { get }; +allow bootanimation sa_render_service:samgr_class { get }; +allow bootanimation security_param:file { map open read }; +allow bootanimation startup_param:file { map open read }; +allow bootanimation sys_param:file { map open read }; +allow bootanimation system_basic_hap_attr:fd { use }; +allow bootanimation system_bin_file:dir { search }; +allow bootanimation system_bin_file:file { entrypoint execute map read }; +allow bootanimation toybox_exec:file { entrypoint execute map read }; +allow bootanimation system_usr_file:dir { search }; +allow bootanimation system_usr_file:file { getattr map open read }; +allow bootanimation sys_usb_param:file { map open read }; +allow bootanimation tracefs:dir { search }; +allow bootanimation tracefs_trace_marker_file:file { open write }; +allowxperm bootanimation dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8004 0x8005 0x8006 0x8007 0x800e 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8024 0x8025 0x8026 0x8027 0x800f 0x8029 0x802a 0x8031 0x802b 0x802c 0x802d 0x802e 0x802f 0x8030 0x8033 0x8034 0x8036}; +allow bootanimation chip_prod_file:dir { search }; +allow bootanimation sys_prod_file:dir { search }; +allow bootanimation vendor_bin_file:dir { search }; +allow bootanimation vendor_etc_file:dir { search }; +allow bootanimation chip_prod_file:file { map open read getattr }; +allow bootanimation sys_prod_file:file { map open read getattr }; +allow bootanimation vendor_etc_file:file { map open read getattr }; diff --git a/prebuilts/api/5.0/base/te/camera_service.te b/prebuilts/api/5.0/base/te/camera_service.te new file mode 100644 index 0000000000000000000000000000000000000000..38d534405b5582b629e8589d44e6c0b47f4608f1 --- /dev/null +++ b/prebuilts/api/5.0/base/te/camera_service.te @@ -0,0 +1,69 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow camera_service accesstoken_service:binder { call }; +allow camera_service bootevent_param:file { map open read }; +allow camera_service bootevent_samgr_param:file { map open read }; +allow camera_service build_version_param:file { map open read }; +allow camera_service camera_host:binder { call transfer }; +allow camera_service const_allow_mock_param:file { map open read }; +allow camera_service const_allow_param:file { map open read }; +allow camera_service const_build_param:file { map open read }; +allow camera_service const_display_brightness_param:file { map open read }; +allow camera_service const_param:file { map open read }; +allow camera_service const_postinstall_fstab_param:file { map open read }; +allow camera_service const_postinstall_param:file { map open read }; +allow camera_service const_product_param:file { map open read }; +allow camera_service dcamera:binder { call }; +allow camera_service dcamera_host:binder { call transfer }; +allow camera_service debug_param:file { map open read }; +allow camera_service default_param:file { map read open }; +allow camera_service dev_unix_socket:dir { search }; +allow camera_service dhardware:binder { call transfer }; +allow camera_service distributedsche_param:file { map open read }; +allow camera_service foundation:binder { call }; +allow camera_service hdf_camera_service:hdf_devmgr_class { get }; +allow camera_service hdf_devmgr:binder { call transfer }; +allow camera_service hdf_distributed_camera_service:hdf_devmgr_class { get }; +allow camera_service hilog_param:file { map read open }; +allow camera_service hw_sc_build_os_param:file { map open read }; +allow camera_service hw_sc_build_param:file { map open read }; +allow camera_service hw_sc_param:file { map open read }; +allow camera_service init_param:file { map open read }; +allow camera_service init_svc_param:file { map open read }; +allow camera_service input_pointer_device_param:file { map open read }; +allow camera_service media_service:binder { call }; +allow camera_service net_param:file { map open read }; +allow camera_service net_tcp_param:file { map open read }; +allow camera_service ohos_boot_param:file { map open read }; +allow camera_service ohos_param:file { map open read }; +allow camera_service param_watcher:binder { call transfer }; +allow camera_service persist_param:file { map open read }; +allow camera_service persist_sys_param:file { map open read }; +allow camera_service powermgr:binder { call }; +allow camera_service render_service:binder { call }; +allow camera_service sa_accesstoken_manager_service:samgr_class { get }; +allow camera_service sa_camera_service:samgr_class { add }; +allow camera_service sa_device_service_manager:samgr_class { get }; +allow camera_service sa_foundation_dms:samgr_class { get }; +allow camera_service sa_param_watcher:samgr_class { get }; +allow camera_service security_param:file { map open read }; +allow camera_service startup_param:file { map open read }; +allow camera_service sys_param:file { map open read }; +allow camera_service system_bin_file:dir { search }; +allow camera_service system_core_hap_attr:binder { call transfer }; +allow camera_service sys_usb_param:file { map open read }; +allow camera_service tracefs:dir { search }; +allow camera_service tracefs_trace_marker_file:file { open write }; +allow camera_service sa_memory_manager_service:samgr_class { get }; +allow camera_service memmgrservice:binder { call transfer }; diff --git a/prebuilts/api/5.0/base/te/console.te b/prebuilts/api/5.0/base/te/console.te new file mode 100644 index 0000000000000000000000000000000000000000..dbcfbeaf5f37161e0f9fe009626c96e18c2bae86 --- /dev/null +++ b/prebuilts/api/5.0/base/te/console.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + permissive console; +') diff --git a/prebuilts/api/5.0/base/te/d-bms.te b/prebuilts/api/5.0/base/te/d-bms.te new file mode 100644 index 0000000000000000000000000000000000000000..505eaa7751ee48a863c1e5f666fc8ad588f63dfa --- /dev/null +++ b/prebuilts/api/5.0/base/te/d-bms.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow d-bms bootevent_param:file { map open read }; +allow d-bms bootevent_samgr_param:file { map open read }; +allow d-bms build_version_param:file { map open read }; +allow d-bms const_allow_mock_param:file { map open read }; +allow d-bms const_allow_param:file { map open read }; +allow d-bms const_build_param:file { map open read }; +allow d-bms const_display_brightness_param:file { map open read }; +allow d-bms const_param:file { map open read }; +allow d-bms const_postinstall_fstab_param:file { map open read }; +allow d-bms const_postinstall_param:file { map open read }; +allow d-bms const_product_param:file { map open read }; +allow d-bms debug_param:file { map open read }; +allow d-bms default_param:file { map open read }; +allow d-bms distributedsche_param:file { map open read }; +allow d-bms hilog_param:file { map open read }; +allow d-bms hw_sc_build_os_param:file { map open read }; +allow d-bms hw_sc_build_param:file { map open read }; +allow d-bms hw_sc_param:file { map open read }; +allow d-bms init_param:file { map open read }; +allow d-bms init_svc_param:file { map open read }; +allow d-bms input_pointer_device_param:file { map open read }; +allow d-bms net_param:file { map open read }; +allow d-bms net_tcp_param:file { map open read }; +allow d-bms ohos_boot_param:file { map open read }; +allow d-bms ohos_param:file { map open read }; +allow d-bms param_watcher:binder { call transfer }; +allow d-bms persist_param:file { map open read }; +allow d-bms persist_sys_param:file { map open read }; +allow d-bms sa_distributed_bundle_mgr_service_service:samgr_class { add }; +allow d-bms sa_foundation_devicemanager_service:samgr_class { get }; +allow d-bms security_param:file { map open read }; +allow d-bms startup_param:file { map open read }; +allow d-bms sys_param:file { map open read }; +allow d-bms system_bin_file:dir { search }; +allow d-bms system_usr_file:dir { search }; +allow d-bms system_usr_file:file { getattr map open read }; +allow d-bms sys_usb_param:file { map open read }; +allow d-bms tracefs:dir { search }; +allow d-bms tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/deviceauth_service.te b/prebuilts/api/5.0/base/te/deviceauth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..f8145ef8ebe27ba6947f9c2f7add1fc414bb498f --- /dev/null +++ b/prebuilts/api/5.0/base/te/deviceauth_service.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow deviceauth_service bootevent_param:file { map open read }; +allow deviceauth_service bootevent_samgr_param:file { map open read }; +allow deviceauth_service build_version_param:file { map open read }; +allow deviceauth_service const_allow_mock_param:file { map open read }; +allow deviceauth_service const_allow_param:file { map open read }; +allow deviceauth_service const_build_param:file { map open read }; +allow deviceauth_service const_display_brightness_param:file { map open read }; +allow deviceauth_service const_param:file { map open read }; +allow deviceauth_service const_postinstall_fstab_param:file { map open read }; +allow deviceauth_service const_postinstall_param:file { map open read }; +allow deviceauth_service const_product_param:file { map open read }; +allow deviceauth_service debug_param:file { map open read }; +allow deviceauth_service default_param:file { map open read }; +allow deviceauth_service distributedsche:binder { call }; +allow deviceauth_service distributedsche_param:file { map open read }; +allow deviceauth_service hilog_param:file { map open read }; +allow deviceauth_service hw_sc_build_os_param:file { map open read }; +allow deviceauth_service hw_sc_build_param:file { map open read }; +allow deviceauth_service hw_sc_param:file { map open read }; +allow deviceauth_service init_param:file { map open read }; +allow deviceauth_service init_svc_param:file { map open read }; +allow deviceauth_service input_pointer_device_param:file { map open read }; +allow deviceauth_service net_param:file { map open read }; +allow deviceauth_service net_tcp_param:file { map open read }; +allow deviceauth_service ohos_boot_param:file { map open read }; +allow deviceauth_service ohos_param:file { map open read }; +allow deviceauth_service persist_param:file { map open read }; +allow deviceauth_service persist_sys_param:file { map open read }; +allow deviceauth_service sa_accesstoken_manager_service:samgr_class { get }; +allow deviceauth_service sa_accountmgr:samgr_class { get }; +allow deviceauth_service sa_device_auth_service:samgr_class { add }; +allow deviceauth_service sa_huks_service:samgr_class { get }; +allow deviceauth_service sa_softbus_service:samgr_class { get }; +allow deviceauth_service security_param:file { map open read }; +allow deviceauth_service startup_param:file { map open read }; +allow deviceauth_service sys_param:file { map open read }; +allow deviceauth_service sys_usb_param:file { map open read }; +allow deviceauth_service netmanager:binder { call transfer }; +allow netmanager deviceauth_service:binder { call }; +allow deviceauth_service sa_net_conn_manager:samgr_class { get }; +allow deviceauth_service normal_hap_attr:binder { call transfer }; +allow deviceauth_service sa_foundation_bms:samgr_class { get }; +allow deviceauth_service sa_foundation_abilityms:samgr_class { get }; +allow deviceauth_service accountmgr:fd { use }; diff --git a/prebuilts/api/5.0/base/te/deviceinfoservice.te b/prebuilts/api/5.0/base/te/deviceinfoservice.te new file mode 100644 index 0000000000000000000000000000000000000000..a6cc1f1cd6a1f9ac2ab6a32299bff1231277b206 --- /dev/null +++ b/prebuilts/api/5.0/base/te/deviceinfoservice.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow deviceinfoservice accesstoken_service:binder { call }; +allow deviceinfoservice bootevent_param:file { map open read }; +allow deviceinfoservice bootevent_samgr_param:file { map open read }; +allow deviceinfoservice build_version_param:file { map open read }; +allow deviceinfoservice const_allow_mock_param:file { map open read }; +allow deviceinfoservice const_allow_param:file { map open read }; +allow deviceinfoservice const_build_param:file { map open read }; +allow deviceinfoservice const_display_brightness_param:file { map open read }; +allow deviceinfoservice const_param:file { map open read }; +allow deviceinfoservice const_postinstall_fstab_param:file { map open read }; +allow deviceinfoservice const_postinstall_param:file { map open read }; +allow deviceinfoservice const_product_param:file { map open read }; +allow deviceinfoservice debug_param:file { map open read }; +allow deviceinfoservice default_param:file { map open read }; +allow deviceinfoservice dev_unix_socket:dir { search }; +allow deviceinfoservice distributedsche_param:file { map open read }; +allow deviceinfoservice hilog_param:file { map open read }; +allow deviceinfoservice hw_sc_build_os_param:file { map open read }; +allow deviceinfoservice hw_sc_build_param:file { map open read }; +allow deviceinfoservice hw_sc_param:file { map open read }; +allow deviceinfoservice init_param:file { map open read }; +allow deviceinfoservice init_svc_param:file { map open read }; +allow deviceinfoservice input_pointer_device_param:file { map open read }; +allow deviceinfoservice net_param:file { map open read }; +allow deviceinfoservice net_tcp_param:file { map open read }; +allow deviceinfoservice ohos_boot_param:file { map open read }; +allow deviceinfoservice ohos_param:file { map open read }; +allow deviceinfoservice param_watcher:binder { call transfer }; +allow deviceinfoservice persist_param:file { map open read }; +allow deviceinfoservice persist_sys_param:file { map open read }; +allow deviceinfoservice sa_accesstoken_manager_service:samgr_class { get }; +allow deviceinfoservice sa_param_watcher:samgr_class { get }; +allow deviceinfoservice sa_sysparam_device_service:samgr_class { add }; +allow deviceinfoservice security_param:file { map open read }; +allow deviceinfoservice startup_param:file { map open read }; +allow deviceinfoservice sys_param:file { map open read }; +allow deviceinfoservice system_bin_file:dir { search }; +allow deviceinfoservice sys_usb_param:file { map open read }; +allow deviceinfoservice tracefs:dir { search }; +allow deviceinfoservice tracefs_trace_marker_file:file { open write }; +allow deviceinfoservice sys_file:file { open read }; diff --git a/prebuilts/api/5.0/base/te/dhardware.te b/prebuilts/api/5.0/base/te/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..0985a75955697578f01c41542e2eb1560d543735 --- /dev/null +++ b/prebuilts/api/5.0/base/te/dhardware.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dhardware bootevent_param:file { map open read }; +allow dhardware bootevent_samgr_param:file { map open read }; +allow dhardware build_version_param:file { map open read }; +allow dhardware const_allow_mock_param:file { map open read }; +allow dhardware const_allow_param:file { map open read }; +allow dhardware const_build_param:file { map open read }; +allow dhardware const_display_brightness_param:file { map open read }; +allow dhardware const_param:file { map open read }; +allow dhardware const_postinstall_fstab_param:file { map open read }; +allow dhardware const_postinstall_param:file { map open read }; +allow dhardware const_product_param:file { map open read }; +allow dhardware debug_param:file { map open read }; +allow dhardware default_param:file { map open read }; +allow dhardware distributeddata:binder { call transfer }; +allow dhardware distributedsche_param:file { map open read }; +allow dhardware dscreen:binder { call transfer }; +allow dhardware foundation:binder { call transfer }; +allow dhardware hilog_param:file { map open read }; +allow dhardware hw_sc_build_os_param:file { map open read }; +allow dhardware hw_sc_build_param:file { map open read }; +allow dhardware hw_sc_param:file { map open read }; +allow dhardware init_param:file { map open read }; +allow dhardware init_svc_param:file { map open read }; +allow dhardware input_pointer_device_param:file { map open read }; +allow dhardware media_service:binder { call transfer }; +allow dhardware net_param:file { map open read }; +allow dhardware net_tcp_param:file { map open read }; +allow dhardware ohos_boot_param:file { map open read }; +allow dhardware ohos_param:file { map open read }; +allow dhardware param_watcher:binder { call transfer }; +allow dhardware persist_param:file { map open read }; +allow dhardware persist_sys_param:file { map open read }; +allow dhardware powermgr:binder { call transfer }; +allow dhardware security_param:file { map open read }; +allow dhardware softbus_server:binder { call transfer }; +allow dhardware softbus_server:tcp_socket { shutdown }; +allow dhardware startup_param:file { map open read }; +allow dhardware sys_param:file { map open read }; +allow dhardware system_bin_file:dir { search }; +allow dhardware sys_usb_param:file { map open read }; +allow dhardware tracefs:dir { search }; +allow dhardware tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/distributedfiledaemon.te b/prebuilts/api/5.0/base/te/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..1b4e662ee4db0e3c5a3fd07975f2b6090ac5a98a --- /dev/null +++ b/prebuilts/api/5.0/base/te/distributedfiledaemon.te @@ -0,0 +1,70 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedfiledaemon accountmgr:binder { call transfer }; +allow distributedfiledaemon bootevent_param:file { map open read }; +allow distributedfiledaemon bootevent_samgr_param:file { map open read }; +allow distributedfiledaemon build_version_param:file { map open read }; +allow distributedfiledaemon const_allow_mock_param:file { map open read }; +allow distributedfiledaemon const_allow_param:file { map open read }; +allow distributedfiledaemon const_build_param:file { map open read }; +allow distributedfiledaemon const_display_brightness_param:file { map open read }; +allow distributedfiledaemon const_param:file { map open read }; +allow distributedfiledaemon const_postinstall_fstab_param:file { map open read }; +allow distributedfiledaemon const_postinstall_param:file { map open read }; +allow distributedfiledaemon const_product_param:file { map open read }; +allow distributedfiledaemon data_service_el2_file:dir { search }; +allow distributedfiledaemon debug_param:file { map open read }; +allow distributedfiledaemon default_param:file { map open read }; +allow distributedfiledaemon deviceauth_service:binder { call }; +allow distributedfiledaemon dev_unix_socket:dir { search }; +allow distributedfiledaemon distributedfiledaemon:unix_dgram_socket { getopt setopt }; +allow distributedfiledaemon distributedsche_param:file { map open read }; +allow distributedfiledaemon dslm_service:binder { call transfer }; +allow distributedfiledaemon foundation:binder { call transfer }; +allow distributedfiledaemon hilog_param:file { map open read }; +allow distributedfiledaemon hiview:unix_dgram_socket { sendto }; +allow distributedfiledaemon huks_service:binder { call }; +allow distributedfiledaemon hw_sc_build_os_param:file { map open read }; +allow distributedfiledaemon hw_sc_build_param:file { map open read }; +allow distributedfiledaemon hw_sc_param:file { map open read }; +allow distributedfiledaemon init_param:file { map open read }; +allow distributedfiledaemon init_svc_param:file { map open read }; +allow distributedfiledaemon input_pointer_device_param:file { map open read }; +allow distributedfiledaemon net_param:file { map open read }; +allow distributedfiledaemon net_tcp_param:file { map open read }; +allow distributedfiledaemon ohos_boot_param:file { map open read }; +allow distributedfiledaemon ohos_param:file { map open read }; +allow distributedfiledaemon param_watcher:binder { call transfer }; +allow distributedfiledaemon persist_param:file { map open read }; +allow distributedfiledaemon persist_sys_param:file { map open read }; +allow distributedfiledaemon sa_accountmgr:samgr_class { get }; +allow distributedfiledaemon sa_device_auth_service:samgr_class { get }; +allow distributedfiledaemon sa_device_security_level_manager_service:samgr_class { get }; +allow distributedfiledaemon sa_filemanagement_distributed_file_daemon_service:samgr_class { add }; +allow distributedfiledaemon sa_foundation_devicemanager_service:samgr_class { get }; +allow distributedfiledaemon sa_huks_service:samgr_class { get }; +allow distributedfiledaemon sa_param_watcher:samgr_class { get }; +allow distributedfiledaemon sa_softbus_service:samgr_class { get }; +allow distributedfiledaemon security_param:file { map open read }; +allow distributedfiledaemon softbus_server:binder { call transfer }; +allow distributedfiledaemon softbus_server:fd { use }; +allow distributedfiledaemon softbus_server:tcp_socket { setopt shutdown }; +allow distributedfiledaemon startup_param:file { map open read }; +allow distributedfiledaemon sys_file:file { getattr open read write }; +allow distributedfiledaemon sys_fs_hmdfs:file { getattr open read write }; +allow distributedfiledaemon sys_param:file { map open read }; +allow distributedfiledaemon system_bin_file:dir { search }; +allow distributedfiledaemon sys_usb_param:file { map open read }; +allow distributedfiledaemon tracefs:dir { search }; +allow distributedfiledaemon tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/distributedsche.te b/prebuilts/api/5.0/base/te/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..c07a2e8c55ac54d73bf1a95a14e6e642ced7e428 --- /dev/null +++ b/prebuilts/api/5.0/base/te/distributedsche.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedsche bootevent_param:file { map open read }; +allow distributedsche bootevent_samgr_param:file { map open read }; +allow distributedsche build_version_param:file { map open read }; +allow distributedsche const_allow_mock_param:file { map open read }; +allow distributedsche const_allow_param:file { map open read }; +allow distributedsche const_build_param:file { map open read }; +allow distributedsche const_display_brightness_param:file { map open read }; +allow distributedsche const_param:file { map open read }; +allow distributedsche const_postinstall_fstab_param:file { map open read }; +allow distributedsche const_postinstall_param:file { map open read }; +allow distributedsche const_product_param:file { map open read }; +allow distributedsche debug_param:file { map open read }; +allow distributedsche default_param:file { map open read }; +allow distributedsche deviceauth_service:binder { transfer }; +allow distributedsche distributeddata:binder { transfer }; +allow distributedsche distributedsche_param:file { map open read }; +allow distributedsche distributedsche:unix_dgram_socket { getopt setopt }; +allow distributedsche hilog_param:file { map open read }; +allow distributedsche huks_service:binder { call }; +allow distributedsche hw_sc_build_os_param:file { map open read }; +allow distributedsche hw_sc_build_param:file { map open read }; +allow distributedsche hw_sc_param:file { map open read }; +allow distributedsche init_param:file { map open read }; +allow distributedsche init_svc_param:file { map open read }; +allow distributedsche input_pointer_device_param:file { map open read }; +allow distributedsche net_param:file { map open read }; +allow distributedsche net_tcp_param:file { map open read }; +allow distributedsche ohos_boot_param:file { map open read }; +allow distributedsche ohos_param:file { map open read }; +allow distributedsche param_watcher:binder { call transfer }; +allow distributedsche persist_param:file { map open read }; +allow distributedsche persist_sys_param:file { map open read }; +allow distributedsche sa_device_auth_service:samgr_class { get }; +allow distributedsche sa_huks_service:samgr_class { get }; +allow distributedsche security_param:file { map open read }; +allow distributedsche softbus_server:binder { transfer }; +allow distributedsche startup_param:file { map open read }; +allow distributedsche sys_param:file { map open read }; +allow distributedsche system_bin_file:dir { search }; +allow distributedsche sys_usb_param:file { map open read }; +allow distributedsche tracefs:dir { search }; +allow distributedsche tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/download_server.te b/prebuilts/api/5.0/base/te/download_server.te new file mode 100644 index 0000000000000000000000000000000000000000..b383fe022fc1623e058d58fa9b83ed4db528c475 --- /dev/null +++ b/prebuilts/api/5.0/base/te/download_server.te @@ -0,0 +1,64 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow download_server bootevent_param:file { map open read }; +allow download_server bootevent_samgr_param:file { map open read }; +allow download_server build_version_param:file { map open read }; +allow download_server const_allow_mock_param:file { map open read }; +allow download_server const_allow_param:file { map open read }; +allow download_server const_build_param:file { map open read }; +allow download_server const_display_brightness_param:file { map open read }; +allow download_server const_param:file { map open read }; +allow download_server const_postinstall_fstab_param:file { map open read }; +allow download_server const_postinstall_param:file { map open read }; +allow download_server const_product_param:file { map open read }; +allow download_server data_log:file { read write write }; +allow download_server debug_param:file { map open read }; +allow download_server default_param:file { map open read }; +allow download_server dev_unix_socket:dir { search }; +allow download_server dev_unix_socket:sock_file { write }; +allow download_server distributedsche_param:file { map open read }; +allow download_server download_server:unix_dgram_socket { getopt setopt }; +allow download_server faultloggerd:fd { use }; +allow download_server faultloggerd:unix_stream_socket { connectto }; +allow download_server hilog_param:file { map open read }; +allow download_server hw_sc_build_os_param:file { map open read }; +allow download_server hw_sc_build_param:file { map open read }; +allow download_server hw_sc_param:file { map open read }; +allow download_server init_param:file { map open read }; +allow download_server init_svc_param:file { map open read }; +allow download_server input_pointer_device_param:file { map open read }; +allow download_server netmanager:binder { call transfer }; +allow download_server net_param:file { map open read }; +allow download_server net_tcp_param:file { map open read }; +allow download_server ohos_boot_param:file { map open read }; +allow download_server ohos_param:file { map open read }; +allow download_server param_watcher:binder { call transfer }; +allow download_server persist_param:file { map open read }; +allow download_server persist_sys_param:file { map open read }; +allow download_server sa_download_service:samgr_class { add }; +allow download_server sa_net_conn_manager:samgr_class { get }; +allow download_server sa_param_watcher:samgr_class { get }; +allow download_server sa_telephony_tel_core_service:samgr_class { get }; +allow download_server security_param:file { map open read }; +allow download_server startup_param:file { map open read }; +allow download_server sys_param:file { map open read }; +allow download_server system_bin_file:dir { search }; +allow download_server system_bin_file:file { execute execute_no_trans map read open }; +allow download_server toybox_exec:file { execute execute_no_trans map read open }; +allow download_server system_basic_hap_attr:fd { use }; +allow download_server system_basic_hap_data_file_attr:file { read write }; +allow download_server sys_usb_param:file { map open read }; +allow download_server telephony_sa:binder { call }; +allow download_server tracefs:dir { search }; +allow download_server tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/drm_service.te b/prebuilts/api/5.0/base/te/drm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..7427677c1f36ef97da8859eeffba04f58eaf934d --- /dev/null +++ b/prebuilts/api/5.0/base/te/drm_service.te @@ -0,0 +1,52 @@ +allow drm_service accesstoken_service:binder { call }; +allow drm_service bootevent_param:file { map open read }; +allow drm_service bootevent_samgr_param:file { map open read }; +allow drm_service build_version_param:file { map open read }; +#allow drm_service drm_host:binder { call transfer }; +allow drm_service clearplay_host:binder { call transfer }; +allow drm_service const_allow_mock_param:file { map open read }; +allow drm_service const_allow_param:file { map open read }; +allow drm_service const_build_param:file { map open read }; +allow drm_service const_param:file { map open read }; +allow drm_service const_postinstall_fstab_param:file { map open read }; +allow drm_service const_postinstall_param:file { map open read }; +allow drm_service const_product_param:file { map open read }; +allow drm_service debug_param:file { map open read }; +allow drm_service default_param:file { map read open }; +allow drm_service dev_unix_socket:dir { search }; +allow drm_service dhardware:binder { call transfer }; +allow drm_service distributedsche_param:file { map open read }; +allow drm_service foundation:binder { call }; +allow drm_service hdf_drm_service:hdf_devmgr_class { get }; +allow drm_service hdf_devmgr:binder { call transfer }; +allow drm_service hilog_param:file { map read open }; +allow drm_service hw_sc_build_os_param:file { map open read }; +allow drm_service hw_sc_build_param:file { map open read }; +allow drm_service hw_sc_param:file { map open read }; +allow drm_service init_param:file { map open read }; +allow drm_service init_svc_param:file { map open read }; +allow drm_service input_pointer_device_param:file { map open read }; +allow drm_service media_service:binder { call }; +allow drm_service net_param:file { map open read }; +allow drm_service net_tcp_param:file { map open read }; +allow drm_service ohos_boot_param:file { map open read }; +allow drm_service ohos_param:file { map open read }; +allow drm_service param_watcher:binder { call transfer }; +allow drm_service persist_param:file { map open read }; +allow drm_service persist_sys_param:file { map open read }; +allow drm_service render_service:binder { call }; +allow drm_service sa_accesstoken_manager_service:samgr_class { get }; +allow drm_service sa_drm_service:samgr_class { add }; +allow drm_service sa_device_service_manager:samgr_class { get }; +allow drm_service sa_foundation_dms:samgr_class { get }; +allow drm_service sa_param_watcher:samgr_class { get }; +allow drm_service security_param:file { map open read }; +allow drm_service startup_param:file { map open read }; +allow drm_service sys_param:file { map open read }; +allow drm_service system_bin_file:dir { search }; +allow drm_service system_core_hap:binder { call transfer }; +allow drm_service sys_usb_param:file { map open read }; +allow drm_service tracefs:dir { search }; +allow drm_service tracefs_trace_marker_file:file { open write }; +allow drm_service hdf_devmgr:hdf_devmgr_class { list }; + diff --git a/prebuilts/api/5.0/base/te/dscreen.te b/prebuilts/api/5.0/base/te/dscreen.te new file mode 100644 index 0000000000000000000000000000000000000000..bf57c2eebaa4f3b63c8982b27adbcf642f1cdd94 --- /dev/null +++ b/prebuilts/api/5.0/base/te/dscreen.te @@ -0,0 +1,47 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dscreen bootevent_param:file { map open read }; +allow dscreen bootevent_samgr_param:file { map open read }; +allow dscreen build_version_param:file { map open read }; +allow dscreen const_allow_mock_param:file { map open read }; +allow dscreen const_allow_param:file { map open read }; +allow dscreen const_build_param:file { map open read }; +allow dscreen const_display_brightness_param:file { map open read }; +allow dscreen const_param:file { map open read }; +allow dscreen const_postinstall_fstab_param:file { map open read }; +allow dscreen const_postinstall_param:file { map open read }; +allow dscreen const_product_param:file { map open read }; +allow dscreen debug_param:file { map open read }; +allow dscreen default_param:file { map open read }; +allow dscreen dhardware:binder { call }; +allow dscreen distributedsche_param:file { map open read }; +allow dscreen hilog_param:file { map open read }; +allow dscreen hw_sc_build_os_param:file { map open read }; +allow dscreen hw_sc_build_param:file { map open read }; +allow dscreen hw_sc_param:file { map open read }; +allow dscreen init_param:file { map open read }; +allow dscreen init_svc_param:file { map open read }; +allow dscreen input_pointer_device_param:file { map open read }; +allow dscreen net_param:file { map open read }; +allow dscreen net_tcp_param:file { map open read }; +allow dscreen ohos_boot_param:file { map open read }; +allow dscreen ohos_param:file { map open read }; +allow dscreen param_watcher:binder { call transfer }; +allow dscreen persist_param:file { map open read }; +allow dscreen persist_sys_param:file { map open read }; +allow dscreen security_param:file { map open read }; +allow dscreen startup_param:file { map open read }; +allow dscreen sys_param:file { map open read }; +allow dscreen system_bin_file:dir { search }; +allow dscreen sys_usb_param:file { map open read }; diff --git a/prebuilts/api/5.0/base/te/dslm_service.te b/prebuilts/api/5.0/base/te/dslm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..63dda0751d418cc15c43e01a9de3271c6ad1f4b1 --- /dev/null +++ b/prebuilts/api/5.0/base/te/dslm_service.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dslm_service bootevent_param:file { map open read }; +allow dslm_service bootevent_samgr_param:file { map open read }; +allow dslm_service build_version_param:file { map open read }; +allow dslm_service const_allow_mock_param:file { map open read }; +allow dslm_service const_allow_param:file { map open read }; +allow dslm_service const_build_param:file { map open read }; +allow dslm_service const_display_brightness_param:file { map open read }; +allow dslm_service const_param:file { map open read }; +allow dslm_service const_postinstall_fstab_param:file { map open read }; +allow dslm_service const_postinstall_param:file { map open read }; +allow dslm_service const_product_param:file { map open read }; +allow dslm_service debug_param:file { map open read }; +allow dslm_service default_param:file { map open read }; +allow dslm_service distributeddata:binder { call }; +allow dslm_service distributedfiledaemon:binder { call }; +allow dslm_service distributedsche_param:file { map open read }; +allow dslm_service hilog_param:file { map open read }; +allow dslm_service hw_sc_build_os_param:file { map open read }; +allow dslm_service hw_sc_build_param:file { map open read }; +allow dslm_service hw_sc_param:file { map open read }; +allow dslm_service init_param:file { map open read }; +allow dslm_service init_svc_param:file { map open read }; +allow dslm_service input_pointer_device_param:file { map open read }; +allow dslm_service net_param:file { map open read }; +allow dslm_service net_tcp_param:file { map open read }; +allow dslm_service normal_hap_attr:binder { call }; +allow dslm_service ohos_boot_param:file { map open read }; +allow dslm_service ohos_param:file { map open read }; +allow dslm_service param_watcher:binder { call transfer }; +allow dslm_service persist_param:file { map open read }; +allow dslm_service persist_sys_param:file { map open read }; +allow dslm_service sa_device_auth_service:samgr_class { get }; +allow dslm_service sa_device_security_level_manager_service:samgr_class { add }; +allow dslm_service sa_huks_service:samgr_class { get }; +allow dslm_service sa_param_watcher:samgr_class { get }; +allow dslm_service sa_softbus_service:samgr_class { get }; +allow dslm_service security_param:file { map open read }; +allow dslm_service softbus_server:tcp_socket { shutdown }; +allow dslm_service startup_param:file { map open read }; +allow dslm_service sys_param:file { map open read }; +allow dslm_service system_bin_file:dir { search }; +allow dslm_service sys_usb_param:file { map open read }; +allow dslm_service tracefs:dir { search }; +allow dslm_service tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/faultloggerd.te b/prebuilts/api/5.0/base/te/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..21670d54e10bd59c7f8923e34c8885bffc52e42f --- /dev/null +++ b/prebuilts/api/5.0/base/te/faultloggerd.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd bootevent_param:file { map open read }; +allow faultloggerd bootevent_samgr_param:file { map open read }; +allow faultloggerd build_version_param:file { map open read }; +allow faultloggerd const_allow_mock_param:file { map open read }; +allow faultloggerd const_allow_param:file { map open read }; +allow faultloggerd const_build_param:file { map open read }; +allow faultloggerd const_display_brightness_param:file { map open read }; +allow faultloggerd const_param:file { map open read }; +allow faultloggerd const_postinstall_fstab_param:file { map open read }; +allow faultloggerd const_postinstall_param:file { map open read }; +allow faultloggerd const_product_param:file { map open read }; +allow faultloggerd data_file:dir { search }; +allow faultloggerd data_log:dir { add_name open read search write }; +allow faultloggerd data_log:file { create read write open setattr }; +allow faultloggerd debug_param:file { map open read }; +allow faultloggerd default_param:file { map open read }; +allow faultloggerd dev_kmsg_file:chr_file { open write }; +allow faultloggerd dev_unix_socket:dir { add_name remove_name search write }; +allow faultloggerd dev_unix_socket:sock_file { create setattr }; +allow faultloggerd distributedsche_param:file { map open read }; +allow faultloggerd faultloggerd:capability kill; +allow faultloggerd faultloggerd_exec:file { entrypoint execute map read }; +allow faultloggerd faultloggerd_socket:sock_file { setattr }; +allow faultloggerd foundation:process { signal }; +allow faultloggerd hilog_param:file { map open read }; +allow faultloggerd hw_sc_build_os_param:file { map open read }; +allow faultloggerd hw_sc_build_param:file { map open read }; +allow faultloggerd hw_sc_param:file { map open read }; +allow faultloggerd init_param:file { map open read }; +allow faultloggerd init_svc_param:file { map open read }; +allow faultloggerd input_pointer_device_param:file { map open read }; +allow faultloggerd net_param:file { map open read }; +allow faultloggerd net_tcp_param:file { map open read }; +allow faultloggerd ohos_boot_param:file { map open read }; +allow faultloggerd ohos_param:file { map open read }; +allow faultloggerd persist_param:file { map open read }; +allow faultloggerd persist_sys_param:file { map open read }; +allow faultloggerd powermgr:process { signal }; +allow faultloggerd security_param:file { map open read }; +allow faultloggerd startup_param:file { map open read }; +allow faultloggerd sys_param:file { map open read }; +allow faultloggerd system_basic_hap_attr:process { signal }; +allow faultloggerd system_bin_file:dir { search }; +allow faultloggerd system_core_hap_attr:process { signal }; +allow faultloggerd sys_usb_param:file { map open read }; diff --git a/prebuilts/api/5.0/base/te/filesystem.te b/prebuilts/api/5.0/base/te/filesystem.te new file mode 100644 index 0000000000000000000000000000000000000000..4ec38091b8e9be2c7cd991aba187b67558505653 --- /dev/null +++ b/prebuilts/api/5.0/base/te/filesystem.te @@ -0,0 +1,47 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bootevent_param tmpfs:filesystem { associate }; +allow bootevent_samgr_param tmpfs:filesystem { associate }; +allow build_version_param tmpfs:filesystem { associate }; +allow const_allow_mock_param tmpfs:filesystem { associate }; +allow const_allow_param tmpfs:filesystem { associate }; +allow const_build_param tmpfs:filesystem { associate }; +allow const_display_brightness_param tmpfs:filesystem { associate }; +allow const_param tmpfs:filesystem { associate }; +allow const_postinstall_fstab_param tmpfs:filesystem { associate }; +allow const_postinstall_param tmpfs:filesystem { associate }; +allow const_product_param tmpfs:filesystem { associate }; +allow debug_param tmpfs:filesystem { associate }; +allow default_param tmpfs:filesystem { associate }; +allow dev_pts_file devpts:filesystem { associate }; +allow distributedsche_param tmpfs:filesystem { associate }; +allow hilog_param tmpfs:filesystem { associate }; +allow hook_param tmpfs:filesystem { associate }; +allow hw_sc_build_os_param tmpfs:filesystem { associate }; +allow hw_sc_build_param tmpfs:filesystem { associate }; +allow hw_sc_param tmpfs:filesystem { associate }; +allow init_param tmpfs:filesystem { associate }; +allow init_svc_param tmpfs:filesystem { associate }; +allow input_pointer_device_param tmpfs:filesystem { associate }; +allow net_param tmpfs:filesystem { associate }; +allow net_tcp_param tmpfs:filesystem { associate }; +allow ohos_boot_param tmpfs:filesystem { associate }; +allow ohos_param tmpfs:filesystem { associate }; +allow persist_param tmpfs:filesystem { associate }; +allow persist_sys_param tmpfs:filesystem { associate }; +allow security_param tmpfs:filesystem { associate }; +allow startup_param tmpfs:filesystem { associate }; +allow sys_param tmpfs:filesystem { associate }; +allow sys_usb_param tmpfs:filesystem { associate }; +allow hiviewdfx_profiler_param tmpfs:filesystem { associate }; diff --git a/prebuilts/api/5.0/base/te/foundation.te b/prebuilts/api/5.0/base/te/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..8653e9a2aec19859d58bacc1e1325ec3ba23124c --- /dev/null +++ b/prebuilts/api/5.0/base/te/foundation.te @@ -0,0 +1,131 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation bluetooth_service:binder { call transfer }; +allow foundation bootevent_param:file { map open read }; +allow foundation bootevent_samgr_param:file { map open read }; +allow foundation build_version_param:file { map open read }; +allow foundation configfs:dir { add_name create search }; +allow foundation const_allow_mock_param:file { map open read }; +allow foundation const_allow_param:file { map open read }; +allow foundation const_build_param:file { map open read }; +allow foundation const_display_brightness_param:file { map open read }; +allow foundation const_param:file { map open read }; +allow foundation const_postinstall_fstab_param:file { map open read }; +allow foundation const_postinstall_param:file { map open read }; +allow foundation const_product_param:file { map open read }; +allow foundation data_app_el1_file:file { open }; +allow foundation data_service_el1_file:dir { getattr rmdir setattr }; +allow foundation data_service_el1_file:file { ioctl lock map read append open setattr }; +allow foundation data_system_ce:dir { create open read remove_name }; +allow foundation data_system_ce:file { unlink }; +allow foundation debug_param:file { map open read }; +allow foundation default_param:file { map open read }; +allow foundation dev_dri_file:chr_file { getattr ioctl open read write }; +allow foundation dev_dri_file:dir { search }; +allow foundation deviceauth_service:binder { transfer }; +allow foundation dev_kmsg_file:chr_file { open write }; +allow foundation dev_mali:chr_file { getattr ioctl open }; +allow foundation dhardware:binder { call }; +allow foundation allocator_host:binder { call }; +allow foundation distributedfiledaemon:binder { call }; +allow foundation distributedsche_param:file { map open read }; +allow foundation foundation:capability { kill }; +allow foundation hdf_devmgr:binder { call transfer }; +allow foundation hdf_allocator_service:hdf_devmgr_class { get }; +allow foundation hidumper_service:fifo_file { write }; +allow foundation hilog_param:file { map open read }; +allow foundation hiview:binder { call }; +allow foundation hiview:unix_dgram_socket { sendto }; +allow foundation huks_service:binder { call transfer }; +allow foundation hw_sc_build_os_param:file { map open read }; +allow foundation hw_sc_build_param:file { map open read }; +allow foundation hw_sc_param:file { map open read }; +allow foundation init_param:file { map open read }; +allow foundation init_svc_param:file { map open read }; +allow foundation init:unix_stream_socket { connectto }; +allow foundation input_pointer_device_param:file { map open read }; +allow foundation installs:binder { call }; +allow foundation locationhub:binder { call }; +allow foundation multimodalinput:fd { use }; +allow foundation net_param:file { map open read }; +allow foundation net_tcp_param:file { map open read }; +allow foundation normal_hap_data_file_attr:file { read }; +allow foundation normal_hap_attr:fd { use }; +allow foundation normal_hap_attr:unix_stream_socket { read write }; +allow foundation nwebspawn_socket:sock_file { write }; +allow foundation ohos_boot_param:file { map open read }; +allow foundation ohos_param:file { map open read }; +allow foundation persist_param:file { map open read }; +allow foundation persist_param:parameter_service { set }; +allow foundation persist_sys_param:file { map open read }; +allow foundation power_host:binder { transfer }; +allow foundation powermgr:binder { call transfer }; +allow foundation proc_boot_id:file { open read }; +allow foundation sa_accountmgr:samgr_class { get }; +allow foundation sa_bgtaskmgr:samgr_class { get }; +allow foundation sa_bluetooth_server:samgr_class { get }; +allow foundation sa_dataobs_mgr_service_service:samgr_class { add }; +allow foundation sa_device_auth_service:samgr_class { get }; +allow foundation sa_device_profile_service:samgr_class { get }; +allow foundation sa_device_service_manager:samgr_class { get }; +allow foundation sa_dhardware_service:samgr_class { get }; +allow foundation sa_distributeddata_service:samgr_class { get }; +allow foundation sa_form_mgr_service:samgr_class { add }; +allow foundation sa_foundation_abilityms:samgr_class { add }; +allow foundation sa_foundation_ans:samgr_class { add }; +allow foundation sa_foundation_appms:samgr_class { add get }; +allow foundation sa_foundation_bms:samgr_class { add get }; +allow foundation sa_foundation_cesfwk_service:samgr_class { add get }; +allow foundation sa_foundation_devicemanager_service:samgr_class { add get }; +allow foundation sa_powermgr_displaymgr_service:samgr_class { add get}; +allow foundation sa_foundation_dms:samgr_class { get }; +allow foundation sa_huks_service:samgr_class { get }; +allow foundation sa_installd_service:samgr_class { get }; +allow foundation sa_msdp_devicestatus_service:samgr_class { get }; +allow foundation sa_multimodalinput_service:samgr_class { get }; +allow foundation sa_param_watcher:samgr_class { get }; +allow foundation sa_screenlock_service:samgr_class { add }; +allow foundation sa_softbus_service:samgr_class { get }; +allow foundation sa_subsys_ace_service:samgr_class { get }; +allow foundation sa_uri_permission_mgr_service:samgr_class { add get }; +allow foundation sa_privacy_service:samgr_class { get }; +allow foundation security_param:file { map open read }; +allow foundation sensors:binder { call }; +allow foundation softbus_server:binder { transfer }; +allow foundation startup_param:file { map open read }; +allow foundation startup_param:parameter_service { set }; +allow foundation storage_manager:binder { transfer }; +allow foundation sysfs_hctosys:file { open read }; +allow foundation sysfs_leds:dir { open read }; +allow foundation sysfs_rtc:dir { open read }; +allow foundation sys_param:file { map open read }; +allow foundation system_basic_hap_attr:process { sigkill }; +allow foundation system_bin_file:dir { search }; +allow foundation system_core_hap_attr:fd { use }; +allow foundation system_basic_hap_attr:fd { use }; +allow foundation system_core_hap_attr:process { signal }; +allow foundation system_etc_power_mode_config_file:file { getattr open read }; +allow foundation system_file:dir { getattr open read }; +allow foundation system_file:file { getattr map open read }; +allow foundation system_lib_file:dir { getattr }; +allow foundation sys_usb_param:file { map open read }; +allow foundation token_sync_service:binder { call }; +allow foundation ui_service:binder { transfer }; +allow foundation wallpaper_service:binder { call }; +allow foundation wifi_manager_service:binder { call }; +allow foundation allocator_host:fd { use }; +allow foundation useriam:binder { call transfer }; +allowxperm foundation data_service_el1_file:file ioctl { 0xf50c 0xf546 0xf547 }; +allowxperm foundation dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm foundation dev_mali:chr_file ioctl { 0x8000 0x8001 0x8003 0x8018 }; diff --git a/prebuilts/api/5.0/base/te/hidumper.te b/prebuilts/api/5.0/base/te/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..11d0986ec48a34587cd6c84e215c1c2c4b37e470 --- /dev/null +++ b/prebuilts/api/5.0/base/te/hidumper.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper data_log:file { write }; +allow hidumper dev_bbox:chr_file { read }; +allow hidumper distributedsche_param:file { map open read }; +allow hidumper faultloggerd:fifo_file { read }; +allow hidumper hiview:fd { use }; +allow hidumper hiview:fifo_file { read write }; +allow hidumper hiview_file:file { read write }; +allow hidumper hiview:unix_dgram_socket { read write }; diff --git a/prebuilts/api/5.0/base/te/hidumper_service.te b/prebuilts/api/5.0/base/te/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3a14212fad3ff9d69da12dbaef8bdb94874b1a76 --- /dev/null +++ b/prebuilts/api/5.0/base/te/hidumper_service.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service bootevent_param:file { map open read }; +allow hidumper_service bootevent_samgr_param:file { map open read }; +allow hidumper_service build_version_param:file { map open read }; +allow hidumper_service const_allow_mock_param:file { map open read }; +allow hidumper_service const_allow_param:file { map open read }; +allow hidumper_service const_build_param:file { map open read }; +allow hidumper_service const_display_brightness_param:file { map open read }; +allow hidumper_service const_param:file { map open read }; +allow hidumper_service const_postinstall_fstab_param:file { map open read }; +allow hidumper_service const_postinstall_param:file { map open read }; +allow hidumper_service const_product_param:file { map open read }; +allow hidumper_service debug_param:file { map open read }; +allow hidumper_service default_param:file { map open read }; +allow hidumper_service distributedsche_param:file { map open read }; +allow hidumper_service hidumper_file:dir { create rmdir }; +allow hidumper_service hidumper_service:capability { dac_read_search sys_ptrace }; +allow hidumper_service hilog_param:file { map open read }; +allow hidumper_service hiview:fd { use }; +allow hidumper_service hiview:fifo_file { write }; +allow hidumper_service hw_sc_build_os_param:file { map open read }; +allow hidumper_service hw_sc_build_param:file { map open read }; +allow hidumper_service hw_sc_param:file { map open read }; +allow hidumper_service init_param:file { map open read }; +allow hidumper_service init_svc_param:file { map open read }; +allow hidumper_service input_pointer_device_param:file { map open read }; +allow hidumper_service net_param:file { map open read }; +allow hidumper_service net_tcp_param:file { map open read }; +allow hidumper_service ohos_boot_param:file { map open read }; +allow hidumper_service ohos_param:file { map open read }; +allow hidumper_service param_watcher:binder { transfer }; +allow hidumper_service persist_param:file { map open read }; +allow hidumper_service persist_sys_param:file { map open read }; +allow hidumper_service sa_dfx_sys_hidumper_ability:samgr_class { add }; +allow hidumper_service sa_foundation_wms:samgr_class { get }; +allow hidumper_service sa_param_watcher:samgr_class { get }; +allow hidumper_service security_param:file { map open read }; +allow hidumper_service startup_param:file { map open read }; +allow hidumper_service sysfs_devices_system_cpu:dir { open read }; +allow hidumper_service sys_param:file { map open read }; +allow hidumper_service system_core_hap_attr:dir { search }; +allow hidumper_service system_core_hap_attr:file { open read }; +allow hidumper_service sys_usb_param:file { map open read }; +allow hidumper_service tracefs:dir { search }; +allow hidumper_service tracefs_trace_marker_file:file { open write }; +allow hidumper_service hiview_file:file { write }; diff --git a/prebuilts/api/5.0/base/te/hilogd.te b/prebuilts/api/5.0/base/te/hilogd.te new file mode 100644 index 0000000000000000000000000000000000000000..46846b4ed0acb2e889fe2c6536cee8df21269937 --- /dev/null +++ b/prebuilts/api/5.0/base/te/hilogd.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hilogd bootevent_param:file { map open read }; +allow hilogd bootevent_samgr_param:file { map open read }; +allow hilogd build_version_param:file { map open read }; +allow hilogd const_allow_mock_param:file { map open read }; +allow hilogd const_allow_param:file { map open read }; +allow hilogd const_build_param:file { map open read }; +allow hilogd const_display_brightness_param:file { map open read }; +allow hilogd const_param:file { map open read }; +allow hilogd const_postinstall_fstab_param:file { map open read }; +allow hilogd const_postinstall_param:file { map open read }; +allow hilogd const_product_param:file { map open read }; +allow hilogd debug_param:file { map open read }; +allow hilogd default_param:file { map open read }; +allow hilogd dev_unix_socket:dir { search }; +allow hilogd distributedsche_param:file { map open read }; +allow hilogd hilog_param:file { map open read }; +allow hilogd hilogd:unix_dgram_socket { getattr read getopt }; +allow hilogd hw_sc_build_os_param:file { map open read }; +allow hilogd hw_sc_build_param:file { map open read }; +allow hilogd hw_sc_param:file { map open read }; +allow hilogd init_param:file { map open read }; +allow hilogd init_svc_param:file { map open read }; +allow hilogd input_pointer_device_param:file { map open read }; +allow hilogd net_param:file { map open read }; +allow hilogd net_tcp_param:file { map open read }; +allow hilogd ohos_boot_param:file { map open read }; +allow hilogd ohos_param:file { map open read }; +allow hilogd persist_param:file { map open read }; +allow hilogd persist_sys_param:file { map open read }; +allow hilogd security_param:file { map open read }; +allow hilogd startup_param:file { map open read }; +allow hilogd sys_param:file { map open read }; +allow hilogd system_bin_file:dir { search }; +allow hilogd sys_usb_param:file { map open read }; +allow hilogd proc_kmsg_file:file { map open read }; +allow hilogd kernel:system { syslog_mod }; +allow hilogd hilogd:capability2 { syslog }; diff --git a/prebuilts/api/5.0/base/te/hiview.te b/prebuilts/api/5.0/base/te/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..a121ef94747d020a509fc64a0e98bb288893d263 --- /dev/null +++ b/prebuilts/api/5.0/base/te/hiview.te @@ -0,0 +1,88 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hiview accesstoken_service:binder { call }; +allow hiview bootevent_param:file { map open read }; +allow hiview bootevent_samgr_param:file { map open read }; +allow hiview build_version_param:file { map open read }; +allow hiview const_allow_mock_param:file { map open read }; +allow hiview const_allow_param:file { map open read }; +allow hiview const_build_param:file { map open read }; +allow hiview const_display_brightness_param:file { map open read }; +allow hiview const_param:file { map open read }; +allow hiview const_postinstall_fstab_param:file { map open read }; +allow hiview const_postinstall_param:file { map open read }; +allow hiview const_product_param:file { map open read }; +allow hiview data_file:dir { read write add_name create }; +allow hiview data_log:dir { setattr }; +allow hiview data_system:dir { add_name create setattr write }; +allow hiview debug_param:file { map open read }; +allow hiview default_param:file { map open read }; +allow hiview dev_at_file:chr_file { ioctl }; +allow hiview dev_kmsg_file:chr_file { open write }; +allow hiview distributedsche_param:file { map open read }; +allow hiview faultloggerd:fifo_file { read }; +allow hiview faultloggerd_temp_file:dir { open read remove_name search watch write }; +allow hiview faultloggerd_temp_file:file { getattr open read unlink }; +allow hiview foundation:dir { search }; +allow hiview foundation:file { open read }; +allow hiview hidumper_exec:file { execute execute_no_trans getattr map read open }; +allow hiview hidumper_service:binder { call transfer }; +allow hiview hilog_param:file { map open read }; +allow hiview hiview:unix_dgram_socket { read }; +allow hiview hiview_file:dir { create }; +allow hiview hiview_file:file { create }; +allow hiview hw_sc_build_os_param:file { map open read }; +allow hiview hw_sc_build_param:file { map open read }; +allow hiview hw_sc_param:file { map open read }; +allow hiview init_param:file { map open read }; +allow hiview init_svc_param:file { map open read }; +allow hiview input_pointer_device_param:file { map open read }; +allow hiview net_param:file { map open read }; +allow hiview net_tcp_param:file { map open read }; +allow hiview ohos_boot_param:file { map open read }; +allow hiview ohos_param:file { map open read }; +allow hiview persist_param:file { map open read }; +allow hiview persist_sys_param:file { map open read }; +allow hiview powermgr:dir { search }; +allow hiview powermgr:file { open read }; +allow hiview proc_file:file { open read }; +allow hiview sa_accesstoken_manager_service:samgr_class { get }; +allow hiview sa_accountmgr:samgr_class { get }; +allow hiview sa_device_usage_statistics_service:samgr_class { get }; +allow hiview sa_dfx_sys_hidumper_ability:samgr_class { get }; +allow hiview sa_foundation_bms:samgr_class { get }; +allow hiview sa_param_watcher:samgr_class { get }; +allow hiview sa_time_service:samgr_class { get }; +allow hiview security_param:file { map open read }; +allow hiview startup_param:file { map open read }; +allow hiview sysfs_hctosys:file { open read }; +allow hiview sysfs_rtc:dir { open read }; +allow hiview sys_param:file { map open read }; +allow hiview system_basic_hap_attr:dir { search }; +allow hiview system_basic_hap_attr:file { open read }; +allow hiview system_core_hap_attr:dir { search }; +allow hiview system_core_hap_attr:file { open read getattr }; +allow hiview sys_usb_param:file { map open read }; +allow hiview tmpfs:dir { add_name create setattr write }; +allow hiview tty_device:chr_file { open read write }; + +allow sadomain hiview:unix_dgram_socket { sendto }; +allowxperm hiview dev_at_file:chr_file ioctl { 0x4103 }; + +# hiview param +allow hiviewdfx_hiview_param tmpfs:filesystem associate; +allow init hiviewdfx_hiview_param:file { map open read relabelto relabelfrom }; +allow hiview hiviewdfx_hiview_param:parameter_service { set }; +allow hiview hiviewdfx_hiview_param:file { map open read }; +allow hiview paramservice_socket:sock_file { read write }; diff --git a/prebuilts/api/5.0/base/te/huks_service.te b/prebuilts/api/5.0/base/te/huks_service.te new file mode 100644 index 0000000000000000000000000000000000000000..8dc358029e857f2f9945d533b428dab04d342d16 --- /dev/null +++ b/prebuilts/api/5.0/base/te/huks_service.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow huks_service bootevent_param:file { map open read }; +allow huks_service bootevent_samgr_param:file { map open read }; +allow huks_service build_version_param:file { map open read }; +allow huks_service const_allow_mock_param:file { map open read }; +allow huks_service const_allow_param:file { map open read }; +allow huks_service const_build_param:file { map open read }; +allow huks_service const_display_brightness_param:file { map open read }; +allow huks_service const_param:file { map open read }; +allow huks_service const_postinstall_fstab_param:file { map open read }; +allow huks_service const_postinstall_param:file { map open read }; +allow huks_service const_product_param:file { map open read }; +allow huks_service debug_param:file { map open read }; +allow huks_service default_param:file { map open read }; +allow huks_service distributedsche_param:file { map open read }; +allow huks_service hilog_param:file { map open read }; +allow huks_service hw_sc_build_os_param:file { map open read }; +allow huks_service hw_sc_build_param:file { map open read }; +allow huks_service hw_sc_param:file { map open read }; +allow huks_service init_param:file { map open read }; +allow huks_service init_svc_param:file { map open read }; +allow huks_service input_pointer_device_param:file { map open read }; +allow huks_service net_param:file { map open read }; +allow huks_service net_tcp_param:file { map open read }; +allow huks_service ohos_boot_param:file { map open read }; +allow huks_service ohos_param:file { map open read }; +allow huks_service param_watcher:binder { call transfer }; +allow huks_service persist_param:file { map open read }; +allow huks_service persist_sys_param:file { map open read }; +allow huks_service sa_accesstoken_manager_service:samgr_class { get }; +allow huks_service sa_param_watcher:samgr_class { get }; +allow huks_service security_param:file { map open read }; +allow huks_service startup_param:file { map open read }; +allow huks_service sys_param:file { map open read }; +allow huks_service sys_usb_param:file { map open read }; +allow huks_service tracefs:dir { search }; +allow huks_service huks_service:unix_dgram_socket { getopt setopt }; +allow huks_service tracefs_trace_marker_file:file { open write }; +allow huks_service accountmgr:binder { call }; +allow huks_service sa_accountmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/base/te/inputmethod_service.te b/prebuilts/api/5.0/base/te/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d8b7f8bcfedcc98638a581e7c3e3b596b866a540 --- /dev/null +++ b/prebuilts/api/5.0/base/te/inputmethod_service.te @@ -0,0 +1,66 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow inputmethod_service bootevent_param:file { map open read }; +allow inputmethod_service bootevent_samgr_param:file { map read open }; +allow inputmethod_service build_version_param:file { map open read }; +allow inputmethod_service const_allow_mock_param:file { map open read }; +allow inputmethod_service const_allow_param:file { map open read }; +allow inputmethod_service const_build_param:file { map open read }; +allow inputmethod_service const_display_brightness_param:file { map open read }; +allow inputmethod_service const_param:file { map open read }; +allow inputmethod_service const_postinstall_fstab_param:file { map open read }; +allow inputmethod_service const_postinstall_param:file { map open read }; +allow inputmethod_service const_product_param:file { map open read }; +allow inputmethod_service debug_param:file { map open read }; +allow inputmethod_service default_param:file { map open read }; +allow inputmethod_service distributedsche_param:file { map open read }; +allow inputmethod_service foundation:binder { call transfer }; +allow inputmethod_service hilog_param:file { map open read }; +allow inputmethod_service hw_sc_build_os_param:file { map open read }; +allow inputmethod_service hw_sc_build_param:file { map open read }; +allow inputmethod_service hw_sc_param:file { map open read }; +allow inputmethod_service init_param:file { map open read }; +allow inputmethod_service init_svc_param:file { map open read }; +allow inputmethod_service input_pointer_device_param:file { map open read }; +allow inputmethod_service net_param:file { map open read }; +allow inputmethod_service net_tcp_param:file { map open read }; +allow inputmethod_service ohos_boot_param:file { map open read }; +allow inputmethod_service ohos_param:file { map open read }; +allow inputmethod_service param_watcher:binder { call transfer }; +allow inputmethod_service persist_param:file { map open read }; +allow inputmethod_service persist_sys_param:file { map open read }; +allow inputmethod_service sa_foundation_abilityms:samgr_class { get }; +allow inputmethod_service sa_foundation_cesfwk_service:samgr_class { get }; +allow inputmethod_service sa_inputmethod_service:samgr_class { add }; +allow inputmethod_service sa_param_watcher:samgr_class { get }; +allow inputmethod_service security_param:file { map open read }; +allow inputmethod_service startup_param:file { map open read }; +allow inputmethod_service sys_param:file { map open read }; +allow inputmethod_service system_bin_file:dir { search }; +allow inputmethod_service system_usr_file:dir { search }; +allow inputmethod_service system_usr_file:file { getattr map open read }; +allow inputmethod_service sys_usb_param:file { map open read }; +allow inputmethod_service tracefs:dir { search }; +allow inputmethod_service tracefs_trace_marker_file:file { open write }; +allow inputmethod_service ui_service:binder { call transfer }; +# avc: denied { call } for pid=492 comm="MmiClientRecvEv" scontext=u:r:inputmethod_service:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +# avc: denied { use } for pid=248 comm="IPC_0_279" path="socket:[27945]" dev="sockfs" ino=27945 scontext=u:r:inputmethod_service:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1 +# avc: denied { read write } for pid=248 comm="IPC_0_279" path="socket:[27945]" dev="sockfs" ino=27945 scontext=u:r:inputmethod_service:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +# avc: denied { read } for pid=1643 comm="MmiClientRecvEv" scontext=u:r:inputmethod_service:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +# avc: denied { get } for service=3101 pid=1945 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=0 +allow inputmethod_service multimodalinput:binder { call }; +allow inputmethod_service multimodalinput:fd { use }; +allow inputmethod_service multimodalinput:unix_stream_socket { read write }; +allow inputmethod_service sa_multimodalinput_service:samgr_class { get }; + diff --git a/prebuilts/api/5.0/base/te/installs.te b/prebuilts/api/5.0/base/te/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..b2ac269140b61fed79ec3ba409e547a2422b196f --- /dev/null +++ b/prebuilts/api/5.0/base/te/installs.te @@ -0,0 +1,76 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow installs bootevent_param:file { map open read }; +allow installs bootevent_samgr_param:file { map open read }; +allow installs build_version_param:file { map open read }; +allow installs const_allow_mock_param:file { map open read }; +allow installs const_allow_param:file { map open read }; +allow installs const_build_param:file { map open read }; +allow installs const_display_brightness_param:file { map open read }; +allow installs const_param:file { map open read }; +allow installs const_postinstall_fstab_param:file { map open read }; +allow installs const_postinstall_param:file { map open read }; +allow installs const_product_param:file { map open read }; +allow installs data_app_el1_file:dir { add_name create getattr open read relabelfrom rename search setattr write }; +allow installs data_app_el1_file:file { create ioctl setattr write open }; +allow installs data_app_el2_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow installs data_app_el3_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow installs data_app_el4_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow installs data_app_el5_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow installs data_app_file:dir { search }; +allow installs data_file:dir { add_name create getattr open read search setattr write }; +allow installs data_service_el1_file:dir { add_name create getattr open read remove_name search setattr write }; +allow installs data_service_el1_file:file { getattr open read rename }; +allow installs data_service_el2_file:dir { add_name create open read search setattr write }; +allow installs data_service_el2_hmdfs:dir { add_name create open read search setattr write }; +allow installs data_service_el3_file:dir { add_name create open read search setattr write }; +allow installs data_service_el4_file:dir { add_name create open read search setattr write }; +allow installs data_service_el5_file:dir { add_name create open read search setattr write }; +allow installs data_service_file:dir { search }; +allow installs debug_param:file { map open read }; +allow installs default_param:file { map open read }; +allow installs dev_unix_socket:dir { search }; +allow installs dev_unix_socket:sock_file { write }; +allow installs distributedsche_param:file { map open read }; +allow installs faultloggerd_temp_file:file { read write }; +allow installs hilog_param:file { map open read }; +allow installs hw_sc_build_os_param:file { map open read }; +allow installs hw_sc_build_param:file { map open read }; +allow installs hw_sc_param:file { map open read }; +allow installs init_param:file { map open read }; +allow installs init_svc_param:file { map open read }; +allow installs input_pointer_device_param:file { map open read }; +allow installs installs:capability { chown dac_override fowner }; +allow installs net_param:file { map open read }; +allow installs net_tcp_param:file { map open read }; +allow installs normal_hap_data_file_attr:dir { open read relabelto search }; +allow installs normal_hap_data_file_attr:file { unlink }; +allow installs ohos_boot_param:file { map open read }; +allow installs ohos_param:file { map open read }; +allow installs persist_param:file { map open read }; +allow installs persist_sys_param:file { map open read }; +allow installs sa_installd_service:samgr_class { add }; +allow installs security_param:file { map open read }; +allow installs security:security { check_context }; +allow installs selinuxfs:dir { search }; +allow installs selinuxfs:file { open read write }; +allow installs startup_param:file { map open read }; +allow installs sys_param:file { map open read }; +allow installs system_basic_hap_data_file_attr:dir { getattr open read relabelto remove_name rmdir search write }; +allow installs system_bin_file:dir { search }; +allow installs system_core_hap_data_file_attr:dir { getattr open read relabelto search }; +allow installs system_file:file { getattr open read }; +allow installs sys_usb_param:file { map open read }; +allowxperm installs data_app_el1_file:file ioctl { 0x5413 }; +allow installs data_service_el2_file:file { unlink }; diff --git a/prebuilts/api/5.0/base/te/ispserver.te b/prebuilts/api/5.0/base/te/ispserver.te new file mode 100644 index 0000000000000000000000000000000000000000..015bc8fac4a27c00819520443fed99497da1f5d3 --- /dev/null +++ b/prebuilts/api/5.0/base/te/ispserver.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ispserver bootevent_param:file { map open read }; +allow ispserver bootevent_samgr_param:file { map open read }; +allow ispserver build_version_param:file { map open read }; +allow ispserver const_allow_mock_param:file { map open read }; +allow ispserver const_allow_param:file { map open read }; +allow ispserver const_build_param:file { map open read }; +allow ispserver const_display_brightness_param:file { map open read }; +allow ispserver const_param:file { map open read }; +allow ispserver const_postinstall_fstab_param:file { map open read }; +allow ispserver const_postinstall_param:file { map open read }; +allow ispserver const_product_param:file { map open read }; +allow ispserver debug_param:file { map open read }; +allow ispserver default_param:file { map open read }; +allow ispserver dev_media_file:chr_file { ioctl open read read write write }; +allow ispserver dev_unix_socket:dir { search }; +allow ispserver dev_v_file:chr_file { getattr ioctl open read write }; +allow ispserver dev_video_file:chr_file { getattr ioctl map open read write }; +allow ispserver distributedsche_param:file { map open read }; +allow ispserver hilog_param:file { map open read }; +allow ispserver hw_sc_build_os_param:file { map open read }; +allow ispserver hw_sc_build_param:file { map open read }; +allow ispserver hw_sc_param:file { map open read }; +allow ispserver init_param:file { map open read }; +allow ispserver init_svc_param:file { map open read }; +allow ispserver input_pointer_device_param:file { map open read }; +allow ispserver net_param:file { map open read }; +allow ispserver net_tcp_param:file { map open read }; +allow ispserver ohos_boot_param:file { map open read }; +allow ispserver ohos_param:file { map open read }; +allow ispserver persist_param:file { map open read }; +allow ispserver persist_sys_param:file { map open read }; +allow ispserver security_param:file { map open read }; +allow ispserver startup_param:file { map open read }; +allow ispserver sys_param:file { map open read }; +allow ispserver system_bin_file:dir { search }; +allow ispserver sys_usb_param:file { map open read }; +allow ispserver vendor_bin_file:file { entrypoint execute map read }; +allow ispserver vendor_etc_file:dir { search }; +allow ispserver vendor_etc_file:file { getattr open read }; +allowxperm ispserver dev_media_file:chr_file ioctl { 0x7c00 0x7c01 0x7c02 0x7c03 }; +allowxperm ispserver dev_v_file:chr_file ioctl { 0x5604 0x5605 0x5615 0x561c 0x5624 0x563d 0x563e 0x5659 0x565a 0x565b 0x56c0 0x56c5 0x56c8 0x56c9 0x56d4 0x56d6 0x564b 0x56c3 }; +allowxperm ispserver dev_video_file:chr_file ioctl { 0x5600 0x5604 0x5605 0x5608 0x5609 0x560f 0x5610 0x5611 0x5612 0x5613 0x5659 0x565a 0x5611 0x565b }; diff --git a/prebuilts/api/5.0/base/te/kernel.te b/prebuilts/api/5.0/base/te/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..82ce1b31d9511781da4edbe087418a912658f10c --- /dev/null +++ b/prebuilts/api/5.0/base/te/kernel.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow kernel data_file:dir { add_name write create search setattr }; +allow kernel data_log:dir { add_name create search setattr write }; +allow kernel data_log:file { append create read write open setattr }; +allow kernel dev_bbox:chr_file { open write }; +allow kernel device:chr_file { create getattr setattr unlink }; +allow kernel device:dir { add_name remove_name rmdir search write }; +allow kernel init:process { dyntransition }; +allow kernel kernel:capability { mknod }; +allow kernel kernel:process { setcurrent }; +allow kernel pstorefs:dir { open read remove_name search write }; +allow kernel pstorefs:file { open read unlink }; +allow kernel softbus_server:tcp_socket { read write }; +allow kernel sys_file:dir { open read }; +allow kernel tmpfs:chr_file { write }; diff --git a/prebuilts/api/5.0/base/te/locationhub.te b/prebuilts/api/5.0/base/te/locationhub.te new file mode 100644 index 0000000000000000000000000000000000000000..9c7e23cf032688573ed66e133f3f964afab305fd --- /dev/null +++ b/prebuilts/api/5.0/base/te/locationhub.te @@ -0,0 +1,75 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow locationhub accesstoken_service:binder { call }; +allow locationhub accountmgr:binder { call }; +allow locationhub bootevent_param:file { map open read }; +allow locationhub bootevent_samgr_param:file { map open read }; +allow locationhub build_version_param:file { map open read }; +allow locationhub const_allow_mock_param:file { map open read }; +allow locationhub const_allow_param:file { map open read }; +allow locationhub const_build_param:file { map open read }; +allow locationhub const_display_brightness_param:file { map open read }; +allow locationhub const_param:file { map open read }; +allow locationhub const_postinstall_fstab_param:file { map open read }; +allow locationhub const_postinstall_param:file { map open read }; +allow locationhub const_product_param:file { map open read }; +allow locationhub data_file:dir { add_name search write }; +allow locationhub data_file:file { create getattr ioctl open read write open }; +allow locationhub debug_param:file { map open read }; +allow locationhub default_param:file { map open read }; +allow locationhub dev_at_file:chr_file { ioctl }; +allow locationhub dev_unix_socket:dir { search }; +allow locationhub distributedsche_param:file { map open read }; +allow locationhub foundation:binder { call transfer }; +allow locationhub hdf_agnss_interface_service:hdf_devmgr_class { get }; +allow locationhub hdf_devmgr:binder { call }; +allow locationhub hdf_gnss_interface_service:hdf_devmgr_class { get }; +allow locationhub hilog_param:file { map open read }; +allow locationhub hw_sc_build_os_param:file { map open read }; +allow locationhub hw_sc_build_param:file { map open read }; +allow locationhub hw_sc_param:file { map open read }; +allow locationhub init_param:file { map open read }; +allow locationhub init_svc_param:file { map open read }; +allow locationhub input_pointer_device_param:file { map open read }; +allow locationhub location_host:binder { call transfer }; +allow locationhub locationhub:unix_dgram_socket { getopt setopt }; +allow locationhub net_param:file { map open read }; +allow locationhub net_tcp_param:file { map open read }; +allow locationhub ohos_boot_param:file { map open read }; +allow locationhub ohos_param:file { map open read }; +allow locationhub param_watcher:binder { call transfer }; +allow locationhub persist_param:file { map open read }; +allow locationhub persist_sys_param:file { map open read }; +allow locationhub sa_accesstoken_manager_service:samgr_class { get }; +allow locationhub sa_accountmgr:samgr_class { get }; +allow locationhub sa_device_service_manager:samgr_class { get }; +allow locationhub sa_foundation_cesfwk_service:samgr_class { get }; +allow locationhub sa_location_geo_convert_service:samgr_class { add }; +allow locationhub sa_locationhub_lbsservice_gnss:samgr_class { add get }; +allow locationhub sa_locationhub_lbsservice_network:samgr_class { add get }; +allow locationhub sa_locationhub_lbsservice_passive:samgr_class { add get }; +allow locationhub sa_location_locator_service:samgr_class { add }; +allow locationhub sa_param_watcher:samgr_class { get }; +allow locationhub security_param:file { map open read }; +allow locationhub startup_param:file { map open read }; +allow locationhub sys_param:file { map open read }; +allow locationhub system_basic_hap_attr:binder { call }; +allow locationhub system_bin_file:dir { search }; +allow locationhub system_usr_file:dir { search }; +allow locationhub system_usr_file:file { getattr map open read }; +allow locationhub sys_usb_param:file { map open read }; +allow locationhub tracefs:dir { search }; +allow locationhub tracefs_trace_marker_file:file { open write }; +allowxperm locationhub data_file:file ioctl { 0x5413 }; +allowxperm locationhub dev_at_file:chr_file ioctl { 0x4103 }; diff --git a/prebuilts/api/5.0/base/te/media_service.te b/prebuilts/api/5.0/base/te/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..5920de1a090714decc9b73067f3b878b4a731e42 --- /dev/null +++ b/prebuilts/api/5.0/base/te/media_service.te @@ -0,0 +1,92 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service accesstoken_service:binder { call }; +allow media_service bootanimation:binder { call transfer }; +allow media_service bootevent_param:file { map open read }; +allow media_service bootevent_samgr_param:file { map open read }; +allow media_service build_version_param:file { map open read }; +allow media_service const_allow_mock_param:file { map open read }; +allow media_service const_allow_param:file { map open read }; +allow media_service const_build_param:file { map open read }; +allow media_service const_display_brightness_param:file { map open read }; +allow media_service const_param:file { map open read }; +allow media_service const_postinstall_fstab_param:file { map open read }; +allow media_service const_postinstall_param:file { map open read }; +allow media_service const_product_param:file { map open read }; +allow media_service data_app_el1_file:file { getattr }; +allow media_service data_data_file:dir { search }; +allow media_service data_file:dir { search }; +allow media_service data_media:dir { search }; +allow media_service data_service_el2_hmdfs:file { getattr read write }; +allow media_service debug_param:file { map open read }; +allow media_service default_param:file { map open read }; +allow media_service dev_ashmem_file:chr_file { open }; +allow media_service dev_dri_file:chr_file { getattr ioctl open read write }; +allow media_service dev_dri_file:dir { search }; +allow media_service dev_unix_socket:dir { search }; +allow media_service dhardware:binder { call transfer }; +allow media_service allocator_host:binder { call }; +allow media_service allocator_host:fd { use }; +allow media_service distributedsche_param:file { map open read }; +allow media_service dscreen:binder { call transfer }; +allow media_service hdf_devmgr:binder { call }; +allow media_service hdf_allocator_service:hdf_devmgr_class { get }; +allow media_service hilog_param:file { map open read }; +allow media_service hmdfs:file { getattr read read write }; +allow media_service hw_sc_build_os_param:file { map open read }; +allow media_service hw_sc_build_param:file { map open read }; +allow media_service hw_sc_param:file { map open read }; +allow media_service init_param:file { map open read }; +allow media_service init_svc_param:file { map open read }; +allow media_service init:unix_stream_socket { connectto }; +allow media_service input_pointer_device_param:file { map open read }; +allow media_service media_service:unix_dgram_socket { getopt setopt }; +allow media_service native_socket:sock_file { write }; +allow media_service net_param:file { map open read }; +allow media_service net_tcp_param:file { map open read }; +allow media_service normal_hap_attr:binder { call transfer }; +allow media_service ohos_boot_param:file { map open read }; +allow media_service ohos_param:file { map open read }; +allow media_service audio_server:unix_stream_socket { connectto }; +allow media_service param_watcher:binder { call transfer }; +allow media_service persist_param:file { map open read }; +allow media_service persist_sys_param:file { map open read }; +allow media_service proc_file:file { open read }; +allow media_service render_service:binder { call }; +allow media_service sa_accesstoken_manager_service:samgr_class { get }; +allow media_service sa_device_service_manager:samgr_class { get }; +allow media_service sa_media_service:samgr_class { add }; +allow media_service sa_param_watcher:samgr_class { get }; +allow media_service security_param:file { map open read }; +allow media_service startup_param:file { map open read }; +allow media_service sys_param:file { map open read }; +allow media_service system_basic_hap_attr:binder { call transfer }; +allow media_service system_bin_file:dir { search }; +allow media_service system_core_hap_attr:binder { call transfer }; +allow media_service system_core_hap_attr:fd { use }; +allow media_service system_lib_file:dir { open read }; +allow media_service sys_usb_param:file { map open read }; +allow media_service tracefs:dir { search }; +allow media_service tracefs_trace_marker_file:file { open write }; +allowxperm media_service dev_dri_file:chr_file ioctl { 0x641f }; +allow media_service sys_prod_file:dir { search }; +allow media_service chip_prod_file:dir { search }; +allow media_service vendor_etc_file:dir { search }; +allow media_service sys_prod_file:file { map open read getattr }; +allow media_service chip_prod_file:file { map open read getattr }; +allow media_service vendor_etc_file:file { map open read getattr }; +allow media_service system_file:file { map open read getattr }; +allow media_service data_app_el1_file:file { map open read getattr }; +allow media_service sa_memory_manager_service:samgr_class { get }; +allow media_service memmgrservice:binder { call transfer }; diff --git a/prebuilts/api/5.0/base/te/memmgrservice.te b/prebuilts/api/5.0/base/te/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..a968d5495c77ced867a0f44dab249d606b30f909 --- /dev/null +++ b/prebuilts/api/5.0/base/te/memmgrservice.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice bootevent_param:file { map open read }; +allow memmgrservice bootevent_samgr_param:file { map open read }; +allow memmgrservice build_version_param:file { map open read }; +allow memmgrservice const_allow_mock_param:file { map open read }; +allow memmgrservice const_allow_param:file { map open read }; +allow memmgrservice const_build_param:file { map open read }; +allow memmgrservice const_display_brightness_param:file { map open read }; +allow memmgrservice const_param:file { map open read }; +allow memmgrservice const_postinstall_fstab_param:file { map open read }; +allow memmgrservice const_postinstall_param:file { map open read }; +allow memmgrservice const_product_param:file { map open read }; +allow memmgrservice debug_param:file { map open read }; +allow memmgrservice default_param:file { map open read }; +allow memmgrservice distributedsche_param:file { map open read }; +allow memmgrservice hilog_param:file { map open read }; +allow memmgrservice hw_sc_build_os_param:file { map open read }; +allow memmgrservice hw_sc_build_param:file { map open read }; +allow memmgrservice hw_sc_param:file { map open read }; +allow memmgrservice init_param:file { map open read }; +allow memmgrservice init_svc_param:file { map open read }; +allow memmgrservice input_pointer_device_param:file { map open read }; +allow memmgrservice memmgrservice:capability { sys_ptrace }; +allow memmgrservice net_param:file { map open read }; +allow memmgrservice net_tcp_param:file { map open read }; +allow memmgrservice ohos_boot_param:file { map open read }; +allow memmgrservice ohos_param:file { map open read }; +allow memmgrservice param_watcher:binder { call transfer }; +allow memmgrservice persist_param:file { map open read }; +allow memmgrservice persist_param:parameter_service { set }; +allow memmgrservice persist_sys_param:file { map open read }; +allow memmgrservice proc_file:file { read }; +allow memmgrservice sa_bgtaskmgr:samgr_class { get }; +allow memmgrservice sa_memory_manager_service:samgr_class { add }; +allow memmgrservice sa_param_watcher:samgr_class { get }; +allow memmgrservice security_param:file { map open read }; +allow memmgrservice startup_param:file { map open read }; +allow memmgrservice sys_param:file { map open read }; +allow memmgrservice system_bin_file:dir { search }; +allow memmgrservice sys_usb_param:file { map open read }; +allow memmgrservice tracefs:dir { search }; +allow memmgrservice tracefs_trace_marker_file:file { open write }; +allow memmgrservice media_service:binder { call }; +allow memmgrservice render_service:binder { call }; +allow memmgrservice sa_resource_schedule:samgr_class { get }; +allow memmgrservice resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/base/te/misc.te b/prebuilts/api/5.0/base/te/misc.te new file mode 100644 index 0000000000000000000000000000000000000000..1196f50c1557e8ec84549ef8a46e22e1cde19a5b --- /dev/null +++ b/prebuilts/api/5.0/base/te/misc.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow misc bootevent_param:file { map open read }; +allow misc bootevent_samgr_param:file { map open read }; +allow misc build_version_param:file { map open read }; +allow misc const_allow_mock_param:file { map open read }; +allow misc const_allow_param:file { map open read }; +allow misc const_build_param:file { map open read }; +allow misc const_display_brightness_param:file { map open read }; +allow misc const_param:file { map open read }; +allow misc const_postinstall_fstab_param:file { map open read }; +allow misc const_postinstall_param:file { map open read }; +allow misc const_product_param:file { map open read }; +allow misc debug_param:file { map open read }; +allow misc default_param:file { map open read }; +allow misc dev_block_file:blk_file { open read write }; +allow misc dev_block_file:dir { search }; +allow misc dev_block_file:lnk_file { read }; +allow misc dev_block_volfile:dir { search }; +allow misc dev_unix_socket:dir { search }; +allow misc distributedsche_param:file { map open read }; +allow misc hilog_param:file { map open read }; +allow misc hw_sc_build_os_param:file { map open read }; +allow misc hw_sc_build_param:file { map open read }; +allow misc hw_sc_param:file { map open read }; +allow misc init_param:file { map open read }; +allow misc init_svc_param:file { map open read }; +allow misc input_pointer_device_param:file { map open read }; +allow misc net_param:file { map open read }; +allow misc net_tcp_param:file { map open read }; +allow misc ohos_boot_param:file { map open read }; +allow misc ohos_param:file { map open read }; +allow misc persist_param:file { map open read }; +allow misc persist_sys_param:file { map open read }; +allow misc proc_cmdline_file:file { open read }; +allow misc security_param:file { map open read }; +allow misc startup_param:file { map open read }; +allow misc sys_param:file { map open read }; +allow misc system_bin_file:dir { search }; +allow misc system_bin_file:file { entrypoint execute map read }; +allow misc sys_usb_param:file { map open read }; +allow misc vendor_etc_file:dir { search }; +allow misc vendor_etc_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/base/te/mmi_uinput_service.te b/prebuilts/api/5.0/base/te/mmi_uinput_service.te new file mode 100644 index 0000000000000000000000000000000000000000..202d04f972f61cdad18ea532ea0603e53cf7f56d --- /dev/null +++ b/prebuilts/api/5.0/base/te/mmi_uinput_service.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow mmi_uinput_service accessibility_param:file { map open read }; +allow mmi_uinput_service bootevent_param:file { map open read }; +allow mmi_uinput_service bootevent_samgr_param:file { map open read }; +allow mmi_uinput_service build_version_param:file { map open read }; +allow mmi_uinput_service const_allow_mock_param:file { map open read }; +allow mmi_uinput_service const_allow_param:file { map open read }; +allow mmi_uinput_service const_build_param:file { map open read }; +allow mmi_uinput_service const_display_brightness_param:file { map open read }; +allow mmi_uinput_service const_param:file { map open read }; +allow mmi_uinput_service const_postinstall_fstab_param:file { map open read }; +allow mmi_uinput_service const_postinstall_param:file { map open read }; +allow mmi_uinput_service const_product_param:file { map open read }; +allow mmi_uinput_service debug_param:file { map open read }; +allow mmi_uinput_service default_param:file { map open read }; +allow mmi_uinput_service dev_hdf_input:chr_file { getattr ioctl open read write }; +allow mmi_uinput_service dev_uinput:chr_file { ioctl open write }; +allow mmi_uinput_service dev_unix_socket:dir { search }; +allow mmi_uinput_service distributedsche_param:file { map open read }; +allow mmi_uinput_service hdf_devmgr:binder { call }; +allow mmi_uinput_service hdf_input_interfaces_service:hdf_devmgr_class { get }; +allow mmi_uinput_service hilog_param:file { map open read }; +allow mmi_uinput_service hw_sc_build_os_param:file { map open read }; +allow mmi_uinput_service hw_sc_build_param:file { map open read }; +allow mmi_uinput_service hw_sc_param:file { map open read }; +allow mmi_uinput_service init_param:file { map open read }; +allow mmi_uinput_service init_svc_param:file { map open read }; +allow mmi_uinput_service input_pointer_device_param:file { map open read }; +allow mmi_uinput_service input_user_host:binder { call transfer }; +allow mmi_uinput_service net_param:file { map open read }; +allow mmi_uinput_service net_tcp_param:file { map open read }; +allow mmi_uinput_service ohos_boot_param:file { map open read }; +allow mmi_uinput_service ohos_param:file { map open read }; +allow mmi_uinput_service persist_param:file { map open read }; +allow mmi_uinput_service persist_sys_param:file { map open read }; +allow mmi_uinput_service sa_device_service_manager:samgr_class { get }; +allow mmi_uinput_service security_param:file { map open read }; +allow mmi_uinput_service startup_param:file { map open read }; +allow mmi_uinput_service sys_param:file { map open read }; +allow mmi_uinput_service system_bin_file:dir { search }; +allow mmi_uinput_service sys_usb_param:file { map open read }; +allow mmi_uinput_service uinput_inject_exec:file { entrypoint execute map read }; +allow mmi_uinput_service sysfs_devices_system_cpu:file { open read getattr }; +allowxperm mmi_uinput_service dev_hdf_input:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm mmi_uinput_service dev_uinput:chr_file ioctl { 0x5501 0x5564 0x5565 0x5567 0x556e }; diff --git a/prebuilts/api/5.0/base/te/msdp_sa.te b/prebuilts/api/5.0/base/te/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..e86c6de108f6ec9f38482e0d2ee0d6b58c4f996e --- /dev/null +++ b/prebuilts/api/5.0/base/te/msdp_sa.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow msdp_sa bootevent_param:file { map open read }; +allow msdp_sa bootevent_samgr_param:file { map open read }; +allow msdp_sa build_version_param:file { map open read }; +allow msdp_sa const_allow_mock_param:file { map open read }; +allow msdp_sa const_allow_param:file { map open read }; +allow msdp_sa const_build_param:file { map open read }; +allow msdp_sa const_display_brightness_param:file { map open read }; +allow msdp_sa const_param:file { map open read }; +allow msdp_sa const_postinstall_fstab_param:file { map open read }; +allow msdp_sa const_postinstall_param:file { map open read }; +allow msdp_sa const_product_param:file { map open read }; +allow msdp_sa debug_param:file { map open read }; +allow msdp_sa default_param:file { map open read }; +allow msdp_sa distributedsche_param:file { map open read }; +allow msdp_sa foundation:binder { call }; +allow msdp_sa hilog_param:file { map open read }; +allow msdp_sa hw_sc_build_os_param:file { map open read }; +allow msdp_sa hw_sc_build_param:file { map open read }; +allow msdp_sa hw_sc_param:file { map open read }; +allow msdp_sa init_param:file { map open read }; +allow msdp_sa init_svc_param:file { map open read }; +allow msdp_sa input_pointer_device_param:file { map open read }; +allow msdp_sa msdp_sa:unix_dgram_socket { getopt setopt }; +allow msdp_sa net_param:file { map open read }; +allow msdp_sa net_tcp_param:file { map open read }; +allow msdp_sa ohos_boot_param:file { map open read }; +allow msdp_sa ohos_param:file { map open read }; +allow msdp_sa param_watcher:binder { call transfer }; +allow msdp_sa persist_param:file { map open read }; +allow msdp_sa persist_sys_param:file { map open read }; +allow msdp_sa sa_accesstoken_manager_service:samgr_class { get }; +allow msdp_sa sa_msdp_devicestatus_service:samgr_class { add }; +allow msdp_sa sa_param_watcher:samgr_class { get }; +allow msdp_sa security_param:file { map open read }; +allow msdp_sa sensors:binder { call }; +allow msdp_sa startup_param:file { map open read }; +allow msdp_sa sys_param:file { map open read }; +allow msdp_sa system_bin_file:dir { search }; +allow msdp_sa sys_usb_param:file { map open read }; +allow msdp_sa tracefs:dir { search }; +allow msdp_sa tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/multimodalinput.te b/prebuilts/api/5.0/base/te/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..8593116c3f5a4443204f1e05c98313f449283eac --- /dev/null +++ b/prebuilts/api/5.0/base/te/multimodalinput.te @@ -0,0 +1,74 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput accesstoken_service:binder { call }; +allow multimodalinput bootevent_param:file { map open read }; +allow multimodalinput bootevent_samgr_param:file { map open read }; +allow multimodalinput build_version_param:file { map open read }; +allow multimodalinput const_allow_mock_param:file { map open read }; +allow multimodalinput const_allow_param:file { map open read }; +allow multimodalinput const_build_param:file { map open read }; +allow multimodalinput const_display_brightness_param:file { map open read }; +allow multimodalinput const_param:file { map open read }; +allow multimodalinput const_postinstall_fstab_param:file { map open read }; +allow multimodalinput const_postinstall_param:file { map open read }; +allow multimodalinput const_product_param:file { map open read }; +allow multimodalinput data_file:dir { add_name create write }; +allow multimodalinput data_file:file { ioctl open read }; +allow multimodalinput data_libinput:dir { add_name search write }; +allow multimodalinput data_libinput:file { create ioctl open read write }; +allow multimodalinput data_udev:dir { search }; +allow multimodalinput data_udev:file { open read }; +allow multimodalinput debug_param:file { map open read }; +allow multimodalinput default_param:file { map open read }; +allow multimodalinput dev_input_file:chr_file { getattr ioctl open read write }; +allow multimodalinput dev_input_file:dir { search }; +allow multimodalinput dev_kmsg_file:chr_file { open write }; +allow multimodalinput distributedsche_param:file { map open read }; +allow multimodalinput hilog_param:file { map open read }; +allow multimodalinput hiview:unix_dgram_socket { sendto }; +allow multimodalinput hw_sc_build_os_param:file { map open read }; +allow multimodalinput hw_sc_build_param:file { map open read }; +allow multimodalinput hw_sc_param:file { map open read }; +allow multimodalinput init_param:file { map open read }; +allow multimodalinput init_svc_param:file { map open read }; +allow multimodalinput input_pointer_device_param:file { map open read }; +allow multimodalinput kernel:unix_stream_socket { connectto }; +allow multimodalinput multimodalinput:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow multimodalinput multimodalinput:unix_dgram_socket { getopt setopt }; +allow multimodalinput net_param:file { map open read }; +allow multimodalinput net_tcp_param:file { map open read }; +allow multimodalinput ohos_boot_param:file { map open read }; +allow multimodalinput ohos_param:file { map open read }; +allow multimodalinput paramservice_socket:sock_file { write }; +allow multimodalinput persist_param:file { map open read }; +allow multimodalinput persist_sys_param:file { map open read }; +allow multimodalinput sa_accesstoken_manager_service:samgr_class { get }; +allow multimodalinput sa_foundation_abilityms:samgr_class { get }; +allow multimodalinput sa_multimodalinput_service:samgr_class { add }; +allow multimodalinput sa_param_watcher:samgr_class { get }; +allow multimodalinput sa_resource_schedule:samgr_class { get }; +allow multimodalinput security_param:file { map open read }; +allow multimodalinput startup_param:file { map open read }; +allow multimodalinput sys_file:dir { open read }; +allow multimodalinput sys_file:file { getattr open read ioctl write }; +allow multimodalinput sys_param:file { map open read }; +allow multimodalinput system_bin_file:dir { search }; +allow multimodalinput system_usr_file:dir { search }; +allow multimodalinput system_usr_file:file { getattr map open read }; +allow multimodalinput sys_usb_param:file { map open read }; +allow multimodalinput vendor_etc_file:dir { search }; +allowxperm multimodalinput data_file:file ioctl { 0x5413 }; +allowxperm multimodalinput data_libinput:file ioctl { 0x5413 }; +allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4501 0x4502 0x4506 0x4507 0x4508 0x4509 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4578 0x4579 0x457a 0x45a0 }; +allowxperm multimodalinput sys_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/netmanager.te b/prebuilts/api/5.0/base/te/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..ddc817eeb9964b12db8a615948b034c4d6835852 --- /dev/null +++ b/prebuilts/api/5.0/base/te/netmanager.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager bootevent_param:file { map open read }; +allow netmanager bootevent_samgr_param:file { map open read }; +allow netmanager build_version_param:file { map open read }; +allow netmanager const_allow_mock_param:file { map open read }; +allow netmanager const_allow_param:file { map open read }; +allow netmanager const_build_param:file { map open read }; +allow netmanager const_display_brightness_param:file { map open read }; +allow netmanager const_param:file { map open read }; +allow netmanager const_postinstall_fstab_param:file { map open read }; +allow netmanager const_postinstall_param:file { map open read }; +allow netmanager const_product_param:file { map open read }; +allow netmanager data_data_file:dir { add_name write }; +allow netmanager data_data_file:file { append create ioctl write }; +allow netmanager data_ethernet:dir { getattr open read }; +allow netmanager data_file:dir { add_name create getattr open read write }; +allow netmanager data_log:file { read write }; +allow netmanager data_system:file { create getattr read write open }; +allow netmanager debug_param:file { map open read }; +allow netmanager default_param:file { map open read }; +allow netmanager dev_file:sock_file { write }; +allow netmanager dev_unix_socket:sock_file { write }; +allow netmanager distributedsche_param:file { map open read }; +allow netmanager faultloggerd:fd { use }; +allow netmanager faultloggerd:unix_stream_socket { connectto }; +allow netmanager hilog_param:file { map open read }; +allow netmanager hiview:binder { call }; +allow netmanager hiview:unix_dgram_socket { sendto }; +allow netmanager hw_sc_build_os_param:file { map open read }; +allow netmanager hw_sc_build_param:file { map open read }; +allow netmanager hw_sc_param:file { map open read }; +allow netmanager init_param:file { map open read }; +allow netmanager init_svc_param:file { map open read }; +allow netmanager input_pointer_device_param:file { map open read }; +allow netmanager netmanager:netlink_route_socket { bind setopt }; +allow netmanager netmanager:udp_socket { ioctl }; +allow netmanager netmanager:unix_dgram_socket { getopt setopt ioctl }; +allow netmanager net_param:file { map open read }; +allow netmanager netsysnative:binder { transfer }; +allow netmanager netsysnative:unix_stream_socket { connectto }; +allow netmanager net_tcp_param:file { map open read }; +allow netmanager normal_hap_attr:binder { call }; +allow netmanager ohos_boot_param:file { map open read }; +allow netmanager ohos_param:file { map open read }; +allow netmanager param_watcher:binder { call transfer }; +allow netmanager persist_param:file { map open read }; +allow netmanager persist_sys_param:file { map open read }; +allow netmanager sa_accesstoken_manager_service:samgr_class { get }; +allow netmanager sa_comm_dns_manager_service:samgr_class { add }; +allow netmanager sa_comm_ethernet_manager_service:samgr_class { add }; +allow netmanager sa_comm_mdns_manager_service:samgr_class { add }; +allow netmanager sa_comm_net_stats_manager_service:samgr_class { add }; +allow netmanager sa_foundation_cesfwk_service:samgr_class { get }; +allow netmanager sa_net_conn_manager:samgr_class { add }; +allow netmanager sa_net_policy_manager:samgr_class { add }; +allow netmanager sa_netsys_native_manager:samgr_class { get }; +allow netmanager sa_param_watcher:samgr_class { get }; +allow netmanager security_param:file { map open read }; +allow netmanager startup_param:file { map open read }; +allow netmanager sys_file:file { open read }; +allow netmanager sysfs_net:dir { open read }; +allow netmanager sysfs_net:file { open read }; +allow netmanager sys_param:file { map open read }; +allow netmanager sys_usb_param:file { map open read }; +allow netmanager tracefs:dir { search }; +allow netmanager tracefs_trace_marker_file:file { open write }; +allowxperm netmanager data_data_file:file ioctl { 0x5413 }; +allowxperm netmanager netmanager:udp_socket ioctl { 0x8927 }; +allowxperm netmanager netmanager:unix_dgram_socket ioctl { 0x8910 0x8933 }; diff --git a/prebuilts/api/5.0/base/te/netsysnative.te b/prebuilts/api/5.0/base/te/netsysnative.te new file mode 100644 index 0000000000000000000000000000000000000000..fc644fba15ba77edca68f70691652be76f00c6bc --- /dev/null +++ b/prebuilts/api/5.0/base/te/netsysnative.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netsysnative bootevent_param:file { map open read }; +allow netsysnative bootevent_samgr_param:file { map open read }; +allow netsysnative build_version_param:file { map open read }; +allow netsysnative const_allow_mock_param:file { map open read }; +allow netsysnative const_allow_param:file { map open read }; +allow netsysnative const_build_param:file { map open read }; +allow netsysnative const_display_brightness_param:file { map open read }; +allow netsysnative const_param:file { map open read }; +allow netsysnative const_postinstall_fstab_param:file { map open read }; +allow netsysnative const_postinstall_param:file { map open read }; +allow netsysnative const_product_param:file { map open read }; +allow netsysnative data_file:dir { add_name remove_name search write }; +allow netsysnative data_file:sock_file { create setattr unlink }; +allow netsysnative debug_param:file { map open read }; +allow netsysnative default_param:file { map open read }; +allow netsysnative dev_file:dir { add_name write }; +allow netsysnative dev_file:sock_file { create setattr }; +allow netsysnative distributedsche_param:file { map open read }; +allow netsysnative hilog_param:file { map open read }; +allow netsysnative hw_sc_build_os_param:file { map open read }; +allow netsysnative hw_sc_build_param:file { map open read }; +allow netsysnative hw_sc_param:file { map open read }; +allow netsysnative init_param:file { map open read }; +allow netsysnative init_svc_param:file { map open read }; +allow netsysnative input_pointer_device_param:file { map open read }; +allow netsysnative kernel:system { module_request }; +allow netsysnative netmanager:binder { call }; +allow netsysnative net_param:file { map open read }; +allow netsysnative netsysnative:capability { net_admin }; +allow netsysnative netsysnative:netlink_kobject_uevent_socket { bind create getopt read setopt }; +allow netsysnative netsysnative:netlink_netfilter_socket { bind create getopt setopt }; +allow netsysnative netsysnative:netlink_nflog_socket { create }; +allow netsysnative netsysnative:netlink_route_socket { bind connect getopt nlmsg_read read setopt }; +allow netsysnative netsysnative:udp_socket { create ioctl }; +allow netsysnative netsysnative:unix_dgram_socket { ioctl }; +allow netsysnative net_tcp_param:file { map open read }; +allow netsysnative ohos_boot_param:file { map open read }; +allow netsysnative ohos_param:file { map open read }; +allow netsysnative param_watcher:binder { call transfer }; +allow netsysnative persist_param:file { map open read }; +allow netsysnative persist_sys_param:file { map read open }; +allow netsysnative sa_netsys_native_manager:samgr_class { add }; +allow netsysnative sa_param_watcher:samgr_class { get }; +allow netsysnative security_param:file { map open read }; +allow netsysnative startup_param:file { map open read }; +allow netsysnative sysfs_net:dir { open read }; +allow netsysnative sys_param:file { map open read }; +allow netsysnative system_bin_file:dir { search }; +allow netsysnative sys_usb_param:file { map open read }; +allow netsysnative tracefs:dir { search }; +allow netsysnative tracefs_trace_marker_file:file { open write }; +allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8910 }; diff --git a/prebuilts/api/5.0/base/te/normal_hap.te b/prebuilts/api/5.0/base/te/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..58dd9026b01166db662cf25ba361e274c2cfed64 --- /dev/null +++ b/prebuilts/api/5.0/base/te/normal_hap.te @@ -0,0 +1,128 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr bootevent_param:file { map open read }; +allow normal_hap_attr bootevent_samgr_param:file { map open read }; +allow normal_hap_attr build_version_param:file { map open read }; +allow normal_hap_attr const_allow_mock_param:file { map open read }; +allow normal_hap_attr const_allow_param:file { map open read }; +allow normal_hap_attr const_build_param:file { map open read }; +allow normal_hap_attr const_display_brightness_param:file { map open read }; +allow normal_hap_attr const_param:file { map open read }; +allow normal_hap_attr const_postinstall_fstab_param:file { map open read }; +allow normal_hap_attr const_postinstall_param:file { map open read }; +allow normal_hap_attr const_product_param:file { map open read }; +allow normal_hap_attr data_app_el1_file:file { execute }; +allow normal_hap_attr data_service_el2_file:dir { read open search }; +allow normal_hap_attr data_service_el2_hmdfs:dir { add_name create getattr read open remove_name search write }; +allow normal_hap_attr data_service_el2_hmdfs:file { create getattr rename }; +allow normal_hap_attr data_service_el3_file:dir { read open search }; +allow normal_hap_attr data_service_el4_file:dir { read open search }; +allow normal_hap_attr data_service_el5_file:dir { read open search }; +allow normal_hap_attr data_user_file:dir { getattr read open search add_name create write }; +allow normal_hap_attr data_user_file:file { create getattr }; +allow normal_hap_attr debug_param:file { map open read }; +allow normal_hap_attr default_param:file { map open read }; +allow normal_hap_attr dev_ashmem_file:chr_file { open }; +allow normal_hap_attr dev_file:sock_file { write }; +allow normal_hap_attr deviceauth_service:binder { call }; +allow normal_hap_attr dev_mali:chr_file { getattr ioctl map open read write }; +allow normal_hap_attr dev_unix_socket:dir { search }; +allow normal_hap_attr dev_unix_socket:sock_file { write }; +allow normal_hap_attr allocator_host:binder { call }; +allow normal_hap_attr distributeddata:binder { call transfer }; +allow normal_hap_attr distributedsche_param:file { map open read }; +allow normal_hap_attr dslm_service:binder { call transfer }; +allow normal_hap_attr faultloggerd:fd { use }; +allow normal_hap_attr faultloggerd_socket:sock_file { write }; +allow normal_hap_attr faultloggerd_temp_file:file { read write }; +allow normal_hap_attr faultloggerd:unix_stream_socket { connectto }; +allow normal_hap_attr hdf_allocator_service:hdf_devmgr_class { get }; +allow normal_hap_attr hilog_param:file { map open read }; +allow normal_hap_attr hiview:unix_dgram_socket { sendto }; +allow normal_hap_attr huks_service:binder { call }; +allow normal_hap_attr hw_sc_build_os_param:file { map open read }; +allow normal_hap_attr hw_sc_build_param:file { map open read }; +allow normal_hap_attr hw_sc_param:file { map open read }; +allow normal_hap_attr init_param:file { map open read }; +allow normal_hap_attr init_svc_param:file { map open read }; +allow normal_hap_attr input_pointer_device_param:file { map open read }; +allow normal_hap_attr media_service:fd { use }; +allow normal_hap_attr netmanager:binder { call transfer }; +allow normal_hap_attr net_param:file { map open read }; +allow normal_hap_attr netsysnative:unix_stream_socket { connectto }; +allow normal_hap_attr net_tcp_param:file { map open read }; +allow normal_hap_attr normal_hap_attr:binder { call transfer }; +allow normal_hap_attr normal_hap_data_file_attr:dir { open read remove_name rmdir search add_name create write }; +allow normal_hap_attr normal_hap_data_file_attr:file { getattr ioctl lock map rename setattr unlink }; +allow normal_hap_attr normal_hap_attr:netlink_route_socket { append connect create getattr getopt lock nlmsg_read read setattr setopt shutdown write }; +allow normal_hap_attr normal_hap_attr:process { ptrace }; +allow normal_hap_attr normal_hap_attr:unix_dgram_socket { getopt setopt }; +allow normal_hap_attr normal_hap_attr:tcp_socket { getattr bind listen accept }; +allow normal_hap_attr node:tcp_socket { node_bind }; +allow normal_hap_attr nwebspawn:fifo_file { write }; +allow normal_hap_attr ohos_boot_param:file { map open read }; +allow normal_hap_attr ohos_param:file { map open read }; +allow normal_hap_attr persist_param:file { map open read }; +allow normal_hap_attr persist_sys_param:file { map open read }; +allow normal_hap_attr proc_max_user_watches:file { open read }; +allow normal_hap_attr render_service:unix_stream_socket { read read write write }; +allow normal_hap_attr sa_accessibleabilityms:samgr_class { get }; +allow normal_hap_attr sa_accesstoken_manager_service:samgr_class { get }; +allow normal_hap_attr sa_privacy_service:samgr_class { get }; +allow normal_hap_attr sa_dataobs_mgr_service_service:samgr_class { get }; +allow normal_hap_attr sa_device_auth_service:samgr_class { get }; +allow normal_hap_attr sa_device_security_level_manager_service:samgr_class { get }; +allow normal_hap_attr sa_device_service_manager:samgr_class { get }; +allow normal_hap_attr sa_distributeddata_service:samgr_class { get }; +allow normal_hap_attr sa_foundation_abilityms:samgr_class { get }; +allow normal_hap_attr sa_foundation_ans:samgr_class { get }; +allow normal_hap_attr sa_foundation_appms:samgr_class { get }; +allow normal_hap_attr sa_foundation_bms:samgr_class { get }; +allow normal_hap_attr sa_foundation_cesfwk_service:samgr_class { get }; +allow normal_hap_attr sa_foundation_devicemanager_service:samgr_class { get }; +allow normal_hap_attr sa_foundation_dms:samgr_class { get }; +allow normal_hap_attr sa_foundation_tel_state_registry:samgr_class { get }; +allow normal_hap_attr sa_foundation_wms:samgr_class { get }; +allow normal_hap_attr sa_huks_service:samgr_class { get }; +allow normal_hap_attr sa_inputmethod_service:samgr_class { get }; +allow normal_hap_attr sa_media_service:samgr_class { get }; +allow normal_hap_attr sa_net_conn_manager:samgr_class { get }; +allow normal_hap_attr sa_param_watcher:samgr_class { get }; +allow normal_hap_attr sa_render_service:samgr_class { get }; +allow normal_hap_attr sa_resource_schedule:samgr_class { get }; +allow normal_hap_attr sa_telephony_tel_cellular_data:samgr_class { get }; +allow normal_hap_attr sa_telephony_tel_core_service:samgr_class { get }; +allow normal_hap_attr sa_uri_permission_mgr_service:samgr_class { get }; +allow normal_hap_attr security_param:file { map open read }; +allow normal_hap_attr startup_param:file { map open read }; +allow normal_hap_attr sysfs_devices_system_cpu:file { open read }; +allow normal_hap_attr sysfs_hctosys:file { open read }; +allow normal_hap_attr sysfs_rtc:dir { open read }; +allow normal_hap_attr sys_param:file { map open read }; +allow normal_hap_attr system_bin_file:file { execute_no_trans map open }; +allow normal_hap_attr toybox_exec:file { execute_no_trans map open }; +allow normal_hap_attr system_core_hap_attr:binder { transfer }; +allow normal_hap_attr system_core_hap_attr:fd { use }; +allow normal_hap_attr system_lib_file:dir { open read }; +allow normal_hap_attr sys_usb_param:file { map open read }; +allow normal_hap_attr telephony_sa:binder { call }; +allow normal_hap_attr tracefs:dir { search }; +allow normal_hap_attr allocator_host:fd { use }; +allow normal_hap_attr tracefs_trace_marker_file:file { open write }; +allowxperm normal_hap_attr dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800c 0x800e 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8026 0x8024 0x8025 0x8027 0x8030 0x8033 0x8034 0x8036 0x802a 0x802c 0x802d 0x802f 0x8014 }; +allowxperm normal_hap_attr normal_hap_data_file_attr:file ioctl { 0x5413 0xf50c }; +binder_call(normal_hap_attr system_basic_hap_attr); +allow normal_hap_attr dev_asanlog_file:dir { rw_dir_perms }; +allow normal_hap_attr dev_asanlog_file:file { create_file_perms }; +allow normal_hap_attr sa_hiview_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/base/te/nwebspawn.te b/prebuilts/api/5.0/base/te/nwebspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..aea65fbeb38ecba3c399d05c16c3d7873a47cda3 --- /dev/null +++ b/prebuilts/api/5.0/base/te/nwebspawn.te @@ -0,0 +1,78 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow nwebspawn bootevent_param:file { map open read }; +allow nwebspawn bootevent_samgr_param:file { map open read }; +allow nwebspawn build_version_param:file { map open read }; +allow nwebspawn const_allow_mock_param:file { map open read }; +allow nwebspawn const_allow_param:file { map open read }; +allow nwebspawn const_build_param:file { map open read }; +allow nwebspawn const_display_brightness_param:file { map open read }; +allow nwebspawn const_param:file { map open read }; +allow nwebspawn const_postinstall_fstab_param:file { map open read }; +allow nwebspawn const_postinstall_param:file { map open read }; +allow nwebspawn const_product_param:file { map open read }; +allow nwebspawn data_app_el1_file:dir { mounton search }; +allow nwebspawn data_app_el1_file:file { execute getattr map open read }; +allow nwebspawn data_app_el2_file:dir { search }; +allow nwebspawn data_app_file:dir { search }; +allow nwebspawn debug_param:file { map open read }; +allow nwebspawn default_param:file { map open read }; +allow nwebspawn dev_at_file:chr_file { ioctl }; +allow nwebspawn distributedsche_param:file { map open read }; +allow nwebspawn hilog_param:file { map open read }; +allow nwebspawn hw_sc_build_os_param:file { map open read }; +allow nwebspawn hw_sc_build_param:file { map open read }; +allow nwebspawn hw_sc_param:file { map open read }; +allow nwebspawn init_param:file { map open read }; +allow nwebspawn init_svc_param:file { map open read }; +allow nwebspawn init:unix_stream_socket { getattr getopt }; +allow nwebspawn input_pointer_device_param:file { map open read }; +allow nwebspawn net_param:file { map open read }; +allow nwebspawn net_tcp_param:file { map open read }; +allow nwebspawn normal_hap_data_file_attr:dir { mounton }; +allow nwebspawn nwebspawn:capability { setgid setuid sys_admin kill }; +allow nwebspawn nwebspawn_socket:sock_file { setattr }; +allow nwebspawn ohos_boot_param:file { map open read }; +allow nwebspawn ohos_param:file { map open read }; +allow nwebspawn persist_param:file { map open read }; +allow nwebspawn persist_sys_param:file { map open read }; +allow nwebspawn proc_file:dir { mounton }; +allow nwebspawn rootfs:dir { mounton }; +allow nwebspawn security_param:file { map open read }; +allow nwebspawn startup_param:file { map open read }; +allow nwebspawn sys_file:dir { mounton }; +allow nwebspawn sys_param:file { map open read }; +allow nwebspawn system_bin_file:dir { mounton search }; +allow nwebspawn system_bin_file:file { entrypoint execute map read }; +allow nwebspawn toybox_exec:file { entrypoint execute map read }; +allow nwebspawn system_etc_file:dir { mounton }; +allow nwebspawn system_file:dir { mounton }; +allow nwebspawn system_fonts_file:dir { mounton }; +allow nwebspawn system_lib_file:dir { mounton }; +allow nwebspawn system_profile_file:dir { mounton }; +allow nwebspawn system_usr_file:dir { mounton search }; +allow nwebspawn system_usr_file:file { getattr map open read }; +allow nwebspawn sys_usb_param:file { map open read }; +allow nwebspawn tmpfs:dir { mounton }; +allow nwebspawn tmpfs:filesystem { unmount }; +allow nwebspawn vendor_lib_file:dir { mounton }; +# avc: denied { map } for pid=2795 comm="appspawn" path="/system/bin/appspawn" dev="mmcblk0p7" ino=136 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=0 +allow nwebspawn appspawn_exec:file { execute execute_no_trans open read map }; +allowxperm nwebspawn dev_at_file:chr_file ioctl { 0x4102 }; + +debug_only(` + allow nwebspawn dev_pts_file:dir { search }; + allow nwebspawn devpts:chr_file { write open ioctl getattr }; + allowxperm nwebspawn devpts:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 0x5410 }; +') diff --git a/prebuilts/api/5.0/base/te/pasteboard_service.te b/prebuilts/api/5.0/base/te/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..80918140568b0cf055fc8dd3cda85ae6e4c7182c --- /dev/null +++ b/prebuilts/api/5.0/base/te/pasteboard_service.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pasteboard_service bootevent_param:file { map open read }; +allow pasteboard_service bootevent_samgr_param:file { map open read }; +allow pasteboard_service build_version_param:file { map open read }; +allow pasteboard_service const_allow_mock_param:file { map open read }; +allow pasteboard_service const_allow_param:file { map open read }; +allow pasteboard_service const_build_param:file { map open read }; +allow pasteboard_service const_display_brightness_param:file { map open read }; +allow pasteboard_service const_param:file { map open read }; +allow pasteboard_service const_postinstall_fstab_param:file { map open read }; +allow pasteboard_service const_postinstall_param:file { map open read }; +allow pasteboard_service const_product_param:file { map open read }; +allow pasteboard_service debug_param:file { map open read }; +allow pasteboard_service default_param:file { map open read }; +allow pasteboard_service distributedsche_param:file { map open read }; +allow pasteboard_service hilog_param:file { map open read }; +allow pasteboard_service hw_sc_build_os_param:file { map open read }; +allow pasteboard_service hw_sc_build_param:file { map open read }; +allow pasteboard_service hw_sc_param:file { map open read }; +allow pasteboard_service init_param:file { map open read }; +allow pasteboard_service init_svc_param:file { map open read }; +allow pasteboard_service input_pointer_device_param:file { map open read }; +allow pasteboard_service net_param:file { map open read }; +allow pasteboard_service net_tcp_param:file { map open read }; +allow pasteboard_service ohos_boot_param:file { map open read }; +allow pasteboard_service ohos_param:file { map open read }; +allow pasteboard_service param_watcher:binder { call transfer }; +allow pasteboard_service persist_param:file { map open read }; +allow pasteboard_service persist_sys_param:file { map open read }; +allow pasteboard_service sa_param_watcher:samgr_class { get }; +allow pasteboard_service sa_pasteboard_service:samgr_class { add }; +allow pasteboard_service security_param:file { map open read }; +allow pasteboard_service startup_param:file { map open read }; +allow pasteboard_service sys_param:file { map open read }; +allow pasteboard_service system_bin_file:dir { search }; +allow pasteboard_service sys_usb_param:file { map open read }; +allow pasteboard_service tracefs:dir { search }; +allow pasteboard_service tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/processdump.te b/prebuilts/api/5.0/base/te/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..1e2412cf06b16e0c74b7e47b7bd7923077989c8f --- /dev/null +++ b/prebuilts/api/5.0/base/te/processdump.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow processdump bootevent_param:file { map open read }; +allow processdump bootevent_samgr_param:file { map open read }; +allow processdump build_version_param:file { map open read }; +allow processdump const_allow_mock_param:file { map open read }; +allow processdump const_allow_param:file { map open read }; +allow processdump const_build_param:file { map open read }; +allow processdump const_display_brightness_param:file { map open read }; +allow processdump const_param:file { map open read }; +allow processdump const_postinstall_fstab_param:file { map open read }; +allow processdump const_postinstall_param:file { map open read }; +allow processdump const_product_param:file { map open read }; +allow processdump debug_param:file { map open read }; +allow processdump default_param:file { map open read }; +allow processdump dev_kmsg_file:chr_file { open write }; +allow processdump distributedsche_param:file { map open read }; +allow processdump download_server:process { ptrace }; +allow processdump foundation:process { ptrace }; +allow processdump hilog_param:file { map open read }; +allow processdump hw_sc_build_os_param:file { map open read }; +allow processdump hw_sc_build_param:file { map open read }; +allow processdump hw_sc_param:file { map open read }; +allow processdump init_param:file { map open read }; +allow processdump init_svc_param:file { map open read }; +allow processdump input_pointer_device_param:file { map open read }; +allow processdump installs:process { ptrace }; +allow processdump net_param:file { map open read }; +allow processdump net_tcp_param:file { map open read }; +allow processdump ohos_boot_param:file { map open read }; +allow processdump ohos_param:file { map open read }; +allow processdump persist_param:file { map open read }; +allow processdump persist_sys_param:file { map open read }; +allow processdump powermgr:process { ptrace }; +allow processdump security_param:file { map open read }; +allow processdump softbus_server:process { ptrace }; +allow processdump startup_param:file { map open read }; +allow processdump sys_param:file { map open read }; +allow processdump sys_usb_param:file { map open read }; diff --git a/prebuilts/api/5.0/base/te/render_service.te b/prebuilts/api/5.0/base/te/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ff4b2506641b3f69d561f05aa1fbd3ec2dca1739 --- /dev/null +++ b/prebuilts/api/5.0/base/te/render_service.te @@ -0,0 +1,88 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service bootanimation:binder { call transfer }; +allow render_service bootanimation:fd { use }; +allow render_service bootevent_param:file { map open read }; +allow render_service bootevent_samgr_param:file { map open read }; +allow render_service build_version_param:file { map open read }; +allow render_service const_allow_mock_param:file { map open read }; +allow render_service const_allow_param:file { map open read }; +allow render_service const_build_param:file { map open read }; +allow render_service const_display_brightness_param:file { map open read }; +allow render_service const_param:file { map open read }; +allow render_service const_postinstall_fstab_param:file { map open read }; +allow render_service const_postinstall_param:file { map open read }; +allow render_service const_product_param:file { map open read }; +allow render_service debug_param:file { map open read }; +allow render_service default_param:file { map open read }; +allow render_service dev_dri_file:chr_file { getattr ioctl open read write }; +allow render_service dev_dri_file:dir { search }; +allow render_service dev_graphics_file:chr_file { open read write }; +allow render_service dev_graphics_file:dir { search }; +allow render_service dev_mali:chr_file { getattr ioctl map open read write }; +allow render_service dev_rga:chr_file { ioctl open read write }; +allow render_service distributedsche_param:file { map open read }; +allow render_service hilog_param:file { map open read }; +allow render_service hw_sc_build_os_param:file { map open read }; +allow render_service hw_sc_build_param:file { map open read }; +allow render_service hw_sc_param:file { map open read }; +allow render_service init_param:file { map open read }; +allow render_service init_svc_param:file { map open read }; +allow render_service input_pointer_device_param:file { map open read }; +allow render_service multimodalinput:binder { call transfer }; +allow render_service net_param:file { map open read }; +allow render_service net_tcp_param:file { map open read }; +allow render_service ohos_boot_param:file { map open read }; +allow render_service ohos_param:file { map open read }; +allow render_service param_watcher:binder { call transfer }; +allow render_service persist_param:file { map open read }; +allow render_service persist_sys_param:file { map open read }; +allow render_service proc_boot_id:file { open read }; +allow render_service render_service:capability { sys_nice }; +allow render_service render_service:netlink_kobject_uevent_socket { bind create setopt }; +allow render_service sa_device_service_manager:samgr_class { get }; +allow render_service sa_param_watcher:samgr_class { get }; +allow render_service sa_render_service:samgr_class { add }; +allow render_service security_param:file { map open read }; +allow render_service startup_param:file { map open read }; +allow render_service sys_param:file { map open read }; +allow render_service system_bin_file:dir { search }; +allow render_service system_core_hap_attr:binder { call }; +allow render_service system_core_hap_attr:fd { use }; +allow render_service sys_usb_param:file { map open read }; +allow render_service tracefs:dir { search }; +allow render_service tracefs_trace_marker_file:file { open write }; +allow render_service ui_service:binder { call transfer }; +allow render_service ui_service:fd { use }; +allow render_service sh:fd { use }; +allow render_service allocator_host:binder { call }; +allow render_service allocator_host:fd { use }; +allow render_service composer_host:binder { call transfer }; +allow render_service composer_host:fd { use }; +allow render_service hdf_allocator_service:hdf_devmgr_class { get }; +allow render_service hdf_display_composer_service:hdf_devmgr_class { get }; +allow render_service useriam:binder { call transfer }; +allow render_service useriam:fd { use }; +allow render_service sa_memory_manager_service:samgr_class { get }; +allow render_service memmgrservice:binder { call transfer }; +allow render_service data_system:dir { create open read write getattr setattr unlink link remove_name search add_name}; +allow render_service data_system:file { create open read write getattr setattr unlink link}; +allow render_service chip_prod_file:dir { search read }; +allow render_service chip_prod_file:file { map open read getattr }; +allowxperm render_service dev_dri_file:chr_file ioctl { 0x640d 0x6411 0x641e 0x641f 0x642d 0x64a0 0x64a1 0x64a6 0x64a7 0x64aa 0x64b2 0x64b4 0x64b5 0x64b6 0x64b9 }; +allowxperm render_service dev_mali:chr_file ioctl { 0x8000 0x8001 0x8003 0x8005 0x800e 0x8011 0x8018 0x8024 0x8026 0x8027 0x8029 0x802a 0x802b 0x802c 0x802d 0x802e 0x800f 0x8030 0x8031 0x8033 0x8034 0x8036 }; +allowxperm render_service dev_rga:chr_file ioctl { 0x601b }; +hdi_call(render_service, hdf_allocator_service) +allow render_service usb_service:fd { use }; +allow render_service data_service_el1_file:file { map write read }; diff --git a/prebuilts/api/5.0/base/te/resource_schedule_service.te b/prebuilts/api/5.0/base/te/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..448bc7b90dfd62c600378d5fbda3177b2837921c --- /dev/null +++ b/prebuilts/api/5.0/base/te/resource_schedule_service.te @@ -0,0 +1,61 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# bootdevice rely +allow resource_schedule_service bootevent_param:file { map open read }; +allow resource_schedule_service bootevent_samgr_param:file { map open read }; +allow resource_schedule_service const_display_brightness_param:file { map open read }; +# install unintsall envent +allow resource_schedule_service const_postinstall_fstab_param:file { map open read }; +allow resource_schedule_service const_postinstall_param:file { map open read }; +# hilog file open rely +allow resource_schedule_service hilog_param:file { map open read }; +allow resource_schedule_service hw_sc_build_os_param:file { map open read }; +allow resource_schedule_service hw_sc_build_param:file { map open read }; +allow resource_schedule_service hw_sc_param:file { map open read }; +# boot device rely +allow resource_schedule_service ohos_boot_param:file { map open read }; +allow resource_schedule_service ohos_param:file { map open read }; +allow resource_schedule_service sa_bgtaskmgr:samgr_class { get }; +allow resource_schedule_service sa_foundation_appms:samgr_class { get }; +allow resource_schedule_service sa_resource_schedule_socperf_server:samgr_class { add get }; +allow resource_schedule_service security_param:file { map open read }; +allow resource_schedule_service startup_param:file { map open read }; +# hdc device recognition +allow resource_schedule_service sys_param:file { map open read }; +allow resource_schedule_service system_usr_file:file { map open }; +allow resource_schedule_service sys_usb_param:file { map open read }; +allow resource_schedule_service vendor_etc_file:dir { search }; +debug_only(` + allow resource_schedule_service debug_param:file { map open read }; +') +allow resource_schedule_service default_param:file { map open read }; +allow resource_schedule_service dev_file:lnk_file { read }; +allow resource_schedule_service persist_param:file { map open read }; +allow resource_schedule_service persist_sys_param:file { map open read }; +allow resource_schedule_service sa_foundation_tel_state_registry:samgr_class { get }; +allow resource_schedule_service sa_foundation_wms:samgr_class { get }; +allow resource_schedule_service sa_resource_schedule:samgr_class { add get }; +allow resource_schedule_service sa_sys_event_service:samgr_class { get }; +allowxperm resource_schedule_service sysfs_devices_system_cpu:file ioctl { 0x5413 }; +allow resource_schedule_service sa_multimodalinput_service:samgr_class { get }; +allow resource_schedule_service multimodalinput:unix_stream_socket { read }; +allow resource_schedule_service sa_work_schedule_service:samgr_class { get }; +allow resource_schedule_service distributeddata:fd { use }; +allow distributeddata resource_schedule_service:binder { transfer }; +allow resource_schedule_service wifi_manager_service:binder { call }; +allow resource_schedule_service sa_wifi_hotspot_ability:samgr_class { get }; +allow resource_schedule_service sa_wifi_p2p_ability:samgr_class { get }; +allow resource_schedule_service sa_wifi_device_ability:samgr_class { get }; +allow resource_schedule_service netmanager:binder { call }; +allow resource_schedule_service powermgr:binder {call transfer}; diff --git a/prebuilts/api/5.0/base/te/samgr.te b/prebuilts/api/5.0/base/te/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..5a91d14f03672cb7b82cad44c8c452529c5ae0cf --- /dev/null +++ b/prebuilts/api/5.0/base/te/samgr.te @@ -0,0 +1,63 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr bootevent_param:file { map open read }; +allow samgr bootevent_samgr_param:file { map open read }; +allow samgr build_version_param:file { map open read }; +allow samgr const_allow_mock_param:file { map open read }; +allow samgr const_allow_param:file { map open read }; +allow samgr const_build_param:file { map open read }; +allow samgr const_display_brightness_param:file { map open read }; +allow samgr const_param:file { map open read }; +allow samgr const_postinstall_fstab_param:file { map open read }; +allow samgr const_postinstall_param:file { map open read }; +allow samgr const_product_param:file { map open read }; +allow samgr debug_param:file { map open read }; +allow samgr default_param:file { map open read }; +allow samgr dev_kmsg_file:chr_file { open write }; +allow samgr dev_unix_socket:sock_file { write }; +allow samgr distributedsche_param:file { map open read }; +allow samgr data_samgr:dir { add_name search write remove_name }; +allow samgr data_samgr:file { create getattr ioctl read write lock map open rename setattr unlink }; +allow samgr hilog_param:file { map open read }; +allow samgr hw_sc_build_os_param:file { map open read }; +allow samgr hw_sc_build_param:file { map open read }; +allow samgr hw_sc_param:file { map open read }; +allow samgr init_param:file { map open read }; +allow samgr init_svc_param:file { map open read }; +allow samgr input_pointer_device_param:file { map open read }; +allow samgr net_param:file { map open read }; +allow samgr net_tcp_param:file { map open read }; +allow samgr normal_hap_attr:binder { call }; +allow samgr ohos_boot_param:file { map open read }; +allow samgr ohos_param:file { map open read }; +allow samgr ohos_param:parameter_service { set }; +allow samgr persist_param:file { map open read }; +allow samgr persist_sys_param:file { map open read }; +allow samgr processdump:binder { transfer }; +allow samgr processdump:dir { search }; +allow samgr processdump:file { open read }; +allow samgr processdump:process { getattr }; +allow samgr samgr:unix_dgram_socket { getopt setopt }; +allow samgr sa_softbus_service:samgr_class { get }; +allow samgr security_param:file { map open read }; +allow samgr startup_param:file { map open read }; +allow samgr sys_param:file { map open read }; +allow samgr system_basic_hap_attr:binder { call }; +allow samgr system_core_hap_attr:binder { call }; +allow samgr sys_usb_param:file { map open read }; +allow samgr tracefs:dir { search }; +allow samgr tracefs_trace_marker_file:file { open write }; +allow samgr vendor_etc_file:dir { search }; +allow samgr appspawn:process { getattr }; +allowxperm samgr data_samgr:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/screenlock_server.te b/prebuilts/api/5.0/base/te/screenlock_server.te new file mode 100644 index 0000000000000000000000000000000000000000..745858d013091e965d1499b3047810a0c54334ba --- /dev/null +++ b/prebuilts/api/5.0/base/te/screenlock_server.te @@ -0,0 +1,56 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow screenlock_server bootevent_param:file { map open read }; +allow screenlock_server bootevent_samgr_param:file { map open read }; +allow screenlock_server build_version_param:file { map open read }; +allow screenlock_server const_allow_mock_param:file { map open read }; +allow screenlock_server const_allow_param:file { map open read }; +allow screenlock_server const_build_param:file { map open read }; +allow screenlock_server const_display_brightness_param:file { map open read }; +allow screenlock_server const_param:file { map open read }; +allow screenlock_server const_postinstall_fstab_param:file { map open read }; +allow screenlock_server const_postinstall_param:file { map open read }; +allow screenlock_server const_product_param:file { map open read }; +allow screenlock_server debug_param:file { map open read }; +allow screenlock_server default_param:file { map open read }; +allow screenlock_server distributedsche_param:file { map open read }; +allow screenlock_server foundation:binder { call transfer }; +allow screenlock_server hilog_param:file { map open read }; +allow screenlock_server hw_sc_build_os_param:file { map open read }; +allow screenlock_server hw_sc_build_param:file { map open read }; +allow screenlock_server hw_sc_param:file { map open read }; +allow screenlock_server init_param:file { map open read }; +allow screenlock_server init_svc_param:file { map open read }; +allow screenlock_server input_pointer_device_param:file { map open read }; +allow screenlock_server net_param:file { map open read }; +allow screenlock_server net_tcp_param:file { map open read }; +allow screenlock_server ohos_boot_param:file { map open read }; +allow screenlock_server ohos_param:file { map open read }; +allow screenlock_server param_watcher:binder { call transfer }; +allow screenlock_server persist_param:file { map open read }; +allow screenlock_server persist_sys_param:file { map open read }; +allow screenlock_server sa_foundation_bms:samgr_class { get }; +allow screenlock_server sa_foundation_dms:samgr_class { get }; +allow screenlock_server sa_foundation_wms:samgr_class { get }; +allow screenlock_server sa_param_watcher:samgr_class { get }; +allow screenlock_server sa_screenlock_service:samgr_class { add }; +allow screenlock_server security_param:file { map open read }; +allow screenlock_server startup_param:file { map open read }; +allow screenlock_server sys_param:file { map open read }; +allow screenlock_server system_bin_file:dir { search }; +allow screenlock_server system_usr_file:dir { search }; +allow screenlock_server system_usr_file:file { getattr open read }; +allow screenlock_server sys_usb_param:file { map open read }; +allow screenlock_server tracefs:dir { search }; +allow screenlock_server tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/sensors.te b/prebuilts/api/5.0/base/te/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..7ce64a12e9f39e82751e99854ddca42f7091de66 --- /dev/null +++ b/prebuilts/api/5.0/base/te/sensors.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sensors bootevent_param:file { map open read }; +allow sensors bootevent_samgr_param:file { map open read }; +allow sensors build_version_param:file { map open read }; +allow sensors const_allow_mock_param:file { map open read }; +allow sensors const_allow_param:file { map open read }; +allow sensors const_build_param:file { map open read }; +allow sensors const_display_brightness_param:file { map open read }; +allow sensors const_param:file { map open read }; +allow sensors const_postinstall_fstab_param:file { map open read }; +allow sensors const_postinstall_param:file { map open read }; +allow sensors const_product_param:file { map open read }; +allow sensors debug_param:file { map open read }; +allow sensors default_param:file { map open read }; +allow sensors dev_unix_socket:dir { search }; +allow sensors distributedsche_param:file { map open read }; +allow sensors hdf_devmgr:binder { call }; +allow sensors hilog_param:file { map open read }; +allow sensors hw_sc_build_os_param:file { map open read }; +allow sensors hw_sc_build_param:file { map open read }; +allow sensors hw_sc_param:file { map open read }; +allow sensors init_param:file { map open read }; +allow sensors init_svc_param:file { map open read }; +allow sensors input_pointer_device_param:file { map open read }; +allow sensors net_param:file { map open read }; +allow sensors net_tcp_param:file { map open read }; +allow sensors ohos_boot_param:file { map open read }; +allow sensors ohos_param:file { map open read }; +allow sensors param_watcher:binder { call transfer }; +allow sensors persist_param:file { map open read }; +allow sensors persist_sys_param:file { map open read }; +allow sensors security_param:file { map open read }; +allow sensors sensor_host:binder { call transfer }; +allow sensors startup_param:file { map open read }; +allow sensors sys_param:file { map open read }; +allow sensors system_bin_file:dir { search }; +allow sensors sys_usb_param:file { map open read }; +allow sensors tracefs:dir { search }; +allow sensors tracefs_trace_marker_file:file { open write }; +allow sensors vibrator_host:binder { call }; diff --git a/prebuilts/api/5.0/base/te/softbus_server.te b/prebuilts/api/5.0/base/te/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..f2372d512a3e9874435aa98fbd6ba6374c5fc22d --- /dev/null +++ b/prebuilts/api/5.0/base/te/softbus_server.te @@ -0,0 +1,101 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server accesstoken_service:binder { call }; +allow softbus_server accountmgr:binder { call }; +allow softbus_server bluetooth_service:binder { call transfer }; +allow softbus_server bootevent_param:file { map open read }; +allow softbus_server bootevent_samgr_param:file { map open read }; +allow softbus_server build_version_param:file { map open read }; +allow softbus_server const_allow_mock_param:file { map open read }; +allow softbus_server const_allow_param:file { map open read }; +allow softbus_server const_build_param:file { map open read }; +allow softbus_server const_display_brightness_param:file { map open read }; +allow softbus_server const_param:file { map open read }; +allow softbus_server const_postinstall_fstab_param:file { map open read }; +allow softbus_server const_postinstall_param:file { map open read }; +allow softbus_server const_product_param:file { map open read }; +allow softbus_server data_file:dir { search }; +allow softbus_server data_log:file { read write }; +allow softbus_server data_service_el1_file:dir { add_name search write }; +allow softbus_server data_service_el1_file:file { create read write open }; +allow softbus_server data_service_file:dir { search }; +allow softbus_server debug_param:file { map open read }; +allow softbus_server default_param:file { map open read }; +allow softbus_server dev_file:sock_file { write }; +allow softbus_server deviceauth_service:binder { call transfer }; +allow softbus_server dev_unix_socket:dir { search }; +allow softbus_server dev_unix_socket:sock_file { write }; +allow softbus_server dhardware:binder { call }; +allow softbus_server distributeddata:binder { call }; +allow softbus_server distributedfiledaemon:binder { call }; +allow softbus_server distributedsche:binder { call }; +allow softbus_server distributedsche_param:file { map open read }; +allow softbus_server dslm_service:binder { call }; +allow softbus_server faultloggerd:fd { use }; +allow softbus_server faultloggerd:unix_stream_socket { connectto }; +allow softbus_server foundation:binder { call transfer }; +allow softbus_server hilog_param:file { map open read }; +allow softbus_server hiview:binder { call }; +allow softbus_server huks_service:binder { call }; +allow softbus_server hw_sc_build_os_param:file { map open read }; +allow softbus_server hw_sc_build_param:file { map open read }; +allow softbus_server hw_sc_param:file { map open read }; +allow softbus_server init_param:file { map open read }; +allow softbus_server init_svc_param:file { map open read }; +allow softbus_server input_pointer_device_param:file { map open read }; +allow softbus_server net_param:file { map open read }; +allow softbus_server netsysnative:unix_stream_socket { connectto }; +allow softbus_server net_tcp_param:file { map open read }; +allow softbus_server node:tcp_socket { node_bind }; +allow softbus_server node:udp_socket { node_bind }; +allow softbus_server ohos_boot_param:file { map open read }; +allow softbus_server ohos_param:file { map open read }; +allow softbus_server param_watcher:binder { call transfer }; +allow softbus_server persist_param:file { map open read }; +allow softbus_server persist_sys_param:file { map open read }; +allow softbus_server port:tcp_socket { name_connect }; +allow softbus_server port:udp_socket { name_bind }; +allow softbus_server sa_accesstoken_manager_service:samgr_class { get }; +allow softbus_server sa_accountmgr:samgr_class { get }; +allow softbus_server sa_bluetooth_server:samgr_class { get }; +allow softbus_server sa_device_auth_service:samgr_class { get }; +allow softbus_server sa_huks_service:samgr_class { get }; +allow softbus_server sa_param_watcher:samgr_class { get }; +allow softbus_server sa_softbus_service:samgr_class { add get }; +allow softbus_server sa_wifi_device_ability:samgr_class { get }; +allow softbus_server sa_wifi_hotspot_ability:samgr_class { get }; +allow softbus_server sa_wifi_p2p_ability:samgr_class { get }; +allow softbus_server sa_wifi_scan_ability:samgr_class { get }; +allow softbus_server security_param:file { map open read }; +allow softbus_server softbus_server:netlink_route_socket { bind create nlmsg_read read setopt write }; +allow softbus_server softbus_server:tcp_socket { accept bind connect create getattr listen read setopt shutdown write }; +allow softbus_server softbus_server:udp_socket { bind connect create getattr ioctl read setopt write }; +allow softbus_server softbus_server:unix_dgram_socket { getopt ioctl setopt }; +allow softbus_server startup_param:file { map open read }; +allow softbus_server sys_param:file { map open read }; +allow softbus_server system_basic_hap_attr:binder { call transfer }; +allow softbus_server system_basic_hap_attr:fd { use }; +allow softbus_server system_bin_file:dir { search }; +allow softbus_server system_bin_file:file { execute execute_no_trans map read read open }; +allow softbus_server system_usr_file:dir { search }; +allow softbus_server system_usr_file:file { getattr map open read }; +allow softbus_server sys_usb_param:file { map open read }; +allow softbus_server token_sync_service:binder { call }; +allow softbus_server tracefs:dir { search }; +allow softbus_server tracefs_trace_marker_file:file { open write }; +allow softbus_server wifi_manager_service:binder { call transfer }; +allow softbus_server kernel:system { module_request }; +allow softbus_server softbus_server:capability { net_admin }; +allowxperm softbus_server softbus_server:udp_socket ioctl { 0x8910 0x8912 0x8913 0x8915 0x8919 0x8927 }; +allowxperm softbus_server softbus_server:unix_dgram_socket ioctl { 0x8910 }; diff --git a/prebuilts/api/5.0/base/te/storage_daemon.te b/prebuilts/api/5.0/base/te/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..f8402d47d895b98aceea3245e80594212ea4be69 --- /dev/null +++ b/prebuilts/api/5.0/base/te/storage_daemon.te @@ -0,0 +1,88 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon accesstoken_service:binder { call }; +allow storage_daemon bootevent_param:file { map open read }; +allow storage_daemon bootevent_samgr_param:file { map open read }; +allow storage_daemon build_version_param:file { map open read }; +allow storage_daemon const_allow_mock_param:file { map open read }; +allow storage_daemon const_allow_param:file { map open read }; +allow storage_daemon const_build_param:file { map open read }; +allow storage_daemon const_display_brightness_param:file { map open read }; +allow storage_daemon const_param:file { map open read }; +allow storage_daemon const_postinstall_fstab_param:file { map open read }; +allow storage_daemon const_postinstall_param:file { map open read }; +allow storage_daemon const_product_param:file { map open read }; +allow storage_daemon data_app_el1_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_app_el2_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_app_el3_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_app_el4_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_app_el5_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_app_file:dir { search }; +allow storage_daemon data_chipset_el1_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_chipset_el2_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_chipset_file:dir { search }; +allow storage_daemon data_file:dir { search }; +allow storage_daemon data_service_el1_file:dir { add_name create getattr open read search setattr write }; +allow storage_daemon data_service_el2_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow storage_daemon data_service_el2_file:file { relabelfrom }; +allow storage_daemon data_service_el2_hmdfs:dir { add_name create getattr open read read open relabelto relabelfrom search setattr write }; +allow storage_daemon data_service_el2_hmdfs:file { read open write open }; +allow storage_daemon data_service_el3_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow storage_daemon data_service_el4_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow storage_daemon data_service_el5_file:dir { add_name create getattr open read relabelfrom search setattr write }; +allow storage_daemon data_service_file:dir { search }; +allow storage_daemon data_user_file:dir { open read read open relabelto setattr }; +allow storage_daemon debug_param:file { map open read }; +allow storage_daemon default_param:file { map open read }; +allow storage_daemon dev_unix_socket:dir { search }; +allow storage_daemon distributedfiledaemon:fd { use }; +allow storage_daemon distributedsche_param:file { map open read }; +allow storage_daemon hilog_param:file { map open read }; +allow storage_daemon hmdfs:dir { search }; +allow storage_daemon hmdfs:filesystem { mount }; +allow storage_daemon hw_sc_build_os_param:file { map open read }; +allow storage_daemon hw_sc_build_param:file { map open read }; +allow storage_daemon hw_sc_param:file { map open read }; +allow storage_daemon init_param:file { map open read }; +allow storage_daemon init_svc_param:file { map open read }; +allow storage_daemon input_pointer_device_param:file { map open read }; +allow storage_daemon net_param:file { map open read }; +allow storage_daemon net_tcp_param:file { map open read }; +allow storage_daemon ohos_boot_param:file { map open read }; +allow storage_daemon ohos_param:file { map open read }; +allow storage_daemon persist_param:file { map open read }; +allow storage_daemon persist_sys_param:file { map open read }; +allow storage_daemon sa_accesstoken_manager_service:samgr_class { get }; +allow storage_daemon sa_storage_manager_daemon:samgr_class { add }; +allow storage_daemon security_param:file { map open read }; +allow storage_daemon startup_param:file { map open read }; +allow storage_daemon storage_daemon:capability { chown dac_override dac_read_search fowner fsetid net_admin sys_admin }; +allow storage_daemon storage_daemon_exec:file { entrypoint execute map read }; +allow storage_daemon storage_daemon:netlink_kobject_uevent_socket { bind create read setopt }; +allow storage_daemon sys_file:dir { open read }; +allow storage_daemon sys_file:file { open write }; +allow storage_daemon sysfs_block_file:dir { open read }; +allow storage_daemon sysfs_block_file:file { open write }; +allow storage_daemon sysfs_block_loop:dir { open read }; +allow storage_daemon sysfs_block_loop:file { open write }; +allow storage_daemon sysfs_block_zram:dir { open read }; +allow storage_daemon sysfs_block_zram:file { open write }; +allow storage_daemon sys_fs_hmdfs:file { setattr }; +allow storage_daemon sys_param:file { map open read }; +allow storage_daemon system_bin_file:dir { search }; +allow storage_daemon system_bin_file:file { execute execute_no_trans map read open }; +allow storage_daemon toybox_exec:file { execute execute_no_trans map read open }; +allow storage_daemon sys_usb_param:file { map open read }; +allow storage_daemon tmpfs:dir { add_name create mounton open read setattr write }; + diff --git a/prebuilts/api/5.0/base/te/storage_manager.te b/prebuilts/api/5.0/base/te/storage_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..9d3e85ccfdc1a1238764ad3456720b9301dd3d13 --- /dev/null +++ b/prebuilts/api/5.0/base/te/storage_manager.te @@ -0,0 +1,63 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_manager bootevent_param:file { map open read }; +allow storage_manager bootevent_samgr_param:file { map open read }; +allow storage_manager build_version_param:file { map open read }; +allow storage_manager const_allow_mock_param:file { map open read }; +allow storage_manager const_allow_param:file { map open read }; +allow storage_manager const_build_param:file { map open read }; +allow storage_manager const_display_brightness_param:file { map open read }; +allow storage_manager const_param:file { map open read }; +allow storage_manager const_postinstall_fstab_param:file { map open read }; +allow storage_manager const_postinstall_param:file { map open read }; +allow storage_manager const_product_param:file { map open read }; +allow storage_manager debug_param:file { map open read }; +allow storage_manager default_param:file { map open read }; +allow storage_manager dev_unix_socket:dir { search }; +allow storage_manager distributedsche_param:file { map open read }; +allow storage_manager foundation:binder { call transfer }; +allow storage_manager hilog_param:file { map open read }; +allow storage_manager hw_sc_build_os_param:file { map open read }; +allow storage_manager hw_sc_build_param:file { map open read }; +allow storage_manager hw_sc_param:file { map open read }; +allow storage_manager init_param:file { map open read }; +allow storage_manager init_svc_param:file { map open read }; +allow storage_manager input_pointer_device_param:file { map open read }; +allow storage_manager net_param:file { map open read }; +allow storage_manager net_tcp_param:file { map open read }; +allow storage_manager normal_hap_attr:binder { call }; +allow storage_manager ohos_boot_param:file { map open read }; +allow storage_manager ohos_param:file { map open read }; +allow storage_manager param_watcher:binder { call transfer }; +allow storage_manager persist_param:file { map open read }; +allow storage_manager persist_sys_param:file { map open read }; +allow storage_manager sa_foundation_abilityms:samgr_class { get }; +allow storage_manager sa_foundation_cesfwk_service:samgr_class { get }; +allow storage_manager sa_param_watcher:samgr_class { get }; +allow storage_manager sa_storage_manager_daemon:samgr_class { get }; +allow storage_manager sa_storage_manager_service:samgr_class { add get }; +allow storage_manager security_param:file { map open read }; +allow storage_manager startup_param:file { map open read }; +allow storage_manager storage_daemon:binder { call }; +allow storage_manager sys_file:file { open read }; +allow storage_manager sysfs_rtc:dir { open read }; +allow storage_manager sys_param:file { map open read }; +allow storage_manager system_bin_file:dir { search }; +allow storage_manager system_usr_file:dir { search }; +allow storage_manager system_usr_file:file { getattr map open read }; +allow storage_manager sys_usb_param:file { map open read }; +allow storage_manager tracefs:dir { search }; +allow storage_manager tracefs_trace_marker_file:file { open write }; +allow storage_manager sa_accountmgr:samgr_class { get }; +allow storage_manager accountmgr:binder { call }; diff --git a/prebuilts/api/5.0/base/te/system_basic_hap.te b/prebuilts/api/5.0/base/te/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..be71877ee5064b1c1dec7702630ab88db4377cb7 --- /dev/null +++ b/prebuilts/api/5.0/base/te/system_basic_hap.te @@ -0,0 +1,140 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr appspawn_exec:file { getattr map open read }; +allow system_basic_hap_attr bluetooth_service:binder { call transfer }; +allow system_basic_hap_attr bootanimation:fd { use }; +allow system_basic_hap_attr bootevent_param:file { map open read }; +allow system_basic_hap_attr bootevent_samgr_param:file { map open read }; +allow system_basic_hap_attr build_version_param:file { map open read }; +allow system_basic_hap_attr const_allow_mock_param:file { map open read }; +allow system_basic_hap_attr const_allow_param:file { map open read }; +allow system_basic_hap_attr const_build_param:file { map open read }; +allow system_basic_hap_attr const_display_brightness_param:file { map open read }; +allow system_basic_hap_attr const_postinstall_fstab_param:file { map open }; +allow system_basic_hap_attr const_product_param:file { map open read }; +allow system_basic_hap_attr data_service_el1_file:file { getattr read }; +allow system_basic_hap_attr data_service_el2_file:dir { search }; +allow system_basic_hap_attr data_service_el2_hmdfs:dir { search }; +allow system_basic_hap_attr data_service_el3_file:dir { search }; +allow system_basic_hap_attr data_service_el4_file:dir { search }; +allow system_basic_hap_attr data_service_el5_file:dir { search }; +allow system_basic_hap_attr data_service_file:dir { search }; +allow system_basic_hap_attr debug_param:file { map open read }; +allow system_basic_hap_attr default_param:file { map open read }; +allow system_basic_hap_attr dev_ashmem_file:chr_file { open }; +allow system_basic_hap_attr deviceinfoservice:binder { call }; +allow system_basic_hap_attr dev_mali:chr_file { getattr ioctl map open read write }; +allow system_basic_hap_attr dev_unix_socket:dir { search }; +allow system_basic_hap_attr dev_unix_socket:sock_file { write }; +allow system_basic_hap_attr allocator_host:fd { use }; +allow system_basic_hap_attr distributedsche_param:file { map open read }; +allow system_basic_hap_attr download_server:binder { call transfer }; +allow system_basic_hap_attr faultloggerd_temp_file:file { read }; +allow system_basic_hap_attr hilog_param:file { map open read }; +allow system_basic_hap_attr hiview:unix_dgram_socket { sendto }; +allow system_basic_hap_attr hmdfs:dir { search }; +allow system_basic_hap_attr huks_service:binder { call }; +allow system_basic_hap_attr hw_sc_build_os_param:file { map open }; +allow system_basic_hap_attr hw_sc_build_param:file { map open }; +allow system_basic_hap_attr hw_sc_param:file { map open }; +allow system_basic_hap_attr init_param:file { map open }; +allow system_basic_hap_attr input_pointer_device_param:file { map open read }; +allow system_basic_hap_attr kernel:unix_stream_socket { connectto }; +allow system_basic_hap_attr locationhub:binder { call transfer }; +allow system_basic_hap_attr media_service:binder { call transfer }; +allow system_basic_hap_attr multimodalinput:unix_stream_socket { read write }; +allow system_basic_hap_attr netmanager:binder { call transfer }; +allow system_basic_hap_attr netsysnative:unix_stream_socket { connectto }; +allow system_basic_hap_attr net_tcp_param:file { map open read }; +allow system_basic_hap_attr node:udp_socket { node_bind }; +allow system_basic_hap_attr paramservice_socket:sock_file { write }; +allow system_basic_hap_attr persist_param:file { map open read }; +allow system_basic_hap_attr persist_param:parameter_service { set }; +allow system_basic_hap_attr persist_sys_param:file { map open read }; +allow system_basic_hap_attr pinauth:binder { call transfer }; +allow system_basic_hap_attr port:tcp_socket { name_connect }; +allow system_basic_hap_attr port:udp_socket { name_bind }; +allow system_basic_hap_attr proc_boot_id:file { open read }; +allow system_basic_hap_attr proc_cpuinfo_file:file { open read }; +allow system_basic_hap_attr proc_file:file { open read }; +allow system_basic_hap_attr render_service:unix_stream_socket { read read write write }; +allow system_basic_hap_attr resource_schedule_service:binder { call }; +allow system_basic_hap_attr sa_accessibleabilityms:samgr_class { get }; +allow system_basic_hap_attr sa_accesstoken_manager_service:samgr_class { get }; +allow system_basic_hap_attr sa_bluetooth_server:samgr_class { get }; +allow system_basic_hap_attr sa_dataobs_mgr_service_service:samgr_class { get }; +allow system_basic_hap_attr sa_form_mgr_service:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_abilityms:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_ans:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_appms:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_bms:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_cesfwk_service:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_devicemanager_service:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_dms:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_wms:samgr_class { get }; +allow system_basic_hap_attr sa_huks_service:samgr_class { get }; +allow system_basic_hap_attr sa_inputmethod_service:samgr_class { get }; +allow system_basic_hap_attr sa_location_locator_service:samgr_class { get }; +allow system_basic_hap_attr sa_media_service:samgr_class { get }; +allow system_basic_hap_attr sa_multimodalinput_service:samgr_class { get }; +allow system_basic_hap_attr sa_param_watcher:samgr_class { get }; +allow system_basic_hap_attr sa_render_service:samgr_class { get }; +allow system_basic_hap_attr sa_resource_schedule:samgr_class { get }; +allow system_basic_hap_attr sa_screenlock_service:samgr_class { get }; +allow system_basic_hap_attr sa_subsys_ace_service:samgr_class { get }; +allow system_basic_hap_attr sa_sysparam_device_service:samgr_class { get }; +allow system_basic_hap_attr sa_time_service:samgr_class { get }; +allow system_basic_hap_attr sa_update_distributed_service:samgr_class { get }; +allow system_basic_hap_attr sa_uri_permission_mgr_service:samgr_class { get }; +allow system_basic_hap_attr sa_wallpaper_manager_service:samgr_class { get }; +allow system_basic_hap_attr screenlock_server:binder { call transfer }; +allow system_basic_hap_attr security_param:file { map open read }; +allow system_basic_hap_attr softbus_server:binder { call transfer }; +allow system_basic_hap_attr startup_param:file { map open read }; +allow system_basic_hap_attr sys_file:dir { open read }; +allow system_basic_hap_attr sys_file:file { open read }; +allow system_basic_hap_attr sysfs_devices_system_cpu:file { open read }; +allow system_basic_hap_attr sysfs_hctosys:file { open read }; +allow system_basic_hap_attr sysfs_rtc:dir { open read }; +allow system_basic_hap_attr system_basic_hap_attr:binder { call transfer }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:dir { add_name create getattr open read remove_name search write }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { create getattr ioctl lock map read write open setattr unlink }; +allow system_basic_hap_attr system_basic_hap_attr:tcp_socket { connect getattr getopt shutdown }; +allow system_basic_hap_attr system_basic_hap_attr:udp_socket { bind create connect getattr getopt write }; +allow system_basic_hap_attr system_basic_hap_attr:unix_dgram_socket { getopt setopt }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { append rename }; +allow system_basic_hap_attr system_core_hap_attr:fd { use }; +allow system_basic_hap_attr system_fonts_file:dir { search }; +allow system_basic_hap_attr system_fonts_file:file { getattr map open read }; +allow system_basic_hap_attr system_lib_file:dir { open read }; +allow system_basic_hap_attr system_usr_file:dir { search }; +allow system_basic_hap_attr time_service:binder { call transfer }; +allow system_basic_hap_attr tmpfs:dir { add_name create write }; +allow system_basic_hap_attr tracefs:dir { search }; +allow system_basic_hap_attr tracefs_trace_marker_file:file { open write }; +allow system_basic_hap_attr ui_service:binder { call transfer }; +allow system_basic_hap_attr ui_service:fd { use }; +allow system_basic_hap_attr updater_sa:binder { call transfer }; +allow system_basic_hap_attr useriam:binder { call transfer }; +allow system_basic_hap_attr wallpaper_service:binder { call transfer }; +allow system_basic_hap_attr wallpaper_service:fd { use }; +allowxperm system_basic_hap_attr dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x800e 0x8011 0x8014 0x8016 0x8018 0x8019 0x801d 0x801e 0x8024 0x8025 0x8026 0x8027 0x802a 0x802c 0x802d 0x802f 0x8030 0x8033 0x8034 0x8036 }; +allow system_basic_hap_attr allocator_host:fd { use }; +allowxperm system_basic_hap_attr system_basic_hap_data_file_attr:file ioctl { 0x5413 0xf50c }; +binder_call(system_basic_hap_attr normal_hap_attr); +allow system_basic_hap_attr sa_locationhub_lbsservice_gnss:samgr_class { get }; +allow system_basic_hap_attr sa_locationhub_lbsservice_network:samgr_class { get }; +allow system_basic_hap_attr sa_locationhub_lbsservice_passive:samgr_class { get }; +allow system_basic_hap_attr sa_location_geo_convert_service:samgr_class { get }; +allow system_basic_hap_attr sa_hiview_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/base/te/system_core_hap.te b/prebuilts/api/5.0/base/te/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..28bf948683e898d8ed8563a5c89057302db9cedd --- /dev/null +++ b/prebuilts/api/5.0/base/te/system_core_hap.te @@ -0,0 +1,124 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr appspawn_exec:file { getattr map open read }; +allow system_core_hap_attr bootevent_param:file { map open read }; +allow system_core_hap_attr bootevent_samgr_param:file { map open read }; +allow system_core_hap_attr build_version_param:file { map open read }; +allow system_core_hap_attr camera_service:binder { call transfer }; +allow system_core_hap_attr drm_service:binder { call transfer }; +allow system_core_hap_attr const_allow_mock_param:file { map open read }; +allow system_core_hap_attr const_allow_param:file { map open read }; +allow system_core_hap_attr const_build_param:file { map open read }; +allow system_core_hap_attr const_display_brightness_param:file { map open read }; +allow system_core_hap_attr const_param:file { map open read }; +allow system_core_hap_attr const_postinstall_fstab_param:file { map open read }; +allow system_core_hap_attr const_postinstall_param:file { map open read }; +allow system_core_hap_attr const_product_param:file { map open read }; +allow system_core_hap_attr data_service_el2_hmdfs:file { write }; +allow system_core_hap_attr data_user_file:file { write }; +allow system_core_hap_attr debug_param:file { map open read }; +allow system_core_hap_attr default_param:file { map open read }; +allow system_core_hap_attr dev_ashmem_file:chr_file { open }; +allow system_core_hap_attr dev_dri_file:chr_file { getattr ioctl open read write }; +allow system_core_hap_attr dev_dri_file:dir { search }; +allow system_core_hap_attr deviceinfoservice:binder { call }; +allow system_core_hap_attr dev_mali:chr_file { getattr ioctl map open read write }; +allow system_core_hap_attr dev_unix_socket:dir { search }; +allow system_core_hap_attr allocator_host:binder { call }; +allow system_core_hap_attr allocator_host:fd { use }; +allow system_core_hap_attr distributeddata:binder { call transfer }; +allow system_core_hap_attr faultloggerd:fd { use }; +allow system_core_hap_attr faultloggerd_socket:sock_file { write }; +allow system_core_hap_attr faultloggerd:unix_stream_socket { connectto }; +allow system_core_hap_attr hdf_allocator_service:hdf_devmgr_class { get }; +allow system_core_hap_attr hilog_param:file { map open read }; +allow system_core_hap_attr hiview:unix_dgram_socket { sendto }; +allow system_core_hap_attr hmdfs:file { read write }; +allow system_core_hap_attr huks_service:binder { call }; +allow system_core_hap_attr hw_sc_build_os_param:file { map open read }; +allow system_core_hap_attr hw_sc_build_param:file { map open read }; +allow system_core_hap_attr hw_sc_param:file { map open read }; +allow system_core_hap_attr init_param:file { map open read }; +allow system_core_hap_attr init_svc_param:file { map open read }; +allow system_core_hap_attr input_pointer_device_param:file { map open read }; +allow system_core_hap_attr locationhub:binder { call }; +allow system_core_hap_attr media_service:binder { call transfer }; +allow system_core_hap_attr multimodalinput:unix_stream_socket { write }; +allow system_core_hap_attr net_param:file { map open read }; +allow system_core_hap_attr net_tcp_param:file { map open read }; +allow system_core_hap_attr node:udp_socket { node_bind }; +allow system_core_hap_attr normal_hap_attr:binder { call }; +allow system_core_hap_attr normal_hap_attr:fd { use }; +allow system_core_hap_attr ohos_boot_param:file { map open read }; +allow system_core_hap_attr ohos_param:file { map open read }; +allow system_core_hap_attr persist_param:file { map open read }; +allow system_core_hap_attr persist_sys_param:file { map open read }; +allow system_core_hap_attr port:udp_socket { name_bind }; +allow system_core_hap_attr powermgr:binder { call }; +allow system_core_hap_attr proc_boot_id:file { open read }; +allow system_core_hap_attr proc_cpuinfo_file:file { open read }; +allow system_core_hap_attr proc_file:file { open read }; +allow system_core_hap_attr render_service:unix_stream_socket { read read write write }; +allow system_core_hap_attr resource_schedule_service:binder { call }; +allow system_core_hap_attr sa_accessibleabilityms:samgr_class { get }; +allow system_core_hap_attr sa_accesstoken_manager_service:samgr_class { get }; +allow system_core_hap_attr sa_camera_service:samgr_class { get }; +allow system_core_hap_attr sa_drm_service:samgr_class { get }; +allow system_core_hap_attr sa_device_service_manager:samgr_class { get }; +allow system_core_hap_attr sa_distributeddata_service:samgr_class { get }; +allow system_core_hap_attr sa_foundation_abilityms:samgr_class { get }; +allow system_core_hap_attr sa_foundation_appms:samgr_class { get }; +allow system_core_hap_attr sa_foundation_bms:samgr_class { get }; +allow system_core_hap_attr sa_foundation_cesfwk_service:samgr_class { get }; +allow system_core_hap_attr sa_powermgr_displaymgr_service:samgr_class { get }; +allow system_core_hap_attr sa_foundation_dms:samgr_class { get }; +allow system_core_hap_attr sa_powermgr_powermgr_service:samgr_class { get }; +allow system_core_hap_attr sa_foundation_wms:samgr_class { get }; +allow system_core_hap_attr sa_huks_service:samgr_class { get }; +allow system_core_hap_attr sa_location_locator_service:samgr_class { get }; +allow system_core_hap_attr sa_media_service:samgr_class { get }; +allow system_core_hap_attr sa_multimodalinput_service:samgr_class { get }; +allow system_core_hap_attr sa_net_conn_manager:samgr_class { get }; +allow system_core_hap_attr sa_param_watcher:samgr_class { get }; +allow system_core_hap_attr sa_render_service:samgr_class { get }; +allow system_core_hap_attr sa_resource_schedule:samgr_class { get }; +allow system_core_hap_attr sa_sysparam_device_service:samgr_class { get }; +allow system_core_hap_attr sa_uri_permission_mgr_service:samgr_class { get }; +allow system_core_hap_attr security_param:file { map open read }; +allow system_core_hap_attr startup_param:file { map open read }; +allow system_core_hap_attr storage_manager:binder { call }; +allow system_core_hap_attr sys_file:dir { open read }; +allow system_core_hap_attr sys_file:file { open read }; +allow system_core_hap_attr sysfs_devices_system_cpu:file { open read }; +allow system_core_hap_attr sys_param:file { map open read }; +allow system_core_hap_attr system_basic_hap_attr:fd { use }; +allow system_core_hap_attr system_bin_file:dir { search }; +allow system_core_hap_attr system_bin_file:file { execute execute_no_trans map read open }; +allow system_core_hap_attr toybox_exec:file { execute execute_no_trans map read open }; +allow system_core_hap_attr system_core_hap_data_file_attr:dir { add_name create getattr open read remove_name search write }; +allow system_core_hap_attr system_core_hap_data_file_attr:file { create getattr setattr ioctl lock map read write open unlink }; +allow system_core_hap_attr system_core_hap_attr:process { ptrace }; +allow system_core_hap_attr system_core_hap_attr:udp_socket { bind create getattr getopt write }; +allow system_core_hap_attr system_core_hap_attr:unix_dgram_socket { getopt setopt }; +allow system_core_hap_attr system_fonts_file:dir { search }; +allow system_core_hap_attr system_fonts_file:file { getattr map open read }; +allow system_core_hap_attr system_lib_file:dir { open read }; +allow system_core_hap_attr system_usr_file:dir { search }; +allow system_core_hap_attr sys_usb_param:file { map open read }; +allow system_core_hap_attr tracefs:dir { search }; +allow system_core_hap_attr tracefs_trace_marker_file:file { open write }; +allowxperm system_core_hap_attr dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm system_core_hap_attr dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800f 0x800e 0x8011 0x8014 0x8016 0x8018 0x8019 0x801d 0x801e 0x8024 0x8025 0x8026 0x8027 0x802a 0x802c 0x802d 0x802f 0x8030 0x8033 0x8034 0x8036 }; +allowxperm system_core_hap_attr system_core_hap_data_file_attr:file ioctl { 0x5413 0xf50c }; +allow system_core_hap_attr sa_hiview_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/base/te/telephony_sa.te b/prebuilts/api/5.0/base/te/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..bf37dc553c9b041ddeb7b4024578f2652a8fb162 --- /dev/null +++ b/prebuilts/api/5.0/base/te/telephony_sa.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow telephony_sa accesstoken_service:binder { call }; +allow telephony_sa bootevent_param:file { map open read }; +allow telephony_sa bootevent_samgr_param:file { map open read }; +allow telephony_sa build_version_param:file { map open read }; +allow telephony_sa const_allow_mock_param:file { map open read }; +allow telephony_sa const_allow_param:file { map open read }; +allow telephony_sa const_build_param:file { map open read }; +allow telephony_sa const_display_brightness_param:file { map open read }; +allow telephony_sa const_param:file { map open read }; +allow telephony_sa const_postinstall_fstab_param:file { map open read }; +allow telephony_sa const_postinstall_param:file { map open read }; +allow telephony_sa const_product_param:file { map open read }; +allow telephony_sa debug_param:file { map open read }; +allow telephony_sa default_param:file { map open read }; +allow telephony_sa dev_unix_socket:dir { search }; +allow telephony_sa distributedsche_param:file { map open read }; +allow telephony_sa foundation:binder { call }; +allow telephony_sa hdf_devmgr:binder { call transfer }; +allow telephony_sa hilog_param:file { map open read }; +allow telephony_sa hw_sc_build_os_param:file { map open read }; +allow telephony_sa hw_sc_build_param:file { map open read }; +allow telephony_sa hw_sc_param:file { map open read }; +allow telephony_sa init_param:file { map open read }; +allow telephony_sa init_svc_param:file { map open read }; +allow telephony_sa input_pointer_device_param:file { map open read }; +allow telephony_sa net_param:file { map open read }; +allow telephony_sa net_tcp_param:file { map open read }; +allow telephony_sa ohos_boot_param:file { map open read }; +allow telephony_sa ohos_param:file { map open read }; +allow telephony_sa param_watcher:binder { call transfer }; +allow telephony_sa persist_param:file { map open read }; +allow telephony_sa persist_sys_param:file { map open read }; +allow telephony_sa powermgr:binder { call }; +allow telephony_sa security_param:file { map open read }; +allow telephony_sa startup_param:file { map open read }; +allow telephony_sa sysfs_hctosys:file { open read }; +allow telephony_sa sysfs_rtc:dir { open read }; +allow telephony_sa sys_param:file { map open read }; +allow telephony_sa system_bin_file:dir { search }; +allow telephony_sa system_usr_file:dir { search }; +allow telephony_sa system_usr_file:file { getattr map open read }; +allow telephony_sa sys_usb_param:file { map open read }; +allow telephony_sa tracefs:dir { search }; +allow telephony_sa tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/time_service.te b/prebuilts/api/5.0/base/te/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2c732b2ffc48629944bf23498274d9af6911ab54 --- /dev/null +++ b/prebuilts/api/5.0/base/te/time_service.te @@ -0,0 +1,68 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow time_service bootevent_param:file { map open read }; +allow time_service bootevent_samgr_param:file { map open read }; +allow time_service build_version_param:file { map open read }; +allow time_service const_allow_mock_param:file { map open read }; +allow time_service const_allow_param:file { map open read }; +allow time_service const_build_param:file { map open read }; +allow time_service const_display_brightness_param:file { map open read }; +allow time_service const_param:file { map open read }; +allow time_service const_postinstall_fstab_param:file { map open read }; +allow time_service const_postinstall_param:file { map open read }; +allow time_service const_product_param:file { map open read }; +allow time_service data_file:dir { search }; +allow time_service data_misc:dir { getattr search }; +allow time_service data_service_el1_file:dir { add_name search write }; +allow time_service data_service_el1_file:file { create ioctl read write open }; +allow time_service data_service_file:dir { search }; +allow time_service debug_param:file { map open read }; +allow time_service default_param:file { map open read }; +allow time_service dev_file:sock_file { write }; +allow time_service distributedsche_param:file { map read read open }; +allow time_service hilog_param:file { map open read }; +allow time_service hiview:binder { call }; +allow time_service hw_sc_build_os_param:file { map open read }; +allow time_service hw_sc_build_param:file { map open read }; +allow time_service hw_sc_param:file { map open read }; +allow time_service init_param:file { map open read }; +allow time_service init_svc_param:file { map open read }; +allow time_service input_pointer_device_param:file { map open read }; +allow time_service netmanager:binder { call transfer }; +allow time_service net_param:file { map open read }; +allow time_service netsysnative:unix_stream_socket { connectto }; +allow time_service net_tcp_param:file { map open read }; +allow time_service ohos_boot_param:file { map open read }; +allow time_service ohos_param:file { map open read }; +allow time_service param_watcher:binder { call transfer }; +allow time_service persist_param:file { map open read }; +allow time_service persist_sys_param:file { map open read }; +allow time_service sa_foundation_bms:samgr_class { get }; +allow time_service sa_foundation_cesfwk_service:samgr_class { get }; +allow time_service sa_net_conn_manager:samgr_class { get }; +allow time_service sa_time_service:samgr_class { add }; +allow time_service security_param:file { map open read }; +allow time_service startup_param:file { map open read }; +allow time_service sys_file:file { open read }; +allow time_service sysfs_hctosys:file { open read }; +allow time_service sysfs_rtc:dir { open read }; +allow time_service sys_param:file { map open read }; +allow time_service system_bin_file:dir { search }; +allow time_service sys_usb_param:file { map open read }; +allow time_service time_service:unix_dgram_socket { getopt setopt }; +allow time_service tracefs:dir { search }; +allow time_service tracefs_trace_marker_file:file { open write }; +allow time_service domain:dir { getattr search }; +allow time_service domain:file { open read }; +allowxperm time_service data_service_el1_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/token_sync_service.te b/prebuilts/api/5.0/base/te/token_sync_service.te new file mode 100644 index 0000000000000000000000000000000000000000..326dd932696f21a97f209a5c724f74f933a9a18c --- /dev/null +++ b/prebuilts/api/5.0/base/te/token_sync_service.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow token_sync_service accesstoken_service:binder { call }; +allow token_sync_service bootevent_param:file { map open read }; +allow token_sync_service bootevent_samgr_param:file { map open read }; +allow token_sync_service build_version_param:file { map open read }; +allow token_sync_service const_allow_mock_param:file { map open read }; +allow token_sync_service const_allow_param:file { map open read }; +allow token_sync_service const_build_param:file { map open read }; +allow token_sync_service const_display_brightness_param:file { map open read }; +allow token_sync_service const_param:file { map open read }; +allow token_sync_service const_postinstall_fstab_param:file { map open read }; +allow token_sync_service const_postinstall_param:file { map open read }; +allow token_sync_service const_product_param:file { map open read }; +allow token_sync_service debug_param:file { map open read }; +allow token_sync_service default_param:file { map open read }; +allow token_sync_service distributedsche_param:file { map open read }; +allow token_sync_service hilog_param:file { map open read }; +allow token_sync_service hw_sc_build_os_param:file { map open read }; +allow token_sync_service hw_sc_build_param:file { map open read }; +allow token_sync_service hw_sc_param:file { map open read }; +allow token_sync_service init_param:file { map open read }; +allow token_sync_service init_svc_param:file { map open read }; +allow token_sync_service input_pointer_device_param:file { map open read }; +allow token_sync_service net_param:file { map open read }; +allow token_sync_service net_tcp_param:file { map open read }; +allow token_sync_service ohos_boot_param:file { map open read }; +allow token_sync_service ohos_param:file { map open read }; +allow token_sync_service param_watcher:binder { call transfer }; +allow token_sync_service persist_param:file { map open read }; +allow token_sync_service persist_sys_param:file { map open read }; +allow token_sync_service sa_accesstoken_manager_service:samgr_class { get }; +allow token_sync_service sa_param_watcher:samgr_class { get }; +allow token_sync_service security_param:file { map open read }; +allow token_sync_service softbus_server:tcp_socket { read read write setopt shutdown }; +allow token_sync_service startup_param:file { map open read }; +allow token_sync_service sys_param:file { map open read }; +allow token_sync_service sys_usb_param:file { map open read }; +allow token_sync_service token_sync_service:unix_dgram_socket { getopt setopt }; +allow token_sync_service tracefs:dir { search }; +allow token_sync_service tracefs_trace_marker_file:file { open write }; diff --git a/prebuilts/api/5.0/base/te/udevadm.te b/prebuilts/api/5.0/base/te/udevadm.te new file mode 100644 index 0000000000000000000000000000000000000000..c4d064c90013f0cbe304f0b24559051c8e633363 --- /dev/null +++ b/prebuilts/api/5.0/base/te/udevadm.te @@ -0,0 +1,60 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevadm bootevent_param:file { map open read }; +allow udevadm bootevent_samgr_param:file { map open read }; +allow udevadm build_version_param:file { map open read }; +allow udevadm const_allow_mock_param:file { map open read }; +allow udevadm const_allow_param:file { map open read }; +allow udevadm const_build_param:file { map open read }; +allow udevadm const_display_brightness_param:file { map open read }; +allow udevadm const_param:file { map open read }; +allow udevadm const_postinstall_fstab_param:file { map open read }; +allow udevadm const_postinstall_param:file { map open read }; +allow udevadm const_product_param:file { map open read }; +allow udevadm debug_param:file { map open read }; +allow udevadm default_param:file { map open read }; +allow udevadm dev_unix_socket:dir { search }; +allow udevadm distributedsche_param:file { map open read }; +allow udevadm hilog_param:file { map open read }; +allow udevadm hw_sc_build_os_param:file { map open read }; +allow udevadm hw_sc_build_param:file { map open read }; +allow udevadm hw_sc_param:file { map open read }; +allow udevadm init_param:file { map open read }; +allow udevadm init_svc_param:file { map open read }; +allow udevadm input_pointer_device_param:file { map open read }; +allow udevadm net_param:file { map open read }; +allow udevadm net_tcp_param:file { map open read }; +allow udevadm ohos_boot_param:file { map open read }; +allow udevadm ohos_param:file { map open read }; +allow udevadm persist_param:file { map open read }; +allow udevadm persist_sys_param:file { map open read }; +allow udevadm security_param:file { map open read }; +allow udevadm startup_param:file { map open read }; +allow udevadm sys_file:dir { open read }; +allow udevadm sys_file:file { getattr open write }; +allow udevadm sysfs_gadget_usb:dir { open read }; +allow udevadm sysfs_block_file:file { getattr open write }; +allow udevadm sysfs_block_loop:file { getattr open write }; +allow udevadm sysfs_block_zram:file { getattr open write }; +allow udevadm sysfs_devices_system_cpu:file { getattr open write }; +allow udevadm sysfs_extcon:dir { open read }; +allow udevadm sysfs_leds:dir { open read }; +allow udevadm sysfs_net:dir { open read }; +allow udevadm sysfs_net:file { getattr open write }; +allow udevadm sysfs_rtc:dir { open read }; +allow udevadm sysfs_wakeup:dir { open read }; +allow udevadm sysfs_wakeup:file { getattr open write }; +allow udevadm sys_param:file { map open read }; +allow udevadm system_bin_file:dir { search }; +allow udevadm sys_usb_param:file { map open read }; diff --git a/prebuilts/api/5.0/base/te/udevd.te b/prebuilts/api/5.0/base/te/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..bea653cd3c0f343b361045fdd2e5e4b3734683bc --- /dev/null +++ b/prebuilts/api/5.0/base/te/udevd.te @@ -0,0 +1,126 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevd bootevent_param:file { map open read }; +allow udevd bootevent_samgr_param:file { map open read }; +allow udevd build_version_param:file { map open read }; +allow udevd const_allow_mock_param:file { map open read }; +allow udevd const_allow_param:file { map open read }; +allow udevd const_build_param:file { map open read }; +allow udevd const_display_brightness_param:file { map open read }; +allow udevd const_param:file { map open read }; +allow udevd const_postinstall_fstab_param:file { map open read }; +allow udevd const_postinstall_param:file { map open read }; +allow udevd const_product_param:file { map open read }; +allow udevd data_file:dir { add_name create read remove_name watch write }; +allow udevd data_file:file { ioctl read }; +allow udevd data_file:sock_file { create unlink }; +allow udevd data_udev:dir { add_name create getattr open read remove_name search watch write }; +allow udevd data_udev:file { create ioctl open read rename unlink write write open }; +allow udevd data_udev:sock_file { create unlink }; +allow udevd debug_param:file { map open read }; +allow udevd default_param:file { map open read }; +allow udevd dev_at_file:chr_file { getattr }; +allow udevd dev_bbox:chr_file { getattr write }; +allow udevd dev_binder_file:chr_file { getattr }; +allow udevd dev_bus:dir { search }; +allow udevd dev_bus_usb_file:chr_file { getattr write }; +allow udevd dev_bus_usb_file:dir { search }; +allow udevd dev_char_file:dir { add_name getattr search write }; +allow udevd dev_char_file:lnk_file { create getattr read write }; +allow udevd dev_console_file:chr_file { getattr write }; +allow udevd dev_cpu_dma_latency_file:chr_file { getattr write }; +allow udevd dev_dev_cec0:chr_file { getattr write }; +allow udevd dev_dma_heap_file:chr_file { getattr write }; +allow udevd dev_dma_heap_file:dir { search }; +allow udevd dev_dri_file:dir { create getattr }; +allow udevd dev_dri_file:lnk_file { create getattr read write }; +#allow udevd dev_file:chr_file { getattr setattr write }; +allow udevd dev_file:dir { getattr remove_name }; +allow udevd dev_file:lnk_file { getattr read unlink write }; +allow udevd dev_full:chr_file { getattr write }; +allow udevd dev_fuse_file:chr_file { getattr setattr write }; +allow udevd dev_gpiochip:chr_file { getattr write }; +allow udevd dev_hdmi_hdcp1x:chr_file { getattr write }; +allow udevd dev_xpm:chr_file { getattr write }; +allow udevd dev_hwbinder_file:chr_file { getattr write }; +allow udevd dev_hwrng:chr_file { getattr write }; +allow udevd dev_i2c:chr_file { getattr write }; +allow udevd dev_iio_file:chr_file { getattr write }; +allow udevd dev_input_file:chr_file { getattr ioctl open read setattr write }; +allow udevd dev_input_file:dir { add_name create getattr search write }; +allow udevd dev_input_file:lnk_file { create }; +allow udevd dev_kmsg_file:chr_file { getattr ioctl open write }; +allow udevd dev_loop_control_file:chr_file { getattr write }; +allow udevd dev_mali:chr_file { getattr write }; +allow udevd dev_media_file:chr_file { getattr write }; +allow udevd dev_mem:chr_file { getattr write }; +allow udevd dev_mpp:chr_file { getattr write }; +allow udevd dev_ptp:chr_file { getattr setattr write }; +allow udevd dev_rfkill:chr_file { getattr write }; +allow udevd dev_rga:chr_file { getattr write }; +allow udevd dev_rpmb_file:chr_file { getattr write }; +allow udevd dev_rtc_file:chr_file { getattr write }; +allow udevd dev_sched_rtg_ctrl:chr_file { getattr write }; +allow udevd dev_snapshot:chr_file { getattr write }; +allow udevd dev_sw_sync:chr_file { getattr write }; +allow udevd dev_tee_file:chr_file { getattr write }; +allow udevd dev_ubi_file:chr_file { getattr write }; +allow udevd dev_uhid_file:chr_file { getattr write }; +allow udevd dev_tun_file:chr_file { getattr write }; +allow udevd dev_uinput:chr_file { getattr write }; +allow udevd dev_unix_socket:dir { search }; +allow udevd dev_vcs_file:chr_file { getattr write }; +allow udevd dev_v_file:chr_file { getattr write }; +allow udevd dev_v_file:dir { add_name create getattr search write }; +allow udevd dev_v_file:lnk_file { create }; +allow udevd dev_vhci_file:chr_file { getattr write }; +allow udevd dev_video_file:chr_file { getattr write }; +allow udevd dev_vndbinder_file:chr_file { getattr write }; +allow udevd dev_watchdog_file:chr_file { getattr write }; +allow udevd distributedsche_param:file { map open read }; +allow udevd hilog_param:file { map open read }; +allow udevd hw_sc_build_os_param:file { map open read }; +allow udevd hw_sc_build_param:file { map open read }; +allow udevd hw_sc_param:file { map open read }; +allow udevd init_param:file { map open read }; +allow udevd init_svc_param:file { map open read }; +allow udevd input_pointer_device_param:file { map open read }; +allow udevd net_param:file { map open read }; +allow udevd net_tcp_param:file { map open read }; +allow udevd ohos_boot_param:file { map open read }; +allow udevd ohos_param:file { map open read }; +allow udevd persist_param:file { map open read }; +allow udevd persist_sys_param:file { map open read }; +allow udevd proc_cmdline_file:file { open read }; +allow udevd security_param:file { map open read }; +allow udevd startup_param:file { map open read }; +allow udevd sysfs_gadget_usb:file { open read getattr }; +allow udevd sysfs_block_file:file { open read }; +allow udevd sysfs_block_loop:file { open read }; +allow udevd sysfs_block_zram:file { open read }; +allow udevd sysfs_devices_system_cpu:file { getattr open read }; +allow udevd sysfs_hctosys:file { getattr open read }; +allow udevd sysfs_net:file { getattr open read }; +allow udevd sysfs_wakeup:file { getattr open read }; +allow udevd sys_param:file { map open read }; +allow udevd system_etc_file:dir { watch }; +allow udevd sys_usb_param:file { map open read }; +allow udevd tty_device:chr_file { getattr }; +allow udevd udevd:capability { net_admin }; +allow udevd udevd_socket:sock_file { unlink }; +allow udevd udevd:unix_dgram_socket { setopt }; +allowxperm udevd data_file:file ioctl { 0x5413 }; +allowxperm udevd data_udev:file ioctl { 0x5413 }; +allowxperm udevd dev_input_file:chr_file ioctl { 0x4540 0x4541 }; +allowxperm udevd dev_kmsg_file:chr_file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/ui_service.te b/prebuilts/api/5.0/base/te/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c09ca41ffa9b43e072765bd19a2e1c469111db32 --- /dev/null +++ b/prebuilts/api/5.0/base/te/ui_service.te @@ -0,0 +1,84 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ui_service accessibility:binder { call transfer }; +allow ui_service bootevent_param:file { map open read }; +allow ui_service bootevent_samgr_param:file { map open read }; +allow ui_service build_version_param:file { map open read }; +allow ui_service const_allow_mock_param:file { map open read }; +allow ui_service const_allow_param:file { map open read }; +allow ui_service const_build_param:file { map open read }; +allow ui_service const_display_brightness_param:file { map open read }; +allow ui_service const_param:file { map open read }; +allow ui_service const_postinstall_fstab_param:file { map open read }; +allow ui_service const_postinstall_param:file { map open read }; +allow ui_service const_product_param:file { map open read }; +allow ui_service data_file:dir { search }; +allow ui_service data_storage:dir { search }; +allow ui_service debug_param:file { map open read }; +allow ui_service default_param:file { map open read }; +allow ui_service dev_kmsg_file:chr_file { open write }; +allow ui_service dev_mali:chr_file { getattr ioctl map open read write }; +allow ui_service dev_unix_socket:dir { search }; +allow ui_service allocator_host:fd { use }; +allow ui_service distributedsche_param:file { map read read open }; +allow ui_service foundation:binder { call transfer }; +allow ui_service hilog_param:file { map open read }; +allow ui_service hw_sc_build_os_param:file { map open read }; +allow ui_service hw_sc_build_param:file { map open read }; +allow ui_service hw_sc_param:file { map open read }; +allow ui_service init_param:file { map open read }; +allow ui_service init_svc_param:file { map open read }; +allow ui_service inputmethod_service:binder { call transfer }; +allow ui_service input_pointer_device_param:file { map open read }; +allow ui_service multimodalinput:binder { call }; +allow ui_service multimodalinput:fd { use }; +allow ui_service multimodalinput:unix_stream_socket { read write }; +allow ui_service net_param:file { map open read }; +allow ui_service net_tcp_param:file { map open read }; +allow ui_service normal_hap_attr:fd { use }; +allow ui_service ohos_boot_param:file { map open read }; +allow ui_service ohos_param:file { map open read }; +allow ui_service param_watcher:binder { call transfer }; +allow ui_service persist_param:file { map open read }; +allow ui_service persist_sys_param:file { map open read }; +allow ui_service render_service:binder { call transfer }; +allow ui_service render_service:fd { use }; +allow ui_service render_service:unix_stream_socket { read read write }; +allow ui_service resource_schedule_service:binder { call }; +allow ui_service sa_accessibleabilityms:samgr_class { get }; +allow ui_service sa_foundation_dms:samgr_class { get }; +allow ui_service sa_foundation_wms:samgr_class { get }; +allow ui_service sa_inputmethod_service:samgr_class { get }; +allow ui_service sa_multimodalinput_service:samgr_class { get }; +allow ui_service sa_param_watcher:samgr_class { get }; +allow ui_service sa_render_service:samgr_class { get }; +allow ui_service sa_resource_schedule:samgr_class { get }; +allow ui_service sa_subsys_ace_service:samgr_class { add }; +allow ui_service security_param:file { map open read }; +allow ui_service startup_param:file { map open read }; +allow ui_service sysfs_devices_system_cpu:file { open read }; +allow ui_service sys_param:file { map open read }; +allow ui_service system_basic_hap_attr:binder { call }; +allow ui_service system_basic_hap_attr:fd { use }; +allow ui_service system_bin_file:dir { search }; +allow ui_service system_core_hap_attr:fd { use }; +allow ui_service system_fonts_file:dir { open read search }; +allow ui_service system_fonts_file:file { getattr map open read }; +allow ui_service system_usr_file:dir { search }; +allow ui_service system_usr_file:file { getattr map open read }; +allow ui_service sys_usb_param:file { map open read }; +allow ui_service tracefs:dir { search }; +allow ui_service tracefs_trace_marker_file:file { open write }; +allow ui_service ui_service:unix_dgram_socket { getopt setopt }; +allowxperm ui_service dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8026 }; diff --git a/prebuilts/api/5.0/base/te/updater_sa.te b/prebuilts/api/5.0/base/te/updater_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..1e198686a5038f9374b2415bcbd969319d9a2260 --- /dev/null +++ b/prebuilts/api/5.0/base/te/updater_sa.te @@ -0,0 +1,63 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow updater_sa accesstoken_service:binder { call }; +allow updater_sa bootevent_param:file { map open read }; +allow updater_sa bootevent_samgr_param:file { map open read }; +allow updater_sa build_version_param:file { map open read }; +allow updater_sa const_allow_mock_param:file { map open read }; +allow updater_sa const_allow_param:file { map open read }; +allow updater_sa const_build_param:file { map open read }; +allow updater_sa const_display_brightness_param:file { map open read }; +allow updater_sa const_param:file { map open read }; +allow updater_sa const_postinstall_fstab_param:file { map open read }; +allow updater_sa const_postinstall_param:file { map open read }; +allow updater_sa const_product_param:file { map open read }; +allow updater_sa debug_param:file { map open read }; +allow updater_sa default_param:file { map open read }; +allow updater_sa dev_block_volfile:dir { search }; +allow updater_sa dev_unix_socket:dir { search }; +allow updater_sa distributedsche_param:file { map open read }; +allow updater_sa hilog_param:file { map open read }; +allow updater_sa hw_sc_build_os_param:file { map open read }; +allow updater_sa hw_sc_build_param:file { map open read }; +allow updater_sa hw_sc_param:file { map open read }; +allow updater_sa init_param:file { map open read }; +allow updater_sa init_svc_param:file { map open read }; +allow updater_sa input_pointer_device_param:file { map open read }; +allow updater_sa kernel:unix_stream_socket { connectto }; +allow updater_sa net_param:file { map open read }; +allow updater_sa net_tcp_param:file { map open read }; +allow updater_sa ohos_boot_param:file { map open read }; +allow updater_sa ohos_param:file { map open read }; +allow updater_sa ohos_param:parameter_service { set }; +allow updater_sa paramservice_socket:sock_file { write }; +allow updater_sa param_watcher:binder { call transfer }; +allow updater_sa persist_param:file { map open read }; +allow updater_sa persist_sys_param:file { map open read }; +allow updater_sa sa_accesstoken_manager_service:samgr_class { get }; +allow updater_sa sa_param_watcher:samgr_class { get }; +allow updater_sa sa_update_distributed_service:samgr_class { add }; +allow updater_sa security_param:file { map open read }; +allow updater_sa startup_param:file { map open read }; +allow updater_sa startup_param:parameter_service { set }; +allow updater_sa sys_param:file { map open read }; +allow updater_sa system_bin_file:dir { search }; +allow updater_sa sys_usb_param:file { map open read }; +allow updater_sa tracefs:dir { search }; +allow updater_sa tracefs_trace_marker_file:file { open write }; + +allow updater_sa updater_block_file:blk_file { getattr ioctl open read write }; +allow updater_sa updater_block_file:dir { search }; +allow updater_sa updater_block_file:lnk_file { read }; +allowxperm updater_sa updater_block_file:blk_file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/wallpaper_service.te b/prebuilts/api/5.0/base/te/wallpaper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c22e940cfc2679f1e51809c9c76f6c821cdfb3fb --- /dev/null +++ b/prebuilts/api/5.0/base/te/wallpaper_service.te @@ -0,0 +1,63 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wallpaper_service accesstoken_service:binder { call }; +allow wallpaper_service bootevent_param:file { map open read }; +allow wallpaper_service bootevent_samgr_param:file { map open read }; +allow wallpaper_service build_version_param:file { map open read }; +allow wallpaper_service const_allow_mock_param:file { map open read }; +allow wallpaper_service const_allow_param:file { map open read }; +allow wallpaper_service const_build_param:file { map open read }; +allow wallpaper_service const_display_brightness_param:file { map open read }; +allow wallpaper_service const_param:file { map open read }; +allow wallpaper_service const_postinstall_fstab_param:file { map open read }; +allow wallpaper_service const_postinstall_param:file { map open read }; +allow wallpaper_service const_product_param:file { map open read }; +allow wallpaper_service data_file:dir { search }; +allow wallpaper_service data_service_el1_file:dir { add_name search write }; +allow wallpaper_service data_service_el1_file:file { create ioctl open read write open }; +allow wallpaper_service data_service_file:dir { search }; +allow wallpaper_service debug_param:file { map open read }; +allow wallpaper_service default_param:file { map open read }; +allow wallpaper_service dev_unix_socket:dir { search }; +allow wallpaper_service distributedsche_param:file { map open read }; +allow wallpaper_service foundation:binder { call transfer }; +allow wallpaper_service hilog_param:file { map open read }; +allow wallpaper_service hw_sc_build_os_param:file { map open read }; +allow wallpaper_service hw_sc_build_param:file { map open read }; +allow wallpaper_service hw_sc_param:file { map open read }; +allow wallpaper_service init_param:file { map open read }; +allow wallpaper_service init_svc_param:file { map open read }; +allow wallpaper_service input_pointer_device_param:file { map open read }; +allow wallpaper_service net_param:file { map open read }; +allow wallpaper_service net_tcp_param:file { map open read }; +allow wallpaper_service ohos_boot_param:file { map open read }; +allow wallpaper_service ohos_param:file { map open read }; +allow wallpaper_service param_watcher:binder { call transfer }; +allow wallpaper_service persist_param:file { map open read }; +allow wallpaper_service persist_sys_param:file { map open read }; +allow wallpaper_service sa_accesstoken_manager_service:samgr_class { get }; +allow wallpaper_service sa_foundation_abilityms:samgr_class { get }; +allow wallpaper_service sa_foundation_cesfwk_service:samgr_class { get }; +allow wallpaper_service sa_param_watcher:samgr_class { get }; +allow wallpaper_service sa_wallpaper_manager_service:samgr_class { add }; +allow wallpaper_service security_param:file { map open read }; +allow wallpaper_service startup_param:file { map open read }; +allow wallpaper_service sys_param:file { map open read }; +allow wallpaper_service system_basic_hap_attr:binder { call }; +allow wallpaper_service system_bin_file:dir { search }; +allow wallpaper_service sys_usb_param:file { map open read }; +allow wallpaper_service tracefs:dir { search }; +allow wallpaper_service tracefs_trace_marker_file:file { open write }; +allow wallpaper_service wallpaper_service:unix_dgram_socket { getopt setopt }; +allowxperm wallpaper_service data_service_el1_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/base/te/wifi_hal_service.te b/prebuilts/api/5.0/base/te/wifi_hal_service.te new file mode 100644 index 0000000000000000000000000000000000000000..a51d2a0471d659e6adb5a7c9579c009ec7c13091 --- /dev/null +++ b/prebuilts/api/5.0/base/te/wifi_hal_service.te @@ -0,0 +1,66 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_hal_service bootevent_param:file { map open read }; +allow wifi_hal_service bootevent_samgr_param:file { map open read }; +allow wifi_hal_service build_version_param:file { map open read }; +allow wifi_hal_service const_allow_mock_param:file { map open read }; +allow wifi_hal_service const_allow_param:file { map open read }; +allow wifi_hal_service const_build_param:file { map open read }; +allow wifi_hal_service const_display_brightness_param:file { map open read }; +allow wifi_hal_service const_param:file { map open read }; +allow wifi_hal_service const_postinstall_fstab_param:file { map open read }; +allow wifi_hal_service const_postinstall_param:file { map open read }; +allow wifi_hal_service const_product_param:file { map open read }; +allow wifi_hal_service data_file:dir { search }; +allow wifi_hal_service data_misc:dir { add_name remove_name search write }; +allow wifi_hal_service data_misc:file { ioctl rename unlink }; +allow wifi_hal_service data_misc:sock_file { create unlink }; +allow wifi_hal_service debug_param:file { map open read }; +allow wifi_hal_service default_param:file { map open read }; +allow wifi_hal_service dev_mgr_file:chr_file { getattr }; +allow wifi_hal_service dev_unix_socket:dir { search }; +allow wifi_hal_service distributedsche_param:file { map open read }; +allow wifi_hal_service faultloggerd_socket:sock_file { write }; +allow wifi_hal_service hilog_param:file { map open read }; +allow wifi_hal_service hw_sc_build_os_param:file { map open read }; +allow wifi_hal_service hw_sc_build_param:file { map open read }; +allow wifi_hal_service hw_sc_param:file { map open read }; +allow wifi_hal_service init_param:file { map open read }; +allow wifi_hal_service init_svc_param:file { map open read }; +allow wifi_hal_service input_pointer_device_param:file { map read open }; +allow wifi_hal_service net_param:file { map open read }; +allow wifi_hal_service net_tcp_param:file { map open read }; +allow wifi_hal_service ohos_boot_param:file { map open read }; +allow wifi_hal_service ohos_param:file { map open read }; +allow wifi_hal_service persist_param:file { map open read }; +allow wifi_hal_service persist_sys_param:file { map open read }; +allow wifi_hal_service security_param:file { map open read }; +allow wifi_hal_service sh_exec:file { execute execute_no_trans map read read open }; +allow wifi_hal_service startup_param:file { map open read }; +allow wifi_hal_service sys_param:file { map open read }; +allow wifi_hal_service system_bin_file:dir { search }; +allow wifi_hal_service system_bin_file:file { execute execute_no_trans getattr map read read open }; +allow wifi_hal_service system_bin_file:lnk_file { read }; +allow wifi_hal_service toybox_exec:file { execute execute_no_trans getattr map read open }; +allow wifi_hal_service toybox_exec:lnk_file { read }; +allow wifi_hal_service sys_usb_param:file { map open read }; +allow wifi_hal_service tty_device:chr_file { open read write }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { ioctl }; +allow wifi_hal_service wifi_hal_service_exec:file { entrypoint execute map read }; +allow wifi_hal_service wifi_manager_service:dir { search }; +allow wifi_hal_service wifi_manager_service:file { open read }; +allow wifi_hal_service wifi_manager_service:process { signal }; +allow wifi_hal_service sa_accesstoken_manager_service:samgr_class { get }; +allowxperm wifi_hal_service data_misc:file ioctl { 0x5413 }; +allowxperm wifi_hal_service wifi_hal_service:unix_dgram_socket ioctl { 0x8910 }; diff --git a/prebuilts/api/5.0/base/te/wifi_manager_service.te b/prebuilts/api/5.0/base/te/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..77198f11eab3fe007fface8c38ad8d678874c76a --- /dev/null +++ b/prebuilts/api/5.0/base/te/wifi_manager_service.te @@ -0,0 +1,69 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service accesstoken_service:binder { call }; +allow wifi_manager_service bootevent_param:file { map open read }; +allow wifi_manager_service bootevent_samgr_param:file { map open read }; +allow wifi_manager_service build_version_param:file { map open read }; +allow wifi_manager_service const_allow_mock_param:file { map open read }; +allow wifi_manager_service const_allow_param:file { map open read }; +allow wifi_manager_service const_build_param:file { map open read }; +allow wifi_manager_service const_display_brightness_param:file { map open read }; +allow wifi_manager_service const_param:file { map open read }; +allow wifi_manager_service const_postinstall_fstab_param:file { map open read }; +allow wifi_manager_service const_postinstall_param:file { map open read }; +allow wifi_manager_service const_product_param:file { map open read }; +allow wifi_manager_service data_file:dir { search }; +allow wifi_manager_service data_misc:dir { add_name search write }; +allow wifi_manager_service data_misc:file { create ioctl read write open }; +allow wifi_manager_service data_misc:sock_file { write }; +allow wifi_manager_service debug_param:file { map open read }; +allow wifi_manager_service default_param:file { map open read }; +allow wifi_manager_service dev_unix_socket:dir { search }; +allow wifi_manager_service distributedsche_param:file { map open read }; +allow wifi_manager_service hilog_param:file { map open read }; +allow wifi_manager_service hw_sc_build_os_param:file { map open read }; +allow wifi_manager_service hw_sc_build_param:file { map open read }; +allow wifi_manager_service hw_sc_param:file { map open read }; +allow wifi_manager_service init_param:file { map open read }; +allow wifi_manager_service init_svc_param:file { map open read }; +allow wifi_manager_service input_pointer_device_param:file { map open read }; +allow wifi_manager_service net_param:file { map open read }; +allow wifi_manager_service net_tcp_param:file { map open read }; +allow wifi_manager_service ohos_boot_param:file { map open read }; +allow wifi_manager_service ohos_param:file { map open read }; +allow wifi_manager_service param_watcher:binder { call transfer }; +allow wifi_manager_service persist_param:file { map open read }; +allow wifi_manager_service persist_sys_param:file { map open read }; +allow wifi_manager_service sa_accesstoken_manager_service:samgr_class { get }; +allow wifi_manager_service sa_param_watcher:samgr_class { get }; +allow wifi_manager_service sa_wifi_device_ability:samgr_class { add }; +allow wifi_manager_service sa_wifi_hotspot_ability:samgr_class { add }; +allow wifi_manager_service sa_wifi_p2p_ability:samgr_class { add }; +allow wifi_manager_service sa_wifi_scan_ability:samgr_class { add get }; +allow wifi_manager_service security_param:file { map open read }; +allow wifi_manager_service softbus_server:binder { call }; +allow wifi_manager_service startup_param:file { map open read }; +allow wifi_manager_service sys_param:file { map open read }; +allow wifi_manager_service system_basic_hap_attr:binder { call transfer }; +allow wifi_manager_service system_bin_file:dir { search }; +allow wifi_manager_service sys_usb_param:file { map open read }; +allow wifi_manager_service tracefs:dir { search }; +allow wifi_manager_service tracefs_trace_marker_file:file { open write }; +allow wifi_manager_service wifi_hal_service:unix_stream_socket { connectto }; +allow wifi_manager_service wifi_manager_service:capability { net_admin net_raw net_bind_service }; +allow wifi_manager_service wifi_manager_service:udp_socket { connect write }; +allow wifi_manager_service wifi_manager_service:netlink_route_socket { setopt bind setattr getattr listen read nlmsg_read nlmsg_write create write }; +allow wifi_manager_service wifi_manager_service:unix_dgram_socket { ioctl }; +allowxperm wifi_manager_service wifi_manager_service:unix_dgram_socket ioctl { 0x8933 0x8910}; +allowxperm wifi_manager_service data_misc:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/campat/50_system.cil b/prebuilts/api/5.0/campat/50_system.cil new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/campat/50_system_ignore.cil b/prebuilts/api/5.0/campat/50_system_ignore.cil new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/min/access_vectors b/prebuilts/api/5.0/min/access_vectors new file mode 100644 index 0000000000000000000000000000000000000000..dc0a671c8dd4ef0b021de7f5ca9c9fb00127b41b --- /dev/null +++ b/prebuilts/api/5.0/min/access_vectors @@ -0,0 +1,576 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + unlink + link + rename + execute + quotaon + mounton + audit_access + open + execmod + watch + watch_mount + watch_sb + watch_with_perm + watch_reads +} +common socket +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + name_bind +} +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} +common cap +{ + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} +common cap2 +{ + mac_override + mac_admin + syslog + wake_alarm + block_suspend + audit_read + checkpoint_restore + perfmon + bpf +} +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + associate + quotamod + quotaget + watch +} +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} +class file +inherits file +{ + execute_no_trans + entrypoint +} +class lnk_file +inherits file +class chr_file +inherits file +{ + execute_no_trans + entrypoint +} +class blk_file +inherits file +class sock_file +inherits file +class fifo_file +inherits file +class fd +{ + use +} +class socket +inherits socket +class tcp_socket +inherits socket +{ + node_bind + name_connect +} +class udp_socket +inherits socket +{ + node_bind +} +class rawip_socket +inherits socket +{ + node_bind +} +class node +{ + recvfrom + sendto +} +class netif +{ + ingress + egress +} +class netlink_socket +inherits socket +class packet_socket +inherits socket +class key_socket +inherits socket +class unix_stream_socket +inherits socket +{ + connectto +} +class unix_dgram_socket +inherits socket +class process +{ + fork + transition + sigchld + sigkill + sigstop + signull + signal + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + execheap + setkeycreate + setsockcreate + getrlimit +} +class process2 +{ + nnp_transition + nosuid_transition +} +class ipc +inherits ipc +class sem +inherits ipc +class msgq +inherits ipc +{ + enqueue +} +class msg +{ + send + receive +} +class shm +inherits ipc +{ + lock +} +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce + setbool + setsecparam + setcheckreqprot + read_policy + validate_trans +} +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console + module_request + module_load +} +class capability +inherits cap +class capability2 +inherits cap2 +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_readpriv +} +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} +class netlink_nflog_socket +inherits socket +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} +class netlink_selinux_socket +inherits socket +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay + nlmsg_readpriv + nlmsg_tty_audit +} +class netlink_dnrt_socket +inherits socket +class association +{ + sendto + recvfrom + setcontext + polmatch +} +class netlink_kobject_uevent_socket +inherits socket +class appletalk_socket +inherits socket +class packet +{ + send + recv + relabelto + forward_in + forward_out +} +class key +{ + view + read + write + search + link + setattr + create +} +class dccp_socket +inherits socket +{ + node_bind + name_connect +} +class memprotect +{ + mmap_zero +} +class peer +{ + recv +} +class kernel_service +{ + use_as_override + create_files_as +} +class tun_socket +inherits socket +{ + attach_queue +} +class binder +{ + impersonate + call + set_context_mgr + transfer +} +class netlink_iscsi_socket +inherits socket +class netlink_fib_lookup_socket +inherits socket +class netlink_connector_socket +inherits socket +class netlink_netfilter_socket +inherits socket +class netlink_generic_socket +inherits socket +class netlink_scsitransport_socket +inherits socket +class netlink_rdma_socket +inherits socket +class netlink_crypto_socket +inherits socket +class infiniband_pkey +{ + access +} +class infiniband_endport +{ + manage_subnet +} +class cap_userns +inherits cap +class cap2_userns +inherits cap2 +class sctp_socket +inherits socket +{ + node_bind + name_connect + association +} +class icmp_socket +inherits socket +{ + node_bind +} +class ax25_socket +inherits socket +class ipx_socket +inherits socket +class netrom_socket +inherits socket +class atmpvc_socket +inherits socket +class x25_socket +inherits socket +class rose_socket +inherits socket +class decnet_socket +inherits socket +class atmsvc_socket +inherits socket +class rds_socket +inherits socket +class irda_socket +inherits socket +class pppox_socket +inherits socket +class llc_socket +inherits socket +class can_socket +inherits socket +class tipc_socket +inherits socket +class bluetooth_socket +inherits socket +class iucv_socket +inherits socket +class rxrpc_socket +inherits socket +class isdn_socket +inherits socket +class phonet_socket +inherits socket +class ieee802154_socket +inherits socket +class caif_socket +inherits socket +class alg_socket +inherits socket +class nfc_socket +inherits socket +class vsock_socket +inherits socket +class kcm_socket +inherits socket +class qipcrtr_socket +inherits socket +class smc_socket +inherits socket +class bpf +{ + map_create + map_read + map_write + prog_load + prog_run +} +class xdp_socket +inherits socket +class parameter_service +{ + set +} +class samgr_class +{ + add + get + get_remote + list +} +class hdf_devmgr_class +{ + add + get + list +} + +class lockdown +{ + integrity + confidentiality +} + +class perf_event +{ + open + cpu + kernel + tracepoint + read + write +} + +class xpm +{ + exec_no_sign + exec_anon_mem + exec_in_jitfort + exec_allow_debug_id + exec_allow_sa_plugin +} + +class hideaddr +{ + hide_exec_anon_mem + hide_exec_anon_mem_debug +} + +class code_sign +{ + add_cert_chain + remove_cert_chain +} + +class hmpsf +{ + map_create + map_read + map_write + module_load + module_run +} + +class ced +{ + container_escape_check +} + +class jit_memory +{ + exec_mem_ctrl +} + +class hmcap +{ + supervsable + pid_mem_read + pid_mem_write +} diff --git a/prebuilts/api/5.0/min/glb_roles.spt b/prebuilts/api/5.0/min/glb_roles.spt new file mode 100644 index 0000000000000000000000000000000000000000..be367fa0394a8d6a8e269fa36efefd5d48a1b8a9 --- /dev/null +++ b/prebuilts/api/5.0/min/glb_roles.spt @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +role r; +role r types sid_test_type; diff --git a/prebuilts/api/5.0/min/initial_sid_contexts b/prebuilts/api/5.0/min/initial_sid_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3cdc53305468e5040991c908b4d0090106e99901 --- /dev/null +++ b/prebuilts/api/5.0/min/initial_sid_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +sid sid_test u:r:sid_test_type:s0 diff --git a/prebuilts/api/5.0/min/initial_sids b/prebuilts/api/5.0/min/initial_sids new file mode 100644 index 0000000000000000000000000000000000000000..6b63759bd2bc16d11e176a745a000217fb17147b --- /dev/null +++ b/prebuilts/api/5.0/min/initial_sids @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +sid sid_test diff --git a/prebuilts/api/5.0/min/min.te b/prebuilts/api/5.0/min/min.te new file mode 100644 index 0000000000000000000000000000000000000000..40b5d851b08504039afb42171ed29a482565de48 --- /dev/null +++ b/prebuilts/api/5.0/min/min.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type abc; +type bdc; +type sid_test_type; +allow abc bdc : process transition; diff --git a/prebuilts/api/5.0/min/mls b/prebuilts/api/5.0/min/mls new file mode 100644 index 0000000000000000000000000000000000000000..a59880ab7ac0b54e76ce91b6fe5c93308cc6c921 --- /dev/null +++ b/prebuilts/api/5.0/min/mls @@ -0,0 +1,28 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`decl_cat',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cat(incr($1),$2)')dnl +') + +sensitivity s0; + +dominance { s0 } + +decl_cat(0, 1023) + +level s0:c0.c1023; + +mlsconstrain filesystem relabelto + ( h1 dom h2 ); diff --git a/prebuilts/api/5.0/min/security_classes b/prebuilts/api/5.0/min/security_classes new file mode 100644 index 0000000000000000000000000000000000000000..5837e1933c28dcd9bd03f64fc4d90820fa4cfcc8 --- /dev/null +++ b/prebuilts/api/5.0/min/security_classes @@ -0,0 +1,117 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +class security +class process +class system +class capability +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket +class sem +class msg +class msgq +class shm +class ipc +class netlink_route_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_dnrt_socket +class association +class netlink_kobject_uevent_socket +class appletalk_socket +class packet +class key +class dccp_socket +class memprotect +class peer +class capability2 +class kernel_service +class tun_socket +class binder +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket +class infiniband_pkey +class infiniband_endport +class cap_userns +class cap2_userns +class sctp_socket +class icmp_socket +class ax25_socket +class ipx_socket +class netrom_socket +class atmpvc_socket +class x25_socket +class rose_socket +class decnet_socket +class atmsvc_socket +class rds_socket +class irda_socket +class pppox_socket +class llc_socket +class can_socket +class tipc_socket +class bluetooth_socket +class iucv_socket +class rxrpc_socket +class isdn_socket +class phonet_socket +class ieee802154_socket +class caif_socket +class alg_socket +class nfc_socket +class vsock_socket +class kcm_socket +class qipcrtr_socket +class smc_socket +class process2 +class bpf +class xdp_socket +class parameter_service +class samgr_class +class hdf_devmgr_class +class lockdown +class perf_event +class xpm +class hideaddr +class code_sign +class hmpsf +class ced +class jit_memory +class hmcap diff --git a/prebuilts/api/5.0/min/users b/prebuilts/api/5.0/min/users new file mode 100644 index 0000000000000000000000000000000000000000..a168d484056c0a4b16905be0b2e2cfc2f53d5ae4 --- /dev/null +++ b/prebuilts/api/5.0/min/users @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +user u roles { r } level s0 range s0 - s0:c0.c1023; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/aa.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/aa.te new file mode 100644 index 0000000000000000000000000000000000000000..bddeafc9fc8a9704620d725fc8a5944ddb8f66ad --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/aa.te @@ -0,0 +1,152 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# add for aa in debug mode +debug_only(` + allow aa aa_exec:file { execute_no_trans }; + allow aa accessibility:binder { call transfer }; + allow aa arkcompiler_param:file { map open read }; + allow aa ark_writeable_param:file { map open read }; + allow aa bm_exec:file { getattr execute execute_no_trans map read open }; + allow aa data_file:dir { search getattr}; + allow aa data_local:dir { search }; + allow aa data_local_tmp:dir { getattr write search }; + allow aa data_service_el1_file:file { read write }; + allow aa debug_param:file { map read open }; + allow aa dev_ashmem_file:chr_file { open }; + allow aa dev_console_file:chr_file { read write }; + allow aa dev_kmsg_file:chr_file { write }; + allow aa devpts:chr_file { ioctl read write }; + allow aa dev_unix_socket:dir { search }; + allow aa foundation:binder { call transfer }; + allow aa foundation:fd { use }; + allow aa hap_domain:fd { use }; + allow aa hap_file_attr:file { getattr ioctl read write }; + allow aa hdcd:fd { use }; + allow aa hdcd:fifo_file { ioctl read write }; + allow aa hdcd:unix_stream_socket { read write }; + allow aa hilog_control_socket:sock_file { write }; + allow aa hilogd:unix_stream_socket { connectto }; + allow aa hilog_exec:file { getattr execute execute_no_trans map read open }; + allow aa hilog_output_socket:sock_file { write }; + allow aa hilog_param:file { map read open }; + allow aa init:dir { getattr search }; + allow aa init:file { open read }; + allow aa kernel:dir { getattr search }; + allow aa kernel:file { open read }; + allow aa multimodalinput:binder { call }; + allow aa normal_hap_attr:binder { call transfer }; + allow aa param_watcher:binder { call transfer }; + allow aa persist_sys_param:file { map open read }; + binder_call(aa, powermgr); + allow aa render_service:fd { use }; + allow aa sa_accessibleabilityms:samgr_class { get }; + allow aa sa_accountmgr:samgr_class { get }; + allow aa sa_foundation_abilityms:samgr_class { get }; + allow aa sa_foundation_appms:samgr_class { get }; + allow aa sa_foundation_bms:samgr_class { get }; + allow aa sa_foundation_cesfwk_service:samgr_class { get }; + allow aa sa_foundation_dms:samgr_class { get }; + allow aa samgr:binder { call }; + allow aa sa_multimodalinput_service:samgr_class { get }; + allow aa sa_param_watcher:samgr_class { get }; + allow aa sh_exec:file { execute execute_no_trans map read open }; + allow aa sh:fd { use }; + allow aa sh:fifo_file { ioctl write }; + allow aa system_bin_file:dir { search }; + allow aa system_bin_file:file { getattr execute read open execute_no_trans map }; + allow aa system_bin_file:lnk_file { read }; + allow aa toybox_exec:file { execute execute_no_trans getattr map read open }; + allow aa toybox_exec:lnk_file { read }; + allow aa tracefs:dir { search }; + allow aa tty_device:chr_file { read write open ioctl }; + allow aa uinput_exec:file { execute execute_no_trans getattr map read open }; + allow aa uitest_exec:file { execute getattr map read open }; + allow aa watchdog_service:dir { getattr search }; + allow accessibility aa:binder { call transfer }; + allow foundation aa:binder { call }; + allow hap_domain aa:binder { call }; + allow hdcd aa:process { signal }; + allow hidumper aa:fd { use }; + allow hidumper aa:fifo_file { write }; + allow hidumper_service aa:dir { search }; + allow hidumper_service aa:fd { use }; + allow hidumper_service aa:fifo_file { write }; + allow hidumper_service aa:file { getattr open read }; + allow hiview aa:dir { search }; + allow hiview aa:file { read open getattr }; + allow normal_hap_attr aa:binder { transfer }; + allow param_watcher aa:binder { call }; + allow powermgr aa:binder { call }; + allow samgr aa:binder { call transfer }; + allow samgr aa:dir { search }; + allow samgr aa:file { open read }; + allow samgr aa:process { getattr }; + allowxperm aa devpts:chr_file ioctl { 0x5413 }; + allowxperm aa hap_file_attr:file ioctl { 0x5413 }; + allowxperm aa hdcd:fifo_file ioctl { 0x5413 }; + allowxperm aa sh:fifo_file ioctl { 0x5413 }; + allowxperm aa tty_device:chr_file ioctl { 0x5413 }; +') + +# add for aa in developer mode +developer_only(` + allow aa aa_exec:file { execute_no_trans }; + allow aa arkcompiler_param:file { map open read }; + allow aa ark_writeable_param:file { map open read }; + allow aa bm_exec:file { getattr execute execute_no_trans map read open }; + allow aa debug_param:file { map read open }; + allow aa dev_console_file:chr_file { read write }; + allow aa devpts:chr_file { ioctl read write }; + allow aa dev_unix_socket:dir { search }; + allow aa foundation:binder { call transfer }; + allow aa foundation:fd { use }; + allow aa hdcd:fd { use }; + allow aa hdcd:fifo_file { ioctl read write }; + allow aa hdcd:unix_stream_socket { read write }; + allow aa hilog_param:file { map read open }; + allow aa persist_sys_param:file { map open read }; + binder_call(aa, powermgr); + allow aa sa_foundation_abilityms:samgr_class { get }; + allow aa sa_foundation_appms:samgr_class { get }; + allow aa sa_foundation_bms:samgr_class { get }; + allow aa samgr:binder { call }; + allow aa samgr:dir { search }; + allow aa samgr:file { read open }; + allow aa samgr:process { getattr }; + allow aa sh_exec:file { execute execute_no_trans map read open }; + allow aa sh:fd { use }; + allow aa system_bin_file:dir { search }; + allow aa system_bin_file:file { getattr execute read open execute_no_trans map }; + allow aa system_bin_file:lnk_file { read }; + allow aa toybox_exec:file { getattr execute read open execute_no_trans map }; + allow aa toybox_exec:lnk_file { read }; + allow aa tracefs:dir { search }; + allow aa tty_device:chr_file { read write open ioctl }; + allow debug_hap aa:binder { call }; + allow foundation aa:binder { call transfer }; + allow hdcd aa:process { signal }; + allow hidumper_service aa:dir { search }; + allow hidumper_service aa:file { getattr open read }; + allow hiview aa:dir { search }; + allow hiview aa:file { read open getattr }; + allow normal_hap aa:binder { call }; + allow powermgr aa:binder { call transfer }; + allow samgr aa:binder { call transfer }; + allow samgr aa:dir { search }; + allow samgr aa:file { open read }; + allow samgr aa:process { getattr }; + allowxperm aa devpts:chr_file ioctl { 0x5413 }; + allowxperm aa hdcd:fifo_file ioctl { 0x5413 }; + allowxperm aa tty_device:chr_file ioctl { 0x5413 }; +') diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/distributedfiledaemon.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..b85e2a1547c1dc37981c26092a63b12b3b02507b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/distributedfiledaemon.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedfiledaemon sa_foundation_abilityms:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/file_contexts b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..cd925da635302ca762b1abd149a570445700d513 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for aa tool +/system/bin/aa u:object_r:aa_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/formrenderservice_hap.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/formrenderservice_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0d8ccd0a1624d2cac231b54d1464913440b572d6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/formrenderservice_hap.te @@ -0,0 +1,28 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type formrenderservice_hap, normal_hap_attr, hap_domain, domain; + +type formrenderservice_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; + +allow formrenderservice_hap sa_form_mgr_service:samgr_class { get }; +allow formrenderservice_hap system_core_hap_attr:binder { call transfer }; +allow formrenderservice_hap system_file:file { getattr open read execute}; +allow formrenderservice_hap data_service_el1_file:file { getattr map open read }; +allow formrenderservice_hap sa_quick_fix_mgr_service:samgr_class { get }; +allow formrenderservice_hap quick_fix:binder { call }; +allow formrenderservice_hap system_file:file { map }; +allow formrenderservice_hap sa_service_router_mgr_service:samgr_class { get }; +allow formrenderservice_hap service_router:binder { call transfer }; +allow formrenderservice_hap sa_memory_manager_service:samgr_class { get }; +allow formrenderservice_hap memmgrservice:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/foundation.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..2bf52cf37433d72630360b881b49419bab664183 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/foundation.te @@ -0,0 +1,118 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accessibility:binder { call }; +allow foundation accesstoken_service:binder { call }; +allow foundation accountmgr:binder { call }; +allow foundation appspawn_socket:sock_file { write }; +allow foundation appspawn:fd { use }; +allow foundation appspawn:unix_stream_socket { connectto }; +allow foundation bootevent_param:file { map open read }; +allow foundation bootevent_param:parameter_service { set }; +allow foundation bgtaskmgr_service:binder { call transfer }; +allow foundation configfs:dir { remove_name rmdir search write }; +allow foundation data_app_el1_file:file { getattr map read }; +allow foundation data_file:dir { search }; +allow foundation data_service_el1_file:dir { add_name create remove_name search write }; +allow foundation data_service_el1_file:file { create ioctl unlink write open }; +allow foundation data_service_file:dir { search }; +allow foundation data_system_ce:dir { add_name search write }; +allow foundation data_system_ce:file { create getattr ioctl lock map open read write }; +allow foundation device_usage_stats_service:binder { call transfer }; +allow foundation dev_mali:chr_file { ioctl }; +allow foundation dev_unix_socket:dir { search }; +allow foundation dev_unix_socket:sock_file { write }; +allow foundation distributeddata:binder { call transfer }; +allow foundation distributedfiledaemon:binder { call }; +allow foundation distributedfileservice:binder { call }; +allow foundation edm_sa:binder { call }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation hdcd:binder { transfer }; +allow foundation hdf_devmgr:binder { call transfer }; +allow foundation hdf_allocator_service:hdf_devmgr_class { get }; +allow foundation hiview:binder { transfer }; +allow foundation memmgrservice:binder { call transfer }; +allow foundation multimodalinput:binder { transfer }; +allow foundation multimodalinput:unix_stream_socket { read }; +allow foundation normal_hap_attr:process { sigkill signal }; +allow foundation normal_hap_data_file_attr:file { read }; +allow foundation persist_param:parameter_service { set }; +allow foundation power_host:binder { call }; +allow foundation render_service:binder { call transfer }; +allow foundation render_service:fd { use }; +allow foundation resource_schedule_service:binder { call transfer }; +allow foundation sa_accesstoken_manager_service:samgr_class { get }; +allow foundation sa_accountmgr:samgr_class { get }; +allow foundation sa_bgtaskmgr:samgr_class { get }; +allow foundation sa_device_service_manager:samgr_class { get }; +allow foundation sa_distributeddata_service:samgr_class { get }; +allow foundation sa_distributeschedule:samgr_class { get }; +allow foundation sa_foundation_abilityms:samgr_class { add }; +allow foundation sa_foundation_ans:samgr_class { add }; +allow foundation sa_foundation_appms:samgr_class { add get }; +allow foundation sa_foundation_bms:samgr_class { add }; +allow foundation sa_foundation_devicemanager_service:samgr_class { add get }; +allow foundation sa_foundation_tel_call_manager:samgr_class { add }; +allow foundation sa_foundation_wms:samgr_class { get }; +allow foundation sa_powermgr_battery_service:samgr_class { get }; +allow foundation sa_powermgr_batterystats_service:samgr_class { get }; +allow foundation sa_powermgr_displaymgr_service:samgr_class { get }; +allow foundation sa_powermgr_powermgr_service:samgr_class { get }; +allow foundation sa_powermgr_thermal_service:samgr_class { get }; +binder_call(foundation, powermgr); +allow foundation sa_memory_manager_service:samgr_class { get }; +allow foundation sa_msdp_devicestatus_service:samgr_class { get }; +allow foundation sa_multimodalinput_service:samgr_class { get }; +allow foundation sa_param_watcher:samgr_class { get }; +allow foundation sa_softbus_service:samgr_class { get }; +allow foundation sa_telephony_tel_cellular_call:samgr_class { get }; +allow foundation sa_useriam_useridm_service:samgr_class { get }; +allow foundation sa_useriam_userauth_service:samgr_class { get }; +allow foundation screenlock_server:binder { call transfer }; +allow foundation softbus_server:binder { call }; +allow foundation sys_file:file { ioctl write }; +allow foundation system_basic_hap_attr:binder { call transfer }; +allow foundation system_basic_hap_attr:fd { use }; +allow foundation system_basic_hap_attr:process { sigkill signal }; +allow foundation system_basic_hap_data_file_attr:file { read }; +allow foundation system_basic_hap_data_file:file { write }; +allow foundation system_core_hap_attr:binder { call transfer }; +allow foundation system_core_hap_attr:dir { search }; +allow foundation system_core_hap_attr:file { getattr open read }; +allow foundation system_core_hap_attr:process { sigkill signal }; +allow foundation system_core_hap_data_file_attr:file { read }; +allow foundation system_lib_file:dir { getattr }; +allow foundation vendor_etc_file:dir { search }; +allow foundation work_scheduler_service:binder { call }; +allow foundation quick_fix:binder { call transfer }; +allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; +allowxperm foundation data_system_ce:file ioctl { 0xf50c }; +allowxperm foundation dev_mali:chr_file ioctl { 0x8002 }; +allowxperm foundation sys_file:file ioctl { 0x5413 }; +allow foundation foundation:capability { sys_ptrace }; +allow foundation storage_manager:dir { search }; +allow foundation storage_manager:file { open read write getattr }; +allow foundation sa_storage_manager_service:samgr_class { get }; +allow foundation netmanager:binder { transfer }; +allow foundation faultloggerd:fifo_file { read }; +allow foundation exfat:file { read write }; +allow foundation vfat:file { read write }; +allow foundation ntfs:file { read write }; +allow foundation key_enable:key { search }; +allow foundation accountmgr:fd { use }; +neverallow foundation *:process ptrace; +allow foundation sa_sandbox_manager_service:samgr_class { get }; +binder_call(foundation, sa_sandbox_manager_service); + +# add for hiperf +allow hiperf multimodalinput:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/init.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..916b81b7e30785f523290afae7bfb7b482a8bd61 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init quick_fix:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7a8967e7320203c8f7ae5168417df34694a3c92e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/normal_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_form_mgr_service:samgr_class { get }; +allow normal_hap_attr system_core_hap_attr:binder { call transfer }; +allow normal_hap_attr system_file:file { getattr open read execute}; +allow normal_hap_attr data_service_el1_file:file { getattr map open read }; +allow normal_hap_attr sa_quick_fix_mgr_service:samgr_class { get }; +allow normal_hap_attr quick_fix:binder { call }; +allow normal_hap_attr system_file:file { map }; +allow normal_hap_attr sa_service_router_mgr_service:samgr_class { get }; +allow normal_hap_attr service_router:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/quick_fix.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/quick_fix.te new file mode 100644 index 0000000000000000000000000000000000000000..5277972f10131f80c1af141c02cb1b44b111b9e6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/quick_fix.te @@ -0,0 +1,37 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow quick_fix accesstoken_service:binder { call }; +allow quick_fix data_file:dir { search }; +allow quick_fix data_service_el1_file:dir { search }; +allow quick_fix data_service_el1_file:file { getattr }; +allow quick_fix data_service_file:dir { search }; +allow quick_fix dev_unix_socket:dir { search }; +allow quick_fix foundation:binder { call transfer}; +allow quick_fix hilog_param:file { map open read }; +allow quick_fix sa_accesstoken_manager_service:samgr_class { get }; +allow quick_fix sa_foundation_bms:samgr_class { get }; +allow quick_fix sa_foundation_appms:samgr_class { get }; +allow quick_fix sa_foundation_cesfwk_service:samgr_class { get }; +allow quick_fix sa_quick_fix_mgr_service:samgr_class { add }; +allow quick_fix hw_sc_param:file { map open read }; +allow quick_fix net_param:file { map open read }; +allow quick_fix net_tcp_param:file { map open read }; +allow quick_fix ohos_boot_param:file { map open read }; +allow quick_fix ohos_dev_param:file { map open read }; +allow quick_fix ohos_param:file { map open read }; +allow quick_fix sys_param:file { map open read }; +allow quick_fix sys_usb_param:file { map open read }; +allow quick_fix system_bin_file:dir { search }; +allow quick_fix tmpfs:chr_file { read write }; +allow quick_fix foundation:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/sehap_contexts b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..16cacabba32e791743e494016e2dbe6fb4ea3ac0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/sehap_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=normal name=com.ohos.formrenderservice domain=formrenderservice_hap type=formrenderservice_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/service_contexts b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a1ff57a48f128ffe4e8aa430fd1182b80c33639c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +184 u:object_r:sa_quick_fix_mgr_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..40b9e2ca082f738a55744ec97d0a932cc90d1ca1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_basic_hap.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr dev_mali:chr_file { ioctl }; +allow system_basic_hap_attr faultloggerd_temp_file:file { write }; +allow system_basic_hap_attr net_param:file { map open read }; +allow system_basic_hap_attr ohos_boot_param:file { map open read }; +allow system_basic_hap_attr ohos_param:file { map open read }; +allow system_basic_hap_attr sys_param:file { map open read }; +allow system_basic_hap_attr sys_usb_param:file { map open read }; +allow system_basic_hap_attr system_basic_hap_attr:process { ptrace }; +allow system_basic_hap_attr system_bin_file:dir { search }; +allowxperm system_basic_hap_attr dev_mali:chr_file ioctl { 0x8007 0x800f }; +allow system_basic_hap_attr system_file:file { getattr open read execute }; +allow system_basic_hap_attr data_service_el1_file:file { getattr map open read }; +allow system_basic_hap_attr sa_quick_fix_mgr_service:samgr_class { get }; +allow system_basic_hap_attr quick_fix:binder { call }; +allow system_basic_hap_attr system_file:file { map }; diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f64fe16acfa9040fcb4889f8609a36bb968a8423 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/system_core_hap.te @@ -0,0 +1,33 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr faultloggerd:fifo_file { write }; +allow system_core_hap_attr faultloggerd_temp_file:file { read write }; +allow system_core_hap_attr normal_hap_attr:binder { call transfer }; +allow system_core_hap_attr sysfs_rtc:dir { open read }; +allow system_core_hap_attr system_core_hap_attr:binder { call transfer }; +allow system_core_hap_attr time_service:binder { call }; +allow system_core_hap_attr sa_form_mgr_service:samgr_class { get }; +allow system_core_hap_attr sa_dataobs_mgr_service_service:samgr_class { get }; +allow system_core_hap_attr system_file:file { getattr open read execute }; +allow system_core_hap_attr data_service_el1_file:file { getattr open read }; +allow system_core_hap_attr softbus_server:binder { call transfer }; +allow system_core_hap_attr softbus_server:fd { use }; +allow system_core_hap_attr sa_quick_fix_mgr_service:samgr_class { get }; +allow system_core_hap_attr quick_fix:binder { call }; +allow system_core_hap_attr system_file:file { map }; +allow system_core_hap_attr data_service_el1_file:file { map }; + +debug_only(` + allow system_core_hap_attr sh:binder { call transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/type.te b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..ce159e625cdae67383bf095416d71aa04f09adcb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ability/ability_runtime/system/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type quick_fix, sadomain, domain; +type sa_quick_fix_mgr_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service.te b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service.te new file mode 100644 index 0000000000000000000000000000000000000000..f48d9266a3eb842d28cbeec7d36d3ac35a3864c9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_sandbox_manager_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service_contexts b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9b24a475f16267bff765ba60de2d7996acea8994 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3508 u:object_r:sa_sandbox_manager_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/type.te b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..3421888d91478013f1058fa6bb73c444e7617632 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sandbox_manager_service, sadomain, domain; +type sandbox_manager_data_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..dc74e217d9e82950f111d8d4633b71c3119c8fe3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/sandbox_manager(/.*)? u:object_r:sandbox_manager_data_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..246f13d71e05bd75e3bf14fc0a62cfe63fa0445c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/hap_domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_sandbox_manager_service:samgr_class { get }; +allow hap_domain sandbox_manager_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/init.te b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..cf90a3a4023fb3774e6f215fdda3c18a913c89c3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init sandbox_manager_service:process { rlimitinh siginh transition }; +allow init sandbox_manager_data_file:dir { getattr open read relabelto setattr}; +allow init sa_sandbox_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..2c1aff02e8465962316de94fbab4d160d2b4aefb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/accesscontrol/sandbox_manager/system/sandbox_manager.te @@ -0,0 +1,49 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sandbox_manager_service sa_sandbox_manager_service:samgr_class { add }; +allow sandbox_manager_service dev_unix_socket:dir { search }; +allow sandbox_manager_service tracefs:dir { search }; +allow sandbox_manager_service hilog_param:file { read open map }; +allow sandbox_manager_service debug_param:file { read open map }; +allow sandbox_manager_service sysfs_devices_system_cpu:file { read open getattr }; +allow sandbox_manager_service sandbox_manager_service:unix_dgram_socket { getopt setopt }; +allow sandbox_manager_service dev_kmsg_file:chr_file { write }; +allow sandbox_manager_service dev_file:dir { getattr }; +allow sandbox_manager_service system_bin_file:dir { search }; +allow sandbox_manager_service sa_accesstoken_manager_service:samgr_class { get }; +allow sandbox_manager_service sa_foundation_cesfwk_service:samgr_class { get }; +allow sandbox_manager_service accesstoken_service:binder { call }; +allow sandbox_manager_service data_file:dir { search }; +allow sandbox_manager_service data_service_el1_file:dir { search }; +allow sandbox_manager_service data_service_file:dir { search }; +allow sandbox_manager_service sandbox_manager_data_file:dir { search add_name read open remove_name write ioctl }; +allow sandbox_manager_service sandbox_manager_data_file:file { getattr lock ioctl create read write open unlink setattr map }; +allowxperm sandbox_manager_service sandbox_manager_data_file:file ioctl { 0xf501 0xf502 0xf50c 0xf546 }; +allowxperm sandbox_manager_service sandbox_manager_data_file:dir ioctl { 0xf546 }; + +allow sandbox_manager_service foundation:binder { call transfer }; +allow foundation sandbox_manager_service:binder { call }; +allow sandbox_manager_service tty_device:chr_file { read write }; +binder_call(sandbox_manager_service, distributeddata); +allow sandbox_manager_service dev_ashmem_file:chr_file { open }; +allow sandbox_manager_service init:fifo_file { write }; +allow sandbox_manager_service chip_prod_file:dir { search }; +allow sandbox_manager_service data_hilogd_file:dir { search }; +allow sandbox_manager_service sa_distributeddata_service:samgr_class { get }; +binder_call(sandbox_manager_service, accountmgr); +allow sandbox_manager_service sa_accountmgr:samgr_class { get }; + +debug_only(` + binder_call(sandbox_manager_service, su); +') diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/public/file.te b/prebuilts/api/5.0/ohos_policy/account/os_account/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..bb95a443349acdd8a2ae398c282677350a352bd7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/public/file.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type account_data_file, file_attr, data_file_attr; +type account_data_el2_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..0ad3c77f5b2fe588337104f812211cce0270fe5b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/accountmgr.te @@ -0,0 +1,158 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#type accountmgr, sadomain, domain, samgr_type; + +binder_call(accountmgr, foundation); +binder_call(accountmgr, useriam); +binder_call(accountmgr, pinauth); +binder_call(accountmgr, system_core_hap_attr); +binder_call(accountmgr, system_basic_hap_attr); +binder_call(accountmgr, normal_hap_attr); + +allow accountmgr init:binder { call transfer }; +allow accountmgr self:unix_dgram_socket{ getopt setopt }; + +allow accountmgr data_system:dir { getattr write add_name create read open setattr search remove_name rmdir }; +allow accountmgr data_system:file { getattr write create read open setattr ioctl relabelfrom }; +allow accountmgr data_service_file:dir { search }; +allow accountmgr data_service_el1_file:dir { add_name create getattr open read search setattr write remove_name rmdir watch }; +allow accountmgr data_service_el1_file:file { create getattr ioctl relabelfrom setattr write open read unlink map lock watch }; +allowxperm accountmgr data_service_el1_file:file ioctl { 0xf50c }; +allowxperm accountmgr data_service_el1_file:file ioctl { 0x5413 }; +allow accountmgr data_service_el2_file:dir { search }; +allow accountmgr account_data_file:file { getattr setattr open ioctl create write read relabelto unlink map }; +allow accountmgr account_data_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch }; +allow accountmgr vendor_lib_file:file { getattr open read map execute }; +allow accountmgr vendor_lib_file:lnk_file { read }; +allow accountmgr vendor_lib_file:dir { search }; +allow accountmgr data_file:dir { search }; +allow accountmgr sys_file:file { read open }; +# avc: denied { lock } for pid=4779 comm="IPC_1_4783" path="/data/service/el1/public/account/100/account_info.json" dev="mmcblk0p14" ino=7594 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1 +# avc: denied { watch } for pid=4779 comm="SaInit0" path="/data/service/el1/public/account/104/account_info.json" dev="mmcblk0p14" ino=14953 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1 +allow accountmgr account_data_file:file { lock watch }; + +allow accountmgr account_data_el2_file:file { getattr setattr open create write read relabelto unlink map lock watch }; +allow accountmgr account_data_el2_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch }; +# avc: denied { ioctl } for pid=666 comm="OS_IPC_3_955" path="/data/service/el2/100/account/app_account/database/kvdb/5b281d1d619b09bcafed523d8fe64b47c64bec36bee7fa9d64ad21e569894065/single_ver/main/gen_natural_store.db" dev="mmcblk0p15" ino=2591 ioctlcmd=0xf50c scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_el2_file:s0 tclass=file permissive=1 +allow accountmgr account_data_el2_file:file { ioctl }; +# avc: denied { ioctl } for pid=666 comm="OS_IPC_3_955" path="/data/service/el2/100/account/app_account/database/kvdb/5b281d1d619b09bcafed523d8fe64b47c64bec36bee7fa9d64ad21e569894065/single_ver/main/gen_natural_store.db" dev="mmcblk0p15" ino=2591 ioctlcmd=0xf50c scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_el2_file:s0 tclass=file permissive=1 +allowxperm accountmgr account_data_el2_file:file ioctl { 0xf50c }; + +allow accountmgr tracefs:dir { search }; +allow accountmgr tracefs_trace_marker_file:file { write open }; +allow accountmgr hilog_input_socket:sock_file { write }; +allow accountmgr hisysevent_socket:sock_file { write }; +allow accountmgr accesstoken_service:binder { call }; +allow accountmgr dev_unix_socket:dir { search }; +allow accountmgr param_watcher:binder { call }; +allow accountmgr storage_manager:binder { call }; +allow accountmgr storage_manager:binder { transfer }; +allow accountmgr distributeddata:binder { transfer }; +allow accountmgr distributeddata:binder { call }; +allow accountmgr data_init_agent:dir { search }; +allow accountmgr data_init_agent:file { read append ioctl open }; +allow accountmgr param_watcher:binder { transfer }; +allow accountmgr devinfo_private_param:file { map open read }; +allow accountmgr wifi_manager_service:binder { transfer }; + +allow accountmgr sa_accountmgr:samgr_class { add }; +allow accountmgr sa_param_watcher:samgr_class { get }; +allow accountmgr sa_foundation_appms:samgr_class { get }; +allow accountmgr sa_storage_manager_service:samgr_class { get }; +allow accountmgr sa_foundation_cesfwk_service:samgr_class { get }; +allow accountmgr sa_foundation_abilityms:samgr_class { get }; +allow accountmgr sa_distributeddata_service:samgr_class { get }; +allow accountmgr sa_accesstoken_manager_service:samgr_class { get }; +allow accountmgr sa_foundation_bms:samgr_class { get }; +allow accountmgr sa_useriam_useridm_service:samgr_class { get }; +allow accountmgr sa_useriam_userauth_service:samgr_class { get }; +allow accountmgr sa_useriam_pinauth_service:samgr_class { get }; +allow accountmgr sa_foundation_devicemanager_service:samgr_class { get }; +allow accountmgr sa_time_service:samgr_class { get }; +allow accountmgr sa_huks_service:samgr_class { get }; +# avc: denied { transfer } for pid=4779 comm="IPC_4_4794" scontext=u:r:accountmgr:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +allow accountmgr dlp_permission_service:binder { transfer }; + +# avc: denied { call } for pid=4779 comm="IPC_1_4783" scontext=u:r:accountmgr:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow accountmgr huks_service:binder { call transfer }; + +allow accountmgr accessibility:binder { transfer }; +allow accountmgr bootevent_param:file { map open read }; +allow accountmgr bootevent_param:parameter_service { set }; +allow accountmgr bootevent_samgr_param:file { map open read }; +allow accountmgr build_version_param:file { map open read }; +allow accountmgr const_allow_mock_param:file { map open read }; +allow accountmgr const_allow_param:file { map open read }; +allow accountmgr const_build_param:file { map open read }; +allow accountmgr const_display_brightness_param:file { map open read }; +allow accountmgr const_param:file { map open read }; +allow accountmgr const_postinstall_fstab_param:file { map open read }; +allow accountmgr const_postinstall_param:file { map open read }; +allow accountmgr const_product_param:file { map open read }; + +allow accountmgr debug_param:file { map open read }; +allow accountmgr default_param:file { map open read }; +allow accountmgr deviceauth_service:binder { transfer }; +allow accountmgr dev_console_file:chr_file { read write }; + +allow accountmgr time_service:binder { call transfer }; +allow accountmgr distributedfiledaemon:binder { call transfer }; +allow accountmgr distributedsche_param:file { map open read }; +allow accountmgr hilog_param:file { map open read }; +allow accountmgr hiview:binder { transfer }; +allow accountmgr hiview:unix_dgram_socket { sendto }; +allow accountmgr hw_sc_build_os_param:file { map open read }; +allow accountmgr hw_sc_build_param:file { map open read }; +allow accountmgr hw_sc_param:file { map open read }; +allow accountmgr init_param:file { map open read }; +allow accountmgr init_svc_param:file { map open read }; +allow accountmgr input_pointer_device_param:file { map open read }; +allow accountmgr locationhub:binder { transfer }; +allow accountmgr net_param:file { map open read }; +allow accountmgr net_tcp_param:file { map open read }; +allow accountmgr ohos_boot_param:file { map open read }; +allow accountmgr ohos_param:file { map open read }; +allow accountmgr paramservice_socket:sock_file { write }; +allow accountmgr persist_param:file { map open read }; +allow accountmgr persist_sys_param:file { map open read }; +allow accountmgr security_param:file { map open read }; +allow accountmgr softbus_server:binder { transfer }; +allow accountmgr startup_param:file { map open read }; +allow accountmgr sys_param:file { map open read }; +allow accountmgr system_bin_file:dir { search }; +allow accountmgr sys_usb_param:file { map open read }; +allow accountmgr sysfs_devices_system_cpu:file { open read getattr }; +allow accountmgr kernel:unix_stream_socket { connectto }; +allow accountmgr vendor_etc_file:dir { search }; +allow accountmgr vendor_etc_file:file { read getattr open }; +allow accountmgr usb_service:binder { call transfer }; +allow accountmgr system_etc_file:file { lock }; +allow accountmgr sa_asset_service:samgr_class { get }; +allow accountmgr asset_service:binder { call transfer }; +allow accountmgr audio_server:binder { call transfer }; +allow accountmgr media_service:binder { call transfer }; + +# avc: denied { open } for pid=541 comm="IPC_0_735" path="/dev/ashmem" dev="tmpfs" ino=170 scontext=u:r:accountmgr:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow accountmgr dev_ashmem_file:chr_file { open }; + +# avc: denied { set } for parameter=persist.account.login_name_max pid=2208 uid=3058 gid=3058 scontext=u:r:accountmgr:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=0 +allow accountmgr persist_param:parameter_service { set }; + +allow accountmgr account_data_file:dir { ioctl }; +allowxperm accountmgr account_data_file:dir ioctl { 0xf546 0xf547 }; + +# add for test +debug_only(` + allow accountmgr sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/file_contexts b/prebuilts/api/5.0/ohos_policy/account/os_account/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..8c752ae685e67f40c0c3481c9d989d9a37a96657 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/file_contexts @@ -0,0 +1,25 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/account u:object_r:account_data_file:s0 +/data/service/el1/public/account/[0-9]+(/.*)? u:object_r:account_data_file:s0 +/data/service/el2/[0-9]+/account(/.*)? u:object_r:account_data_el2_file:s0 +/data/service/el1/public/account/account_list.json u:object_r:account_data_file:s0 +/data/service/el1/public/account/account_index_info.json u:object_r:account_data_file:s0 +/data/service/el1/public/account/account_info_digest.json u:object_r:account_data_file:s0 + +/data/service/el1/public/account/base_os_account_constraints.json u:object_r:account_data_file:s0 +/data/service/el1/public/account/global_os_account_constraints.json u:object_r:account_data_file:s0 +/data/service/el1/public/account/specific_os_account_constraints.json u:object_r:account_data_file:s0 +#/system/etc/account/osaccount_constraints.json u:object_r:account_data_file:s0 +#/system/etc/account/constraints_list_collection.json u:object_r:account_data_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/foundation.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..f4f5f0d91c00f6215e16bebe74b571db374fd1cb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accountmgr:binder { call }; +allow foundation accountmgr:dir { search }; +allow foundation accountmgr:file { read open getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..b847ea6765af53bf3a5c4d61d26177398c901020 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/hap_domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { use } for pid=554 comm="accountmgr" path="/dev/ashmem" dev="tmpfs" ino=170 scontext=u:r:system_core_hap:s0 tcontext=u:r:accountmgr:s0 tclass=fd permissive=1 +allow hap_domain accountmgr:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/hiview.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..2be6a6f95c8d8bb16fddcedaa9f659465e77b300 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/hiview.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hiview sa_accountmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/init.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..5eea56a7e1132b43a100c3fbed8b0c3b01397b70 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/init.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init accountmgr:process { rlimitinh siginh transition }; +dontaudit init accountmgr:process { noatsecure }; + +#allow init accountmgr:binder { call transfer }; +allow init account_data_file:dir { relabelto read open setattr }; +allow init account_data_file:dir { getattr }; +allow init account_data_file:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..f772a8a6e4b2ffdffe0dbe12ade534ce20bfa8ff --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/memmgrservice.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice accountmgr:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..980f128cc36d9d64f7148a9b092a228d26183db7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/normal_hap_attr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr accountmgr:binder { call }; +allow normal_hap_attr sa_accountmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/pinauth.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/pinauth.te new file mode 100644 index 0000000000000000000000000000000000000000..ea9c67b06b8c866bbde28dd3325875e5fa991594 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/pinauth.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pinauth accountmgr:binder { call }; + +# avc: denied { call } for pid=858 comm="IPC_1_914" scontext=u:r:pinauth:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +debug_only(` + allow pinauth sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/samgr.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..ba59ceb197abce4bb3e5bf78dcf763a3e9262544 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/samgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(samgr, accountmgr); +allow samgr accountmgr:dir { search }; +allow samgr accountmgr:file { read open }; +allow samgr accountmgr:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..140d46a0c34bac697bf681cd5ff3a877f557cdb6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/storage_daemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon account_data_el2_file:dir { getattr open read search rmdir write remove_name }; +allow storage_daemon account_data_el2_file:file { getattr open read unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..94e86d31f969a5890f22072d7796b338df6262b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr accountmgr:binder { call }; +allow system_basic_hap_attr sa_accountmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3c71a10caf4a600d2dd34cae3b67d369bde0d93f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr accountmgr:binder { call }; +allow system_core_hap_attr sa_accountmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/time_service.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c03df7a54fac934f0681d0d4fece969894149a70 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/time_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow time_service sa_accountmgr:samgr_class { get }; +allow time_service accountmgr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/account/os_account/system/useriam.te b/prebuilts/api/5.0/ohos_policy/account/os_account/system/useriam.te new file mode 100644 index 0000000000000000000000000000000000000000..8183384ea4c7e3aa17a3893cdeac23454335e321 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/account/os_account/system/useriam.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=510 comm="useriam" scontext=u:r:useriam:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +debug_only(` + allow useriam sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service.te new file mode 100644 index 0000000000000000000000000000000000000000..72fee34d5e7a432dfe90ba51d4c8d2c2840c6e44 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_intell_voice_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service_contexts b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..bf3bcbd32834fb3635d29a248db25faa20b9c9b1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +312 u:object_r:sa_intell_voice_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/type.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..8d8e9bd28be4bff7bd125af2ba2fb32050bd40bc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type intell_voice_service, sadomain, domain; + diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..9240c4e3d0e1b00fe47f5e7276f997a73c0f461c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/audio_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server intell_voice_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..363ee37702c879de120dac25fd0db39758810615 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/distributeddata.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=1171 comm="distributeddata" scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=1199 comm="IPC_2_2180" scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow distributeddata intell_voice_service:binder { transfer call }; + +# avc: denied { search } for pid=1063 comm="IPC_7_2150" name="24482" dev="proc" ino=228421 scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=dir permissive=0 +allow distributeddata intell_voice_service:dir { search }; + +# avc: denied { read } for pid=1075 comm="IPC_5_2126" name="cgroup" dev="proc" ino=226160 scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=file permissive=0 +# avc: denied { open } for pid=1108 comm="IPC_9_3270" path="/proc/7282/cgroup" dev="proc" ino=350941 scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=1094 comm="IPC_2_1833" path="/proc/19623/cgroup" dev="proc" ino=188442 scontext=u:r:distributeddata:s0 tcontext=u:r:intell_voice_service:s0 tclass=file permissive=0 +allow distributeddata intell_voice_service:file { read open getattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/foundation.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..d319a9e8ab43d5cd7a02d31d8d0ee6d8c3e22c00 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1180 comm="InnerInputManag" scontext=u:r:foundation:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=1 +allow foundation intell_voice_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..193d4addfe69482e4e92ed215926e320e7bfdec9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/hdf_devmgr.te @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=482 comm="IPC_1_493" name="618" dev="proc" ino=19537 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=dir permissive=0 +allow hdf_devmgr intell_voice_service:dir { search }; + +# avc: denied { read } for pid=482 comm="IPC_5_1102" name="current" dev="proc" ino=404 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=file permissive=0 +# avc: denied { open } for pid=485 comm="IPC_3_1005" path="/proc/626/attr/current" dev="proc" ino=18879 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=file permissive=0 +allow hdf_devmgr intell_voice_service:file { open read }; + +# avc: denied { getattr } for pid=484 comm="IPC_0_494" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=process permissive=0 +allow hdf_devmgr intell_voice_service:process { getattr }; + +# avc: denied { call } for pid=463 comm="IPC_4_1056" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=476 comm="IPC_1_486" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow hdf_devmgr intell_voice_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/init.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..6559a738ce811c47a68f0620fc4ca2e0bb79de64 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/init.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transition } for pid=989 comm="init" path="/system/bin/sa_main" dev="sdd74" ino=462 scontext=u:r:init:s0 tcontext=u:r:intell_voice_service:s0 tclass=process permissive=0 +# avc: denied { rlimitinh } for pid=622 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:intell_voice_service:s0 tclass=process permissive=0 +# avc: denied { siginh } for pid=622 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:intell_voice_service:s0 tclass=process permissive=0 +allow init intell_voice_service:process { transition rlimitinh siginh }; + +# avc: denied { transition } for pid=7035 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd72" ino=34 scontext=u:r:init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 +allow init intell_voice_host:process { transition }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te new file mode 100644 index 0000000000000000000000000000000000000000..8a78d4fac1a725689dd3ff35066f135fc8b4bca2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/intell_voice_service.te @@ -0,0 +1,255 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=intell_voice_trigger_manager_service pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:default_hdf_service:s0 tclass=hdf_devmgr_class permissive=1 +allow intell_voice_service hdf_intell_voice_trigger_manager_service:hdf_devmgr_class { get }; + +# avc: denied { get } for service=intell_voice_engine_manager_service pid=12739 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:hdf_intell_voice_engine_manager_service:s0 tclass=hdf_devmgr_class permissive=0 +allow intell_voice_service hdf_intell_voice_engine_manager_service:hdf_devmgr_class { get }; + +# avc: denied { add } for service=312 pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:default_service:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_intell_voice_service:samgr_class { add }; + +# avc: denied { get } for service=hdf_device_manager pid=624 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=0 +allow intell_voice_service hdf_device_manager:hdf_devmgr_class { get }; + +# avc: denied { get } for service=3503 pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_accesstoken_manager_service:samgr_class { get }; + +# avc: denied { get } for service=5100 pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_device_service_manager:samgr_class { get }; + +# avc: denied { get } for service=1301 pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_distributeddata_service:samgr_class { get }; + +# avc: denied { get } for service=3299 pid=633 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_foundation_cesfwk_service:samgr_class { get }; + +# avc: denied { search } for pid=594 comm="SaInit0" name="socket" dev="tmpfs" ino=106 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow intell_voice_service dev_unix_socket:dir { search }; + +# avc: denied { read } for pid=587 comm="SaInit1" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=133 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=607 comm="SaInit0" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=133 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=600 comm="IPC_1_738" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=133 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +allow intell_voice_service hilog_param:file { open map read }; + +# avc: denied { search } for pid=658 comm="intell_voice_se" name="/" dev="tracefs" ino=1 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow intell_voice_service tracefs:dir { search }; + +# avc: denied { transfer } for pid=618 comm="SaOndemand" scontext=u:r:intell_voice_service:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=622 comm="SaOndemand" scontext=u:r:intell_voice_service:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=0 +allow intell_voice_service accesstoken_service:binder { call transfer }; + +# avc: denied { search } for pid=622 comm="TaskExecutor" name="/" dev="sdd78" ino=3 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow intell_voice_service data_file:dir { search }; + +# avc: denied { map } for pid=627 comm="SaOndemand" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=618 comm="SaOndemand" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=622 comm="SaOndemand" name="u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow intell_voice_service debug_param:file { open read map }; + +# avc: denied { call } for pid=622 comm="IPC_0_703" scontext=u:r:intell_voice_service:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +allow intell_voice_service distributeddata:binder { call transfer }; + +# avc: denied { transfer } for pid=618 comm="IPC_1_683" scontext=u:r:intell_voice_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=622 comm="SaOndemand" scontext=u:r:intell_voice_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +allow intell_voice_service foundation:binder { call transfer }; + +# avc: denied { transfer } for pid=618 comm="SaOndemand" scontext=u:r:intell_voice_service:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=622 comm="SaOndemand" scontext=u:r:intell_voice_service:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +allow intell_voice_service hdf_devmgr:binder { call transfer }; + +# avc: denied { map } for pid=627 comm="SaOndemand" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=139 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=618 comm="SaOndemand" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=139 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=622 comm="SaOndemand" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=139 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +allow intell_voice_service persist_sys_param:file { open read map }; + +# avc: denied { open } for pid=618 comm="sa_main" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=29821 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=622 comm="sa_main" name="overcommit_memory" dev="proc" ino=28161 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=0 +allow intell_voice_service proc_file:file { open read }; + +# avc: denied { getattr } for pid=627 comm="intell_voice_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +# avc: denied { open } for pid=618 comm="intell_voice_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +# avc: denied { read } for pid=622 comm="intell_voice_se" name="online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow intell_voice_service sysfs_devices_system_cpu:file { open read getattr }; + +# avc: denied { search } for pid=618 comm="TaskExecutor" name="service" dev="sdd78" ino=7 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +allow intell_voice_service data_service_file:dir { search }; + +# avc: denied { read } for pid=641 comm="SaOndemand" name="single_ver" dev="sdd78" ino=7790 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=638 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver" dev="sdd78" ino=7790 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { remove_name } for pid=614 comm="SaOndemand" name="single_ver" dev="sdd78" ino=7790 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { rmdir } for pid=625 comm="SaOndemand" name="single_ver" dev="sdd78" ino=7790 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=633 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver/main" dev="sdd78" ino=19562 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { setattr } for pid=633 comm="SaOndemand" name="main" dev="sdd78" ino=19562 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { write } for pid=626 comm="SaOndemand" name="intell_voice_service_manager" dev="sdd78" ino=232 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=629 comm="SaOndemand" name="kvdb" scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=624 comm="SaOndemand" name="kvdb" scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=627 comm="TaskExecutor" name="el1" dev="sdd78" ino=11 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +allow intell_voice_service data_service_el1_file:dir { search write create add_name read open remove_name rmdir getattr setattr }; + +# avc: denied { create } for pid=643 comm="SaOndemand" name="single_ver_db_incomplete.lock" scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { write open } for pid=641 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver_db_incomplete.lock" dev="sdd78" ino=8227 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=627 comm="SaOndemand" name="gen_natural_store.db" dev="sdd78" ino=20010 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=616 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver/main/gen_natural_store.db" dev="sdd78" ino=20010 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=639 comm="SaOndemand" name="gen_natural_store.db" dev="sdd78" ino=20010 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=639 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver/main/gen_natural_store.db" dev="sdd78" ino=25900 ioctlcmd=0xf50c scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { lock } for pid=639 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver/main/gen_natural_store.db" dev="sdd78" ino=25900 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { map } for pid=627 comm="SaOndemand" path="/data/service/el1/public/database/intell_voice_service_manager/kvdb/b3d8655ead59fa38a8343d30b2db86909f3b069f186c3816d9961c290b5ba9a7/single_ver/main/gen_natural_store.db-shm" dev="sdd78" ino=5937 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { setattr } for pid=627 comm="SaOndemand" name="gen_natural_store.db" dev="sdd78" ino=6349 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow intell_voice_service data_service_el1_file:file { setattr create write open read getattr unlink ioctl lock map }; +allowxperm intell_voice_service data_service_el1_file:file ioctl { 0xf50c 0xf546 0xf547 }; + +# avc: denied { use } for pid=1199 comm="IPC_2_2180" path="/dev/ashmem" dev="tmpfs" ino=581 scontext=u:r:intell_voice_service:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=0 +allow intell_voice_service distributeddata:fd { use }; + +# avc: denied { transfer } for pid=596 comm="IPC_1_649" scontext=u:r:intell_voice_service:s0 tcontext=u:r:audio_host:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=643 comm="IPC_1_675" scontext=u:r:intell_voice_service:s0 tcontext=u:r:audio_host:s0 tclass=binder permissive=0 +allow intell_voice_service audio_host:binder { call transfer }; + +# avc: denied { search } for pid=17884 comm="intell_voice_se" name="etc" dev="sdd73" ino=41 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=0 +allow intell_voice_service sys_prod_file:dir { search }; + +# avc: denied { open } for pid=17884 comm="IPC_0_18004" path="/dev/ashmem" dev="tmpfs" ino=581 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow intell_voice_service dev_ashmem_file:chr_file { open }; + +# avc: denied { search } for pid=18039 comm="dump_tmp_thread" name="bin" dev="sdd74" ino=237 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0 +allow intell_voice_service system_bin_file:dir { search }; + +# avc: denied { call } for pid=20234 comm="intell_voice_se" scontext=u:r:intell_voice_service:s0 tcontext=u:r:intell_voice_host:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=7282 comm="IPC_3_7440" scontext=u:r:intell_voice_service:s0 tcontext=u:r:intell_voice_host:s0 tclass=binder permissive=0 +allow intell_voice_service intell_voice_host:binder { call transfer }; + +# avc: denied { call } for pid=24893 comm="IPC_0_25005" scontext=u:r:intell_voice_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=19073 comm="IPC_2_19154" scontext=u:r:intell_voice_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +allow intell_voice_service normal_hap_attr:binder { transfer call }; + +# avc: denied { get } for service=3009 pid=11437 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_audio_policy_service:samgr_class { get }; + +# avc: denied { transfer } for pid=23348 comm="IPC_0_23464" scontext=u:r:intell_voice_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=11529 comm="intell_voice_se" scontext=u:r:intell_voice_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=0 +allow intell_voice_service audio_server:binder { call transfer }; + +# avc: denied { read } for pid=599 comm="threaded-ml" name="cache" dev="sdd78" ino=4315 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 +# avc: denied { add_name } for pid=627 comm="IPC_2_7260" name="2023_07_16_16_09_16_.pcm" scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0 +# avc: denied { write } for pid=25639 comm="IPC_1_25766" name="pcm_data" dev="sdd78" ino=4761 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=12584 comm="IPC_3_12689" name="data" dev="sdd78" ino=4235 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=700 comm="threaded-ml" path="/data/data/intell_voice/cache" dev="sdd91" ino=4770 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=700 comm="threaded-ml" path="/data/data/intell_voice/cache" dev="sdd91" ino=4770 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=700 comm="IPC_2_2968" name="cookie" dev="sdd91" ino=13095 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 +allow intell_voice_service data_data_file:dir { search write add_name getattr open remove_name read }; + +# avc: denied { getattr } for pid=23348 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="sdd78" ino=4737 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=23848 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="sdd78" ino=4737 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=0 +# avc: denied { read } for pid=19545 comm="threaded-ml" name="state" dev="sdd78" ino=4737 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=12624 comm="IPC_0_12710" name=".pulse_dir" dev="sdd78" ino=4271 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=0 +allow intell_voice_service data_data_pulse_dir:dir { open search read getattr }; + +# avc: denied { write } for pid=29312 comm="IPC_1_29464" name="native" dev="tmpfs" ino=759 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:native_socket:s0 tclass=sock_file permissive=0 +allow intell_voice_service native_socket:sock_file { write }; + +# avc: denied { connectto } for pid=11468 comm="IPC_3_11564" path="/dev/unix/socket/native" scontext=u:r:intell_voice_service:s0 tcontext=u:r:audio_server:s0 tclass=unix_stream_socket permissive=0 +allow intell_voice_service audio_server:unix_stream_socket { connectto }; + +# avc: denied { read } for pid=19545 comm="threaded-ml" name="cookie" dev="sdd78" ino=4822 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=0 +# avc: denied { read write } for pid=19545 comm="threaded-ml" name="cookie" dev="sdd78" ino=4822 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=0 +# avc: denied { open } for pid=23848 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="sdd78" ino=4822 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=0 +# avc: denied { lock } for pid=23348 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="sdd78" ino=4822 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=0 +allow intell_voice_service data_data_pulse_dir:file { open read read write lock }; + +# avc: denied { getopt } for pid=23348 comm="IPC_0_23464" scontext=u:r:intell_voice_service:s0 tcontext=u:r:intell_voice_service:s0 tclass=unix_dgram_socket permissive=0 +# avc: denied { setopt } for pid=23348 comm="IPC_0_23464" scontext=u:r:intell_voice_service:s0 tcontext=u:r:intell_voice_service:s0 tclass=unix_dgram_socket permissive=0 +allow intell_voice_service intell_voice_service:unix_dgram_socket { getopt setopt }; + +# avc: denied { get } for service=3001 pid=23348 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_pulseaudio_audio_service:samgr_class { get }; + +# avc: denied { get } for service=401 pid=627 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_foundation_bms:samgr_class { get }; + +# avc: denied { lock } for pid=700 comm="threaded-ml" path="/data/data/intell_voice/cache/cookie" dev="sdd91" ino=13095 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=700 comm="threaded-ml" name="cookie" dev="sdd91" ino=13095 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=1 +# avc: denied { unlink } for pid=700 comm="IPC_2_2968" name="cookie" dev="sdd91" ino=13095 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=1 +# avc: denied { write open } for pid=596 comm="IPC_2_7119" path="/data/data/intell_voice/pcm_data/2023_07_16_16_41_33_.pcm" dev="sdd78" ino=11625 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=596 comm="intell_voice_se" path="/data/data/intell_voice/pcm_data/2023_07_16_17_05_39_.pcm" dev="sdd78" ino=11994 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=596 comm="intell_voice_se" path="/data/data/intell_voice/pcm_data/2023_07_16_17_05_39_.pcm" dev="sdd78" ino=11994 ioctlcmd=0x5413 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=0 +# avc: denied { create } for pid=587 comm="intell_voice_se" name="2023_07_16_16_30_28_.pcm" scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=file permissive=0 +allow intell_voice_service data_data_file:file { write open getattr ioctl create lock read unlink }; +allowxperm intell_voice_service data_data_file:file ioctl { 0x5413 }; + +# avc: denied { use } for pid=7010 comm="IPC_0_7020" path="/dev/ashmem" dev="tmpfs" ino=581 scontext=u:r:intell_voice_service:s0 tcontext=u:r:intell_voice_host:s0 tclass=fd permissive=0 +allow intell_voice_service intell_voice_host:fd { use }; + +# avc: denied { get } for service=180 pid=600 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { transfer } for pid=596 comm="IPC_3_7292" scontext=u:r:intell_voice_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=608 comm="intell_voice_se" scontext=u:r:intell_voice_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0 +allow intell_voice_service system_basic_hap_attr:binder { transfer call }; + +# avc: denied { map } for pid=599 comm="IPC_0_630" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=138 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=599 comm="IPC_0_630" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=138 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=599 comm="IPC_0_630" name="u:object_r:persist_param:s0" dev="tmpfs" ino=138 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow intell_voice_service persist_param:file { map open read }; + +# avc: denied { get } for service=4009 pid=640 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_tel_state_registry:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_foundation_tel_state_registry:samgr_class { get }; + +# avc: denied { get } for service=3510 pid=759 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_huks_service:samgr_class { get }; + +# avc: denied { call } for pid=790 comm="IPC_3_3181" scontext=u:r:intell_voice_service:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=0 +allow intell_voice_service huks_service:binder { call }; + +# avc: denied { map } for pid=757 comm="SaOndemand" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=157 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=757 comm="SaOndemand" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=157 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=757 comm="SaOndemand" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=157 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +allow intell_voice_service arkcompiler_param:file { map open read }; +allow intell_voice_service ark_writeable_param:file { map open read }; + +# avc: denied { get } for service=3301 pid=826 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_powermgr_powermgr_service:samgr_class { get }; + +# avc: denied { open } for pid=882, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=209 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=864, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=208 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=896, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=209 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +allow intell_voice_service sys_param:file { open read map }; + +# avc_audit_slow:267] avc: denied { search } for pid=890, comm="/system/bin/sa_main" name="/lib64" dev="/dev/block/dm-6" ino=65 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0 +allow intell_voice_service chip_prod_file:dir { search }; + +# avc_audit_slow:267] avc: denied { write } for pid=890, comm="/system/bin/sa_main" path="/dev/kmsg" dev="" ino=22 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0 +allow intell_voice_service dev_kmsg_file:chr_file { write }; + +# avc_audit_slow:267] avc: denied { write } for pid=890, comm="/system/bin/sa_main" path="pipe:[13]" dev="tmpfs" ino=13 scontext=u:r:intell_voice_service:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0 +allow intell_voice_service init:fifo_file { write }; + +# avc_audit_slow:267] avc: denied { call } for pid=5147, comm="/system/bin/sa_main" scontext=u:r:intell_voice_service:s0 tcontext=u:r:powermgr:s0 tclass=binder permissive=1 +# avc_audit_slow:267] avc: denied { transfer } for pid=5147, comm="/system/bin/sa_main" scontext=u:r:intell_voice_service:s0 tcontext=u:r:powermgr:s0 tclass=binder permissive=1 +allow intell_voice_service powermgr:binder { call transfer }; + +# avc_audit_slow:267] avc: denied { call } for pid=890, comm="/system/bin/sa_main" scontext=u:r:intell_voice_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=0 +binder_call(intell_voice_service, privacy_service); + +# avc: denied { get } for service=3505 sid=u:r:intell_voice_service:s0 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_privacy_service:samgr_class { get }; + +# avc_audit_slow:267] avc: denied { read write } for pid=890, comm="/system/bin/sa_main" path="/dev/tty0" dev="" ino=50 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 +allow intell_voice_service tty_device:chr_file { read write }; + +# avc: denied { get } for service=3505 sid=u:r:intell_voice_service:s0 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 +allow intell_voice_service sa_privacy_service:samgr_class { get }; + +#avc: denied { get } for service=4607 pid=640 scontext=u:r:intell_voice_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow intell_voice_service sa_foundation_dms:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3fb17d05a06fbee5b7a04bb32b296b3ff494d223 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/normal_hap.te @@ -0,0 +1,19 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=312 pid=3548 scontext=u:r:normal_hap:s0 tcontext=u:object_r:default_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_intell_voice_service:samgr_class { get }; + +# avc: denied { call } for pid=11051 comm="IPC_3_11213" scontext=u:r:normal_hap:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=14997 comm="hmos.vassistant" scontext=u:r:normal_hap:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow normal_hap_attr intell_voice_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9220af074f958ae2229a6e388ebfea233b616d52 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/intelligent_voice_framework/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=312 pid=2633 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:default_service:s0 tclass=samgr_class permissive=0 +allow system_basic_hap_attr sa_intell_voice_service:samgr_class { get }; + +# avc: denied { transfer } for pid=19359 comm="wei.hmos.wakeup" scontext=u:r:system_basic_hap:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow system_basic_hap_attr intell_voice_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/ai/large_model_engine/public/attributes b/prebuilts/api/5.0/ohos_policy/ai/large_model_engine/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..6c45b0b424f4678e3dbae71a4137049fd3a83c8a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ai/large_model_engine/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute sys_prod_ai_model_llm_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/public/type.te b/prebuilts/api/5.0/ohos_policy/ark/runtime/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..3409557e91a43d4d1a8bc65c0758bab60ea28b91 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type ark_lib_file, system_file_attr, exec_attr, jitfort_lib_attr, file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..bed85a697e5934b7583e0fc6d6556d4a9b696101 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/appspawn.te @@ -0,0 +1,34 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn appspawn:process { execmem }; +allow appspawn debug_param:parameter_service { set }; +allow appspawn persist_sys_param:parameter_service { set }; +allow appspawn arkui_param:parameter_service { set }; +allow system_basic_hap_attr appspawn:unix_stream_socket { write }; +allow system_basic_hap_attr appspawn:unix_stream_socket { read }; +allow normal_hap data_local_arkcache:file { map execute read open}; +allow system_basic_hap_attr data_local_arkcache:file { map execute read open}; +allow system_core_hap_attr data_local_arkcache:file { map execute read open }; +allow appspawn data_local_arkcache:dir { search mounton}; +allow normal_hap data_local_arkcache:dir { search}; +allow system_basic_hap_attr data_local_arkcache:dir { search}; +allow system_core_hap_attr data_local_arkcache:dir {search}; +allow hap_domain key_enable:key { search }; +allow hap_domain data_local_arkprofile:file { create getattr ioctl map open read rename unlink write }; +allowxperm hap_domain data_local_arkprofile:file ioctl { 0x5413 }; +allow hap_domain data_local_arkprofile:dir { add_name remove_name search write }; +allow hap_domain ark_profile:file { map read open }; +allow appspawn data_local_arkprofile:dir { search mounton getattr }; +allow normal_hap appspawn:fifo_file { read }; +allow system_basic_hap appspawn:fifo_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/debugger.te b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/debugger.te new file mode 100644 index 0000000000000000000000000000000000000000..7b9049ada431f781a3b3c638001cc6c1d694d647 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/debugger.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow hap_domain hdcd:unix_stream_socket { connectto read write }; +') + +debug_only(` + allow hap_domain su:unix_stream_socket { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/file_contexts b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b47a8bcc2634af6be89f95f2b0be37c8475449a0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/file_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/lib(64)?/platformsdk/libark_jsruntime.so u:object_r:ark_lib_file:s0 +/system/lib(64)?/libark_jsoptimizer.so u:object_r:ark_lib_file:s0 +/system/lib(64)?/ndk/libjsvm.so u:object_r:ark_lib_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter.te b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..2adc6978a3f1c0a8f6c5dee6ec27f8589c3cc6ca --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type ark_profile, parameter_attr; +type ark_writeable_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..044abe5c4194baaf37156ed51bc4f969a1eb9ef8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/parameter_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ark.profile u:object_r:ark_profile:s0 + +persist.ark.properties u:object_r:ark_writeable_param:s0 +persist.ark.longpausetime u:object_r:ark_writeable_param:s0 +persist.ark.asminterpreter u:object_r:ark_writeable_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/ark/runtime/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..12294386821b864ef2bca77b27a816fc90720557 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/ark/runtime/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr debug_param:parameter_service { set }; +allow system_core_hap_attr persist_sys_param:parameter_service { set }; +allow system_core_hap_attr arkui_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..a23517d3e1c9679a9c5542886b5dc0c41c34da33 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/accessibility.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# enable accessibility call binder in sh (binder of accessibility-client in uitest process) +developer_only(` + allow accessibility uitest:binder { call transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/file_contexts b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f2c0fdb6f0f730b0973a1f40b6ba032bef483c8d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/uitest u:object_r:uitest_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/foundation.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..86ed18cd3fb5222a98fbe8afcef9f8d958562b99 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow foundation uitest:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/hiview.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..39a5830af1b0e56f31485546d0623bf6e3358895 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/hiview.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow hiview module_update_service:binder { call }; + allow hiview uitest:dir { search }; + allow hiview uitest:file { getattr open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..76f8efcc8b1b15008ff35d52b511f451c69b01fc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow normal_hap_attr uitest:binder { call transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..3061ce98714a7806ac1ca874232293a26406bc63 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/param_watcher.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow param_watcher dev_console_file:chr_file { read write }; + allow param_watcher uitest:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/samgr.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..417f8117a3c4743be27d5014668cac5791a988b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/samgr.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow samgr uitest:dir { search read }; + allow samgr uitest:file { map open read }; + allow samgr uitest:process { getattr }; + allow samgr uitest:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e1e134df024b450b7c69895dc3b1eeac565b0897 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_basic_hap.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow system_basic_hap_attr uitest:binder { call transfer }; + allow system_basic_hap_attr ffrt_param:parameter_service { set }; +') +allow system_basic_hap_attr data_app_el1_file:file { execute }; +allow system_basic_hap_attr system_basic_hap_attr:tcp_socket { create setopt bind listen accept read write }; +allow system_basic_hap_attr port:tcp_socket { name_bind }; +allow system_basic_hap_attr node:tcp_socket { node_bind }; diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e17c549923b2da249f88e2417924cf0f9e5a8c85 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/system_core_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow system_core_hap_attr uitest:binder { call transfer}; +') +allow system_core_hap_attr data_app_el1_file:file { execute }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { create }; diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/type.te b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..34d7ef0e3c59b4a4fe565cdf9583f94155b7df7b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/arkXtest/system/type.te @@ -0,0 +1,91 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow uitest {data_file_attr -data_local_tmp}:file {execute}; + +debug_only(` + domain_auto_transition_pattern(su, uitest_exec, uitest); +') + +developer_only(` + allow uitest sa_accessibleabilityms:samgr_class { get }; + allow uitest accessibility:binder { call transfer }; + allow uitest foundation:binder { call transfer }; + allow uitest sa_foundation_dms:samgr_class { get }; + allow uitest sa_foundation_cesfwk_service:samgr_class { get }; + allow uitest sa_foundation_abilityms:samgr_class { get }; + allow uitest multimodalinput:binder { call }; + allow uitest sa_multimodalinput_service:samgr_class { get }; + allow uitest normal_hap_data_file_attr:file { getattr ioctl read write }; + allow uitest normal_hap_attr:fd { use }; + allow uitest normal_hap_attr:binder { call }; + allowxperm uitest normal_hap_data_file_attr:file ioctl { 0x5413 }; + allow uitest system_bin_file:dir { search }; + allow uitest render_service:fd { use }; + allow uitest data_file:dir { search }; + allow uitest data_local:dir { search }; + # allow uitest load and execute test tool in data_local_tmp in developer mode + allow uitest data_local_tmp:file { read create write open ioctl getattr map execute }; + allow uitest uitest:tcp_socket { accept read write setopt create bind name_bind node_bind listen }; + allow uitest port:tcp_socket { name_bind name_connect }; + allow uitest node:tcp_socket { node_bind }; + allowxperm uitest devpts:chr_file ioctl { 0x5413 }; + allow uitest dev_kmsg_file:chr_file { write }; + allow uitest key_enable:key { search }; + allow uitest data_local_tmp:dir { search map open create write read add_name}; + allowxperm uitest data_local_tmp:file ioctl { 0x5413 }; + allow uitest dev_unix_socket:dir { search }; + allow uitest dev_ashmem_file:chr_file { open }; + allow uitest dev_console_file:chr_file { read write }; + allow uitest hdcd:fifo_file { read write ioctl }; + allow uitest hdcd:fd { use }; + allow uitest hdcd:unix_stream_socket { read write }; + allowxperm uitest hdcd:fifo_file ioctl { 0x5413 }; + allow uitest samgr:binder { call }; + allow uitest sh:fd { use }; + allow uitest sh:fifo_file { write }; + allow uitest tty_device:chr_file { read write }; + allow render_service sh:binder { call transfer }; + + domain_auto_transition_pattern(aa, uitest_exec, uitest); + allow hdcd uitest:process {signal}; + allow uitest system_basic_hap_attr:binder { call }; + allow uitest sa_foundation_wms:samgr_class { get }; + allow uitest arkcompiler_param:file { open read map }; + allow uitest ark_writeable_param:file { open read map }; + allow uitest devpts:chr_file { read write }; + allow uitest system_basic_hap_attr:fd { use }; + allow uitest system_basic_hap_data_file_attr:file { read write getattr write }; + allowxperm uitest system_basic_hap_data_file_attr:file ioctl { 0x5413 0xf50c }; + allow hidumper_service uitest:dir { search }; + allow hidumper_service uitest:file { open getattr }; + allow uitest hidumper_service:binder { call }; + allow hidumper_service uitest:fd { use }; + allow uitest sa_dfx_sys_hidumper_ability:samgr_class { get }; + allow uitest aa:fd { use }; + allow foundation uitest:binder {transfer}; + allow uitest multimodalinput:fd {use}; + allow uitest multimodalinput:unix_stream_socket { read write }; + # allow sh kill uitest in deverloper mode + allow sh uitest:process { sigkill }; + allow uitest pasteboard_service:binder { call }; + allow uitest sa_pasteboard_service:samgr_class { get }; + allow uitest samgr:binder { transfer }; + allow uitest persist_sys_param:file { map read open }; + allow uitest sa_param_watcher:samgr_class { get }; + allow uitest param_watcher:binder { call transfer }; + + allow uitest sa_test_server:samgr_class { get }; + allow uitest test_server:binder { call transfer }; + allow uitest samgr:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service.te b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service.te new file mode 100644 index 0000000000000000000000000000000000000000..26701048a0ba9d59142d660d56a7a15c57dab0d8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_test_server, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service_contexts b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..dc0e06a279ab1c397774419d4d8df14383600d22 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +5502 u:object_r:sa_test_server:s0 diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/test_server.te b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/test_server.te new file mode 100644 index 0000000000000000000000000000000000000000..c46d1382924d51c895571e9b5674fbac8d6c0b68 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/test_server.te @@ -0,0 +1,51 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain developer_only(`-uitest -wukong') debug_only(`-uitest -wukong') -SP_daemon -sp_daemon_get } sa_test_server:samgr_class { get }; +developer_only(` + allow test_server sa_test_server:samgr_class { add }; + allow test_server hilog_param:file { read open }; + allow test_server samgr:binder { call }; + allow test_server uitest:binder { call }; + allow test_server dev_unix_socket:dir { search }; + allow test_server aa:binder { call }; + allow test_server pasteboard_service:binder { call }; + allow test_server sa_pasteboard_service:samgr_class { get }; + allow test_server sa_foundation_cesfwk_service:samgr_class { get }; + allow test_server foundation:binder {call transfer}; + allow test_server SP_daemon:binder { call }; + allow test_server sa_resource_schedule_socperf_server:samgr_class { get }; + allow test_server resource_schedule_service:binder { call transfer }; + allow test_server samgr:binder { transfer }; + allow pasteboard_service test_server:fd { use }; + allow test_server dev_ashmem_file:chr_file { open }; +') + +debug_only(` + allow test_server sa_test_server:samgr_class { add }; + allow test_server hilog_param:file { read open }; + allow test_server samgr:binder { call }; + allow test_server uitest:binder { call }; + allow test_server dev_unix_socket:dir { search }; + allow test_server aa:binder { call }; + allow test_server pasteboard_service:binder { call }; + allow test_server sa_pasteboard_service:samgr_class { get }; + allow test_server sa_foundation_cesfwk_service:samgr_class { get }; + allow test_server foundation:binder {call transfer}; + allow test_server SP_daemon:binder { call }; + allow test_server sa_resource_schedule_socperf_server:samgr_class { get }; + allow test_server resource_schedule_service:binder { call transfer }; + allow test_server samgr:binder { transfer }; + allow pasteboard_service test_server:fd { use }; + allow test_server dev_ashmem_file:chr_file { open }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/type.te b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..1cadc54e3a6ea466edbb72bb220c241a3581cbbe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type test_server, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/init.te b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..b0b096f9026c5984e8548104e98d497bf74593f5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/init.te @@ -0,0 +1,20 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow init test_server:process { rlimitinh siginh transition }; +') + +debug_only(` + allow init test_server:process { rlimitinh siginh transition }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/samgr.te b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..dda8fc2bf9bff6839c85eb0da2d04e976594ca19 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkXtest/testserver/system/samgr.te @@ -0,0 +1,22 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow samgr uitest:binder { call }; + allow samgr sa_test_server:binder { transfer }; +') + +debug_only(` + allow samgr uitest:binder { call }; + allow samgr sa_test_server:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/public/type.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..575318cfc830534dbd656c03e917d9c12fbc7557 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_ark_aot_compiler, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/ark_aot_compiler.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/ark_aot_compiler.te new file mode 100644 index 0000000000000000000000000000000000000000..2df3bdb9e5e98797e035d335a8355f6b478aa35e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/ark_aot_compiler.te @@ -0,0 +1,23 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ark_aot_compiler ark_aot_compiler:unix_dgram_socket { getopt setopt }; +allow ark_aot_compiler chip_prod_file:dir { search }; + +allow ark_aot_compiler ark_writeable_param:file { map open read }; +allow ark_aot_compiler compiler_service:fd { use }; +allow ark_aot_compiler data_local_arkprofile:file { ioctl }; +allow ark_aot_compiler dev_kmsg_file:chr_file { write }; +allow ark_aot_compiler tty_device:chr_file { read write }; +allowxperm ark_aot_compiler data_local_arkcache:file ioctl { 0x5413 }; +allowxperm ark_aot_compiler data_local_arkprofile:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/compiler_service.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/compiler_service.te new file mode 100644 index 0000000000000000000000000000000000000000..4ef51ba85fae7cf140f8d73d53e0ac3bc9195503 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/compiler_service.te @@ -0,0 +1,42 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +domain_auto_transition_pattern(compiler_service, ark_aot_compiler_exec, ark_aot_compiler); +allow compiler_service sa_local_code_sign:samgr_class { add get }; +allow compiler_service compiler_service:capability { setgid setuid }; +allow compiler_service sa_local_code_sign:samgr_class { get }; +allow compiler_service local_code_sign:binder { call }; +allow compiler_service hilog_param:file { map open read }; +allow compiler_service ark_writeable_param:file { map read open }; +allow compiler_service data_local_arkcache:file { map read open }; + +allow compiler_service ark_aot_compiler_exec:file { execute execute_no_trans map open read execute read }; +allow compiler_service compiler_service:unix_dgram_socket { getopt setopt }; +allow compiler_service data_local:dir { search }; +allow compiler_service data_local_arkcache:dir { open read search }; +allow compiler_service data_local_arkprofile:dir { search write add_name search write remove_name search }; +allow compiler_service data_local_arkprofile:file { map open read rename }; +allow compiler_service debug_param:file { map open read }; + +allow compiler_service dev_kmsg_file:chr_file { write }; +allow compiler_service dev_unix_socket:dir { search }; +allow compiler_service sa_ark_aot_compiler:samgr_class { add }; +allow compiler_service sysfs_devices_system_cpu:file { getattr open read }; +allow compiler_service tty_device:chr_file { read write }; +allow compiler_service ark_aot_compiler:process { rlimitinh siginh transition sigkill }; +allow compiler_service compiler_service:capability { kill }; +allow compiler_service persist_param:file { map open read }; +allow compiler_service sa_foundation_cesfwk_service:samgr_class { get }; +allow compiler_service foundation:binder { call transfer }; +allow compiler_service data_app_el1_file:dir { search }; +allow compiler_service data_app_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/file_contexts b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5a3a7baea0d90f235a7cf9f6ac77c919dd69b3f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/ark_aot_compiler u:object_r:ark_aot_compiler_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/foundation.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..44b962c4ae58fed57ae41b5637045553ab5a6c4e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation compiler_service:binder { call }; +allow foundation sa_ark_aot_compiler:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/init.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..bcaa2d398b33bc29f5c2c1a2d46e5a3f64b22314 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init compiler_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/installs.te b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..7122870cb652d5f428fdd1d185c858a7ecd3c293 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/installs.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow installs compiler_service:binder { call }; +allow installs sa_ark_aot_compiler:samgr_class { get }; +allow installs code_sign_utils:file { execute getattr map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/service_contexts b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f29eab347cdad9ee162f9106c1bf736f3b78c516 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkcompiler/ets_runtime/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +5300 u:object_r:sa_ark_aot_compiler:s0 diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e4a93e1dd29dc3d095a92b30cd4b1c459c248841 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_subsys_ace_service:samgr_class { get }; +allow normal_hap_attr ui_service:binder { call }; +allow normal_hap_attr ui_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ba1573da4d51da93843f0e9a30c343221a1fa1be --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.ace.debug.boundary.enabled u:object_r:debug_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d909cfc3346f8df450e7ad591dbc14a2274bdec0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_subsys_ace_service:samgr_class { get }; +allow system_core_hap_attr ui_service:binder { call }; +allow system_core_hap_attr ui_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..49c630bcc1ba1dcdc0e9a539c903a7e09dab46dc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ace_engine/system/ui_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ui_service system_core_hap_attr:binder { call }; +allow ui_service normal_hap_attr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d6e58b92d3b7c80fec41c868df1d9137da204f1b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service = 7002 pid=4595 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_ui_appearance:s0 tclass=samgr_class permissive=1 +allow hap_domain sa_ui_appearance:samgr_class { get }; +allow system_basic_hap_attr debug_param:parameter_service { set }; +allow system_basic_hap_attr persist_sys_param:parameter_service { set }; +allow system_basic_hap_attr arkui_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2c445e58b698b082cc46f2a7af4388a971cc2f48 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/arkui/ui_appearance/system/ui_service.te @@ -0,0 +1,34 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ui_service arkui_param:parameter_service { set }; +allow ui_service arkui_param:file { map open read }; +allow ui_service kernel:unix_stream_socket { connectto }; +allow ui_service paramservice_socket:sock_file { write }; +allow ui_service sa_foundation_appms:samgr_class { get }; +allow ui_service sa_ui_appearance:samgr_class { add }; +allow ui_service persist_sys_param:parameter_service { set }; +allow ui_service persist_sys_param:file { open read map }; +allow ui_service sa_accountmgr:samgr_class { get }; +allow ui_service accountmgr:binder { call }; +allow accountmgr ui_service:binder { transfer }; +allow ui_service sa_foundation_cesfwk_service:samgr_class { get }; +allow ui_service accountmgr:fd { use }; +allow ui_service time_service:binder { call transfer }; +allow ui_service sa_time_service:samgr_class { get }; +allow ui_service sa_distributeddata_service:samgr_class { get }; +allow ui_service distributeddata:fd { use }; +allow ui_service distributeddata:binder { call }; +allow time_service ui_service:file { getattr }; +allow time_service ui_service:binder { call transfer }; +allow distributeddata ui_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..1dccdd63ad67164f75f29d6e6aff0b4a192fd997 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/accessibility.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility data_app_el1_file:dir { search }; +allow accessibility data_app_el1_file:file { getattr open read }; +allow accessibility data_app_file:dir { search }; +allow accessibility data_file:dir { search }; +allow accessibility data_service_el1_file:dir { add_name getattr remove_name search write }; +allow accessibility data_service_el1_file:file { create getattr ioctl open read rename setattr unlink write }; +allow accessibility data_service_file:dir { search }; +allow accessibility dev_unix_socket:dir { search }; +allow accessibility foundation:binder { call transfer }; +allow accessibility multimodalinput:binder { call }; +allow accessibility multimodalinput:fd { use }; +allow accessibility multimodalinput:unix_stream_socket { read write }; +allow accessibility normal_hap_attr:binder { call }; +allow accessibility param_watcher:binder { call transfer }; +allow accessibility system_basic_hap_attr:binder { call }; +allow accessibility system_bin_file:dir { search }; +allow accessibility system_core_hap_attr:binder { call }; +allow accessibility system_usr_file:dir { search }; +allow accessibility system_usr_file:file { getattr map open read }; +allow accessibility tracefs:dir { search }; +allow accessibility tracefs_trace_marker_file:file { open write }; +allow accessibility vendor_lib_file:dir { search }; +allow accessibility vendor_lib_file:file { execute getattr map open read }; +allow accessibility sa_foundation_abilityms:samgr_class { get }; +allow accessibility kernel:unix_stream_socket { connectto }; +allow accessibility paramservice_socket:sock_file { write }; +allow accessibility accessibility_param:parameter_service { set }; +allow accessibility persist_sys_param:parameter_service { set }; +allow accessibility sa_powermgr_displaymgr_service:samgr_class { get }; +binder_call(accessibility, powermgr); +allowxperm accessibility data_service_el1_file:file ioctl { 0x5413 }; + +allow accessibility accessibility_param:file { map open read }; +allow accessibility audio_server:binder { call transfer }; + +allow accessibility sa_resource_schedule:samgr_class { get }; +allow accessibility sys_prod_file:dir { search }; +allow accessibility data_storage:dir { search }; + +allow accessibility distributeddata:binder { call }; +allow accessibility distributeddata:fd { use }; +allow distributeddata accessibility:binder { transfer }; +allow accessibility sa_distributeddata_service:samgr_class { get }; +allow accessibility render_service:fd { use }; +allow accessibility render_service:unix_stream_socket { read write }; +allow accessibility dev_mali:chr_file { getattr ioctl map open read write }; +allowxperm accessibility dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x8019 0x801d 0x801e 0x8026 }; +allow render_service accessibility:fd { use }; +allow composer_host accessibility:fd { use }; +allow accessibility allocator_host:fd { use }; +allow accessibility resource_schedule_service:binder { call transfer }; +allow accessibility sysfs_devices_system_cpu:dir { read open }; diff --git a/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..bc7f141571ff7414d090958b86a9fd686e36f89f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/appspawn.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn accessibility_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/foundation.te b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c373a1811d55a9a356a75c79fd1a5791440463ee --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accessibility:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/init.te b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..33f4d46fa5bf9a424d46b8bf95ee7282634a334a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init accessibility:dir { search }; +allow init accessibility:file { open read }; +allow init accessibility:process { getattr }; +allow init accessibility_param:file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7622e0dc8f3e083c2e278511bd762ace17e908c4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/barrierfree/accessibility/system/normal_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr accessibility_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/public/type.te b/prebuilts/api/5.0/ohos_policy/bootanimation/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..288ec2c0a6aa9849539074e93ae2245ff647499c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type bootanimation_exec, exec_attr, file_attr, system_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/system/bootanimation.te b/prebuilts/api/5.0/ohos_policy/bootanimation/system/bootanimation.te new file mode 100644 index 0000000000000000000000000000000000000000..df5c7231adf9e7b95c336052662fc0186833ec4d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/system/bootanimation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bootanimation bootanimation_exec:file { read map execute entrypoint }; + diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/system/file_contexts b/prebuilts/api/5.0/ohos_policy/bootanimation/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5d93e1ee7723125b4acea1c403ccb0041b480bd8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/bootanimation u:object_r:bootanimation_exec:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/system/init.te b/prebuilts/api/5.0/ohos_policy/bootanimation/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..4d4b424509b6f4a39986f20763ee6017b54a11f0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init bootanimation_exec:file { execute execute_no_trans getattr open map read }; + diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter.te b/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..8fe5071b798f34ac4a4a2c1315e7c44a25ababae --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter.te @@ -0,0 +1,23 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type bootanimiation_optimizing_param, parameter_attr; + +allow bootanimiation_optimizing_param tmpfs:filesystem associate; +allow init bootanimiation_optimizing_param:file { map open read relabelto relabelfrom }; +allow init bootanimiation_optimizing_param:parameter_service { set }; + +# avc: denied { read } for pid=5103 comm="/system/bin/bootanimation" path="/system/fonts" dev="/dev/block" scontext=u:r:bootanimation:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=5103 comm="/system/bin/bootanimation" path="/system/fonts" dev="/dev/block" scontext=u:r:bootanimation:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +allow bootanimation system_fonts_file:dir { open read search }; +allow bootanimation system_fonts_file:file { getattr map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3ad5490c3bddc45e9c7240b73b12ae1bf36fd539 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bootanimation/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.bootanimiation.optimizing_apps. u:object_r:bootanimiation_optimizing_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/public/type.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..b97864df15a37d582f491fa3ff9fe1056afec50a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_app_domain_verify_mgr_service, sa_service_attr; +type sa_app_domain_verify_agent, sa_service_attr; +type app_domain_verify_agent, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/accoutmgr.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/accoutmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..9fd771af88adafd388555dfef93325339d7c05b9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/accoutmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr app_domain_verify_agent:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/app_domain_verify_agent.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/app_domain_verify_agent.te new file mode 100644 index 0000000000000000000000000000000000000000..812386c5b1a52baf72314c51786269c04409c51d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/app_domain_verify_agent.te @@ -0,0 +1,40 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow app_domain_verify_agent dev_kmsg_file:chr_file { write open }; +allow app_domain_verify_agent debug_param:file { open read map }; +allow app_domain_verify_agent dev_unix_socket:dir { search }; +allow app_domain_verify_agent sysfs_devices_system_cpu:file { open read getattr }; +allow app_domain_verify_agent netmanager:binder { call }; +allow app_domain_verify_agent app_domain_verify_agent:tcp_socket { create read write getopt setopt connect getattr }; +allow app_domain_verify_agent app_domain_verify_agent:udp_socket { create bind write read connect getattr}; +allow app_domain_verify_agent port:tcp_socket { name_connect }; +allow app_domain_verify_agent netsysnative:unix_stream_socket { connectto }; +allow app_domain_verify_agent foundation:binder { call transfer }; +allow app_domain_verify_agent node:udp_socket { node_bind }; +allow app_domain_verify_agent accountmgr:binder { call }; +allow app_domain_verify_agent sa_app_domain_verify_mgr_service:samgr_class { get }; +allow app_domain_verify_agent sa_app_domain_verify_agent:samgr_class { add get }; +allow app_domain_verify_agent sa_foundation_bms:samgr_class { get }; +allow app_domain_verify_agent sa_accountmgr:samgr_class { get }; +allow app_domain_verify_agent sa_net_conn_manager:samgr_class { get }; +allow app_domain_verify_agent dev_console_file:chr_file { read write }; +allow app_domain_verify_agent persist_param:file { open read map}; +allow app_domain_verify_agent tracefs:dir { search }; +allow app_domain_verify_agent app_domain_verify_agent:unix_dgram_socket { getopt setopt }; +allow app_domain_verify_agent chip_prod_file:dir { search }; +allow app_domain_verify_agent sa_foundation_cesfwk_service:samgr_class { get }; +allow app_domain_verify_agent tty_device:chr_file { write }; +allow app_domain_verify_agent distributeddata:binder { call }; +allow app_domain_verify_agent distributeddata:fd { use }; +allow app_domain_verify_agent sa_distributeddata_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..30c1bcf1e2d8b5326b1fd4a6fe3395452ec284fa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/distributeddata.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata app_domain_verify_agent:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/foundation.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..832c30985e1e9d72214400f79aa7aa82eb54f47b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation app_domain_verify_agent:binder { call transfer }; +allow foundation sa_app_domain_verify_agent:samgr_class { add get }; +allow foundation sa_app_domain_verify_mgr_service:samgr_class { add }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..a8a7293df5324a4ac57b620f181deec8cbf239db --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hap_domain.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_app_domain_verify_mgr_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..5a5dc368a0d789788e845df7a12af9ac209a7e9c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service sa_app_domain_verify_mgr_service:samgr_class { get }; +allow hidumper_service sa_app_domain_verify_agent:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/init.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..20cbbdbf8c70b15fe7fc648e261534cf3d90aa0c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init app_domain_verify_agent:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/service_contexts b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..147bb2bcfc2bbc86e875d82360fdf6073058dcd0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/app_domain_verify/system/service_contexts @@ -0,0 +1,15 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +6200 u:object_r:sa_app_domain_verify_mgr_service:s0 +6201 u:object_r:sa_app_domain_verify_agent:s0 diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/installs.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..80f5af65ff8c8d0fb2e968b7b1cb00c8678bd1c7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/installs.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type installs, sadomain, domain; +type installs_exec, system_file_attr, exec_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/service_router.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/service_router.te new file mode 100644 index 0000000000000000000000000000000000000000..4f93e34aa84e43649e0839a80fe9e42c0a743d58 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/public/service_router.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type service_router, sadomain, domain; +type sa_service_router_mgr_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/ark_aot_compiler.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/ark_aot_compiler.te new file mode 100644 index 0000000000000000000000000000000000000000..7f0ef88636e0ca597629d0109b270378f4920f90 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/ark_aot_compiler.te @@ -0,0 +1,43 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#for ark_aot_compiler run +domain_auto_transition_pattern(installs, ark_aot_compiler_exec, ark_aot_compiler); + +allow ark_aot_compiler code_sign_utils:file { execute getattr map open read }; +allow ark_aot_compiler data_file:dir { search }; +allow ark_aot_compiler installs:fd { use }; +allow ark_aot_compiler key_enable:key { search }; +allow ark_aot_compiler sa_local_code_sign:samgr_class { get }; +allow ark_aot_compiler data_local:dir { search }; +allow ark_aot_compiler local_code_sign:binder { call }; +allow ark_aot_compiler samgr:binder { call transfer }; +allow ark_aot_compiler dev_unix_socket:dir { search }; +allow ark_aot_compiler hook_param:file { read map open }; +allow ark_aot_compiler tracefs:dir { search }; +allow ark_aot_compiler data_local_arkprofile:file { map open read rename create getattr unlink write }; +allow ark_aot_compiler system_file:file { map open read }; +allow ark_aot_compiler hilog_param:file { map open read }; +allow ark_aot_compiler debug_param:file { map open read }; +allow ark_aot_compiler data_local_arkprofile:dir { search add_name remove_name write }; +allow ark_aot_compiler sysfs_devices_system_cpu:file { read getattr open }; +allow ark_aot_compiler data_local_arkcache:dir { add_name create setattr getattr open read remove_name rmdir search write }; +allow ark_aot_compiler data_local_arkcache:file { create getattr ioctl setattr unlink map read open write }; +allowxperm ark_aot_compiler data_local_arkcache:file ioctl { 0x6685 }; + +allow ark_aot_compiler data_app_el1_file:file { map read open read }; +allow ark_aot_compiler data_app_file:dir { search }; +allow ark_aot_compiler data_app_el1_file:dir { search }; +allow ark_aot_compiler sys_prod_file:dir { search }; +allow ark_aot_compiler sys_prod_file:file { map read open }; +allow ark_aot_compiler hiview:unix_dgram_socket { sendto }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/attributes b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/attributes new file mode 100644 index 0000000000000000000000000000000000000000..28d2eb3bbd290c2ef07dc81966ffcef917d05dc9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute bundle_data_app_el1_file; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/bm.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/bm.te new file mode 100644 index 0000000000000000000000000000000000000000..208e20edfc61a43e2f29f65a40eb60c723211b13 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/bm.te @@ -0,0 +1,124 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# add for bm in debug mode +debug_only(` + allow bm samgr:binder { call }; + allow samgr bm:dir { search }; + allow samgr bm:file { open read }; + allow samgr bm:process { getattr }; + allow samgr bm:binder { call transfer }; + allow accountmgr bm:binder { transfer }; + allow hiview bm:dir { search }; + allow hiview bm:file { read open getattr}; + allow hiview sa_multimodalinput_service:samgr_class { get }; + allow bm debug_param:file { map read open }; + allow bm hilog_param:file { map read open }; + allow bm sa_foundation_bms:samgr_class { get }; + allow bm foundation:binder { call transfer }; + allow bm foundation:fd { use }; + allow bm data_service_el1_file:file { read write }; + allow bm hdcd:fd { use }; + allow bm sh:fd { use }; + allow bm hdcd:fifo_file { read write ioctl }; + allowxperm bm hdcd:fifo_file ioctl { 0x5413 }; + allow bm data_file:dir { search getattr read open }; + allow bm data_local:dir read_dir_perms; + allow bm data_local_tmp:dir read_dir_perms; + allow foundation bm:binder { call transfer }; + allow bm hdcd:unix_stream_socket { read write }; + allow bm data_local_tmp:file { read_file_perms }; + allow bm devinfo_private_param:file { read map open }; + allow bm accountmgr:binder { call transfer }; + + allow bm dev_console_file:chr_file { read write }; + allow bm dev_unix_socket:dir { search }; + allow bm data_file:file { getattr read open }; + allow bm sh:fifo_file { write ioctl }; + allow bm sa_accountmgr:samgr_class { get }; + allow bm tracefs:dir { search }; + allow bm data_app_file:dir { search }; + allow bm devpts:chr_file { read write ioctl }; + allow bm tty_device:chr_file { read write }; + allow bm system_file:file { getattr read open }; + allow bm system_file:dir { open read }; + allow bm data_app_el2_file:dir { search }; + allow bm quick_fix:binder { call transfer }; + allow bm sa_foundation_cesfwk_service:samgr_class { get }; + allow bm sa_quick_fix_mgr_service:samgr_class { get }; + allow bm sa_foundation_abilityms:samgr_class { get }; + allow bm sa_foundation_appms:samgr_class { get }; + allow bm dev_kmsg_file:chr_file { write }; + allow bm persist_sys_param:file { map open read }; + allow bm arkcompiler_param:file { map open read }; + allow bm ark_writeable_param:file { map open read }; + allowxperm bm devpts:chr_file ioctl { 0x5413 }; + allowxperm bm sh:fifo_file ioctl { 0x5413 }; +') + +# add for bm in developer mode +developer_only(` + allow bm samgr:binder { transfer }; + allow bm samgr:binder { call }; + allow samgr bm:dir { search }; + allow samgr bm:file { open read }; + allow samgr bm:process { getattr }; + allow samgr bm:binder { call transfer }; + allow accountmgr bm:binder { transfer }; + allow hiview bm:dir { search }; + allow hiview bm:file { read open getattr}; + allow hiview sa_multimodalinput_service:samgr_class { get }; + allow bm debug_param:file { map read open }; + allow bm hilog_param:file { map read open }; + allow bm sa_foundation_bms:samgr_class { get }; + allow bm foundation:binder { call transfer }; + allow bm foundation:fd { use }; + allow bm data_service_el1_file:file { read write }; + allow bm hdcd:fd { use }; + allow bm sh:fd { use }; + allow bm hdcd:fifo_file { read write ioctl }; + allowxperm bm hdcd:fifo_file ioctl { 0x5413 }; + allow bm data_file:dir { search getattr read open }; + allow bm data_local:dir read_dir_perms; + allow bm data_local_tmp:dir read_dir_perms; + allow foundation bm:binder { call transfer }; + allow foundation sh:binder { call transfer }; + allow bm hdcd:unix_stream_socket { read write }; + allow bm data_local_tmp:file { read_file_perms }; + allow bm devinfo_private_param:file { read map open }; + allow bm accountmgr:binder { call transfer }; + + allow bm dev_console_file:chr_file { read write }; + allow bm dev_unix_socket:dir { search }; + allow bm data_file:file { getattr read open }; + allow bm sh:fifo_file { write ioctl }; + allow bm sa_accountmgr:samgr_class { get }; + allow bm tracefs:dir { search }; + allow bm data_app_file:dir { search }; + allow bm devpts:chr_file { read write ioctl }; + allow bm tty_device:chr_file { read write }; + allow bm system_file:file { getattr read open }; + allow bm system_file:dir { open read }; + allow bm data_app_el2_file:dir { search }; + allow bm quick_fix:binder { call transfer }; + allow bm sa_foundation_cesfwk_service:samgr_class { get }; + allow bm sa_quick_fix_mgr_service:samgr_class { get }; + allow bm sa_foundation_abilityms:samgr_class { get }; + allow bm sa_foundation_appms:samgr_class { get }; + allow bm dev_kmsg_file:chr_file { write }; + allow bm persist_sys_param:file { map open read }; + allow bm arkcompiler_param:file { map open read }; + allow bm ark_writeable_param:file { map open read }; + allowxperm bm devpts:chr_file ioctl { 0x5413 }; + allowxperm bm sh:fifo_file ioctl { 0x5413 }; +') diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..194cea53c3c8ff8859f09223893ef6129b3ad72a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type foundation_data_file, file_attr, data_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file_contexts b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..27732d035de9b1c48c93385786f124c30256f067 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/file_contexts @@ -0,0 +1,21 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#installs +/system/bin/installs u:object_r:installs_exec:s0 + +# for sa_main Service +/system/bin/sa_main u:object_r:samain_exec:s0 + +# for bm tool +/system/bin/bm u:object_r:bm_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/foundation.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..433ea1297e0bc12d8c6cfed1791d429e2c16ca43 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/foundation.te @@ -0,0 +1,148 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type bms_param, parameter_attr; + +#domain_auto_transition_pattern(init, samain_exec, foundation); +#allow init samain_exec:file execute_no_trans; + +#binder_call(foundation, appspawn); +#binder_call(foundation, installs); +#binder_call(foundation, deviceauth_service); +#binder_call(foundation, samgr); +#binder_call(foundation, render_service); +#allow foundation hdf_devmgr:binder call; +#allow appspawn foundation:binder call; +#allow deviceauth_service foundation:binder call; + +#allow foundation appspawn:unix_stream_socket connectto; + +#allow foundation vendor_file:dir read_dir_perms; + +#allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read }; + +#allow foundation init:unix_stream_socket connectto; + +# "/system/profile/foundation.xml", O_RDONLY +#allow foundation system_file:file read_file_perms; + +allow foundation multimodalinput:binder call; +allow foundation multimodalinput:unix_stream_socket write; + +allow foundation bms_param:parameter_service { set }; +allow foundation accessibility:binder { call }; +allow foundation accesstoken_service:binder { call }; +allow foundation appspawn:unix_stream_socket { connectto }; +allow foundation appspawn_socket:sock_file { write }; +allow foundation arkcompiler_param:file { read open getattr map }; +allow foundation ark_writeable_param:file { read open getattr map }; +allow foundation bgtaskmgr_service:binder { call transfer }; +allow foundation chip_prod_file:dir { search }; +allow foundation configfs:dir { search }; +allow foundation configfs:file { open write }; +allow foundation data_file:dir { getattr open read search }; +allow foundation data_file:file { getattr map read open }; +allow foundation data_app_el1_file:file { getattr map read }; +allow foundation data_app_el2_file:file { getattr read }; +allow foundation data_service_el1_file:dir { add_name remove_name search write }; +allow foundation data_service_el1_file:file { create ioctl open unlink write write open }; +allow foundation data_service_file:dir { search }; +allow foundation data_system_ce:file { lock }; +allow foundation dev_ashmem_file:chr_file { open }; +allow foundation device_usage_stats_service:binder { call transfer }; +allow foundation deviceauth_service:binder { call transfer }; +allow foundation devinfo_private_param:file { map open read }; +allow foundation dev_unix_socket:dir { search }; +allow foundation dev_unix_socket:sock_file { write }; +allow foundation dev_mali:chr_file { ioctl map read write }; +allow foundation distributeddata:binder { call transfer }; +allow foundation distributedfileservice:binder { call }; +allow foundation distributedsche:binder { call }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation hdf_devmgr:binder { call transfer }; +allow foundation hiview:binder { transfer }; +allow foundation huks_service:binder { call transfer }; +allow foundation inputmethod_service:binder { call }; +allow foundation memmgrservice:binder { call }; +allow foundation msdp_sa:binder { call }; +allow foundation multimodalinput:unix_stream_socket { read }; +allow foundation normal_hap_attr:dir { search }; +allow foundation normal_hap_attr:file { getattr read }; +allow foundation normal_hap_attr:process { sigkill }; +allow foundation update_updater_param:parameter_service { set }; +allow foundation ohos_param:parameter_service { set }; +allow foundation persist_param:parameter_service { set }; +allow foundation power_host:binder { call }; +allow foundation proc_file:file { open read }; +allow foundation render_service:binder { call transfer }; +allow foundation resource_schedule_service:binder { call transfer }; +allow foundation sa_accountmgr:samgr_class { get }; +allow foundation sa_distributed_bundle_mgr_service_service:samgr_class { get }; +allow foundation sa_distributeddata_service:samgr_class { get }; +allow foundation sa_distributeschedule:samgr_class { get }; +allow foundation sa_foundation_abilityms:samgr_class { add get }; +allow foundation sa_foundation_ans:samgr_class { add }; +allow foundation sa_foundation_appms:samgr_class { add get }; +allow foundation sa_foundation_bms:samgr_class { add }; +allow foundation sa_foundation_devicemanager_service:samgr_class { add }; +allow foundation sa_foundation_tel_call_manager:samgr_class { add }; +allow foundation sa_msdp_devicestatus_service:samgr_class { get }; +allow foundation sa_multimodalinput_service:samgr_class { get }; +allow foundation sa_param_watcher:samgr_class { get }; +allow foundation sa_softbus_service:samgr_class { get }; +allow foundation sa_telephony_tel_cellular_call:samgr_class { get }; +allow foundation sa_time_service:samgr_class { get }; +allow foundation screenlock_server:binder { call transfer }; +allow foundation sensors:binder { call }; +allow foundation softbus_server:binder { call transfer }; +allow foundation storage_manager:binder { call transfer }; +allow foundation sys_file:dir { open read }; +allow foundation sys_file:file { ioctl open read }; +allow foundation system_basic_hap_attr:binder { call }; +allow foundation system_basic_hap_attr:fd { use }; +allow foundation system_core_hap_attr:binder { call }; +allow foundation system_core_hap_attr:file { getattr read }; +allow foundation system_core_hap_attr:process { sigkill }; +allow foundation system_file:file { getattr map open read }; +allow foundation time_service:binder { call transfer }; +allow foundation vendor_lib_file:dir { search }; +allow foundation work_scheduler_service:binder { call }; +allow foundation servicectrl_param:parameter_service { set }; +allow foundation sa_download_service:samgr_class get; +allow foundation wifi_manager_service:binder { transfer }; +allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; +allowxperm foundation dev_mali:chr_file ioctl { 0x8002 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8019 0x801d 0x801e 0x8026 }; +allowxperm foundation sys_file:file ioctl { 0x5413 }; + +debug_only(` + allow bms_param tmpfs:filesystem associate; + allow init bms_param:file { map open read relabelto relabelfrom }; + allow domain bms_param:file { map open read }; + allow { param_watcher } bms_param:parameter_service { set }; +') + +allow foundation arkui_param:file { map open read }; +allow foundation storage_daemon:binder { call transfer }; +allow foundation storage_daemon:fd { use }; +allow foundation proc_cmdline_file:file { open read }; +allow foundation hidumper_service:fifo_file { lock }; +allow foundation sa_app_domain_verify_mgr_service:samgr_class { get }; +allow foundation bms_param:file { map open read }; +allow foundation update_updater_param:file { read map open }; +allow foundation data_service_el1_utd_file:dir { search }; +allow foundation data_service_el1_utd_file:file { getattr open read }; +allow foundation data_app_el1_file:dir { getattr search }; +allow foundation data_app_el2_file:dir { getattr search }; +allow foundation data_app_el5_file:dir { getattr search }; +allow foundation data_service_el2_hmdfs:dir { getattr search }; +allow foundation sa_app_fwk_update_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/init.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..dfc1cd55e04fd07b77fa01e60289bd3f70358583 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init service_router:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/installs.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..bb819b1fc286996ee6920f92026e10690b098d68 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/installs.te @@ -0,0 +1,163 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -installs debug_only(` -aa ') -bundle_data_app_el1_file developer_only(`-hnp') -appspawn } data_app_el1_file:file { write }; + +init_daemon_domain(installs); + +allow installs data_app_el1_file:dir { add_name getattr open read remove_name rmdir search write setattr rename reparent }; +allow installs data_app_el1_file:file { create getattr ioctl setattr unlink map read rename relabelfrom relabelto }; +allow installs data_app_el1_file:lnk_file { unlink rename }; +allow installs data_app_el1_file:sock_file { unlink rename }; +allow installs data_app_el2_file:dir { add_name create getattr open read remove_name search setattr write rmdir rename }; +allow installs data_app_el2_file:lnk_file { unlink rename }; +allow installs data_app_el2_file:sock_file { unlink rename }; +allow installs data_app_el5_file:dir { add_name create getattr open read remove_name search setattr write rmdir rename }; +allow installs data_app_el5_file:lnk_file { unlink rename }; +allow installs data_app_el5_file:sock_file { unlink rename }; +allow installs data_app_file:dir { search rename }; +allow installs data_file:file { getattr open read }; +allow installs data_service_el1_file:dir { remove_name search rmdir getattr setattr rename }; +allow installs data_service_el1_file:file { create setattr unlink getattr open read rename write ioctl map relabelfrom }; +allow installs data_service_el2_file:dir { add_name create open read search setattr write getattr rmdir remove_name rename }; +allow installs data_service_el2_hmdfs:dir { getattr setattr rmdir remove_name rename }; +allow installs data_service_el2_hmdfs:file { open read unlink getattr setattr rename }; +allow installs data_service_el2_hmdfs:lnk_file { unlink rename }; +allow installs data_service_el2_hmdfs:sock_file { unlink rename }; +allow installs data_service_el5_file:dir { add_name create open read search setattr write getattr rmdir remove_name rename }; +allow installs data_service_file:dir { search rename }; +allow installs dev_unix_socket:dir { search }; +allow installs normal_hap_data_file_attr:dir { getattr open read relabelfrom relabelto remove_name rmdir search setattr write rename }; +allow installs normal_hap_data_file_attr:file { open read getattr setattr unlink relabelfrom relabelto rename }; +allow installs security:security { check_context }; +allow installs selinuxfs:dir { search }; +allow installs selinuxfs:file { open read write }; +allow installs system_basic_hap_data_file_attr:file { open read getattr setattr unlink relabelfrom relabelto rename }; +allow installs system_basic_hap_data_file_attr:dir { open read relabelfrom relabelto remove_name rmdir search getattr setattr write rename }; +allow installs system_core_hap_data_file_attr:dir { getattr open read relabelfrom relabelto remove_name rmdir search setattr write rename }; +allow installs system_core_hap_data_file_attr:file { create open read getattr setattr unlink relabelfrom relabelto rename }; +allow installs system_file:file { getattr open read }; +allow installs data_service_el2_share:file { open read getattr setattr unlink rename }; +allow installs data_service_el2_share:dir { add_name create open read search remove_name setattr write getattr rmdir rename }; +allow installs data_service_el2_share:lnk_file { unlink rename }; +allow installs data_service_el2_share:sock_file { unlink rename }; +allow installs data_local:file { create getattr ioctl setattr unlink map read open write rename }; +allow installs data_local:dir { add_name create setattr getattr open read remove_name rmdir search write rename }; +allow installs data_local_arkcache:file { create getattr ioctl setattr unlink map read open rename }; +allow installs data_local_arkcache:dir { add_name create setattr getattr open read remove_name rmdir search write rename }; +allow installs data_local_arkprofile:file { create getattr setattr ioctl map open read rename unlink write rename }; +allowxperm installs data_local_arkprofile:file ioctl { 0x5413 }; +allow installs data_local_arkprofile:dir { add_name create setattr getattr open read remove_name rmdir search write rename }; +allow installs data_local_arkprofile:lnk_file { unlink rename }; +allow installs data_local_arkprofile:sock_file { unlink rename }; +allow installs data_local_shadercache:file { create setattr getattr map open read rename unlink write rename }; +allow installs data_local_shadercache:dir { add_name create setattr getattr open read remove_name rmdir search write rename }; +allow installs system_bin_file:file { execute execute_no_trans map read open }; +allow appspawn data_local:dir { add_name create mounton search write read open getattr }; +allow normal_hap_attr data_local:file { getattr open read map create write }; +allow normal_hap_attr data_local:dir { getattr search write add_name }; +allow normal_hap_attr arkcompiler_param:file { getattr open read map }; +allow normal_hap_attr ark_writeable_param:file { getattr open read map }; +allow system_basic_hap_attr data_local:file { getattr open read map create write }; +allow system_basic_hap_attr data_local:dir { getattr search write add_name }; +allow system_basic_hap_attr arkcompiler_param:file { getattr open read map }; +allow system_basic_hap_attr ark_writeable_param:file { getattr open read map }; +allow system_core_hap_attr data_local:file { getattr open read map create write }; +allow system_core_hap_attr data_local:dir { getattr search write add_name }; +allow system_core_hap_attr arkcompiler_param:file { getattr open read map }; +allow system_core_hap_attr ark_writeable_param:file { getattr open read map }; +allowxperm installs data_app_el1_file:file ioctl { 0x5413 }; +allowxperm installs data_service_el1_file:file ioctl 0x5413; +allow installs sa_storage_manager_service:samgr_class { get }; +allow installs storage_manager:binder { call }; +allow installs data_service_el1_public_print_service_file:dir { remove_name getattr setattr rename }; +allow installs data_service_el1_public_print_service_file:file { unlink rename getattr setattr }; +allow installs print_driver_exec:dir { remove_name getattr setattr rename }; +allow installs print_driver_exec:file { unlink rename getattr setattr }; +allow installs dev_console_file:chr_file { read write }; +allow installs sysfs_devices_system_cpu:file { read }; +allow installs tracefs:dir { search }; +allow installs data_app_el1_file:file { ioctl }; +allow installs sysfs_devices_system_cpu:file { open }; +allow installs kernel:key { search }; +allow installs installs:unix_dgram_socket { getopt setopt }; +allowxperm installs data_app_el1_file:file ioctl { 0x6601 0x66c8 }; +allow installs installs:code_sign { add_cert_chain remove_cert_chain }; +allow installs data_service_el0_file:dir { add_name create getattr write open read rmdir remove_name search setattr rename }; +allow installs data_service_el0_file:file { create getattr open read unlink write setattr rename }; +allow installs dev_code_sign:chr_file { ioctl write write open }; +allow installs data_app_el2_file:file { create getattr setattr unlink map read rename relabelfrom relabelto }; +allowxperm installs dev_code_sign:chr_file ioctl { 0x6b01 }; +allow installs data_app_el3_file:file { create getattr setattr unlink map read rename relabelfrom relabelto }; +allow installs data_app_el3_file:dir { add_name create getattr open read relabelfrom remove_name search setattr write rmdir rename }; +allow installs data_app_el4_file:file { create getattr setattr unlink map read rename relabelfrom relabelto }; +allow installs data_app_el4_file:dir { add_name create getattr open read relabelfrom remove_name search setattr write rmdir rename }; +allow installs data_app_el5_file:file { create getattr setattr unlink map read rename relabelfrom relabelto }; +allow installs data_app_el5_file:dir { add_name create getattr open read relabelfrom remove_name search setattr write rmdir rename }; +allow installs normal_hap_data_file_attr:lnk_file { unlink rename }; +allow installs system_basic_hap_data_file_attr:lnk_file { unlink rename }; +allow installs system_core_hap_data_file_attr:lnk_file { unlink rename }; +allow installs normal_hap_data_file_attr:sock_file { unlink rename }; +allow installs system_basic_hap_data_file_attr:sock_file { unlink rename }; +allow installs system_core_hap_data_file_attr:sock_file { unlink rename }; +allow installs data_service_el1_file:dir { relabelfrom }; +allow installs dev_kmsg_file:chr_file { write }; +allow installs proc_file:file { getattr }; +allow installs normal_hap_data_file_attr:dir { add_name create }; +allow installs system_basic_hap_data_file_attr:dir { add_name create }; +allow installs system_core_hap_data_file_attr:dir { add_name create }; +allow installs dev_block_file:dir { search }; +allow installs dev_block_file:lnk_file { read }; +allow installs dev_block_volfile:dir { search }; +allow installs labeledfs:filesystem { quotaget }; +allow installs installs:capability { sys_admin }; +allow installs sa_el5_filekey_manager:samgr_class { get }; +allow installs el5_filekey_manager:binder { call }; +allow installs normal_hap_data_file_attr:dir { ioctl }; +allowxperm installs normal_hap_data_file_attr:dir ioctl { 0xf554 }; +allow installs system_core_hap_data_file_attr:dir { ioctl }; +allowxperm installs system_core_hap_data_file_attr:dir ioctl { 0xf554 }; +allow installs system_basic_hap_data_file_attr:dir { ioctl }; +allowxperm installs system_basic_hap_data_file_attr:dir ioctl { 0xf554 }; +allow installs data_app_el5_file:dir { ioctl }; +allowxperm installs data_app_el5_file:dir ioctl { 0xf554 }; +allow installs foundation:fd { use }; +allow installs normal_hap_data_file:fifo_file { getattr setattr relabelfrom relabelto unlink rename }; +allow installs system_basic_hap_data_file:fifo_file { getattr setattr relabelfrom relabelto unlink rename }; +allow installs system_core_hap_data_file:fifo_file { getattr setattr relabelfrom relabelto unlink rename }; +allow installs normal_hap_data_file_attr:fifo_file { unlink rename }; +allow installs system_basic_hap_data_file_attr:fifo_file { unlink rename }; +allow installs system_core_hap_data_file_attr:fifo_file { unlink rename }; +allow installs data_app_el1_file:fifo_file { unlink rename }; +allow installs data_app_el2_file:fifo_file { unlink rename }; +allow installs data_app_el3_file:fifo_file { unlink rename }; +allow installs data_app_el4_file:fifo_file { unlink rename }; +allow installs data_app_el5_file:fifo_file { unlink rename }; +allow installs data_service_el2_hmdfs:fifo_file { unlink rename }; +allow installs data_service_el2_share:fifo_file { unlink rename }; +allow installs data_local_arkprofile:fifo_file { unlink rename }; +allow installs faultloggerd:fifo_file { write }; +allow installs normal_hap_data_file_attr:lnk_file { getattr read rename }; +allow installs system_core_hap_data_file_attr:lnk_file { getattr read rename }; +allow installs system_basic_hap_data_file_attr:lnk_file { getattr read rename }; +allow installs data_service_el0_file:lnk_file { getattr read rename }; +allow installs data_service_el1_file:lnk_file { getattr read rename }; +allow installs data_service_el2_file:lnk_file { getattr read rename }; +allow installs data_service_el2_hmdfs:lnk_file { getattr read rename }; +allow installs data_user_file:lnk_file { getattr read rename }; +allow installs data_service_el2_share:lnk_file { getattr read rename }; +allow installs unlabeled:dir { add_name ioctl getattr open read relabelfrom remove_name rmdir search setattr write rename }; +allow installs unlabeled:fifo_file { getattr relabelfrom rename setattr unlink read }; +allow installs unlabeled:file { open read ioctl getattr setattr unlink relabelfrom relabelto rename }; +allow installs unlabeled:lnk_file { getattr relabelfrom rename setattr unlink read }; +allow installs unlabeled:sock_file { getattr relabelfrom rename setattr unlink read }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..14b4708c2b284860512d89bd464ffa23abca95f3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/parameter_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.bms. u:object_r:bms_param:s0 +persist.bms.optimizing_apps. u:object_r:bms_param:s0 +const.bms.optimizing_apps. u:object_r:bms_param:s0 +bms.optimizing_apps. u:object_r:bms_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/samgr.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..40f1c4fdbe9b47c7da9d0a3916a05654bd9fe4e7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/samgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr ark_aot_compiler:binder { call transfer }; +allow samgr ark_aot_compiler:dir { search }; +allow samgr ark_aot_compiler:file { read open read }; +allow samgr ark_aot_compiler:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/service_router.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/service_router.te new file mode 100644 index 0000000000000000000000000000000000000000..33d51aa1cb4d71bb2494b1b63cd7e6e79653a9f7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/service_router.te @@ -0,0 +1,40 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow service_router samgr:binder { transfer}; +allow service_router foundation:fd { use }; +allow service_router sa_foundation_cesfwk_service:samgr_class { get }; +allow service_router sa_foundation_bms:samgr_class { get }; +allow service_router sa_form_mgr_service:samgr_class { get }; +allow service_router system_basic_hap_attr:binder { call transfer }; +allow service_router sa_service_router_mgr_service:samgr_class { add }; +allow service_router foundation:binder { call transfer}; +allow service_router hilog_param:file { map open read }; +allow service_router data_file:dir { search }; +allow service_router dev_unix_socket:dir { search }; +allow service_router system_profile_file:file { getattr read open }; +allow service_router data_service_el1_file:dir { search }; +allow service_router data_service_el1_file:file { getattr }; +allow service_router data_service_file:dir { search }; +allow service_router accesstoken_service:binder { call transfer }; +allow service_router sa_accesstoken_manager_service:samgr_class { get }; +allow service_router sa_accountmgr:samgr_class { get }; +allow service_router accountmgr:binder { call transfer}; +allow service_router sa_foundation_abilityms:samgr_class { get }; +allow service_router normal_hap_attr:binder { call }; +allow accountmgr service_router:binder { call transfer}; +allow foundation service_router:binder { call transfer}; +allow system_core_hap_attr service_router:binder { call transfer }; +allow system_basic_hap_attr service_router:binder { call transfer }; +allow system_core_hap_attr sa_service_router_mgr_service:samgr_class { get }; +allow system_basic_hap_attr sa_service_router_mgr_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..719f193887bc56e8a2f60813579e91d36cb5e032 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/bundle_framework/system/system_basic_hap.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr system_basic_hap_attr:binder { transfer }; +allow normal_hap_attr system_file:file { getattr }; +allow system_basic_hap_attr const_param:file { map open read }; +allow system_basic_hap_attr const_postinstall_fstab_param:file { read }; +allow system_basic_hap_attr const_postinstall_param:file { open map read }; +allow system_basic_hap_attr data_service_el1_file:file { open write }; +allow system_basic_hap_attr hw_sc_build_os_param:file { read }; +allow system_basic_hap_attr hw_sc_build_param:file { read }; +allow system_basic_hap_attr hw_sc_param:file { read }; +allow system_basic_hap_attr init_param:file { read }; +allow system_basic_hap_attr init_svc_param:file { map open read }; +allow system_basic_hap_attr net_param:file { read }; +allow system_basic_hap_attr normal_hap_attr:binder { transfer }; +allow system_basic_hap_attr ohos_boot_param:file { map open read }; +allow system_basic_hap_attr ohos_param:file { map open read }; +allow system_basic_hap_attr sys_param:file { open read }; +allow system_basic_hap_attr system_bin_file:dir { search }; +allow system_basic_hap_attr system_file:file { getattr }; +allow system_basic_hap_attr sys_usb_param:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/public/d-bms.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/public/d-bms.te new file mode 100644 index 0000000000000000000000000000000000000000..90bf4e211c1c11179b6293e38175bae5c4efb01b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/public/d-bms.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type d-bms, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/d-bms.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/d-bms.te new file mode 100644 index 0000000000000000000000000000000000000000..66112c0c2019b6a822bd0c7e008676525da771c5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/d-bms.te @@ -0,0 +1,48 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow d-bms accessibility_param:file { map open read }; +allow d-bms accesstoken_service:binder { call transfer }; +allow d-bms accountmgr:binder { call transfer }; +allow d-bms data_file:dir { search }; +allow d-bms device_manager:binder { call transfer }; +allow d-bms devinfo_private_param:file { map open read }; +allow d-bms dev_console_file:chr_file { read write }; +allow d-bms dev_unix_socket:dir { search }; +allow d-bms distributedsche_param:file { read }; +allow d-bms distributeddata:binder { call transfer }; +allow d-bms d-bms:unix_dgram_socket { getopt setopt }; +allow d-bms foundation:binder { call transfer}; +allow d-bms foundation:fd { use }; +allow d-bms sa_accesstoken_manager_service:samgr_class { get }; +allow d-bms sa_accountmgr:samgr_class { get }; +allow d-bms sa_distributeddata_service:samgr_class { get }; +allow d-bms sa_foundation_bms:samgr_class { get }; +allow d-bms sa_foundation_cesfwk_service:samgr_class { get }; +allow d-bms sa_param_watcher:samgr_class { get }; +allow d-bms sa_softbus_service:samgr_class { get }; +allow d-bms softbus_server:binder { call transfer }; +allow d-bms sysfs_devices_system_cpu:file { read open }; +allow d-bms system_basic_hap_attr:binder { call transfer }; +allow d-bms softbus_server:fd { use }; +allow d-bms softbus_server:tcp_socket { read write setopt shutdown }; +allow d-bms startup_param:file { map open }; +allow d-bms sa_distributed_bundle_mgr_service_service:samgr_class { get_remote }; +allow d-bms data_service_el1_file:dir { add_name create getattr open remove_name search read write }; +allow d-bms data_service_el1_file:file { create getattr lock ioctl map open read unlink write setattr }; +allow d-bms data_service_file:dir { search }; +allow init data_udev:sock_file { relabelfrom }; +allow accountmgr d-bms:binder { call transfer }; +allow distributeddata d-bms:binder { call transfer }; +allow foundation d-bms:binder { call transfer }; +allow foundation data_service_el1_file:file { ioctl }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..70233008b161942c74d29707a5deb158c67f76c3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/device_manager.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow device_manager d-bms:binder { call }; +allow device_manager camera_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..4204ca83411a29a2d52564889a0d8374035cf753 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/system_core_hap.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr bluetooth_service:binder { call }; +allow normal_hap_attr bluetooth_service:binder { transfer }; + +allow system_core_hap_attr d-bms:binder { call transfer }; +allow system_core_hap_attr data_service_el1_file:file { read write }; +allow system_core_hap_attr sa_distributed_bundle_mgr_service_service:samgr_class { get }; +allow system_core_hap_attr sa_foundation_devicemanager_service:samgr_class { get }; + +allow system_basic_hap_attr d-bms:binder { call transfer }; +allow system_basic_hap_attr data_service_el1_file:file { read write }; +allow system_basic_hap_attr sa_distributed_bundle_mgr_service_service:samgr_class { get }; +allow system_basic_hap_attr sa_foundation_devicemanager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/watchdog_service.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/watchdog_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1b826ce62e7eae1ae01c623dc728ff074f20cb97 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/distributed_bundle_framework/system/watchdog_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow watchdog_service dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/bundlemanager/ecological_rule_manager/system/ecological_rule_mgr_service.te b/prebuilts/api/5.0/ohos_policy/bundlemanager/ecological_rule_manager/system/ecological_rule_mgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..6fa345a12a118d0cdcd77ab85720884090a9ef88 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/bundlemanager/ecological_rule_manager/system/ecological_rule_mgr_service.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_ecological_rule_mgr_service, sa_service_attr; +allow foundation sa_ecological_rule_mgr_service:samgr_class { add get }; +allow normal_hap sa_ecological_rule_mgr_service:samgr_class { get }; +allow debug_hap sa_ecological_rule_mgr_service:samgr_class { get }; +allow system_core_hap sa_ecological_rule_mgr_service:samgr_class { get }; +allow system_basic_hap sa_ecological_rule_mgr_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..65de00c3d4b7796a9ceb10d705855d5caa6e111b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/distributeddata.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata oaid_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..1175aa5fb379d23c9d939f79f4530a6d1ad95cff --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/foundation.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation oaid_service:binder { transfer call }; +allow foundation oaid_service:dir { search }; +allow foundation oaid_service:file { read open getattr }; +allow foundation oaid_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/init.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..975b0d7acbb9e5e9f07ce3ccae5ffa00fb5069a7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init oaid_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..82fde58101c2cd54b1810c1d0a09d2681497a12c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr oaid_service:binder { call transfer }; +allow normal_hap_attr sa_oaid_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/oaid_service.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/oaid_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d9393ae2b949a7bf9adb4d0db903131a7ee42191 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/oaid_service.te @@ -0,0 +1,91 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type oaid_service, sadomain, domain; + +allow oaid_service sa_foundation_abilityms:samgr_class { get }; +allow oaid_service oaid_service:udp_socket { bind connect create read setopt write }; +allow oaid_service accesstoken_service:binder { call }; +allow oaid_service dev_rtc_file:chr_file { ioctl open read write }; +allow oaid_service data_service_el1_file:dir { create search read write open add_name getattr remove_name rmdir }; +allow oaid_service data_service_el1_file:file { ioctl lock create getattr write open rename read unlink map }; +allow oaid_service data_service_file:dir { search }; +allow oaid_service dev_unix_socket:dir { search }; +allow oaid_service foundation:binder { call transfer }; +allow oaid_service foundation:fd { use }; +allow oaid_service net_param:file { map open read }; +allow oaid_service net_tcp_param:file { open read }; +allow oaid_service node:udp_socket { node_bind }; +allow oaid_service ohos_boot_param:file { map open read }; +allow oaid_service ohos_param:file { map open read }; +allow oaid_service sa_accesstoken_manager_service:samgr_class { get }; +allow oaid_service sa_param_watcher:samgr_class { get }; +allow oaid_service param_watcher:binder { call transfer }; +allow oaid_service sys_param:file { map open read }; +allow oaid_service sys_usb_param:file { map open }; +allow oaid_service system_bin_file:dir { search }; +allowxperm oaid_service dev_rtc_file:chr_file ioctl { 0x700a }; +allow oaid_service hw_sc_build_os_param:file { map open read }; +allow oaid_service hw_sc_build_param:file { map open read read open }; +allow oaid_service hw_sc_param:file { map open read }; +allow oaid_service init_param:file { map open read }; +allow oaid_service init_svc_param:file { map open read }; +allow oaid_service net_tcp_param:file { map }; +allow oaid_service sys_usb_param:file { read }; +allow oaid_service const_param:file { read map open }; +allow oaid_service const_postinstall_fstab_param:file { map open read }; +allow oaid_service const_postinstall_param:file { map open read }; +allow oaid_service const_allow_mock_param:file { map open read }; +allow oaid_service const_allow_param:file { map open read }; +allow oaid_service const_build_param:file { map open read }; +allow oaid_service const_product_param:file { map open read }; +allow oaid_service security_param:file { open read map}; +allow oaid_service hilog_param:file { map open read }; +allow oaid_service persist_param:file { map open read }; +allow oaid_service persist_sys_param:file { read map open}; +allow oaid_service tracefs:dir { search }; +allow oaid_service accessibility_param:file { map open read }; +allow oaid_service bootevent_param:file { map open read }; +allow oaid_service bootevent_samgr_param:file { open read }; +allow oaid_service build_version_param:file { map open read }; +allow oaid_service distributedsche_param:file { map open read }; +allow oaid_service input_pointer_device_param:file { map open read }; +allow oaid_service const_display_brightness_param:file { map open read }; +allow oaid_service tracefs_trace_marker_file:file { read write open }; +allow oaid_service data_file:dir { search }; +allow oaid_service debug_param:file { map open read }; +allow oaid_service default_param:file { map read open }; +allow oaid_service startup_param:file { map open read }; +allow oaid_service sa_oaid_service:samgr_class { add }; +allow oaid_service sa_foundation_bms:samgr_class { get }; +allow oaid_service sa_foundation_cesfwk_service:samgr_class { get }; +allow oaid_service sa_net_conn_manager:samgr_class { get }; +allow oaid_service normal_hap_attr:binder { call transfer }; +allow oaid_service system_basic_hap_attr:binder { call }; +allow oaid_service sa_distributeddata_service:samgr_class { get }; +allow oaid_service musl_param:file { map open read }; +allow oaid_service distributeddata:binder { call transfer }; +allow oaid_service dev_console_file:chr_file { read write }; +allow oaid_service chip_prod_file:dir { search }; +allow oaid_service sys_prod_file:dir { search }; +allow oaid_service vendor_etc_file:dir { search }; +allow oaid_service huks_service:binder { call }; +allow oaid_service sa_huks_service:samgr_class { get }; +allow oaid_service sa_privacy_service:samgr_class { get }; +allow oaid_service privacy_service:binder { call }; + +debug_only(` + allow oaid_service sh:binder { call }; +') + +allowxperm oaid_service data_service_el1_file:file ioctl { 0xf50c 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..cacb51ae420679531e8b31818902e70a3bfa6e10 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher oaid_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5c1628baec765e934febaf9b9f4a0d800f49bdac --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr oaid_service:binder { call }; +allow system_basic_hap_attr sa_oaid_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..02d6adec5bd8559d0fc610df440d3df097e3725f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/cloud/oaid_service/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr oaid_service:binder { call }; +allow system_core_hap_attr sa_oaid_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/public/type.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..8c5ab916d73d1a4492cc067b96460466d017158d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdf_hci_interface_service, hdf_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/a2dp_host.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/a2dp_host.te new file mode 100644 index 0000000000000000000000000000000000000000..ce1a7f102e11e95bfbac83cffa2dc81b26ac79ad --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/a2dp_host.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read } a2dp_host proc_file tclass=file +#avc: denied { open } a2dp_host proc_file tclass=file +allow a2dp_host proc_file:file { read open }; + +#avc: denied { open } a2dp_host musl_param tclass=file +#avc: denied { map } a2dp_host musl_param tclass=file +#avc: denied { read } a2dp_host musl_param tclass=file +allow a2dp_host musl_param:file { open map read }; + +#avc: denied { get } for service=1130 pid=2180 scontext=u:r:a2dp_host:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1 +allow a2dp_host sa_bluetooth_server:samgr_class { get }; + +allow a2dp_host hdf_device_manager:hdf_devmgr_class { get }; +allow a2dp_host hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { add }; +allow a2dp_host hdf_bluetooth_audio_session_service:hdf_devmgr_class { add }; +allow a2dp_host sa_device_service_manager:samgr_class { get }; + +allow a2dp_host bootevent_param:file { map open read }; +allow a2dp_host bootevent_samgr_param:file { map open read }; +allow a2dp_host build_version_param:file { map open read }; +allow a2dp_host const_allow_mock_param:file { map open read }; +allow a2dp_host const_allow_param:file { map open read }; +allow a2dp_host const_build_param:file { map open read }; +allow a2dp_host const_display_brightness_param:file { map open read }; +allow a2dp_host const_param:file { map open read }; +allow a2dp_host const_postinstall_fstab_param:file { map open read }; +allow a2dp_host const_postinstall_param:file { map open read }; +allow a2dp_host const_product_param:file { map open read }; +allow a2dp_host debug_param:file { map open read }; +allow a2dp_host default_param:file { map open read }; +allow a2dp_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow a2dp_host dev_unix_socket:dir { search }; +allow a2dp_host distributedsche_param:file { map open read }; +allow a2dp_host hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { add }; +allow a2dp_host hdf_device_manager:hdf_devmgr_class { get }; +allow a2dp_host hdf_devmgr:binder { call transfer }; +allow a2dp_host hilog_param:file { map open read }; +allow a2dp_host hw_sc_build_os_param:file { map open read }; +allow a2dp_host hw_sc_build_param:file { map open read }; +allow a2dp_host hw_sc_param:file { map open read }; +allow a2dp_host init_param:file { map open read }; +allow a2dp_host init_svc_param:file { map open read }; +allow a2dp_host input_pointer_device_param:file { map open read }; +allow a2dp_host net_param:file { map open read }; +allow a2dp_host net_tcp_param:file { map open read }; +allow a2dp_host ohos_boot_param:file { map open read }; +allow a2dp_host ohos_param:file { map open read }; +allow a2dp_host persist_param:file { map open read }; +allow a2dp_host persist_sys_param:file { map open read }; +allow a2dp_host sa_device_service_manager:samgr_class { get }; +allow a2dp_host samgr:binder { call }; +allow a2dp_host security_param:file { map open read }; +allow a2dp_host startup_param:file { map open read }; +allow a2dp_host sys_param:file { map open read }; +allow a2dp_host system_bin_file:dir { search }; +allow a2dp_host sys_usb_param:file { map open read }; +allow a2dp_host vendor_etc_file:dir { search }; +allow a2dp_host vendor_etc_file:file { getattr open read }; +allowxperm a2dp_host dev_hdf_kevent:chr_file ioctl { 0x6202 0x6203 }; + +#avc: denied { call } for pid=2029 comm="a2dp_host" scontext=u:r:a2dp_host:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2029 comm="a2dp_host" scontext=u:r:a2dp_host:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1 +allow a2dp_host bluetooth_service:binder { call transfer }; + +#avc: denied { open } for a2dp_host dev_ashmem_file tclass=chr_file +allow a2dp_host dev_ashmem_file:chr_file { open }; +allow a2dp_host a2dp_host:capability { sys_nice }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..b6f7542d414b3bfff656821739126a51c35549c6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/audio_server.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=353 comm="audio_server" scontext=u:r:audio_server:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=351 comm="audio_server" scontext=u:r:audio_server:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1 +allow audio_server bluetooth_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/blue_host.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/blue_host.te new file mode 100644 index 0000000000000000000000000000000000000000..9fc5cdcfb931aa0432bd9253b6e709d8fb7203a9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/blue_host.te @@ -0,0 +1,89 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } blue_host data_file tclass=dir +allow blue_host data_file:dir { search }; + +#avc: denied { search } blue_host data_vendor tclass=dir +allow blue_host data_vendor:dir { search }; + +#avc: denied { read } blue_host vendor_file tclass=file +#avc: denied { open } blue_host vendor_file tclass=file +allow blue_host vendor_file:file { read open }; + +#avc: denied { open } blue_host tmpfs tclass=file +allow blue_host tmpfs:file { open }; + +#avc: denied { get } for service=hdf_device_manager pid=362 scontext=u:r:blue_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=hci_interface_service pid=362 scontext=u:r:blue_host:s0 tcontext=u:object_r:hdf_hci_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow blue_host hdf_device_manager:hdf_devmgr_class { get }; +allow blue_host hdf_hci_interface_service:hdf_devmgr_class { add }; + +allow blue_host blue_host:capability { net_admin }; +allow blue_host bluetooth_service:binder { call }; +allow blue_host bootevent_param:file { map open read }; +allow blue_host bootevent_samgr_param:file { map open read }; +allow blue_host build_version_param:file { map open read }; +allow blue_host const_allow_mock_param:file { map open read }; +allow blue_host const_allow_param:file { map open read }; +allow blue_host const_build_param:file { map open read }; +allow blue_host const_display_brightness_param:file { map open read }; +allow blue_host const_param:file { map open read }; +allow blue_host const_postinstall_fstab_param:file { map open read }; +allow blue_host const_postinstall_param:file { map open read }; +allow blue_host const_product_param:file { map open read }; +allow blue_host debug_param:file { map open read }; +allow blue_host default_param:file { map open read }; +allow blue_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow blue_host dev_unix_socket:dir { search }; +allow blue_host distributedsche_param:file { map open read }; +allow blue_host hdf_devmgr:binder { call transfer }; +allow blue_host hilog_param:file { map open read }; +allow blue_host hw_sc_build_os_param:file { map open read }; +allow blue_host hw_sc_build_param:file { map open read }; +allow blue_host hw_sc_param:file { map open read }; +allow blue_host init_param:file { map open read }; +allow blue_host init_svc_param:file { map open read }; +allow blue_host input_pointer_device_param:file { map open read }; +allow blue_host net_param:file { map open read }; +allow blue_host net_tcp_param:file { map open read }; +allow blue_host ohos_boot_param:file { map open read }; +allow blue_host ohos_param:file { map open read }; +allow blue_host persist_param:file { map open read }; +allow blue_host persist_sys_param:file { map open read }; +allow blue_host sa_device_service_manager:samgr_class { get }; +allow blue_host samgr:binder { call }; +allow blue_host security_param:file { map open read }; +allow blue_host startup_param:file { map open read }; +allow blue_host sys_file:file { open read read open write }; +allow blue_host sys_param:file { map open read }; +allow blue_host system_bin_file:dir { search }; +allow blue_host sys_usb_param:file { map open read }; +allow blue_host tty_device:chr_file { ioctl open read write }; +allow blue_host vendor_etc_file:dir { search }; +allow blue_host vendor_etc_file:file { getattr open read }; +allowxperm blue_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm blue_host tty_device:chr_file ioctl { 0x5401 0x5402 0x540b }; + + +#avc: denied { add_name } for pid=987 comm="IPC_3_3086" name="bluetooth" dev="sdd78" ino=7746 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=990 comm="IPC_0_1010" name="bluetooth" dev="sdd78" ino=7746 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=dir permissive=0 +allow blue_host data_vendor:dir { add_name write }; + +#avc: denied { create } for pid=986 comm="IPC_3_2618" name="btmac.txt" scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0 +#avc: denied { read write open } for pid=1007 comm="IPC_1_1005" path="/data/vender/bluetooth/btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0 +#avc: denied { read } for pid=1007 comm="IPC_3_3026" name="btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0 +#avc: denied { read write } for pid=1007 comm="IPC_3_3026" name="btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0 +allow blue_host data_vendor:file { create read write open }; +allow blue_host blue_host:capability { sys_nice }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/bluetooth_service.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/bluetooth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b9ddee5cca38a57f914cacf4f96ab6481a933edb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/bluetooth_service.te @@ -0,0 +1,227 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=3302 pid=608 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_bluetooth_server:samgr_class { add }; + +#avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow bluetooth_service audio_server:binder { call transfer }; + +#avc: denied {search} for pid=371 comm="threaded-ml" name="data" dev="mmcblk0p7" ino=1436162 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=dir permissive=1 +allow bluetooth_service data_bluetooth:dir { search }; + +#avc: denied { getattr } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_data_pudata_bluetoothlse_dir:s0 tclass=file permissive=1 +#avc: denied { open } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1 +#avc: denied { read } for pid=371 comm="threaded-ml" name="state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1 +allow bluetooth_service data_bluetooth:file { getattr open read }; + +#avc: denied { write } for pid=1207 comm="bluetooth_servi" name="ubsan" dev="mmcblk0p11" ino=574 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +#avc: denied { search } for pid=371 comm="threaded-ml" name="/" dev="mmcblk0p7" ino=2 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow bluetooth_service data_file:dir { search write }; + +allow bluetooth_service samain_exec:file { entrypoint execute map read }; + +#avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +#avc: denied {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +allow bluetooth_service samgr:binder { call transfer }; + +#avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +#avc: denied {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow bluetooth_service softbus_server:binder { call transfer }; + +allow bluetooth_service tmpfs:lnk_file { read }; + +allow bluetooth_service vendor_file:file { execute getattr map open read }; + +#avc: denied { get } for service=5100 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_device_service_manager:samgr_class { get }; + +#avc: denied { get } for service=hci_interface_service pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_hci_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow bluetooth_service hdf_hci_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=4010 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_telephony_tel_core_service:samgr_class { get }; + +#avc: denied { get } for service=4005 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_foundation_tel_call_manager:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_foundation_tel_call_manager:samgr_class { get }; + +#avc: denied { get } for service=4009 pid=348 scotext=u:bluetooth_service:s0 tcontext:u:object_r:sa_foundation_tel_state_registry:s0 tclass=samgr_class permissive=0 +allow bluetooth_service sa_foundation_tel_state_registry:samgr_class { get }; + +#avc: denied { get } for pid=279 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +allow bluetooth_service hdf_device_manager:hdf_devmgr_class { get }; + +#avc: denied { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow bluetooth_service sa_foundation_cesfwk_service:samgr_class { get }; + +allow bluetooth_service dev_tun_file:chr_file { open read write ioctl }; +allow bluetooth_service bluetooth_service:udp_socket { create ioctl read write shutdown }; +allowxperm bluetooth_service bluetooth_service:udp_socket ioctl { 0x8927 0x8914 0x8924 0x891c 0x8916 0x8915 }; +allow bluetooth_service bluetooth_service:tun_socket { create ioctl read write shutdown }; +allowxperm bluetooth_service dev_tun_file:chr_file ioctl { 0x800454d2 0x400454ca }; +allow bluetooth_service bluetooth_service:capability { net_admin }; +allow bluetooth_service netmanager:binder { call transfer }; +allow bluetooth_service kernel:system { module_request }; + +allow bluetooth_service dev_uhid_file:chr_file { read write }; +allow bluetooth_service data_bluetooth:dir { remove_name }; +allow bluetooth_service data_bluetooth:file { rename }; +allow bluetooth_service data_bluetooth:file { unlink }; + +debug_only(` + allow bluetooth_service sh:binder { transfer }; + allow bluetooth_service sh:binder { call }; +') +allow bluetooth_service dev_uhid_file:chr_file { open }; +allow bluetooth_service normal_hap_attr:binder { call transfer }; + +#avc: denied { call } for pid=380 comm="1IPC_450" scontext=u:r:bluetooth_service:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 +allow bluetooth_service system_core_hap_attr:binder { call transfer }; + +allow bluetooth_service dev_console_file:chr_file { read write }; +allow bluetooth_service data_service_file:dir { search }; +allow bluetooth_service data_service_el1_file:dir { getattr search open read write add_name remove_name }; +allow bluetooth_service data_service_el1_file:file { getattr setattr open read write rename unlink ioctl create}; + +#avc: denied { getattr } bluetooth_service data_log tclass=file +#avc: denied { setattr } bluetooth_service data_log tclass=file +#avc: denied { unlink } bluetooth_service data_log tclass=file +allow bluetooth_service data_log:file { getattr setattr unlink }; + +#avc: denied { read } bluetooth_service data_log tclass=dir +#avc: denied { open } bluetooth_service data_log tclass=dir +allow bluetooth_service data_log:dir { read open }; + +#avc: denied { read } bluetooth_service hdf_bluetooth_audio_session_service tclass=hdf_devmgr_class +#avc: denied { open } bluetooth_service a2dp_host tclass=fd +#avc: denied { open } bluetooth_service sa_powermgr_battery_service tclass=samgr_class +allow bluetooth_service hdf_bluetooth_audio_session_service:hdf_devmgr_class { get }; +allow bluetooth_service hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { get }; +allow bluetooth_service a2dp_host:fd { use }; +allow bluetooth_service sa_powermgr_battery_service:samgr_class { get }; + +#avc: denied { read open getattr } scontext=u:r:bluetooth_service tcontext=u:object_r:sysfs_devices_system_cpu: tclass=file permissive=1 +allow bluetooth_service sysfs_devices_system_cpu:file { read open getattr }; + +#avc: denied { getattr } scontext=u:r:bluetooth_service tcontext=u:object_r:dev_file: tclass=dir permissive=1 +allow bluetooth_service dev_file:dir { getattr }; + +allow bluetooth_service accesstoken_service:binder { call }; +allow bluetooth_service blue_host:binder { call transfer }; +allow bluetooth_service bluetooth_service:unix_dgram_socket { getopt setopt }; +allow bluetooth_service bootevent_param:file { map open read }; +allow bluetooth_service bootevent_samgr_param:file { map open read }; +allow bluetooth_service build_version_param:file { map open read }; +allow bluetooth_service const_allow_mock_param:file { map open read }; +allow bluetooth_service const_allow_param:file { map open read }; +allow bluetooth_service const_build_param:file { map open read }; +allow bluetooth_service const_display_brightness_param:file { map open read }; +allow bluetooth_service const_param:file { map open read }; +allow bluetooth_service const_postinstall_fstab_param:file { map open read }; +allow bluetooth_service const_postinstall_param:file { map open read }; +allow bluetooth_service const_product_param:file { map open read }; +allow bluetooth_service data_bluetooth:dir { add_name write read open }; +allow bluetooth_service data_bluetooth:file { create ioctl write read }; +allow bluetooth_service data_user:dir { search }; +allow bluetooth_service data_file:file { read open }; +allow bluetooth_service data_log:dir { add_name remove_name search write }; +allow bluetooth_service data_log:file { create ioctl open read rename write write open }; +allow bluetooth_service debug_param:file { map open read }; +allow bluetooth_service default_param:file { map open read }; +allow bluetooth_service dev_unix_socket:dir { search }; +allow bluetooth_service distributedsche_param:file { map open read }; +allow bluetooth_service foundation:binder { call transfer }; +allow bluetooth_service hdf_devmgr:binder { call }; +allow bluetooth_service hilog_param:file { map open read }; +allow bluetooth_service hw_sc_build_os_param:file { map open read }; +allow bluetooth_service hw_sc_build_param:file { map open read }; +allow bluetooth_service hw_sc_param:file { map open read }; +allow bluetooth_service init_param:file { map open read }; +allow bluetooth_service init_svc_param:file { map open read }; +allow bluetooth_service input_pointer_device_param:file { map open read }; +allow bluetooth_service net_param:file { map open read }; +allow bluetooth_service net_tcp_param:file { map open read }; +allow bluetooth_service ohos_boot_param:file { map open read }; +allow bluetooth_service ohos_param:file { map open read }; +allow bluetooth_service param_watcher:binder { call transfer }; +allow bluetooth_service persist_param:file { map open read }; +allow bluetooth_service persist_sys_param:file { map open read }; +binder_call(bluetooth_service, powermgr); +allow bluetooth_service sa_accesstoken_manager_service:samgr_class { get }; +allow bluetooth_service sa_param_watcher:samgr_class { get }; +allow bluetooth_service security_param:file { map open read }; +allow bluetooth_service startup_param:file { map open read }; +allow bluetooth_service sys_param:file { map open read }; +allow bluetooth_service system_basic_hap_attr:binder { call transfer }; +allow bluetooth_service system_bin_file:dir { search }; +allow bluetooth_service sys_usb_param:file { map open read }; +allow bluetooth_service telephony_sa:binder { call transfer }; +allow bluetooth_service tracefs:dir { search }; +allow bluetooth_service tracefs_trace_marker_file:file { open write }; +allow bluetooth_service normal_hap_attr:binder { call }; +allowxperm bluetooth_service data_bluetooth:file ioctl { 0x5413 }; +allowxperm bluetooth_service data_log:file ioctl { 0x5413 }; + +#avc: denied { call } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1 +allow bluetooth_service a2dp_host:binder { call transfer }; + +#avc: denied { get } for service=3009 pid=283 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_audio_policy_service:samgr_class { get }; + +#avc: denied { get } for service=3001 pid=316 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=1 +allow bluetooth_service sa_pulseaudio_audio_service:samgr_class { get }; + +#bluetooth_service +allow bluetooth_service resource_schedule_service:binder { call }; + +allow bluetooth_service persist_param:parameter_service set; + + +#avc: denied { write } for pid=2949 comm="AdapterManager" name="paramservice" dev="tmpfs" ino=85 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 +allow bluetooth_service paramservice_socket:sock_file { read write }; + +#avc: denied { connectto } for pid=2922 comm="AdapterManager" path="/dev/unix/socket/paramservice" scontext=u:r:bluetooth_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 +allow bluetooth_service kernel:unix_stream_socket { connectto }; + +allow bluetooth_service distributeddata:binder { call transfer }; +allow bluetooth_service distributeddata:fd { use }; +allow bluetooth_service sa_dataobs_mgr_service_service:samgr_class { get }; +allow bluetooth_service sa_distributeddata_service:samgr_class { get }; +allow bluetooth_service sa_foundation_abilityms:samgr_class { get }; +allow bluetooth_service sa_net_conn_manager:samgr_class { get }; + +allow bluetooth_service data_misc:dir { read write add_name remove_name open }; +allow bluetooth_service data_misc:file { read getattr unlink create ioctl write open }; +allowxperm bluetooth_service data_misc:file ioctl { 0x5413 }; + +#avc: denied { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_telephony_tel_sms_mms:s0 tclass=samgr_class permissive=0 +allow bluetooth_service sa_telephony_tel_sms_mms:samgr_class { get }; +allow bluetooth_service sa_foundation_bms:samgr_class { get }; + +#avc: denied { call } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow bluetooth_service device_manager:binder { call transfer }; + +#avc: denied { get } for service=3505 pid=14188 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 +allow bluetooth_service sa_privacy_service:samgr_class { get }; + +#avc: denied { call } for pid=1612, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=1 +allow bluetooth_service privacy_service:binder { call }; + +allow bluetooth_service appspawn:fd { use }; +allow bluetooth_service hmdfs:file { read }; +allow bluetooth_service medialibrary_hap:fd { use }; +allow bluetooth_service sharefs:file { ioctl write }; +allowxperm bluetooth_service sharefs:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..c28a5484ef6f4ea8e79008a28b22ac1faa4b05a2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/normal_hap_attr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr bluetooth_service:fd { use }; + +allow normal_hap_attr bluetooth_service:unix_stream_socket { read write shutdown }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..10f6b741cf5c051d9aceb020f8873e9cc05b0581 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/softbus_server.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server bluetooth_service:fd { use }; +allow softbus_server bluetooth_service:unix_stream_socket { read write }; +allow softbus_server bluetooth_service:unix_stream_socket { setopt }; +allow softbus_server bluetooth_service:unix_stream_socket { shutdown }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..69203e655561efde8ea8188edc5fab1ff140eac7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/system_core_hap.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { use } for pid=351 comm="IPC_0_465" path="socket:[27604]" dev="sockfs" ino=27604 scontext=u:r:system_core_hap:s0 tcontext=u:r:bluetooth_service:s0 tclass=fd permissive=0 +allow system_core_hap_attr bluetooth_service:fd { use }; + +#avc: denied { read write shutdown } for pid=351 comm="bluetooth_servi" path="socket:[27422]" dev="sockfs" ino=27422 scontext=u:r:system_core_hap:s0 tcontext=u:r:bluetooth_service:s0 tclass=unix_stream_socket permissive=0 +allow system_core_hap_attr bluetooth_service:unix_stream_socket { read write shutdown }; + +#avc: denied { call } for pid=1934 comm="jsThread-1" scontext=u:r:system_core_hap:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=0 +allow system_core_hap_attr bluetooth_service:binder { call transfer }; + +#avc: denied { get } for service=1130 pid=8861 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1 +allow system_core_hap_attr sa_bluetooth_server:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/telephony_sa.te b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..f8165a42659061f7100e98017b4101cdaa2a630f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/bluetooth/system/telephony_sa.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow telephony_sa bluetooth_service:binder { call transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/public/type.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..2ed6d07ec5a5f8f9b325d8c4ac28715432199a34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type fwmark_service, dev_attr, file_attr; +type dnsproxy_service, dev_attr, file_attr; + +type etc_hosts_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/attributes b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/attributes new file mode 100644 index 0000000000000000000000000000000000000000..d827d30d50fd2561f6a976e8655a1b6552732286 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute netsysnative_violator_binder_call; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..608b05624dc98bc6cf411694abe05a10c1b1dddb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cgroup2, fs_attr; +type fs_bpf, fs_attr, debugfs_attr; +type iptables_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ed2807ce30f6367e66a63b932c428cce88bb5a69 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/file_contexts @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/dev/unix/socket/fwmarkd u:object_r:fwmark_service:s0 +/dev/unix/socket/dnsproxyd u:object_r:dnsproxy_service:s0 +/system/bin/iptables u:object_r:iptables_exec:s0 +/system/bin/iptables-restore u:object_r:iptables_exec:s0 +/system/bin/iptables-save u:object_r:iptables_exec:s0 +/system/bin/ip6tables u:object_r:iptables_exec:s0 +/system/bin/ip6tables-restore u:object_r:iptables_exec:s0 +/system/bin/ip6tables-save u:object_r:iptables_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/foundation.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..63035982a9d7c6d3b3c961a47552425eacc86aea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation netmanager:binder { call transfer }; +allow foundation sa_net_conn_manager:samgr_class { add get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/mdnsmanager.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/mdnsmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..54700e80e5df06316718be9471397ca0f36a9639 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/mdnsmanager.te @@ -0,0 +1,50 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow mdnsmanager dev_console_file:chr_file { read write }; +allow mdnsmanager hilog_param:file { open read map }; +allow mdnsmanager dev_unix_socket:dir { search }; +allow mdnsmanager tracefs:dir { search }; +allow mdnsmanager tracefs_trace_marker_file:file { open write }; +allow mdnsmanager debug_param:file { open read map }; +allow mdnsmanager param_watcher:binder { call transfer }; +allow mdnsmanager mdnsmanager:binder { call }; +allow mdnsmanager musl_param:file { open read map }; +allow mdnsmanager mdnsmanager:netlink_route_socket { create write read nlmsg_read nlmsg_readpriv }; + +allow param_watcher mdnsmanager:binder { call }; +allow system_basic_hap_attr mdnsmanager:binder { transfer call }; +allow mdnsmanager system_basic_hap_attr:binder { call }; +allow system_basic_hap_attr sa_comm_mdns_manager_service:samgr_class { get }; +allow system_core_hap_attr mdnsmanager:binder { transfer call }; +allow mdnsmanager system_core_hap_attr:binder { call }; +allow system_core_hap_attr sa_comm_mdns_manager_service:samgr_class { get }; +allow normal_hap_attr mdnsmanager:binder { transfer call }; +allow mdnsmanager normal_hap_attr:binder { call }; +allow normal_hap_attr sa_comm_mdns_manager_service:samgr_class { get }; +allow mdnsmanager sa_param_watcher:samgr_class { get }; +allow mdnsmanager sa_comm_mdns_manager_service:samgr_class { add }; +allow mdnsmanager sa_accesstoken_manager_service:samgr_class { get }; +allow mdnsmanager accesstoken_service:binder { call }; + +allow mdnsmanager mdnsmanager:udp_socket { create getopt setopt bind name_bind ioctl read write }; +allow mdnsmanager node:udp_socket { node_bind }; +allow mdnsmanager port:udp_socket { name_bind }; +allow mdnsmanager mdnsmanager:unix_dgram_socket { ioctl getopt setopt }; + +allow mdnsmanager netmanager:binder { call transfer }; +allow mdnsmanager sa_net_conn_manager:samgr_class { get }; + +debug_only(` + allow mdnsmanager sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netfirewall.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netfirewall.te new file mode 100644 index 0000000000000000000000000000000000000000..d4c1bfe77052a09707a5cb71cd14e34bc66b4d6a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netfirewall.te @@ -0,0 +1,22 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=8300 pid=2244 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_netfirewall_service:s0 tclass=samgr_class permissive=0 +allow system_basic_hap_attr sa_netfirewall_service:samgr_class { get }; +# avc: denied { get } for service=8300 pid=2715 scontext=u:r:netsysnative:s0 tcontext=u:object_r:sa_netfirewall_service:s0 tclass=samgr_class permissive=0 +allow netsysnative sa_netfirewall_service:samgr_class { get }; +# avc: denied { get } for service=8300 pid=2813 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_netfirewall_service:s0 tclass=samgr_class permissive=0 +allow hidumper_service sa_netfirewall_service:samgr_class { get }; +# avc: denied { add } for service=8300 pid=2927 scontext=u:r:netmanager:s0 tcontext=u:object_r:sa_netfirewall_service:s0 tclass=samgr_class permissive=0 +allow netmanager sa_netfirewall_service:samgr_class { add }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..830adeee57b212595ead3436c6a691ef9d42af6c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netmanager.te @@ -0,0 +1,112 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager accesstoken_service:binder { call }; +allow netmanager fs_bpf:dir { search }; +allow netmanager fs_bpf:file { read }; +allow netmanager netsysnative:bpf { map_read }; +allow netmanager data_data_file:dir { search }; +allow netmanager data_data_file:file { open read }; +allow netmanager data_file:dir { remove_name rmdir search }; +allow netmanager data_init_agent:dir { search }; +allow netmanager data_init_agent:file { ioctl open read append }; +allow netmanager data_service_el1_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write rmdir }; +allow netmanager data_service_el1_file:file { append create getattr ioctl lock map open read setattr unlink write }; +allow netmanager data_service_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write }; +allow netmanager data_system:dir { add_name search write }; +allow netmanager data_system:file { ioctl }; +allow netmanager dev_unix_socket:dir { search }; +allow netmanager download_server:binder { call }; +allow netmanager foundation:binder { call transfer }; +allow netmanager kernel:unix_stream_socket { connectto }; +allow netmanager musl_param:file { read }; +allow netmanager netmanager:capability { net_admin }; +allow netmanager netmanager:capability { net_raw }; +allow netmanager netmanager:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write }; +allow netmanager netmanager:packet_socket { bind create read write }; +allow netmanager netmanager:tcp_socket { connect create getattr getopt read setopt write }; +allow netmanager netmanager:udp_socket { bind connect create getattr ioctl read write setopt getopt }; +allow netmanager netmanager:rawip_socket { write setopt create read }; +allow netmanager netmanager:unix_dgram_socket { ioctl }; +allow netmanager netsysnative:binder { call }; +allow netmanager node:udp_socket { node_bind }; +allow netmanager port:tcp_socket { name_connect }; +allow netmanager port:udp_socket { name_bind }; +allow netmanager system_bin_file:dir { search }; +allow netmanager system_bin_file:file { execute execute_no_trans map read open }; +allow netmanager toybox_exec:file { execute execute_no_trans map read open }; +allow netmanager system_core_hap_attr:binder { call }; +allow netmanager telephony_sa:binder { call }; +allow netmanager time_service:binder { call }; +allow netmanager wifi_manager_service:binder { call transfer }; +allow netmanager sa_comm_net_tethering_manager_service:samgr_class { add }; +allow netmanager sa_net_conn_manager:samgr_class { get }; +allow netmanager sa_wifi_hotspot_ability:samgr_class { get }; +allow netmanager sa_wifi_p2p_ability:samgr_class { get }; +allow netmanager sa_wifi_scan_ability:samgr_class { get }; +allow netmanager sa_wifi_device_ability:samgr_class { get }; +allow netmanager sa_bluetooth_server:samgr_class { get }; +allow netmanager bluetooth_service:binder { call transfer }; +allow system_core_hap_attr sa_comm_net_tethering_manager_service:samgr_class { get }; +allow netmanager kernel:system { module_request }; +allow netmanager accessibility_param:file { read open map }; +allow netmanager fwmark_service:sock_file { write }; +allow netmanager dnsproxy_service:sock_file { write }; +allow netmanager netmanager:process { setfscreate }; +allow netmanager usb_service:binder { call }; +allow netmanager sa_usb_service:samgr_class { get }; +allow netmanager sa_telephony_tel_core_service:samgr_class { get }; +allow init configfs:dir { rmdir }; +allowxperm netmanager data_service_el1_file:file ioctl { 0x5413 0xf546 0xf547 }; +allowxperm netmanager data_init_agent:file ioctl { 0x5413 }; +allowxperm netmanager netmanager:udp_socket ioctl { 0x8910 0x8915 0x8916 0x891b 0x891c 0x8933 }; +allowxperm netmanager netmanager:unix_dgram_socket ioctl { 0x8910 }; +allow netsysnative netmanager:fd { use }; +allow netsysnative netmanager:tcp_socket { read write bind getopt setopt connect }; +allow netmanager data_service_el1_file:file { rename }; +allow netmanager sa_foundation_appms:samgr_class { get }; + +allow netmanager sa_comm_vpn_manager_service:samgr_class { add }; +allow netmanager dev_console_file:chr_file { read write }; +allow netmanager sa_accountmgr:samgr_class { get }; +allow netmanager accountmgr:binder { call }; +allow accountmgr netmanager:binder { transfer }; +allow netmanager sa_foundation_bms:samgr_class { get }; + +debug_only(` + allow netmanager sh:binder { call }; +') + +allow sa_comm_ethernet_manager_service sa_comm_ethernet_manager_service:samgr_class { add get }; +allow system_basic_hap_attr sa_comm_ethernet_manager_service:samgr_class { add get }; +allow system_core_hap_attr sa_comm_ethernet_manager_service:samgr_class { add get }; +allow netmanager updater_sa:binder { call }; +allow netmanager musl_param:file { read open map }; +allow netmanager distributeddata:binder { call transfer }; +allow netmanager distributeddata:fd use; +allow netmanager sa_dataobs_mgr_service_service:samgr_class get; +allow netmanager sa_distributeddata_service:samgr_class get; +allow netmanager mdnsmanager:binder { call }; + +allow netmanager sa_netsys_ext_service:samgr_class { add get }; +allow netmanager sa_distributed_net_service:samgr_class { add get }; + +allow netmanager wifi_hal_service:binder { transfer call }; +allow netmanager sa_dhcp_client:samgr_class { add get }; +allow netmanager sa_dhcp_server:samgr_class { add get }; +allow netmanager sa_huks_service:samgr_class { get }; +allow netmanager huks_service:binder { call }; +allow netmanager dev_ashmem_file:chr_file { open }; +allow netmanager foundation:fd { use }; +allow netmanager proc_net:file { open write }; +allow netmanager softbus_server:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netsysnative.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netsysnative.te new file mode 100644 index 0000000000000000000000000000000000000000..a174e6fff24e9aaae20aece0558fe1cfd3d72c9e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/netsysnative.te @@ -0,0 +1,142 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netsysnative dev_unix_socket:dir { search }; +allow netsysnative dev_unix_socket:sock_file { write }; +allow netsysnative netsysnative:capability { net_admin net_raw net_bind_service sys_resource sys_admin }; +allow netsysnative netsysnative:netlink_route_socket { create listen nlmsg_write write }; +allow netsysnative netsysnative:unix_dgram_socket { ioctl }; +allow netsysnative netsysnative:tcp_socket { connect create getattr getopt read setopt write }; +allow netsysnative sh_exec:file { execute execute_no_trans map open read }; +allow netsysnative netsysnative:bpf { map_create map_read map_write prog_load prog_run }; +allow netsysnative sys_file:dir { mounton }; +allow netsysnative system_bin_file:lnk_file { read }; +allow netsysnative toybox_exec:lnk_file { read }; +allow netsysnative netsysnative:netlink_nflog_socket { bind getopt setopt }; +allow netsysnative netsysnative:rawip_socket { create getopt setopt }; +allow netsysnative proc_file:file { write open read }; +allow netsysnative proc_net:file { getattr }; +allow netsysnative system_bin_file:file { execute execute_no_trans getattr map open read }; +allow netsysnative toybox_exec:file { execute execute_no_trans getattr map open read }; +allow netsysnative system_etc_file:file { lock }; +allow netsysnative tty_device:chr_file { open read write }; +allow netsysnative netsysnative:udp_socket { bind read getopt setopt connect write ioctl }; +allow netsysnative port:udp_socket { name_bind }; +allow netsysnative node:udp_socket { node_bind }; +allow netsysnative netsysnative:netlink_nflog_socket { read }; +allow netsysnative dev_file:sock_file { write unlink }; +allow netsysnative dev_console_file:chr_file { read write }; +allow netsysnative dev_file:dir { remove_name }; +allow netsysnative netsysnative:netlink_netfilter_socket { listen }; +allow netsysnative netsysnative:netlink_kobject_uevent_socket { listen }; +allow netsysnative system_bin_file:lnk_file { read }; +allow netsysnative toybox_exec:lnk_file { read }; +allow netsysnative accessibility_param:file { read open map }; +allow netsysnative data_service_file:dir { search }; +allow netsysnative data_service_el1_file:dir { search write add_name }; +allow netsysnative data_service_el1_file:file { create write open ioctl read }; +allow netsysnative fwmark_service:sock_file { create unlink setattr write }; +allow netsysnative dnsproxy_service:sock_file { create unlink setattr }; +allow netsysnative netsysnative:process { setfscreate }; +allow netsysnative normal_hap_attr:fd { use }; +allow netsysnative normal_hap_attr:tcp_socket { read write getopt setopt }; +allow netsysnative normal_hap_attr:unix_dgram_socket { read write getopt setopt }; +allow netsysnative normal_hap_attr:udp_socket { read write getopt setopt }; +allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt }; +allow init dev_unix_file:sock_file { unlink }; +allowxperm netsysnative netsysnative:udp_socket ioctl { 0x8933 0x8953 0x8955 0x8915 0x891b 0x8913 0x8927 0x8914 0x8916 0x891c 0x8922 }; +allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 }; + +allow netsysnative system_basic_hap_attr:fd { use }; +allow netsysnative system_basic_hap_attr:tcp_socket { read write getopt setopt }; +allow netsysnative dev_tun_file:chr_file { open read write ioctl }; +allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto }; +allow netsysnative system_basic_hap_attr:udp_socket { read write getopt setopt }; + +allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 }; + +allow netsysnative iptables_exec:lnk_file { read }; +allow netsysnative iptables_exec:file { execute read open execute_no_trans map }; +allow netsysnative netsysnative:packet_socket { read bind create ioctl setopt }; +allow netsysnative netsysnative:bpf { map_read prog_load map_create prog_run map_write }; +allow netsysnative data_file:file { read }; +allow netsysnative sa_netsys_ext_service:samgr_class { add get }; + +allow netsysnative sys_file:filesystem { mount }; +allow netsysnative netsysnative:process { rlimitinh transition siginh }; +allow netsysnative netsysnative:capability2 { bpf }; +allow netsysnative netsysnative:capability { net_raw sys_resource sys_admin net_admin }; +allow netsysnative netsysnative:rawip_socket { write setopt getopt create }; +allow netsysnative netsysnative:unix_dgram_socket { ioctl }; +allow netsysnative debug_param:file { map open read }; +allow netsysnative dev_console_file:chr_file { write read }; +allow netsysnative dev_unix_socket:dir { search }; +allow netsysnative hilog_param:file { map open read }; +allow netsysnative musl_param:file { map open read }; +allow netsysnative param_watcher:binder { call transfer }; +allow netsysnative proc_net:file { getattr }; +allow netsysnative sa_param_watcher:samgr_class { get }; +allow netsysnative sh_exec:file { read map execute_no_trans execute open }; +allow netsysnative sysfs_net:dir { open read }; +allow netsysnative system_bin_file:dir { search }; +allow netsysnative system_bin_file:file { read map execute_no_trans execute open }; +allow netsysnative toybox_exec:file { read map execute_no_trans execute open getattr }; +allow netsysnative system_etc_file:file { lock }; +allow netsysnative tracefs:dir { search }; +allow netsysnative tracefs_trace_marker_file:file { write open }; +allow netsysnative sys_file:dir { mounton }; +allow netsysnative fs_bpf:dir { getattr search mounton add_name create write }; +allow netsysnative fs_bpf:file { create setattr write read }; +allow netsysnative fs_bpf:filesystem { mount }; +allow netsysnative netsysnative:netlink_route_socket { setopt bind setattr getattr listen read nlmsg_read nlmsg_readpriv nlmsg_write create write }; +allow netsysnative netsysnative:netlink_tcpdiag_socket { create connect write nlmsg_read read nlmsg_write }; +allow netsysnative system_core_hap_attr:fd { use }; +allow netsysnative system_core_hap_attr:tcp_socket { read write getopt setopt }; +allow netsysnative system_core_hap_attr:udp_socket { read write getopt setopt }; +allow netsysnative edm_sa:binder { call }; +allow netsysnative sysfs_devices_system_cpu:file { read open getattr }; +allow netsysnative dev_kmsg_file:chr_file { open write }; + +allow netsysnative sa_distributed_net_service:samgr_class { add get }; + +allow netsysnative cgroup2:dir { read open }; + +allow netsysnative sa_netvirt_ext:samgr_class { add }; + +allow init fs_bpf:dir { add_name create mounton open read search setattr write }; +allow init fs_bpf:file { create getattr open }; +allow init fs_bpf:filesystem { mount }; +allow init fs_bpf:file { write }; +allow init fs_bpf:lnk_file { create }; +allow init cgroup2:dir { add_name create mounton open read search setattr write }; +allow init cgroup2:file { create getattr open }; +allow init cgroup2:filesystem { mount }; +allow init cgroup2:file { write }; +allow init cgroup2:lnk_file { create }; + +allow init dnsproxy_service:sock_file { getattr unlink setattr relabelto }; +allow netsysnative dnsproxy_service:sock_file { setattr }; +allow init fwmark_service:sock_file { getattr unlink setattr relabelto }; +allow netsysnative fwmark_service:sock_file { setattr }; + +allow domain fwmark_service:sock_file { write read }; +allow domain dnsproxy_service:sock_file { write read }; +allow domain dev_tun_file:chr_file { read write }; +allow domain netsysnative:fd { use }; + +allow netsysnative sa_net_policy_manager:samgr_class { get }; + +neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -telephony_sa -param_watcher -hidumper_service -samgr -edm_sa -netsysnative_violator_binder_call -security_collector } netsysnative:binder *; +neverallow { domain -netsysnative -rgm_violator_ohos_iptables_exec_file_execute } iptables_exec:file { execute }; + +allow netsysnative hap_domain:icmp_socket { setopt getopt }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..76ac6d0f0f44f70f16ca05d3713582305be8ce90 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/normal_hap.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr normal_hap_attr:udp_socket { getopt }; +allow normal_hap_attr fwmark_service:sock_file { write }; +allow normal_hap_attr netmanager:binder { call transfer }; + +allow normal_hap_attr netsysnative:unix_stream_socket { connectto read write }; +allow normal_hap_attr normal_hap_attr:tcp_socket { getattr create setopt bind connect getopt read write shutdown }; +allow normal_hap_attr normal_hap_attr:udp_socket { getattr create setopt bind connect getopt read write shutdown }; + +allow normal_hap_attr sa_comm_ethernet_manager_service:samgr_class { get }; +allow normal_hap_attr sa_comm_net_stats_manager_service:samgr_class { get }; +allow normal_hap_attr sa_comm_net_tethering_manager_service:samgr_class { get }; +allow normal_hap_attr sa_net_policy_manager:samgr_class { get }; + +allow normal_hap_attr sa_comm_vpn_manager_service:samgr_class { get }; +allow normal_hap_attr port:udp_socket { name_bind }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_distributed_net_service.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_distributed_net_service.te new file mode 100644 index 0000000000000000000000000000000000000000..028860e67c390fd119b67e5b96a5d1cbc8b0c30c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_distributed_net_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sa_distributed_net_service sa_distributed_net_service:samgr_class { add get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_netsys_ext_service.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_netsys_ext_service.te new file mode 100644 index 0000000000000000000000000000000000000000..655d86d8fcf1e52ce3bc74b745f74b9f6483a2de --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/sa_netsys_ext_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sa_netsys_ext_service sa_netsys_ext_service:samgr_class { add get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..528a88c5b9f40369d57282ac07ba8959ff4956fc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_netsys_ext_service, sa_service_attr; +type sa_distributed_net_service, sa_service_attr; +type sa_netvirt_ext, sa_service_attr; +type sa_netfirewall_service, sa_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service_contexts b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..cf9c481f82ea40fa10ce4ee509e741c53526af12 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/service_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +1162 u:object_r:sa_netsys_ext_service:s0 +1163 u:object_r:sa_distributed_net_service:s0 +1164 u:object_r:sa_netvirt_ext:s0 +8300 u:object_r:sa_netfirewall_service:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..fe949c663307bf767748a28b88509cfb97d547ea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_basic_hap.te @@ -0,0 +1,35 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_comm_net_tethering_manager_service:samgr_class { get }; + +allow system_basic_hap_attr fwmark_service:sock_file { write }; +allow system_basic_hap_attr netmanager:binder { call transfer }; + +allow system_basic_hap_attr netsysnative:unix_stream_socket { connectto read write }; +allow system_basic_hap_attr system_basic_hap_attr:tcp_socket { getattr create setopt bind connect getopt read write shutdown }; +allow system_basic_hap_attr system_basic_hap_attr:udp_socket { getattr create setopt bind connect getopt read write shutdown }; + +allow system_basic_hap_attr netmsg:tcp_socket { node_bind name_connect }; +allow system_basic_hap_attr sa_comm_vpn_manager_service:samgr_class { get }; +allow system_basic_hap_attr netsysnative:fd { use }; +allow system_basic_hap_attr dev_tun_file:chr_file { read write }; + +allow system_basic_hap_attr sa_comm_net_stats_manager_service:samgr_class { get }; + +allow system_basic_hap_attr sa_netsys_ext_service:samgr_class { add get }; +allow system_basic_hap_attr sa_distributed_net_service:samgr_class { add get }; + +allow system_basic_hap_attr sa_net_policy_manager:samgr_class { add get }; + +allow system_basic_hap_attr self:icmp_socket { create write read connect bind setopt getattr getopt shutdown }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7200d02fa747baf32a39f22fc0d5f37f31e815ce --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/system_core_hap.te @@ -0,0 +1,30 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr netmanager:binder { call }; +allow system_core_hap_attr netmanager:binder { transfer }; + +allow system_core_hap_attr netsysnative:unix_stream_socket { connectto read write }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { getattr create setopt bind connect getopt read write shutdown }; +allow system_core_hap_attr system_core_hap_attr:udp_socket { getattr create setopt bind connect getopt read write shutdown }; + +allow system_core_hap_attr system_core_hap_attr:udp_socket { getopt }; +allow system_core_hap_attr fwmark_service:sock_file { write }; + +allow system_core_hap_attr sa_comm_net_stats_manager_service:samgr_class { get }; +allow system_core_hap_attr node:tcp_socket { node_bind }; + +allow system_core_hap_attr sa_netsys_ext_service:samgr_class { add get }; +allow system_core_hap_attr sa_distributed_net_service:samgr_class { add get }; + +allow system_core_hap_attr sa_comm_vpn_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e909205f173432e582281232f54f2f26bc5f65a9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/virtfs_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +genfscon bpf / u:object_r:fs_bpf:s0 +genfscon cgroup2 / u:object_r:cgroup2:s0 diff --git a/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/wifi_manager_service.te b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1611eb4d7f8586ceb0ca609bb5773a340e9cc90f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netmanager/system/wifi_manager_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service netmanager:binder { call }; +allow wifi_manager_service netsysnative:unix_stream_socket { connectto }; +allow wifi_manager_service device_manager:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/netstack/system/netstack.te b/prebuilts/api/5.0/ohos_policy/communication/netstack/system/netstack.te new file mode 100644 index 0000000000000000000000000000000000000000..540a98f8d22a9dd1cbeb527c86bddfd1b4ff52bb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/netstack/system/netstack.te @@ -0,0 +1,23 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow debug_hap debug_hap_data_file:sock_file { append create getattr lock map open read rename setattr unlink watch watch_reads write }; + allow installs debug_hap_data_file:sock_file { unlink }; +') +allow normal_hap_attr normal_hap_data_file_attr:sock_file { append create getattr lock map open read rename setattr unlink watch watch_reads write }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:sock_file { create unlink read write }; +allow system_core_hap_attr system_core_hap_data_file_attr:sock_file { create unlink read write }; +allow installs normal_hap_data_file_attr:sock_file { unlink }; +allow installs system_basic_hap_data_file_attr:sock_file { unlink }; +allow installs system_core_hap_data_file_attr:sock_file { unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/nfc/system/nfc_service.te b/prebuilts/api/5.0/ohos_policy/communication/nfc/system/nfc_service.te new file mode 100644 index 0000000000000000000000000000000000000000..36811e039bf1e4148ba7fb6a3e30b2132b3da05d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/nfc/system/nfc_service.te @@ -0,0 +1,42 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc:denied { call } scontext=u:r:nfc_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder +#avc:denied { transfer } scontext=u:r:nfc_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder +allow nfc_service hap_domain:binder { transfer call }; +#avc:denied { getattr } scontext=u:r:nfc_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir +#avc:denied { search } scontext=u:r:nfc_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir +allow nfc_service vendor_etc_file:dir { getattr search }; +allow nfc_service sys_file:file { read }; +allow nfc_service dev_kmsg_file:chr_file { open write }; +#avc:denied { map } scontext=u:r:nfc_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file +#avc:denied { open } scontext=u:r:nfc_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file +#avc:denied { read } scontext=u:r:nfc_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file +allow nfc_service persist_param:file { map open read }; +allow nfc_service hiview_file:dir { open read remove_name search write }; +allow nfc_service hiview_file:file { getattr open read unlink }; +#avc:denied { write } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=dir +#avc:denied { add_name } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=dir +#avc:denied { remove_name } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=dir +allow nfc_service data_nfc:dir { write add_name remove_name }; +#avc:denied { create write open } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=file +#avc:denied { getattr ioctl setattr } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=file +#avc:denied { read rename unlink } scontext=u:r:nfc_service:s0 tcontext=u:object_r:data_nfc:s0 tclass=file +allow nfc_service data_nfc:file { create write open getattr ioctl setattr read rename unlink }; +allowxperm nfc_service data_nfc:file ioctl { 0x5413 }; +#avc:denied { getattr } scontext=u:r:nfc_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir +#avc:denied { search } scontext=u:r:nfc_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir +allow nfc_service vendor_etc_file:dir { getattr search }; +allow nfc_service vendor_bin_file:dir {search}; + + diff --git a/prebuilts/api/5.0/ohos_policy/communication/nfc/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/communication/nfc/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..43e58a9516d000e8a763c1add499eac31e72252e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/nfc/system/normal_hap.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc:denied { call } scontext=u:r:normal_hap:s0 tcontext=u:r:nfc_service:s0 tclass=binder +#avc:denied { transfer } scontext=u:r:normal_hap:s0 tcontext=u:r:nfc_service:s0 tclass=binder +allow hap_domain nfc_service:binder { call transfer }; +allow hap_domain nfc_service:fd { use }; +#avc:denied { get } scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_nfc_manager_service:s0 tclass=samgr_class +allow hap_domain sa_nfc_manager_service:samgr_class { get }; + + diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5d22e566ba58ceb161b79c21d792e96df2006610 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/normal_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_wifi_device_ability:samgr_class { get }; +allow normal_hap_attr sa_wifi_hotspot_ability:samgr_class { get }; +allow normal_hap_attr sa_wifi_p2p_ability:samgr_class { get }; +allow normal_hap_attr sa_wifi_scan_ability:samgr_class { get }; +allow normal_hap_attr wifi_manager_service:binder { call transfer }; +allow normal_hap_attr wifi_manager_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..745411a763a26b788cb3a0d2401da88fe9aa778b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_basic_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_wifi_device_ability:samgr_class { get }; +allow system_basic_hap_attr sa_wifi_hotspot_ability:samgr_class { get }; +allow system_basic_hap_attr sa_wifi_p2p_ability:samgr_class { get }; +allow system_basic_hap_attr sa_wifi_scan_ability:samgr_class { get }; +allow system_basic_hap_attr wifi_manager_service:binder { call transfer }; +allow system_basic_hap_attr wifi_manager_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..571cd4bde0a44ddfe14e4c2cc5dc8b11f8a92920 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/system_core_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_wifi_device_ability:samgr_class { get }; +allow system_core_hap_attr sa_wifi_hotspot_ability:samgr_class { get }; +allow system_core_hap_attr sa_wifi_p2p_ability:samgr_class { get }; +allow system_core_hap_attr sa_wifi_scan_ability:samgr_class { get }; +allow system_core_hap_attr wifi_manager_service:binder { call transfer }; +allow system_core_hap_attr wifi_manager_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hal_service.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hal_service.te new file mode 100644 index 0000000000000000000000000000000000000000..e6a5f6c38a2f4f7ad22f1b69ff2ec9d890aded3b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hal_service.te @@ -0,0 +1,107 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_hal_service data_file:dir { search }; +allow wifi_hal_service data_log:file { read write }; +allow wifi_hal_service data_service_el1_file:dir { add_name getattr remove_name search write }; +allow wifi_hal_service data_service_el1_file:file { create read write open getattr ioctl rename }; +allow wifi_hal_service data_service_el1_file:sock_file { create unlink }; +allow wifi_hal_service dev_mgr_file:chr_file { getattr }; +allow wifi_hal_service dev_unix_socket:dir { search }; +allow wifi_hal_service dev_unix_socket:sock_file { write }; +allow wifi_hal_service faultloggerd:fd { use }; +allow wifi_hal_service faultloggerd:unix_stream_socket { connectto }; +allow wifi_hal_service hiview:binder { call }; +allow wifi_hal_service kernel:system { module_request }; +allow wifi_hal_service node:udp_socket { node_bind }; +allow wifi_hal_service port:udp_socket { name_bind }; +allow wifi_hal_service sh_exec:file { execute execute_no_trans map read open }; +allow wifi_hal_service system_bin_file:dir { search }; +allow wifi_hal_service system_bin_file:file { execute execute_no_trans getattr map read open }; +allow wifi_hal_service system_bin_file:lnk_file { read }; +allow wifi_hal_service toybox_exec:file { execute execute_no_trans getattr map read open }; +allow wifi_hal_service toybox_exec:lnk_file { read }; +allow wifi_hal_service tty_device:chr_file { open read write }; +allow wifi_hal_service vendor_etc_file:dir { search }; +allow wifi_hal_service vendor_etc_file:file { open read }; +allow wifi_hal_service vendor_lib_file:dir { search }; +allow wifi_hal_service vendor_lib_file:file { execute getattr map open read }; +allow wifi_hal_service wifi_hal_service:capability { net_admin net_raw }; +allow wifi_hal_service wifi_hal_service_exec:file { entrypoint execute map read }; +allow wifi_hal_service wifi_hal_service:netlink_generic_socket { bind create getattr read setopt write }; +allow wifi_hal_service wifi_hal_service:netlink_route_socket { bind create nlmsg_write read write }; +allow wifi_hal_service wifi_hal_service:packet_socket { bind create ioctl read setopt write }; +allow wifi_hal_service wifi_hal_service:udp_socket { bind connect create ioctl read write }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { ioctl }; +allow wifi_hal_service hdf_devmgr:binder { call }; +allow wifi_hal_service data_local:dir { search }; +allow wifi_hal_service wifi_host:binder { call transfer }; +allow wifi_hal_service wifi_manager_service:dir { search }; +allow wifi_hal_service wifi_manager_service:file { open read }; +allow wifi_hal_service wifi_manager_service:process { signal }; +allow wifi_hal_service data_service_file:dir { search }; +allow wifi_hal_service sa_cert_manager_service:samgr_class { get }; +allow wifi_hal_service sa_accesstoken_manager_service:samgr_class { get }; +allow wifi_hal_service hdf_wlan_interface_service:hdf_devmgr_class { get }; +allow wifi_hal_service sa_device_service_manager:samgr_class { get }; +allow wifi_hal_service cert_manager_service:binder { call }; +allow wifi_hal_service huks_service:binder { call }; +allowxperm wifi_hal_service wifi_hal_service:packet_socket ioctl { 0x8927 0x8933 }; +allowxperm wifi_hal_service wifi_hal_service:udp_socket ioctl { 0x8913 0x8914 0x8915 0x8924 0x8927 0x8b0d 0x8bf7 0x8933 0x8910 0x8916 0x891c 0x891b }; +allowxperm wifi_hal_service wifi_hal_service:unix_dgram_socket ioctl { 0x8933 0x5411 }; +allow wifi_hal_service musl_param:file { read }; +allow wifi_hal_service data_service_el1_file:file { append }; +allow wifi_hal_service musl_param:file { open }; +allow wifi_hal_service musl_param:file { map }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { setattr }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { bind }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { sendto }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { read }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { getopt }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { ioctl }; +allow wifi_hal_service dev_hdfwifi:chr_file { read open write getattr ioctl }; +allow wifi_hal_service data_service_el1_file:sock_file { write setattr getattr unlink}; +allow wifi_hal_service data_service_el1_file:dir { create search write getattr add_name }; +allow wifi_hal_service data_local_tmp:dir { getattr read }; +allow wifi_hal_service sys_file:file { read write open }; +allow wifi_hal_service wifi_hal_service:udp_socket { ioctl setopt getopt }; + +# avc: denied { rmdir } for pid=10994 comm="WpaMainThread" name="wpa" dev="mmcblk0p14" ino=2248 scontext=u:r:wifi_hal_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow wifi_hal_service data_service_el1_file:dir { rmdir }; + +# avc: denied { unlink } for pid=478 comm="wifi_hal_servic" name="wifi_mgr_pid.pid" dev="mmcblk0p14" ino=1468 scontext=u:r:wifi_hal_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow wifi_hal_service data_service_el1_file:file { unlink }; + +# avc: denied { read write } for pid=478 comm="wifi_hal_servic" path="/dev/console" dev="tmpfs" ino=40 scontext=u:r:wifi_hal_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow wifi_hal_service dev_console_file:chr_file { read write }; + +#avc: denied { get } for service=hdf_device_manager pid=481 scontext=u:r:wifi_hal_service:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=0 +allow wifi_hal_service hdf_device_manager:hdf_devmgr_class { get }; + +#avc: denied { get } for service=wpa_interface_service pid=481 scontext=u:r:wifi_hal_service:s0 tcontext=u:object_r:hdf_wpa_interface_service:s0 tclass=hdf_devmgr_class permissive=0 +allow wifi_hal_service hdf_wpa_interface_service:hdf_devmgr_class { get }; + +#avc: denied { sendto } for pid=499 comm="wifi_hal_servic" path=002F646174612F736572766963652F656C312F7075626C69632F776966692F736F636B6574732F7770612F776C616E30000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=u:r:wifi_hal_service:s0 tcontext=u:r:wifi_host:s0 tclass=unix_dgram_socket permissive=1 +allow wifi_hal_service wifi_host:unix_dgram_socket { sendto }; + +# avc: denied { call } for pid=1009 comm="IPC_0_1136" scontext=u:r:wifi_hal_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow wifi_hal_service wifi_manager_service:binder { call }; + +# avc: denied { nlmsg_read } for pid=1006 comm="IPC_0_1130" scontext=u:r:wifi_hal_service:s0 tcontext=u:r:wifi_hal_service:s0 tclass=netlink_route_socket permissive=1 +allow wifi_hal_service wifi_hal_service:netlink_route_socket { nlmsg_read nlmsg_readpriv setopt }; + +allow wifi_hal_service netmanager:binder { call }; +allow wifi_hal_service sa_dhcp_client:samgr_class { add get }; +allow wifi_hal_service sa_dhcp_server:samgr_class { add get }; + +allow wifi_hal_service hdf_hostapd_interface_service:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..ff379ca9bf996d7ee2a0bc62fc96e9a6b7019d81 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_hdf_devmgr.te @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr wifi_hal_service:dir { search }; +allow hdf_devmgr wifi_hal_service:file { open read }; +allow hdf_devmgr wifi_hal_service:process { getattr }; +allow hdf_devmgr wifi_hal_service:binder { transfer }; + +allow hdf_devmgr wifi_manager_service:dir { search }; +allow hdf_devmgr wifi_manager_service:file { open read }; +allow hdf_devmgr wifi_manager_service:process { getattr }; +allow hdf_devmgr wifi_manager_service:binder { transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_manager_service.te b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d0387717449976f0a715dea3660fccc38ba17e4c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/communication/wifi/system/wifi_manager_service.te @@ -0,0 +1,233 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service dev_unix_file:sock_file write; +allow wifi_manager_service accesstoken_service:binder { call }; +allow wifi_manager_service data_service_el1_file:dir { add_name remove_name search write create }; +allow wifi_manager_service data_service_el1_file:file { create getattr ioctl lock open read setattr unlink write rename }; +allow wifi_manager_service data_file:dir { search }; +allow wifi_manager_service data_service_el1_file:sock_file { write }; +allow wifi_manager_service accessibility_param:file { read }; +allow wifi_manager_service dev_unix_socket:dir { search }; +allow wifi_manager_service foundation:binder { call transfer }; +allow wifi_manager_service netmanager:binder { call transfer }; +allow wifi_manager_service node:udp_socket { node_bind }; +allow wifi_manager_service port:udp_socket { name_bind }; +binder_call(wifi_manager_service, powermgr); +allow wifi_manager_service sa_accesstoken_manager_service:samgr_class { get }; +allow wifi_manager_service netsysnative:binder { call }; +allow wifi_manager_service sa_foundation_cesfwk_service:samgr_class { get }; +allow wifi_manager_service sa_net_conn_manager:samgr_class { get }; +allow wifi_manager_service sa_wifi_device_ability:samgr_class { add }; +allow wifi_manager_service sa_wifi_hotspot_ability:samgr_class { add get }; +allow wifi_manager_service sa_wifi_p2p_ability:samgr_class { add }; +allow wifi_manager_service sa_wifi_p2p_ability:samgr_class { get }; +allow wifi_manager_service sa_wifi_scan_ability:samgr_class { add }; +allow wifi_manager_service softbus_server:binder { call transfer }; +allow wifi_manager_service system_bin_file:dir { search }; +allow wifi_manager_service system_bin_file:file { execute execute_no_trans map read open }; +allow wifi_manager_service toybox_exec:file { execute execute_no_trans getattr map read open }; +allow wifi_manager_service wifi_hal_service:unix_stream_socket { connectto }; +allow wifi_manager_service sa_netsys_native_manager:samgr_class { get }; +allow wifi_manager_service wifi_manager_service:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write }; +allow wifi_manager_service wifi_manager_service:packet_socket { bind create read write }; +allow wifi_manager_service wifi_manager_service:udp_socket { bind create ioctl setopt getopt read write getattr }; +allow wifi_manager_service wifi_manager_service:unix_dgram_socket { ioctl }; +allow wifi_manager_service data_service_file:dir { search }; +allow wifi_manager_service normal_hap_attr:binder { call transfer }; +allow wifi_manager_service system_core_hap_attr:binder { call transfer }; +allow wifi_manager_service system_basic_hap_attr:binder { call transfer }; +allow wifi_manager_service sa_foundation_appms:samgr_class { get }; +allow wifi_manager_service kernel:system { module_request }; +allow wifi_manager_service musl_param:file { read }; +allow wifi_manager_service sa_huks_service:samgr_class { get }; +allow wifi_manager_service sa_cert_manager_service:samgr_class { get }; +allow wifi_manager_service cert_manager_service:binder { call }; +allow wifi_manager_service huks_service:binder { call }; +allowxperm wifi_manager_service data_service_el1_file:file ioctl { 0x5413 }; +allowxperm wifi_manager_service wifi_manager_service:udp_socket ioctl { 0x8910 0x890B 0x8913 0x8914 0x8915 0x8916 0x891b 0x891c 0x8927 0x8933 0x89f1 0x8955 0x8953}; +allowxperm wifi_manager_service wifi_manager_service:unix_dgram_socket ioctl { 0x8910 }; +allow wifi_manager_service musl_param:file { open }; +allow wifi_manager_service musl_param:file { map }; +allow wifi_manager_service distributeddata:binder { call transfer }; +allow wifi_manager_service distributeddata:fd { use }; +allow wifi_manager_service sa_dataobs_mgr_service_service:samgr_class { get }; +allow wifi_manager_service sa_distributeddata_service:samgr_class { get }; +allow wifi_manager_service sa_foundation_abilityms:samgr_class { get }; +allow wifi_manager_service sa_wifi_device_ability:samgr_class { get }; +allow wifi_manager_service sys_file:file { read open }; +# avc: denied { read write } for pid=7931 comm="sa_main" path="/dev/console" dev="tmpfs" ino=40 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow wifi_manager_service dev_console_file:chr_file { read write }; + +# avc: denied { getattr } for pid=7931 comm="wifi_manager_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=7931 comm="wifi_manager_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=7931 comm="wifi_manager_se" name="online" dev="sysfs" ino=4917 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow wifi_manager_service sysfs_devices_system_cpu:file { getattr open read }; + +# avc: denied { open } for pid=860 comm="AutoStartThread" path="/sys/class/net" dev="sysfs" ino=14626 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=860 comm="AutoStartThread" name="net" dev="sysfs" ino=14626 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=1 +allow wifi_manager_service sysfs_net:dir { open read }; + + +# avc: denied { getopt } for pid=7931 comm="RunHandleThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=unix_dgram_socket permissive=1 +# avc: denied { setopt } for pid=7931 comm="RunHandleThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=unix_dgram_socket permissive=1 +allow wifi_manager_service wifi_manager_service:unix_dgram_socket { getopt setopt }; + +# avc: denied { connectto } for pid=1828 comm="GetHostThread" path="/dev/unix/socket/dnsproxyd" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1 +allow wifi_manager_service netsysnative:unix_stream_socket { connectto }; + +# avc: denied { connect } for pid=1828 comm="NetCheckThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { create } for pid=1828 comm="NetCheckThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=tcp_socket permissive=1 +allow wifi_manager_service wifi_manager_service:tcp_socket { connect create getopt read write setopt getattr bind }; +allow wifi_manager_service port:tcp_socket { name_connect }; + +# avc: denied { get } for service=4010 pid=1814 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=0 +allow wifi_manager_service sa_telephony_tel_core_service:samgr_class { get }; + +# avc: denied { get } for service=4007 pid=1728 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_telephony_tel_cellular_data:s0 tclass=samgr_class permissive=0 +allow wifi_manager_service sa_telephony_tel_cellular_data:samgr_class { get }; + +# avc: denied { call } for pid=3727 comm="RunHandleThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:telephony_sa:s0 tclass=binder permissive=0 +allow wifi_manager_service telephony_sa:binder { call }; + +# avc: denied { transfer } for pid=2121 comm="IPC_2_2419" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:locationhub:s0 tclass=binder permissive=1 +allow wifi_manager_service locationhub:binder { transfer }; + +# avc: denied { get } for service=3301 pid=1449 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=0 +allow wifi_manager_service sa_powermgr_powermgr_service:samgr_class { get }; + +allow wifi_manager_service wifi_hal_service:binder { transfer call }; + +allow wifi_manager_service sa_dhcp_client:samgr_class { add get }; +allow wifi_manager_service sa_dhcp_server:samgr_class { add get }; + +allow wifi_manager_service normal_hap_attr:fd { use }; +allow wifi_manager_service sa_msdp_movement_service:samgr_class { get }; +allow wifi_manager_service msdp_sa:binder { call transfer }; + +allow wifi_manager_service sa_device_service_manager:samgr_class { get }; +allow wifi_manager_service hdf_devmgr:binder { call }; +allow wifi_manager_service hdf_wlan_interface_service:hdf_devmgr_class { get }; +allow wifi_manager_service hdf_device_manager:hdf_devmgr_class { get }; +allow wifi_manager_service hdf_wpa_interface_service:hdf_devmgr_class { get }; +allow wifi_manager_service sa_time_service:samgr_class { get }; +allow wifi_manager_service sa_powermgr_battery_service:samgr_class { get }; +allow wifi_manager_service time_service:binder { call }; +allow wifi_manager_service time_service:binder { transfer }; + +# avc: denied { get } for service=4010 pid=1814 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0 +allow wifi_manager_service sa_accountmgr:samgr_class { get }; + +# avc: denied { call } for pid=599 comm="IPC_1_2526" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=2121 comm="IPC_2_2419" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +allow wifi_manager_service accountmgr:binder { call transfer }; + +allow wifi_manager_service wifi_host:binder { call transfer }; +allow wifi_manager_service wifi_host:unix_dgram_socket { sendto }; +allow wifi_manager_service data_local:dir { search }; + +allow wifi_manager_service dev_unix_socket:sock_file { write }; +allow wifi_manager_service paramservice_socket:sock_file { write }; + +allow wifi_manager_service hdf_hostapd_interface_service:hdf_devmgr_class { get }; +allow wifi_manager_service dev_block_volfile:dir { search }; +allow wifi_manager_service kernel:unix_stream_socket { connectto }; +allow wifi_manager_service data_vendor:dir { search }; + +# avc: denied { set } for parameter=persist.wifi_country_code.dynamic_update pid=3941 uid=1010 gid=1010 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=0 +allow wifi_manager_service persist_param:parameter_service { set }; + +# avc: denied { search } for pid=3925 comm="RunHandleThread" name="by-name" dev="tmpfs" ino=13 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=0 +allow wifi_manager_service dev_block_file:dir { search }; + +# avc: denied { read } for pid=3927 comm="RunHandleThread" name="conn_calidata" dev="tmpfs" ino=379 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=0 +allow wifi_manager_service dev_block_file:lnk_file { read }; + +# avc: denied { getattr } for pid=1419 comm="RunHandleThread" laddr=7.246.161.199 lport=52412 faddr=121.14.84.231 fport=80 scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=tcp_socket permissive=1 +allow wifi_manager_service wifi_manager_service:tcp_socket { getattr setopt }; + +# avc: denied { call } for pid=1386 comm="OS_cesComLstnr" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_host:s0 tclass=binder permissive=1 +allow wifi_manager_service wifi_host:binder { call transfer }; + + +# avc: denied { get } for service=5100 pid=1367 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow wifi_manager_service sa_device_service_manager:samgr_class { get }; + + +# avc: denied { get } for service=hdf_device_manager pid=1365 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_manager_service hdf_device_manager:hdf_devmgr_class { get }; + + +# avc: denied { get } for service=wpa_interface_service pid=1367 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:hdf_wpa_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_manager_service hdf_wpa_interface_service:hdf_devmgr_class { get }; + +# avc: denied { open } for pid=2538 comm="sh" path="/dev/tty" dev="tmpfs" ino=112 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow wifi_manager_service tty_device:chr_file { read write open }; + +# avc: denied { use } for pid=1353 comm="RunHandleThread" path="/dev/ashmem" dev="tmpfs" ino=615 scontext=u:r:wifi_manager_service:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow wifi_manager_service normal_hap:fd { use }; + + +# avc: denied { transfer } for pid=1359 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:hiview:s0 tclass=binder permissive=1 +allow wifi_manager_service hiview:binder { transfer }; + +# avc: denied { search } for pid=6428 comm="sh" name="local" dev="sdd91" ino=3161 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +allow wifi_manager_service data_local:dir { search }; + +# avc: denied { read } for pid=6535 comm="sh" name="cp" dev="sdd86" ino=375 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 +allow wifi_manager_service system_bin_file:lnk_file { read }; +allow wifi_manager_service toybox_exec:lnk_file { read }; + +# avc: denied { getattr } for pid=5751 comm="sh" path="/system/bin/toybox" dev="sdd86" ino=647 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow wifi_manager_service system_bin_file:file { getattr }; +allow wifi_manager_service toybox_exec:file { getattr }; + +# avc: denied { getattr } for pid=6460 comm="cp" path="/data/service/el1/public/wifi/wpa_supplicant" dev="sdd91" ino=3363 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow wifi_manager_service data_service_el1_file:dir { getattr }; + +# avc: denied { create } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +# avc: denied { setopt } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +# avc: denied { bind } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +# avc: denied { getattr } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +# avc: denied { write } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +# avc: denied { read } for pid=1376 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_generic_socket permissive=1 +allow wifi_manager_service wifi_manager_service:netlink_generic_socket { create setopt bind getattr write read }; + +# avc: denied { write } for pid=1359 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow wifi_manager_service dev_kmsg_file:chr_file { write }; + +# avc: denied { get } for pid=1359 comm="wifi_manager_se" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:hdf_chip_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_manager_service hdf_chip_interface_service:hdf_devmgr_class { get }; + +# avc: denied { call } for pid=1376 comm="RunHandleThread" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow wifi_manager_service hdf_devmgr:binder { call }; + +# avc: denied { read write } for pid=2048, comm="system/bin/sa_main/" path="proc/2048/net/aware/aware_ctrl" dev="" ino=11053 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 +# avc: denied { open } for pid=2048, comm="system/bin/sa_main/" path="proc/2048/net/aware/aware_ctrl" dev="" ino=11053 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 +allow wifi_manager_service proc_net:file { read write open }; + +allow wifi_manager_service sa_foundation_ans:samgr_class { get }; + +allow wifi_manager_service dev_ashmem_file:chr_file { open }; + +# avc: denied { get } for service=1153 pid=1544 scontext=u:r:wifi_manager_service:s0 tcontext=u:object_r:sa_comm_net_stats_manager_service:s0 tclass=samgr_class permissive=0 +allow wifi_manager_service sa_comm_net_stats_manager_service:samgr_class { get }; + +# avc: denied { create } for pid=1624 comm="system/bin/sa_main/" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_socket permissive=1 +# avc: denied { setopt } for pid=1624 comm="system/bin/sa_main/" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_socket permissive=1 +# avc: denied { write } for pid=1624 comm="system/bin/sa_main/" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_socket permissive=1 +# avc: denied { read } for pid=1624 comm="system/bin/sa_main/" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:wifi_manager_service:s0 tclass=netlink_socket permissive=1 +allow wifi_manager_service wifi_manager_service:netlink_socket { create setopt write read }; + +allow wifi_manager_service sa_asset_service:samgr_class { get }; +allow wifi_manager_service asset_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/attributes b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..1be1968f8669e83f7c7c32ff5d2016c344939129 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute custom_param_set_allow_attr; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/neverallow.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/neverallow.te new file mode 100644 index 0000000000000000000000000000000000000000..efe3c869b50edb1da688b226f55fc21fda19d6d4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/neverallow.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { normal_hap_attr domain -init -sys_installer_sa -custom_param_set_allow_attr } custom_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..abbfb9326d8159b83dcd82891e2ce8e17fa78842 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type custom_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..7a5372df407e7c5c3f9beded01c6ed5264308c5d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/public/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.custom.preload. u:object_r:custom_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/custom_param.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/custom_param.te new file mode 100644 index 0000000000000000000000000000000000000000..1482ac77d87e1109b3fe2507311e3f7bbe5c5c81 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/custom_param.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow custom_param tmpfs:filesystem associate; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/domain.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..fbb1f5fc2be7c8f50b99c8a3cdc97381e2c8b172 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/domain.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow domain custom_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/init.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..4ee25b396ed00c24fbb874fa614cc2a0fe3747ef --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init custom_param:file { map open read relabelfrom relabelto }; +allow init custom_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..2d78ae3c416d93e73fb3c3a88440622bca568365 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/config_policy/system/normal_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr custom_param:file { getattr map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..c008efda44ae0dd0c5973171c3c2b8ab00dd66e3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type edm_writable_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..7ffa9e9b0b15925ff8b6999c88c236f5068ec273 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.edm. u:object_r:edm_writable_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/type.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..2aaf677b81bc4626d706a2328aeb49cea05dc1d3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type edm_sa, sadomain, domain; +# edm tool +type edm, native_system_domain, domain; +type edm_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8eb9b2184fe340551af9761061800d23cdf4c32c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/accountmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr edm_sa:binder { transfer }; +debug_only(` + allow accountmgr sh:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/bluetooth_service.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/bluetooth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9346b30e129d49e842e8b157246cb8e2f6201d31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/bluetooth_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bluetooth_service edm_sa:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..9684d5a25757e616b4f1afc31954cfb1dc0074a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=597 comm="IPC_2_1166" scontext=u:r:distributeddata:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=0 +allow distributeddata edm_sa:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm.te new file mode 100644 index 0000000000000000000000000000000000000000..7854027919be54cae81805dce38f2ffef95d2c7e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm.te @@ -0,0 +1,112 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + domain_auto_transition_pattern(sh, edm_exec, edm); + + # avc: denied { read open map } for pid=2473 comm="edm" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:edm:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 + allow edm debug_param:file { map open read }; + + # avc: denied { search } for pid=2090 comm="edm" name="socket" dev="tmpfs" ino=43 scontext=u:r:edm:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 + allow edm dev_unix_socket:dir { search }; + + # avc: denied { read write } for pid=2473 comm="edm" path="/dev/pts/3" dev="devpts" ino=6 scontext=u:r:edm:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 + allow edm devpts:chr_file { read write ioctl }; + allowxperm edm devpts:chr_file ioctl { 0x5413 }; + + # avc: denied { call } for pid=2124 comm="edm" scontext=u:r:edm:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=0 + allow edm edm_sa:binder { call }; + + # avc: denied { use } for pid=14587 comm="edm" path="/dev/pts/0" dev="" ino=15478 scontext=u:r:edm:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0 + allow edm hdcd:fd { use }; + + # avc: denied { read write } for pid=6713, comm="bin/edm", dev="tmpfs" scontext=u:r:edm:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=0 + allow edm hdcd:fifo_file { read write }; + + # avc: denied { read write } for pid=14587 comm="edm" scontext=u:r:edm:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=0 + allow edm hdcd:unix_stream_socket { read write }; + + # avc: denied { call transfer } for pid=2193 comm="edm" scontext=u:r:edm:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 + allow edm samgr:binder { call transfer }; + + # avc: denied { get } for service=1601 pid=2024 scontext=u:r:edm:s0 tcontext=u:object_r:sa_enterprise_device_manager_service:s0 tclass=samgr_class permissive=0 + allow edm sa_enterprise_device_manager_service:samgr_class { get }; + + # avc: denied { use } for pid=3841 comm="edm" path="/dev/ptmx" dev="tmpfs" ino=296 scontext=u:r:edm:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0 + allow edm sh:fd { use }; + + # { read write } for pid=3841 comm="edm" path="socket:[31510]" dev="sockfs" ino=31510 scontext=u:r:edm:s0 tcontext=u:r:sh:s0 tclass=unix_stream_socket permissive=0 + allow edm sh:unix_stream_socket { read write }; + + # avc: denied { read write } for pid=3841 comm="edm" path="/dev/tty" dev="tmpfs" ino=40 scontext=u:r:edm:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 + allow edm tty_device:chr_file { read write }; + + # avc: denied { call transfer } for pid=260 comm="OS_IPC_2_304" scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=binder permissive=0 + allow samgr edm:binder { call transfer }; + + # avc: denied { search } for pid=260 comm="OS_IPC_11_1826" name="2411" dev="proc" ino=183478 scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=dir permissive=0 + allow samgr edm:dir { search }; + + # avc: denied { read open } for pid=254 comm="OS_IPC_5_811" name="current" dev="proc" ino=151985 scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=file permissive=0 + allow samgr edm:file { read open }; + + # avc: denied { getattr } for pid=263 comm="OS_IPC_2_305" scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=process permissive=0 + allow samgr edm:process { getattr }; +') + +debug_only(` + domain_auto_transition_pattern(su, edm_exec, edm); + + # avc: denied { read open map } for pid=2473 comm="edm" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:edm:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 + allow edm debug_param:file { map open read }; + + # avc: denied { search } for pid=2090 comm="edm" name="socket" dev="tmpfs" ino=43 scontext=u:r:edm:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 + allow edm dev_unix_socket:dir { search }; + + # avc: denied { read write } for pid=2473 comm="edm" path="/dev/pts/3" dev="devpts" ino=6 scontext=u:r:edm:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 + allow edm devpts:chr_file { read write ioctl }; + allowxperm edm devpts:chr_file ioctl { 0x5413 }; + + # avc: denied { call } for pid=2124 comm="edm" scontext=u:r:edm:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=0 + allow edm edm_sa:binder { call }; + + # avc: denied { call transfer } for pid=2193 comm="edm" scontext=u:r:edm:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 + allow edm samgr:binder { call transfer }; + + # avc: denied { get } for service=1601 pid=2024 scontext=u:r:edm:s0 tcontext=u:object_r:sa_enterprise_device_manager_service:s0 tclass=samgr_class permissive=0 + allow edm sa_enterprise_device_manager_service:samgr_class { get }; + + # avc: denied { use } for pid=3841 comm="edm" path="/dev/ptmx" dev="tmpfs" ino=296 scontext=u:r:edm:s0 tcontext=u:r:su:s0 tclass=fd permissive=0 + allow edm su:fd { use }; + + # avc: denied { read write } for pid=15691, comm="bin/edm", dev="tmpfs" scontext=u:r:edm:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=0 + allow edm su:fifo_file { read write }; + + # { read write } for pid=3841 comm="edm" path="socket:[31510]" dev="sockfs" ino=31510 scontext=u:r:edm:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0 + allow edm su:unix_stream_socket { read write }; + + # avc: denied { read write } for pid=3841 comm="edm" path="/dev/tty" dev="tmpfs" ino=40 scontext=u:r:edm:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 + allow edm tty_device:chr_file { read write }; + + # avc: denied { call transfer } for pid=260 comm="OS_IPC_2_304" scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=binder permissive=0 + allow samgr edm:binder { call transfer }; + + # avc: denied { search } for pid=260 comm="OS_IPC_11_1826" name="2411" dev="proc" ino=183478 scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=dir permissive=0 + allow samgr edm:dir { search }; + + # avc: denied { read open } for pid=254 comm="OS_IPC_5_811" name="current" dev="proc" ino=151985 scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=file permissive=0 + allow samgr edm:file { read open }; + + # avc: denied { getattr } for pid=263 comm="OS_IPC_2_305" scontext=u:r:samgr:s0 tcontext=u:r:edm:s0 tclass=process permissive=0 + allow samgr edm:process { getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm_sa.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..2009133c0062b48c6d8179611c9407688ea0cd24 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/edm_sa.te @@ -0,0 +1,215 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow edm_sa accesstoken_service:binder { call }; +allow edm_sa accountmgr:binder { call }; +allow edm_sa bootevent_param:file { map open read }; +allow edm_sa bootevent_samgr_param:file { map open read }; +allow edm_sa build_version_param:file { map read read open }; +allow edm_sa const_allow_mock_param:file { map open read }; +allow edm_sa const_allow_param:file { map open read }; +allow edm_sa const_build_param:file { map open read }; +allow edm_sa const_display_brightness_param:file { map open read }; +allow edm_sa const_param:file { map open read }; +allow edm_sa const_postinstall_fstab_param:file { map open read }; +allow edm_sa const_postinstall_param:file { map open read }; +allow edm_sa const_product_param:file { map open read }; +allow edm_sa data_file:dir { add_name open read remove_name search write }; +allow edm_sa data_service_el1_file:dir { search read write open add_name remove_name }; +allow edm_sa time_param:parameter_service { set }; + +# avc: denied { lock } for pid=3779 comm="IPC_6_3929" path="/data/service/el1/public/edm/edmdb.db-shm" dev="mmcblk0p12" ino=10573 scontext=u:r:edm_sa:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { map } for pid=398 comm="edm" path="/data/service/el1/public/edm/edmdb.db-shm" dev="mmcblk0p12" ino=14163 scontext=u:r:edm_sa:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow edm_sa data_service_el1_file:file { create write open ioctl rename read unlink setattr getattr lock map }; + +allow edm_sa data_service_file:dir { search }; +allow edm_sa debug_param:file { map open read }; +allow edm_sa default_param:file { map open read }; + +# avc: denied { open } for pid=1904 comm="SaInit0" path="/dev/ashmem" dev="tmpfs" ino=211 scontext=u:r:edm_sa:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow edm_sa dev_ashmem_file:chr_file { open }; + +allow edm_sa dev_console_file:chr_file { read write }; +allow edm_sa dev_file:dir { getattr }; +allow edm_sa dev_unix_socket:dir { search }; + +# avc: denied { read } for pid=2972 comm="edm" name="u:object_r:developtools_hdc_control_param:s0" dev="tmpfs" ino=126 scontext=u:r:edm_sa:s0 tcontext=u:object_r:developtools_hdc_control_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2972 comm="edm" path="/dev/__parameters__/u:object_r:developtools_hdc_control_param:s0" dev="tmpfs" ino=126 scontext=u:r:edm_sa:s0 tcontext=u:object_r:developtools_hdc_control_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=2972 comm="edm" path="/dev/__parameters__/u:object_r:developtools_hdc_control_param:s0" dev="tmpfs" ino=126 scontext=u:r:edm_sa:s0 tcontext=u:object_r:developtools_hdc_control_param:s0 tclass=file permissive=1 +allow edm_sa developtools_hdc_control_param:file { map open read }; + +# avc: denied { set } for process="unknown process" parameter=persist.hdc.control pid=2939 uid=3057 gid=3057 scontext=u:r:edm_sa:s0 tcontext=u:object_r:developtools_hdc_control_param:s0 tclass=parameter_service permissive=0 +allow edm_sa developtools_hdc_control_param:parameter_service { set }; + +allow edm_sa devinfo_private_param:file { map open read }; + +# avc: denied { transfer } for pid=1524 comm="SaInit0" scontext=u:r:edm_sa:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +allow edm_sa distributeddata:binder { call transfer }; + +allow edm_sa distributedsche_param:file { map open read }; +allow edm_sa distributeddata:fd { use }; +allow edm_sa foundation:binder { call transfer }; +binder_call(edm_sa, powermgr); + +# avc: denied { call } for pid=740 comm="edm" scontext=u:r:edm_sa:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow edm_sa hdf_devmgr:binder { call }; + +allow edm_sa hilog_param:file { map open read }; +allow edm_sa hw_sc_build_os_param:file { map open read }; +allow edm_sa hw_sc_build_param:file { map open read }; +allow edm_sa hw_sc_param:file { map open read }; +allow edm_sa init_param:file { map read read open }; +allow edm_sa init_svc_param:file { map open read }; +allow edm_sa input_pointer_device_param:file { map open read }; +allow edm_sa kernel:unix_stream_socket { connectto }; +allow edm_sa musl_param:file { open read map }; +allow edm_sa net_param:file { map open read }; +allow edm_sa net_tcp_param:file { map open read }; +allow edm_sa netmanager:binder { call }; +allow edm_sa normal_hap_attr:binder { call }; + +# avc: denied { use } for pid=995 comm="IPC_4_1048" path="/dev/ashmem" dev="tmpfs" ino=229 scontext=u:r:edm_sa:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow edm_sa normal_hap_attr:fd { use }; + +# avc: denied { read } for pid=4149 comm="OS_FFRT_2_17" dev="sdd78" ino=14037 scontext=u:r:edm_sa:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=0 +allow edm_sa normal_hap_data_file_attr:file { read }; + +allow edm_sa ohos_boot_param:file { map open read }; +allow edm_sa ohos_param:file { map open read }; +allow edm_sa param_watcher:binder { call transfer }; +allow edm_sa paramservice_socket:sock_file { write }; +allow edm_sa persist_param:file { map open read }; +allow edm_sa persist_param:parameter_service { set }; +allow edm_sa persist_sys_param:file { map open read }; + +# avc: denied { use } for pid=1072 comm="IPC_5_1858" path="/dev/ashmem" dev="tmpfs" ino=576 scontext=u:r:edm_sa:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1 +allow edm_sa render_service:fd { use }; + +allow edm_sa sa_accesstoken_manager_service:samgr_class { get }; +allow edm_sa sa_accountmgr:samgr_class { get }; +allow edm_sa sa_cert_manager_service:samgr_class { get }; +allow edm_sa sa_comm_ethernet_manager_service:samgr_class { get }; +# avc: denied { get } for service=3704 pid=2004 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_screenlock_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_screenlock_service:samgr_class { get }; +# avc: denied { get } for service=3301 pid=2779 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_powermgr_powermgr_service:samgr_class { get }; +# avc: denied { get } for service=3009 pid=646 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_audio_policy_service:samgr_class { get }; +# avc: denied { call } for pid=607 comm="IPC_1_859" scontext=u:r:edm_sa:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=0 +allow edm_sa audio_server:binder { call }; + +# avc: denied { get } for service=5100 pid=740 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow edm_sa sa_device_service_manager:samgr_class { get }; + +allow edm_sa sa_distributeddata_service:samgr_class { get }; +allow edm_sa sa_enterprise_device_manager_service:samgr_class { get add }; +allow edm_sa sa_foundation_appms:samgr_class { get }; +allow edm_sa sa_foundation_abilityms:samgr_class { get }; +allow edm_sa sa_foundation_bms:samgr_class { get }; +allow edm_sa sa_foundation_cesfwk_service:samgr_class { get }; + +# avc: denied { get } for service=4607 pid=1035 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow edm_sa sa_foundation_dms:samgr_class { get }; + +# avc: denied { get } for service=1151 pid=759 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1 +allow edm_sa sa_net_conn_manager:samgr_class { get }; + +allow edm_sa sa_param_watcher:samgr_class { get }; +allow edm_sa sa_softbus_service:samgr_class { get }; + +# avc: denied { get } for service=5003 pid=2191 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=1 +allow edm_sa sa_storage_manager_service:samgr_class { get }; + +allow edm_sa sa_time_service:samgr_class { get }; +allow edm_sa sa_update_distributed_service:samgr_class { get }; +allow edm_sa sa_wifi_device_ability:samgr_class { get }; +allow edm_sa sa_wifi_scan_ability:samgr_class { get }; +allow edm_sa sa_wifi_p2p_ability:samgr_class { get }; +allow edm_sa sa_wifi_hotspot_ability:samgr_class { get }; +allow edm_sa sa_wifi_p2p_ability:samgr_class { get }; +allow edm_sa security_param:file { map open read }; +allow edm_sa startup_param:file { map open read }; +allow edm_sa sa_bluetooth_server:samgr_class { get }; +allow edm_sa bluetooth_service:binder { call }; +allow edm_sa sa_location_locator_service:samgr_class { get }; +allow edm_sa sa_telephony_tel_cellular_data:samgr_class { get }; +allow edm_sa sa_telephony_tel_core_service:samgr_class { get }; +allow edm_sa locationhub:binder { call }; + +# avc: denied { call } for pid=740 comm="edm" scontext=u:r:edm_sa:s0 tcontext=u:r:storage_manager:s0 tclass=binder permissive=1 +allow edm_sa storage_manager:binder { call }; + +allow edm_sa sys_file:file { open read }; +allow edm_sa sys_param:file { map open read }; +allow edm_sa sys_usb_param:file { map open read }; + +# avc: denied { open } for pid=2168 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=28065 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=2168 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=28065 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow edm_sa sysfs_devices_system_cpu:file { getattr open read }; + +allow edm_sa sysfs_hctosys:file { open read }; +allow edm_sa sysfs_rtc:dir { open read }; +allow edm_sa system_basic_hap_attr:binder { call }; +allow edm_sa system_bin_file:dir { search }; +allow edm_sa system_core_hap_attr:binder { call }; +allow edm_sa system_lib_file:dir { open read }; +allow edm_sa time_service:binder { call }; +allow edm_sa tracefs:dir { search }; +allow edm_sa tracefs_trace_marker_file:file { open write }; +allow edm_sa updater_sa:binder { call }; +allow edm_sa wifi_manager_service:binder { call }; +allow edm_sa netsysnative:binder { transfer call }; +allow edm_sa sa_netsys_native_manager:samgr_class { get }; +allow edm_sa cert_manager_service:binder { call }; +allow edm_sa sa_net_conn_manager:samgr_class { get }; +allow edm_sa sa_foundation_wms:samgr_class { get }; +allow edm_sa sa_usb_service:samgr_class { get }; +allow edm_sa usb_service:binder { call }; +allow edm_sa edm_writable_param:parameter_service { set }; + +# avc: denied { create } for pid=1652 comm="SaInit0" name="stream_install" scontext=u:r:edm_sa:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +allow edm_sa data_service_el1_file:dir { create setattr }; +allow edm_sa foundation:fd { use }; + +# avc: denied { set } for parameter=persist.useriam.enable.fingerprintauth pid=756 uid=3057 gid=3057 scontext=u:r:edm_sa:s0 tcontext=u:object_r:useriam_enable_writable_param:s0 tclass=parameter_service permissive=0 +allow edm_sa useriam_enable_writable_param:parameter_service { set }; + +# avc: denied { ioctl } for pid=398 comm="edm" path="/data/service/el1/public/edm/edmdb.db" dev="mmcblk0p12" ino=14159 ioctlcmd=0xf50c scontext=u:r:edm_sa:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allowxperm edm_sa data_service_el1_file:file ioctl { 0x5413 0xf50c }; + +# avc: denied { call } for pid=9009, comm="/system/bin/sa_main" scontext=u:r:edm_sa:s0 tcontext=u:r:telephony_sa:s0 tclass=binder permissive=0 +allow edm_sa telephony_sa:binder { call }; + +# avc: denied { get } for service=921 pid=577 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_useriam_userauth_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_useriam_userauth_service:samgr_class { get }; + +# avc: denied { get } for service=3701 pid=627 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_pasteboard_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_pasteboard_service:samgr_class { get }; + +# avc: denied { call } for pid=2537 comm="edm" scontext=u:r:edm_sa:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=0 +allow edm_sa pasteboard_service:binder { call }; + +# avc: denied { call } for pid=1412, comm="/system/bin/sa_main" scontext=u:r:edm_sa:s0 tcontext=u:r:useriam:s0 tclass=binder permissive=0 +allow edm_sa useriam:binder { call }; + +# avc: denied { get } for service=3001 pid=6793 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samar_class permissive=0 +allow edm_sa sa_pulseaudio_audio_service:samgr_class { get }; + +allow edm_sa sa_camera_service:samgr_class { get }; +allow edm_sa camera_service:binder { call }; + +# avc: denied { get } for service=3524 sid=u:r:edm_sa:s0 scontext=u:r:edm_sa:s0 tcontext=u:object_r:sa_sg_collect_service:s0 tclass=samgr_class permissive=0 +allow edm_sa sa_sg_collect_service:samgr_class { get }; + +# avc: denied { append } for pid=445 comm="OS_IPC_2_1213" path="/data/service/el1/public/edm/browser/com.example.edmtest8" dev="mmcblk0p15" ino=10496 scontext=u:r:edm_sa:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow edm_sa data_service_el1_file:file { append }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/file_contexts b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..da248ab35d67950f43d992293ffb4f423c29a215 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for edmm tool +/system/bin/edm u:object_r:edm_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/foundation.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..1050aac7ac4f4ef9b8cd51682d1b8b0766b67f7a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/foundation.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation edm_sa:binder { call transfer }; +allow foundation edm_sa:dir { search }; + +# avc: denied { getattr } for pid=854 comm="IPC_14_1986" path="/proc/2168/cmdline" dev="proc" ino=28981 scontext=u:r:foundation:s0 tcontext=u:r:edm_sa:s0 tclass=file permissive=1 +allow foundation edm_sa:file { open read getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..06289121b5e008ea6129a5c7443d771c3dae32bd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/hdf_devmgr.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=417 comm="IPC_2_858" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=1 +allow hdf_devmgr edm_sa:binder { transfer }; + +# avc: denied { search } for pid=461 comm="IPC_41029" name="740" dev="proc" ino=29166 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:edm_sa:s0 tclass=dir permissive=1 +allow hdf_devmgr edm_sa:dir { search }; + +# avc: denied { read } for pid=461 comm="IPC_41029" name="current" dev="proc" ino=2598 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:edm_sa:s0 tclass=file permissive=1 +# avc: denied { open } for pid=461 comm="IPC_41029" path="/proc/740/attr/current" dev="proc" ino=2598 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:edm_sa:s0 tclass=file permissive=1 +allow hdf_devmgr edm_sa:file { open read }; + +# avc: denied { getattr } for pid=461 comm="IPC_41029" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:edm_sa:s0 tclass=process permissive=1 +allow hdf_devmgr edm_sa:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3db46ce7b61b4e877ecc7f184b2b8551162b8872 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=995 comm="IPC_5_1053" scontext=u:r:normal_hap:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=0 +allow normal_hap_attr edm_sa:binder { call transfer }; +allow normal_hap_attr sa_enterprise_device_manager_service:samgr_class { get }; +allow normal_hap_attr edm_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..faa6deb1e34acf85863a8c1a27cc1ea47d95b441 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr edm_sa:binder { call }; +allow system_basic_hap_attr sa_enterprise_device_manager_service:samgr_class { get }; +allow system_core_hap_attr edm_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b2c1ab6f3e7b99ab5e88e63c903eec23f097edb6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr edm_sa:binder { call }; +allow system_core_hap_attr sa_enterprise_device_manager_service:samgr_class { get }; +allow system_core_hap_attr edm_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/wifi_manager_service.te b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1e67c29888d9bd93235683c2424e27bb25f237fc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/customization/enterprise_device_management/system/wifi_manager_service.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service edm_sa:binder { transfer }; + +debug_only(` + # avc: denied { transfer } for pid=912 comm="IPC_2_1093" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow wifi_manager_service su:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/bytrace/public/type.te b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..750084e0b4da89ee8ee89d0a436235658acbd9af --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/public/type.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type bytrace_exec, exec_attr, file_attr, system_file_attr; + +type bytrace, native_system_domain, domain; + +domain_auto_transition_pattern(native_system_domain, bytrace_exec, bytrace); diff --git a/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/bytrace.te b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/bytrace.te new file mode 100644 index 0000000000000000000000000000000000000000..bfd33a7059b3db0692d30629efb83b022ce68129 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/bytrace.te @@ -0,0 +1,67 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +#allow bytrace data_file:file write; +allow bytrace data_file:dir search; +allow bytrace data_local:dir search; +allow bytrace data_log:dir { add_name search write }; +allow bytrace data_log:file { create getattr open write }; +allow bytrace data_local_tmp:dir { add_name search write create }; +allow bytrace data_local_tmp:file { create getattr open write }; +allow bytrace debug_param:parameter_service set; +allow bytrace dev_unix_socket:dir search; +allow bytrace devpts:chr_file { read write }; +allow bytrace hdcd:fd use; +allow bytrace hdcd:unix_stream_socket { read write }; +allow bytrace system_bin_file:dir search; +allow bytrace tracefs:dir search; +allow bytrace tracefs_trace_marker_file:file { getattr open write }; +allow bytrace tty_device:chr_file { read write }; +allow bytrace tracefs:file { getattr ioctl open read write }; + +allow bytrace ohos_param:file { read map open }; + +allow bytrace kernel:unix_stream_socket connectto; +allow bytrace paramservice_socket:sock_file write; + +allow bytrace ohos_boot_param:file { map open read }; +allow bytrace sys_param:file { open read map }; + +allow bytrace net_param:file { map open read }; +allow bytrace net_tcp_param:file read; +allow bytrace sys_usb_param:file { map open read }; + +allow bytrace hw_sc_build_param:file { open read map }; +allow bytrace hw_sc_param:file { map open read }; +allow bytrace net_tcp_param:file { map open }; + +allow bytrace data_local_tmp:file { read write }; + +allow bytrace domain:dir { getattr search }; +allow bytrace domain:file { open read }; +allow bytrace hw_sc_build_os_param:file { open read map }; + +allow bytrace hw_sc_build_os_param:file { open read }; +allow bytrace init_param:file { map open read }; +allow bytrace init_svc_param:file { map open read }; + +allow bytrace hdcd:fifo_file { ioctl write }; + +allow bytrace const_param:file { map open read }; +allow bytrace const_postinstall_fstab_param:file { map open read }; +allow bytrace const_postinstall_param:file { map open read }; + +developer_only(` + allow bytrace sh:fd use; + allow bytrace sh:fifo_file { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e385fd40602544e4f5cecc59a136b8f825e3e1ed --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/bytrace u:object_r:bytrace_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..42f7e97b649ea48fbbbcb80f72f918e93617b74c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/bytrace/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hidumper_service bytrace:dir search; +allow hidumper_service bytrace:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/ebpf/public/type.te b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..c7bdd89f407c4c2a08a6e7399012545f7e9c5fb0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/public/type.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type hiebpf_exec, exec_attr, file_attr, system_file_attr; + +type hiebpf, native_system_domain, domain; + +domain_auto_transition_pattern(native_system_domain, hiebpf_exec, hiebpf); diff --git a/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ef0f9d6d2bbb960e325ed2676e7660410d9328d3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/hiebpf u:object_r:hiebpf_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/hiebpf.te b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/hiebpf.te new file mode 100644 index 0000000000000000000000000000000000000000..f2ec6f333074762e1f9896f9762b4eb165efb656 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/ebpf/system/hiebpf.te @@ -0,0 +1,85 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiebpf data_file:dir search; +allow hiebpf devpts:chr_file { read write }; +allow hiebpf hdcd:fd use; +allow hiebpf hdcd:unix_stream_socket { read write }; +allow hiebpf hiview_exec:file { getattr map open read }; +allow hiebpf hiview_file:dir search; +allow hiebpf tmpfs:file { getattr open }; +allow hiebpf tty_device:chr_file { read write }; + +allow hiebpf data_service_file:dir search; +allow hiebpf foundation:dir search; +allow hiebpf foundation:file { getattr open read }; +allow hiebpf hidumper_service:file read; +allow hiebpf normal_hap_attr:file read; + +allow hiebpf domain:dir { open read getattr search }; +allow hiebpf domain:file { open read getattr }; + +allow hiebpf system_bin_file:dir search; +allow hiebpf system_bin_file:file { getattr map open read }; +allow hiebpf toybox_exec:file { getattr map open read }; +allow hiebpf self:perf_event { cpu kernel open write }; + +debug_only(` + allow hiebpf data_local_tmp:dir { add_name search write remove_name }; + allow hiebpf data_local_tmp:file { read write create map open getattr ioctl link unlink }; + allow hiebpf self:capability { sys_ptrace sys_resource sys_admin }; + allow hiebpf self:capability2 { perfmon }; + allow hiebpf sh:fd use; +') + +allow hiebpf data_local:dir search; +allow hiebpf hilogd_exec:file { open read }; +allow hiebpf proc_file:file { getattr open read }; +allow hiebpf samain_exec:file { getattr map open read }; +allow hiebpf appspawn_exec:file { getattr map open read }; +allow hiebpf data_service_el1_file:dir search; +allow hiebpf data_service_el1_file:file { getattr open read }; +allow hiebpf self:bpf { map_create map_read map_write prog_load prog_run }; +allow hiebpf self:capability2 { bpf }; +allow hiebpf sys_file:file read; +allow hiebpf system_usr_file:dir search; +allow hiebpf system_usr_file:file read; +allow hiebpf vendor_bin_file:dir search; +allow hiebpf vendor_bin_file:file { getattr map open read }; + +allow hiebpf data_service_el1_file:file map; +allow hiebpf hdf_devmgr_exec:file read; +allow hiebpf hiview_file:file { getattr map open read }; +allow hiebpf init_exec:file { getattr map open read }; +allow hiebpf render_service_exec:file { getattr map open read }; +allow hiebpf sys_file:file { getattr open }; +allow hiebpf system_usr_file:file { getattr map open }; + +allow hiebpf hdcd_exec:file { getattr map open read }; +allow hiebpf hilogd_exec:file { getattr map }; +allow hiebpf uinput_inject_exec:file { getattr map open read }; + +allow hiebpf dev_unix_socket:dir { add_name remove_name search write }; +allow hiebpf dev_unix_socket:sock_file { create unlink }; +allow hiebpf hiprofiler_plugins:fd use; +allow hiebpf hiprofiler_plugins:fifo_file { ioctl write }; +allow hiebpf hiprofiler_plugins:unix_stream_socket { read write }; +allow hiebpf hiprofilerd:fd use; +allow hiebpf rootfs:file read; +allow hiebpf sh_exec:file read; + +allow hiebpf tracefs:dir search; +allow hiebpf tracefs:file { open read write }; + +allow hiebpf powermgr:dir search; +allow hiebpf powermgr:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/file.te b/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..3cd776e17cfd60259bc60c1f79e7e2cbc4d0abab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type data_hdc_pubkeys, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/type.te b/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..97559dacba3278dab1c487ba08b14fc97ab89c04 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdcd_user_permit, native_system_domain, domain; +type hdcd_user_permit_exec, exec_attr, file_attr, system_file_attr; +domain_auto_transition_pattern(hdcd, hdcd_user_permit_exec, hdcd_user_permit); diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..7b1106d2b3204de9c652baf43670db2c5388d038 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/hdc u:object_r:data_hdc_pubkeys:s0 +/data/service/el1/public/hdc/(.*)? u:object_r:data_hdc_pubkeys:s0 +/system/bin/hdcd_user_permit u:object_r:hdcd_user_permit_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..b38bece0883fbcca24d7c02d2903ae3962a0bcbc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/hdcd.te @@ -0,0 +1,342 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License +type developtools_hdc_control_param, parameter_attr; +type developtools_hdc_auth_param, parameter_attr; + +developer_only(` + allow hdcd data_local:file { read open getattr create write }; + allow hdcd data_local:dir { search getattr read write add_name open create }; + allow hdcd data_local_tmp:file { write create setattr read append open getattr unlink }; + allow hdcd data_local_tmp:dir { add_name remove_name write create setattr search getattr read open }; + allow hdcd data_local_traces:dir { read open getattr }; + + allow hdcd vendor_lib_file:file { read getattr }; + allow hdcd vendor_lib_file:dir { read getattr search }; + + allow hdcd self:tcp_socket { accept ioctl setopt read write create bind listen getattr connect name_connect getopt }; + allow hdcd port:tcp_socket { name_bind name_connect }; + allow hdcd node:tcp_socket { node_bind }; + allow hdcd self:udp_socket { create setopt bind }; + allow hdcd port:udp_socket { name_bind }; + allow hdcd node:udp_socket { node_bind }; + allow hdcd sh:process { signal sigkill }; + allow hdcd hdcd_exec:file { open execute_no_trans entrypoint execute map read }; + + allow hdcd kernel:system { syslog_read }; + allow hdcd kernel:unix_stream_socket { connectto }; + allow hdcd kernel:process { setsched }; + + allow hdcd dev_rtc_file:chr_file { write open ioctl }; + + allow hdcd vendor_file:dir { getattr }; + allow hdcd tmpfs:dir { open read }; + allow hdcd tmpfs:file { getattr open read }; + allow hdcd data_file:dir { read write open create getattr search rmdir add_name }; + allow hdcd data_file:file { read getattr open }; + allow hdcd system_file:dir { getattr }; + allow hdcd system_file:file { open }; + + allow hdcd tty_device:chr_file { ioctl read write open }; + allow hdcd system_bin_file:lnk_file { read }; + allow hdcd toybox_exec:lnk_file { read }; + allow hdcd system_bin_file:dir { search getattr }; + allow hdcd system_bin_file:file { open }; + allow hdcd toybox_exec:file { getattr map open read }; + + allow hdcd lib_file:lnk_file { read }; + allow hdcd dev_kmsg_file:chr_file { read open }; + allow hdcd vendor_lib_file:file { open map execute }; + + allow hdcd dev_unix_socket:dir { search }; + allow hdcd dev_unix_socket:sock_file { write }; + + allow hdcd data_init_agent:dir { search write add_name }; + allow hdcd data_init_agent:file { create }; + + allow hdcd dev_ptmx:chr_file { read write open ioctl }; + allow hdcd dev_pts_file:dir { search }; + allow hdcd devpts:chr_file { read write open }; + allow hdcd paramservice_socket:sock_file { write }; + + allow hdcd dev_block_file:dir { search }; + allow hdcd dev_block_file:lnk_file { read }; + allow hdcd dev_block_file:blk_file { ioctl }; + allow hdcd dev_block_volfile:dir { search }; + + allow hdcd bootevent_param:file { map open read }; + allow hdcd bootevent_samgr_param:file { map open read }; + allow hdcd build_version_param:file { map open read }; + allow hdcd const_allow_mock_param:file { map open read }; + allow hdcd const_allow_param:file { map open read }; + allow hdcd const_build_param:file { map open read }; + allow hdcd const_display_brightness_param:file { map open read }; + allow hdcd const_param:file { map open read }; + allow hdcd const_postinstall_fstab_param:file { map open read }; + allow hdcd const_postinstall_param:file { map open read }; + allow hdcd const_product_param:file { map open read }; + allow hdcd data_log:dir { search }; + allow hdcd debug_param:file { map open read }; + allow hdcd default_param:file { map open read }; + allow hdcd dev_usb_ffs:dir { open read search }; + allow hdcd distributedsche_param:file { map open read }; + allow hdcd faultloggerd_temp_file:dir { search }; + allow hdcd faultloggerd_temp_file:file { getattr open read }; + allow hdcd functionfs:dir { search }; + allow hdcd functionfs:file { open read write }; + allow hdcd hilog_param:file { map open read }; + allow hdcd hw_sc_build_os_param:file { map open read }; + allow hdcd hw_sc_build_param:file { map open read }; + allow hdcd hw_sc_param:file { map open read }; + allow hdcd init_param:file { map open read }; + allow hdcd init_svc_param:file { map open read }; + allow hdcd input_pointer_device_param:file { map open read }; + allow hdcd net_param:file { map read open }; + allow hdcd net_tcp_param:file { map open read }; + allow hdcd ohos_boot_param:file { map open read }; + allow hdcd ohos_param:file { map open read }; + allow hdcd persist_param:file { map open read }; + allow hdcd persist_sys_param:file { map open read }; + allow hdcd security_param:file { map open read }; + allow hdcd startup_param:file { map open read }; + allow hdcd sys_file:file { open read }; + allow hdcd sys_param:file { map open read }; + allow hdcd sys_usb_param:file { map open read }; + allow hdcd tracefs:dir { search }; + allow hdcd tracefs_trace_marker_file:file { write open }; + allow hdcd dev_console_file:chr_file { read write }; + allow hdcd musl_param:file { map read open }; + + allow hdcd hmdfs:dir create_dir_perms_without_ioctl; + allow hdcd hmdfs:file create_file_perms_without_ioctl; + + allow hdcd samgr:binder { call }; + allow hdcd param_watcher:binder { call transfer }; + allow hdcd audio_server:binder { call transfer }; + allow hdcd sa_audio_policy_service:samgr_class { get }; + allow hdcd sa_pulseaudio_audio_service:samgr_class { get }; + + #for auth user permit: show system dialog + #avc: denied { call } for pid=8390, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 + allow hdcd_user_permit samgr:binder { call }; + #avc: denied { search } for pid=592, comm="/system/bin/samgr" name="/7691" dev="" ino=21628 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=dir permissive=0 + allow samgr hdcd_user_permit:dir { search }; + #avc: denied { read } for pid=597, comm="/system/bin/samgr" path="/proc/4938/attr/current" dev="" ino=14239 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=0 + allow samgr hdcd_user_permit:file { read }; + #avc: denied { transfer } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=1 + allow samgr hdcd_user_permit:binder { call transfer }; + #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/kmsg" dev="" ino=16 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 + allow hdcd_user_permit dev_kmsg_file:chr_file { write }; + #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 + allow hdcd_user_permit foundation:binder { call transfer }; + #avc: denied { open } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 + #avc: denied { read } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 + allow hdcd_user_permit persist_sys_param:file { open read }; + #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1 + allow hdcd_user_permit hap_domain:binder { call transfer }; + #avc: denied { ioctl } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 + #avc: denied { open } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 + #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 + #avc: denied { read write } for pid=7691, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 + allow hdcd_user_permit tty_device:chr_file { ioctl open write read }; + allowxperm hdcd_user_permit tty_device:chr_file ioctl { 0x5413 }; + # avc: denied { open } for pid=623, comm="/system/bin/samgr" path="/proc/5470/attr/current" dev="" ino=16620 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=1 + allow samgr hdcd_user_permit:file { open }; + #avc: denied { getattr } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=process permissive=1 + allow samgr hdcd_user_permit:process { getattr }; + #avc: denied { get } for service=180 pid=5753 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 + allow hdcd_user_permit sa_foundation_abilityms:samgr_class { get }; + #avc denied { get } for service=401 pid=5574 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 + allow hdcd_user_permit sa_foundation_bms:samgr_class { get }; + #avc: denied { call } for pid=1495, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0 + #avc: denied { transfer } for pid=1492, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0 + allow foundation hdcd_user_permit:binder { call transfer }; + + allow hdcd memmgrservice:dir { getattr search }; + allow hdcd memmgrservice:file { open read }; + + allow hdcd sa_param_watcher:samgr_class { get }; + allow hdcd sys_param:parameter_service { set }; + # hdcd should set sys.usb.ffs.ready + allow hdcd sys_usb_param:parameter_service { set }; + allow hdcd persist_param:parameter_service { set }; + allow hdcd servicectrl_reboot_param:parameter_service { set }; + #avc: denied { search } for pid=2387 comm="hdcd_user_permi" name="socket" dev="tmpfs" ino=43 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 + allow hdcd_user_permit dev_unix_socket:dir { search }; + #avc: denied { connectto } for pid=2387 comm="hdcd_user_permi" path="/dev/unix/socket/paramservice" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 + allow hdcd_user_permit kernel:unix_stream_socket { connectto }; + #avc: denied { write } for pid=2387 comm="hdcd_user_permi" name="paramservice" dev="tmpfs" ino=49 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 + allow hdcd_user_permit paramservice_socket:sock_file { write }; + #avc: denied { map } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + #avc: denied { open } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + #avc: denied { read } for pid=2387 comm="hdcd_user_permi" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + allow hdcd_user_permit debug_param:file { map open read }; + allow hdcd developtools_hdc_auth_param:parameter_service { set }; + allow system_basic_hap_attr developtools_hdc_auth_param:parameter_service { set }; + #avc: denied { relabelfrom } for pid=1 comm="init" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:init:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0 + allow init developtools_hdc_auth_param:file { relabelfrom }; + #avc: denied { map } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1 + #avc: denied { open } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1 + #avc: denied { read } for pid=716 comm="async-50" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1 + allow hdcd_user_permit developtools_hdc_auth_param:file { map open read }; + allow system_basic_hap_attr developtools_hdc_auth_param:file { map open read }; + #avc: denied { read } for pid=699 comm="async-57" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0 + #avc: denied { map } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1 + #avc: denied { open } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1 + allow hdcd developtools_hdc_auth_param:file { read map open }; + #avc: denied { getattr } for pid=641 comm="async-34" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 + #avc: denied { open } for pid=691 comm="async-30" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 + #avc: denied { read } for pid=791 comm="async-0" name="online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 + allow hdcd sysfs_devices_system_cpu:file { getattr open read }; + #avc: denied { ioctl } for pid=3677 comm="async-62" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x540e scontext=u:r:hdcd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allow hdcd devpts:chr_file { ioctl }; + allowxperm hdcd devpts:chr_file ioctl { 0x540e 0x5414 }; + #avc: denied { ioctl } for pid=5516 comm="SaInit0" path="/data/service/el1/public/netmanager/net_stats_data.db" dev="mmcblk0p15" ino=239 ioctlcmd=0xf50c scontext=u:r:netmanager:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 + allow hdcd data_service_el1_file:file { ioctl }; + allowxperm hdcd data_service_el1_file:file ioctl { 0xf50c }; + #avc: denied { map } for pid=14537 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 + #avc: denied { open } for pid=5554 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 + allow hdcd hook_param:file { map open }; + #avc: denied { use } for pid=5554 comm="sh" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:sh:s0 tcontext=u:r:init:s0 tclass=fd permissive=1 + allow hdcd init:fd { use }; + #avc: denied { use } for pid=2387 comm="hdcd_user_permi" path="/system/bin/hdcd_user_permit" dev="mmcblk0p7" ino=238 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1 + allow hdcd_user_permit sh:fd { use }; + + #avc: denied { add_name } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { write } for pid=623 comm="async-46" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { search } for pid=701 comm="async-18" name="misc" dev="mmcblk0p15" ino=108 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + allow hdcd data_hdc_pubkeys:dir { search getattr read open add_name create write }; + #avc: denied { remove_name } for pid=5502, comm="/system/bin/hdcd" name="/service/el1/public/hdc" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3876 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0 + allow hdcd data_hdc_pubkeys:dir { remove_name }; + #avc: denied { getattr } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { open } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { append } for pid=623 comm="async-46" name="hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { write } for pid=623 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { unlink } for pid=6821, comm="/system/bin/hdcd" name="/service/el1/public/hdc/hdc_keys" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=14932 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=0 + allow hdcd data_hdc_pubkeys:file { getattr open append create write unlink }; + #avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0 + #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0 + #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0 + #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0 + allow init data_hdc_pubkeys:dir { getattr open read relabelto setattr }; + #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + allow init data_hdc_pubkeys:file { read }; + + #avc: denied { search } for pid=736 comm="async-40" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 + allow hdcd_user_permit data_service_el1_file:dir { search }; + #avc: denied { search } for pid=736 comm="async-40" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 + allow hdcd_user_permit data_service_file:dir { search }; + + #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 + allow init data_service_el1_file:dir { search }; + #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 + allow init data_service_file:dir { search }; + + #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + allow hdcd data_hdc_pubkeys:file { read }; + #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 + allow hdcd data_service_el1_file:dir { search }; + #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 + allow hdcd data_service_file:dir { search }; + #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0 + allow hdcd hdcd:fd { use }; + #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0 + allow hdcd_user_permit hdcd:fd { use }; + #avc: denied { ioctl } for pid=5024 comm="sh" path="/dev/null" dev="tmpfs" ino=3 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:dev_null_file:s0 tclass=chr_file permissive=0 + allow hdcd_user_permit dev_null_file:chr_file { ioctl }; + allowxperm hdcd_user_permit dev_null_file:chr_file ioctl { 0x5413 }; + #avc: denied { map } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1 + #avc: denied { open } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1 + #avc: denied { read } for pid=13700 comm="sh" name="u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1 + allow hdcd_user_permit startup_init_param:file { map open read }; + #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 + #avc: denied { write } for pid=12045 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 + allow hdcd_user_permit dev_console_file:chr_file { read write }; + #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1 + #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1 + allow hdcd_user_permit hdcd:unix_stream_socket { read write }; + #avc: denied { ioctl } for pid=2387 comm="hdcd_user_permi" path="pipe:[37910]" dev="pipefs" ino=37910 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 + #avc: denied { write } for pid=13700 comm="hdcd_user_permi" path="pipe:[89014]" dev="pipefs" ino=89014 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 + allow hdcd_user_permit hdcd:fifo_file { ioctl write }; + allowxperm hdcd_user_permit hdcd:fifo_file ioctl { 0x5413 }; + #avc: denied { set } for parameter=persist.hdc.daemon.auth_result pid=12378 uid=2000 gid=2000 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=parameter_service permissive=1 + allow hdcd_user_permit developtools_hdc_auth_param:parameter_service { set }; + #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { getattr } for pid=8467 comm="ls" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:sh:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { add_name } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + #avc: denied { write } for pid=716 comm="async-50" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1 + allow hdcd_user_permit data_hdc_pubkeys:dir { open read relabelto setattr getattr add_name create write }; + #avc: denied { append } for pid=716 comm="async-50" name="hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + #avc: denied { write } for pid=716 comm="async-50" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1 + allow hdcd_user_permit data_hdc_pubkeys:file { append create read write }; + + allow hdcd hiprofiler_plugins:process { signal }; + allow hdcd hiprofilerd:process { signal }; + allow hdcd bytrace:process { signal }; + allow hdcd hitrace:process { signal }; + allow hdcd hidumper:process { signal }; + allow hdcd hidumper_file:dir { search }; + allow hdcd hiperf:process { signal }; + allow hdcd hidumper_file:file { getattr open read }; + allow hdcd hilogd_exec:file { execute read open getattr execute_no_trans map }; + allow hdcd hiview_exec:file { execute read open getattr execute_no_trans map }; + allow hdcd hisysevent_exec:file { execute read open getattr execute_no_trans map }; + + # for recv /data/log and /data/log/hilog + allow hdcd data_log:dir { getattr read open }; + allow hdcd data_log:file { getattr read open }; + allow hdcd data_hilogd_file:dir { getattr read open }; + allow hdcd data_hilogd_file:file { getattr read open }; + + # for read hdc.version + allow hdcd debug_param:file { map read open }; + allow hdcd debug_param:parameter_service { set }; + + allow hdcd { normal_hap_attr system_basic_hap_attr system_core_hap_attr sh }:unix_stream_socket { connectto }; + + domain_auto_transition_pattern(hdcd, sh_exec, sh); + + ## this is to do temporary change for get app file in sandbox + # access /data/app/el2/100/base/ + allow hdcd data_app_file:dir { search getattr read open }; + allow hdcd data_app_el2_file:dir { search getattr read open }; + allow hdcd debug_hap_data_file:dir { search getattr read open }; + allow hdcd debug_hap_data_file:file { getattr read open }; + + allow samgr hdcd:dir { search }; + allow samgr hdcd:file { read open }; + allow samgr hdcd:process { getattr }; + allow samgr hdcd:binder { transfer }; + allow param_watcher hdcd:binder { call }; +') + +neverallow hdcd hmdfs:dir ioctl; +neverallow hdcd hmdfs:file ioctl; + +# hdc control +neverallow { domain -usb_host -init -edm_sa } developtools_hdc_control_param:parameter_service { set }; +neverallow { domain -hdcd_user_permit -hdcd } hdcd_user_permit_exec:file { execute }; +neverallow { domain -hdcd -hdcd_user_permit -system_basic_hap_attr } developtools_hdc_auth_param:parameter_service { set }; +neverallow hdcd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr -debug_hap_data_file }:{ dir file } *; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d2f41b2f30f3f8578842146c968e75834c00c78b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/parameter_contexts @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +const.hdc.version u:object_r:debug_param:s0 +persist.hdc.control u:object_r:developtools_hdc_control_param:s0 + +persist.hdc.daemon.auth_result u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.client.hostname u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.client.pubkey_sha256 u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.daemon.auth_cancel u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.jdwp u:object_r:debug_param:s0 + +persist.hdc.mode.usb u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.mode.tcp u:object_r:developtools_hdc_auth_param:s0 +persist.hdc.mode.uart u:object_r:developtools_hdc_auth_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/sh.te b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..abe75fda7b4fbab7ee6407907219664b35fdbf21 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/sh.te @@ -0,0 +1,170 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for developer_only version +developer_only(` +# for shell +allow sh rootfs:dir { search }; +allow sh rootfs:lnk_file { read }; +allow sh dev_file:dir { search }; +allow sh dev_null_file:chr_file { read write open }; +allow sh dev_unix_file:dir { search }; +allow sh dev_unix_socket:dir { search }; +allow sh devpts:chr_file { getattr ioctl read write }; +allowxperm sh devpts:chr_file ioctl { 0x5413 0x5403 }; +allow sh dev_console_file:chr_file { getattr read write }; +allow sh sh:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit }; +allow sh sh:fd use; +allow sh sh:file rw_file_perms; +allow sh sh:fifo_file rw_file_perms; +allow sh sh:dir read_dir_perms; +allow sh sh:lnk_file read_file_perms; +allow sh sh:udp_socket { ioctl bind read write }; +allowxperm sh sh:udp_socket ioctl { 0x8912 0x8913 0x8915 0x8919 0x891b 0x891d 0x8921 0x8927 0x8942 0x8970 }; +allow sh sh:unix_dgram_socket { connect create write }; +allow sh sh:unix_stream_socket { connect create write read setopt }; +allow sh sh:icmp_socket { create setopt write read bind }; +allow sh sh:rawip_socket { create setopt write read }; +allow sh dev_random_file:chr_file { read open }; +allow sh dnsproxy_service:sock_file { read open write }; +allow sh node:udp_socket { node_bind }; +allow sh node:icmp_socket { node_bind }; +allow sh netsysnative:unix_stream_socket { connectto }; +allow sh proc_net:lnk_file { read }; +allow sh devinfo_public_param:file { map open read }; +allow sh devinfo_type_param:file { map open read }; +## for musl.so +allow sh system_lib_file:file { map read execute open getattr }; + +#avc: denied { execute } for pid=26490 comm="sh" name="hdcd_user_permit" dev="mmcblk0p15" ino=2134 scontext=u:r:sh:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=0 +#avc: denied { execute_no_trans } for pid=1621 comm="sh" path="/data/local/tmp/a.sh" dev="mmcblk0p15" ino=1984 scontext=u:r:sh:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=0 +allow sh data_local_tmp:file { execute execute_no_trans }; + +# for toybox command execute +allow sh system_file:dir { search }; +allow sh vendor_file:dir { search }; +allow sh system_lib_file:dir { search }; +allow sh vendor_lib_file:dir { search }; +allow sh system_etc_file:dir { search }; +allow sh lib_file:lnk_file { read }; +allow sh etc_file:lnk_file { read }; +allow sh system_etc_file:file { read open getattr map }; +allow sh sysfs_net:dir { search }; +allow sh sysfs_net:lnk_file { read }; +allow sh proc_net_tcp_udp:file { getattr }; + +allow sh system_bin_file:file { execute execute_no_trans getattr map read open }; +allow sh system_bin_file:lnk_file { read }; +allow sh toybox_exec:file { execute execute_no_trans getattr map read open }; +allow sh toybox_exec:lnk_file { read }; +## for toybox command auto complete, like tab +allow sh system_bin_file:dir { search getattr open read }; + +# for terminal +allow sh tty_device:chr_file { getattr ioctl open read write }; +allowxperm sh tty_device:chr_file ioctl { 0x5401 0x5402 0x5403 0x540f 0x5413 0x5410 }; + +# for reboot +allow sh servicectrl_reboot_param:parameter_service set; +allow sh hichecker_writable_param:parameter_service { set }; +allow sh arkui_param:parameter_service { set }; +allow sh paramservice_socket:sock_file { write }; +## for /dev/unix/socket/parameterservice +allow sh kernel:unix_stream_socket { connectto }; + +# for hdc shell command +allow sh hdcd:fifo_file { read }; +allow sh hdcd:fd { use }; +allow sh hdcd:unix_stream_socket { read write }; +allow sh hdcd:fifo_file { ioctl write }; +allowxperm sh hdcd:fifo_file ioctl { 0x5413 }; + +# for data/local/tmp +allow sh data_file:dir { search getattr }; +allow sh data_local:dir read_dir_perms; +allow sh data_local_tmp:dir { create_dir_perms read_dir_perms }; +allow sh data_local_tmp:file { create_file_perms }; + +# for data/log +allow sh data_log:dir { search }; + +# for data/log/hilog +allow sh data_hilogd_file:dir read_dir_perms; +allow sh data_hilogd_file:file read_file_perms; + +# for ps -efZ +allow sh proc_file:dir { search read open getattr }; +allow sh proc_file:lnk_file { read getattr }; +allow sh proc_net:file { read open getattr }; +allow sh sys_file:dir { search }; +allow sh domain:dir { getattr search }; +allow sh domain:file { open read }; +allow sh domain:process { getattr }; +allow sh selinuxfs:filesystem { getattr }; + +# for access debug_hap_data_file +allow sh data_file:dir search; +allow sh data_app_file:dir search; +allow sh data_app_el1_file:dir search; +allow sh data_app_el2_file:dir search; +allow sh data_app_el3_file:dir search; +allow sh data_app_el4_file:dir search; +allow sh debug_hap_data_file:dir { search getattr read open }; +allow sh debug_hap_data_file:file { getattr read open }; + +# for system_fonts_file +allow sh system_file:dir search; +allow sh system_fonts_file:dir { getattr search read open }; +allow sh system_fonts_file:file { getattr read open }; + +# for param_get +allow sh dev_parameters_file:dir { search }; +allow sh dev_parameters_file:file read_file_perms; +allow sh debug_param:file { map read open }; +allow sh hilog_param:file { map read open }; +allow sh developtools_hdc_control_param:file { map read open }; + +# for bin run +## for bm install +domain_auto_transition_pattern(sh, bm_exec, bm); +## for aa start in deveco +domain_auto_transition_pattern(sh, aa_exec, aa); +domain_auto_transition_pattern(sh, hiperf_exec, hiperf); +domain_auto_transition_pattern(sh, hiprofiler_cmd_exec, hiprofiler_cmd); +domain_auto_transition_pattern(sh, hidumper_exec, hidumper); +domain_auto_transition_pattern(sh, hitrace_exec, hitrace); +domain_auto_transition_pattern(sh, bytrace_exec, bytrace); +domain_auto_transition_pattern(sh, hisysevent_exec, hisysevent); +domain_auto_transition_pattern(sh, wukong_exec, wukong); +domain_auto_transition_pattern(sh, SP_daemon_exec, SP_daemon); +domain_auto_transition_pattern(sh, uitest_exec, uitest); +domain_auto_transition_pattern(sh, snapshot_display_exec, snapshot_display); + +# for sh process crash faultlog +allow sh processdump:process { share sigchld }; +domain_auto_transition_pattern({ domain -sh }, processdump_exec, processdump); +developer_only(` + domain_auto_transition_pattern(sh, processdump_exec, processdump); +') + +# for sh process arkCompiler AOT +allow sh ark_profile:parameter_service { set }; + +# for sh process arkCompiler param +allow sh ark_writeable_param:parameter_service { set }; + +# for hilog +use_hilog(sh) +read_hilog(sh) +control_hilog(sh) +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/su.te b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/su.te new file mode 100644 index 0000000000000000000000000000000000000000..eb8f4d57f5f31a4369cde9556a4b9d3af1025291 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hdc/system/su.te @@ -0,0 +1,374 @@ +# Copyright (c) 2023-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License +debug_only(` + permissive su; + neverallow { domain -init } su:process transition; + neverallow { domain -updater -process_dyntransition_su_violators } su:process dyntransition; + domain_auto_transition_pattern(su, SP_daemon_exec, SP_daemon); + +# allow xxx sh:xxx {xxxx} to allow xxx su:xxx {xxxx} + allow hidumper_service su:dir { search }; + allow hidumper_service su:file { getattr open read }; + allow memmgrservice su:binder { call }; + allow render_service su:fd { use }; + allow aa su:fd { use }; + allow aa su:fifo_file { ioctl write }; + allowxperm aa su:fifo_file ioctl { 0x5413 }; + allow system_core_hap_attr su:binder { call transfer }; + allow accountmgr su:binder { call }; + # avc: denied { call } for pid=858 comm="IPC_1_914" scontext=u:r:pinauth:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow pinauth su:binder { call }; + #avc: denied { call } for pid=510 comm="useriam" scontext=u:r:useriam:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow useriam su:binder { call }; + allow uitest su:fd { use }; + allow uitest su:fifo_file { write }; + allow render_service su:binder { call transfer }; + allow foundation su:binder { call transfer }; + allow powermgr su:binder { call transfer }; + allow bm su:fd { use }; + allow bm su:fifo_file { write ioctl }; + allowxperm bm su:fifo_file ioctl { 0x5413 }; + allow oaid_service su:binder { call }; + allow bluetooth_service su:binder { transfer }; + allow bluetooth_service su:binder { call }; + allow mdnsmanager su:binder { call }; + allow netmanager su:binder { call }; + allow accountmgr su:binder { transfer }; + allow bytrace su:fd use; + allow bytrace su:fifo_file { read write }; + allow hiebpf su:fd use; + allow hdcd su:process { signal sigkill }; + allow hiperf su:dir { getattr open read search }; + allow hiperf su:fd use; + allow hiperf su:fifo_file { read write }; + allow hiperf su:process signull; + allow hiprofiler_cmd su:fd use; + allow hiprofiler_cmd su:fifo_file write; + allow hiprofiler_cmd su:fifo_file ioctl; + allow hiprofiler_plugins su:fd use; + allow hiprofiler_plugins su:dir { open read }; + allow hiprofiler_plugins su:file { getattr open }; + allow hiprofilerd su:fd use; + allow native_daemon su:fd use; + allow native_daemon su:file read; + allow hidumper_service su:fd { use }; + allow hidumper_service su:fifo_file { write }; + allow hidumper su:fd { use }; + allow hidumper su:fifo_file { read write }; + allow distributeddata su:binder { call transfer }; + allow distributeddata su:dir { search }; + allow distributeddata su:fd { use }; + allow distributeddata su:file { getattr open read }; + # avc: denied { getattr } for pid=2245 comm="ps" path="/proc/651" dev="proc" ino=19199 scontext=u:r:su:s0 tcontext=u:r:drm_service:s0 tclass=dir permissive=1 + # avc: denied { search } for pid=2245 comm="ps" name="651" dev="proc" ino=19199 scontext=u:r:su:s0 tcontext=u:r:drm_service:s0 tclass=dir permissive=1 + allow su drm_service:dir { getattr search }; + #avc: denied { call } for pid=686 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + # avc: denied { open } for pid=2245 comm="ps" path="/proc/651/stat" dev="proc" ino=30035 scontext=u:r:su:s0 tcontext=u:r:drm_service:s0 tclass=file permissive=1 + # avc: denied { read } for pid=2245 comm="ps" name="stat" dev="proc" ino=30035 scontext=u:r:su:s0 tcontext=u:r:drm_service:s0 tclass=file permissive=1 + allow su drm_service:file { open read }; + allow device_manager su:binder { call }; + allow daudio su:binder { call }; + allow daudio_host su:binder { call transfer }; + allow dcamera su:binder { call transfer }; + #avc: denied { call } for pid=2003 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow dhardware su:binder { call }; + #avc: denied { call } for pid=2552 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow dscreen su:binder { call transfer }; + allow distributedsche su:binder { call }; + allow samgr su:dir { search }; + allow samgr su:file { open read }; + allow samgr su:process { getattr }; + allow samgr su:binder { call transfer }; + #avc: denied { call } for pid=240 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + #avc: denied { search } for pid=241 comm="hdf_devmgr" name="1998" dev="proc" ino=31745 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=dir permissive=1 + #avc: denied { read } for pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=file permissive=1 + #avc: denied { open } for pid=241 comm="hdf_devmgr" path="/proc/2125/attr/current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=file permissive=1 + #avc: denied { getattr } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:su:s0 tclass=process permissive=1 + allow hdf_devmgr su:binder { call transfer }; + allow hdf_devmgr su:dir { search }; + allow hdf_devmgr su:file { open read }; + allow hdf_devmgr su:process { getattr }; + #avc: denied { use } for pid=1997 comm="HdiServiceManag" path="/dev/ashmem" dev="tmpfs" ino=185 scontext=u:r:sample_host:s0 tcontext=u:r:su:s0 tclass=fd permissive=1 + #avc: denied { call } for pid=2011 comm="sample_host" scontext=u:r:sample_host:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow sample_host su:binder { call }; + allow sample_host su:fd { use }; + #avc: denied { call } for pid=1295 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow hdf_ext_devmgr su:binder {call}; + allow audio_host su:fd { use }; + allow audio_host su:binder { transfer }; + allow camera_host su:binder { call transfer }; + allow codec_host su:binder { transfer call }; + allow codec_host su:fd { use }; + #avc: denied { call } for pid=2059 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow dcamera_host su:binder { call transfer }; + allow allocator_host su:fd { use }; + allow composer_host su:fd { use }; + allow composer_host su:binder { call transfer }; + allow input_user_host su:binder { call }; + #avc: denied { call } for pid=502 comm="sensor_host" scontext=u:r:sensor_host:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow sensor_host su:binder { call }; + allow usb_host su:binder { call }; + #avc: denied { call} for pid=448 comm="wifi_host" scontext=u:r:wifi_host:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow wifi_host su:binder { call }; + allow softbus_server su:binder { call transfer }; + allow backup_sa su:fd { use }; + allow backup_sa su:binder { call }; + allow cloudfiledaemon su:binder { call }; + #avc: denied { call } for pid=611 comm="IPC_0_654" scontext=u:r:file_access_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow file_access_service su:binder { call }; + allow render_service su:fd { use }; + allow hidumper su:fd use; + allow hisysevent su:fd { use }; + allow hisysevent su:fifo_file { write ioctl }; + allowxperm hisysevent su:fifo_file ioctl { 0x5413 }; + allow hitrace su:fd use; + allow hitrace su:fifo_file { read write }; + allow hiview su:dir { getattr open read search}; + allow hiview su:file { getattr read open }; + allow hiview su:binder { call transfer }; + #avc: denied { call } for pid=353 comm="IPC_1_409" scontext=u:r:locationhub:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow locationhub su:binder { call }; + #avc: denied { signal } for pid=1549 comm="su" scontext=u:r:su:s0 tcontext=u:r:inputmethod_service:s0 tclass=process permissive=1 + allow inputmethod_service su:binder { call transfer }; + #avc: denied { use } for pid=555 comm="IPC_1_843" path="/dev/ashmem" dev="tmpfs" ino=166 scontext=u:r:su:s0 tcontext=u:r:pasteboard_service:s0 tclass=fd permissive=1 + allow pasteboard_service su:fd { use }; + allow pasteboard_service su:binder { call transfer }; + allow screenlock_server su:binder { call transfer }; + allow time_service su:binder { call }; + allow wallpaper_service su:fd { use }; + allow wallpaper_service su:fifo_file { read }; + allow wallpaper_service su:binder { call }; + #avc: denied { call } for pid=543 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow msdp_sa su:binder { call }; + #avc: denied { use } for pid=1794 comm="InteractionMana" path="/dev/ashmem" dev="tmpfs" ino=197 scontext=u:r:msdp_sa:s0 tcontext=u:r:su:s0 tclass=fd permissive=0 + allow msdp_sa su:fd { use }; + allow audio_server su:binder { call transfer }; + allow av_codec_service su:binder { call transfer }; + allow av_codec_service su:fd { use }; + allow av_session su:binder { call transfer }; + allow camera_service su:binder { call transfer }; + #avc: denied { call } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + #avc: denied { transfer } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow media_service su:binder { call transfer }; + #avc: denied { use } for pid=20777 comm="avmetadata_unit" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:r:su:s0 tclass=fd permissive=1 + allow media_service su:fd { use }; + #avc: denied { call } for pid=449 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow render_service su:binder { call }; + #avc: denied { transfer } for pid=449 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow render_service su:binder { transfer }; + #avc: denied { setsched } for pid=270 comm="CgroupEventHand" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:su:s0 tclass=process permissive=1 + allow resource_schedule_service su:process { setsched }; + allow multimodalinput su:binder { call }; + #avc: denied { transfer } for pid=1615 comm="com.ohos.settin" scontext=u:r:normal_hap:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow normal_hap_attr su:binder { transfer }; + #avc: denied { transfer } for pid=1529 comm="com.ohos.settin" scontext=u:r:system_basic_hap:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow system_basic_hap_attr su:binder { transfer }; + #avc: denied { call } for pid=472 comm="thermal" scontext=u:r:thermal:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow foundation su:binder { call }; + allow resource_schedule_service su:dir { search }; + allow resource_schedule_service su:file { open }; + allow resource_schedule_service su:binder { call }; + allow su su:code_sign { add_cert_chain remove_cert_chain }; + # avc: denied { call } for pid=12263 comm="IPC_1_12275" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow dlp_permission_service su:binder { call }; + # avc: denied { call } for pid=2854 comm="IPC_1_2877" scontext=u:r:security_component_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + # avc: denied { transfer } for pid=2854 comm="IPC_1_2877" scontext=u:r:security_component_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow security_component_service su:binder { call transfer }; + #avc: denied { getattr } for pid=1853 comm="ls" path="/data/log/sanitizer/ubsan/ubsan.log.394" dev="mmcblk0p11" ino=4712 scontext=u:r:su:s0 tcontext=u:object_r:data_log_sanitizer_file:s0 tclass=file permissive=1 + #avc: denied { getattr } for pid=1805 comm="su" path="/data/log/sanitizer/ubsan/ubsan.log.394" dev="mmcblk0p11" ino=4712 scontext=u:r:su:s0 tcontext=u:object_r:data_log_sanitizer_file:s0 tclass=file permissive=1 + #avc: denied { use } for pid=2011 comm="SensorAgentTest" path="socket:[39791]" dev="sockfs" ino=39791 scontext=u:r:sensors:s0 tcontext=u:r:su:s0 tclass=fd permissive=0 + allow sensors su:fd { use }; + # avc: denied { call } for pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:su:s0 tclass=binder permissive=0 + allow sensors su:binder { call }; + #avc: denied { read write } for pid=2132 comm="SensorAgentTest" path="socket:[39407]" dev="sockfs" ino=39407 scontext=u:r:sensors:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0 + allow sensors su:unix_stream_socket { read write }; + allow init su:file { map open read relabelto relabelfrom }; + allow init su:dir { search }; + allow init su:process { getattr }; + allow param_watcher su:binder { call }; + allow hdf_devmgr su:binder transfer; + allow hdf_devmgr su:dir search; + allow hdf_devmgr su:file { open read }; + allow hdf_devmgr su:process getattr; + allow riladapter_host su:binder call; + allow telephony_sa su:binder { call transfer }; + allow accessibility su:binder { call transfer }; + allow normal_hap_attr su:binder { call }; + allow system_basic_hap_attr su:binder { call }; + allow system_core_hap_attr su:binder { call }; + allow module_update_service su:binder { call transfer }; + allow sys_installer_sa su:binder { call }; + # avc: denied { dyntransition } for pid=285 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=1 + # avc: denied { signal } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=1 + # avc: denied { sigkill } for pid=241 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=1 + allow updater su:process { signal sigkill }; + allow foundation su:binder { call transfer }; + allow { SP_daemon wukong uitest } su:fd { use }; + allow { SP_daemon wukong uitest } su:unix_stream_socket { read write }; + allow su data_hdc_pubkeys:dir { getattr setattr }; + + # sh.te baseline to su + allow su su:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit }; + allow su su:fd use; + allow su su:file rw_file_perms; + allow su su:fifo_file rw_file_perms; + allow su su:dir read_dir_perms; + allow su su:lnk_file read_file_perms; + allow su su:unix_dgram_socket { connect create write }; + allow su su:unix_stream_socket { connect create write read setopt }; + + # for bin run + ## for bm install + domain_auto_transition_pattern(su, bm_exec, bm); + ## for aa start in deveco + domain_auto_transition_pattern(su, aa_exec, aa); + domain_auto_transition_pattern(su, hiperf_exec, hiperf); + domain_auto_transition_pattern(su, hiprofiler_cmd_exec, hiprofiler_cmd); + domain_auto_transition_pattern(su, hidumper_exec, hidumper); + domain_auto_transition_pattern(su, hitrace_exec, hitrace); + domain_auto_transition_pattern(su, bytrace_exec, bytrace); + domain_auto_transition_pattern(su, hisysevent_exec, hisysevent); + domain_auto_transition_pattern(su, snapshot_display_exec, snapshot_display); + + # for su process crash faultlog + # avc: denied { getattr } for pid=2245 comm="ps" path="/proc/503" dev="proc" ino=19131 scontext=u:r:su:s0 tcontext=u:r:clearplay_host:s0 tclass=dir permissive=1 + # avc: denied { search } for pid=2245 comm="ps" name="503" dev="proc" ino=19131 scontext=u:r:su:s0 tcontext=u:r:clearplay_host:s0 tclass=dir permissive=1 + allow su clearplay_host:dir { getattr search }; + allow su processdump:process { share sigchld }; + # avc: denied { open } for pid=2245 comm="ps" path="/proc/503/stat" dev="proc" ino=30001 scontext=u:r:su:s0 tcontext=u:r:clearplay_host:s0 tclass=file permissive=1 + # avc: denied { read } for pid=2245 comm="ps" name="stat" dev="proc" ino=30001 scontext=u:r:su:s0 tcontext=u:r:clearplay_host:s0 tclass=file permissive=1 + allow su clearplay_host:file { open read }; + domain_auto_transition_pattern(su, processdump_exec, processdump); + + # for hilog + use_hilog(su) + read_hilog(su) + control_hilog(su) + + # enable getting accessibility service + allow su sa_accessibleabilityms:samgr_class { get }; + + # allow xxxx hdcd:xxx {xxx} to allow xxxx su:xxx {xxx} + allow foundation su:binder { transfer }; + allow aa su:fd { use }; + allow aa su:unix_stream_socket { read write }; + allow aa su:fifo_file { ioctl read write }; + allowxperm aa su:fifo_file ioctl { 0x5413 }; + allow normal_hap_attr su:unix_stream_socket { connectto }; + allow system_basic_hap_attr su:unix_stream_socket { connectto }; + allow system_core_hap_attr su:unix_stream_socket { connectto }; + allow uitest su:fifo_file { read write ioctl }; + allow uitest su:fd { use }; + allow uitest su:unix_stream_socket { read write }; + allowxperm uitest su:fifo_file ioctl { 0x5413 }; + allow bm su:fd { use }; + allow bm su:fifo_file { read write ioctl }; + allowxperm bm su:fifo_file ioctl { 0x5413 }; + allow bm su:unix_stream_socket { read write }; + allow bytrace su:fd use; + allow bytrace su:unix_stream_socket { read write }; + allow bytrace su:fifo_file { ioctl write }; + allow hiebpf su:fd use; + allow hiebpf su:unix_stream_socket { read write }; + allow samgr su:dir { search }; + allow samgr su:file { read open }; + allow samgr su:process { getattr }; + allow samgr su:binder { transfer }; + allow param_watcher su:binder { call }; + allow sh su:fifo_file { read }; + allow sh su:fd { use }; + allow sh su:unix_stream_socket { read write }; + allow sh su:fifo_file { ioctl write }; + allowxperm sh su:fifo_file ioctl { 0x5413 }; + # for hdc shell command + allow su su:fifo_file { read }; + allow su su:fd { use }; + allow su su:unix_stream_socket { read write }; + allow su su:fifo_file { ioctl write }; + allowxperm su su:fifo_file ioctl { 0x5413 }; + allow hiperf su:fd use; + allow hiperf su:unix_stream_socket { read write }; + allow hiperf su:dir { open read }; + allow hiperf su:process signull; + allow hiprofiler_cmd su:fd use; + allow hiprofiler_cmd su:unix_stream_socket { read write }; + allow hiprofiler_cmd su:fifo_file write; + allow hiprofiler_plugins su:unix_stream_socket { read write }; + allow hiprofiler_plugins su:fifo_file write; + allow hiprofiler_plugins su:fd use; + allow hiprofiler_plugins su:fifo_file ioctl; + allow hiprofiler_plugins su:file read; + allow hiprofilerd su:fd use; + allow hiprofilerd su:unix_stream_socket { read write }; + allow hiprofilerd su:fifo_file write; + allow native_daemon su:fd use; + allow native_daemon su:unix_stream_socket { read write }; + allow hiperf su:fifo_file { ioctl write }; + allow appspawn su:unix_stream_socket connectto; + allow hiprofilerd su:fifo_file { ioctl }; + allowxperm hiprofilerd su:fifo_file ioctl 0x5413; + allow distributeddata su:binder { call transfer }; + allow distributeddata su:dir { search }; + allow distributeddata su:fd { use }; + allow distributeddata su:file { open read }; + allow audio_host su:fd { use }; + allow codec_host su:fd { use }; + allow codec_host su:fifo_file { write }; + allow codec_host su:fifo_file { read }; + allow processdump su:fd use; + allow processdump su:fifo_file { read write }; + allow processdump su:file { getattr open read }; + allow processdump su:process ptrace; + allow processdump su:unix_stream_socket { read write }; + allow processdump su:lnk_file read; + allow hidumper_service su:dir { getattr open read search }; + allow hidumper_service su:fd use; + allow hidumper_service su:file { getattr open read }; + allow hidumper_service su:lnk_file read; + allow hidumper_service su:fifo_file write; + allow hidumper su:fd use; + allow hidumper su:fifo_file write; + allow hidumper su:unix_stream_socket { read write }; + allow hisysevent su:fd { use }; + allow hisysevent su:fifo_file { read write }; + allow hisysevent su:unix_stream_socket { read write }; + allow hitrace su:fd use; + allow hitrace su:unix_stream_socket { read write }; + allow hitrace su:fifo_file { ioctl write }; + allow hiview su:dir search; + allow hiview su:file { getattr open read }; + allow hiview su:binder { call transfer }; + allow bytrace su:fifo_file { ioctl write }; + allowxperm bytrace su:fifo_file ioctl { 0x5413 }; + allow init su:process { rlimitinh siginh transition getattr }; + allow init su:file { read open }; + allow init su:dir { search }; + allow hdcd su:process { setcurrent }; + #avc: denied { use } for pid=1953 comm="nweb_test" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:normal_hap:s0 tcontext=u:r:su:s0 tclass=fd permissive=1 + allow normal_hap_attr su:fd { use }; + allow SP_daemon su:unix_stream_socket { read write }; + allow SP_daemon su:fd use; + allow SP_daemon su:fifo_file { ioctl read write }; + allowxperm SP_daemon su:fifo_file ioctl { 0x5413 }; + allow SP_daemon su:dir { getattr open read search }; + allow SP_daemon su:file { getattr open read }; + allow SP_daemon su:lnk_file read; + + #for read and write system parameter + #avc: denied { use } for pid=696 comm="async-55" path="socket:[28017]" dev="sockfs" ino=28017 scontext=u:r:hdcd:s0 tcontext=u:r:su:s0 tclass=fd permissive=0 + allow hdcd su:fd { use }; + #avc: denied { connect write } for pid=696 comm="async-55" scontext=u:r:hdcd:s0 tcontext=u:r:su:s0 tclass=unix_dgram_socket permissive=0 + allow hdcd su:unix_dgram_socket { connect write }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hiperf/public/type.te b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..0ee216e07c373b3f8e2ebcf270512247fb426ee6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/public/type.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type data_test_file, file_attr, data_file_attr; + +type data_log_hiperf_file, file_attr, data_file_attr; + +type data_local_tmp_hiperf_file, file_attr, data_file_attr; + +type hiperf_exec, exec_attr, file_attr, system_file_attr; + +type hiperf, native_system_domain, domain; + +domain_auto_transition_pattern(native_system_domain, hiperf_exec, hiperf); +domain_auto_transition_pattern(hiview, hiperf_exec, hiperf); diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2a216e79ab535f5011608ca1745c9e47d4634f56 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/file_contexts @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/hiperf u:object_r:hiperf_exec:s0 + +/data/test u:object_r:data_test_file:s0 +/data/test/(.*)? u:object_r:data_test_file:s0 + +/data/log/hiperf(/.*)? u:object_r:data_log_hiperf_file:s0 + +/data/local/tmp/hiperf(/.*)? u:object_r:data_local_tmp_hiperf_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9a634139e20be124b0195e58c749055d49a279da --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hidumper_service hiperf:dir search; +allow hidumper_service hiperf:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hiperf.te b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hiperf.te new file mode 100644 index 0000000000000000000000000000000000000000..72294e47a4a4d8d99d517df0863b3551212ed6f8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/hiperf/system/hiperf.te @@ -0,0 +1,263 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiperf const_allow_mock_param:file { map open read }; +allow hiperf const_allow_param:file { map open read }; +allow hiperf const_build_param:file { map open read }; +allow hiperf const_param:file { map open read }; +allow hiperf const_postinstall_fstab_param:file { map open read }; +allow hiperf const_postinstall_param:file { map open read }; +allow hiperf data_test_file:file { write }; +allow hiperf data_file:file { getattr ioctl map open read }; +allow hiperf default_param:file { map open read }; +allow hiperf distributedsche_param:file { map open read }; +allow hiperf hdcd:fd use; +allow hiperf hdcd_exec:file { getattr map open read }; +allow hiperf hw_sc_build_os_param:file { map open read }; +allow hiperf hw_sc_build_param:file { map open read }; +allow hiperf hw_sc_param:file { map open read }; +allow hiperf init_param:file { map open read }; +allow hiperf init_svc_param:file { map open read }; +allow hiperf input_pointer_device_param:file { map open read }; +allow hiperf net_param:file { map open read }; +allow hiperf net_tcp_param:file { map open read }; +allow hiperf normal_hap_attr:dir { getattr open read search }; +allow hiperf normal_hap_attr:process signull; +allow hiperf ohos_boot_param:file { map open read }; +allow hiperf ohos_param:file { map open read }; +allow hiperf proc_buddyinfo_file:file getattr; +allow hiperf proc_cgroups_file:file getattr; +allow hiperf proc_cmdline_file:file getattr; +allow hiperf proc_config_gz_file:file getattr; +allow hiperf proc_cpuinfo_file:file getattr; +allow hiperf proc_diskstats_file:file getattr; +allow hiperf proc_file:file { ioctl write }; +allow hiperf proc_filesystems_file:file getattr; +allow hiperf proc_interrupts_file:file getattr; +allow hiperf proc_iomem_file:file getattr; +allow hiperf proc_keys_file:file getattr; +allow hiperf proc_kmsg_file:file getattr; +allow hiperf proc_loadavg_file:file getattr; +allow hiperf proc_meminfo_file:file { getattr open read }; +allow hiperf proc_misc_file:file getattr; +allow hiperf proc_modules_file:file { getattr open read }; +allow hiperf proc_pagetypeinfo_file:file getattr; +allow hiperf proc_partitions_file:file getattr; +allow hiperf proc_rkisp_vir0_file:file getattr; +allow hiperf proc_slabinfo_file:file getattr; +allow hiperf proc_softirqs_file:file getattr; +allow hiperf proc_stat_file:file getattr; +allow hiperf proc_swaps_file:file getattr; +allow hiperf proc_sysrq_trigger_file:file getattr; +allow hiperf proc_timer_list_file:file getattr; +allow hiperf proc_uptime_file:file getattr; +allow hiperf proc_version_file:file getattr; +allow hiperf proc_vmallocinfo_file:file getattr; +allow hiperf proc_vmstat_file:file getattr; +allow hiperf proc_zoneinfo_file:file getattr; +allow hiperf samain_exec:file { getattr map open read }; +allow hiperf sys_param:file { map open read }; +allow hiperf sys_usb_param:file { map open read }; +allow hiperf tracefs:dir { open read search }; +allow hiperf tracefs:file { getattr open read write ioctl }; +allowxperm hiperf tracefs:file ioctl { 0x5413 }; +allow hiperf tty_device:chr_file { read write }; + +allow hiperf appspawn_exec:file { getattr map open read }; +allow hiperf bootevent_param:file { map open read }; +allow hiperf bootevent_samgr_param:file { map open read }; +allow hiperf build_version_param:file { map open read }; +allow hiperf const_display_brightness_param:file { map open read }; +allow hiperf const_product_param:file { map open read }; +allow hiperf debug_param:file { map open read }; +allow hiperf devpts:chr_file { read write }; +allow hiperf hdcd:unix_stream_socket { read write }; +allow hiperf hilog_param:file { map open read }; +allow hiperf hilogd_exec:file { getattr map open read }; +allow hiperf persist_param:file { map open read }; +allow hiperf persist_sys_param:file { map open read }; +allow hiperf proc_file:file { getattr open read }; +allow hiperf security_param:file { map open read }; +allow hiperf self:perf_event { cpu kernel open read write }; +allow hiperf startup_param:file { map open read }; +allow hiperf wifi_hal_service_exec:file { getattr map open read }; +allow hiperf hiview_exec:file { getattr map open read }; +allow hiperf storage_daemon_exec:file { getattr map open read }; + +allow hiperf data_file:dir search; +allow hiperf dev_unix_socket:dir search; +allow hiperf system_bin_file:dir search; +allow hiperf data_local:dir search; + +allow hiperf hiprofiler_plugins:unix_stream_socket { read write }; +allow hiperf rootfs:file read; +allow hiperf sh_exec:file { getattr map open read }; +allow hiperf sysfs_kernel_notes:file { open read }; +allow hiperf system_bin_file:file { execute execute_no_trans getattr map open read }; +allow hiperf toybox_exec:file { execute execute_no_trans getattr map open read }; +allow hiperf tmpfs:file { read write }; + +allow hiperf hiprofiler_plugins:fd use; +allow hiperf hiprofilerd:fd use; +allow hiperf hiprofiler_plugins:fifo_file { ioctl write }; +allow hiperf watchdog_service_exec:file { getattr map open read }; + +allow hiperf data_local_tmp:fifo_file { create open read unlink write }; +allow hiperf hdf_devmgr_exec:file { getattr map open read }; +allow hiperf proc_cpuinfo_file:file { open read }; +allow hiperf sysfs_devices_system_cpu:file { open read }; +allow hiperf uinput_inject_exec:file { getattr map open read }; +allow hiperf vendor_bin_file:dir search; + +allow hiperf domain:dir { add_name getattr search open read write }; +allow hiperf domain:file { getattr map open read }; + +allow hiperf camera_service:dir { open read }; +allow hiperf camera_service:process signull; +allow hiperf drm_service:dir { open read }; +allow hiperf drm_service:process signull; +allow hiperf data_file:dir { add_name getattr open read write }; + +allow hiperf dev_mali:chr_file { getattr open read }; +allow hiperf distributedfiledaemon:dir { open read }; +allow hiperf distributedfiledaemon:process signull; +allow hiperf hdcd:dir { open read }; +allow hiperf hdcd:process signull; +allow hiperf init:dir { open read }; +allow hiperf init:process signull; +allow hiperf render_service:dir { open read }; +allow hiperf render_service:process signull; +allow hiperf render_service_exec:file { getattr map open read }; +allow hiperf rootfs:dir read; +allow hiperf self:perf_event tracepoint; +allow hiperf system_basic_hap_attr:dir { open read }; +allow hiperf system_basic_hap_attr:process signull; +allow hiperf system_bin_file:lnk_file read; +allow hiperf toybox_exec:lnk_file read; +allow hiperf ui_service:dir { open read }; +allow hiperf ui_service:process signull; +allow hiperf hiview:process signull; +allow hiperf domain:process signull; + +allow hiperf accessibility_param:file { map open read }; +allow hiperf ohos_dev_param:file { map open read }; +allow hiperf data_log_hiperf_file:dir { create_dir_perms }; +allow hiperf data_log_hiperf_file:file { create_file_perms }; +allow hiperf data_log_hiperf_file:fifo_file { create open read unlink write }; + +allow hiperf data_local_tmp_hiperf_file:dir { create_dir_perms }; +allow hiperf data_local_tmp_hiperf_file:file { create_file_perms }; +allow hiperf data_local_tmp_hiperf_file:fifo_file { create open read unlink write }; + +allow hiperf data_log:dir { add_name open read search watch write create remove_name }; +allow hiperf data_log:file { create getattr lock map open read rename ioctl write unlink }; +allow hiperf data_app_el1_file:file { getattr map open read }; +allow hiperf data_app_el1_file:dir search; +allow hiperf normal_hap_attr:lnk_file read; + +allow hiperf chip_prod_file:dir search; +allow hiperf chip_prod_file:file { getattr map open read }; +allow hiperf sys_file:file { getattr open read }; +allow hiperf sysfs_devices_system_cpu:file getattr; +allow hiperf udevd_exec:file { getattr map open read }; +allow hiperf ueventd_exec:file read; +allow hiperf vendor_bin_file:file { getattr map open read }; + +allow init data_log:file relabelfrom; +allow init data_log_hiperf_file:dir relabelto; + +#allow hiperf data_file:file { create write }; +#allow hiperf devpts:chr_file ioctl; + +debug_only(` + allow hiperf self:capability { setgid }; + allow hiperf self:capability2 syslog; + allow hiperf hap_domain:process { ptrace }; +') + +developer_only(` + allow hiperf sh:dir { getattr open read search }; + allow hiperf sh:fd use; + allow hiperf sh:fifo_file { read write }; + allow hiperf sh:process signull; + allow hiperf debug_hap:process { ptrace }; +') + +neverallow hiperf { domain debug_only(`-hap_domain') developer_only(`-debug_hap') }:process ptrace; +allow hiperf data_local_tmp:file { create getattr ioctl map open read rename unlink write }; +allow hiperf data_local_tmp:dir { open read add_name remove_name search write }; +allow hiperf self:capability2 perfmon; +allow hiperf self:capability { sys_ptrace ipc_lock }; +allow hiperf self:perf_event { open read write kernel }; + +neverallow { domain -hiperf -init -hiebpf } self:perf_event ~{ open read write kernel }; + +allow hiperf musl_param:file { open map read }; +allow hiperf dev_console_file:chr_file { read write }; +allow hiperf musl_param:file { open map read }; +allow hiperf security_param:parameter_service { set }; +allow hiperf hiviewdfx_profiler_param:parameter_service { set }; +allow hiperf paramservice_socket:sock_file { read write }; +allow hiperf kernel:unix_stream_socket connectto; + +allow hiperf sa_foundation_bms:samgr_class get; +allow hiperf sa_param_watcher:samgr_class get; +allow hiperf foundation:binder call; +allow hiperf samgr:binder { call }; + +allow hiperf param_watcher:binder { call transfer }; +allow hiperf tracefs_trace_marker_file:file { open write }; +allow hiperf hilog_exec:file { getattr map open read }; +allow hiperf rootfs:file { ioctl }; +allow hiperf ueventd_exec:file { getattr map open }; +allow hiperf dev_file:dir getattr; + +allow samgr hiperf:file { read open }; +allow samgr hiperf:dir { search }; +allow samgr hiperf:process { getattr }; +allow samgr hiperf:binder { call transfer }; + +allow hiperf dev_bbox:chr_file { read }; +allow hiperf sysfs_devices_system_cpu:dir { read open }; + +allow hiperf hiview:fd { use }; +allow hiperf hiview:unix_dgram_socket { read write }; +allow hiperf hiview:fifo_file { read write }; +allow hiperf hiview_file:file { read write }; + +allow hiview hiperf:process sigkill; +allow hiview data_local:dir { search }; +allow hiview proc_file:file { getattr }; +allow hiview debug_param:parameter_service { set }; + +allow hiperf system_file:file { getattr open read }; +allow hiperf SP_daemon_exec:file { getattr open read }; +allow hiperf data_local_arkcache:dir { search }; +allow hiperf data_local_arkcache:file { getattr open read }; +allow hiperf app_el1_bundle_public:dir { getattr open read search }; +allow hiperf app_el1_bundle_public:file { getattr map open read }; +allow hiperf deviceauth_service_exec:file { getattr map open read }; +allow hiperf faultloggerd_exec:file { getattr map open read }; +allow hiperf hidumper_exec:file { getattr map open read }; +allow hiperf hiprofiler_cmd_exec:file { getattr map open read }; +allow hiperf hiprofiler_plugins_exec:file { getattr map open read }; +allow hiperf hiprofilerd_exec:file { getattr map open read }; +allow hiperf hisysevent_exec:file { getattr map open read }; +allow hiperf hitrace_exec:file { getattr map open read }; +allow hiperf init_exec:file { getattr map open read }; +allow hiperf sys_prod_file:dir { search }; +allow hiperf sys_prod_file:file { getattr map open read }; +allow hiperf system_usr_file:file { getattr map open read }; +allow hiperf data_service_el1_file:file { getattr map open read }; + +allow hiperf isolated_render:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/public/lldb.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/public/lldb.te new file mode 100644 index 0000000000000000000000000000000000000000..ebf010dda868fc930d14861440a838efb6890b84 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/public/lldb.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The context for processes of lldb-server, it does not inherit any other +# existing attributes for processes other than 'domain' because rules for +# lldb-server are expected to be controlled discretely. +type lldb_server, domain; +# The context for the binary file of lldb-server, files and subdirectories under +# /data/local/tmp/debugserver/ are supposed to be labeled with it. The rationale +# of not inheritting other file-related attributes is the same as above. +type lldb_server_file, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..a13bc10c1d2a4b79bd3b14787b31dd61ad9755a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/appspawn.te @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + +# lldb-server is launch by Appspawn, therefore Appspawn should be allowed to +# execute lldb-server and transit to the SELinux context designated for the +# lldb-server process. +domain_auto_transition_pattern(appspawn, lldb_server_file, lldb_server); +# Needed for Appspawn to execute lldb-server +allow appspawn data_local_tmp:dir { search }; +allow appspawn lldb_server_file:dir { search }; +allow appspawn lldb_server:process2 { nosuid_transition }; +# For fs-verify(signature checking) of lldb-server. appspawn will execute lldb-server. +allow appspawn key_enable:key { search }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..de5b81633d4d133ef3b4edebb72a3faac991713f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# For lldb-server +/data/local/tmp/debugserver(/.*)? u:object_r:lldb_server_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..54cca26b45f05fb0a2f548c003d2350179aa9772 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/hdcd.te @@ -0,0 +1,35 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + +# If an lldb client is used for remotely debugging an application with a +# OpenHarmony device, hdc is utilized to pull necessary binary and dso files +# (e.g. /system/bin/appspawn and /lib/ld-musl-aarch64.so.1). If such files +# cannot be pulled from the device, the lldb client was not able to resolve any +# of dso files loaded by an application, therefore breakpoints cannot be set on +# any of loaded dso. +allow hdcd appspawn_exec:file { getattr read open }; +allow hdcd cjappspawn_exec:file { getattr read open }; + +# Allow users using hdc to upload lldb-server to subdirectories under +# /data/local/tmp/lldb-server/ +allow hdcd lldb_server_file:file { write create setattr read append open getattr + unlink }; +allow hdcd lldb_server_file:dir { add_name remove_name write create setattr + search getattr read open }; +# Before connecting to lldb-server, users have to create a network forwarding +# by hdc fport to the Unix abstraact socket listened by lldb-server. +allow hdcd lldb_server:unix_stream_socket { connectto }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/init.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..156dab41f958996fc6104bd22b320a0853d2e175 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/init.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + +# Allow init to create directory /data/local/tmp/lldb-server and set SELinux +# context to lldb_server_file +allow init data_local_tmp:dir { add_name create relabelfrom write }; +allow init lldb_server_file:dir { setattr relabelto }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/lldb.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/lldb.te new file mode 100644 index 0000000000000000000000000000000000000000..7d62caed36d8959aed0b64e3d78e9005eb50d4e1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/lldb.te @@ -0,0 +1,74 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + +# lldb-server has to access stdin, stdout and stderror SELinuc context of which +# is appspawn. +allow lldb_server appspawn:fd { use }; +allow lldb_server cjappspawn:fd { use }; + +# lldb-server at first ran in the platform mode. Each time it accepts a request +# of a client, it forks, and the child run (reload using the execv syscall) +# lldb-server. The logs of lldb-server are also allowed to be output to the directory +# where lldb-server is stored. +allow lldb_server data_file:dir { search }; +allow lldb_server data_local:dir { search }; +allow lldb_server data_local_tmp:dir { search getattr }; +allow lldb_server lldb_server_file:dir { write create add_name search }; +allow lldb_server lldb_server_file:file { create append map execute execute_no_trans }; +allow lldb_server lldb_server:process { fork getsched setsched }; + +# lldb-server needs to read the procfs of a debuggable app to know runtime +# information such as what the binary is and the runtime vm address the binary +# is loaded at. +allow lldb_server debug_hap:dir { search read open }; +allow lldb_server debug_hap:file { read open }; +allow lldb_server debug_hap:lnk_file { read }; + +# lldb-server needs to read system libraries and the Appspawn/CJAppspawn binary so that it +# can compare these with local module caches which are used for symbol resolving +# and breaking setting etc. +allow lldb_server system_bin_file:dir { search }; +allow lldb_server appspawn_exec:file { getattr read open map }; +allow lldb_server cjappspawn_exec:file { getattr read open map }; + +# Debugging functionalities like breakpoints and stepping are accomplished by +# sending ptrace syscalls. +allow lldb_server debug_hap:process { ptrace sigkill signal sigstop }; + +# For fs-verify(signature checking) of lldb-server. lldb-server will execute lldb-server. +allow lldb_server key_enable:key { search }; + +') + +# Forbid lldb-server to debug other processes except debuggable applications and +# even child processes launched by lldb-server. +neverallow lldb_server { domain developer_only(`-debug_hap') }:process { + ptrace sigkill signal sigstop }; +neverallow lldb_server self:process { ptrace sigkill signal sigstop }; +# Only processes of Appspawn/CJAppspawn and lldb-server can execute lldb-server. +neverallow { domain developer_only(`-appspawn -cjappspawn -lldb_server') } + lldb_server_file:file { map execute execute_no_trans entrypoint }; +# Only allow Appspawn/CJAppspawn to spawn lldb-server, the context transition is +# accomplished by the kernel, and dynamic transition in the user land is +# forbidden. +neverallow { domain developer_only(`-appspawn -cjappspawn') } + lldb_server:process { transition }; +neverallow domain lldb_server:process { dyntransition }; +# Only allow hdcd to connect to Unix socket owned lldb-server in the developer +# mode in case an already launched lldb-server is utilized by other thirdy-party +# process directly or indirectly to dump sensitive information from debuggable +# applications. +neverallow { domain -lldb_server developer_only(`-hdcd') } + lldb_server:unix_stream_socket { connectto }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/sh.te b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..a2a7bdb5ed7551fb60c2c87fe67b178288970d64 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/lldb/system/sh.te @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + +# Allow users using hdc shell to create directories and files under +# /data/local/tmp/lldb-server +allow sh lldb_server_file:file { write create setattr read append open getattr + unlink }; +allow sh lldb_server_file:dir { add_name remove_name write create setattr search + getattr read open rmdir }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5da3ea91840613034e3309289698d5372f490dfe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +hiviewdfx.debugenv. u:object_r:hidebug_private_param:s0 +persist.hiviewdfx.debugenv. u:object_r:hidebug_private_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/type.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..869d5208308f85c6868990206d648ce84acc2316 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/public/type.te @@ -0,0 +1,46 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type hiprofilerd_exec, exec_attr, file_attr, system_file_attr; + +type hiprofilerd, native_system_domain, domain; + +type hiprofiler_cmd_exec, exec_attr, file_attr, system_file_attr; + +type hiprofiler_cmd, native_system_domain, domain; + +type hiprofiler_plugins_exec, exec_attr, file_attr, system_file_attr; + +type hiprofiler_plugins, native_system_domain, domain; + +type native_daemon_exec, exec_attr, file_attr, system_file_attr; + +type native_daemon, sadomain, domain; + +type hiprofiler_socket, dev_attr, file_attr; + +type sa_native_daemon, sa_service_attr; + +type hidebug_private_param, parameter_attr; + +domain_auto_transition_pattern(native_system_domain, hiprofilerd_exec, hiprofilerd); + +domain_auto_transition_pattern(native_system_domain, hiprofiler_cmd_exec, hiprofiler_cmd); + +domain_auto_transition_pattern(native_system_domain, hiprofiler_plugins_exec, hiprofiler_plugins); + +domain_auto_transition_pattern(native_system_domain, native_daemon_exec, native_daemon); + +domain_auto_transition_pattern(hiprofiler_plugins, SP_daemon_exec, SP_daemon); + +neverallow { domain debug_only(`-su') } hidebug_private_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/bytrace.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/bytrace.te new file mode 100644 index 0000000000000000000000000000000000000000..215f817d83db2fb6234aca33b39bef3495f166d5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/bytrace.te @@ -0,0 +1,68 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow bytrace hiprofiler_plugins:fifo_file read; +allow bytrace hiprofiler_plugins:unix_stream_socket { read write }; +allow bytrace hiprofilerd:fd use; + +allow bytrace hiprofiler_plugins:fd use; +allow bytrace hiprofiler_plugins:fifo_file write; + +allow bytrace domain:file { map open read write }; + +allow bytrace data_local_tmp:dir read; + +allow bytrace const_param:file { read map open }; +allow bytrace hw_sc_build_os_param:file map; +allow bytrace init_param:file { map open read }; +allow bytrace init_svc_param:file { map open read }; +allow bytrace ohos_boot_param:file open; +allow bytrace tmpfs:file { read write }; + +allow bytrace const_postinstall_fstab_param:file { read map open }; +allow bytrace const_postinstall_param:file { read map open }; + +allow bytrace bootevent_param:file { read map open }; +allow bytrace build_version_param:file { read map open }; +allow bytrace const_build_param:file { read map open }; +allow bytrace const_product_param:file { read map open }; +allow bytrace debug_param:file { read map open }; +allow bytrace hilog_param:file { read map open }; +allow bytrace persist_param:file { read map open }; +allow bytrace persist_sys_param:file { read map open }; +allow bytrace security_param:file { read map open }; +allow bytrace startup_param:file { read map open }; + +allow bytrace bootevent_samgr_param:file { read map open }; +allow bytrace const_display_brightness_param:file { read map open }; +allow bytrace default_param:file { read map open }; +allow bytrace distributedsche_param:file { read map open }; +allow bytrace input_pointer_device_param:file { read map open }; + +allow bytrace hiprofiler_plugins:fifo_file ioctl; + +allow hiperf init_exec:file { getattr map open read }; +allow hiperf render_service_exec:file { getattr map open read }; + +allow bytrace const_allow_mock_param:file { read map open }; +allow bytrace const_allow_param:file { read map open }; + +allow bytrace sa_hiview_service:samgr_class get; +allow bytrace samgr:binder { call }; +allow bytrace dev_console_file:chr_file { read write }; +allow bytrace hiview:binder { call transfer }; + +allow samgr bytrace:dir { search }; +allow samgr bytrace:file { read open }; +allow samgr bytrace:process { getattr }; +allow samgr bytrace:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..fdeef1fe23fd229b80d8f9e9958ed29c6c446d07 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/file_contexts @@ -0,0 +1,24 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/hiprofilerd u:object_r:hiprofilerd_exec:s0 + +/system/bin/hiprofiler_plugins u:object_r:hiprofiler_plugins_exec:s0 + +/system/bin/hiprofiler_cmd u:object_r:hiprofiler_cmd_exec:s0 + +/system/bin/native_daemon u:object_r:native_daemon_exec:s0 + +/dev/unix/socket/hiprofiler_unix_socket u:object_r:hiprofiler_socket:s0 + +/dev/unix/socket/hook_unix_socket u:object_r:hiprofiler_socket:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidebug.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidebug.te new file mode 100644 index 0000000000000000000000000000000000000000..2c1be46ba0364c76dcf97ffd1969a5322e01b090 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidebug.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow domain hidebug_private_param:file { map open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c3b216025869da7d8b2b19fff12b4398c5ea1a5b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hidumper_service.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hidumper_service hiprofiler_plugins:dir search; +allow hidumper_service hiprofiler_plugins:file { open read }; +allow hidumper_service hiprofilerd:dir search; +allow hidumper_service hiprofilerd:file { open read }; +allow hidumper_service hiprofiler_cmd:file read; + +allow hidumper_service hiprofiler_cmd:dir search; +allow hidumper_service hiprofiler_cmd:file open; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_cmd.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_cmd.te new file mode 100644 index 0000000000000000000000000000000000000000..346c0e80082a2134154f9f5643d0819225761e33 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_cmd.te @@ -0,0 +1,182 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiprofiler_cmd devpts:chr_file { read write }; +allow hiprofiler_cmd hdcd:fd use; +allow hiprofiler_cmd hdcd:unix_stream_socket { read write }; +allow hiprofiler_cmd proc_cpuinfo_file:file { open read }; +allow hiprofiler_cmd tty_device:chr_file { read write }; +allow hiprofiler_cmd node:tcp_socket node_bind; +allow hiprofiler_cmd self:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write }; +allow hiprofiler_cmd self:tcp_socket { bind create setopt }; +allow hiprofiler_cmd port:tcp_socket name_connect; +allow hiprofiler_cmd self:tcp_socket { connect getattr getopt read write }; +allow hiprofiler_cmd self:tcp_socket shutdown; +allow hiprofiler_cmd data_local:dir search; + +allow hiprofiler_cmd rootfs:file { read }; + +allow hiprofiler_cmd dev_unix_socket:dir search; +allow hiprofiler_cmd hdcd:fifo_file { read write }; +allow hiprofiler_cmd ohos_boot_param:file { map open read }; +allow hiprofiler_cmd ohos_param:file { map open read }; +allow hiprofiler_cmd system_bin_file:dir search; + +allow hiprofiler_cmd const_param:file { map open read }; +allow hiprofiler_cmd init_param:file { map open read }; +allow hiprofiler_cmd net_tcp_param:file { open read }; +allow hiprofiler_cmd sys_usb_param:file { map open }; + +allow hiprofiler_cmd hw_sc_param:file { open read }; +allow hiprofiler_cmd net_param:file { map open read }; +allow hiprofiler_cmd net_tcp_param:file map; +allow hiprofiler_cmd persist_param:file read; +allow hiprofiler_cmd security_param:file { map open read }; + +allow hiprofiler_cmd const_postinstall_param:file { map open read }; +allow hiprofiler_cmd hw_sc_build_param:file { map open read }; +allow hiprofiler_cmd hw_sc_param:file map; +allow hiprofiler_cmd init_svc_param:file { map open read }; + +allow hiprofiler_cmd hw_sc_build_os_param:file { open read }; +allow hiprofiler_cmd persist_param:file { map open }; +allow hiprofiler_cmd persist_sys_param:file { open read }; + +allow hiprofiler_cmd const_postinstall_fstab_param:file { map open read }; +allow hiprofiler_cmd debug_param:file { map open read }; +allow hiprofiler_cmd hw_sc_build_os_param:file map; +allow hiprofiler_cmd persist_sys_param:file map; +allow hiprofiler_cmd startup_param:file { open read }; + +allow hiprofiler_cmd const_postinstall_fstab_param:file { map open read }; +allow hiprofiler_cmd hw_sc_build_os_param:file map; +allow hiprofiler_cmd persist_sys_param:file map; + +allow hiprofiler_cmd bootevent_param:file { map open read }; +allow hiprofiler_cmd const_allow_mock_param:file { map open read }; +allow hiprofiler_cmd const_allow_param:file { map open read }; +allow hiprofiler_cmd startup_param:file map; + +allow hiprofiler_cmd build_version_param:file { open read }; +allow hiprofiler_cmd data_file:dir search; +allow hiprofiler_cmd dev_file:sock_file write; +allow hiprofiler_cmd netsysnative:unix_stream_socket connectto; + +allow hiprofiler_cmd bootevent_samgr_param:file read; +allow hiprofiler_cmd build_version_param:file map; +allow hiprofiler_cmd const_display_brightness_param:file read; +allow hiprofiler_cmd distributedsche_param:file { map open read }; + +allow hiprofiler_cmd bootevent_samgr_param:file { map open }; +allow hiprofiler_cmd const_build_param:file { map open read }; +allow hiprofiler_cmd const_display_brightness_param:file open; +allow hiprofiler_cmd input_pointer_device_param:file { map open read }; + +allow hiprofiler_cmd const_display_brightness_param:file map; +allow hiprofiler_cmd default_param:file { map open read }; + +allow hiprofiler_cmd tty_device:chr_file { ioctl open }; + +allow hiprofiler_cmd rootfs:file getattr; +allow hiprofiler_cmd system_bin_file:lnk_file read; +allow hiprofiler_cmd toybox_exec:lnk_file read; + +allow hiprofiler_cmd init:file read; +allow hiprofiler_cmd kernel:file read; +allow hiprofiler_cmd system_bin_file:file { execute execute_no_trans getattr map open read }; +allow hiprofiler_cmd toybox_exec:file { execute execute_no_trans getattr map open read }; + +allow hiprofiler_cmd dev_unix_socket:dir remove_name; +allow hiprofiler_cmd dev_unix_socket:sock_file unlink; +allow hiprofiler_cmd hdf_devmgr:file read; +allow hiprofiler_cmd hiprofiler_plugins:process sigkill; +allow hiprofiler_cmd hiprofilerd:fd use; +allow hiprofiler_cmd hiprofilerd:process sigkill; + +allow hiprofiler_cmd const_product_param:file { map open read }; +allow hiprofiler_cmd hilog_param:file { map open read }; +allow hiprofiler_cmd sys_param:file { map open read }; +allow hiprofiler_cmd sys_usb_param:file read; + +allow hiprofiler_cmd hilogd:file read; +allow hiprofiler_cmd hiprofilerd:process signal; + +allow hiprofiler_cmd domain:dir { search open read }; +allow hiprofiler_cmd domain:file { getattr map open read }; + +allow hiprofiler_cmd dev_unix_socket:dir write; +allow hiprofiler_cmd dev_unix_socket:sock_file write; + +allow hiprofiler_cmd dev_unix_socket:dir add_name; +allow hiprofiler_cmd hiprofilerd:unix_stream_socket connectto; +allow hiprofiler_cmd tmpfs:file { map read write }; + +allow hiprofiler_cmd kernel:unix_stream_socket connectto; + +allow hiprofiler_cmd dev_unix_socket:sock_file { create getattr setattr }; +allow hiprofiler_cmd hook_param:parameter_service set; + +developer_only(` + allow hiprofiler_cmd data_local_tmp:file { lock read open getattr }; + allow hiprofiler_cmd data_local_tmp:dir { open search }; +') + +debug_only(` + allow hiprofiler_cmd data_local_tmp:file { create write }; + allow hiprofiler_cmd data_local_tmp:dir { add_name write getattr }; + allow hiprofiler_cmd sh_exec:file { execute execute_no_trans map open read }; + allow hiprofiler_cmd self:capability { setgid }; +') + +developer_only(` + allow hiprofiler_cmd sh:fd use; + allow hiprofiler_cmd sh:fifo_file write; + allowxperm hiprofiler_cmd sh:fifo_file ioctl { 0x5413 }; + allow hiprofiler_cmd sh:fifo_file ioctl; +') + +allow hiprofiler_cmd self:capability sys_ptrace; + +allow hiprofiler_cmd domain:process signal; +allow hiprofiler_cmd hiview_exec:file { getattr map open read }; + +allow domain hiprofiler_cmd:fd use; +allow domain hiprofiler_cmd:unix_stream_socket connectto; +allow domain tmpfs:file { map read write }; +allow hiprofiler_cmd ohos_dev_param:file { map open read }; +allow hiprofiler_cmd dev_unix_file:sock_file unlink; +allow hiprofiler_cmd paramservice_socket:sock_file write; + +allow hiprofiler_cmd appspawn_exec:file { open read }; +allow hiprofiler_cmd normal_hap_attr:lnk_file read; +allow hiprofiler_cmd data_app_el1_file:dir search; +allow hiprofiler_cmd data_app_el1_file:file { getattr map open read }; + +neverallow hiprofiler_cmd *:process ptrace; +allow hiprofiler_cmd musl_param:file read; +allow hiprofiler_cmd native_daemon:process sigkill; +allow hiprofiler_cmd musl_param:file { map open }; +allow hiprofiler_cmd security_param:parameter_service set; +allow hiprofiler_cmd dnsproxy_service:sock_file write; +allow hiprofiler_cmd proc_file:file { getattr open read }; + +allow hiprofiler_cmd hiviewdfx_profiler_param:parameter_service { set }; +allow hiprofiler_cmd dev_console_file:chr_file { read write }; +allowxperm hiprofiler_cmd devpts:chr_file ioctl { 0x5413 }; +allow hiprofiler_cmd devpts:chr_file { ioctl }; + +allow hiprofiler_cmd vendor_bin_file:dir search; +allow hiprofiler_cmd sysfs_devices_system_cpu:dir { read open }; +allow hiprofiler_cmd dev_file:dir getattr; +allow hiprofiler_cmd dev_ashmem_file:chr_file { open }; +allow hiprofiler_cmd hdcd_exec:file { read open getattr map }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_plugins.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_plugins.te new file mode 100644 index 0000000000000000000000000000000000000000..24a988576f5c5f9b57add74a5a6e49042ef9a5ce --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofiler_plugins.te @@ -0,0 +1,317 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiprofiler_plugins data_file:dir search; +allow hiprofiler_plugins data_init_agent:dir search; +allow hiprofiler_plugins data_init_agent:file { append ioctl open read }; +allow hiprofiler_plugins dev_unix_socket:sock_file { unlink create getattr setattr write }; +allow hiprofiler_plugins devpts:chr_file { read write }; +allow hiprofiler_plugins hdcd:unix_stream_socket { read write }; +allow hiprofiler_plugins hdcd:fifo_file write; +allow hiprofiler_plugins tty_device:chr_file { read write }; +allow hiprofiler_plugins dev_unix_socket:dir { add_name remove_name write search }; +allow hiprofiler_plugins proc_cpuinfo_file:file { open read }; +allow hiprofiler_plugins system_bin_file:dir search; +allow hiprofiler_plugins data_local:dir search; +allow hiprofiler_plugins hiprofilerd:unix_stream_socket connectto; +allow hiprofiler_plugins hiprofilerd:fd { use }; + +allow hiprofiler_plugins appspawn:file read; +allow hiprofiler_plugins hdcd:fd use; +allow hiprofiler_plugins hdf_devmgr:file read; +allow hiprofiler_plugins hilog_param:file { map open read }; +allow hiprofiler_plugins init:file { getattr open read }; +allow hiprofiler_plugins kernel:file read; +allow hiprofiler_plugins net_param:file read; +allow hiprofiler_plugins net_tcp_param:file read; +allow hiprofiler_plugins ohos_boot_param:file { map open read }; +allow hiprofiler_plugins ohos_param:file { map open read }; +allow hiprofiler_plugins param_watcher:file read; +allow hiprofiler_plugins persist_param:file { map open read }; +allow hiprofiler_plugins persist_sys_param:file read; +allow hiprofiler_plugins proc_stat_file:file { getattr open read }; +allow hiprofiler_plugins samgr:file read; +allow hiprofiler_plugins security_param:file { map open read }; +allow hiprofiler_plugins storage_manager:file read; +allow hiprofiler_plugins sys_file:file { getattr open read }; +allow hiprofiler_plugins sys_param:file { map open read }; +allow hiprofiler_plugins sys_usb_param:file read; +allow hiprofiler_plugins sysfs_devices_system_cpu:dir { open read }; +allow hiprofiler_plugins sysfs_devices_system_cpu:file { getattr read }; +allow hiprofiler_plugins tmpfs:file write; +allow hiprofiler_plugins udevd:file read; +allow hiprofiler_plugins watchdog_service:file read; + +allow hiprofiler_plugins const_param:file read; +allow hiprofiler_plugins const_postinstall_param:file read; +allow hiprofiler_plugins hw_sc_build_os_param:file read; +allow hiprofiler_plugins hw_sc_build_param:file read; +allow hiprofiler_plugins hw_sc_param:file { map open read }; +allow hiprofiler_plugins init_param:file read; +allow hiprofiler_plugins init_svc_param:file read; +allow hiprofiler_plugins net_param:file { map open }; +allow hiprofiler_plugins net_tcp_param:file { map open }; +allow hiprofiler_plugins sys_usb_param:file { map open }; + +allow hiprofiler_plugins const_param:file { map open }; +allow hiprofiler_plugins hw_sc_build_os_param:file { map open }; +allow hiprofiler_plugins hw_sc_build_param:file { map open }; +allow hiprofiler_plugins init_param:file { map open }; +allow hiprofiler_plugins init_svc_param:file { map open }; +allow hiprofiler_plugins const_postinstall_param:file open; + +allow hiprofiler_plugins const_allow_mock_param:file read; +allow hiprofiler_plugins const_allow_param:file { open read }; +allow hiprofiler_plugins const_build_param:file read; +allow hiprofiler_plugins const_postinstall_fstab_param:file { map open read }; +allow hiprofiler_plugins const_postinstall_param:file map; +allow hiprofiler_plugins const_product_param:file read; +allow hiprofiler_plugins debug_param:file read; +allow hiprofiler_plugins persist_sys_param:file open; +allow hiprofiler_plugins startup_param:file read; +allow hiprofiler_plugins bootevent_param:file read; +allow hiprofiler_plugins bootevent_samgr_param:file read; +allow hiprofiler_plugins build_version_param:file read; +allow hiprofiler_plugins const_allow_mock_param:file open; +allow hiprofiler_plugins const_allow_param:file map; +allow hiprofiler_plugins const_build_param:file open; +allow hiprofiler_plugins const_product_param:file open; +allow hiprofiler_plugins debug_param:file open; +allow hiprofiler_plugins persist_sys_param:file map; +allow hiprofiler_plugins startup_param:file open; + +allow hiprofiler_plugins bootevent_param:file { map open }; +allow hiprofiler_plugins bootevent_samgr_param:file open; +allow hiprofiler_plugins build_version_param:file { map open }; +allow hiprofiler_plugins const_allow_mock_param:file map; +allow hiprofiler_plugins const_build_param:file map; +allow hiprofiler_plugins const_product_param:file map; +allow hiprofiler_plugins debug_param:file map; +allow hiprofiler_plugins startup_param:file map; + +allow hiprofiler_plugins bootevent_samgr_param:file map; +allow hiprofiler_plugins const_display_brightness_param:file { map open read }; +allow hiprofiler_plugins distributedsche_param:file { map open read }; +allow hiprofiler_plugins input_pointer_device_param:file { map open read }; + +allow hiprofiler_plugins default_param:file { map open read }; + +allow hiprofiler_plugins accessibility:file { getattr open read }; +allow hiprofiler_plugins distributeddata:file { getattr read }; +allow hiprofiler_plugins hilog_exec:file { execute execute_no_trans getattr map open read }; +allow hiprofiler_plugins init:dir { open read }; +allow hiprofiler_plugins kernel:file { getattr open }; +allow hiprofiler_plugins media_service:dir search; +allow hiprofiler_plugins proc_meminfo_file:file { getattr open read }; +allow hiprofiler_plugins proc_vmstat_file:file { getattr open read }; +allow hiprofiler_plugins sysfs_block_zram:file { getattr open read }; +allow hiprofiler_plugins sysfs_devices_system_cpu:file open; + +allow hiprofiler_plugins tracefs:file write; + +allow hiprofiler_plugins init:dir search; +allow hiprofiler_plugins init:unix_stream_socket connectto; +allow hiprofiler_plugins mmi_uinput_service:file read; + +allow hiprofiler_plugins accountmgr:file read; +allow hiprofiler_plugins deviceauth_service:file read; +allow hiprofiler_plugins huks_service:file read; +allow hiprofiler_plugins locationhub:file read; +allow hiprofiler_plugins memmgrservice:file read; +allow hiprofiler_plugins multimodalinput:file read; +allow hiprofiler_plugins resource_schedule_service:file read; +allow hiprofiler_plugins storage_daemon:file read; + +allow hiprofiler_plugins bgtaskmgr_service:file read; +allow hiprofiler_plugins bluetooth_service:file read; +allow hiprofiler_plugins device_usage_stats_service:file read; +allow hiprofiler_plugins pasteboard_service:file read; + +allow hiprofiler_plugins audio_server:file read; +allow hiprofiler_plugins download_server:file read; +allow hiprofiler_plugins edm_sa:file read; +allow hiprofiler_plugins msdp_sa:file read; +allow hiprofiler_plugins screenlock_server:file read; +allow hiprofiler_plugins time_service:file read; +allow hiprofiler_plugins tty_device:chr_file open; +allow hiprofiler_plugins wallpaper_service:file read; + +allow hiprofiler_plugins codec_host:file read; +allow hiprofiler_plugins face_auth_host:file read; +allow hiprofiler_plugins fingerprint_auth_host:file read; +allow hiprofiler_plugins hdcd:fifo_file ioctl; +allow hiprofiler_plugins hilog_control_socket:sock_file write; +allow hiprofiler_plugins light_host:file read; +allow hiprofiler_plugins location_host:file read; +allow hiprofiler_plugins pin_auth_host:file read; +allow hiprofiler_plugins sensor_host:file read; +allow hiprofiler_plugins user_auth_host:file read; +allow hiprofiler_plugins vibrator_host:file read; + +allow hiprofiler_plugins audio_host:file read; +allow hiprofiler_plugins blue_host:file read; +allow hiprofiler_plugins clearplay_host:file read; +allow hiprofiler_plugins camera_host:file read; +allow hiprofiler_plugins allocator_host:file read; +allow hiprofiler_plugins input_user_host:file read; +allow hiprofiler_plugins power_host:file read; +allow hiprofiler_plugins usb_host:file read; +allow hiprofiler_plugins wifi_host:file read; + +allow hiprofiler_plugins camera_service:file read; +allow hiprofiler_plugins faultloggerd:file read; +allow hiprofiler_plugins drm_service:file read; +allow hiprofiler_plugins media_service:file read; +allow hiprofiler_plugins render_service:file read; +allow hiprofiler_plugins useriam:file read; +allow hiprofiler_plugins wifi_hal_service:file read; + +allow hiprofiler_plugins distributedsche:file read; +allow hiprofiler_plugins softbus_server:file read; +allow hiprofiler_plugins ui_service:file read; + +allow hiprofiler_plugins hiview:file read; +allow hiprofiler_plugins installs:file read; +allow hiprofiler_plugins sensors:file read; + +allow hiprofiler_plugins foundation:file read; +allow hiprofiler_plugins hdcd:file read; +allow hiprofiler_plugins hidumper_service:file read; +allow hiprofiler_plugins hiprofilerd:file read; +allow hiprofiler_plugins kernel:dir search; +allow hiprofiler_plugins pinauth:file read; +allow hiprofiler_plugins wifi_manager_service:file read; + +allow hiprofiler_plugins proc_file:file write; +allow hiprofiler_plugins udevd:file { getattr open }; + +allow hiprofiler_plugins deviceauth_service:dir search; +allow hiprofiler_plugins deviceauth_service:file { getattr open }; +allow hiprofiler_plugins resource_schedule_service:dir search; +allow hiprofiler_plugins resource_schedule_service:file { getattr open }; +allow hiprofiler_plugins storage_daemon:dir search; +allow hiprofiler_plugins storage_daemon:file { getattr open }; + +allow hiprofiler_plugins hilogd:file getattr; +allow hiprofiler_plugins system_bin_file:file execute; +allow hiprofiler_plugins toybox_exec:file { execute execute_no_trans getattr map open read }; +allow hiprofiler_plugins tmpfs:file { map read }; +allow hiprofiler_plugins tracefs:dir search; +allow hiprofiler_plugins tracefs:file { getattr read }; + +allow hiprofiler_plugins accountmgr:file getattr; +allow hiprofiler_plugins bgtaskmgr_service:file getattr; +allow hiprofiler_plugins bluetooth_service:file getattr; +allow hiprofiler_plugins device_usage_stats_service:file getattr; +allow hiprofiler_plugins hiprofiler_cmd:file getattr; +allow hiprofiler_plugins hiprofilerd:file getattr; +allow hiprofiler_plugins huks_service:file getattr; +allow hiprofiler_plugins locationhub:file getattr; +allow hiprofiler_plugins memmgrservice:file getattr; +allow hiprofiler_plugins pasteboard_service:file getattr; +allow hiprofiler_plugins proc_file:file { getattr open read }; +allow hiprofiler_plugins audio_server:file getattr; +allow hiprofiler_plugins tracefs:file open; + +allow hiprofiler_plugins proc_diskstats_file:file { open read }; +allow hiprofiler_plugins rootfs:file getattr; + +allow hiprofiler_plugins hiprofiler_cmd:fd use; +allow hiprofiler_plugins rootfs:file read; +allow hiprofiler_plugins tty_device:chr_file ioctl; +allow hiprofiler_plugins hilog_output_socket:sock_file write; + +allow hiprofiler_plugins proc_uptime_file:file { open read }; +allow hiprofiler_plugins tracefs:dir { open read }; + +allow hiprofiler_plugins tracefs:file append; + +allow hiprofiler_plugins data_local_tmp:dir { getattr read watch watch_reads add_name write open search remove_name }; +allow hiprofiler_plugins data_local_tmp:file { create read open write lock getattr unlink }; +allow hiprofiler_plugins self:capability { sys_ptrace dac_read_search }; + +debug_only(` + allow hiprofiler_plugins self:capability { sys_admin }; + allow hiprofiler_plugins sh_exec:file { execute execute_no_trans map open read }; + allow hiprofiler_plugins self:capability setgid; + allow hiprofiler_plugins sh:fd use; + allow hiprofiler_plugins sh:dir { open read }; + allow hiprofiler_plugins sh:file { getattr open }; + allow hiprofiler_plugins console:file read; +') + +allow hiprofiler_plugins domain:dir { open read getattr search }; +allow hiprofiler_plugins domain:file { open read getattr }; + +allow hiprofiler_plugins data_local_tmp:file ioctl; +allow hiprofiler_plugins hilogd:unix_stream_socket connectto; +allow hiprofiler_plugins musl_param:file { open read }; + +neverallow hiprofiler_plugins *:process ptrace; +allow hiprofiler_plugins musl_param:file map; +allow hiprofiler_plugins dev_unix_file:sock_file write; +allow hiprofiler_plugins hisysevent_exec:file { open read execute execute_no_trans map}; +allow hiprofiler_plugins samgr:binder call; +allow hiprofiler_plugins sa_sys_event_service:samgr_class get; +allow hiprofiler_plugins sa_hiview_service:samgr_class get; +allow hiprofiler_plugins hiview:binder { call transfer }; +allow hiprofiler_plugins dev_console_file:chr_file { read write }; +allow hiprofiler_plugins proc_diskstats_file:file getattr; +allow hiprofiler_plugins proc_uptime_file:file getattr; + +allow hiprofiler_plugins appspawn_exec:file read; +allow hiprofiler_plugins data_local_tmp:fifo_file { open read unlink write }; +allow hiprofiler_plugins hiview_exec:file { getattr map open read }; +allow hiprofiler_plugins self:perf_event write; +allow hiprofiler_plugins storage_daemon_exec:file { getattr map open read }; +allow hiprofiler_plugins vendor_bin_file:file { getattr map open read }; +allow hiprofiler_plugins vendor_bin_file:dir search; +allow hiprofiler_plugins dev_file:dir getattr; + +allow hiprofiler_plugins hisysevent:process sigkill; +allow hiprofiler_plugins sa_accountmgr:samgr_class get; +allow hiprofiler_plugins sa_foundation_bms:samgr_class get; +allow hiprofiler_plugins hiview:fd use; + +allow samgr hiprofiler_plugins:dir { search }; +allow samgr hiprofiler_plugins:file { read open }; +allow samgr hiprofiler_plugins:process { getattr }; +allow samgr hiprofiler_plugins:binder { call transfer }; +allow hiprofiler_plugins arkcompiler_param:file { read open map }; +allow hiprofiler_plugins ark_writeable_param:file { read open map }; +allow hiprofiler_plugins accountmgr:binder { call }; +allow hiprofiler_plugins foundation:binder { call }; +allow accountmgr hiprofiler_plugins:binder { transfer }; +allow hiprofiler_plugins system_bin_file:lnk_file read; +allow hiprofiler_plugins toybox_exec:lnk_file read; +allow hiprofiler_plugins SP_daemon_exec:file { getattr open read execute execute_no_trans map}; + +allow hiprofiler_plugins sa_render_service:samgr_class get; +allow hiprofiler_plugins render_service:binder { call transfer }; +allow hiprofiler_plugins normal_hap_attr:unix_stream_socket { connectto }; + +developer_only(` + allow hiprofiler_plugins system_usr_file:dir { search }; + allow hiprofiler_plugins system_usr_file:file { getattr map open read }; + allow hiprofiler_plugins SP_daemon:process { rlimitinh siginh transition sigkill signal }; + allow hiprofiler_plugins dev_ashmem_file:chr_file { open }; + allow hiprofiler_plugins hiviewdfx_profiler_param:parameter_service { set }; + allow hiprofiler_plugins paramservice_socket:sock_file { read write }; + allow hiprofiler_plugins kernel:unix_stream_socket { connectto }; + allow hap_domain hiviewdfx_profiler_param:file { map open read }; + allow hap_domain hiprofiler_plugins:unix_stream_socket { connectto read write }; + allow hap_domain hiprofiler_plugins:fd { use }; + allow hiprofiler_plugins data_hilogd_file:dir { getattr open read search }; + allow hiprofiler_plugins data_hilogd_file:file { getattr open read }; + allow sadomain hiviewdfx_profiler_param:file { map open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofilerd.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofilerd.te new file mode 100644 index 0000000000000000000000000000000000000000..81314ef2548fe60332bccda985e2ec984924c239 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hiprofilerd.te @@ -0,0 +1,135 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiprofilerd dev_unix_socket:dir search; +allow hiprofilerd devpts:chr_file { read write }; +allow hiprofilerd hdcd:fd use; +allow hiprofilerd hdcd:unix_stream_socket { read write }; +allow hiprofilerd hdcd:fifo_file write; +allow hiprofilerd node:tcp_socket node_bind; +allow hiprofilerd proc_cpuinfo_file:file { open read }; +allow hiprofilerd proc_file:file { getattr open read }; +allow hiprofilerd tty_device:chr_file { read write }; +allow hiprofilerd data_file:dir search; +allow hiprofilerd data_init_agent:dir search; +allow hiprofilerd data_init_agent:file { append ioctl open read }; +allow hiprofilerd self:tcp_socket { accept read write }; +allow hiprofilerd self:tcp_socket shutdown; +allow hiprofilerd self:tcp_socket { bind create getattr getopt listen setopt }; +allow hiprofilerd dev_unix_socket:dir { add_name remove_name write }; +allow hiprofilerd dev_unix_socket:sock_file { create unlink }; +allow hiprofilerd system_bin_file:dir search; +allow hiprofilerd data_local:dir search; +allow hiprofilerd tmpfs:file { map read write }; + +allow hiprofilerd bootevent_samgr_param:file { map open read }; +allow hiprofilerd build_version_param:file { map open read }; +allow hiprofilerd const_product_param:file { map open read }; + +allow hiprofilerd dev_file:sock_file write; +allow hiprofilerd distributedsche_param:file { open read }; +allow hiprofilerd hilog_param:file { map open read }; +allow hiprofilerd hw_sc_build_os_param:file read; +allow hiprofilerd hw_sc_build_param:file read; +allow hiprofilerd hw_sc_param:file { open read }; +allow hiprofilerd init_param:file read; +allow hiprofilerd net_param:file { open read }; +allow hiprofilerd net_tcp_param:file { map open read }; +allow hiprofilerd netsysnative:unix_stream_socket connectto; +allow hiprofilerd ohos_boot_param:file { map open read }; +allow hiprofilerd ohos_param:file { map open read }; +allow hiprofilerd persist_param:file read; +allow hiprofilerd security_param:file { map open read }; +allow hiprofilerd sys_param:file { map open read }; +allow hiprofilerd sys_usb_param:file { map open read }; + +allow hiprofilerd const_allow_param:file read; +allow hiprofilerd const_param:file read; +allow hiprofilerd const_postinstall_fstab_param:file read; +allow hiprofilerd const_postinstall_param:file read; +allow hiprofilerd hw_sc_build_os_param:file open; +allow hiprofilerd hw_sc_build_param:file open; +allow hiprofilerd hw_sc_param:file map; +allow hiprofilerd init_param:file open; +allow hiprofilerd init_svc_param:file read; +allow hiprofilerd net_param:file map; + +allow hiprofilerd bootevent_param:file { open read }; +allow hiprofilerd const_allow_mock_param:file read; +allow hiprofilerd const_allow_param:file { map open }; +allow hiprofilerd const_param:file { map open }; +allow hiprofilerd const_postinstall_fstab_param:file { map open }; +allow hiprofilerd const_postinstall_param:file { map open }; + +allow hiprofilerd debug_param:file { map open read }; +allow hiprofilerd distributedsche_param:file map; +allow hiprofilerd hw_sc_build_os_param:file map; +allow hiprofilerd hw_sc_build_param:file map; +allow hiprofilerd init_param:file map; +allow hiprofilerd init_svc_param:file { map open }; +allow hiprofilerd input_pointer_device_param:file { map open read }; +allow hiprofilerd persist_param:file { map open }; +allow hiprofilerd persist_sys_param:file { map open read }; +allow hiprofilerd startup_param:file { map open read }; + +allow hiprofilerd bootevent_param:file map; +allow hiprofilerd const_allow_mock_param:file { map open }; +allow hiprofilerd const_build_param:file { map open read }; +allow hiprofilerd const_display_brightness_param:file { map open read }; + +allow hiprofilerd default_param:file { map open read }; +allow hiprofilerd system_bin_file:file { map open read execute execute_no_trans }; +allow hiprofilerd toybox_exec:file { getattr map open read execute execute_no_trans }; +allow hiprofilerd dev_unix_socket:sock_file { getattr setattr }; + +allow hiprofilerd hiprofiler_cmd:fd use; +allow hiprofilerd rootfs:file read; + +allow hiprofilerd data_local_tmp:file { getattr read ioctl lock create read open write unlink }; +allow hiprofilerd data_local_tmp:dir { search add_name remove_name write open getattr }; + +debug_only(` + allow hiprofilerd sh_exec:file { execute execute_no_trans map open read }; + allow hiprofilerd self:capability setgid; + allow hiprofilerd sh:fd use; +') + +allow hiprofilerd dev_unix_socket:sock_file write; +allow hiprofilerd hiprofiler_cmd:unix_stream_socket connectto; +allow hiprofilerd ohos_dev_param:file { open read map}; +allow hiprofilerd system_bin_file:file getattr; +allow hiprofilerd system_bin_file:lnk_file read; +allow hiprofilerd toybox_exec:lnk_file read; +allow hiprofilerd tty_device:chr_file { ioctl open }; +allow hiprofilerd musl_param:file { map open read }; +allow hiprofilerd dev_unix_file:sock_file unlink; +allow hiprofilerd dev_ashmem_file:chr_file { open }; +allow hiprofilerd proc_file:file getattr; + +allow hiprofilerd sa_foundation_bms:samgr_class get; +allow hiprofilerd sa_param_watcher:samgr_class get; +allow hiprofilerd samgr:binder { call }; +allow hiprofilerd foundation:binder call; +allow hiprofilerd dev_console_file:chr_file { read write }; +allow hiprofilerd param_watcher:binder { call }; +allow hiprofilerd tracefs:dir search; +allow hiprofilerd tracefs_trace_marker_file:file { open write }; + +allow hiprofilerd vendor_bin_file:dir search; +allow hiprofilerd sysfs_devices_system_cpu:dir { read open }; + +allow hiprofilerd hap_domain:dir { read open getattr search }; +allow hiprofilerd hap_domain:file { read open getattr map }; +allow hiprofilerd dev_file:dir getattr; + +allow hiprofilerd sysfs_devices_system_cpu:file { read open getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hitrace.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hitrace.te new file mode 100644 index 0000000000000000000000000000000000000000..c41abba55f83b79948cf2e96f32f07b32979209c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/hitrace.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hitrace hiprofiler_plugins:fifo_file read; +allow hitrace hiprofiler_plugins:unix_stream_socket { read write }; +allow hitrace hiprofilerd:fd use; +allow hitrace hiprofiler_plugins:fd use; +allow hitrace hiprofiler_plugins:fifo_file write; +allow hitrace hiprofiler_plugins:fifo_file ioctl; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/native_daemon.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/native_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..1e52c109a241c25dbb92b1f120bbcbb5f7393629 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/native_daemon.te @@ -0,0 +1,128 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` + allow native_daemon debug_hap:process { ptrace }; +') + +neverallow native_daemon { domain debug_only(`-hap_domain') developer_only(`-debug_hap') }:process ptrace; +debug_only(` + allow native_daemon self:capability setgid; + allow domain dev_unix_socket:sock_file write; + allow domain dev_unix_file:sock_file write; + allow native_daemon sh_exec:file execute; + allow native_daemon sh:fd use; + allow native_daemon sh:file read; +') +allow domain hiprofiler_socket:sock_file { getattr write unlink }; +allow init hiprofiler_socket:sock_file { relabelto }; + +allow native_daemon data_local_tmp:file { create read open write lock getattr ioctl map }; +allow native_daemon data_local_tmp:dir { search add_name write getattr }; +allow native_daemon self:capability { kill sys_ptrace }; + +allow native_daemon data_file:dir search; +allow native_daemon data_local:dir search; +allow native_daemon devpts:chr_file { read write }; +allow native_daemon hilog_param:file { map open read }; +allow native_daemon musl_param:file { map open read }; + +allow native_daemon hdcd:fd use; +allow native_daemon hdcd:unix_stream_socket { read write }; + +allow native_daemon tty_device:chr_file { ioctl open read write }; +allow native_daemon hiprofilerd:fd use; +allow native_daemon hiview:process signal; +allow native_daemon hiview_exec:file { getattr map open read }; +allow native_daemon rootfs:file read; +allow native_daemon system_bin_file:dir search; + +allow native_daemon hiview:dir search; +allow native_daemon hiview:file { open read }; +allow native_daemon tty_device:chr_file { ioctl open }; +allow native_daemon sh_exec:file { execute_no_trans map open read }; +allow native_daemon hilog_param:file read; +allow native_daemon paramservice_socket:sock_file write; +allow native_daemon system_bin_file:lnk_file read; +allow native_daemon system_bin_file:file { execute execute_no_trans getattr map open read }; +allow native_daemon toybox_exec:lnk_file read; +allow native_daemon toybox_exec:file { execute execute_no_trans getattr map open read }; + +allow native_daemon domain:dir { open read getattr search }; +allow native_daemon domain:file { open read getattr }; +allow domain native_daemon:fd use; +allow domain native_daemon:unix_stream_socket connectto; +allow domain hiprofilerd:unix_stream_socket connectto; +allow native_daemon dev_unix_socket:dir { add_name remove_name write search }; +allow native_daemon dev_unix_socket:sock_file { unlink create getattr setattr write }; +allow native_daemon domain:process signal; +allow native_daemon appspawn_exec:file read; +allow native_daemon kernel:unix_stream_socket connectto; +allow native_daemon dev_unix_file:sock_file unlink; +allow native_daemon hook_param:parameter_service set; +allow native_daemon dev_unix_file:sock_file write; +allow native_daemon appspawn_exec:file open; +allow native_daemon appspawn_exec:file getattr; +allow native_daemon appspawn_exec:file map; +allow native_daemon dev_ashmem_file:chr_file { open }; +allow native_daemon dev_console_file:chr_file { read write }; +allow native_daemon proc_file:file { open read getattr }; + +allow native_daemon sa_foundation_bms:samgr_class get; +allow native_daemon sa_param_watcher:samgr_class get; +allow native_daemon samgr:binder { call }; +allow native_daemon debug_param:file { map open read }; +allow native_daemon foundation:binder call; +allow native_daemon param_watcher:binder call; +allow native_daemon tracefs:dir search; +allow native_daemon tracefs_trace_marker_file:file { open write }; +allow native_daemon param_watcher:binder transfer; +allow native_daemon appspawn:lnk_file read; +allowxperm native_daemon devpts:chr_file ioctl { 0x5413 }; +allow native_daemon devpts:chr_file { ioctl }; +allow native_daemon data_app_el1_file:dir search; +allow native_daemon data_app_el1_file:file { getattr map open read }; +allow native_daemon native_daemon:unix_dgram_socket { ioctl }; +allow native_daemon dev_file:dir getattr; +allow native_daemon hap_domain:lnk_file { getattr map open read }; +allow native_daemon app_el1_bundle_public:dir { read search open getattr }; +allow native_daemon app_el1_bundle_public:file { map getattr read open }; +allow native_daemon sa_native_daemon:samgr_class { add }; +allow native_daemon hiviewdfx_profiler_param:parameter_service { set }; +allow native_daemon hdcd_exec:file { read open getattr map }; + +allow native_daemon hilog_exec:file { getattr map open read }; +allow native_daemon data_local_arkcache:dir { search }; +allow native_daemon data_local_arkcache:file { getattr open read }; +allow native_daemon SP_daemon_exec:file { getattr open read map }; +allow native_daemon hilogd_exec:file { getattr map open read }; +allow native_daemon render_service_exec:file { getattr map open read }; +allow native_daemon samain_exec:file { getattr map open read }; +allow native_daemon storage_daemon_exec:file { getattr map open read }; +allow native_daemon wifi_hal_service_exec:file { getattr map open read }; +allow native_daemon watchdog_service_exec:file { getattr map open read }; +allow native_daemon ueventd_exec:file { getattr map open read }; +allow native_daemon deviceauth_service_exec:file { getattr map open read }; +allow native_daemon faultloggerd_exec:file { getattr map open read }; +allow native_daemon hidumper_exec:file { getattr map open read }; +allow native_daemon hiprofiler_cmd_exec:file { getattr map open read }; +allow native_daemon hiprofiler_plugins_exec:file { getattr map open read }; +allow native_daemon hiprofilerd_exec:file { getattr map open read }; +allow native_daemon hisysevent_exec:file { getattr map open read }; +allow native_daemon hitrace_exec:file { getattr map open read }; +allow native_daemon init_exec:file { getattr map open read }; +allow native_daemon sys_prod_file:dir { search }; +allow native_daemon sys_prod_file:file { getattr map open read }; +allow native_daemon system_usr_file:file { getattr map open read }; +allow native_daemon data_service_el1_file:file { getattr map open read }; +allow native_daemon isolated_render:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/other.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/other.te new file mode 100644 index 0000000000000000000000000000000000000000..89ee49e1274bdc86ab3201affe9ce7ca6574fc79 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/other.te @@ -0,0 +1,83 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow audio_server audio_server:binder transfer; +allow audio_server audio_server:binder call; +allow deviceauth_service paramservice_socket:sock_file write; +allow deviceauth_service kernel:unix_stream_socket connectto; +allow foundation data_service_el1_file:file ioctl; +allow telephony_sa vendor_etc_file:dir search; +allow time_service data_file:dir getattr; +allow time_service data_service_el1_file:dir getattr; +allow udevd dev_port:chr_file getattr; +allow hiperf hdcd:fifo_file { ioctl write }; +allow usb_service self:unix_dgram_socket { getopt setopt }; + +allow init dev_block_file:blk_file ioctl; +allow init hook_param:file relabelto; +allow { sadomain hdfdomain hap_domain native_system_domain native_chipset_domain } hook_param:file { map open read }; +allow normal_hap_attr normal_hap_data_file_attr:file ioctl; +allow hap_domain proc_meminfo_file:file { read getattr open }; +allow hap_domain dev_ucollection:chr_file { read ioctl open }; +allowxperm hap_domain dev_ucollection:chr_file ioctl { 0x6 0x8 }; +neverallowxperm hap_domain dev_ucollection:chr_file ioctl ~{ 0x6 0x8 }; + +allow { sadomain -hilogd } system_core_hap_data_file_attr:file { read write }; +allow appspawn accesstoken_service:binder call; +allow appspawn accountmgr:binder call; +allow appspawn dev_console_file:chr_file { read write }; +allow appspawn foundation:binder { call transfer }; +allow appspawn hdcd:unix_stream_socket connectto; +allow appspawn multimodalinput:binder call; +allow appspawn multimodalinput:fd use; +allow appspawn multimodalinput:unix_stream_socket { read write }; +allow appspawn musl_param:file { map open read }; +allow appspawn normal_hap_attr:binder { call transfer }; +allow appspawn normal_hap_attr:fd use; +allow appspawn normal_hap_data_file_attr:dir search; +allow appspawn render_service:binder { call transfer }; +allow appspawn render_service:fd use; +allow appspawn resource_schedule_service:binder call; +allow appspawn samgr:binder call; +allow appspawn system_file:file { getattr open read }; +allow appspawn system_lib_file:dir { open read }; +allow appspawn tracefs:dir search; +allow appspawn tracefs_trace_marker_file:file { open write }; +allow appspawn accessibility:binder { call transfer }; +allow appspawn dev_mali:chr_file { getattr ioctl open read write }; +allow appspawn param_watcher:binder { call transfer }; + +allow init dev_dri_file:dir search; +allow init data_updater_file:dir add_name; +allow init data_service_el0_file:dir relabelfrom; +allow init data_startup:file getattr; +allow init musl_param:file read; +allow init chip_prod_file:dir search; +allow init sys_prod_file:dir search; +allow init data_local_tmp:dir search; +allow init dev_unix_socket:sock_file unlink; + +allow samgr appspawn:binder transfer; +allow samgr appspawn:dir search; +allow samgr appspawn:file { open read }; +allow samgr dev_console_file:chr_file { read write }; +allow samgr hiprofiler_plugins:dir search; +allow samgr hiprofiler_plugins:file { open read }; +allow samgr hiprofiler_plugins:binder transfer; +allow samgr hiprofiler_plugins:process getattr; + +allow hiview hiprofiler_plugins:binder call; +allow deviceauth_service dev_console_file:chr_file { read write }; +allow hiview sa_native_daemon:samgr_class { get }; + +allow render_service hiprofiler_plugins:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..21a6f8a4c73d56dd232a77d3f13ae7060caf43cc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow param_watcher hiprofilerd:binder call; +allow param_watcher native_daemon:binder call; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/samgr.te b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..5a5530c65024585bb088d02775224812c56b3090 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/profiler/system/samgr.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow samgr native_daemon:dir search; +allow samgr native_daemon:binder transfer; +allow samgr native_daemon:file { open read }; +allow samgr native_daemon:process getattr; + +allow samgr hiprofilerd:binder transfer; +allow samgr hiprofilerd:dir search; +allow samgr hiprofilerd:file { open read }; +allow samgr hiprofilerd:process getattr; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/SP_daemon.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/SP_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..4ad8658f0895b739a09ddce162497feee54bf1cf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/SP_daemon.te @@ -0,0 +1,155 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +neverallow SP_daemon *:process ptrace; +allow SP_daemon data_file:dir { search }; +allow SP_daemon data_local:dir { search }; +allow SP_daemon data_local_tmp:dir { add_name getattr search write search create open read remove_name }; +allow SP_daemon data_local_tmp:file { create getattr ioctl open write unlink read}; +allowxperm SP_daemon data_local_tmp:file ioctl 0x5413; + +allow SP_daemon dev_console_file:chr_file { read write }; +allow SP_daemon dev_unix_socket:dir { search }; +allow SP_daemon devpts:chr_file { getattr read write write ioctl }; +allow SP_daemon hdcd:fd { use }; +allow SP_daemon hdcd:unix_stream_socket { read write }; +allow SP_daemon sh:fd { use }; +allow SP_daemon sh_exec:file { execute execute_no_trans map read open }; +allow SP_daemon sys_file:dir { open read }; +allow SP_daemon sys_file:file { getattr open read }; +allow SP_daemon sysfs_devices_system_cpu:file { getattr open read}; +allow SP_daemon system_bin_file:dir { search }; +allow SP_daemon system_bin_file:file { execute execute_no_trans getattr map read open }; +allow SP_daemon toybox_exec:file { execute execute_no_trans getattr map read open }; +allow SP_daemon tty_device:chr_file { read write ioctl open }; + +allow SP_daemon system_bin_file:lnk_file { read }; +allow SP_daemon toybox_exec:lnk_file { read }; +allow SP_daemon uitest_exec:file { execute execute_no_trans getattr map read open }; +allowxperm SP_daemon devpts:chr_file ioctl 0x5413; +allowxperm SP_daemon tty_device:chr_file ioctl 0x5413; +allow SP_daemon multimodalinput:binder { call }; +allow SP_daemon SP_daemon:tcp_socket { create accept bind listen }; +allow SP_daemon SP_daemon:udp_socket { create read bind write }; +allow SP_daemon foundation:binder { call }; +allow SP_daemon samgr:binder { call }; +allow SP_daemon param_watcher:binder { call transfer }; +allow SP_daemon node:tcp_socket { node_bind }; +allow SP_daemon node:udp_socket { node_bind }; +allow SP_daemon port:tcp_socket { name_bind }; +allow SP_daemon port:udp_socket { name_bind }; + +allow SP_daemon sa_param_watcher:samgr_class { get }; +allow SP_daemon sa_foundation_dms:samgr_class { get }; +allow SP_daemon sa_foundation_wms:samgr_class { get }; + +allow SP_daemon hilog_param:file { map open read }; +allow SP_daemon persist_sys_param:file { map open read }; +allow SP_daemon ohos_boot_param:file { map open read }; +allow SP_daemon debug_param:file { map open read }; +allow SP_daemon bootevent_param:file { map open read }; +allow SP_daemon devinfo_private_param:file { read map open }; +allow SP_daemon net_param:file { open read map }; +allow SP_daemon sys_param:file { map open read }; +allow SP_daemon sys_usb_param:file { map open read }; +allow SP_daemon const_postinstall_fstab_param:file { map read open }; +allow SP_daemon const_postinstall_param:file { map open read }; +allow SP_daemon net_tcp_param:file { map open read }; +allow SP_daemon const_allow_mock_param:file { map open read }; +allow SP_daemon const_allow_param:file { map open read }; +allow SP_daemon persist_param:file { read map open }; +allow SP_daemon security_param:file { map open read }; +allow SP_daemon bootevent_wms_param:file { map open read }; +allow SP_daemon ffrt_param:file { map open read }; +allow SP_daemon print_param:file { map open read }; +allow SP_daemon arkcompiler_param:file { map open read }; +allow SP_daemon ark_writeable_param:file { map open read }; +allow SP_daemon arkui_param:file { map open read }; +allow SP_daemon hiviewdfx_profiler_param:file { map open read }; +allow SP_daemon bms_param:file { map read open}; +allow SP_daemon const_display_brightness_param:file { map read open }; +allow SP_daemon developtools_hdc_control_param:file { map read open }; +allow SP_daemon distributedsche_param:file { map read open }; +allow SP_daemon samgr_perf_param:file { map read open }; +allow SP_daemon thermal_log_param:file { map read open }; +allow SP_daemon update_updater_param:file { map read open}; +allow SP_daemon updater_flashd_param:file { map read open }; +allow SP_daemon render_service:fd { use }; +allow SP_daemon usb_setting_param:file { read open map }; +allow SP_daemon sh:dir { search }; +allow SP_daemon sh:file { read }; +allow SP_daemon data_hilogd_file:dir { search }; +allow SP_daemon hdcd:fd { use }; +allow SP_daemon hdcd:fifo_file { ioctl read write }; +allow SP_daemon hdcd:unix_stream_socket { read write }; +allowxperm SP_daemon hdcd:fifo_file ioctl { 0x5413 }; +# ps -ef +allow SP_daemon domain: dir { search getattr }; +allow SP_daemon domain: file { open read }; +allow SP_daemon hisysevent:lnk_file { read }; +allow SP_daemon hisysevent:process { signal }; +allow SP_daemon hitrace:lnk_file { read }; +allow SP_daemon dev_ucollection:chr_file { ioctl read open read write open write }; +allowxperm SP_daemon dev_ucollection:chr_file ioctl { 0x1 0x2 0x3 }; +allow SP_daemon SP_daemon:tcp_socket { connect read shutdown write }; +allow SP_daemon port:tcp_socket { name_connect }; +allow SP_daemon sysfs_devices_system_cpu:dir { read open read }; +allow SP_daemon foundation:binder { transfer }; +allow SP_daemon SP_daemon_exec:file { execute_no_trans }; +allow SP_daemon SP_daemon:capability { sys_ptrace }; + +allow SP_daemon hiprofiler_plugins:fd { use }; +allow SP_daemon hiprofiler_plugins:fifo_file { ioctl write }; +allow SP_daemon hiprofiler_plugins:unix_stream_socket { read write }; +allow SP_daemon hiprofilerd:fd { use }; +allowxperm SP_daemon hiprofiler_plugins:fifo_file ioctl { 0x5413 }; +allow SP_daemon uinput_exec:file { execute execute_no_trans getattr open read map }; +allow SP_daemon aa_exec:file { execute execute_no_trans getattr open read }; + +allow SP_daemon proc_net:file { getattr read open read }; +allow SP_daemon proc_stat_file:file { read open getattr setattr }; +allow SP_daemon proc_meminfo_file:file { getattr open read }; +allow SP_daemon proc_cmdline_file:file { getattr open read }; +allow SP_daemon proc_loadavg_file:file { getattr open read }; +allow SP_daemon proc_modules_file:file { getattr open read }; +allow SP_daemon proc_net_tcp_udp:file { getattr open read }; +allow SP_daemon proc_slabinfo_file:file { getattr open read }; +allow SP_daemon proc_version_file:file { getattr open read }; +allow SP_daemon proc_vmallocinfo_file:file { getattr open read }; +allow SP_daemon proc_vmstat_file:file { getattr open read }; +allow SP_daemon proc_zoneinfo_file:file { getattr open read }; +allow SP_daemon proc_file:file { open read }; +allow SP_daemon processdump:dir search; +allow SP_daemon processdump:file { open read }; +allow SP_daemon hiprofiler_cmd:file getattr; +allow SP_daemon hiprofiler_plugins:file getattr; +allow SP_daemon hiprofilerd:file getattr; +allow SP_daemon SP_daemon:tcp_socket { setopt }; +allow SP_daemon proc_cpuinfo_file:file { getattr open read }; +allow SP_daemon snapshot_display_exec:file { execute execute_no_trans getattr open read map }; +allow SP_daemon aa_exec:file { map }; +allow SP_daemon dev_ucollection:chr_file { ioctl }; +allow SP_daemon sh:file { open }; +allowxperm SP_daemon dev_ucollection:chr_file ioctl { 0x4 }; +allow SP_daemon sa_multimodalinput_service:samgr_class { get }; +allow SP_daemon sa_foundation_abilityms:samgr_class { get }; +allow SP_daemon sa_accessibleabilityms:samgr_class { get }; +allow SP_daemon chip_prod_file:dir { search }; + +allow SP_daemon test_server:fd { use }; +allow SP_daemon dev_kmsg_file:chr_file { write }; +allow SP_daemon sysfs_attr:file { read open getattr }; +allow SP_daemon sys_prod_file:dir { search }; +allow SP_daemon SP_daemon:file { open }; +allow SP_daemon SP_daemon:hmcap { supervsable }; + diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..c6631a5035782c56aa58902ba8bbc02be4252049 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accessibility.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow accessibility data_file:dir { search }; +allow accessibility data_service_el1_file:dir { getattr search }; +allow accessibility data_service_el1_file:file { getattr open read }; +allow accessibility data_service_file:dir { search }; +allow accessibility dev_unix_socket:dir { search }; +developer_only(` +allow accessibility SP_daemon:binder { call transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..d043c7039c81f327b3427432bb1abba45e0a65dd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow accountmgr distributedfiledaemon:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..76bbd288387a445a153b3ba97a54ef70c1d4fcf0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow appspawn appspawn:unix_dgram_socket { getopt setopt }; +allow appspawn data_init_agent:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/bytrace.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/bytrace.te new file mode 100644 index 0000000000000000000000000000000000000000..57a8312f921bab10c769ed92770b7089d5c70992 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/bytrace.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` +allow bytrace SP_daemon:fd { use }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/console.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..43894cec77171ba780e417cbf419f90635bac1d9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/console.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +debug_only(` +allow console dev_console_file:chr_file { ioctl read write }; +allow console lib_file:lnk_file { read }; +allow console system_bin_file:dir { search }; +allow console system_bin_file:file { execute execute_no_trans getattr map read open }; +allow console system_bin_file:lnk_file { read }; +allow console toybox_exec:file { execute execute_no_trans getattr map read open }; +allow console toybox_exec:lnk_file { read }; +allow console tty_device:chr_file { ioctl }; +allowxperm console dev_console_file:chr_file ioctl { 0x5413 }; +allowxperm console tty_device:chr_file ioctl { 0x5403 }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfiledaemon.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..f533e019eb9dc58983887e234d622ae047dfac9f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfiledaemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow distributedfiledaemon accountmgr:binder { transfer }; +allow distributedfiledaemon foundation:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfileservice.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfileservice.te new file mode 100644 index 0000000000000000000000000000000000000000..e76851965083c46492b2a52ef09ec5360481dd34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedfileservice.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow distributedfileservice dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedsche.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..e1a5ad4d1413ff54ea24e843fb2e152fa16efa69 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/distributedsche.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow distributedsche dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/file_contexts b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2f308972429df8edd7d66d038ea3e212df2e55a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for SP_daemon tool +/system/bin/SP_daemon u:object_r:SP_daemon_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/foundation.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..973b08161c0279960c9fa27080033da8122ba24a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/foundation.te @@ -0,0 +1,33 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow foundation accesstoken_service:binder { call }; +allow foundation data_file:dir { search }; +allow foundation data_service_file:dir { search }; +allow foundation dev_unix_socket:dir { search }; +allow foundation distributedfiledaemon:binder { call }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation multimodalinput:unix_stream_socket { read }; +allow foundation normal_hap_attr:binder { call }; +allow foundation power_host:binder { call }; +allow foundation render_service:binder { call }; +allow foundation resource_schedule_service:binder { call transfer }; +allow foundation screenlock_server:binder { call transfer }; +allow foundation system_basic_hap_attr:binder { call }; + +developer_only(` +allow foundation SP_daemon:binder { transfer }; +') + +allow foundation SP_daemon:fifo_file { write }; +allow foundation SP_daemon:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..410a5870e3136be0e9900a50b3f5b05bd600e71c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hdcd.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` +allow hdcd SP_daemon:process { signal }; + +# for SP_daemon tool +allow hdcd hdcd:tcp_socket { shutdown }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..9f83a2bb6e4ace7c923e527eeba4459835c86f05 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper.te @@ -0,0 +1,34 @@ +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hidumper hiprofilerd:fd { use }; +allow hidumper hiprofiler_plugins:fd { use }; +allow hidumper hiprofiler_plugins:fifo_file { write }; +allow hidumper hiprofiler_plugins:unix_stream_socket { read write }; + +developer_only(` + allow hidumper sh:fd { use }; + allow hidumper sh:fifo_file { read write }; +') +allow hidumper SP_daemon:fd { use }; +allow hidumper SP_daemon:fifo_file { write }; +allow hidumper SP_daemon:tcp_socket { read write }; +allow hidumper SP_daemon:udp_socket { read write }; +allow hidumper dev_ucollection:chr_file { read open }; +allow hidumper test_server:fd { use }; +allow hidumper tty_device:chr_file { read open }; +allow hidumper dev_sysevent:chr_file { read open }; +allow hidumper proc_file:file { read open }; +allow hidumper sysfs_attr:file { read open }; +allow hidumper proc_net:file { read open }; +allow hidumper hidumper:hmcap { supervsable }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..6a0426a23fb744a8b688ad64d124d30313c4d0d1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hidumper_service.te @@ -0,0 +1,31 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +debug_only(` +allow hidumper_service sh:fd { use }; +allow hidumper_service sh:fifo_file { write }; +') +allow hidumper_service hiprofiler_plugins:fd { use }; +allow hidumper_service hiprofiler_plugins:fifo_file { write }; +developer_only(` +allow hidumper_service SP_daemon:dir { search }; +allow hidumper_service SP_daemon:file { open read getattr }; +allow hidumper_service arkcompiler_param:file { read }; +allow hidumper_service ark_writeable_param:file { read }; +allow hidumper_service dev_console_file:chr_file { read write }; +') + +allow hidumper_service dev_kmsg_file:chr_file { write }; +allow hidumper_service SP_daemon:fd { use }; +allow hidumper_service hidumper_service:unix_dgram_socket { getopt setopt }; +allow hidumper_service SP_daemon:fifo_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_cmd.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_cmd.te new file mode 100644 index 0000000000000000000000000000000000000000..fe58ddf306f1c3d36d6e86bb54b12163d943d803 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_cmd.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiprofiler_cmd SP_daemon:fd { use }; +allow hiprofiler_cmd SP_daemon:fifo_file { ioctl write }; +allowxperm hiprofiler_cmd SP_daemon:fifo_file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_plugins.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_plugins.te new file mode 100644 index 0000000000000000000000000000000000000000..7d3114d4be30b0effe4b76d2aa2ad76bfd39edaa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofiler_plugins.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License +allow hiprofiler_plugins system_bin_file:file { execute_no_trans }; +allow hiprofiler_plugins system_bin_file:file { getattr }; +allow hiprofiler_plugins system_bin_file:file { map }; +allow hiprofiler_plugins system_bin_file:file { read open }; + +allow hiprofiler_plugins toybox_exec:file { execute execute_no_trans getattr map read open }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofilerd.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofilerd.te new file mode 100644 index 0000000000000000000000000000000000000000..50fa9b2067b2bae4c9f249b0812d3436eeceabec --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiprofilerd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License +allow hiprofilerd hdcd:fifo_file { ioctl }; +allowxperm hiprofilerd hdcd:fifo_file ioctl 0x5413; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hisysevent.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hisysevent.te new file mode 100644 index 0000000000000000000000000000000000000000..ebd9b9044705d4ac13952919576b816787c193d5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hisysevent.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` +allow hisysevent SP_daemon:fd { use }; +allow hisysevent SP_daemon:fifo_file { write ioctl }; + +allowxperm hisysevent SP_daemon:fifo_file ioctl 0x5413; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hitrace.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hitrace.te new file mode 100644 index 0000000000000000000000000000000000000000..fdf6bd9a08d0b376b63f42602d08d2b7acf6bbf3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hitrace.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` +allow hitrace SP_daemon:fd { use }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiview.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..9cc559cf0762a5b4ff523e284efb7c70ca995e98 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/hiview.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hiview hiview_file:dir { add_name write }; +allow hiview hiview_file:file { create }; + +developer_only(` +allow hiview SP_daemon:dir { search }; +allow hiview SP_daemon:file { getattr open read }; +allow hiview SP_daemon:fifo_file { write }; +') +allow hiview hidumper:process { sigkill }; +allow hiview SP_daemon:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/init.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..7832a8f3bcd54888eaae92399d8eb1f2451566ca --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/init.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow init accessibility:process { rlimitinh transition }; +allow init bluetooth_service:process { rlimitinh siginh }; +allow init data_service_el1_public_deviceauthService_file:dir { getattr search setattr }; +allow init dev_file:dir { open read relabelto }; +allow init dev_kmsg_file:chr_file { write }; +allow init memmgrservice:process { rlimitinh siginh }; +allow init samain_exec:file { execute }; +allow init tmpfs:chr_file { getattr }; +allow init tmpfs:dir { relabelfrom }; + +developer_only(` +allow init cgroup:file { ioctl }; +allowxperm init cgroup:file ioctl 0x5413; +') + diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/kernel.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..c1cd17ed9bf68e10c3ce9ccc6651d63ddad73dc6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/kernel.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow kernel init:process { dyntransition }; +allow kernel kernel:process { setcurrent }; +allow kernel tmpfs:chr_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/locationhub.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/locationhub.te new file mode 100644 index 0000000000000000000000000000000000000000..3907648d4efe1765228e77a2d580cf0486ca029a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/locationhub.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow locationhub dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/media_service.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2033ffa3ab2562aac45f109a6cc0617bee11e657 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/media_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow media_service dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/mmi_uinput_service.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/mmi_uinput_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3ad3f8d430a0398880c7a984c1cd65ee6d6ef7fb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/mmi_uinput_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow mmi_uinput_service dev_hdf_file:chr_file { ioctl }; +allowxperm mmi_uinput_service dev_hdf_file:chr_file ioctl { 0x6202 }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..d4d1912bce75c3f73796021be91290965aa11da0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/multimodalinput.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow multimodalinput accesstoken_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..1f84cea0ffe08bf15064d472ff86561a1e23cf5b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/netmanager.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow netmanager data_data_file:dir { search }; +allow netmanager data_data_file:file { append ioctl open read }; +allow netmanager data_file:dir { search }; +allow netmanager sys_file:dir { open read }; +allow netmanager sys_file:file { open read }; +allowxperm netmanager data_data_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..20449bed3b4ebcabde46e1509dca69af87dec9b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow normal_hap_attr dev_unix_socket:dir { search }; +allow normal_hap_attr normal_hap_attr:unix_dgram_socket { getopt setopt }; +allow normal_hap_attr render_service:unix_stream_socket { read }; +allow normal_hap_attr system_usr_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..f050596c06c963648f8e62e0603fecce6e8b4cf1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/param_watcher.te @@ -0,0 +1,30 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow param_watcher bgtaskmgr_service:binder { call }; +allow param_watcher distributeddata:binder { call }; +allow param_watcher distributedsche:binder { call }; +allow param_watcher foundation:binder { call }; +allow param_watcher media_service:binder { call }; +allow param_watcher normal_hap_attr:binder { call }; +allow param_watcher render_service:binder { call }; +allow param_watcher resource_schedule_service:binder { call }; +allow param_watcher screenlock_server:binder { call }; +allow param_watcher storage_manager:binder { call }; +allow param_watcher system_basic_hap_attr:binder { call }; +allow param_watcher wallpaper_service:binder { call }; +allow param_watcher netsysnative:binder { call }; +developer_only(` +allow param_watcher SP_daemon:binder { call }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/pinauth.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/pinauth.te new file mode 100644 index 0000000000000000000000000000000000000000..35bcc8096f4d2f43ec8cf2be7cdff780512ab503 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/pinauth.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow pinauth data_file:dir { search }; +allow pinauth dev_unix_socket:dir { search }; +allow pinauth system_bin_file:dir { search }; +allow pinauth vendor_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/power_host.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..6843bc83c5b75e4639fe88f2c98d537b5ed72c19 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/power_host.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow power_host data_file:dir { search }; +allow power_host dev_unix_socket:dir { search }; +allow power_host foundation:binder { call }; +allow power_host sys_file:file { open read }; +binder_call(power_host, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/render_service.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..e98e341e14fe5afc267146199bd69540d50bbf2d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/render_service.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow render_service dev_dri_file:chr_file { ioctl }; +allow render_service hidumper_service:fd { use }; +allow render_service hidumper_service:fifo_file { write }; +allowxperm render_service dev_dri_file:chr_file ioctl { 0x64bc 0x64be }; +allow render_service SP_daemon:fd { use }; +allow render_service SP_daemon:fifo_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/samgr.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..77168e29da5b0450bd878b11faa972c66bc24829 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/samgr.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +developer_only(` +allow samgr SP_daemon:dir { search }; +allow samgr SP_daemon:binder { transfer }; +allow samgr SP_daemon:file { open read }; +allow samgr SP_daemon:process { getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/sensors.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..1dea636c9347821ebdc7f8f3865b8ee9c469fb7b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/sensors.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow sensors dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..5f8ff0005eea9fa4986475b8d0fae8193c32b0f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/softbus_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow softbus_server dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/storage_manager.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/storage_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..55c34674b08e155c3bc71bb489e3731fc7ba842d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/storage_manager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow storage_manager dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c08134df5b61bbed0e1c7311bf89d0bc5339acc1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/system_basic_hap.te @@ -0,0 +1,30 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow system_basic_hap_attr dev_unix_socket:dir { search }; +allow system_basic_hap_attr multimodalinput:unix_stream_socket { read }; +allow system_basic_hap_attr proc_file:file { open read }; +allow system_basic_hap_attr proc_stat_file:file { open read }; +allow system_basic_hap_attr render_service:unix_stream_socket { read }; +allow system_basic_hap_attr sa_net_conn_manager:samgr_class { get }; +allow system_basic_hap_attr sys_file:file { open read }; +allow system_basic_hap_attr sysfs_devices_system_cpu:dir { open read }; +allow system_basic_hap_attr system_basic_hap_attr:udp_socket { read }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:dir { search }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { lock }; +allow system_basic_hap_attr system_usr_file:dir { search }; +allow system_basic_hap_attr vendor_file:dir { search }; +developer_only(` +allow system_basic_hap_attr SP_daemon:binder { call }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/telephony_sa.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..0830793d92fa3f64f11e8d5b214f2444eaf0807a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/telephony_sa.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow telephony_sa dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/udevd.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..23853f8263ddbe9f02ce8b062fd621d9a79650f8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/udevd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow udevd data_file:dir { add_name getattr remove_name search write }; diff --git a/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/watchdog_service.te b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/watchdog_service.te new file mode 100644 index 0000000000000000000000000000000000000000..de7f97181eb8e2589470caebd49dae0d75dd05e7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/developtools/smartperf/system/watchdog_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow watchdog_service dev_watchdog_file:chr_file { ioctl }; +allowxperm watchdog_service dev_watchdog_file:chr_file ioctl { 0x5705 }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/public/parameter.te b/prebuilts/api/5.0/ohos_policy/device_attest/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..3d72a5ba30e5eff3ea0f6fc46fa569655dff57ad --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type xts_devattest_authresult_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..59cb878e54cca308476b0bd4d48bd6f14816bd4b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/accountmgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=590 comm="IPC_2_1093" scontext=u:r:accountmgr:s0 tcontext=u:r:devattest_service:s0 tclass=binder permissive=0 +allow accountmgr devattest_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/devattest_service.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/devattest_service.te new file mode 100644 index 0000000000000000000000000000000000000000..a5f8613308b800314848c123358c248cb9d301b0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/devattest_service.te @@ -0,0 +1,113 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type devattest_service, sadomain, domain; +type devattest_service_exec, system_file_attr, exec_attr, file_attr; + +init_daemon_domain(devattest_service); + +#avc: denied { search } for pid=324 comm="IPC_0_424" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:devattest_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow devattest_service data_file:dir { search }; +allow devattest_service data_service_file:dir { search }; +allow devattest_service data_service_el1_file:dir { search }; +allow devattest_service data_service_el1_public_device_attest:dir { search getattr add_name open read remove_name write create }; +allow devattest_service data_service_el1_public_device_attest:file { append map open read create write getattr setattr unlink lock ioctl rename }; + +allow devattest_service netsysnative:unix_stream_socket { connectto read write }; +allow devattest_service port:tcp_socket { name_connect }; +allow devattest_service devattest_service:tcp_socket { connect create read setopt write getopt getattr }; +allow devattest_service devattest_service:udp_socket { create bind connect getattr read write }; + +allow devattest_service accesstoken_service:binder { call }; +allow devattest_service foundation:binder { call transfer }; +allow devattest_service netmanager:binder { call transfer }; +allow devattest_service softbus_server:binder { call }; + +allow devattest_service accessibility_param:file { read }; +allow devattest_service dev_unix_socket:dir { search }; + +allow devattest_service node:udp_socket { node_bind }; +allow devattest_service port:udp_socket { name_bind }; +#avc: denied { connectto } for pid=320 comm="IPC_1_566" path="/dev/unix/socket/paramservice" scontext=u:r:devattest_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 +allow devattest_service kernel:unix_stream_socket { connectto }; + +allow devattest_service devattest_service:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write }; +allow devattest_service devattest_service:packet_socket { bind create read write }; +allow devattest_service devattest_service:udp_socket { bind create ioctl setopt getopt read write }; +allow devattest_service devattest_service:unix_dgram_socket { ioctl getopt setopt }; + +allow devattest_service paramservice_socket:sock_file { write create setattr getattr relabelto }; +allow devattest_service xts_devattest_authresult_param:file { map open read }; +allow devattest_service xts_devattest_authresult_param:parameter_service { set }; + +allow devattest_service sa_devattest_service:samgr_class { add }; +allow devattest_service sa_net_conn_manager:samgr_class { get }; +allow devattest_service sa_accesstoken_manager_service:samgr_class { add get }; +allow devattest_service sa_foundation_bms:samgr_class { get }; + +allow devattest_service devinfo_private_param:file { map open read }; + +allow devattest_service hilog_param:file { map open read }; + +allow devattest_service normal_hap_attr:binder { call transfer }; +allow devattest_service system_basic_hap_attr:binder { call transfer }; +allow devattest_service system_core_hap_attr:binder { call transfer }; + +#avc: denied { open } for pid=326 comm="IPC_2_436" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:devattest_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=324 comm="devattest_servi" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:devattest_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow devattest_service musl_param:file { open read map }; + +#avc: denied { search } for pid=324 comm="devattest_servi" name="/" dev="tracefs" ino=1 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0 +allow devattest_service tracefs:dir { search }; + +#avc: denied { get } for service=3203 pid=324 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_foundation_ans:s0 tclass=samgr_class permissive=0 +allow devattest_service sa_foundation_ans:samgr_class { get }; + +#avc: denied { read } for pid=320 comm="IPC_1_566" name="u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1587 comm="SaInit0" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=1601 comm="SaInit2" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +allow devattest_service persist_param:file { read open map }; + +#avc: denied { get } for service=200 pid=1587 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0 +allow devattest_service sa_accountmgr:samgr_class { get }; + +#avc: denied { search } for pid=2016 comm="devattest_servi" name="usr" dev="mmcblk0p7" ino=3033 scontext=u:r:devattest_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=0 +allow devattest_service system_usr_file:dir { search }; + +#avc: denied { read } for pid=2249 comm="sa_main" name="u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2249 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2249 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow devattest_service debug_param:file { read open map }; + +#avc: denied { write } for pid=2249 comm="devattest_servi" name="trace_marker" dev="tracefs" ino=17126 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2249 comm="devattest_servi" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=17126 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow devattest_service tracefs_trace_marker_file:file { write open }; + +#avc: denied { call } for pid=2249 comm="devattest_servi" scontext=u:r:devattest_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2249 comm="devattest_servi" scontext=u:r:devattest_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow devattest_service param_watcher:binder { call transfer }; + +#avc: denied { getattr } for pid=2249 comm="devattest_servi" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p7" ino=3040 scontext=u:r:devattest_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +allow devattest_service system_usr_file:file { getattr }; + +#avc: denied { get } for service=3901 pid=1588 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=0 +allow devattest_service sa_param_watcher:samgr_class { get }; + +#avc: denied { call } for pid=1588 comm="SaInit0" scontext=u:r:devattest_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +allow devattest_service accountmgr:binder { call }; + +#avc: denied { get } for service=3510 pid=1486 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=0 +allow devattest_service huks_service:binder { call }; +allow devattest_service sa_huks_service:samgr_class { get }; + +allow devattest_service sysfs_devices_system_cpu:file { open read getattr}; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/domain.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..6591c781fc38f0695f8ca84c98d4f8096e3ff18a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/domain.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow domain xts_devattest_authresult_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/file.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..1b0db18fa7a215a06b360a19e2fc009937c22dbf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_el1_public_device_attest, file_attr, data_file_attr; +type etc_device_attest, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/file_contexts b/prebuilts/api/5.0/ohos_policy/device_attest/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3c4aeb4ab3447e86d6e5b9a06ccc4fb1a14aeb43 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/file_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/device_attest u:object_r:data_service_el1_public_device_attest:s0 +/data/service/el1/public/device_attest/(.*)? u:object_r:data_service_el1_public_device_attest:s0 +/etc/device_attest u:object_r:etc_device_attest:s0 +/etc/device_attest/(.*)? u:object_r:etc_device_attest:s0 diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/init.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..c553fdb9d223055f00ef05f89e99ccbddaa2d52e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init devattest_service:process { rlimitinh siginh transition }; +allow init data_service_el1_public_device_attest:dir { getattr open read relabelto search setattr add_name create write remove_name }; +allow init data_service_el1_public_device_attest:file { create ioctl open read append relabelto rename unlink write map getattr setattr lock }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..99d2ffb36f2d035939277d6954708b09da98fdeb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/netmanager.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=349 comm="netmanager" scontext=u:r:netmanager:s0 tcontext=u:r:devattest_service:s0 tclass=binder permissive=0 +allow netmanager devattest_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..def12bb593c1a20d5cbddbf3f64cab4e5fc64392 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/normal_hap_attr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_devattest_service:samgr_class { get }; +allow normal_hap_attr devattest_service:fd { use }; +allow normal_hap_attr devattest_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..a99305e0214e406c229bf7c5b1ee5abaddd5539f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/param_watcher.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher xts_devattest_authresult_param:parameter_service { set }; + +#avc: denied { call } for pid=251 comm="IPC_0_266" scontext=u:r:param_watcher:s0 tcontext=u:r:devattest_service:s0 tclass=binder permissive=0 +allow param_watcher devattest_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/device_attest/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9c8cdb5006360bbd9cca9c8bf437725ff81d2994 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.xts.devattest.authresult u:object_r:xts_devattest_authresult_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..ac5e9b9c7126645d77b1de7c74e7bca767cdcf19 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_devattest_service:samgr_class { get }; +allow system_basic_hap_attr devattest_service:fd { use }; +allow system_basic_hap_attr devattest_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/device_attest/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/device_attest/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9bd48ce899f3092cca83ce2c3b1bc2fa7f0af490 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/device_attest/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_devattest_service:samgr_class { get }; +allow system_core_hap_attr devattest_service:fd { use }; +allow system_core_hap_attr devattest_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/public/deviceprofile.te b/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/public/deviceprofile.te new file mode 100644 index 0000000000000000000000000000000000000000..1a5ecf48034249befa98fe7b33a44ffb515d1b1b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/public/deviceprofile.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_device_profile_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te b/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te new file mode 100644 index 0000000000000000000000000000000000000000..d05a94b87b81f123a9d945832ec6b1edf6db3a0a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedsche sa_device_profile_service:samgr_class { add get }; +allow distributedsche pasteboard_service:binder { call transfer }; +allow distributedsche sa_dhardware_service:samgr_class { get_remote }; + diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/public/distributeddata.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/public/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..42b86fcce1684228a16eb3ed0107c15580076f0c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/public/distributeddata.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type composer_host, hdfdomain, domain; +type allocator_host, hdfdomain, domain; +type dev_usbfn_file, dev_attr, file_attr; +type dev_functionfs_file, dev_attr, file_attr; +type distributeddata, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..06ba1e6b453bc00ae9840008185e9004656ef91f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/appspawn.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn musl_param:file { open map read }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..323766983e032b9bcd3cc050fe1eeb2262375f09 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/distributeddata.te @@ -0,0 +1,229 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata accesstoken_service:binder { call }; +allow distributeddata accountmgr:binder { call }; +allow distributeddata accountmgr:dir { search }; +allow distributeddata accountmgr:file { getattr open read }; +allow distributeddata audio_server:binder { call transfer }; +allow distributeddata data_app_el1_database_file:dir { add_name create open read remove_name rmdir search setattr write }; +allow distributeddata data_app_el1_database_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_app_el2_database_file:dir { add_name create open read remove_name rmdir search setattr write }; +allow distributeddata data_app_el2_database_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_app_el3_database_file:dir { add_name create open read remove_name rmdir search setattr write }; +allow distributeddata data_app_el3_database_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_app_el4_database_file:dir { add_name create open read remove_name rmdir search setattr write }; +allow distributeddata data_app_el4_database_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_app_file:dir { search }; +allow distributeddata data_file:dir { search }; +allow distributeddata data_service_el0_file:dir { search }; +allow distributeddata data_service_el1_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow distributeddata data_service_el1_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_service_el2_file:dir { search }; +allow distributeddata data_service_file:dir { search }; +allow distributeddata data_user_file:dir { getattr search }; +allow distributeddata deviceauth_service:binder { call }; +allow distributeddata device_manager:binder { call transfer }; +allow distributeddata dev_ashmem_file:chr_file { open }; +allow distributeddata dev_console_file:chr_file { read write }; +allow distributeddata dev_unix_socket:dir { search }; +allow distributeddata dev_unix_socket:sock_file { write }; +allow distributeddata dhardware:file { getattr }; +allow distributeddata distributeddata:dir { search }; +allow distributeddata distributeddata:lnk_file { read }; +allow distributeddata distributedsche:binder { call transfer }; +allow distributeddata distributedsched:binder { call transfer }; +allow distributeddata dslm_service:binder { call transfer }; +allow distributeddata d-bms:dir { search }; +allow distributeddata d-bms:file { getattr open read }; +allow distributeddata foundation:binder { call transfer }; +allow distributeddata foundation:dir { search }; +allow distributeddata foundation:file { getattr open read }; +allow distributeddata hdcd:binder { call transfer }; +allow distributeddata hdcd:dir { search }; +allow distributeddata hdcd:fd { use }; +allow distributeddata hdcd:file { open read }; +allow distributeddata huks_service:binder { call }; +allow distributeddata musl_param:file { open read map }; +allow distributeddata multimodalinput:binder { call transfer }; +allow distributeddata normal_hap_attr:binder { call transfer }; +allow distributeddata normal_hap_attr:dir { search }; +allow distributeddata normal_hap_attr:file { getattr open read }; +allow distributeddata normal_hap_data_file_attr:dir { add_name create getattr remove_name rmdir search write }; +allow distributeddata normal_hap_data_file_attr:file { create getattr ioctl lock setattr unlink }; +allow distributeddata data_service_el2_hmdfs:lnk_file { create open write read getattr }; +allow distributeddata data_service_el2_hmdfs:file { getattr }; +allow distributeddata data_service_el2_hmdfs:dir { search read open create write add_name }; +allow distributeddata hmdfs:file { getattr }; +allow distributeddata hmdfs:dir { search read open ioctl }; +allowxperm distributeddata hmdfs:dir ioctl { 0xf203 }; +allow distributeddata data_service_el2_hmdfs:dir { search read open create }; +allow distributeddata proc_file:file { open read }; +allow distributeddata sa_accesstoken_manager_service:samgr_class { get }; +allow distributeddata sa_accountmgr:samgr_class { get }; +allow distributeddata sa_dataobs_mgr_service_service:samgr_class { get }; +allow distributeddata sa_distributeddata_service:samgr_class { add get }; +allow distributeddata sa_foundation_abilityms:samgr_class { get }; +allow distributeddata sa_foundation_devicemanager_service:samgr_class { get }; +allow distributeddata sa_foundation_wms:samgr_class { get }; +allow distributeddata sa_filemanagement_cloud_sync_service:samgr_class { get }; +allow distributeddata sa_net_conn_manager:samgr_class { get }; +allow distributeddata sa_param_watcher:samgr_class { get }; +allow distributeddata samain_exec:file { entrypoint execute read }; +allow distributeddata samgr:binder { call transfer }; +allow distributeddata sensors:binder { call }; +allow distributeddata softbus_server:binder { call transfer }; +allow distributeddata softbus_server:tcp_socket { read setopt write }; +allow distributeddata sys_file:dir { search }; +allow distributeddata system_basic_hap_attr:binder { call transfer }; +allow distributeddata system_basic_hap_attr:dir { search }; +allow distributeddata system_basic_hap_attr:file { getattr open read }; +allow distributeddata system_basic_hap_data_file_attr:dir { getattr open read search write add_name create remove_name rmdir }; +allow distributeddata system_basic_hap_data_file_attr:file { getattr ioctl lock map open setattr create unlink read write }; +allow distributeddata system_core_hap_attr:dir { search }; +allow distributeddata system_core_hap_attr:file { getattr open read }; +allow distributeddata system_core_hap_data_file_attr:dir { getattr open read search write add_name create remove_name rmdir }; +allow distributeddata system_core_hap_data_file_attr:file { getattr ioctl lock map open setattr create unlink }; +allow distributeddata system_etc_file:dir { getattr open read }; +allow distributeddata system_profile_file:dir { search }; +allow distributeddata telephony_sa:binder { call transfer }; +allow distributeddata tmpfs:lnk_file { read }; +allow distributeddata vendor_file:file { execute getattr map open read }; +allow distributeddata vendor_lib_file:dir { search }; +allow distributeddata data_app_el1_file:dir { search }; +allow distributeddata data_app_el1_file:file { getattr open read }; +allow normal_hap_attr normal_hap_data_file_attr:file { ioctl }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { ioctl }; +allow system_core_hap_attr system_core_hap_data_file_attr:file { ioctl }; +allowxperm normal_hap_attr normal_hap_data_file_attr:file ioctl { 0xf546 0xf547 }; +allowxperm system_basic_hap_attr system_basic_hap_data_file_attr:file ioctl { 0xf546 0xf547 }; +allowxperm system_core_hap_attr system_core_hap_data_file_attr:file ioctl { 0xf546 0xf547 }; +allowxperm distributeddata data_service_el1_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allowxperm distributeddata data_app_el1_database_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allowxperm distributeddata data_app_el2_database_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allowxperm distributeddata data_app_el3_database_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allowxperm distributeddata data_app_el4_database_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allowxperm distributeddata normal_hap_data_file_attr:file ioctl { 0x5413 0xf546 0xf547 }; +allowxperm distributeddata system_core_hap_data_file_attr:file ioctl { 0xf50c 0xf546 0xf547 }; +allowxperm distributeddata system_basic_hap_data_file_attr:file ioctl { 0xf50c 0xf546 0xf547 }; +allow distributeddata locationhub:binder { transfer }; +allow distributeddata netmanager:binder { call transfer }; +allow distributeddata accountmgr:binder { transfer }; +allow distributeddata bootevent_param:file { map open read }; +allow distributeddata bootevent_samgr_param:file { map open read }; +allow distributeddata build_version_param:file { map open read }; +allow distributeddata const_allow_mock_param:file { map open read }; +allow distributeddata const_allow_param:file { map open read }; +allow distributeddata const_build_param:file { map open read }; +allow distributeddata const_display_brightness_param:file { map open read }; +allow distributeddata const_param:file { map open read }; +allow distributeddata const_postinstall_fstab_param:file { map open read }; +allow distributeddata const_postinstall_param:file { map open read }; +allow distributeddata const_product_param:file { map open read }; +allow distributeddata data_app_el2_file:dir { search }; +allow distributeddata data_app_el5_file:dir { search }; +allow distributeddata data_service_el0_file:dir { search }; +allow distributeddata debug_param:file { map open read }; +allow distributeddata default_param:file { map open read }; +allow distributeddata dhardware:binder { call transfer }; +allow distributeddata dhardware:dir { search }; +allow distributeddata dhardware:file { open read }; +allow distributeddata distributeddata:unix_dgram_socket { getopt setopt }; +allow distributeddata distributedsche:dir { search }; +allow distributeddata distributedsche:file { open read }; +allow distributeddata distributedsche_param:file { map open read }; +allow distributeddata foundation:dir { search }; +allow distributeddata foundation:file { open read }; +allow distributeddata hilog_param:file { map open read }; +allow distributeddata hiview:unix_dgram_socket { sendto }; +allow distributeddata hw_sc_build_os_param:file { map open read }; +allow distributeddata hw_sc_build_param:file { map open read }; +allow distributeddata hw_sc_param:file { map open read }; +allow distributeddata init_param:file { map open read }; +allow distributeddata init_svc_param:file { map open read }; +allow distributeddata input_pointer_device_param:file { map open read }; +allow distributeddata net_param:file { map open read }; +allow distributeddata net_tcp_param:file { map open read }; +allow distributeddata normal_hap_attr:fd { use }; +allow distributeddata normal_hap_data_file_attr:dir { getattr open read }; +allow distributeddata normal_hap_data_file_attr:file { ioctl map open read write setattr }; +allow distributeddata ohos_boot_param:file { map open read }; +allow distributeddata ohos_param:file { map open read }; +allow distributeddata param_watcher:binder { call transfer }; +allow distributeddata persist_param:file { map open read }; +allow distributeddata persist_sys_param:file { map open read }; +# avc denied { call } for pid=1509, comm="/system/bin/sa_main" scontext=u:r:distributeddata:s0 tcontext=resource_schedule_service:s0 tclass=binder permissive=1 +#Before obtaining the application list, the rss service needs to call the DataShare interface to query the database information to check whether the user agrees to the authorization +allow distributeddata resource_schedule_service:binder { call transfer }; +allow distributeddata sa_resource_schedule:samgr_class { get }; +allow distributeddata sa_device_auth_service:samgr_class { get }; +allow distributeddata sa_device_security_level_manager_service:samgr_class { get }; +allow distributeddata sa_foundation_abilityms:samgr_class { get }; +allow distributeddata sa_foundation_bms:samgr_class { get }; +allow distributeddata sa_foundation_cesfwk_service:samgr_class { get }; +allow distributeddata sa_huks_service:samgr_class { get }; +allow distributeddata sa_softbus_service:samgr_class { get }; +allow distributeddata sa_uri_permission_mgr_service:samgr_class { get }; +allow distributeddata sa_distributeschedule:samgr_class { get }; +allow distributeddata security_param:file { map open read }; +allow distributeddata softbus_server:fd { use }; +allow distributeddata softbus_server:tcp_socket { shutdown }; +allow distributeddata startup_param:file { map open read }; +allow distributeddata sys_param:file { map open read }; +allow distributeddata system_basic_hap_attr:fd { use }; +allow distributeddata system_bin_file:dir { search }; +allow distributeddata system_core_hap_attr:binder { call transfer }; +allow distributeddata system_core_hap_attr:fd { use }; +allow distributeddata sys_usb_param:file { map open read }; +allow distributeddata tracefs:dir { search }; +allow distributeddata tracefs_trace_marker_file:file { open write }; +allowxperm distributeddata normal_hap_data_file_attr:file ioctl { 0xf50c }; +debug_only(` +allow distributeddata sh:binder { call transfer }; +allow distributeddata sh:dir { search }; +allow distributeddata sh:fd { use }; +allow distributeddata sh:file { getattr open read }; +') +allow distributeddata wifi_manager_service:binder { call transfer }; +allow distributeddata bluetooth_service:binder { call transfer }; +allow distributeddata dlp_permission_service:binder { call transfer }; +allow distributeddata sa_filemanagement_distributed_file_daemon_service:samgr_class { get }; +allow distributeddata distributedfiledaemon:binder { call transfer }; +allow distributeddata inputmethod_service:binder { call transfer }; +allow distributeddata data_service_el1_file:dir { relabelfrom }; +allow distributeddata data_service_el1_utd_file:dir { relabelto add_name search write }; +allow distributeddata data_service_el1_utd_file:file { create ioctl getattr read write open }; +allowxperm distributeddata data_service_el1_utd_file:file ioctl { 0x5413 }; +allow distributeddata sa_time_service:samgr_class { get }; +allow distributeddata sa_screenlock_service:samgr_class { get }; +allow distributeddata time_service:binder { call transfer }; +binder_call(distributeddata, powermgr); +allow distributeddata powermgr:dir { search }; +allow distributeddata powermgr:file { getattr open read }; +allow distributeddata sa_memory_manager_service:samgr_class { get }; +allow distributeddata memmgrservice:binder { call }; +allow distributeddata data_service_el3_file:dir { search }; +allow distributeddata data_service_el4_file:dir { search }; +allow distributeddata data_service_el5_file:dir { search }; +allow distributeddata data_app_el3_file:dir { search }; +allow distributeddata data_app_el3_file:file { getattr open read }; +allow distributeddata data_app_el4_file:dir { search }; +allow distributeddata data_app_el4_file:file { getattr open read }; +allow distributeddata data_app_el5_file:dir { search }; +allow distributeddata data_app_el5_file:file { getattr open read }; +allow distributeddata key_enable:key { search }; +allow distributeddata data_service_el1_file:dir { rename }; +allow distributeddata data_service_el2_pasteboard_service:dir { read write create getattr setattr open add_name remove_name search rmdir ioctl relabelfrom rename }; +allow distributeddata data_service_el2_pasteboard_service:file { read write create getattr setattr lock map unlink rename open ioctl }; +allowxperm distributeddata data_service_el2_pasteboard_service:dir ioctl { 0xf546 }; +allowxperm distributeddata data_service_el2_pasteboard_service:file ioctl { 0xf50c 0xf546 }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..b8e0ab4feb39c3444169d71288499d9e47a3f169 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_app_el1_database_file, file_attr, data_file_attr; +type data_app_el2_database_file, file_attr, data_file_attr; +type data_app_el3_database_file, file_attr, data_file_attr; +type data_app_el4_database_file, file_attr, data_file_attr; +type data_service_el1_utd_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file_contexts b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..88ce49d1875888ec685a4b8772e8b27a0d2c6c32 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/file_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/app/el1/[0-9]+/database(/.*)? u:object_r:data_app_el1_database_file:s0 +/data/app/el2/[0-9]+/database(/.*)? u:object_r:data_app_el2_database_file:s0 +/data/app/el3/[0-9]+/database(/.*)? u:object_r:data_app_el3_database_file:s0 +/data/app/el4/[0-9]+/database(/.*)? u:object_r:data_app_el4_database_file:s0 +/data/service/el1/[0-9]+/distributeddata/utd(/.*)? u:object_r:data_service_el1_utd_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..7d94a189963fb86b40c93c78dc14d44f37c0640f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/hap_domain.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow hap_domain data_service_el1_utd_file:dir { search }; +allow hap_domain data_service_el1_utd_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b5c76f7a044cc10beb8f031f2e1cad1b51cb24d0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr distributeddata:fd { use }; +allow normal_hap_attr musl_param:file { open map read }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..cca291ae47771d6278fe5960a0edd7f7c2c1b73a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/storage_daemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon data_service_el1_utd_file:dir { open read search write remove_name getattr rmdir }; +allow storage_daemon data_service_el1_utd_file:file { unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..1cde826a93e42f763f1f617d681f56ba7e00dd9a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr distributeddata:binder { call transfer }; +allow system_basic_hap_attr distributeddata:fd { use }; +allow system_basic_hap_attr musl_param:file { open map read }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7a77876cf8cc03b11bc02774842487c81c48f474 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/distributeddatamgr/system/system_core_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr distributeddata:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/file_contexts b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a74483bb978364d9ab3bffcf9782b994be2f104c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el2/[0-9]+/database/pasteboard_service(/.*)? u:object_r:data_service_el2_pasteboard_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/type.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..fe45c86530d72e485146bdd47f97c86cac1ab46e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_el2_pasteboard_service, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/system/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/system/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..aa08d630b38af75a4c901e409099db1fe0498b23 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributeddatamgr/pasteboard/system/pasteboard_service.te @@ -0,0 +1,42 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pasteboard_service sa_multimodalinput_service:samgr_class { get }; +allow pasteboard_service multimodalinput:binder { call transfer }; +allow pasteboard_service multimodalinput:fd { use }; +allow pasteboard_service multimodalinput:unix_stream_socket { read write }; +allow pasteboard_service sa_privacy_service:samgr_class { get }; +allow pasteboard_service privacy_service:binder { call }; +allow pasteboard_service data_app_el1_file:dir { search }; +allow pasteboard_service normal_hap_data_file_attr:dir { search }; +allow pasteboard_service arkcompiler_param:file { read }; +allow pasteboard_service arkcompiler_param:file { map }; +allow pasteboard_service dev_kmsg_file:chr_file { write }; +allow pasteboard_service sa_resource_schedule:samgr_class { get }; +allow pasteboard_service tty_device:chr_file { read write }; +allow pasteboard_service arkcompiler_param:file { open }; +allow pasteboard_service resource_schedule_service:binder { call }; +allow pasteboard_service sa_memory_manager_service:samgr_class { get }; +allow pasteboard_service memmgrservice:binder { call }; +allow pasteboard_service distributeddata:fd { use }; +allow pasteboard_service chip_prod_file:dir { search }; +allow pasteboard_service data_user_file:dir { search }; +allow pasteboard_service sa_device_security_level_manager_service:samgr_class { get }; +allow pasteboard_service dslm_service:binder { call transfer }; +allow dslm_service pasteboard_service:binder { call }; +allow pasteboard_service data_service_el2_pasteboard_service:dir { read write create getattr open add_name remove_name search rmdir ioctl }; +allow pasteboard_service data_service_el2_pasteboard_service:file { read write create getattr setattr lock map unlink open ioctl }; +allowxperm pasteboard_service data_service_el2_pasteboard_service:dir ioctl { 0xf546 }; +allowxperm pasteboard_service data_service_el2_pasteboard_service:file ioctl { 0xf50c 0xf546 }; +allow storage_daemon data_service_el2_pasteboard_service:dir { relabelto lock rename remove_name rmdir read write create getattr setattr relabelfrom open add_name search }; +allow storage_daemon data_service_el2_pasteboard_service:file { relabelto read write create getattr setattr lock append map unlink rename open watch watch_reads relabelfrom }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..ea1b6faec5d185b979c9596049401e0a63d6bb7c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/accountmgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=660 comm="accountmgr" scontext=u:r:accountmgr:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow accountmgr device_manager:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..ed43f6ec0948532b91b15586b25665ac0a2d9892 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/device_manager.te @@ -0,0 +1,349 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type device_manager, sadomain, domain; + +allow device_manager sa_foundation_devicemanager_service:samgr_class { add get }; + +#avc: denied { search } for pid=594 comm="sa_main" name="bin" dev="mmcblk0p6" ino=107 scontext=u:r:device_manager:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0 +allow device_manager system_bin_file:dir { search }; + +#avc: denied { read } for pid=594 comm="sa_main" name="u:object_r:ohos_param:s0" dev="tmpfs" ino=27 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=525 comm="sa_main" path="/dev/__parameters__/u:object_r:ohos_param:s0" dev="tmpfs" ino=27 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:ohos_param:s0" dev="tmpfs" ino=27 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=0 +allow device_manager ohos_param:file { read open map }; + +#avc: denied { search } for pid=594 comm="sa_main" name="socket" dev="tmpfs" ino=21 scontext=u:r:device_manager:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +#avc: denied { search } for pid=594 comm="device_manager" name="socket" dev="tmpfs" ino=21 scontext=u:r:device_manager:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow device_manager dev_unix_socket:dir { search }; + +#avc: denied { read } for pid=479 comm="device_manager" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=46 scontext=u:r:device_manager:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=496 comm="device_manager" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=46 scontext=u:r:device_manager:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=525 comm="device_manager" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=46 scontext=u:r:device_manager:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +allow device_manager hilog_param:file { read open map }; + +#avc: denied { set } for parameter=persist.distributed_hardware.device_manager.discover_status pid=506 uid=3062 gid=1000 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=1 +allow device_manager persist_param:parameter_service { set }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:persist_param:s0" dev="tmpfs" ino=47 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=496 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=47 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=47 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +allow device_manager persist_param:file { read open map }; + +#avc: denied { call } for pid=506 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow device_manager system_basic_hap_attr:binder { call }; + +#avc: denied { get } for service=3510 pid=559 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_huks_service:samgr_class { get }; + +#avc: denied { get } for service=200 pid=559 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow device_manager sa_accountmgr:samgr_class { get }; + +#avc: denied { get } for service=3299 pid=559 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { get } for service=7001 pid=559 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_subsys_ace_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_subsys_ace_service:samgr_class { get }; + +#avc: denied { get } for service=4701 pid=530 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_device_auth_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_device_auth_service:samgr_class { get }; + +#avc: denied { get } for service=401 pid=518 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow device_manager sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=4801 pid=518 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_dhardware_service:samgr_class { get }; + +#avc: denied { call } for pid=724 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=0 +allow device_manager dhardware:binder { call }; + +#avc: denied { get } for service=6001 pid=518 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_device_profile_service:samgr_class { get }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=489 comm="sa_main" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:device_manager:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +allow device_manager ohos_boot_param:file { read open map }; + +#denied { read } for pid=525 comm="sa_main" name="u:object_r:sys_param:s0" dev="tmpfs" ino=29 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=29 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=489 comm="sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=29 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=0 +allow device_manager sys_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:sys_usb_param:s0" dev="tmpfs" ino=30 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:sys_usb_param:s0" dev="tmpfs" ino=30 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=489 comm="sa_main" path="/dev/__parameters__/u:object_r:sys_usb_param:s0" dev="tmpfs" ino=30 scontext=u:r:device_manager:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=0 +allow device_manager sys_usb_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:net_param:s0" dev="tmpfs" ino=31 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=31 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=31 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=0 +allow device_manager net_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:net_tcp_param:s0" dev="tmpfs" ino=32 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=32 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=32 scontext=u:r:device_manager:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=0 +allow device_manager net_tcp_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:hw_sc_param:s0" dev="tmpfs" ino=33 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_param:s0" dev="tmpfs" ino=33 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_param:s0" dev="tmpfs" ino=33 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=0 +allow device_manager hw_sc_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=34 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=34 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=34 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=0 +allow device_manager hw_sc_build_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=35 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=35 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=35 scontext=u:r:device_manager:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=0 +allow device_manager hw_sc_build_os_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:init_param:s0" dev="tmpfs" ino=36 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=469 comm="sa_main" path="/dev/__parameters__/u:object_r:init_param:s0" dev="tmpfs" ino=36 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:init_param:s0" dev="tmpfs" ino=36 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +allow device_manager init_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:init_svc_param:s0" dev="tmpfs" ino=37 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:init_svc_param:s0" dev="tmpfs" ino=37 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=675 comm="sa_main" path="/dev/__parameters__/u:object_r:init_svc_param:s0" dev="tmpfs" ino=37 scontext=u:r:device_manager:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +allow device_manager init_svc_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:const_param:s0" dev="tmpfs" ino=38 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=38 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=675 comm="sa_main" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=38 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=0 +allow device_manager const_param:file { read open map }; + +#avc: denied { read } for pid=525 comm="sa_main" name="u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=39 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=570 comm="sa_main" path="/dev/__parameters__/u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=39 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=675 comm="sa_main" path="/dev/__parameters__/u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=39 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=0 +allow device_manager const_postinstall_param:file { read open map }; + +#avc: denied { read } for pid=570 comm="sa_main" name="u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=40 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=675 comm="sa_main" path="/dev/__parameters__/u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=40 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=40 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=0 +allow device_manager const_postinstall_fstab_param:file { read open map }; + +#avc: denied { get } for service=4700 pid=609 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow device_manager sa_softbus_service:samgr_class { get }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow device_manager huks_service:binder { call }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:deviceauth_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:deviceauth_service:s0 tclass=binder permissive=1 +allow device_manager deviceauth_service:binder { call transfer }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1 +allow device_manager accountmgr:binder { call }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=724 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +allow device_manager foundation:binder { call transfer }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:ui_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:ui_service:s0 tclass=binder permissive=1 +allow device_manager ui_service:binder { call transfer }; + +#avc: denied { getopt } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:device_manager:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:device_manager:s0 tclass=unix_dgram_socket permissive=1 +allow device_manager device_manager:unix_dgram_socket { getopt setopt }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=675 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0 +allow device_manager softbus_server:binder { call transfer }; + +#avc: denied { call } for pid=599 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1 +allow device_manager normal_hap_attr:binder { call }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:const_allow_param:s0" dev="tmpfs" ino=41 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=41 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=41 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=0 +allow device_manager const_allow_param:file { read open map }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=42 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=42 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=42 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=0 +allow device_manager const_allow_mock_param:file { read open map }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:const_build_param:s0" dev="tmpfs" ino=43 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=496 comm="sa_main" path="/dev/__parameters__/u:object_r:const_build_param:s0" dev="tmpfs" ino=43 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:const_build_param:s0" dev="tmpfs" ino=43 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=0 +allow device_manager const_build_param:file { read open map }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:const_product_param:s0" dev="tmpfs" ino=44 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=496 comm="sa_main" path="/dev/__parameters__/u:object_r:const_product_param:s0" dev="tmpfs" ino=44 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:const_product_param:s0" dev="tmpfs" ino=44 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +allow device_manager const_product_param:file { read open map }; + +#avc: denied { read } for pid=675 comm="sa_main" name="u:object_r:security_param:s0" dev="tmpfs" ino=45 scontext=u:r:device_manager:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=496 comm="sa_main" path="/dev/__parameters__/u:object_r:security_param:s0" dev="tmpfs" ino=45 scontext=u:r:device_manager:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:security_param:s0" dev="tmpfs" ino=45 scontext=u:r:device_manager:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=0 +allow device_manager security_param:file { read open map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:device_manager:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +allow device_manager persist_sys_param:file { read open map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:debug_param:s0" dev="tmpfs" ino=49 scontext=u:r:device_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=49 scontext=u:r:device_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=49 scontext=u:r:device_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow device_manager debug_param:file { read open map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:startup_param:s0" dev="tmpfs" ino=50 scontext=u:r:device_manager:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=647 comm="sa_main" path="/dev/__parameters__/u:object_r:startup_param:s0" dev="tmpfs" ino=50 scontext=u:r:device_manager:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:startup_param:s0" dev="tmpfs" ino=50 scontext=u:r:device_manager:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +allow device_manager startup_param:file { read open map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:bootevent_param:s0" dev="tmpfs" ino=51 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:bootevent_param:s0" dev="tmpfs" ino=51 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=554 comm="sa_main" path="/dev/__parameters__/u:object_r:bootevent_param:s0" dev="tmpfs" ino=51 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=0 +allow device_manager bootevent_param:file { read open map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:build_version_param:s0" dev="tmpfs" ino=53 scontext=u:r:device_manager:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:build_version_param:s0" dev="tmpfs" ino=53 scontext=u:r:device_manager:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +allow device_manager build_version_param:file { read open }; +#avc: denied { map } for pid=554 comm="sa_main" path="/dev/__parameters__/u:object_r:build_version_param:s0" dev="tmpfs" ino=53 scontext=u:r:device_manager:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +allow device_manager build_version_param:file { map }; + +#avc: denied { read } for pid=496 comm="sa_main" name="u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=54 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=462 comm="sa_main" path="/dev/__parameters__/u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=54 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=554 comm="sa_main" path="/dev/__parameters__/u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=54 scontext=u:r:device_manager:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=0 +allow device_manager bootevent_samgr_param:file { read open map }; + +#avc: denied { call } for pid=525 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=0 +allow device_manager accesstoken_service:binder { call }; + +#avc: denied { call } for pid=525 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=0 +allow device_manager distributedfiledaemon:binder { call }; + +#avc: denied { read } for pid=462 comm="sa_main" name="u:object_r:distributedsche_param:s0" dev="tmpfs" ino=55 scontext=u:r:device_manager:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=554 comm="sa_main" path="/dev/__parameters__/u:object_r:distributedsche_param:s0" dev="tmpfs" ino=55 scontext=u:r:device_manager:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=557 comm="sa_main" path="/dev/__parameters__/u:object_r:distributedsche_param:s0" dev="tmpfs" ino=55 scontext=u:r:device_manager:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=0 +allow device_manager distributedsche_param:file { read open map }; + +#avc: denied { call } for pid=724 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=657 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1 +allow device_manager distributedsche:binder { call transfer }; + +#avc: denied { read } for pid=462 comm="sa_main" name="u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=554 comm="sa_main" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=0 +allow device_manager input_pointer_device_param:file { read open }; +#avc: denied { map } for pid=557 comm="sa_main" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=0 +allow device_manager input_pointer_device_param:file { read open map }; + +#avc: denied { write } for pid=427 comm="device_manager" name="paramservice" dev="tmpfs" ino=26 scontext=u:r:device_manager:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 +allow device_manager paramservice_socket:sock_file { write }; + +#avc: denied { read } for pid=554 comm="sa_main" name="u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=57 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=557 comm="sa_main" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=57 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=536 comm="sa_main" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=57 scontext=u:r:device_manager:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=0 +allow device_manager const_display_brightness_param:file { read open map }; + +#avc: denied { read } for pid=554 comm="sa_main" name="u:object_r:default_param:s0" dev="tmpfs" ino=58 scontext=u:r:device_manager:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=557 comm="sa_main" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=58 scontext=u:r:device_manager:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=536 comm="sa_main" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=58 scontext=u:r:device_manager:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=0 +allow device_manager default_param:file { read open map }; + +#avc: denied { search } for pid=554 comm="device_manager" name="/" dev="tracefs" ino=1 scontext=u:r:device_manager:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0 +allow device_manager tracefs:dir { search }; + +#avc: denied { connectto } for pid=554 comm="device_manager" path="/dev/unix/socket/paramservice" scontext=u:r:device_manager:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 +allow device_manager kernel:unix_stream_socket { connectto }; + +#avc: denied { get } for service=3901 pid=647 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=0 +allow device_manager sa_param_watcher:samgr_class { get }; + +#avc: denied { call } for pid=557 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=536 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=0 +allow device_manager param_watcher:binder { call transfer }; + +#avc: denied { write } for pid=557 comm="device_manager" name="trace_marker" dev="tracefs" ino=14932 scontext=u:r:device_manager:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=536 comm="device_manager" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=15109 scontext=u:r:device_manager:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +allow device_manager tracefs_trace_marker_file:file { write open }; + +#avc: denied { call } for pid=657 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:token_sync_service:s0 tclass=binder permissive=1 +allow device_manager token_sync_service:binder { call }; + +debug_only(` + #avc: denied { call } for pid=686 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 + allow device_manager sh:binder { call }; +') + +#avc: denied { get } for service=3503 pid=615 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=0 +allow device_manager sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=180 pid=246 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow device_manager sa_foundation_abilityms:samgr_class { get }; + +allow device_manager system_core_hap_attr:binder { call transfer }; +allow device_manager pasteboard_service:binder { call transfer }; +allow device_manager distributeddata:binder { call }; + +allow device_manager devinfo_private_param:file { map open read}; + +allow device_manager dhardware_dm_param:parameter_service { set }; +allow domain dhardware_dm_param:file { map open read }; + +allow device_manager msdp_sa:binder { call }; +allow device_manager multimodalinput:binder { call }; + +#avc: denied { read write } for pid=242 comm="sa_main" path="/dev/console" dev="tmpfs" ino=21 scontext=u:r:device_manager:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +allow device_manager dev_console_file:chr_file { read write }; + +#avc: denied { read } for pid=242 comm="IPC_1_300" name="u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=249 comm="device_manager" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=248 comm="IPC_1_281" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:device_manager:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow device_manager musl_param:file { read open map }; + +#avc: denied { call } for pid=255 comm="IPC_0_273" scontext=u:r:device_manager:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow device_manager dcamera:binder { call }; + +#avc: denied { get } for service=1130 pid=580 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=0 +allow device_manager sa_bluetooth_server:samgr_class { get }; +allow device_manager bluetooth_service:binder { call transfer }; + +allow device_manager daudio:binder { call transfer }; +allow device_manager softbus_server:fd { use }; +allow device_manager softbus_server:tcp_socket { read write setopt shutdown }; +allow device_manager arkcompiler_param:file { read }; +allow device_manager ark_writeable_param:file { read }; + +allow device_manager sa_memory_manager_service:samgr_class { get }; +allow device_manager memmgrservice:binder { call }; +allow device_manager accountmgr:fd { use }; +allow device_manager sa_screenlock_service:samgr_class { get }; +allow device_manager sa_powermgr_powermgr_service:samgr_class { get }; +allow device_manager sa_wifi_device_ability:samgr_class { get }; + +#avc: denied { read } for pid=3850 comm="device_manager" name="online" dev="sysfs" ino=4921 scontext=u:r:device_manager:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { open } for pid=3850 comm="device_manager" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:device_manager:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=3850 comm="device_manager" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:device_manager:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow device_manager sysfs_devices_system_cpu:file { read open getattr }; +#avc: denied { call } for pid=3850 comm="OS_IPC_3_3863" scontext=u:r:device_manager:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow device_manager wifi_manager_service:binder { call }; +#avc: denied { call } for pid=3850 comm="OS_IPC_3_3863" scontext=u:r:device_manager:s0 tcontext=u:r:powermgr:s0 tclass=binder permissive=1 +allow device_manager powermgr:binder { call }; +#avc: denied { get } for service=1301 sid=u:r:device_manager:s0 scontext=u:r:device_manager:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=0 +allow device_manager sa_distributeddata_service:samgr_class { get }; +allow device_manager distributeddata:binder { call transfer }; +allow device_manager distributeddata:fd { use }; +allow device_manager data_service_el1_file:dir { search write add_name create getattr read open remove_name }; +allow device_manager data_service_el1_file:dir { relabelfrom }; +allow device_manager data_service_el1_file:file { create write open read getattr ioctl lock unlink map setattr }; +allow device_manager data_service_file:dir { search }; +allow device_manager data_user_file:dir { getattr search }; +allowxperm device_manager data_service_el1_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allow device_manager data_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/deviceauth_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/deviceauth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ec53c2f8f8ac9d8b1bf88bd9b3bb69965897179c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/deviceauth_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=376 comm="deviceauth_serv" scontext=u:r:deviceauth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow deviceauth_service device_manager:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/dhardware.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..2839e07c3f0a67ca725f3d7114242af1158e8fc1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/dhardware.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=2733 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2733 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow dhardware device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedfiledaemon.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..260875080c7794788df5527bebc5d29a58796274 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedfiledaemon.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=490 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=629 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow distributedfiledaemon device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedsche.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..3850ec770dca1aa42c86d51026238a6a56fa4ada --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/distributedsche.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=610 comm="distributedsche" scontext=u:r:distributedsche:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow distributedsche device_manager:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/foundation.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..6a59311933fe2c3d31ea51ad9f0943730012a443 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=697 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=627 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow foundation device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/init.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..f0ea24f1e35650bec2d28da59101e334cb264149 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/init.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { rlimitinh } for pid=594 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=process permissive=0 +#avc: denied { siginh } for pid=594 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=process permissive=0 +#avc: denied { getattr } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=process permissive=0 +allow init device_manager:process { transition rlimitinh siginh getattr }; + + +#avc: denied { read } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1 comm="init" path="/proc/547/attr/current" dev="proc" ino=27712 scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=file permissive=0 +allow init device_manager:file { read open }; + +#avc: denied { search } for pid=1 comm="init" name="536" dev="proc" ino=18261 scontext=u:r:init:s0 tcontext=u:r:device_manager:s0 tclass=dir permissive=0 +allow init device_manager:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..26286b7a7f8ba9cc08bfc82449b33a81306199ac --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=2215 comm="jsThread-1" scontext=u:r:normal_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2215 comm="jsThread-1" scontext=u:r:normal_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow normal_hap_attr device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..076eee4e7de49351eb33fc6b926d6f1606fb8878 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=250 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow param_watcher device_manager:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..fea1157434d3b2dba7a2d07d243120cfb2e8e26d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/softbus_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=598 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow softbus_server device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..66cbee6f404df99137ab10d2a8d89c2448dc2836 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=1548 comm="com.ohos.screen" scontext=u:r:system_basic_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1548 comm="com.ohos.screen" scontext=u:r:system_basic_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=1599 comm="com.ohos.system" scontext=u:r:system_basic_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1599 comm="com.ohos.system" scontext=u:r:system_basic_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow system_basic_hap_attr device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3122d3130509c1bab1728c4ce2eab4e5b9a4072a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=3081 comm="1.ui" scontext=u:r:system_core_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=3081 comm="1.ui" scontext=u:r:system_core_hap:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow system_core_hap_attr device_manager:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9f28803b7721e505782f6403ba89121f48ac5649 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/device_manager/system/ui_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=555 comm="ui_service" scontext=u:r:ui_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow ui_service device_manager:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/hdf_service_contexts b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/hdf_service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..df7a6a6be4cc6dbe71be779be9da574f5040ee25 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/hdf_service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +daudio_ext_service u:object_r:hdf_daudio_ext:s0 +daudio_primary_service u:object_r:hdf_daudio_primary:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/type.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..85f3f8aaca0ecbc6cddabc69e81e655ee5b37f27 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/public/type.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +type daudio, sadomain, domain; +type daudio_host, hdfdomain, domain; +type sa_distributed_hardware_audio_source_service, sa_service_attr; +type sa_distributed_hardware_audio_sink_service, sa_service_attr; +type hdf_daudio_ext, hdf_service_attr; +type hdf_daudio_primary, hdf_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..33574791a5307d7d0f68a3b6f1426748e184bb12 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/audio_server.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server daudio:binder { call transfer }; +allow audio_server daudio_host:binder { call transfer }; +allow audio_server hdf_daudio_primary:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/daudio.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/daudio.te new file mode 100644 index 0000000000000000000000000000000000000000..c19f7ae2bd624526f3f4b3c3ce3f21c08b39a600 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/daudio.te @@ -0,0 +1,160 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow daudio hilog_param:file { open read map }; + +allow daudio debug_param:file { open read map }; + +allow daudio accesstoken_service:binder { call }; + +allow daudio media_service:binder { call transfer}; + +allow daudio musl_param:file { read open map }; + +allow daudio data_file:dir { search }; + +allow daudio data_data_file:dir { search }; + +allow daudio data_data_file:file { create append open ioctl getattr }; + +allowxperm daudio data_data_file:file ioctl { 0x5413 }; + +allow daudio_host data_data_file:dir { add_name search write }; + +allow daudio_host data_data_file:file { create append open ioctl getattr }; + +allowxperm daudio_host data_data_file:file ioctl { 0x5413 }; + +allow daudio data_data_pulse_dir:dir { search read open getattr }; + +allow daudio data_data_pulse_dir:file { read write open lock }; + +allow daudio dhardware:binder { call }; + +allow daudio daudio:udp_socket { create setopt }; + +allow daudio daudio:udp_socket { read write connect }; + +allow daudio daudio:netlink_route_socket { create write nlmsg_read nlmsg_readpriv read }; + +allow daudio daudio_host:binder { call transfer }; + +allow daudio daudio:unix_dgram_socket { getopt setopt }; + +allow daudio dev_unix_socket:dir { search }; + +allow daudio media_service:fd { use }; + +allow daudio native_socket:sock_file { write }; + +allow daudio softbus_server:tcp_socket { setopt write }; + +allow daudio softbus_server:udp_socket { write read }; + +allow daudio softbus_server:dir { read }; + +allow daudio softbus_server:fd { use }; + +allow daudio softbus_server:binder { call transfer }; + +allow daudio softbus_server:tcp_socket { shutdown }; + +allow daudio softbus_server:tcp_socket { read }; + +allow daudio hilog_param:udp_socket { read }; + +allow daudio hdf_devmgr:binder { call transfer }; + +allow daudio hdf_device_manager:hdf_devmgr_class { get }; + +allow daudio hdf_daudio_ext:hdf_devmgr_class { get }; + +allow daudio tracefs:dir { search }; + +allow daudio tracefs_trace_marker_file:file { write open }; + +allow daudio proc_file:file { read open }; + +allow daudio audio_server:unix_stream_socket { connectto }; + +allow daudio audio_server:binder { call transfer }; + +allow daudio audio_server:fd { use }; + +allow daudio param_watcher:binder { call transfer }; + +allow daudio sa_param_watcher:samgr_class { get }; + +allow daudio sa_distributed_hardware_audio_sink_service:samgr_class { add get_remote }; + +allow daudio sa_distributed_hardware_audio_source_service:samgr_class { add get_remote }; + +allow daudio sa_device_service_manager:samgr_class { get }; + +allow daudio sa_softbus_service:samgr_class { get }; + +allow daudio sa_media_service:samgr_class { get }; + +allow daudio sa_audio_policy_service:samgr_class { get }; + +allow daudio sa_accesstoken_manager_service:samgr_class { get }; + +allow daudio sa_pulseaudio_audio_service:samgr_class { get }; + +allow daudio daudio:udp_socket { bind getattr }; + +allow daudio node:udp_socket { node_bind }; + +allow daudio sys_param:file { open read map }; + +allow daudio system_bin_file:dir { search }; + +allow daudio vendor_bin_file:dir { search }; + +allow daudio daudio_host:fd { use }; + +allow daudio sa_dhardware_service:samgr_class { get }; + +allow daudio hdf_codec_hdi_omx_service:hdf_devmgr_class { get }; + +allow daudio sa_foundation_bms:samgr_class { get }; + +allow daudio foundation:binder { call }; + +allow daudio dhardware:binder { transfer }; + +allow daudio sa_foundation_devicemanager_service:samgr_class { get }; + +allow daudio dslm_service:binder { call transfer }; + +allow daudio device_manager:binder { call transfer }; + +allow daudio dev_kmsg_file:chr_file { write open }; + +allow daudio sa_device_security_level_manager_service:samgr_class { get }; + +allow daudio persist_sys_param:file { read open map }; + +allow daudio arkcompiler_param:file { read open map }; + +allow daudio ark_writeable_param:file { read open map }; + +allow daudio system_lib_file:dir { read open }; + +allow daudio persist_param:file { read open map }; + +allow daudio codec_host:binder { call transfer }; + +debug_only(` + allow daudio sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/dhardware.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..0b2984e4515aef80cdc05455b27748155d300017 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/dhardware.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dhardware audio_server:binder { call transfer }; +allow dhardware daudio:binder { call transfer }; +allow dhardware sa_distributed_hardware_audio_source_service:samgr_class { get }; +allow dhardware sa_distributed_hardware_audio_sink_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..1b39f86e8bcd7928c3fe1cf37b631701b79dada0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hdf_devmgr.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr daudio:file { read open }; +allow hdf_devmgr daudio:dir { search }; +allow hdf_devmgr daudio:process { getattr }; +allow hdf_devmgr daudio:binder { transfer call }; +allow hdf_devmgr daudio_host:binder { call transfer }; +allow hdf_devmgr daudio_host:dir { search }; +allow hdf_devmgr daudio_host:file { open read }; +allow hdf_devmgr daudio_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..dd23396e34abdb1802f036f97e39a84b12d62988 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service sa_distributed_hardware_audio_source_service:samgr_class { get }; +allow hidumper_service sa_distributed_hardware_audio_sink_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/init.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..232ca2476cdc1320bbcf05ce7e0417f47dfb7d56 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init daudio:process { transition rlimitinh siginh }; +allow init daudio_host:process { rlimitinh siginh sigkill transition }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/media_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..35bf60917ef8931c9f8fb560847ff7df5e60963e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/media_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service daudio:binder { transfer call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..4413fa53d926cfd98a74cb5ca19912b3b8469245 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher daudio:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..38a3e53d96c470938bb0d031270a2d3f20e6efee --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/softbus_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server daudio:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a096c5c8beaa8d9efe3605663ea3589928b7036e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr dhardware:binder { call transfer }; +allow system_core_hap_attr sa_dhardware_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/vendor/daudio_host.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/vendor/daudio_host.te new file mode 100644 index 0000000000000000000000000000000000000000..b253f50e3d4952007bc758a121bcfc51ccd9bf2a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_audio/vendor/daudio_host.te @@ -0,0 +1,59 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +allow daudio_host musl_param:file { map read open }; + +allow daudio_host debug_param:file { open read map }; + +allow daudio_host hilog_param:file { map open read }; + +debug_only(` + allow daudio_host sh:binder { call transfer }; +') + +allow daudio_host hdf_device_manager:hdf_devmgr_class { get }; + +allow daudio_host hdf_devmgr:binder { call transfer }; + +allow daudio_host hdf_daudio_primary:hdf_devmgr_class { add }; + +allow daudio_host hdf_daudio_ext:hdf_devmgr_class { add }; + +allow daudio_host daudio:binder { call }; + +allow daudio_host dev_unix_socket:dir { search }; + +allow daudio_host chip_prod_file:dir { search }; + +allow daudio_host chip_prod_file:file { read }; + +allow daudio_host dev_ashmem_file:chr_file { open }; + +allow daudio_host proc_file:file { open read }; + +allow daudio_host audio_server:binder { transfer }; + +allow daudio_host sa_device_service_manager:samgr_class { get }; + +allow daudio_host samgr:binder { call }; + +allow daudio_host vendor_bin_file:file { entrypoint map read execute }; + +allow daudio_host vendor_etc_file:dir { search }; + +allow daudio_host vendor_etc_file:file { getattr open read }; + +allow daudio_host dev_kmsg_file:chr_file { write }; + +allow daudio_host chip_prod_file:file { open getattr write }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/public/dcamera.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/public/dcamera.te new file mode 100644 index 0000000000000000000000000000000000000000..58b4e27c6ba8fb80eb8a57eba335ab87d996ef00 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/public/dcamera.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dcamera, sadomain, domain; +type sa_dcamera_source_service, sa_service_attr; +type sa_dcamera_sink_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/system/dcamera.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/system/dcamera.te new file mode 100644 index 0000000000000000000000000000000000000000..b15da8a8dad25d63d45216f3c59341384d8b96f4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_camera/system/dcamera.te @@ -0,0 +1,267 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +allow dcamera camera_service:binder { call transfer }; + +#avc: denied { search } for pid=2040 comm="dcamera" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dcamera:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow dcamera data_file:dir { search }; + +#avc: denied { bind } for pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { connect } for pid=2344 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { create } for pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { getattr } for pid=2344 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { read } for pid=2040 comm="Fillp_core_94" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { setopt } for pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +#avc: denied { write } for pid=2040 comm="Fillp_core_94" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1 +allow dcamera dcamera:udp_socket { bind connect create getattr read setopt write }; + +#avc: denied { getopt } for pid=2051 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=2051 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=unix_dgram_socket permissive=1 +allow dcamera dcamera:unix_dgram_socket { getopt setopt }; + +#avc: denied { call } for pid=2178 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera_host:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2429 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera_host:s0 tclass=binder permissive=1 +allow dcamera dcamera_host:binder { call transfer }; + +#avc: denied { create } for pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1 +#avc: denied { write } for pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1 +#avc: denied { nlmsg_read } for pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1 +#avc: denied { read } for pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1 +allow dcamera dcamera:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write }; + +#avc: denied { search } for pid=2047 comm="dcamera" name="socket" dev="tmpfs" ino=38 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dcamera dev_unix_socket:dir { search }; + +#avc: denied { read write } for pid=2520 comm="sa_main" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +allow dcamera dev_console_file:chr_file { read write }; + +#avc: denied { getattr } for pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=2396 comm="dcamera" name="renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 ioctlcmd=0x641f scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow dcamera dev_dri_file:chr_file { getattr ioctl open read write }; + +#avc: denied { search } for pid=2396 comm="dcamera" name="dri" dev="tmpfs" ino=93 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 +allow dcamera dev_dri_file:dir { search }; + +#avc: denied { call } for pid=2464 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1 +allow dcamera dhardware:binder { call }; + + + +#avc: denied { call } for pid=2061 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1 +allow dcamera allocator_host:binder { call }; + +#avc: denied { use } for pid=2033 comm="dcamera" path="/dmabuf:" dev="dmabuf" ino=29931 ioctlcmd=0x6200 scontext=u:r:dcamera:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1 +allow dcamera allocator_host:fd { use }; + +#avc: denied { call } for pid=2483 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow dcamera foundation:binder { call }; + +#avc: denied { get } for service=hdf_device_manager pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +allow dcamera hdf_device_manager:hdf_devmgr_class { get }; + +#avc: denied { get } for service=distributed_camera_provider_service pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:hdf_distributed_camera_provider_service:s0 tclass=hdf_devmgr_class permissive=1 +allow dcamera hdf_distributed_camera_provider_service:hdf_devmgr_class { get }; + + +allow dcamera hdf_allocator_service:hdf_devmgr_class { get }; + +#avc: denied { call } for pid=2040 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2464 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow dcamera hdf_devmgr:binder { call transfer }; + +#avc: denied { call } for pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow dcamera media_service:binder { call transfer }; + +#avc: denied { read } for pid=3521 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:dcamera:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0 +allow dcamera accessibility_param:file { read open map }; + +#avc: denied { use } for pid=514 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=181 scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow dcamera media_service:fd { use }; + +#avc: denied { get } for service=3002 pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_media_service:samgr_class { get }; + +#avc: denied { get } for service=3901 pid=2042 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow dcamera sa_param_watcher:samgr_class { get }; + +#avc: denied { get } for service=4700 pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_softbus_service:samgr_class { get }; + +#avc: denied { add } for service=4803 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_source_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_dcamera_source_service:samgr_class { add get_remote }; + +#avc: denied { get_remote } for service=4804 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=1 +#avc: denied { add } for service=4804 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_dcamera_sink_service:samgr_class { add get_remote }; + +#avc: denied { get } for service=5100 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow dcamera sa_device_service_manager:samgr_class { get }; + +#avc: denied { get } for service=3008 pid=2475 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_camera_service:samgr_class { get }; + +#avc: denied { get } for service=401 pid=2490 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow dcamera sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=4607 pid=1562 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow dcamera sa_foundation_dms:samgr_class { get }; + +#avc: denied { get } for service=4606 pid=3551 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1 +allow dcamera sa_foundation_wms:samgr_class { get }; + +#avc: denied { read } for pid=2433 comm="THREAD_POOL" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { setopt } for pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { shutdown } for pid=2061 comm="THREAD_POOL" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { write } for pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dcamera softbus_server:tcp_socket { read setopt write shutdown }; + +#avc: denied { call } for pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2061 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow dcamera softbus_server:binder { call transfer }; + +#avc: denied { use } for pid=586 comm="THREAD_POOL" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1 +allow dcamera softbus_server:fd { use }; + +#avc: denied { read } for pid=4773 comm="dcamera" name="online" dev="sysfs" ino=29986 scontext=u:r:dcamera:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { open } for pid=4773 comm="dcamera" path"sys/devices/system/cpu/" name="online" dev="sysfs" ino=29986 scontext=u:r:dcamera:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow dcamera sysfs_devices_system_cpu:file { read open }; + +#avc: denied { read } for pid=2020 comm="sa_main" name="u:object_r:ohos_dev_param:s0" dev="tmpfs" ino=30 scontext=u:r:dcamera:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0 +allow dcamera ohos_dev_param:file { read }; + +#avc: denied { get } for service=3503 pid=2648 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { node_bind } for pid=2166 comm="Fillp_core_210" scontext=u:r:dcamera:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow dcamera node:udp_socket { node_bind }; +allow dcamera init:binder { call transfer }; +debug_only(` + allow dcamera sh:binder { call transfer }; +') + +#avc: denied { get } for service=4803 pid=560 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dcamera_source_service:s0 tclass=samgr_class permissive=0 +# avc: denied { get } for service=4804 pid=560 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=0 +allow hidumper_service sa_dcamera_source_service:samgr_class { get }; +allow hidumper_service sa_dcamera_sink_service:samgr_class { get }; + +#avc: denied { get } for service=4801 pid=2892 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=0 +allow dcamera sa_dhardware_service:samgr_class { get }; + +#avc: denied { search } for pid=3030 comm="sa_main" name="bin" dev="sdd72" ino=12 scontext=u:r:dcamera:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=1 +allow dcamera vendor_bin_file:dir { search }; + +#avc: denied { call } for pid=571 comm="msdp" scontext=u:r:dcamera:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow dcamera accesstoken_service:binder { call }; + +#avc: denied { get } for service=4802 pid=3227 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_foundation_devicemanager_service:samgr_class { get }; + +#avc: denied { call } for pid=2169 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=2712 comm="IPC_1_2732" scontext=u:r:dcamera:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow dcamera device_manager:binder { call transfer }; + +#avc: denied { get } for pid=1380 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:sa_av_codec_service:s0 tclass=samgr_class permissive=1 +allow dcamera sa_av_codec_service:samgr_class { get }; + +#avc: denied { call } for pid=6252 comm="SrcDevHandler" scontext=u:r:dcamera:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=4125 comm="ohos.dharfware." scontext=u:r:dcamera:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +allow dcamera av_codec_service:binder { call transfer }; + +#avc: denied { call } for pid=1544 comm="IPC_3_2014" scontext=u:r:foundation:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +#avc: denied { call } for pid=1453 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow foundation dcamera:binder { call transfer }; + +#avc: denied { call } for pid=1380 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1380 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1 +allow av_codec_service dhardware:binder { call transfer }; +allow av_codec_service dcamera:binder { call transfer }; + +allow dcamera sysfs_devices_system_cpu:file { read getattr }; +allow dcamera arkcompiler_param:file { map open read }; +allow dcamera ark_writeable_param:file { map open read }; + +allow dcamera av_codec_service:fd { use }; +allow dcamera_host chip_prod_file:dir { search }; + +#avc: denied { call transfer } for pid=4202 comm="DRPC_4_6734" scontext=u:r:dcamera:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=1; +#avc: denied { call transfer } for pid=3591 comm="dslm_service" scontext=u:r:dslm_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=1; +#avc: denied { call transfer } for pid=4202 comm="IPC_2_2923" scontext=u:r:camera_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1; +allow dcamera dslm_service:binder { call transfer }; +allow dslm_service dcamera:binder { call transfer }; +allow camera_service av_codec_service:binder { call transfer }; + +#avc: denied { write } for pid=5006 comm="sa_main" path="/dev/kmsg" dev = "tmpfs" ino=116 scontext=u:r:dcamera:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1; +#avc: denied { write } for pid=4861 comm="hdf_devhost" path="/dev/kmsg" dev = "tmpfs" ino=116 scontext=u:r:dcamera_host:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1; +#avc: denied { write } for pid=4861 comm="IPC_1_4881" name= dev = "tmpfs" ino=116 scontext=u:r:dcamera_host:s0 tcontext=u:r:chip_prod_file:s0 tclass=file permissive=1; +#avc: denied { get } for service=3511 pid=4213 scontext=u:r:dcamera:s0 tcontext=u:r:sa_device_security_level_manager_service:s0 tclass=samgr_class permissive=0; +allow dcamera dev_kmsg_file:chr_file { open write }; +allow dcamera_host dev_kmsg_file:chr_file { open write }; +allow dcamera_host chip_prod_file:file { open getattr write read }; +allow dcamera sa_device_security_level_manager_service:samgr_class{ get }; +allow accessibility sa_powermgr_powermgr_service:samgr_class { get }; + +allow dcamera dev_ashmem_file:chr_file { read open map }; +allow normal_hap sa_dhardware_service:samgr_class { get }; +allow normal_hap dhardware:binder { call }; + + +allow dcamera bootevent_param:file { map open read }; +allow dcamera bootevent_samgr_param:file { map open read }; +allow dcamera build_version_param:file { map open read }; +allow dcamera const_allow_mock_param:file { map open read }; +allow dcamera const_allow_param:file { map open read }; +allow dcamera const_build_param:file { map open read }; +allow dcamera const_display_brightness_param:file { map open read }; +allow dcamera const_param:file { map open read }; +allow dcamera const_postinstall_fstab_param:file { map open read }; +allow dcamera const_postinstall_param:file { map open read }; +allow dcamera const_product_param:file { map open read }; +allow dcamera dcamera_host:binder { transfer }; +allow dcamera debug_param:file { map open read }; +allow dcamera default_param:file { map open read }; +allow dcamera distributedsche_param:file { map open read }; +allow dcamera hilog_param:file { map open read }; +allow dcamera hw_sc_build_os_param:file { map open read }; +allow dcamera hw_sc_build_param:file { map open read }; +allow dcamera hw_sc_param:file { map open read }; +allow dcamera init_param:file { map open read }; +allow dcamera init_svc_param:file { map open read }; +allow dcamera input_pointer_device_param:file { map open read }; +allow dcamera net_param:file { map open read }; +allow dcamera net_tcp_param:file { map open read }; +allow dcamera ohos_boot_param:file { map open read }; +allow dcamera ohos_param:file { map open read }; +allow dcamera param_watcher:binder { call transfer }; +allow dcamera persist_param:file { map open read }; +allow dcamera persist_sys_param:file { map open read }; +allow dcamera security_param:file { map open read }; +allow dcamera startup_param:file { map open read }; +allow dcamera sys_param:file { map open read }; +allow dcamera system_bin_file:dir { search }; +allow dcamera sys_usb_param:file { map open read }; +allow dcamera tracefs:dir { search }; +allow dcamera tracefs_trace_marker_file:file { open write }; +allow dcamera sys_prod_file:dir { search }; +allow dcamera chip_prod_file:dir { search }; +allow dcamera data_data_file:dir { search write add_name search }; +allow dcamera data_data_file:file { create append open ioctl getattr }; +allow camera_service hdf_distributed_camera_provider_service:hdf_devmgr_class { get }; +allow dcamera_host render_service:binder { transfer }; +allow dcamera_host normal_hap_attr:binder { transfer }; +allow dcamera_host av_codec_service:binder { call transfer }; +allowxperm dcamera data_data_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/public/dhardware.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/public/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..56cebb7c86c3b394fd3ad8c0734d7ba0309f5a86 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/public/dhardware.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dhardware, sadomain, domain; +type sa_dhardware_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..b6a5f25f7dd66b44f4215aac272132391a895514 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_hardware_fwk/system/dhardware.te @@ -0,0 +1,206 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get_remote } for service=4801 pid=1966 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dhardware_service:samgr_class { get_remote }; + +#avc: denied { get } for service=4607 pid=1966 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow dhardware sa_foundation_dms:samgr_class { get }; + +#avc: denied { get } for service=4803 pid=1966 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dcamera_source_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dcamera_source_service:samgr_class { get }; + +#avc: denied { get } for service=4804 pid=1966 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dcamera_sink_service:samgr_class { get }; + +#avc: denied { get } for service=3901 pid=1881 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow dhardware sa_param_watcher:samgr_class { get }; + +#avc: denied { get } for service=1301 pid=1881 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_distributeddata_service:samgr_class { get }; + +#avc: denied { get } for service=4802 pid=1915 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_foundation_devicemanager_service:samgr_class { get }; + +#avc: denied { get } for service=4700 pid=1915 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_softbus_service:samgr_class { get }; + +#avc: denied { search } for pid=1966 comm="dhardware" name="socket" dev="tmpfs" ino=40 scontext=u:r:dhardware:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dhardware dev_unix_socket:dir { search }; + +#avc: denied { add } for service=4801 pid=2409 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dhardware_service:samgr_class { add }; + +#avc: denied { get } for service=4808 pid=2498 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dscreen_sink_service:samgr_class { get }; + +#avc: denied { get } for service=4807 pid=2498 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_dscreen_source_service:samgr_class { get }; + +#avc: denied { call } for pid=2315 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=1 +allow dhardware dcamera:binder { call }; + +#avc: denied { transfer } for pid=2315 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=1 +allow dhardware dcamera:binder { transfer }; + +#avc: denied { get } for service=3002 pid=2447 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_media_service:samgr_class { get }; + +#avc: denied { use } for pid=535 comm="THREAD_POOL" scontext=u:r:dhardware:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1 +allow dhardware softbus_server:fd { use }; + +#avc: denied { read write } for pid=535 comm="THREAD_POOL" scontext=u:r:dhardware:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { setopt } for pid=2338 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { shutdown } for pid=2343 comm="THREAD_POOL" scontext=u:r:dhardware:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dhardware softbus_server:tcp_socket { setopt read write shutdown }; + +#avc: denied { get } for service=3008 pid=2324 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_camera_service:samgr_class { get }; + +#avc: denied { call } for pid=2329 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2329 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +allow dhardware camera_service:binder { transfer call }; + +#avc: denied { getopt } for pid=2302 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:dhardware:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=2302 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:dhardware:s0 tclass=unix_dgram_socket permissive=1 +allow dhardware dhardware:unix_dgram_socket { setopt getopt }; + +#avc: denied { call } for pid=2343 comm="DHEventbusHandl" scontext=u:r:dhardware:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2225 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1 +allow dhardware distributeddata:binder { call transfer }; + +#avc: denied { call } for pid=2225 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2225 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow dhardware foundation:binder { call transfer }; + +#avc: denied { call } for pid=2154 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2154 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow dhardware media_service:binder { call transfer }; + +#avc: denied { read } for pid=2507 comm="sa_main" name="u:object_r:distributedsche_param:s0" dev="tmpfs" ino=57 scontext=u:r:dhardware:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2507 comm="sa_main" path="/dev/__parameters__/u:object_r:distributedsche_param:s0" dev="tmpfs" ino=57 scontext=u:r:dhardware:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive= +#avc: denied { map } for pid=2507 comm="sa_main" path="/dev/__parameters__/u:object_r:distributedsche_param:s0" dev="tmpfs" ino=57 scontext=u:r:dhardware:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=1 +allow dhardware distributedsche_param:file { read open map }; + +#avc: denied { get } for service=3503 pid=2451 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { search } for pid=2451 comm="dhardware" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow dhardware data_file:dir { search }; + +#avc: denied { search } for pid=2451 comm="dhardware" name="service" dev="mmcblk0p11" ino=1436161 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow dhardware data_service_file:dir { search }; + +#avc: denied { search } for pid=2451 comm="dhardware" name="el1" dev="mmcblk0p11" ino=1436165 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=2451 comm="dhardware" name="dtbhardware_manager_service" dev="mmcblk0p11" ino=1436923 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=2451 comm="dhardware" name="kvdb" scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { create } for pid=2451 comm="dhardware" name="kvdb" scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=2451 comm="dhardware" path="/data/xxx/kvdb" dev="mmcblk0p11" ino=1436925 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=2812 comm="dhardware" name="single_ver" dev="mmcblk0p11" ino=131322 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=2593 comm="dhardware" path="/data/xxx/single_ver" dev="mmcblk0p11" ino=784131 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { remove_name } for pid=2403 comm="dhardware" name="gen_natural_store.db-journal" dev="mmcblk0p11" ino=784138 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow dhardware data_service_el1_file:dir { search write add_name create getattr read open remove_name }; + +#avc: denied { create } for pid=2451 comm="dhardware" name="single_ver_db_incomplete.lock" scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { write open } for pid=2451 comm="dhardware" path="/data/xxx/single_ver_db_incomplete.lock" dev="mmcblk0p11" ino=1436928 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2451 comm="dhardware" path="/data/xxx/gen_natural_store.db" dev="mmcblk0p11" ino=1436932 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=2812 comm="dhardware" path="/data/xxx/gen_natural_store.db" dev="mmcblk0p11" ino=131327 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { ioctl } for pid=2593 comm="dhardware" path="/data/xxx/gen_natural_store.db" dev="mmcblk0p11" ino=784137 ioctlcmd=0xf50c scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { lock } for pid=2593 comm="dhardware" path="/data/xxx/gen_natural_store.db" dev="mmcblk0p11" ino=784137 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { unlink } for pid=2403 comm="dhardware" name="gen_natural_store.db-journal" dev="mmcblk0p11" ino=784138 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2403 comm="dhardware" path="/data/xxx//main/gen_natural_store.db-shm" dev="mmcblk0p11" ino=784139 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=2455 comm="dhardware" name="gen_natural_store.db" dev="mmcblk0p11" ino=1175817 scontext=u:r:dhardware:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow dhardware data_service_el1_file:file { create write open read getattr ioctl lock unlink map setattr }; + +#avc: denied { call } for pid=2451 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow dhardware accesstoken_service:binder { call }; +debug_only(` + #avc: denied { call } for pid=2003 comm="dhardware" scontext=u:r:dhardware:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 + allow dhardware sh:binder { call }; +') + + +#avc: denied { search } for pid=2694 comm="dhardware" name="etc" dev="mmcblk0p7" ino=19 scontext=u:r:dhardware:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow dhardware vendor_etc_file:dir { search }; + +#avc: denied { read } for pid=2490 comm="dhardware" name="distributed_hardware_components_cfg.json" dev="mmcblk0p7" ino=96 scontext=u:r:dhardware:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2490 comm="dhardware" path="/vendor/etc/distributedhardware/distributed_hardware_components_cfg.json" dev="mmcblk0p7" ino=96 scontext=u:r:dhardware:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +allow dhardware vendor_etc_file:file { read open }; + +#avc: denied { read } for pid=2128 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=52 scontext=u:r:dhardware:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2128 comm="sa_main" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=52 scontext=u:r:dhardware:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2128 comm="sa_main" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=52 scontext=u:r:dhardware:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow dhardware accessibility_param:file { read open map }; + +#avc: denied { get } for service=4801 pid=551 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_dhardware_service:samgr_class { get }; + +#avc: denied { search } for pid=2662 comm="sa_main" name="bin" dev="sdd72" ino=12 scontext=u:r:dcamera:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=0 +allow dhardware vendor_bin_file:dir { search }; + +#avc: denied { get } for service=5100 pid=2376 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow dhardware sa_device_service_manager:samgr_class { get }; + +#avc: denied { get } for service=codec_hdi_omx_service pid=1690 scontext=u:r:dhardware:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class permissive=1 +allow dhardware hdf_codec_hdi_omx_service:hdf_devmgr_class { get }; + +#avc: denied { read } for pid=2292 comm="dhardware" name="online" dev="sysfs" ino=4917 scontext=u:r:dhardware:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2954 comm="dhardware" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:dhardware:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=2954 comm="dhardware" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:dhardware:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow dhardware sysfs_devices_system_cpu:file { read open getattr }; + +#avc: denied { read } for pid=2292 comm="SendOnLine" name="histreamer_plugins" dev="mmcblk0p7" ino=2372 scontext=u:r:dhardware:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=2954 comm="SendOnLine" path="/system/lib/media/histreamer_plugins" dev="mmcblk0p7" ino=2372 scontext=u:r:dhardware:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +allow dhardware system_lib_file:dir { read open }; + +#avc: denied { call } for pid=2954 comm="SendOnLine" scontext=u:r:dhardware:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow dhardware hdf_devmgr:binder { call }; + +#avc: denied { search } for pid=239 comm="IPC_3_485" name="2954" dev="proc" ino=33347 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:dhardware:s0 tclass=dir permissive=1 +allow hdf_devmgr dhardware:dir { search }; + +#avc: denied { read } for pid=254 comm="IPC_2_482" name="current" dev="proc" ino=34925 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:dhardware:s0 tclass=file permissive=1 +#avc: denied { open } for pid=254 comm="IPC_2_482" path="/proc/3100/attr/current" dev="proc" ino=34925 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:dhardware:s0 tclass=file permissive=1 +allow hdf_devmgr dhardware:file { read open }; + +#avc: denied { getattr } for pid=254 comm="IPC_2_482" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:dhardware:s0 tclass=process permissive=1 +allow hdf_devmgr dhardware:process { getattr }; + +#avc: denied { transfer } for pid=254 comm="IPC_2_482" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1 +allow hdf_devmgr dhardware:binder { transfer }; + +#avc: denied { call } for pid=3100 comm="SendOnLine" scontext=u:r:dhardware:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1 +allow dhardware codec_host:binder { call }; + +#avc: denied { get } for service=3011 pid=6484 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_av_codec_service:s0 tclass=samgr_class permissive=0 +#avc: denied { get } for service=3011 pid=6484 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_av_codec_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_av_codec_service:samgr_class { get }; + +#avc: denied { call } for pid=4347 comm="SendOnLine" scontext=u:r:dhardware:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +#avc: denied { call } for pid=4445 comm="SendOnLine" scontext=u:r:dhardware:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=4445 comm="SendOnLine" scontext=u:r:dhardware:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +allow dhardware av_codec_service:binder { call transfer }; + + +allow dhardware sa_foundation_abilityms:samgr_class{ get }; +allow dhardware dev_kmsg_file:chr_file{ open write }; + +allow dhardware sa_foundation_wms:samgr_class { get }; + +allow dhardware paramservice_socket:sock_file { write }; + +binder_call(dhardware, powermgr); + +#avc: denied { get } for service=3301 pid=4564 scontext=u:r:dhardware:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow dhardware sa_powermgr_powermgr_service:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/public/dinput.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/public/dinput.te new file mode 100644 index 0000000000000000000000000000000000000000..bef112fbf50744bcc5cc702f1fdba63d43154710 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/public/dinput.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dinput, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..17acff0842ba788b1f83cf025d72f08649fc44ec --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn data_misc:dir { mounton }; + diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dhardware.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dhardware.te new file mode 100644 index 0000000000000000000000000000000000000000..41ae7462fc131168e6ef459aa59f92205a12b1a6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dhardware.te @@ -0,0 +1,43 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dhardware dinput:binder { call transfer }; + +allow dhardware sa_distributed_hardware_input_source_service:samgr_class { get }; + +allow dhardware sa_distributed_hardware_input_sink_service:samgr_class { get }; + +allow dhardware dev_input_file:dir { open read setattr getattr watch search }; + +allow dhardware dev_console_file:chr_file { open read write getattr setattr }; + +allow dhardware dev_input_file:chr_file { open read write getattr setattr }; + +allow dhardware dev_file:dir { getattr setattr }; + +allow dhardware resource_schedule_service:binder { call }; + +allow dhardware sa_resource_schedule:samgr_class { get }; + +allow dhardware musl_param:file { open read map }; + +allow dhardware vendor_etc_file:file { getattr }; + +allow dhardware sa_audio_policy_service:samgr_class { get }; + +allow dhardware arkcompiler_param:file { read map open }; + +allow dhardware ark_writeable_param:file { read map open }; + +allow dhardware dev_input_file:chr_file { ioctl }; +allowxperm dhardware dev_input_file:chr_file ioctl { 0x450a 0x456f 0x4577 0x4501 0x4502 0x4503 0x4506 0x4507 0x4508 0x4509 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4578 0x4579 0x457a 0x45a0 0x455a 0x455b 0x4560}; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dinput.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dinput.te new file mode 100644 index 0000000000000000000000000000000000000000..4b1c7d0243599be4e17cb69e84788d268c72c73d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/dinput.te @@ -0,0 +1,110 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dinput dhardware:binder { call transfer }; + +allow dinput dinput:unix_dgram_socket { getopt setopt }; + +allow dinput dev_unix_socket:dir { search }; + +allow dinput dev_uinput:chr_file { open write ioctl }; + +allow dinput sa_param_watcher:samgr_class { get }; + +allow dinput sa_foundation_dms:samgr_class { get }; + +allow dinput hilog_param:file { open read map }; + +allow dinput proc_file:file { open read }; + +allow dinput softbus_server:binder { call transfer }; + +allow dinput softbus_server:fd { use }; + +allow dinput softbus_server:tcp_socket { read write }; + +allow dinput softbus_server:tcp_socket { setopt shutdown }; + +allow dinput multimodalinput:binder { call }; + +allow dinput sa_softbus_service:samgr_class { get }; + +allow dinput sa_distributed_hardware_input_sink_service:samgr_class { add get get_remote }; + +allow dinput sa_distributed_hardware_input_source_service:samgr_class { add get get_remote }; + +allow dinput sa_dhardware_service:samgr_class { get }; + +allow dinput sa_accesstoken_manager_service:samgr_class { get }; + +allow dinput tracefs:dir { search }; + +allow dinput accesstoken_service:binder { call }; + +allow dinput musl_param:file { open read map }; + +allow dinput foundation:binder { call }; + +allow dinput system_bin_file:dir { search }; + +allow dinput dev_input_file:dir { open read watch search }; + +allow dinput debug_param:file { open read map }; + +allow foundation data_app_el1_file:file { map }; + +allow dinput param_watcher:binder { call transfer }; + +allow dinput dev_input_file:chr_file { open read write setattr getattr }; + +allow dinput dev_input_file:chr_file { ioctl }; +allowxperm dinput dev_input_file:chr_file ioctl { 0x4501 0x4502 0x4503 0x4506 0x4507 0x4508 0x4509 0x450a 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4577 0x4578 0x4579 0x457a 0x45a0 0x455a 0x455b 0x4560 0x4569 0x456a 0x456b 0x456f }; + +allow dinput dev_input_file:dir { setattr getattr }; + +allow dinput vendor_etc_file:dir { search }; + +allow dinput vendor_etc_file:file { open read getattr }; + +allow dinput sa_dscreen_sink_service:samgr_class { get }; + +allow dinput sa_dscreen_source_service:samgr_class { get }; + +allow dinput dscreen:binder { call }; + +allow dinput vendor_bin_file:dir { search }; + +allow dinput msdp_sa:binder { call transfer }; + +allow dinput dev_console_file:chr_file { read write }; + +allow dinput sysfs_devices_system_cpu:file { open read getattr }; + +allow dinput dev_file:dir { getattr }; + +allow dinput tracefs_trace_marker_file:file { open write }; + +allow dinput sa_foundation_wms:samgr_class { get }; + +allow dinput persist_sys_param:file { read open map }; + +allow dinput arkcompiler_param:file { read open map }; + +allow dinput ark_writeable_param:file { read open map }; + +allow dinput sys_prod_file:dir { search }; + +allow dinput chip_prod_file:dir { search }; + +allow foundation dinput:binder { transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fc18804243d882a0b98c89d58a12167977b21e2d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/hidumper_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service sa_distributed_hardware_input_source_service:samgr_class { get }; + +allow hidumper_service sa_distributed_hardware_input_sink_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/init.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..b09b404d6158af5a5cd2d46863105a26f3219b0b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init dinput:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/msdp_sa.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..ec2efaf43099d78e49a0d59ffb5c96e09c6e5b22 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/msdp_sa.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow msdp_sa dinput:binder { call transfer }; + +allow msdp_sa sa_softbus_service:samgr_class { get }; + +allow msdp_sa softbus_server:binder { call transfer }; + +allow msdp_sa device_manager:binder { call transfer }; + +allow msdp_sa sa_foundation_devicemanager_service:samgr_class { get }; + +allow msdp_sa vendor_etc_file:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..d9134b9130d88562149b48830402ceea36fcca02 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/multimodalinput.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput dinput:binder { call }; + +allow multimodalinput dinput:binder { transfer }; + +#avc: denied { get } for service=401 pid=256 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow multimodalinput sa_foundation_bms:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..9130e3d99a53f32985087374ef4e7477a0252492 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher dinput:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..8b4a4b8bed64a226d2b6e6b95648c61fbfbbf898 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_input/system/softbus_server.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server dinput:binder { call transfer }; + +allow softbus_server msdp_sa:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/public/type.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..f1134ecbd89389765919c01b852227b34f033f3d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dscreen, sadomain, domain; +type sa_dscreen_source_service, sa_service_attr; +type sa_dscreen_sink_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/codec_host.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/codec_host.te new file mode 100644 index 0000000000000000000000000000000000000000..a9e49b59149ac4ef1e5deabce636ea7a90235c9f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/codec_host.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow codec_host dscreen:binder { call transfer }; +allow codec_host dscreen:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/dscreen.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/dscreen.te new file mode 100644 index 0000000000000000000000000000000000000000..9e75abc4f5b6f4971787ef119918a7a7e11bbc9f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/dscreen.te @@ -0,0 +1,249 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3002 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_media_service:samgr_class { get }; + +#avc: denied { get } for service=4700 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_softbus_service:samgr_class { get }; + +#avc: denied { get } for service=3901 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow dscreen sa_param_watcher:samgr_class { get }; + +#avc: denied { call } for pid=2025 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow dscreen softbus_server:binder { call }; + +#avc: denied { call } for pid=686 comm="THREAD_POOL" scontext=u:r:softbus_server:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=1 +allow dscreen dscreen:binder { call }; + +#avc: denied { use } for pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1 +allow dscreen softbus_server:fd { use }; + +#avc: denied { read write } for pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dscreen softbus_server:tcp_socket { read write }; + +#avc: denied { setopt } for pid=2025 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dscreen softbus_server:tcp_socket { setopt }; + +#avc: denied { search } for pid=2117 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dscreen dev_unix_socket:dir { search }; + +#avc: denied { call } for pid=2117 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow dscreen foundation:binder { call transfer }; + +#avc: denied { get_remote } for service=4808 pid=2117 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1 +#avc: denied { add } for service=4808 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_dscreen_sink_service:samgr_class { get_remote add get }; + +#avc: denied { search } for pid=1925 comm="dscreen" name="/" dev="tracefs" ino=1 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow dscreen tracefs:dir { search }; + +#avc: denied { write } for pid=1925 comm="dscreen" name="trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1925 comm="dscreen" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow dscreen tracefs_trace_marker_file:file { write open }; + +#avc: denied { search } for pid=1925 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dscreen dev_unix_socket:dir { search }; + +#avc: denied { search } for pid=1925 comm="dscreen" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dscreen:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow dscreen data_file:dir { search }; + +#avc: denied { call } for pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2381 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow dscreen media_service:binder { call transfer }; + +#avc: denied { use } for pid=674 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=179 scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow dscreen media_service:fd { use }; + +#avc: denied { read } for pid=1978 comm="Fillp_core_31" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +#avc: denied { write } for pid=1978 comm="Fillp_core_31" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +allow dscreen dscreen:udp_socket { read write }; + +#avc: denied { add } for service=4807 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1 +#avc: denied { get_remote } for service=4807 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_dscreen_source_service:samgr_class { add get_remote get }; + +#avc: denied { get } for service=4607 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow dscreen sa_foundation_dms:samgr_class { get }; + +#avc: denied { search } for pid=2127 comm="dscreen" name="usr" dev="mmcblk0p6" ino=2492 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +allow dscreen system_usr_file:dir { search }; + +#avc: denied { getattr } for pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2127 comm="dscreen" name="supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2127 comm="dscreen" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2494 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +allow dscreen system_usr_file:file { getattr read open map }; + +#avc: denied { transfer } for pid=2127 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow dscreen softbus_server:binder { transfer }; + +#avc: denied { create } for pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +#avc: denied { setopt } for pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +#avc: denied { bind } for pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +#avc: denied { getattr } for pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +allow dscreen dscreen:udp_socket { create setopt bind getattr}; + +#avc: denied { node_bind } for pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow dscreen node:udp_socket { node_bind }; + +#avc: denied { create } for pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1 +#avc: denied { write } for pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1 +allow dscreen dscreen:netlink_route_socket { create write }; + +#avc: denied { shutdown } for pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dscreen softbus_server:tcp_socket { shutdown }; + +#avc: denied { call } for pid=2325 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 +allow dscreen render_service:binder { call transfer }; + +#avc: denied { shutdown } for pid=2325 comm="THREAD_POOL" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow dscreen softbus_server:tcp_socket { shutdown }; + +#avc: denied { get } for service=10 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_render_service:samgr_class { get }; + +#avc: denied { get } for service=4606 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1 +allow dscreen sa_foundation_wms:samgr_class { get }; + +#avc: denied { get } for service=3101 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow dscreen sa_multimodalinput_service:samgr_class { get }; + +#avc: denied { call } for pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow dscreen multimodalinput:binder { call }; + +#avc: denied { use } for pid=251 comm="multimodalinput" path="socket:[32377]" dev="sockfs" ino=32377 scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1 +allow dscreen multimodalinput:fd { use }; + +#avc: denied { nlmsg_read } for pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1 +#avc: denied { read } for pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1 +allow dscreen dscreen:netlink_route_socket { nlmsg_read nlmsg_readpriv read }; + +#avc: denied { connect } for pid=2417 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1 +allow dscreen dscreen:udp_socket { connect }; + +#avc: denied { read write } for pid=253 comm="multimodalinput" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow dscreen multimodalinput:unix_stream_socket { read write }; + +#avc: denied { getopt } for pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1 +allow dscreen dscreen:unix_dgram_socket { getopt setopt }; + +debug_only(` + #avc: denied { call } for pid=2552 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 + allow dscreen sh:binder { call transfer }; +') + +allow dscreen init:binder { call transfer }; + +#avc: denied { use } for scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=0 +allow dscreen render_service:fd { use }; + +#avc: denied { read write } for scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1 +allow dscreen render_service:unix_stream_socket { read write }; + +#avc: denied { get } for service=4801 pid=2892 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=0 +allow dscreen sa_dhardware_service:samgr_class { get }; + +#avc: denied { read } for pid=2824 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2839 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2839 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow dscreen accessibility_param:file { read open map }; + +#avc: denied { read } for pid=2021 scontext=u:r:dscreen:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0 +allow dscreen ohos_dev_param:file { read }; + +#avc: denied { read write } for pid=2573 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +allow dscreen dev_console_file:chr_file { read write }; + +#avc: denied { read } for pid=2692 ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2381 ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow dscreen musl_param:file { read open }; + +#avc: denied { search } for pid=3351 scontext=u:r:dscreen:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=0 +allow dscreen vendor_bin_file:dir { search }; + +#avc: denied { get } for service=allocator_service pid=3162 scontext=u:r:dscreen:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1 +allow dscreen hdf_allocator_service:hdf_devmgr_class { get }; + +#avc: denied { create } for pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +#avc: denied { bind } for pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +#avc: denied { read } for pid=2893 comm="dscreen" laddr=127.0.0.1 lport=7000 faddr=127.0.0.1 fport=44306 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +#avc: denied { listen } for pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +#avc: denied { setopt } for pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +#avc: denied { accept } for pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1 +allow dscreen dscreen:tcp_socket { create bind read listen setopt accept }; + +#avc: denied { name_bind } for pid=2893 comm="dscreen" src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1 +allow dscreen port:tcp_socket { name_bind }; + +#avc: denied { use } for pid=2893 comm="IPC_1_2900" path="/dmabuf:" dev="dmabuf" info=39534 ioctlcmd=0x6200 scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1 +allow dscreen allocator_host:fd { use }; + +#avc: denied { read } for pid=3041 comm="dscreen" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +allow dscreen proc_cpuinfo_file:file { read open getattr }; + +#avc: denied { get } for scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=0 +allow dscreen sa_device_service_manager:samgr_class { get }; + +#avc: denied { call } for pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow dscreen hdf_devmgr:binder { call }; + +#avc: denied { call } for pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1 +allow dscreen allocator_host:binder { call }; + +#avc: denied { read } for pid=2914 comm="IPC_1_2921" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +allow dscreen proc_cpuinfo_file:file { read open getattr }; + +#avc: denied { read } for pid=2876 comm="sa_main" name="online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow dscreen sysfs_devices_system_cpu:file { read open getattr }; + +#avc: denied { node_bind } for pid=2876 comm="IPC_1_2884" saddr=127.0.0.1 src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=tcp_socket permissive=1 +allow dscreen node:tcp_socket { node_bind }; + +allow dscreen system_lib_file:dir { open read }; +allow dscreen dev_ashmem_file:chr_file { open }; +allow dscreen dhardware:binder { transfer }; +allow dscreen hdf_codec_hdi_omx_service:hdf_devmgr_class { get }; +allow dscreen codec_host:binder { call transfer }; + +#avc: denied { get } for service=401 pid=1478 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow dscreen sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=3503 pid=1519 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=0 +allow dscreen sa_accesstoken_manager_service:samgr_class { get }; + +allow dscreen accesstoken_service:binder { call }; + +allow dscreen arkcompiler_param:file { map open read }; +allow dscreen av_codec_service:binder { call transfer }; +allow dscreen av_codec_service:fd { use }; +allow dscreen chip_prod_file:dir { search }; +allow dscreen codec_host:fd { use }; +allow dscreen dev_dri_file:chr_file { open read write }; +allowxperm dscreen dev_dri_file:chr_file ioctl { 0x641f }; +allow dscreen dev_dri_file:dir { search }; +allow dscreen dev_kmsg_file:chr_file { write }; +allow dscreen dev_kmsg_file:file { read }; +allow dscreen sa_av_codec_service:samgr_class { get }; +allow dscreen sys_prod_file:dir { search }; +allow dscreen sysfs_devices_system_cpu:file { read getattr }; +allow dscreen tty_device:chr_file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..6951b7de69bec348a4729d8ec63dd5a0605a2859 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedhardware/distributed_screen/system/hidumper_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=4807 pid=616 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive +allow hidumper_service sa_dscreen_source_service:samgr_class { get }; + +#avc: denied { get } for service=4808 pid=616 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=0 +allow hidumper_service sa_dscreen_sink_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/public/distributedsche.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/public/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..5ca8c93c017c52a68a41b2be2231dacc35467ba9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/public/distributedsche.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type distributedsche_param, parameter_attr; +type sa_foundation_continuation_manager_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..ab2071209a23e7105803b4cd7bebdaeeb04a2e34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr distributedsche:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/console.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..405d2c1224ba4c03dd478c3c34a998b448ccb93f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/console.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow console distributedsche_param:file { map open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..672377d9ea50d775dbd39c2a362ef7171f386279 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/distributedsche.te @@ -0,0 +1,122 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=1401 pid=406 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_1401_service:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_distributeschedule:samgr_class { add get_remote }; +allow distributedsche sa_distributeddata_service:samgr_class { get }; +allow distributedsche sa_softbus_service:samgr_class { get }; +allow distributedsche sa_param_watcher:samgr_class { get }; +allow distributedsche sa_accesstoken_manager_service:samgr_class { get }; +allow distributedsche sa_foundation_bms:samgr_class { get }; +allow distributedsche sa_accountmgr:samgr_class { get }; +allow distributedsche sa_foundation_abilityms:samgr_class { get }; +allow distributedsche sa_foundation_appms:samgr_class { get }; +allow distributedsche accessibility_param:file { map open read }; +allow distributedsche accesstoken_service:binder { call }; +allow distributedsche accountmgr:binder { call }; +allow distributedsche data_file:dir { search }; +allow distributedsche data_service_file:dir { search }; +allow distributedsche data_service_el1_file:dir { add_name open read search write getattr create remove_name rmdir }; +allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink rename}; +allow distributedsche deviceauth_service:binder { call }; +allow distributedsche device_manager:binder { transfer }; +allow distributedsche dev_ashmem_file:chr_file { open }; +allow distributedsche dev_unix_socket:dir { search }; +allow distributedsche distributeddata:binder { call transfer }; +allow distributedsche distributedsche_param:parameter_service { set }; +allow distributedsche distributedsche:binder { call }; +allow distributedsche distributedsche:unix_dgram_socket { getopt setopt }; +allow distributedsche foundation:binder { call transfer }; +allow distributedsche foundation:fd { use }; +allow distributedsche kernel:unix_stream_socket { connectto }; +allow distributedsche normal_hap_attr:binder { call transfer }; +allow distributedsche system_basic_hap_attr:binder { call transfer }; +allow distributedsche system_core_hap_attr:binder { call transfer }; +allow distributedsche paramservice_socket:sock_file { write }; +allow distributedsche proc_cpuinfo_file:file { open read }; +allow distributedsche proc_file:file { open read }; +allow distributedsche softbus_server:binder { call transfer }; +allow distributedsche softbus_server:fd { use }; +allow distributedsche softbus_server:tcp_socket { read setopt shutdown write }; +allow distributedsche sa_device_security_level_manager_service:samgr_class { get }; +allow distributedsche dslm_service:binder { call transfer }; +allow distributedsche dev_console_file:chr_file { read write }; +allow distributedsche sa_foundation_wms:samgr_class { get }; + +allow distributedsche sa_foundation_devicemanager_service:samgr_class { get }; +allow distributedsche devinfo_private_param:file { map open read}; +allow distributedsche sa_form_mgr_service:samgr_class { get }; + +debug_only(` + allow distributedsche sh:binder { call }; +') + +#avc: denied { get } for service=1903 pid=469 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_bgtaskmgr:samgr_class { get }; +#avc: denied { get } for service=1909 pid=560 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=0 +allow distributedsche sa_memory_manager_service:samgr_class { get }; +#avc: denied { call } for pid=479 comm="DmsComponentCha" scontext=u:r:distributedsche:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=0 +allow distributedsche memmgrservice:binder { call }; +#avc: denied { get } for service=402 pid=3055 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_distributed_bundle_mgr_service_service:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_distributed_bundle_mgr_service_service:samgr_class { get }; +#avc: denied { call } for pid=479 comm="continue_manage" scontext=u:r:distributedsche:s0 tcontext=u:r:d-bms:s0 tclass=binder permissive=0 +allow distributedsche d-bms:binder { call }; +#avc: denied { get } for service=4606 pid=2716 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_foundation_wms:samgr_class { get }; +#avc: denied { get } for service=3299 pid=3829 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow distributedsche sa_foundation_cesfwk_service:samgr_class { get }; +#avc: denied { read } for pid=2255 comm="distributedsche" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=148 scontext=u:r:distributedsche:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +allow distributedsche arkcompiler_param:file { read map open }; +allow distributedsche ark_writeable_param:file { read map open }; +#avc: denied { read } for pid=2255 comm="distributedsche" name="online" dev="sysfs" ino=27676 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow distributedsche sysfs_devices_system_cpu:file { read }; +#avc: denied { setattr } for pid=2255 comm="dmsDataStorageH" name="gen_natural_store.db" dev="sdd78" ino=60840 scontext=u:r:distributedsche:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow distributedsche data_service_el1_file:file { setattr }; +#avc: denied { use } for pid=2263 comm="IPC_1_2266" path="/dev/ashmem" dev="tmpfs" ino=612 scontext=u:r:distributedsche:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1 +allow distributedsche render_service:fd { use }; +#avc: denied { open } for pid=3435 comm="deviceprofile" path="/sys/devices/system/cpu/online" dev="sysfs" ino=30137 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow distributedsche sysfs_devices_system_cpu:file { open }; +#avc: denied { read } for pid=4101 comm="mmi_EventHdr" scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow distributedsche multimodalinput:unix_stream_socket { read }; +#avc: denied { get } for service=3101 pid=3284 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_multimodalinput_service:samgr_class { get }; +#avc: denied { use } for pid=761 comm="IPC_1_779" path="socket:[100099]" dev="sockfs" ino=100099 scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=0 +allow distributedsche multimodalinput:fd { use }; +#avc: denied { write } for pid=761 comm="multimodalinput" path="socket:[47027]" dev="sockfs" ino=47027 scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=0 +allow distributedsche multimodalinput:unix_stream_socket { write }; +#avc: denied { getattr } for pid=10752 comm="distributedsche" path="/sys/devices/system/cpu/online" dev="sysfs" ino=30409 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow distributedsche sysfs_devices_system_cpu:file { getattr }; +#avc: denied { write } for pid=10752 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:distributedsche:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0 +allow distributedsche dev_kmsg_file:chr_file { write }; +#avc: denied { read write } for pid=2684, comm="/system/bin/sa_main" path="/dev/tty0" dev="" ino=44 scontext=u:r:distributedsche:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow distributedsche tty_device:chr_file { read write }; +#avc: denied { use } for pid=1524, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:distributedsche:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1 +allow distributedsche distributeddata:fd { use }; +#avc: denied { call } for pid=4101, comm="/system/bin/sa_main" scontext=u:r:distributedsche:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow distributedsche wifi_manager_service:binder { call }; +#avc: denied { get } for service=1120 pid=4038 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_wifi_device_ability:s0 tclass=samgr_class permissive=1 +allow distributedsche sa_wifi_device_ability:samgr_class { get }; +#avc: denied { transfer } for pid=2414, comm="/system/bin/sa_main" scontext=u:r:wifi_manager_service:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1 +allow wifi_manager_service distributedsche:binder { transfer }; +#avc: denied { use } for pid=2445, comm="/system/bin/appspawn" scontext=u:r:distributedsche:s0 tcontext=u:r:filemanager_hap:s0 tclass=fd permissive=1 +allow distributedsche hap_domain:fd { use }; +#avc: denied { read write } for pid=4134, comm="IPC_3_4189" scontext=u:r:distributedsche:s0 tcontext=u:r:hmdfs:s0 tclass=file permissive=1 +allow distributedsche hmdfs:file { read write }; +#avc: denied { get } for service=1901 pid=5366 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0 +allow distributedsche sa_resource_schedule:samgr_class { get }; +#avc: denied { use } for pid=5776, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:distributedsche:s0 tcontext=u:r:accountmgr:s0 tclass=fd permissive=1 +allow distributedsche accountmgr:fd { use }; +#avc: denied { transfer } for pid=5776, comm="/system/bin/sa_main" scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow distributedsche multimodalinput:binder { transfer }; + +neverallow {domain -samgr -distributedsche} sa_distributeschedule:samgr_class { get_remote }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/dslm_service.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/dslm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b85af473c72eaf993c2106fa8ca49b24e297bd28 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/dslm_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dslm_service distributedsche:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..63e8f1dacd8811810685b15425b3e3e8a8c72c7e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/faultloggerd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd normal_hap_attr:process { signal }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/foundation.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..6f92a75a74807d3c69761092738a9fa288f0f649 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/foundation.te @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation dev_console_file:chr_file { read write }; +allow foundation distributedsche_param:parameter_service { set }; +allow foundation musl_param:file { open }; +allow foundation sa_foundation_continuation_manager_service:samgr_class { add }; + +#avc: denied { read open } for pid=551 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:distributedsche:s0 tclass=file permissive=1 +allow foundation distributedsche:file { read open }; +#avc: denied { search } for pid=551 comm="foundation" name="469" dev="proc" ino=17886 scontext=u:r:foundation:s0 tcontext=u:r:distributedsche:s0 tclass=dir permissive=1 +allow foundation distributedsche:dir { search }; +allow foundation normal_hap_attr:file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..a78d4d281971e41905dffc0634ca1bb29bb4521e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/hidumper_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service sa_foundation_continuation_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/init.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..079454d0d823a9e4580fd121679adf14d166b66d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init distributedsche:dir { search }; +allow init distributedsche:file { open read }; +allow init distributedsche:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f049b40279d51a536995e202a38a2c4fa297c308 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/normal_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=2349 comm="com.example.app" scontext=u:r:normal_hap:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow normal_hap_attr distributedsche:binder { call transfer }; +allow normal_hap_attr distributedsche:fd { use }; +allow normal_hap_attr sa_distributeschedule:samgr_class { get }; +allow normal_hap_attr sa_softbus_service:samgr_class { get }; +allow normal_hap_attr softbus_server:binder { call transfer }; +allow normal_hap_attr softbus_server:fd { use }; +allow normal_hap_attr softbus_server:tcp_socket { read setopt write }; +allow normal_hap_attr sa_foundation_continuation_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..fec5f1a2f2ba240f8da8e1967e178c1a06fcc672 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +distributedsched.continuationmanager. u:object_r:distributedsche_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/service_contexts b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5bb2e83f053ca8993c5d98ab780411e033e07423 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +1404 u:object_r:sa_foundation_continuation_manager_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..60ca5f55dcd031ddcef1c9cd10cacca7451c6cee --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/softbus_server.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server distributedsche:binder { call transfer }; +allow softbus_server normal_hap_attr:binder { call }; +allow softbus_server sa_privacy_service:samgr_class { get }; +debug_only(` + allow softbus_server listen_test:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d6bd8dd4822d192b53fd50de73d443ba8f0fb664 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_basic_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr distributedsche:binder { call transfer }; +allow system_basic_hap_attr distributedsche:fd { use }; +allow system_basic_hap_attr sa_distributeschedule:samgr_class { get }; +allow system_basic_hap_attr sa_softbus_service:samgr_class { get }; +allow system_basic_hap_attr softbus_server:tcp_socket { read setopt write }; +allow system_basic_hap_attr sa_foundation_continuation_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..03c59c19a4dae2619ea89a116b50f8e692cb36ab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/distributedsche/system/system_core_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr distributedsche:binder { call transfer }; +allow system_core_hap_attr distributedsche:fd { use }; +allow system_core_hap_attr sa_distributeschedule:samgr_class { get }; +allow system_core_hap_attr sa_softbus_service:samgr_class { get }; +allow system_core_hap_attr softbus_server:tcp_socket { read setopt write }; +allow system_core_hap_attr sa_foundation_continuation_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/safwk/public/sa_main.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/safwk/public/sa_main.te new file mode 100644 index 0000000000000000000000000000000000000000..5a19dadb6eaa7e3befa9984ac5e5b6a277b63327 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/safwk/public/sa_main.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type samain_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/public/samgr.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/public/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..eb8f7643c4d404c948bb2d1d7140b71cca290b6d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/public/samgr.te @@ -0,0 +1,18 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type samgr_exec, exec_attr, file_attr, system_file_attr; + +type bootevent_samgr_param, parameter_attr; +type samgr_perf_param, parameter_attr; +type samgr_writable_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/file_contexts b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..25aeaa2a6cec75cff52c0ff1d862ac23dbd392ed --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/samgr u:object_r:samain_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/foundation.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..3fde96044b400fee71d1a277624512224de89991 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/foundation.te @@ -0,0 +1,60 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation appspawn:unix_stream_socket { connectto }; +allow foundation appspawn_socket:sock_file { write }; +allow foundation configfs:dir { open read search }; +allow foundation data_app_el1_file:dir { search }; +allow foundation data_app_el1_file:file { getattr read }; +allow foundation data_app_file:dir { search }; +allow foundation data_service_el1_file:dir { add_name open read search write }; +allow foundation data_service_el1_file:file { create getattr ioctl open read write }; +allow foundation data_service_file:dir { search }; +allow foundation data_storage:dir { search }; +allow foundation data_system_ce:dir { add_name search write }; +allow foundation data_system_ce:file { create getattr ioctl lock map open read write }; +allow foundation dev_mali:chr_file { ioctl map read write }; +allow foundation deviceauth_service:binder { call }; +allow foundation distributeddata:binder { call transfer }; +allow foundation distributedsche:binder { call transfer }; +allow foundation distributedsche:fd { use }; +allow foundation dscreen:binder { call transfer }; +allow foundation edm_sa:binder { call }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation hdf_devmgr:binder { call transfer }; +allow foundation hiview:binder { transfer }; +allow foundation inputmethod_service:binder { call }; +allow foundation msdp_sa:binder { call transfer }; +allow foundation multimodalinput:fd { use }; +allow foundation multimodalinput:unix_stream_socket { read }; +allow foundation normal_hap_attr:file { getattr read }; +allow foundation normal_hap_attr:process { sigkill }; +allow foundation ohos_param:parameter_service { set }; +allow foundation param_watcher:binder { call transfer }; +allow foundation power_host:binder { call transfer }; +allow foundation sa_distributeschedule:samgr_class { get }; +allow foundation softbus_server:binder { call }; +allow foundation storage_manager:binder { call }; +allow foundation sys_file:dir { open read }; +allow foundation sys_file:file { open read }; +allow foundation system_basic_hap_attr:dir { search }; +allow foundation system_basic_hap_attr:file { getattr read }; +allow foundation system_file:dir { getattr open read }; +allow foundation system_file:file { getattr open read }; +allow foundation telephony_sa:binder { call transfer }; +allow foundation tracefs:dir { search }; +allow foundation tracefs_trace_marker_file:file { open write }; +allow foundation vendor_file:file { execute getattr map open read }; +allow foundation vendor_etc_file:dir { search }; +allow foundation vendor_etc_file:file { getattr open read }; +allow foundation work_scheduler_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/init.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..7fcfac78ee29491f89a73685bfd52be953c459cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/init.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init samgr_perf_param:file { map open read relabelto }; +allow init samgr_writable_param:file { map open read relabelto }; +allow init data_samgr:dir { getattr open read relabelto search setattr add_name create write }; +debug_only(` + allow init listen_test:process { transition rlimitinh siginh }; +') diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/listen_test.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/listen_test.te new file mode 100644 index 0000000000000000000000000000000000000000..562a3335a42f21659b1b31602390946ec3e793e8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/listen_test.te @@ -0,0 +1,52 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#selinux for tdd +debug_only(` + type listen_test, sadomain, domain; + allow listen_test system_bin_file:dir { search }; + allow listen_test ohos_param:file { read open }; + allow listen_test dev_unix_socket:dir { search }; + allow listen_test ohos_param:file {read open map}; + allow listen_test ohos_boot_param:file {read open map}; + allow listen_test sys_param:file {read open map}; + allow listen_test sys_usb_param:file { read open map }; + allow listen_test sa_softbus_service:samgr_class { get }; + allow listen_test softbus_server:binder { call transfer }; + allow listen_test softbus_server:fd { use }; + allow listen_test softbus_server:tcp_socket { read write }; + allow listen_test softbus_server:tcp_socket { setopt }; + allow listen_test softbus_server:tcp_socket { shutdown }; + allow listen_test net_param:file { read open map }; + allow listen_test net_tcp_param:file { read open map }; + allow listen_test hw_sc_param:file { read open map }; + allow listen_test hw_sc_build_param:file { read open map }; + allow listen_test hw_sc_build_os_param:file { read open map }; + allow listen_test init_param:file { read open map }; + allow listen_test init_svc_param:file { read open map}; + allow listen_test const_param:file { read open map }; + allow listen_test const_postinstall_param:file { read open map }; + allow listen_test const_postinstall_fstab_param:file { read open map }; + allow listen_test const_allow_param:file { read open map }; + allow listen_test const_allow_mock_param:file { read open map }; + allow listen_test const_build_param:file { read open map }; + allow listen_test const_product_param:file { read open map }; + allow listen_test hilog_param:file { read open map }; + allow listen_test persist_param:file { read open map }; + allow listen_test sa_distributed_sched_test_listen:samgr_class { add get }; + allow listen_test sa_distributed_sched_test_media:samgr_class { add get }; + allow listen_test sa_distributed_sched_test_ondemand:samgr_class { add get }; + allow listen_test sa_distributed_sched_test_tt:samgr_class { add get }; + allow listen_test sa_distributed_sched_test_connection:samgr_class { add get }; + allow listen_test sa_distributed_sched_test_incomplete:samgr_class { add get }; +') diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a119474ab1329d5025564b12af0ddd7745dc3e6f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/parameter_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.samgr.perf.ondemand u:object_r:samgr_perf_param:s0 +persist.samgr.cache.sa u:object_r:samgr_writable_param:s0 +persist.samgr.moduleupdate. u:object_r:samgr_writable_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/sadomain.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/sadomain.te new file mode 100644 index 0000000000000000000000000000000000000000..edded124a220d11fdd4421e39978d728548c67cc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/sadomain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sadomain sa_accesstoken_manager_service:samgr_class { get }; +allow sadomain accesstoken_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..869bbc6de291b8b8621b2aba5dd55a40bf94504d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr.te @@ -0,0 +1,108 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(samgr); + +allow samgr sadomain:binder { call transfer }; +allow samgr sadomain:dir { search }; +allow samgr sadomain:file { open read }; +allow samgr sadomain:process { getattr }; + +allow samgr hdfdomain:binder { transfer }; +allow samgr hdfdomain:dir { search }; +allow samgr hdfdomain:file { open read }; +allow samgr hdfdomain:process { getattr }; + +debug_only(` + allow samgr sh:dir { search }; + allow samgr sh:file { open read }; + allow samgr sh:process { getattr }; + allow samgr sh:binder { call transfer }; +') + +allow samgr bootevent_samgr_param:parameter_service { set }; + +allow samgr data_file:dir { search }; + +allow samgr dev_binder_file:chr_file { ioctl }; + +allow samgr dev_unix_socket:dir { search }; + +allow samgr dslm_service:file { getattr open read }; + +allow samgr kernel:unix_stream_socket { connectto }; + +allow samgr normal_hap_attr:binder { call }; +allow samgr normal_hap_attr:dir { search }; +allow samgr normal_hap_attr:file { open read }; +allow samgr normal_hap_attr:process { getattr }; +allow samgr ohos_param:parameter_service { set }; + +allow samgr paramservice_socket:sock_file { write }; + +allow samgr softbus_server:tcp_socket { read setopt shutdown write }; + +allow samgr samgr:binder { set_context_mgr }; +allow samgr samgr:unix_dgram_socket { getopt setopt }; + +allow samgr security:security { check_context compute_av }; + +allow samgr selinuxfs:dir { open read search }; +allow samgr selinuxfs:file { map open read write }; + +#avc: denied { use } for pid=677 comm="THREAD_POOL" path="socket:[36108]" dev="sockfs" ino=36108 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1 +#avc: denied { shutdown } for pid=246 comm="THREAD_POOL" laddr=192.168.43.222 lport=34003 faddr=192.168.43.64 fport=39734 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { shutdown } for pid=246 comm="samgr" laddr=192.168.43.222 lport=48160 faddr=192.168.43.64 fport=40605 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow samgr softbus_server:tcp_socket { read write setopt shutdown }; +allow samgr softbus_server:fd { use }; + +#avc: denied { get } for service=4700 pid=245 scontext=u:r:samgr:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow samgr sa_softbus_service:samgr_class { get }; + +allow samgr system_basic_hap_attr:binder { call }; +allow samgr system_basic_hap_attr:dir { search }; +allow samgr system_basic_hap_attr:file { open read }; +allow samgr system_basic_hap_attr:process { getattr }; + +allow samgr system_core_hap_attr:binder { call }; +allow samgr system_core_hap_attr:dir { search }; +allow samgr system_core_hap_attr:file { open read }; +allow samgr system_core_hap_attr:process { getattr }; + +allow samgr system_bin_file:dir { search }; + +allow samgr system_file:file { getattr map open read }; + +allow samgr system_profile_file:dir { open read }; + +#avc: denied { getopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1 +allow samgr samgr:unix_dgram_socket { getopt setopt }; + +#avc: denied { set } for parameter=bootevent.samgr.ready.true pid=254 uid=5555 gid=5555 scontext=u:r:samgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=parameter_service permissive=0 +allow samgr bootevent_param:parameter_service { set }; + +allowxperm samgr dev_binder_file:chr_file ioctl { 0x6207 }; + +allow samgr samgr_perf_param:file { map open read }; + +allow samgr samgr_writable_param:parameter_service { set }; + +allow domain samgr_writable_param:file { map open read }; + +allow samgr dev_binder_file:chr_file { ioctl }; + +allowxperm samgr dev_binder_file:chr_file ioctl { 0x620d }; + +#avc: denied { ioctl } for pid=265 comm="RefCountCollect" path="/dev/binder" dev="tmpfs" ino=38 ioctlcmd=0x620c scontext=u:r:samgr:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=0 +allowxperm samgr dev_binder_file:chr_file ioctl { 0x620c }; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_cache_param.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_cache_param.te new file mode 100644 index 0000000000000000000000000000000000000000..e846e9520c7fdda137e1434c3fa6295361cb3b74 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_cache_param.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr_writable_param tmpfs:filesystem associate; diff --git a/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_perf_param.te b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_perf_param.te new file mode 100644 index 0000000000000000000000000000000000000000..bcebc55e576033371e27ac8e2089a1f6d8152a51 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/distributedschedule/samgr/system/samgr_perf_param.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr_perf_param tmpfs:filesystem associate; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service.te new file mode 100644 index 0000000000000000000000000000000000000000..bcd48c5c85c44fa280c730482a802e722a6cf7cb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service.te @@ -0,0 +1,89 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type default_hdf_service, hdf_service_attr; +type hdf_usbd_service, hdf_service_attr; +type hdf_device_manager, hdf_service_attr; +type hdf_thermal_interface_service, hdf_service_attr; +type hdf_vibrator_interface_service, hdf_service_attr; +type hdf_distributed_camera_provider_service, hdf_service_attr; +type hdf_distributed_camera_service, hdf_service_attr; +type hdf_sensor_interface_service, hdf_service_attr; +type hdf_gnss_interface_service, hdf_service_attr; +type hdf_agnss_interface_service, hdf_service_attr; +type hdf_geofence_interface_service, hdf_service_attr; +type hdf_input_service, hdf_service_attr; +type hdf_codec_hdi_omx_service, hdf_service_attr; +type hdf_codec_component_manager_service, hdf_service_attr; +type hdf_codec_hdi_service, hdf_service_attr; +type hdf_codec_image_service, hdf_service_attr; +type hdf_battery_interface_service, hdf_service_attr; +type hdf_power_interface_service, hdf_service_attr; +type hdf_light_interface_service, hdf_service_attr; +type hdf_usbd, hdf_service_attr; +type hdf_usb_pnp_manager, hdf_service_attr; +type hdf_usbfn, hdf_service_attr; +type hdf_usbfn_cdcecm, hdf_service_attr; +type hdf_usbfn_cdcacm, hdf_service_attr; +type hdf_wlan_hal_service, hdf_service_attr; +type hdf_display_composer_service, hdf_service_attr; +type hdf_allocator_service, hdf_service_attr; +type hdf_camera_service, hdf_service_attr; +type hdf_camera_image_process_service, hdf_service_attr; +type hdf_camera_video_process_service, hdf_service_attr; +type hdf_clearplay_service, hdf_service_attr; +type hdf_face_auth_interface_service, hdf_service_attr; +type hdf_drm_service, hdf_service_attr; +type hdf_pin_auth_interface_service, hdf_service_attr; +type hdf_user_auth_interface_service, hdf_service_attr; +type hdf_fingerprint_auth_interface_service, hdf_service_attr; +type hdf_motion_interface_service, hdf_service_attr; +type hdf_activity_interface_service, hdf_service_attr; +type hdf_geofence_intf_service, hdf_service_attr; +type hdf_cellfence_interface_service, hdf_service_attr; +type hdf_cellbatching_interface_service, hdf_service_attr; +type hdf_wififence_interface_service, hdf_service_attr; + +type hdf_usb_interface_service, hdf_service_attr; +type hdf_usbfn_mtp_interface_service, hdf_service_attr; +type hdf_usb_ddk_service, hdf_service_attr; +type hdf_usb_pnp_sample_service, hdf_service_attr; +type hdf_usbhost_acm_pnp_service, hdf_service_attr; +type hdf_usbhost_acm_rawapi_service, hdf_service_attr; +type hdf_usbhost_ecm_pnp_service, hdf_service_attr; +type hdf_usbhost_acm_pnp_test_service, hdf_service_attr; +type hdf_sample_driver_service, hdf_service_attr; +type hdf_audio_bluetooth_hdi_service, hdf_service_attr; +type hdf_bluetooth_audio_session_service, hdf_service_attr; +type hdf_wlan_hal_c_service, hdf_service_attr; +type hdf_audio_hdi_pnp_service, hdf_service_attr; +type hdf_audio_manager_service, hdf_service_attr; +type hdf_effect_model_service, hdf_service_attr; +type hdf_hdi_media_layer_service, hdf_service_attr; +type hdf_wlan_interface_service, hdf_service_attr; +type hdf_partition_slot_service, hdf_service_attr; +type hdf_input_interfaces_service, hdf_service_attr; +type hdf_chip_interface_service, hdf_service_attr; +type hdf_wpa_interface_service, hdf_service_attr; +type hdf_hostapd_interface_service, hdf_service_attr; +type hdf_hid_ddk_service, hdf_service_attr; +type hdf_safe_location_interface_service, hdf_service_attr; + +# for testcase start +type hdf_sample_service, hdf_service_attr; +type hdf_sample1_driver_service, hdf_service_attr; +# for testcase end + +type hdf_intell_voice_engine_manager_service, hdf_service_attr; +type hdf_intell_voice_trigger_manager_service, hdf_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service_contexts b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..0795c0b0b772255adce8bfef628938858bf17999 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdf_service_contexts @@ -0,0 +1,93 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +hdf_device_manager u:object_r:hdf_device_manager:s0 +hci_interface_service u:object_r:hdf_hci_interface_service:s0 +thermal_interface_service u:object_r:hdf_thermal_interface_service:s0 +vibrator_interface_service u:object_r:hdf_vibrator_interface_service:s0 +distributed_camera_provider_service u:object_r:hdf_distributed_camera_provider_service:s0 +distributed_camera_service u:object_r:hdf_distributed_camera_service:s0 +sensor_interface_service u:object_r:hdf_sensor_interface_service:s0 +gnss_interface_service u:object_r:hdf_gnss_interface_service:s0 +agnss_interface_service u:object_r:hdf_agnss_interface_service:s0 +geofence_interface_service u:object_r:hdf_geofence_interface_service:s0 +input_service u:object_r:hdf_input_service:s0 +codec_hdi_omx_service u:object_r:hdf_codec_hdi_omx_service:s0 +codec_component_manager_service u:object_r:hdf_codec_component_manager_service:s0 +codec_hdi_service u:object_r:hdf_codec_hdi_service:s0 +codec_image_service u:object_r:hdf_codec_image_service:s0 +battery_interface_service u:object_r:hdf_battery_interface_service:s0 +power_interface_service u:object_r:hdf_power_interface_service:s0 +light_interface_service u:object_r:hdf_light_interface_service:s0 +usbd u:object_r:hdf_usbd:s0 +usb_pnp_manager u:object_r:hdf_usb_pnp_manager:s0 +usbfn u:object_r:hdf_usbfn:s0 +usbfn_cdcecm u:object_r:hdf_usbfn_cdcecm:s0 +usbfn_cdcacm u:object_r:hdf_usbfn_cdcacm:s0 +audio_hdi_service u:object_r:hdf_audio_hdi_service:s0 +audio_hdi_usb_service u:object_r:hdf_audio_hdi_usb_service:s0 +audio_hdi_a2dp_service u:object_r:hdf_audio_hdi_a2dp_service:s0 +audio_manager_service u:object_r:hdf_audio_manager_service:s0 +effect_model_service u:object_r:hdf_effect_model_service:s0 +wlan_hal_service u:object_r:hdf_wlan_hal_service:s0 +display_composer_service u:object_r:hdf_display_composer_service:s0 +camera_service u:object_r:hdf_camera_service:s0 +camera_image_process_service u:object_r:hdf_camera_image_process_service:s0 +camera_video_process_service u:object_r:hdf_camera_video_process_service:s0 +drm_service u:object_r:hdf_drm_service:s0 +clearplay_service u:object_r:hdf_clearplay_service:s0 +face_auth_interface_service u:object_r:hdf_face_auth_interface_service:s0 +pin_auth_interface_service u:object_r:hdf_pin_auth_interface_service:s0 +user_auth_interface_service u:object_r:hdf_user_auth_interface_service:s0 +input_interfaces_service u:object_r:hdf_input_interfaces_service:s0 +fingerprint_auth_interface_service u:object_r:hdf_fingerprint_auth_interface_service:s0 +motion_interface_service u:object_r:hdf_motion_interface_service:s0 +activity_interface_service u:object_r:hdf_activity_interface_service:s0 +cellular_radio_ext u:object_r:hdf_cellular_radio_ext:s0 +ril_service u:object_r:hdf_ril_service:s0 +geofence_intf_service u:object_r:hdf_geofence_intf_service:s0 +cellfence_interface_service u:object_r:hdf_cellfence_interface_service:s0 +cellbatching_interface_service u:object_r:hdf_cellbatching_interface_service:s0 +wififence_interface_service u:object_r:hdf_wififence_interface_service:s0 + +usb_pnp_sample_service u:object_r:hdf_usb_pnp_sample_service:s0 +usbhost_acm_pnp_service u:object_r:hdf_usbhost_acm_pnp_service:s0 +usbhost_acm_rawapi_service u:object_r:hdf_usbhost_acm_rawapi_service:s0 +usbhost_ecm_pnp_service u:object_r:hdf_usbhost_ecm_pnp_service:s0 +usbhost_acm_pnp_test_service u:object_r:hdf_usbhost_acm_pnp_test_service:s0 +sample_driver_service u:object_r:hdf_sample_driver_service:s0 +audio_bluetooth_hdi_service u:object_r:hdf_audio_bluetooth_hdi_service:s0 +bluetooth_audio_session_service u:object_r:hdf_bluetooth_audio_session_service:s0 +wlan_hal_c_service u:object_r:hdf_wlan_hal_c_service:s0 +audio_hdi_pnp_service u:object_r:hdf_audio_hdi_pnp_service:s0 +hdi_media_layer_service u:object_r:hdf_hdi_media_layer_service:s0 +allocator_service u:object_r:hdf_allocator_service:s0 +safe_location_interface_service u:object_r:hdf_safe_location_interface_service:s0 + +usb_interface_service u:object_r:hdf_usb_interface_service:s0 +usbfn_mtp_interface_service u:object_r:hdf_usbfn_mtp_interface_service:s0 +usb_ddk_service u:object_r:hdf_usb_ddk_service:s0 +partition_slot_service u:object_r:hdf_partition_slot_service:s0 +wlan_interface_service u:object_r:hdf_wlan_interface_service:s0 +wpa_interface_service u:object_r:hdf_wpa_interface_service:s0 +chip_interface_service u:object_r:hdf_chip_interface_service:s0 +hostapd_interface_service u:object_r:hdf_hostapd_interface_service:s0 +hid_ddk_service u:object_r:hdf_hid_ddk_service:s0 + +# for testcase start +sample_driver_service2 u:object_r:hdf_sample_service:s0 +sample1_driver_service u:object_r:hdf_sample1_driver_service:s0 +# for testcase end + +intell_voice_engine_manager_service u:object_r:hdf_intell_voice_engine_manager_service:s0 +intell_voice_trigger_manager_service u:object_r:hdf_intell_voice_trigger_manager_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdfdomain.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdfdomain.te new file mode 100644 index 0000000000000000000000000000000000000000..ccfbba9579d637e657316e074e8b379e8ab20edd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/hdfdomain.te @@ -0,0 +1,30 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute cap_violator_binder_hmc; + +allow hdfdomain vendor_bin_file:file { entrypoint execute map read }; + +#neverallow +# let every hdf_host join hdf_domain +neverallow { domain -hdfdomain -sadomain -init -hap_domain developer_only(`-input_isolate_debug_hap') -input_isolate_hap } hdf_devmgr:binder call; + +neverallow { domain -hdfdomain -sadomain -hap_domain -binder_call_hdfdomain_violators developer_only(`-input_isolate_debug_hap') -input_isolate_hap } hdfdomain:binder call; + +neverallow { hap_domain } { hdfdomain -allocator_host -violator_hdfdomain_binder_call -codec_host -usb_host -input_user_host -cap_violator_binder_hmc }:binder call; + +neverallow { input_isolate_debug_hap -input_isolate_hap } { hdfdomain -allocator_host }:binder call; + +neverallow hap_domain { hdf_service_attr -hdf_hid_ddk_service -hdf_usb_ddk_service debug_only(`-hdf_usb_interface_service') -hdf_allocator_service -hdf_codec_image_service -violator_hdf_devmgr_class_get -hdf_codec_component_manager_service -hdf_usbfn_mtp_interface_service -cap_violator_binder_hmc }:hdf_devmgr_class { get }; + +neverallow { hap_domain -medialibrary_hap } { hdf_usbfn_mtp_interface_service }:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/type.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..d80496f54a3f06671c6eb4c196e5d86f5a7bbffc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/public/type.te @@ -0,0 +1,46 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdf_devmgr, sadomain, domain; +type hdf_ext_devmgr, sadomain, domain; +type sa_hdf_ext_devmgr, sa_service_attr; + +type blue_host, hdfdomain, domain; +type a2dp_host, hdfdomain, domain; +type sample_host, hdfdomain, domain; +type light_host, hdfdomain, domain; +type dcamera_host, hdfdomain, domain; +type face_auth_host, hdfdomain, domain; +type pin_auth_host, hdfdomain, domain; +type user_auth_host, hdfdomain, domain; +type fingerprint_auth_host, hdfdomain, domain; +type partitionslot_host, hdfdomain, domain; +type codec_host, hdfdomain, domain; +type wifi_host, hdfdomain, domain; +type audio_host, hdfdomain, domain; +type camera_host, hdfdomain, domain; +type clearplay_host, hdfdomain, domain; +type input_user_host, hdfdomain, domain; +type motion_host, hdfdomain, domain; +type riladapter_host, hdfdomain, domain; +type sensor_host, hdfdomain, domain; +type usb_host, hdfdomain, domain; +type vibrator_host, hdfdomain, domain; +type power_host, hdfdomain, domain; +type location_host, hdfdomain, domain; + +type debugfs_usb, fs_attr, debugfs_attr; +type hdf_devmgr_exec, exec_attr, file_attr, system_file_attr; +type dev_hdf_kevent, dev_attr; +type dev_hdfwifi, dev_attr; +type intell_voice_host, hdfdomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e411734fb76556c13caa3420612f8d9d97d81da2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/sytem/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0 +/dev/hdf_kevent u:object_r:dev_hdf_kevent:s0 +/dev/hdfwifi u:object_r:dev_hdfwifi:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..edf980084c8695ff50c64926b3462de8dc56d26a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/hdf_devmgr.te @@ -0,0 +1,227 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +init_daemon_domain(hdf_devmgr); + +#avc: denied { entrypoint } for pid=235 comm="init" path="/vendor/bin/hdf_devmgr" dev="mmcblk0p6" ino=14 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:hdf_devmgr_exec:s0 tclass=file permissive=1 +allow hdf_devmgr hdf_devmgr_exec:file { entrypoint }; + +#avc: denied { call } for pid=242 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:power_host:s0 tclass=binder permissive=1 +allow hdf_devmgr power_host:binder call; + +#avc: denied { check_context } for pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1 +#avc: denied { compute_av } for pid=236 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1 +allow hdf_devmgr security:security { check_context compute_av }; + +#avc: denied { search } for pid=243 comm="hdf_devmgr" name="/" dev="selinuxfs" ino=1 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=1 +allow hdf_devmgr selinuxfs:dir { search }; + +#avc: denied { open } for pid=243 comm="hdf_devmgr" path="/sys/fs/selinux/context" dev="selinuxfs" ino=5 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 +#avc: denied { read write } for pid=243 comm="hdf_devmgr" name="context" dev="selinuxfs" ino=5 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 +allow hdf_devmgr selinuxfs:file { open read write }; + +#avc: denied { search } for pid=236 comm="hdf_devmgr" name="643" dev="proc" ino=683 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=dir permissive=1 +allow hdf_devmgr telephony_sa:dir { search }; + +#avc: denied { open } for pid=243 comm="hdf_devmgr" path="/proc/593/attr/current" dev="proc" ino=24187 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=file permissive=1 +#avc: denied { read } for pid=243 comm="hdf_devmgr" name="current" dev="proc" ino=24187 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=file permissive=1 +allow hdf_devmgr telephony_sa:file { open read }; + +#avc: denied { getattr } for pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=process permissive=1 +allow hdf_devmgr telephony_sa:process { getattr }; + +#avc: denied { ioctl } for pid=245 comm="hdf_devmgr" path="/dev/hdf_kevent" dev="tmpfs" ino=199 ioctlcmd=0x6201 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=245 comm="hdf_devmgr" path="/dev/hdf_kevent" dev="tmpfs" ino=199 ioctlcmd=0x6202 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=1 +allow hdf_devmgr dev_hdf_kevent:chr_file { ioctl }; +allowxperm hdf_devmgr dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 }; + +#avc: denied { create } for pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { setopt } for pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { bind } for pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { read } for pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow hdf_devmgr hdf_devmgr:netlink_kobject_uevent_socket { create bind setopt read }; +#avc: denied { ioctl } for pid=247 comm="IPC_5_569" path="/dev/dev_mgr" dev="tmpfs" ino=207 ioctlcmd=0x6201 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_mgr_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=251 comm="IPC_3_563" name="dev_mgr" dev="tmpfs" ino=207 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_mgr_file:s0 tclass=chr_file permissive=0 +allow hdf_devmgr dev_mgr_file:chr_file { getattr read write open ioctl }; +allowxperm hdf_devmgr dev_mgr_file:chr_file ioctl 0x6201; + +# for testcase start +#avc: denied { call } for pid=240 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=240 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=binder permissive=1 +#avc: denied { read } for pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=30596 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=file permissive=0 +#avc: denied { open } for pid=246 comm="hdf_devmgr" path="/proc/2127/attr/current" dev="proc" ino=30142 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=244 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=0 +#avc: denied { transfer } for pid=238 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=binder permissive=0 +#avc: denied { search } for pid=241 comm="hdf_devmgr" name="2029" dev="proc" ino=32820 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=dir permissive=1 +#avc: denied { transfer } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +#avc: denied { search } for pid=241 comm="hdf_devmgr" name="1998" dev="proc" ino=31745 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=file permissive=1 +#avc: denied { open } for pid=241 comm="hdf_devmgr" path="/proc/2125/attr/current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +allow hdf_devmgr sample_host:binder { call transfer }; +allow hdf_devmgr sample_host:file { read open }; +allow hdf_devmgr sample_host:process { getattr }; +allow hdf_devmgr sample_host:dir { search }; +debug_only(` + allow hdf_devmgr sh:binder { call transfer }; + allow hdf_devmgr sh:dir { search }; + allow hdf_devmgr sh:file { open read }; + allow hdf_devmgr sh:process { getattr }; +') +# for testcase end + +allow hdf_devmgr a2dp_host:binder { call transfer }; +allow hdf_devmgr a2dp_host:dir { search }; +allow hdf_devmgr a2dp_host:file { open read }; +allow hdf_devmgr a2dp_host:process { getattr }; +allow hdf_devmgr blue_host:binder { call transfer }; +allow hdf_devmgr blue_host:dir { search }; +allow hdf_devmgr blue_host:file { open read }; +allow hdf_devmgr blue_host:process { getattr }; +allow hdf_devmgr bluetooth_service:binder { transfer }; +allow hdf_devmgr bluetooth_service:dir { search }; +allow hdf_devmgr bluetooth_service:file { open read }; +allow hdf_devmgr bluetooth_service:process { getattr }; +allow hdf_devmgr bootevent_param:file { map open read }; +allow hdf_devmgr bootevent_samgr_param:file { map open read }; +allow hdf_devmgr build_version_param:file { map open read }; +allow hdf_devmgr camera_service:binder { call transfer }; +allow hdf_devmgr camera_service:dir { search }; +allow hdf_devmgr camera_service:file { open read }; +allow hdf_devmgr camera_service:process { getattr }; +allow hdf_devmgr drm_service:binder { call transfer }; +allow hdf_devmgr drm_service:dir { search }; +allow hdf_devmgr drm_service:file { open read }; +allow hdf_devmgr drm_service:process { getattr }; +allow hdf_devmgr const_allow_mock_param:file { map open read }; +allow hdf_devmgr const_allow_param:file { map open read }; +allow hdf_devmgr const_build_param:file { map open read }; +allow hdf_devmgr const_display_brightness_param:file { map open read }; +allow hdf_devmgr const_param:file { map open read }; +allow hdf_devmgr const_postinstall_fstab_param:file { map open read }; +allow hdf_devmgr const_postinstall_param:file { map open read }; +allow hdf_devmgr const_product_param:file { map open read }; +allow hdf_devmgr dcamera:binder { call transfer }; +allow hdf_devmgr dcamera:dir { search }; +allow hdf_devmgr dcamera:file { open read }; +allow hdf_devmgr dcamera_host:binder { call transfer }; +allow hdf_devmgr dcamera_host:dir { search }; +allow hdf_devmgr dcamera_host:file { open read }; +allow hdf_devmgr dcamera_host:process { getattr }; +allow hdf_devmgr dcamera:process { getattr }; +allow hdf_devmgr dscreen:binder { transfer }; +allow hdf_devmgr dscreen:dir { search }; +allow hdf_devmgr dscreen:file { open read }; +allow hdf_devmgr dscreen:process { getattr }; +allow hdf_devmgr debug_param:file { map open read }; +allow hdf_devmgr default_param:file { map open read }; +allow hdf_devmgr dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow hdf_devmgr dev_kmsg_file:chr_file { open write }; +allow hdf_devmgr dev_unix_socket:dir { search }; +allow hdf_devmgr distributedsche_param:file { map open read }; +allow hdf_devmgr foundation:binder { call transfer }; +allow hdf_devmgr foundation:dir { search }; +allow hdf_devmgr foundation:file { open read }; +allow hdf_devmgr foundation:process { getattr }; +allow hdf_devmgr hilog_param:file { map open read }; +allow hdf_devmgr hw_sc_build_os_param:file { map open read }; +allow hdf_devmgr hw_sc_build_param:file { map open read }; +allow hdf_devmgr hw_sc_param:file { map open read }; +allow hdf_devmgr init_param:file { map open read }; +allow hdf_devmgr init_svc_param:file { map open read }; +allow hdf_devmgr input_pointer_device_param:file { map open read }; +allow hdf_devmgr input_user_host:binder { call transfer }; +allow hdf_devmgr input_user_host:dir { search }; +allow hdf_devmgr input_user_host:file { open read }; +allow hdf_devmgr input_user_host:process { getattr }; +allow hdf_devmgr kernel:unix_stream_socket { connectto }; +allow hdf_devmgr location_host:binder { call transfer }; +allow hdf_devmgr location_host:dir { search }; +allow hdf_devmgr location_host:file { open read }; +allow hdf_devmgr location_host:process { getattr }; +allow hdf_devmgr locationhub:binder { transfer }; +allow hdf_devmgr locationhub:dir { search }; +allow hdf_devmgr locationhub:file { open read }; +allow hdf_devmgr locationhub:process { getattr }; +allow hdf_devmgr media_service:binder { transfer }; +allow hdf_devmgr media_service:dir { search }; +allow hdf_devmgr media_service:file { open read }; +allow hdf_devmgr media_service:process { getattr }; +allow hdf_devmgr mmi_uinput_service:binder { transfer }; +allow hdf_devmgr mmi_uinput_service:dir { search }; +allow hdf_devmgr mmi_uinput_service:file { open read }; +allow hdf_devmgr mmi_uinput_service:process { getattr }; +allow hdf_devmgr multimodalinput:binder { transfer }; +allow hdf_devmgr multimodalinput:dir { search }; +allow hdf_devmgr multimodalinput:file { open read }; +allow hdf_devmgr multimodalinput:process { getattr }; +allow hdf_devmgr net_param:file { map open read }; +allow hdf_devmgr net_tcp_param:file { map open read }; +allow hdf_devmgr normal_hap_attr:binder { transfer }; +allow hdf_devmgr normal_hap_attr:dir { search }; +allow hdf_devmgr normal_hap_attr:file { open read }; +allow hdf_devmgr normal_hap_attr:process { getattr }; +allow hdf_devmgr ohos_boot_param:file { map open read }; +allow hdf_devmgr ohos_param:file { map open read }; +allow hdf_devmgr ohos_param:parameter_service { set }; +allow hdf_devmgr paramservice_socket:sock_file { write }; +allow hdf_devmgr persist_param:file { map open read }; +allow hdf_devmgr persist_sys_param:file { map open read }; +allow hdf_devmgr power_host:binder { transfer }; +allow hdf_devmgr power_host:dir { search }; +allow hdf_devmgr power_host:file { open read }; +allow hdf_devmgr power_host:process { getattr }; +binder_call(hdf_devmgr, powermgr); +allow hdf_devmgr powermgr:dir { search }; +allow hdf_devmgr powermgr:file { open read }; +allow hdf_devmgr powermgr:process { getattr }; +allow hdf_devmgr sa_device_service_manager:samgr_class { add }; +allow hdf_devmgr security_param:file { map open read }; +allow hdf_devmgr selinuxfs:dir { open read }; +allow hdf_devmgr selinuxfs:file { map }; +allow hdf_devmgr startup_param:file { map open read }; +allow hdf_devmgr sys_param:file { map open read }; +allow hdf_devmgr system_bin_file:dir { search }; +allow hdf_devmgr system_core_hap_attr:binder { transfer }; +allow hdf_devmgr system_core_hap_attr:dir { search }; +allow hdf_devmgr system_core_hap_attr:file { open read }; +allow hdf_devmgr system_core_hap_attr:process { getattr }; +allow hdf_devmgr sys_usb_param:file { map open read }; +allow hdf_devmgr usb_host:binder { call transfer }; +allow hdf_devmgr usb_host:dir { search }; +allow hdf_devmgr usb_host:file { open read }; +allow hdf_devmgr usb_host:process { getattr }; +allow hdf_devmgr usb_service:binder { transfer }; +allow hdf_devmgr usb_service:dir { search }; +allow hdf_devmgr usb_service:file { open read }; +allow hdf_devmgr usb_service:process { getattr }; +allow hdf_devmgr vendor_etc_file:dir { search }; +allow hdf_devmgr vendor_etc_file:file { getattr open read }; +allow hdf_devmgr telephony_sa:binder { call }; +allowxperm hdf_devmgr dev_hdf_kevent:chr_file ioctl { 0x6203 }; + +# avc: denied { search } for pid=571 comm="IPC_0_581" name="1364" dev="proc" ino=31517 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:wifi_manager_service:s0 tclass=dir permissive=1 +allow hdf_devmgr wifi_manager_service:dir { search }; + +# avc: denied { read } for pid=562 comm="IPC_1_572" name="current" dev="proc" ino=19801 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:wifi_manager_service:s0 tclass=file permissive=1 +allow hdf_devmgr wifi_manager_service:file { open read }; + +# avc: denied { getattr } for pid=571 comm="IPC_0_581" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:wifi_manager_service:s0 tclass=process permissive=1 +allow hdf_devmgr wifi_manager_service:process { getattr }; + +# avc: denied { transfer } for pid=562 comm="IPC_1_572" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow hdf_devmgr wifi_manager_service:binder { transfer }; + +allow hdf_devmgr bootevent_param:file { map open read }; +allow hdf_devmgr bootevent_samgr_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..4b4a88f9759b5bbb60d9d939ec5fe3109510fb6d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/init.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transition } for pid=1970 comm="init" path="/vendor/bin/hdf_devhost" dev="mmcblk0p7" ino=14 scontext=u:r:init:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=1 +#avc: denied { rlimitinh } for pid=1970 comm="hdf_devhost" scontext=u:r:init:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=1 +#avc: denied { siginh } for pid=1970 comm="hdf_devhost" scontext=u:r:init:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=1 +#avc: denied { sigkill } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=1 +allow init sample_host:process { rlimitinh siginh transition sigkill }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/rootfs.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/rootfs.te new file mode 100644 index 0000000000000000000000000000000000000000..3d5e6deb823e2addcdb37245ed32a64de201c781 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/rootfs.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +allow rootfs labeledfs:filesystem { associate }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/sample_host.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/sample_host.te new file mode 100644 index 0000000000000000000000000000000000000000..b814531059745cc05e7ada1b5200f9170fb5ea7a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/sample_host.te @@ -0,0 +1,169 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for testcase start +#avc: denied { read } for pid=1992 comm="hdf_devhost" name="u:object_r:security_param:s0" dev="tmpfs" ino=64 scontext=u:r:sample_host:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1992 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:security_param:s0" dev="tmpfs" ino=64 scontext=u:r:sample_host:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1992 comm="hdf_devhost" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=65 scontext=u:r:sample_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1992 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=65 scontext=u:r:sample_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1992 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=65 scontext=u:r:sample_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1992 comm="hdf_devhost" name="u:object_r:persist_param:s0" dev="tmpfs" ino=66 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1992 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=66 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1992 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=66 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1992 comm="hdf_devhost" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=67 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +#avc: denied { use } for pid=1997 comm="HdiServiceManag" path="/dev/ashmem" dev="tmpfs" ino=185 scontext=u:r:sample_host:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1 +#avc: denied { read } for pid=2106 comm="hdf_devhost" name="u:object_r:ohos_param:s0" dev="tmpfs" ino=46 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2106 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:ohos_param:s0" dev="tmpfs" ino=46 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2106 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:ohos_param:s0" dev="tmpfs" ino=46 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2106 comm="hdf_devhost" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=47 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2106 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=47 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2119 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=47 scontext=u:r:sample_host:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2010 comm="hdf_devhost" name="u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2010 comm="hdf_devhost" name="u:object_r:sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2010 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2010 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2119 comm="hdf_devhost" name="u:object_r:sys_usb_param:s0" dev="tmpfs" ino=49 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2119 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:sys_usb_param:s0" dev="tmpfs" ino=49 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2119 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:sys_usb_param:s0" dev="tmpfs" ino=49 scontext=u:r:sample_host:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=1 +#avc: denied { search } for pid=2038 comm="sample_host" name="etc" dev="mmcblk0p7" ino=19 scontext=u:r:sample_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=2063 comm="sample_host" path="/vendor/etc/hdfconfig/hdf_default.hcb" dev="mmcblk0p7" ino=36 scontext=u:r:sample_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2063 comm="sample_host" name="hdf_default.hcb" dev="mmcblk0p7" ino=36 scontext=u:r:sample_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2063 comm="sample_host" path="/vendor/etc/hdfconfig/hdf_default.hcb" dev="mmcblk0p7" ino=36 scontext=u:r:sample_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2221 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2056 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2005 comm="hdf_devhost" name="u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=72 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=72 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:bootevent_samgr_param:s0" dev="tmpfs" ino=72 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:const_param:s0" dev="tmpfs" ino=57 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=59 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=58 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2005 comm="hdf_devhost" name="u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:sample_host:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:sample_host:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:sample_host:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=54 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2056 comm="hdf_devhost" name="u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=53 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2056 comm="hdf_devhost" name="u:object_r:hw_sc_param:s0" dev="tmpfs" ino=52 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2056 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_param:s0" dev="tmpfs" ino=52 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2056 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_param:s0" dev="tmpfs" ino=52 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2221 comm="hdf_devhost" name="u:object_r:init_svc_param:s0" dev="tmpfs" ino=56 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2005 comm="hdf_devhost" name="u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:sample_host:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:sample_host:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2005 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:sample_host:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2056 comm="hdf_devhost" name="u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2056 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2056 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:sample_host:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2031 comm="hdf_devhost" name="u:object_r:bootevent_param:s0" dev="tmpfs" ino=70 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2031 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:bootevent_param:s0" dev="tmpfs" ino=70 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2031 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:bootevent_param:s0" dev="tmpfs" ino=70 scontext=u:r:sample_host:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2204 comm="hdf_devhost" name="u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2204 comm="hdf_devhost" name="u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2058 comm="hdf_devhost" name="u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2058 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2058 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2195 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=57 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2195 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=59 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2195 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=58 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2069 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=54 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2069 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_build_os_param:s0" dev="tmpfs" ino=54 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2069 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=53 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2069 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hw_sc_build_param:s0" dev="tmpfs" ino=53 scontext=u:r:sample_host:s0 tcontext=u:object_r:hw_sc_build_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2155 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2173 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:init_svc_param:s0" dev="tmpfs" ino=56 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2031 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=67 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2031 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=67 scontext=u:r:sample_host:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2043 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2043 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1972 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1972 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2043 comm="hdf_devhost" name="u:object_r:const_build_param:s0" dev="tmpfs" ino=62 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1972 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=57 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1972 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_postinstall_fstab_param:s0" dev="tmpfs" ino=59 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1972 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=58 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2148 comm="hdf_devhost" name="u:object_r:const_product_param:s0" dev="tmpfs" ino=63 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2148 comm="hdf_devhost" name="u:object_r:debug_param:s0" dev="tmpfs" ino=68 scontext=u:r:sample_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2167 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2167 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:init_svc_param:s0" dev="tmpfs" ino=56 scontext=u:r:sample_host:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2064 comm="hdf_devhost" name="u:object_r:build_version_param:s0" dev="tmpfs" ino=71 scontext=u:r:sample_host:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2064 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_build_param:s0" dev="tmpfs" ino=62 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2064 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_product_param:s0" dev="tmpfs" ino=63 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2064 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=68 scontext=u:r:sample_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { call } for pid=2064 comm="sample_host" scontext=u:r:sample_host:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 +#avc: denied { read } for pid=2064 comm="hdf_devhost" name="u:object_r:startup_param:s0" dev="tmpfs" ino=69 scontext=u:r:sample_host:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=2072 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:build_version_param:s0" dev="tmpfs" ino=71 scontext=u:r:sample_host:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2066 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_build_param:s0" dev="tmpfs" ino=62 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2066 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_product_param:s0" dev="tmpfs" ino=63 scontext=u:r:sample_host:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2072 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=68 scontext=u:r:sample_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { call } for pid=2063 comm="sample_host" scontext=u:r:sample_host:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +#avc: denied { open } for pid=2072 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:startup_param:s0" dev="tmpfs" ino=69 scontext=u:r:sample_host:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2030 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:build_version_param:s0" dev="tmpfs" ino=71 scontext=u:r:sample_host:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=2033 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:startup_param:s0" dev="tmpfs" ino=69 scontext=u:r:sample_host:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +#avc: denied { transfer } for pid=2007 comm="sample_host" scontext=u:r:sample_host:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +#avc: denied { call } for pid=2011 comm="sample_host" scontext=u:r:sample_host:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +#avc: denied { getattr } for pid=2029 comm="sample_host" path="/dev/hdf_kevent" dev="tmpfs" ino=204 scontext=u:r:sample_host:s0 tcontext=u:object_r:dev_hdf_kevent:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=2029 comm="sample_host" name="hdf_kevent" dev="tmpfs" ino=204 scontext=u:r:sample_host:s0 tcontext=u:object_r:dev_hdf_kevent:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=2029 comm="sample_host" path="/dev/hdf_kevent" dev="tmpfs" ino=204 scontext=u:r:sample_host:s0 tcontext=u:object_r:dev_hdf_kevent:s0 tclass=chr_file permissive=1 +#avc: denied { search } for pid=2001 comm="hdf_devhost" name="socket" dev="tmpfs" ino=40 scontext=u:r:sample_host:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +#avc: denied { add } for service=sample_driver_service2 pid=2005 scontext=u:r:sample_host:s0 tcontext=u:object_r:default_hdf_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=hdf_device_manager pid=2001 scontext=u:r:sample_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=sample_driver_service pid=2001 scontext=u:r:sample_host:s0 tcontext=u:object_r:hdf_sample_driver_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=5100 pid=2001 scontext=u:r:sample_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +#avc: denied { ioctl } for pid=2029 comm="sample_host" path="/dev/hdf_kevent" dev="tmpfs" ino=204 ioctlcmd=0x6203 scontext=u:r:sample_host:s0 tcontext=u:object_r:dev_hdf_kevent:s0 tclass=chr_file permissive=1 +allow sample_host hilog_param:file { map open read }; +allow sample_host ohos_boot_param:file { open read map }; +allow sample_host ohos_param:file { map open read }; +allow sample_host persist_param:file { map open read }; +allow sample_host persist_sys_param:file { read map open }; +allow sample_host security_param:file { map open read }; +allow sample_host system_bin_file:dir { search }; +allow sample_host net_param:file { read map open }; +allow sample_host sys_param:file { map open read }; +allow sample_host sys_usb_param:file { map open read }; +allow sample_host vendor_etc_file:dir { search }; +allow sample_host vendor_etc_file:file { getattr open read }; +allow sample_host bootevent_samgr_param:file { map open read }; +allow sample_host const_param:file { read open map }; +allow sample_host const_postinstall_fstab_param:file { read open map }; +allow sample_host const_postinstall_param:file { read open map }; +allow sample_host default_param:file { map open read }; +allow sample_host hw_sc_build_os_param:file { read map open }; +allow sample_host hw_sc_build_param:file { read map open }; +allow sample_host hw_sc_param:file { map open read }; +allow sample_host init_param:file { read open map }; +allow sample_host init_svc_param:file { read open map }; +allow sample_host input_pointer_device_param:file { map open read }; +allow sample_host net_tcp_param:file { map open read }; +allow sample_host bootevent_param:file { map open read }; +allow sample_host const_allow_mock_param:file { read map open }; +allow sample_host const_allow_param:file { read map open }; +allow sample_host const_display_brightness_param:file { map open read }; +allow sample_host const_build_param:file { read open map }; +allow sample_host const_product_param:file { read open map }; +allow sample_host debug_param:file { read open map }; +allow sample_host build_version_param:file { read open map }; +allow sample_host samgr:binder { call }; +allow sample_host startup_param:file { read open map }; +allow sample_host hdf_devmgr:binder { call transfer }; +allow sample_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow sample_host dev_unix_socket:dir { search }; +allow sample_host hdf_sample_service:hdf_devmgr_class { add }; +allow sample_host hdf_device_manager:hdf_devmgr_class { get }; +allow sample_host hdf_sample_driver_service:hdf_devmgr_class { add }; +allow sample_host sa_device_service_manager:samgr_class { get }; +allowxperm sample_host dev_hdf_kevent:chr_file ioctl { 0x6203 }; +allow sample_host hdf_sample1_driver_service:hdf_devmgr_class { add }; +debug_only(` + allow sample_host sh:binder { call }; + allow sample_host sh:fd { use }; +') +# for testcase end diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/ueventd.te b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..161e4287ca1615220bc9919748ed70745bbd68ce --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/ueventd.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { remove_name } for pid=2085 comm="ueventd" name="sample_service1" dev="tmpfs" ino=491 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +#avc: denied { unlink } for pid=2085 comm="ueventd" name="sample_service1" dev="tmpfs" ino=491 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=1 +#avc: denied { setattr } for pid=2098 comm="ueventd" name="khdf_ut" dev="tmpfs" ino=212 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_hdf_test:s0 tclass=chr_file permissive=1 +#avc: denied { getattr } for pid=2098 comm="ueventd" path="/dev/khdf_ut" dev="tmpfs" ino=212 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_hdf_test:s0 tclass=chr_file permissive=1 +#avc: denied { unlink } for pid=2060 comm="ueventd" name="khdf_ut" dev="tmpfs" ino=212 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_hdf_test:s0 tclass=chr_file permissive=1 +#avc: denied { create } for pid=227 comm="ueventd" name="=9" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1 +allow ueventd dev_file:dir { remove_name }; +allow ueventd dev_file:chr_file { unlink }; +allow ueventd dev_mapper_control_file:chr_file { unlink }; +allow ueventd dev_hdf_test:chr_file { getattr setattr unlink }; +allow ueventd dev_block_file:dir { create }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b5d11319b1578d211275f7a5b454c6dd4b5511dc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/adapter/vendor/virtfs_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put short path ahead. +# use relative path to mount point. + +genfscon debugfs /usb u:object_r:debugfs_usb:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..67a82295a69534c1a16ff664a285797a897daf06 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type hidraw_device_file, dev_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2abb8117a15b0db9879520819b57e06c513ce700 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put shorter config ahead; +# root +/dev/hidraw[0-9]* u:object_r:hidraw_device_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/type.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..4ebd008c4cb6f843e1725907aca2f77d7ff5f33a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdf_ext_devmgr_file, file_attr, data_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..9f8fabac99829348274c6fe12882f14df21657a4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/accountmgr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=521 comm="IPC_1_643" scontext=u:r:accountmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +# avc: denied { call } for pid=683 comm="OS_IPC_2_949" scontext=u:r:accountmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=0 +allow accountmgr hdf_ext_devmgr:binder { transfer call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..8d72b87d539ddfbc3657c0f5145e58c19c78e41c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/appspawn.te @@ -0,0 +1,28 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { map } for pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=246 comm="appspawn" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +allow appspawn arkcompiler_param:file { map open read }; +allow appspawn ark_writeable_param:file { map open read }; + +# avc: denied { map } for pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=246 comm="appspawn" name="u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1 +allow appspawn arkui_param:file { map open read }; + +# avc: denied { getattr } for pid=246 comm="appspawn" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=246 comm="appspawn" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=246 comm="appspawn" name="online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow appspawn sysfs_devices_system_cpu:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/chipset_init.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/chipset_init.te new file mode 100644 index 0000000000000000000000000000000000000000..f19153c195b73efef47c280598ce2d3f3756cd70 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/chipset_init.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { open } for pid=231 comm="chipset_init" path="/data/service/el1/public/usb/mode" dev="mmcblk0p14" ino=166 scontext=u:r:chipset_init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=231 comm="chipset_init" name="mode" dev="mmcblk0p14" ino=166 scontext=u:r:chipset_init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow chipset_init data_service_el1_file:file { open write }; + +# avc: denied { open } for pid=231 comm="chipset_init" path="/dev/kmsg" dev="tmpfs" ino=6 scontext=u:r:chipset_init:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow chipset_init dev_kmsg_file:chr_file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..21cdb768f4ced827f758889569aaaf03f73defc9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/pkg_service(/.*)? u:object_r:hdf_ext_devmgr_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/foundation.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..e93ab64f9908df8a995d653540941ac96e8a553b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/foundation.te @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=644 comm="CesSrvUnorderEv" scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +allow foundation hdf_ext_devmgr:binder { call transfer }; + +# avc: denied { search } for pid=616 comm="IPC_9_1109" name="599" dev="proc" ino=28762 scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=dir permissive=1 +allow foundation hdf_ext_devmgr:dir { search }; + +# avc: denied { getattr } for pid=616 comm="IPC_9_1109" path="/proc/599/cmdline" dev="proc" ino=33069 scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +# avc: denied { open } for pid=616 comm="IPC_9_1109" path="/proc/599/cmdline" dev="proc" ino=33069 scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +# avc: denied { read } for pid=616 comm="IPC_9_1109" scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +allow foundation hdf_ext_devmgr:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..0594eb92b6a6fe1ee8693d6b4a8d101e576e5ad8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hap_domain.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1368 comm="ndwriting_board" scontext=u:r:debug_hap:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=12711 comm="ndwriting_board" scontext=u:r:system_core_hap:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=0 +allow hap_domain hdf_ext_devmgr:binder { call transfer }; + +# avc: denied { get } for service=5110 pid=1368 scontext=u:r:debug_hap:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +allow hap_domain sa_hdf_ext_devmgr:samgr_class { get }; + +# avc: denied { call } for pid=1405 comm="ffrtwk/CPU-2-0" scontext=u:r:debug_hap:s0 tcontext=u:r:usb_host:s0 tclass=binder permissive=1 +allow hap_domain usb_host:binder { call }; + +# avc: denied { read } for pid=12711 comm="ndwriting_board" name="u:object_r:hichecker_writable_param:s0" dev="tmpfs" ino=81 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=0 +allow hap_domain hichecker_writable_param:file { read open map }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8eca0074978b96798f2c6e3340f1234174522837 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_devmgr.te @@ -0,0 +1,28 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=243 comm="IPC_3_507" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +allow hdf_devmgr hdf_ext_devmgr:binder { transfer }; + +# avc: denied { search } for pid=243 comm="IPC_3_507" name="721" dev="proc" ino=20918 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=dir permissive=1 +allow hdf_devmgr hdf_ext_devmgr:dir { search }; + +# avc: denied { open } for pid=243 comm="IPC_3_507" path="/proc/721/attr/current" dev="proc" ino=29742 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +# avc: denied { read } for pid=243 comm="IPC_3_507" name="current" dev="proc" ino=29742 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +allow hdf_devmgr hdf_ext_devmgr:file { open read }; + +# avc: denied { getattr } for pid=243 comm="IPC_3_507" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=process permissive=1 +allow hdf_devmgr hdf_ext_devmgr:process { getattr }; + +allow hdf_devmgr dev_mgr_file:chr_file { ioctl read write }; +allowxperm hdf_devmgr dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..898ab29d9be34928f9741d22c8e2fa4b753d20d1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te @@ -0,0 +1,128 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_ext_devmgr debug_param:file { map open read }; +allow hdf_ext_devmgr dev_console_file:chr_file { read write }; +# avc: denied { get } for service=usb_interface_service pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow hdf_ext_devmgr hdf_usb_interface_service:hdf_devmgr_class { get }; + +# avc: denied { get } for service=200 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_accountmgr:samgr_class { get }; + +# avc: denied { get } for service=5100 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_device_service_manager:samgr_class { get }; + +# avc: denied { get } for service=401 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_foundation_bms:samgr_class { get }; + +# avc: denied { get } for service=3299 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_foundation_cesfwk_service:samgr_class { get }; + +# avc: denied { add } for service=5110 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_hdf_ext_devmgr:samgr_class { add get }; + +# avc: denied { get } for service=3901 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_param_watcher:samgr_class { get }; + +# avc: denied { search } for pid=1416 comm="SaInit0" name="socket" dev="tmpfs" ino=43 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow hdf_ext_devmgr dev_unix_socket:dir { search }; + +# avc: denied { call } for pid=1416 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +allow hdf_ext_devmgr hdf_devmgr:binder { call }; + +# avc: denied { call } for pid=1546 comm="CesFwkListener" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr foundation:binder { call transfer }; + +# avc: denied { map } for pid=1546 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1546 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=1546 comm="sa_main" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow hdf_ext_devmgr hilog_param:file { map open read }; + +# avc: denied { call } for pid=1546 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr param_watcher:binder { call transfer }; + +# avc: denied { search } for pid=1546 comm="hdf_ext_devmgr" name="/" dev="tracefs" ino=1 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow hdf_ext_devmgr tracefs:dir { search }; + +# avc: denied { open } for pid=1546 comm="hdf_ext_devmgr" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=16975 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=1546 comm="hdf_ext_devmgr" name="trace_marker" dev="tracefs" ino=16975 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow hdf_ext_devmgr tracefs_trace_marker_file:file { open write }; + +# avc: denied { call } for pid=721 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=5472 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +allow hdf_ext_devmgr accountmgr:binder { call transfer }; + +# avc: denied { getattr } for pid=721 comm="hdf_ext_devmgr" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=721 comm="hdf_ext_devmgr" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=721 comm="hdf_ext_devmgr" name="online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow hdf_ext_devmgr sysfs_devices_system_cpu:file { getattr open read }; + +# avc: denied { call } for pid=721 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:usb_host:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=721 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:usb_host:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr usb_host:binder { call transfer }; + +# avc: denied { use } for pid=569 comm="IPC_4_888" path="/dev/ashmem" dev="tmpfs" ino=230 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=1 +allow hdf_ext_devmgr foundation:fd { use }; + +debug_only(` +#avc: denied { call } for pid=1295 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +allow hdf_ext_devmgr sh:binder {call}; +') + +# avc: denied { call } for pid=599 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr accesstoken_service:binder { call }; + +# avc: denied { write } for pid=599 comm="hdf_ext_devmgr" name="uinput" dev="tmpfs" ino=234 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=1 +allow hdf_ext_devmgr dev_uinput:chr_file { write ioctl open }; + +# avc: denied { get } for service=3503 pid=599 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_accesstoken_manager_service:samgr_class { get }; + +# avc: denied { get } for service=180 pid=599 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow hdf_ext_devmgr sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { call } for pid=1750 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr system_core_hap_attr:binder { call }; +allow hdf_ext_devmgr system_basic_hap_attr:binder { call }; + +# avc: denied { ioctl } for pid=1294 comm="IPC_2_1491" path="/dev/uinput" dev="tmpfs" ino=223 ioctlcmd=0x5502 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=1750 comm="hdf_ext_devmgr" path="/dev/uinput" dev="tmpfs" ino=223 ioctlcmd=0x5564 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=1 +allowxperm hdf_ext_devmgr dev_uinput:chr_file ioctl { 0x5502 0x5564 0x5501 0x5565 0x5567 0x556e }; + +allow hdf_ext_devmgr data_file:dir { search }; +allow hdf_ext_devmgr data_service_file:dir { search }; +allow hdf_ext_devmgr persist_sys_param:file { map open read }; +allow hdf_ext_devmgr dev_ashmem_file:chr_file { open }; +allow hdf_ext_devmgr system_bin_file:dir { search }; +allowxperm hdf_ext_devmgr hdf_ext_devmgr_file:file ioctl { 0xf50c }; +allow hdf_ext_devmgr hdf_ext_devmgr_file:dir { add_name open read remove_name search write }; +allow hdf_ext_devmgr hdf_ext_devmgr_file:file { create getattr ioctl lock map open read write setattr unlink }; + +# avc: denied { search } for pid=659 comm="SaInit0" name="el1" dev="mmcblk0p14" ino=12 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +allow hdf_ext_devmgr data_service_el1_file:dir { search }; + +# avc: denied { call } for pid=1391 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:debug_hap:s0 tclass=binder permissive=1 +allow hdf_ext_devmgr hap_domain:binder { call transfer }; + +# avc: denied { read } for pid=1723 comm="hdf_ext_devmgr" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +allow hdf_ext_devmgr arkcompiler_param:file { read open map }; +allow hdf_ext_devmgr ark_writeable_param:file { read open map }; + +# avc: denied { ioctl } for pid=1382 comm="hdf_ext_devmgr" path="/dev/uinput" dev="tmpfs" ino=225 ioctlcmd=0x5568 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=1 +allow hdf_ext_devmgr dev_uinput:chr_file { ioctl }; + +# avc: denied { ioctl } for pid=1382 comm="hdf_ext_devmgr" path="/dev/uinput" dev="tmpfs" ino=225 ioctlcmd=0x5568 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=1 +allowxperm hdf_ext_devmgr dev_uinput:chr_file ioctl { 0x5568 }; + +#avc: denied { get } for service=usb_ddk_service pid=742 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hdf_usb_ddk_service:s0 tclass=hdf_devmgr_class permissive=0 +allow hdf_ext_devmgr hdf_usb_ddk_service:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/init.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..8d1fb3b66bb0ab62bba8a79a152b58522bfb3d1d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/init.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init hdf_ext_devmgr:process { rlimitinh siginh transition }; + +# avc: denied { relabelto } for pid=659 comm="init" name="pkg_service" dev="mmcblk0p14" ino=278 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0 +# avc: denied { read } for pid=741 comm="init" name="pkg_service" dev="mmcblk0p14" ino=290 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0 +# avc: denied { setattr } for pid=741 comm="init" name="pkg_service" dev="mmcblk0p14" ino=290 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=1431 comm="init" path="/data/service/el1/public/pkg_service" dev="mmcblk0p14" ino=1496 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=661 comm="init" path="/data/service/el1/public/pkg_service" dev="mmcblk0p14" ino=1488 scontext=u:r:init:s0 tcontext=u:object_r:hdf_ext_devmgr_file:s0 tclass=dir permissive=0 +allow init hdf_ext_devmgr_file:dir { relabelto read setattr open getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/service_contexts b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..707f607b062e45e9c7a8b52c57a3f40df3167c5e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +5110 u:object_r:sa_hdf_ext_devmgr:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..836b1e4c1cce5d6589e6ecdae49ae106c3f0584a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1363 comm="lication:driver" scontext=u:r:system_basic_hap:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +allow system_basic_hap_attr hdf_ext_devmgr:binder { call }; + +# avc: denied { get } for service=5110 pid=1415 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_hdf_ext_devmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..dae6e5d4a902cdb6e12ebac4ab80526fc9408cde --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/external_device_manager/system/system_core_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1363 comm="lication:driver" scontext=u:r:system_core_hap:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +allow system_core_hap_attr hdf_ext_devmgr:binder { call }; + +# avc: denied { get } for service=5110 pid=1415 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +allow system_core_hap_attr sa_hdf_ext_devmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/public/file.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..a6098f07d2098313892aa4b9a7176fcaf6db04ae --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type sysfs_switch, sysfs_attr, fs_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e456a80b1d80c0b61e2da702f804563d1fb142a4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/system/virtfs_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put short path ahead. +# use relative path to mount point. +genfscon sysfs /class/switch u:object_r:sysfs_switch:s0 +genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te new file mode 100644 index 0000000000000000000000000000000000000000..9834232284f9a67982dcb0eac3509ae69460408e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/audio_host.te @@ -0,0 +1,142 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_host audio_host:netlink_kobject_uevent_socket { getattr bind create setopt }; +allow audio_host bootevent_param:file { map open read }; +allow audio_host bootevent_samgr_param:file { map open read }; +allow audio_host build_version_param:file { map open read }; +allow audio_host const_allow_mock_param:file { map open read }; +allow audio_host const_allow_param:file { map open read }; +allow audio_host const_build_param:file { map open read }; +allow audio_host const_display_brightness_param:file { map open read }; +allow audio_host const_param:file { map open read }; +allow audio_host const_postinstall_fstab_param:file { map open read }; +allow audio_host const_postinstall_param:file { map open read }; +allow audio_host const_product_param:file { map open read }; +allow audio_host data_log:dir { search }; +allow audio_host debug_param:file { map open read }; +allow audio_host default_param:file { map open read }; +allow audio_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow audio_host dev_input_file:dir { search }; +allow audio_host distributedsche_param:file { map open read }; +allow audio_host hdf_audio_hdi_pnp_service:hdf_devmgr_class { add }; +allow audio_host hilog_param:file { map open read }; +allow audio_host hw_sc_build_os_param:file { map open read }; +allow audio_host hw_sc_build_param:file { map open read }; +allow audio_host hw_sc_param:file { map open read }; +allow audio_host init_param:file { map open read }; +allow audio_host init_svc_param:file { map open read }; +allow audio_host input_pointer_device_param:file { map open read }; +allow audio_host net_param:file { map open read }; +allow audio_host net_tcp_param:file { map open read }; +allow audio_host ohos_boot_param:file { map open read }; +allow audio_host ohos_param:file { map open read }; +allow audio_host persist_param:file { map open read }; +allow audio_host persist_sys_param:file { map open read }; +allow audio_host samgr:binder { call }; +allow audio_host security_param:file { map open read }; +allow audio_host startup_param:file { map open read }; +allow audio_host sys_param:file { map open read }; +allow audio_host sys_usb_param:file { map open read }; +allowxperm audio_host dev_hdf_kevent:chr_file ioctl { 0x6203 }; +allow audio_host dev_input_file:chr_file { read open }; +allow audio_host data_service_file:dir { search read }; +allow audio_host data_service_el1_file:dir { search }; +allow audio_host data_udev:dir { search }; +allow audio_host sys_file:file { open read getattr }; +allow audio_host dev_hdf_audio_control:chr_file { getattr }; +allow audio_host dev_mgr_file:chr_file { getattr read write open ioctl }; +allow audio_host dev_bus:dir { search }; +allow audio_host dev_bus_usb_file:dir { search }; +allow audio_host dev_bus_usb_file:chr_file { getattr read open }; +allow audio_host musl_param:file { open read map }; +allow audio_host audio_server:binder { transfer call }; +allow audio_host dev_dma_heap_file:dir { search }; +allow audio_host dev_dma_heap_file:chr_file { read open ioctl }; +allowxperm audio_host dev_snd_file:chr_file ioctl { 0x4801 0x4132 0x4142 }; +allow audio_host hdf_device_manager:hdf_devmgr_class { get }; +allow audio_host hdf_audio_hdi_service:hdf_devmgr_class { add }; +allow audio_host dev_unix_socket:dir { search }; +allow audio_host hdf_audio_hdi_a2dp_service:hdf_devmgr_class { add }; +allow audio_host hdf_devmgr:binder { call transfer }; +allow audio_host chip_prod_file:dir { search }; +allow audio_host chip_prod_file:file { read open getattr }; +allow audio_host data_file:dir { search }; +allow audio_host data_file:file { map open read append write }; +allow audio_host dev_hdf_audio_render:chr_file { getattr ioctl open read write }; +allow audio_host devpts:chr_file { read write }; +allow audio_host hdcd:fd { use }; +allow audio_host hdf_audio_hdi_usb_service:hdf_devmgr_class { add get }; +allow audio_host hdf_audio_manager_service:hdf_devmgr_class { add }; +allow audio_host hdf_effect_model_service:hdf_devmgr_class { add }; +allow audio_host sa_device_service_manager:samgr_class { get }; +allow audio_host audio_host:netlink_kobject_uevent_socket { read }; +allow audio_host data_init_agent:dir { search }; +allow audio_host data_init_agent:file { open read append }; +allow audio_host dev_hdf_kevent:chr_file { ioctl }; +allow audio_host system_bin_file:dir { search }; +allow audio_host system_bin_file:file { execute execute_no_trans map read open }; +allow audio_host vendor_etc_file:dir { search }; +allow audio_host vendor_etc_file:file { getattr open read }; +allow audio_host vendor_lib_file:dir { search }; +allow audio_host vendor_lib_file:file { getattr open read }; +allow audio_host data_file:file { ioctl }; +allow audio_host dev_hdf_audio_capture:chr_file { getattr ioctl open read write }; +allow audio_host dev_hdf_audio_control:chr_file { getattr ioctl open read write }; +allow audio_host dev_snd_file:chr_file { ioctl }; +allow audio_host dev_snd_file:dir { search }; +allow audio_host dev_console_file:chr_file { read write }; +allow audio_host dev_unix_socket:sock_file { write }; +allowxperm audio_host dev_snd_file:chr_file ioctl { 0x4143 }; +allowxperm audio_host dev_hdf_audio_render:chr_file ioctl { 0x6201 }; +allowxperm audio_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 }; +allowxperm audio_host data_file:file ioctl { 0x5413 }; +allowxperm audio_host dev_hdf_audio_capture:chr_file ioctl { 0x6201 }; +allowxperm audio_host dev_hdf_audio_control:chr_file ioctl { 0x6201 }; +debug_only(` + allow audio_host sh:fd { use }; + allow audio_host sh:binder { transfer }; +') + +# avc: denied { add } for service=intell_voice_trigger_manager_service pid=1070 scontext=u:r:audio_host:s0 tcontext=u:object_r:default_hdf_service:s0 tclass=hdf_devmgr_class permissive=1 +allow audio_host hdf_intell_voice_trigger_manager_service:hdf_devmgr_class { add }; + +# avc: denied { read } for pid=1070 comm="audio_host" name="usb" dev="tmpfs" ino=453 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_bus_usb_file:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=1118 comm="audio_host" path="/dev/bus/usb" dev="tmpfs" ino=453 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_bus_usb_file:s0 tclass=dir permissive=0 +allow audio_host dev_bus_usb_file:dir { open read }; + +# avc: denied { ioctl } for pid=1054 comm="audio_host" path="/dev/soundtrigger_dma_drv" dev="tmpfs" ino=552 ioctlcmd=0x5302 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_soundtrigger:s0 tclass=chr_file permissive=0 +# avc: denied { open } for pid=1064 comm="audio_host" path="/dev/soundtrigger_dma_drv" dev="tmpfs" ino=552 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_soundtrigger:s0 tclass=chr_file permissive=0 +# avc: denied { read write } for pid=1102 comm="audio_host" name="soundtrigger_socdsp_lp_pcm_drv" dev="tmpfs" ino=553 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_soundtrigger:s0 tclass=chr_file permissive=1 +allow audio_host dev_soundtrigger:chr_file { open ioctl read write }; +allowxperm audio_host dev_soundtrigger:chr_file ioctl { 0x5302 }; + +# avc: denied { call } for pid=1042 comm="audio_host" scontext=u:r:audio_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=1054 comm="IPC_4_2058" scontext=u:r:audio_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow audio_host intell_voice_service:binder { transfer call }; + +# avc: denied { use } for pid=596 comm="IPC_2_7119" path="/dev/ashmem" dev="tmpfs" ino=581 scontext=u:r:audio_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=fd permissive=0 +allow audio_host intell_voice_service:fd { use }; + +# avc: denied { write } for pid=1075 comm="IPC_0_1111" name="oeminfo_nvm" dev="tmpfs" ino=757 scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_file:s0 tclass=sock_file permissive=0 +allow audio_host dev_file:sock_file { write }; + +# avc: denied { ioctl } for pid=1063 comm="IPC_0_1116" path="/dev/hifi_misc" dev="tmpfs" ino=583 ioctlcmd=0x417e scontext=u:r:audio_host:s0 tcontext=u:object_r:dev_hifi_misc:s0 tclass=chr_file permissive=0 +allow audio_host dev_hifi_misc:chr_file { ioctl }; +allowxperm audio_host dev_hifi_misc:chr_file ioctl { 0x417e }; + +# avc: denied { search } for pid=1102 comm="IPC_0_1127" name="lib64" dev="sdd85" ino=83 scontext=u:r:audio_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=1 +allow audio_host sys_prod_file:dir { search }; + +# /sys/class/switch +allow audio_host sysfs_switch:file { open read getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..e77d195f2e9df26ead490b3edb4e3691415fe4eb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr audio_host:binder { call transfer }; +allow hdf_devmgr audio_host:dir { search }; +allow hdf_devmgr audio_host:file { open read }; +allow hdf_devmgr audio_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..138507bf0512cd9d94c5935d0db8e407a1739751 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/audio/vendor/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init audio_host:process { rlimitinh siginh transition }; +allow init dev_hdf_audio_capture:chr_file { setattr }; +allow init dev_hdf_audio_control:chr_file { setattr }; +allow init dev_hdf_audio_render:chr_file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/battery/vendor/power_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/battery/vendor/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..87c6b3429bb36e56b7ee06f753acafd4fa40e884 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/battery/vendor/power_host.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=359 scontext=u:r:power_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=battery_interface_service pid=359 scontext=u:r:power_host:s0 tcontext=u:object_r:hdf_battery_interface_service:s0 tclass=hdf_devmgr_class +#avc: denied { get } for service=5100 pid=555 scontext=u:r:power_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow power_host hdf_device_manager:hdf_devmgr_class { get }; +allow power_host hdf_battery_interface_service:hdf_devmgr_class { add }; +allow power_host sa_device_service_manager:samgr_class { get }; +allow power_host dev_kmsg_file:chr_file { write open }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/system/camera_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/system/camera_host.te new file mode 100644 index 0000000000000000000000000000000000000000..31e47067bf9bebd5375700fb5bc8e1f335781290 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/system/camera_host.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=929 comm="VIDEO#2" scontext=u:r:camera_host:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +allow camera_host av_codec_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te new file mode 100644 index 0000000000000000000000000000000000000000..75359e74f49865c23c1aba497ddc8e1314d0a21f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te @@ -0,0 +1,119 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=348 scontext=u:r:camera_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=camera_service pid=348 scontext=u:r:camera_host:s0 tcontext=u:object_r:hdf_camera_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { call } for pid=439 comm="PREVIEW#2" scontext=u:r:camera_host:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow camera_host allocator_host:binder { call }; +allow camera_host allocator_host:fd { use }; +allow camera_host bootevent_param:file { map open read }; +allow camera_host bootevent_samgr_param:file { map open read }; +allow camera_host build_version_param:file { map open read }; +allow camera_host camera_host:netlink_kobject_uevent_socket { bind create read }; +allow camera_host camera_service:binder { call transfer }; +allow camera_host const_allow_mock_param:file { map read open }; +allow camera_host const_allow_param:file { map open read }; +allow camera_host const_build_param:file { map open read }; +allow camera_host const_display_brightness_param:file { map open read }; +allow camera_host const_param:file { map open read }; +allow camera_host const_postinstall_fstab_param:file { map open read }; +allow camera_host const_postinstall_param:file { map open read }; +allow camera_host const_product_param:file { map open read }; +allow camera_host data_file:dir { search getattr }; +allow camera_host data_log:file { read write }; +allow camera_host dcamera:binder { call transfer }; +allow camera_host debug_param:file { map open read }; +allow camera_host debugfs_usb:dir { search }; +allow camera_host default_param:file { map open read }; +allow camera_host dev_dma_heap_file:chr_file { ioctl open read }; +allow camera_host dev_dma_heap_file:dir { search }; +allow camera_host dev_dri_file:chr_file { getattr ioctl open read write }; +allow camera_host dev_dri_file:dir { search }; +allow camera_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow camera_host dev_mpp:chr_file { ioctl open read write }; +allow camera_host dev_rga:chr_file { ioctl open read write }; +allow camera_host dev_unix_socket:dir { search }; +allow camera_host dev_unix_socket:sock_file { write }; +allow camera_host dev_video_file:chr_file { getattr ioctl map open read write }; +allow camera_host distributedsche_param:file { map open read }; +allow camera_host faultloggerd:fd { use }; +allow camera_host faultloggerd:unix_stream_socket { connectto }; +allow camera_host hdf_allocator_service:hdf_devmgr_class { get }; +allow camera_host hdf_camera_service:hdf_devmgr_class { add }; +allow camera_host hdf_device_manager:hdf_devmgr_class { get }; +allow camera_host hdf_devmgr:binder { call transfer }; +allow camera_host hidumper_file:dir { add_name search write }; +allow camera_host hidumper_file:file { append open create getattr ioctl }; +allow camera_host hilog_param:file { map open read }; +allow camera_host hiview:binder { call }; +allow camera_host hiview:unix_dgram_socket { sendto }; +allow camera_host hw_sc_build_os_param:file { map open read }; +allow camera_host hw_sc_build_param:file { map open read }; +allow camera_host hw_sc_param:file { map open read }; +allow camera_host init_param:file { map open read }; +allow camera_host init_svc_param:file { map open read }; +allow camera_host input_pointer_device_param:file { map open read }; +allow camera_host media_service:binder { call }; +allow camera_host net_param:file { map open read }; +allow camera_host net_tcp_param:file { map open read }; +allow camera_host normal_hap_attr:binder { call }; +allow camera_host ohos_boot_param:file { map open read }; +allow camera_host ohos_param:file { map open read }; +allow camera_host persist_param:file { map open read }; +allow camera_host persist_sys_param:file { map open read }; +allow camera_host proc_version_file:file { open read getattr }; +allow camera_host render_service:binder { call }; +allow camera_host render_service:fd { use }; +allow camera_host sa_device_service_manager:samgr_class { get }; +allow camera_host samgr:binder { call }; +allow camera_host security_param:file { map open read }; +allow camera_host startup_param:file { map open read }; +allow camera_host sys_file:file { open read }; +allow camera_host sys_param:file { map open read }; +allow camera_host sys_usb_param:file { map open read }; +allow camera_host system_basic_hap_attr:fd { use }; +allow camera_host system_bin_file:dir { search getattr }; +allow camera_host system_bin_file:file { execute execute_no_trans map read open getattr }; +allow camera_host toybox_exec:file { execute execute_no_trans map read open getattr }; +allow camera_host system_core_hap_attr:binder { call }; +allow camera_host system_core_hap_attr:fd { use }; +allow camera_host tracefs:dir { search }; +allow camera_host tracefs_trace_marker_file:file { write }; +allow camera_host vendor_bin_file:file { entrypoint execute map read }; +allow camera_host vendor_etc_file:dir { search }; +allow camera_host vendor_etc_file:file { getattr open read }; +allow camera_host vendor_file:file { execute getattr map open read getattr }; +debug_only(` + allow camera_host sh:binder { call transfer }; + allow camera_host data_local:dir { search }; + allow camera_host dev_block_file:dir { search }; + allow camera_host dev_block_file:lnk_file { read }; + allow camera_host dev_block_volfile:dir { search }; + allow camera_host dev_block_volfile:lnk_file { read }; + allow camera_host dev_file:dir { getattr }; + allow camera_host system_bin_file:lnk_file { read }; + allow camera_host toybox_exec:lnk_file { read }; + allow camera_host system_lib_file:dir { getattr }; + allow camera_host tty_device:chr_file { read write open }; + allow camera_host data_local_tmp:dir { write search getattr add_name create }; + allow camera_host data_local_tmp:file { getattr create append open ioctl read }; + allowxperm camera_host data_local_tmp:file ioctl { 0x5413 }; + allowxperm camera_host dev_video_file:chr_file ioctl { 0x516c }; + allow camera_host sh_exec:file { execute read open execute_no_trans map }; +') +allowxperm camera_host dev_dri_file:chr_file ioctl { 0x641f 0x642d 0x642e 0x64b2 0x64b4 }; +allowxperm camera_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm camera_host dev_mpp:chr_file ioctl { 0x7601 }; +allowxperm camera_host dev_rga:chr_file ioctl { 0x5017 0x5019 0x601b }; +allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 0x5605 0x5608 0x5609 0x560f 0x5611 0x5612 0x5613 0x561b 0x564a 0x5602 0x5624 0x564b 0x5625 0x5616 }; +allowxperm camera_host hidumper_file:file ioctl 0x5413; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..53df744fea1d82f173bd2aa339c78ace7bf81161 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/hdf_devmgr.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:camera_host:s0 tclass=binder permissive=1 +allow hdf_devmgr camera_host:binder { call transfer }; +allow hdf_devmgr camera_host:dir { search }; +allow hdf_devmgr camera_host:file { open read }; +allow hdf_devmgr camera_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..7d72dff555835ed2f5cffce259c020e9f6ee72ce --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/camera/vendor/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init camera_host:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te new file mode 100644 index 0000000000000000000000000000000000000000..b40de207e362d8db6c0cf68276e0f9db59681882 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/clearplay_host.te @@ -0,0 +1,78 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { map } for pid=491 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=491 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=491 comm="hdf_devhost" name="u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow clearplay_host debug_param:file { map open read }; + +# avc: denied { transfer } for pid=503 comm="IPC_0_516" scontext=u:r:clearplay_host:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow clearplay_host drm_service:binder { transfer }; +allow clearplay_host hdf_drm_service:hdf_devmgr_class { add }; +allow clearplay_host chip_prod_file:dir { search }; +allow clearplay_host dev_console_file:chr_file { read write }; +allow clearplay_host dev_hdf_kevent:chr_file { open read write ioctl getattr }; +allow clearplay_host dev_unix_socket:dir { search }; +allow clearplay_host hdf_device_manager:hdf_devmgr_class { get }; +allow clearplay_host hdf_devmgr:binder { call transfer }; +allow clearplay_host hdf_clearplay_service:hdf_devmgr_class { add }; +allow clearplay_host hilog_param:file { open read map }; +allow clearplay_host musl_param:file { open read map }; +allow clearplay_host sa_device_service_manager:samgr_class { get }; +allow clearplay_host samgr:binder { call }; +allow clearplay_host vendor_etc_file:dir { open read getattr search }; +allow clearplay_host vendor_etc_file:file { open read getattr }; +allowxperm clearplay_host dev_hdf_kevent:chr_file ioctl { 0x6202 0x6203 }; +debug_only(` + allow clearplay_host sh:binder { call }; +') + +# avc: denied { map } for pid=491 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=491 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=491 comm="hdf_devhost" name="u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow clearplay_host debug_param:file { map open read }; + +# avc: denied { transfer } for pid=503 comm="IPC_0_516" scontext=u:r:clearplay_host:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow clearplay_host drm_service:binder { transfer }; + +# avc: denied { search } for pid=534 comm="OS_IPC_2_1671" name="/" dev="mmcblk0p15" ino=3 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow clearplay_host data_file:dir { search }; + +# avc: denied { search } for pid=534 comm="OS_IPC_2_1671" name="local" dev="mmcblk0p15" ino=109 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +allow clearplay_host data_local:dir { search }; + +# avc: denied { search } for pid=534 comm="OS_IPC_2_1671" name="traces" dev="mmcblk0p15" ino=113 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=dir permissive=1 +# avc: denied { add_name } for pid=515 comm="OS_IPC_0_578" name="offline_key.txt" scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=515 comm="OS_IPC_0_578" name="traces" dev="mmcblk0p15" ino=115 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=dir permissive=1 +allow clearplay_host data_local_traces:dir { search add_name write }; + +# avc: denied { getattr } for pid=534 comm="OS_IPC_2_1671" path="/data/local/traces/offline_key.txt" dev="mmcblk0p15" ino=2968 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=534 comm="OS_IPC_2_1671" path="/data/local/traces/offline_key.txt" dev="mmcblk0p15" ino=2968 ioctlcmd=0x5413 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +# avc: denied { read write open } for pid=534 comm="OS_IPC_2_1671" path="/data/local/traces/offline_key.txt" dev="mmcblk0p15" ino=2968 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=534 comm="OS_IPC_2_1671" name="offline_key.txt" dev="mmcblk0p15" ino=2968 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +# avc: denied { write } for pid=534 comm="OS_IPC_2_1671" name="offline_key.txt" dev="mmcblk0p15" ino=2968 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +allow clearplay_host data_local_traces:file { getattr ioctl read write open create }; + +# avc: denied { call } for pid=534 comm="OS_IPC_2_1671" scontext=u:r:clearplay_host:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow clearplay_host drm_service:binder { call }; + +# avc: denied { use } for pid=534 comm="OS_IPC_0_564" path="/dev/ashmem" dev="tmpfs" ino=238 scontext=u:r:clearplay_host:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow clearplay_host media_service:fd { use }; + +# avc: denied { ioctl } for pid=534 comm="OS_IPC_2_1671" path="/data/local/traces/offline_key.txt" dev="mmcblk0p15" ino=2968 ioctlcmd=0x5413 scontext=u:r:clearplay_host:s0 tcontext=u:object_r:data_local_traces:s0 tclass=file permissive=1 +allowxperm clearplay_host data_local_traces:file ioctl { 0x5413 }; + +allow clearplay_host hap_domain:fd { use }; + +#avc: denied { get } for service=1151 pid=5890 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1 +allow drm_service sa_net_conn_manager:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..58808cbbe75a7baff7227b95acc2d25407a15cf6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/hdf_devmgr.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:clearplay_host:s0 tclass=binder permissive=1 +allow hdf_devmgr clearplay_host:binder { call transfer }; +allow hdf_devmgr clearplay_host:dir { search }; +allow hdf_devmgr clearplay_host:file { open read }; +allow hdf_devmgr clearplay_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..0473d292c24d82cbf353ca49274c7214276cf36d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/clearplay/vendor/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init clearplay_host:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te new file mode 100644 index 0000000000000000000000000000000000000000..6ee5b79844c1de50bb5df80978fdb21a615c80b9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te @@ -0,0 +1,86 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=343 scontext=u:r:codec_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=codec_hdi_omx_service pid=343 scontext=u:r:codec_host:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=codec_hdi_service pid=354 scontext=u:r:codec_host:s0 tcontext=u:object_r:hdf_codec_hdi_service:s0 tclass=hdf_devmgr_class +#avc: denied { read } for pid=496 comm="IPC_1_599" name="u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:codec_host:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=497 comm="IPC_2_1294" path="/dev/ashmem" dev="tmpfs" ino=190 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +#avc: denied { getattr } for pid=497 comm="omx_msg_hdl" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:codec_host:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=0 +allow codec_host musl_param:file { open map read }; +allow codec_host dev_ashmem_file:chr_file { open }; +allow codec_host hdf_device_manager:hdf_devmgr_class { get }; +allow codec_host hdf_codec_hdi_omx_service:hdf_devmgr_class { add get }; +allow codec_host hdf_codec_image_service:hdf_devmgr_class { add get }; +allow codec_host hdf_codec_component_manager_service:hdf_devmgr_class { add get }; +allow codec_host hdf_codec_hdi_service:hdf_devmgr_class { add get }; +allow codec_host dev_dri_file:dir { search read write }; +allow codec_host allocator_host:fd { use }; +allow codec_host dev_dri_file:chr_file { read write open ioctl }; +allow codec_host dev_mpp:chr_file { read write open ioctl }; +allow codec_host proc_version_file:file { read open getattr }; +allow codec_host sys_file:file { read open }; +allow codec_host dev_rga:chr_file { read write open ioctl }; +allowxperm codec_host dev_mpp:chr_file ioctl 0x7601; +allowxperm codec_host dev_rga:chr_file ioctl { 0x64b2 0x642d 0x641f 0x642e 0x64b4 0x601b 0x5017 }; +allowxperm codec_host dev_dri_file:chr_file ioctl { 0x64b2 0x642d 0x641f 0x642e 0x64b4 }; +allow codec_host hdcd:fd { use }; +allow codec_host devpts:chr_file { read write }; +allow codec_host bootevent_param:file { map open read }; +allow codec_host bootevent_samgr_param:file { map open read }; +allow codec_host build_version_param:file { map open read }; +allow codec_host const_allow_mock_param:file { map open read }; +allow codec_host const_allow_param:file { map open read }; +allow codec_host const_build_param:file { map open read }; +allow codec_host const_display_brightness_param:file { map open read }; +allow codec_host const_param:file { map open read }; +allow codec_host const_postinstall_fstab_param:file { map open read }; +allow codec_host const_postinstall_param:file { map open read }; +allow codec_host const_product_param:file { map open read }; +allow codec_host debug_param:file { map open read }; +allow codec_host default_param:file { map open read }; +allow codec_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow codec_host dev_unix_socket:dir { search }; +allow codec_host distributedsche_param:file { map open read }; +allow codec_host hdf_codec_hdi_service:hdf_devmgr_class { add }; +allow codec_host hdf_devmgr:binder { call transfer }; +allow codec_host hilog_param:file { map open read }; +allow codec_host hw_sc_build_os_param:file { map open read }; +allow codec_host hw_sc_build_param:file { map open read }; +allow codec_host hw_sc_param:file { map open read }; +allow codec_host init_param:file { map open read }; +allow codec_host init_svc_param:file { map open read }; +allow codec_host input_pointer_device_param:file { map open read }; +allow codec_host net_param:file { map open read }; +allow codec_host net_tcp_param:file { map open read }; +allow codec_host ohos_boot_param:file { map open read }; +allow codec_host ohos_param:file { map open read }; +allow codec_host persist_param:file { map open read }; +allow codec_host persist_sys_param:file { map open read }; +allow codec_host sa_device_service_manager:samgr_class { get }; +allow codec_host samgr:binder { call }; +allow codec_host security_param:file { map open read }; +allow codec_host startup_param:file { map open read }; +allow codec_host sys_param:file { map open read }; +allow codec_host system_bin_file:dir { search }; +allow codec_host sys_usb_param:file { map open read }; +allow codec_host vendor_etc_file:dir { search }; +allow codec_host vendor_etc_file:file { getattr open read }; +allow codec_host hap_domain:binder { call transfer }; +allowxperm codec_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +debug_only(` + allow codec_host sh:binder { transfer call }; + allow codec_host sh:fd { use }; + allow codec_host hdcd:fifo_file { write }; + allow codec_host hdcd:fifo_file { read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2e3703cb0a762c4977596231511359cc09a8e1a7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr codec_host:binder { call transfer }; +allow hdf_devmgr codec_host:dir { search }; +allow hdf_devmgr codec_host:file { open read }; +allow hdf_devmgr codec_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..adef6010925c3e21c2686781b2e47c9876c06141 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/codec/vendor/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init codec_host:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/dcamera_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/dcamera_host.te new file mode 100644 index 0000000000000000000000000000000000000000..befcdf459e3eaca934f4c2d5875833c5782e000b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/dcamera_host.te @@ -0,0 +1,118 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=3275 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2073 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=2057 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=1 +#avc: denied { getattr } for pid=2059 comm="dcamera_host" path="/dev/dri/renderD128" dev="tmpfs" ino=92 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=2059 comm="dcamera_host" name="renderD128" dev="tmpfs" ino=92 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=2059 comm="dcamera_host" path="/dev/dri/renderD128" dev="tmpfs" ino=92 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=2059 comm="dcamera_host" path="/dev/dri/renderD128" dev="tmpfs" ino=92 ioctlcmd=0x641f scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=2541 comm="hdf_devhost" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +#avc: denied { search } for pid=2059 comm="dcamera_host" name="dri" dev="tmpfs" ino=91 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=2057 comm="dcamera_host" name="socket" dev="tmpfs" ino=40 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +#avc: denied { get } for service=hdf_device_manager pid=342 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=distributed_camera_provider_service pid=342 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:hdf_distributed_camera_provider_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=distributed_camera_service pid=351 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:hdf_distributed_camera_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { call } for pid=1991 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +#avc: denied { get } for service=5100 pid=2074 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +#avc: denied { use } for pid=2059 comm="dcamera_host" path="/dmabuf:" dev="dmabuf" ino=30969 ioctlcmd=0x6200 scontext=u:r:dcamera_host:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1 +#avc: denied { call } for pid=2059 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=2059 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +#avc: denied { open } for pid=2666 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=57 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2666 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_param:s0" dev="tmpfs" ino=57 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2666 comm="hdf_devhost" name="u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=58 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2666 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:const_postinstall_param:s0" dev="tmpfs" ino=58 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=1 +#avc: denied { call } for pid=2582 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=0 +#avc: denied { read } for pid=3798 comm="hdf_devhost" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0 +#avc: denied { get } for service=3901 pid=3568 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +#avc: denied { call } for pid=2850 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=2850 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 +#avc: denied { read } for pid=2047 comm="hdf_devhost" name="u:object_r:ohos_dev_param:s0" dev="tmpfs" ino=30 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0 +#avc: denied { search } for pid=554 comm="dcamera_host" name="/" dev="tracefs" ino=1 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=557 comm="dcamera_host" name="trace_marker" dev="tracefs" ino=14932 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=536 comm="dcamera_host" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=15109 scontext=u:r:dcamera_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { call transfer } for pid=247 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=599 comm="dcamera_host" scontext=u:r:dcamera_host:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=4125 comm="IPC_0_4135" scontext=u:r:dcamera_host:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +#avc: denied { search } for pid=3252 comm="IPC_1_3267" scontext=u:r:dcamera_host:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=1 +#avc: denied { use } for pid=1203 comm="IPC_2_1541" path="anon_inode:sync_file" dev="anon_inodefs" ino=13318 scontext=u:r:dcamera_host:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1 +allow dcamera_host camera_service:binder { call transfer }; +allow dcamera_host dcamera:binder { call }; +allow dcamera_host dev_console_file:chr_file { read write }; +allow dcamera_host dev_dri_file:chr_file { getattr read write open ioctl }; +allow dcamera_host dev_dri_file:dir { search }; +allow dcamera_host dev_unix_socket:dir { search }; +allow dcamera_host hdf_device_manager:hdf_devmgr_class { get }; +allow dcamera_host hdf_distributed_camera_provider_service:hdf_devmgr_class { add }; +allow dcamera_host hdf_distributed_camera_service:hdf_devmgr_class { add }; +allow dcamera_host hdf_allocator_service:hdf_devmgr_class { get }; +allow dcamera_host hdf_devmgr:binder { call }; +allow dcamera_host sa_device_service_manager:samgr_class { get }; +allow dcamera_host allocator_host:fd { use }; +allow dcamera_host samgr:binder { call }; +debug_only(` + allow dcamera_host sh:binder { call transfer }; +') +allow dcamera_host const_param:file { open read }; +allow dcamera_host const_postinstall_param:file { open map }; +allow dcamera_host allocator_host:binder { call }; +allow dcamera_host accessibility_param:file { read open map }; +allow dcamera_host normal_hap_attr:binder { call }; +allow dcamera_host sa_param_watcher:samgr_class { get }; +allow dcamera_host system_core_hap_attr:binder { call }; +allow dcamera_host render_service:binder { call }; +allow dcamera_host tracefs:dir { search }; +allow dcamera_host tracefs_trace_marker_file:file { write open }; +allow dcamera_host ohos_dev_param:file { read }; +allow dcamera_host media_service:binder { call }; +allow dcamera_host vendor_bin_file:dir { search }; +allow dcamera_host render_service:fd { use }; +allow dcamera_host param_watcher:binder { call transfer }; + +allow dcamera_host bootevent_param:file { map open read }; +allow dcamera_host bootevent_samgr_param:file { map open read }; +allow dcamera_host build_version_param:file { map open read }; +allow dcamera_host const_allow_mock_param:file { map open read }; +allow dcamera_host const_allow_param:file { map open read }; +allow dcamera_host const_build_param:file { map open read }; +allow dcamera_host const_display_brightness_param:file { map open read }; +allow dcamera_host const_param:file { map open read }; +allow dcamera_host const_postinstall_fstab_param:file { map open read }; +allow dcamera_host const_postinstall_param:file { map open read }; +allow dcamera_host const_product_param:file { map open read }; +allow dcamera_host debug_param:file { map open read }; +allow dcamera_host default_param:file { map open read }; +allow dcamera_host dev_hdf_kevent:chr_file { getattr }; +allow dcamera_host distributedsche_param:file { map open read }; +allow dcamera_host hdf_devmgr:binder { transfer }; +allow dcamera_host hilog_param:file { map open read }; +allow dcamera_host hw_sc_build_os_param:file { map open read }; +allow dcamera_host hw_sc_build_param:file { map open read }; +allow dcamera_host hw_sc_param:file { map open read }; +allow dcamera_host init_param:file { map open read }; +allow dcamera_host init_svc_param:file { map open read }; +allow dcamera_host input_pointer_device_param:file { map open read }; +allow dcamera_host net_param:file { map open read }; +allow dcamera_host net_tcp_param:file { map open read }; +allow dcamera_host ohos_boot_param:file { map open read }; +allow dcamera_host ohos_param:file { map open read }; +allow dcamera_host persist_param:file { map open read }; +allow dcamera_host persist_sys_param:file { map open read }; +allow dcamera_host security_param:file { map open read }; +allow dcamera_host startup_param:file { map open read }; +allow dcamera_host sys_param:file { map read read open }; +allow dcamera_host system_bin_file:dir { search }; +allow dcamera_host sys_usb_param:file { map open read }; +allow dcamera_host vendor_etc_file:dir { search }; +allow dcamera_host vendor_etc_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/param_watcher.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..b6bb0727f726caf6f723b2858ba34ddb666146f3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/dcamera/vendor/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher dcamera_host:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te new file mode 100644 index 0000000000000000000000000000000000000000..acf745d4e1e73e667d1037840fdf98c9328e2909 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/allocator_host.te @@ -0,0 +1,59 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow allocator_host accessibility_param:file { map open read }; +allow allocator_host bootevent_param:file { map open read }; +allow allocator_host bootevent_samgr_param:file { map open read }; +allow allocator_host build_version_param:file { map open read }; +allow allocator_host const_allow_mock_param:file { map open read }; +allow allocator_host const_allow_param:file { map open read }; +allow allocator_host const_build_param:file { map open read }; +allow allocator_host const_display_brightness_param:file { map open read }; +allow allocator_host const_param:file { map open read }; +allow allocator_host const_postinstall_fstab_param:file { map open read }; +allow allocator_host const_postinstall_param:file { map open read }; +allow allocator_host const_product_param:file { map open read }; +allow allocator_host debug_param:file { map open read }; +allow allocator_host default_param:file { map open read }; +allow allocator_host dev_dri_file:chr_file { getattr ioctl open read write }; +allow allocator_host dev_dri_file:dir { search }; +allow allocator_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow allocator_host dev_unix_socket:dir { search }; +allow allocator_host distributedsche_param:file { map open read }; +allow allocator_host hdf_allocator_service:hdf_devmgr_class { add }; +allow allocator_host hdf_device_manager:hdf_devmgr_class { get }; +allow allocator_host hdf_devmgr:binder { call transfer }; +allow allocator_host hilog_param:file { map open read }; +allow allocator_host hw_sc_build_os_param:file { map open read }; +allow allocator_host hw_sc_build_param:file { map open read }; +allow allocator_host hw_sc_param:file { map open read }; +allow allocator_host init_param:file { map open read }; +allow allocator_host init_svc_param:file { map open read }; +allow allocator_host input_pointer_device_param:file { map open read }; +allow allocator_host net_param:file { map open read }; +allow allocator_host net_tcp_param:file { map open read }; +allow allocator_host ohos_boot_param:file { map open read }; +allow allocator_host ohos_param:file { map open read }; +allow allocator_host persist_param:file { map open read }; +allow allocator_host persist_sys_param:file { map open read }; +allow allocator_host sa_device_service_manager:samgr_class { get }; +allow allocator_host samgr:binder { call }; +allow allocator_host security_param:file { map open read }; +allow allocator_host startup_param:file { map open read }; +allow allocator_host sys_param:file { map open read }; +allow allocator_host system_bin_file:dir { search }; +allow allocator_host sys_usb_param:file { map open read }; +allow allocator_host vendor_etc_file:dir { search }; +allow allocator_host vendor_etc_file:file { getattr open read }; +allowxperm allocator_host dev_dri_file:chr_file ioctl { 0x641f 0x642d 0x64b2 0x64b4 }; +allowxperm allocator_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/composer_host.te new file mode 100644 index 0000000000000000000000000000000000000000..74faf1fee0925806f43767dfd27de22fa7f16676 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/composer_host.te @@ -0,0 +1,93 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow composer_host accessibility_param:file { map open read }; +allow composer_host allocator_host:fd { use }; +allow composer_host bootanimation:fd { use }; +allow composer_host bootevent_param:file { map open read }; +allow composer_host bootevent_samgr_param:file { map open read }; +allow composer_host build_version_param:file { map open read }; +allow composer_host const_allow_mock_param:file { map open read }; +allow composer_host const_allow_param:file { map open read }; +allow composer_host const_build_param:file { map open read }; +allow composer_host const_display_brightness_param:file { map open read }; +allow composer_host const_param:file { map open read }; +allow composer_host const_postinstall_fstab_param:file { map open read }; +allow composer_host const_postinstall_param:file { map open read }; +allow composer_host const_product_param:file { map open read }; +allow composer_host debug_param:file { map open read }; +allow composer_host default_param:file { map open read }; +allow composer_host dev_ashmem_file:chr_file { open }; +allow composer_host dev_dri_file:chr_file { getattr ioctl open read write }; +allow composer_host dev_dri_file:dir { search }; +allow composer_host dev_graphics_file:chr_file { ioctl open read write }; +allow composer_host dev_graphics_file:dir { search }; +allow composer_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow composer_host dev_rga:chr_file { ioctl open read write }; +allow composer_host dev_unix_socket:dir { search }; +allow composer_host composer_host:netlink_kobject_uevent_socket { bind create read setopt }; +allow composer_host distributedsche_param:file { map open read }; +allow composer_host hdf_device_manager:hdf_devmgr_class { get }; +allow composer_host hdf_devmgr:binder { call transfer }; +allow composer_host hdf_display_composer_service:hdf_devmgr_class { add }; +allow composer_host hilog_param:file { map open read }; +allow composer_host hw_sc_build_os_param:file { map open read }; +allow composer_host hw_sc_build_param:file { map open read }; +allow composer_host hw_sc_param:file { map open read }; +allow composer_host init_param:file { map open read }; +allow composer_host init_svc_param:file { map open read }; +allow composer_host input_pointer_device_param:file { map open read }; +allow composer_host net_param:file { map open read }; +allow composer_host net_tcp_param:file { map open read }; +allow composer_host normal_hap_attr:fd { use }; +allow composer_host ohos_boot_param:file { map read read open }; +allow composer_host ohos_param:file { map open read }; +allow composer_host persist_param:file { map open read }; +allow composer_host persist_sys_param:file { map open read }; +allow composer_host proc_boot_id:file { open read }; +allow composer_host render_service:binder { call }; +allow composer_host render_service:fd { use }; +allow composer_host sa_device_service_manager:samgr_class { get }; +allow composer_host samgr:binder { call }; +allow composer_host security_param:file { map open read }; +allow composer_host startup_param:file { map open read }; +allow composer_host sys_file:file { open read write }; +allow composer_host sys_param:file { map open read }; +allow composer_host system_basic_hap_attr:fd { use }; +allow composer_host system_bin_file:dir { search }; +allow composer_host system_core_hap_attr:fd { use }; +allow composer_host sys_usb_param:file { map open read }; +allow composer_host vendor_etc_file:dir { search }; +allow composer_host vendor_etc_file:file { getattr open read }; +allow composer_host dev_console_file:chr_file { read write }; +allow composer_host musl_param:file { read open map }; +allow composer_host data_file:dir { search }; +allow composer_host allocator_host:binder { call }; +allow composer_host hdf_display_composer_service:hdf_devmgr_class { get add }; +allow composer_host tracefs_trace_marker_file:file { open write }; +allow composer_host tracefs:dir { search }; +allow composer_host param_watcher:binder { call transfer }; +allow composer_host sa_param_watcher:samgr_class { get }; +allow composer_host ffrt_param:parameter_service { set }; +allow composer_host ffrt_param:file { read open map }; + +debug_only(` + allow composer_host sh:fd { use }; + allow composer_host sh:binder { call transfer }; +') + +allowxperm composer_host dev_dri_file:chr_file ioctl { 0x6409 0x640d 0x6411 0x641e 0x641f 0x642d 0x642e 0x643a 0x64a0 0x64a1 0x64a6 0x64a7 0x64aa 0x64af 0x64b2 0x64b4 0x64b5 0x64b6 0x64b8 0x64b9 0x64bc 0x64bd 0x64be }; +allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4611 }; +allowxperm composer_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm composer_host dev_rga:chr_file ioctl { 0x5017 0x601b }; +allow composer_host composer_host:capability {sys_nice}; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..10ff414d1de0a74706fc9bd0cba5cbf77fd2ae05 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/hdf_devmgr.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr allocator_host:binder { call transfer }; +allow hdf_devmgr allocator_host:dir { search }; +allow hdf_devmgr allocator_host:file { open read }; +allow hdf_devmgr allocator_host:process { getattr }; +allow hdf_devmgr composer_host:binder { call transfer }; +allow hdf_devmgr composer_host:dir { search }; +allow hdf_devmgr composer_host:file { open read }; +allow hdf_devmgr composer_host:process { getattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..bf1da94400522383dc72c24bc884e9ce6c653f1c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/display/vendor/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init composer_host:process { rlimitinh siginh transition }; +allow init allocator_host:process { rlimitinh siginh transition }; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te new file mode 100644 index 0000000000000000000000000000000000000000..ad6e41cf34fddf1d39bf1beda822f71192ca870d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/input_user_host.te @@ -0,0 +1,87 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=429 comm="input_user_host" scontext=u:r:input_user_host:s0 tcontext=u:r:mmi_uinput_service:s0 tclass=binder permissive=0 +#avc: denied { get } for service=hdf_device_manager pid=347 scontext=u:r:input_user_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=input_service pid=347 scontext=u:r:input_user_host:s0 tcontext=u:object_r:hdf_input_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { getattr } for pid=477 comm="input_user_host" path="/dev/hdf_input_event3" dev="tmpfs" ino=498 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=0 +#avc: denied { ioctl } for pid=477 comm="input_user_host" path="/dev/hdf_input_event1" dev="tmpfs" ino=199 ioctlcmd=0x6202 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +#avc: denied { ioctl } for pid=420 comm="input_user_host" path="/dev/hdf_input_host" dev="tmpfs" ino=192 ioctlcmd=0x6201 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=0 +#avc: denied { getattr } for pid=420 comm="input_user_host" path="/dev/dev_mgr" dev="tmpfs" ino=189 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_mgr_file:s0 tclass=chr_file permissive=0 +#avc: denied { read write } for pid=420 comm="input_user_host" name="hdf_input_event1" dev="tmpfs" ino=200 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +allow input_user_host hdf_device_manager:hdf_devmgr_class { get }; +allow input_user_host hdf_input_service:hdf_devmgr_class { add }; +allow input_user_host hdf_input_interfaces_service:hdf_devmgr_class { add }; +allow input_user_host sa_device_service_manager:samgr_class { get }; +allow input_user_host dev_hdf_input:chr_file { ioctl open read write getattr setattr }; +allow input_user_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow input_user_host mmi_uinput_service:binder { call }; +allow input_user_host bootevent_param:file { map open read }; +allow input_user_host bootevent_samgr_param:file { map open read }; +allow input_user_host build_version_param:file { map open read }; +allow input_user_host const_allow_mock_param:file { map open read }; +allow input_user_host const_allow_param:file { map open read }; +allow input_user_host const_build_param:file { map open read }; +allow input_user_host const_display_brightness_param:file { map open read }; +allow input_user_host const_param:file { map open read }; +allow input_user_host const_postinstall_fstab_param:file { map open read }; +allow input_user_host const_postinstall_param:file { map open read }; +allow input_user_host const_product_param:file { map open read }; +allow input_user_host debug_param:file { map open read }; +allow input_user_host default_param:file { map open read }; +allow input_user_host dev_hdf_file:chr_file { getattr ioctl open read write }; +allow input_user_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow input_user_host dev_unix_socket:dir { search }; +allow input_user_host distributedsche_param:file { map open read }; +allow input_user_host hdf_devmgr:binder { call transfer }; +allow input_user_host hilog_param:file { map open read }; +allow input_user_host hw_sc_build_os_param:file { map open read }; +allow input_user_host hw_sc_build_param:file { map open read }; +allow input_user_host hw_sc_param:file { map open read }; +allow input_user_host init_param:file { map open read }; +allow input_user_host init_svc_param:file { map open read }; +allow input_user_host input_pointer_device_param:file { map open read }; +allow input_user_host net_param:file { map open read }; +allow input_user_host net_tcp_param:file { map open read }; +allow input_user_host ohos_boot_param:file { map read open }; +allow input_user_host ohos_param:file { map open read }; +allow input_user_host persist_param:file { map open read }; +allow input_user_host persist_sys_param:file { map open read }; +allow input_user_host samgr:binder { call }; +allow input_user_host security_param:file { map open read }; +allow input_user_host startup_param:file { map open read }; +allow input_user_host sys_param:file { map open read }; +allow input_user_host system_bin_file:dir { search }; +allow input_user_host system_bin_file:file { getattr execute read open execute_no_trans map }; +allow input_user_host system_bin_file:lnk_file { read }; +allow input_user_host sys_usb_param:file { map open read }; +allow input_user_host tty_device:chr_file { open read write }; +allow input_user_host vendor_etc_file:dir { search }; +allow input_user_host vendor_etc_file:file { getattr open read }; +allow input_user_host sysfs_devices_system_cpu:file { open read getattr }; +allowxperm input_user_host dev_hdf_file:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm input_user_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm input_user_host dev_hdf_input:chr_file ioctl { 0x6201 0x6202 0x6203 0x6206 }; +allowxperm input_user_host dev_mgr_file:chr_file ioctl 0x6201; + +#avc: denied { add } for service=hid_ddk_service pid=497 scontext=u:r:input_user_host:s0 tcontext=u:object_r:hdf_hid_ddk_service:s0 tclass=hdf_devmgr_class permissive=0 +allow input_user_host hdf_hid_ddk_service:hdf_devmgr_class { add }; + +#avc: denied { write } for pid=522 comm="IPC_1_562" name="uinput" dev="tmpfs" ino=228 scontext=u:r:input_user_host:s0 tcontext=u:object_r:dev_uinput:s0 tclass=chr_file permissive=0 +allow input_user_host dev_uinput:chr_file { write ioctl open }; + +allowxperm input_user_host dev_uinput:chr_file ioctl { 0x5501 0x5502 0x5564 0x5565 0x5566 0x5567 0x5568 0x5569 0x556b 0x556d 0x556e }; + +debug_only(` + allow input_user_host sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/normal_hap.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..40a85347646bdfd11dcce5857a43b304f83381b0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/input/vendor/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr hdf_hid_ddk_service:hdf_devmgr_class { get }; + +allow normal_hap_attr input_user_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file.te new file mode 100644 index 0000000000000000000000000000000000000000..4888b19fa0c535579a0f6924d6081684078d66b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_soundtrigger, dev_attr; +type dev_hifi_misc, dev_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2a79e2038c06b0de063012e40cdf904e873aa931 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/dev/soundtrigger u:object_r:dev_soundtrigger:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..b2b84b5a388e9de82cceac52a78522398d706cb8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/hdf_devmgr.te @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=461 comm="IPC_3_1105" name="1484" dev="proc" ino=15659 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=dir permissive=0 +allow hdf_devmgr intell_voice_host:dir { search }; + +# avc: denied { read } for pid=462 comm="IPC_4_1121" name="current" dev="proc" ino=18729 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=file permissive=0 +# avc: denied { open } for pid=472 comm="IPC_0_482" path="/proc/1293/attr/current" dev="proc" ino=31125 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=file permissive=0 +allow hdf_devmgr intell_voice_host:file { open read }; + +# avc: denied { getattr } for pid=463 comm="IPC_1_474" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 +allow hdf_devmgr intell_voice_host:process { getattr }; + +# avc: denied { transfer } for pid=462 comm="IPC_2_805" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=475 comm="IPC_1_486" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:intell_voice_host:s0 tclass=binder permissive=0 +allow hdf_devmgr intell_voice_host:binder { transfer call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..a47ce6f8e014f5b7d6983a1141ba4a80adaa7479 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transition } for pid=997 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd72" ino=34 scontext=u:r:init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 +# avc: denied { rlimitinh } for pid=1256 comm="hdf_devhost" scontext=u:r:init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 +# avc: denied { siginh } for pid=1256 comm="hdf_devhost" scontext=u:r:init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=0 +allow init intell_voice_host:process { transition rlimitinh siginh }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te new file mode 100644 index 0000000000000000000000000000000000000000..e85e7e014b4f9db27f9acc6796a07f0b32816469 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te @@ -0,0 +1,132 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { add } for service=intell_voice_engine_manager_service pid=1022 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:default_hdf_service:s0 tclass=hdf_devmgr_class permissive=1 +allow intell_voice_host hdf_intell_voice_engine_manager_service:hdf_devmgr_class { add }; + +# avc: denied { get } for service=hdf_device_manager pid=1022 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +allow intell_voice_host hdf_device_manager:hdf_devmgr_class { get }; + +# avc: denied { get } for service=5100 pid=1022 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow intell_voice_host sa_device_service_manager:samgr_class { get }; + +# avc: denied { open } for pid=1394 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=1484 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=1256 comm="hdf_devhost" name="u:object_r:debug_param:s0" dev="tmpfs" ino=140 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow intell_voice_host debug_param:file { open map read }; + +# avc: denied { search } for pid=1506 comm="intell_voice_ho" name="socket" dev="tmpfs" ino=109 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow intell_voice_host dev_unix_socket:dir { search }; + +# avc: denied { open } for pid=1394 comm="hdf_devhost" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=29218 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=1256 comm="hdf_devhost" name="overcommit_memory" dev="proc" ino=28517 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=0 +allow intell_voice_host proc_file:file { open read }; + +# avc: denied { call } for pid=1256 comm="intell_voice_ho" scontext=u:r:intell_voice_host:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 +allow intell_voice_host samgr:binder { call }; + +# avc: denied { open } for pid=1394 comm="hdf_devhost" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=1129 comm="hdf_devhost" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +# avc: denied { read } for pid=1256 comm="hdf_devhost" name="online" dev="sysfs" ino=33295 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow intell_voice_host sysfs_devices_system_cpu:file { open getattr read }; + +# avc: denied { transfer } for pid=1178 comm="intell_voice_ho" scontext=u:r:intell_voice_host:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=1206 comm="intell_voice_ho" scontext=u:r:intell_voice_host:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0 +allow intell_voice_host hdf_devmgr:binder { transfer call }; + +# avc: denied { open } for pid=1394 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=136 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { read } for pid=1506 comm="intell_voice_ho" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=136 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=1484 comm="intell_voice_ho" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=136 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +allow intell_voice_host hilog_param:file { open read map }; + +# avc: denied { search } for pid=1065 comm="intell_voice_ho" name="etc" dev="sdd71" ino=12 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0 +allow intell_voice_host chip_prod_file:dir { search }; + +# avc: denied { getattr } for pid=27925 comm="IPC_1_27937" path="/vendor/etc/audio/intell_voice/wakeup/vpr" dev="sdd72" ino=607 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=1065 comm="intell_voice_ho" name="etc" dev="sdd72" ino=49 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=0 +allow intell_voice_host vendor_etc_file:dir { getattr search }; + +# avc: denied { read } for pid=1051 comm="intell_voice_ho" name="hdf_default.hcb" dev="sdd71" ino=461 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=0 +# avc: denied { open } for pid=1059 comm="intell_voice_ho" path="/chip_prod/etc/hdfconfig/hdf_default.hcb" dev="sdd71" ino=461 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=1064 comm="intell_voice_ho" path="/chip_prod/etc/hdfconfig/hdf_default.hcb" dev="sdd71" ino=461 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=0 +allow intell_voice_host chip_prod_file:file { read open getattr }; + +# avc: denied { search } for pid=7321 comm="dump_tmp_thread" name="bin" dev="sdd74" ino=237 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0 +allow intell_voice_host system_bin_file:dir { search }; + +# avc: denied { call } for pid=19731 comm="IPC_1_19745" scontext=u:r:intell_voice_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=18368 comm="IPC_2_18400" scontext=u:r:intell_voice_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=binder permissive=0 +allow intell_voice_host intell_voice_service:binder { transfer call }; + +# avc: denied { search } for pid=24578 comm="IPC_0_24590" name="/" dev="sdd78" ino=3 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow intell_voice_host data_file:dir { search }; + +# avc: denied { search } for pid=25024 comm="IPC_1_25043" name="service" dev="sdd78" ino=4095 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +allow intell_voice_host data_service_file:dir { search }; + +# avc: denied { open } for pid=4535 comm="IPC_1_4551" path="/data/service/el0/intellligent_voice/wakeup/vpr/vpr/enroll/tmp/pcm" dev="sdd78" ino=3458 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=7450 comm="IPC_0_7463" name="el0" dev="sdd78" ino=4096 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { write } for pid=19731 comm="IPC_1_19745" name="wakeup" dev="sdd78" ino=4379 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=21951 comm="IPC_0_21961" name="dsp" scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=31770 comm="IPC_1_31784" name="dsp" scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=27925 comm="IPC_1_27937" path="/data/service/el0/intellligent_voice/wakeup/vpr" dev="sdd78" ino=3446 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { read } for pid=25908 comm="IPC_1_25919" name="pcm" dev="sdd78" ino=3458 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { remove_name } for pid=18194 comm="IPC_1_18209" name="tmp" dev="sdd78" ino=10104 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +# avc: denied { rmdir } for pid=22108 comm="IPC_0_22126" name="tmp" dev="sdd78" ino=10104 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +allow intell_voice_host data_service_el0_file:dir { open search read write add_name create getattr remove_name rmdir }; + +# avc: denied { getattr } for pid=25908 comm="IPC_1_25919" path="/vendor/etc/audio/intell_voice/wakeup/vpr/vpr_domainDict_03.dat" dev="sdd72" ino=617 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +# avc: denied { open } for pid=25908 comm="IPC_1_25919" path="/vendor/etc/audio/intell_voice/wakeup/ap/wakeup_config.json" dev="sdd72" ino=640 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=27925 comm="IPC_1_27937" name="wakeup_config.json" dev="sdd72" ino=640 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +# avc: denied { map } for pid=4535 comm="IPC_1_4551" path="/vendor/etc/audio/intell_voice/wakeup/ap/condict/kws2_domainDict_01.dat" dev="sdd72" ino=629 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +allow intell_voice_host vendor_etc_file:file { map read getattr open }; + +# avc: denied { create } for pid=25908 comm="IPC_1_25919" name="vpr_history_info.dat" scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { write } for pid=4535 comm="IPC_1_4551" name="vpr_history_info.dat" dev="sdd78" ino=3569 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { write open } for pid=4535 comm="IPC_1_4551" path="/data/service/el0/intellligent_voice/wakeup/tmp/tmpenroll_phrase.txt" dev="sdd78" ino=3571 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=18194 comm="IPC_1_18209" path="/data/service/el0/intellligent_voice/wakeup/tmp/tmpap_fst/tmp/HCLG.fst" dev="sdd78" ino=10107 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=18194 comm="IPC_1_18209" path="/data/service/el0/intellligent_voice/wakeup/tmp/tmpap_fst/tmp/addr_map.txt" dev="sdd78" ino=10110 ioctlcmd=0x5413 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=22108 comm="IPC_0_22126" name="vpr_history_info.dat" dev="sdd78" ino=3569 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { rename } for pid=22108 comm="IPC_0_22126" name="addr_map.txt" dev="sdd78" ino=10110 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { append } for pid=11539 comm="IPC_1_11555" name="pcoffice_wakeup.fst" dev="sdd78" ino=10218 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=5173 comm="IPC_0_5184" name="tmp.pcm" dev="sdd78" ino=10211 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +# avc: denied { map } for pid=11633 comm="AsrEngineThread" path="/data/service/el0/intellligent_voice/wakeup/tmp/tmpap_fst/wakeup.w2p" dev="sdd78" ino=10240 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +allow intell_voice_host data_service_el0_file:file { create map write write open getattr ioctl read rename append unlink }; +allowxperm intell_voice_host data_service_el0_file:file ioctl { 0x5413 }; + +# avc: denied { open } for pid=7263 comm="IPC_3_27758" path="/dev/ashmem" dev="tmpfs" ino=581 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow intell_voice_host dev_ashmem_file:chr_file { open }; + +# avc: denied { read } for pid=7263 comm="AsrEngineThread" name="cpu" dev="sysfs" ino=33293 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=7010 comm="AsrEngineThread" path="/sys/devices/system/cpu" dev="sysfs" ino=33293 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=0 +allow intell_voice_host sysfs_devices_system_cpu:dir { open read }; + +# avc: denied { search } for pid=7243 comm="IPC_0_7253" name="variant" dev="sdd73" ino=98 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=7204 comm="IPC_1_7217" path="/sys_prod/variant/region_comm/china/etc/intellvoice/wakeup/vpr" dev="sdd73" ino=168 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=0 +allow intell_voice_host sys_prod_file:dir { getattr search }; + +# avc: denied { read } for pid=7204 comm="IPC_1_7217" name="wakeup_config.json" dev="sdd73" ino=140 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=6928 comm="IPC_1_6942" path="/sys_prod/variant/region_comm/china/etc/intellvoice/wakeup/vpr/vpr_domainDict_03.dat" dev="sdd73" ino=174 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=6928 comm="IPC_1_6942" name="wakeup_config.json" dev="sdd73" ino=140 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=0 +# avc: denied { open } for pid=7069 comm="IPC_1_7081" path="/sys_prod/variant/region_comm/china/etc/intellvoice/wakeup/vpr/vpr_domainDict_03.dat" dev="sdd73" ino=174 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=0 +# avc: denied { map } for pid=7236 comm="IPC_1_7248" path="/sys_prod/variant/region_comm/china/etc/intellvoice/wakeup/ap/condict/kws2_domainDict_01.dat" dev="sdd73" ino=121 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=0 +allow intell_voice_host sys_prod_file:file { open read map getattr read }; + +# avc: denied { use } for pid=757 comm="IPC_2_3452" path="/dev/ashmem" dev="tmpfs" ino=615 scontext=u:r:intell_voice_host:s0 tcontext=u:r:intell_voice_service:s0 tclass=fd permissive=0 +allow intell_voice_host intell_voice_service:fd { use }; + +# avc_audit_slow:267] avc: denied { write } for pid=4988, comm="/vendor/bin/hdf_devhost" path="/dev/kmsg" dev="" ino=22 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0 +allow intell_voice_host dev_kmsg_file:chr_file { write }; + +# avc_audit_slow:267] avc: denied { read write } for pid=4988, comm="/vendor/bin/hdf_devhost" path="/dev/tty0" dev="" ino=50 scontext=u:r:intell_voice_host:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 +allow intell_voice_host tty_device:chr_file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2415bbc0de1c195ef3522ce87902e830097e0dc8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr light_host:binder { call transfer }; +allow hdf_devmgr light_host:dir { search }; +allow hdf_devmgr light_host:file { open read }; +allow hdf_devmgr light_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..43218610a88bfa77afab4242c8d01dc80aa7f219 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/init.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dontaudit init light_host:process noatsecure; +dontaudit init light_host:process rlimitinh; +dontaudit init light_host:process siginh; +dontaudit init light_host:process transition; + +allow init light_host:process { rlimitinh siginh transition }; +allow init dev_hdf_light:chr_file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/light_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/light_host.te new file mode 100644 index 0000000000000000000000000000000000000000..f1178a4e9f2fbf9f22ffbb03468a69f6bb03ffc9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/light_host.te @@ -0,0 +1,75 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=344 scontext=u:r:light_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=light_interface_service pid=344 scontext=u:r:light_host:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class +allow light_host hdf_device_manager:hdf_devmgr_class { get }; +allow light_host hdf_light_interface_service:hdf_devmgr_class { add }; +allow light_host sa_device_service_manager:samgr_class { get }; +allow light_host vendor_bin_file:file { entrypoint }; +allow light_host dev_hdf_light:chr_file { getattr }; +allow light_host dev_hdf_light:chr_file { ioctl }; +allow light_host dev_hdf_light:chr_file { open }; +allow light_host dev_hdf_light:chr_file { read write }; +allowxperm light_host dev_hdf_light:chr_file ioctl 0x6201; +#avc: denied { search } for pid=466 comm="IPC_1_527" name="/" dev="tracefs" ino=1 scontext=u:r:light_host:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0 +allow light_host tracefs:dir { search }; +#avc: denied { write } for pid=507 comm="IPC_1_587" name="trace_marker" dev="tracefs" ino=19169 scontext=u:r:light_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=530 comm="IPC_1_591" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=18461 scontext=u:r:light_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow light_host tracefs_trace_marker_file:file { write open }; +#avc: denied { call } for pid=530 comm="IPC_1_591" scontext=u:r:light_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=530 comm="IPC_1_591" scontext=u:r:light_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=252 comm="IPC_3_1578" scontext=u:r:param_watcher:s0 tcontext=u:r:light_host:s0 tclass=binder permissive=1 +allow light_host param_watcher:binder { call transfer }; +#avc: denied { get } for service=3901 pid=523 scontext=u:r:light_host:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow light_host sa_param_watcher:samgr_class { get }; + +allow light_host bootevent_param:file { map open read }; +allow light_host bootevent_samgr_param:file { map open read }; +allow light_host build_version_param:file { map open read }; +allow light_host const_allow_mock_param:file { map open read }; +allow light_host const_allow_param:file { map open read }; +allow light_host const_build_param:file { map open read }; +allow light_host const_display_brightness_param:file { map open read }; +allow light_host const_param:file { map open read }; +allow light_host const_postinstall_fstab_param:file { map open read }; +allow light_host const_postinstall_param:file { map open read }; +allow light_host const_product_param:file { map open read }; +allow light_host debug_param:file { map open read }; +allow light_host default_param:file { map open read }; +allow light_host dev_hdf_kevent:chr_file { getattr }; +allow light_host dev_unix_socket:dir { search }; +allow light_host distributedsche_param:file { map open read }; +allow light_host hdf_devmgr:binder { call transfer }; +allow light_host hilog_param:file { map open read }; +allow light_host hw_sc_build_os_param:file { map open read }; +allow light_host hw_sc_build_param:file { map open read }; +allow light_host hw_sc_param:file { map open read }; +allow light_host init_param:file { map open read }; +allow light_host init_svc_param:file { map open read }; +allow light_host input_pointer_device_param:file { map open read }; +allow light_host net_param:file { map open read }; +allow light_host net_tcp_param:file { map open read }; +allow light_host ohos_boot_param:file { map open read }; +allow light_host ohos_param:file { map open read }; +allow light_host persist_param:file { map open read }; +allow light_host persist_sys_param:file { map open read }; +allow light_host samgr:binder { call }; +allow light_host security_param:file { map open read }; +allow light_host startup_param:file { map open read }; +allow light_host sys_param:file { map open read }; +allow light_host system_bin_file:dir { search }; +allow light_host sys_usb_param:file { map open read }; +allow light_host vendor_etc_file:dir { search }; +allow light_host vendor_etc_file:file { getattr open read }; +allow light_host sys_file:file { create }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/param_watcher.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..e766f546e8e528c7ff38311a685eb66edf5f821a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/light/vendor/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher light_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/location/vendor/location_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/location/vendor/location_host.te new file mode 100644 index 0000000000000000000000000000000000000000..887ff40732cc01e32821ee8ec4244b82b70b7c67 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/location/vendor/location_host.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow location_host bootevent_param:file { map open read }; +allow location_host bootevent_samgr_param:file { map open read }; +allow location_host build_version_param:file { map open read }; +allow location_host const_allow_mock_param:file { map open read }; +allow location_host const_allow_param:file { map open read }; +allow location_host const_build_param:file { map open read }; +allow location_host const_display_brightness_param:file { map open read }; +allow location_host const_param:file { map open read }; +allow location_host const_postinstall_fstab_param:file { map open read }; +allow location_host const_postinstall_param:file { map open read }; +allow location_host const_product_param:file { map open read }; +allow location_host data_file:dir { search }; +allow location_host debug_param:file { map open read }; +allow location_host default_param:file { map open read }; +allow location_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow location_host dev_unix_socket:dir { search }; +allow location_host distributedsche_param:file { map open read }; +allow location_host hdf_devmgr:binder { call transfer }; +allow location_host hilog_param:file { map open read }; +allow location_host hw_sc_build_os_param:file { map open read }; +allow location_host hw_sc_build_param:file { map open read }; +allow location_host hw_sc_param:file { map open read }; +allow location_host init_param:file { map open read }; +allow location_host init_svc_param:file { map open read }; +allow location_host input_pointer_device_param:file { map open read }; +allow location_host locationhub:binder { call }; +allow location_host net_param:file { map open read }; +allow location_host net_tcp_param:file { map open read }; +allow location_host ohos_boot_param:file { map open read }; +allow location_host ohos_param:file { map open read }; +allow location_host persist_param:file { map open read }; +allow location_host persist_sys_param:file { map open read }; +allow location_host sa_device_service_manager:samgr_class { get }; +allow location_host samgr:binder { call }; +allow location_host security_param:file { map open read }; +allow location_host startup_param:file { map open read }; +allow location_host sys_param:file { map open read }; +allow location_host system_bin_file:dir { search }; +allow location_host sys_usb_param:file { map open read }; +allow location_host vendor_etc_file:dir { search }; +allow location_host vendor_etc_file:file { getattr open read }; +allowxperm location_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allow location_host musl_param:file { read }; +allow location_host dev_console_file:chr_file { read write }; +allow location_host hdf_device_manager:hdf_devmgr_class { get }; +allow location_host hdf_gnss_interface_service:hdf_devmgr_class { add }; +allow location_host hdf_geofence_interface_service:hdf_devmgr_class { add }; +allow location_host hdf_agnss_interface_service:hdf_devmgr_class { add }; +allow location_host hdf_geofence_intf_service:hdf_devmgr_class { add }; +allow location_host hdf_cellfence_interface_service:hdf_devmgr_class { add }; +allow location_host hdf_cellbatching_interface_service:hdf_devmgr_class { add }; +allow location_host hdf_wififence_interface_service:hdf_devmgr_class { add }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/motion/vendor/motion_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/motion/vendor/motion_host.te new file mode 100644 index 0000000000000000000000000000000000000000..ddcda4c06cf85f0b286fdc222846338cbcb643ef --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/motion/vendor/motion_host.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=346 scontext=u:r:motion_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=motion_interface_service pid=346 scontext=u:r:motion_host:s0 tcontext=u:object_r:hdf_motion_interface_service:s0 tclass=hdf_devmgr_class +allow motion_host hdf_device_manager:hdf_devmgr_class { get }; +allow motion_host hdf_motion_interface_service:hdf_devmgr_class { add }; +allow motion_host sa_device_service_manager:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..79246171fa579984477400871cc5193d55b80253 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr partitionslot_host:binder { call transfer }; +allow hdf_devmgr partitionslot_host:dir { search }; +allow hdf_devmgr partitionslot_host:file { open read }; +allow hdf_devmgr partitionslot_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..dd1c2d2278bec2d60ae02fe98fb0be3713986dcf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init partitionslot_host:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/partitionslot_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/partitionslot_host.te new file mode 100644 index 0000000000000000000000000000000000000000..4b2fbe54bffc8f6c787810f1910057b6fd55f3b1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/partitionslot/vendor/partitionslot_host.te @@ -0,0 +1,68 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow partitionslot_host bootevent_param:file { map open read }; +allow partitionslot_host bootevent_samgr_param:file { map open read }; +allow partitionslot_host build_version_param:file { map open read }; +allow partitionslot_host const_allow_mock_param:file { map open read }; +allow partitionslot_host const_allow_param:file { map open read }; +allow partitionslot_host const_build_param:file { map open read }; +allow partitionslot_host const_display_brightness_param:file { map open read }; +allow partitionslot_host const_param:file { map open read }; +allow partitionslot_host const_postinstall_fstab_param:file { map open read }; +allow partitionslot_host const_postinstall_param:file { map open read }; +allow partitionslot_host const_product_param:file { map open read }; +allow partitionslot_host debug_param:file { map open read }; +allow partitionslot_host default_param:file { map open read }; +allow partitionslot_host dev_block_file:blk_file { read write open }; +allow partitionslot_host dev_block_file:dir { search }; +allow partitionslot_host dev_block_file:lnk_file { read }; +allow partitionslot_host dev_block_volfile:dir { search }; +allow partitionslot_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow partitionslot_host dev_mgr_file:chr_file { getattr }; +allow partitionslot_host dev_unix_socket:dir { search }; +allow partitionslot_host distributedsche_param:file { map open read }; +allow partitionslot_host hdf_devmgr:binder { call transfer }; +allow partitionslot_host hilog_param:file { map open read }; +allow partitionslot_host hw_sc_build_os_param:file { map open read }; +allow partitionslot_host hw_sc_build_param:file { map open read }; +allow partitionslot_host hw_sc_param:file { map open read }; +allow partitionslot_host init_param:file { map open read }; +allow partitionslot_host init_svc_param:file { map open read }; +allow partitionslot_host input_pointer_device_param:file { map open read }; +allow partitionslot_host net_param:file { map open read }; +allow partitionslot_host net_tcp_param:file { map open read }; +allow partitionslot_host ohos_boot_param:file { map open read }; +allow partitionslot_host ohos_param:file { map open read }; +allow partitionslot_host persist_param:file { map open read }; +allow partitionslot_host persist_sys_param:file { map open read }; +allow partitionslot_host proc_cmdline_file:file { open read }; +allow partitionslot_host samgr:binder { call }; +allow partitionslot_host security_param:file { map open read }; +allow partitionslot_host startup_param:file { map open read }; +allow partitionslot_host sys_param:file { map open read }; +allow partitionslot_host sys_usb_param:file { map open read }; +allow partitionslot_host system_bin_file:dir { search }; +allow partitionslot_host vendor_etc_file:dir { search }; +allow partitionslot_host vendor_etc_file:file { getattr open read }; +allow partitionslot_host ohos_boot_param:file { map open read }; +allowxperm partitionslot_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; + +#avc: denied { get } for service=hdf_device_manager pid=379 scontext=u:r:partitionslot_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=partition_slot_service pid=379 scontext=u:r:partitionslot_host:s0 tcontext=u:object_r:hdf_partition_slot_service:s0 tclass=hdf_devmgr_class permissive=1 +allow partitionslot_host hdf_device_manager:hdf_devmgr_class { get }; +allow partitionslot_host hdf_partition_slot_service:hdf_devmgr_class { add }; +allow partitionslot_host sa_device_service_manager:samgr_class { get }; + +allow partitionslot_host updater_block_file:blk_file { read write open }; +allow partitionslot_host updater_block_file:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..5d7aa56dd575c55442d2fd9e598368cd67904e47 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/power u:object_r:data_power:s0 +/data/power/(.*)? u:object_r:data_power:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/init.te new file mode 100644 index 0000000000000000000000000000000000000000..ac2f9de7b903d8f75c2d318088cd1dacf3d8c4a9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_power:file { relabelto }; +allow init data_power:dir { relabelto getattr setattr read }; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/neverallow.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/neverallow.te new file mode 100644 index 0000000000000000000000000000000000000000..b74e5f0fa1c43a4e454bcb3b741222f4c022b0b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/neverallow.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -foundation -powermgr -riladapter_host -hiview_host } hdf_power_interface_service:hdf_devmgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/type.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..144f8d57ce4b2a70b66de57279e3398f01ceaa88 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_power, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/vendor/power_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/vendor/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..0028dcecfe41be3f4d9448943c379e3a38d1a39e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/power/vendor/power_host.te @@ -0,0 +1,87 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=power_interface_service pid=359 scontext=u:r:power_host:s0 tcontext=u:object_r:hdf_power_interface_service:s0 tclass=hdf_devmgr_class +allow power_host hdf_power_interface_service:hdf_devmgr_class { add }; + +#avc: denied { open } for pid=403 comm="power_host" path="/sys/power/state" dev="sysfs" ino=4991 scontext=u:r:power_host:s0 tcontext=u:object_r:sysfs_state:s0 tclass=file permissive=1 +#avc: denied { read write } for pid=403 comm="power_host" name="state" dev="sysfs" ino=4991 scontext=u:r:power_host:s0 tcontext=u:object_r:sysfs_state:s0 tclass=file permissive=1 +allow power_host sysfs_state:file { open read write }; +allow power_host bootevent_param:file { map open read }; +allow power_host bootevent_samgr_param:file { map open read }; +allow power_host build_version_param:file { map open read }; +allow power_host const_allow_mock_param:file { map open read }; +allow power_host const_allow_param:file { map open read }; +allow power_host const_build_param:file { map open read }; +allow power_host const_display_brightness_param:file { map open read }; +allow power_host const_param:file { map open read }; +allow power_host const_postinstall_fstab_param:file { map open read }; +allow power_host const_postinstall_param:file { map open read }; +allow power_host const_product_param:file { map open read }; +allow power_host data_file:dir { search }; +allow power_host data_power:dir { search write add_name remove_name }; +allow power_host data_power:file { create getattr ioctl open read write unlink }; +allow power_host data_log:dir { add_name create getattr search write }; +allow power_host data_log:file { append append open create ioctl open read }; +allow power_host data_service_el0_file:dir { add_name create open read search write }; +allow power_host data_service_el0_file:file { create ioctl open read write getattr }; +allow power_host data_service_file:dir { search }; +allow power_host debug_param:file { map open read }; +allow power_host default_param:file { map open read }; +allow power_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow power_host dev_unix_socket:dir { search }; +allow power_host hiview:unix_dgram_socket { sendto }; +allow power_host self:unix_dgram_socket { getopt setopt }; +allow power_host distributedsche_param:file { map open read }; +allow power_host foundation:binder { call }; +allow power_host hdf_devmgr:binder { call transfer }; +allow power_host hilog_param:file { map open read }; +allow power_host hw_sc_build_os_param:file { map open read }; +allow power_host hw_sc_build_param:file { map open read }; +allow power_host hw_sc_param:file { map open read }; +allow power_host init_param:file { map open read }; +allow power_host init_svc_param:file { map open read }; +allow power_host input_pointer_device_param:file { map open read }; +allow power_host net_param:file { map open read }; +allow power_host net_tcp_param:file { map open read }; +allow power_host ohos_boot_param:file { map open read }; +allow power_host ohos_param:file { map open read }; +allow power_host persist_param:file { map open read }; +allow power_host persist_sys_param:file { map open read }; +allow power_host power_host:netlink_kobject_uevent_socket { bind create setopt read }; +binder_call(power_host, powermgr); +allow power_host samgr:binder { call }; +allow power_host security_param:file { map open read }; +allow power_host startup_param:file { map open read }; +allow power_host sys_file:dir { open read }; +allow power_host sys_file:file { open read getattr }; +allow power_host sysfs_devices_system_cpu:file { open read write }; +allow power_host sysfs_leds:dir { open read }; +allow power_host sysfs_power:file { open read write }; +allow power_host sysfs_wake_lck:file { open read write }; +allow power_host sys_param:file { map open read }; +allow power_host system_bin_file:dir { search }; +allow power_host sys_usb_param:file { map open read }; +allow power_host vendor_etc_file:dir { search }; +allow power_host vendor_etc_file:file { getattr open read }; +allow power_host vendor_etc_thermal_hdi_config_file:file { getattr open read }; +allow power_host hdf_light_interface_service:hdf_devmgr_class { get }; +allow power_host light_host:binder { call }; +allow power_host power_host:capability2 { block_suspend }; +allow power_host dev_block_file:dir { search }; +allow power_host dev_block_file:lnk_file { read }; +allow power_host dev_block_volfile:dir { search }; +allowxperm power_host data_power:file ioctl { 0x660b 0xf520 }; +allowxperm power_host data_log:file ioctl { 0x5413 }; +allowxperm power_host data_service_el0_file:file ioctl { 0x5413 }; +allowxperm power_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..dc99d244ea7e7d7dfeed2345e8443621c30a9e2c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/hdf_devmgr.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr sensor_host:binder { call transfer }; +allow hdf_devmgr sensor_host:dir { search }; +allow hdf_devmgr sensor_host:file { open read }; +allow hdf_devmgr sensor_host:process { getattr }; +allow hdf_devmgr sensors:binder { transfer }; +allow hdf_devmgr sensors:dir { search }; +allow hdf_devmgr sensors:file { open read }; +allow hdf_devmgr sensors:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..3446fa7bc65fe03a1459cb3396ab2b434810e251 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init dev_hdf_sensor_mgr:chr_file { setattr }; +allow init sensor_host:process { rlimitinh siginh transition }; +allow init sensors:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/param_watcher.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..aff0bd85bc8181ed147cc980fb23b86aa92a5868 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=258 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:sensor_host:s0 tclass=binder permissive=1 +allow param_watcher sensor_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te new file mode 100644 index 0000000000000000000000000000000000000000..f63935f742a9fbdc0772d6dc422708e5b3dd9054 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensor_host.te @@ -0,0 +1,82 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=346 scontext=u:r:sensor_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class +#avc: denied { add } for service=sensor_interface_service pid=346 scontext=u:r:sensor_host:s0 tcontext=u:object_r:hdf_sensor_interface_service:s0 tclass=hdf_devmgr_class +allow sensor_host hdf_device_manager:hdf_devmgr_class { get }; +allow sensor_host hdf_sensor_interface_service:hdf_devmgr_class { add }; +allow sensor_host sa_device_service_manager:samgr_class { get }; +allow sensor_host dev_hdf_sensor_mgr:chr_file { ioctl }; +allowxperm sensor_host dev_hdf_sensor_mgr:chr_file ioctl 0x6202; +#avc: denied { ioctl } for pid=468 comm="sensor_host" path="/dev/hdf_sensor_manager_ap" dev="tmpfs" ino=195 ioctlcmd=0x6206 scontext=u:r:sensor_host:s0 tcontext=u:object_r:dev_hdf_sensor_mgr:s0 tclass=chr_file permissive=0 +allow sensor_host dev_hdf_sensor_mgr:chr_file { ioctl }; +allowxperm sensor_host dev_hdf_sensor_mgr:chr_file ioctl 0x6206; +#avc: denied { call } for pid=502 comm="sensor_host" scontext=u:r:sensor_host:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +debug_only(` + allow sensor_host sh:binder { call }; +') +#avc: denied { get } for service=3901 pid=522 scontext=u:r:sensor_host:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow sensor_host sa_param_watcher:samgr_class { get }; +#avc: denied { call } for pid=522 comm="IPC_1_621" scontext=u:r:sensor_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=522 comm="IPC_1_621" scontext=u:r:sensor_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow sensor_host param_watcher:binder { call transfer }; +#avc: denied { write } for pid=522 comm="IPC_1_621" name="trace_marker" dev="tracefs" ino=17434 scontext=u:r:sensor_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=522 comm="IPC_1_621" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=17434 scontext=u:r:sensor_host:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow sensor_host tracefs_trace_marker_file:file { write open }; +#avc: denied { search } for pid=504 comm="IPC_1_628" name="/" dev="tracefs" ino=1 scontext=u:r:sensor_host:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow sensor_host tracefs:dir { search }; + +allow sensor_host bootevent_param:file { map open read }; +allow sensor_host bootevent_samgr_param:file { map open read }; +allow sensor_host build_version_param:file { map open read }; +allow sensor_host const_allow_mock_param:file { map open read }; +allow sensor_host const_allow_param:file { map open read }; +allow sensor_host const_build_param:file { map open read }; +allow sensor_host const_display_brightness_param:file { map open read }; +allow sensor_host const_param:file { map open read }; +allow sensor_host const_postinstall_fstab_param:file { map open read }; +allow sensor_host const_postinstall_param:file { map open read }; +allow sensor_host const_product_param:file { map open read }; +allow sensor_host debug_param:file { map open read }; +allow sensor_host default_param:file { map open read }; +allow sensor_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow sensor_host dev_hdf_sensor_mgr:chr_file { getattr ioctl open read write }; +allow sensor_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow sensor_host dev_unix_socket:dir { search }; +allow sensor_host distributedsche_param:file { map read read open }; +allow sensor_host hdf_devmgr:binder { call transfer }; +allow sensor_host hilog_param:file { map open read }; +allow sensor_host hw_sc_build_os_param:file { map open read }; +allow sensor_host hw_sc_build_param:file { map open read }; +allow sensor_host hw_sc_param:file { map open read }; +allow sensor_host init_param:file { map open read }; +allow sensor_host init_svc_param:file { map open read }; +allow sensor_host input_pointer_device_param:file { map open read }; +allow sensor_host net_param:file { map open read }; +allow sensor_host net_tcp_param:file { map open read }; +allow sensor_host ohos_boot_param:file { map open read }; +allow sensor_host ohos_param:file { map open read }; +allow sensor_host persist_param:file { map open read }; +allow sensor_host persist_sys_param:file { map open read }; +allow sensor_host samgr:binder { call }; +allow sensor_host security_param:file { map open read }; +allow sensor_host sensors:binder { call }; +allow sensor_host startup_param:file { map open read }; +allow sensor_host sys_param:file { map open read }; +allow sensor_host system_bin_file:dir { search }; +allow sensor_host sys_usb_param:file { map open read }; +allow sensor_host vendor_etc_file:dir { search }; +allow sensor_host vendor_etc_file:file { getattr open read }; +allowxperm sensor_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm sensor_host dev_hdf_sensor_mgr:chr_file ioctl { 0x6201 0x6203 }; +allowxperm sensor_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensors.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..2bbfeefe2b28f48187d4e5d64482e4e75c81e8d0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/sensor/vendor/sensors.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sensors sa_miscdevice_service:samgr_class { add }; +allow sensors sa_param_watcher:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/file.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..69e3c4508d61f12c4f34e70f9e826a352e5ec112 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type vendor_etc_thermal_hdi_config_file, vendor_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/parameter.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..f1d4f593b64bbf9c0a125a2e484f3d690744b11b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type thermal_log_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..678c2619c1ef592c2921168ac70bc5878f48daca --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/vendor/etc/thermal_config/hdf/thermal_hdi_config.xml u:object_r:vendor_etc_thermal_hdi_config_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/param_watcher.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..f3affd5b6e440aedffd4052b6cb1b243a3718a7d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/param_watcher.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call transfer } for pid=247 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:power_host:s0 tclass=binder permissive=1 +allow param_watcher power_host :binder { call transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/parameter_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..fcc59cd0eb64dd48ceb08ac7d4248f25c134a51c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.thermal.log. u:object_r:thermal_log_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/power_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..c834b5d1b2bc216cf2aeeff06db573494f18c1b8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/thermal/vendor/power_host.te @@ -0,0 +1,41 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { open } for pid=478 comm="power_host" path="/data/log/thermal/thermal-log/" dev="sysfs" ino=4991 scontext=u:r:power_host:s0 tcontext=u:object_r:sysfs_state:s0 tclass=file permissive=1 +allow power_host data_log:file { getattr open read write unlink }; + +#avc: denied { remove_name } for pid=436 comm="power_host" name="thermal.007.20220724-172607" dev="mmcblk0p11" ino=1436218 scontext=u:r:power_host:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +allow power_host data_log:dir { open read remove_name search write open read remove_name write search }; + +#avc: denied { get } for service=3901 pid=1400 scontext=u:r:power_host:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow power_host sa_param_watcher:samgr_class { get }; + +#avc: denied { call transfer } for pid=464 comm="power_host" scontext=u:r:power_host:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow power_host param_watcher:binder { call transfer }; + +#avc: denied { read } for pid=421 comm="hdf_devhost" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:power_host:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow power_host accessibility_param:file { read }; + +#avc: denied { getattr } for pid=563 comm="IPC_0_636" path="/data/service/el0/thermal/sensor/soc/temp" dev="mmcblk0p12" ino=209 scontext=u:r:power_host:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +allow power_host data_service_el0_file:file { getattr }; + +#avc: denied { getattr } for pid=563 comm="IPC_0_636" path="/sys/devices/virtual/thermal/thermal_zone0/temp" dev="sysfs" ino=5327 scontext=u:r:power_host:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=0 +allow power_host sys_file:file { getattr }; + +#avc: denied { read } for pid=478 comm="IPC_1_543" name="u:object_r:thermal_log_param:s0" dev="tmpfs" ino=80 scontext=u:r:power_host:s0 tcontext=u:object_r:thermal_log_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=491 comm="IPC_1_542" path="/dev/__parameters__/u:object_r:thermal_log_param:s0" dev="tmpfs" ino=80 scontext=u:r:power_host:s0 tcontext=u:object_r:thermal_log_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=485 comm="IPC_1_594" path="/dev/__parameters__/u:object_r:thermal_log_param:s0" dev="tmpfs" ino=80 scontext=u:r:power_host:s0 tcontext=u:object_r:thermal_log_param:s0 tclass=file permissive=0 +allow power_host thermal_log_param:file { open read map }; + +#avc: denied { add } for service=thermal_interface_service pid=359 scontext=u:r:power_host:s0 tcontext=u:object_r:hdf_thermal_interface_service:s0 tclass=hdf_devmgr_class +allow power_host hdf_thermal_interface_service:hdf_devmgr_class { add }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..0277ecbb9843bb747054fcc91cd589f76b2d9bcc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Filesystem types +type dev_usb_accessory_file, dev_attr; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file_contexts b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..1551fe27ca6c03899a1ce510815d9c3357edaffe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/public/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put shorter config ahead; +# root +/dev/usb_accessory u:object_r:dev_usb_accessory_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/console.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/console.te new file mode 100644 index 0000000000000000000000000000000000000000..11739b1a1e4d001124b00f3b6138bd5d571f2d62 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/console.te @@ -0,0 +1,31 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +debug_only(` +allow console dev_usbfn_file:chr_file { getattr }; +allow console hdf_usb_interface_service:hdf_devmgr_class { get }; +allow console hdf_usbfn_mtp_interface_service:hdf_devmgr_class { get }; +allow console hdf_usbfn_cdcacm:hdf_devmgr_class { get }; +allow console sa_usb_service:samgr_class { get }; +allow console sys_usb_param:file { map open read }; +allow console usb_host:binder { call transfer }; +allow console usb_service:binder { call }; +allow console foundation:binder { call transfer }; +allow console param_watcher:binder { call }; +allow console sa_foundation_cesfwk_service:samgr_class { get }; +allow console sa_param_watcher:samgr_class { get }; +allow console tracefs:dir { search }; +allow console tracefs_trace_marker_file:file { open write }; +allow console data_local_tmp:file { create ioctl map write read }; +allowxperm console data_local_tmp:file ioctl 0x5413; +') + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/foundation.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ed54d7ef93a4f79061c5f0dfe00a7261771c993c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +debug_only(` +allow foundation console:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..0da3dd08b8bc5807f8013d5fe96dc70a517281c3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/hdf_devmgr.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +debug_only(` +allow hdf_devmgr console:binder { transfer }; +allow hdf_devmgr console:dir { search }; +allow hdf_devmgr console:file { open read write }; +allow hdf_devmgr console:process { getattr }; +') +allow hdf_devmgr dev_console_file:chr_file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..3e2a06eaf3c063f90846d2e84a9f95532fc5687e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/init.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init configfs:dir { add_name create mounton open read search setattr write remove_name }; +allow init configfs:lnk_file { create unlink }; +allow init usb_host:dir { search }; +allow init usb_host:file { open read }; +allow init usb_host:process { rlimitinh siginh transition getattr }; +allow init data_service_el1_file:dir { relabelto getattr search write add_name remove_name read open setattr }; +allow init data_service_el1_file:file { create write open getattr }; +allow init configfs:file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/normal_hap.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5adca289206a34342c2ebb10a26ca6489cbbcb3c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/normal_hap.te @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=usb_ddk_service pid=1431 scontext=u:r:debug_hap:s0 tcontext=u:object_r:hdf_usb_ddk_service:s0 tclass=hdf_devmgr_class permissive=1 +allow normal_hap_attr hdf_usb_ddk_service:hdf_devmgr_class { get }; + +debug_only(` +# avc: denied { get } for service=usb_interface_service pid=1431 scontext=u:r:debug_hap:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow normal_hap_attr hdf_usb_interface_service:hdf_devmgr_class { get }; +') + +# avc: denied { use } for pid=499 comm="IPC_2_1896" path="/data/service/el1/public/usb/005_003" dev="mmcblk0p14" ino=2577 scontext=u:r:system_core_hap:s0 tcontext=u:r:usb_host:s0 tclass=fd permissive=1 +allow normal_hap_attr usb_host:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/param_watcher.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..c9d646ff620690a02f2487aaaf41bd577114630b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher usb_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/samgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..b60cdd2eb9f40f6ac9e7187dd9905f9a7b04ec7d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/samgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr usb_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0d0c40cb77a0ce1bf6b7442109f5016b8241d1be --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/system_core_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +# avc: denied { get } for service=usb_interface_service pid=1442 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow system_core_hap_attr hdf_usb_interface_service:hdf_devmgr_class { get }; +') + +# avc: denied { use } for pid=499 comm="IPC_2_1896" path="/data/service/el1/public/usb/005_003" dev="mmcblk0p14" ino=2577 scontext=u:r:system_core_hap:s0 tcontext=u:r:usb_host:s0 tclass=fd permissive=1 +allow system_core_hap_attr usb_host:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/udevd.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..d0341ca3fb276b34e0739dad61881f27ef6e5d6e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/udevd.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevd dev_console_file:chr_file { getattr setattr write read }; +allow udevd dev_functionfs_file:chr_file { getattr }; +allow udevd dev_functionfs_file:dir { search }; +allow udevd dev_usbfn_file:chr_file { getattr }; +allow udevd dev_usbfn_file:chr_file { setattr write }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/ueventd.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..623a63cbe76494187c2523a0ac06b30589a408a2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/ueventd.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_console_file:chr_file { getattr read write setattr }; +allow ueventd dev_console_file:dir { search }; +allow ueventd dev_functionfs_file:chr_file { relabelto create unlink }; +allow ueventd dev_functionfs_file:dir { relabelto getattr search write add_name remove_name }; +allow ueventd dev_usbfn_file:chr_file { getattr relabelto setattr unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te new file mode 100644 index 0000000000000000000000000000000000000000..50e71243fd5c3270f75caf958b2a0489c9c7ad10 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te @@ -0,0 +1,144 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usb_host dev_console_file:chr_file { read write }; +allow usb_host sa_usb_service:samgr_class { add }; +allow usb_host data_service_file:dir { search }; +allow usb_host data_service_el1_file:dir { search add_name write}; +allow usb_host data_service_el1_file:file { ioctl open read write getattr create map}; +allow usb_host hdf_usbhost_acm_pnp_service:hdf_devmgr_class { add }; +allow usb_host hdf_usbhost_acm_rawapi_service:hdf_devmgr_class { add }; +allow usb_host hdf_usbhost_ecm_pnp_service:hdf_devmgr_class { add }; +allow usb_host hiview:unix_dgram_socket { sendto }; +allow usb_host usb_host:unix_dgram_socket { getopt }; +allow usb_host usb_host:unix_dgram_socket { setopt }; +allow usb_host musl_param:file { map }; +allow usb_host musl_param:file { open }; +allow usb_host musl_param:file { read }; +allow usb_host param_watcher:binder { call }; +allow usb_host param_watcher:binder { transfer }; +allow usb_host sa_param_watcher:samgr_class { get }; +allow usb_host tracefs:dir { search }; +allow usb_host tracefs_trace_marker_file:file { open }; +allow usb_host tracefs_trace_marker_file:file { write }; +allow usb_host data_local_tmp:file { read write }; +allow usb_host musl_param:file { open read }; +allow usb_host bootevent_param:file { map open read }; +allow usb_host bootevent_samgr_param:file { map open read }; +allow usb_host build_version_param:file { map open read }; +allow usb_host const_allow_mock_param:file { map open read }; +allow usb_host const_allow_param:file { map open read }; +allow usb_host const_build_param:file { map open read }; +allow usb_host const_display_brightness_param:file { map open read }; +allow usb_host const_param:file { map open read }; +allow usb_host const_postinstall_fstab_param:file { map open read }; +allow usb_host const_postinstall_param:file { map open read }; +allow usb_host const_product_param:file { map open read }; +allow usb_host debug_param:file { map open read }; +allow usb_host default_param:file { map open read }; +allow usb_host distributedsche_param:file { map open read }; +allow usb_host hilog_param:file { map open read }; +allow usb_host hw_sc_build_os_param:file { map open read }; +allow usb_host hw_sc_build_param:file { map open read }; +allow usb_host hw_sc_param:file { map open read }; +allow usb_host init_param:file { map open read }; +allow usb_host init_svc_param:file { map open read }; +allow usb_host input_pointer_device_param:file { map open read }; +allow usb_host net_param:file { map open read }; +allow usb_host net_tcp_param:file { map open read }; +allow usb_host ohos_boot_param:file { map open read }; +allow usb_host ohos_param:file { map open read }; +allow usb_host persist_param:file { map open read }; +allow usb_host persist_sys_param:file { map open read }; +allow usb_host security_param:file { map open read }; +allow usb_host startup_param:file { map open read }; +allow usb_host sys_param:file { map open read }; +allow usb_host sys_usb_param:file { map open read }; +allow usb_host hdf_usbfn_cdcacm:hdf_devmgr_class { add }; +allow usb_host hdf_usbfn_cdcecm:hdf_devmgr_class { add }; +allow usb_host hdf_usbfn:hdf_devmgr_class { add }; +allow usb_host hdf_usb_pnp_manager:hdf_devmgr_class { add }; +allow usb_host usb_host:capability { dac_override }; +allow usb_host chip_prod_file:dir { search }; +allow usb_host chip_prod_file:file { getattr open read }; +allow usb_host accessibility_param:file { map open read open read }; +allow usb_host configfs:dir { add_name create open read search write remove_name rmdir }; +allow usb_host configfs:file { create ioctl open read write getattr }; +allow usb_host configfs:lnk_file { create unlink }; +debug_only(` + allow usb_host console:binder { call }; + allow usb_host console:fd { use }; + allow usb_host sh:binder { call }; +') +allow usb_host data_file:dir { search }; +allow usb_host data_init_agent:dir { search }; +allow usb_host data_init_agent:file { ioctl open read append }; +allow usb_host data_log:file { read write }; +allow usb_host debugfs_usb:dir { search }; +allow usb_host debugfs_usb:file { open write }; +allow usb_host dev_bus:dir { search }; +allow usb_host dev_bus_usb_file:chr_file { ioctl map open read write getattr}; +allow usb_host dev_bus_usb_file:dir { search }; +allow usb_host dev_functionfs_file:chr_file { ioctl map open read write getattr }; +allow usb_host dev_functionfs_file:dir { search }; +allow usb_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow usb_host dev_hdf_usb_pnp:chr_file { getattr ioctl open read write }; +allow usb_host dev_usbfn_file:chr_file { getattr ioctl read write open map }; +allow usb_host dev_usbfn_file:dir { search }; +allow usb_host dev_unix_socket:dir { search }; +allow usb_host dev_unix_socket:sock_file { write }; +allow usb_host faultloggerd:fd { use }; +allow usb_host faultloggerd:unix_stream_socket { connectto }; +allow usb_host faultloggerd_socket:sock_file { write }; +allow usb_host hdf_device_manager:hdf_devmgr_class { get }; +allow usb_host hdf_devmgr:binder { call transfer }; +allow usb_host hdf_usb_interface_service:hdf_devmgr_class { add }; +allow usb_host hdf_usbfn_mtp_interface_service:hdf_devmgr_class { add }; +allow usb_host hdf_usb_pnp_manager:hdf_devmgr_class { add }; +allow usb_host hdf_usbd:hdf_devmgr_class { add }; +allow usb_host hdf_usbfn_cdcacm:hdf_devmgr_class { add get }; +allow usb_host hdf_usbfn_cdcecm:hdf_devmgr_class { add get }; +allow usb_host hdf_usbfn:hdf_devmgr_class { add get }; +allow usb_host hdf_usb_ddk_service:hdf_devmgr_class { add }; +allow usb_host hiview:binder { call }; +allow usb_host kernel:unix_stream_socket { connectto }; +allow usb_host paramservice_socket:sock_file { write }; +allow usb_host rootfs:chr_file { read write }; +allow usb_host sa_device_service_manager:samgr_class { get }; +allow usb_host samgr:binder { call }; +allow usb_host sys_param:parameter_service { set }; +allow usb_host system_bin_file:dir { search }; +allow usb_host system_bin_file:file { execute execute_no_trans map read open }; +allow usb_host tty_device:chr_file { open read write }; +allow usb_host usb_service:binder { call }; +allow usb_host vendor_bin_file:file { entrypoint execute map read }; +allow usb_host vendor_etc_file:dir { search }; +allow usb_host vendor_etc_file:file { getattr open read }; +allow usb_host vendor_lib_file:dir { search }; +allow usb_host vendor_lib_file:file { execute getattr map open read }; +allow usb_host samgr:binder { transfer }; +allow usb_host sa_usb_service:samgr_class { get }; +allowxperm usb_host configfs:file ioctl { 0x5413 }; +allowxperm usb_host data_init_agent:file ioctl { 0x5413 }; +allowxperm usb_host dev_bus_usb_file:chr_file ioctl { 0x5500 0x5504 0x5508 0x550b 0x550c 0x550f 0x5510 0x550a 0x5512 0x5516 0x551a 0x551b 0x551f }; +allowxperm usb_host dev_file:chr_file ioctl { 0x6201 0x6202 0x6203 0x6731 0x6732 0x6734 0x673c 0x6782 0x6736 0x673d 0x6735 0x6738 }; +allowxperm usb_host dev_hdf_kevent:chr_file ioctl { 0x6202 0x6201 0x6203 }; +allowxperm usb_host dev_hdf_usb_pnp:chr_file ioctl { 0x6201 0x6202 0x6203 0x6206 }; +# avc: denied { add } for service=5110 pid=512 scontext=u:r:usb_host:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +# avc: denied { get } for service=5110 pid=512 scontext=u:r:usb_host:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1 +allow usb_host sa_hdf_ext_devmgr:samgr_class { add get }; +allow usb_host hdf_ext_devmgr:binder { call }; +allow usb_host sys_usb_param:parameter_service { set }; +allow usb_host normal_hap_attr:fd { use }; +allow usb_host dev_usb_accessory_file:chr_file { open ioctl read write }; +allowxperm usb_host dev_usb_accessory_file:chr_file ioctl { 0x4d01 0x4d02 0x4d03 0x4d04 0x4d06 0x4dc0 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te new file mode 100644 index 0000000000000000000000000000000000000000..83df22eab1f2df98a6abacbc1b776c0edff0fadf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te @@ -0,0 +1,59 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=5100 pid=403 scontext=u:r:face_auth_host:s0 tcontext=u:object_r:default_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=face_auth_interface_service pid=403 scontext=u:r:face_auth_host:s0 tcontext=u:object_r:hdf_face_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=5100 pid=403 scontext=u:r:face_auth_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow face_auth_host hdf_device_manager:hdf_devmgr_class { get }; +allow face_auth_host hdf_face_auth_interface_service:hdf_devmgr_class { add }; +allow face_auth_host sa_device_service_manager:samgr_class { get }; +allow face_auth_host bootevent_param:file { map open read }; +allow face_auth_host bootevent_samgr_param:file { map open read }; +allow face_auth_host build_version_param:file { map open read }; +allow face_auth_host const_allow_mock_param:file { map open read }; +allow face_auth_host const_allow_param:file { map open read }; +allow face_auth_host const_build_param:file { map open read }; +allow face_auth_host const_display_brightness_param:file { map open read }; +allow face_auth_host const_param:file { map open read }; +allow face_auth_host const_postinstall_fstab_param:file { map open read }; +allow face_auth_host const_postinstall_param:file { map open read }; +allow face_auth_host const_product_param:file { map open read }; +allow face_auth_host debug_param:file { map open read }; +allow face_auth_host default_param:file { map open read }; +allow face_auth_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow face_auth_host dev_unix_socket:dir { search }; +allow face_auth_host distributedsche_param:file { map open read }; +allow face_auth_host hdf_devmgr:binder { call transfer }; +allow face_auth_host hilog_param:file { map open read }; +allow face_auth_host hw_sc_build_os_param:file { map open read }; +allow face_auth_host hw_sc_build_param:file { map open read }; +allow face_auth_host hw_sc_param:file { map open read }; +allow face_auth_host init_param:file { map open read }; +allow face_auth_host init_svc_param:file { map open read }; +allow face_auth_host input_pointer_device_param:file { map open read }; +allow face_auth_host net_param:file { map open read }; +allow face_auth_host net_tcp_param:file { map open read }; +allow face_auth_host ohos_boot_param:file { map open read }; +allow face_auth_host ohos_param:file { map open read }; +allow face_auth_host persist_param:file { map open read }; +allow face_auth_host persist_sys_param:file { map open read }; +allow face_auth_host samgr:binder { call }; +allow face_auth_host security_param:file { map open read }; +allow face_auth_host startup_param:file { map open read }; +allow face_auth_host sys_param:file { map open read }; +allow face_auth_host system_bin_file:dir { search }; +allow face_auth_host sys_usb_param:file { map open read }; +allow face_auth_host vendor_etc_file:dir { search }; +allow face_auth_host vendor_etc_file:file { getattr open read }; +allowxperm face_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allow face_auth_host useriam:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te new file mode 100644 index 0000000000000000000000000000000000000000..0c32201be01b3faa6d9b5804ea4bf1af6cd82c1b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te @@ -0,0 +1,59 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=5100 pid=369 scontext=u:r:fingerprint_auth_host:s0 tcontext=u:object_r:default_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=fingerprint_auth_interface_service pid=369 scontext=u:r:fingerprint_auth_host:s0 tcontext=u:object_r:hdf_fingerprint_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=5100 pid=369 scontext=u:r:fingerprint_auth_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow fingerprint_auth_host hdf_device_manager:hdf_devmgr_class { get }; +allow fingerprint_auth_host hdf_fingerprint_auth_interface_service:hdf_devmgr_class { add }; +allow fingerprint_auth_host sa_device_service_manager:samgr_class { get }; +allow fingerprint_auth_host bootevent_param:file { map open read }; +allow fingerprint_auth_host bootevent_samgr_param:file { map open read }; +allow fingerprint_auth_host build_version_param:file { map open read }; +allow fingerprint_auth_host const_allow_mock_param:file { map open read }; +allow fingerprint_auth_host const_allow_param:file { map open read }; +allow fingerprint_auth_host const_build_param:file { map open read }; +allow fingerprint_auth_host const_display_brightness_param:file { map open read }; +allow fingerprint_auth_host const_param:file { map open read }; +allow fingerprint_auth_host const_postinstall_fstab_param:file { map open read }; +allow fingerprint_auth_host const_postinstall_param:file { map open read }; +allow fingerprint_auth_host const_product_param:file { map open read }; +allow fingerprint_auth_host debug_param:file { map open read }; +allow fingerprint_auth_host default_param:file { map open read }; +allow fingerprint_auth_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow fingerprint_auth_host dev_unix_socket:dir { search }; +allow fingerprint_auth_host distributedsche_param:file { map open read }; +allow fingerprint_auth_host hdf_devmgr:binder { call transfer }; +allow fingerprint_auth_host hilog_param:file { map open read }; +allow fingerprint_auth_host hw_sc_build_os_param:file { map open read }; +allow fingerprint_auth_host hw_sc_build_param:file { map open read }; +allow fingerprint_auth_host hw_sc_param:file { map open read }; +allow fingerprint_auth_host init_param:file { map open read }; +allow fingerprint_auth_host init_svc_param:file { map open read }; +allow fingerprint_auth_host input_pointer_device_param:file { map open read }; +allow fingerprint_auth_host net_param:file { map open read }; +allow fingerprint_auth_host net_tcp_param:file { map open read }; +allow fingerprint_auth_host ohos_boot_param:file { map open read }; +allow fingerprint_auth_host ohos_param:file { map open read }; +allow fingerprint_auth_host persist_param:file { map open read }; +allow fingerprint_auth_host persist_sys_param:file { map open read }; +allow fingerprint_auth_host samgr:binder { call }; +allow fingerprint_auth_host security_param:file { map open read }; +allow fingerprint_auth_host startup_param:file { map open read }; +allow fingerprint_auth_host sys_param:file { map open read }; +allow fingerprint_auth_host system_bin_file:dir { search }; +allow fingerprint_auth_host sys_usb_param:file { map open read }; +allow fingerprint_auth_host vendor_etc_file:dir { search }; +allow fingerprint_auth_host vendor_etc_file:file { getattr open read }; +allowxperm fingerprint_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allow fingerprint_auth_host useriam:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8454a040f2ff0ff0616535084c677aecd8584e5a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/hdf_devmgr.te @@ -0,0 +1,39 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr pinauth:binder { call transfer }; +allow hdf_devmgr pinauth:dir { search }; +allow hdf_devmgr pinauth:file { open read }; +allow hdf_devmgr pin_auth_host:binder { call transfer }; +allow hdf_devmgr pin_auth_host:dir { search }; +allow hdf_devmgr pin_auth_host:file { open read }; +allow hdf_devmgr pin_auth_host:process { getattr }; +allow hdf_devmgr pinauth:process { getattr }; + +allow hdf_devmgr user_auth_host:binder { call transfer }; +allow hdf_devmgr user_auth_host:dir { search }; +allow hdf_devmgr user_auth_host:file { open read }; +allow hdf_devmgr user_auth_host:process { getattr }; +allow hdf_devmgr useriam:binder { transfer call }; +allow hdf_devmgr useriam:dir { search }; +allow hdf_devmgr useriam:file { open read }; +allow hdf_devmgr useriam:process { getattr }; + +allow hdf_devmgr face_auth_host:binder { call transfer }; +allow hdf_devmgr face_auth_host:dir { search }; +allow hdf_devmgr face_auth_host:file { open read }; +allow hdf_devmgr face_auth_host:process { getattr }; +allow hdf_devmgr fingerprint_auth_host:binder { call transfer }; +allow hdf_devmgr fingerprint_auth_host:dir { search }; +allow hdf_devmgr fingerprint_auth_host:file { open read }; +allow hdf_devmgr fingerprint_auth_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..e139f78f8722557b0c02cfb1f74350fa530bae5b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/init.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init pin_auth_host:process { rlimitinh siginh transition }; +allow init pinauth:process { rlimitinh siginh transition }; + +allow init user_auth_host:process { rlimitinh siginh transition }; +allow init useriam:dir { search }; +allow init useriam:file { open read }; +allow init useriam:process { getattr rlimitinh siginh transition }; + +allow init face_auth_host:process { rlimitinh siginh transition }; + +allow init fingerprint_auth_host:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te new file mode 100644 index 0000000000000000000000000000000000000000..5e9afd2c62031cfb4c9f3ec19e8d9b049f75ffe0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te @@ -0,0 +1,65 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=5100 pid=402 scontext=u:r:pin_auth_host:s0 tcontext=u:object_r:default_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=pin_auth_interface_service pid=402 scontext=u:r:pin_auth_host:s0 tcontext=u:object_r:hdf_pin_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=5100 pid=402 scontext=u:r:pin_auth_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow pin_auth_host hdf_device_manager:hdf_devmgr_class { get }; +allow pin_auth_host hdf_pin_auth_interface_service:hdf_devmgr_class { add }; +allow pin_auth_host sa_device_service_manager:samgr_class { get }; +allow pin_auth_host data_service_el1_file:file { setattr }; +allow pin_auth_host bootevent_param:file { map open read }; +allow pin_auth_host bootevent_samgr_param:file { map open read }; +allow pin_auth_host build_version_param:file { map open read }; +allow pin_auth_host const_allow_mock_param:file { map open read }; +allow pin_auth_host const_allow_param:file { map open read }; +allow pin_auth_host const_build_param:file { map read open }; +allow pin_auth_host const_display_brightness_param:file { map open read }; +allow pin_auth_host const_param:file { map open read }; +allow pin_auth_host const_postinstall_fstab_param:file { map open read }; +allow pin_auth_host const_postinstall_param:file { map open read }; +allow pin_auth_host const_product_param:file { map open read }; +allow pin_auth_host data_file:dir { search }; +allow pin_auth_host data_service_el1_file:dir { add_name remove_name search write }; +allow pin_auth_host data_service_el1_file:file { create ioctl open read unlink write open getattr }; +allow pin_auth_host data_service_file:dir { search }; +allow pin_auth_host debug_param:file { map open read }; +allow pin_auth_host default_param:file { map open read }; +allow pin_auth_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow pin_auth_host dev_unix_socket:dir { search }; +allow pin_auth_host distributedsche_param:file { map open read }; +allow pin_auth_host hdf_devmgr:binder { call transfer }; +allow pin_auth_host hilog_param:file { map open read }; +allow pin_auth_host hw_sc_build_os_param:file { map open read }; +allow pin_auth_host hw_sc_build_param:file { map open read }; +allow pin_auth_host hw_sc_param:file { map open read }; +allow pin_auth_host init_param:file { map open read }; +allow pin_auth_host init_svc_param:file { map open read }; +allow pin_auth_host input_pointer_device_param:file { map open read }; +allow pin_auth_host net_param:file { map open read }; +allow pin_auth_host net_tcp_param:file { map open read }; +allow pin_auth_host ohos_boot_param:file { map open read }; +allow pin_auth_host ohos_param:file { map open read }; +allow pin_auth_host persist_param:file { map open read }; +allow pin_auth_host persist_sys_param:file { map open read }; +allow pin_auth_host pinauth:binder { call transfer }; +allow pin_auth_host samgr:binder { call }; +allow pin_auth_host security_param:file { map open read }; +allow pin_auth_host startup_param:file { map open read }; +allow pin_auth_host sys_param:file { map open read }; +allow pin_auth_host system_bin_file:dir { search }; +allow pin_auth_host sys_usb_param:file { map open read }; +allow pin_auth_host vendor_etc_file:dir { search }; +allow pin_auth_host vendor_etc_file:file { getattr open read }; +allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 }; +allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te new file mode 100644 index 0000000000000000000000000000000000000000..1c44e8d832d8e80c4238228cc04af03b5cd53608 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/useriam/vendor/user_auth_host.te @@ -0,0 +1,65 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=364 scontext=u:r:user_auth_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=user_auth_interface_service pid=364 scontext=u:r:user_auth_host:s0 tcontext=u:object_r:hdf_user_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { get } for service=5100 pid=364 scontext=u:r:user_auth_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow user_auth_host hdf_device_manager:hdf_devmgr_class { get }; +allow user_auth_host hdf_user_auth_interface_service:hdf_devmgr_class { add }; +allow user_auth_host sa_device_service_manager:samgr_class { get }; +allow user_auth_host data_service_el1_file:file { setattr }; +allow user_auth_host bootevent_param:file { map open read }; +allow user_auth_host bootevent_samgr_param:file { map open read }; +allow user_auth_host build_version_param:file { map open read }; +allow user_auth_host const_allow_mock_param:file { map open read }; +allow user_auth_host const_allow_param:file { map open read }; +allow user_auth_host const_build_param:file { map read open }; +allow user_auth_host const_display_brightness_param:file { map open read }; +allow user_auth_host const_param:file { map open read }; +allow user_auth_host const_postinstall_fstab_param:file { map open read }; +allow user_auth_host const_postinstall_param:file { map open read }; +allow user_auth_host const_product_param:file { map open read }; +allow user_auth_host data_file:dir { search }; +allow user_auth_host data_service_el1_file:dir { add_name search write }; +allow user_auth_host data_service_el1_file:file { create ioctl open read write open getattr }; +allow user_auth_host data_service_file:dir { search }; +allow user_auth_host debug_param:file { map open read }; +allow user_auth_host default_param:file { map open read }; +allow user_auth_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow user_auth_host dev_unix_socket:dir { search }; +allow user_auth_host distributedsche_param:file { map open read }; +allow user_auth_host hdf_devmgr:binder { call transfer }; +allow user_auth_host hilog_param:file { map open read }; +allow user_auth_host hw_sc_build_os_param:file { map open read }; +allow user_auth_host hw_sc_build_param:file { map open read }; +allow user_auth_host hw_sc_param:file { map open read }; +allow user_auth_host init_param:file { map open read }; +allow user_auth_host init_svc_param:file { map open read }; +allow user_auth_host input_pointer_device_param:file { map open read }; +allow user_auth_host net_param:file { map open read }; +allow user_auth_host net_tcp_param:file { map open read }; +allow user_auth_host ohos_boot_param:file { map open read }; +allow user_auth_host ohos_param:file { map open read }; +allow user_auth_host persist_param:file { map open read }; +allow user_auth_host persist_sys_param:file { map open read }; +allow user_auth_host samgr:binder { call }; +allow user_auth_host security_param:file { map open read }; +allow user_auth_host startup_param:file { map open read }; +allow user_auth_host sys_param:file { map open read }; +allow user_auth_host system_bin_file:dir { search }; +allow user_auth_host sys_usb_param:file { map open read }; +allow user_auth_host vendor_etc_file:dir { search }; +allow user_auth_host vendor_etc_file:file { getattr open read }; +allowxperm user_auth_host data_service_el1_file:file ioctl { 0x5413 }; +allowxperm user_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allow user_auth_host useriam:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8b8c5cf3017c1e9e0d72569d19a35061681e3586 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr vibrator_host:binder { call transfer }; +allow hdf_devmgr vibrator_host:dir { search }; +allow hdf_devmgr vibrator_host:file { open read }; +allow hdf_devmgr vibrator_host:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..125a0fb156e57841f86fe31237b4b61e8348d366 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init dev_hdf_misc_vibrator:chr_file { setattr }; +allow init vibrator_host:process { rlimitinh siginh transition }; +allow init dev_hdf_misc_vibrator:chr_file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te new file mode 100644 index 0000000000000000000000000000000000000000..c11a6d69bf61e3af3d5d059ae2a370f335a99572 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/vibrator/vendor/vibrator_host.te @@ -0,0 +1,62 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=hdf_device_manager pid=345 scontext=u:r:vibrator_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +#avc: denied { add } for service=vibrator_interface_service pid=345 scontext=u:r:vibrator_host:s0 tcontext=u:object_r:hdf_vibrator_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow vibrator_host hdf_device_manager:hdf_devmgr_class { get }; +allow vibrator_host hdf_vibrator_interface_service:hdf_devmgr_class { add }; +allow vibrator_host sa_device_service_manager:samgr_class { get }; +allow vibrator_host dev_hdf_misc_vibrator:chr_file { getattr }; +allow vibrator_host dev_hdf_misc_vibrator:chr_file { ioctl }; +allow vibrator_host dev_hdf_misc_vibrator:chr_file { open }; +allow vibrator_host dev_hdf_misc_vibrator:chr_file { read write }; +allowxperm vibrator_host dev_hdf_misc_vibrator:chr_file ioctl 0x6201; + +allow vibrator_host bootevent_param:file { map open read }; +allow vibrator_host bootevent_samgr_param:file { map open read }; +allow vibrator_host build_version_param:file { map open read }; +allow vibrator_host const_allow_mock_param:file { map open read }; +allow vibrator_host const_allow_param:file { map open read }; +allow vibrator_host const_build_param:file { map open read }; +allow vibrator_host const_display_brightness_param:file { map open read }; +allow vibrator_host const_param:file { map open read }; +allow vibrator_host const_postinstall_fstab_param:file { map open read }; +allow vibrator_host const_postinstall_param:file { map open read }; +allow vibrator_host const_product_param:file { map open read }; +allow vibrator_host debug_param:file { map open read }; +allow vibrator_host default_param:file { map open read }; +allow vibrator_host dev_hdf_kevent:chr_file { getattr }; +allow vibrator_host dev_unix_socket:dir { search }; +allow vibrator_host distributedsche_param:file { map open read }; +allow vibrator_host hdf_devmgr:binder { call transfer }; +allow vibrator_host hilog_param:file { map open read }; +allow vibrator_host hw_sc_build_os_param:file { map open read }; +allow vibrator_host hw_sc_build_param:file { map open read }; +allow vibrator_host hw_sc_param:file { map open read }; +allow vibrator_host init_param:file { map open read }; +allow vibrator_host init_svc_param:file { map open read }; +allow vibrator_host input_pointer_device_param:file { map open read }; +allow vibrator_host net_param:file { map open read }; +allow vibrator_host net_tcp_param:file { map open read }; +allow vibrator_host ohos_boot_param:file { map open read }; +allow vibrator_host ohos_param:file { map open read }; +allow vibrator_host persist_param:file { map open read }; +allow vibrator_host persist_sys_param:file { map open read }; +allow vibrator_host samgr:binder { call }; +allow vibrator_host security_param:file { map open read }; +allow vibrator_host startup_param:file { map open read }; +allow vibrator_host sys_param:file { map open read }; +allow vibrator_host system_bin_file:dir { search }; +allow vibrator_host sys_usb_param:file { map open read }; +allow vibrator_host vendor_etc_file:dir { search }; +allow vibrator_host vendor_etc_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/system/wifi_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/system/wifi_host.te new file mode 100644 index 0000000000000000000000000000000000000000..27da3c5215032a88665ac1fa90c3cebf6792f145 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/system/wifi_host.te @@ -0,0 +1,37 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for scontext=u:r:wifi_host:s0 tcontext=u:r:sa_cert_manager_service:s0 tclass=samgr_class permissive=1 +allow wifi_host sa_cert_manager_service:samgr_class { get }; + +# avc: denied { call } for scontext=u:r:wifi_host:s0 tcontext=u:r:cert_manager_service:s0 tclass=binder permissive=1 +allow wifi_host cert_manager_service:binder { call }; + +# avc: denied { write } for scontext=u:r:wifi_host:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow wifi_host dev_kmsg_file:chr_file { write }; + +# avc: denied { add } for scontext=u:r:wifi_host:s0 tcontext=u:r:hdf_chip_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_host hdf_chip_interface_service:hdf_devmgr_class { add }; + +# avc: denied { transfer } for scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow wifi_host wifi_manager_service:binder { transfer }; + +# avc: denied { write } for scontext=u:r:wifi_host:s0 tcontext=u:r:paramservice_socket:s0 tclass=sock_file permissive=1 +allow wifi_host paramservice_socket:sock_file { write }; + +# avc: denied { connectto } for scontext=u:r:wifi_host:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 +allow wifi_host kernel:unix_stream_socket { connectto }; + +# avc: denied { nlmsg_read } for scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=netlink_route_socket permissive=1 +allow wifi_host wifi_host:netlink_route_socket { nlmsg_read nlmsg_readpriv }; + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/console.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/console.te new file mode 100644 index 0000000000000000000000000000000000000000..50dc55aae10ec92e52cd1f7a6729e20ddd114365 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/console.te @@ -0,0 +1,37 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +debug_only(` + #avc: denied { ioctl } for pid=2072 com="hdf_hal_wifi" ath="/dev/hdfwifi" dev="tmpfs" ino=192 ioctlcmd=0x6206 scontext=u:r:console:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 + allow console dev_hdfwifi:chr_file { ioctl }; + + #avc: denied { call } for pid=2094 comm="WlanHdiServiceT" scontext=u:r:console:s0 tcontext=u:r:wifi_host:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=2094 comm="WlanHdiServiceT" scontext=u:r:console:s0 tcontext=u:r:wifi_host:s0 tclass=binder permissive=1 + allow console wifi_host:binder { call transfer }; + + #avc: denied { get } for service=wlan_interface_service pid=1852 scontext=u:r:console:s0 tcontext=u:object_r:hdf_wlan_interface_service:s0 tclass=hdf_devmgr_class permissive=1 + #avc: denied { get } for service=wlan_interface_service pid=1852 scontext=u:r:console:s0 tcontext=u:object_r:hdf_wlan_interface_service:s0 tclass=hdf_devmgr_class permissive=1 + allow console hdf_wlan_interface_service:hdf_devmgr_class { get }; + + #denied { call } for pid=1986 comm="WlanHdiServiceT" scontext=u:r:console:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 + allow console hdf_devmgr:binder { call }; + + #avc: denied { read } for pid=449 comm="sh" name="/" dev="mmcblk0p11" ino=3 scontext=u:r:console:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 + #avc: denied { open } for pid=449 comm="sh" path="/data" dev="mmcblk0p11" ino=3 scontext=u:r:console:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 + allow console data_file:dir { read open }; + + #avc: denied { read open } for pid=1995 comm="sh" path="/data/WlanHdiServiceTestC" dev="mmcblk0p11" ino=895 scontext=u:r:console:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 + #avc: denied { getattr } for pid=430 comm="sh" path="/data/WlanHdiServiceTestC" dev="mmcblk0p11" ino=4099 scontext=u:r:console:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 + #avc: denied { map } for pid=2058 comm="WlanHdiServiceT" path="/data/WlanHdiServiceTestC" dev="mmcblk0p11" ino=4099 scontext=u:r:console:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 + allow console data_file:file { map read open getattr }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..d4215e3e857b691650c305d82a492745e1e7f0f8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/hdf_devmgr.te @@ -0,0 +1,31 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr wifi_host:binder { call transfer }; +allow hdf_devmgr wifi_host:dir { search }; +allow hdf_devmgr wifi_host:file { open read }; +allow hdf_devmgr wifi_host:process { getattr }; +debug_only(` + #avc: denied { search } for pid=240 comm="hdf_devmgr" name="1833" dev="proc" ino=29030 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:console:s0 tclass=dir permissive=0 + allow hdf_devmgr console:dir { search }; + + #avc: denied { read } for pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=28354 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:console:s0 tclass=file permissive=1 + #avc: denied { open } for pid=241 comm="f_devmgr" path="/proc/2094/attr/current" dev="proc" ino=28354 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:console:s0 tclass=file permissive=1 + allow hdf_devmgr console:file { read open }; + + #avc: denied { getattr } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:console:s0 tclass=process permissive=1 + allow hdf_devmgr console:process { getattr }; + + #avc: denied { transfer } for pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:console:s0 tclass=binder permissive=1 + allow hdf_devmgr console:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/init.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..7908b6df05274f5696ad1a3c52d3af8556d71654 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init wifi_host:process { rlimitinh siginh transition }; +allow init dev_hdfwifi:chr_file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/processdump.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..26584ec4a3f3927334e8f9de656102fe6af7ac49 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/processdump.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read } for pid=1836 comm="processdump" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:processdump:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0 +allow processdump accessibility_param:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/samgr.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..18632b313878267abc5302288153f94b23b16bcd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/samgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr wifi_host:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/ueventd.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..e820de35aff0a7fc5f6260d5a67f9d4de0bdde2e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/ueventd.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { relabelto } for pid=222 comm="ueventd" name="hdfwifi" dev="tmpfs" ino=192 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=0 +allow ueventd dev_hdfwifi:chr_file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te new file mode 100644 index 0000000000000000000000000000000000000000..d56cc36c0d92564ddbf63e7509c71ff5da5b95e8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/drivers/peripheral/wlan/vendor/wifi_host.te @@ -0,0 +1,179 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_host bootevent_param:file { map open read }; +allow wifi_host bootevent_samgr_param:file { map open read }; +allow wifi_host build_version_param:file { map open read }; +allow wifi_host const_allow_mock_param:file { map read read open }; +allow wifi_host const_allow_param:file { map open read }; +allow wifi_host const_build_param:file { map open read }; +allow wifi_host const_display_brightness_param:file { map open read }; +allow wifi_host const_param:file { map open read }; +allow wifi_host const_postinstall_fstab_param:file { map open read }; +allow wifi_host const_postinstall_param:file { map open read }; +allow wifi_host const_product_param:file { map open read }; +allow wifi_host debug_param:file { map open read }; +allow wifi_host default_param:file { map open read }; +allow wifi_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow wifi_host dev_unix_socket:dir { search }; +allow wifi_host distributedsche_param:file { map open read }; +allow wifi_host hdf_devmgr:binder { call transfer }; +allow wifi_host hdf_wlan_hal_c_service:hdf_devmgr_class { add }; +allow wifi_host hilog_param:file { map open read }; +allow wifi_host hw_sc_build_os_param:file { map read read open }; +allow wifi_host hw_sc_build_param:file { map open read }; +allow wifi_host hw_sc_param:file { map open read }; +allow wifi_host init_param:file { map open read }; +allow wifi_host init_svc_param:file { map open read }; +allow wifi_host input_pointer_device_param:file { map open read }; +allow wifi_host net_param:file { map open read }; +allow wifi_host net_tcp_param:file { map open read }; +allow wifi_host ohos_boot_param:file { map open read }; +allow wifi_host ohos_param:file { map read read open }; +allow wifi_host persist_param:file { map open read }; +allow wifi_host persist_sys_param:file { map open read }; +allow wifi_host sa_device_service_manager:samgr_class { get }; +allow wifi_host samgr:binder { call transfer }; +allow wifi_host security_param:file { map open read }; +allow wifi_host startup_param:file { map open read }; +allow wifi_host sys_param:file { map open read }; +allow wifi_host system_bin_file:dir { search }; +allow wifi_host sys_usb_param:file { map open read }; +allow wifi_host vendor_etc_file:dir { search }; +allow wifi_host vendor_etc_file:file { getattr open read }; +allow wifi_host wifi_hal_service:binder { call }; +allow wifi_host wifi_manager_service:binder { call }; +allowxperm wifi_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; + +#avc: denied { get } for service=hdf_device_manager pid=358 scontext=u:r:wifi_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_host hdf_device_manager:hdf_devmgr_class { get }; + +#avc: denied { add } for service=wlan_interface_service pid=569 scontext=u:r:wifi_host:s0 tcontext=u:object_r:default_hdf_service:s0 tclass=hdf_devmgr_class permissive=1 +allow wifi_host hdf_wlan_interface_service:hdf_devmgr_class { add }; + +#avc: denied { get } for service=5100 pid=569 scontext=u:r:wifi_host:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow wifi_host sa_device_service_manager:samgr_class { get }; + +#avc: denied { getattr } for pid=459 comm="wifi_host" path="" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=459 comm="wifi_host" name="hdfwifi" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=459 comm="wifi_host" path="/dev/hdfwifi" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=459 comm="wifi_host" path="/dev/hdfwifi" dev="tmpfs" ino=192 ioctlcmd=0x6203 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=459 comm="wifi_host" path="/dev/hdfwifi" dev="tmpfs" ino=192 ioctlcmd=0x6206 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { getattr } for pid=459 comm="wifi_host" path="/dev/hdfwifi" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=459 comm="wifi_host" name="hdfwifi" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=459 comm="wifi_host" path="/dev/hdfwifi" dev="tmpfs" ino=192 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdfwifi:s0 tclass=chr_file permissive=1 +allow wifi_host dev_hdfwifi:chr_file { open read write getattr ioctl }; + +debug_only(` + #avc: denied { call } for pid=456 comm="wifi_host" scontext=u:r:wifi_host:s0 tcontext=u:r:console:s0 tclass=binder permissive=0 + allow wifi_host console:binder { call }; + + #avc: denied { call} for pid=448 comm="wifi_host" scontext=u:r:wifi_host:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 + allow wifi_host sh:binder { call }; +') + +allow wifi_host chip_prod_file:dir { search }; +allow wifi_host dev_console_file:chr_file { read write }; + +allow wifi_host hdf_wpa_interface_service:hdf_devmgr_class { add }; +allow wifi_host musl_param:file { open read map }; + +allow wifi_host data_service_el1_file:file { create read write open getattr ioctl rename append unlink }; +allow wifi_host data_service_el1_file:sock_file { write setattr getattr unlink create }; +allow wifi_host data_service_el1_file:dir { create search write getattr add_name remove_name rmdir }; +allow wifi_host wifi_host:netlink_generic_socket { bind create getattr read setopt write }; +allow wifi_host dev_unix_socket:sock_file { write }; +#avc: denied { create } for pid=521 comm="IPC_1_583" scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=netlink_route_socket permissive=0 +allow wifi_host wifi_host:netlink_route_socket { bind create nlmsg_write read write }; +allow wifi_host wifi_host:packet_socket { bind create ioctl read setopt write }; +allow wifi_host wifi_host:udp_socket { bind connect create ioctl read write }; +allow wifi_host faultloggerd:fd { use }; +allow wifi_host faultloggerd:unix_stream_socket { connectto }; +allow wifi_host hiview:binder { call }; +allow wifi_host kernel:system { module_request }; +allow wifi_host node:udp_socket { node_bind }; +allow wifi_host port:udp_socket { name_bind }; +allow wifi_host vendor_lib_file:dir { search }; +allow wifi_host vendor_lib_file:file { execute getattr map open read }; +allow wifi_host huks_service:binder { call }; +allowxperm wifi_host wifi_host:packet_socket ioctl { 0x8927 0x8933 }; +allowxperm wifi_host wifi_host:udp_socket ioctl { 0x8913 0x8914 0x8915 0x8927 0x8b0d 0x8bf7 0x8933 0x8910 }; +allowxperm wifi_host wifi_host:unix_dgram_socket ioctl { 0x8933 0x5411 }; +allow wifi_host wifi_host:unix_dgram_socket { setattr }; +allow wifi_host wifi_host:unix_dgram_socket { sendto }; +allow wifi_host wifi_host:unix_dgram_socket { read }; +allow wifi_host wifi_host:unix_dgram_socket { getopt }; +allow wifi_host wifi_host:unix_dgram_socket { ioctl }; +allow wifi_host dev_hdfwifi:chr_file { read open write getattr ioctl }; +allow wifi_host data_local_tmp:dir { getattr read }; +allow wifi_host sys_file:file { read write open }; +allow wifi_host chip_prod_file:file { getattr open read }; +allow wifi_host data_vendor:dir { search }; + +#avc: denied { transition } for pid=1441 comm="init" path="/vendor/bin/hdf_devhost" dev="mmcblk0p8" ino=13 scontext=u:r:chipset_init:s0 tcontext=u:r:wifi_host:s0 tclass=process permissive=0 +allow chipset_init wifi_host:process { rlimitinh siginh transition }; + +#avc: denied { bind } for pid=1414 comm="WpaMainThread" scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=unix_dgram_socket permissive=0 +allow wifi_host wifi_host:unix_dgram_socket { bind }; + +#avc: denied { search } for pid=516 comm="IPC_1_584" name="/" dev="mmcblk0p14" ino=3 scontext=u:r:wifi_host:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow wifi_host data_file:dir { search }; + +#avc: denied { search } for pid=508 comm="IPC_1_550" name="service" dev="mmcblk0p14" ino=8 scontext=u:r:wifi_host:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +allow wifi_host data_service_file:dir { search }; + +#avc: denied { ioctl } for pid=532 comm="WpaMainThread" path="socket:[29690]" dev="sockfs" ino=29690 ioctlcmd=0x8910 scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=unix_dgram_socket permissive=0 +allowxperm wifi_host wifi_host:unix_dgram_socket ioctl { 0x8910 }; + +#avc: denied { search } for pid=532 comm="IPC_1_574" name="misc" dev="mmcblk0p14" ino=97 scontext=u:r:wifi_host:s0 tcontext=u:object_r:data_misc:s0 tclass=dir permissive=0 +allow wifi_host data_misc:dir { add_name remove_name search write }; +allow wifi_host data_misc:file { ioctl rename unlink }; +allow wifi_host data_misc:sock_file { create unlink }; +allowxperm wifi_host data_misc:file ioctl { 0x5413 }; + +#avc: denied { dac_override } for pid=1621 comm="wifi_host" capability=1 scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=capability permissive=0 +#avc: denied { dac_override } for pid=1359 comm="wifi_host" capability=1 scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=capability permissive=0 +#avc: denied { dac_override } for pid=1621 comm="IPC_1_1625" capability=1 scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=capability permissive=0 +#allow wifi_host wifi_host:capability { dac_override }; + +#avc: denied { dac_read_search } for pid=1621 comm="IPC_1_1625" capability=2 scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=capability permissive=0 +allow wifi_host wifi_host:capability { dac_read_search }; + +allow wifi_host wifi_host:capability { net_admin net_raw }; + +#avc: denied { read } for pid=1374 comm="IPC_1_1379" name="rfkill" dev="tmpfs" ino=219 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_rfkill:s0 tclass=chr_file permissive=0 +#avc: denied { open } for pid=1387 comm="IPC_1_1389" path="/dev/rfkill" dev="tmpfs" ino=219 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_rfkill:s0 tclass=chr_file permissive=0 +allow wifi_host dev_rfkill:chr_file { read open }; + +#avc: denied { ioctl } for pid=1374 comm="evt_list_1380" path="/dev/hdf_kevent" dev="tmpfs" ino=259 ioctlcmd=0x6201 scontext=u:r:wifi_host:s0 tcontext=u:object_r:dev_hdf_kevent:s0 tclass=chr_file permissive=0 +allow wifi_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allowxperm wifi_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 }; + +#avc: denied { sendto } for pid=533 comm="WpaMainThread" path="/data/service/el1/public/wifi/wpa_ctrl_499-1" scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_hal_service:s0 tclass=unix_dgram_socket permissive=1 +allow wifi_host wifi_hal_service:unix_dgram_socket { sendto }; + +allow wifi_host hdf_hostapd_interface_service:hdf_devmgr_class { add }; + +# avc: denied { read } for pid=1398 comm="IPC_1_1430" name="WL_IRAM.bin" dev="sdd84" ino=448 scontext=u:r:wifi_host:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 +allow wifi_host vendor_file:file { open read }; + +# avc: denied { call } for pid=1293 comm="WpaMainThread" scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +allow wifi_host wifi_manager_service:binder { call }; + +# avc: denied { write } for pid=1300, comm="/vendor/bin/hdf_devhost" scontext=u:r:wifi_host:s0 tcontext=u:r:wifi_host:s0 tclass=netlink_socket permissive=1 +allow wifi_host wifi_host:netlink_socket { write }; + +# avc: denied { sendto } for pid=3765, comm="/vendor/bin/hdf_devhost" scontext=u:r:wifi_host:s0 tcontext=u:r:su:s0 tclass=unix_dgram_socket permissive=1 +debug_only(` + allow wifi_host su:unix_dgram_socket { sendto }; +') diff --git a/prebuilts/api/5.0/ohos_policy/dsoftbus/system/init.te b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..8008f41b75c568e8a1fcf0224b64cac968176793 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { setattr } for pid=1 comm="init" name="btdev0" dev="tmpfs" ino=184 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=0 +debug_only(` + allow init dev_file:chr_file { setattr read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/dsoftbus/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d032eff85c3c09d4a20db507bd37f2776f339b8d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_softbus_service:samgr_class { get }; +allow normal_hap_attr softbus_server:binder { transfer }; +allow normal_hap_attr softbus_server:fd { use }; +allow normal_hap_attr softbus_server:tcp_socket { read write shutdown }; diff --git a/prebuilts/api/5.0/ohos_policy/dsoftbus/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..f41cbc9ac86e8fc58c0e2179540654fe75a44b7b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/dsoftbus/system/softbus_server.te @@ -0,0 +1,126 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server bluetooth_service:fd { use }; +allow softbus_server bluetooth_service:unix_stream_socket { read read write setopt shutdown write }; + +#avc: denied { call } for pid=496 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow softbus_server dcamera:binder { call transfer }; + +#avc: denied { call } for pid=471 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=0 +allow softbus_server dscreen:binder { call }; + +allow softbus_server d-bms:binder { call }; + +#avc: denied { transfer } for pid=558 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=471 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +allow softbus_server normal_hap_attr:binder { call transfer }; + +#avc: denied { use } for pid=1537 comm="com.ohos.settin" path="/dev/ashmem" dev="tmpfs" ino=178 scontext=u:r:softbus_server:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=0 +#avc: denied { use } for pid=1601 comm="com.ohos.settin" path="/dev/ashmem" dev="tmpfs" ino=177 scontext=u:r:softbus_server:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=0 +allow softbus_server normal_hap_attr:fd { use }; + +allow softbus_server sa_accesstoken_manager_service:samgr_class { get }; +allow softbus_server sa_accountmgr:samgr_class { get }; +allow softbus_server sa_bluetooth_server:samgr_class { get }; +allow softbus_server sa_foundation_abilityms:samgr_class { get }; +allow softbus_server sa_foundation_cesfwk_service:samgr_class { get }; +allow softbus_server sa_param_watcher:samgr_class { get }; + +#avc: denied { get } for service=3505 pid=532 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_privacy_service:samgr_class { get }; + +allow softbus_server softbus_server:netlink_route_socket { nlmsg_readpriv }; +allow softbus_server sa_softbus_service:samgr_class { add get }; +allow softbus_server sa_wifi_device_ability:samgr_class { get }; +allow softbus_server sa_wifi_hotspot_ability:samgr_class { get }; +allow softbus_server sa_wifi_p2p_ability:samgr_class { get }; +allow softbus_server sa_wifi_scan_ability:samgr_class { get }; +debug_only(` + allow softbus_server sh:binder { call transfer }; +') + +#avc: denied { create } for pid=540 comm="softbus_server" scontext=u:r:softbus_server:s0 tcontext=u:r:softbus_server:s0 tclass=socket permissive=0 +allow softbus_server softbus_server:socket { bind create ioctl setopt shutdown getattr connect accept listen read write getopt }; + +#avc: denied { getopt } for pid=482 comm="THREAD_POOL" scontext=u:r:softbus_server:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow softbus_server softbus_server:tcp_socket { getopt }; + +#avc: denied { ioctl } for pid=526 comm="softbus_server" path="socket:[36080]" dev="sockfs" ino=36080 ioctlcmd=0x8933 scontext=u:r:softbus_server:s0 tcontext=u:r:softbus_server:s0 tclass=socket permissive=0 +allowxperm softbus_server softbus_server:socket ioctl { 0x8933 0x8916 0x890B 0x8913 0x8936 0x890c }; + +#avc: denied { call } for pid=509 comm="0IPC_686" scontext=u:r:softbus_server:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0 +allow softbus_server system_core_hap_attr:binder { call }; + +binder_call(softbus_server, privacy_service); +binder_call(softbus_server, accountmgr); +binder_call(softbus_server, netmanager); + +allow softbus_server musl_param:file { open map read }; + +#avc: denied { use } for pid=530 comm="IPC_0_952" path="/dev/ashmem" dev="tmpfs" ino=184 scontext=u:r:softbus_server:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1 +allow softbus_server distributeddata:fd { use }; + +#avc: denied { get } for service=1301 pid=494 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_distributeddata_service:samgr_class { get }; + +#avc: denied { get } for service=182 pid=522 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_dataobs_mgr_service_service:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_dataobs_mgr_service_service:samgr_class { get }; + +#avc: denied { get } for service=401 pid=512 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=6001 pid=1248 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=1 +allow softbus_server sa_device_profile_service:samgr_class { get }; + +#avc: denied { get } for service=1151 pid=602 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_net_conn_manager:samgr_class { get }; + +# avc: denied { read write } for pid=2312 comm="SaInit0" name="btdev0" dev="tmpfs" ino=184 scontext =u:r:softbus_server:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=0 +debug_only(` + allow softbus_server dev_file:chr_file { read write open ioctl }; +') + +#avc: denied { read } for pid=456 comm="softbus_server" name="af_ninet" dev="sysfs" ino=13529 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=0 +allow softbus_server sys_file:file { open read }; + +#avc: denied { call } for pid=2167 scontext=u:r:softbus_server:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2167 scontext=u:r:softbus_server:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=1 +allow softbus_server pasteboard_service:binder { call transfer }; + +#avc: denied { read } for pid=497 comm="softbus_server" name="nip_route" dev="proc" ino=4026532651 scontext=u:r:softbus_server:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=540 comm="SaInit0" path="/proc/540/net/nip_route" dev="proc" ino=4026532673 scontext=u:r:softbus_server:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 +allow softbus_server proc_net:file { open getattr read }; + +#avc: denied { get } for service=1203 pid=1219 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_sys_event_service:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_sys_event_service:samgr_class { get }; + +#avc: denied { transfer } for pid=1480 comm="IPC_0_1595" scontext=u:r:softbus_server:s0 tcontext=u:r:hiview:s0 tclass=binder permissive=0 +allow softbus_server hiview:binder { transfer }; + +#avc: denied { use } for pid=516 comm="IPC_5_2079" path="/dev/ashmem" dev="tmpfs" ino=677 scontext=u:r:softbus_server:s0 tcontext=u:r:hiview:s0 tclass=fd permissive=0 +allow softbus_server hiview:fd { use }; + +#avc: denied { transfer } for pid=1421 comm="SaInit0" scontext=u:r:softbus_server:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +allow softbus_server distributeddata:binder { transfer }; + +#avc: denied { get } for service=501 pid=1448 scontext=u:r:softbus_server:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow softbus_server sa_foundation_appms:samgr_class { get }; + +#avc: denied { setattr } for pid=4233 comm="IPC_1_4241" name="gen_natural_store.db" dev="sdd78" ino=56915 scontext=u:r:softbus_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow softbus_server data_service_el1_file:file { map setattr }; + +#avc: denied { getattr } for pid=1032 comm="IPC_2_1941" path="/data/service/el1/public/database/dsoftbus/kvdb/4cee433d3b0a6fca315f8eff4d59b13eaa177772d85bde578b7bf9fe1ea3a4dc/single_ver/main" dev="sdd78" ino=5376 scontext=u:r:softbus_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +allow softbus_server data_service_el1_file:dir { create getattr }; + +allow softbus_server wifi_manager_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/app_file_service.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/app_file_service.te new file mode 100644 index 0000000000000000000000000000000000000000..6078fbac4f9caa1c29e30e34bdb8e45dba09ef69 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/app_file_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_el2_share, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..9d0492dcd4f772f0aca4e1fe8be4a8de626643ab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn data_service_el2_file:dir { mounton }; +allow appspawn self:capability { sys_chroot }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/backup_sa.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/backup_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..7e3da646511b0c1c1b40d6accb6f52a7fa540860 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/backup_sa.te @@ -0,0 +1,72 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type backup_sa, sadomain, domain; + +allow backup_sa sa_accesstoken_manager_service:samgr_class { get }; +allow backup_sa sa_foundation_abilityms:samgr_class { get }; +allow backup_sa sa_foundation_bms:samgr_class { get }; +allow backup_sa sa_filemanagement_backup_service_service:samgr_class { add }; +allow backup_sa sa_storage_manager_service:samgr_class { get }; + +allow backup_sa accesstoken_service:binder { call }; +allow backup_sa storage_manager:binder { call }; +allow backup_sa foundation:binder { call transfer }; + +allow backup_sa hilog_param:file { map open read }; +allow backup_sa data_service_file:dir { search }; +allow backup_sa data_service_el2_file:dir { read open write search add_name create rmdir remove_name }; +allow backup_sa data_service_el2_file:file { read open write getattr create unlink }; +allow backup_sa data_app_file:dir { search }; +allow backup_sa data_app_el1_file:dir { search }; +allow backup_sa data_app_el1_file:file { getattr read open map }; +allow backup_sa dev_unix_socket:dir { search }; +allow backup_sa data_service_el1_file:file { read write }; +allow backup_sa sysfs_devices_system_cpu:file { read open getattr }; +allow backup_sa data_file:dir { search }; +allow backup_sa data_file:file { getattr read }; +allow backup_sa data_backup:file { read write }; + +debug_only(` + allow backup_sa sh:fd { use }; + allow backup_sa sh:binder { call }; +') + +allow backup_sa hap_domain:binder { call transfer }; +allow backup_sa hap_domain:fd { use }; +allow backup_sa foundation:fd { use }; +allow backup_sa system_core_hap_data_file_attr:file { getattr read write }; +allow backup_sa normal_hap_data_file_attr:file { getattr read write }; +allow backup_sa system_basic_hap_data_file_attr:file { getattr read write }; +allow backup_sa data_storage:dir { search }; +allow backup_sa hmdfs:file { getattr read write }; +allow backup_sa sys_prod_file:file { map open read getattr }; +allow backup_sa sys_prod_file:dir { search }; +allow backup_sa system_file:file { map open read getattr }; +allow backup_sa system_file:dir { search }; +allow backup_sa sa_foundation_cesfwk_service:samgr_class { get }; + +allow backup_sa arkcompiler_param:file { map open read }; +allow backup_sa backup_sa:unix_dgram_socket { getopt setopt }; +allow backup_sa tty_device:chr_file { read write }; +allow backup_sa wifi_manager_service:binder { call }; +allow backup_sa wifi_manager_service:fd { use }; +allow backup_sa data_service_el2_file:file { ioctl }; +allowxperm backup_sa data_service_el2_file:file ioctl { 0x5413 }; +allow backup_sa persist_param:file { map open read }; +allow backup_sa persist_param:parameter_service { set }; +allow backup_sa paramservice_socket:sock_file { write }; +allow backup_sa kernel:unix_stream_socket { connectto }; +allow backup_sa distributeddata:binder { call }; +allow backup_sa distributeddata:fd { use }; +allow backup_sa inputmethod_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b3b0b81d2617c41800720235dd29b8b76bd7ff94 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el2/[0-9]+/share(/.*)? u:object_r:data_service_el2_share:s0 diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c85b3b493b525e8795d985b2c3681539594bf36c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/foundation.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation backup_sa:binder { call transfer }; +allow foundation backup_sa:file { open getattr read }; +allow foundation backup_sa:dir { search }; +allow foundation data_service_el2_file:dir { search }; +allow foundation data_service_el2_file:file { open getattr read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..7335bad137d5f74a7048dfaced05fc2ae610b07f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/hap_domain.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow hap_domain data_service_el2_share:file { read open getattr write append map }; +allow hap_domain data_service_el2_share:dir { read open getattr search }; +allow hap_domain sa_filemanagement_backup_service_service:samgr_class { get }; +allow hap_domain system_bin_file:file { execute execute_no_trans getattr map read open }; +allow hap_domain system_bin_file:lnk_file { read }; +allow hap_domain toybox_exec:file { execute execute_no_trans getattr map read open }; +allow hap_domain toybox_exec:lnk_file { read }; +allow hap_domain backup_sa:binder { call transfer }; +allow hap_domain data_service_el2_file:dir { read write add_name create getattr open remove_name rmdir search setattr }; +allow hap_domain data_service_el2_file:file { getattr create write read open unlink setattr }; +allow hap_domain backup_sa:fd { use }; +allow hap_domain normal_hap_data_file:dir { search }; +allow hap_domain normal_hap_data_file:file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/init.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..2de255c1f5faeb5a03a764b7d85415701f8a985d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init backup_sa:process { siginh transition rlimitinh }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/media_service.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..cbbdaf36474041b9ce02d33146138a3e898efc0a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/media_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service sharefs:file { read open getattr write append map }; +allow media_service sharefs_file_attr:file { read open getattr write append map }; +allow media_service data_service_el2_share:file { read open getattr write append map }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8f5570a2447afefd7498bcc9976072317644c3f7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow normal_hap_attr hmdfs:file { read open getattr write }; +allow normal_hap_attr data_service_el2_hmdfs:file { read open getattr write }; +allow normal_hap_attr system_core_hap_data_file:file { write }; +allow normal_hap_attr system_basic_hap_data_file:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/sharefs.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/sharefs.te new file mode 100644 index 0000000000000000000000000000000000000000..5c37c42b75894f71ba6243b2ad3b1eef174a2d7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/sharefs.te @@ -0,0 +1,25 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# add sandbox appdata permissions for sharefs +allow hap_domain sharefs:dir { watch watch_reads create_dir_perms_without_ioctl }; +allow hap_domain sharefs:file { watch watch_reads execute create_file_perms_without_ioctl }; + +allow hap_domain sharefs_appdata_file:dir { watch watch_reads read_dir_perms_without_ioctl }; +allow hap_domain sharefs_appdata_file:file { watch watch_reads execute read_file_perms_without_ioctl }; + +allow hap_domain sharefs_appdata_bundle_file:dir { create setattr open read getattr lock search add_name write watch watch_reads }; +allow hap_domain sharefs_appdata_bundle_file:file { watch watch_reads execute create setattr getattr open read lock map write append }; + +allow sharefs_appdata_file sharefs:filesystem { associate }; +allow sharefs_appdata_bundle_file sharefs:filesystem { associate }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8cb2afc5a2132e13d583c3bd6b045479bc7c459e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_basic_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow system_basic_hap_attr hmdfs:file { read open getattr write }; +allow system_basic_hap_attr data_service_el2_hmdfs:file { read open getattr write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d0dedfcaa0b8023d0f4772e64ac14f4794eb32c1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/app_file_service/system/system_core_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow system_core_hap_attr hmdfs:file { open }; +allow system_core_hap_attr data_service_el2_hmdfs:file { read open getattr write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/public/type.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..3f818d57392cba4b8918b492848f6faa0a0b0cc7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/public/type.te @@ -0,0 +1,24 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sys_fs_hmdfs, fs_attr, sysfs_attr; +type vfat, fs_attr, permissions_mount_file_attr; +type exfat, fs_attr, permissions_mount_file_attr; +type ntfs, fs_attr, permissions_mount_file_attr; + +type distributedfiledaemon, sadomain, domain; +type data_service_el2_hmdfs, file_attr, data_file_attr; +type cloudfiledaemon, sadomain, domain; +type fuse_file, fs_attr; +type cloudfile_data_file, file_attr, data_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..35f82dc6585082d7ca0cc16238eec842017274a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te @@ -0,0 +1,103 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow cloudfiledaemon persist_param:parameter_service { set }; +allow cloudfiledaemon persist_param:file { map open read }; +allow cloudfiledaemon cloudfile_data_file:dir { rmdir }; +allow cloudfiledaemon sa_accesstoken_manager_service:samgr_class { get }; +allow cloudfiledaemon sa_param_watcher:samgr_class { get }; +allow cloudfiledaemon param_watcher:binder { call transfer }; +allow cloudfiledaemon dev_unix_socket:dir { search }; +allow cloudfiledaemon paramservice_socket:sock_file { write }; +allow cloudfiledaemon kernel:unix_stream_socket { connectto }; +allow cloudfiledaemon netsysnative:unix_stream_socket { connectto }; +allow cloudfiledaemon netmanager:binder { call transfer }; +allow cloudfiledaemon accesstoken_service:binder { call }; +allow cloudfiledaemon data_service_file:dir { search }; +allow cloudfiledaemon sa_foundation_cesfwk_service:samgr_class { get }; +allow cloudfiledaemon foundation:binder { transfer call }; +allow cloudfiledaemon sa_foundation_abilityms:samgr_class { get }; +binder_call(cloudfiledaemon, powermgr); +allow cloudfiledaemon sa_powermgr_battery_service:samgr_class { get }; +allow cloudfiledaemon data_app_file:dir { search open read write }; +allow cloudfiledaemon data_app_el2_file:dir { search read write open }; +allow cloudfiledaemon data_app_el2_file:file { lock getattr open read write ioctl map }; +allow cloudfiledaemon dev_fuse_file:chr_file { read write }; +allow cloudfiledaemon data_service_el2_file:dir { search }; +allow cloudfiledaemon data_service_el2_hmdfs:dir { create search read open write add_name remove_name }; +allow cloudfiledaemon data_service_el2_hmdfs:file { create setattr getattr read open write append ioctl rename unlink }; +allow cloudfiledaemon hmdfs:dir { search write remove_name add_name create open read rmdir rename reparent ioctl }; +allowxperm cloudfiledaemon hmdfs:dir ioctl { 0xf20b }; +allow cloudfiledaemon hmdfs:file { read open getattr create append rename unlink ioctl }; +allowxperm cloudfiledaemon hmdfs:file ioctl { 0xf202 0x5413 }; +allow cloudfiledaemon storage_daemon:fd { use }; +allow cloudfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add get_remote get }; +allow cloudfiledaemon hap_domain:binder { call transfer }; +debug_only(` + allow cloudfiledaemon sh:binder { call }; +') +allow cloudfiledaemon sa_net_conn_manager:samgr_class { get }; +allow cloudfiledaemon dev_console_file:chr_file { read write }; +allow cloudfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add }; +allow cloudfiledaemon data_service_el1_file:dir { search write add_name create remove_name read open }; +allow cloudfiledaemon data_service_el1_file:file { create write open getattr setattr read rename unlink lock map }; +allow cloudfiledaemon cloudfile_data_file:dir { search write add_name create remove_name read open setattr getattr }; +allow cloudfiledaemon cloudfile_data_file:file { create write open getattr setattr read rename unlink lock map ioctl }; +allowxperm cloudfiledaemon cloudfile_data_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +allow cloudfiledaemon hap_domain:binder { call }; +allow cloudfiledaemon data_file:dir { search }; +allow cloudfiledaemon dev_ashmem_file:chr_file { open }; +allow cloudfiledaemon distributeddata:binder { transfer call }; +allow cloudfiledaemon distributeddata:fd { use }; +allow cloudfiledaemon data_user_file:dir { read open search add_name write remove_name create rmdir rename reparent }; +allow cloudfiledaemon data_user_file:file { read open getattr write create rename unlink append ioctl setattr }; +allow cloudfiledaemon cloudfiledaemon:udp_socket { create bind read write node_bind connect getattr ioctl setopt }; +allowxperm cloudfiledaemon cloudfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b }; +allow cloudfiledaemon node:udp_socket { node_bind }; +allow cloudfiledaemon node:tcp_socket { node_bind }; +allow cloudfiledaemon cloudfiledaemon:tcp_socket { read create setopt connect getopt getattr write bind shutdown listen accept }; +allow cloudfiledaemon port:tcp_socket { name_connect name_bind }; +allow cloudfiledaemon system_bin_file:dir { search }; +allow cloudfiledaemon medialibrary_hap_data_file:dir { search read open }; +allow cloudfiledaemon medialibrary_hap_data_file:file { read open getattr write ioctl lock map }; +allow cloudfiledaemon sa_dataobs_mgr_service_service:samgr_class { get }; +allow cloudfiledaemon sa_distributeddata_service:samgr_class { get }; +allow cloudfiledaemon normal_hap_attr:fd { use }; +allow cloudfiledaemon system_core_hap_attr:fd { use }; +allow cloudfiledaemon hmdfs:file { write setattr }; +allow cloudfiledaemon data_service_el2_hmdfs:file { lock }; +allow cloudfiledaemon data_storage:dir { search }; +allow cloudfiledaemon data_service_el2_hmdfs:file { create_file_perms_without_ioctl }; +allow cloudfiledaemon data_service_el2_hmdfs:dir { create_dir_perms_without_ioctl }; +allow cloudfiledaemon accountmgr:binder { call }; +allow accountmgr cloudfiledaemon:binder { transfer }; +allow cloudfiledaemon sa_accountmgr:samgr_class { get }; +allow cloudfiledaemon sa_powermgr_powermgr_service:samgr_class { get }; +allow cloudfiledaemon dev_unix_file:sock_file { write }; +allow cloudfiledaemon sa_softbus_service:samgr_class { get }; +allow cloudfiledaemon softbus_server:binder { call transfer }; +allow cloudfiledaemon softbus_server:fd { use }; +allow cloudfiledaemon softbus_server:tcp_socket { read write setopt shutdown }; +allow cloudfiledaemon cloudfiledaemon:binder { call }; +allow cloudfiledaemon cloudfiledaemon:netlink_route_socket { create }; +allow cloudfiledaemon cloudfiledaemon:unix_dgram_socket { getopt }; +allow cloudfiledaemon media_library_param:file { map open read }; +allow cloudfiledaemon resource_schedule_service:binder { call transfer }; +allow cloudfiledaemon sa_resource_schedule:samgr_class { get }; +allow resource_schedule_service cloudfiledaemon:binder { call }; +allow cloudfiledaemon media_service:dir { search }; +allow cloudfiledaemon media_service:file { getattr open read }; +allow cloudfiledaemon sa_media_service:samgr_class { get }; +allow cloudfiledaemon media_service:binder { call transfer }; +allow cloudfiledaemon medialibrary_hap_data_file:dir { ioctl }; +allowxperm cloudfiledaemon medialibrary_hap_data_file:dir ioctl 0xf546; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..969765074e8136d572667120328482ec05aa2dbb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata cloudfiledaemon:binder { call transfer }; +allow distributeddata distributedfiledaemon:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfiledaemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..ff12f54879ed76b04bd23dae25bc7d4ac5603c35 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfiledaemon.te @@ -0,0 +1,130 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedfiledaemon sys_fs_hmdfs:dir { read search setattr getattr open }; +allow distributedfiledaemon sys_fs_hmdfs:file { setattr getattr open read write }; + +#avc: denied { transfer } for pid=604 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=556 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1 +allow distributedfiledaemon foundation:binder { call transfer }; + +#avc: denied { read } for pid=2101 comm="dfs_rcv1_1_7" laddr=192.168.43.48 lport=57666 faddr=192.168.43.20 fport=45047 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { write } for pid=182 comm="kworker/u8:5" laddr=192.168.43.48 lport=39379 faddr=192.168.43.20 fport=59752 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +allow distributedfiledaemon softbus_server:tcp_socket { read write }; + +#avc: denied { search } for pid=182 comm="kworker/u8:5" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow distributedfiledaemon data_file:dir { search }; + +#avc: denied { search } for pid=182 comm="kworker/u8:5" name="service" dev="mmcblk0p11" ino=1044481 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow distributedfiledaemon data_service_file:dir { search }; + +#avc: denied { search } for pid=7 comm="kworker/u8:0" name="el2" dev="mmcblk0p11" ino=130569 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +allow distributedfiledaemon data_service_el2_file:dir { search }; + +#avc: denied { search } for pid=182 comm="kworker/u8:5" name="el2" dev="mmcblk0p11" ino=1044488 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=182 comm="kworker/u8:5" name="account_cache" dev="mmcblk0p11" ino=1044562 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +allow distributedfiledaemon data_service_el2_hmdfs:dir { rw_dir_perms rmdir create }; + +#avc: denied { read write open } for pid=183 comm="kworker/u8:4" path=2F646174612F736572766963652F656C322F3130302F686D6466732F63616368652F6163636F756E745F63616368652F23333933303937202864656C6574656429 dev="mmcblk0p11" ino=393097 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=file permissive=1 +allow distributedfiledaemon data_service_el2_hmdfs:file { rw_file_perms }; + +#avc: denied { search } for pid=659 comm="distributedfile" name="socket" dev="tmpfs" ino=40 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow distributedfiledaemon dev_unix_socket:dir { search }; + +#avc: denied { call } for pid=548 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=1 +allow distributedfiledaemon dslm_service:binder { call }; + +#avc: denied { get } for service=3299 pid=609 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow distributedfiledaemon sa_foundation_cesfwk_service:samgr_class { get }; + +neverallow { domain -pasteboard_service -dslm_service -foundation -softbus_server -accountmgr -device_manager -param_watcher -sadomain -hidumper_service -hap_domain } distributedfiledaemon:binder { call }; + +allow distributedfiledaemon sa_filemanagement_distributed_file_daemon_service:samgr_class { get_remote }; + +allow distributedfiledaemon data_app_file:dir { search }; + +allow distributedfiledaemon data_app_el2_file:dir { search }; + +allow distributedfiledaemon distributedfiledaemon:capability { dac_read_search chown net_raw }; + +allow distributedfiledaemon distributedfiledaemon:tcp_socket { create setopt bind getattr listen getopt shutdown connect accept write read }; + +allow distributedfiledaemon node:tcp_socket { node_bind }; + +allow distributedfiledaemon distributedfiledaemon:udp_socket { ioctl shutdown create read write getattr bind connect getopt setopt accept }; + +allowxperm distributedfiledaemon distributedfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b }; + +allow distributedfiledaemon normal_hap_data_file_attr:dir { getattr write search read open add_name create setattr }; + +allow distributedfiledaemon normal_hap_data_file_attr:file { write setattr getattr read open create }; + +allow distributedfiledaemon system_basic_hap_data_file_attr:dir { getattr write search read open add_name create setattr }; + +allow distributedfiledaemon system_basic_hap_data_file_attr:file { write setattr getattr read open create }; + +allow distributedfiledaemon system_core_hap_data_file_attr:dir { getattr write search read open add_name create setattr }; + +allow distributedfiledaemon system_core_hap_data_file_attr:file { write setattr getattr read open create }; + +allow distributedfiledaemon port:tcp_socket { name_connect name_bind }; + +allow distributedfiledaemon sysfs_devices_system_cpu:dir { open read }; + +allow distributedfiledaemon sysfs_devices_system_cpu:file { read open getattr }; + +allow distributedfiledaemon data_file:file { getattr read open }; + +allow distributedfiledaemon proc_stat_file:file { open read }; + +allow distributedfiledaemon data_user_file:dir { search getattr write add_name create read open }; + +allow distributedfiledaemon data_user_file:file { getattr open read write create }; + +allow distributedfiledaemon hap_domain:binder { call }; + +allow distributedfiledaemon hmdfs:dir { search read open write add_name create setattr remove_name rmdir }; + +allow distributedfiledaemon hmdfs:file { read open getattr create write setattr rename unlink ioctl }; + +allowxperm distributedfiledaemon hmdfs:file ioctl { 0x5413 }; + +allow distributedfiledaemon dev_kmsg_file:chr_file { write open }; + +allow distributedfiledaemon data_service_el2_hmdfs:file { create rename unlink }; + +allow distributedfiledaemon sa_uri_permission_mgr_service:samgr_class { get }; + +#avc: denied { get } for service=6001 pid=5338 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=0 +allow distributedfiledaemon sa_device_profile_service:samgr_class { get }; + +#avc: denied { call } for pid=4447 comm="/system/bin/sa_main" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=0 +allow distributedfiledaemon distributedsche:binder { call }; + +allow distributedfiledaemon sa_storage_manager_service:samgr_class { get }; + +allow distributedfiledaemon storage_manager:binder { call }; + +allow distributedfiledaemon distributeddata:binder { call }; + +allow distributedfiledaemon chip_prod_file:dir { search }; + +allow distributedfiledaemon tty_device:chr_file { read write }; + +allow distributedfiledaemon data_service_el1_file:dir { search }; + +allow distributedfiledaemon node:udp_socket { node_bind }; + +allow pasteboard_service sa_storage_manager_service:samgr_class { get }; + +allow distributeddata sa_storage_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfileservice.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfileservice.te new file mode 100644 index 0000000000000000000000000000000000000000..75e6e98803d54781384f1258d8c6e780b20db30c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/distributedfileservice.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type distributedfileservice, sadomain, domain; + +allow distributedfileservice sys_fs_hmdfs:dir { read search setattr }; + +#avc: denied { transfer } for pid=605 comm="distributedfile" scontext=u:r:distributedfileservice:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=632 comm="distributedfile" scontext=u:r:distributedfileservice:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow distributedfileservice foundation:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d4c9d166d87079bbea62652dae7a4a802ce433c5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/file_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el2/[0-9]+/hmdfs(/.*)? u:object_r:data_service_el2_hmdfs:s0 + +# Public directory for user data +/data/service/el2/[0-9]+/hmdfs/account/files(/.*)? u:object_r:data_user_file:s0 +/data/service/el1/public/cloudfile(/.*)? u:object_r:cloudfile_data_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..6b49d183f0a9054f9a2cb15105f9f666086abf99 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/foundation.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation cloudfiledaemon:binder { transfer call }; +allow foundation cloudfiledaemon:file { read open getattr }; +allow foundation cloudfiledaemon:dir { search }; + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..18a24fd510dc6d6b1f725b5e470cc7ca64410744 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/hap_domain.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_filemanagement_cloud_sync_service:samgr_class { get }; +allow hap_domain cloudfiledaemon:binder { call transfer }; +allow hap_domain cloudfiledaemon:binder { call }; +allow hap_domain cloudfiledaemon:fd { use }; +allow hap_domain sa_filemanagement_distributed_file_daemon_service:samgr_class { get }; +allow hap_domain sa_filemanagement_distributed_file_daemon_service:binder { call transfer }; +allow hap_domain distributedfiledaemon:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/init.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..146d5a1e97ddea9a764768a89fd4b26c2539aa12 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init cloudfiledaemon:process { rlimitinh siginh transition }; +allow init sa_filemanagement_cloud_daemon_service:samgr_class { add }; +allow init cloudfile_data_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init cloudfile_data_file:file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/media_service.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0eaff1fb600c77f719e2637654a12d2be9b6f354 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/media_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service cloudfiledaemon:binder { transfer }; +allow media_service cloudfiledaemon:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/medialibrary_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/medialibrary_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5c9d37b495b9c914485797d8fb6bd18f6f9ca3da --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/medialibrary_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow medialibrary_hap cloudfiledaemon:binder { transfer }; +allow medialibrary_hap storage_daemon:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..4799a05c145d99c3ae4972cdb1a37b55599ddf0e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/memmgrservice.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice cloudfiledaemon:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..34c019d73f8ecefcf48fb9040af96677c1cd8d72 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/netmanager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager cloudfiledaemon:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..bc62352908e03f1b1f842201180162afa1c9cb84 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher cloudfiledaemon:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..4b9c1214debe707573662247d1e07c803220b3a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/softbus_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server cloudfiledaemon:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..cffc5c330cd879e321d7a690c79bae579431d60c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/storage_daemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon cloudfiledaemon:fd { use }; +allow storage_daemon cloudfiledaemon:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..777be658cd8b0851b23d396a8dce41fe2659a444 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/dfs_service/system/virtfs_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +genfscon sysfs /fs/hmdfs u:object_r:sys_fs_hmdfs:s0 +genfscon vfat / u:object_r:vfat:s0 +genfscon exfat / u:object_r:exfat:s0 +genfscon fuseblk / u:object_r:ntfs:s0 diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..eb8bef08af6da462c938bf5dd06fdc5e8ecc26a6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/hap_domain.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain data_service_el2_hmdfs:file { watch watch_reads create_file_perms }; +allow hap_domain data_service_el2_hmdfs:dir { watch watch_reads create_dir_perms }; +allow hap_domain hmdfs:file { watch watch_reads create_file_perms_without_ioctl }; +allow hap_domain hmdfs:dir { watch watch_reads create_dir_perms_without_ioctl }; +neverallow { hap_domain -medialibrary_hap } hmdfs:dir { ioctl }; +allow hap_domain hmdfs:file ioctl; +allowxperm hap_domain hmdfs:file ioctl { 0xf207 }; +neverallowxperm hap_domain hmdfs:file ioctl ~{ 0xf207 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c755b425c4bce7ccbf0abd6dcea7d983e5ce1a73 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr normal_hap_data_file_attr:file { ioctl create getattr setattr lock append map unlink rename execute watch watch_reads }; +allow normal_hap_attr { normal_hap_data_file_attr -dlp_sandbox_hap_data_file }:file { read write open }; + +allow normal_hap_attr normal_hap_data_file_attr:dir { watch watch_reads create_dir_perms }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..85276b38868b558dc3243a05e9733e7455b81879 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { watch watch_reads create_file_perms execute }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:dir { watch watch_reads create_dir_perms }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..1f7dfdacc2288771997b5b1b62b68a1794eaf92c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/file_api/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr system_core_hap_data_file_attr:file { watch watch_reads create_file_perms execute }; +allow system_core_hap_attr system_core_hap_data_file_attr:dir { watch watch_reads create_dir_perms }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/sdc.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/sdc.te new file mode 100644 index 0000000000000000000000000000000000000000..66f0b6690a16bac4f4f2ee03268573bef532c015 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/sdc.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sdc, sadomain, domain; +type sdc_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..2a4de498d5a1e2f6a2e80be1513d460c3a61a7a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_daemon.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type storage_daemon, sadomain, domain; +type storage_daemon_exec, exec_attr, file_attr, system_file_attr; +type dev_block_volfile, dev_attr; + +define(`storage_daemon_relabel', ` + allow storage_daemon $1:{ file dir sock_file } { relabelto setattr }; + allow storage_daemon $1:dir { search }; +') +storage_daemon_relabel(data_user_file); +storage_daemon_relabel(data_service_el1_i18n_timezone_file); +storage_daemon_relabel(data_service_el2_hmdfs); +storage_daemon_relabel(data_service_el2_public_huksService_file); +storage_daemon_relabel(data_service_el2_userId_huksService_file); +storage_daemon_relabel(data_service_el4_userId_huksService_file); + +storage_daemon_relabel(account_data_el2_file); + +allow storage_daemon data_user_file:lnk_file { relabelto setattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_manager.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..c487de78d8431e0b1ecbb067f8fa8c4307d1be39 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/storage_manager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type storage_manager, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/type.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..5f4357eedb82e8c7c86b6d5dfc62d4cee8f6466d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type proc_drop_caches_file, fs_attr, proc_attr; +type data_service_storage_daemon_sd_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..260cdbb6799e4e95020ce1edafd4ea20ce07236a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=601 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:storage_daemon:s0 tclass=key permissive=0 +allow domain storage_daemon:key { search }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9e8de0b11a7d22e5e017d27ef01859340072c83e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/dev/block(/^vol.*)? u:object_r:dev_block_volfile:s0 +/data/service/el1/public/storage_daemon/sd(/.*)? u:object_r:data_service_storage_daemon_sd_file:s0 +/data/service/el0/storage_daemon/sd(/.*)? u:object_r:data_service_storage_daemon_sd_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..f336d65bd96f986994d4960a69eaa68b6ce51122 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation configfs:dir { add_name create search }; +allow foundation data_service_el1_file:file { ioctl lock map read append open }; +allow foundation normal_hap_data_file_attr:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..945629267249c63411886b71f056754c1084933d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/hap_domain.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=5003 pid=1550 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=0 +allow hap_domain sa_storage_manager_service:samgr_class { get }; +#avc: denied { call } for pid=1550 comm="e.volumemanager" scontext=u:r:system_basic_hap:s0 tcontext=u:r:storage_manager:s0 tclass=binderpermissive=1 +allow hap_domain storage_manager:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/huks_service.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/huks_service.te new file mode 100644 index 0000000000000000000000000000000000000000..e317409f1636b1992c9bd890419c69701e0dc7b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/huks_service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=407 comm="huks_service" name="el0" dev="mmcblk0p11" ino=1044482 scontext=u:r:huks_service:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=407 comm="huks_service" path="/data/service/el0/huks_service/root_encrypt_key" dev="mmcblk0p11" ino=1044791 scontext=u:r:huks_service:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +allow huks_service data_service_el0_file:dir { search }; +allow huks_service data_service_el0_file:file { getattr read open }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/init.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..118911a78a713e7825e9847171ef313dc9a19d4a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/init.te @@ -0,0 +1,45 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init sa_storage_manager_daemon:samgr_class { get }; +allow init sa_storage_manager_service:samgr_class { get }; +allow init storage_manager:binder { call }; +allow init storage_daemon:binder { call }; + +#avc: denied { call } for pid=262 comm="sdc" scontext=u:r:init:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 +allow init samgr:binder { call }; + +#avc: denied { execute } for pid=260 comm="init" name="sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=1 +#avc: denied { read open } for pid=260 comm="init" path="/system/bin/sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=1 +#avc: denied { execute_no_trans } for pid=260 comm="init" path="/system/bin/sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=1 +#avc: denied { map } for pid=260 comm="sdc" path="/system/bin/sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=1 +allow init system_bin_file:file { execute execute_no_trans map read open }; +allow init toybox_exec:file { execute execute_no_trans getattr map read open }; + +#avc: denied { execute } for pid=250 comm="init" name="sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=0 +allow init sdc_exec:file { execute execute_no_trans map read open }; + +#avc: denied { ioctl } for pid=1 comm="init" path="/data/app/el1/bundle/public" dev="mmcblk0p11" ino=652804 ioctlcmd=0x6613 scontext=u:r:init:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=0 +#avc: denied { ioctl } for pid=1 comm="init" path="/data/chipset/el1/public" dev="mmcblk0p11" ino=783363 ioctlcmd=0x6613 scontext=u:r:init:s0 tcontext=u:object_r:data_chipset_el1_file:s0 tclass=dir permissive=0 +#avc: denied { ioctl } for pid=1 comm="init" path="/data/service/el1/public" dev="mmcblk0p11" ino=522256 ioctlcmd=0x6613 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +allow init data_app_el1_file:dir { ioctl }; +allow init data_chipset_el1_file:dir { ioctl }; +allow init data_service_el1_file:dir { ioctl }; + +allow init proc_version_file:file { open read }; + +#avc: denied { module_request } for pid=1 comm="init" kmod="crypto-cryptd(__cts-cbc-aes-ce)" scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 +#avc: denied { module_request } for pid=1 comm="init" kmod="crypto-cryptd(__cts-cbc-aes-ce)-all" scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 +allow init kernel:system { module_request }; +allow init data_service_storage_daemon_sd_file:dir { open read relabelto setattr search write }; +allow init data_service_storage_daemon_sd_file:file { relabelto getattr read open }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/kernel.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..a45a69fc4b1608fbc1d29ba82f1af07b6a9dd589 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/kernel.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow kernel device:blk_file { create getattr setattr unlink }; +allow kernel hmdfs:dir { create_dir_perms_without_ioctl }; +allow kernel hmdfs:file { create_file_perms_without_ioctl }; +neverallow kernel hmdfs:dir ioctl; +neverallow kernel hmdfs:file ioctl; +allow kernel data_service_el2_hmdfs:dir { create_dir_perms }; +allow kernel data_service_el2_hmdfs:file { create_file_perms }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..fb809bebc915e223c23916db3e606a18bbbb5a4f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr storage_manager:binder { transfer }; +allow normal_hap_attr sa_file_access_service:samgr_class { get }; +allow normal_hap_attr system_core_hap_data_file_attr:file { getattr read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/samgr.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..7a958aef521d50dc1b0e4299bd3ac59c7c047aef --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/samgr.te @@ -0,0 +1,24 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=242 comm="samgr" name="260" dev="proc" ino=23041 scontext=u:r:samgr:s0 tcontext=u:r:init:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=242 comm="samgr" name="current" dev="proc" ino=23077 scontext=u:r:samgr:s0 tcontext=u:r:init:s0 tclass=file permissive=1 +#avc: denied { open } for pid=242 comm="samgr" path="/proc/260/attr/current" dev="proc" ino=23077 scontext=u:r:samgr:s0 tcontext=u:r:init:s0 tclass=file permissive=1 +allow samgr init:dir { read_dir_perms search }; +allow samgr init:file { open read }; + +#avc: denied { transfer } for pid=233 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:init:s0 tclass=binder permissive=1 +allow samgr init:binder { transfer }; + +#avc: denied { getattr } for pid=233 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:init:s0 tclass=process permissive=1 +allow samgr init:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/sdc.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/sdc.te new file mode 100644 index 0000000000000000000000000000000000000000..3683385241cbe538ec33932de18b28d29d9eed37 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/sdc.te @@ -0,0 +1,30 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sdc hmdfs:dir { read search setattr getattr mounton }; +allow sdc vfat:dir { read search setattr getattr mounton }; +allow sdc exfat:dir { read search setattr getattr mounton }; +allow sdc ntfs:dir { read search setattr getattr mounton }; + +#avc: denied { call } for pid=292 comm="sdc" scontext=u:r:init:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +allow sdc samgr:binder { call }; +allow sdc storage_daemon:binder { call }; + +#avc: denied { read } for pid=260 comm="sdc" path="/system/bin/sdc" dev="mmcblk0p6" ino=354 scontext=u:r:init:s0 tcontext=u:object_r:sdc_exec:s0 tclass=file permissive=1 +allow sdc system_bin_file:file { read }; +allow sdc toybox_exec:file { getattr map read open }; + +allow sdc sdc:process { setexec }; +allow sdc hilog_param:file { map open read }; +allow sdc sa_foundation_abilityms:samgr_class { get }; +allow sdc sa_storage_manager_daemon:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..79e9448d7472661f944b153eaec5e000f6cb3c81 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_daemon.te @@ -0,0 +1,374 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon hmdfs:dir { create_dir_perms_without_ioctl mounton }; +neverallow storage_daemon hmdfs:dir ioctl; +allow storage_daemon vfat:dir { read search setattr getattr mounton }; +allow storage_daemon exfat:dir { read search setattr getattr mounton }; +allow storage_daemon ntfs:dir { read search setattr getattr mounton }; +allow storage_daemon hmdfs:filesystem { unmount }; +allow storage_daemon tmpfs:filesystem { unmount }; +allow storage_daemon hmdfs:file { mounton }; +allow storage_daemon data_service_el2_hmdfs:file { mounton }; +allow storage_daemon data_user_file:file { mounton }; +allow storage_daemon data_app_el1_file:file { mounton }; +allow storage_daemon data_local_arkcache:file { mounton }; +allow storage_daemon data_local_arkprofile:file { mounton }; +allow storage_daemon data_local:file { mounton }; +allow storage_daemon normal_hap_data_file_attr:file { mounton }; +allow storage_daemon system_core_hap_data_file_attr:file { mounton }; +allow storage_daemon system_basic_hap_data_file_attr:file { mounton }; + +neverallow { domain -storage_manager -hidumper_service -samgr -init -sdc -foundation -useriam } storage_daemon:{ binder } call; + +allow storage_daemon domain:file { read open }; +allow storage_daemon domain:dir { search read open }; +allow storage_daemon domain:lnk_file { read }; +allow storage_daemon domain:process { sigkill }; + +#avc: denied { call } for pid=255 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow storage_daemon accesstoken_service:binder { call }; + +#avc: denied { search } for pid=2218 comm="blkid" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=257 comm="storage_daemon" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow storage_daemon data_file:dir { search read open ioctl }; + +#avc: denied { search } for pid=2218 comm="blkid" name="init_agent" dev="mmcblk0p11" ino=16321 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1 +allow storage_daemon data_init_agent:dir { search }; +#avc: denied { read append open } for pid=2218 comm="blkid" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=16 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=2218 comm="blkid" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=16 ioctlcmd=0x5413 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +allow storage_daemon data_init_agent:file { read append open ioctl }; + +#avc: denied { read open } for pid=1476 comm="event_runner#1" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130633 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=241 comm="storage_daemon" name="el2" dev="mmcblk0p11" ino=130568 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=182 comm="kworker/u8:5" path="/data/service/el2/100/hmdfs/account/data" dev="mmcblk0p11" ino=1044557 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 +#avc: denied { rmdir } for pid=254 comm="storage_daemon" name="101" dev="mmcblk0p11" ino=914136 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow storage_daemon data_service_el2_file:file { create_file_perms }; +allow storage_daemon data_service_el1_file:file { create_file_perms relabelto relabelfrom }; +allow storage_daemon data_service_el2_file:dir { rw_dir_perms rmdir ioctl getattr search rename }; +allow storage_daemon data_service_el1_file:dir { rw_dir_perms rmdir ioctl getattr search rename relabelto relabelfrom }; +allow storage_daemon data_service_el3_file:file { create_file_perms }; +allow storage_daemon data_service_el3_file:dir { rw_dir_perms rmdir ioctl getattr search rename }; +allow storage_daemon data_service_el4_file:file { create_file_perms }; +allow storage_daemon data_service_el4_file:dir { rw_dir_perms rmdir ioctl getattr search rename }; + +#avc: denied { ioctl } for pid=271 comm="OS_IPC_1_302" path="/data/service/el5/101" dev="mmcblk0p15" ino=3343 ioctlcmd=0x6613 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el5_file:s0 tclass=dir permissive=1 +allow storage_daemon data_service_el5_file:dir { rw_dir_perms rmdir ioctl getattr search rename }; +allowxperm storage_daemon data_service_el5_file:dir ioctl { 0x6613 }; + +allow storage_daemon data_data_file:file { create_file_perms relabelto relabelfrom }; +allow storage_daemon data_data_file:dir { rw_dir_perms rmdir ioctl getattr search rename relabelto relabelfrom }; +allowxperm storage_daemon data_data_file:dir ioctl { 0x5705 }; + +#avc: denied { create } for pid=246 comm="storage_daemon" name="fscrypt_version" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { write open } for pid=246 comm="storage_daemon" path="/data/service/el0/storage_daemon/sd/fscrypt_version" dev="mmcblk0p11" ino=1044790 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=246 comm="storage_daemon" path="/data/service/el0/storage_daemon/sd/fscrypt_version" dev="mmcblk0p11" ino=1044790 ioctlcmd=0x5413 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=246 comm="storage_daemon" name="fscrypt_version" dev="mmcblk0p11" ino=1044790 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=246 comm="storage_daemon" path="/data/service/el0/huks_service/root_encrypt_key" dev="mmcblk0p11" ino=1044791 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=246 comm="storage_daemon" path="/data/service/el0/huks_service/root_encrypt_key" dev="mmcblk0p11" ino=1044791 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { create } for pid=249 comm="storage_daemon" name="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +allow storage_daemon data_service_el0_file:dir { rw_dir_perms rmdir ioctl getattr search rename create relabelfrom }; +allow storage_daemon data_service_el0_file:file { create write open ioctl setattr read getattr relabelfrom }; + +#avc: denied { read open } for pid=1875 comm="event_runner#1" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130643 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=3372 comm="kworker/u8:4" path="/data/service/el2/100/hmdfs/account/data" dev="mmcblk0p11" ino=130644 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=7 comm="kworker/u8:0" name="account" dev="mmcblk0p11" ino=130642 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=7 comm="kworker/u8:0" path=2F646174612F736572766963652F656C322F3130302F686D6466732F63616368652F6163636F756E745F63616368652F23313330373335202864656C6574656429 dev="mmcblk0p11" ino=130735 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=file permissive=1 +allow storage_daemon data_service_el2_hmdfs:dir { create_dir_perms }; +allow storage_daemon data_service_el2_hmdfs:file { create_file_perms }; + +#avc: denied { search } for pid=257 comm="storage_daemon" name="huks_service" dev="mmcblk0p11" ino=1044496 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el1_public_huksService_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=257 comm="storage_daemon" path="/data/service/el1/public/huks_service/maindata/root_encrypt_key" dev="mmcblk0p11" ino=1044535 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el1_public_huksService_file:s0 tclass=file permissive=1 +allow storage_daemon data_service_el1_public_huksService_file:dir { search }; +allow storage_daemon data_service_el1_public_huksService_file:file { getattr read open }; + +#avc: denied { search } for pid=257 comm="storage_daemon" name="huks_service" dev="mmcblk0p11" ino=1044496 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_public_huksService_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=257 comm="storage_daemon" path="/data/service/el2/huks_service/maindata/root_encrypt_key" dev="mmcblk0p11" ino=1044535 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_el2_public_huksService_file:s0 tclass=file permissive=1 +allow storage_daemon data_service_el2_public_huksService_file:dir { search }; +allow storage_daemon data_service_el2_public_huksService_file:file { getattr read open unlink }; + +allow storage_daemon data_service_el2_userId_huksService_file:dir { getattr open read search rmdir write remove_name }; +allow storage_daemon data_service_el2_userId_huksService_file:file { getattr open read unlink }; + +allow storage_daemon data_service_el4_userId_huksService_file:dir { getattr open read search rmdir write remove_name }; +allow storage_daemon data_service_el4_userId_huksService_file:file { getattr open read unlink }; + +#avc: denied { search } for pid=257 comm="storage_daemon" name="huks_service" dev="mmcblk0p11" ino=1044496 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_data_huksService_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=257 comm="storage_daemon" path="/data/data/huks_service/maindata/root_encrypt_key" dev="mmcblk0p11" ino=1044535 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_data_huksService_file:s0 tclass=file permissive=1 +allow storage_daemon data_data_huksService_file:dir { search }; +allow storage_daemon data_data_huksService_file:file { getattr read open unlink }; + +#avc: denied { read open } for pid=1789 comm="event_runner#1" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=913996 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 +allow storage_daemon data_user_file:file { create_file_perms }; +allow storage_daemon data_user_file:dir { create_dir_perms }; + +#avc: denied { read } for pid=246 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:device_usage_stats_service:s0 tclass=file permissive=1 +allow storage_daemon device_usage_stats_service:file { read }; +#avc: denied { search } for pid=246 comm="storage_daemon" name="306" dev="proc" ino=1476 scontext=u:r:storage_daemon:s0 tcontext=u:r:device_usage_stats_service:s0 tclass=dir permissive=1 +allow storage_daemon device_usage_stats_service:dir { search }; +#avc: denied { read } for pid=246 comm="storage_daemon" name="48" dev="proc" ino=34994 scontext=u:r:storage_daemon:s0 tcontext=u:r:device_usage_stats_service:s0 tclass=lnk_file permissive=1 +allow storage_daemon device_usage_stats_service:lnk_file { read }; + +#avc: denied { search } for pid=249 comm="storage_daemon" name="socket" dev="tmpfs" ino=40 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow storage_daemon dev_unix_socket:dir { search }; + +#avc: denied { write search } for pid=241 comm="storage_daemon" name="block" dev="tmpfs" ino=7 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1 +#avc: denied { add_name search } for pid=241 comm="storage_daemon" name="disk-8-0" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1 +allow storage_daemon dev_block_volfile:dir { rw_dir_perms }; + +#avc: denied { use } for pid=7 comm="kworker/u8:0" path=2F646174612F736572766963652F656C322F3130302F686D6466732F63616368652F6163636F756E745F63616368652F23313330373335202864656C6574656429 dev="mmcblk0p11" ino=130735 scontext=u:r:storage_daemon:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=fd permissive=1 +allow storage_daemon distributedfiledaemon:fd { use }; + +#conflict +#avc: denied { create } for pid=241 comm="storage_daemon" name="disk-8-0" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { read } for pid=241 comm="storage_daemon" name="disk-8-0" dev="tmpfs" ino=508 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { read open } for pid=2061 comm="blkid" path="/dev/block/vol-8-2" dev="tmpfs" ino=502 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { getattr } for pid=2061 comm="blkid" path="/dev/block/vol-8-2" dev="tmpfs" ino=502 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +allow storage_daemon dev_block_volfile:blk_file { create rw_file_perms unlink }; + +#avc: denied { search } for pid=241 comm="storage_daemon" name="service" dev="mmcblk0p11" ino=130561 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow storage_daemon data_service_file:dir { search }; + +#avc: denied { remove_name } for pid=254 comm="storage_daemon" name="database" dev="mmcblk0p11" ino=132176 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=257 comm="storage_daemon" name="base" dev="mmcblk0p11" ino=523949 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 +allow storage_daemon data_app_el1_file:dir { rw_dir_perms rmdir ioctl }; +allow storage_daemon data_app_el2_file:dir { rw_dir_perms rmdir ioctl }; +allow storage_daemon data_app_el3_file:dir { rw_dir_perms rmdir ioctl }; +allow storage_daemon data_app_el4_file:dir { rw_dir_perms rmdir ioctl }; + +#avc: denied { ioctl } for pid=271 comm="OS_IPC_1_302" path="/data/app/el5/101" dev="mmcblk0p15" ino=3342 ioctlcmd=0x6613 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_app_el5_file:s0 tclass=dir permissive=1 +allow storage_daemon data_app_el5_file:dir { rw_dir_perms rmdir ioctl }; +allowxperm storage_daemon data_app_el5_file:dir ioctl { 0x6613 }; + +#avc: denied { remove_name } for pid=254 comm="storage_daemon" name="101" dev="mmcblk0p11" ino=262719 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_chipset_el1_file:s0 tclass=dir permissive=1 +#avc: denied { rmdir } for pid=254 comm="storage_daemon" name="101" dev="mmcblk0p11" ino=262719 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_chipset_el1_file:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=254 comm="storage_daemon" name="101" dev="mmcblk0p11" ino=391690 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:data_chipset_el2_file:s0 tclass=dir permissive=1 +allow storage_daemon data_chipset_el1_file:dir { rmdir rw_dir_perms ioctl }; +allow storage_daemon data_chipset_el2_file:dir { rmdir rw_dir_perms ioctl }; + +#avc: denied { search } for pid=259 comm="storage_daemon" name="547" dev="proc" ino=36346 scontext=u:r:storage_daemon:s0 tcontext=u:r:dslm_service:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=259 comm="storage_daemon" name="cwd" dev="proc" ino=40910 scontext=u:r:storage_daemon:s0 tcontext=u:r:dslm_service:s0 tclass=lnk_file permissive=1 +#avc: denied { read } for pid=259 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:dslm_service:s0 tclass=file permissive=1 +allow storage_daemon dslm_service:dir { search }; +allow storage_daemon dslm_service:lnk_file { read }; +allow storage_daemon dslm_service:file { read }; + +#avc: denied { mount } for pid=256 comm="storage_daemon" name="/" dev="sda1" ino=1 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=1 +allow storage_daemon exfat:filesystem { mount unmount }; +allow storage_daemon vfat:filesystem { mount unmount }; +allow storage_daemon ntfs:filesystem { mount unmount }; +allow storage_daemon sharefs:filesystem { mount }; + +#avc: denied { search } for pid=259 comm="storage_daemon" name="243" dev="proc" ino=36785 scontext=u:r:storage_daemon:s0 tcontext=u:r:hilogd:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=257 comm="storage_daemon" path="/proc/245/maps" dev="proc" ino=43286 scontext=u:r:storage_daemon:s0 tcontext=u:r:hilogd:s0 tclass=file permissive=0 +#avc: denied { read } for pid=257 comm="storage_daemon" name="cwd" dev="proc" ino=43287 scontext=u:r:storage_daemon:s0 tcontext=u:r:hilogd:s0 tclass=lnk_file permissive=0 +allow storage_daemon hilogd:dir { search read open }; +allow storage_daemon hilogd:file { getattr open read }; +allow storage_daemon hilogd:lnk_file { read }; + + +#avc: denied { call } for pid=257 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow storage_daemon huks_service:binder { call }; + +#avc: denied { getattr } for pid=179 comm="kworker/u8:3" path="/mnt/hmdfs/100/account/device_view/local/files/Camera/IMG_2022629_152726.jpg" dev="hmdfs" ino=2305843009213824715 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +#avc: denied { read } for pid=179 comm="kworker/u8:3" name="IMG_2022629_152726.jpg" dev="hmdfs" ino=2305843009213824715 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +#avc: denied { read write } for pid=179 comm="kworker/u8:3" name="IMG_2022629_152726.jpg" dev="hmdfs" ino=2305843009213824715 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +#avc: denied { read write open } for pid=179 comm="kworker/u8:3" path="/mnt/hmdfs/100/account/device_view/local/files/Camera/IMG_2022629_152726.jpg" dev="hmdfs" ino=2305843009213824715 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +allow storage_daemon hmdfs:file { create_file_perms_without_ioctl }; +neverallow storage_daemon hmdfs:file ioctl; + +#avc: denied { read } for pid=253 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:init:s0 tclass=file permissive=0 +allow storage_daemon init:file { open read }; +#avc: denied { read } for pid=253 comm="storage_daemon" name="fd" dev="proc" ino=35228 scontext=u:r:storage_daemon:s0 tcontext=u:r:init:s0 tclass=dir permissive=1 +allow storage_daemon init:dir { open read search }; +#avc: denied { read } for pid=253 comm="storage_daemon" name="exe" dev="proc" ino=35227 scontext=u:r:storage_daemon:s0 tcontext=u:r:init:s0 tclass=lnk_file permissive=1 +allow storage_daemon init:lnk_file { read }; + +#avc: denied { search } for pid=241 comm="storage_daemon" name="32" dev="proc" ino=25299 scontext=u:r:storage_daemon:s0 tcontext=u:r:kernel:s0 tclass=dir permissive=1 +allow storage_daemon kernel:dir { open read search }; +#avc: denied { read open } for pid=257 comm="storage_daemon" path="/proc/1752/maps" dev="proc" ino=33499 scontext=u:r:storage_daemon:s0 tcontext=u:r:kernel:s0 tclass=file permissive=1 +allow storage_daemon kernel:file { open read }; +#avc: denied { read } for pid=241 comm="storage_daemon" name="root" dev="proc" ino=33070 scontext=u:r:storage_daemon:s0 tcontext=u:r:kernel:s0 tclass=lnk_file permissive=1 +allow storage_daemon kernel:lnk_file { read }; +#avc: denied { module_request } for pid=255 comm="storage_daemon" kmod="crypto-hmac(sha512)" scontext=u:r:storage_daemon:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 +allow storage_daemon kernel:system { module_request }; + +#avc: denied { read } for pid=255 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:pin_auth_host:s0 tclass=file permissive=1 +allow storage_daemon pin_auth_host:file { read }; + +#avc: denied { search } for pid=257 comm="storage_daemon" name="fd" dev="proc" ino=31594 scontext=u:r:storage_daemon:s0 tcontext=u:r:audio_server:s0 tclass=dir permissive=1 +allow storage_daemon audio_server:dir { search }; +#avc: denied { read } for pid=257 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +allow storage_daemon audio_server:file { read }; +#avc: denied { read } for pid=257 comm="storage_daemon" name="16" dev="proc" ino=31611 scontext=u:r:storage_daemon:s0 tcontext=u:r:audio_server:s0 tclass=lnk_file permissive=1 +allow storage_daemon audio_server:lnk_file { read }; + +#avc: denied { read } for pid=257 comm="storage_daemon" name="54" dev="proc" ino=35056 scontext=u:r:storage_daemon:s0 tcontext=u:r:render_service:s0 tclass=lnk_file permissive=1 +allow storage_daemon render_service:lnk_file { read }; +#avc: denied { read } for pid=257 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:render_service:s0 tclass=file permissive=1 +allow storage_daemon render_service:file { read }; + +#avc: denied { get } for service=3510 pid=253 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=0 +allow storage_daemon sa_huks_service:samgr_class { get }; + +#avc: denied { get } for service=5003 pid=250 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=0 +allow storage_daemon sa_storage_manager_service:samgr_class { get }; + +#avc: denied { read } for pid=241 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:screenlock_server:s0 tclass=file permissive=1 +allow storage_daemon screenlock_server:file { read }; +#avc: denied { search } for pid=241 comm="storage_daemon" name="533" dev="proc" ino=18171 scontext=u:r:storage_daemon:s0 tcontext=u:r:screenlock_server:s0 tclass=dir permissive=1 +allow storage_daemon screenlock_server:dir { search }; +#avc: denied { read } for pid=241 comm="storage_daemon" name="0" dev="proc" ino=32305 scontext=u:r:storage_daemon:s0 tcontext=u:r:screenlock_server:s0 tclass=lnk_file permissive=1 +allow storage_daemon screenlock_server:lnk_file { read }; + +#avc: denied { setattr } for pid=259 comm="storage_daemon" name="cmd" dev="sysfs" ino=33495 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sys_fs_hmdfs:s0 tclass=file permissive=1 +allow storage_daemon sys_fs_hmdfs:file { setattr }; + +#avc: denied { search } for pid=246 comm="storage_daemon" name="1692" dev="proc" ino=25045 scontext=u:r:storage_daemon:s0 tcontext=u:r:system_basic_hap:s0 tclass=dir permissive=1 +allow storage_daemon system_basic_hap_attr:dir { search }; +#avc: denied { read } for pid=246 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:system_basic_hap:s0 tclass=file permissive=1 +allow storage_daemon system_basic_hap_attr:file { read }; + +#avc: denied { read } for pid=2061 comm="blkid" path="/system/bin/blkid" dev="mmcblk0p6" ino=122 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=1662 comm="storage_daemon" name="restorecon" dev="mmcblk0p6" ino=335 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1662 comm="storage_daemon" path="/system/bin/restorecon" dev="mmcblk0p6" ino=335 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1662 comm="restorecon" path="/system/bin/restorecon" dev="mmcblk0p6" ino=335 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow storage_daemon system_bin_file:file { read execute open execute_no_trans map }; +allow storage_daemon toybox_exec:file { read execute open execute_no_trans getattr map }; + +#avc: denied { getattr } for pid=256 comm="storage_daemon" path="/sys/devices/platform/fd800000.usb/usb1/1-1/1-1:1.0/host1/target1:0:0/1:0:0:0/vendor" dev="sysfs" ino=32018 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow storage_daemon sys_file:file { getattr read }; + +#avc: denied { call } for pid=249 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_manager:s0 tclass=binder permissive=1 +allow storage_daemon storage_manager:binder { call }; + +#avc: denied { read } for pid=241 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:system_core_hap:s0 tclass=file permissive=1 +allow storage_daemon system_core_hap_attr:file { open read }; +#avc: denied { search } for pid=241 comm="storage_daemon" name="1875" dev="proc" ino=28270 scontext=u:r:storage_daemon:s0 tcontext=u:r:system_core_hap:s0 tclass=dir permissive=1 +allow storage_daemon system_core_hap_attr:dir { search }; +#avc: denied { read } for pid=254 comm="storage_daemon" name="cwd" dev="proc" ino=52653 scontext=u:r:storage_daemon:s0 tcontext=u:r:system_core_hap:s0 tclass=lnk_file permissive=0 +allow storage_daemon system_core_hap_attr:lnk_file { read }; + +#avc: denied { read } for pid=254 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow storage_daemon storage_daemon:netlink_kobject_uevent_socket { read }; + +#conflict +#avc: denied { dac_read_search } for pid=241 comm="storage_daemon" capability=2 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=capability permissive=1 +#avc: denied { mknod } for pid=241 comm="storage_daemon" capability=27 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=capability permissive=1 +#avc: denied { sys_ptrace } for pid=246 comm="storage_daemon" capability=19 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=capability permissive=1 +#avc: denied { dac_override } for pid=2028 comm="blkid" capability=1 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_daemon:s0 tclass=capability permissive=1 +allow storage_daemon storage_daemon:capability { mknod dac_read_search sys_ptrace dac_override setgid setuid kill }; + +#avc: denied { remove_name } for pid=256 comm="storage_daemon" name="F7BC-FF57" dev="tmpfs" ino=406 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow storage_daemon tmpfs:dir { remove_name rmdir }; + +#avc: denied { search } for pid=259 comm="storage_daemon" name="235" dev="proc" ino=36779 scontext=u:r:storage_daemon:s0 tcontext=u:r:watchdog_service:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=257 comm="storage_daemon" path="/proc/237/maps" dev="proc" ino=43261 scontext=u:r:storage_daemon:s0 tcontext=u:r:watchdog_service:s0 tclass=file permissive=0 +#avc: denied { read } for pid=257 comm="storage_daemon" name="cwd" dev="proc" ino=43262 scontext=u:r:storage_daemon:s0 tcontext=u:r:watchdog_service:s0 tclass=lnk_file permissive=0 +allow storage_daemon watchdog_service:dir { search read open }; +allow storage_daemon watchdog_service:file { open }; +allow storage_daemon watchdog_service:lnk_file { read }; + +#avc: denied { read } for pid=258 comm="storage_daemon" name="com.ohos.launcher" dev="mmcblk0p11" ino=654143 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0 +allow storage_daemon normal_hap_data_file_attr:dir { create_dir_perms getattr open read remove_name rmdir search setattr write }; +allow storage_daemon normal_hap_data_file_attr:file { create_file_perms open read getattr setattr unlink }; +allow storage_daemon system_basic_hap_data_file_attr:dir { create_dir_perms getattr open read remove_name rmdir search setattr write }; +allow storage_daemon system_basic_hap_data_file_attr:file { create_file_perms open read getattr setattr unlink }; +allow storage_daemon system_core_hap_data_file_attr:dir { create_dir_perms getattr open read remove_name rmdir search setattr write }; +allow storage_daemon system_core_hap_data_file_attr:file { create_file_perms open read getattr setattr unlink }; +allow storage_daemon labeledfs:filesystem { unmount quotaget quotamod }; +allow storage_daemon sharefs:filesystem { unmount }; +allow storage_daemon sharefs:dir { create_dir_perms mounton }; +allow storage_daemon sharefs_file_attr:dir { create_dir_perms_without_ioctl mounton }; +allow storage_daemon data_service_el2_share:dir { create_dir_perms mounton relabelto }; +allow storage_daemon sharefs:file { create_file_perms }; +allow storage_daemon sharefs_file_attr:file { create_file_perms_without_ioctl }; +allow storage_daemon data_service_el2_share:file { create_file_perms mounton }; +# avc: denied { call } for pid=2153 comm="IPC_1_2158" scontext=u:r:storage_daemon:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1 +# avc: denied { mounton } for pid=2060 comm="storage_daemon" path="/mnt/hmdfs/100/cloud" dev="fuse" ino=1668 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { read write } for pid=2153 comm="storage_daemon" path="/dev/console" dev="tmpfs" ino=27 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +# avc: denied { read } for pid=2153 comm="storage_daemon" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# { open } for pid=2153 comm="storage_daemon" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=2153 comm="storage_daemon" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { get } for service=5205 pid=249 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sa_filemanagement_cloud_daemon_service:s0 tclass=samgr_class permissive=0 +allow storage_daemon dev_console_file:chr_file { read write }; +allow storage_daemon musl_param:file { open read map}; +allow storage_daemon sa_filemanagement_cloud_daemon_service:samgr_class { get }; +allow storage_daemon sa_ca_daemon_service:samgr_class { get }; + +# avc: denied { relabelfrom } for pid=250 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1 +# avc: denied { relabelto } for pid=250 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=filesystem permissive=1 +# avc: denied { relabelfrom } for pid=253 comm="IPC_1_271" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:hmdfs:s0 tclass=filesystem permissive=0 +allow storage_daemon unlabeled:filesystem { relabelfrom }; +allow storage_daemon hmdfs:filesystem { relabelfrom relabelto }; +# avc: denied { add_name } for pid=250 comm="storage_daemon" name="3056-3B24" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { create } for pid=250 comm="storage_daemon" name="3056-3B24" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { mounton } for pid=250 comm="storage_daemon" path="/mnt/data/external/3056-3B24" dev="tmpfs" ino=307 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=250 comm="storage_daemon" name="external" dev="tmpfs" ino=57 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=250 comm="storage_daemon" name="external" dev="tmpfs" ino=57 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +allow storage_daemon permissions_mount_file_attr:dir { add_name create mounton search write relabelto relabelfrom }; + +# avc: denied { read } for pid=267 comm="IPC_2_767" name="public" dev="mmcblk0p14" ino=70 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=267 comm="IPC_2_767" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=70 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { ioctl } for pid=267 comm="IPC_2_767" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=70 ioctlcmd=0x581f scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { ioctl } for pid=269 comm="IPC_2_822" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=70 ioctlcmd=0x5820 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { ioctl } for pid=269 comm="IPC_2_822" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=70 ioctlcmd=0x6601 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { ioctl } for pid=269 comm="IPC_2_822" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=70 ioctlcmd=0x6602 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +allow storage_daemon share_public_file:dir { read open ioctl }; +allowxperm storage_daemon share_public_file:dir ioctl { 0xf546 0xf547 0x581f 0x5820 0x6601 0x6602 }; + +# avc: denied { write } for pid=544 comm="storage_daemon" name="kmsg" dev="tmpfs" ino=116 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +# avc: denied { open } for pid=544 comm="storage_daemon" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow storage_daemon dev_kmsg_file:chr_file { write open }; +allow storage_daemon medialibrary_hap:fd { use }; +allow storage_daemon hap_file_attr:dir { mounton getattr open read remove_name rmdir search setattr write }; +allow storage_daemon hap_file_attr:file { open read getattr setattr unlink }; +allow storage_daemon proc_drop_caches_file:file { open ioctl getattr write }; +allowxperm storage_daemon proc_drop_caches_file:file ioctl { 0x5413 }; + +allow storage_daemon foundation:binder { call transfer }; +allow storage_daemon foundation:fd { use }; +allow storage_daemon sa_foundation_bms:samgr_class { get }; +allow storage_daemon tracefs:dir { search }; +allow storage_daemon data_service_el2_file:file { relabelfrom }; +allow storage_daemon data_service_el4_file:file { relabelfrom }; +allow storage_daemon data_service_el2_hmdfs:file { read open write }; +allow storage_daemon data_service_el2_hmdfs:lnk_file { unlink rename }; + +storage_daemon_relabel(data_service_el2_share); + +allow storage_daemon data_app_el2_file:file { unlink }; +allow storage_daemon data_chipset_el2_file:file { unlink }; +allow storage_daemon data_app_el5_file:file { unlink }; +allow storage_daemon data_file:dir { create relabelfrom setattr write add_name write remove_name }; +allow storage_daemon el5_filekey_manager:binder { call }; +allow storage_daemon sa_el5_filekey_manager:samgr_class { get }; +allowxperm storage_daemon data_service_storage_daemon_sd_file:file ioctl { 0x5413 0xf546 0xf547 }; +allowxperm storage_daemon data_service_storage_daemon_sd_file:dir ioctl { 0x5413 0xf546 0xf547 }; +allow storage_daemon data_service_storage_daemon_sd_file:dir { add_name search create remove_name rename rmdir getattr setattr open read write relabelto ioctl }; +allow storage_daemon data_service_storage_daemon_sd_file:file { create ioctl setattr unlink getattr open read write relabelto }; +neverallow { domain -storage_daemon -init } data_service_storage_daemon_sd_file:dir { create relabelto }; +neverallow { domain -storage_daemon -init updater_only(`-updater') } data_service_storage_daemon_sd_file:dir { read write getattr rename open add_name remove_name search rmdir }; +neverallow { domain -storage_daemon -init } data_service_storage_daemon_sd_file:file { create ioctl setattr open read write relabelto }; +neverallow { domain -storage_daemon -init updater_only(`-updater') } data_service_storage_daemon_sd_file:file { unlink getattr }; + +neverallow storage_daemon *:process ptrace; + +allow storage_daemon proc_cmdline_file:file { getattr open read }; + +# avc: denied { get } for service=901 pid=627 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:sa_useriam_useridm_service:s0 tclass=samgr_class permissive=0 +allow storage_daemon sa_useriam_useridm_service:samgr_class { get }; +allow storage_daemon useriam:binder { call transfer }; + +#avc: denied { use } for pid=649 comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:storage_daemon:s0 tcontext=u:r:storage_manager:s0 tclass=fd permissive=0 +allow storage_daemon storage_manager:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_manager.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..ec74c5effb499901d199882b544c239561b91726 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/storage_manager.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=241 comm="storage_manager" scontext=u:r:storage_manager:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow storage_manager accesstoken_service:binder { call }; + +#avc: denied { call } for pid=247 comm="storage_manager" scontext=u:r:storage_manager:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow storage_manager foundation:binder { call }; + +#avc: denied { use } for pid=1803 comm="com.ohos.medial" path="/dev/ashmem" dev="tmpfs" ino=190 scontext=u:r:storage_manager:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow storage_manager normal_hap_attr:fd { use }; + +#avc: denied { get } for service=3503 pid=238 scontext=u:r:storage_manager:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow storage_manager sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=401 pid=238 scontext=u:r:storage_manager:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow storage_manager sa_foundation_bms:samgr_class { get }; + +# avc: denied { call } for pid=247 comm="storage_manager" scontext=u:r:storage_manager:s0 tcontext=u:r:storage_daemon:s0 tclass=binder permissive=1 +allow storage_manager storage_daemon:binder { call }; + +# avc: denied { search } for pid=263 comm="storage_manager" name="external" dev="tmpfs" ino=2 scontext=u:r:storage_manager:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +allow storage_manager permissions_mount_file_attr:dir { search }; + +# avc: denied { get } for service=3704 sid=u:r:storage_manager:s0 scontext=u:r:storage_manager:s0 tcontext=u:object_r:sa_screenlock_service:s0 tclass=samgr_class permissive=1 +allow storage_manager sa_screenlock_service:samgr_class { get }; + +# avc: denied { get } for service=200 pid=574 scontext=u:r:storage_manager:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0 +allow storage_manager sa_accountmgr:samgr_class { get }; + +# avc: denied { call } for pid=581 comm="OS_cesComLstnr" scontext=u:r:storage_manager:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +allow storage_manager accountmgr:binder { call }; + +# avc: denied { open } for pid=647, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:storage_manager:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow storage_manager dev_ashmem_file:chr_file { open }; + +# avc: denied { connectto } for pid=632, comm="/system/bin/sa_main" scontext=u:r:storage_manager:s0 tcontext=u:r:appspawn:s0 tclass=unix_stream_socket permissive=1 +allow storage_manager appspawn:unix_stream_socket { connectto }; + +# avc: denied { write } for pid=632, comm="/system/bin/sa_main" path="/dev/unix/socket/AppSpawn" dev="" ino=818 scontext=u:r:storage_manager:s0 tcontext=u:object_r:appspawn_socket:s0 tclass=sock_file permissive=1 +allow storage_manager appspawn_socket:sock_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..090484c3d2d851e12625c34a652da394bf144074 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_basic_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_distributeddata_service:samgr_class { get }; +allow system_basic_hap_attr sa_huks_service:samgr_class { get }; +allow system_basic_hap_attr system_core_hap_attr:binder { call }; +allow system_basic_hap_attr { normal_hap_data_file_attr -dlp_sandbox_hap_data_file }:file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..514d0c15aef07bbcae7f3aea226aee0b65403622 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/system_core_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr dev_unix_socket:sock_file { write }; +allow system_core_hap_attr distributedsche_param:file { open read map }; +allow system_core_hap_attr sa_inputmethod_service:samgr_class { get }; +allow system_core_hap_attr sa_storage_manager_service:samgr_class { get }; +allow system_core_hap_attr inputmethod_service:binder { call }; +allow system_core_hap_attr system_basic_hap_attr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/udevd.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..286fc33b9549828089306252214a172a1e6f7f8d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/udevd.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevd sys_file:dir { read open }; +allow udevd sys_file:file { ioctl write }; +allow udevd dev_block_volfile:dir { search write remove_name }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/ueventd.te b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..6295affa1d9f1593098006ef51ad22e842197833 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/ueventd.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_block_file:dir { create remove_name }; +allow ueventd dev_block_file:blk_file { unlink }; +allow ueventd dev_block_file:lnk_file { read unlink }; +allow ueventd dev_block_volfile:dir { remove_name }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..61b5db9d2a35bd68c4d2ac9d877e327cf7074038 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/storage_service/system/virtfs_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put short path ahead. +# use relative path to mount point. + +genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..dd1ef9472529f77dcf599f35e70c7afd20d7fa6c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/appspawn.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=1129 comm="m.ohos.systemui" path="/data/service/el1/public/wallpaper/0" dev="mmcblk0p15" ino=305 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow appspawn data_service_el1_file:dir { mounton search getattr }; +allow appspawn permissions_mount_file_attr:dir { mounton }; +# avc: denied { add_name } for pid=1344 comm="appspawn" name="Download" scontext=u:r:appspawn:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 +# avc: denied { create } for pid=1344 comm="appspawn" name="Download" scontext=u:r:appspawn:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=1344 comm="appspawn" name="Docs" dev="mmcblk0p14" ino=757 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 +allow appspawn data_user_file:dir { add_name create write }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..315db8c2709c98ae4c8c899ad01ab184b1798b3a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type mnt_external_file, fs_attr, permissions_mount_file_attr; +type share_public_file, file_attr, data_file_attr, permissions_mount_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_access_service.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_access_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3eaa3e3f93c7a6118204ef7be1d99f9d0f6df445 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_access_service.te @@ -0,0 +1,112 @@ +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type file_access_service, sadomain, domain; +allow file_access_service sa_file_access_service:samgr_class { add get }; + +#avc: denied { call } for pid=611 comm="IPC_0_654" scontext=u:r:file_access_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +# avc: denied { use } for pid=1553 comm="external_file_a" path="/dev/ashmem" dev="tmpfs" ino=231 scontext=u:r:normal_hap:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0 +debug_only(` + allow file_access_service sh:binder { call }; + allow normal_hap_attr su:fd { use }; + # avc: denied { transfer } for pid=3205 comm="OS_IPC_6_5177" scontext=u:r:file_access_service:s0 tcontext=u:r:su:s0 tclass=binder permissive=1 + allow file_access_service su:binder { transfer }; +') + +#avc: denied { read } for pid=812 comm="sa_main" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:file_access_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=812 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:file_access_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=812 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:file_access_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow file_access_service musl_param:file { read open map }; + +#avc: denied { open } for pid=685 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=56 scontext=u:r:file_access_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=685 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=56 scontext=u:r:file_access_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=812 comm="sa_main" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=56 scontext=u:r:file_access_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow file_access_service hilog_param:file { read open map }; + +#avc: denied { search } for pid=611 comm="IPC_0_654" name="socket" dev="tmpfs" ino=30 scontext=u:r:file_access_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow file_access_service dev_unix_socket:dir { search }; + +#avc: denied { get } for service=3901 pid=536 scontext=u:r:file_access_service:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow file_access_service sa_param_watcher:samgr_class { get }; + +#avc: denied { dac_read_search } for pid=2108 comm="appspawn" capability=2 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=0 + +#avc: denied { get } for service=3503 pid=550 scontext=u:r:file_access_service:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=0 +allow file_access_service sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { call } for pid=553 comm="IPC_1_665" scontext=u:r:file_access_service:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=0 +allow file_access_service accesstoken_service:binder { call }; + +#avc: denied { get } for service=5010 pid=1841 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_file_access_service:s0 tclass=samgr_class permissive=1 +allow system_core_hap_attr sa_file_access_service:samgr_class { get }; + +#avc: denied { search } for pid=1605 comm="file_access_ser" name="/" dev="tracefs" ino=1 scontext=u:r:file_access_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0 +allow file_access_service tracefs:dir { search }; + +#avc: denied { call } for pid=1558 comm="IPC_0_1559" scontext=u:r:system_core_hap:s0 tcontext=u:r:file_access_service:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=1864 comm="mple.fileaccess" scontext=u:r:system_core_hap:s0 tcontext=u:r:file_access_service:s0 tclass=binder permissive=0 +allow system_core_hap_attr file_access_service:binder { call transfer }; + +#avc: denied { call } for pid=1915 comm="IPC_0_1916" scontext=u:r:file_access_service:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0 +allow file_access_service system_core_hap_attr:binder { call }; + +#avc: denied { write } for pid=1914 comm="file_access_ser" name="trace_marker" dev="tracefs" ino=18561 scontext=u:r:file_access_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1915 comm="file_access_ser" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=17125 scontext=u:r:file_access_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +allow file_access_service tracefs_trace_marker_file:file { open write }; + +#avc: denied { watch } for pid=3065 comm="ager:fileAccess" path="/data/storage/el1/bundle/storage_daemon/uri_dir1" dev="mmcblk0p14" ino=6102 scontext=u:r:normal_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +allow normal_hap_attr share_public_file:dir { watch }; +allow normal_hap_attr share_public_file:file { watch }; + +allow normal_hap_attr sa_file_access_service:samgr_class { get }; + +#avc: denied { watch } for pid=1412 comm="ager:fileAccess" path="/mnt/external/00D7-4E04/uri_dir1" dev="mmcblk1p1" ino=38 scontext=u:r:normal_hap:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +#avc: denied { watch } for pid=1412 comm="ager:fileAccess" path="/mnt/external/00D7-4E04/uri_dir1" dev="mmcblk1p1" ino=38 scontext=u:r:normal_hap:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +allow normal_hap_attr vfat:dir { watch }; +allow normal_hap_attr vfat:file { watch }; +# avc: denied { call } for pid=3057 comm="file_access_ser" scontext=u:r:file_access_service:s0 tcontext=u:r:filemanager_hap:s0 tclass=binder permissive=1 +allow file_access_service hap_domain:binder { call }; + +#avc: denied { watch } for pid=1604 comm="ager:fileAccess" path="/storage/External" dev="tmpfs" ino=2 scontext=u:r:normal_hap:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +allow hap_domain mnt_external_file:dir { watch }; + +#avc: denied { call } for pid=1458 comm="IPC_2_1473" scontext=u:r:system_basic_hap:s0 tcontext=u:r:file_access_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1458 comm="xample.listfile" scontext=u:r:system_basic_hap:s0 tcontext=u:r:file_access_service:s0 tclass=binder permissive=1 +allow hap_domain file_access_service:binder { call transfer }; +#avc: denied { call } for pid=1509 comm="file_access_ser" scontext=u:r:file_access_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow file_access_service hap_domain:binder {call}; + +# avc: denied { open } for pid=1554 comm="IPC_1_1556" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:file_access_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow file_access_service debug_param:file { read open }; +# avc: denied { read } for pid=1554 comm="file_access_ser" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=71 scontext=u:r:file_access_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +allow file_access_service persist_sys_param:file { read }; +# avc: denied { get } for service=180 pid=1473 scontext=u:r:file_access_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow file_access_service sa_foundation_abilityms:samgr_class { get }; +# avc: denied { get } for service=5003 pid=1473 scontext=u:r:file_access_service:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=1 +allow file_access_service sa_storage_manager_service:samgr_class { get }; +# avc: denied { search } for pid=1554 comm="file_access_ser" name="usr" dev="mmcblk0p7" ino=3373 scontext=u:r:file_access_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=0 +allow file_access_service system_usr_file:dir { search }; +# avc: denied { call } for pid=1483 comm="IPC_0_1484" scontext=u:r:file_access_service:s0 tcontext=u:r:storage_manager:s0 tclass=binder permissive=0 +allow file_access_service storage_manager:binder { call }; +# avc: denied { call } for pid=1632 comm="IPC_1_1634" scontext=u:r:file_access_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +allow file_access_service foundation:binder { call transfer }; +# avc: denied { map } for pid=1561 comm="IPC_1_1563" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:file_access_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow file_access_service debug_param:file { map }; +# avc: denied { call } for pid=1534 comm="file_access_ser" scontext=u:r:file_access_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +allow file_access_service hap_domain:binder { call }; + +# avc: denied {transfer} for pid=6408, comm="/system/bin/sa_main" scontext=u:r:file:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 +allow file_access_service hap_domain:binder { transfer }; + +# avc:denied { getopt } for pid=6408,comm="/system/bin/sa_main" scontex=u:r:file_acccess_services:s0 tcontext=u:r:file_access_service:s0 tclass=unix_dgram_socket permissive=1 +allow file_access_service file_access_service:unix_dgram_socket { getopt setopt }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9569eb7dba5571ecb9b2ac0e8610d6c1c97e2c54 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/mnt/data/external(/.*)? u:object_r:mnt_external_file:s0 +/data/service/el1/public/storage_daemon/share/public(/.*)? u:object_r:share_public_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/filesystem.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/filesystem.te new file mode 100644 index 0000000000000000000000000000000000000000..1875a4541544752e3fd68b43f5439043c71175d0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/filesystem.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { associate } for pid=250 comm="storage_daemon" name="3056-3B24" scontext=u:object_r:mnt_external_file:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1 +allow mnt_external_file tmpfs:filesystem { associate }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..2c0fe36ae0d255fa663f03e5909d7c62fc5ba374 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=560 comm="IPC_2_793" scontext=u:r:foundation:s0 tcontext=u:r:file_access_service:s0 tclass=binder permissive=0 +allow foundation file_access_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..709e09685692ef6c4ed6cbb3d7859a77dfb9a305 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hap_domain.te @@ -0,0 +1,32 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# avc: denied { add_name } for pid=20925 comm=".myapplication4" name="test0.txt" scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=20925 comm=".myapplication4" name="public" dev="mmcblk0p14" ino=66 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=20925 comm=".myapplication4" name="public" dev="mmcblk0p14" ino=66 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { create } for pid=20925 comm=".myapplication4" name="test0.txt" scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5180 comm=".myapplication4" path="/storage/Share/test0.txt" dev="mmcblk0p14" ino=2509 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=20925 comm=".myapplication4" name="test0.txt" dev="mmcblk0p14" ino=2509 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:share_public_file:s0 tclass=file permissive=1 +# avc: denied { create } for pid=21851 comm=".myapplication4" name="test1.txt" scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 +# avc: denied { open } for pid=21851 comm=".myapplication4" path="/storage/External/3056-3B24/test1.txt" dev="mmcblk1p1" ino=31 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=21851 comm=".myapplication4" name="test1.txt" dev="mmcblk1p1" ino=31 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 +allow hap_domain permissions_mount_file_attr:file { create open read write getattr lock rename unlink append ioctl setattr }; +allowxperm hap_domain permissions_mount_file_attr:file ioctl { 0x9409 }; +# avc: denied { search } for pid=21054 comm=".myapplication4" name="external" dev="tmpfs" ino=57 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { add_name } for pid=3202 comm=".myapplication4" name="test0.txt" scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=3202 comm=".myapplication4" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=3202 comm=".myapplication4" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 +allow hap_domain permissions_mount_file_attr:dir { add_name search write create rename open read getattr reparent remove_name rmdir }; +allow hap_domain ntfs:file { append setattr }; +allow hap_domain file_access_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..caac6f0460901d6de2f276123de0b2bb8073033b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hdcd.te @@ -0,0 +1,21 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for developer_only version +developer_only(` +allow hdcd tmpfs:dir { search read open getattr }; +allow hdcd hmdfs:dir { search read open getattr }; +allow hdcd data_service_el2_hmdfs:dir { search read open getattr }; +allow hdcd data_user_file:dir { write read add_name create rename open getattr search }; +allow hdcd data_user_file:file { write read map create rename append open getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hidumper.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..94c331f9b2f234ae74fe4432c0fd37cd1d44ace6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/hidumper.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { read } for pid=1731 comm="hidumper" path="pipe:[30548]" dev="pipefs" ino=30548 scontext=u:r:hidumper:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=0 +allow hidumper hdcd:fifo_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/init.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..f4bbb7312548d1cb1121e4dcdb10e1bd4598af7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/init.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_libinput:dir { getattr }; +allow init data_service_el1_file:sock_file { relabelfrom }; +allow init data_udev:file { relabelto }; + +# avc: denied { open } for pid=1 comm="init" path="/mnt/data/external" dev="tmpfs" ino=57 scontext=u:r:init:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1 comm="init" name="external" dev="tmpfs" ino=57 scontext=u:r:init:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { relabelto } for pid=1 comm="init" name="external" dev="tmpfs" ino=57 scontext=u:r:init:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=1 comm="init" name="external" dev="tmpfs" ino=57 scontext=u:r:init:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +allow init mnt_external_file:dir { open read relabelto setattr }; +allow init file_access_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/installs.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..c307219bab553370101e7c185df3296f7a7b4476 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/installs.te @@ -0,0 +1,13 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/kernel.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..3288ecf095de1377869ce39e43e140ac5086f2a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/kernel.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow kernel debugfs_usb:dir { search }; +allow kernel sys_file:dir { open }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..887e5eda7bf097ca4eda4a573f64a3234b80af40 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/normal_hap.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr data_service_el1_file:dir { create read open rename reparent search write rmdir getattr remove_name add_name }; +allow normal_hap_attr data_service_el1_file:file { create read open write unlink getattr rename }; +allow normal_hap_attr vfat:dir { add_name create open read remove_name rename reparent rmdir write search }; +allow normal_hap_attr vfat:file { create getattr read rename open unlink write }; +allow normal_hap_attr sa_storage_manager_service:samgr_class { get }; +allow normal_hap_attr storage_manager:binder { call }; +allow normal_hap_attr exfat:dir { create read open rename reparent search write rmdir getattr remove_name add_name }; +allow normal_hap_attr exfat:file { create read open write unlink getattr rename }; +allow normal_hap_attr data_user_file:dir { rename reparent }; +allow normal_hap_attr ntfs:dir { create read open rename reparent search write rmdir getattr remove_name add_name }; +allow normal_hap_attr ntfs:file { create read open write unlink getattr rename }; + +#avc: denied { open } for pid=1737 comm="ager:fileAccess" path="/mnt/data/external" dev="tmpfs" ino=47 scontext=u:r:normal_hap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=1737 comm="ager:fileAccess" name="external" dev="tmpfs" ino=47 scontext=u:r:normal_hap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow normal_hap_attr tmpfs:dir { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/sh.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..e180d414d834a8e2656d85b8f1247774fe9c2809 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/sh.te @@ -0,0 +1,23 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# for developer_only version +developer_only(` +allow sh tmpfs:dir { search read open getattr }; +allow sh hmdfs:dir { search read open getattr }; +allow sh hmdfs:file { write read map create rename append open getattr }; +allow sh data_service_el2_hmdfs:dir { search read open getattr }; +allow sh data_user_file:dir { write read add_name create rename open getattr search }; +allow sh data_user_file:file { write read map create rename append open getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..2b11f5157c628a11fa0f6a9e9bce53df185e3d91 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/storage_daemon.te @@ -0,0 +1,26 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon dev_block_file:lnk_file { read }; +allow storage_daemon dev_fuse_file:chr_file { open getattr read write }; +allow storage_daemon proc_filesystems_file:file { open read }; +allow storage_daemon dev_block_file:dir { search }; +allow storage_daemon dev_block_file:blk_file { getattr }; +allow storage_daemon unlabeled:filesystem { mount }; +# avc: denied { remove_name } for pid=262 comm="storage_daemon" name="F0C2A58FC2A55A9C" dev="tmpfs" ino=61 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +# avc: denied { rmdir } for pid=262 comm="storage_daemon" name="F0C2A58FC2A55A9C" dev="tmpfs" ino=61 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mnt_external_file:s0 tclass=dir permissive=1 +allow storage_daemon mnt_external_file:dir { remove_name rmdir }; +# avc: denied { getattr } for pid=262 comm="IPC_1_282" path="/data/service/el1/public/storage_daemon/share/public" dev="mmcblk0p14" ino=69 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=262 comm="IPC_1_282" name="public" dev="mmcblk0p14" ino=69 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:share_public_file:s0 tclass=dir permissive=1 +allow storage_daemon share_public_file:dir { getattr setattr }; +allow storage_daemon system_bin_file:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c4f5ede3ed00388cf4366d60dfefe93b222c2d5c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/user_file_service/system/system_core_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr data_service_el1_file:file { read write }; +allow system_core_hap_attr vfat:file { read write }; +allow system_core_hap_attr exfat:file { read write }; +allow system_core_hap_attr ntfs:file { read write }; +# avc: denied { open } for pid=1406 comm="RSRenderThread" path="/sys/devices/system/cpu" dev="sysfs" ino=4915 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1406 comm="RSRenderThread" name="cpu" dev="sysfs" ino=4915 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1 +allow system_core_hap_attr sysfs_devices_system_cpu:dir { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..62ef0c449664f35c68f08e271d38a3aca0701d18 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/appspawn.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn epfs:dir { mounton }; +allow appspawn epfs:filesystem { mount }; +allow appspawn hmdfs:dir { write add_name create }; +allow appspawn data_service_el2_hmdfs:dir { read open write add_name create }; +allow appspawn data_user_file:dir { search read open }; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file.te b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..610c27e17bd549a86309aceaf3ae49e445b7f995 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type mimetype_file, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..21383b42afa7023bb3792275efb68a2d5fc7c933 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/etc/userfilemanager/userfilemanager_mimetypes.json u:object_r:mimetype_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..65a1e3b5aaa212c4191436babf47ea5faf598334 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/normal_hap.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { + domain + -storage_daemon +} data_user_file:file { + never_execute_file +}; + +allow hap_domain data_user_file:dir create_dir_perms; +allow hap_domain data_user_file:file create_file_perms; +allow hap_domain epfs:dir create_dir_perms; +allow hap_domain epfs:file create_file_perms; diff --git a/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..6b3df47dcf851276c7ae6af2f5b993c521c59eb6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/filemanagement/userfile_manager/system/sehap_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=normal name=com.ohos.medialibrary.medialibrarydata domain=medialibrary_hap type=medialibrary_hap_data_file +apl=normal name=com.ohos.medialibrary.medialibrarydata:fileAccess domain=medialibrary_hap type=medialibrary_hap_data_file +apl=normal name=com.ohos.medialibrary.medialibrarydata:backup domain=medialibrary_hap type=medialibrary_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter.te b/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..c183693dd77ee90fbc40124bce08d2a7c198f776 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type i18n_param_tz_override, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..cf49e761c37d03b610c0e17c87451838ac2a17ec --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/public/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.global.tz_override u:object_r:i18n_param_tz_override:s0 diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/public/type.te b/prebuilts/api/5.0/ohos_policy/global/i18n/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..67c8060fd094cac12eab6c2980d08d43e2f2f895 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type i18n_service, sadomain, domain; +type data_service_el1_i18n_timezone_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/debug_hap.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/debug_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0018250edaf43a212fade2a3aa81bf48b1ab0f0a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/debug_hap.te @@ -0,0 +1,21 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow debug_hap system_usr_file:file { open read getattr }; +allow debug_hap system_usr_file:dir { open read getattr }; +allow debug_hap sysfs_devices_system_cpu:file { getattr }; +allow debug_hap sa_i18n_service:samgr_class { get }; +allow debug_hap i18n_service:binder { call }; +allow debug_hap i18n_service:fd { use }; +# avc: denied { getattr } for pid=51567, comm="/system/bin/chrome_crashpad_handler" path="/dev" dev="" ino=0 scontext=u:r:debug_hap:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +allow debug_hap dev_file:dir { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/file_contexts b/prebuilts/api/5.0/ohos_policy/global/i18n/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..85d1ee7e3ff951ba0d1a48bd18c49d164e119825 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/i18n/timezone(/.*)? u:object_r:data_service_el1_i18n_timezone_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/i18n_service.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/i18n_service.te new file mode 100644 index 0000000000000000000000000000000000000000..224667f1f8f34e0d9170096cb109d94e7fea580e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/i18n_service.te @@ -0,0 +1,44 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow i18n_service sa_i18n_service:samgr_class { get add }; +allow i18n_service debug_param:file { open read map }; +allow i18n_service hilog_param:file { open read map }; +allow i18n_service sa_accesstoken_manager_service:samgr_class { get }; +allow i18n_service dev_unix_socket:dir { search }; +allow i18n_service accesstoken_service:binder { call }; +allow i18n_service i18n_param:parameter_service { set }; +allow i18n_service i18n_param_tz_override:parameter_service { set }; +allow i18n_service system_usr_file:dir { search getattr }; +allow i18n_service system_usr_file:file { getattr read open map }; +allow i18n_service sysfs_devices_system_cpu:file { getattr read open map }; +allow i18n_service tracefs:dir { search }; +allow i18n_service paramservice_socket:sock_file { write }; +allow i18n_service kernel:unix_stream_socket { connectto }; +allow i18n_service sa_foundation_appms:samgr_class { get }; +allow i18n_service sa_foundation_cesfwk_service:samgr_class { get }; +allow i18n_service foundation:binder { call }; +allow i18n_service arkcompiler_param:file { map open read }; +allow i18n_service ark_writeable_param:file { map open read }; +allow i18n_service dev_console_file:chr_file { read write }; +allow i18n_service chip_prod_file:dir { search }; +allow i18n_service data_service_el1_file:dir { search write add_name remove_name }; +allow i18n_service data_service_el1_file:file { getattr open read create ioctl rename setattr unlink write }; +allow i18n_service data_service_file:dir { search }; +allow i18n_service dev_kmsg_file:chr_file { write }; +allow i18n_service i18n_service:unix_dgram_socket { getopt setopt }; +allow i18n_service persist_sys_param:file { map open read }; +allow i18n_service sys_prod_file:dir { search }; +allowxperm i18n_service data_service_el1_file:file ioctl 0x5413; +allow i18n_service sa_memory_manager_service:samgr_class { get }; +allow i18n_service memmgrservice:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/init.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..ca9f90231e0dd21554b3e83cbd5a756638ba69dd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init i18n_service:process { transition rlimitinh siginh }; +allow init data_service_el1_i18n_timezone_file:dir { create getattr open read write add_name remove_name rmdir }; +allow init data_service_el1_i18n_timezone_file:file { create getattr map open read write unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..23ef6e4ed98b25afe8e6247ad6dbbb643000a7e9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/normal_hap.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr system_usr_file:file { open read getattr }; +allow normal_hap_attr system_usr_file:dir { open read getattr }; +allow normal_hap_attr sysfs_devices_system_cpu:file { getattr }; +allow normal_hap_attr sa_i18n_service:samgr_class { get }; +allow normal_hap_attr i18n_service:binder { call }; +allow normal_hap_attr i18n_service:fd { use }; +# avc: denied { getattr } for pid=32477, comm="/system/bin/chrome_crashpad_handler" path="/dev" dev="" ino=0 scontext=u:r:normal_hap_attr:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +allow normal_hap_attr dev_file:dir { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..e79e1251301eaa8d427ce3c99189f8f096645e31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/storage_daemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon data_service_el1_i18n_timezone_file:dir { getattr open read search rmdir write remove_name }; +allow storage_daemon data_service_el1_i18n_timezone_file:file { getattr map open read unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9302847ecb26cd28ae02b3a74447697276bafabb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_basic_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr system_usr_file:file { open read getattr }; +allow system_basic_hap_attr system_usr_file:dir { open read getattr }; +allow system_basic_hap_attr sysfs_devices_system_cpu:file { getattr }; +allow system_basic_hap_attr persist_param:parameter_service { set }; +allow system_basic_hap_attr sa_i18n_service:samgr_class { get }; +allow system_basic_hap_attr i18n_service:binder { call }; +allow system_basic_hap_attr hichecker_writable_param:file { map open read }; +allow system_basic_hap_attr i18n_param:parameter_service { set }; +allow system_basic_hap_attr i18n_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..07d997811e1375f23d74019207b60a62bfc81134 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/i18n/system/system_core_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr system_usr_file:file { open read getattr }; +allow system_core_hap_attr system_usr_file:dir { open read getattr }; +allow system_core_hap_attr sysfs_devices_system_cpu:file { getattr }; +allow system_core_hap_attr persist_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/global/system_resources/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/global/system_resources/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..cbd6e6fde48e5c9549207369e27f227a7be50f90 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/global/system_resources/system/normal_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr system_fonts_file:dir { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/attributes b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..3fed7bb91df7fbff60deddfade5836ce3b8322c4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/attributes @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute vendor_etc_vulkan_file_violator_dir_open_read_search; +attribute vendor_etc_vulkan_file_violator_file_getattr_open_read; +attribute vendor_etc_graphic_xengine_file_violator_dir_open_read_serach; diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/file_contexts b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..4baf7f05384c87080e9506fa9202755b3bf48846 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/file_contexts @@ -0,0 +1 @@ +/data/local/shader_cache(/.*)? u:object_r:data_local_shadercache:s0 diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/graphic.te b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/graphic.te new file mode 100644 index 0000000000000000000000000000000000000000..a2e215f831b69e9f3786b2c1d5fdddb817b34c92 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/graphic.te @@ -0,0 +1,19 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type render_service, sadomain, domain; +type render_service_exec, exec_attr, file_attr, system_file_attr; +type sa_render_service, sa_service_attr; +type vendor_etc_vulkan_file, vendor_file_attr, file_attr; +type drawing_engine_sample, file_attr, system_file_attr; +type drawing_sample_replayer, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/shader.te b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/shader.te new file mode 100644 index 0000000000000000000000000000000000000000..784a481cc6db0c31fba5cfbf763c2ad07d27cd29 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/public/shader.te @@ -0,0 +1,18 @@ +# for init +allow init data_local_shadercache:dir { getattr open read relabelto setattr add_name create search write }; + +# for appspawn +allow appspawn data_local_shadercache:dir { search mounton getattr }; + +# for storage_daemon +allow storage_daemon data_local_shadercache:file { mounton }; + +# for render_service +allow render_service data_local:dir { search }; +allow render_service data_local_shadercache:file { create setattr getattr map open read rename unlink write }; +allow render_service data_local_shadercache:dir { create setattr getattr open read add_name remove_name search unlink write rmdir }; + +# for hap_domain +allow hap_domain data_local_shadercache:file { create setattr getattr map open read rename unlink write ioctl lock }; +allow hap_domain data_local_shadercache:dir { create setattr getattr open read add_name remove_name search unlink write rmdir }; +allowxperm hap_domain data_local_shadercache:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/file_contexts b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f5af85f6f8041a814becdddbe99a285d73c1cd55 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/file_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/render_service u:object_r:render_service_exec:s0 + +/system/bin/drawing_engine_sample u:object_r:drawing_engine_sample:s0 + +/system/bin/drawing_sample_replayer u:object_r:drawing_sample_replayer:s0 diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/graphic.te b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/graphic.te new file mode 100644 index 0000000000000000000000000000000000000000..4a787011bbd92251740617b18f3c80bd6119e189 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/graphic.te @@ -0,0 +1,93 @@ +# Copyright (c) 2021-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(render_service); + +allow render_service data_log:file { write }; +allow render_service data_file:dir { search }; +allow render_service dev_ashmem_file:chr_file { open }; +allow render_service dev_dri_file:chr_file { ioctl open read write }; +allow render_service dev_dri_file:dir { search }; +allow render_service dev_graphics_file:chr_file { ioctl }; +allow render_service dev_mali:chr_file { ioctl }; +allow render_service dev_rga:chr_file { ioctl }; +allow render_service dev_unix_socket:dir { search }; +allow render_service dev_unix_socket:sock_file { write }; +allow render_service allocator_host:binder { call }; +allow render_service allocator_host:fd { use }; +allow render_service foundation:binder { call transfer }; +allow render_service foundation:fd { use }; +allow render_service normal_hap_attr:binder { call }; +allow render_service normal_hap_attr:fd { use }; +allow render_service proc_file:file { open read }; +allow render_service render_service:netlink_kobject_uevent_socket { read }; +allow render_service sys_file:file { open read write }; +allow render_service system_basic_hap_attr:binder { call }; +allow render_service system_basic_hap_attr:fd { use }; +allow render_service system_core_hap_attr:binder { call }; +allow render_service system_core_hap_attr:fd { use }; +allow render_service vendor_lib_file:dir { search }; +allow render_service accessibility_param:file { read }; +allow render_service system_fonts_file:dir { open read search }; +allow render_service system_fonts_file:file { getattr map open read }; +allow render_service sa_accessibleabilityms:samgr_class { get }; +allow render_service sa_concurrent_task_service:samgr_class { get }; +allow render_service vendor_bin_file:dir { search }; +allow render_service paramservice_socket:sock_file { write }; +allow render_service kernel:unix_stream_socket { connectto }; +allow render_service debug_param:parameter_service { set }; +allow render_service sa_resource_schedule_socperf_server:samgr_class { get }; +allow render_service persist_param:parameter_service { set }; +allow render_service sa_sensor_service:samgr_class { get }; +allow render_service sensors:binder { call transfer }; +allow render_service hmdfs:file { map write read }; +allow render_service multimodalinput:fd { use }; +allow render_service drawing_engine_sample:file { getattr map open read }; +allow render_service drawing_sample_replayer:file { getattr map open read }; +allow render_service sa_foundation_appms:samgr_class { get }; +allow render_service camera_service:fd { use }; + +debug_only(` + allow render_service sh:fd { use }; +') + +developer_only(` + allow sh debug_param:parameter_service { set }; + allow hdcd render_service:unix_stream_socket { connectto }; +') + +allowxperm render_service dev_dri_file:chr_file ioctl { 0x6409 0x640d 0x641e 0x642e 0x643a 0x64af 0x64b8 0x64bc 0x64bd 0x64be }; +allowxperm render_service dev_graphics_file:chr_file ioctl 0x4611; +allowxperm render_service dev_mali:chr_file ioctl { 0x8002 0x8006 0x8007 0x8016 0x8018 0x8019 0x801b 0x801d 0x801e }; +allowxperm render_service dev_rga:chr_file ioctl 0x5017; + + +hdi_call(render_service, hdf_allocator_service) + +allow render_service vendor_etc_file:dir { search }; +allow render_service vendor_etc_vulkan_file:dir { open read search }; +allow render_service vendor_etc_vulkan_file:file { getattr open read }; + +allow hap_domain vendor_etc_file:dir { search }; +allow hap_domain vendor_etc_vulkan_file:dir { open read search }; +allow hap_domain vendor_etc_vulkan_file:file { getattr open read }; + +neverallow { domain -nwebspawn } vendor_etc_vulkan_file:dir ~{ open read search getattr mounton }; +neverallow { domain } vendor_etc_vulkan_file:file ~{ getattr open read }; +neverallow { domain -hap_domain -render_service -vendor_etc_vulkan_file_violator_dir_open_read_search -nwebspawn } vendor_etc_vulkan_file:dir { open read search }; +neverallow { domain -hap_domain -render_service -init -vendor_etc_vulkan_file_violator_file_getattr_open_read } vendor_etc_vulkan_file:file { getattr open read }; +neverallow { domain -init } vendor_etc_vulkan_file:dir { getattr }; +neverallow { domain -init -nwebspawn } vendor_etc_vulkan_file:dir { mounton }; +neverallow { domain } dev_graphics_file:file ~{ getattr open read }; +neverallow { domain -render_service } drawing_engine_sample:file { getattr map open read }; +neverallow { domain -render_service } drawing_sample_replayer:file { getattr map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..be53b4cc6b73de6a61cd2fd0b861e47e9f7ac60b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/parameter_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug.graphic.overdraw u:object_r:debug_param:s0 +rosen.dirtyregiondebug.enabled u:object_r:debug_param:s0 +rosen.drawingCache.enabledDfx u:object_r:debug_param:s0 +persist.graphic.profiler. u:object_r:debug_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e90f68282263999dd664802e837909b32a8ef826 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr debug_param:parameter_service { set }; +allow system_basic_hap_attr persist_sys_param:parameter_service { set }; + diff --git a/prebuilts/api/5.0/ohos_policy/graphic/graphic/vendor/file_contexts b/prebuilts/api/5.0/ohos_policy/graphic/graphic/vendor/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..543c8f63a475f93bbc0b3c2c70979842cb4b550d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/graphic/graphic/vendor/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/vendor/etc/vulkan(/.*)? u:object_r:vendor_etc_vulkan_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/public/type.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..cdce04234f3aa8cb17aacc3d0163b33966ac8935 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/public/type.te @@ -0,0 +1,43 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################## +## Type define: ## +################## +type faultloggerd, sadomain, domain; + +type faultloggerd_exec, exec_attr, file_attr, system_file_attr; + +type faultloggerd_temp_file, file_attr, data_file_attr; + +type faultloggerd_socket, dev_attr, file_attr; + +type faultloggerd_socket_crash, dev_attr, file_attr; + +type faultloggerd_socket_sdkdump, dev_attr, file_attr; + +init_daemon_domain(faultloggerd); + +type processdump, native_system_domain, domain; + +type processdump_exec, exec_attr, file_attr, system_file_attr; + +domain_auto_transition_pattern(domain, processdump_exec, processdump); + +type dumpcatcher, native_system_domain, domain; + +type dumpcatcher_exec, exec_attr, file_attr, system_file_attr; + +debug_only(` + domain_auto_transition_pattern(su, dumpcatcher_exec, dumpcatcher); +') diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/dumpcatcher.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/dumpcatcher.te new file mode 100644 index 0000000000000000000000000000000000000000..a8a8e860d03cdd6ce87dbe7b242759d9ff756ef7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/dumpcatcher.te @@ -0,0 +1,30 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow dumpcatcher debug_param:file { map open read }; + allow dumpcatcher dev_kmsg_file:chr_file { write }; + allow dumpcatcher dev_ptmx:chr_file { read write }; + allow dumpcatcher dev_unix_socket:dir { search }; + allow dumpcatcher devpts:chr_file { read write }; + allow dumpcatcher faultloggerd:fifo_file { read }; + allow dumpcatcher faultloggerd_socket_sdkdump:sock_file { write }; + allow dumpcatcher su:dir { search read open }; + allow dumpcatcher su:fd { use }; + allow dumpcatcher su:file { getattr open read }; + allow dumpcatcher su:fifo_file { write }; + allow dumpcatcher su:unix_stream_socket { read write }; + allow dumpcatcher tty_device:chr_file { read write }; + allowxperm dumpcatcher dev_bbox:chr_file ioctl 0xab09; + allowxperm dumpcatcher tty_device:chr_file ioctl 0x5413; +') diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..59eeb0f61b76e34930f79386cd37b7ee27450855 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te @@ -0,0 +1,82 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################### +## Macro define: ## +################### +define(`use_faultloggerd', ` + allow $1 faultloggerd:fd use; + allow $1 faultloggerd:unix_stream_socket connectto; + allow $1 faultloggerd_socket:sock_file { getattr write }; +') + +define(`use_faultloggerd_file', ` + allow $1 faultloggerd_temp_file:dir { getattr setattr open read search watch }; + allow $1 faultloggerd_temp_file:file { getattr open read write }; + allow $1 faultloggerd:fifo_file read; +') + +define(`use_faultloggerd_crash', ` + allow $1 faultloggerd:fd use; + allow $1 faultloggerd:unix_stream_socket connectto; + allow $1 faultloggerd_socket_crash:sock_file { getattr write }; +') + +define(`use_faultloggerd_sdkdump', ` + allow $1 faultloggerd:fd use; + allow $1 faultloggerd:unix_stream_socket connectto; + allow $1 faultloggerd_socket_sdkdump:sock_file { getattr write }; +') + +########################################## +## Read/Use/Control faultloggerd rules: ## +########################################## +use_faultloggerd(domain) +use_faultloggerd_crash({ processdump }) +use_faultloggerd_file({ hiview hidumper }) +use_faultloggerd_sdkdump({ hiview hidumper foundation }) + +neverallow { domain -processdump } faultloggerd_socket_crash:sock_file { write read ioctl }; +neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn } faultloggerd_socket_sdkdump:sock_file { write read ioctl }; +######################### +## faultloggerd rules: ## +######################### +allow faultloggerd init:unix_stream_socket { accept getattr getopt listen setopt }; + +allow faultloggerd domain:file { open read }; +allow faultloggerd domain:dir { getattr search }; +allow faultloggerd domain:process signal; + +allow faultloggerd data_file:dir search; +allow faultloggerd data_init_agent:dir search; +allow faultloggerd dev_unix_socket:dir search; +allow faultloggerd data_log:dir search; + +allow faultloggerd tty_device:chr_file { open read write }; +allow faultloggerd system_bin_file:file { execute execute_no_trans getattr map open read }; +allow faultloggerd system_bin_file:lnk_file read; +allow faultloggerd toybox_exec:file { execute execute_no_trans getattr map open read }; +allow faultloggerd toybox_exec:lnk_file read; + +allow faultloggerd data_init_agent:file { append ioctl open read }; +allow faultloggerd dev_unix_socket:sock_file unlink; +allow faultloggerd faultloggerd_socket:sock_file unlink; +allow faultloggerd faultloggerd_socket_crash:sock_file unlink; +allow faultloggerd faultloggerd_socket_sdkdump:sock_file unlink; +allow faultloggerd faultloggerd_temp_file:dir { add_name remove_name write open read search }; +allow faultloggerd faultloggerd_temp_file:file { create getattr setattr write open read unlink }; + +allow faultloggerd_temp_file labeledfs:filesystem { associate }; + +# allow hap apply pipe fd for mix stack +allow hap_domain faultloggerd:fifo_file write; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d090479a45a60e4f9886eadfedabc38d2f8a614a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/file_contexts @@ -0,0 +1,30 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# processdump +/system/bin/processdump u:object_r:processdump_exec:s0 + +# faultloggerd +/system/bin/faultloggerd u:object_r:faultloggerd_exec:s0 + +# faultloggerd file +/data/log/faultlog/temp(/.*)? u:object_r:faultloggerd_temp_file:s0 +/data/log/faultlog/debug(/.*)? u:object_r:faultloggerd_temp_file:s0 + +# faultloggerd socket +/dev/unix/socket/faultloggerd.server u:object_r:faultloggerd_socket:s0 +/dev/unix/socket/faultloggerd.crash.server u:object_r:faultloggerd_socket_crash:s0 +/dev/unix/socket/faultloggerd.sdkdump.server u:object_r:faultloggerd_socket_sdkdump:s0 + +#dumpcatcher +/system/bin/dumpcatcher u:object_r:dumpcatcher_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/foundation.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..03aad5d8dd7493328a0fdc05f88a07434f7f08ff --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation hap_domain:dir { read open }; +allow foundation sadomain:dir { open read getattr search }; +allow foundation sadomain:file { open read getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..7dc519c01da24778b6cafe9405372e2b38f99e97 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +faultloggerd. u:object_r:hiviewdfx_hiview_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..31a7c5ccac6613b78de723a507bc29b5216b6b3a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te @@ -0,0 +1,172 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################### +## Macro define: ## +################### +define(`use_processdump', ` + allow $1 processdump_exec:file { execute getattr map open read }; +') + +define(`processdump_cmd', ` + allow processdump $1:file { getattr map open read }; +') + +######################## +## processdump rules: ## +######################## +use_processdump({ domain -init -kernel }) +processdump_cmd({ + app_el1_bundle_public + arkcompiler_param + ark_writeable_param + chip_prod_file + data_app_el1_file # remove later + data_file + data_service_el1_file + dev_parameters_file + domain + exec_attr + foundation + sys_prod_file + system_bin_file + system_file + system_lib_file + system_usr_file + vendor_bin_file + vendor_file + vendor_lib_file +}) + +#============= domain ================= +allow domain processdump:process { share sigchld }; +allow domain self:fifo_file { write }; +allow domain system_bin_file:dir { search }; +allow processdump { domain -processdump -kernel }:process { ptrace sigstop }; +allow processdump domain:fd use; +allow processdump domain:fifo_file { read write }; +allow processdump domain:dir { getattr open read search }; +allow processdump domain:lnk_file { read }; + +#============= write event to hiview ========= +allow processdump hiview:binder { call transfer }; +allow processdump samgr:binder { call }; +allow processdump hiview:unix_dgram_socket { sendto }; + +#============= for faultloggerd =========== +allow processdump faultloggerd_temp_file:file { getattr open read write }; +allow processdump faultloggerd:fd { use }; +allow processdump faultloggerd:unix_stream_socket { connectto }; +allow processdump faultloggerd_socket:sock_file write; + +#============= processdump ============== +allow processdump processdump_exec:file { entrypoint }; +allow processdump processdump:process { fork }; +allow processdump processdump:dir { search }; +allow processdump processdump:lnk_file { read }; +allow processdump processdump:unix_dgram_socket { create connect write }; +allow processdump processdump:unix_stream_socket { create setopt connect write read }; +allow processdump data_local_arkcache:file { getattr open read map }; +allow processdump data_local_arkcache:dir { search }; +allow processdump data_local_tmp:file { getattr map open read }; + +developer_only(` +allow processdump data_local_tmp:dir { search }; +allow processdump data_local:dir { search }; +') + +#============ hidumper ============== +allow processdump hidumper_service:fifo_file ioctl; + +#============ normal_hap ================= +allow processdump normal_hap_attr:dir { getattr open read search }; +allow processdump normal_hap_attr:file { getattr open read }; +allow processdump app_el1_bundle_public:dir search; +allow processdump data_app_el1_file:dir search; # remove later + +#============ hap_domain ================ +allow processdump hap_domain:lnk_file { read }; + +#============= for hdcd ================ +allow processdump hdcd:fd use; +allow processdump hdcd:fifo_file { read write }; +allow processdump hdcd:file { getattr open read }; +allow processdump hdcd:process ptrace; +allow processdump hdcd:unix_stream_socket { read write }; + +#============= devpts && tty =========== +allow processdump devpts:chr_file { read write }; +allow processdump tty_device:chr_file { read write }; + +#============= init ================ +allow processdump init:dir { getattr open read search }; +allow processdump init:file { getattr open read }; +allow processdump init:netlink_kobject_uevent_socket { read write }; +allow processdump init:unix_dgram_socket { sendto }; +allow processdump init:unix_stream_socket { read write connectto }; + +#============ foundation =========== +allow processdump foundation:dir { getattr open read search }; +allow processdump foundation:binder { call transfer }; +allow processdump sa_foundation_abilityms:samgr_class { get }; + +#============ data_xxx ================== +allow processdump data_file:dir search; +allow processdump data_init_agent:file { append ioctl open read }; +allow processdump data_init_agent:dir search; + +#============ dev_xxx =================== +allow processdump dev_file:dir { search }; +allow processdump dev_null_file:chr_file { read write }; +allow processdump dev_parameters_file:dir { search }; +allow processdump dev_unix_file:dir { search }; +allow processdump dev_unix_socket:dir search; +allow processdump dev_unix_socket:sock_file write; + +#============ sys_xxx ================= +allow processdump sys_prod_file:dir { search }; + +#============ system_xxx ================= +allow processdump system_bin_file:dir search; +allow processdump system_etc_file:dir { getattr open read search }; +allow processdump system_etc_file:file { getattr open read }; +allow processdump system_file:dir { search }; +allow processdump system_lib_file:dir { search }; +allow processdump system_usr_file:dir { search }; + +#============ vendor_xxx ================= +allow processdump vendor_file:dir { getattr open read search }; +allow processdump vendor_bin_file:dir search; +allow processdump vendor_lib_file:dir search; + +#============ proc_file & tmpfs & debugfs =================== +allow processdump proc_file:dir { search }; +allow processdump proc_file:lnk_file { read }; +allow processdump tmpfs:dir { search }; +allow processdump tmpfs:lnk_file { read }; +allow processdump debugfs:dir { search }; + +#============ chip_prod_file =================== +allow processdump chip_prod_file:dir { search }; + +############################ +## neverallow assertions: ## +############################ +neverallow processdump self:process ptrace; +neverallow domain processdump:process noatsecure; +neverallow domain processdump_exec:file execute_no_trans; + +allow processdump hiviewdfx_hiview_param:file { map open read }; + +allow processdump dev_bbox:chr_file { ioctl open write }; +allowxperm processdump dev_bbox:chr_file ioctl 0xab09; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hichecker/public/hichecker.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hichecker/public/hichecker.te new file mode 100644 index 0000000000000000000000000000000000000000..d8a081ab4c59fe5e75b8729d881b5b1f54d1428a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hichecker/public/hichecker.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +#only shell allowed set hichecker param +neverallow { domain -sh } hichecker_writable_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/public/type.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..28069016c4267b70261e11d4e46671fe5c4a853d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/public/type.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hidumper_file, file_attr, data_file_attr; + +type hidumper_exec, exec_attr, file_attr, system_file_attr; + +type hidumper, native_system_domain, sadomain, domain; + +type sa_dfx_sys_hidumper_cpu_ability, sa_service_attr; + +domain_auto_transition_pattern({ native_system_domain sadomain }, hidumper_exec, hidumper); + +# cannot write hidumper files +neverallow { domain -sadomain } hidumper_file:file { write }; + +# cannot execute hidumper +neverallow { domain -sadomain -native_system_domain -sh } hidumper_exec:file { execute }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..8359095b01543d91eb321f0b71139edae5ee2f40 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/accessibility.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility accesstoken_service:binder call; +allow accessibility sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/bgtaskmgr_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/bgtaskmgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3d07d8165a1d70442acd9ddd168fe5b9f3f6ff68 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/bgtaskmgr_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bgtaskmgr_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/distributedfiledaemon.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/distributedfiledaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..75a0b31a81b0fc2bab182521ef592b9eea74f26a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/distributedfiledaemon.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedfiledaemon accesstoken_service:binder call; +allow distributedfiledaemon sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/download_server.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/download_server.te new file mode 100644 index 0000000000000000000000000000000000000000..094c15a835043ee661c80a1c88be9fa26a13ab2f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/download_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow download_server sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/dslm_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/dslm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b7dbadba47a3085401eaff52345189095e45a094 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/dslm_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dslm_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..eeb97a6fd1ef4ab38a587940b7a6fd69b3de97c2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/hidumper u:object_r:hidumper_exec:s0 + +/data/log/hidumper(/.*)? u:object_r:hidumper_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/foundation.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ef67440602b5d07053a4f57fb2feed187e450dab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation hidumper:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hap.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hap.te new file mode 100644 index 0000000000000000000000000000000000000000..28fa88d126699f749ff55b863347b4bc14df06cf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_dfx_sys_hidumper_cpu_ability:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..9fabb80026d91f83cdad6d052264137beced05c4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper.te @@ -0,0 +1,86 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper data_log:file read; +allow hidumper data_log:file append; +allow hidumper data_file:dir search; +allow hidumper data_init_agent:dir search; +allow hidumper data_init_agent:file { append ioctl open read }; + +allow hidumper dev_unix_socket:dir search; +allow hidumper dev_unix_socket:sock_file write; + +allow hidumper devpts:chr_file { read write }; + +allow hidumper hdcd:fd use; +allow hidumper hdcd:fifo_file write; +allow hidumper hdcd:unix_stream_socket { read write }; + +allow hidumper hidumper_service:binder { call transfer }; + +allow hidumper lib_file:lnk_file read; + +allow hidumper samgr:binder { call transfer }; + +allow hidumper system_bin_file:dir search; +allow hidumper system_bin_file:file { execute execute_no_trans map open read }; +allow hidumper toybox_exec:file { execute execute_no_trans getattr map open read }; + +allow hidumper tty_device:chr_file { read write }; + +allow hidumper vendor_lib_file:dir search; + +allow hidumper bootevent_param:file { map open read }; +allow hidumper bootevent_samgr_param:file { map open read }; +allow hidumper build_version_param:file { map open read }; +allow hidumper chip_prod_file:dir { search }; +allow hidumper const_allow_mock_param:file { map open read }; +allow hidumper const_allow_param:file { map open read }; +allow hidumper const_build_param:file { map open read }; +allow hidumper const_display_brightness_param:file { map open read }; +allow hidumper const_param:file { map open read }; +allow hidumper const_postinstall_fstab_param:file { map open read }; +allow hidumper const_postinstall_param:file { map open read }; +allow hidumper const_product_param:file { map open read }; +allow hidumper debug_param:file { map open read }; +allow hidumper default_param:file { map open read }; +allow hidumper hilog_param:file { map open read }; +allow hidumper hw_sc_build_os_param:file { map open read }; +allow hidumper hw_sc_build_param:file { map open read }; +allow hidumper hw_sc_param:file { map open read }; +allow hidumper init_param:file { map open read }; +allow hidumper init_svc_param:file { map open read }; +allow hidumper input_pointer_device_param:file { map open read }; +allow hidumper net_param:file { map open read }; +allow hidumper net_tcp_param:file { map open read }; +allow hidumper ohos_boot_param:file { map open read }; +allow hidumper ohos_param:file { map open read }; +allow hidumper persist_param:file { map open read }; +allow hidumper persist_sys_param:file { map open read }; +allow hidumper sa_dfx_sys_hidumper_ability:samgr_class get; +allow hidumper security_param:file { map open read }; +allow hidumper startup_param:file { map open read }; +allow hidumper sys_param:file { map open read }; +allow hidumper sys_usb_param:file { map open read }; +allow hidumper dev_console_file:chr_file { read write }; +allow hidumper dev_file:dir { getattr }; +allow hidumper musl_param:file { read open map }; +allow hidumper hiprofiler_plugins:fifo_file { read }; +allow hidumper sys_file:file { read }; +allow hidumper hdcd:fifo_file { read }; + +allow hidumper hidumper_file:file { write open read append }; + +developer_only(` + allow hidumper sh:fd use; +') diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..09c53da68907fcaf9f9d4d4ba80fd1f79e4fed1f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te @@ -0,0 +1,315 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +define(`use_hidumper', ` + allow $1 hidumper_service:fd use; + allow $1 hidumper_service:fifo_file write; +') +developer_only(` + # avc: denied { use } for pid=1994 comm="hidumper" path="pipe:[39192]" dev="pipefs" ino=39192 scontext=u:r:hidumper_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1 + allow hidumper_service sh:fd { use }; + # avc: denied { write } for pid=1994 comm="hidumper" path="pipe:[39192]" dev="pipefs" ino=39192 scontext=u:r:hidumper_service:s0 tcontext=u:r:sh:s0 tclass=fifo_file permissive=1 + allow hidumper_service sh:fifo_file { write }; +') +use_hidumper({ sadomain hdfdomain }); + +allow hidumper_service appspawn:dir { getattr open read search }; +allow hidumper_service appspawn:file { getattr open read }; +allow hidumper_service appspawn:lnk_file read; +allow hidumper_service appspawn_exec:file { getattr map open read }; + +allow hidumper_service data_file:dir { getattr open read search }; +allow hidumper_service data_init_agent:dir search; +allow hidumper_service data_init_agent:file { append ioctl open read }; +allow hidumper_service data_log:dir { open read search }; +allow hidumper_service data_log:file { getattr open read }; +allow hidumper_service data_misc:dir search; + +allow hidumper_service debugfs:dir { open read }; + +allow hidumper_service dev_block_file:blk_file getattr; +allow hidumper_service dev_block_file:dir search; +allow hidumper_service dev_block_file:lnk_file read; +allow hidumper_service dev_file:dir getattr; +allow hidumper_service dev_kmsg_file:chr_file { open read }; +allow hidumper_service dev_pts_file:dir getattr; +allow hidumper_service dev_unix_socket:dir search; +allow hidumper_service dev_unix_socket:sock_file write; + +allow hidumper_service deviceauth_service_exec:file { getattr map open read }; +allow hidumper_service devpts:chr_file { read write }; + +allow hidumper_service faultloggerd:fifo_file read; +allow hidumper_service faultloggerd:unix_stream_socket connectto; +allow hidumper_service faultloggerd_exec:file { getattr map open read }; + +allow hidumper_service hdcd:dir { getattr open read search }; +allow hidumper_service hdcd:fd use; +allow hidumper_service hdcd:file { getattr open read }; +allow hidumper_service hdcd:lnk_file read; +allow hidumper_service hdcd_exec:file { getattr map open read }; + +allow hidumper_service hdf_devmgr_exec:file { getattr map open read }; + +allow hidumper_service hidumper:binder call; +allow hidumper_service hidumper:dir { getattr open read search }; +allow hidumper_service hidumper:file { getattr open read }; +allow hidumper_service hidumper:lnk_file read; +allow hidumper_service hidumper:fd use; +allow hidumper_service hidumper_exec:file { getattr map open read }; + +allow hidumper_service hidumper_file:dir { add_name open read remove_name search write }; +allow hidumper_service hidumper_file:file { create ioctl open unlink write getattr append }; + +allow hidumper_service hilogd_exec:file { getattr map open read }; +allow hidumper_service hiview_exec:file { getattr map open read }; + +allow hidumper_service init:dir { getattr open read search }; +allow hidumper_service init:file { getattr open read }; +allow hidumper_service init:lnk_file { read getattr }; +allow hidumper_service init:unix_stream_socket connectto; + +allow hidumper_service installs_exec:file { getattr map open read }; + +allow hidumper_service kernel:dir { getattr open read search }; +allow hidumper_service kernel:file { getattr open read }; +allow hidumper_service kernel:lnk_file read; +allow hidumper_service kernel:system syslog_read; + +allow hidumper_service normal_hap_attr:dir { getattr open read search }; +allow hidumper_service normal_hap_attr:file { getattr open read }; +allow hidumper_service normal_hap_attr:lnk_file read; + +allow hidumper_service proc_cmdline_file:file { getattr open read }; +allow hidumper_service proc_loadavg_file:file { open read }; +allow hidumper_service proc_meminfo_file:file { open read }; +allow hidumper_service proc_modules_file:file { getattr open read }; +allow hidumper_service proc_net:file { getattr open read }; +allow hidumper_service proc_net_tcp_udp:file { open read }; +allow hidumper_service proc_slabinfo_file:file { getattr open read }; +allow hidumper_service proc_stat_file:file { open read }; +allow hidumper_service proc_version_file:file { getattr open read }; +allow hidumper_service proc_vmallocinfo_file:file { getattr open read }; +allow hidumper_service proc_vmstat_file:file { getattr open read }; +allow hidumper_service proc_zoneinfo_file:file { getattr open read }; + +allow hidumper_service render_service_exec:file { getattr map open read }; + +allow hidumper_service self:udp_socket { create ioctl }; + +allow hidumper_service sh_exec:file { execute execute_no_trans getattr map open read }; +allow hidumper_service storage_daemon_exec:file { getattr map open read }; + +allow hidumper_service sys_file:dir { open read }; +allow hidumper_service sys_file:file { getattr open read }; + +allow hidumper_service system_basic_hap_attr:dir { getattr open read search }; +allow hidumper_service system_basic_hap_attr:file { getattr open read }; +allow hidumper_service system_basic_hap_attr:lnk_file read; + +allow hidumper_service system_bin_file:dir { getattr search }; +allow hidumper_service system_bin_file:file { execute execute_no_trans getattr map open read }; +allow hidumper_service system_bin_file:lnk_file read; +allow hidumper_service toybox_exec:file { execute execute_no_trans getattr map open read }; +allow hidumper_service toybox_exec:lnk_file read; +allow hidumper_service system_file:dir getattr; +allow hidumper_service system_fonts_file:dir getattr; +allow hidumper_service system_lib_file:dir getattr; +allow hidumper_service system_profile_file:dir getattr; +allow hidumper_service system_usr_file:dir getattr; + +allow hidumper_service tty_device:chr_file { open read write }; + +allow hidumper_service udevd:dir { getattr open read search }; +allow hidumper_service udevd:file { getattr read open }; +allow hidumper_service udevd:lnk_file read; +allow hidumper_service udevd_exec:file { getattr map open read }; + +allow hidumper_service ueventd:dir { getattr open read search }; +allow hidumper_service ueventd:file { getattr open read }; +allow hidumper_service ueventd:lnk_file read; +allow hidumper_service ueventd_exec:file { getattr map open read }; + +allow hidumper_service uinput_inject_exec:file { getattr map open read }; + +allow hidumper_service vendor_bin_file:dir search; +allow hidumper_service vendor_bin_file:file { getattr map open read }; +allow hidumper_service vendor_file:dir getattr; +allow hidumper_service vendor_lib_file:dir search; +allow hidumper_service vendor_lib_file:file { getattr map open read }; + +allow hidumper_service watchdog_service_exec:file { getattr map open read }; +allow hidumper_service wifi_hal_service_exec:file { getattr map open read }; + +allow hidumper_service { sadomain -installs }:binder call; +allow hidumper_service { hdfdomain sadomain }:dir { getattr open read search }; +allow hidumper_service { hdfdomain sadomain }:file { getattr open read }; +allow hidumper_service { hdfdomain sadomain }:lnk_file read; + +#avc: denied { get } for service=3301 pid=611 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_powermgr_powermgr_service:samgr_class { get }; + +binder_call(hidumper_service, powermgr); + +#avc: denied { get } for service=3302 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_powermgr_battery_service:samgr_class { get }; + +#avc: denied { get } for service=3308 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_powermgr_displaymgr_service:samgr_class { get }; + +#avc: denied { get } for service=3303 pid=553 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_powermgr_thermal_service:samgr_class { get }; + +allow hidumper_service sa_dfx_sys_hidumper_cpu_ability:samgr_class get; + +allow hidumper_service dev_at_file:chr_file ioctl; +allow hidumper_service dev_block_volfile:dir search; +allow hidumper_service dev_console_file:chr_file getattr; +allow hidumper_service devpts:chr_file getattr; +allow hidumper_service hidumper_file:dir getattr; +allow hidumper_service hidumper_file:file read; +allow hidumper_service hilog_exec:file { execute execute_no_trans getattr map open read }; +allow hidumper_service proc_file:file { open read }; +allow hidumper_service processdump:dir search; +allow hidumper_service processdump:file { open read }; +allow hidumper_service sysfs_devices_system_cpu:file { open read }; +allow hidumper_service tty_device:chr_file getattr; +allow hidumper_service hdcd:fifo_file write; + +allow hidumper_service sa_samgr_service:samgr_class get; +allow hidumper_service sa_accessibleabilityms:samgr_class get; +allow hidumper_service sa_accountmgr:samgr_class get; +allow hidumper_service sa_bgtaskmgr:samgr_class get; +allow hidumper_service sa_bluetooth_server:samgr_class get; +allow hidumper_service sa_comm_dns_manager_service:samgr_class get; +allow hidumper_service sa_comm_ethernet_manager_service:samgr_class get; +allow hidumper_service sa_comm_mdns_manager_service:samgr_class get; +allow hidumper_service sa_comm_net_stats_manager_service:samgr_class get; +allow hidumper_service sa_dataobs_mgr_service_service:samgr_class get; +allow hidumper_service sa_device_usage_statistics_service:samgr_class get; +allow hidumper_service sa_dfx_sys_hidumper_ability:samgr_class get; +allow hidumper_service sa_distributeddata_service:samgr_class get; +allow hidumper_service sa_distributeschedule:samgr_class get; +allow hidumper_service sa_enterprise_device_manager_service:samgr_class get; +allow hidumper_service sa_form_mgr_service:samgr_class get; +allow hidumper_service sa_foundation_abilityms:samgr_class get; +allow hidumper_service sa_foundation_appms:samgr_class get; +allow hidumper_service sa_foundation_bms:samgr_class get; +allow hidumper_service sa_hiview_service:samgr_class get; +allow hidumper_service sa_installd_service:samgr_class get; +allow hidumper_service sa_net_conn_manager:samgr_class get; +allow hidumper_service sa_net_policy_manager:samgr_class get; +allow hidumper_service sa_netsys_native_manager:samgr_class get; +allow hidumper_service sa_render_service:samgr_class get; +allow hidumper_service sa_resource_schedule:samgr_class get; +allow hidumper_service sa_resource_schedule_socperf_server:samgr_class get; +allow hidumper_service sa_sys_event_service:samgr_class get; +allow hidumper_service sa_uri_permission_mgr_service:samgr_class get; +allow hidumper_service sa_useriam_authexecutormgr_service:samgr_class get; +allow hidumper_service sa_useriam_faceauth_service:samgr_class get; +allow hidumper_service sa_useriam_userauth_service:samgr_class get; +allow hidumper_service sa_wifi_device_ability:samgr_class get; +allow hidumper_service sa_wifi_hotspot_ability:samgr_class get; +allow hidumper_service sa_wifi_p2p_ability:samgr_class get; +allow hidumper_service sa_wifi_scan_ability:samgr_class get; +allow hidumper_service sa_work_schedule_service:samgr_class get; +allow hidumper_service sa_accesstoken_manager_service:samgr_class get; +allow hidumper_service sa_audio_policy_service:samgr_class get; +allow hidumper_service sa_camera_service:samgr_class get; +allow hidumper_service sa_device_auth_service:samgr_class get; +allow hidumper_service sa_device_profile_service:samgr_class get; +allow hidumper_service sa_device_security_level_manager_service:samgr_class get; +allow hidumper_service sa_drm_service:samgr_class get; +allow hidumper_service sa_device_service_manager:samgr_class get; +allow hidumper_service sa_download_service:samgr_class get; +allow hidumper_service sa_file_access_service:samgr_class get; +allow hidumper_service sa_filemanagement_distributed_file_daemon_service:samgr_class get; +allow hidumper_service sa_foundation_ans:samgr_class get; +allow hidumper_service sa_foundation_cesfwk_service:samgr_class get; +allow hidumper_service sa_foundation_devicemanager_service:samgr_class get; +allow hidumper_service sa_foundation_dms:samgr_class get; +allow hidumper_service sa_foundation_tel_call_manager:samgr_class get; +allow hidumper_service sa_foundation_tel_state_registry:samgr_class get; +allow hidumper_service sa_huks_service:samgr_class get; +allow hidumper_service sa_inputmethod_service:samgr_class get; +allow hidumper_service sa_location_geo_convert_service:samgr_class get; +allow hidumper_service sa_location_locator_service:samgr_class get; +allow hidumper_service sa_locationhub_lbsservice_gnss:samgr_class get; +allow hidumper_service sa_locationhub_lbsservice_network:samgr_class get; +allow hidumper_service sa_locationhub_lbsservice_passive:samgr_class get; +allow hidumper_service sa_media_service:samgr_class get; +allow hidumper_service sa_memory_manager_service:samgr_class get; +allow hidumper_service sa_msdp_devicestatus_service:samgr_class get; +allow hidumper_service sa_multimodalinput_service:samgr_class get; +allow hidumper_service sa_pasteboard_service:samgr_class get; +allow hidumper_service sa_privacy_service:samgr_class get; +allow hidumper_service sa_pulseaudio_audio_service:samgr_class get; +allow hidumper_service sa_screenlock_service:samgr_class get; +allow hidumper_service sa_softbus_service:samgr_class get; +allow hidumper_service sa_storage_manager_daemon:samgr_class get; +allow hidumper_service sa_storage_manager_service:samgr_class get; +allow hidumper_service sa_subsys_ace_service:samgr_class get; +allow hidumper_service sa_telephony_tel_cellular_call:samgr_class get; +allow hidumper_service sa_telephony_tel_cellular_data:samgr_class get; +allow hidumper_service sa_telephony_tel_core_service:samgr_class get; +allow hidumper_service sa_telephony_tel_sms_mms:samgr_class get; +allow hidumper_service sa_time_service:samgr_class get; +allow hidumper_service sa_update_distributed_service:samgr_class get; +allow hidumper_service sa_usb_service:samgr_class get; +allow hidumper_service sa_useriam_pinauth_service:samgr_class get; +allow hidumper_service sa_useriam_useridm_service:samgr_class get; +allow hidumper_service sa_wallpaper_manager_service:samgr_class get; +allow hidumper_service sa_devattest_service:samgr_class get; +allow hidumper_service sa_device_standby:samgr_class get; +allow hidumper_service sa_task_heartbeat_mgr:samgr_class get; +allow hidumper_service sa_el5_filekey_manager:samgr_class get; +allow hidumper_service sa_app_fwk_update_service:samgr_class get; +allow hidumper_service samgr:samgr_class list; + +allow hidumper_service hiprofiler_cmd:file getattr; +allow hidumper_service hiprofiler_plugins:file getattr; +allow hidumper_service hiprofilerd:file getattr; +allow hidumper_service musl_param:file { map open read }; +allow hidumper_service native_daemon:dir search; +allow hidumper_service native_daemon:file { getattr open read }; +allow hidumper_service proc_loadavg_file:file getattr; +allow hidumper_service proc_meminfo_file:file getattr; +allow hidumper_service proc_net_tcp_udp:file getattr; +allow hidumper_service proc_stat_file:file getattr; +allow hidumper_service self:rawip_socket create; +allow hidumper_service system_etc_file:file lock; + +allow hidumper_service debugfs_failed_transaction_log:file { getattr open read }; +allow hidumper_service debugfs_transactions:file { getattr open read }; +allow hidumper_service debugfs_transaction_log:file { getattr open read }; +allow hidumper_service debugfs_used:file { getattr open read }; +allow hidumper_service debugfs_wakeup_sources:file { getattr open read }; +allow hidumper_service debugfs_stats:file { getattr open read }; +allow hidumper_service debugfs_state:file { getattr open read }; +allow hidumper_service data_log:file { read write append }; + +allow hidumper_service hiperf:file { getattr }; + +neverallow hidumper_service *:process ptrace; + +allow hidumper_service render_service:binder transfer; + +allow hidumper_service arkcompiler_param:file { map open read }; +allow hidumper_service ark_writeable_param:file { map open read }; + +allow hidumper_service hap_domain:lnk_file { read getattr }; + +allow hidumper_service isolated_render:file { getattr open read }; +allow hidumper_service isolated_render:dir { search }; + +allow hidumper_service chip_prod_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/init.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..9ecc49cdada41fe793bcac07dd4660ffa19357cc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init hidumper_file:dir search; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/inputmethod_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..32b8beec49f01075dc93d015790b5a606a43df20 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/inputmethod_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow inputmethod_service accesstoken_service:binder call; +allow inputmethod_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..75f8d7810e7b925630e0aa833fc394d27b3119a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/memmgrservice.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice accesstoken_service:binder call; +allow memmgrservice sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..d2de37a736cef88deb47d1645afd61c0de1a8457 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/multimodalinput.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput hidumper:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/netsysnative.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/netsysnative.te new file mode 100644 index 0000000000000000000000000000000000000000..0df77a7a7e442a7d54823cdd9a28124b431c0f31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/netsysnative.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netsysnative accesstoken_service:binder call; +allow netsysnative sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..638e20d6199f94cd6b89d22fb227563f79d81be8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..404ee97c9635af98ff66faf19e80c19fb957f7f3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/pasteboard_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pasteboard_service accesstoken_service:binder call; +allow pasteboard_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/render_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c1d18b7b7aa5b1c1dbce8456758afafb01a4feee --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/render_service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service accesstoken_service:binder call; +allow render_service sa_accesstoken_manager_service:samgr_class get; +allow render_service hidumper_service:binder { call transfer }; +allow render_service hidumper:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..cb84b32e00db59ad76f879b7f54f01f10522f9be --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/resource_schedule_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow resource_schedule_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/sadomain.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/sadomain.te new file mode 100644 index 0000000000000000000000000000000000000000..bd8a438db3fcd795d6e5c5feec132ab4cc860734 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/sadomain.te @@ -0,0 +1,24 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + allow sadomain devpts:chr_file { read write }; + allow sadomain hdcd:fd { use }; + allow sadomain hdcd:fifo_file { write }; + allow sadomain hidumper:fd { use }; + allow {sadomain -hilogd} hidumper_file:file { write }; + debug_only(` + allow sadomain su:fd { use }; + allow sadomain su:fifo_file { write }; + ') +') diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/samgr.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..b27a96411670b4ae7c81a72450a88a2f0e151b85 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/samgr.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr hidumper:binder transfer; +allow samgr hidumper:dir search; +allow samgr hidumper:fd { use }; +allow samgr hidumper:file { open read }; +allow samgr hidumper:process getattr; +allow samgr data_log:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/screenlock_server.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/screenlock_server.te new file mode 100644 index 0000000000000000000000000000000000000000..fad9ee4d2da8ae4b8645f29ebb2b40bd7dc66e3d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/screenlock_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow screenlock_server accesstoken_service:binder call; +allow screenlock_server sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/service_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..10f09f96966085a491dfdcc10464a190d3447bd8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +1215 u:object_r:sa_dfx_sys_hidumper_cpu_ability:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d947bb33b7a3b9f5a47ce14908a962a7ce34f7f4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/ui_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ui_service accesstoken_service:binder call; +allow ui_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/usb_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/usb_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c825669c2763bf4e1a67417e8acd95f4396b0071 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hidumper/system/usb_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usb_service accesstoken_service:binder call; +allow usb_service sa_accesstoken_manager_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/attributes b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..ba62fde7dadd368d71b9961b49abdc864ddadf00 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute data_hilogd_file_viloator; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/hilogd.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/hilogd.te new file mode 100644 index 0000000000000000000000000000000000000000..0727b786f204c03a06a243123771ec784e005902 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/public/hilogd.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################## +## Type define: ## +################## +type hilogd, sadomain, domain; + +type hilogd_exec, exec_attr, file_attr, system_file_attr; +type hilog_exec, exec_attr, file_attr, system_file_attr; +type hilog_control_socket, dev_attr, file_attr; +type hilog_input_socket, dev_attr, file_attr; +type hilog_output_socket, dev_attr, file_attr; +type hilog_control_pub_socket, dev_attr, file_attr; +type data_hilogd_file, file_attr, data_file_attr; +type hilog_whitelist_file, file_attr, data_file_attr; +init_daemon_domain(hilogd); +neverallow { domain debug_only(`-su') -hilogd -init -sh -aa -snapshot_display -hiprofiler_plugins -hiview -hap_domain } hilog_output_socket:sock_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/console.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..fe3b0fdd11f996323664acb8db9a344591a2007f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/console.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow console hilog_param:file { map open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..0bbc73b2b8d04b5913470939e219b0ac25779bab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/file_contexts @@ -0,0 +1,23 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/hilogd u:object_r:hilogd_exec:s0 +/system/bin/hilog u:object_r:hilog_exec:s0 + +/dev/unix/socket/hilogControl u:object_r:hilog_control_socket:s0 +/dev/unix/socket/hilogControlPub u:object_r:hilog_control_pub_socket:s0 +/dev/unix/socket/hilogOutput u:object_r:hilog_output_socket:s0 +/dev/unix/socket/hilogInput u:object_r:hilog_input_socket:s0 + +/data/log/hilog(/.*)? u:object_r:data_hilogd_file:s0 +/data/service/el0/public/for-all-app/hilog(/.*)? u:object_r:hilog_whitelist_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog.te new file mode 100644 index 0000000000000000000000000000000000000000..c4fce20a256aaf5b70ff1362a86b63afc1648da8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog.te @@ -0,0 +1,35 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################## +## Type define: ## +################## +type hilog, native_system_domain, domain; +type hilog_private_param, parameter_attr; + +debug_only(` + allow hilog hilog_private_param:parameter_service { set }; +') + +allow hilog proc_file:file { open read }; +allow hilog musl_param:file { open read map }; +allow hilog dev_unix_socket:dir { search }; +allow hilog hilog_control_socket:sock_file { write }; +allow hilog hilogd:unix_stream_socket { connectto }; +allow hilog paramservice_socket:sock_file { write }; +allow hilog kernel:unix_stream_socket { connectto }; +allow hilog hilog_param:parameter_service { set }; +allow domain hilog_param:file { read map open }; +allow domain hilog_private_param:file { read map open }; + +neverallow ~{ hilog hilogd } hilog_private_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog_whitelist_file.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog_whitelist_file.te new file mode 100644 index 0000000000000000000000000000000000000000..c3d10cb36bda22e6ae8b23f631a37ee2d1911f01 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilog_whitelist_file.te @@ -0,0 +1,22 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hilogd data_service_el0_file:dir { search }; +allow hilogd data_service_file:dir { search }; +allow hilogd hilog_whitelist_file:dir { search write add_name }; +allow hilogd hilog_whitelist_file:file { create getattr ioctl open read write }; +allow hilogd hiview_file:file { getattr }; +allowxperm hilogd hilog_whitelist_file:file ioctl { 0x5413 }; +allow domain data_service_el0_file:dir { search }; +allow domain hilog_whitelist_file:dir { search }; +allow domain hilog_whitelist_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilogd.te new file mode 100644 index 0000000000000000000000000000000000000000..c5b01b3221f10d7263ae31c0a0ffca33d9f0b414 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/hilogd.te @@ -0,0 +1,116 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################### +## Read/Use/Control hilog rules: ## +################################### +read_hilog(hap_domain) + +use_hilog({ domain -kernel }) + +####################### +## Allow rule below: ## +####################### +allow hilogd hilogd_exec:file { entrypoint execute map read getattr }; +allow init hilogd_exec:file { execute read open getattr }; + +allow hilogd hilog_input_socket:unix_dgram_socket { rw_socket_perms }; +allow hilogd hilog_input_socket:sock_file { create_file_perms }; +allow hilogd hilog_output_socket:unix_dgram_socket { rw_socket_perms }; +allow hilogd hilog_output_socket:sock_file { create_file_perms }; +allow hilogd hilog_control_socket:unix_dgram_socket { rw_socket_perms }; +allow hilogd hilog_control_socket:sock_file { create_file_perms }; + +allow hilogd data_hilogd_file:dir { create_dir_perms }; +allow hilogd data_hilogd_file:file { create_file_perms }; + +allow init data_hilogd_file:dir { create_dir_perms }; +allow { hiview hdcd } data_hilogd_file:dir { read_dir_perms }; +allow { hiview hdcd } data_hilogd_file:file { read_file_perms }; + +allow hilogd data_file:dir { search }; +allow hilogd data_log:dir { getattr open read search }; + +allow hilogd cgroup:dir { search }; + +allow hilogd data_init_agent:dir { add_name search write }; +allow hilogd data_init_agent:file { create ioctl open read append }; + +allow hilogd dev_kmsg_file:chr_file { read }; + +allow hilogd kernel:unix_stream_socket { connectto }; +allow hilogd init:unix_dgram_socket { getattr getopt read write }; +allow hilogd init:unix_stream_socket { accept getattr getopt listen }; + +allow hilogd hilog_param:parameter_service { set }; +allow hilogd paramservice_socket:sock_file { write }; + +allow hilogd hilog:file { getattr }; +allow hilogd init:file { getattr }; + +allowxperm hilogd data_init_agent:file ioctl { 0x5413 }; +allowxperm hilogd data_log:file ioctl { 0x5413 }; + +allow hilogd domain:dir { search }; +allow hilogd domain:file { open read getattr }; +############################ +## Neverallow rule below: ## +############################ +# hilogd is not allowed to write anywhere other than /data/log/hilog +neverallow hilogd { + file_attr + -hilog_whitelist_file + -data_hilogd_file + -data_init_agent + -data_log +}:file { create write append }; + +# ptrace any other app +neverallow hilogd domain:process ptrace; + +# ... and nobody may ptrace me (except init) +neverallow { domain -init -processdump } hilogd:process ptrace; + +# write to /system +neverallow hilogd system_file:dir_file_class_set write; + +# write to hap files +neverallow hilogd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr }:dir_file_class_set write; + +# only init is allowed to enter the hilogd domain via exec() +neverallow { domain -init } hilogd:process transition; +neverallow * hilogd:process dyntransition; + +# protect persist tmp file and info file +neverallow { + domain + developer_only(`-wukong') + developer_only(`-hiprofiler_plugins') + -data_hilogd_file_viloator + -init + -hilogd + -hiview # write is covered next + -hdcd # write is covered next + updater_only(`-updater') + updater_only(`-hiview_light') +} data_hilogd_file:file { rw_file_perms }; + +# shell can read but cannot write hilogd files +neverallow { domain -hilogd } data_hilogd_file:file { append create rename setattr write }; + +allow hilogd hilog_private_param:parameter_service { set }; + +allow hilogd data_log:dir { write add_name write remove_name }; +allow hilogd data_log:file { create getattr ioctl open rename write unlink }; +allow domain hilogd:unix_stream_socket { connectto }; +allow domain hilog_control_pub_socket:sock_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/init.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..17622d2a6486b5b1283ff9d5b593231fb605530f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hilog/system/init.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init hilog_input_socket:sock_file { getattr relabelto unlink }; +allow init hilog_output_socket:sock_file { getattr relabelto unlink }; +allow init hilog_control_socket:sock_file { getattr relabelto unlink }; + +allow init hilogd:file { getattr open read relabelto setattr }; +allow init hilogd:dir { getattr open read relabelto setattr search }; +allow init hilogd:process { getattr rlimitinh siginh transition }; + +init_daemon_domain(hilog); diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/public/type.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..7b2b5d6ecaf08a77d758290e9f8b2aea71974e1d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type hisysevent_exec, exec_attr, file_attr, system_file_attr; +type hisysevent, native_system_domain, domain; + +domain_auto_transition_pattern(native_system_domain, hisysevent_exec, hisysevent); diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..add88b6a6f563635a48d851be0fd910d65da17bd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/hisysevent u:object_r:hisysevent_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/hisysevent.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/hisysevent.te new file mode 100644 index 0000000000000000000000000000000000000000..72a69f2959efc5e2cf732763508e27eedd04dd48 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hisysevent/system/hisysevent.te @@ -0,0 +1,49 @@ +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hisysevent hdcd:fd { use }; +allow hisysevent hdcd:fifo_file { read write }; +allow hisysevent hdcd:unix_stream_socket { read write }; +allow hdcd hisysevent:process { signal }; + +allow hisysevent hiview:fd { use }; +allow hisysevent hiview:binder { call transfer }; + +allow hisysevent debug_param:file { read open map }; +allow hisysevent hilog_param:file { read open map }; +allow hisysevent dev_unix_socket:dir { search }; +allow hisysevent dev_console_file:chr_file { read write }; + +allow hisysevent samgr:binder { call }; +allow hisysevent sa_sys_event_service:samgr_class get; +allow samgr hisysevent:dir { search }; +allow samgr hisysevent:file { read open }; +allow samgr hisysevent:process { getattr }; +allow samgr hisysevent:binder { call transfer }; + +allow hisysevent tty_device:chr_file { read write }; +allow hisysevent devpts:chr_file { read write ioctl }; +allowxperm hisysevent devpts:chr_file ioctl { 0x5413 }; + +allow hisysevent hiprofiler_plugins:fd { use }; +allow hisysevent hiprofiler_plugins:fifo_file { ioctl write }; + +allow hisysevent data_local_tmp:file { write ioctl }; +allowxperm hisysevent data_local_tmp:file ioctl { 0x5413 }; + +developer_only(` +allow hisysevent sh:fd { use }; +allow hisysevent sh:fifo_file { write ioctl }; +allowxperm hisysevent sh:fifo_file ioctl { 0x5413 }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/domain.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..d5fa551ee2389751954c033fb630ee66e863c9fc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow domain tracefs_trace_marker_file:file {open write read append }; +allow domain tracefs:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/type.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..ca0c376d3dec46a7cf210cdfacc8378360ab192a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/public/type.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type hitrace_exec, exec_attr, file_attr, system_file_attr; + +type hitrace, native_system_domain, domain; + +domain_auto_transition_pattern(native_system_domain, hitrace_exec, hitrace); diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9449bd94422d50d98dec21f0a22e789ed6d3070a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +/system/bin/hitrace u:object_r:hitrace_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..495b4d3317e7a8a1641a891bc659631caa392135 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +allow hidumper_service hitrace:dir search; +allow hidumper_service hitrace:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hitrace.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hitrace.te new file mode 100644 index 0000000000000000000000000000000000000000..da77570011b3f359878df46cbcd2f81679034464 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hitrace/system/hitrace.te @@ -0,0 +1,92 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +#allow hitrace data_file:file write; +allow hitrace data_file:dir search; +allow hitrace data_local:dir search; +allow hitrace data_log:dir { add_name search write }; +allow hitrace data_log:file { create getattr open write }; +allow hitrace data_local_tmp:dir { add_name search write create }; +allow hitrace data_local_tmp:file { create getattr open write }; +allow hitrace debug_param:parameter_service set; +allow hitrace debug_param:file { open read map }; +allow hitrace hilog_param:file { read map open }; +allow hitrace dev_unix_socket:dir search; +allow hitrace devpts:chr_file { read write }; +allow hitrace hdcd:fd use; +allow hitrace hdcd:unix_stream_socket { read write }; +allow hitrace system_bin_file:dir search; +allow hitrace tracefs:dir search; +allow hitrace tracefs_trace_marker_file:file { getattr open write }; +allow hitrace tty_device:chr_file { read write }; +allow hitrace tracefs:file { getattr ioctl open read write }; + +allow hitrace ohos_param:file { read map open }; + +allow hitrace kernel:unix_stream_socket connectto; +allow hitrace paramservice_socket:sock_file write; + +allow hitrace ohos_boot_param:file { map open read }; +allow hitrace sys_param:file { open read map }; + +allow hitrace net_param:file { map open read }; +allow hitrace net_tcp_param:file read; +allow hitrace sys_usb_param:file { map open read }; + +allow hitrace hw_sc_build_param:file { open read map }; +allow hitrace hw_sc_param:file { map open read }; +allow hitrace net_tcp_param:file { map open }; + +allow hitrace data_local_tmp:file { read write }; + +allow hitrace domain:dir { getattr search }; +allow hitrace domain:file { open read }; +allow hitrace hw_sc_build_os_param:file { open read map }; + +allow hitrace hw_sc_build_os_param:file { open read }; +allow hitrace init_param:file { map open read }; +allow hitrace init_svc_param:file { map open read }; + +allow hitrace hdcd:fifo_file { ioctl write }; + +allow hitrace const_param:file { map open read }; +allow hitrace const_postinstall_fstab_param:file { map open read }; +allow hitrace const_postinstall_param:file { map open read }; + +allow hitrace proc_file:file { read open }; + +allow hitrace sa_hiview_service:samgr_class get; +allow hitrace dev_console_file:chr_file { read write }; +allow hitrace samgr:binder { call }; +allow hitrace hiview:binder { call transfer }; + +allow hitrace system_usr_file:file { read open getattr }; +allow hitrace system_usr_file:dir { search }; + +allow samgr hitrace:dir { search }; +allow samgr hitrace:file { read open }; +allow samgr hitrace:process { getattr }; +allow samgr hitrace:binder { call transfer }; + +allow domain hiviewdfx_profiler_param:file { map open read }; +allow hiview hiviewdfx_profiler_param:parameter_service { set }; +allow hiprofiler_plugins hiviewdfx_profiler_param:parameter_service { set }; +allow bytrace hiviewdfx_profiler_param:parameter_service { set }; +allow hitrace hiviewdfx_profiler_param:parameter_service { set }; + +developer_only(` + allow hitrace sh:fd use; + allow hitrace sh:fifo_file { read write }; +') + +neverallow { domain -hitrace -hiview -hiprofiler_plugins -hiperf -hiebpf -bytrace -init -audio_server -multimodalinput -media_monitor} tracefs:file write_file_perms; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/hiview.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..76e757f6302cdfcd7f95bff3396c5b23b4b74293 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/hiview.te @@ -0,0 +1,29 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hiview, sadomain, domain; + +type hiview_exec, exec_attr, file_attr, system_file_attr; +type usage_report_exec, exec_attr, file_attr, system_file_attr; +type hiview_file, file_attr, data_file_attr; +type hisysevent_socket, dev_attr, file_attr; +type dev_ucollection, dev_attr, file_attr; +type dev_sysevent, dev_attr; + +attribute vendor_violator_data_log_file_createwrite; +attribute vendor_violator_data_log_dir_createwrite; +attribute public_violator_data_log_file_createwrite; +attribute public_violator_data_log_dir_createwrite; + +neverallow { domain -vendor_violator_data_log_file_createwrite -public_violator_data_log_file_createwrite -rgm_violator_data_log_file_createwrite -hiview -render_service -foundation -telephony_sa -sh -hidumper_service -hitrace -power_host -usb_host -camera_host -wifi_hal_service -hiperf -bytrace -download_server -faultloggerd -hidumper -netmanager -softbus_server -bluetooth_service -sadomain -hap_domain -multimodalinput -resource_schedule_service -huks_service -init -kernel updater_only(`-hiview_light') } data_log:file {create write}; +neverallow { domain -vendor_violator_data_log_dir_createwrite -public_violator_data_log_dir_createwrite -rgm_violator_data_log_dir_createwrite -hiview -render_service -foundation -telephony_sa -sh -hidumper_service -hitrace -power_host -usb_host -camera_host -wifi_hal_service -hiperf -bytrace -download_server -faultloggerd -hidumper -netmanager -softbus_server -bluetooth_service -sadomain -hap_domain -multimodalinput -resource_schedule_service -huks_service -init -kernel updater_only(`-hiview_light') } data_log:dir {create write}; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/service.te new file mode 100644 index 0000000000000000000000000000000000000000..c742702ea1fcbd56b96d65a6e62eb7874bbe9713 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/public/service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_sys_event_service, sa_service_attr; +type sa_hiview_service, sa_service_attr; +type sa_hiview_faultlogger_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..8621e6c1670f26f2c0c32f4e73b59221e36696cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata hiview:binder { transfer call }; + diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/faultlogger_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/faultlogger_service.te new file mode 100644 index 0000000000000000000000000000000000000000..81086efdcc85c42a57071fefa51e2ef1285245b2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/faultlogger_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow domain sa_hiview_faultlogger_service:samgr_class get; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/file_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..bb255437fcd224a384c08c6a4e85e9cb726aad43 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/file_contexts @@ -0,0 +1,24 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/hiview u:object_r:hiview_exec:s0 +/system/bin/usage_report u:object_r:usage_report_exec:s0 + +/dev/unix/socket/hisysevent u:object_r:hisysevent_socket:s0 + +/data/log/hiview(/.*)? u:object_r:hiview_file:s0 +/data/system/hiview(/.*)? u:object_r:hiview_file:s0 + +/dev/ucollection u:object_r:dev_ucollection:s0 + +/dev/sysevent u:object_r:dev_sysevent:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/foundation.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..b5595361938a639051a4535fe7167b0c896c986c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/foundation.te @@ -0,0 +1,49 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied {write} for comm="foundation" name="userlist" dev="sysfs" ino=80052 scontext=u:r:foundation:s0 tcontext=u:object_r:sysfs_hungtask_userlist:s0 tclass=file permissive=1 +#avc: denied {ioctl} for pid=1088 comm="DfxWatchdog" path="/sys/kernel/hungtask/userlist" dev="sysfs" ino=80052 ioctlcmd=0x5413 scontext=u:r:foundation:s0 tcontext=u:object_r:sysfs_hungtask_userlist:s0 tclass=file permissive=1 +#avc: denied {getattr} for pid=1088 comm="DfxWatchdog" path="/sys/kernel/hungtask/userlist" dev="sysfs" ino=80052 scontext=u:r:foundation:s0 tcontext=u:object_r:sysfs_hungtask_userlist:s0 tclass=file permissive=1 +allow foundation sysfs_hungtask_userlist:file { open write ioctl getattr }; + +#avc: denied { read } for pid=4718 comm="/bin/param" path="/dev/__parameters__/u:object_r:hiviewdfx_hiview_param:s0" dev="" ino=239 scontext=u:r:foundation:s0 tcontext=u:object_r:hiviewdfx_hiview_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=4718 comm="/bin/param" path="/dev/__parameters__/u:object_r:hiviewdfx_hiview_param:s0" dev="" ino=239 scontext=u:r:foundation:s0 tcontext=u:object_r:hiviewdfx_hiview_param:s0 tclass=file permissive=1 +allow foundation hiviewdfx_hiview_param:file { map open read }; + +#avc: denied { write } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +#avc: denied { setattr } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +#avc: denied { create } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=dir permissive=1 +allow foundation data_log:dir { write setattr add_name create open read }; +#avc: denied { read } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { write } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { create } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { open } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { append } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=6966 comm="/system/bin/sa_main" path="/data/log/eventlog/freeze" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17796 ioctlcmd=0x5413 scontext=u:r:foundation:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +allow foundation data_log:file { ioctl read write create setattr getattr open append }; +allowxperm foundation data_log:file ioctl { 0x5413 }; + +allow foundation hiview:fd { use }; +#avc: denied { write } for pid=1431 comm="/system/bin/sa_main" path="pipe:[4036]" dev="tmpfs" ino=4036 scontext=u:r:foundation:s0 tcontext=u:r:hiview:s0 tclass=fifo_file permissive=1 +allow foundation hiview:fifo_file { write }; + +#avc: denied { open } for pid=1386 comm="/system/bin/sa_main" path="/proc/meminfo" dev="" ino=5 scontext=u:r:foundation:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1386 comm="/system/bin/sa_main" path="/proc/meminfo" dev="" ino=5 ioctlcmd=0x5413 scontext=u:r:foundation:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 +allow foundation proc_meminfo_file:file { open getattr read }; + +allow foundation hiview_file:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hidumper_cpu_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hidumper_cpu_service.te new file mode 100644 index 0000000000000000000000000000000000000000..c378cf71b2571411bf96226145bb4f38fd579ba0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hidumper_cpu_service.te @@ -0,0 +1,48 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hiview sa_dfx_sys_hidumper_cpu_ability:samgr_class { add get }; + +allow hiview appspawn:dir search; +allow hiview appspawn:file { getattr open read }; + +allow hiview hdcd:dir search; +allow hiview hdcd:file { getattr open read }; + +allow hiview init:dir { getattr open read search }; +allow hiview init:file { getattr open read }; + +allow hiview kernel:dir { getattr open read search }; +allow hiview kernel:file { getattr open read }; + +allow hiview medialibrary_hap:file getattr; + +allow hiview normal_hap:file getattr; + +allow hiview proc_loadavg_file:file { getattr open read }; +allow hiview proc_stat_file:file {getattr open read }; + +allow hiview ueventd:dir search; +allow hiview ueventd:file { getattr open read }; + +allow hiview udevd:dir search; +allow hiview udevd:file { getattr open read }; + +allow hiview { hdfdomain sadomain }:dir { getattr open read search }; +allow hiview { hdfdomain sadomain }:file { getattr open read }; + +allow hiview self:capability dac_read_search; + +allow hiview sa_foundation_appms:samgr_class get; +allow hiview sa_foundation_cesfwk_service:samgr_class get; + diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hiview.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..f4b5b6a7a5ef4c63b233b41e3b98d12b8466da3c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/hiview.te @@ -0,0 +1,271 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(hiview); + +define(`use_hisysevent', ` + allow $1 hisysevent_socket:sock_file write; +') + +use_hisysevent({ domain -kernel }) + +allow hiview hiview:capability2 { syslog }; +allow hiview hiview:dir { search }; +allow hiview hiview_exec:file { entrypoint execute map read }; +allow hiview hiview:capability { sys_ptrace }; +neverallow hiview *:process ptrace; + +allow hiview hiview:unix_dgram_socket { getopt setopt }; +allow hiview init:unix_dgram_socket { getattr getopt read write setopt }; +allow hiview init:unix_stream_socket { connectto }; +allow hiview faultloggerd:unix_stream_socket { connectto }; + +allow hiview hiview_file:dir { search getattr read open write add_name remove_name rmdir }; +allow hiview hiview_file:file { getattr setattr append ioctl unlink map read write getattr open lock rename }; + +allow hiview data_file:dir { search }; +allow hiview data_log:dir { add_name open read search watch write create remove_name }; +#avc: denied { ioctl } for pid=2354 comm="plat_shared" path="/data/log/faultlog/JS_ERROR1501989881389" dev="mmcblk0p15" ino=9492 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +allow hiview data_log:file { create getattr lock map open read write unlink rename append ioctl }; +allowxperm hiview data_log:file ioctl { 0x5413 0xf546 0xf547 }; +allow hiview data_system:dir { search getattr }; +allow hiview system_etc_file:dir { open read }; +allow hiview system_bin_file:dir { search }; +allow hiview system_bin_file:file { read execute entrypoint }; +allow hiview system_bin_file:lnk_file { read }; +allow hiview toybox_exec:file { read execute entrypoint getattr map open }; +allow hiview toybox_exec:lnk_file { read }; +allow hiview sys_file:dir { read open }; +allow hiview sys_file:file { read open }; +allow hiview dev_bbox:chr_file { ioctl read open }; +allow hiview normal_hap_attr:dir { getattr open read search }; +allow hiview normal_hap_attr:file { getattr open read }; +allow hiview proc_cpuinfo_file:file { read open }; +allow hiview rootfs:chr_file { read write }; +allow hiview faultloggerd_temp_file:file { getattr }; +allow hiview faultloggerd:fifo_file { read }; +allow hiview system_basic_hap_attr:dir { search }; +allow hiview system_basic_hap_attr:file { getattr read open }; +allow hiview system_core_hap_attr:file { getattr read open }; +allow hiview usage_report_exec:file { getattr read open execute_no_trans map execute }; +allow hiview vendor_bin_file:dir { search }; +allow hiview proc_meminfo_file:file { open read }; + +allow hiview data_init_agent:dir { search }; +allow hiview data_init_agent:file { ioctl open read append }; + +allow hiview foundation:binder { call transfer }; +allow hiview init:binder { call transfer }; +allow hiview samgr:binder { call transfer }; +allow hiview tmpfs:lnk_file { read }; +allow hiview time_service:binder { call transfer }; +allow hiview param_watcher:binder { call transfer }; +binder_call(hiview, powermgr); +allow hiview hdcd:binder { call transfer }; +allow hiview resource_schedule_service:binder { call transfer }; +allow hiview normal_hap_attr:binder { call transfer }; +allow hiview system_basic_hap_attr:binder { call transfer }; +allow hiview system_core_hap_attr:binder { call transfer }; +allow hiview accountmgr:binder { call transfer }; +allow hiview device_usage_stats_service:binder { call transfer }; + +allow hiview dev_unix_socket:dir { search }; +allow hiview dev_unix_socket:sock_file { write }; +allow hiview faultloggerd_socket:sock_file { write }; + +allow hiview tracefs:dir { search }; +allow hiview tracefs_trace_marker_file:file { write open }; + +allow hiview vendor_lib_file:dir { search }; +allow hiview vendor_lib_file:file { read open getattr map execute }; + +allow hiview bgtaskmgr_service:dir { search }; +allow hiview bgtaskmgr_service:file { open read }; + +allowxperm hiview dev_bbox:chr_file ioctl { 0x4264 }; +allowxperm hiview dev_bbox:chr_file ioctl { 0x4266 }; +allowxperm hiview dev_bbox:chr_file ioctl { 0x426f }; + +#avc: denied { get } for service=3301 pid=618 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow hiview sa_powermgr_powermgr_service:samgr_class { get }; +allow hiview sa_powermgr_displaymgr_service:samgr_class { get }; + +allowxperm hiview data_init_agent:file ioctl { 0x5413 }; + +allow hiview sa_sys_event_service:samgr_class { add get }; +allow hiview sa_hiview_service:samgr_class { add get }; +allow hiview sa_hiview_faultlogger_service:samgr_class { add get }; + +#avc: denied { read write } for pid=1955 comm="hiview" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +allow hiview dev_console_file:chr_file { read write }; +#avc: denied { write } for pid=1961 comm="hiview" name="paramservice" dev="tmpfs" ino=28 scontext=u:r:hiview:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 +allow hiview paramservice_socket:sock_file { write }; +#avc: denied { connectto } for pid=1130 comm="hiview" path="/dev/unix/socket/paramservice" scontext=u:r:hiview:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 +allow hiview kernel:unix_stream_socket { connectto }; + +#avc: denied { read } for pid=4200 comm="usage_report" name="u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow hiview musl_param:file { read open map }; + + + +#avc: denied { getattr } for pid=1123 comm="hdcd" path="/dev/asanlog" dev="tmpfs" ino=629 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=0 +allow hdcd dev_asanlog_file:dir { read_dir_perms write add_name create }; +#avc: denied { write create open } for pid=1358 comm="hdcd" path="/dev/asanlog/asan.log.3273" dev="tmpfs" ino=727 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=file permissive=1 +allow hdcd dev_asanlog_file:file { write create read_file_perms }; + + +#avc: denied { read } for pid=3520 comm="hiview" name="asanlog" dev="tmpfs" ino=726 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0 +#allow hiview dev_asanlog_file:dir { read open watch getattr create search }; +allow hiview dev_asanlog_file:dir { read_dir_perms }; + +#avc: denied { read } for pid=449 comm="hiview" name="asan.log.2718" dev="tmpfs" ino=731 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0 +allow hiview dev_asanlog_file:file { read_file_perms }; + +#avc: denied { relabelto } for pid=3281 comm="init" name="asanlog" dev="tmpfs" ino=629 scontext=u:r:init:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=0 +#avc: denied { getattr } for pid=3281 comm="init" path="/dev/asanlog/asan.log.2718" dev="tmpfs" ino=727 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0 +allow init dev_asanlog_file:dir { setattr read getattr relabelto }; + +allow hiview kernel:system { syslog_read }; + +allow hiview hilog_exec:file { execute read open execute_no_trans map }; +allow hiview hilog_output_socket:sock_file { write }; +allow hiview hilogd:unix_stream_socket { connectto }; + +allow hiview hitrace_exec:file { execute read open execute_no_trans map }; +allow hiview tracefs:file { write }; + +allow hiview proc_sysrq_trigger_file:file { open getattr write ioctl }; + +#avc: denied { search } for pid=252 comm="exportSysEventT" name="app" dev="mmcblk0p12" ino=43 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0 +allow hiview data_app_file:dir { search }; + +#avc: denied { search } for pid=247 comm="exportSysEventT" name="el2" dev="mmcblk0p12" ino=47 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0 +#avc: denied { add_name } for pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=266 comm="freeze_detector" name="hiappevent" dev="mmcblk0p15" ino=2265 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0 +allow hiview data_app_el2_file:dir { search read open add_name write create setattr getattr remove_name }; + +#avc: denied { create } for pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=2716 comm="freeze_detector" path="/data/app/el2/100/log/com.example.myapplication/hiappevent/APP_FREEZE_1501994090092_2792.log" dev="mmcblk0p15" ino=2352 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=263 comm="plat_shared" name="APP_CRASH_1501997026177_1964.log" dev="mmcblk0p15" ino=2180 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=0 +allow hiview data_app_el2_file:file { open getattr read write create ioctl setattr append rename }; +allowxperm hiview data_app_el2_file:file ioctl { 0x5413 }; + +#avc: denied { search } for pid=247 comm="exportSysEventT" name="com.huawei.myapplication" dev="mmcblk0p12" ino=2366 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=252 comm="exportSysEventT" name="hiview" dev="mmcblk0p12" ino=2417 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0 +#avc: denied { add_name } for pid=251 comm="exportSysEventT" name="Reliability-EVENT-20170816160811-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0 +allow hiview system_basic_hap_data_file_attr:dir { add_name search write }; + +#avc: denied { create write open } for pid=256 comm="exportSysEventT" name="Reliability-EVENT-20170816164943-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0 +allow hiview system_basic_hap_data_file_attr:file { create write open }; + +#avc: denied { search } for pid=241 comm="exportSysEventT" name="com.huawei.myapplicationtest" dev="mmcblk0p12" ino=1615 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0 +allow hiview normal_hap_data_file:dir { search }; + +#avc: denied { write } for pid=245 comm="exportSysEventT" name="cache" dev="mmcblk0p12" ino=1616 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0 +allow hiview normal_hap_data_file:dir { write add_name }; + +allow hiview normal_hap_data_file:file { create write open }; + +#avc: denied { setattr } for pid=246 comm="exportSysEventT" name="RELIABILITY-20170806025113-000-0.evt" dev="mmcblk0p12" ino=2052 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0 +allow hiview system_basic_hap_data_file_attr:file { setattr }; +allow hiview normal_hap_data_file:file { setattr }; + +debug_only(` + allow hiview sh:dir { getattr open read search}; + allow hiview sh:file { getattr read open }; + allow hiview sh:binder { call transfer }; +') + +#avc: denied { call } for pid=256 comm="IPC_3_1647" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0 +allow hiview system_basic_hap_attr:binder { call }; + +#avc: denied { getattr } for pid=1989 comm="sysevent_source" path="/dev/unix/socket/hisysevent" scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=unix_dgram_socket permissive=1 +allow hiview hiview:unix_dgram_socket { getattr }; + +#avc: denied { open } for pid=262 comm="hiview" path="/dev/ashmem" dev="tmpfs" ino=177 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1 +allow hiview dev_ashmem_file:chr_file { open }; + +#avc: denied { search } for pid=2001 comm="hiview" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow hiview vendor_etc_file:dir { search }; + +#avc: denied { read } for pid=2001 comm="hiview" name="hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2001 comm="hiview" path="/vendor/etc/hiview/hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +allow hiview vendor_etc_file:file { read open }; + +allow hiview hisysevent:binder { call transfer }; +allow hiview hisysevent:dir { search }; +allow hiview hisysevent:file { read open getattr }; + +allow hiview dev_ucollection:chr_file { ioctl open read write }; + +#avc: denied { read } for pid=1853 comm="plat_shared" name="possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow hiview sysfs_devices_system_cpu:file { read open getattr }; + +#avc: denied { read } for pid=260 comm="IPC_2_721" name="tracing_on" dev="tracefs" ino=18185 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=0 +#avc: denied { open } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1 +allow hiview tracefs:file { read open ioctl getattr }; +allowxperm hiview tracefs:file ioctl { 0x5413 }; + +#avc: denied { read } for pid=3130 comm="plat_shared" name="diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1 +allow hiview proc_diskstats_file:file { read open getattr }; + +#avc: denied { kill } for pid=7601 comm="hiview" capability=5 scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=capability permissive=1 +#avc: denied { signal } for pid=7601 comm="hiview" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=process permissive=1 +allow hiview domain:process signal; +allow hiview hiview:capability kill; + +#avc: denied { call } for pid=519 comm="IPC_0_576" scontext=u:r:hiview:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0 +allow hiview softbus_server:binder { call }; + +#avc: denied { search } for pid=251 comm="OS_IPC_3_2826" name="com.example.myapplication" dev="mmcblk0p15" ino=2012 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=251 comm="OS_IPC_3_2826" name="hiappevent" dev="mmcblk0p15" ino=2058 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +allow hiview normal_hap_data_file_attr:dir { search write add_name read getattr }; + +#avc: denied { create } for pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { write open } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { append } for pid=617 comm="/system/bin/hiview" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1712134642860.txt" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25137 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0 +allow hiview normal_hap_data_file_attr:file { create write open ioctl getattr append }; +allowxperm hiview normal_hap_data_file_attr:file ioctl { 0x5413 }; + +allow hiview sa_distributeddata_service:samgr_class { get }; +allow hiview processdump:fd { use }; +allow hiview processdump:fifo_file { read }; + +allow hiview distributeddata:binder { call transfer }; +allow hiview distributeddata:fd { use }; + +allow sadomain dev_bbox:chr_file { ioctl read open write }; +allowxperm sadomain dev_bbox:chr_file ioctl { 0xab09 }; + +neverallowxperm hiview dev_bbox:chr_file ioctl ~{ 0xab09 0xaf01 0xaf02 0xaf03 0xaf04 0xaf05 0xaf06 0xaf07 0xaf08 0x4264 0x4265 0x4266 0x426a 0x426f 0x5413 0x601 }; + +#avc: denied { get } for service=4607 pid=8375 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0 +allow hiview sa_foundation_dms:samgr_class { get }; + +allow hiview hidumper:fd {use }; + +# avc: denied { use } for pid=2181, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:hiview:s0 tcontext=u:r:wifi_manager_service:s0 tclass=fd permissive=0 +allow hiview wifi_manager_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/init.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..fa62562cbaf6f9f5eb9c63da58e2aad6fffa3ce5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/init.te @@ -0,0 +1,33 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { setattr } for pid=1 comm="init" name="bbox" dev="tmpfs" ino=198 scontext=u:r:init:s0 tcontext=u:object_r:dev_bbox:s0 tclass=chr_file permissive=0 +allow init dev_bbox:chr_file { setattr ioctl }; + +#avc: denied { write } for pid=4175 comm="init" name="hiview" dev="mmcblk0p11" ino=18 scontext=u:r:init:s0 tcontext=u:object_r:hiview_file:s0 tclass=dir permissive=0 +#avc: denied { add_name } for pid=1594 comm="init" name="temp" scontext=u:r:init:s0 tcontext=u:object_r:hiview_file:s0 tclass=dir permissive=0 +#avc: denied { create } for pid=1594 comm="init" name="temp" scontext=u:r:init:s0 tcontext=u:object_r:hiview_file:s0 tclass=dir permissive=0 +allow init hiview_file:dir { write add_name create }; + +#avc: denied { setattr } for pid=899 comm="init" name="userlist" dev="sysfs" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_hungtask_userlist:s0 tclass=file permissive=0 +allow init sysfs_hungtask_userlist:file { setattr }; + +allow init dev_ucollection:chr_file { setattr }; + +allow init data_system:dir { relabelfrom }; + +allowxperm init dev_bbox:chr_file ioctl { 0x426a 0x4202 0x4203}; + +#avc: denied { use } for pid=10540, comm="/bin/init" ioctlcmd=0x4 scontext=u:r:init:s0 tcontext=u:r:hiview:s0 tclass=fd permissive=1 +allow init hiview:fd { use }; + diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..d79e017c71b481b7a8c6c00cf869ca37f2949b46 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/multimodalinput.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput hiview:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d572c001b23e7989977ae51acbce5f3bf21d2ad2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { getattr } for pid=1812 comm="e.myapplication" path="/data/storage/el2/log/hiappevent" dev="mmcblk0p15" ino=6049 scontext=u:r:debug_hap:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0 +allow normal_hap_attr data_app_el2_file:dir { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..21eda58918afccdc23b3830c5031f0b64b6d027c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +hiviewdfx.freeze.filter. u:object_r:hiviewdfx_hiview_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/render_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..f96d2f1c300e64d46e627a824ae26743396305a2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/render_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service hiview:fd { use }; + +allow render_service hiview_file:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/sa_sys_event_service.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/sa_sys_event_service.te new file mode 100644 index 0000000000000000000000000000000000000000..f7fd9c12c8a91aa29d5760e047c635fa3bca1d02 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/sa_sys_event_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=1203 pid=1913 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_sys_event_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_sys_event_service:samgr_class { get }; +allow system_basic_hap_attr sa_sys_event_service:samgr_class { get }; +allow system_core_hap_attr sa_sys_event_service:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/samgr.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..b6cff445560bff169dd5b4fb6dd6d5a55e450255 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/samgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr hiview:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/ueventd.te b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..39c63b9e39b5479157d62512d1b8a59402369c28 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/hiviewdfx/hiview/system/ueventd.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_ucollection:chr_file { relabelto }; + diff --git a/prebuilts/api/5.0/ohos_policy/iam/iamwork/.gitkeep b/prebuilts/api/5.0/ohos_policy/iam/iamwork/.gitkeep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/public/attributes b/prebuilts/api/5.0/ohos_policy/kernel/linux/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..6c5bd15cde0d6b65050f7b35c613855e3166a860 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute sharefs_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/public/kernel.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/public/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..b5fe51e61aa89fe172926c39f66c6e55350d0692 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/public/kernel.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type kernel, domain; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..1949d11842b02357e8f4af814b15d831e96ca774 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr memmgrservice:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/foundation.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..118c7aa2e45b48bf3403e2e500a0d33a11f5bfc8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation memmgrservice:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..c057041a7fcad3102b12e316081336feb7d05f70 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hap_domain.te @@ -0,0 +1,19 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#hap_domain: normal_hap, system_basic_hap, system_core_hap +allow hap_domain self:udp_socket { ioctl }; + +#SIOCGIFADDR +#SIOCGIFCONF +allowxperm hap_domain self:udp_socket ioctl { 0x8912 0x8915 }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0f83236f8cf9813bfe32e78c1c9916e3c100a569 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service memmgrservice:dir { search }; +allow hidumper_service memmgrservice:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/kernel.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..9d876b04bf3cf176beaf153dce1242f8ae0fd289 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/kernel.te @@ -0,0 +1,22 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#domain_auto_transition_pattern(kernel, init_exec, init) + +#allow kernel tmpfs:chr_file read_file_perms; +#allow kernel kernel:process setsched; +allow kernel debugfs_usb:dir { search }; +allow kernel device:dir { create }; +allow kernel sys_file:dir { open }; +allow kernel vendor_etc_file:dir { open read search }; +allow kernel vendor_etc_file:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..c49df288840e2998e6b75f6412a3910826e6b81c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memmgrservice.te @@ -0,0 +1,99 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice data_file:dir { search }; +allow memmgrservice data_init_agent:dir { search }; +allow memmgrservice data_init_agent:file { ioctl open read append }; +allow memmgrservice domain:dir { search }; +allow memmgrservice domain:file { open read getattr }; +allow memmgrservice accountmgr:binder { call transfer }; +allow memmgrservice dev_unix_socket:dir { search }; +allow memmgrservice bgtaskmgr_service:binder { call transfer }; +allow memmgrservice cgroup:dir { add_name create search open read write }; +allow memmgrservice cgroup:file { append getattr ioctl open read write }; +allow memmgrservice foundation:binder { call transfer }; +allow memmgrservice data_vendor:dir { search }; +allow memmgrservice hyperhold_sys:dir { search relabelto write add_name getattr setattr remove_name }; +allow memmgrservice hyperhold_sys:file { getattr open read write create rename unlink }; + +allow memmgrservice memmgrservice:capability { kill sys_resource dac_override sys_ptrace }; +neverallow memmgrservice *:process ptrace; + +allow memmgrservice normal_hap_attr:file { write getattr }; +allow memmgrservice normal_hap_attr:process { sigkill }; + +# denied { read } for pid=274 comm="event_runner#9" name="enable" dev="proc" ino=305072 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +# denied { create } for pid=286 comm="event_runner#11" name="lmkd_dbg_trigger" scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +# denied { ioctl } for pid=286 comm="event_runner#11" path="/proc/lmkd_dbg_trigger" dev="proc" ino=4026532101 ioctlcmd=0x5413 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow memmgrservice proc_file:file { write open read create ioctl getattr }; + +allow memmgrservice proc_meminfo_file:file { open read getattr }; +allow memmgrservice system_basic_hap_attr:file { write getattr }; +allow memmgrservice system_basic_hap_attr:process { sigkill }; +allow memmgrservice system_core_hap_attr:file { write }; +allow memmgrservice system_core_hap_attr:process { sigkill }; +allow memmgrservice vendor_lib_file:file { read }; +allowxperm memmgrservice cgroup:file ioctl { 0x5413 }; +allowxperm memmgrservice data_init_agent:file ioctl 0x5413; + +# denied { set } for parameter=persist.sys.eswap.permanently.closed pid=287 uid=1111 gid=1111 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=parameter_service permissive=1 +allow memmgrservice persist_sys_param:parameter_service { set }; + +# denied { write } for pid=1798 comm="memmgrservice" name="paramservice" dev="tmpfs" ino=45 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 +allow memmgrservice paramservice_socket:sock_file { write }; + +# denied { connectto } for pid=1798 comm="memmgrservice" path="/dev/unix/socket/paramservice" scontext=u:r:memmgrservice:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 +allow memmgrservice kernel:unix_stream_socket { connectto }; + +# denied { get } for service=200 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow memmgrservice sa_accountmgr:samgr_class { get }; + +# denied { get } for service=501 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow memmgrservice sa_foundation_appms:samgr_class { get }; + +allow memmgrservice sa_foundation_cesfwk_service:samgr_class { get }; + +allow memmgrservice sa_foundation_abilityms:samgr_class { get }; + +allow memmgrservice sa_bgtaskmgr:samgr_class { get }; + +allow memmgrservice sa_foundation_bms:samgr_class { get }; +allow memmgrservice netsysnative:file { getattr }; + +# vendor +allow memmgrservice vendor_etc_file:dir { search }; +allow memmgrservice vendor_etc_file:file { getattr map open read }; + +# chip +allow memmgrservice chip_prod_file:dir { search }; +allow memmgrservice chip_prod_file:file { getattr map open read }; + +# sys +allow memmgrservice sys_prod_file:dir { search }; +allow memmgrservice sys_prod_file:file { getattr map open read }; + +# host +allow memmgrservice user_auth_host:file { getattr }; +allow memmgrservice pin_auth_host:file { getattr }; +allow memmgrservice face_auth_host:file { getattr }; +allow memmgrservice codec_host:file { getattr }; +allow memmgrservice light_host:file { getattr }; +allow memmgrservice vibrator_host:file { getattr }; +allow memmgrservice sensor_host:file { getattr }; +allow memmgrservice input_user_host:file { getattr }; + +# nandlife_controller +allow memmgrservice data_service_file:dir { search }; +allow memmgrservice data_service_el1_file:dir { search write add_name }; +allow memmgrservice data_service_el1_file:file { read open lock write getattr create }; +allow memmgrservice sysfs_devices_system_cpu:file { read open getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memory.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memory.te new file mode 100644 index 0000000000000000000000000000000000000000..24166fcd59c1c7bf7f37445a92cd554461d8fe0c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/memory.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, +# musl c reads /sys/kernel/mm/transparent_hugepage/enabled +type sysfs_transparent_hugepage, fs_attr, sysfs_attr; + +allow domain sysfs_transparent_hugepage:dir { search }; +allow domain sysfs_transparent_hugepage:file { open read }; + diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..965abac195fd02fa6721b7dbb0be809f05c4c739 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr normal_hap_attr:file { ioctl open read write }; +allow normal_hap_attr self:icmp_socket { create write read connect bind setopt getattr getopt shutdown }; +allow normal_hap_attr normal_hap_attr:unix_dgram_socket { append bind getattr getopt lock map read sendto setattr setopt shutdown }; +allow normal_hap_attr normal_hap_attr:unix_stream_socket { read write setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..4b143744728e3ea7b69d60499adc209b9e05ca43 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/resource_schedule_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow resource_schedule_service dev_sched_rtg_ctrl:chr_file { ioctl open read write }; +allow resource_schedule_service resource_schedule_service:file { ioctl open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/samgr.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..e2ea2ef921e7d50f2f08ee9039cd71b8f664f3fe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/samgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr memmgrservice:binder { call transfer }; +allow samgr memmgrservice:dir { search }; +allow samgr memmgrservice:file { open read }; +allow samgr memmgrservice:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/su.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/su.te new file mode 100644 index 0000000000000000000000000000000000000000..508aa9f1b9dc951862c2581b8ba61555c22b0b76 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/su.te @@ -0,0 +1,13 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +type su_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3f71dc248e8ed9481644f9fcee5743100c237570 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_basic_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr system_basic_hap_attr:file { ioctl open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d5708ae604e66bb6291e119c538e424a9e059c73 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/system_core_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr system_core_hap_attr:file { ioctl open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/type.te b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..07c569d72e0f0fc2eab3928f2395fbebef5aef7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/type.te @@ -0,0 +1,18 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type f2fs_hc_file, fs_attr, sysfs_attr; + +# for sandbox appdata +type sharefs_appdata_file, sharefs_file_attr, fs_attr; +type sharefs_appdata_bundle_file, sharefs_file_attr, fs_attr; diff --git a/prebuilts/api/5.0/ohos_policy/kernel/linux/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..66e82cf978a4cb1f9acd19794d632e1e96d53320 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/linux/system/virtfs_contexts @@ -0,0 +1,27 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# please put short path ahead. +# use relative path to mount point. + +genfscon sysfs /fs/f2fs u:object_r:f2fs_hc_file:s0 + +# for memory, transparent_hugepage +genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0 + +# for sandbox appdata +genfscon sharefs /currentUser/appdata u:object_r:sharefs_appdata_file:s0 +genfscon sharefs /currentUser/appdata/el1/base/ u:object_r:sharefs_appdata_bundle_file:s0 +genfscon sharefs /currentUser/appdata/el2/base/ u:object_r:sharefs_appdata_bundle_file:s0 +genfscon sharefs /currentUser/appdata/el2/cloud/ u:object_r:sharefs_appdata_bundle_file:s0 +genfscon sharefs /currentUser/appdata/el2/distributedfiles/ u:object_r:sharefs_appdata_bundle_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/kernel/xpm/public/xpm.te b/prebuilts/api/5.0/ohos_policy/kernel/xpm/public/xpm.te new file mode 100644 index 0000000000000000000000000000000000000000..b614129af1053e680305d5b06579f40837a1cc31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/kernel/xpm/public/xpm.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -print_driver -sane_service } self:xpm {exec_allow_sa_plugin}; diff --git a/prebuilts/api/5.0/ohos_policy/liteos/toybox/public/sh.te b/prebuilts/api/5.0/ohos_policy/liteos/toybox/public/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..03e97ecaf3d75afa3016a8f3760cf91edcfa259d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/liteos/toybox/public/sh.te @@ -0,0 +1,81 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################## +## Type define: ## +################## + +type toybox_exec, exec_attr, file_attr, system_file_attr; + +developer_only(` +# avc_audit_slow:261] avc: denied { connect } for pid=6561, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=udp_socket permissive=0 +# avc_audit_slow:261] avc: denied { create } for pid=6113, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=udp_socket permissive=0 +allow sh sh:udp_socket { connect create }; + +# avc_audit_slow:261] avc: denied { create } for pid=5705, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=tcp_socket permissive=0 +# avc_audit_slow:261] avc: denied { getattr } for pid=6311, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=tcp_socket permissive=0 +# avc_audit_slow:261] avc: denied { read } for pid=5863, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=tcp_socket permissive=0 +# avc_audit_slow:261] avc: denied { setopt } for pid=5868, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=tcp_socket permissive=0 +allow sh sh:tcp_socket { connect create setopt getattr read write }; + +# avc_audit_slow:261] avc: denied { name_connect } for pid=6202, comm="/bin/ftpget" scontext=u:r:sh:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=0 +allow sh port:tcp_socket { name_connect }; + +# avc: denied { ioctl } for pid=6685, comm="/bin/top" path="dev/pts/0" ioctlcmd=0x5401 scontext=u:r:sh:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 +# avc: denied { ioctl } for pid=6685, comm="/bin/top" path="dev/pts/0" ioctlcmd=0x5404 scontext=u:r:sh:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 +allow sh devpts:chr_file { ioctl }; +allowxperm sh devpts:chr_file ioctl { 0x5401 0x5404 }; + +# avc: denied { read open } for pid=6685, comm="/bin/top" path="/proc/6052/task" scontext=u:r:sh:s0 tcontext=u:r:debug_hap:s0 tclass=dir permissive=0 +allow sh debug_hap:dir { read open }; + +# avc: denied { read open } for pid=6685, comm="/bin/top" path="/proc/stat" scontext=u:r:sh:s0 tcontext=u:object_r:proc_stat_file:s0 tclass=file permissive=0 +allow sh proc_stat_file:file { read open }; + +# avc: denied { read open } for pid=6685, comm="/bin/top" path="/proc/meminfo" scontext=u:r:sh:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=0 +allow sh proc_meminfo_file:file { read open }; + +# avc: denied { read open } for pid=6685, comm="/bin/top" path="/sys/devices/system/cpu" scontext=u:r:sh:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=0 +allow sh sysfs_devices_system_cpu:dir { read open }; + +#avc: denied { create getattr read unlink } for pid=13532, comm="/bin/mkfifo" scontext=u:r:sh:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=fifo_file permissions=0 +allow sh data_local_tmp:fifo_file { create getattr read unlink }; + +# avc: denied { search } for pid=32697, comm="bin/tty" scontext=u:r:sh:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissions=0 +allow sh dev_pts_file:dir { search }; + +# avc: denied { create getattr read unlink open } for pid=10562, comm="bin/sh" scontext=u:r:sh:s0 tcontext=u:object_r:dev_encaps:s0 tclass=chr_file permissions=0 +allow sh dev_encaps:chr_file { create getattr read unlink open }; + +# avc: denied { create getattr read unlink } for pid=45334, comm="bin/ln" scontext=u:r:sh:s0 tcontext=u:object_r:lnk_file:s0 tclass=dir permissions=0 +allow sh data_local_tmp:lnk_file { create getattr read unlink }; + +# avc: denied { execute_no_trans } for pid=51536, comm="bin/watch" scontext=u:r:sh:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissions=0 +# avc: denied { execute open read getattr unlink } for pid=24239, comm="bin/sh" scontext=u:r:sh:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissions=0 +allow sh sh_exec:file { execute_no_trans execute open read getattr unlink}; + +# avc: denied { getattr } for pid=25100, comm="bin/stat" scontext=u:r:sh:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissions=0 +allow sh labeledfs:filesystem { getattr }; + +# avc: denied { write remove_name search } for pid=25100, comm="bin/rm" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissions=0 +allow sh hmdfs:dir { write remove_name search rmdir }; + +# avc: denied { unlink } for pid=25100, comm="bin/rm" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissions=0 +allow sh hmdfs:file { unlink }; + +# avc: denied { write remove_name search } for pid=25100, comm="bin/rm" scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissions=0 +allow sh data_user_file:dir { write remove_name search rmdir }; + +# avc: denied { unlink } for pid=25100, comm="bin/rm" scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissions=0 +allow sh data_user_file:file { unlink }; +') diff --git a/prebuilts/api/5.0/ohos_policy/liteos/toybox/system/file_contexts b/prebuilts/api/5.0/ohos_policy/liteos/toybox/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..bc6b0261a8f5697f75528bf84102fe65af09bb5f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/liteos/toybox/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for toybox +/system/bin/toybox u:object_r:toybox_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/location/public/type.te b/prebuilts/api/5.0/ohos_policy/location/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..e20d19e4e4d32a3471767c43331af4c56b008d85 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/location/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type locationhub, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/location/system/foundation.te b/prebuilts/api/5.0/ohos_policy/location/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c928c4a82db51940326170ca53f9c4a1e3652559 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/location/system/foundation.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation locationhub:binder { call transfer }; + +allow foundation locationhub:file { read }; + +allow foundation locationhub:dir { search }; + diff --git a/prebuilts/api/5.0/ohos_policy/location/system/locationhub.te b/prebuilts/api/5.0/ohos_policy/location/system/locationhub.te new file mode 100644 index 0000000000000000000000000000000000000000..2137c56d1f30d9a58bb6a55ae2e9c3f8ea87a8b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/location/system/locationhub.te @@ -0,0 +1,113 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=2803 pid=284 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_locationhub_lbsservice_gnss:s0 tclass=samgr_class permissive=1 +allow locationhub sa_locationhub_lbsservice_gnss:samgr_class { get }; + +#avc: denied { get } for service=2804 pid=284 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_locationhub_lbsservice_network:s0 tclass=samgr_class permissive=1 +allow locationhub sa_locationhub_lbsservice_network:samgr_class { get }; + +#avc: denied { get } for service=2805 pid=284 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_locationhub_lbsservice_passive:s0 tclass=samgr_class permissive=1 +allow locationhub sa_locationhub_lbsservice_passive:samgr_class { get }; + +#avc: denied { get } for service=2801 pid=284 scontext=u:r:locationhub:s0 tcontext=u:object_r:default_service:s0 tclass=samgr_class permissive=1 +allow locationhub hdf_device_manager:hdf_devmgr_class { get }; + +#avc: denied { get } for service=3299 pid=284 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow locationhub sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { get } for service=3901 pid=317 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow locationhub sa_param_watcher:samgr_class { get }; + +#avc: denied { get } for service=gnss_interface_service pid=317 scontext=u:r:locationhub:s0 tcontext=u:object_r:hdf_gnss_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow locationhub hdf_gnss_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=agnss_interface_service pid=317 scontext=u:r:locationhub:s0 tcontext=u:object_r:hdf_agnss_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow locationhub hdf_agnss_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=geofence_interface_service pid=317 scontext=u:r:locationhub:s0 tcontext=u:object_r:hdf_geofence_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow locationhub hdf_geofence_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=3503 pid=317 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow locationhub sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=2801 pid=303 scontext=u:r:locationhub:s0 tcontext=u:object_r:sa_location_geo_convert_service:s0 tclass=samgr_class permissive=1 +allow locationhub sa_location_geo_convert_service:samgr_class { get }; + +allow locationhub sa_foundation_bms:samgr_class { get }; + +allow locationhub sa_telephony_tel_core_service:samgr_class { get }; + +allow locationhub sa_telephony_tel_cellular_data:samgr_class { get }; + +allow locationhub sa_foundation_appms:samgr_class { get }; + +allow locationhub data_service_file:dir { search }; + +allow locationhub data_service_el1_file:dir { search write add_name remove_name getattr }; + +allow locationhub data_service_el1_file:file { create read write open getattr setattr ioctl }; + +allow locationhub telephony_sa:binder { call transfer }; + +debug_only(` + #avc: denied { call } for pid=353 comm="IPC_1_409" scontext=u:r:locationhub:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 + allow locationhub sh:binder { call }; +') + +allow locationhub sa_privacy_service:samgr_class { get }; + +allow locationhub sa_foundation_abilityms:samgr_class { get }; + +allow locationhub accesstoken_service:binder { call transfer }; + +allow locationhub privacy_service:binder { call transfer }; + +allow locationhub normal_hap_attr:binder { call transfer }; + +allow locationhub musl_param:file { read }; + +allow locationhub dev_console_file:chr_file { read write }; + +allow locationhub sa_location_locator_service:samgr_class { get }; +allow locationhub sa_distributeddata_service:samgr_class { get }; +allow locationhub distributeddata:binder { call }; +allow locationhub distributeddata:fd { use }; +allow locationhub vendor_bin_file:dir { search }; + +allow locationhub musl_param:file { open }; +allow locationhub dev_file:dir { getattr }; + +allow locationhub sa_bluetooth_server:samgr_class { get }; +allow locationhub sa_wifi_scan_ability:samgr_class { get }; + +allow locationhub sa_bgtaskmgr:samgr_class { get }; +allow locationhub bgtaskmgr_service:binder { call }; + +allow locationhub sa_form_mgr_service:samgr_class { get }; +allow locationhub sa_foundation_ans:samgr_class { get }; +allow locationhub sa_telephony_tel_sms_mms:samgr_class { get }; +allow locationhub sa_foundation_tel_call_manager:samgr_class { get }; + +allow locationhub time_service:binder { call }; +allow locationhub sa_resource_schedule:samgr_class { get }; +allow locationhub sa_device_standby:samgr_class { get }; +allow locationhub sa_msdp_movement_service:samgr_class { get }; +allow locationhub wifi_manager_service:fd { use }; +allow locationhub sa_net_conn_manager:samgr_class { get }; + +allow locationhub paramservice_socket:sock_file { write }; +allow locationhub kernel:unix_stream_socket { connectto }; +allow locationhub persist_param:parameter_service { set }; + +allow locationhub sa_wifi_device_ability:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/location/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/location/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c7f20ae98bd9f3dda24c13e81e85c6fbeb4c2796 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/location/system/normal_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=2802 pid=2113 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_location_locator_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_location_locator_service:samgr_class { get }; + +allow normal_hap_attr locationhub:binder { call transfer }; + +allow system_core_hap_attr locationhub:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/misc/input_framework/.gitkeep b/prebuilts/api/5.0/ohos_policy/misc/input_framework/.gitkeep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..cac2f6a9dd5d41ceb4c0a1056fa9384d41aeca8e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/accountmgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr download_server:binder { call transfer }; +binder_call(download_server, accountmgr); diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/download_server.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/download_server.te new file mode 100644 index 0000000000000000000000000000000000000000..f7b3bc5bc8c033b74144ff8d0c73f9f32b5fcd64 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/download_server.te @@ -0,0 +1,141 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow download_server { domain -download_server }:socket_class_set { setattr }; +neverallow download_server { file_attr -data_service_el1_file -data_log_sanitizer_file }:{ file_class_set dir_file_class_set } { setattr }; + +allow download_server accesstoken_service:binder { call }; +allow download_server download_server:tcp_socket { read }; +allow download_server normal_hap_attr:binder { call }; +allow download_server normal_hap_data_file_attr:file { write }; +allow download_server normal_hap_attr:fd { use }; +allow download_server sa_accesstoken_manager_service:samgr_class { get }; +allow download_server normal_hap_data_file_attr:file { read }; +allow download_server dev_file:sock_file { write }; +allow download_server download_server:udp_socket { bind connect create getattr getopt ioctl read setopt write }; +allow download_server download_server:tcp_socket { accept bind connect create getattr getopt listen read setopt shutdown write setattr }; +allow download_server download_server:capability { chown }; +allow download_server port:tcp_socket { name_connect }; +allow download_server node:udp_socket { node_bind }; +allow download_server port:udp_socket { name_bind }; +allow download_server netsysnative:unix_stream_socket { connectto }; +allow download_server accessibility_param:file { map open read }; +allow download_server foundation:binder { call transfer }; +allow download_server sysfs_hctosys:file { open read }; +allow download_server sysfs_rtc:dir { open read }; +allow download_server sa_foundation_ans:samgr_class { get }; +# avc: denied { read write } for pid=2360 comm="sa_main" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:download_server:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +allow download_server dev_console_file:chr_file { read write }; +#avc: denied { call } for pid=2168 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0 +allow download_server system_core_hap_attr:binder { call }; +#avc: denied { use } for pid=2588 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=0 +allow download_server system_core_hap_attr:fd { use }; +#avc: denied { call } for pid=2158 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0 +allow download_server system_basic_hap_attr:binder { call }; +#avc: denied { use } for pid=2568 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=0 +allow download_server system_basic_hap_attr:fd { use }; +#avc: denied { get } for service=501 pid=1640 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow download_server sa_foundation_appms:samgr_class { get }; +#avc: denied { search } for pid=1640 comm="SaInit0" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:download_server:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow download_server data_file:dir { add_name open read search write }; +#avc: denied { open read map } for pid=1640 comm="SaInit0" name="u:object_r:musl_param:s0" dev="tmpfs" ino=55 scontext=u:r:download_server:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow download_server musl_param:file { open read map }; +#avc: denied { write } for pid=1689 comm="SaInit0" name="dnsproxyd" dev="mmcblk0p12" ino=3397 scontext=u:r:download_server:s0 tcontext=u:object_r:dnsproxy_service:s0 tclass=sock_file permissive=0 +allow download_server dnsproxy_service:sock_file { write }; +#avc: denied { getattr } for pid=1612 comm="sa_main" path="/dev" dev="tmpfs" ino=1 scontext=u:r:download_server:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0 +allow download_server dev_file:dir { getattr }; +#avc: denied { search } for pid=1612 comm="download_server" name="usr" dev="mmcblk0p7" ino=2983 scontext=u:r:download_server:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=0 +allow download_server system_usr_file:dir { search }; +#avc: denied { getattr } for pid=1587 comm="download_server" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p7" ino=2990 scontext=u:r:download_server:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=0 +allow download_server system_usr_file:file { getattr open read map }; +#avc: denied { read } for pid=1435 comm="download_server" name="online" dev="sysfs" ino=4917 scontext=u:r:download_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow download_server sysfs_devices_system_cpu:file { getattr open read map }; +#avc: denied { getattr } for pid=1439 comm="IPC_0_1440" path="/data/storage/el2/base/haps/entry/cache/cacert.pem" dev="mmcblk0p12" ino=1331 scontext=u:r:download_server:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=0 +allow download_server normal_hap_data_file:file { getattr }; +#avc: denied { search } for pid=1424 comm="tokio-runtime-w" name="data" dev="mmcblk0p12" ino=89 scontext=u:r:download_server:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0 +allow download_server data_data_file:dir { search }; +#avc: denied { get } for service=180 pid=1535 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow download_server sa_foundation_abilityms:samgr_class { get }; +#avc: denied { getattr } for pid=1782 comm="IPC_2_1869" path="/data/storage/el2/base/haps/entry/cache/cacert.pem" dev="mmcblk0p12" ino=2874 scontext=u:r:download_server:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0 +allow download_server system_basic_hap_data_file_attr:file { getattr }; +#avc: denied { getattr } for pid=1584 comm="IPC_3_1733" path="/data/storage/el2/base/haps/entry/cache/cacert.pem" dev="mmcblk0p12" ino=2862 scontext=u:r:download_server:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=0 +allow download_server system_core_hap_data_file_attr:file { getattr }; +#avc: denied { getattr } for pid=1593 comm="IPC_3_1711" path="/data/storage/el2/base/haps/entry/cache/upload1.txt" dev="mmcblk0p12" ino=1926 scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0 +allow download_server debug_hap_data_file:file { getattr }; +# avc: denied { getattr } for pid=1574 comm="IPC_2_1581" path="/data/service/el1/public/database/request/request.db" dev="mmcblk0p14" ino=3889 scontext=u:r:download_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow download_server data_service_el1_file:dir { add_name create open read remove_name search write }; +#avc: denied { read write } for pid=1574 comm="IPC_2_1581" name="request.db" dev="mmcblk0p14" ino=3889 scontext=u:r:download_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow download_server data_service_el1_file:file { create lock ioctl map getattr open read setattr unlink write }; +#avc: denied { search } for pid=1574 comm="IPC_2_1581" name="service" dev="mmcblk0p14" ino=7 scontext=u:r:download_server:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow download_server data_service_file:dir { search }; +#avc: denied { ioctl } for pid=1574 comm="IPC_2_1581" path="/data/service/el1/public/database/request/request.db" dev="mmcblk0p14" ino=3889 ioctlcmd=0xf50c scontext=u:r:download_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allowxperm download_server data_service_el1_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 }; +#avc: denied { open } for pid=1574 comm="download_server" path="/dev/ashmem" dev="tmpfs" ino=230 scontext=u:r:download_server:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1 +allow download_server dev_ashmem_file:chr_file { open }; +#avc: denied { call } for pid=1524 comm="IPC_1_1526" scontext=u:r:download_server:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow download_server huks_service:binder { call }; +#avc: denied { get } for service=3510 pid=1524 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=1 +allow download_server sa_huks_service:samgr_class { get }; +#avc: denied { get } for service=4606 pid=12649 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=0 +allow download_server sa_foundation_wms:samgr_class { get }; +#avc: denied { get } for service=3299 pid=1836 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow download_server sa_foundation_cesfwk_service:samgr_class { get }; +#avc: denied { search } for pid=2496 comm="IPC_2_2504" name="app" dev="mmcblk0p14" ino=54 scontext=u:r:download_server:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=1 +allow download_server data_app_file:dir { search }; +#avc: denied { search } for pid=18412 comm="OS_IPC_1_18414" name="el1" dev="mmcblk0p15" ino=57 scontext=u:r:download_server:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow download_server data_app_el1_file:dir { search }; +#avc: denied { search } for pid=2496 comm="IPC_2_2504" name="el2" dev="mmcblk0p14" ino=58 scontext=u:r:download_server:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 +allow download_server data_app_el2_file:dir { search }; +allow download_server data_app_el5_file:dir { search }; +#avc: denied { search } for pid=2496 comm="IPC_2_2504" name="com.example.mytest1" dev="mmcblk0p14" ino=1984 scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=2496 comm="IPC_2_2504" name="updown" dev="mmcblk0p14" ino=2026 scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=2496 comm="IPC_2_2504" name="test.txt" scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 +allow download_server normal_hap_data_file_attr:dir { search write add_name }; +allow download_server system_basic_hap_data_file_attr:dir { search write add_name }; +allow download_server system_core_hap_data_file_attr:dir { search write add_name }; +#avc: denied { create } for pid=2496 comm="IPC_2_2504" name="test.txt" scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { append open } for pid=2496 comm="IPC_2_2504" path="/data/app/el2/100/base/com.example.mytest1/cache/updown/test.txt" dev="mmcblk0p14" ino=2027 scontext=u:r:download_server:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +allow download_server normal_hap_data_file_attr:file {create append open}; +allow download_server system_basic_hap_data_file_attr:file { create append open }; +allow download_server system_core_hap_data_file_attr:file { create append open }; +#avc: denied { read } for pid=6848 comm="download_server" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=154 scontext=u:r:download_server:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=3942 comm="download_server" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=154 scontext=u:r:download_server:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=3942 comm="download_server" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=154 scontext=u:r:download_server:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +allow download_server arkcompiler_param:file { read map open }; +allow download_server ark_writeable_param:file { read map open }; +#avc: denied { write } for pid=6848 comm="async-2" name="dnsproxyd" dev="tmpfs" ino=185 scontext=u:r:download_server:s0 tcontext=u:dev_unix_file:sock_file:s0 tclass=sock_file permissive=1 +allow download_server dev_unix_file:sock_file { write }; +#avc: denied { get } for service=4007 pid=28302 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_telephony_tel_cellular_data:s0 tclass=samgr_class permissive=0 +allow download_server sa_telephony_tel_cellular_data:samgr_class { get }; +#avc: denied { shutdown } for pid=2940 comm="async-3" scontext=u:r:download_server:s0 tcontext=u:r:download_server:s0 tclass=unix_dgram_socket permissive=0 +#avc: denied { sendto } for pid=1710 comm="async-1" scontext=u:r:download_server:s0 tcontext=u:r:download_server:s0 tclass=unix_dgram_socket permissive=0 +#avc: denied { read } for pid=1553 comm="async-0" scontext=u:r:download_server:s0 tcontext=u:r:download_server:s0 tclass=unix_dgram_socket permissive=0 +allow download_server download_server:unix_dgram_socket { shutdown sendto read }; +#avc: denied { read } for pid=1956 comm="example.mytest" ... scontext=u:r:download_server:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=1956 comm="example.mytest" ... scontext=u:r:download_server:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=0 +allow download_server hmdfs:file { read getattr }; +#avc: denied { read } for pid=1956 comm="example.mytest" ... scontext=u:r:download_server:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=0 +allow download_server data_user_file:file { read getattr }; +allow download_server sys_prod_file:dir { search }; +allow download_server chip_prod_file:dir { search }; +allow download_server dev_kmsg_file:chr_file { write }; +#avc: denied { call } for pid=3596 comm="async-3" ... scontext=u:r:download_server:s0 tcontext=u:r:cert_manager_service:s0 tclass=binder permissive=1 +allow download_server cert_manager_service:binder { call }; +#avc: denied { get } for service=3512 pid=3596 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_cert_manager_service:s0 tclass=samgr_class permissive=1 +allow download_server sa_cert_manager_service:samgr_class { get }; +allow download_server sa_accountmgr:samgr_class { get }; +allow download_server accountmgr:binder { call transfer }; +allow download_server accountmgr:fd { use }; +allow download_server epfs:file { read getattr write }; +#avc: denied { get } for service=401 sid=u:r:download_server:s0 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow download_server sa_foundation_bms:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/foundation.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..d8aba47d0555f0098c07b96ed6922e915c944000 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call transfer } for pid=1615 comm="IPC_8_1739" scontext=u:r:foundation:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0 +allow foundation download_server:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/init.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..5fafcf5ae79a0f7cd714ef7e2590d9aad74411bc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_service_el1_file:dir { add_name create open read remove_name search write }; +allow init data_service_el1_file:file { create lock ioctl map getattr open read setattr unlink write }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..ee30203a15ca356333839a2a521195ddf8201567 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/normal_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_download_service:samgr_class { get }; +allow normal_hap_attr download_server:binder { call }; +allow normal_hap_attr download_server:binder { transfer }; +#avc: denied { use } for pid=1481 comm="download_server" path="socket:[37160]" dev="sockfs" ino=37160 scontext=u:r:debug_hap:s0 tcontext=u:r:download_server:s0 tclass=fd permissive=0 +allow normal_hap_attr download_server:fd { use }; +#avc: denied { read write } for pid=2215 comm="OS_IPC_1_2244" path="socket:[41327]" dev="sockfs" ino=41327 scontext=u:r:debug_hap:s0 tcontext=u:r:download_server:s0 tclass=unix_dgram_socket permissive=0 +allow normal_hap_attr download_server:unix_dgram_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7aadce092195b3a66d5c5bc5d21f5f7205edaf59 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_basic_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=2094 comm="1.ui" scontext=u:r:system_basic_hap:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0 +allow system_basic_hap_attr download_server:binder { call transfer }; +# avc: denied { get } for service=3706 pid=4299 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_download_server:s0 tclass=samgr_class permissive=0 +allow system_basic_hap_attr sa_download_service:samgr_class { get }; +#avc: denied { use } for pid=20830 comm="download_server" path="socket:[117183]" dev="sockfs" ino=117183 scontext=u:r:system_basic_hap:s0 tcontext=u:r:download_server:s0 tclass=fd permissive=0 +allow system_basic_hap_attr download_server:fd { use }; +allow system_basic_hap_attr download_server:unix_dgram_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..147b1d2b9f5d06a0e662887bcfd6dfb21ed68887 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/download_server/system/system_core_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for pid=2095 comm="1.ui" scontext=u:r:system_core_hap:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0 +allow system_core_hap_attr sa_download_service:samgr_class { get }; +# avc: denied { call transfer } for pid=2093 comm="1.ui" scontext=u:r:system_core_hap:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0 +allow system_core_hap_attr download_server:binder { call transfer }; +allow system_core_hap_attr download_server:fd { use }; +allow system_core_hap_attr download_server:unix_dgram_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/attributes b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..efc9f277862e388bf6737c354f617d66e813564b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute input_isolate_attr; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_debug_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_debug_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8de2ca91508251b9ab0026e86c3338214d0b9e50 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_debug_hap.te @@ -0,0 +1,189 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + # allow input_isolate_debug_hap to get sa + allow input_isolate_debug_hap sa_accessibleabilityms:samgr_class { get }; + allow input_isolate_debug_hap sa_concurrent_task_service:samgr_class { get }; + allow input_isolate_debug_hap sa_foundation_abilityms:samgr_class { get }; + allow input_isolate_debug_hap sa_foundation_appms:samgr_class { get }; + allow input_isolate_debug_hap sa_foundation_bms:samgr_class { get }; + allow input_isolate_debug_hap sa_foundation_dms:samgr_class { get }; + allow input_isolate_debug_hap sa_foundation_wms:samgr_class { get }; + allow input_isolate_debug_hap sa_inputmethod_service:samgr_class { get }; + allow input_isolate_debug_hap sa_multimodalinput_service:samgr_class { get }; + allow input_isolate_debug_hap sa_param_watcher:samgr_class { get }; + allow input_isolate_debug_hap sa_privacy_service:samgr_class { get }; + allow input_isolate_debug_hap sa_render_service:samgr_class { get }; + allow input_isolate_debug_hap sa_resource_schedule:samgr_class { get }; + #avc: denied { get } for service=3702 sid=u:r:input_isolate_hap:s0 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=0 + allow input_isolate_debug_hap sa_time_service:samgr_class { get }; + + #avc: denied { write } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1 + allow input_isolate_debug_hap appspawn:unix_dgram_socket { write connect }; + #avc: denied { use } for pid=6797, comm="/system/bin/appspawn" path="pipe:[1031]" dev="tmpfs" ino=1031 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=0 + allow input_isolate_debug_hap appspawn:fd { use }; + #avc: denied { write } for pid=7200, comm="/system/bin/appspawn" path="pipe:[1138]" dev="tmpfs" ino=1138 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:appspawn:s0 tclass=fifo_file permissive=1 + allow input_isolate_debug_hap appspawn:fifo_file { write }; + #avc: denied { dyntransition } for pid=5191, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=process permissive=0 + allow appspawn input_isolate_debug_hap:process { dyntransition sigkill }; + #avc: denied { read } for pid=622, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=file permissive=0 + allow appspawn input_isolate_debug_hap:file { read }; + + #avc: denied { call } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=1 + allow input_isolate_debug_hap accessibility:binder { call transfer }; + #avc: denied { call } for pid=774, comm="/system/bin/sa_main" scontext=u:r:accessibility:s0 tcontext=u:r:input_isolate_hap:s0 tclass=binder permissive=0 + allow accessibility input_isolate_debug_hap:binder { call }; + + #avc: denied { call } for pid=13933, comm="/system/bin/appspawn" scontext=u:r:debug_hap:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=binder permissive=1 + allow debug_hap input_isolate_debug_hap:binder { call }; + #avc: denied { call } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:debug_hap:s0 tclass=binder permissive=1 + allow input_isolate_debug_hap debug_hap:binder { call }; + + #avc: denied { getopt } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=unix_dgram_socket permissive=1 + #avc: denied { setopt } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=unix_dgram_socket permissive=1 + allow input_isolate_debug_hap input_isolate_debug_hap:unix_dgram_socket { getopt setopt }; + #avc: denied { create } for pid=4262, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=netlink_route_socket permissive=1 + allow input_isolate_debug_hap input_isolate_debug_hap:netlink_route_socket { create bind }; + + #avc: denied { read } for pid=6797, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=0 + allow input_isolate_debug_hap hichecker_writable_param:file { read open map }; + + #avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/app/el2/100/base/com.example.myowninputmethod" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19088 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1 + allow input_isolate_debug_hap debug_hap_data_file:dir { search read open getattr rmdir create setattr write add_name remove_name rename }; + + allow input_isolate_debug_hap debug_hap_data_file:file { create read write open getattr setattr map append rename unlink lock ioctl }; + allowxperm input_isolate_debug_hap debug_hap_data_file:file ioctl { 0x5413 0xf50c 0xf546 }; + + #avc: denied { read } for pid=7200, comm="/system/bin/appspawn" path="/sys/devices/system/cpu/online" dev="" ino=336 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 + allow input_isolate_debug_hap sysfs_devices_system_cpu:file { read open getattr }; + + #avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/app/el1/bundle/public/com.example.myowninputmethod" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19085 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 + allow input_isolate_debug_hap data_app_el1_file:dir { search getattr map open read }; + #avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/entry.hap" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19124 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 + allow input_isolate_debug_hap data_app_el1_file:file { map read open getattr execute create setattr }; + + allow input_isolate_debug_hap data_app_el2_file:dir { add_name search read write create open remove_name setattr getattr }; + allow input_isolate_debug_hap data_app_file:dir { search }; + allow input_isolate_debug_hap data_service_el2_file:file { getattr create write read open unlink setattr }; + allow input_isolate_debug_hap faultloggerd:fifo_file write; + + allow input_isolate_debug_hap dev_ashmem_file:chr_file { open }; + + #avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/variant" dev="/dev/block/dm-2" ino=44306556 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=1 + allow input_isolate_debug_hap sys_prod_file:dir { search }; + #avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/sys_prod/etc/frame_aware_sched/hwrme.xml" dev="/dev/block/dm-2" ino=43782140 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=1 + allow input_isolate_debug_hap sys_prod_file:file { read open getattr }; + + #avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/service/el1/public/themes/100/a/app" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=7071 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 + allow input_isolate_debug_hap data_service_el1_file:dir { search read open }; + #avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/data/themes/a/app/flag" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=6959 scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 + allow input_isolate_debug_hap data_service_el1_file:file { getattr }; + + #avc: denied { call } for pid=7200, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=1 + allow input_isolate_debug_hap inputmethod_service:binder { call transfer }; + allow inputmethod_service input_isolate_debug_hap:binder { call transfer }; + allow inputmethod_service input_isolate_debug_hap:fd { use }; + + allow input_isolate_debug_hap system_usr_file:dir { search }; + + allow input_isolate_debug_hap ffrt_param:file { read open map }; + + allow input_isolate_debug_hap resource_schedule_service:binder { call }; + + allow input_isolate_debug_hap hiview:unix_dgram_socket { sendto }; + allow input_isolate_debug_hap hiview:binder { call }; + allow hiview input_isolate_debug_hap:binder { transfer }; + + allow input_isolate_debug_hap multimodalinput:unix_stream_socket { read write }; + + allow input_isolate_debug_hap normal_hap:binder { call transfer }; + allow normal_hap input_isolate_debug_hap:binder { call }; + + allow input_isolate_debug_hap foundation:binder { call transfer }; + allow foundation input_isolate_debug_hap:binder { call transfer }; + allow foundation input_isolate_debug_hap:fd { use }; + #avc: denied { read } for pid=1319, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=file permissive=1 + #avc: denied { getattr } for pid=1319, comm="/system/bin/sa_main" path="/proc/20252/status" dev="" ino=79645 scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=file permissive=1 + allow foundation input_isolate_debug_hap:file { read getattr open }; + #avc: denied { search } for pid=1319, comm="/system/bin/sa_main" name="/20252" dev="" ino=79644 scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=dir permissive=1 + allow foundation input_isolate_debug_hap:dir { search read }; + #avc: denied { sigkill } for pid=1319, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=process permissive=1 + allow foundation input_isolate_debug_hap:process { sigkill }; + + allow processdump input_isolate_debug_hap:file { write }; + allow processdump input_isolate_debug_hap:netlink_route_socket { read write }; + + allow input_isolate_debug_hap param_watcher:binder { call transfer }; + allow param_watcher input_isolate_debug_hap:binder { call }; + + allow input_isolate_debug_hap system_fonts_file:file { read open getattr map }; + allow input_isolate_debug_hap system_fonts_file:dir { search }; + + #avc: denied { call } for pid=22317, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 + allow input_isolate_debug_hap samgr:binder { call transfer }; + #avc: denied { transfer } for pid=611, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=binder permissive=1 + allow samgr input_isolate_debug_hap:binder { call transfer }; + + #avc: denied { read } for pid=31066, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1 + allow input_isolate_debug_hap render_service:unix_stream_socket { read }; + #avc: denied { call } for pid=31731, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 + #avc: denied { transfer } for pid=33917, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1 + allow input_isolate_debug_hap render_service:binder { call transfer }; + + allow input_isolate_debug_hap render_service:fd { use }; + allow render_service input_isolate_debug_hap:fd { use }; + allow render_service input_isolate_debug_hap:binder { call transfer }; + + #avc: denied { call } for pid=31731, comm="/system/bin/appspawn" scontext=u:r:input_isolate_debug_hap:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 + allow input_isolate_debug_hap system_basic_hap:binder { call }; + #avc: denied { call } for pid=32818, comm="/system/bin/appspawn" scontext=u:r:system_basic_hap:s0 tcontext=u:r:input_isolate_debug_hap:s0 tclass=binder permissive=1 + allow system_basic_hap input_isolate_debug_hap:binder { call }; + + allow input_isolate_debug_hap time_service:binder { call }; + + allow input_isolate_debug_hap sys_param:file { read open map }; + + allow input_isolate_debug_hap faultloggerd_temp_file:file { write }; + + allow input_isolate_debug_hap hiviewdfx_hiview_param:file { read open map }; + + allow input_isolate_debug_hap proc_meminfo_file:file { read open getattr }; + + allow input_isolate_debug_hap dev_ucollection:chr_file { read open ioctl }; + allowxperm input_isolate_debug_hap dev_ucollection:chr_file ioctl { 0x6 0x8 }; + + allow input_isolate_debug_hap hdf_devmgr:binder { call }; + allow hdf_devmgr input_isolate_debug_hap:binder { transfer }; + + allow input_isolate_debug_hap powermgr:binder { call }; + + allow input_isolate_debug_hap msdp_sa:binder { call }; + + allow hiperf input_isolate_debug_hap:lnk_file { read }; + allow input_isolate_debug_hap data_app_el2_file:file { read open getattr map }; + allow input_isolate_debug_hap hdf_allocator_service:hdf_devmgr_class { get }; + allow input_isolate_debug_hap sa_device_service_manager:samgr_class { get }; + allow input_isolate_debug_hap allocator_host:binder { call }; + allow input_isolate_debug_hap allocator_host:fd { use }; + + binder_call(input_isolate_debug_hap, multimodalinput); + binder_call(multimodalinput, input_isolate_debug_hap); + allow input_isolate_debug_hap dev_mali:chr_file { getattr ioctl map open read write }; + allowxperm input_isolate_debug_hap dev_mali:chr_file ioctl { + 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x8008 0x8009 0x800c 0x800d 0x800e 0x800f + 0x8010 0x8011 0x8012 0x8014 0x8015 0x8016 0x8017 0x8018 0x8019 0x801b 0x801d 0x801e 0x801f + 0x8020 0x8023 0x8024 0x8025 0x8026 0x8027 0x8028 0x8029 0x802a 0x802b 0x802c 0x802d 0x802e 0x802f + 0x8030 0x8031 0x8032 0x8033 0x8034 0x8035 0x8036 0x8037 0x8038 0x8039 0x803a 0x803b 0x803c 0x803e 0x803f }; +') diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b3e69e6fae92216f376940f73b9302279de6f027 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/input_isolate_hap.te @@ -0,0 +1,175 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# allow input_isolate_hap to get sa +allow input_isolate_hap sa_accessibleabilityms:samgr_class { get }; +allow input_isolate_hap sa_concurrent_task_service:samgr_class { get }; +allow input_isolate_hap sa_foundation_abilityms:samgr_class { get }; +allow input_isolate_hap sa_foundation_appms:samgr_class { get }; +allow input_isolate_hap sa_foundation_bms:samgr_class { get }; +allow input_isolate_hap sa_foundation_dms:samgr_class { get }; +allow input_isolate_hap sa_foundation_wms:samgr_class { get }; +allow input_isolate_hap sa_inputmethod_service:samgr_class { get }; +allow input_isolate_hap sa_multimodalinput_service:samgr_class { get }; +allow input_isolate_hap sa_param_watcher:samgr_class { get }; +allow input_isolate_hap sa_privacy_service:samgr_class { get }; +allow input_isolate_hap sa_render_service:samgr_class { get }; +allow input_isolate_hap sa_resource_schedule:samgr_class { get }; +#avc: denied { get } for service=3702 sid=u:r:input_isolate_hap:s0 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=0 +allow input_isolate_hap sa_time_service:samgr_class { get }; + +#avc: denied { write } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1 +allow input_isolate_hap appspawn:unix_dgram_socket { write connect }; +#avc: denied { use } for pid=6797, comm="/system/bin/appspawn" path="pipe:[1031]" dev="tmpfs" ino=1031 scontext=u:r:input_isolate_hap:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=0 +allow input_isolate_hap appspawn:fd { use }; +#avc: denied { write } for pid=7200, comm="/system/bin/appspawn" path="pipe:[1138]" dev="tmpfs" ino=1138 scontext=u:r:input_isolate_hap:s0 tcontext=u:r:appspawn:s0 tclass=fifo_file permissive=1 +allow input_isolate_hap appspawn:fifo_file { write }; +#avc: denied { dyntransition } for pid=5191, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:input_isolate_hap:s0 tclass=process permissive=0 +allow appspawn input_isolate_hap:process { dyntransition sigkill }; +#avc: denied { read } for pid=622, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:input_isolate_hap:s0 tclass=file permissive=0 +allow appspawn input_isolate_hap:file { read }; + +#avc: denied { call } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=1 +allow input_isolate_hap accessibility:binder { call transfer }; +#avc: denied { call } for pid=774, comm="/system/bin/sa_main" scontext=u:r:accessibility:s0 tcontext=u:r:input_isolate_hap:s0 tclass=binder permissive=0 +allow accessibility input_isolate_hap:binder { call }; + +#avc: denied { getopt } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:input_isolate_hap:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=13826, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:input_isolate_hap:s0 tclass=unix_dgram_socket permissive=1 +allow input_isolate_hap input_isolate_hap:unix_dgram_socket { getopt setopt }; +#avc: denied { create } for pid=4262, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:input_isolate_hap:s0 tclass=netlink_route_socket permissive=1 +allow input_isolate_hap input_isolate_hap:netlink_route_socket { create bind }; + +#avc: denied { read } for pid=6797, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=0 +allow input_isolate_hap hichecker_writable_param:file { read open map }; + +#avc: denied { read } for pid=7200, comm="/system/bin/appspawn" path="/sys/devices/system/cpu/online" dev="" ino=336 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow input_isolate_hap sysfs_devices_system_cpu:file { read open getattr }; + +#avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/app/el1/bundle/public/com.example.myowninputmethod" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19085 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow input_isolate_hap data_app_el1_file:dir { search getattr map open read }; +#avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/entry.hap" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19124 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow input_isolate_hap data_app_el1_file:file { map read open getattr execute create setattr }; + +allow input_isolate_hap data_app_el2_file:dir { add_name search read write create open remove_name setattr getattr }; +allow input_isolate_hap data_app_file:dir { search }; +allow input_isolate_debug_hap data_service_el2_file:file { getattr create write read open unlink setattr }; +allow input_isolate_hap faultloggerd:fifo_file write; + +allow input_isolate_hap dev_ashmem_file:chr_file { open }; + +#avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/variant" dev="/dev/block/dm-2" ino=44306556 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=1 +allow input_isolate_hap sys_prod_file:dir { search }; +#avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/sys_prod/etc/frame_aware_sched/hwrme.xml" dev="/dev/block/dm-2" ino=43782140 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=file permissive=1 +allow input_isolate_hap sys_prod_file:file { read open getattr }; + +#avc: denied { search } for pid=7200, comm="/system/bin/appspawn" name="/service/el1/public/themes/100/a/app" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=7071 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow input_isolate_hap data_service_el1_file:dir { search read open }; +#avc: denied { getattr } for pid=7200, comm="/system/bin/appspawn" path="/data/themes/a/app/flag" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=6959 scontext=u:r:input_isolate_hap:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow input_isolate_hap data_service_el1_file:file { getattr }; + +#avc: denied { call } for pid=7200, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=1 +allow input_isolate_hap inputmethod_service:binder { call transfer }; +allow inputmethod_service input_isolate_hap:binder { call transfer }; +allow inputmethod_service input_isolate_hap:fd { use }; + +allow input_isolate_hap system_usr_file:dir { search }; + +allow input_isolate_hap ffrt_param:file { read open map }; + +allow input_isolate_hap resource_schedule_service:binder { call }; + +allow input_isolate_hap hiview:unix_dgram_socket { sendto }; +allow input_isolate_hap hiview:binder { call }; +allow hiview input_isolate_hap:binder { transfer }; + +allow input_isolate_hap multimodalinput:unix_stream_socket { read write }; + +allow input_isolate_hap normal_hap:binder { call transfer }; +allow normal_hap input_isolate_hap:binder { call }; + +allow input_isolate_hap foundation:binder { call transfer }; +allow foundation input_isolate_hap:binder { call transfer }; +allow foundation input_isolate_hap:fd { use }; +#avc: denied { read } for pid=1319, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_hap:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1319, comm="/system/bin/sa_main" path="/proc/20252/status" dev="" ino=79645 scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_hap:s0 tclass=file permissive=1 +allow foundation input_isolate_hap:file { read getattr open }; +#avc: denied { search } for pid=1319, comm="/system/bin/sa_main" name="/20252" dev="" ino=79644 scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_hap:s0 tclass=dir permissive=1 +allow foundation input_isolate_hap:dir { search read }; +#avc: denied { sigkill } for pid=1319, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:input_isolate_hap:s0 tclass=process permissive=1 +allow foundation input_isolate_hap:process { sigkill }; + +allow processdump input_isolate_hap:file { write }; +allow processdump input_isolate_hap:netlink_route_socket { read write }; + +allow input_isolate_hap param_watcher:binder { call transfer }; +allow param_watcher input_isolate_hap:binder { call }; + +allow input_isolate_hap system_fonts_file:file { read open getattr map }; +allow input_isolate_hap system_fonts_file:dir { search }; + +#avc: denied { call } for pid=22317, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +allow input_isolate_hap samgr:binder { call transfer }; +#avc: denied { transfer } for pid=611, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:input_isolate_hap:s0 tclass=binder permissive=1 +allow samgr input_isolate_hap:binder { call transfer }; + +#avc: denied { read } for pid=31066, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1 +allow input_isolate_hap render_service:unix_stream_socket { read }; +#avc: denied { call } for pid=31731, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=33917, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1 +allow input_isolate_hap render_service:binder { call transfer }; + +allow input_isolate_hap render_service:fd { use }; +allow render_service input_isolate_hap:fd { use }; +allow render_service input_isolate_hap:binder { call transfer }; + +#avc: denied { call } for pid=31731, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow input_isolate_hap system_basic_hap:binder { call }; +#avc: denied { call } for pid=32818, comm="/system/bin/appspawn" scontext=u:r:system_basic_hap:s0 tcontext=u:r:input_isolate_hap:s0 tclass=binder permissive=1 +allow system_basic_hap input_isolate_hap:binder { call }; + +allow input_isolate_hap time_service:binder { call }; + +allow input_isolate_hap sys_param:file { read open map }; + +allow input_isolate_hap faultloggerd_temp_file:file { write }; + +allow input_isolate_hap hiviewdfx_hiview_param:file { read open map }; + +allow input_isolate_hap proc_meminfo_file:file { read open getattr }; + +allow input_isolate_hap dev_ucollection:chr_file { read open ioctl }; +allowxperm input_isolate_hap dev_ucollection:chr_file ioctl { 0x6 0x8 }; + +allow input_isolate_hap hdf_devmgr:binder { call }; +allow hdf_devmgr input_isolate_hap:binder { transfer }; + +allow input_isolate_hap powermgr:binder { call }; + +allow input_isolate_hap msdp_sa:binder { call }; + +allow hiperf input_isolate_hap:lnk_file { read }; +allow input_isolate_hap data_app_el2_file:file { read open getattr map }; +allow input_isolate_hap hdf_allocator_service:hdf_devmgr_class { get }; +allow input_isolate_hap sa_device_service_manager:samgr_class { get }; +allow input_isolate_hap allocator_host:binder { call }; +allow input_isolate_hap allocator_host:fd { use }; +binder_call(input_isolate_hap, multimodalinput); +binder_call(multimodalinput, input_isolate_hap); +allow input_isolate_hap dev_mali:chr_file { getattr ioctl map open read write }; +allowxperm input_isolate_hap dev_mali:chr_file ioctl { + 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x8008 0x8009 0x800c 0x800d 0x800e 0x800f + 0x8010 0x8011 0x8012 0x8014 0x8015 0x8016 0x8017 0x8018 0x8019 0x801b 0x801d 0x801e 0x801f + 0x8020 0x8023 0x8024 0x8025 0x8026 0x8027 0x8028 0x8029 0x802a 0x802b 0x802c 0x802d 0x802e 0x802f + 0x8030 0x8031 0x8032 0x8033 0x8034 0x8035 0x8036 0x8037 0x8038 0x8039 0x803a 0x803b 0x803c 0x803e 0x803f }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/inputmethod_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..811a2dcade9e07739b0ffe7a0d9d230a090a9ebe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/inputmethod_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type inputmethod_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/sehap_contexts b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3a7d9db91aee5a729fb710031257a72cd7ab9c55 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/sehap_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=normal extra=input_isolate domain=input_isolate_hap type=normal_hap_data_file +apl=normal debuggable=true extra=input_isolate domain=input_isolate_debug_hap type=normal_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/type.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..ed7a445dbb34cabe0156b2c41d737a2c926825cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type input_isolate_hap, domain; +type input_isolate_debug_hap, domain; +typeattribute input_isolate_hap input_isolate_attr; +typeattribute input_isolate_debug_hap input_isolate_attr; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/init.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..89ff613a43f88af5e27adc06a23be62856d82acb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init inputmethod_service:dir { search }; +allow init inputmethod_service:file { open read }; +allow init inputmethod_service:process { getattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_debug_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_debug_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..fe9cfd0540f5dd31137791673a6f2304a7d569f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_debug_hap.te @@ -0,0 +1,38 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow input_isolate_debug_hap su:unix_stream_socket { connectto }; +') + +developer_only(` + allow input_isolate_debug_hap normal_hap_data_file_attr:dir { rmdir create setattr getattr write add_name remove_name search open read rename }; + allow input_isolate_debug_hap normal_hap_data_file_attr:file { create read write open getattr setattr map append rename unlink lock ioctl }; + allowxperm input_isolate_debug_hap normal_hap_data_file_attr:file ioctl { 0x5413 0xf50c 0xf546 }; + + allow input_isolate_debug_hap concurrent_task_service:binder { call }; + + allow input_isolate_debug_hap ark_profile:file { read open map }; + + allow input_isolate_debug_hap data_local_arkprofile:dir { search }; + + allow input_isolate_debug_hap hisysevent_socket:sock_file { write }; + allow input_isolate_debug_hap hilog_input_socket:sock_file { write }; + + binder_call(input_isolate_debug_hap, hap_domain); + binder_call(hap_domain, input_isolate_debug_hap); + + allow input_isolate_debug_hap system_file:file { open read getattr }; + + allow input_isolate_debug_hap hdcd:unix_stream_socket { connectto }; +') diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..432d075c3005a0911cd1cb6c227fd2fe018f1e3f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/input_isolate_hap.te @@ -0,0 +1,35 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(input_isolate_hap, hap_domain); +binder_call(hap_domain, input_isolate_hap); +developer_only(` + binder_call(input_isolate_hap, debug_hap); + binder_call(debug_hap, input_isolate_hap); +') + +allow input_isolate_hap system_file:file { open read getattr }; + +allow input_isolate_hap normal_hap_data_file_attr:dir { rmdir create setattr getattr write add_name remove_name search open read rename }; +allow input_isolate_hap normal_hap_data_file_attr:file { create read write open getattr setattr map append rename unlink lock ioctl }; +allowxperm input_isolate_hap normal_hap_data_file_attr:file ioctl { 0x5413 0xf50c 0xf546 }; + +# avc: denied { call } for pid=59649, comm="/system/bin/appspawn" scontext=u:r:input_isolate_hap:s0 tcontext=u:r:concurrent_task_service:s0 tclass=binder permissive=1 +allow input_isolate_hap concurrent_task_service:binder { call }; + +allow input_isolate_hap ark_profile:file { read open map }; + +allow input_isolate_hap data_local_arkprofile:dir { search }; + +allow input_isolate_hap hisysevent_socket:sock_file { write }; +allow input_isolate_hap hilog_input_socket:sock_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..8eb03cf2d5b389387586781b9a1d43f230a452e9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/inputmethod_native/system/inputmethod_service.te @@ -0,0 +1,93 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow inputmethod_service vendor_lib_file:file { open read getattr }; +allow inputmethod_service sa_foundation_bms:samgr_class { get }; +allow inputmethod_service dev_unix_socket:dir { search }; +allow inputmethod_service dev_unix_socket:sock_file { write }; +allow inputmethod_service normal_hap_attr:binder { call }; +allow inputmethod_service system_basic_hap_attr:binder { call }; +allow inputmethod_service system_core_hap_attr:binder { call }; +allow inputmethod_service data_file:dir { search }; +allow inputmethod_service inputmethod_service:unix_dgram_socket { getopt setopt }; +allow inputmethod_service kernel:unix_stream_socket { connectto }; +allow inputmethod_service paramservice_socket:sock_file { write }; +allow inputmethod_service sa_subsys_ace_service:samgr_class { get }; +allow inputmethod_service pasteboard_service:binder { call transfer }; +allow inputmethod_service inputmethod_param:parameter_service { set }; +allow domain inputmethod_param:file { map open read }; +#avc: denied { get } for service=200 pid=475 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0 +#avc: denied { call } for pid=485 comm="IPC_1_1016" scontext=u:r:inputmethod_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=504 comm="IPC_1_928" scontext=u:r:accountmgr:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=0 +allow inputmethod_service sa_accountmgr:samgr_class { get }; +allow inputmethod_service accountmgr:binder { call }; +allow accountmgr inputmethod_service:binder { transfer }; +#avc: denied { signal } for pid=1549 comm="sh" scontext=u:r:sh:s0 tcontext=u:r:inputmethod_service:s0 tclass=process permissive=1 +#avc: denied { read write } for pid=1633 comm="sa_main" path="/dev/console" dev="tmpfs" ino=27 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 +#avc: denied { read } for pid=1633 comm="sa_main" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=1633 comm="inputmethod_ser" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { search } for pid=1633 comm="SaInit0" name="service" dev="mmcblk0p12" ino=7 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=1560 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1560 comm="inputmethod_ser" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { search } for pid=1626 comm="SaInit0" name="el1" dev="mmcblk0p12" ino=11 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { map } for pid=1576 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=1576 comm="inputmethod_ser" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { write } for pid=1553 comm="SaInit0" name="imf" dev="mmcblk0p12" ino=1014 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { add_name } for pid=1557 comm="SaInit0" name="ime_cfg" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { create } for pid=1555 comm="SaInit0" name="ime_cfg" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0 +#avc: denied { create } for pid=658 comm="SaInit3" name="ime_cfg.json" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { read } for pid=1607 comm="SaInit0" name="ime_cfg.json" dev="mmcblk0p12" ino=2292 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { write } for pid=634 comm="SaInit0" name="ime_cfg.json" dev="mmcblk0p12" ino=2310 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=621 comm="SaInit2" path="/data/service/el1/public/imf/ime_cfg/ime_cfg.json" dev="mmcblk0p12" ino=2310 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow inputmethod_service dev_console_file:chr_file { read write }; +allow inputmethod_service musl_param:file { read open map }; +allow inputmethod_service data_service_file:dir { search }; +allow inputmethod_service data_service_el1_file:dir { search write add_name create }; +allow inputmethod_service data_service_el1_file:file {create read write open }; +allow inputmethod_service data_service_el1_file:file { getattr }; +allow inputmethod_service sysfs_devices_system_cpu:file { open read getattr }; + +#avc: denied { search } for pid=528 comm="IPC_2_1183" name="app" dev="mmcblk0p12" ino=38 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0 +allow inputmethod_service data_app_file:dir { search }; +#avc: denied { search } for pid=504 comm="IPC_0_1025" name="el1" dev="mmcblk0p12" ino=39 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=0 +allow inputmethod_service data_app_el1_file:dir { search }; + +# add for TDD +debug_only(` + allow inputmethod_service sh:binder { call transfer }; +') + +# avc: denied { get } for service=4606 pid=1372 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=0 +allow inputmethod_service sa_foundation_wms:samgr_class { get }; + +# avc: denied { transfer } for pid=505 comm="WindowManagerSe" scontext=u:r:foundation:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=0 +allow foundation inputmethod_service:binder { transfer }; + +#avc: denied { get } for service=1301 pid=1216 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_distributeddate_service:s0 tclass=samgr_class permissive=0 +allow inputmethod_service sa_distributeddata_service:samgr_class { get }; + +# avc: denied { read } for pid=3271 comm="inputmethod_ser" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=84 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=1806 comm="inputmethod_ser" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=84 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +# avc: denied { call } for pid=3271 comm="SaInit0" scontext=u:r:inputmethod_service:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +# avc: denied { use } for pid=562 comm="OS_IPC_3_1292" path="/dev/ashmem" dev="tmpfs" ino=240 scontext=u:r:inputmethod_service:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=0 +allow inputmethod_service arkcompiler_param:file { read open map }; +allow inputmethod_service ark_writeable_param:file { read open map }; +allow inputmethod_service distributeddata:binder { call transfer }; +allow inputmethod_service distributeddata:fd { use }; +allow inputmethod_service sa_memory_manager_service:samgr_class { get }; +allow inputmethod_service memmgrservice:binder { call }; + +# avc: denied { get } for service=501 sid=u:r:inputmethod_service:s0 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow inputmethod_service sa_foundation_appms:samgr_class { get }; + +allow inputmethod_service sa_screenlock_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/public/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/public/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..da8d69103cea3fd2c501d1d18fa1d7d90a0a58af --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/public/pasteboard_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type pasteboard_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..108715ee776dbc7b2a1650f9f9ef388ac74edbb5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr pasteboard_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..92029a752f890d57d73dcbb223aeb69e8a53fe74 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/distributeddata.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata pasteboard_service:binder { call transfer }; +allow distributeddata pasteboard_service:dir { search }; +allow distributeddata pasteboard_service:file { open read getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/domain.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..0528d3ebfc83d2c749451c5aa49bc0c45d24ddda --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/domain.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow domain pasteboard_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..3096f80431094cc6b9f7cf4f3fca8b4e44933d2d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/normal_hap_attr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_pasteboard_service:samgr_class { get }; +allow normal_hap_attr pasteboard_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..8ff159db2cf9cda6af9ae8ec85826f38f70073e0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/pasteboard_service.te @@ -0,0 +1,108 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pasteboard_service system_core_hap_attr:binder { call transfer }; +allow pasteboard_service system_basic_hap_attr:binder { call transfer }; +allow pasteboard_service normal_hap_attr:binder { call transfer }; +allow pasteboard_service time_service:binder { call }; +allow pasteboard_service dev_unix_socket:dir { search }; +allow pasteboard_service foundation:binder { call transfer }; +allow pasteboard_service sa_foundation_bms:samgr_class { get }; +allow pasteboard_service accessibility_param:file { read open map }; +allow pasteboard_service system_usr_file:dir { search }; +allow pasteboard_service sa_foundation_wms:samgr_class { get }; +allow pasteboard_service sa_time_service:samgr_class { get }; + +allow pasteboard_service data_service_el1_file:dir { create open getattr add_name remove_name search write read rmdir }; +allow pasteboard_service data_service_el1_file:file { create getattr setattr ioctl unlink write open read lock map }; +allow pasteboard_service distributeddata:binder { call transfer }; +allow pasteboard_service sa_distributeddata_service:samgr_class { get }; +allow pasteboard_service sa_foundation_devicemanager_service:samgr_class { get }; +allow pasteboard_service sa_device_profile_service:samgr_class { get }; +allow pasteboard_service device_manager:binder { call transfer }; +allow pasteboard_service distributedsche:binder { call transfer }; +allow pasteboard_service system_usr_file:file { getattr read open map }; +allow pasteboard_service paramservice_socket:sock_file { write }; +allow pasteboard_service pasteboard_service:unix_dgram_socket { getopt setopt }; +allow pasteboard_service kernel:unix_stream_socket { connectto }; +allow pasteboard_service pasteboard_param:parameter_service { set }; + +allow pasteboard_service sa_inputmethod_service:samgr_class { get }; +allow pasteboard_service inputmethod_service:binder { call transfer }; +allow pasteboard_service hmdfs:file { read open write getattr }; +allow pasteboard_service data_service_el2_hmdfs:file { read open write getattr }; +allow pasteboard_service hmdfs:dir { search read open write add_name create remove_name ioctl rmdir }; +allow pasteboard_service data_service_el2_hmdfs:dir { search read open write add_name create remove_name rmdir }; +allow pasteboard_service normal_hap_data_file_attr:file { read getattr }; +allow pasteboard_service sa_accountmgr:samgr_class { get }; +allow pasteboard_service accountmgr:binder { call transfer }; +allow pasteboard_service foundation:binder { call transfer }; +allow pasteboard_service data_file:dir { search }; +allow pasteboard_service data_service_file:dir { search }; + +#avc: denied { get } for service=4607 pid=533 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_foundation_dms:samgr_class { get }; + +#avc: denied { get } for service=7001 pid=533 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_subsys_ace_service:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_subsys_ace_service:samgr_class { get }; + +#avc: denied { call } for pid=561 scontext=u:r:pasteboard_service:s0 tcontext=u:r:ui_service:s0 tclass=binder permissive=1 +allow pasteboard_service ui_service:binder { call transfer }; + +#avc: denied { use } for pid=555 comm="IPC_1_843" path="/dev/ashmem" dev="tmpfs" ino=166 scontext=u:r:sh:s0 tcontext=u:r:pasteboard_service:s0 tclass=fd permissive=1 +debug_only(` + allow pasteboard_service sh:fd { use }; + allow pasteboard_service sh:binder { call transfer }; +') + +#avc: denied { get } for service=180 pid=1811 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow pasteboard_service sa_foundation_abilityms:samgr_class { get }; + +#avc: denied { use } for pid=2176 comm="jsThread-1" path="/dev/ashmem" dev="tmpfs" ino=176 scontext=u:r:pasteboard_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1 +allow pasteboard_service system_core_hap_attr:fd { use }; + +allow pasteboard_service system_basic_hap_attr:fd { use }; + +#avc: denied { get } for service=183 pid=1599 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_uri_permission_mgr_service:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_uri_permission_mgr_service:samgr_class { get }; + +#avc: denied { get } for service=5201 pid=1972 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_filemanagement_distributed_file_daemon_service:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_filemanagement_distributed_file_daemon_service:samgr_class { get }; + +#avc: denied { get } for service=4700 pid=1972 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_softbus_service:samgr_class { get }; + +#avc: denied { getattr } for pid=2167 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +allow pasteboard_service data_user_file:file { getattr }; + +#avc: denied { call } for pid=2167 scontext=u:r:pasteboard_service:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1 +allow pasteboard_service distributedfiledaemon:binder { call }; + +#avc: denied { call } for pid=2167 scontext=u:r:pasteboard_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2167 scontext=u:r:pasteboard_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 +allow pasteboard_service softbus_server:binder { call transfer }; + +#avc: denied { search } for pid=2106 comm="IPC_0_2119" name="el2" dev="sdd91" ino=74 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=0 +allow pasteboard_service data_service_el2_file:dir { search }; + +#avc: denied { search } for pid=2175 comm="IPC_1_2216" name="app" dev="sdd91" ino=62 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0 +allow pasteboard_service data_app_file:dir { search }; + +#avc: denied { search } for pid=2175 comm="IPC_2_2479" name="el2" dev="sdd91" ino=67 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0 +allow pasteboard_service data_app_el2_file:dir { search }; + +#avc: denied { create } for pid=2147 comm="IPC_3_2709" name="t3.jpeg" scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=lnk_file permissive=0 +allow pasteboard_service data_service_el2_hmdfs:lnk_file { create }; + +#avc: denied { get } for service=3299 pid=2135 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow pasteboard_service sa_foundation_cesfwk_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e06faba3e07d5762073636ae5c5c7270e34fa1e8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_pasteboard_service:samgr_class { get }; +allow system_basic_hap_attr pasteboard_service:binder { call transfer }; +allow system_basic_hap_attr pasteboard_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b4be299c69203d8547007114efd5e64514626bb7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/system_core_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_pasteboard_service:samgr_class { get }; +allow system_core_hap_attr pasteboard_service:binder { call transfer }; + +#avc: denied { use } for pid=524 comm="pasteboard_serv" path="/dev/ashmem" dev="tmpfs" ino=176 scontext=u:r:system_core_hap:s0 tcontext=u:r:pasteboard_service:s0 tclass=fd permissive=1 +allow system_core_hap_attr pasteboard_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b791755c6f5dd83a960c630a398cfe0cd2730399 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/pasteboard_native/system/ui_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=640 scontext=u:r:ui_service:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=1 +allow ui_service pasteboard_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/public/screen_server.te b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/public/screen_server.te new file mode 100644 index 0000000000000000000000000000000000000000..711a16f862fcee668c550d2ee1cf193d5e1bd46f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/public/screen_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type screenlock_server, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..20408163596dce68d40565f973f11aa468036e96 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/hap_domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_screenlock_service:samgr_class { get }; +allow hap_domain screenlock_server:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/screen_server.te b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/screen_server.te new file mode 100644 index 0000000000000000000000000000000000000000..32956e128eeb863aaa1c6938cd92afdbbba32587 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/screen_server.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow screenlock_server dev_unix_socket:dir { search }; +allow screenlock_server system_core_hap_attr:binder { call transfer }; +allow screenlock_server system_basic_hap_attr:binder { call transfer }; +allow screenlock_server normal_hap_attr:binder { call transfer }; +allow screenlock_server system_usr_file:file { map }; +allow screenlock_server sa_foundation_abilityms:samgr_class { get }; +allow screenlock_server sa_useriam_useridm_service:samgr_class { get }; +allow screenlock_server sa_telephony_tel_core_service:samgr_class { get }; +allow screenlock_server sa_foundation_cesfwk_service:samgr_class { get }; +allow screenlock_server useriam:binder { call }; +allow screenlock_server useriam:binder { transfer }; +debug_only(` + allow screenlock_server sh:binder { call transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/useriam.te b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/useriam.te new file mode 100644 index 0000000000000000000000000000000000000000..5277ce962904aa87fee6f2e4301b49e119757f4e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/screenlock/system/useriam.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow useriam screenlock_server:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/time_native/public/time_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/public/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..788e1dcb2a139566ba5ceb55c93e466a7a399f7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/public/time_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type time_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c198dc2ad6d9dcdcdd00d1cb264c87ca091abb8c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_time_service:samgr_class { get }; +allow normal_hap_attr time_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..4a9a5d7cfa7d8d4ce6742507d3ee7d9af86a1d63 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_basic_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_time_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..611875ba2eeb90d8350d2515826466093d7e440c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_time_service:samgr_class { get }; +allow system_core_hap_attr time_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/time_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0e50cbca05e6600cd4cf261cd52df619f9de654b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/time_native/system/time_service.te @@ -0,0 +1,69 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow time_service sa_foundation_abilityms:samgr_class { get }; +allow time_service foundation:binder { call transfer }; +allow time_service accesstoken_service:binder { call }; +allow time_service time_service:capability { sys_time }; +allow time_service sa_accesstoken_manager_service:samgr_class { get }; +allow time_service sa_param_watcher:samgr_class { get }; +allow time_service dev_rtc_file:chr_file { ioctl open read write}; +allowxperm time_service dev_rtc_file:chr_file ioctl 0x700a; +allow time_service node:udp_socket { node_bind }; +allow time_service time_service:capability2 { wake_alarm }; +allow time_service time_service:udp_socket { bind connect create read setopt write}; +allow time_service time_service:tcp_socket { connect create getattr getopt read setopt write }; +allow time_service dev_unix_socket:dir { search }; +allow time_service normal_hap_attr:binder { call transfer }; +allow time_service system_core_hap_attr:binder { call transfer }; +allow time_service system_basic_hap_attr:binder { call transfer }; +allow time_service time_param:parameter_service { set }; +allow domain time_param:file { map open read }; +allow time_service kernel:unix_stream_socket { connectto }; +allow time_service paramservice_socket:sock_file { write }; +allow time_service sa_device_standby:samgr_class { get }; +binder_call(time_service, powermgr); +allow time_service sa_powermgr_powermgr_service:samgr_class { get }; +debug_only(` + allow time_service sh:binder { call }; + allow time_service su:binder { call transfer }; + allow time_service su:process { signal }; +') +#avc: denied { write } for pid=936 comm="IPC_5_2549" name="dnsproxyd" dev="tmpfs" ino=805 scontext=u:r:time_service:s0 tcontext=u:dev_unix_file:sock_file:s0 tclass=sock_file permissive=1 +allow time_service dev_unix_file:sock_file { write }; +allow time_service wifi_manager_service:binder { call transfer }; +allow time_service data_service_el1_file:file { ioctl lock }; +allowxperm time_service data_service_el1_file:file ioctl { 0xf50c 0xf546 0xf547 }; +allow time_service dev_ashmem_file:chr_file { open }; +allow time_service dev_kmsg_file:chr_file { write }; +allow time_service tty_device:chr_file { read write }; +allow time_service dev_console_file:chr_file { read write }; +allow time_service sysfs_devices_system_cpu:file { read }; +allow time_service data_service_el1_file:file { getattr }; +#avc: denied { setattr } for name="/service/el1/public/database/time/time.db" +allow time_service data_service_el1_file:file { setattr }; +allow time_service sysfs_devices_system_cpu:file { open }; +allow time_service data_service_el1_file:file { map }; +allow time_service sa_huks_service:samgr_class { get }; +allow bgtaskmgr_service sa_powermgr_powermgr_service:samgr_class { get }; +allow time_service sysfs_devices_system_cpu:file { getattr }; +allow time_service huks_service:binder { call }; +allow time_service data_service_el1_file:dir { read open }; +allow time_service hiviewdfx_hiview_param:file { read }; +allow time_service dev_bbox:chr_file { write }; +allow time_service data_service_el1_file:dir { remove_name unlink }; +allow time_service data_service_el1_file:file { unlink }; +allow time_service distributeddata:binder { call }; +allow time_service sa_memory_manager_service:samgr_class { get }; +allow time_service memmgrservice:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/public/wallpaper_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/public/wallpaper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2750eb8485dbb5de1b7160ca7b17947d9a3814e9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/public/wallpaper_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type wallpaper_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..b4b7f391f562630c43965551c48408daf93217a0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr wallpaper_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/foundation.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ab59c99fe4fe55bd92f5eb57efc6c1e79263792b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation wallpaper_service:dir { search }; +allow foundation wallpaper_service:binder { transfer }; +allow foundation wallpaper_service:file { read getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..b8d27be7aa6d126fe9d66909c4756390ee90b432 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hap_domain.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_wallpaper_manager_service:samgr_class { get }; +allow hap_domain wallpaper_service:binder { call transfer }; +allow hap_domain wallpaper_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..3c99bba0fbe03e4d15ec0432d0d1a2f82d3a0c5c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/hdf_devmgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr wallpaper_service:dir { search }; +allow hdf_devmgr wallpaper_service:file { read open }; +allow hdf_devmgr wallpaper_service:process { getattr }; +allow hdf_devmgr wallpaper_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/media_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ccaec4c40f7d2067f09159eb634585a49c5c4364 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/media_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service wallpaper_service:fd { use }; +allow media_service data_service_el1_file:file { read open getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/wallpaper_service.te b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/wallpaper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..4890f9032fe8d9d12cb46b9846b37818d197feac --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/miscservices/wallpaper_native/system/wallpaper_service.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wallpaper_service sa_foundation_dms:samgr_class { get }; +allow wallpaper_service sa_foundation_bms:samgr_class { get }; +allow wallpaper_service system_core_hap_attr:binder { call transfer }; +allow wallpaper_service system_basic_hap_attr:binder { call transfer }; +allow wallpaper_service normal_hap_attr:binder { call transfer }; +allow wallpaper_service data_service_el1_file:dir { getattr remove_name read create open rmdir }; +allow wallpaper_service data_service_el1_file:file { getattr unlink rename setattr map }; +allow wallpaper_service proc_cpuinfo_file:file { open read }; +allow wallpaper_service system_basic_hap_attr:fd { use }; +allow wallpaper_service system_core_hap_attr:fd { use }; +allow wallpaper_service normal_hap_attr:fd { use }; +allow wallpaper_service system_basic_hap_attr:fifo_file { read }; +allow wallpaper_service system_core_hap_attr:fifo_file { read }; +allow wallpaper_service normal_hap_attr:fifo_file { read }; +allow wallpaper_service sa_accountmgr:samgr_class { get }; +allow wallpaper_service accessibility_param:file { map open read }; +allow wallpaper_service accountmgr:binder { call }; +allow wallpaper_service ohos_dev_param:file { map open read }; +allow wallpaper_service tmpfs:chr_file { read write }; +allow wallpaper_service system_basic_hap_data_file_attr:file { read }; +allow wallpaper_service system_core_hap_data_file_attr:file { read }; +allow wallpaper_service normal_hap_data_file_attr:file { read }; +allow wallpaper_service data_file:file { read }; +allow wallpaper_service musl_param:file { read open map }; +allow wallpaper_service dev_file:dir { getattr }; +allow wallpaper_service sysfs_devices_system_cpu:file { getattr open read }; +allow wallpaper_service sa_foundation_wms:samgr_class { get }; +allow wallpaper_service dev_ashmem_file:chr_file { open }; +allow wallpaper_service sa_uri_permission_mgr_service:samgr_class { get }; +allow wallpaper_service sys_prod_file:dir { search open read }; +allow wallpaper_service sa_device_service_manager:samgr_class { get }; +allow wallpaper_service hdf_devmgr:binder { call }; +allow wallpaper_service hdf_allocator_service:hdf_devmgr_class { get }; +allow wallpaper_service hdf_codec_image_service:hdf_devmgr_class { get }; +allow wallpaper_service allocator_host:binder { call }; +allow wallpaper_service allocator_host:fd { use }; +allow wallpaper_service codec_host:binder { call }; +allow wallpaper_service sa_memory_manager_service:samgr_class { get }; +allow wallpaper_service memmgrservice:binder { call }; +debug_only(` + allow wallpaper_service sh:fd { use }; + allow wallpaper_service sh:fifo_file { read }; + allow wallpaper_service sh:binder { call }; + allow wallpaper_service dev_console_file:chr_file { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/msdp/common/system/file.te b/prebuilts/api/5.0/ohos_policy/msdp/common/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..ee4c9097d3394c807d01b42067e9d164d183b1b0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/common/system/file.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type msdp_data_file, file_attr, data_file_attr; +type vdevadm, native_system_domain, domain; +type vdevadm_exec, exec_attr, file_attr, system_file_attr; + +developer_only(` + allow vdevadm vdevadm_exec:file { read map execute entrypoint }; +') diff --git a/prebuilts/api/5.0/ohos_policy/msdp/common/system/file_contexts b/prebuilts/api/5.0/ohos_policy/msdp/common/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ad4f448d7139bdde3853f1fe565eca3aa4c875a0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/common/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/msdp(/.*)? u:object_r:msdp_data_file:s0 +/system/bin/vdevadm u:object_r:vdevadm_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/msdp/common/system/init.te b/prebuilts/api/5.0/ohos_policy/msdp/common/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..6e586c1afeff924c8d8371d4185051f475480df8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/common/system/init.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { relabelto } for pid=1 comm="init" name="msdp" dev="sdd78" ino=3059 scontext=u:r:init:s0 tcontext=u:object_r:msdp_data_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=1 comm="init" name="msdp" dev="sdd78" ino=3059 scontext=u:r:init:s0 tcontext=u:object_r:msdp_data_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/msdp" dev="sdd78" ino=3059 scontext=u:r:init:s0 tcontext=u:object_r:msdp_data_file:s0 tclass=dir permissive=1 +#avc: denied { setattr } for pid=1 comm="init" name="msdp" dev="sdd78" ino=3059 scontext=u:r:init:s0 tcontext=u:object_r:msdp_data_file:s0 tclass=dir permissive=1 +allow init msdp_data_file:dir { relabelto read open setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/.gitkeep b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/.gitkeep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..22ef77640138a4c11049bbd8e495c59bc127f1b9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/accessibility.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=335 comm="IPC_3_1374" scontext=u:r:accessibility:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=0 +allow accessibility msdp_sa:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/composer_host.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/composer_host.te new file mode 100644 index 0000000000000000000000000000000000000000..336663ae76e844ff39d5b7a322678909cd3f0357 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/composer_host.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { use } for pid=497 comm="render_service" path="anon_inode:sync_file" dev="anon_inodefs" ino=18258 scontext=u:r:composer_host:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=0 +allow composer_host msdp_sa:fd { use }; + diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..e7b31ac3107000a0163408df7f38a7ed637947bf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#acv: denied { transfer } for pid=1176 comm="distributeddata" scontext=u:r:distributeddata:s0 tcontext+u:r:msdp_sa:s0 tclass=binder permissive=1 +allow distributeddata msdp_sa:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributedsche.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..420b0759139aa07d4bda86a57b2aba65f011fcb0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/distributedsche.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=1216 comm="IPC_1_1702" scontext=u:r:distributedsche:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=1 +allow distributedsche msdp_sa:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/foundation.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..36def27ed623d883fb3aabccb789d8ecd5ab9f0d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=2902 pid=612 scontext=u:r:foundation:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=1 +allow foundation sa_msdp_devicestatus_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..dada817d4671f6e86fb4e580fc3d0e32a9ec42a5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/hidumper_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=2902 pid=557 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_msdp_devicestatus_service:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/init.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..281a4ba781cfc65fb90dca115fc22e4e50352339 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/msdp" dev="sdd78" ino=224 scontext=u:r:init:s0 tcontext=u:object_r:msdp_data_file:s0 tclass=dir permissive=0 +allow init msdp_data_file:dir { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/msdp_sa.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..6cb38d35433da2b5b959ef57210f26f35c8915e6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/msdp_sa.te @@ -0,0 +1,229 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { getopt } for pid=563 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=563 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_dgram_socket permissive=1 +allow msdp_sa msdp_sa:unix_dgram_socket { getopt setopt }; + +#avc: denied { search } for pid=538 comm="msdp" name="socket" dev="tmpfs" ino=40 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow msdp_sa dev_unix_socket:dir { search }; + +#avc: denied { call } for pid=543 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +debug_only(` + allow msdp_sa sh:binder { call }; +') + +#avc: denied { call } for pid=571 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow msdp_sa accesstoken_service:binder { call }; + +#avc: denied { add } for service=2902 pid=387 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_msdp_devicestatus_service:samgr_class { add }; + +#avc: denied { get } for service=3901 pid=387 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_param_watcher:samgr_class { get }; + +#avc: denied { call } for pid=435 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +allow msdp_sa normal_hap_attr:binder { call }; + +#avc: denied { search } for pid=431 comm="msdp" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow msdp_sa data_file:dir { search }; + +#avc: denied { call } for pid=429 comm="msdp" scontext=u:r:msdp_sa:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0 +allow msdp_sa system_core_hap_attr:binder { call }; + +#avc: denied { watch } for pid=453 comm="device_status_s" path="/dev/input" dev="tmpfs" ino=77 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=dir permissive=0 +#avc: denied { open } for pid=1729 comm="device_status_s" path="/dev/input" dev="tmpfs" ino=77 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=dir permissive=0 +#avc: denied { read } for pid=1765 comm="device_status_s" name="input" dev="tmpfs" ino=77 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=dir permissive=0 +#avc: denied { search } for pid=1737 comm="device_status_s" name="input" dev="tmpfs" ino=77 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=dir permissive=0 +#avc: denied { getattr } for pid=1741 comm="device_status_s" path="/dev/input" dev="tmpfs" ino=77 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=dir permissive=0 +allow msdp_sa dev_input_file:dir { watch open read search getattr }; + +#avc: denied { getattr } for pid=1741 comm="device_status_s" path="/dev/input/event3" dev="tmpfs" ino=107 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=chr_file permissive=0 +#avc: denied { read write } for pid=1897 comm="device_status_s" name="event7" dev="tmpfs" ino=328 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=1897 comm="device_status_s" path="/dev/input/event7" dev="tmpfs" ino=328 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=1748 comm="device_status_s" path="/dev/input/event7" dev="tmpfs" ino=328 ioctlcmd=0x4521 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_input_file:s0 tclass=chr_file permissive=0 +allow msdp_sa dev_input_file:chr_file { getattr read write open ioctl }; + +#avc: denied { getattr } for pid=1741 comm="device_status_s" path="/dev" dev="tmpfs" ino=1 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0 +allow msdp_sa dev_file:dir { getattr }; + +#avc: denied { search } for pid=1771 comm="device_status_s" name="etc" dev="mmcblk0p8" ino=17 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow msdp_sa vendor_etc_file:dir { search }; + +#avc: denied { call } for pid=457 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow msdp_sa multimodalinput:binder { call }; + +#avc: denied { use } for pid=257 comm="IPC_0_324" path="socket:[33166]" dev="sockfs" ino=33166 scontext=u:r:msdp_sa:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1 +allow msdp_sa multimodalinput:fd { use }; + +#avc: denied { read write } for pid=257 comm="IPC_0_324" path="socket:[33166]" dev="sockfs" ino=33166 scontext=u:r:msdp_sa:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow msdp_sa multimodalinput:unix_stream_socket { read write }; + +#avc: denied { map } for pid=482 comm="IPC_1_549" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=448 comm="IPC_1_490" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=477 comm="IPC_1_657" name="u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow msdp_sa musl_param:file { map open read }; + +#avc: denied { transfer } for pid=477 comm="IPC_1_657" scontext=u:r:msdp_sa:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow msdp_sa sensors:binder { transfer }; + +#avc: denied { get } for service=3101 pid=445 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_multimodalinput_service:samgr_class { get }; + +debug_only(` + allow msdp_sa data_file:file { getattr open read}; + #avc: denied { read write } for pid=1903 comm="sa_main" path="/dev/console" dev="tmpfs" ino=27 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 + allow msdp_sa dev_console_file:chr_file { read write }; + #avc: denied { use } for pid=1794 comm="InteractionMana" path="/dev/ashmem" dev="tmpfs" ino=197 scontext=u:r:msdp_sa:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0 + allow msdp_sa sh:fd { use }; +') + +#avc: denied { call } for pid=923 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=923 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1 +allow msdp_sa distributedsche:binder { call transfer }; + +#avc: denied { get } for service=4810 pid=892 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_distributed_hardware_input_sink_service:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_distributed_hardware_input_sink_service:samgr_class { get }; + +#avc: denied { get } for service=4809 pid=892 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_distributed_hardware_input_source_service:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_distributed_hardware_input_source_service:samgr_class { get }; + +#avc: denied { get } for service=4607 pid=923 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_foundation_dms:samgr_class { get }; + +#avc: denied { use } for pid=1210 comm="SoftBusConnect" path="socket:[18000]" dev="sockfs" ino=18000 scontext=u:r:msdp_sa:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1 +allow msdp_sa softbus_server:fd { use }; + +#avc: denied { read } for pid=923 comm="SoftBusConnect" laddr=192.168.43.17 lport=41775 faddr=192.168.43.46 fport=42169 scontext=u:r:msdp_sa:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { setopt } for pid=923 comm="device_status_s" laddr=192.168.43.17 lport=41775 faddr=192.168.43.46 fport=42169 scontext=u:r:msdp_sa:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { write } for pid=923 comm="device_status_s" laddr=192.168.43.17 lport=41775 faddr=192.168.43.46 fport=42169 scontext=u:r:msdp_sa:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1 +#avc: denied { shutdown } for pid=867 comm="EventRunner#41" laddr=192.168.43.46 lport=44711 faddr=192.168.43.17 fport=38953 scontext=u:r:msdp_sa:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=0 +allow msdp_sa softbus_server:tcp_socket { read setopt write shutdown }; + +#avc: denied { get } for service=6001 pid=932 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_device_profile_service:samgr_class { get }; + +#avc: denied { get } for service=401 pid=375 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=10 pid=397 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_render_service:samgr_class { get }; + +#avc: denied { get } for service=4606 pid=381 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_foundation_wms:samgr_class { get }; + +#avc: denied { get } for service=801 pid=363 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_accessibleabilityms:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_accessibleabilityms:samgr_class { get }; + +#avc: denied { get } for service=1901 pid=363 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_resource_schedule:samgr_class { get }; + +#avc: denied { call } for pid=379 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=429 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=0 +allow msdp_sa render_service:binder { call transfer }; + +#avc: denied { use } for pid=480 comm="IPC_3_1378" path="socket:[31810]" dev="sockfs" ino=31810 scontext=u:r:msdp_sa:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=0 +allow msdp_sa render_service:fd { use }; + +#avc: denied { transfer } for pid=391 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +allow msdp_sa foundation:binder { transfer }; + +#avc: denied { call } for pid=416 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=421 comm="device_status_s" scontext=u:r:msdp_sa:s0 tcontext=u:r:accessibility:s0 tclass=binder permissive=0 +allow msdp_sa accessibility:binder { call transfer }; + +#avc: denied { open } for pid=372 comm="device_status_s" path="/dev/ashmem" dev="tmpfs" ino=191 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow msdp_sa dev_ashmem_file:chr_file { open }; + +#avc: denied { getattr } for pid=404 comm="RSRenderThread" path="/dev/mali0" dev="tmpfs" ino=133 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=404 comm="RSRenderThread" path="/dev/mali0" dev="tmpfs" ino=133 ioctlcmd=0x8000 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +#avc: denied { map } for pid=404 comm="RSRenderThread" path="/dev/mali0" dev="tmpfs" ino=133 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=404 comm="RSRenderThread" path="/dev/mali0" dev="tmpfs" ino=133 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=372 comm="RSRenderThread" name="mali0" dev="tmpfs" ino=133 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=0 +allow msdp_sa dev_mali:chr_file { getattr ioctl map open read write }; +allowxperm msdp_sa dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800f 0x800e 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 }; + +#avc: denied { read write } for pid=453 comm="IPC_0_469" path="socket:[28935]" dev="sockfs" ino=28935 scontext=u:r:msdp_sa:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=0 +allow msdp_sa render_service:unix_stream_socket { read write }; +#avc: denied { search } for pid=404 comm="msdp" name="usr" dev="mmcblk0p7" ino=2921 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +allow msdp_sa system_usr_file:dir { search }; + +#avc: denied { getattr } for pid=404 comm="msdp" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p7" ino=2928 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=404 comm="msdp" name="supported_regions.xml" dev="mmcblk0p7" ino=2928 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=404 comm="msdp" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p7" ino=2928 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +allow msdp_sa system_usr_file:file { getattr read open }; + + +#avc: denied { getattr } for pid=1613 comm="msdp" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1672 comm="msdp" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +#avc: denied { read } for pid=1734 comm="msdp" name="online" dev="sysfs" ino=4917 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 +allow msdp_sa sysfs_devices_system_cpu:file { getattr open read }; + +#avc: denied { open } for pid=421 comm="RSRenderThread" path="/sys/devices/system/cpu" dev="sysfs" ino=4915 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=0 +#avc: denied { read } for pid=380 comm="RSRenderThread" name="cpu" dev="sysfs" ino=4915 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=0 +allow msdp_sa sysfs_devices_system_cpu:dir { open read }; + +#avc: denied { use } for pid=1172 comm="com.ohos.launch" path="/dev/ashmem" dev="tmpfs" ino=188 scontext=u:r:msdp_sa:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=1 +allow msdp_sa system_basic_hap_attr:fd { use }; + +allow msdp_sa sa_distributeddata_service:samgr_class { get }; + +#avc: denied { use } for pid=468 comm="IPC_0_499" path="/dmabuf:" dev="dmabuf" ino=32242 scontext=u:r:msdp_sa:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=0 +allow msdp_sa allocator_host:fd { use }; + +#avc: denied { getattr } for pid=433 comm="device_status_s" path="/system/fonts/HarmonyOS_Sans_Condensed_Medium_Italic.ttf" dev="mmcblk0p7" ino=1683 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=0 +#avc: denied { map } for pid=426 comm="device_status_s" path="/system/fonts/HarmonyOS_Sans_SC_Light.ttf" dev="mmcblk0p7" ino=1710 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=413 comm="device_status_s" path="/system/fonts/HarmonyOS_Sans_Digit.ttf" dev="mmcblk0p7" ino=1688 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=0 +#avc: denied { read } for pid=426 comm="device_status_s" name="HarmonyOS_Sans_SC_Thin.ttf" dev="mmcblk0p7" ino=1713 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=0 +allow msdp_sa system_fonts_file:file { getattr map open read }; + +#avc: denied { open } for pid=435 comm="device_status_s" path="/system/fonts" dev="mmcblk0p7" ino=1671 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=0 +#avc: denied { read } for pid=450 comm="device_status_s" name="fonts" dev="mmcblk0p7" ino=1671 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=0 +#avc: denied { search } for pid=424 comm="device_status_s" name="fonts" dev="mmcblk0p7" ino=1671 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=0 +allow msdp_sa system_fonts_file:dir { open read search }; + +#avc: denied { call } for pid=3255 comm="mmi_EventHdr" scontext=u:r:msdp_sa:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1 +allow msdp_sa distributeddata:binder { call }; + +#avc: denied { use } for pid=2822 comm="mos.filemanager" path="/dev/ashmem" dev="tmpfs" ino=480 scontext=u:r:msdp_sa:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=0 +allow msdp_sa system_core_hap_attr:fd { use }; + +#avc: denied { read } for pid=2361 comm="ClientEventHand" scontext=u:r:system_core_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_stream_socket permissive=1 +allow msdp_sa system_core_hap_attr:unix_stream_socket { read }; + +#avc: denied { use } for pid=4218 comm="awei.ohos.clock" path="/dev/ashmem" dev="tmpfs" ino=487 scontext=u:r:msdp_sa:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow msdp_sa normal_hap_attr:fd { use }; + +#avc: denied { transfer } for pid=858 comm="SoftBusConnect" scontext=u:r:msdp_sa:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow msdp_sa multimodalinput:binder { transfer }; + +#avc: denied { get } for service=3299 pid=470 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { get } for service=501 pid=762 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_foundation_appms:samgr_class { get }; + +allow msdp_sa sa_filemanagement_distributed_file_daemon_service:samgr_class { get }; +allow msdp_sa distributedfiledaemon:binder { call }; +allow msdp_sa inputmethod_service:binder { call transfer }; + +#avc: denied { get } for service=1912 pid=1070 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_concurrent_task_service:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_concurrent_task_service:samgr_class { get }; + +#avc: denied { call } for service=1912 pid=1024, comm="/system/bin/sa_main" scontext=u:r:msdp_sa:s0 tcontext=u:object_r:concurrent_task_service:s0 tclass=binder permissive=0 +allow msdp_sa concurrent_task_service:binder { call }; + +#avc: denied { get } for service=1123 sid=u:r:msdp_sa:s0 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_wifi_p2p_ability:s0 tclass=samgr_class permissive=0 +allow msdp_sa sa_wifi_p2p_ability:samgr_class { get }; + +allow msdp_sa wifi_manager_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..e5fa3cbba042c084a1af68f3f3421146520de225 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/multimodalinput.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=636 comm="IPC_2_1920" scontext=u:r:multimodalinput:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=1 +allow multimodalinput msdp_sa:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0a373aa33e86bfd4860b21ac1d754bc099349bae --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/normal_hap.te @@ -0,0 +1,24 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=2902 pid=2408 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_msdp_devicestatus_service:samgr_class { get }; + +#avc: denied { call transfer } for pid=1627 comm="jsThread-1" scontext=u:r:normal_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=0 +allow normal_hap_attr msdp_sa:binder { call transfer }; + +#avc: denied { use } for pid=4029 comm="msdp" path="socket:[49931]" dev="sockfs" ino=49931 scontext=u:r:normal_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=1 +allow normal_hap_attr msdp_sa:fd { use }; + +#avc: denied { read write } for pid=4029 comm="msdp" path="socket:[49931]" dev="sockfs" ino=49931 scontext=u:r:normal_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_stream_socket permissive=1 +allow normal_hap_attr msdp_sa:unix_stream_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/render_service.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..25be6959d7177661689ec68b72e3e5b0be2af297 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/render_service.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=507 comm="IPC_2_1373" scontext=u:r:render_service:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=506 comm="IPC_0_537" scontext=u:r:render_service:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=0 +allow render_service msdp_sa:binder { call transfer }; + +#avc: denied { use } for pid=420 comm="RSRenderThread" path="anon_inode:sync_file" dev="anon_inodefs" ino=17214 scontext=u:r:render_service:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=0 +allow render_service msdp_sa:fd { use }; + diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/sensors.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..dae1009c3accb6fc1724e03443f4378a77100a2d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/sensors.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { use } for pid=477 comm="IPC_1_657" path="socket:[32300]" dev="sockfs" ino=32300 scontext=u:r:sensors:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=0 +allow sensors msdp_sa:fd { use }; + +#avc: denied { read write } for pid=477 comm="IPC_1_657" path="socket:[31654]" dev="sockfs" ino=31654 scontext=u:r:sensors:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_stream_socket permissive=1 +allow sensors msdp_sa:unix_stream_socket { read write }; + +#avc: denied { call } for pid=629 comm="IPC_1_737" scontext=u:r:sensors:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=1 +allow sensors msdp_sa:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..04976e97fd7e0ced7a10255289526529e3e35525 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_basic_hap.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read write } for pid=923 comm="IPC_1_1099" path="socket:[36387]" dev="sockfs" ino=36387 scontext=u:r:system_basic_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_stream_socket permissive=1 +allow system_basic_hap_attr msdp_sa:unix_stream_socket { read write }; + +#avc: denied { call } for pid=3251 comm="com.example.din" scontext=u:r:system_basic_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=1 +allow system_basic_hap_attr msdp_sa:binder { call }; + +#avc: denied { use } for pid=943 comm="IPC_1_1099" path="socket:[35980]" dev="sockfs" ino=35980 scontext=u:r:system_basic_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=1 +allow system_basic_hap_attr msdp_sa:fd { use }; + +#avc: denied { get } for service=2902 pid=3511 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_msdp_devicestatus_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6e07c6bf3e01a6debc89f893b92583b32652dee0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/msdp/devicestatus/system/system_core_hap.te @@ -0,0 +1,24 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=2902 pid=2145 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_msdp_devicestatus_service:s0 tclass=samgr_class permissive=0 +allow system_core_hap_attr sa_msdp_devicestatus_service:samgr_class { get }; + +#avc: denied { call transfer } for pid=1636 comm="jsThread-1" scontext=u:r:system_core_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=binder permissive=0 +allow system_core_hap_attr msdp_sa:binder { call transfer}; + +#avc: denied { use } for pid=851 comm="msdp" path="socket:[41650]" dev="sockfs" ino=41650 scontext=u:r:system_core_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=fd permissive=0 +allow system_core_hap_attr msdp_sa:fd { use }; + +#avc: denied { read write } for pid=845 comm="msdp" path="socket:[39318]" dev="sockfs" ino=39318 scontext=u:r:system_core_hap:s0 tcontext=u:r:msdp_sa:s0 tclass=unix_stream_socket permissive=1 +allow system_core_hap_attr msdp_sa:unix_stream_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/public/type.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..bb260e19fdec082d86d6a076cfe57303e95e1c98 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/public/type.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_data_pulse_dir, file_attr, data_file_attr; + +type audio_server, sadomain, domain; +type audio_server_exec, exec_attr, file_attr, system_file_attr; + +type hdf_audio_hdi_service, hdf_service_attr; +type hdf_audio_hdi_usb_service, hdf_service_attr; +type hdf_audio_hdi_a2dp_service, hdf_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..81a399a527c233021877235db4a8cd988649f4a5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/audio_server.te @@ -0,0 +1,198 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(audio_server); + +debug_only(` + binder_call(audio_server, sh); +') + +# core func + +allow audio_server sa_audio_policy_service:samgr_class { add get }; + +allow audio_server sa_pulseaudio_audio_service:samgr_class { get add }; + +binder_call(audio_server, audio_server); + +allow audio_server dev_unix_socket:dir { search }; +allow audio_server dev_unix_socket:sock_file { write }; + +allow audio_server native_socket:sock_file { write }; + +allow audio_server init:unix_stream_socket { accept connectto getattr getopt listen setopt }; + +allow audio_server kernel:unix_stream_socket { connectto }; + +allow audio_server audio_server:unix_dgram_socket { getopt setopt }; + +allow audio_server audio_server:netlink_kobject_uevent_socket { getattr read bind create setopt }; + +# dir or file access + +allow audio_server data_data_pulse_dir:dir { add_name getattr open read remove_name search setattr write }; +allow audio_server data_data_pulse_dir:fifo_file { create getattr open read write setattr unlink }; +allow audio_server data_data_pulse_dir:file { create getattr ioctl read write open lock setattr unlink }; +allow audio_server data_data_pulse_dir:sock_file { create setattr unlink write }; +allowxperm audio_server data_data_pulse_dir:file ioctl { 0x5413 }; + +allow audio_server system_bin_file:dir { getattr search }; + +allow audio_server data_log:file { write }; + +allow audio_server hiview:fd { use }; + +allow audio_server data_file:dir { search }; + +allow audio_server data_data_file:dir { search }; + +allow audio_server data_init_agent:dir { search }; +allow audio_server data_init_agent:file { ioctl open read append }; +allowxperm audio_server data_init_agent:file ioctl { 0x5413 }; + +allow audio_server data_service_file:dir { search }; +allow audio_server data_service_el1_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow audio_server data_service_el1_file:file { create getattr ioctl lock map open read rename setattr unlink write }; + +allow audio_server vendor_file:file { execute getattr map open read }; + +allow audio_server vendor_bin_file:dir { search }; + +allow audio_server vendor_etc_file:dir { search }; +allow audio_server vendor_etc_file:file { getattr read open }; + +allow audio_server vendor_lib_file:file { read open getattr map execute }; +allow audio_server vendor_lib_file:dir { search }; + +allow audio_server musl_param:file { open map read }; + +allow audio_server dev_ashmem_file:chr_file { open }; + +allow audio_server rootfs:chr_file { ioctl read write }; +allowxperm audio_server rootfs:chr_file ioctl { 0x5413 }; + +# /dev/input/ +allow audio_server dev_input_file:dir { search }; +allow audio_server dev_input_file:chr_file { read open }; + +# /dev/bus/ +allow audio_server dev_bus:dir { search }; +allow audio_server dev_bus_usb_file:dir { open read search }; +allow audio_server dev_bus_usb_file:chr_file { getattr read open }; + +# /sys/class/switch/ +allow audio_server sysfs_switch:file { open read getattr }; + +# for application call + +binder_call(audio_server, normal_hap_attr); + +binder_call(audio_server, system_core_hap_attr); + +binder_call(audio_server, system_basic_hap_attr); + +# for audio hdf + +allow audio_server hdf_audio_hdi_service:hdf_devmgr_class { get }; + +allow audio_server hdf_audio_hdi_usb_service:hdf_devmgr_class { get }; + +allow audio_server hdf_audio_hdi_a2dp_service:hdf_devmgr_class { get }; + +allow audio_server hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { get }; + +allow audio_server hdf_audio_manager_service:hdf_devmgr_class { get }; + +allow audio_server hdf_effect_model_service:hdf_devmgr_class { get }; + +binder_call(audio_server, audio_host); + +binder_call(audio_server, a2dp_host); + +binder_call(audio_server, hdf_devmgr); + +# interact with others + +binder_call(audio_server, media_service); + +allow audio_server sa_media_monitor:samgr_class { get }; +binder_call(audio_server, media_monitor); + +binder_call(audio_server, bluetooth_service); + +binder_call(audio_server, intell_voice_service); + +allow audio_server sa_distributeddata_service:samgr_class { get }; +binder_call(audio_server, distributeddata); + +binder_call(audio_server, hdcd); + +allow audio_server hidumper_service:fifo_file { write }; +binder_call(audio_server, hidumper_service); + +allow audio_server multimodalinput:unix_stream_socket { read write }; +allow audio_server sa_multimodalinput_service:samgr_class { get }; +binder_call(audio_server, multimodalinput); + +allow audio_server sa_param_watcher:samgr_class { get }; +binder_call(audio_server, param_watcher); + +allow audio_server sa_accesstoken_manager_service:samgr_class { get }; + +allow audio_server sa_powermgr_powermgr_service:samgr_class { get }; +binder_call(audio_server, powermgr); + +allow audio_server sa_device_service_manager:samgr_class { get }; + +binder_call(audio_server, accesstoken_service); + +allow audio_server accessibility_param:file { map open read }; +allow audio_server sa_accessibleabilityms:samgr_class { get }; +binder_call(audio_server, accessibility); + +allow audio_server sa_privacy_service:samgr_class { get }; +binder_call(audio_server, privacy_service); + +allow audio_server persist_audio_param:parameter_service { set }; +allow audio_server persist_param:parameter_service { set }; + +allow audio_server paramservice_socket:sock_file { write }; + +allow audio_server sa_foundation_devicemanager_service:samgr_class { get }; + +binder_call(audio_server, foundation); + +allow audio_server sa_foundation_abilityms:samgr_class { get }; + +allow audio_server sa_foundation_bms:samgr_class { get }; + +allow audio_server sa_foundation_dms:samgr_class { get }; + +allow audio_server sa_dataobs_mgr_service_service:samgr_class { get }; + +binder_call(audio_server, device_manager); + +allow audio_server sa_resource_schedule:samgr_class { get }; + +allow audio_server sa_sensor_service:samgr_class { get }; +binder_call(audio_server, sensors); + +allow audio_server sa_accountmgr:samgr_class { get }; +binder_call(audio_server, accountmgr); + +binder_call(audio_server, camera_service); + +allow audio_server sa_foundation_cesfwk_service:samgr_class { get }; + +# others +allow domain persist_audio_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/bluetooth_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/bluetooth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9e264c9005cfb778c1fd56aedb7f0748bb9a379b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/bluetooth_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(bluetooth_service, audio_server); diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..091392d43f75c89bd654ef25c977c9fb42ae99d4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/device_manager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow device_manager audio_server:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..28dc12c68e4eb59c7714561fa75e62f04b87b846 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/distributeddata.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(distributeddata, audio_server); diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/file_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d5bfdece7c1e86315d288d4ac4a7c4012bc0af0a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/data/.pulse_dir(/.*)? u:object_r:data_data_pulse_dir:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..0f1de5396cfcb1b282717013f2574ddba5807aef --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(foundation, audio_server); diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..9b8135d5a01eba060101139790ee515177799d60 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hdf_devmgr.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=229 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow hdf_devmgr audio_server:binder { call transfer }; + +#avc: denied { search } for pid=229 comm="hdf_devmgr" name="281" dev="proc" ino=15987 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:audio_server:s0 tclass=dir permissive=1 +allow hdf_devmgr audio_server:dir { search }; + +#avc: denied { open } for pid=229 comm="hdf_devmgr" path="/proc/281/attr/current" dev="proc" ino=23633 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +#avc: denied { read } for pid=229 comm="hdf_devmgr" name="current" dev="proc" ino=23633 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +allow hdf_devmgr audio_server:file { open read }; + +#avc: denied { getattr } for pid=229 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:audio_server:s0 tclass=process permissive=1 +allow hdf_devmgr audio_server:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..371d0fde57720064b7b9f0dc6b070e3055416a37 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/hidumper_service.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=407 comm="hidumper_servic" scontext=u:r:hidumper_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow hidumper_service audio_server:binder { call }; + +#avc: denied { search } for pid=384 comm="HiDumperManager" name="352" dev="proc" ino=16857 scontext=u:r:hidumper_service:s0 tcontext=u:r:audio_server:s0 tclass=dir permissive=1 +allow hidumper_service audio_server:dir { search }; + +#avc: denied { open } for pid=384 comm="HiDumperManager" path="/proc/352/stat" dev="proc" ino=25762 scontext=u:r:hidumper_service:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +#avc: denied { read } for pid=384 comm="HiDumperManager" scontext=u:r:hidumper_service:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +allow hidumper_service audio_server:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/init.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..60f3c726d85f4f7722df7ae1e67b17a0d2024e64 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/init.te @@ -0,0 +1,34 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { rlimitinh } for pid=355 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:audio_server:s0 tclass=process permissive=1 +#avc: denied { siginh } for pid=355 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:audio_server:s0 tclass=process permissive=1 +#avc: denied { transition } for pid=355 comm="init" path="/system/bin/sa_main" dev="mmcblk0p5" ino=336 scontext=u:r:init:s0 tcontext=u:r:audio_server:s0 tclass=process permissive=1 +allow init audio_server:process { rlimitinh siginh transition }; + +#avc: denied { relabelfrom } for pid=1 comm="init" name=".pulse_dir" dev="mmcblk0p11" ino=783368 scontext=u:r:init:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 +allow init data_data_file:dir { relabelfrom }; + +#avc: denied { add_name } for pid=1 comm="init" name="runtime" scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { create } for pid=1 comm="init" name="runtime" scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=1 comm="init" path="/data/data/.pulse_dir" dev="mmcblk0p11" ino=522246 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=1 comm="init" path="/data/data/.pulse_dir" dev="mmcblk0p11" ino=783368 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=1 comm="init" name=".pulse_dir" dev="mmcblk0p11" ino=783368 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { relabelto } for pid=1 comm="init" name=".pulse_dir" dev="mmcblk0p11" ino=783368 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=1 comm="init" name="pid" dev="mmcblk0p11" ino=522249 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=1 comm="init" name=".pulse_dir" dev="mmcblk0p11" ino=522246 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { setattr } for pid=1 comm="init" name=".pulse_dir" dev="mmcblk0p11" ino=522246 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1# +#avc: denied { write } for pid=1 comm="init" name="runtime" dev="mmcblk0p11" ino=522247 scontext=u:r:init:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +allow init data_data_pulse_dir:dir { add_name create getattr open read relabelto remove_name search setattr write }; + +allow init native_socket:sock_file { unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/intell_voice_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/intell_voice_service.te new file mode 100644 index 0000000000000000000000000000000000000000..768b5995730be33c285c0df58fc36ef8efadc88e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/intell_voice_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow intell_voice_service audio_server:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/media_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1b2d08c480e97b40feaa74e1bdd5190dee6ceb4c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/media_service.te @@ -0,0 +1,42 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=434 comm="wavparse0:sink" scontext=u:r:media_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=434 comm="aqueue:src" scontext=u:r:media_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow media_service audio_server:binder { call transfer }; + +#avc: denied { getattr } for pid=431 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p11" ino=522248 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=431 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p11" ino=522248 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=431 comm="threaded-ml" name="state" dev="mmcblk0p11" ino=522248 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=431 comm="threaded-ml" name=".pulse_dir" dev="mmcblk0p11" ino=522246 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1 +allow media_service data_data_pulse_dir:dir { getattr open read search }; + +#avc: denied { lock } for pid=431 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p11" ino=522251 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1 +#avc: denied { open } for pid=431 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p11" ino=522251 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1 +#avc: denied { read write } for pid=431 comm="threaded-ml" name="cookie" dev="mmcblk0p11" ino=522251 scontext=u:r:media_service:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1 +allow media_service data_data_pulse_dir:file { lock open read write }; + +#avc: denied { get } for service=3009 pid=512 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1 +allow media_service sa_audio_policy_service:samgr_class { get }; + +#avc: denied { get } for service=3001 pid=512 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=1 +allow media_service sa_pulseaudio_audio_service:samgr_class { get }; + +#avc: denied { call } for pid=501 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=466 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow media_service dcamera:binder { call transfer }; + +allow media_service audio_server:fd { use }; + +#avc denied { get } for service=1901 pid=1427 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0 +allow media_service sa_resource_schedule:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..4754256e098de94349a0e77da4469f1c0adac292 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/memmgrservice.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=272 comm="memmgrservice" name="323" dev="proc" ino=2941 scontext=u:r:memmgrservice:s0 tcontext=u:r:audio_server:s0 tclass=dir permissive=1 +allow memmgrservice audio_server:dir { search }; + +#avc: denied { open } for pid=272 comm="memmgrservice" path="/proc/323/status" dev="proc" ino=16166 scontext=u:r:memmgrservice:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +#avc: denied { read } for pid=272 comm="memmgrservice" scontext=u:r:memmgrservice:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +allow memmgrservice audio_server:file { open read getattr }; +allow memmgrservice audio_host:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7fb3297c0d74baf44440388d7b95aa1c5f49a53b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/normal_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(normal_hap_attr, audio_server); + +allow normal_hap_attr sa_pulseaudio_audio_service:samgr_class { get }; + +allow normal_hap_attr sa_audio_policy_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..1c544dfac43bfc46a80cb19b22f1e40685fa5c28 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/param_watcher.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=239 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow param_watcher audio_server:binder { call }; + +allow param_watcher accessibility_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/samgr.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..5c7b978cb75c52824759944e2a8840de96dbcfb2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/samgr.te @@ -0,0 +1,26 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=242 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=234 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow samgr audio_server:binder { call transfer }; + +#avc: denied { search } for pid=243 comm="samgr" name="371" dev="proc" ino=16359 scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=dir permissive=1 +allow samgr audio_server:dir { search }; + +#avc: denied { open } for pid=243 comm="samgr" path="/proc/371/attr/current" dev="proc" ino=24521 scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +#avc: denied { read } for pid=243 comm="samgr" name="current" dev="proc" ino=24521 scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=file permissive=1 +allow samgr audio_server:file { open read }; + +#avc: denied { getattr } for pid=243 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:audio_server:s0 tclass=process permissive=1 +allow samgr audio_server:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..512ec8ba5d6961cc86d249cfb5bc56e5047d311c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(system_basic_hap_attr, audio_server); + +allow system_basic_hap_attr sa_audio_policy_service:samgr_class { get }; + +allow system_basic_hap_attr sa_pulseaudio_audio_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9d8f97bfa2c9d03bd08ddc866c10fc2ec0c08a32 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/audio/system/system_core_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(system_core_hap_attr, audio_server); + +allow system_core_hap_attr sa_audio_policy_service:samgr_class { get }; + +allow system_core_hap_attr sa_pulseaudio_audio_service:samgr_class { get }; + +allow system_core_hap_attr system_core_hap_data_file_attr:file { append }; + +allow system_core_hap sa_dhardware_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/av_codec_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/av_codec_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fa1724bde7411fcce1e6267589fb61128b2ac9f1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/av_codec_service.te @@ -0,0 +1,142 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type av_codec_service, sadomain, domain; +type sa_av_codec_service, sa_service_attr; + +debug_only(` + allow av_codec_service sh:binder { call transfer }; + allow av_codec_service sh:fd { use }; +') + +allow av_codec_service av_codec_service:unix_dgram_socket { getopt setopt }; +allow av_codec_service data_file:file { read getattr }; +allow av_codec_service dev_ashmem_file:chr_file { open }; +allow av_codec_service param_watcher:binder { call transfer }; +allow av_codec_service system_bin_file:dir { search }; +allow av_codec_service system_lib_file:dir { open read }; +allow av_codec_service tracefs:dir { search }; +allow av_codec_service tracefs_trace_marker_file:file { open write }; +allow av_codec_service sa_param_watcher:samgr_class { get }; +allow av_codec_service allocator_host:binder { call }; +allow av_codec_service allocator_host:fd { use }; +allow av_codec_service dev_dri_file:chr_file { ioctl open read write }; +allow av_codec_service dev_dri_file:dir { search }; +allow av_codec_service hdf_allocator_service:hdf_devmgr_class { get }; +allow av_codec_service hdf_devmgr:binder { call }; +allow av_codec_service sa_device_service_manager:samgr_class { get }; +allow av_codec_service data_test_media_file:file { write read getattr }; +allow av_codec_service system_core_hap_attr:fd { use }; +allow av_codec_service system_basic_hap_attr:fd { use }; +allow av_codec_service system_basic_hap_attr:binder { transfer call }; +allow av_codec_service system_basic_hap_data_file_attr:file { getattr read write }; +allow av_codec_service normal_hap_data_file_attr:file { read getattr }; +allow av_codec_service normal_hap_data_file:file { write }; +allow av_codec_service sa_av_codec_service:samgr_class { add get_remote }; +allow av_codec_service debug_param:file { map open read }; +allow av_codec_service dev_console_file:chr_file { read write }; +allow av_codec_service dev_file:dir { getattr }; +allow av_codec_service dev_unix_socket:dir { search }; +allow av_codec_service hilog_param:file { map open read }; +allow av_codec_service musl_param:file { map open read }; +allow av_codec_service sysfs_devices_system_cpu:file { getattr open read }; +allow av_codec_service sa_memory_manager_service:samgr_class { get }; +allow av_codec_service memmgrservice:binder { call }; + +# avc: denied { call } for pid=564 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 +allow av_codec_service render_service:binder { call }; + +# avc: denied { connect } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { create } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { getattr } for pid=546 comm="av_codec_servic" laddr=192.168.20.74 lport=53692 faddr=183.134.45.132 fport=443 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { getopt } for pid=546 comm="av_codec_servic" laddr=192.168.20.74 lport=53692 faddr=183.134.45.132 fport=443 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { read } for pid=546 comm="av_codec_servic" path="socket:" dev="sockfs" ino=30257 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { setopt } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { write } for pid=546 comm="av_codec_servic" path="socket:" dev="sockfs" ino=30257 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=tcp_socket permissive=1 +allow av_codec_service av_codec_service:tcp_socket { connect create getattr getopt read setopt write }; + +# avc: denied { bind } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=udp_socket permissive=1 +# avc: denied { create } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=udp_socket permissive=1 +# avc: denied { read } for pid=546 comm="av_codec_servic" lport=53204 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=udp_socket permissive=1 +# avc: denied { write } for pid=546 comm="av_codec_servic" lport=53204 scontext=u:r:av_codec_service:s0 tcontext=u:r:av_codec_service:s0 tclass=udp_socket permissive=1 +allow av_codec_service av_codec_service:udp_socket { bind create read write }; + +# avc: denied { connectto } for pid=546 comm="av_codec_servic" path="/dev/unix/socket/dnsproxyd" scontext=u:r:av_codec_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1 +allow av_codec_service netsysnative:unix_stream_socket { connectto }; + +# avc: denied { node_bind } for pid=546 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow av_codec_service node:udp_socket { node_bind }; + +# avc: denied { name_connect } for pid=546 comm="av_codec_servic" dest=443 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1 +allow av_codec_service port:tcp_socket { name_connect }; + +# avc: denied { getattr } for pid=548 comm="omx_msg_hdl" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=548 comm="omx_msg_hdl" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=548 comm="omx_msg_hdl" name="version" dev="proc" ino=4026532114 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +allow av_codec_service proc_version_file:file { getattr open read }; + +# avc: denied { open } for pid=548 comm="omx_msg_hdl" path="/sys/firmware/devicetree/base/compatible" dev="sysfs" ino=15 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=548 comm="omx_msg_hdl" name="compatible" dev="sysfs" ino=15 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow av_codec_service sys_file:file { open read }; + +# avc: denied { map } for pid=577 comm="IPC_2_1400" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=60 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=577 comm="IPC_2_1400" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="tmpfs" ino=60 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=577 comm="IPC_2_1400" name="u:object_r:sys_param:s0" dev="tmpfs" ino=60 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +allow av_codec_service sys_param:file { map open read }; + +# avc: denied { search } for pid=548 comm="av_codec_servic" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow av_codec_service vendor_etc_file:dir { search }; + +# avc: denied { getattr } for pid=548 comm="av_codec_servic" path="/vendor/etc/hdfconfig/hdf_default.hcb" dev="mmcblk0p8" ino=36 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=548 comm="av_codec_servic" path="/vendor/etc/hdfconfig/hdf_default.hcb" dev="mmcblk0p8" ino=36 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=548 comm="av_codec_servic" name="hdf_default.hcb" dev="mmcblk0p8" ino=36 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +allow av_codec_service vendor_etc_file:file { getattr open read }; + +# avc: denied { call } for pid=1648 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=1648 comm="IPC_3_1816" scontext=u:r:av_codec_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1 +allow av_codec_service codec_host:binder { call transfer }; + +# avc: denied { get } for service=codec_component_manager_service pid=2561 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:hdf_codec_component_manager_service:s0 tclass=hdf_devmgr_class permissive=0 +allow av_codec_service hdf_codec_component_manager_service:hdf_devmgr_class { get }; + +# avc: denied { search } for pid=1648 comm="IPC_3_1816" name="/" dev="mmcblk0p14" ino=3 scontext=u:r:av_codec_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow av_codec_service data_file:dir { search }; + +allow av_codec_service normal_hap_attr:binder { call transfer }; + +# avc: denied { transfer } for pid=595 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=0 +allow av_codec_service render_service:binder { transfer }; + +allow av_codec_service render_service:fd { use }; +allow av_codec_service dev_mpp:chr_file { open read write ioctl }; +allowxperm av_codec_service dev_mpp:chr_file ioctl { 0x7601 }; + +allow av_codec_service dev_rga:chr_file { open read write ioctl }; +allowxperm av_codec_service dev_rga:chr_file ioctl { 0x601b 0x5017 }; + +allow av_codec_service media_service:binder { call transfer }; +allow av_codec_service system_core_hap_attr:binder { call transfer }; + +# avc_audit_slow:260] avc: denied { call } for pid=1654, comm="/system/bin/sa_main" scontext=u:r:av_codec_service:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow av_codec_service drm_service:binder { call }; + +allow av_codec_service camera_service:binder { call transfer }; + +allow av_codec_service dhardware:binder { call transfer }; +allow av_codec_service dscreen:binder { call transfer }; + +allow av_codec_service sa_memory_manager_service:samgr_class { get }; +allow av_codec_service foundation:binder { call }; +allow av_codec_service dev_kmsg_file:chr_file { open read write }; +allow av_codec_service tty_device:chr_file { open read write }; +allow av_codec_service sys_prod_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/bootanimation.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/bootanimation.te new file mode 100644 index 0000000000000000000000000000000000000000..1a89d667c5f86341e669ae8d4550e2a5f8539893 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/bootanimation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bootanimation sa_av_codec_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/codec_host.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/codec_host.te new file mode 100644 index 0000000000000000000000000000000000000000..b93d48032056cd5ad154e23b29700ae327472900 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/codec_host.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow codec_host av_codec_service:fd { use }; +allow codec_host av_codec_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..edadc8d4d8550c34d40e4b11dfc8fd9417648b1d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/faultloggerd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd init:unix_stream_socket { getopt }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..05c6591352e1a8450f3480e0cfde8037a7e8bbb2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hdf_devmgr.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=239 comm="IPC_2_499" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +allow hdf_devmgr av_codec_service:binder { transfer call }; + +# avc: denied { search } for pid=239 comm="IPC_2_499" name="553" dev="proc" ino=18935 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:av_codec_service:s0 tclass=dir permissive=1 +allow hdf_devmgr av_codec_service:dir { search }; + +# avc: denied { open } for pid=239 comm="IPC_2_499" path="/proc/553/attr/current" dev="proc" ino=19020 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:av_codec_service:s0 tclass=file permissive=1 +# avc: denied { read } for pid=239 comm="IPC_2_499" name="current" dev="proc" ino=19020 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:av_codec_service:s0 tclass=file permissive=1 +allow hdf_devmgr av_codec_service:file { open read }; + +# avc: denied { getattr } for pid=239 comm="IPC_2_499" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1 +allow hdf_devmgr av_codec_service:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fcd4736b03135d9a148dffe66d8735b706ce549a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=3011 pid=510 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_av_codec_service:s0 tclass=samgr_class permissive=0 +allow hidumper_service sa_av_codec_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/init.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..ba8fe5fde137591af645c685c07358c69fab57b7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { rlimitinh } for pid=1651 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=1651 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=1651 comm="init" path="/system/bin/sa_main" dev="mmcblk0p7" ino=343 scontext=u:r:init:s0 tcontext=u:r:av_codec_service:s0 tclass=process permissive=1 +allow init av_codec_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..ba9fb75ffd6d55d118518a2dfa1adb3fb24cb7a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/memmgrservice.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=321 comm="SaInit0" path="/proc/578/status" dev="proc" ino=26251 scontext=u:r:memmgrservice:s0 tcontext=u:r:av_codec_service:s0 tclass=file permissive=1 +allow memmgrservice av_codec_service:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8685eeb9dc2c080ee77b7940c11ec53ac3cf36c4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_av_codec_service:samgr_class { get }; +allow normal_hap_attr av_codec_service:binder { call transfer }; +allow normal_hap_attr av_codec_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..1b91230d0d7be1ad6a921144cd6ba08ed9a29a89 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=244 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +allow param_watcher av_codec_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/render_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0c47801a633e2bf3d0f7eed246cd343c6881e655 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/render_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=1901 pid=580 scontext=u:r:render_service:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0 +allow render_service sa_resource_schedule:samgr_class { get }; + +# avc: denied { call } for pid=556 comm="IPC_1_583" scontext=u:r:render_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +allow render_service av_codec_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/service_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..bbb0b9fce2012ffa4864eca09f20b3b710750a44 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +3011 u:object_r:sa_av_codec_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..dfc3a3b34c4f9d602c85a566266c8861f0b585ff --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_basic_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr normal_hap_attr:binder { transfer }; + +allow system_basic_hap_attr av_codec_service:fd { use }; + +allow system_basic_hap_attr av_codec_service:binder { call transfer }; + +allow system_basic_hap_attr sa_av_codec_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f776abb45b3623213a5d38c669197232a2bf4f74 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_codec/system/system_core_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr av_codec_service:fd { use }; +allow system_core_hap_attr data_user_file:file { getattr }; +allow system_core_hap_attr data_user_file:file { read }; +allow system_core_hap_attr hmdfs:file { getattr }; +allow system_core_hap_attr sa_av_codec_service:samgr_class { get }; +allow system_core_hap_attr av_codec_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..cd59773fccd97ac96abeac35b4132d64e3b7e2eb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr av_session:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..1d569811f98232e2d1f4fa470ad7f06060e50c84 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/audio_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server av_session:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/av_session.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/av_session.te new file mode 100644 index 0000000000000000000000000000000000000000..06406c64dcc40a0ab4f9ebe027effa3ec78fb7c4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/av_session.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type av_session, sadomain, domain; +allow av_session accesstoken_service:binder { call }; +allow av_session sa_avsession_service:samgr_class { add get_remote }; +allow av_session sa_multimodalinput_service:samgr_class { get }; +allow av_session av_session:unix_dgram_socket { getopt setopt }; +allow av_session data_file:dir { search add_name write }; +allow av_session data_service_el1_file:dir { add_name search write }; +allow av_session data_service_el1_file:file { create ioctl open read write }; +allow av_session data_service_el2_file:dir { add_name create getattr remove_name search write }; +allow av_session data_service_el2_file:file { create ioctl open read unlink write }; +allow av_session data_service_file:dir { search }; +allow av_session default_param:file { read map open }; +allow av_session dev_console_file:chr_file { read write }; +allow av_session dev_unix_socket:dir { search }; +allow av_session foundation:binder { call transfer }; +allow av_session hilog_param:file { map open read }; +allow av_session multimodalinput:binder { call }; +allow av_session multimodalinput:fd { use }; +allow av_session multimodalinput:unix_stream_socket { read write }; + +debug_only(` + allow av_session sh:binder { call transfer }; +') + +allow av_session system_core_hap_attr:binder { call transfer }; +allow av_session tracefs:dir { search }; +allow av_session tracefs_trace_marker_file:file { write open }; +allow av_session data_file:file { open }; +allow av_session av_session_data_file:file { append open create write ioctl read unlink getattr }; +allow av_session debug_param:file { map open read }; +allow av_session audio_server:binder { call transfer }; +allow av_session device_manager:binder { call transfer }; +allow av_session param_watcher:binder { call transfer }; +allow av_session sa_accesstoken_manager_service:samgr_class { get }; +allow av_session sa_foundation_appms:samgr_class { get }; +allow av_session av_session_data_file:dir { search write add_name read getattr remove_name}; +allow av_session sa_foundation_abilityms:samgr_class { get }; +allow av_session sa_audio_policy_service:samgr_class { get }; +allow av_session sa_foundation_devicemanager_service:samgr_class { get }; +allow av_session sa_param_watcher:samgr_class { get }; +allow av_session system_bin_file:dir { search }; +allowxperm av_session av_session_data_file:file ioctl 0x5413; +allowxperm av_session data_service_el1_file:file ioctl { 0x5413 }; +allowxperm av_session data_service_el2_file:file ioctl { 0x5413 }; +allow av_session normal_hap_attr:binder { transfer call }; +allow av_session sa_softbus_service:samgr_class { get }; +allow av_session distributeddata:binder { call transfer }; +allow av_session softbus_server:binder { call transfer }; +allow av_session softbus_server:fd { use }; +allow av_session softbus_server:tcp_socket { read write setopt shutdown }; +allow av_session data_log:dir { getattr }; +allow av_session system_basic_hap_attr:binder { transfer call }; +allow av_session sa_foundation_bms:samgr_class { get }; +allow av_session vendor_bin_file:dir { search }; +allow av_session system_usr_file:dir { search }; +allow av_session sa_distributeddata_service:samgr_class { get }; + +allow av_session dev_ashmem_file:chr_file { open }; +allow av_session bgtaskmgr_service:binder { call transfer }; +allow av_session sa_bgtaskmgr:samgr_class { get }; +allow av_session sa_foundation_ans:samgr_class { get }; +allow av_session bootevent_param:file { map open read }; +allow av_session paramservice_socket:sock_file { write }; +allow av_session kernel:unix_stream_socket { connectto }; +allow av_session sa_memory_manager_service:samgr_class { get }; +allow av_session memmgrservice:binder { call }; +allow av_session sa_foundation_cesfwk_service:samgr_class { get }; +allow av_session accountmgr:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..0e52b5502a3ad9fb4b987f9371054b4ef44c5318 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/device_manager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow device_manager av_session:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..919d7760db6cb8675314d6f8188920932fe44a93 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/distributeddata.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata av_session:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..1664fbda57b4d0674e2ab0434b4af5a2d7f6cb8b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type av_session_data_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b85a55c1390f99f3c9e9a5ff5f70f6fc51362a39 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/av_session(/.*)? u:object_r:av_session_data_file:s0 +/data/service/el1/public/av_session/cache(/.*)? u:object_r:av_session_data_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..eb8b5b16964a2398382212b772f762c895fa1685 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation av_session:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/init.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..91655c56978b2c84091d26e9c2842928d3b50195 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init av_session:process { rlimitinh siginh transition }; +allow init av_session_data_file:dir { open read write add_name create getattr relabelto search setattr }; +allow init av_session_data_file:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..bb6ce82feb5572a1998e34a54b7d2177d4228a10 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_avsession_service:samgr_class { get }; +allow normal_hap_attr av_session:binder { call transfer }; + +allow normal_hap_attr av_session:fd {use}; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..cf68a551470b7fa690066042f9e8bfd4a7982553 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher av_session:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..47633c4ebda5cef802375e807a6885c5db784775 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/softbus_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server av_session:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b041e38dc25c80e7fdd7604b2e310d4f6e054688 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_avsession_service:samgr_class { get }; +allow system_basic_hap_attr av_session:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9cb675407a29add14f584a667a65efdb3ca3e7f0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/av_session/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr av_session:binder { call transfer }; +allow system_core_hap_attr sa_avsession_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/camera_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/camera_service.te new file mode 100644 index 0000000000000000000000000000000000000000..043971a1f977e3b2056db3d2d31f08e37333cc11 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/camera_service.te @@ -0,0 +1,112 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=478 comm="camera_service" scontext=u:r:camera_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow camera_service dcamera:binder { transfer }; + +debug_only(` + allow camera_service sh:binder { call transfer }; +') + +#avc: denied { get } for service=401 pid=599 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow camera_service sa_foundation_bms:samgr_class { get }; + +allow camera_service camera_service:unix_dgram_socket { getopt setopt}; + +allow camera_service normal_hap_attr:binder { call transfer}; + +allow camera_service accesstoken_service:binder { call transfer }; + +allow camera_service privacy_service:binder { call transfer }; +allow privacy_service camera_service:binder { call transfer }; +allow camera_service sa_privacy_service:samgr_class { get }; +allow camera_service sa_sensor_service:samgr_class { get add}; +allow camera_service sensors:binder { call transfer }; +#avc: denied { get } for service=camera_image_process_service pid=1392 scontext=u:r:camera_service:s0 tcontext=u:object_r:hdf_camera_image_process_service:s0 tclass=hdf_devmgr_class permissive=1 +allow camera_service hdf_camera_image_process_service:hdf_devmgr_class { get }; +#avc: denied { use } for pid=3966 comm="OS_FFRT_2_1" path="/dev/ashmem" dev="tmpfs" ino=630 scontext=u:r:camera_service:s0 tcontext=u:r:cameradaemon:s0 tclass=fd permissive=1 +#avc: denied { use } for pid=3966 comm="OS_FFRT_2_1" path="/dmabuf:" dev="dmabuf" ino=35644 scontext=u:r:camera_service:s0 tcontext=u:r:cameradaemon:s0 tclass=fd permissive=1 +#allow camera_service cameradaemon:fd { use }; +allow camera_service foundation:binder { transfer }; +binder_call(camera_service, powermgr); +#avc: denied { get } for service=3303 pid=1767 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=0 +allow camera_service sa_powermgr_thermal_service:samgr_class { get }; +#avc: denied { get } for service=3299 pid=1767 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow camera_service sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { get } for service=allocator_service pid=8082 scontext=u:r:camera_service:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=0 +allow camera_service hdf_allocator_service:hdf_devmgr_class { get }; +#avc: denied { call } for pid=1478, comm="/system/bin/sa_main" scontext=u:r:camera_service:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=0 +allow camera_service allocator_host:binder { call }; +#avc: denied { use } for pid=1386, comm="/vendor/bin/hdf_devhost" path="anon_inode:dmabuf" dev="" ino=0 scontext=u:r:camera_service:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=0 +allow camera_service allocator_host:fd { use }; +#avc: denied { get } for service=3009 pid=1472 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0 +allow camera_service sa_audio_policy_service:samgr_class { get }; +#avc: denied { call } for pid=1478, comm="/system/bin/sa_main" scontext=u:r:camera_service:s0 tcontext=u:r:audio_policy:s0 tclass=binder permissive=0 +allow camera_service audio_server:binder { call transfer }; +allow camera_service sa_pulseaudio_audio_service:samgr_class { get }; +allow camera_service sa_av_codec_service:samgr_class { get }; +allow camera_service av_codec_service:binder { call transfer }; +allow camera_service codec_host:fd { use }; +#avc: denied { read } for pid=1474, comm="/system/bin/sa_main" path="/system/lib64/media/media_plugins" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=5362 scontext=u:r:camera_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=0 +allow camera_service system_lib_file:dir { open read }; +#avc: denied { open } for pid=1469, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:camera_service:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow camera_service dev_ashmem_file:chr_file { open }; +#avc: denied { search } for pid=1469, comm="/system/bin/sa_main" name="/data" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3615 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0 +allow camera_service data_data_file:dir { search write add_name }; +allow camera_service data_data_file:file { create open read write }; +allow camera_service hmdfs:file { read write ioctl }; +allowxperm camera_service hmdfs:file ioctl { 0xf207 }; +#avc: denied { use } for pid=5703, comm="/system/bin/appspawn" path="/storage/cloud/files/Photo/1/IMG_27156725_001.mp4" dev="/data/service/el2/100/hmdfs/account" ino=11529215046068485401 scontext=u:r:camera_service:s0 tcontext=u:r:medialibrary_hap:s0 tclass=fd permissive=0 +allow camera_service medialibrary_hap:fd { use }; +#avc: denied { get } for service=180 pid=1480 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow camera_service sa_foundation_abilityms:samgr_class { get }; +#avc: denied { get } for service=501 pid=1448 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow camera_service sa_foundation_appms:samgr_class {get}; +allow camera_service distributeddata:binder { call }; +allow camera_service dev_kmsg_file:chr_file { write }; +allow camera_service tty_device:chr_file { read write }; +allow camera_service chip_prod_file:dir { search }; +allow camera_service normal_hap:fd { use }; +allow camera_service sa_distributeddata_service:samgr_class { get }; +allow camera_service distributeddata:fd { use }; +allow camera_service sa_media_monitor:samgr_class { get }; +allow camera_service dev_at_file:chr_file ioctl; +allowxperm camera_service dev_at_file:chr_file ioctl { 0x4104 }; +#avc: denied { get } for service=4802 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1 +allow camera_service sa_foundation_devicemanager_service:samgr_class { get }; +allow camera_service device_manager:binder { call transfer }; +#avc: denied { get } for service=3301 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=0 +allow camera_service sa_powermgr_powermgr_service:samgr_class { get }; +#avc: denied { search } for pid=1591, comm="/system/bin/sa_main" name="/service/el1" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=62 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { write remove_name search } for pid=20408, comm="/bin/rm" name="/service/el1/public/camera_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=1473 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=20061, comm="/bin/ls" path="/data/service/el1/public/camera_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=1473 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow camera_service data_service_el1_file:dir { search write add_name read getattr remove_name }; +#avc: denied { read } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/VID_9003970_001.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25402 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/VID_9003970_001.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25402 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { create } for pid=1591, comm="/system/bin/sa_main" name="/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=26635 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { read write } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=26635 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { unlink } for pid=20408, comm="/bin/rm" name="/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25420 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=20061, comm="/bin/ls" path="/data/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25420 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow camera_service data_service_el1_file:file { read open create write unlink getattr map rename setattr }; +#avc: denied { search } for pid=1540, comm="/system/bin/sa_main" name="/service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=58 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +allow camera_service data_service_file:dir { search }; +allow camera_service hdf_camera_video_process_service:hdf_devmgr_class { get }; +#avc: denied { getattr } for pid=9729, comm="/system/bin/sa_main" path="/storage/cloud/files/Photo/11/VID_9441076_011.mp4" dev="/data/service/el2/100/hmdfs/account" ino=11529215046068499858 scontext=u:r:camera_service:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=0 +allow camera_service hmdfs:file { getattr }; +#avc: denied { get } for service=3302 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=0 +allow camera_service sa_powermgr_battery_service:samgr_class { get }; +allow camera_service sa_foundation_ans:samgr_class { get }; +allow camera_service sa_msdp_motion_service:samgr_class { get }; +allow camera_service msdp_sa:binder { call transfer }; +allow camera_service sys_prod_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..87ac9dd1764e3275d27a98737f1a5006d527b7a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/distributeddata.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata camera_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..a71ddb838781a3e3e89baf0a05c604084fb1fc9e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025-2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation camera_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/msdp_sa.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..695d66327d4514eee21365cf30b925f787bb7276 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/msdp_sa.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025-2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow msdp_sa camera_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..74195cfb6a77587950b590b362443ad677f351aa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/normal_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +#avc: denied { get } for service=3008 pid=1958 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_camera_service:samgr_class { get }; + +allow normal_hap_attr camera_service:binder { call transfer }; +allow normal_hap_attr camera_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6c8ccb47a8cf98f6c4e09fb8fe26025a3cdbeec7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/camera/system/system_basic_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2025-2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr camera_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/cameraHap/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/cameraHap/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7c391295359eeaf0fe4292885732b51c01243986 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/cameraHap/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +allow hap_domain normal_hap_data_file_attr:file { getattr }; +allow hap_domain { normal_hap_data_file_attr -dlp_sandbox_hap_data_file }:file { open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/drm_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/drm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..94d73f54e0a9d9e387f8d6b7f1773855e89219db --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/drm_service.te @@ -0,0 +1,132 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { read write } for pid=602 comm="sa_main" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow drm_service dev_console_file:chr_file { read write }; + +# avc: denied { getattr } for pid=602 comm="drm_service" path="/dev" dev="tmpfs" ino=1 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +allow drm_service dev_file:dir { getattr }; + +# avc: denied { get } for service=clearplay_service pid=602 scontext=u:r:drm_service:s0 tcontext=u:object_r:hdf_clearplay_service:s0 tclass=hdf_devmgr_class permissive=1 +allow drm_service hdf_clearplay_service:hdf_devmgr_class { get }; + +# avc: denied { getattr } for pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=602 comm="drm_service" name="online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow drm_service sysfs_devices_system_cpu:file { getattr open read }; +#avc: denied { transfer } for pid=478 comm="camera_service" scontext=u:r:camera_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0 +allow drm_service dcamera:binder { transfer }; + +debug_only(` + allow drm_service sh:binder { call transfer }; + allow drm_service su:binder { call transfer }; +') + +#avc: denied { get } for service=401 pid=599 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow drm_service sa_foundation_bms:samgr_class { get }; + +allow drm_service camera_service:unix_dgram_socket { getopt setopt}; + +allow drm_service normal_hap_attr:binder { call transfer}; + +allow drm_service accesstoken_service:binder { call transfer }; + +allow drm_service sa_memory_manager_service:samgr_class { get }; +# avc: denied { call } for pid=2392 comm="SaInit0" scontext=u:r:drm_service:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=1 +allow drm_service memmgrservice:binder { call }; + +allow drm_service hdf_device_manager:hdf_devmgr_class { get }; + +allow drm_service privacy_service:binder { call transfer }; +allow privacy_service drm_service:binder { call transfer }; +allow drm_service sa_privacy_service:samgr_class { get }; +# avc: denied { get } for service=clearplay_service pid=602 scontext=u:r:drm_service:s0 tcontext=u:object_r:hdf_clearplay_service:s0 tclass=hdf_devmgr_class permissive=1 +allow drm_service hdf_clearplay_service:hdf_devmgr_class { get }; +allow drm_service data_system:file { create read open getattr write ioctl }; + +# avc: denied { transfer } for pid=608 comm="OS_IPC_2_1673" scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow drm_service media_service:binder { transfer }; + +# avc: denied { use } for pid=568 comm="multiqueue4:src" path="/dev/ashmem" dev="tmpfs" ino=238 scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow drm_service media_service:fd { use }; + +#avc: denied { read } for pid=4768 comm="SaInit0" name="oem_certificate_service" dev="sdd74" ino=6055 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +allow drm_service system_lib_file:dir { read }; + +# avc: denied { map } for pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=11141 comm="SaInit0" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +allow drm_service arkcompiler_param:file { map open read }; +allow drm_service ark_writeable_param:file { map open read }; + +# avc: denied { search } for pid=11141 comm="SaInit0" name="/" dev="sdd91" ino=3 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow drm_service data_file:dir { search }; + +# avc: denied { search } for pid=11141 comm="SaInit0" name="system" dev="sdd91" ino=29 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_system:s0 tclass=dir permissive=1 +allow drm_service data_system:dir { search write add_name create read open }; + +# avc: denied { write } for pid=11141 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow drm_service dev_kmsg_file:chr_file { write }; + +# avc: denied { connect } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { create } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { getattr } for pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { getopt } for pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { read } for pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { setopt } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +# avc: denied { write } for pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1 +allow drm_service drm_service:tcp_socket { connect create getattr getopt read setopt write }; + +# avc: denied { bind } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1 +# avc: denied { create } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1 +# avc: denied { read } for pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1 +# avc: denied { write } for pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1 +allow drm_service drm_service:udp_socket { bind create read write }; + +# avc: denied { call } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=1 +allow drm_service netmanager:binder { call }; + +# avc: denied { connectto } for pid=11141 comm="OS_WisePlayCert" path="/dev/unix/socket/dnsproxyd" scontext=u:r:drm_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1 +allow drm_service netsysnative:unix_stream_socket { connectto }; + +# avc: denied { node_bind } for pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow drm_service node:udp_socket { node_bind }; + +# avc: denied { name_connect } for pid=11141 comm="OS_WisePlayCert" dest=8080 scontext=u:r:drm_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1 +allow drm_service port:tcp_socket { name_connect }; + +# avc: denied { open } for pid=11141 comm="SaInit0" path="/system/lib64/oem_certificate_service" dev="sdd86" ino=6224 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +allow drm_service system_lib_file:dir { open }; + +# avc_audit_slow:260] avc: denied { transfer } for pid=1637, comm="/system/bin/sa_main" scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +allow drm_service av_codec_service:binder { transfer }; + +# avc_audit_slow:260] avc: denied { use } for pid=1654, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1 +allow drm_service av_codec_service:fd { use }; + +# avc: denied { use } for pid=550 comm="OS_IPC_2_2362" path="/dev/ashmem" dev="tmpfs" ino=245 scontext=u:r:clearplay_host:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1 +allow clearplay_host av_codec_service:fd { use }; + +#avc: denied { get } for service=1151 pid=5890 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1 +allow drm_service sa_net_conn_manager:samgr_class { get }; + +# avc: denied { use } for pid=1622 comm="IPC_0_1803" path="/dmabuf:" dev="dmabuf" ino=38669 scontext=u:r:drm_service:s0 tcontext=u:r:codec_host:s0 tclass=fd permissive=1 +allow drm_service codec_host:fd { use }; + +allow drm_service tty_device:chr_file { read write }; + +allow drm_service hap_domain:fd { use }; + +# avc_audit_slow:260] avc: denied { call } for pid=1540, comm="/system/bin/sa_main" scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +# avc_audit_slow:260] avc: denied { transfer } for pid=1540, comm="/system/bin/sa_main" scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow drm_service system_basic_hap:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6319602e5af1da8fa6ee5a0508511b0849f88fc1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +#avc: denied { get } for service=3008 pid=1958 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_drm_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_drm_service:samgr_class { get }; + +allow normal_hap_attr drm_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d80320f2c9a5761df5cd8cc2f8a2c3f544ca5c4f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/drm/system/system_basic_hap.te @@ -0,0 +1,19 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc_audit_slow:260] avc: denied { call } for pid=4933, comm="/system/bin/appspawn" scontext=u:r:system_basic_hap:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +# avc_audit_slow:260] avc: denied { transfer } for pid=4933, comm="/system/bin/appspawn" scontext=u:r:system_basic_hap:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow system_basic_hap drm_service:binder { call transfer }; + +# avc: denied { get } for service=3012 pid=4933 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_drm_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap sa_drm_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/image/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/multimedia/image/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..e1c0258074468f3869b0009fa40e7b1334233242 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/image/system/hap_domain.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain hdf_codec_image_service:hdf_devmgr_class { get }; +allow hap_domain codec_host:binder { call transfer }; +allow hap_domain hdf_codec_component_manager_service:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/parameter.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..75fe77c3033eee6af547af8e286e2009b9d81035 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +type media_library_param, parameter_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/type.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..09f4af8b091329ea920efe306993f2817318af02 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type medialibrary_hap, normal_hap_attr, hap_domain, domain; +type medialibrary_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/file_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..52b5c82f49317cf68734729cd6135cd20d802525 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/mediatool u:object_r:mediatool_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/media_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..60ca97d88b98c74bc58c2ea0d9e7883167b42f81 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/media_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { read write } for pid=1332 comm="MtpMonitor::Run" path="/storage/External/0E3919F70E3919F7/VID_2017818_121206.mp4" dev="mmcblk1p1" ino=319 scontext=u:r:media_service:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=563 comm="AVMetadata" path="/storage/External/0E3919F70E3919F7/VID_2017818_121206.mp4" dev="mmcblk1p1" ino=319 scontext=u:r:media_service:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +allow media_service ntfs:file { read write getattr }; +allow media_service exfat:file { read write getattr }; +allow media_service vfat:file { read write getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/medialibrary_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/medialibrary_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..877d4d1d388582a8374af1fc099fb7f7109df51e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/medialibrary_hap.te @@ -0,0 +1,36 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow medialibrary_hap mimetype_file:file { open read getattr }; +allow medialibrary_hap privacy_service:binder call; +allow medialibrary_hap media_library_param:parameter_service { set }; +allow medialibrary_hap paramservice_socket:sock_file { write }; +allow medialibrary_hap kernel:unix_stream_socket { connectto }; + +neverallow { hap_domain -ringtonelibrary_hap -medialibrary_hap -system_basic_hap -init -samgr -hdf_devmgr } media_library_param:parameter_service { set }; + +allow medialibrary_hap hmdfs:dir { ioctl }; +allowxperm medialibrary_hap hmdfs:dir ioctl { 0xf547 0xf546 }; +neverallowxperm medialibrary_hap hmdfs:dir ioctl ~{ 0xf547 0xf546 }; + +#avc: denied { use } for pid=1650, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:medialibrary_hap:s0 tcontext=u:r:camera_service:s0 tclass=fd permissive=0 +allow medialibrary_hap camera_service:fd { use }; + +# avc: denied { get } for service=usbfn_mtp_interface_service sid=u:r:medialibrary_hap:s0 scontext=u:r:medialibrary_hap:s0 tcontext=u:object_r:hdf_usbfn_mtp_interface_service:s0 tclass=hdf_devmgr_class permissive=0 +allow medialibrary_hap hdf_usbfn_mtp_interface_service:hdf_devmgr_class { get }; + +# avc: denied { watch } for pid=1261 comm="MtpMonitor::Run" path="/storage/External/6342293E7EBCAF49" dev="mmcblk1p2" ino=5 scontext=u:r:medialibrary_hap:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 +# avc: denied { watch_reads } for pid=1257 comm="MtpMonitor::Run" path="/storage/External/0F83-08EF" dev="mmcblk1p1" ino=1 scontext=u:r:medialibrary_hap:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +allow medialibrary_hap ntfs:dir { watch watch_reads }; +allow medialibrary_hap exfat:dir { watch watch_reads }; +allow medialibrary_hap vfat:dir { watch_reads }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/mediatool.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/mediatool.te new file mode 100644 index 0000000000000000000000000000000000000000..eccb51a2c51518a5252b10bc08952093758ac2f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/mediatool.te @@ -0,0 +1,51 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type mediatool, native_system_domain, domain; +type mediatool_exec, exec_attr, file_attr, system_file_attr; + +developer_only(` +allow mediatool sh:fd { use }; +allow mediatool medialibrary_hap:fd { use }; +allow mediatool chip_prod_file:dir { search }; +allow mediatool debug_param:file { read open map }; +allow mediatool dev_unix_socket:dir { search }; +allow mediatool hdcd:fd { use }; +allow mediatool persist_param:file { read open map }; +allow mediatool persist_sys_param:file { read open map }; +allow mediatool samgr:binder { call }; +allow mediatool sys_prod_file:dir { search }; +allow mediatool system_usr_file:dir { search getattr }; +allow mediatool tty_device:chr_file { read write }; +allow mediatool dev_ptmx:chr_file { read write }; +allow mediatool devpts:chr_file { read write }; +allow mediatool system_usr_file:file { read getattr open map }; +allow mediatool sa_storage_manager_service:samgr_class { get }; +allow mediatool storage_manager:binder { call }; +allow mediatool mediatool:unix_dgram_socket { getopt setopt }; +allow mediatool hiview:unix_dgram_socket { sendto }; +allow mediatool sa_foundation_abilityms:samgr_class { get }; +allow mediatool foundation:binder { call transfer }; +allow mediatool medialibrary_hap:binder { call transfer }; +allow mediatool mimetype_file:file { read open getattr }; +allow mediatool devpts:chr_file { ioctl }; +allow mediatool hdcd:fifo_file { read write }; +allowxperm mediatool devpts:chr_file ioctl 0x5413; +allow foundation mediatool:binder { call transfer }; +allow samgr mediatool:dir { search }; +allow samgr mediatool:file { read open }; +allow samgr mediatool:process { getattr }; +allow samgr mediatool:binder { transfer }; +allow medialibrary_hap mediatool:binder { transfer }; +domain_auto_transition_pattern(sh, mediatool_exec, mediatool); +') diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..634a0cfa1258f9e5dc3f0ec1503880576ed32027 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter.te @@ -0,0 +1,13 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..83e46b312ef638b20867affdb0357db04819dc81 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +multimedia.medialibrary. u:object_r:media_library_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/sh.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..6e63372fa772161ae612590b9e75696ad6d15395 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_library/system/sh.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for developer_only version +developer_only(` +allow sh kernel:key { search }; +') diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..6289b7c50b0dbe27fb001ee8df455d28e3734802 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation sa_media_monitor:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..062923970c92b8f6bf01f6a3912a7cb5078252c9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=66160 pid=13165 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_media_monitor:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_media_monitor:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/init.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..86687482a1b2ef861edb51634c9de4537ee473bf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init media_monitor:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/media_monitor.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/media_monitor.te new file mode 100644 index 0000000000000000000000000000000000000000..e593b34faa7c24e34c0a6e9dddf6c7a2aaaea287 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/media_monitor.te @@ -0,0 +1,53 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type media_monitor, sadomain, domain; +type sa_media_monitor, sa_service_attr; + +allow media_monitor sa_media_monitor:samgr_class { add get_remote }; + +allow media_monitor audio_server:binder { call transfer }; +allow media_monitor dev_unix_socket:dir { search }; +allow media_monitor distributeddata:binder { call transfer }; +allow media_monitor multimodalinput:binder { call }; +allow media_monitor multimodalinput:fd { use }; +allow media_monitor multimodalinput:unix_stream_socket { read write }; +allow media_monitor param_watcher:binder { call transfer }; +allow media_monitor sa_accesstoken_manager_service:samgr_class { get }; +allow media_monitor sa_distributeddata_service:samgr_class { get }; +allow media_monitor sa_multimodalinput_service:samgr_class { get }; +allow media_monitor sa_param_watcher:samgr_class { get }; +allow media_monitor tracefs:dir { search }; +allow media_monitor tracefs:file { open write }; +allow media_monitor tracefs_trace_marker_file:file { write open }; +allow media_monitor data_service_file:dir { search }; +allow media_monitor accesstoken_service:binder { call transfer }; +allow media_monitor sa_foundation_devicemanager_service:samgr_class { get }; +allow media_monitor device_manager:binder { call transfer }; +allow media_monitor sa_foundation_bms:samgr_class { get }; +allow media_monitor sa_foundation_abilityms:samgr_class { get }; +allow media_monitor normal_hap_attr:binder { transfer call }; +allow media_monitor system_core_hap_attr:binder { call transfer }; +allow media_monitor system_bin_file:dir { getattr search }; +allow media_monitor sa_audio_policy_service:samgr_class { add get }; +allow media_monitor dev_console_file:chr_file { read write }; +allow media_monitor debug_param:file { map open read }; +allow media_monitor dev_kmsg_file:chr_file { open write }; +allow media_monitor sysfs_devices_system_cpu:file { getattr open read }; +allow media_monitor media_monitor:unix_dgram_socket { getopt setopt }; +allow media_monitor foundation:binder { call }; +allow media_monitor persist_param:file { map open read }; +allow media_monitor data_log:dir { open read write add_name write remove_name }; +allow media_monitor data_log:file { append create getattr ioctl open read setattr unlink write }; +allowxperm media_monitor data_log:file ioctl { 0x5413 }; +allow media_monitor dev_ashmem_file:chr_file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..84e0e105cdf66c8adcc43aac14d48e1fa281c278 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_media_monitor:samgr_class { get }; + +allow normal_hap_attr media_monitor:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/service_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..c8e4cc97813f7e05c65d30f4f8101f1ebba2c2f2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3013 u:object_r:sa_media_monitor:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..2801301a81801da2e7bacb39c86de99ca7dabc15 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_media_monitor:samgr_class { get }; + +allow system_basic_hap_attr media_monitor:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d036136f7e2452602ec6a6dbcfbbd1fabf3aef6b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/media_monitor/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap sa_media_monitor:samgr_class { get }; + +allow system_core_hap media_monitor:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/av_session.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/av_session.te new file mode 100644 index 0000000000000000000000000000000000000000..05997f137757de0f2bb49ffde2d4bc00f8240080 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/av_session.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow av_session media_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/bytrace.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/bytrace.te new file mode 100644 index 0000000000000000000000000000000000000000..a762bf5e9ab1083271dcc05f9e3b19b8dc8d398e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/bytrace.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bytrace data_test_media_file:file { write ioctl }; + +allowxperm bytrace data_test_media_file:file ioctl { 0x5413 }; + +allow bytrace proc_file:file { read open }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/codec_host.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/codec_host.te new file mode 100644 index 0000000000000000000000000000000000000000..24778d63f9d415bec415dc311ec02d4db2a082c3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/codec_host.te @@ -0,0 +1,74 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { ioctl } for pid=413 comm="omx_enc_input" path="/dev/dri/card0" dev="tmpfs" ino=77 ioctlcmd=0x642e scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow codec_host dev_dri_file:chr_file { ioctl }; +allowxperm codec_host dev_dri_file:chr_file ioctl { 0x642e 0x64b4 }; + +#avc: denied { ioctl } for pid=428 comm="omx_dec_input" path="/dev/dri/card0" dev="tmpfs" ino=77 ioctlcmd=0x64b2 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow codec_host dev_dri_file:chr_file { ioctl }; +allowxperm codec_host dev_dri_file:chr_file ioctl { 0x64b2 0x642d }; + +#avc: denied { open } for pid=413 comm="codec_host" path="/dev/dri/card0" dev="tmpfs" ino=77 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow codec_host dev_dri_file:chr_file { open }; + +#avc: denied { read write } for pid=413 comm="codec_host" name="card0" dev="tmpfs" ino=77 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow codec_host dev_dri_file:chr_file { read write }; + +#avc: denied { search } for pid=413 comm="codec_host" name="dri" dev="tmpfs" ino=75 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 +allow codec_host dev_dri_file:dir { search }; + +#avc: denied { ioctl } for pid=413 comm="omx_dec_input" path="/dev/mpp_service" dev="tmpfs" ino=115 ioctlcmd=0x7601 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_mpp:s0 tclass=chr_file permissive=1 +allow codec_host dev_mpp:chr_file { ioctl }; +allowxperm codec_host dev_mpp:chr_file ioctl { 0x7601 }; + +#avc: denied { read write } for pid=413 comm="omx_dec_input" name="mpp_service" dev="tmpfs" ino=115 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_mpp:s0 tclass=chr_file permissive=1 +allow codec_host dev_mpp:chr_file { read write }; + +#avc: denied { ioctl } for pid=413 comm="omx_dec_output" path="/dev/rga" dev="tmpfs" ino=169 ioctlcmd=0x5017 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_rga:s0 tclass=chr_file permissive=1 +allow codec_host dev_rga:chr_file { ioctl }; +allowxperm codec_host dev_rga:chr_file ioctl { 0x5017 0x601b }; + + +#avc: denied { use } for pid=2003 comm="src:src" path="/dmabuf:" dev="dmabuf" ino=37677 scontext=u:r:codec_host:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1 +allow codec_host allocator_host:fd { use }; + +#avc: denied { call } for pid=413 comm="codec_host" scontext=u:r:codec_host:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow codec_host media_service:binder { call }; + +#avc: denied { transfer } for pid=413 comm="codec_host" scontext=u:r:codec_host:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow codec_host media_service:binder { transfer }; + +#avc: denied { use } for pid=2003 comm="src:src" path="/dev/ashmem" dev="tmpfs" ino=166 scontext=u:r:codec_host:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow codec_host media_service:fd { use }; + +#avc: denied { open } for pid=413 comm="omx_dec_input" path="/sys/firmware/devicetree/base/compatible" dev="sysfs" ino=15 scontext=u:r:codec_host:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow codec_host sys_file:file { open }; + +#avc: denied { read } for pid=413 comm="omx_dec_input" name="compatible" dev="sysfs" ino=15 scontext=u:r:codec_host:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow codec_host sys_file:file { read }; + +#avc: denied { open } for pid=449 comm="omx_dec_input" path="/dev/mpp_service" dev="tmpfs" ino=115 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_mpp:s0 tclass=chr_file permissive=1 +allow codec_host dev_mpp:chr_file { open }; + +#avc: denied { open } for pid=449 comm="omx_dec_output" path="/dev/rga" dev="tmpfs" ino=169 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_rga:s0 tclass=chr_file permissive=1 +allow codec_host dev_rga:chr_file { open }; + +#avc: denied { read write } for pid=449 comm="omx_dec_output" name="rga" dev="tmpfs" ino=169 scontext=u:r:codec_host:s0 tcontext=u:object_r:dev_rga:s0 tclass=chr_file permissive=1 +allow codec_host dev_rga:chr_file { read write }; + +#avc: denied { open } for pid=449 comm="omx_dec_input" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:codec_host:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +allow codec_host proc_version_file:file { open }; + +#avc: denied { read } for pid=449 comm="omx_dec_input" name="version" dev="proc" ino=4026532114 scontext=u:r:codec_host:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +allow codec_host proc_version_file:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..1799e1f3d3061cae0571171ae3d78b39fdf43159 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/faultloggerd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd init:unix_stream_socket { getopt }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/file_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..068465b2f50e68fbd1ad08c81fca2264ee1e6feb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/test/media(/.*)? u:object_r:data_test_media_file:s0 +/data/media/log(/.*)? u:object_r:data_media_log_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..5b3823d880326f80e2508e15f75071a937385dd9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/foundation.te @@ -0,0 +1,19 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { use } for pid=1526, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:foundation:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow foundation media_service:fd { use }; + +# avc: denied { call } for pid=607 comm="OS_IPC_7_930" scontext=u:r:foundation:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=607 comm="OS_IPC_7_930" scontext=u:r:foundation:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1 +allow foundation av_codec_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..97c91fe46a122b21c1bb3ff4c5ed6e5f577f6700 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/hidumper_service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { getattr } for pid=535 comm="hidumper_servic" path="/proc/10928" dev="proc" ino=102645 scontext=u:r:hidumper_service:s0 tcontext=u:r:system_core_hap:s0 tclass=dir permissive=1 +allow hidumper_service system_core_hap_attr:dir { getattr }; +allow hidumper_service dev_at_file:chr_file { ioctl }; +allowxperm hidumper_service dev_at_file:chr_file ioctl { 0x4104 }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/init.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..374e7d8d020839f141a79682bb0addd6a5c6e582 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/init.te @@ -0,0 +1,36 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { unlink } for pid=1 comm="init" name="hilogControl" dev="tmpfs" ino=494 scontext=u:r:init:s0 tcontext=u:object_r:hilog_control_socket:s0 tclass=sock_file permissive=1 +allow init hilog_control_socket:sock_file { unlink }; +#avc: denied { unlink } for pid=1 comm="init" name="hilogInput" dev="tmpfs" ino=493 scontext=u:r:init:s0 tcontext=u:object_r:hilog_input_socket:s0 tclass=sock_file permissive=1 +allow init hilog_input_socket:sock_file { unlink }; +#avc: denied { sigkill } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:hilogd:s0 tclass=process permissive=1 +allow init hilogd:process { sigkill }; +#avc: denied { getattr } for pid=1 comm="init" path="/data/libinput" dev="mmcblk0p11" ino=652801 scontext=u:r:init:s0 tcontext=u:object_r:data_libinput:s0 tclass=dir permissive=1 +allow init data_libinput:dir { getattr }; +#avc: denied { setattr } for pid=1 comm="init" name="rga" dev="tmpfs" ino=181 scontext=u:r:init:s0 tcontext=u:object_r:dev_rga:s0 tclass=chr_file permissive=1 +allow init dev_rga:chr_file { setattr }; +#avc: denied { rlimitinh } for pid=507 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:privacy_service:s0 tclass=process permissive=1 +allow init privacy_service:process { rlimitinh }; +#avc: denied { siginh } for pid=507 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:privacy_service:s0 tclass=process permissive=1 +allow init privacy_service:process { siginh }; +#avc: denied { transition } for pid=507 comm="init" path="/system/bin/sa_main" dev="mmcblk0p6" ino=348 scontext=u:r:init:s0 tcontext=u:r:privacy_service:s0 tclass=process permissive=1 +allow init privacy_service:process { transition }; +allow init data_service_el1_file:file { relabelfrom }; +allow init data_service_el1_file:sock_file { getattr }; +allow init data_udev:file { getattr }; +allow init faultloggerd_socket:sock_file { unlink }; +allow init data_udev:sock_file { getattr }; +allow init appspawn_socket:sock_file { relabelfrom }; +allow init dev_v_file:chr_file { setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/kernel.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..632ef4587d2da42cc77c3a35e528bc00666fa209 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/kernel.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=177 comm="kworker/u8:3" name="xhci" dev="debugfs" ino=962 scontext=u:r:kernel:s0 tcontext=u:object_r:debugfs_usb:s0 tclass=dir permissive=1 +allow kernel debugfs_usb:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/media_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ee10b8b998ac823434a750889522133ccf08c2e0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/media_service.te @@ -0,0 +1,177 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { getattr } for pid=475 comm="media_service" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/01.mp3" dev="mmcblk0p11" ino=1307144 scontext=u:r:media_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow media_service data_app_el1_file:file { getattr }; + +#avc: denied { getattr } for pid=475 comm="media_service" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=475 comm="typefind:sink" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +#avc: denied { write } for pid=475 comm="queue0:src" path="/data/service/el2/100/hmdfs/account/files/Videos/audio_09.mp4" dev="mmcblk0p11" ino=261565 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +allow media_service data_user_file:file { getattr read write }; + +#avc: denied { write } for pid=475 comm="media_service" name="hilogInput" dev="tmpfs" ino=495 scontext=u:r:media_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=sock_file permissive=1 +allow media_service dev_unix_socket:sock_file { write }; + +#avc: denied { connect } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { create } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { setopt } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { create } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +allow media_service media_service:tcp_socket { connect create setopt create }; + +#avc: denied { name_connect } for pid=475 comm="source:src" dest=8000 scontext=u:r:media_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1 +allow media_service port:tcp_socket { name_connect }; + +#avc: denied { use } for pid=475 comm="qtdemux5:sink" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/64.mp4" dev="mmcblk0p11" ino=1307154 scontext=u:r:media_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1 +allow media_service system_core_hap_attr:fd { use }; + +#avc: denied { getattr } for pid=475 comm="media_service" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=475 comm="media_service" name="H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 +allow media_service data_file:file { getattr read open }; + +#avc: denied { open } for pid=475 comm="conv_src:src" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1 +#avc: denied { read } for pid=475 comm="conv_src:src" name="boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1 +allow media_service proc_boot_id:file { open read }; + +#avc: denied { call } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +debug_only(` + allow media_service sh:binder { call transfer }; +') + +#avc: denied { use } for pid=20777 comm="avmetadata_unit" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1 +debug_only(` + allow media_service sh:fd { use }; +') + +#avc: denied { getattr } for pid=499 comm="media_service" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2096 comm="jsThread-1" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=0 +allow media_service system_core_hap_data_file_attr:file { getattr read }; +allow media_service media_service:udp_socket { create }; +allow media_service foundation:binder { call transfer }; +binder_call(media_service, powermgr); + +#avc: denied { call } for pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1 +allow media_service codec_host:binder { call }; + +#avc: denied { transfer } for pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1 +allow media_service codec_host:binder { transfer }; + +#avc: denied { get } for service=codec_hdi_omx_service pid=2247 scontext=u:r:media_service:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class permissive=0 +allow media_service hdf_codec_hdi_omx_service:hdf_devmgr_class { get }; + +#avc: denied { add_name } for pid=540 comm="media_service" name="check.config" scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=503 comm="media_service" name="log" dev="mmcblk0p11" ino=1305610 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow media_service data_file:dir { write add_name }; + +#avc: denied { write } for pid=12844 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=391698 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=507 comm="media_service" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1968 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=0 +allow media_service data_test_media_file:file { write read getattr }; + +allow media_service system_basic_hap_attr:fd { use }; + +allow media_service system_basic_hap_attr:binder { transfer call }; + +allow media_service system_basic_hap_data_file_attr:file { getattr read write }; + +allow media_service normal_hap_data_file_attr:file { read getattr }; + +allow media_service musl_param:file { open map read }; + +allow media_service dnsproxy_service:sock_file { write }; + +allow media_service render_service:fd { use }; + +allow media_service data_media_log_file:file { create read open getattr write append ioctl }; + +allowxperm media_service data_media_log_file:file ioctl { 0x5413 }; + +allow media_service data_media_log_file:dir { create add_name write search }; + +allow media_service normal_hap_data_file_attr:file { write }; + +allow media_service hilogd:unix_dgram_socket { sendto }; + +allow media_service sa_avsession_service:samgr_class { get }; + +allow media_service av_session:binder { call transfer }; + +allow media_service sa_foundation_bms:samgr_class { get }; + +#avc: denied { get } for service=4607 pid=624 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0 +allow media_service sa_foundation_dms:samgr_class { get }; + +#add selinux for get sa_privacy_service +allow media_service sa_privacy_service:samgr_class { get }; + +#add selinux for call privacy_service +allow media_service privacy_service:binder { call transfer }; + +#avc: denied { get } for service=4607 pid=624 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=0 +allow media_service sa_foundation_wms:samgr_class { get }; + +# avc: denied { call } for pid=568 comm="multiqueue4:src" scontext=u:r:media_service:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +allow media_service drm_service:binder { call }; + +allow media_service sa_concurrent_task_service:samgr_class { get }; + +allow media_service concurrent_task_service:binder { call }; + +allow media_service sa_av_codec_service:samgr_class { get }; + +allow media_service av_codec_service:binder { call transfer }; + +allow media_service av_codec_service:fd { use }; + +allow media_service sa_powermgr_powermgr_service:samgr_class { get }; + +# avc: denied { get } for service=180 pid=1526 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow media_service sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { get } for service=3203 pid=1526 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_ans:s0 tclass=samgr_class permissive=1 +allow media_service sa_foundation_ans:samgr_class { get }; + +allow media_service foundation:fd { use }; + +allow media_service sa_foundation_cesfwk_service:samgr_class { get }; + +allow media_service sa_foundation_tel_state_registry:samgr_class { get }; + +allow media_service resource_schedule_service:binder { call }; + +allow media_service sa_accountmgr:samgr_class { get }; + +allow media_service accountmgr:binder { call transfer }; + +#avc: denied { get } for service=3013 pid=522 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_media_monitor:s0 tclass=samgr_class permissive=1 +allow media_service sa_media_monitor:samgr_class { get }; + +#avc: denied { call } for pid=608 comm="PlayerEngine" scontext=u:r:media_service:s0 tcontext=u:r:media_monitor:s0 tclass=binder permissive=0 +allow media_service media_monitor:binder { call }; + +allow media_service hmdfs:file { ioctl }; +allowxperm media_service hmdfs:file ioctl { 0xf206 0xf207 0xf208 0xf209 }; + +allow media_service normal_hap_data_file:file { ioctl }; +allowxperm media_service normal_hap_data_file:file ioctl { 0xf206 }; + +allow media_service sa_camera_service:samgr_class { get }; + +allow media_service camera_service:binder { call }; + +allow media_service render_service:binder { transfer }; + +allow media_service sa_multimodalinput_service:samgr_class { get }; +allow media_service multimodalinput:unix_stream_socket { read }; +allow media_service sa_foundation_tel_call_manager:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..43f58a532594a11302d15e3409fb7b576def5b10 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/multimodalinput.te @@ -0,0 +1,24 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { ioctl } for pid=252 comm="mmi_service" path="/sys/devices/platform/rk-headset/input/input3/uevent" dev="sysfs" ino=32447 ioctlcmd=0x5413 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow multimodalinput sys_file:file { ioctl }; +allowxperm multimodalinput sys_file:file ioctl { 0x5413 }; +#avc: denied { write } for pid=252 comm="mmi_service" name="uevent" dev="sysfs" ino=32447 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow multimodalinput sys_file:file { write }; +#avc: denied { add_name } for pid=246 comm="multimodalinput" name="libinput.log" scontext=u:r:multimodalinput:s0 tcontext=u:object_r:data_libinput:s0 tclass=dir permissive=1 +allow multimodalinput data_libinput:dir { add_name }; +#avc: denied { write } for pid=246 comm="multimodalinput" name="libinput" dev="mmcblk0p11" ino=652801 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:data_libinput:s0 tclass=dir permissive=1 +allow multimodalinput data_libinput:dir { write }; +#avc: denied { create } for pid=246 comm="multimodalinput" name="libinput.log" scontext=u:r:multimodalinput:s0 tcontext=u:object_r:data_libinput:s0 tclass=file permissive=1 +allow multimodalinput data_libinput:file { create }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0c7f477f13551c54289fc91155995d00bc408f8f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/normal_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { remove_name } for pid=1916 comm="com.ohos.medial" name="03.jpg" dev="mmcblk0p11" ino=1044941 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 +allow normal_hap_attr data_user_file:dir { remove_name }; +#avc: denied { rename } for pid=1916 comm="com.ohos.medial" name="03.jpg" dev="mmcblk0p11" ino=1044941 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +allow normal_hap_attr data_user_file:file { rename }; +#avc: denied { call } for pid=1916 comm="com.ohos.medial" scontext=u:r:normal_hap:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 +allow normal_hap_attr system_core_hap_attr:binder { call }; +allow normal_hap_attr system_basic_hap_attr:binder {transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/render_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9747cb651e694f4a144d01a09e1463cd561e7971 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/render_service.te @@ -0,0 +1,31 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + #avc: denied { call } for pid=449 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 + allow render_service sh:binder { call }; + #avc: denied { transfer } for pid=449 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 + allow render_service sh:binder { transfer }; +') + +#avc: denied { transfer } for pid=444 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=0 +#avc: denied { call } for pid=563 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=0 +allow render_service dscreen:binder { call transfer }; + +#avc: denied { call } for pid=489 comm="render_service" scontext=u:r:render_service:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=0 +allow render_service media_service:binder { call }; + +# avc: denied { use } for pid=2697, comm="/system/bin/appspawn" path="/dev/ashmem" dev="" ino=1 scontext=u:r:render_service:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow render_service media_service:fd { use }; + +allow render_service media_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d8c4cbef77072e622e0306076ba3e8cc42d9283e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/resource_schedule_service.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { setsched } for pid=270 comm="CgroupEventHand" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +debug_only(` + allow resource_schedule_service sh:process { setsched }; +') + +#avc: denied { setsched } for pid=268 comm="CgroupEventHand" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:dscreen:s0 tclass=process permissive=0 +allow resource_schedule_service dscreen:process { setsched }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9e615932978176c1158183f507aa0fc716200117 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_basic_hap.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr normal_hap_attr:binder { transfer }; + +#avc: denied { use } for pid=601 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=180 scontext=u:r:system_basic_hap:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=0 +allow system_basic_hap_attr media_service:fd { use }; + +allow system_basic_hap_attr media_service:binder { call transfer }; + +allow system_basic_hap sys_prod_file:dir { search }; + +allow system_basic_hap system_core_hap:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..c91ba2f5e24eee731d50adbcb66b00844985312a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/system_core_hap.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { use } for pid=475 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=178 scontext=u:r:system_core_hap:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 +allow system_core_hap_attr media_service:fd { use }; +#avc: denied { getattr } for pid=6124 comm="ohos.acts.multi" path="/data/service/el2/100/hmdfs/account/files/Pictures/SR001PRO/01.jpg" dev="mmcblk0p11" ino=1045005 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +allow system_core_hap_attr data_user_file:file { getattr }; +#avc: denied { read } for pid=6124 comm="ohos.acts.multi" path="/data/service/el2/100/hmdfs/account/files/Documents/Dynamic01/01.dat" dev="mmcblk0p11" ino=1044996 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 +allow system_core_hap_attr data_user_file:file { read }; +#avc: denied { getattr } for pid=6124 comm="ohos.acts.multi" path="/storage/media/local/files/Pictures/SR001PRO/01.jpg" dev="hmdfs" ino=2305843009214738957 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +allow system_core_hap_attr hmdfs:file { getattr }; +#avc: denied { call } for pid=11801 comm="AVRecorderNapi" scontext=u:r:system_core_hap:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0 +allow system_core_hap_attr av_codec_service:binder {call}; + +allow system_core_hap system_basic_hap_data_file:file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/type.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..cdd38f4cc0a6c2cb2132794398fcb9c7bdf188e5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_test_media_file, file_attr, data_file_attr; +type data_media_log_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/player/system/udevd.te b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..d479c740cfae22e25a98b8930ec2c754b574256a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/player/system/udevd.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevd data_service_file:dir { search }; +allow udevd data_service_el1_file:dir { search write ioctl add_name create getattr remove_name read }; +allow udevd data_service_el1_file:file { create write open rename ioctl }; +allowxperm udevd data_service_el1_file:file ioctl { 0x5413 }; +allow udevd data_service_el1_file:sock_file { unlink create read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter.te b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..e102d703179bf60b7140b7ca8303d21703540c0f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_library_param tmpfs:filesystem associate; +allow init media_library_param:file { map open read relabelto relabelfrom }; +allow { system_basic_hap init samgr hdf_devmgr } media_library_param:parameter_service { set }; +allow { hap_domain } media_library_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..73ae7430f6efe1736fed6cbb77a33f0f11db826d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ringtone.scanner. u:object_r:media_library_param:s0 +persist.ringtone.setting. u:object_r:media_library_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6de71cdc04058cedc46d296615b966eb4506e7dd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/ringtonelibrary_hap.te @@ -0,0 +1,25 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type ringtonelibrary_hap, normal_hap_attr, hap_domain, domain; + +type ringtonelibrary_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; + +allow ringtonelibrary_hap privacy_service:binder call; +allow storage_manager system_basic_hap:binder { call }; +allow ringtonelibrary_hap mimetype_file:file { open read getattr }; +allow ringtonelibrary_hap hmdfs:file {open read write getattr }; +allow ringtonelibrary_hap media_library_param:parameter_service { set }; +allow ringtonelibrary_hap kernel:unix_stream_socket { connectto }; +allow ringtonelibrary_hap paramservice_socket:sock_file { write }; +allow ringtonelibrary_hap media_library_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/sehap_contexts b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d40512523aa92a30577bc71d08fc3ab673b61633 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimedia/ringtone/system/sehap_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +apl=normal name=com.ohos.ringtonelibrary.ringtonelibrarydata domain=ringtonelibrary_hap type=ringtonelibrary_hap_data_file +apl=normal name=com.ohos.ringtonelibrary.ringtonelibrarydata:backup domain=ringtonelibrary_hap type=ringtonelibrary_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..56d23c656b1646553c461c19787eac25d5443dea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/multimodalinput.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type multimodalinput, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/parameter.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..b12484dc142ed56739678e44a85c0f3272f5baa3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type input_pointer_device_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevadm.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevadm.te new file mode 100644 index 0000000000000000000000000000000000000000..ec4f16b80a4195a2c207a117e19881125441414f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevadm.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type udevadm, native_system_domain, domain; +type udevadm_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevd.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..ee9bc6b12621a6149b33756bc6758951173560cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/udevd.te @@ -0,0 +1,18 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type udevd, native_system_domain, domain; + +type udevd_exec, exec_attr, file_attr, system_file_attr; +type udevd_socket, file_attr, data_file_attr; +type udevd_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput.te new file mode 100644 index 0000000000000000000000000000000000000000..7942fcd27dd1f68d15b3844aa511fc58116e4a01 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type uinput, native_system_domain, domain; +type uinput_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput_inject.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput_inject.te new file mode 100644 index 0000000000000000000000000000000000000000..45a71fd9dc2720a6ac38e4336fb58f6e22772c83 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/public/uinput_inject.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type uinput_inject, sadomain, domain; +type uinput_inject_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..2faa49980ede1ae8f23978851fdc41363fe674a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/accessibility.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility sa_foundation_abilityms:samgr_class { get }; +allow accessibility sa_multimodalinput_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/bytrace.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/bytrace.te new file mode 100644 index 0000000000000000000000000000000000000000..110382d8ba8f08c8f36a6e797b1b2972798ffc47 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/bytrace.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bytrace hdcd:fifo_file { ioctl write }; +allowxperm bytrace hdcd:fifo_file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/distributedsche.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/distributedsche.te new file mode 100644 index 0000000000000000000000000000000000000000..92be6544e59da988d272fc8dde2a57b985b68b7e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/distributedsche.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedsche accessibility:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/file_contexts b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2f4c33e016e03b1b37c5a88647729f8b611eeae2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/file_contexts @@ -0,0 +1,28 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/udevadm u:object_r:udevadm_exec:s0 + +# for udevd +/system/bin/udevd u:object_r:udevd_exec:s0 +/data/service/el1/public/udev/control u:object_r:udevd_socket:s0 + +# for uinput_inject +/system/bin/uinput_inject u:object_r:uinput_inject_exec:s0 + +# for data_multimodalinput +/data/service/el1/public/multimodalinput u:object_r:data_multimodalinput:s0 +/data/service/el1/public/multimodalinput(/.*)? u:object_r:data_multimodalinput:s0 + +# for uinput +/system/bin/uinput u:object_r:uinput_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/foundation.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c373a1811d55a9a356a75c79fd1a5791440463ee --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accessibility:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..45781ec950633b4ca14f39c98bf43a61f1eff22c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/multimodalinput.te @@ -0,0 +1,116 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput accessibility_param:file { read }; +allow multimodalinput arkcompiler_param:file { read open map }; +allow multimodalinput audio_server:binder { call }; +allow multimodalinput bootanimation:fd { use }; +allow multimodalinput data_file:dir { search }; +allow multimodalinput data_init_agent:dir { search }; +allow multimodalinput data_init_agent:file { open read append ioctl }; +allow multimodalinput data_log:dir { search write add_name create }; +allow multimodalinput data_log:file { create open read write ioctl }; +allow multimodalinput data_multimodalinput:dir { add_name create getattr open read remove_name search watch write }; +allow multimodalinput data_multimodalinput:file { create open read rename unlink write setattr getattr ioctl }; +allow multimodalinput data_service_file:dir { search }; +allow multimodalinput data_service_el1_file:dir { search }; +allow multimodalinput data_service_el1_file:file { open read }; +allow multimodalinput data_vendor:dir { search }; +allow multimodalinput dev_ashmem_file:chr_file { open }; +allow multimodalinput dev_console_file:chr_file { open read write getattr ioctl }; +allow multimodalinput dev_dri_file:dir { search }; +allow multimodalinput dev_dri_file:chr_file { open read write getattr ioctl }; +allow multimodalinput dev_kmsg_file:chr_file { open write }; +allow multimodalinput dev_input_file:chr_file { ioctl }; +allow multimodalinput dev_input_file:dir { watch open read search getattr }; +allow multimodalinput dev_unix_socket:dir { search }; +allow multimodalinput dev_unix_socket:sock_file { write }; +allow multimodalinput distributeddata:binder { call transfer }; +allow multimodalinput distributeddata:fd { use }; +allow multimodalinput allocator_host:binder { call }; +allow multimodalinput allocator_host:fd { use }; +allow multimodalinput hdf_allocator_service:hdf_devmgr_class { get }; +allow multimodalinput faultloggerd_socket:sock_file { write }; +allow multimodalinput faultloggerd:unix_stream_socket { connectto }; +allow multimodalinput foundation:binder { call transfer }; +allow multimodalinput hdf_devmgr:binder { call }; +allow multimodalinput input_pointer_device_param:parameter_service { set }; +allow multimodalinput media_service:binder { call transfer }; +allow multimodalinput multimodalinput:netlink_kobject_uevent_socket { bind create getattr setopt read }; +#allow multimodalinput multimodalinput:process { ptrace }; +allow multimodalinput musl_param:file { map open read }; +allow multimodalinput param_watcher:binder { call transfer }; +binder_call(multimodalinput, powermgr); +allow multimodalinput render_service:binder { call transfer }; +allow multimodalinput render_service:fd { use }; +allow multimodalinput resource_schedule_service:binder { call }; +allow multimodalinput resource_schedule_service:dir { search }; +allow multimodalinput rootfs:chr_file { write }; +allow multimodalinput sa_audio_policy_service:samgr_class { get }; +allow multimodalinput sa_device_service_manager:samgr_class { get }; +allow multimodalinput sa_distributeddata_service:samgr_class { get }; +allow multimodalinput sa_foundation_dms:samgr_class { get }; +allow multimodalinput sa_foundation_tel_call_manager:samgr_class { get }; +allow multimodalinput sa_foundation_wms:samgr_class { get }; +allow multimodalinput sa_media_service:samgr_class { get }; +allow multimodalinput sa_multimodalinput_service:samgr_class { get }; +allow multimodalinput sa_render_service:samgr_class { get }; +allow multimodalinput sys_file:dir { open read }; +allow multimodalinput sys_file:file { getattr open read }; +allow multimodalinput system_bin_file:dir { search }; +allow multimodalinput system_bin_file:file { execute execute_no_trans map read open }; +allow multimodalinput tracefs:dir { search }; +allow multimodalinput tracefs:file { open write }; +allow multimodalinput tracefs_trace_marker_file:file { open write }; +allow multimodalinput tty_device:chr_file { read write }; +allow multimodalinput vendor_etc_file:dir { search }; +allow multimodalinput vendor_etc_file:file { getattr open read }; +allow multimodalinput data_file:dir { remove_name }; +allow multimodalinput data_multimodalinput:file { lock }; +allow multimodalinput sysfs_devices_system_cpu:file { open read getattr }; +allow multimodalinput data_file:sock_file { setattr create unlink }; +# avc: denied { get } for service=3299 pid=722 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow multimodalinput sa_foundation_cesfwk_service:samgr_class { get }; +allow multimodalinput sa_foundation_appms:samgr_class { get }; +allow multimodalinput normal_hap_attr:binder { call }; +allow multimodalinput normal_hap_attr:fd { use }; +allow multimodalinput system_basic_hap:fd { use }; +allow init data_multimodalinput:file { getattr }; +allow multimodalinput system_fonts_file:dir { read open search }; +allow multimodalinput system_fonts_file:file { read open getattr map }; +allow multimodalinput sa_powermgr_powermgr_service:samgr_class { get }; +allow media_service multimodalinput:binder { call transfer }; +allow normal_hap_attr multimodalinput:unix_stream_socket { read write }; +allow normal_hap_attr sa_multimodalinput_service:samgr_class { get }; +allow normal_hap_attr multimodalinput:fd { use }; +allow system_basic_hap_attr multimodalinput:unix_stream_socket { read }; +allow system_basic_hap_attr multimodalinput:unix_stream_socket { read write }; +allow system_core_hap_attr multimodalinput:unix_stream_socket { read }; +allow init data_multimodalinput:dir { create getattr open read relabelfrom relabelto search setattr write }; +# avc: denied { read } scontext=u:r:useriam:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow useriam multimodalinput:unix_stream_socket { read }; +# avc: denied { get } scontext=u:r:useriam:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_multimodalinput_service:samgr_class { get }; +allowxperm multimodalinput data_log:file ioctl { 0x5413 }; +allowxperm multimodalinput dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4503 0x4560 0x4542 0x4548 0x456f 0x450a 0x4559 0x4568 0x455a 0x455b 0x4577 0x4545 0x4549 0x454a 0x4550 0x4551 0x4561 0x456c }; +allowxperm multimodalinput data_multimodalinput:file ioctl { 0x5413 }; +debug_only(` + allow multimodalinput sh:binder { call }; +') + +# avc: denied { get } for service=3704 sid=u:r:multimodalinput:s0 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_screenlock_service:s0 tclass=samgr_class permissive=0 +allow multimodalinput sa_screenlock_service:samgr_class { get }; +allow multimodalinput sys_prod_file:dir { open read }; +allow multimodalinput input_isolate_debug_hap:unix_stream_socket { read write }; +allow multimodalinput input_isolate_hap:unix_stream_socket { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..e7bacb576d045d21fe3b7cb449a63dc1607519f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/normal_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_bluetooth_server:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..1820bd52897ff6009f12110526ed04f08f4bf436 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +input.pointer.device u:object_r:input_pointer_device_param:s0 +persist.input.switch u:object_r:input_pointer_device_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevadm.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevadm.te new file mode 100644 index 0000000000000000000000000000000000000000..c7e7e390f0b790df7e662d8996a1a97f675a9ea3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevadm.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +domain_auto_transition_pattern(init, udevadm_exec, udevadm); + +#allow udevadm udevd_socket:sock_file write; +#allow udevadm udevd:unix_stream_socket { connectto }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevd.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..2dc30e96259c65b3e4d12f06a307cb4c535cda0f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/udevd.te @@ -0,0 +1,42 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(udevd); + +allow udevd data_file:dir { open search getattr rmdir }; +allow udevd data_file:file { open }; +allow udevd data_service_el1_file:dir { search write add_name create getattr remove_name read open watch rmdir }; +allow udevd data_service_el1_file:file { create unlink write open ioctl read rename }; +allow udevd data_service_el1_file:sock_file { create unlink }; +allow udevd data_service_file:dir { search }; +allow udevd data_udev:dir { rmdir }; +allow udevd dev_bus_usb_file:chr_file { setattr }; +allow udevd dev_char_file:dir { search write remove_name }; +allow udevd dev_char_file:lnk_file { unlink }; +allow udevd dev_dri_file:chr_file { getattr write }; +allow udevd dev_dri_file:dir { add_name search write }; +allow udevd dev_file:dir { add_name create write }; +allow udevd dev_file:lnk_file { create getattr }; +allow udevd dev_input_file:dir { remove_name rmdir }; +allow udevd dev_input_file:lnk_file { getattr read write unlink rename }; +allow udevd dev_ptmx:chr_file { write getattr }; +#allow udevd sh_exec:file { read open execute execute_no_trans map }; +allow udevd system_bin_file:dir { search }; +allow udevd sys_file:file { getattr open read }; +allow udevd tty_device:chr_file { open read write }; +allow udevd udevd:capability { net_admin }; +allow udevd udevd:netlink_kobject_uevent_socket { read create bind }; +allow udevd udevd:netlink_kobject_uevent_socket { getattr setopt write }; +allow udevd udevd:unix_dgram_socket { sendto read }; +allow udevd vendor_lib_file:dir { search }; +allowxperm udevd data_service_el1_file:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput.te new file mode 100644 index 0000000000000000000000000000000000000000..c1ec64fd9eb217569ddcf19f2f9fc650784ed1b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput.te @@ -0,0 +1,91 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + # for uinput run + domain_auto_transition_pattern(su, uinput_exec, uinput); + + # avc: denied { use } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fd permissive=0 + # avc: denied { ioctl } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + # avc: denied { read } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + # avc: denied { write } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + # avc: denied { read write } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0 + # avc: denied { ioctl } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + allow uinput su:fd { use }; + allow uinput su:fifo_file { ioctl read write }; + allow uinput su:unix_stream_socket { read write }; + allowxperm uinput su:fifo_file ioctl { 0x5413 }; +') + +developer_only(` + # avc: denied { get } scontext=u:r:uinput:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 + allow uinput sa_multimodalinput_service:samgr_class { get }; + + # avc: denied { read write } scontext=u:r:uinput:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 + allow uinput tty_device:chr_file { read write }; + + # avc: denied { search } for scontext=u:r:uinput:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 + allow uinput dev_unix_socket:dir { search }; + + # avc: denied { call } tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 + allow uinput multimodalinput:binder { call }; + + # avc: denied { map } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 + # avc: denied { open } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 + # avc: denied { read } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 + allow uinput arkcompiler_param:file { map open read }; + allow uinput ark_writeable_param:file { map open read }; + + # avc: denied { map } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + # avc: denied { open } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + # avc: denied { read } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + allow uinput debug_param:file { map open read }; + + # avc: denied { ioctl } scontext=u:r:uinput:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + # avc: denied { read write } scontext=u:r:uinput:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allow uinput devpts:chr_file { ioctl read write }; + + # avc: denied { read } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 + allow uinput hilog_param:file { read }; + + # avc: denied { map } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 + # avc: denied { open } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 + allow uinput hilog_param:file { map open }; + + # avc: denied { call } scontext=u:r:uinput:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0 + allow uinput samgr:binder { call }; + + # avc: denied { search } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=dir permissive=0 + allow samgr uinput:dir { search }; + + # avc: denied { transfer } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=binder permissive=1 + allow samgr uinput:binder { transfer }; + + # avc: denied { open } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=file permissive=1 + # avc: denied { read } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=file permissive=0 + allow samgr uinput:file { open read }; + + # avc: denied { getattr } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=process permissive=1 + allow samgr uinput:process { getattr }; + + # avc: denied { ioctl } scontext=u:r:uinput:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allowxperm uinput devpts:chr_file ioctl { 0x5413 }; + + #for uinput run + domain_auto_transition_pattern(sh, uinput_exec, uinput); + + allow uinput sh:fd { use }; + allow uinput sh:fifo_file { ioctl read write }; + allow uinput sh:unix_stream_socket { read write }; + allowxperm uinput sh:fifo_file ioctl { 0x5413 }; +') diff --git a/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput_inject.te b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput_inject.te new file mode 100644 index 0000000000000000000000000000000000000000..46b03d53f2da4f19247a431d1bf62208d37ef534 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/multimodalinput/input/system/uinput_inject.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +domain_auto_transition_pattern(init, uinput_inject_exec, uinput_inject); + +allow mmi_uinput_service dev_hdf_file:chr_file { ioctl }; +allow mmi_uinput_service sa_memory_manager_service:samgr_class { get }; +allow mmi_uinput_service memmgrservice:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/cem.te b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/cem.te new file mode 100644 index 0000000000000000000000000000000000000000..b406b93d294ce108db78cc00754e6411095e6f4c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/cem.te @@ -0,0 +1,72 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cem, native_system_domain, domain; +type cem_exec, exec_attr, file_attr, system_file_attr; + +developer_only(` +domain_auto_transition_pattern(sh, cem_exec, cem); +allow cem sa_foundation_cesfwk_service:samgr_class { get }; +allow cem debug_param:file { map read open }; +allow cem devpts:chr_file { ioctl read write }; +allowxperm cem devpts:chr_file ioctl 0x5413; +allow cem foundation:binder { call }; +allow cem samgr:binder { call }; +allow samgr cem:binder { call transfer }; +allow samgr cem:dir { search }; +allow samgr cem:file { read open }; +allow samgr cem:process { getattr }; +allow cem cem:hmcap { supervsable }; +allow cem chip_prod_file:dir { search }; +allow cem dev_kmsg_file:chr_file { write }; +allow cem dev_ptmx:chr_file { read write }; +allow cem dev_unix_socket:dir { search }; +allow cem tty_device:chr_file { read write }; +allow cem dev_console_file:chr_file { read write }; +allow cem persist_param:file { map read open }; +# avc: denied { use } for pid=unknown, comm=unknown, cidx=0x0 path="/system/bin/cem" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=78051464 scontext=u:r:cem:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0 +allow cem sh:fd { use }; +allow cem sh:unix_stream_socket { read write }; +allow cem sh:fifo_file { ioctl read write }; +allowxperm cem sh:fifo_file ioctl { 0x5413 }; +allow cem hdcd:fd { use }; +allow cem hdcd:unix_stream_socket { read write }; +') + +debug_only(` +domain_auto_transition_pattern(su, cem_exec, cem); +allow cem su:fd { use }; +allow cem su:unix_stream_socket { read write }; +allow cem su:fifo_file { ioctl read write }; +allowxperm cem su:fifo_file ioctl { 0x5413 }; +allow cem sa_foundation_cesfwk_service:samgr_class { get }; +allow cem debug_param:file { map read open }; +allow cem devpts:chr_file { ioctl read write }; +allowxperm cem devpts:chr_file ioctl 0x5413; +allow cem foundation:binder { call }; +allow cem samgr:binder { call }; +allow samgr cem:binder { call transfer }; +allow samgr cem:dir { search }; +allow samgr cem:file { read open }; +allow samgr cem:process { getattr }; +allow cem cem:hmcap { supervsable }; +allow cem chip_prod_file:dir { search }; +allow cem dev_kmsg_file:chr_file { write }; +allow cem dev_ptmx:chr_file { read write }; +allow cem dev_unix_socket:dir { search }; +allow cem tty_device:chr_file { read write }; +allow cem dev_console_file:chr_file { read write }; +allow cem persist_param:file { map read open }; +allow cem hdcd:fd { use }; +allow cem hdcd:unix_stream_socket { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..c20986b9255cd20f2910e8a0af07b5a6f5198737 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/cem u:object_r:cem_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..bd101d5eb5ef1619867810e4a67b6cb5f8c7b06e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/foundation.te @@ -0,0 +1,33 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation data_app_file:dir { search }; +allow foundation data_service_el1_file:dir { add_name search write }; +allow foundation data_service_el1_file:file { create getattr ioctl read write open }; +allow foundation data_service_file:dir { search }; +allow foundation dev_unix_socket:dir { search }; +allow foundation dev_unix_socket:sock_file { write }; +allow foundation distributeddata:binder { call }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation hdf_devmgr:binder { call transfer }; +allow foundation multimodalinput:unix_stream_socket { read }; +allow foundation power_host:binder { call }; +allow foundation render_service:binder { call }; +allow foundation samgr:binder { call transfer }; +allow foundation sa_time_service:samgr_class { get }; +allow foundation screenlock_server:binder { call }; +allow foundation sys_file:file { ioctl open write }; +allow foundation system_core_hap_attr:process { sigkill }; +allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; +allowxperm foundation sys_file:file ioctl { 0x5413 }; + diff --git a/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e2c03b72ff8073fc471a304c734d4bd719640682 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/common_event_service/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +hiviewdfx.ces.subscriber_limit u:object_r:hiviewdfx_hiview_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..6153cec42ecee90beb26d17a23ad60d5da445928 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/foundation.te @@ -0,0 +1,38 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accountmgr:binder { call }; +allow foundation appspawn:unix_stream_socket { connectto }; +allow foundation appspawn_socket:sock_file { write }; +allow foundation bgtaskmgr_service:binder { call }; +allow foundation data_app_el1_file:dir { search }; +allow foundation data_app_el1_file:file { getattr read }; +allow foundation data_app_file:dir { search }; +allow foundation data_service_el1_file:dir { add_name search write }; +allow foundation data_service_el1_file:file { create getattr ioctl open read write open write }; +allow foundation data_service_file:dir { search }; +allow foundation dev_mali:chr_file { ioctl }; +allow foundation allocator_host:fd { use }; +allow foundation distributeddata:binder { call transfer }; +allow foundation foundation:unix_dgram_socket { getopt setopt }; +allow foundation hiview:binder { transfer }; +allow foundation inputmethod_service:binder { call }; +allow foundation media_service:binder { call transfer }; +allow foundation power_host:binder { call }; +allow foundation samgr:binder { call transfer }; +allow foundation sa_media_service:samgr_class { get }; +allow foundation system_basic_hap_attr:binder { call }; +allow foundation system_basic_hap_attr:fd { use }; +allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; +allowxperm foundation dev_mali:chr_file ioctl { 0x801e }; + diff --git a/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..12e1bd1a66924897b4d570192c88f2287ab7e139 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_bluetooth_server:samgr_class { get }; +allow normal_hap_attr sa_time_service:samgr_class { get }; +allow normal_hap_attr time_service:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d9f23fb92b1d67160b31624fb4809ca415e21caa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/notification/distributed_notification_service/system/system_core_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_foundation_ans:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/public/type.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..73adeaae36e57690f8d6b4ee4d6a0e9b44f8e078 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type charger, sadomain, domain; +type charger_exec, exec_attr, file_attr, system_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/charger.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/charger.te new file mode 100644 index 0000000000000000000000000000000000000000..b25cf746961ee10464a40da3ef9594fd0378a50e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/charger.te @@ -0,0 +1,209 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(charger); + +#avc: denied { search } for pid=268 comm="charger" name="socket" dev="tmpfs" ino=21 scontext=u:r:charger:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow charger dev_unix_socket:dir { search }; + +#avc: denied { search } for pid=238 comm="charger" name="processdump" dev="mmcblk0p6" ino=321 scontext=u:r:charger:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow charger system_bin_file:dir { search }; + +#avc: denied { entrypoint } for pid=258 comm="charger" name="bin" dev="mmcblk0p6" ino=321 scontext=u:r:charger:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { read execute } for pid=239 comm="charger" name="bin" dev="mmcblk0p6" ino=321 scontext=u:r:charger:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=233 comm="charger" name="bin" dev="mmcblk0p6" ino=321 scontext=u:r:charger:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow charger system_bin_file:file { entrypoint map read execute }; +allow charger toybox_exec:file { entrypoint map read execute open getattr }; + +#avc: denied { entrypoint } for pid=235 comm="init" path="/vendor/bin/charger" dev="mmcblk0p6" ino=14 scontext=u:r:charger:s0 tcontext=u:charger_exec:s0 tclass=file permissive=1 +allow charger charger_exec:file { entrypoint }; + +#avc: denied { read map } for process="unknown process" parameter=startup.device.ctl pid=268 uid=6667 gid=6667 scontext=u:r:charger:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=0 +allow charger startup_param:file { open read map }; + +#avc: denied { read } for pid=307 comm="charger" name="u:object_r:ohos_param:s0" dev="tmpfs" ino=30 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=300 comm="charger" name="u:object_r:ohos_param:s0" dev="tmpfs" ino=30 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=312 comm="charger" name="u:object_r:ohos_param:s0" dev="tmpfs" ino=30 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=k +allow charger ohos_param:file { read open map }; + +#avc: denied { read } for pid=219 comm="charger" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=223 comm="charger" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=225 comm="charger" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=28 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +allow charger ohos_boot_param:file { read open map }; + +#avc: denied { read } for pid=296 comm="charger" path="/dev/parameters/u:object_r:sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:charger:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +#avc: denied { open map } for pid=296 comm="charger" path="/dev/parameters/u:object_r:sys_param:s0" dev="tmpfs" ino=48 scontext=u:r:charger:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1 +allow charger sys_param:file { read open map }; + +#avc: denied { read } for pid=281 comm="charger" name="u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:charger:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=222 comm="charger" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:charger:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=235 comm="charger" path="/dev/__parameters__/u:object_r:net_param:s0" dev="tmpfs" ino=50 scontext=u:r:charger:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=1 +allow charger net_param:file { read open map }; + +#avc: denied { read } for pid=256 comm="charger" name="u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:charger:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=265 comm="charger" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:charger:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=269 comm="charger" path="/dev/__parameters__/u:object_r:net_tcp_param:s0" dev="tmpfs" ino=51 scontext=u:r:charger:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +allow charger net_tcp_param:file { read open map }; + +#avc: denied { search } for pid=271 comm="charger" name="/" dev="mmcblk0p11" ino=3 scontext=u:r:charger:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow charger data_file:dir { search }; + +#avc: denied { write } for pid=291 comm="charger" name="paramservice" dev="tmpfs" ino=27 scontext=u:r:charger:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 +allow charger paramservice_socket:sock_file { write }; + +#avc: denied { read } for pid=204 comm="charger" name="u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=197 comm="charger" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=172 comm="charger" path="/dev/__parameters__/u:object_r:const_allow_param:s0" dev="tmpfs" ino=60 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=1 +allow charger const_allow_param:file { open read map }; + +#avc: denied { read } for pid=220 comm="charger" name="u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=0 +#avc: denied { open } for pid=234 comm="charger" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=214 comm="charger" path="/dev/__parameters__/u:object_r:const_allow_mock_param:s0" dev="tmpfs" ino=61 scontext=u:r:charger:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=1 +allow charger const_allow_mock_param:file { open read map }; + +#avc: denied { connectto } for pid=262 comm="charger" path="/dev/unix/socket/paramservice" scontext=u:r:charger:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 +allow charger kernel:unix_stream_socket { connectto }; + +#avc: denied { read } for pid=192 comm="charger" name="u:object_r:security_param:s0" dev="tmpfs" ino=64 scontext=u:r:charger:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=211 comm="charger" path="/dev/__parameters__/u:object_r:security_param:s0" dev="tmpfs" ino=64 scontext=u:r:charger:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=1 +allow charger security_param:file { open read map }; + +#avc: denied { open } for pid=212 comm="charger" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=65 scontext=u:r:charger:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=209 comm="charger" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=65 scontext=u:r:charger:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow charger hilog_param:file { open read map }; + +#avc: denied { read } for pid=205 comm="charger" name="u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:charger:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=209 comm="charger" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:charger:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=200 comm="charger" path="/dev/__parameters__/u:object_r:input_pointer_device_param:s0" dev="tmpfs" ino=73 scontext=u:r:charger:s0 tcontext=u:object_r:input_pointer_device_param:s0 tclass=file permissive=1 +allow charger input_pointer_device_param:file { open read map }; + +#avc: denied { read } for pid=258 comm="charger" name="u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:charger:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=244 comm="charger" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:charger:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=248 comm="charger" path="/dev/__parameters__/u:object_r:const_display_brightness_param:s0" dev="tmpfs" ino=74 scontext=u:r:charger:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +allow charger const_display_brightness_param:file { open read map }; + +#avc: denied { read } for pid=250 comm="hdf_devhost" name="u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:charger:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=245 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:charger:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=215 comm="hdf_devhost" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=75 scontext=u:r:charger:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +allow charger default_param:file { open read map }; + +#avc: denied { getattr } for pid=262 comm="charger" path="/dev/dev_mgr" dev="tmpfs" ino=188 scontext=u:r:charger:s0 tcontext=u:object_r:dev_mgr_file:s0 tclass=chr_file permissive=0 +allow charger dev_mgr_file:chr_file { getattr }; + +#avc: denied { search } for pid=275 comm="charger" name="service" dev="mmcblk0p11" ino=7 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0 +allow charger data_service_file:dir { search }; + +#avc: denied { search } for pid=267 comm="charger" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +#avc: denied { add_name } for pid=242 comm="charger" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +#avc: denied { read } for pid=253 comm="charger" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=253 comm="charger" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +allow charger data_service_el0_file:dir { search open read write add_name }; + +#avc: denied { read } for pid=268 comm="charger" name="capacity" dev="mmcblk0p11" ino=240 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +#avc: denied { write } for pid=296 comm="charger" name="capacity" dev="mmcblk0p11" ino=242 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0 +#avc: denied { ioctl } for pid=202 comm="charger" dev="mmcblk0p11" ino=204 ioctlcmd=0x6203 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { create } for pid=202 comm="charger" dev="mmcblk0p11" ino=204 ioctlcmd=0x6203 scontext=u:r:charger:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +allow charger data_service_el0_file:file { open read write create ioctl }; + +#avc: denied { read } for pid=306 comm="charger" name="leds" scontext=u:r:charger:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0 +allow charger sysfs_leds:dir { open read }; + +#avc: denied { call } for pid=275 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1 +allow charger hdf_devmgr:binder { call }; + +#avc: denied { call } for pid=327 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:light_host:s0 tclass=binder permissive=1 +allow charger light_host:binder { call }; + +#avc: denied { search } for pid=271 comm="charger" name="dri" dev="tmpfs" ino=81 scontext=u:r:charger:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=0 +allow charger dev_dri_file:dir { search }; + +#avc: denied { open } for pid=235 comm="charger" name="card0" dev="tmpfs" ino=83 scontext=u:r:charger:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +#avc: denied { read write } for pid=275 comm="charger" name="card0" dev="tmpfs" ino=83 scontext=u:r:charger:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +#avc: denied { map } for pid=239 comm="charger" name="card0" dev="tmpfs" ino=83 scontext=u:r:charger:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +#avc: denied { ioctl } for pid=267 comm="charger" name="card0" dev="tmpfs" ino=83 scontext=u:r:charger:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +allow charger dev_dri_file:chr_file { open ioctl read write map }; + +#avc: denied { getattr } for pid=262 comm="charger" path="/dev/hdf_input_event1" dev="tmpfs" ino=198 scontext=u:r:charger:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +#avc: denied { ioctl } for pid=253 comm="charger" path="/dev/hdf_input_event1" dev="tmpfs" ino=198 scontext=u:r:charger:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +#avc: denied { write} for pid=260 comm="charger" path="/dev/hdf_input_event1" dev="tmpfs" ino=198 scontext=u:r:charger:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +#avc: denied { map } for pid=257 comm="charger" path="/dev/hdf_input_event1" dev="tmpfs" ino=198 scontext=u:r:charger:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +#avc: denied { read } for pid=257 comm="charger" path="/dev/hdf_input_event1" dev="tmpfs" ino=198 scontext=u:r:charger:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=0 +allow charger dev_hdf_input:chr_file { getattr open read write ioctl map }; + +#avc: denied { read } for pid=271 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { create } for pid=271 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { setopt } for pid=266 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { bind } for pid=266 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:charger:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow charger charger:netlink_kobject_uevent_socket { read create setopt bind }; + +#avc: denied { get } for service=5100 pid=280 scontext=u:r:charger:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class permissive=0 +allow charger hdf_light_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=5100 pid=270 scontext=u:r:charger:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=0 +allow charger sa_device_service_manager:samgr_class { get }; + +#avc: denied { read } for pid=278 comm="charger" scontext=u:r:charger:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=278 comm="charger" scontext=u:r:charger:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow charger accessibility_param:file { open read map }; + +#avc: denied { search } for pid=271 comm="charger" name="etc" dev="mmcblk0p7" ino=20 scontext=u:r:charger:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=0 +allow charger vendor_etc_file:dir { search }; + +#avc: denied { read } for pid=275 comm="charger" name="loop00000.png" dev="mmcblk0p7" ino=31 scontext=u:r:charger:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +allow charger vendor_etc_file:file { open read }; + +#avc: denied { set } for process="unknown process" parameter=startup.device.ctl pid=268 uid=6667 gid=6667 scontext=u:r:charger:s0 tcontext=u:object_r:startup_param:s0 tclass=parameter_service permissive=0 +allow charger startup_param:parameter_service { set }; + +#avc: denied { set } for process="unknown process" parameter=startup.device.ctl pid=299 uid=6667 gid=6667 scontext=u:r:charger:s0 tcontext=u:object_r:ohos_param:s0 tclass=parameter_service permissive=0 +allow charger ohos_param:parameter_service { set }; + +#avc: denied { search } for pid=279 comm="charger" name="graphics" dev="tmpfs" ino=77 scontext=u:r:charger:s0 tcontext=u:object_r:dev_graphics_file:s0 tclass=dir permissive=0 +allow charger dev_graphics_file:dir { search }; + +#avc: denied { getattr } for pid=281 comm="charger" path="/vendor/etc/charger/resources/animation.json" dev="mmcblk0p7" ino=29 scontext=u:r:charger:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +allow charger vendor_etc_file:dir { getattr }; + +#avc: denied { getattr } for pid=281 comm="charger" path="/dev/dri/renderD128" dev="tmpfs" ino=80 scontext=u:r:charger:s0 tcontext=uobject_r:dev_dri_file:s0 tclass=chr_file permissive=0 +allow charger dev_dri_file:chr_file { getattr }; + + #avc: denied { getattr } for pid=281 comm="charger" path="/vendor/etc/charger/resources/animation.json" dev="mmcblk0p7" ino=29 scontext=u:r:charger:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=0 +allow charger vendor_etc_file:file { getattr }; + +#avc: denied { read write } for pid=281 comm="charger" name="fb0" dev="tmpfs" ino=78 scontext=u:r:charger:s0 tcontext=u:object_r:dev_graphics_file:s0 tclass=chr_file permissive=0 +#avc: denied { ioctl } for pid=278 comm="charger" path="/dev/graphics/fb0" dev="tmpfs" ino=78 ioctlcmd=0x4611 scontext=u:r:charger:s0 tcontext=u:object_r:dev_graphics_file:s0 tclass=chr_file permissive=0 +allow charger dev_graphics_file:chr_file { open read write ioctl }; + +# avc: denied { set } for process="charger" parameter=startup.device.ctl pid=277 uid=6667 gid=6667 scontext=u:r:charger:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1 +allow charger servicectrl_reboot_param:parameter_service { set }; + +#avc: denied { get } for service=display_composer_service pid=281 scontext=u:r:charger:s0 tcontext=u:object_r:hdf_display_composer_service:s0 tclass=hdf_devmgr_class permissive=0 +allow charger hdf_display_composer_service:hdf_devmgr_class { get }; + +#avc: denied { call } for pid=281 comm="charger" scontext=u:r:charger:s0 tcontext=u:r:composer_host:s0 tclass=binder permissive=0 +allow charger composer_host:binder { call }; + +allow charger dev_console_file:chr_file { read write }; + +allow charger musl_param:file { map open read }; + +allow charger chip_prod_file:dir { search }; + +allow charger dev_ashmem_file:chr_file { open }; + +allow charger sys_prod_file:dir { search }; + +allow charger composer_host:fd { use }; + +#avc: denied { open } for pid=279 comm="charger" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:charger:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow charger debug_param:file { open read map }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/composer_host.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/composer_host.te new file mode 100644 index 0000000000000000000000000000000000000000..ba3596e062febb61afe015abec2968a0b22fd5d0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/composer_host.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow composer_host charger:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..8a40197c7bc3a1d1b9c5948b88b2f53d26f050de --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/charger u:object_r:charger_exec:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..0f3c0db02d99557b08c29eb57ddcde53fd9dbd4d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/hdf_devmgr.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=379 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:charger:s0 tclass=dir permissive=1 +allow hdf_devmgr charger:dir { search }; + +#avc: denied { read } for pid=370 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:charger:s0 tclass=file permissive=1 +allow hdf_devmgr charger:file { open read }; + +#avc: denied { getattr } for pid=390 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:charger:s0 tclass=process permissive=1 +allow hdf_devmgr charger:process { getattr }; + +#avc: denied { transfer } for pid=271 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:charger:s0 tclass=binder permissive=1 +allow hdf_devmgr charger:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/init.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..d974e5e75ba81d7ce7facf34333163dc3255b51f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/init.te @@ -0,0 +1,29 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:charger:s0 tclass=process permissive=1 +# avc: denied { rlimitinh } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:charger:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:charger:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:charger:s0 tclass=process permissive=1 +allow init charger:process { getattr rlimitinh siginh transition }; + +#avc: denied { execute } for pid=235 comm="init" path="/vendor/bin/charger" dev="mmcblk0p6" ino=14 scontext=u:r:init:s0 tcontext=u:object_r:charger:s0 tclass=file permissive=1 +#avc: denied { read } for pid=217 scontext=u:r:init:s0 tcontext=u:object_r:charger_exec:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=218 scontext=u:r:init:s0 tcontext=u:object_r:charger_exec:s0 tclass=file permissive=0 +allow init charger_exec:file { execute getattr read open }; + +#avc: denied { read } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:usb_host:s0 tclass=file permissive=1 +allow init charger:file { open read }; + +#avc: denied { search } for pid=228 comm="init" name="charger" dev="mmcblk0p11" ino=31 scontext=u:r:init:s0 tcontext=u:object_r:charger:s0 tclass=dir permissive=1 +allow init charger:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..c0087f155a5ce622c95622b5009c756a5fc9fadf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/normal_hap_attr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3302 pid=2830 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_powermgr_battery_service:samgr_class { get }; +binder_call(normal_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2c500bf7082a85ee8146ff061dac497645060406 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/powermgr.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=3302 pid=608 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_powermgr_battery_service:samgr_class { add get}; + +#avc: denied { get } for service=3602 pid=577 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_miscdevice_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_miscdevice_service:samgr_class { get }; +allow powermgr devpts:chr_file { write }; +binder_call(powermgr, sensors); + +#avc: denied { get } for service=3001 sid=u:r:powermgr:s0 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=0 +allow powermgr sa_pulseaudio_audio_service:samgr_class { get }; + +debug_only(` + allow powermgr su:fd { use }; +') diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..fff15c79bb5da865290a47ea3313bb03cd500c6d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_basic_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3302 pid=1451 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_powermgr_battery_service:samgr_class { get }; +binder_call(system_basic_hap_attr, powermgr); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..63c56d8033c29824ae43438f39d0f0531da8eb93 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/system/system_core_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3302 pid=1546 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=0 +allow system_core_hap_attr sa_powermgr_battery_service:samgr_class { get }; +binder_call(system_core_hap_attr, powermgr); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/vendor/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/vendor/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..d22832918d49acf3df7dff366697764d8342ccd7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_manager/vendor/powermgr.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=battery_interface_service pid=592 scontext=u:r:powermgr:s0 tcontext=u:object_r:hdf_battery_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow powermgr hdf_battery_interface_service:hdf_devmgr_class { get }; + +#avc: denied { call } for service=light_host pid=681 scontext=u:r:powermgr:s0 tcontext=u:object_r:light_host:s0 tclass=binder permissive=1 +allow powermgr light_host:binder { call }; + +#avc: denied { get } for service=hdf_light_interface_service pid=677 scontext=u:r:powermgr:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow powermgr hdf_light_interface_service:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..ed9b114c6d75bf17fd92d1e8a3664c5aef17e4f1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_etc_batterystats_file, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..8cc34fe32466dd72fbe9c4a000c7d6ec4dc2b890 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/etc/profile/power_average.json u:object_r:system_etc_batterystats_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..214083a82622230e6fefb1f1f71482bee443aa91 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { open } for pid=1783 comm="hidumper" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1783 comm="hidumper" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1783 comm="hidumper" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow hidumper accessibility_param:file { open read map }; + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9f9c4266fcfa621f1112ba67a5ecf8122b86bbcc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hidumper_service.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3304 pid=476 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=0 +allow hidumper_service sa_powermgr_batterystats_service:samgr_class { get }; +binder_call(hidumper_service, powermgr); + +#avc: denied { open } for pid=1888 comm="sh" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1888 comm="sh" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1888 comm="sh" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow hidumper_service accessibility_param:file { open read map }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hiview.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..d0680a639f3073f7014ba9df93d67324de43724f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/hiview.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3304 pid=2168 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=0 +allow hiview sa_powermgr_batterystats_service:samgr_class { get }; +binder_call(hiview, powermgr); + +#avc: denied { open } for pid=1782 comm="sh" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1782 comm="sh" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1782 comm="sh" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow hiview accessibility_param:file { open read map }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..6db227aff5d6dc8cdb7232a88b068085441ece4b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/normal_hap_attr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3304 pid=2144 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_powermgr_batterystats_service:samgr_class { get }; +binder_call(normal_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..a67c2cd13a15422267beab38c3630b2e02304a8e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/powermgr.te @@ -0,0 +1,42 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=3304 pid=469 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=0 +allow powermgr sa_powermgr_batterystats_service:samgr_class { add get}; + +#avc: denied { read } for pid=542 comm="powermgr" name="power_average.json" dev="mmcblk0p6" ino=830 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_batterystats_file:s0 tclass=file permissive=0 +allow powermgr system_etc_batterystats_file:file { open read }; + +#avc: denied { create } for pid=520 comm="CesFwkListener" name="battery_stats.json" scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=520 comm="powermgr" path="/data/service/el0/stats/battery_stats.json" dev="mmcblk0p11" ino=6893 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=520 comm="powermgr" name="battery_stats.json" dev="mmcblk0p11" ino=6893 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +#avc: denied { write } for pid=520 comm="CesFwkListener" name="battery_stats.json" dev="mmcblk0p11" ino=6893 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +allow powermgr data_service_el0_file:file { create ioctl open read write }; + +#avc: denied { add_name } for pid=520 comm="CesFwkListener" name="battery_stats.json" scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=476 comm="powermgr" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0 +#avc: denied { write } for pid=520 comm="CesFwkListener" name="stats" dev="mmcblk0p11" ino=197 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=1 +allow powermgr data_service_el0_file:dir { add_name search write }; + +#avc: denied { get } for service=1203 pid=598 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_sys_event_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_sys_event_service:samgr_class { get }; +binder_call(powermgr, hisysevent); + +#avc: denied { ioctl } for pid=520 comm="CesFwkListener" path="/data/service/el0/stats/battery_stats.json" dev="mmcblk0p11" ino=6893 ioctlcmd=0x5413 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +allowxperm powermgr data_service_el0_file:file ioctl { 0x5413 }; + +#avc: denied { getattr } for pid=668 comm="SaInit2" path="/system/etc/profile/power_average.json" dev="mmcblk0p7" ino=752 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_batterystats_file:s0 tclass=file permissive=0 +allow powermgr system_etc_batterystats_file:file { getattr }; + +#avc: denied { search } for pid=668 comm="IPC_6_1023" name="etc" dev="mmcblk0p9" ino=12 scontext=u:r:powermgr:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=0 +allow powermgr sys_prod_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/processdump.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..14d7302f34fe7112798041760ecafb63daaf0b32 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/processdump.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { open } for pid=1777 comm="processdump" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:processdump:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1777 comm="processdump" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:processdump:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=1777 comm="processdump" path="/dev/__parameters__/u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:processdump:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1 +allow processdump accessibility_param:file { open read map }; + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..56972242e868cc1b2e16a3068444d02c34dbd9ad --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3304 pid=2578 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_powermgr_batterystats_service:samgr_class { get }; +binder_call(system_basic_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0d2840d713f4ce54deb4bd1bd3dfa876d9e0d298 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/battery_statistics/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3304 pid=1546 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_powermgr_batterystats_service:s0 tclass=samgr_class permissive=0 +allow system_core_hap_attr sa_powermgr_batterystats_service:samgr_class { get }; +binder_call(system_core_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/public/parameter.te b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..38c9febde6d2568254d2a80e0ab40e82b330fdcb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type const_display_brightness_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/console.te b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..a48fbb3395a3e3704d778ad7489e969481df2f4a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/console.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow console const_display_brightness_param:file { map open read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..2c9ed7b7ebd13db4c6b3759b5c68effffd42ffa3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/normal_hap_attr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3308 pid=3579 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_powermgr_displaymgr_service:samgr_class { get }; +binder_call(normal_hap_attr, powermgr); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..2f8db1e7ed5f489a6e53d93a2076af8173ab5892 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +const.display.brightness. u:object_r:const_display_brightness_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..e32c501cacdbe419f398a39196c2b13751fe489a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/powermgr.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3308 pid=597 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_powermgr_displaymgr_service:samgr_class { get add }; + +#avc: denied { use } for pid=522 comm="distributeddata" path="/dev/ashmem" dev="tmpfs" ino=183 scontext=u:r:powermgr:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1 +allow powermgr distributeddata:fd { use }; + +#avc: denied { get } for service=1914 pid=1434 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_device_standby:s0 tclass=samger_class permissive=0 +allow powermgr sa_device_standby:samgr_class { get }; +binder_call(powermgr, resource_schedule_service); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..fc849398eef223fb0063c37f47373a1b3fcfd144 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/display_manager/system/system_basic_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3308 pid=1552 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_powermgr_displaymgr_service:samgr_class { get }; +binder_call(system_basic_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/file.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..2c65f07f42e073eea76fe62320cdaa42fb127cea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_etc_power_mode_config_file, system_file_attr, file_attr; +type power_shell_exec, exec_attr, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..fc4b34a7b22e88cffe63a7247ecd0ccb20e0c9bc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type powermgr_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..16cadf38f03c66d9beac298b2f4e14d8a835074c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.powermgr. u:object_r:powermgr_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/power_shell.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/power_shell.te new file mode 100644 index 0000000000000000000000000000000000000000..5ab93ced14dc64d9915ce5fc4c4e565d549d5a5a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/power_shell.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type power_shell, native_system_domain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..4100c56e16fcdf4e3a6fc1d680fb0eb66fcf5c7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/public/powermgr.te @@ -0,0 +1,538 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { map } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +allow powermgr arkcompiler_param:file { read open getattr map }; + +# avc: denied { map } pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +# avc: denied { open } pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +# avc: denied { read } pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=file permissive=1 +allow powermgr bootevent_param:file { map open read }; + +# avc: denied { set } for scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=parameter_service permissive=0 +allow powermgr bootevent_param:parameter_service { set }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_samgr_param:s0 tclass=file permissive=1 +allow powermgr bootevent_samgr_param:file { map open read }; + +# avc: denied { set } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:bootevent_wms_param:s0 tclass=parameter_service permissive=1 +allow powermgr bootevent_wms_param:parameter_service { set }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:build_version_param:s0 tclass=file permissive=1 +allow powermgr build_version_param:file { map open read }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:chip_prod_file:s0 tclass=dir permissive=1 +allow powermgr chip_prod_file:dir { search }; + +# avc: denied { create } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:configfs:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:configfs:s0 tclass=dir permissive=1 +allow powermgr configfs:dir { add_name create open read remove_name rmdir search write }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:configfs:s0 tclass=file permissive=1 +allow powermgr configfs:file { open write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_allow_mock_param:s0 tclass=file permissive=1 +allow powermgr const_allow_mock_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_allow_param:s0 tclass=file permissive=1 +allow powermgr const_allow_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_build_param:s0 tclass=file permissive=1 +allow powermgr const_build_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_display_brightness_param:s0 tclass=file permissive=1 +allow powermgr const_display_brightness_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_param:s0 tclass=file permissive=1 +allow powermgr const_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_postinstall_fstab_param:s0 tclass=file permissive=1 +allow powermgr const_postinstall_fstab_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_postinstall_param:s0 tclass=file permissive=1 +allow powermgr const_postinstall_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:const_product_param:s0 tclass=file permissive=1 +allow powermgr const_product_param:file { map open read }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1 +allow powermgr data_app_el1_file:dir { search }; + +# avc: denied { getattr map read open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_app_el1_file:s0 tclass=file permissive=1 +allow powermgr data_app_el1_file:file { getattr map read open }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_app_file:s0 tclass=dir permissive=1 +allow powermgr data_app_file:dir { search }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_data_file:s0 tclass=dir permissive=1 +allow powermgr data_data_file:dir { search }; + +# avc: denied { getattr open read search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_data_pulse_dir:s0 tclass=dir permissive=1 +allow powermgr data_data_pulse_dir:dir { getattr open read search }; + +# avc: denied { lock open read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_data_pulse_dir:s0 tclass=file permissive=1 +allow powermgr data_data_pulse_dir:file { lock open read write }; + +# avc: denied { getattr open read search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_file:s0 tclass=dir permissive=1 +allow powermgr data_file:dir { getattr open read search }; + +# avc: denied { getattr map read open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_file:s0 tclass=file permissive=1 +allow powermgr data_file:file { getattr map read open }; + +# avc: denied { getattr map read open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_init_agent:s0 tclass=dir permissive=1 +allow powermgr data_init_agent:dir { search }; + +# avc: denied { create getattr map read open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_service_el1_file:s0 tclass=dir permissive=1 +allow powermgr data_service_el1_file:dir { add_name create remove_name search open write getattr rmdir setattr }; + +# avc: denied { create getattr map read open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_service_el1_file:s0 tclass=file permissive=1 +allow powermgr data_service_el1_file:file { create getattr setattr ioctl open read write append lock map unlink }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_service_file:s0 tclass=dir permissive=1 +allow powermgr data_service_file:dir { search }; + +# avc: denied { getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_service_el0_file:s0 tclass=file permissive=1 +allow powermgr data_service_el0_file:file { getattr }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:data_storage:s0 tclass=dir permissive=1 +allow powermgr data_storage:dir { search }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow powermgr debug_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +allow powermgr default_param:file { map open read }; + +# avc: denied { open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dev_ashmem_file:s0 tclass=chr_file permissive=1 +allow powermgr dev_ashmem_file:chr_file { open }; + +# avc: denied { open write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow powermgr dev_kmsg_file:chr_file { open write }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dev_console_file:s0 tclass=chr_file permissive=1 +allow powermgr dev_console_file:chr_file { read write }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dev_unix_socket:s0 tclass=dir permissive=1 +allow powermgr dev_unix_socket:dir { search }; + +# avc: denied { write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dev_unix_socket:s0 tclass=sock_file permissive=1 +allow powermgr dev_unix_socket:sock_file { write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:devinfo_private_param:s0 tclass=file permissive=1 +allow powermgr devinfo_private_param:file { map open read }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:exfat:s0 tclass=file permissive=1 +allow powermgr exfat:file { read write }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:faultloggerd:s0 tclass=fifo_file permissive=1 +allow powermgr faultloggerd:fifo_file { read }; + +# avc: denied { read open map } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:ffrt_param:s0 tclass=file permissive=1 +allow powermgr ffrt_param:file { read open map }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow powermgr powermgr:binder { call transfer }; +allow powermgr powermgr:unix_dgram_socket { getopt setopt }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:fuse_file:s0 tclass=file permissive=1 +allow powermgr fuse_file:file { read write }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=dir permissive=1 +allow powermgr hdf_ext_devmgr:dir { search }; + +# avc: denied { getattr open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1 +allow powermgr hdf_ext_devmgr:file { getattr open read }; + +# avc: denied { use } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hidumper_service:s0 tclass=fd permissive=1 +allow powermgr hidumper_service:fd { use }; + +# avc: denied { write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hidumper_service:s0 tclass=fifo_file permissive=1 +allow powermgr hidumper_service:fifo_file { write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hilog_param:s0 tclass=file permissive=1 +allow powermgr hilog_param:file { map open read }; + +# avc: denied { sendto } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hiview:s0 tclass=unix_dgram_socket permissive=1 +allow powermgr hiview:unix_dgram_socket { sendto }; + +# avc: denied { open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:hiviewdfx_hiview_param:s0 tclass=file permissive=1 +allow powermgr hiviewdfx_hiview_param:file { open read }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hmdfs:s0 tclass=file permissive=1 +allow powermgr hmdfs:file { read write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:hw_sc_build_os_param:s0 tclass=file permissive=1 +allow powermgr hw_sc_build_os_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hw_sc_build_param:s0 tclass=file permissive=1 +allow powermgr hw_sc_build_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hw_sc_param:s0 tclass=file permissive=1 +allow powermgr hw_sc_param:file { map open read }; + +# avc: denied { connectto } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 +allow powermgr init:unix_stream_socket { connectto }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:init_param:s0 tclass=file permissive=1 +allow powermgr init_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:init_svc_param:s0 tclass=file permissive=1 +allow powermgr init_svc_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:input_pointer_device_param:s0 tclass=file permissive=1 +allow powermgr input_pointer_device_param:file { map open read }; + +# avc: denied { connectto } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 +allow powermgr kernel:unix_stream_socket { connectto }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:key_enable:s0 tclass=key permissive=1 +allow powermgr key_enable:key { search }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow powermgr multimodalinput:unix_stream_socket { read write }; + +# avc: denied { map open open } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow powermgr musl_param:file { map open open}; + +# avc: denied { write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:native_socket:s0 tclass=sock_file permissive=1 +allow powermgr native_socket:sock_file { write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:net_param:s0 tclass=file permissive=1 +allow powermgr net_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:net_tcp_param:s0 tclass=file permissive=1 +allow powermgr net_tcp_param:file { map open read }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:ntfs:s0 tclass=file permissive=1 +allow powermgr ntfs:file { read write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +allow powermgr ohos_boot_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:ohos_param:s0 tclass=file permissive=1 +allow powermgr ohos_param:file { map open read }; + +# avc: denied { set } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:ohos_param:s0 tclass=parameter_service permissive=1 +allow powermgr ohos_param:parameter_service { set }; + +# avc: denied { write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:paramservice_socket:s0 tclass=sock_file permissive=1 +allow powermgr paramservice_socket:sock_file { write }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow powermgr persist_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=1 +allow powermgr persist_param:parameter_service { set }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +allow powermgr persist_sys_param:file { map open read }; + +# avc: denied { open read getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:proc_file:s0 tclass=file permissive=1 +allow powermgr proc_file:file { open read getattr }; + +# avc: denied { set } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1 +allow powermgr servicectrl_reboot_param:parameter_service { set }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:devinfo_private_param:s0 tclass=file permissive=1 +allow powermgr devinfo_private_param:file { map open read }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_privacy_service:samgr_class { get }; +binder_call(powermgr, token_sync_service); + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:security_param:s0 tclass=file permissive=1 +allow powermgr security_param:file { map open read }; + +# avc: denied { set } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:servicectrl_param:s0 tclass=parameter_service permissive=1 +allow powermgr servicectrl_param:parameter_service { set }; + +# avc: denied { semap open readt } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:startup_param:s0 tclass=file permissive=1 +allow powermgr startup_param:file { map open read }; + +# avc: denied { set } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:startup_param:s0 tclass=parameter_service permissive=1 +allow powermgr startup_param:parameter_service { set }; + +# avc: denied { open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sys_file:s0 tclass=dir permissive=1 +allow powermgr sys_file:dir { open read }; + +# avc: denied { ioctl open read write getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sys_file:s0 tclass=file permissive=1 +allow powermgr sys_file:file { ioctl open read write getattr }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sys_param:s0 tclass=file permissive=1 +allow powermgr sys_param:file { map open read }; + +# avc: denied { map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sys_usb_param:s0 tclass=file permissive=1 +allow powermgr sys_usb_param:file { map open read }; + +# avc: denied { open read getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow powermgr sysfs_devices_system_cpu:file { open read getattr }; + +# avc: denied { open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sysfs_hctosys:s0 tclass=file permissive=1 +allow powermgr sysfs_hctosys:file { open read }; + +# avc: denied { open write ioctl getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sysfs_hungtask_userlist:s0 tclass=file permissive=1 +allow powermgr sysfs_hungtask_userlist:file { open write ioctl getattr }; + +# avc: denied { open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sysfs_leds:s0 tclass=dir permissive=1 +allow powermgr sysfs_leds:dir { open read }; + +# avc: denied { open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:sysfs_rtc:s0 tclass=dir permissive=1 +allow powermgr sysfs_rtc:dir { open read }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_bin_file:s0 tclass=dir permissive=1 +allow powermgr system_bin_file:dir { search }; + +# avc: denied { getattr open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_etc_power_mode_config_file:s0 tclass=file permissive=1 +allow powermgr system_etc_power_mode_config_file:file { getattr open read }; + +# avc: denied { getattr open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_file:s0 tclass=dir permissive=1 +allow powermgr system_file:dir { getattr open read }; + +# avc: denied { getattr map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_file:s0 tclass=file permissive=1 +allow powermgr system_file:file { getattr map open read }; + +# avc: denied { getattr } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_lib_file:s0 tclass=dir permissive=1 +allow powermgr system_lib_file:dir { getattr }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_usr_file:s0 tclass=dir permissive=1 +allow powermgr system_usr_file:dir { search }; + +# avc: denied { getattr map open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_usr_file:s0 tclass=file permissive=1 +allow powermgr system_usr_file:file { getattr map open read }; + +# avc: denied { use } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_basic_hap_attr:s0 tclass=fd permissive=1 +allow powermgr system_basic_hap_attr:fd { use }; + +# avc: denied { sigkill signal } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_basic_hap_attr:s0 tclass=process permissive=1 +allow powermgr system_basic_hap_attr:process { sigkill signal }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_basic_hap_data_file_attr:s0 tclass=file permissive=1 +allow powermgr system_basic_hap_data_file_attr:file { read }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=dir permissive=1 +allow powermgr system_core_hap_attr:dir { search }; + +# avc: denied { getattr open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=file permissive=1 +allow powermgr system_core_hap_attr:file { getattr open read }; + +# avc: denied { sigkill signal } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=process permissive=1 +allow powermgr system_core_hap_attr:process { sigkill signal }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_data_file_attr:s0 tclass=file permissive=1 +allow powermgr system_core_hap_data_file_attr:file { read }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=unix_stream_socket permissive=1 +allow powermgr system_core_hap_attr:unix_stream_socket { read write }; + +# avc: denied { use } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=fd permissive=1 +allow powermgr system_core_hap_attr:fd { use }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:tracefs:s0 tclass=dir permissive=1 +allow powermgr tracefs:dir { search }; + +# avc: denied { open write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow powermgr tracefs_trace_marker_file:file { open write }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:vendor_etc_file:s0 tclass=dir permissive=1 +allow powermgr vendor_etc_file:dir { search }; + +# avc: denied { getattr open read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:vendor_etc_file:s0 tclass=file permissive=1 +allow powermgr vendor_etc_file:file { getattr open read }; + +# avc: denied { search } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:vendor_lib_file:s0 tclass=dir permissive=1 +allow powermgr vendor_lib_file:dir { search }; + +# avc: denied { read } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:vendor_lib_file:s0 tclass=file permissive=1 +allow powermgr vendor_lib_file:file { read }; + +# avc: denied { read write } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:vfat:s0 tclass=file permissive=1 +allow powermgr vfat:file { read write }; + +allowxperm powermgr data_service_el1_file:file ioctl { 0x5413 0xf50c }; +allowxperm powermgr sys_file:file ioctl { 0x5413 }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_media_service:samgr_class { get }; +binder_call(powermgr, media_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=1 +allow powermgr sa_bgtaskmgr:samgr_class { get }; +binder_call(powermgr, bgtaskmgr_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_render_service:samgr_class { get }; +binder_call(powermgr, render_service); +binder_call(render_service, powermgr); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1 +allow powermgr sa_net_conn_manager:samgr_class { get }; +binder_call(powermgr, netmanager); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_accesstoken_manager_service:samgr_class { get }; +binder_call(powermgr, accesstoken_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow powermgr sa_accountmgr:samgr_class { get }; +binder_call(powermgr, accountmgr); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_distributeddata_service:samgr_class { get }; +binder_call(powermgr, distributeddata); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_multimodalinput_service:samgr_class { get }; +binder_call(powermgr, multimodalinput); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow powermgr sa_param_watcher:samgr_class { get }; +binder_call(powermgr, param_watcher); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_privacy_service:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_sensor_service:samgr_class { get }; +binder_call(powermgr, sensors); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_time_service:samgr_class { get }; +binder_call(powermgr, time_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow powermgr sa_device_service_manager:samgr_class { get }; +binder_call(powermgr, hdf_devmgr); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_bms:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_cesfwk_service:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_devicemanager_service:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_dms:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_tel_call_manager:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_tel_call_manager:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_tel_state_registry:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_tel_state_registry:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_wms:samgr_class { get }; + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_uri_permission_mgr_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_uri_permission_mgr_service:samgr_class { get }; +binder_call(powermgr, foundation); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_accessibleabilityms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_accessibleabilityms:samgr_class { get }; +binder_call(powermgr, accessibility); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1 +allow powermgr sa_bluetooth_server:samgr_class { get }; +binder_call(powermgr, bluetooth_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_camera_service:samgr_class { get }; +binder_call(powermgr, camera_service); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_telephony_tel_core_service:samgr_class { get }; +binder_call(powermgr, telephony_sa); + +# avc: denied { get } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_memory_manager_service:samgr_class { get }; +binder_call(powermgr, memmgrservice); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hdcd:s0 tclass=binder permissive=1 +binder_call(powermgr, hdcd); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1 +binder_call(powermgr, hdf_ext_devmgr); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:hiview:s0 tclass=binder permissive=1 +binder_call(powermgr, hiview); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:power_host:s0 tclass=binder permissive=1 +binder_call(powermgr, power_host); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +binder_call(powermgr, samgr); + +# avc: denied { transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_basic_hap_attr:s0 tclass=binder permissive=1 +binder_call(powermgr, system_basic_hap_attr); + +# avc: denied { transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:system_core_hap_attr:s0 tclass=binder permissive=1 +binder_call(powermgr, system_core_hap_attr); + +# avc: denied { transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:normal_hap_attr:s0 tclass=binder permissive=1 +binder_call(powermgr, normal_hap_attr); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1 +binder_call(powermgr, wifi_manager_service); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:riladapter_host:s0 tclass=binder permissive=1 +binder_call(powermgr, riladapter_host); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=1 +binder_call(powermgr, pasteboard_service); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1 +binder_call(powermgr, dhardware); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:ui_service:s0 tclass=binder permissive=1 +binder_call(powermgr, ui_service); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:useriam:s0 tclass=binder permissive=1 +binder_call(powermgr, useriam); + +# avc: denied { call transfer } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:drm_service:s0 tclass=binder permissive=1 +binder_call(powermgr, drm_service); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=1 +binder_call(powermgr, dscreen); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:edm_sa:s0 tclass=binder permissive=1 +binder_call(powermgr, edm_sa); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=1 +binder_call(powermgr, inputmethod_service); + +# avc: denied { call } for pid=1216 scontext=u:r:powermgr:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=1 +binder_call(powermgr, memmgrservice); + +# avc: denied { call } for pid=1480 scontext=u:r:powermgr:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1 +binder_call(powermgr, distributedsche); + +# avc: denied { map open read } for pid=1480 scontext=u:r:powermgr:s0 tcontext=u:object_r:distributedsche_param:s0 tclass=file permissive=1 +allow powermgr distributedsche_param:file { map open read }; + +# avc: denied { set } for parameter=persist.powermgr.stopservice pid=1262 uid=5528 gid=1000 scontext=u:r:powermgr:s0 tcontext=u:object_r:powermgr_param:s0 tclass=parameter_service permissive=1 +allow powermgr powermgr_param:parameter_service { set }; + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9e6dfce6a30c86b5c09548a775013dd79ac1aaef --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/etc/power_config/power_mode_config.xml u:object_r:system_etc_power_mode_config_file:s0 +/system/bin/power-shell u:object_r:power_shell_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..dec249651e31227b0c2e45b15c89aeb459f689f4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/normal_hap_attr.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3301 pid=3579 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_powermgr_powermgr_service:samgr_class { get }; +binder_call(normal_hap_attr, powermgr); + +debug_only(` +#avc: denied { transfer } for pid=1615 comm="com.ohos.settin" scontext=u:r:normal_hap:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +allow normal_hap_attr sh:binder { transfer }; +') diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/power_shell.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/power_shell.te new file mode 100644 index 0000000000000000000000000000000000000000..1e64e52a1ac0be8c98254b47ed7bb30ff6502b11 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/power_shell.te @@ -0,0 +1,108 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { map } for pid=4345 comm="power-shell" path="/dev/parameters/u:object_r:debug_param:s0" dev="tmpfs" ino=148 scontext=u:r:power_shell:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=4345 comm="power-shell" path="/dev/parameters/u:object_r:debug_param:s0" dev="tmpfs" ino=148 scontext=u:r:power_shell:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=4345 comm="power-shell" path="/dev/parameters/u:object_r:debug_param:s0" dev="tmpfs" ino=148 scontext=u:r:power_shell:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow power_shell debug_param:file { map read open read }; + +# avc: denied { write } for pid=4345 comm="power-shell" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:power_shell:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow power_shell dev_kmsg_file:chr_file { write }; + +# avc: denied { search } for pid=4337 comm="power-shell" name="socket" dev="tmpfs" ino=118 scontext=u:r:power_shell:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow power_shell dev_unix_socket:dir { search }; + +# avc: denied { ioctl } for pid=4337 comm="power-shell" path="/dev/pts/2" dev="devpts" ino=5 ioctlcmd=0x5413 scontext=u:r:power_shell:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +# avc: denied { read write } for pid=4345 comm="power-shell" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:power_shell:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +# avc: denied { write } for pid=4337 comm="power-shell" path="/dev/pts/2" dev="devpts" ino=5 scontext=u:r:power_shell:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +allow power_shell devpts:chr_file { ioctl read write write }; + +# avc: denied { call } for pid=4337 comm="power-shell" scontext=u:r:power_shell:s0 tcontext=u:r:powermgr:s0 tclass=binder permissive=1 +binder_call(power_shell, powermgr); + +# avc: denied { map } for pid=4337 comm="power-shell" path="/dev/parameters/u:object_r:hilog_param:s0" dev="tmpfs" ino=144 scontext=u:r:power_shell:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=4337 comm="power-shell" path="/dev/parameters/u:object_r:hilog_param:s0" dev="tmpfs" ino=144 scontext=u:r:power_shell:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=4337 comm="power-shell" path="/dev/parameters/u:object_r:hilog_param:s0" dev="tmpfs" ino=144 scontext=u:r:power_shell:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow power_shell hilog_param:file { map read open read }; + +# avc: denied { get } for service=3301 pid=4256 scontext=u:r:power_shell:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow power_shell sa_powermgr_powermgr_service:samgr_class { get }; + +# avc: denied { call } for pid=4337 comm="power-shell" scontext=u:r:power_shell:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +allow power_shell samgr:binder { call }; + +# avc: denied { read write } for pid=4345 comm="power-shell" path="/dev/tty" dev="tmpfs" ino=115 scontext=u:r:power_shell:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow power_shell tty_device:chr_file { read write }; + +# avc: denied { ioctl } for pid=4337 comm="power-shell" path="/dev/pts/2" dev="devpts" ino=5 ioctlcmd=0x5413 scontext=u:r:power_shell:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +allowxperm power_shell devpts:chr_file ioctl { 0x5413 }; + +# avc: denied { transfer } for pid=643 comm="IPC_0_662" scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=binder permissive=1 +allow samgr power_shell:binder { transfer }; + +# avc: denied { search } for pid=643 comm="IPC_0_662" name="attr" dev="proc" ino=41686 scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=dir permissive=1 +allow samgr power_shell:dir { search }; + +# avc: denied { open } for pid=604 comm="IPC_2_629" path="/proc/4859/attr/current" dev="proc" ino=49337 scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=643 comm="IPC_0_662" path="/proc/4257/attr/current" dev="proc" ino=41687 scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=file permissive=1 +# avc: denied { read } for pid=643 comm="IPC_0_662" name="current" dev="proc" ino=41687 scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=file permissive=1 +allow samgr power_shell:file { open read open read }; + +# avc: denied { getattr } for pid=643 comm="IPC_0_662" scontext=u:r:samgr:s0 tcontext=u:r:power_shell:s0 tclass=process permissive=1 +allow samgr power_shell:process { getattr }; + +# avc: denied { use } for pid=4605, comm="/bin/power-shell" path="pipe:[350]" dev="tmpfs" ino=350 scontext=u:r:power_shell:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=1 +allow power_shell hdcd:fd { use }; + +# avc: denied { ioctl } for pid=4605, comm="/bin/power-shell" path="pipe:[350]" dev="tmpfs" ino=350 ioctlcmd=0x5413 scontext=u:r:power_shell:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 +# avc: denied { read } for pid=4605, comm="/bin/power-shell" path="pipe:[350]" dev="tmpfs" ino=350 scontext=u:r:power_shell:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 +# avc: denied { write } for pid=4605, comm="/bin/power-shell" path="pipe:[350]" dev="tmpfs" ino=350 scontext=u:r:power_shell:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 +allow power_shell hdcd:fifo_file { ioctl read write }; + +# avc: denied { ioctl } for pid=4605, comm="/bin/power-shell" path="pipe:[350]" dev="tmpfs" ino=350 ioctlcmd=0x5413 scontext=u:r:power_shell:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1 +allowxperm power_shell hdcd:fifo_file ioctl { 0x5413 }; + +debug_only(` + #for power-shell run + domain_auto_transition_pattern(su, power_shell_exec, power_shell); + + # avc: denied { get } for service=3308 pid=4719 scontext=u:r:power_shell:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1 + allow power_shell sa_powermgr_displaymgr_service:samgr_class { get }; + + # avc: denied { getattr } for pid=4346 comm="ps" path="/proc/4337" dev="proc" ino=36480 scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=dir permissive=1 + # avc: denied { search } for pid=4346 comm="ps" name="4337" dev="proc" ino=36480 scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=dir permissive=1 + # avc: denied { read open } for pid=4346 comm="ps" path="/proc/4337/cmdline" dev="proc" ino=45889 scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=file permissive=1 + # avc: denied { read } for pid=4346 comm="ps" name="cmdline" dev="proc" ino=45889 scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=file permissive=1 + # avc: denied { read } for pid=4346 comm="ps" name="0" dev="proc" ino=40752 scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=lnk_file permissive=1 + # avc: denied { getattr } for pid=4346 comm="ps" scontext=u:r:su:s0 tcontext=u:r:power_shell:s0 tclass=process permissive=1 + allow su power_shell:dir { getattr search }; + allow su power_shell:file { read open read }; + allow su power_shell:lnk_file { read }; + allow su power_shell:process { getattr }; + allow power_shell su:fd { use }; + allow power_shell su:unix_stream_socket { read write }; + allow power_shell su:fifo_file { ioctl read write }; + allowxperm power_shell su:fifo_file ioctl { 0x5413 }; +') + +developer_only(` + #for power-shell run + domain_auto_transition_pattern(sh, power_shell_exec, power_shell); + + allow sh power_shell:dir { getattr search }; + allow sh power_shell:file { read open read }; + allow sh power_shell:lnk_file { read }; + allow sh power_shell:process { getattr }; + allow power_shell sh:fd { use }; + allow power_shell sh:unix_stream_socket { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..f32ca75864c203689f370684311c256ad90c559d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/powermgr.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3301 pid=597 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +#avc: denied { add } for service=3301 pid=597 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_powermgr_powermgr_service:samgr_class { get add }; + +#avc: denied { transfer } for pid=571 comm="IPC_15_1220" scontext=u:r:powermgr:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=0 +binder_call(powermgr, sensors); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0d568ec3a98045f44f9d4a91d59dc26a3c91426e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/system/system_basic_hap.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3301 pid=1399 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_powermgr_powermgr_service:samgr_class { get }; +binder_call(system_basic_hap_attr, powermgr); + +debug_only(` +#avc: denied { transfer } for pid=1529 comm="com.ohos.settin" scontext=u:r:system_basic_hap:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 +allow system_basic_hap_attr sh:binder { transfer }; +') + +#avc: denied { ioctl } for pid=4710 comm = "system/bin/appspawn" path="/dev/bbox" dev="" ino=71 ioctlcmd=0x426a scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:dev_bbox:s0 tclass=chr_file permissive=0 +allow system_basic_hap_attr dev_bbox:chr_file { ioctl }; +allowxperm system_basic_hap_attr dev_bbox:chr_file ioctl { 0x426a 0x426d }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file.te new file mode 100644 index 0000000000000000000000000000000000000000..853094292a77c75923746b81a410afd273cd33f1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type vendor_etc_power_mode_config_file, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..cb5cc9cdcee8a856624d1500989ef500bc8b95a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/vendor/etc/power_config/power_mode_config.xml u:object_r:vendor_etc_power_mode_config_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8ee9c2e3cd23a464d40dda36d9d92b3b87e14f5c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/power_manager/vendor/powermgr.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=power_interface_service pid=597 scontext=u:r:powermgr:s0 tcontext=u:object_r:hdf_power_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow powermgr hdf_power_interface_service:hdf_devmgr_class { get }; + +allow powermgr vendor_etc_power_mode_config_file:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..b607792c5b49348f735d3b2feaf08f7c9a10b65f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_etc_thermal_file, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..75a09eb8d79090b05fa53ddba8daf717bcca970c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/etc/thermal_config(/.*)? u:object_r:system_etc_thermal_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..2bf5dd90a5f901d31cd5ae46f3fb3aacf0bc51df --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/normal_hap_attr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3303 pid=10482 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_thermal_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_powermgr_thermal_service:samgr_class { get }; +binder_call(normal_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..76a09aa39023b7738aaef10fd41588c203978638 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/powermgr.te @@ -0,0 +1,61 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=5100 pid=622 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow powermgr sa_device_service_manager:samgr_class { get }; +binder_call(powermgr, hdf_devmgr); + +#avc: denied { get } for service=3299 pid=622 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { call } for pid=472 comm="thermal" scontext=u:r:thermal:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +debug_only(` + allow powermgr sh:binder { call }; +') + +#avc: denied { call } for pid=472 comm="thermal" scontext=u:r:thermal:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1 +allow powermgr normal_hap_attr:binder { call }; + +#avc: denied { get } for service=1906 pid=470 scontext=u:r:thermal:s0 tcontext=u:object_r:sa_resource_schedule_socperf_server:s0 tclass=samgr_class permissive=1 +allow powermgr sa_resource_schedule_socperf_server:samgr_class { get }; + +#avc: denied { call } for pid=412 comm="thermal" scontext=u:r:thermal:s0 tcontext=u:r:resource_schedule_service:s0 tclass=binder permissive=1 +binder_call(powermgr, resource_schedule_service); + +#avc: denied { add } for service=3303 pid=530 scontext=u:r:thermal:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +allow powermgr vendor_etc_file:file { getattr open read }; + +#avc: denied { get } for service=3009 pid=2003 scontext=u:r:thermal:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_audio_policy_service:samgr_class { get }; +binder_call(powermgr, audio_server); + +#avc: denied { add } for service=3303 pid=487 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_thermal_service:s0 tclass=samgr_class permissive=1 +allow powermgr sa_powermgr_thermal_service:samgr_class { add get}; + +#avc: denied { search } for pid=538 comm="powermgr" name="thermal_config" dev="mmcblk0p6" ino=874 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_thermal_file:s0 tclass=dir permissive=1 +allow powermgr system_etc_thermal_file:dir { search }; + +#avc: denied { get } for service=801 pid=510 scontext=u:r:powermgr:s0 tcontext=u:object_r:sa_accessibleabilityms:s0 tclass=samgr_class permissive=1 +allow powermgr sa_accessibleabilityms:samgr_class { get }; +binder_call(powermgr, accessibility); + +#avc: denied { getattr } for pid=493 comm="powermgr" path="/system/etc/thermal_config/thermal_service_config.xml" dev="mmcblk0p6" ino=916 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_thermal_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2200 comm="powermgr" name="thermal_service_config.xml" dev="mmcblk0p6" ino=916 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_thermal_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2205 comm="powermgr" path="/system/etc/thermal_config/thermal_service_config.xml" dev="mmcblk0p6" ino=916 scontext=u:r:powermgr:s0 tcontext=u:object_r:system_etc_thermal_file:s0 tclass=file permissive=1 +allow powermgr system_etc_thermal_file:file { getattr read open }; + +#avc: denied { search } for pid=552 comm="powermgr" name="el0" dev="mmcblk0p11" ino=8 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=1 +allow powermgr data_service_el0_file:dir { search write add_name }; + +#avc: denied { read } for pid=458 comm="powermgr" name="charge" dev="mmcblk0p11" ino=4494 scontext=u:r:powermgr:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=1 +allow powermgr data_service_el0_file:file { create ioctl open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f38176431d069d6346cc49e0adcd22e2bc439520 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_basic_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3303 pid=2578 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_powermgr_thermal_service:samgr_class { get }; +binder_call(system_basic_hap_attr, powermgr); + diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..43116d4d1e9e238a901dddc4e55fd52e0eb35379 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3303 pid=1546 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=0 +allow system_core_hap_attr sa_powermgr_thermal_service:samgr_class { get }; +binder_call(system_core_hap_attr, powermgr); diff --git a/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/vendor/powermgr.te b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/vendor/powermgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2444d7d5ede1707fd5dcde46183405a7cf15eb30 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/powermgr/thermal_manager/vendor/powermgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=thermal_interface_service pid=481 scontext=u:r:powermgr:s0 tcontext=u:object_r:hdf_thermal_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow powermgr hdf_thermal_interface_service:hdf_devmgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/public/file.te b/prebuilts/api/5.0/ohos_policy/print/print_service/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..057a0cb8a080f3e1921af774908874039ee0c82e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/public/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_bin_uni_print_driver_file, system_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/public/scan_driver_file.te b/prebuilts/api/5.0/ohos_policy/print/print_service/public/scan_driver_file.te new file mode 100644 index 0000000000000000000000000000000000000000..9831219a12b3ee407ba22ec17a1c283ddda24f18 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/public/scan_driver_file.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow sane_service { data_file_attr -data_service_scan_service_driver_file }:file { execute }; +neverallow { domain -installs } data_service_scan_service_driver_file:file { write }; +neverallow { domain -installs updater_only(`-updater') } data_service_scan_service_driver_file:dir { write }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/public/type.te b/prebuilts/api/5.0/ohos_policy/print/print_service/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..7a0c90a091064712c83209b4160b0eabcd6464b0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/public/type.te @@ -0,0 +1,20 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_scan_service_driver_file, file_attr, data_file_attr; +type print_driver_exec, exec_attr, file_attr, data_file_attr; +type print_driver_tmp, file_attr, data_file_attr; +type print_driver_read, file_attr, data_file_attr; +type sane_service, sadomain, domain; +type print_driver, sadomain, domain; +domain_auto_transition_pattern(cupsd, print_driver_exec, print_driver); diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..a62b2a7e84b9625792060ae16993e5a1f85a4b4d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr print_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/cupsd.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/cupsd.te new file mode 100644 index 0000000000000000000000000000000000000000..2c2c4ae2f688d98ae26ccdcb73f1a42583a9b166 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/cupsd.te @@ -0,0 +1,63 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(cupsd); +allow cupsd data_file:dir { search }; +allow cupsd system_bin_file:dir { search getattr read open}; +allow cupsd system_bin_file:file { entrypoint execute execute_no_trans getattr map read open }; +allow cupsd toybox_exec:file { entrypoint execute execute_no_trans getattr map read open }; +allow cupsd cupsd_exec:file { entrypoint execute map read }; +allow cupsd sh_exec:file { execute execute_no_trans map open read }; +allow cupsd cupsd:tcp_socket { accept bind connect create getattr listen read setopt getopt write shutdown }; +allow cupsd data_local:dir { search }; +allow cupsd data_local_tmp:dir { getattr }; +allow cupsd dev_unix_socket:dir { search }; +allow cupsd musl_param:file { map open read }; +allow cupsd debug_param:file { map open read }; +allow cupsd netsysnative:unix_stream_socket { connectto }; +allow cupsd node:tcp_socket { node_bind }; +allow cupsd node:udp_socket { node_bind }; +allow cupsd port:tcp_socket { name_bind name_connect }; +allow cupsd proc_file:file { open read }; +allow cupsd sysfs_devices_system_cpu:file { getattr open read }; +allow cupsd cupsd:udp_socket { create setopt read write bind getattr getopt }; +allow cupsd data_service_el1_file:dir { write search }; +allow cupsd data_service_el1_public_print_service_file:dir { open read add_name remove_name search write create getattr setattr }; +allow cupsd data_service_el1_public_print_service_file:file { append open create getattr read rename setattr write open map unlink execute execute_no_trans ioctl lock }; +allowxperm cupsd data_service_el1_public_print_service_file:file ioctl { 0x5413 }; +allow cupsd print_driver_exec:dir { open read add_name remove_name search write create getattr setattr }; +allow cupsd print_driver_exec:file { append open create getattr read rename setattr write open map unlink execute execute_no_trans ioctl lock }; +allowxperm cupsd print_driver_exec:file ioctl { 0x5413 }; +allow cupsd data_service_file:dir { search }; +allow cupsd proc_cpuinfo_file:file { getattr open read }; +allow cupsd dev_console_file:chr_file { read write }; +neverallow cupsd { data_file_attr -data_service_el1_public_print_service_file -print_driver_exec }:file {execute execute_no_trans entrypoint}; +allow cupsd data_service_el1_public_print_service_file:lnk_file { read }; +allow cupsd print_driver_exec:lnk_file { read }; +allow cupsd sa_usb_service:samgr_class { get }; +allow cupsd usb_service:binder { call }; +allow cupsd tty_device:chr_file { getattr ioctl open read write }; +allowxperm cupsd tty_device:chr_file ioctl { 0x5413 }; +allow cupsd print_service:dir { search getattr }; +allow cupsd print_service:file { open read }; +allow cupsd system_fonts_file:dir { open read search }; +allow cupsd system_fonts_file:file { getattr open read }; +allow cupsd system_fonts_file:lnk_file { read }; +allow cupsd system_bin_file:lnk_file { read }; +allow cupsd system_bin_uni_print_driver_file:dir { search }; +allow cupsd system_bin_uni_print_driver_file:file { execute execute_no_trans getattr map read open }; +allow cupsd print_driver:process2 { nosuid_transition }; +allow cupsd print_driver_tmp:dir { create getattr open read search setattr write add_name remove_name }; +allow cupsd print_driver_tmp:file { create getattr open read rename setattr unlink write }; +allow cupsd print_driver_read:dir { create getattr open read search setattr write add_name remove_name }; +allow cupsd print_driver_read:file { create getattr open read rename setattr unlink write }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/print/print_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b8948016d991238226a2237a74bb053f82d06840 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/file_contexts @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/cupsd u:object_r:cupsd_exec:s0 +/system/bin/cupsfilter u:object_r:cupsd_exec:s0 +/system/bin/uni_print_driver(/.*)? u:object_r:system_bin_uni_print_driver_file:s0 +/data/service/el1/public/print_service/sane/backend(/.*)? u:object_r:data_service_scan_service_driver_file:s0 +/data/service/el1/public/print_service/sane/config(/.*)? u:object_r:data_service_sane_service_config_file:s0 +/data/service/el2/public/print_service/sane(/.*)? u:object_r:data_service_sane_service_tmp_file:s0 +/data/service/el1/public/print_service/cups/serverbin/filter u:object_r:print_driver_exec:s0 +/data/service/el1/public/print_service/cups/serverbin/backend u:object_r:print_driver_exec:s0 +/data/service/el1/public/print_service/cups/cache u:object_r:print_driver_tmp:s0 +/data/service/el1/public/print_service/cups/spool/tmp u:object_r:print_driver_tmp:s0 +/data/service/el1/public/print_service/cups/spool u:object_r:print_driver_read:s0 +/data/service/el1/public/print_service/cups/ppd u:object_r:print_driver_read:s0 diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..abc23c0309f1288905c293daeffbc988f636faf1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation print_service:binder { call transfer }; +allow foundation scan_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/init.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..5b15777b82da1f6bac8b55ca6e6193d6d0272835 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/init.te @@ -0,0 +1,31 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init print_service:process { rlimitinh siginh transition }; +allow init scan_service:process { rlimitinh siginh transition }; +allow init cupsd_exec:file { execute getattr read open }; +allow init cupsd:process { rlimitinh siginh transition }; +allow init data_service_el1_public_print_service_file:dir { add_name create write getattr open read relabelto search setattr }; +allow init data_service_el1_public_print_service_file:file { relabelto }; +allow init print_driver_exec:dir { add_name create write getattr open read relabelto search setattr }; +allow init print_driver_exec:file { relabelto }; +allow init print_driver_read:dir { add_name create write getattr open read relabelto relabelfrom search setattr }; +allow init print_driver_tmp:dir { add_name create write getattr open read relabelto search setattr }; +allow init data_service_sane_service_config_file:dir { getattr setattr open read relabelto }; +allow init data_service_sane_service_tmp_file:dir { search setattr }; +allow init data_service_scan_service_driver_file:dir { getattr setattr open read }; +allow init sane_service:dir { getattr }; +allow init scan_service:dir { getattr }; +allow init sane_service:process { rlimitinh siginh transition }; +allow init data_service_sane_service_config_file:dir { open read relabelto }; +allow init data_service_sane_service_tmp_file:dir { create getattr open read relabelto write add_name }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/installs.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..919958a93e800e0184cf8679a68716965b6f4d97 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/installs.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow installs data_service_el1_public_print_service_file:dir { add_name getattr write search }; +allow installs data_service_el1_public_print_service_file:file { create getattr ioctl setattr write open relabelto }; +allow installs data_service_scan_service_driver_file:file { getattr unlink rename }; +allowxperm installs data_service_el1_public_print_service_file:file ioctl { 0x5413 }; +allow installs print_driver_exec:dir { add_name getattr write search }; +allow installs print_driver_exec:file { create getattr ioctl setattr write open relabelto }; +allowxperm installs print_driver_exec:file ioctl { 0x5413 }; +allow installs data_service_sane_service_config_file:dir { getattr search write add_name search remove_name }; +allow installs data_service_sane_service_config_file:file { relabelto getattr unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/mdnsmanager.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/mdnsmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..578fac5913c41baa2d5b0a9a668904ffef38d087 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/mdnsmanager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow mdnsmanager scan_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a783753dce297d42e8bfe3dfe783fd3192000858 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/normal_hap.te @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr appspawn:unix_stream_socket { read write }; +allow normal_hap_attr normal_hap_data_file_attr:file { ioctl }; +allow normal_hap_attr print_service:binder { call transfer }; +allow normal_hap_attr scan_service:binder { call transfer }; +allow normal_hap_attr sa_print_service:samgr_class { get }; +allow normal_hap_attr sa_scan_service:samgr_class { get }; +allowxperm normal_hap_attr normal_hap_data_file_attr:file ioctl { 0xf501 0xf502 }; +allow normal_hap_attr print_service:tcp_socket { read write }; +allow normal_hap_attr print_service:fd { use }; +allow normal_hap_attr print_service:unix_dgram_socket { read write }; +allow normal_hap hichecker_writable_param:file { map open read }; +allow normal_hap_attr data_service_el1_public_print_service_file:file { getattr read map }; +allow normal_hap_attr print_driver_exec:file { getattr read map }; +allow normal_hap scan_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..c26936165f937d3b4f280ac426171a99e35d5aea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/param_watcher.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher print_service:binder { call }; +allow param_watcher scan_service:binder { call }; +allow param_watcher dev_kmsg_file:chr_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..090e43fa37bd9dd0ea2856a0e24fa9c555b63fd0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type scan_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..36f984677c7b513248e05a30c5a9184de8ecf272 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +scan. u:object_r:scan_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_driver.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_driver.te new file mode 100644 index 0000000000000000000000000000000000000000..817feed7da3dcffa220c128e056fa6d3f304ae71 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_driver.te @@ -0,0 +1,34 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow print_driver data_file:dir { search }; +allow print_driver cupsd:fd { use }; +allow print_driver cupsd:fifo_file { read write }; +allow print_driver print_driver_exec:dir { search }; +allow print_driver print_driver_exec:file { execute execute_no_trans }; +allow print_driver print_driver_tmp:dir { create getattr open read search setattr write add_name remove_name }; +allow print_driver print_driver_tmp:file { append create getattr open read write rename setattr unlink map }; +allow print_driver print_driver_read:file { open read }; +allow print_driver print_driver_read:dir { search }; +allow print_driver data_service_el1_file:dir { search }; +allow print_driver data_service_file:dir { search }; +allow print_driver data_service_el1_public_print_service_file:dir { search }; +allow print_driver sh_exec:file { execute execute_no_trans map open read }; +allow print_driver self:xpm { exec_allow_sa_plugin }; +neverallow print_driver { data_file_attr -print_driver_exec }:file { execute execute_no_trans }; +allow print_driver port:tcp_socket { name_connect }; +allow print_driver print_driver:tcp_socket { connect create read write }; +allow print_driver print_driver:udp_socket { connect create getattr }; +allow print_driver system_fonts_file:dir { getattr open read search }; +allow print_driver system_fonts_file:file { getattr open read }; +allow print_driver system_fonts_file:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_service.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_service.te new file mode 100644 index 0000000000000000000000000000000000000000..7f77fce8d8259ba22baa19a00d0c111bec860543 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/print_service.te @@ -0,0 +1,102 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow print_service accesstoken_service:binder { call }; +allow print_service bootevent_param:file { map open read }; +allow print_service bootevent_samgr_param:file { map open read }; +allow print_service build_version_param:file { map open read }; +allow print_service const_allow_mock_param:file { map open read }; +allow print_service const_allow_param:file { map open read }; +allow print_service const_build_param:file { map open read }; +allow print_service const_display_brightness_param:file { map open read }; +allow print_service const_param:file { map open read }; +allow print_service const_postinstall_fstab_param:file { map open read }; +allow print_service const_postinstall_param:file { map open read }; +allow print_service const_product_param:file { map open read }; +allow print_service data_file:dir { search }; +allow print_service data_service_el1_file:dir { search setattr write }; +allow print_service data_service_el1_public_print_service_file:dir { add_name search write create setattr getattr open read remove_name }; +allow print_service data_service_el1_public_print_service_file:file { create ioctl open read write open getattr setattr unlink lock}; +allow print_service data_service_file:dir { search }; +allow print_service debug_param:file { map open read }; +allow print_service default_param:file { map open read }; +allow print_service dev_unix_socket:dir { search }; +allow print_service distributedsche_param:file { map open read }; +allow print_service foundation:binder { call transfer }; +allow print_service hilog_param:file { map open read }; +allow print_service hw_sc_build_os_param:file { map open read }; +allow print_service hw_sc_build_param:file { map open read }; +allow print_service hw_sc_param:file { map open read }; +allow print_service init_param:file { map open read }; +allow print_service init_svc_param:file { map open read }; +allow print_service input_pointer_device_param:file { map open read }; +allow print_service net_param:file { map open read }; +allow print_service net_tcp_param:file { map open read }; +allow print_service ohos_boot_param:file { map open read }; +allow print_service ohos_param:file { map open read }; +allow print_service param_watcher:binder { call transfer }; +allow print_service persist_param:file { map open read }; +allow print_service persist_sys_param:file { map open read }; +allow print_service sa_accesstoken_manager_service:samgr_class { get }; +allow print_service sa_foundation_abilityms:samgr_class { get }; +allow print_service sa_foundation_cesfwk_service:samgr_class { get }; +allow print_service sa_param_watcher:samgr_class { get }; +allow print_service sa_print_service:samgr_class { add }; +allow print_service security_param:file { map open read }; +allow print_service startup_param:file { map open read }; +allow print_service sys_param:file { map open read }; +allow print_service system_basic_hap_attr:binder { call }; +allow print_service system_bin_file:dir { search getattr open read }; +allow print_service sys_usb_param:file { map open read }; +allow print_service tracefs:dir { search }; +allow print_service tracefs_trace_marker_file:file { open write }; +allow print_service print_service:unix_dgram_socket { getopt setopt }; +allow print_service sa_foundation_bms:samgr_class { get }; +allow print_service sa_accountmgr:samgr_class { get }; +allowxperm print_service data_service_el1_file:file ioctl { 0x5413 }; +allow print_service accountmgr:binder { call }; +allow print_service system_basic_hap_attr:fd { use }; +allow print_service system_basic_hap_data_file_attr:file { read }; +allow print_service system_core_hap_attr:binder { call }; +allow print_service sysfs_devices_system_cpu:file { open read getattr }; +allow print_service dev_console_file:chr_file { read write }; +allow print_service normal_hap_attr:binder { call }; +allow print_service normal_hap_attr:fd { use }; +allow print_service normal_hap_data_file_attr:file { read }; +allow print_service port:tcp_socket { name_connect }; +allow print_service print_service:tcp_socket { connect create read setopt getopt write }; +allow print_service print_service:udp_socket { bind create getattr setopt getopt write read }; +allow print_service print_service:netlink_route_socket { create nlmsg_read write read }; +allow print_service print_param:parameter_service { set }; +allow print_service kernel:unix_stream_socket { connectto }; +allow print_service paramservice_socket:sock_file { write }; +allow print_service print_param:file { open read map }; +allow print_service system_bin_file:file { getattr open read }; +allow print_service system_bin_uni_print_driver_file:dir { search open read }; +allow print_service system_bin_uni_print_driver_file:file { getattr open read map execute execute_no_trans}; +allow print_service toybox_exec:file { getattr map open read }; +neverallow { domain -print_service } print_param:parameter_service { set }; +allow print_service sa_usb_service:samgr_class { get }; +allow print_service node:tcp_socket { node_bind }; +allow print_service node:udp_socket { node_bind }; +allow print_service print_service:tcp_socket { accept bind getattr listen shutdown }; +allow print_service usb_service:binder { call }; +allow print_service sa_wifi_device_ability:samgr_class { get }; +allow print_service sa_wifi_p2p_ability:samgr_class { get }; +allow print_service wifi_manager_service:binder { call }; +allow print_service data_service_el1_public_print_service_file:lnk_file { create getattr }; +allow print_service data_service_el2_file:dir { add_name search write create read }; +allow print_service data_service_el2_file:file { create getattr read open write }; +allow print_service tty_device:chr_file { read write }; +allow print_service print_driver_exec:dir { search write add_name }; +allow print_service print_driver_exec:lnk_file { create getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/sane_service.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/sane_service.te new file mode 100644 index 0000000000000000000000000000000000000000..dbd918fe8b1b619402a67be8f5e63cd84a576379 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/sane_service.te @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sane_service data_service_el1_file:dir { search }; +allow sane_service data_service_el1_public_print_service_file:dir { search }; +allow sane_service data_service_el2_file:dir { search }; +allow sane_service data_service_file:dir { search }; +allow sane_service data_service_sane_service_config_file:dir { open read search }; +allow sane_service data_service_sane_service_config_file:file { getattr open read }; +allow sane_service data_service_sane_service_tmp_file:dir { search write add_name search write remove_name search create getattr open read rmdir }; +allow sane_service data_service_sane_service_tmp_file:file { create getattr ioctl open read write unlink append }; +allow sane_service data_service_scan_service_driver_file:dir { open read search }; +allow sane_service data_service_scan_service_driver_file:file { getattr map open read execute read }; +allow sane_service dev_bus:dir { search }; +allow sane_service dev_bus_usb_file:chr_file { ioctl open read write }; +allow sane_service dev_bus_usb_file:dir { open read search }; +allow sane_service dev_bus_usb_file:file { open read }; +allowxperm sane_service dev_bus_usb_file:chr_file ioctl { 0x551a 0x550a 0x550d 0x5504 0x550f 0x5510 0x5508 0x550b }; +allow sane_service dev_unix_socket:dir { search }; +allow sane_service node:udp_socket { node_bind }; +allow sane_service port:tcp_socket { name_connect }; +allow sane_service sa_sane_service:samgr_class { add }; +allow sane_service sane_service:netlink_kobject_uevent_socket { bind create read setopt }; +allow sane_service sane_service:netlink_route_socket { create nlmsg_read read write }; +allow sane_service sane_service:tcp_socket { connect create getopt read setopt write shutdown }; +allow sane_service sane_service:udp_socket { bind create ioctl read setopt write getattr }; +allow sane_service sane_service:unix_dgram_socket { getopt setopt }; +allowxperm sane_service data_service_sane_service_tmp_file:file ioctl { 0x5413 }; +allowxperm sane_service sane_service:udp_socket ioctl { 0x8912 0x8915 0x891b }; +allow sane_service sys_file:dir { open read }; +allow sane_service self:xpm { exec_allow_sa_plugin }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/scan_service.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/scan_service.te new file mode 100644 index 0000000000000000000000000000000000000000..344e46e3755da505c11384ae63d6c34a1f8d7d15 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/scan_service.te @@ -0,0 +1,72 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow scan_service dev_unix_socket:dir { search }; +allow scan_service sa_comm_mdns_manager_service:samgr_class { get }; +allow scan_service sa_scan_service:samgr_class { add }; +allow scan_service scan_service:netlink_kobject_uevent_socket { read bind create setopt}; +allow scan_service scan_service:tcp_socket { create read write connect getopt setopt }; +allow scan_service arkcompiler_param:file { open read map }; +allow scan_service debug_param:file { map open read }; +allow scan_service dev_kmsg_file:chr_file { write open }; +allow scan_service hilog_param:file { map open read }; +allow scan_service mdnsmanager:binder { call transfer }; +allow scan_service port:tcp_socket { name_connect }; +allow scan_service tracefs:dir { search }; +allow scan_service data_file:dir { search }; +allow scan_service data_service_el1_file:dir { search }; +allow scan_service data_service_el1_public_print_service_file:dir { search remove_name add_name write getattr }; +allow scan_service data_service_el1_public_print_service_file:file { read unlink create ioctl write getattr open }; +allow scan_service data_service_el1_public_print_service_file:lnk_file { read }; +allow scan_service data_service_file:dir { search }; +allow scan_service debug_hap:binder { call }; +allow scan_service scan_service:udp_socket { ioctl read write create setopt bind getattr }; +allow scan_service sysfs_devices_system_cpu:file { getattr open read }; +allow scan_service dev_bus:dir { search }; +allow scan_service dev_bus_usb_file:dir { open read search }; +allow scan_service dev_bus_usb_file:chr_file { ioctl open read write }; +allow scan_service proc_cpuinfo_file:file { getattr open read }; +allow scan_service netsysnative:unix_stream_socket { connectto }; +allow scan_service normal_hap:binder { call }; +allow scan_service normal_hap:fd { use }; +allow scan_service system_basic_hap:binder { call }; +allow scan_service system_basic_hap:fd { use }; +allow scan_service sys_file:dir { open read }; +allow scan_service system_bin_file:dir { search }; +allow scan_service scan_service:netlink_route_socket { create nlmsg_read nlmsg_readpriv write }; +allow scan_service sys_file:file { read open }; +allow scan_service usb_service:binder { call }; +allow scan_service sa_usb_service:samgr_class { get }; +allowxperm scan_service scan_service:udp_socket ioctl { 0x8912 0x8915 0x891b }; +allowxperm scan_service data_service_el1_public_print_service_file:file ioctl { 0x5413 }; +allowxperm scan_service dev_bus_usb_file:chr_file ioctl { 0x5504 0x550a 0x550d 0x550f 0x5510 0x551a 0x5508 0x550b }; +allow scan_service scan_service:unix_dgram_socket { setopt getopt ioctl }; +allowxperm scan_service scan_service:unix_dgram_socket ioctl { 0x8910 }; +allow scan_service foundation:binder { call transfer }; +allow scan_service debugfs_usb:dir { search }; +allow scan_service sa_foundation_cesfwk_service:samgr_class { get }; +allow scan_service persist_param:file { read open map }; +allow scan_service data_service_el2_file:dir { add_name remove_name search write }; +allow scan_service data_service_el2_file:file { create getattr ioctl open read write unlink append }; +allowxperm scan_service data_service_el2_file:file ioctl { 0x5413 }; +allow scan_service data_service_el1_public_print_service_file:dir { open read }; +allow scan_service data_service_el2_file:dir { getattr }; +allow scan_service node:udp_socket { node_bind }; +allow init data_service_el1_public_print_service_file:dir { relabelfrom }; +allow init data_service_scan_service_driver_file:dir { relabelto }; +allow data_service_scan_service_driver_file labeledfs:filesystem { associate }; +allow installs data_service_scan_service_driver_file:file { relabelto }; +allow installs data_service_scan_service_driver_file:dir { write add_name search getattr remove_name }; +allow scan_service dev_bus_usb_file:file { open read }; +allow scan_service sa_sane_service:samgr_class { get }; +allow scan_service sane_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/service.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..949d36832a66e2e1d986e4c4b94e25f1a567ad12 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_print_service, sa_service_attr; +type sa_scan_service, sa_service_attr; +type sa_sane_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/service_contexts b/prebuilts/api/5.0/ohos_policy/print/print_service/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..bed83b26e5eef42f6002d515d0d9688aa23819da --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/service_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3707 u:object_r:sa_print_service:s0 +3708 u:object_r:sa_scan_service:s0 +3709 u:object_r:sa_sane_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..70a7ed97aa157154092098573ab149aefa6b3c53 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_basic_hap.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr print_service:binder { call transfer }; +allow system_basic_hap_attr sa_print_service:samgr_class { get }; +allow system_basic_hap_attr system_basic_hap_data_file_attr:file { getattr }; +allow system_basic_hap_attr scan_service:binder { call transfer }; +allow system_basic_hap_attr sa_scan_service:samgr_class { get }; +allow system_basic_hap_attr hichecker_writable_param:file { map open read }; +allow system_basic_hap_attr hichecker_writable_param:file { map open read }; +allow system_basic_hap_attr data_service_el1_public_print_service_file:file { getattr read }; +allow system_basic_hap_attr print_driver_exec:file { getattr read }; +allow system_basic_hap_attr scan_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9a8c013eb7a23504b9a989dde6f87cfffc973bc0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr print_service:binder { call transfer }; +allow system_core_hap_attr sa_print_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/type.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..491369d775052cd47d6528c037d38d648feea14a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/type.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type print_service, sadomain, domain; +type cupsd_exec, exec_attr, file_attr, system_file_attr; +type scan_service, sadomain, domain; +type data_service_sane_service_config_file, file_attr, data_file_attr; +type data_service_sane_service_tmp_file, file_attr, data_file_attr; +#domain_auto_transition_pattern(init, cupsd_exec, cupsd); + diff --git a/prebuilts/api/5.0/ohos_policy/print/print_service/system/wifi_manager_service.te b/prebuilts/api/5.0/ohos_policy/print/print_service/system/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..f5709b729b67b9e76137fc836965d0b7acaaca41 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/print/print_service/system/wifi_manager_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service print_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/request/public/download_server.te b/prebuilts/api/5.0/ohos_policy/request/public/download_server.te new file mode 100644 index 0000000000000000000000000000000000000000..e720b6dc6910e7574dcea97e2b778dd5fdde70a5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/request/public/download_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#allow Perception of upload and download scene(Overlay scene recognition) +allow download_server resource_schedule_service:binder {call}; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/public/bgtaskmgr_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/public/bgtaskmgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b60670b8db1de26a84c164437a8c534e212ecddb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/public/bgtaskmgr_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type bgtaskmgr_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ffa70a92aca1d127ff82296c4eef528673f18dc7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/bgtaskmgr_service.te @@ -0,0 +1,178 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#moke test +#avc: denied { search } for pid=488 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow bgtaskmgr_service data_file:dir { search }; + +# device start-up +#avc: denied { search } for pid=1067, ino=171 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow bgtaskmgr_service dev_unix_socket:dir { search }; +#avc: denied { search } for pid=1067, ino=4022 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=1 +allow bgtaskmgr_service sys_prod_file:dir { search }; +#avc: denied { map } for pid=1067, ino=12 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1067, ino=12 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1067, ino=12 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1067, ino=12 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=file permissive=1 +allow bgtaskmgr_service chip_prod_file:file { map open read getattr }; +#avc: denied { search } for pid=1067, ino=6413 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +allow bgtaskmgr_service system_usr_file:dir { search }; +#avc: denied { getopt } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:bgtaskmgr_service:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:bgtaskmgr_service:s0 tclass=unix_dgram_socket permissive=1 +allow bgtaskmgr_service bgtaskmgr_service:unix_dgram_socket { getopt setopt }; +allow bgtaskmgr_service tracefs:dir { search }; +allow bgtaskmgr_service tracefs_trace_marker_file:file { open write }; +#avc: denied { get } for service=401 pid=473 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_accountmgr:samgr_class { get }; +#avc: denied { get } for service=3299 pid=1173 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_foundation_cesfwk_service:samgr_class { get }; +#avc: denied { get } for service=3203 pid=1173 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_foundation_ans:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_foundation_ans:samgr_class { get }; +#avc: denied { add } for service=1904 pid=1059 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_work_schedule_service:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_work_schedule_service:samgr_class { add }; +#avc: denied { search } for pid=1059, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_storage:s0 tclass=dir permissive=0 +allow bgtaskmgr_service data_storage:dir { search }; +#avc: denied { read } for pid=1059, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0 +allow bgtaskmgr_service persist_param:file { read }; +#avc: denied { read write } for pid=53703, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 +allow bgtaskmgr_service tty_device:chr_file { read write }; +#avc: denied { write } for pid=53703, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0 +allow bgtaskmgr_service dev_kmsg_file:chr_file { write }; + +# workschedule task get cpu info +#avc: denied { read } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow bgtaskmgr_service sysfs_devices_system_cpu:file { read }; +#avc: denied { get } for service=1067 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_hiview_service:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_hiview_service:samgr_class { get }; +#avc: denied { open } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 +allow bgtaskmgr_service proc_meminfo_file:file { open read }; +#avc: denied { get } for service=5300 sid=u:r:bgtaskmgr_service:s0 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_ark_aot_compiler:s0 tclass=samgr_class +allow bgtaskmgr_service sa_ark_aot_compiler:samgr_class { get }; +# workschedule use reportData +allow bgtaskmgr_service sa_resource_schedule:samgr_class { get }; + +# device_usage_stats database read/write, Record events,bgtask info persistence +#avc: denied { search } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { add_name } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow bgtaskmgr_service data_service_el1_file:dir { add_name write search read}; +#avc: denied { ioctl } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { create } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +#avc: denied { lock } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow bgtaskmgr_service data_service_el1_file:file { create getattr ioctl open read write lock setattr}; +allow bgtaskmgr_service data_service_file:dir { search }; +#avc: denied { 0x5413 } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file ioctl permissive=1 +#avc: denied { 0xf50c } for pid=1067, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file ioctl permissive=1 +allowxperm bgtaskmgr_service data_service_el1_file:file ioctl { 0x5413 0xf50c 0xf546 0xf547 }; +#avc: denied { get } for service=1301 pid=1014 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_distributeddata_service:samgr_class { get }; +#avc: denied { call } for pid=1070, commm="/system/bin/sa_main" scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +allow bgtaskmgr_service distributeddata:binder { call }; +#avc: denied { transfer } for pid=1594, commm="/system/bin/sa_main" scontext=u:r:distributeddata:s0 tcontext=u:r:bgtaskmgr_service:s0 tclass=binder permissive=0 +allow distributeddata bgtaskmgr_service:binder { transfer }; +#avc: denied { use } for pid=1417, comm="/system/bin/sa_main" path="/dev/ashmen" dev="" ino=1 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=0 +allow bgtaskmgr_service distributeddata:fd { use }; + +# transient task apply +#avc: denied { search } for pid=1114, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0 +allow bgtaskmgr_service data_app_file:dir { search }; + +# transient task set/get param +#avc: denied { read open map } for pid=53703, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 +allow bgtaskmgr_service persist_sys_param:file { read open map }; + +# continous task apply +#avc: denied { get } for service=1067 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_foundation_abilityms:samgr_class { get }; +#avc: denied { search } for scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=0 +allow bgtaskmgr_service data_app_el1_file:dir { search }; + +# get service from samgr +#avc: denied { get } for service=1067 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_bgtaskmgr:samgr_class { get }; + +# get power and net service +#avc: denied { call } for pid=1137, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1137, scontext=u:r:bgtaskmgr_service:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=1 +allow bgtaskmgr_service netmanager:binder { call transfer }; +#avc: denied { get } for service=1067 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class +allow bgtaskmgr_service sa_powermgr_thermal_service:samgr_class { get }; +#avc: denied { get } for service=1151 pid=1063 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_net_conn_manager:samgr_class { get }; +#avc: denied { get } for service=3302 pid=1063 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=0 +allow bgtaskmgr_service sa_powermgr_battery_service:samgr_class { get }; +#avc: denied { get } for service=3301 pid=282 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_powermgr_powermgr_service:samgr_class { get }; + +# Add the corresponding selinux permission +# for the device_usage_stats.service process +# from security_selinux_adapter\sepolicy\base\te\device_usage_stats_service.te +# device_usage_stats IPC authentication, get current user +#avc: denied { get } for service=3301 pid=282 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_accesstoken_manager_service:samgr_class { get }; +#avc: denied { get } for service=3301 pid=282 scontext=u:r:bgtaskmgr_service:s0 tcontext=u:object_r:sa_device_usage_statistics_service:s0 tclass=samgr_class permissive=1 +allow bgtaskmgr_service sa_device_usage_statistics_service:samgr_class { get add }; +# device_usage_stats Event timing usage,workschedule task trigger,get device start-up time +allow bgtaskmgr_service sa_time_service:samgr_class { get }; + +allow audio_server bgtaskmgr_service:binder { call transfer }; +allow hiview bgtaskmgr_service:dir { getattr open read }; +allow hiview bgtaskmgr_service:file { getattr }; + +# Due to the merging of the device_usage_stats_service process +# into the bgtaskmgr_service process, +# it is necessary to add the corresponding selinux permission +# for the device_usage_stats.service process. +# device_usage_stats interface call and return result +allow normal_hap_attr sa_device_usage_statistics_service:samgr_class { get }; +allow system_basic_hap_attr sa_device_usage_statistics_service:samgr_class { get }; +allow system_core_hap_attr sa_device_usage_statistics_service:samgr_class { get }; + +debug_only(` + allow bgtaskmgr_service debug_param:file { map open read }; +') + +binder_call(bgtaskmgr_service, accountmgr); +binder_call(bgtaskmgr_service, accesstoken_service); +binder_call(bgtaskmgr_service, device_usage_stats_service); +binder_call(bgtaskmgr_service, foundation); +binder_call(bgtaskmgr_service, memmgrservice); +binder_call(bgtaskmgr_service, normal_hap_attr); +binder_call(bgtaskmgr_service, param_watcher); +binder_call(bgtaskmgr_service, powermgr); +binder_call(bgtaskmgr_service, resource_schedule_service); +binder_call(bgtaskmgr_service, system_core_hap_attr); +binder_call(bgtaskmgr_service, system_basic_hap_attr); +binder_call(bgtaskmgr_service, hiview); +binder_call(bgtaskmgr_service, distributedsche); +binder_call(bgtaskmgr_service, bluetooth_service); +binder_call(bgtaskmgr_service, time_service); +binder_call(normal_hap_attr, bgtaskmgr_service); +binder_call(system_core_hap_attr, bgtaskmgr_service); +binder_call(param_watcher, bgtaskmgr_service); +binder_call(foundation, bgtaskmgr_service); +binder_call(powermgr, bgtaskmgr_service); +binder_call(hiview, bgtaskmgr_service); +binder_call(distributedsche, bgtaskmgr_service); +binder_call(bluetooth_service, bgtaskmgr_service); +binder_call(system_basic_hap_attr, bgtaskmgr_service); + +debug_only(` + binder_call(bgtaskmgr_service, sh); +') diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..d3a98f4d87918895c11db07436dd4efd69d885ad --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type app_el1_bundle_public, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file_contexts b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..133c488f23ab1795ca516ef79bfa023c95f8da5c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/app/el1/bundle/public(/.*)? u:object_r:app_el1_bundle_public:s0 diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/foundation.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..007eef32e951d11cd6c090469ee6f501e70f0c71 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/foundation.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation bgtaskmgr_service:binder { call transfer }; + +allow foundation device_usage_stats_service:binder { call transfer }; +allow foundation sa_resource_schedule:samgr_class { get }; +allow foundation bgtaskmgr_service:dir { search }; +allow foundation bgtaskmgr_service:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..aa71195a48cea4574f1f2718dc56b8f783f2b6c8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr sa_bgtaskmgr:samgr_class { get }; +allow normal_hap_attr sa_work_schedule_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/samgr.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..9b36c4c9c9b184fc444de0ae35e4e935e813985c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/samgr.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr bgtaskmgr_service:binder { call transfer }; +allow samgr bgtaskmgr_service:dir { search }; +allow samgr bgtaskmgr_service:file { open read }; +allow samgr bgtaskmgr_service:process { getattr }; + +allow samgr device_usage_stats_service:binder { call transfer }; +allow samgr device_usage_stats_service:dir { search }; +allow samgr device_usage_stats_service:file { open read }; +allow samgr device_usage_stats_service:process { getattr }; + +allow samgr work_scheduler_service:binder { call transfer }; +allow samgr work_scheduler_service:dir { search }; +allow samgr work_scheduler_service:file { open read }; +allow samgr work_scheduler_service:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8dbd3576dc9b760cd177816cd6bc43983addddd8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/background_task_mgr/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr bluetooth_service:fd { use }; +allow system_basic_hap_attr bluetooth_service:unix_stream_socket { read write shutdown }; +allow system_basic_hap_attr softbus_server:fd { use }; +allow system_basic_hap_attr sa_bgtaskmgr:samgr_class { get }; +allow system_core_hap_attr sa_bgtaskmgr:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/attributes b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..d49b27cc0469329911cca88c439ef88c90055ddd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute dev_auth_ctrl_violator_chr_file; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/other.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/other.te new file mode 100644 index 0000000000000000000000000000000000000000..f09fbe2c2e22be034a103b1da917a93f745eb0a1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/public/other.te @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type concurrent_task_service, sadomain, domain; + +#never_allow +neverallow { domain -concurrent_task_service -resource_schedule_service -udevd } dev_sched_rtg_ctrl:chr_file { write }; +neverallow { domain -concurrent_task_service -dev_auth_ctrl_violator_chr_file -udevd } dev_auth_ctrl:chr_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fd5412854b0b3820e6e68a5ef3804304fc239a71 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/concurrent_task_service.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#service_binder +allow concurrent_task_service foundation:binder { call transfer }; + +#system +allow concurrent_task_service system_basic_hap_attr:process { setsched }; +allow concurrent_task_service system_core_hap_attr:process { setsched }; +allow concurrent_task_service system_usr_file:dir { search map }; +allow concurrent_task_service system_usr_file:file { getattr read }; +allow concurrent_task_service system_lib_file:dir { search }; +allow concurrent_task_service system_lib_file:file { getattr map open read }; +allow concurrent_task_service system_etc_file:dir { search }; +allow concurrent_task_service system_etc_file:file { getattr map open read }; +allow concurrent_task_service vendor_etc_file:dir { search }; +allow concurrent_task_service vendor_etc_file:file { getattr map open read }; +allow concurrent_task_service sa_concurrent_task_service:samgr_class { add }; +allow concurrent_task_service sys_prod_file:dir { search }; +allow concurrent_task_service sys_prod_file:file { open read }; +#ui_service +allow concurrent_task_service ui_service:process { setsched }; +#normal_hap +allow concurrent_task_service normal_hap_attr:process { setsched }; +#rtg_dev +allow concurrent_task_service dev_sched_rtg_ctrl:chr_file { ioctl open read write }; +allow concurrent_task_service dev_auth_ctrl:chr_file { ioctl open read write }; +#dev +allow concurrent_task_service dev_unix_socket:dir { search }; +allow concurrent_task_service dev_unix_socket:sock_file { write }; +allow concurrent_task_service hilog_param:file { map open read }; +allow concurrent_task_service debug_param:file { map open read }; +#persist param +allow concurrent_task_service paramservice_socket:sock_file { write }; +allow concurrent_task_service kernel:unix_stream_socket { connectto }; +allow concurrent_task_service persist_param:file { read open map }; +allow concurrent_task_service persist_param:parameter_service { set }; +#cgroup +allow concurrent_task_service cgroup:dir { search open read write }; +allow concurrent_task_service cgroup:file { open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/other.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/other.te new file mode 100644 index 0000000000000000000000000000000000000000..11b1e41e419d4f565dfe4115b045f5c5854440c7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/concurrent_task_service/system/other.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#init +allow init concurrent_task_service:process { rlimitinh siginh transition }; +dontaudit init concurrent_task_service:process { noatsecure }; +#normal_hap +allow normal_hap_attr sa_concurrent_task_service:samgr_class { get }; +allow normal_hap_attr concurrent_task_service:binder { call }; +#system_core_hap +allow system_core_hap_attr sa_concurrent_task_service:samgr_class { get }; +allow system_core_hap_attr concurrent_task_service:binder { call }; +#system_basic_hap +allow system_basic_hap_attr sa_concurrent_task_service:samgr_class { get }; +allow system_basic_hap_attr concurrent_task_service:binder { call }; +#resource_schedule_service +allow resource_schedule_service sa_concurrent_task_service:samgr_class { get }; +allow resource_schedule_service concurrent_task_service:binder { call }; +#hiview +allow hiview concurrent_task_service:dir { search }; +allow hiview concurrent_task_service:file { open read }; +#ui_service +allow ui_service sa_concurrent_task_service:samgr_class { get }; +allow ui_service concurrent_task_service:binder { call }; +#foundation +allow foundation concurrent_task_service:binder { call transfer }; +#dev_auth_ctrl +allow init dev_auth_ctrl:chr_file { setattr }; +allow udevd dev_auth_ctrl:chr_file { getattr write }; +allow ueventd dev_auth_ctrl:chr_file { relabelto }; +#ffrt_param +allow init render_service:file { getattr }; +allow render_service ffrt_param:parameter_service { set }; +allow render_service ffrt_param:file { read open map }; +allow render_service sa_concurrent_task_service:samgr_class { get }; +allow render_service concurrent_task_service:binder { call }; +allow normal_hap_attr ffrt_param:file { read open map }; +allow system_basic_hap_attr ffrt_param:file { read open map }; +allow system_core_hap_attr ffrt_param:file { read open map }; +allow foundation ffrt_param:file { read open map }; +allow foundation sa_concurrent_task_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/device_standby/system/foundation.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/device_standby/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ed305ff2fa94587df3b5c4eec7c93e32c067a3c1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/device_standby/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation sa_device_standby:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/device_usage_statistics/public/device_usage_stats_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/device_usage_statistics/public/device_usage_stats_service.te new file mode 100644 index 0000000000000000000000000000000000000000..439193d00710f776f23277b1679fc19b12cf9951 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/device_usage_statistics/public/device_usage_stats_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type device_usage_stats_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/file.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..5908dfbfb298c6a1eda71f6c3c7785a7fa433563 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/file.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type tracefs_trace_marker_file, fs_attr; +# resource_schedule_service config file +type sys_prod_ressched_file, sys_prod_file_attr, file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..7d79d90fd578525cb03fa7e3e8726f0f55c6d505 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/resource_schedule_service.te @@ -0,0 +1,23 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type resource_schedule_service, sadomain, domain; +type sa_task_heartbeat_mgr, sa_service_attr; +#allow resource_schedule_service set system parameter to record systemload level +type resourceschedule_writeable_param, parameter_attr; +type resource_schedule_executor, sadomain, domain; +type sa_resource_schedule_executor, sa_service_attr; + +#allow Perception of upload and download scene(Overlay scene recognition) +allow resource_schedule_service sa_download_service:samgr_class { get }; +allow resource_schedule_service download_server:binder {call transfer}; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/service_contexts b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f31b3c02a63aa2ec7e47b5a8d1e35b12f46ca637 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/public/service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +1915 u:object_r:sa_task_heartbeat_mgr:s0 +1918 u:object_r:sa_resource_schedule_executor:s0 diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..9914ab605ce1dde43569715b92c66fb1393a530a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/audio_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/av_session.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/av_session.te new file mode 100644 index 0000000000000000000000000000000000000000..3716109026da480edff09348061fcab783588a0c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/av_session.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#av_session +allow av_session resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..7895dd6291dd834151a3c2229a280107b54e7e7f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# resource_schedule_service config file +/sys_prod/etc/ressched(/.*)? u:object_r:sys_prod_ressched_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ef622b3a64c246f85eccf8522c1237c0a8112df0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#foundation +allow foundation resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/hiview.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..9a291278f1799b7f4093a8a814cc9bef1e2903f0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/hiview.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#hiview +allow hiview resource_schedule_service:dir { getattr }; +allow hiview resource_schedule_service:file { getattr read }; +allow hiview resource_schedule_service:dir { search }; +allow hiview resource_schedule_service:file { open read }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/init.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..326712eea8336a7a7acee186f6f0ac9e7ac6ae34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#init +allow init resource_schedule_service:process { rlimitinh siginh transition }; +allow init resource_schedule_executor:process { rlimitinh siginh transition }; +dontaudit init resource_schedule_service:process { noatsecure }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/msdp_sa.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..d66f3220b8b0c6c7eda82a401d90f8df1c1fe552 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/msdp_sa.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#msdp_sa +allow msdp_sa resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..d1222cf2babfce69355cee66addea7b4b2dc352b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/normal_hap_attr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#transfer : allow normal_hap_attr register systemload callback to rss +allow normal_hap_attr resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..3c2135720aa39a449b323d9366b9d7d7339f238e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#param_watcher +allow param_watcher resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b73d403e8a478792c5f452d60fed263b7454deb7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#allow resource_schedule_service set system parameter to record systemload level +resourceschedule.systemload.level u:object_r:resourceschedule_writeable_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/render_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..022f23e7284f29c8b80ef3d7b9fdc5f11a3d64d3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/render_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#render_service +allow render_service resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1e8ec09db789e28e60ceefab1b18e68aaab63d00 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/resource_schedule_service.te @@ -0,0 +1,200 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#resource_schedule_service +allow resource_schedule_service accesstoken_service:binder { call }; +binder_call(resource_schedule_service, powermgr); +allow resource_schedule_service param_watcher:binder { call transfer }; +allow resource_schedule_service bgtaskmgr_service:binder { call transfer }; +allow resource_schedule_service audio_server:binder { call transfer }; +allow resource_schedule_service msdp_sa:binder { call transfer }; +allow resource_schedule_service bluetooth_service:binder { call }; +allow resource_schedule_service locationhub:binder { call }; +allow resource_schedule_service time_service:binder { call }; +allow resource_schedule_service appspawn:dir { search }; +allow resource_schedule_service appspawn:file { getattr open read }; +allow resource_schedule_service appspawn_exec:file { open read }; +allow resource_schedule_service cgroup:dir { add_name write search }; +allow resource_schedule_service cgroup:file { append getattr ioctl open read write }; +allow resource_schedule_service chip_prod_file:dir { search }; +allow resource_schedule_service data_service_el1_file:dir { add_name create getattr open read remove_name rmdir search write }; +allow resource_schedule_service data_service_el1_file:file { create getattr ioctl lock open read unlink write }; +# avc: denied { transfer } for pid=892, comm="/system/bin/sa_main" scountext=u:resource_schedule_service:s0 tcountext=u:r:distributeddata:s0 tclass=binder permissive=0 +# Before obtaining the application list, the rss service needs to call the DataShare interface to query the database information to check whether the user agrees to the authorization +allow resource_schedule_service distributeddata:binder { transfer }; +allow resource_schedule_service vendor_bin_file:dir { search }; +allow resource_schedule_service vendor_file:dir { search }; +allow resource_schedule_service vendor_file:file { execute getattr map open read }; +allow resource_schedule_service vendor_etc_file:dir { search }; +allow resource_schedule_service vendor_etc_file:file { getattr map open read }; +allow resource_schedule_service system_basic_hap_attr:process { setsched }; +allow resource_schedule_service system_usr_file:dir { search map }; +allow resource_schedule_service system_usr_file:file { getattr read }; +allow resource_schedule_service system_etc_file:dir { search }; +allow resource_schedule_service system_etc_file:file { getattr map open read }; +allow resource_schedule_service tracefs:dir { search }; +allow resource_schedule_service tracefs_trace_marker_file:file { open write }; +allow resource_schedule_service dev_unix_socket:dir { search }; +allow resource_schedule_service normal_hap_attr:process { setsched }; +allow resource_schedule_service resource_schedule_service:unix_dgram_socket { getopt setopt }; +allow resource_schedule_service data_log:file { read write }; +allow resource_schedule_service faultloggerd:fd { use }; +allow resource_schedule_service faultloggerd:unix_stream_socket { connectto }; +allow resource_schedule_service resource_schedule_service:netlink_socket { read }; +allow resource_schedule_service proc_file:file { read open }; +debug_only(` + allow resource_schedule_service sh_exec:file { execute_no_trans map open read }; +') +allow resource_schedule_service sys_file:file { getattr write open ioctl create read }; +allow resource_schedule_service sys_file:dir { open read search }; +allow resource_schedule_service system_file:file { open read }; +allow resource_schedule_service sys_prod_file:dir { search }; +allow resource_schedule_service sys_prod_file:file { open read }; +allow resource_schedule_service sysfs_devices_system_cpu:file { getattr write open ioctl create read }; +allow resource_schedule_service sysfs_devices_system_cpu:dir { open read search }; +allow resource_schedule_service tty_device:chr_file { open read write }; +allow resource_schedule_service dev_sched_rtg_ctrl:chr_file { ioctl open read write }; +allowxperm resource_schedule_service dev_file:chr_file ioctl { 0x7102 0x7104 0x7165 }; +allowxperm resource_schedule_service dev_sched_rtg_ctrl:chr_file ioctl { 0xab01 0xab02 }; +allowxperm resource_schedule_service cgroup:file ioctl { 0x5413 }; +allowxperm resource_schedule_service sys_file:file ioctl { 0x5413 }; +allowxperm resource_schedule_service data_service_el1_file:file ioctl { 0x5413 0xf501 0xf502 0xf50c 0xf546 0xf547 }; +allow resource_schedule_service sa_pulseaudio_audio_service:samgr_class { get }; +# Subscribing to public events is required. +# acv: denied { get } for service=1152 pid=641 scontext=u:r:resource_schedule_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow resource_schedule_service sa_foundation_cesfwk_service:samgr_class { get }; +# Standby management SIM card. +# avc: denied { call } for pid=679 comm="IPC_3_2276" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:telephony_sa:s0 tclass=binder permissive=1 +allow resource_schedule_service telephony_sa:binder { call }; +# Standby moden enables or disables data services. +# avc: denied { get } for service=4010 pid=675 scontext=u:r:resource_schedule_service:s0 tcontext=u:object_r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=1 +allow resource_schedule_service sa_telephony_tel_core_service:samgr_class { get }; +# Standby management Determine data status Service requirements. +# avc: denied { get } for service=4007 pid=668 scontext=u:r:resource_schedule_service:s0 tcontext=u:object_r:sa_telephony_tel_cellular_data:s0 tclass=samgr_class permissive=1 +allow resource_schedule_service sa_telephony_tel_cellular_data:samgr_class { get }; +# Standby control network restriction. +# avc: denied { get } for service=1152 pid=641 scontext=u:r:resource_schedule_service:s0 tcontext=u:object_r:sa_net_policy_manager:s0 tclass=samgr_class permissive=1 +allow resource_schedule_service sa_net_policy_manager:samgr_class { get }; +# avc: denied { add } for pid=946,comm="/system/bin/sa_man" scontext=u:r:sa_device_standby:s0 tcontext=u:r:resource_schedule_service:s0 tclass=samgr_class permissive=1 +# avc: denied { get } for service=1043 pid=622 scontext=u:r:resource_schedule_service:s0 tcontext=u:object_r:sa_device_standby:s0 tclass=samgr_class permissive=1 +allow resource_schedule_service sa_device_standby:samgr_class { add get }; +# Standby This parameter is required when the monitoring device is ststionary. +# avc: denied { call } for pid=681 comm="IPC_2_14413" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow resource_schedule_service sensors:binder { call }; +# avc: denied { transfer } for pid=657 comm="IPC_3_2264" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:transfer:s0 tclass=binder permissive=1 +allow resource_schedule_service sensors:binder { transfer }; +allow resource_schedule_service sa_sensor_service:samgr_class { get }; +allow resource_schedule_service sa_powermgr_battery_service:samgr_class { get }; +allow resource_schedule_service sa_powermgr_powermgr_service:samgr_class { get }; +allow resource_schedule_service sa_time_service:samgr_class { get }; +allow resource_schedule_service sa_time_service:binder { transfer }; +allow resource_schedule_service sa_foundation_bms:samgr_class { get }; +allow resource_schedule_service time_service:binder { transfer }; +allow resource_schedule_service sa_task_heartbeat_mgr:samgr_class { add get }; +allow bgtaskmgr_service sa_device_standby:samgr_class { get }; +allow normal_hap_attr sa_device_standby:samgr_class { get }; +allow system_basic_hap_attr sa_device_standby:samgr_class { get }; +allow system_core_hap_attr sa_device_standby:samgr_class { get }; +allow resource_schedule_service multimodalinput:binder { call }; +allow resource_schedule_service multimodalinput:fd { use }; +allow resource_schedule_service multimodalinput:unix_stream_socket { write }; +allow resource_schedule_service sa_comm_net_stats_manager_service:samgr_class { get }; +#get : allow resource_schedule_service get dms services to mointer fold status on soc_perf +allow resource_schedule_service sa_foundation_dms:samgr_class { get }; +debug_only(` + allow resource_schedule_service sh:dir { search }; + allow resource_schedule_service sh:file { open }; + allow resource_schedule_service sh:binder { call }; +') + +#systemload +#set : allow resource_schedule_service set system parameter to record systemload level +allow resource_schedule_service resourceschedule_writeable_param:parameter_service { set }; +#call : allow rss to read normal_hap_attr/system_basic_hap_attr/system_core_hap_attr register systemload callback +#transfer : allow rss to transfer result to normal_hap_attr/system_basic_hap_attr/system_core_hap_attr +allow resource_schedule_service normal_hap_attr:binder { call transfer }; +allow resource_schedule_service system_basic_hap_attr:binder { call transfer }; +allow resource_schedule_service system_core_hap_attr:binder { call transfer }; + +#proc_protect_lru +# avc: denied { search } for pid=873, comm="/system/bin/sa_main" scountext=u:resource_schedule_service:s0 tcountext=u:r:data_service_file:s0 tclass=dir permissive=0 +allow resource_schedule_service data_service_file:dir { search }; +# avc: denied { open read search } for pid=873, comm="/system/bin/sa_main" scountext=u:resource_schedule_service:s0 tcountext=u:r:system_fonts_file:s0 tclass=dir permissive=0 +allow resource_schedule_service system_fonts_file:dir { open read search }; +allow resource_schedule_service data_service_el2_file:dir { search }; +allow resource_schedule_service data_service_el2_hmdfs:dir { search }; + +#for resource_schedule_service cgroup +# avc: denied { search } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:kernel:s0 tclass=dir permissive=1 +allow resource_schedule_service kernel:dir { search }; +# avc: denied { read } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:kernel:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:kernel:s0 tclass=file permissive=1 +# avc: denied { open } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:kernel:s0 tclass=file permissive=1 +allow resource_schedule_service kernel:file { getattr open read }; +# avc: denied { read } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:storage_daemon:s0 tclass=file permissive=1 +allow resource_schedule_service storage_daemon:file { read }; +# avc: denied { read } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:storage_manager:s0 tclass=file permissive=1 +allow resource_schedule_service storage_manager:file { read }; +allow resource_schedule_service foundation:binder { call transfer }; +allow resource_schedule_service hiview:binder { call transfer }; +allow resource_schedule_service av_session:binder { call transfer }; +allow resource_schedule_service device_manager:file { read }; +# avc: denied { read } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:hdf_devmgr:s0 tclass=file permissive=1 +allow resource_schedule_service hdf_devmgr:file { read }; +allow resource_schedule_service hilogd:file { read }; +allow resource_schedule_service system_basic_hap_attr:dir { open read search }; +allow resource_schedule_service system_basic_hap_attr:file { getattr open read }; +allow resource_schedule_service system_core_hap_attr:dir { open read search }; +allow resource_schedule_service system_core_hap_attr:file { getattr open read }; +allow resource_schedule_service system_core_hap_attr:process { setsched }; +allow resource_schedule_service ui_service:process { setsched }; +allow resource_schedule_service normal_hap_attr:dir { open read search }; +allow resource_schedule_service normal_hap_attr:file { getattr open read }; +allow resource_schedule_service init:dir { search }; +allow resource_schedule_service init:file { getattr open read }; +allow resource_schedule_service param_watcher:file { read }; +allow resource_schedule_service sa_audio_policy_service:samgr_class { get }; +# avc: denied { search } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:ueventd:s0 tclass=dir permissive=1 +allow resource_schedule_service ueventd:dir { search }; +# avc: denied { getattr } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:ueventd:s0 tclass=file permissive=1 +# avc: denied { open } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:ueventd:s0 tclass=file permissive=1 +# avc: denied { read } for pid=953, comm="CgroupEventHand" scountext=u:resource_schedule_service:s0 tcountext=u:r:ueventd:s0 tclass=file permissive=1 +allow resource_schedule_service ueventd:file { getattr open read }; + +# resource_schedule_service config +allow resource_schedule_service sys_prod_ressched_file:dir { search }; +allow resource_schedule_service sys_prod_ressched_file:file { getattr open read }; + +#for os_account_manager binder +allow resource_schedule_service accountmgr:binder { transfer }; +allow accountmgr resource_schedule_service:binder { call }; + +#for devinfo param +allow resource_schedule_service devinfo_type_param:file { read open map }; + +# for camera_service +allow resource_schedule_service sa_camera_service:samgr_class { get }; +allow resource_schedule_service camera_service:binder { call transfer }; + +#for notify render_service start report events +allow render_service resource_schedule_service:binder { transfer }; +allow resource_schedule_service render_service:binder { call transfer }; + +allow resource_schedule_service sharing_service:dir { open search read }; +allow resource_schedule_service sharing_service:file { open read getattr }; + +allow resource_schedule_service av_codec_service:dir { open search read }; +allow resource_schedule_service av_codec_service:file { open read getattr }; + +allow resource_schedule_service sa_device_usage_statistics_service:samgr_class { get }; + diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te new file mode 100644 index 0000000000000000000000000000000000000000..dfc5ce2b434ca5d15c9c66c6abf853fbea163c92 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ressched_executor.te @@ -0,0 +1,52 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow resource_schedule_executor resource_schedule_executor:unix_dgram_socket { getopt setopt }; +allow resource_schedule_executor sa_resource_schedule_executor:samgr_class { add }; +allow resource_schedule_executor chip_prod_file:dir { search }; +allow resource_schedule_executor sys_prod_file:dir { search }; +allow resource_schedule_executor sys_prod_file:file { open read }; +allow resource_schedule_executor dev_unix_socket:dir { search }; +allow resource_schedule_executor dev_unix_socket:sock_file { write }; +allow resource_schedule_executor data_service_file:dir { search }; +allow resource_schedule_executor sys_file:file { getattr write open ioctl create read }; +allow resource_schedule_executor sys_file:dir { open read search }; +allow resource_schedule_executor system_usr_file:dir { search map }; +allow resource_schedule_executor system_usr_file:file { getattr read map open }; +allow resource_schedule_executor foundation:binder { call transfer }; +allow resource_schedule_executor persist_param:file { map open read }; +allow resource_schedule_executor persist_sys_param:file { map open read }; +allow resource_schedule_executor ohos_boot_param:file { map open read }; +allow resource_schedule_executor debug_param:file { map open read }; + +allow foundation resource_schedule_executor:binder { call transfer }; +allow hidumper_service sa_resource_schedule_executor:samgr_class { get }; +allow resource_schedule_service resource_schedule_executor:binder { call }; +allow resource_schedule_service sa_resource_schedule_executor:samgr_class { get }; + +allowxperm resource_schedule_executor sys_file:file ioctl { 0x5413 }; + +# resource_schedule_service config +allow resource_schedule_executor sys_prod_ressched_file:dir { search }; +allow resource_schedule_executor sys_prod_ressched_file:file { getattr open read }; +allow resource_schedule_executor normal_hap_attr:process { sigkill }; +allow resource_schedule_executor system_core_hap_attr:process { sigkill }; +allow resource_schedule_executor system_basic_hap_attr:process { sigkill }; +allow resource_schedule_executor sadomain:process { sigkill }; +allow resource_schedule_executor resource_schedule_executor:capability { kill }; + +# socperf_executor +allow resource_schedule_executor sysfs_devices_system_cpu:file { getattr open read write }; +allow resource_schedule_executor sysfs_devices_system_cpu:dir { open read search }; +allow resource_schedule_executor cgroup:dir { search }; +allow resource_schedule_executor cgroup:file { open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/sensors.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..c2d1581e74c12b222a89d1dd5c6ae4c93743a9b8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/sensors.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#sensors +allow sensors resource_schedule_service:fd { use }; +allow sensors resource_schedule_service:unix_stream_socket { read write }; +allow sensors resource_schedule_service:binder {call}; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..2bd31e1d99bb6407e66568e5631df7094d1eaab9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#transfer : allow system_basic_hap register systemload callback to rss +allow system_basic_hap_attr resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3b731509f164b141cc7d31295bd8d9501e2a527b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#transfer : allow system_core_hap register systemload callback to rss +allow system_core_hap_attr resource_schedule_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/telephony_sa.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..abb3f349b5796ba019b4f012c3db9d1c6017b00b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/telephony_sa.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#telephony_sa +allow telephony_sa resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/time_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..5d722a48d1f51334e54a5655d3989b4fb7ea94e2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/time_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#time_service +allow time_service resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ui_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ed88a72425b100ce063a45eb2e2b1374616a45e6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/ui_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#ui_service +allow ui_service resource_schedule_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/virtfs_contexts b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/virtfs_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d7bc9df881eab79bbb57c1d7893d35ffc2f4a64c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/resource_schedule_service/system/virtfs_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +genfscon tracefs /trace_marker u:object_r:tracefs_trace_marker_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/resourceschedule/work_scheduler/system/work_scheduler_service.te b/prebuilts/api/5.0/ohos_policy/resourceschedule/work_scheduler/system/work_scheduler_service.te new file mode 100644 index 0000000000000000000000000000000000000000..52f8fb54eb3647977a1ffe34b2c997d3453dba34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/resourceschedule/work_scheduler/system/work_scheduler_service.te @@ -0,0 +1,40 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type work_scheduler_service, sadomain, domain; + +allow system_core_hap_attr sa_work_schedule_service:samgr_class { get }; +allow system_basic_hap_attr sa_work_schedule_service:samgr_class { get }; +allow work_scheduler_service data_file:dir { search }; +allow work_scheduler_service data_service_el1_file:dir { add_name write search }; +allow work_scheduler_service data_service_el1_file:file { create getattr ioctl open read write }; +allow work_scheduler_service data_service_file:dir { search }; +allow work_scheduler_service dev_unix_socket:dir { search }; +allow work_scheduler_service dev_unix_socket:sock_file { write }; +allow work_scheduler_service proc_meminfo_file:file { open read }; +allow work_scheduler_service tracefs:dir { search }; +allow work_scheduler_service tracefs_trace_marker_file:file { open write }; +allow work_scheduler_service work_scheduler_service:unix_dgram_socket { getopt setopt }; +allowxperm work_scheduler_service data_service_el1_file:file ioctl 0x5413; + +binder_call(work_scheduler_service, accountmgr); +binder_call(work_scheduler_service, foundation); +binder_call(work_scheduler_service, normal_hap_attr); +binder_call(work_scheduler_service, param_watcher); +binder_call(param_watcher, work_scheduler_service); +binder_call(foundation, work_scheduler_service); +binder_call(normal_hap_attr, work_scheduler_service); + +debug_only(` + binder_call(work_scheduler_service, sh); +') diff --git a/prebuilts/api/5.0/ohos_policy/rgm/public/attributes b/prebuilts/api/5.0/ohos_policy/rgm/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..3a81c79def26be9ca4343cdb538dd70cf1eef5f5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/rgm/public/attributes @@ -0,0 +1,30 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute rgm_violator_cap_sysadmin; +attribute rgm_violator_cap_setgid; +attribute rgm_violator_cap_setuid; +attribute rgm_violator_system_v_ipc; +attribute rgm_violator_cap_chown; +attribute rgm_violator_normal_hap_data_file_attr_dir; +attribute rgm_violator_normal_hap_data_file_attr_file_open; +attribute rgm_violator_filesystem_relabelfrom; +attribute rgm_violator_normal_hap_data_file_attr_dir_file_create_unlink; +attribute rgm_violator_ohos_dev_encaps_chr_file; +attribute rgm_violator_exec_no_sign; +attribute rgm_violator_execmem; +attribute rgm_violator_su_process_dyntransition; +attribute rgm_violator_domain; +attribute rgm_violator_sadomain; +attribute rgm_violator_domain_oh_to_box; + diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/public/type.te b/prebuilts/api/5.0/ohos_policy/security/access_token/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..73991aa8afe62f7c9a61a47a5d182b4c9317902f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type accesstoken_data_file, file_attr, data_file_attr; +type permissionmanager_hap, normal_hap_attr, hap_domain, domain; +type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/access_token.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/access_token.te new file mode 100644 index 0000000000000000000000000000000000000000..85a52ae35ee34efbf2a0ce5f3c93e7e6a1c72052 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/access_token.te @@ -0,0 +1,125 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow domain accesstoken_perm_param:file { map open read }; +# [ 325.498791] audit: type=1400 audit(1501923927.700:2295): avc: denied { ioctl } for pid=2232 comm="SaInit1" path="/data/service/el1/public/access_token" dev="mmcblk0p15" ino=2902 ioctlcmd=0xf546 scontext=u:r:accesstoken_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +allow accesstoken_service accesstoken_data_file:dir { search add_name ioctl open read write remove_name }; +allowxperm accesstoken_service accesstoken_data_file:dir ioctl { 0xf546 }; +# [ 324.857258] audit: type=1400 audit(1501923927.060:2293): avc: denied { map } for pid=2232 comm="SaInit1" path="/data/service/el1/public/access_token/access_token.db-shm" dev="mmcblk0p15" ino=3066 scontext=u:r:accesstoken_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=file permissive=1 +# [ 324.863783] audit: type=1400 audit(1501923927.066:2294): avc: denied { setattr } for pid=2232 comm="SaInit1" name="access_token.db" dev="mmcblk0p15" ino=3063 scontext=u:r:accesstoken_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=file permissive=1 +allow accesstoken_service accesstoken_data_file:file { create open read getattr ioctl lock map setattr unlink write }; +allow accesstoken_service accesstoken_perm_param:parameter_service { set }; +allow accesstoken_service accesstoken_service:unix_dgram_socket { getopt setopt }; +allow accesstoken_service audio_server:binder { call transfer }; +allow accesstoken_service bootevent_param:file { map open read }; +allow accesstoken_service bootevent_samgr_param:file { map open read }; +allow accesstoken_service build_version_param:file { map open read }; +allow accesstoken_service camera_service:binder { call transfer }; +allow accesstoken_service const_allow_mock_param:file { map open read }; +allow accesstoken_service const_allow_param:file { map open read }; +allow accesstoken_service const_build_param:file { map open read }; +allow accesstoken_service const_display_brightness_param:file { map open read }; +allow accesstoken_service const_param:file { map open read }; +allow accesstoken_service const_postinstall_fstab_param:file { map open read }; +allow accesstoken_service const_postinstall_param:file { map open read }; +allow accesstoken_service const_product_param:file { map open read }; +allow accesstoken_service data_file:dir { search }; +allow accesstoken_service data_service_el0_file:dir { search }; +allow accesstoken_service data_service_el1_file:dir { add_name getattr open read remove_name search write }; +allow accesstoken_service data_service_el1_file:file { create getattr ioctl lock read write open unlink relabelfrom }; +allow accesstoken_service data_service_file:dir { search }; +allow accesstoken_service data_system:dir { add_name getattr open read remove_name search write }; +allow accesstoken_service data_system:file { create getattr open read unlink write }; +allow accesstoken_service debug_param:file { map open read }; +allow accesstoken_service default_param:file { map open read }; +allow accesstoken_service dev_ashmem_file:chr_file { open }; +allow accesstoken_service dev_unix_socket:dir { search }; +allow accesstoken_service dev_unix_socket:sock_file { write }; +#avc: denied { call } for pid=515 comm="accesstoken_ser" scontext=u:r:accesstoken_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=684 comm="accesstoken_ser" scontext=u:r:accesstoken_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow accesstoken_service device_manager:binder { call transfer }; +allow accesstoken_service devinfo_private_param:file { map open read }; +allow accesstoken_service distributedsche_param:file { map open read }; +allow accesstoken_service drm_service:binder { call transfer }; +allow accesstoken_service hilog_param:file { map open read }; +allow accesstoken_service hw_sc_build_os_param:file { map open read }; +allow accesstoken_service hw_sc_build_param:file { map open read }; +allow accesstoken_service hw_sc_param:file { map open read }; +allow accesstoken_service init_param:file { map open read }; +allow accesstoken_service init_svc_param:file { map open read }; +allow accesstoken_service input_pointer_device_param:file { map open read }; +allow accesstoken_service kernel:unix_stream_socket { connectto }; +allow accesstoken_service net_param:file { map open read }; +allow accesstoken_service net_tcp_param:file { map open read }; +allow accesstoken_service ohos_boot_param:file { map open read }; +allow accesstoken_service ohos_param:file { map open read }; +allow accesstoken_service param_watcher:binder { call transfer }; +#avc: denied { write } for pid=545 comm="accesstoken_ser" name="paramservice" dev="tmpfs" ino=30 scontext=u:r:accesstoken_service:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 +allow accesstoken_service paramservice_socket:sock_file { write }; +allow accesstoken_service persist_param:file { map open read }; +allow accesstoken_service persist_sys_param:file { map open read }; +#avc: denied { call } for pid=504 comm="accesstoken_ser" scontext=u:r:accesstoken_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=1 +allow accesstoken_service privacy_service:binder { call }; +allow accesstoken_service sa_accesstoken_manager_service:samgr_class { add get }; +allow accesstoken_service sa_distributeddata_service:samgr_class { get }; +allow accesstoken_service sa_foundation_devicemanager_service:samgr_class { get }; +allow accesstoken_service sa_powermgr_powermgr_service:samgr_class { get }; +allow accesstoken_service sa_param_watcher:samgr_class { get }; +allow accesstoken_service sa_privacy_service:samgr_class { get }; +allow accesstoken_service sa_softbus_service:samgr_class { get }; +allow accesstoken_service sa_token_sync_manager_service:samgr_class { get }; +allow accesstoken_service security_param:file { map open read }; +allow accesstoken_service startup_param:file { map open read }; +allow accesstoken_service sys_param:file { map open read }; +allow accesstoken_service sys_usb_param:file { map open read }; +allow accesstoken_service system_basic_hap_attr:binder {call}; +allow accesstoken_service system_bin_file:dir { search }; +allow accesstoken_service system_core_hap_attr:binder {call}; +allow accesstoken_service token_sync_service:binder { call }; +allow accesstoken_service tracefs_trace_marker_file:file { open write }; +allow accesstoken_service tracefs:dir { search }; +allow accesstoken_service sa_bgtaskmgr:samgr_class { get }; +allow accesstoken_service sa_form_mgr_service:samgr_class { get }; + +# avc: denied { get } for service=501 pid=537 scontext=u:r:accesstoken_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow accesstoken_service sa_foundation_appms:samgr_class { get }; + +allowxperm accesstoken_service data_service_el1_file:file ioctl { 0xf50c }; + +allow domain dev_at_file:chr_file { ioctl open read write }; +allowxperm domain dev_at_file:chr_file ioctl { 0x4101 0x4103 0x4107 }; + +allowxperm accountmgr dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm hiview dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm privacy_service dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm token_sync_service dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm msdp_sa dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm init dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm distributedsche dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm av_session dev_at_file:chr_file ioctl { 0x4104 }; +allowxperm msdp_sa dev_at_file:chr_file ioctl { 0x4104 }; + +allowxperm accesstoken_service dev_at_file:chr_file ioctl { 0x4105 0x4106 0x4108 }; +neverallowxperm ~{ accesstoken_service } dev_at_file:chr_file ioctl { 0x4105 0x4106 0x4108 }; +neverallowxperm hap_domain dev_at_file:chr_file ioctl { 0x4102 0x4104 }; + +binder_call(accesstoken_service, bgtaskmgr_service); +binder_call(accesstoken_service, distributeddata); +binder_call(accesstoken_service, foundation); +binder_call(accesstoken_service, privacy_service); +binder_call(accesstoken_service, softbus_server); + +debug_only(` + binder_call(accesstoken_service, sh); + binder_call(accesstoken_service, su); +') diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/atm.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/atm.te new file mode 100644 index 0000000000000000000000000000000000000000..2e96ec21787b6efcb71b753cf59499204a6e5c1e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/atm.te @@ -0,0 +1,36 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` + domain_auto_transition_pattern(sh, atm_exec, atm); + + allow samgr atm:dir { search }; + allow samgr atm:file { open read }; + allow samgr atm:process { getattr }; + allow samgr atm:binder { call transfer }; + + allow atm sa_accesstoken_manager_service:samgr_class { get }; + allow atm sa_privacy_service:samgr_class { get }; + allow atm sh:fd { use }; + allow atm hdcd:fd { use }; + + allow atm devpts:chr_file { read write ioctl }; + allowxperm atm devpts:chr_file ioctl { 0x5413 }; + + allow atm dev_unix_socket:dir { search }; + + allow atm samgr:binder { call }; + allow atm accesstoken_service:binder { call }; + + allow atm privacy_service:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/access_token/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e352bc41713280c6075a163066974705435f2993 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/file_contexts @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/access_token(/.*)? u:object_r:accesstoken_data_file:s0 +/data/service/el0/access_token/nativetoken.json u:object_r:accesstoken_data_file:s0 +/data/service/el0/access_token/nativetoken.json.lock u:object_r:accesstoken_data_file:s0 + +# for atm tool +/system/bin/atm u:object_r:atm_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/init.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..21e1497e5ac4f35b070f87928809f11263d77e8d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/init.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { relabelto } for pid=1 comm="init" name="access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1 comm="init" name="access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/access_token" dev="mmcblk0p12" ino=140 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=0 +allow init accesstoken_data_file:dir { getattr open read relabelto setattr}; +allow init privacy_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/neverallow.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/neverallow.te new file mode 100644 index 0000000000000000000000000000000000000000..3a29b496daca0dfcfff0d2bba7de0d3e64928dde --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/neverallow.te @@ -0,0 +1,24 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_dir updater_only(`-updater') } accesstoken_data_file:dir *; +neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_file updater_only(`-updater') } accesstoken_data_file:file *; + +neverallow accesstoken_service accesstoken_data_file:dir ~{ search add_name open read write remove_name ioctl }; +neverallow accesstoken_service accesstoken_data_file:file ~{ open read getattr ioctl lock write create unlink map setattr }; + +neverallow init accesstoken_data_file:dir ~{ getattr open read relabelto setattr search }; +neverallow init accesstoken_data_file:file ~{ read write getattr setattr relabelto open lock }; + +neverallow privacy_service accesstoken_data_file:dir ~{ search add_name open read write remove_name ioctl }; +neverallow privacy_service accesstoken_data_file:file ~{ open read getattr ioctl lock write create unlink map setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..3173cd7b0ce45073ad41727f15fcfe82f58b1de1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/normal_hap_attr.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=4745 comm="com.example.web" scontext=u:r:normal_hap:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow normal_hap_attr accesstoken_service:binder { call }; +allow normal_hap_attr privacy_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..76f6191d8a78e9c5d7de06beaff62e7f6044b83b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher privacy_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/privacy.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/privacy.te new file mode 100644 index 0000000000000000000000000000000000000000..72dba9e3b7b9d055ff0b54d0592b03080d3eb6cb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/privacy.te @@ -0,0 +1,97 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type privacy_service, sadomain, domain; + +allow privacy_service accesstoken_data_file:dir { search add_name open read write remove_name }; +# [ 324.857258] audit: type=1400 audit(1501923927.060:2293): avc: denied { map } for pid=2232 comm="SaInit1" path="/data/service/el1/public/access_token/permission_used_record.db-shm" dev="mmcblk0p15" ino=3066 scontext=u:r:privacy_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=file permissive=1 +# [ 324.863783] audit: type=1400 audit(1501923927.066:2294): avc: denied { setattr } for pid=2232 comm="SaInit1" name="permission_used_record.db" dev="mmcblk0p15" ino=3063 scontext=u:r:privacy_service:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=file permissive=1 +allow privacy_service accesstoken_data_file:file { open read getattr ioctl lock write create unlink map setattr }; +allow privacy_service accesstoken_service:binder { call }; +allow privacy_service audio_server:binder { call transfer }; +allow privacy_service bootevent_param:file { map open read }; +allow privacy_service bootevent_samgr_param:file { map open read }; +allow privacy_service build_version_param:file { map open read }; +allow privacy_service const_allow_mock_param:file { map open read }; +allow privacy_service const_allow_param:file { map open read }; +allow privacy_service const_build_param:file { map open read }; +allow privacy_service const_display_brightness_param:file { map open read }; +allow privacy_service const_param:file { map open read }; +allow privacy_service const_postinstall_fstab_param:file { map open read }; +allow privacy_service const_postinstall_param:file { map open read }; +allow privacy_service const_product_param:file { map open read }; +allow privacy_service data_file:dir { search }; +allow privacy_service data_service_el1_file:dir { add_name getattr open read remove_name search write }; +allow privacy_service data_service_el1_file:file { create getattr ioctl lock read write open unlink relabelfrom }; +allow privacy_service data_service_file:dir { search }; +allow privacy_service debug_param:file { map open read }; +allow privacy_service default_param:file { map open read }; +allow privacy_service dev_console_file:chr_file { read write }; +allow privacy_service dev_unix_socket:dir { search }; +allow privacy_service devinfo_private_param:file { map open read }; +allow privacy_service distributedsche_param:file { map open read }; +allow privacy_service hilog_param:file { map open read }; +allow privacy_service hw_sc_build_os_param:file { map open read }; +allow privacy_service hw_sc_build_param:file { map open read }; +allow privacy_service hw_sc_param:file { map open read }; +allow privacy_service init_param:file { map open read }; +allow privacy_service init_svc_param:file { map open read }; +allow privacy_service input_pointer_device_param:file { map open read }; +allow privacy_service net_param:file { map open read }; +allow privacy_service net_tcp_param:file { map open read }; +allow privacy_service normal_hap_attr:binder { call }; +allow privacy_service ohos_boot_param:file { map open read }; +allow privacy_service ohos_param:file { map open read }; +allow privacy_service param_watcher:binder { call transfer }; +allow privacy_service persist_param:file { map open read }; +allow privacy_service persist_sys_param:file { map open read }; +allow privacy_service sa_accesstoken_manager_service:samgr_class { get }; +allow privacy_service sa_audio_policy_service:samgr_class { get }; +# avc: denied { get } for service=3008 pid=500 scontext=u:r:privacy_service:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=0 +allow privacy_service sa_camera_service:samgr_class { get }; +allow privacy_service sa_drm_service:samgr_class { get }; +allow privacy_service sa_foundation_abilityms:samgr_class { get }; +allow privacy_service sa_foundation_appms:samgr_class { get }; +# avc: denied { get } for service=3301 pid=531 scontext=u:r:privacy_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow privacy_service sa_powermgr_powermgr_service:samgr_class { get }; +allow privacy_service sa_foundation_wms:samgr_class { get }; +allow privacy_service sa_param_watcher:samgr_class { get }; +allow privacy_service sa_privacy_service:samgr_class { add get }; +allow privacy_service sa_pulseaudio_audio_service:samgr_class { get }; +allow privacy_service security_param:file { map open read }; +allow privacy_service startup_param:file { map open read }; +allow privacy_service sys_param:file { map open read }; +allow privacy_service sys_usb_param:file { map open read }; +allow privacy_service system_basic_hap_attr:binder {call}; +allow privacy_service system_bin_file:dir { search }; +allow privacy_service system_core_hap_attr:binder {call}; +allow privacy_service tracefs_trace_marker_file:file { open write }; +allow privacy_service tracefs:dir { search }; + +allow privacy_service sa_foundation_cesfwk_service:samgr_class { get }; +allow privacy_service sa_screenlock_service:samgr_class { get }; +allow privacy_service sa_bgtaskmgr:samgr_class { get }; + +binder_call(foundation, privacy_service); +binder_call(powermgr, privacy_service); +binder_call(privacy_service, accesstoken_service); +binder_call(privacy_service, foundation); +binder_call(privacy_service, powermgr); +binder_call(system_basic_hap_attr, privacy_service); +binder_call(system_core_hap_attr, privacy_service); +binder_call(privacy_service, bgtaskmgr_service); + +debug_only(` + binder_call(privacy_service, sh); + binder_call(privacy_service, su); +') diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/sehap_contexts b/prebuilts/api/5.0/ohos_policy/security/access_token/system/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ec91fffdbfbf968ac0378f69e6514ef8240487dd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/sehap_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6bc89f33c3d6d577f0b801be84dc08658afae2ca --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr accesstoken_service:binder { call }; +allow system_basic_hap_attr sa_accesstoken_manager_service:samgr_class { get }; +allow system_basic_hap_attr sa_privacy_service:samgr_class { get }; + +binder_call(system_basic_hap_attr, accesstoken_service); diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..638876d56af2e4986f1e1269e784f7c1bacb0a0e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/system_core_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr accesstoken_service:binder { call }; +allow system_core_hap_attr sa_accesstoken_manager_service:samgr_class { get }; +allow system_core_hap_attr sa_privacy_service:samgr_class { get }; + +binder_call(system_core_hap_attr, accesstoken_service); diff --git a/prebuilts/api/5.0/ohos_policy/security/access_token/system/token_sync.te b/prebuilts/api/5.0/ohos_policy/security/access_token/system/token_sync.te new file mode 100644 index 0000000000000000000000000000000000000000..6bf3cdc526cbd972bcecb449787aa7e2fd7f3ac0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/access_token/system/token_sync.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow token_sync_service data_file:dir { search }; +allow token_sync_service data_init_agent:dir { search }; +allow token_sync_service dev_unix_socket:dir { search }; +#avc: denied { call } for pid=2110 comm="token_sync_serv" scontext=u:r:token_sync_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=2110 comm="token_sync_serv" scontext=u:r:token_sync_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1 +allow token_sync_service device_manager:binder { call transfer }; +allow token_sync_service devinfo_private_param:file { map open read }; +allow token_sync_service sa_foundation_devicemanager_service:samgr_class { get }; +allow token_sync_service sa_softbus_service:samgr_class { get }; +allow token_sync_service sa_token_sync_manager_service:samgr_class { add get }; +allow token_sync_service system_bin_file:dir { search }; +allow token_sync_service system_file:file { getattr map open read }; + +binder_call(token_sync_service, foundation); +binder_call(token_sync_service, softbus_server); diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/public/type.te b/prebuilts/api/5.0/ohos_policy/security/asset/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..8f802a8ba1e3f7fbc2e0f5ca0797e1eb82a652bd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_asset_service, sa_service_attr; +type asset_service, sadomain, domain; +type data_service_el1_public_asset_service_file, file_attr, data_file_attr; +type data_service_el2_user_id_asset_service_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/asset_service.te b/prebuilts/api/5.0/ohos_policy/security/asset/system/asset_service.te new file mode 100644 index 0000000000000000000000000000000000000000..dff93779eae95998a43e1bd8fa5e621fd4480b50 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/asset_service.te @@ -0,0 +1,50 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow asset_service sa_asset_service:samgr_class { get add }; + +allow asset_service data_service_el1_public_asset_service_file:dir { add_name create open read remove_name search write rmdir getattr setattr ioctl }; +allowxperm asset_service data_service_el1_public_asset_service_file:dir ioctl { 0xf546 0xf547 }; + +allow asset_service data_service_el1_public_asset_service_file:file { create getattr open read setattr unlink write lock ioctl }; +allowxperm asset_service data_service_el1_public_asset_service_file:file ioctl { 0xf501 0xf502 0xf50c 0xf546 0xf547 }; + +allow asset_service data_service_el2_user_id_asset_service_file:dir { search write add_name open read remove_name ioctl }; +allowxperm asset_service data_service_el2_user_id_asset_service_file:dir ioctl { 0xf546 0xf547 }; + +allow asset_service data_service_el2_user_id_asset_service_file:file { create write open read setattr getattr lock unlink ioctl }; +allowxperm asset_service data_service_el2_user_id_asset_service_file:file ioctl { 0xf546 0xf547 0xf50c }; + +allow asset_service data_service_el1_file:dir { search }; +allow asset_service data_service_el2_file:dir { search }; +allow asset_service data_service_file:dir { search }; +allow asset_service data_file:dir { search }; +allow asset_service dev_unix_socket:dir { search }; +allow asset_service tracefs:dir { search }; +allow asset_service hilog_param:file { read map open }; +allow asset_service debug_param:file { read map open }; + +allow asset_service sa_huks_service:samgr_class { get }; + +allow asset_service sa_accesstoken_manager_service:samgr_class { get }; + +allow asset_service sa_foundation_abilityms:samgr_class { get }; +allow asset_service sa_foundation_cesfwk_service:samgr_class { get }; +allow asset_service sa_foundation_bms:samgr_class { get }; + +allow asset_service sa_accountmgr:samgr_class { get }; +binder_call(asset_service, normal_hap_attr); +binder_call(asset_service, accountmgr); +binder_call(asset_service, foundation); +binder_call(asset_service, accesstoken_service); +binder_call(asset_service, huks_service); diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/asset/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a820938347208fb291c2373cad60e05e0e542ece --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/asset_service(/.*)? u:object_r:data_service_el1_public_asset_service_file:s0 +/data/service/el2/[0-9]+/asset_service(/.*)? u:object_r:data_service_el2_user_id_asset_service_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/asset/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..8f79e4466da11406f667b31ad89aeede0ac91dc8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation asset_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/security/asset/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..ec360ea84731a7e442d3405554ca293b406c7f1f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/hap_domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain asset_service:binder { call transfer }; +allow hap_domain sa_asset_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/init.te b/prebuilts/api/5.0/ohos_policy/security/asset/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..e94b86a480849bf690011f159f04ca4b57dd8da7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/init.te @@ -0,0 +1,19 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_service_el1_public_asset_service_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_service_el1_public_asset_service_file:file { relabelto setattr }; + +allow init asset_service:process { rlimitinh siginh transition }; + +init_relabel(data_service_el1_public_asset_service_file); diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/asset/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..931467d66a05cfe29548c21bf249c6bae5b4cbe3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +8100 u:object_r:sa_asset_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/asset/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/security/asset/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..cb70eece649220b11644d7c1f646b51921705b2a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/asset/system/storage_daemon.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +storage_daemon_relabel(data_service_el2_user_id_asset_service_file); + +allow storage_daemon data_service_el2_user_id_asset_service_file:dir { getattr read open write remove_name rmdir }; +allow storage_daemon data_service_el2_user_id_asset_service_file:file { unlink }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..6dd4a870aaf87fd1aa0c34ecacd9ed471dd02949 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=3855 comm="s.certframework" name="cert_manager_service" dev="mmcblk0p14" ino=149 scontext=u:r:appspawn:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=dir permissive=0 +allow appspawn cert_manager_service_file:dir { search getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/cert_manager.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/cert_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..9db8f24cab92ab7bce373099030bac9c6ea3bb7e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/cert_manager.te @@ -0,0 +1,77 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cert_manager_service, sadomain, domain; +type cert_manager_service_exec, exec_attr, file_attr, system_file_attr; + +init_daemon_domain(cert_manager_service); + +binder_call(cert_manager_service, samgr); + +allow cert_manager_service accesstoken_service:binder { call }; +allow cert_manager_service data_file:dir { search }; +allow cert_manager_service data_service_el1_file:dir { search }; +allow cert_manager_service cert_manager_service_file:dir { add_name create open read remove_name search write rmdir getattr setattr }; +allow cert_manager_service cert_manager_service_file:file { create getattr ioctl open read setattr unlink write }; +allow cert_manager_service data_service_file:dir { search }; +allow cert_manager_service debug_param:file { read open map }; +allow cert_manager_service dev_console_file:chr_file { read write }; +allow cert_manager_service dev_unix_socket:dir { search }; +allow cert_manager_service foundation:binder { call transfer }; +allow cert_manager_service hilog_param:file { read open map }; +allow cert_manager_service huks_service:binder { call }; +allow cert_manager_service param_watcher:binder { call transfer }; +allow cert_manager_service sa_accesstoken_manager_service:samgr_class { get add }; +allow cert_manager_service sa_cert_manager_service:samgr_class { get add }; +allow cert_manager_service sa_foundation_cesfwk_service:samgr_class { get }; +allow cert_manager_service sa_huks_service:samgr_class { get add }; +allow cert_manager_service sa_param_watcher:samgr_class { get }; +allow cert_manager_service tracefs:dir { search }; +allow cert_manager_service tracefs_trace_marker_file:file { open write }; +allowxperm cert_manager_service cert_manager_service_file:file ioctl { 0x5413 0xf546 0xf547 }; + +#avc: denied { read } for pid=6711 comm="cert_manager_se" name="u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=6711 comm="cert_manager_se" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=6711 comm="cert_manager_se" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=56 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow cert_manager_service musl_param:file { map open read }; + +#avc: denied { search } for pid=6764 comm="cert_manager_se" name="bin" dev="mmcblk0p7" ino=112 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow cert_manager_service system_bin_file:dir { search }; + +#avc: denied { getopt } for pid=1564 comm="cert_manager_se" scontext=u:r:cert_manager_service:s0 tcontext=u:r:cert_manager_service:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { getopt } for pid=1564 comm="cert_manager_se" scontext=u:r:cert_manager_service:s0 tcontext=u:r:cert_manager_service:s0 tclass=unix_dgram_socket permissive=1 +allow cert_manager_service cert_manager_service:unix_dgram_socket { getopt setopt }; + +#avc: denied { read } for pid=18044 comm="cert_manager_se" name="online" dev="sysfs" ino=27674 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { open } for pid=18044 comm="cert_manager_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=27674 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=18044 comm="cert_manager_se" path="/sys/devices/system/cpu/online" dev="sysfs" ino=27674 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow cert_manager_service sysfs_devices_system_cpu:file { read open getattr }; + +allow cert_manager_service distributeddata:binder { transfer call }; +allow cert_manager_service distributeddata:fd { use }; + +#avc: denied { get } for service=3524 sid=u:r:cert_manager_service:s0 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:sa_sg_collect_service:s0 tclass=samgr_class permissive=0 +allow cert_manager_service sa_sg_collect_service:samgr_class { get }; + +#avc: denied { call } for pid=1456 comm="cert_manager_se" scontext=u:r:cert_manager_service:s0 tcontext=u:r:security_guard:s0 tclass=binder permissive=0 +allow cert_manager_service security_guard:binder { call }; + +#avc: denied { lock } for pid=1456 comm="OS_IPC_0_1471" path="/data/service/el1/public/cert_manager_service/rdb/cert_manager.db" dev="mmcblk0p15" ino=3210 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=file permissive=0 +#avc: denied { map } for pid=1462 comm="OS_IPC_2_1490" path="/data/service/el1/public/cert_manager_service/rdb/cert_manager.db-shm" dev="mmcblk0p15" ino=4138 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=file permissive=0 +allow cert_manager_service cert_manager_service_file:file { lock map }; + +#avc: denied { ioctl } for pid=1462 comm="OS_IPC_2_1490" path="/data/service/el1/public/cert_manager_service/rdb/cert_manager.db" dev="mmcblk0p15" ino=3210 ioctlcmd=0xf50c scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=file permissive=0 +allowxperm cert_manager_service cert_manager_service_file:file ioctl { 0xf50c }; + +#avc: denied { open } for pid=1430 comm="OS_IPC_1_1446" path="/dev/ashmem" dev="tmpfs" ino=256 scontext=u:r:cert_manager_service:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0 +allow cert_manager_service dev_ashmem_file:chr_file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..299f55678b13b6e433a1a3ca88e683081c1697e9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cert_manager_service_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..4fcf662afb7677004f0bb31c3c501d23d1ed1bfd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/cert_manager_service u:object_r:cert_manager_service_exec:s0 +/data/service/el1/public/cert_manager_service(/.*)? u:object_r:cert_manager_service_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..612b9a0d19e2c69e730ada512419e1f02bff2839 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation cert_manager_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..ec756a574ea3e512abe854c9062d5f1cf4fdbf31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/hap_domain.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain cert_manager_service_file:file { open read getattr }; +allow hap_domain cert_manager_service_file:dir { open getattr search read }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/init.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..b714bc513addd2deea70ace3adf14e9c9e015a17 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init cert_manager_service_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init cert_manager_service_file:file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..5742dae54bbf0fc32a37f069bbdd66c717d5f965 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr cert_manager_service:binder { call }; +allow normal_hap_attr sa_cert_manager_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..ff8e89f39f507498eaaaa3440de8187e3b581912 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher cert_manager_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..0c554af58bde09968d6fcd9f734e6f34c30d7e51 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_cert_manager_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3ee3eb0eee505e858df26e60a0cb55b723801512 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3512 u:object_r:sa_cert_manager_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a6eba15716d5d63b72f95a9bd6d257e47f81e427 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/cert_manager/system/system_basic_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_cert_manager_service:samgr_class { get }; +allow system_basic_hap_attr cert_manager_service:binder { call }; +allow system_basic_hap_attr sa_file_access_service:samgr_class { get }; +allow system_basic_hap_attr hmdfs:file { read }; +allow system_basic_hap_attr data_user_file:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/public/attributes b/prebuilts/api/5.0/ohos_policy/security/code_signature/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..c399b9165630c0907220b73037da2ae4bdf73f19 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute trusted_profile_data_file_violator_file_write; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/public/type.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..b31f3881b107393bd819193960d3dedda8a4a73c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type key_enable, native_system_domain, domain; + +type local_code_sign, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_jit_lib.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_jit_lib.te new file mode 100644 index 0000000000000000000000000000000000000000..97bdb6950a0216d3ed8c314e7cd0ee74ebe1599c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_jit_lib.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type code_sign_jit_lib, system_file_attr, exec_attr, jitfort_lib_attr, file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_profile.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_profile.te new file mode 100644 index 0000000000000000000000000000000000000000..f2d7e64d3bf9887342159a897dea94b0a43972d6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_profile.te @@ -0,0 +1,21 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type trusted_profile_data_file, file_attr, data_file_attr; + +neverallow {domain -installs -trusted_profile_data_file_violator_file_write } trusted_profile_data_file:file { write }; + +debug_only(` +allow su trusted_profile_data_file:dir { getattr open read remove_name rmdir search write }; +allow su trusted_profile_data_file:file { getattr unlink }; +') diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_utils.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_utils.te new file mode 100644 index 0000000000000000000000000000000000000000..5735e0626ac4e80c0b8840d995e5542a4d8fbd9b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/code_sign_utils.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +type code_sign_utils, exec_attr, system_file_attr, file_attr; +neverallow {domain -installs -ark_aot_compiler developer_only(`-hnp')} code_sign_utils:file { execute }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/dev_code_sign.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/dev_code_sign.te new file mode 100644 index 0000000000000000000000000000000000000000..1a7d6138e3fbffa2aecfdca4ee644ab8e35228c8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/dev_code_sign.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_code_sign, dev_attr; + +neverallow {domain -key_enable -installs} dev_code_sign:chr_file { ioctl read write open }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..14f76a300eecf13deaacbbd212b5e3a66811a30e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/file_contexts @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/lib(64)?/libcode_sign_utils.z.so u:object_r:code_sign_utils:s0 + +/dev/code_sign u:object_r:dev_code_sign:s0 + +/data/service/el0/profiles(/.*)? u:object_r:trusted_profile_data_file:s0 + +/data/service/el1/profiles(/.*)? u:object_r:trusted_profile_data_file:s0 + +/data/service/el1/public/profiles(/.*)? u:object_r:trusted_profile_data_file:s0 + +/system/bin/key_enable u:object_r:key_enable_exec:s0 + +/system/lib(64)?/libjit_code_sign.z.so u:object_r:code_sign_jit_lib:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..cba6c9d79f92110f42682a3ff0112b47cfe188a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/foundation.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation key_enable:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/init.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..82fa0e585ebe066183b257290c772f694c5015cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/init.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { relabelto } for pid=1 comm="init" name="access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1 comm="init" name="access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/access_token" dev="mmcblk0p12" ino=7387 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/access_token" dev="mmcblk0p12" ino=140 scontext=u:r:init:s0 tcontext=u:object_r:accesstoken_data_file:s0 tclass=dir permissive=0 +#allow init accesstoken_data_file:dir { getattr open read relabelto setattr}; +#allow init privacy_service:process { rlimitinh siginh transition }; + +allow init local_code_sign:process { rlimitinh siginh transition }; + +allow init trusted_profile_data_file:dir { add_name create write open read relabelto getattr setattr search }; + +allow init trusted_profile_data_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/installs.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..2c5e7517a2a9ab43492b3075b92dd2d9c43df0c1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/installs.te @@ -0,0 +1,32 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow installs code_sign_utils:file { execute getattr map open read }; + +allow installs key_enable:key { search }; + +allow installs local_code_sign:binder { call }; + +allow installs sa_local_code_sign:samgr_class { get }; + +allow installs data_service_el0_file:dir { search }; + +allow installs installs:code_sign { add_cert_chain remove_cert_chain }; + +allow installs dev_code_sign:chr_file { ioctl write open }; + +allowxperm installs dev_code_sign:chr_file ioctl { 0x6b01 0x6b02 }; + +allow installs trusted_profile_data_file:dir { add_name create search write open read getattr setattr remove_name rmdir }; + +allow installs trusted_profile_data_file:file { getattr read unlink create setattr write open }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/key_enable.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/key_enable.te new file mode 100644 index 0000000000000000000000000000000000000000..90f3427f735f1b1e359ae215e668ca4d85db40f1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/key_enable.te @@ -0,0 +1,95 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type key_enable_exec, exec_attr, file_attr, system_file_attr; + +init_daemon_domain(key_enable); + +binder_call(key_enable, samgr); + + +allow key_enable debug_param:file { map open read }; + +allow key_enable dev_unix_socket:dir { search }; + +allow key_enable hilog_param:file { map open read }; + +allow key_enable kernel:key { search setattr view write }; + +allow key_enable local_code_sign:binder { call }; + +allow key_enable proc_keys_file:file { getattr open read }; + +allow key_enable sa_local_code_sign:samgr_class { get }; + +allow key_enable storage_daemon:key { view }; + +allow key_enable system_bin_file:file { entrypoint execute map read }; + +allow key_enable sysfs_devices_system_cpu:file { getattr open read }; + +allow key_enable musl_param:file {map open read }; + +allow key_enable proc_file:file { open read }; + +allow key_enable sysfs_devices_system_cpu:file { getattr open read }; + +allow key_enable hiview:unix_dgram_socket { sendto }; + +allow key_enable key_enable:unix_dgram_socket { getopt setopt }; + +neverallow { domain -key_enable -storage_daemon} kernel:key { write setattr }; + +allow key_enable tmpfs:blk_file { read write }; + +allow key_enable tmpfs:chr_file { ioctl map open read write }; + +allow key_enable tmpfs:file { open }; + +allow key_enable tmpfs:sock_file { write }; + +allow key_enable dev_code_sign:chr_file { ioctl read write open }; + +allowxperm key_enable dev_code_sign:chr_file ioctl { 0x6b01 }; + +allow key_enable key_enable:code_sign { add_cert_chain }; + +allowxperm key_enable tmpfs:chr_file ioctl { 0x6201 0x6209}; + +allow key_enable data_file:dir { search }; + +allow key_enable data_service_el0_file:dir { getattr read search }; + +allow key_enable data_service_el1_file:dir { getattr read search }; + +allow key_enable data_service_file:dir { search }; + +allow key_enable trusted_profile_data_file:dir { getattr open read search }; + +allow key_enable trusted_profile_data_file:file { getattr open read }; + +allow key_enable data_service_el0_file:file { getattr read open }; + +allow key_enable data_service_el1_file:file { getattr read open }; + +allow key_enable devinfo_private_param:file { map open read }; + +allow key_enable foundation:binder { call transfer }; + +allow key_enable sa_foundation_cesfwk_service:samgr_class { get }; + +allow key_enable sa_screenlock_service:samgr_class {get}; + +allow key_enable proc_cmdline_file:file { open read }; + +neverallow { sh normal_hap_attr } key_enable_exec:file never_execute_file; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/local_code_sign.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/local_code_sign.te new file mode 100644 index 0000000000000000000000000000000000000000..78caee9105dc76f5ad7eacdd9d353bcbd8bf6683 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/local_code_sign.te @@ -0,0 +1,68 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(local_code_sign, samgr); + +binder_call(local_code_sign, huks_service); + +allow local_code_sign accesstoken_service:binder { call }; + +allow local_code_sign sa_param_watcher:samgr_class { get }; + +allow local_code_sign sa_local_code_sign:samgr_class { add get }; + +allow local_code_sign sa_huks_service:samgr_class { get }; + +allow local_code_sign sa_accesstoken_manager_service:samgr_class { get }; + +allow local_code_sign musl_param:file { map open read }; + +allow local_code_sign huks_service:binder { call }; + +allow local_code_sign hilog_param:file { map open read }; + +allow local_code_sign dev_unix_socket:dir { search }; + +allow local_code_sign debug_param:file { map open read }; + +allow local_code_sign proc_file:file { open read }; + +allow local_code_sign sysfs_devices_system_cpu:file { getattr open read }; + +allow local_code_sign data_file:dir { search }; + +allow local_code_sign data_local:dir { search }; + +debug_only(` +allow local_code_sign data_local:file { getattr open read }; +') + +allow local_code_sign local_code_sign:unix_dgram_socket { getopt setopt }; + +allow local_code_sign param_watcher:binder { call transfer }; + +allow local_code_sign tracefs:dir { search }; + +allow local_code_sign tracefs_trace_marker_file:file { open write }; + +allow local_code_sign tmpfs:chr_file { ioctl map open read write }; + +allow local_code_sign tmpfs:file { open }; + +allow local_code_sign tmpfs:sock_file { write }; + +allowxperm local_code_sign tmpfs:chr_file ioctl { 0x6201 0x6209 0x621f }; + +allow local_code_sign data_local_arkcache:dir { search }; + +allow local_code_sign data_local_arkcache:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..b5ba003cac41b9a336719036d4c485502404323e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher local_code_sign:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/samgr.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..a25ee413b136dd6bd21863793a422b70acea7e68 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/samgr.te @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr key_enable:dir { search open read getattr }; + +allow samgr key_enable:file { open read }; + +allow samgr key_enable:process { getattr }; + +allow samgr key_enable:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..46a914c451c327d76be368733c280091d42d5220 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_local_code_sign, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a835675cab3839be2e791117c0c39977bbc3ec63 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3507 u:object_r:sa_local_code_sign:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/su.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/su.te new file mode 100644 index 0000000000000000000000000000000000000000..01a3e2343f3bf8be426b1e34941e893aa60572f6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/su.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +allow su self:xpm { exec_no_sign exec_anon_mem }; +') diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..d27c7042fbeb4c93839074b2e068e99719e42052 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=1329 comm="m.ohos.launcher" scontext=u:r:system_basic_hap:s0 tcontext=u:r:kernel:s0 tclass=key permissive=0 +allow system_basic_hap kernel:key { search }; diff --git a/prebuilts/api/5.0/ohos_policy/security/code_signature/system/ueventd.te b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..cdf342455e0c68e792596a07f07a6baad2ad172f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/code_signature/system/ueventd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_code_sign:chr_file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/public/dslm.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/public/dslm.te new file mode 100644 index 0000000000000000000000000000000000000000..59a329dae64f21eeb9339bc72d77193cbdd8aff2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/public/dslm.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dslm_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..afed2dc9db64e644b646bcb6b3645564a1ae12eb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/device_manager.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=251 comm="device_manager" scontext=u:r:device_manager:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=0 +allow device_manager dslm_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/dslm.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/dslm.te new file mode 100644 index 0000000000000000000000000000000000000000..cb06dace0dfcca04e601c9a2e916b3aad49ac922 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/dslm.te @@ -0,0 +1,36 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(dslm_service, deviceauth_service); +binder_call(dslm_service, huks_service); +binder_call(dslm_service, accesstoken_service); +binder_call(dslm_service, softbus_server); +binder_call(dslm_service, samgr); +binder_call(dslm_service, device_manager); + +#avc: denied { getopt } for pid=434 comm="dslm_service" scontext=u:r:dslm_service:s0 tcontext=u:r:dslm_service:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=434 comm="dslm_service" scontext=u:r:dslm_service:s0 tcontext=u:r:dslm_service:s0 tclass=unix_dgram_socket permissive=1 +allow dslm_service dslm_service:unix_dgram_socket { getopt setopt }; + +#avc: denied { search } for pid=444 comm="dslm_service" name="socket" dev="tmpfs" ino=40 scontext=u:r:dslm_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dslm_service dev_unix_socket:dir { search }; + +allow dslm_service softbus_server:tcp_socket { read setopt write }; + +allow dslm_service system_etc_file:dir { getattr open read }; + +allow dslm_service system_profile_file:dir { search }; + +allow dslm_service sa_foundation_devicemanager_service:samgr_class { get }; + +allow dslm_service daudio:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..e1d2e5d6eed18743e821c4009112f89c07c6f59d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hdcd.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=434 comm="dslm_service" scontext=u:r:dslm_service:s0 tcontext=u:r:hdcd:s0 tclass=binder permissive=1 +binder_call(hdcd, dslm_service); diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hidumper.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hidumper.te new file mode 100644 index 0000000000000000000000000000000000000000..884b556e01e737c610326dc27a147b38b4aead86 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/hidumper.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read } for pid=507 comm="HiDumperManager" scontext=u:r:hidumper_service:s0 tcontext=u:r:dslm_service:s0 tclass=file permissive=1 +#avc: denied { open } for pid=507 comm="HiDumperManager" path="/proc/424/stat" dev="proc" ino=27413 scontext=u:r:hidumper_service:s0 tcontext=u:r:dslm_service:s0 tclass=file permissive=1 +allow hidumper_service dslm_service:file { read open }; + +#avc: denied { search } for pid=511 comm="HiDumperManager" name="434" dev="proc" ino=2632 scontext=u:r:hidumper_service:s0 tcontext=u:r:dslm_service:s0 tclass=dir permissive=1 +allow hidumper_service dslm_service:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/samgr.te b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..8f9f0ee852291b29e2404e73461c0dbd893fd667 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/device_security_level/system/samgr.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read } for pid=240 comm="samgr" name="current" dev="proc" ino=33107 scontext=u:r:samgr:s0 tcontext=u:r:dslm_service:s0 tclass=file permissive=1 +#avc: denied { open } for pid=240 comm="samgr" name="samgr" path="/proc/389/attr/current" dev="proc" ino=27413 scontext=u:r:samgr:s0 tcontext=u:r:dslm_service:s0 tclass=file permissive=1 +allow samgr dslm_service:file { read open }; + +#avc: denied { search } for pid=240 comm="samgr" name="389" dev="proc" ino=33947 scontext=u:r:samgr:s0 tcontext=u:r:dslm_service:s0 tclass=dir permissive=1 +allow samgr dslm_service:dir { search }; + +#avc: denied { getattr } for pid=240 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:dslm_service:s0 tclass=process permissive=1 +allow samgr dslm_service:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/deviceauth.te b/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/deviceauth.te new file mode 100644 index 0000000000000000000000000000000000000000..e318176aa22123f4cd21bce05a67056b6cd76cc8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/deviceauth.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type deviceauth_service, sadomain, domain; +type deviceauth_service_exec, exec_attr, file_attr, system_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/file.te b/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..80df0af2e2696baa753a017a97eb6a3bf0db7940 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/deviceauth/public/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_el1_public_deviceauthService_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/deviceauth.te b/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/deviceauth.te new file mode 100644 index 0000000000000000000000000000000000000000..23ada2370eacbed6de420b5e47bb9058dccd2613 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/deviceauth.te @@ -0,0 +1,33 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(deviceauth_service); + +binder_call(deviceauth_service, samgr); +allow deviceauth_service dev_unix_socket:dir { search }; +allow deviceauth_service data_file:dir { search }; +allow deviceauth_service system_bin_file:dir { search }; +allow deviceauth_service data_service_file:dir { search }; +allow deviceauth_service data_service_el1_file:dir { search }; +allow deviceauth_service data_service_el1_public_deviceauthService_file:dir { add_name create open read remove_name search write rmdir getattr setattr }; +allow deviceauth_service data_service_el1_public_deviceauthService_file:file { create getattr ioctl open read setattr unlink write }; +allow deviceauth_service deviceauth_service:unix_dgram_socket { getopt setopt }; +allow deviceauth_service accesstoken_service:binder { call }; +allow deviceauth_service foundation:binder { call transfer}; +allow deviceauth_service softbus_server:binder { call transfer }; +allow deviceauth_service accountmgr:binder { call }; +allow deviceauth_service huks_service:binder { call }; +allow deviceauth_service devinfo_private_param:file { map open read}; +allow deviceauth_service sa_foundation_cesfwk_service:samgr_class { get }; +allow deviceauth_service data_service_el2_file:dir { add_name create search write }; +allow deviceauth_service data_service_el2_file:file { create getattr ioctl open read setattr write }; diff --git a/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f4d26b9567dbff683c813af6100a875e2125cb01 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/deviceauth/system/file_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/deviceauth_service u:object_r:deviceauth_service_exec:s0 +/data/service/el1/public/deviceauth(/.*)? u:object_r:data_service_el1_public_deviceauthService_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/sehap_contexts b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/sehap_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9d8f04ec164925843a53bcf576690dfeb53bcd12 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/sehap_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apl=normal name=com.ohos.dlpmanager domain=dlpmanager_hap type=normal_hap_data_file +apl=normal extra=dlp_sandbox domain=dlp_sandbox_hap type=dlp_sandbox_hap_data_file diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/type.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..07ca81cb65606b4be4803b64d4b1ef15490f2015 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/public/type.te @@ -0,0 +1,19 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dlp_permission_service, sadomain, domain; +type dlpmanager_hap, normal_hap_attr, hap_domain, domain; +type dlp_fuse_file, fs_attr; + +type dlp_sandbox_hap, normal_hap_attr, hap_domain, domain; +type dlp_sandbox_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..8536867b1af7f6269f40451e3b1882965fa9a46f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/appspawn.te @@ -0,0 +1,39 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { open } for pid=14357 comm="appspawn" path="/dev/fuse" dev="tmpfs" ino=434 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1 +# avc: denied { read write } for pid=14357 comm="appspawn" name="fuse" dev="tmpfs" ino=434 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1 +allow appspawn dev_fuse_file:chr_file { open read write }; + +# avc: denied { mounton } for pid=3454 comm="appspawn" path="/mnt/sandbox/com.ohos.dlpmanager/data/fuse" dev="fuse" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:fuse_file:s0 tclass=dir permissive=1 +allow appspawn fuse_file:dir { mounton }; + +# avc: denied { mount } for pid=3454 comm="appspawn" name="/" dev="fuse" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:fuse_file:s0 tclass=filesystem permissive=1 +allow appspawn fuse_file:filesystem { mount }; + +# avc: denied { unmount } for pid=7670 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:object_r:fuse_file:s0 tclass=filesystem permissive=1 +allow appspawn fuse_file:filesystem { unmount }; + +# avc: denied { mounton } for pid=4924 comm="ohos.dlpmanager" path="/mnt/sandbox/com.ohos.dlpmanager/mnt/data/fuse" dev="fuse" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=dir permissive=1 +allow appspawn dlp_fuse_file:dir { mounton }; + +# avc: denied { mount } for pid=4924 comm="ohos.dlpmanager" name="/" dev="fuse" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=filesystem permissive=1 +# avc: denied { relabelfrom } for pid=4924 comm="ohos.dlpmanager" scontext=u:r:appspawn:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=filesystem permissive=1 +# avc: denied { relabelto } for pid=4924 comm="ohos.dlpmanager" scontext=u:r:appspawn:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=filesystem permissive=1 +allow appspawn dlp_fuse_file:filesystem { mount relabelfrom relabelto }; + +# avc: denied { relabelfrom } for pid=4924 comm="ohos.dlpmanager" scontext=u:r:appspawn:s0 tcontext=u:object_r:fuse_file:s0 tclass=filesystem permissive=1 +allow appspawn fuse_file:filesystem { relabelfrom }; + +# avc: denied { unmount } for pid=3664 comm="ohos.dlpmanager" scontext=u:r:appspawn:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=filesystem permissive=0 +allow appspawn dlp_fuse_file:filesystem { unmount }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9a231943265cf80a422a80c7a485a751c7b41abf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_permission_service.te @@ -0,0 +1,122 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=14376 comm="dlp_permission_" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +binder_call(dlp_permission_service, accesstoken_service); + +# avc: denied { search } for pid=14085 comm="sa_main" name="socket" dev="tmpfs" ino=44 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow dlp_permission_service dev_unix_socket:dir { search }; + +# avc: denied { call } for pid=14376 comm="IPC_2_14413" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +binder_call(dlp_permission_service, foundation); + +# avc: denied { map } for pid=14085 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=14085 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=14376 comm="dlp_permission_" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow dlp_permission_service hilog_param:file { map open read }; + +# avc: denied { map } for pid=3614 comm="dlp_permission_" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3614 comm="dlp_permission_" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3614 comm="dlp_permission_" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow dlp_permission_service debug_param:file { map open read }; + +# avc: denied { map } for pid=3614 comm="dlp_permission_" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=75 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3614 comm="dlp_permission_" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=75 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3614 comm="dlp_permission_" name="u:object_r:musl_param:s0" dev="tmpfs" ino=75 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow dlp_permission_service musl_param:file { map open read }; + +# avc: denied { call } for pid=14376 comm="dlp_permission_" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1 +binder_call(dlp_permission_service, hap_domain); + +# avc: denied { open } for pid=14376 comm="sa_main" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=113 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=14376 comm="sa_main" name="overcommit_memory" dev="proc" ino=113 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow dlp_permission_service proc_file:file { open read }; + +# avc: denied { get } for service=3503 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_accesstoken_manager_service:samgr_class { get }; + +# avc: denied { get } for service=200 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_accountmgr:samgr_class { get }; + +# avc: denied { call } for pid=3544 comm="dlp_permission_" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1 +binder_call(dlp_permission_service, accountmgr); + +# avc: denied { add } for service=3521 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_dlp_permission:samgr_class { add }; + +# avc: denied { get } for service=501 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for service=401 pid=5670 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_foundation_bms:samgr_class { get }; + +# avc: denied { transfer } for pid=3614 comm="SaInit0" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow dlp_permission_service foundation:binder { transfer }; +#avc: denied { use } for pid=635 comm="IPC_5_976" path="/dev/ashmem" dev="tmpfs" ino=237 scontext=u:r:dlp_permission_service:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=0 +allow dlp_permission_service foundation:fd { use }; +# avc: denied { get } for service=3901 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_param_watcher:samgr_class { get }; + +# avc: denied { call } for pid=3614 comm="dlp_permission_" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=3614 comm="dlp_permission_" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +binder_call(dlp_permission_service, param_watcher); + +# avc: denied { search } for pid=13601 comm="dlp_permission_" name="/" dev="tracefs" ino=1 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow dlp_permission_service tracefs:dir { search }; + +# avc: denied { open } for pid=3614 comm="dlp_permission_" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=10956 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=3614 comm="dlp_permission_" name="trace_marker" dev="tracefs" ino=10956 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow dlp_permission_service tracefs_trace_marker_file:file { open write }; + +# avc: denied { call } for pid=12263 comm="IPC_1_12275" scontext=u:r:dlp_permission_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +debug_only(` + allow dlp_permission_service sh:binder { call }; +') + +# avc: denied { add_name } for pid=4702 comm="IPC_1_4704" name="retention_sandbox_info.json" scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=4702 comm="IPC_1_4704" name="dlp_permission_service" dev="sdd78" ino=205 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow dlp_permission_service data_service_el1_file:dir { getattr search add_name write create read open remove_name rmdir }; + +# avc: denied { create } for pid=4702 comm="IPC_1_4704" name="retention_sandbox_info.json" scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2334 comm="IPC_13_2590" name="retention_sandbox_info.json" dev="sdd78" ino=2807 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=2334 comm="IPC_13_2590" name="retention_sandbox_info.json" dev="sdd78" ino=2807 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow dlp_permission_service data_service_el1_file:file { getattr ioctl open write create read setattr unlink lock map }; + +# avc: denied { get } for service=3901 pid=5063 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_foundation_cesfwk_service:samgr_class { get }; + +allow dlp_permission_service data_file:dir { search }; +allow dlp_permission_service data_service_file:dir { search }; + +allow dlp_permission_service dev_file:dir { getattr }; +allow dlp_permission_service dlp_permission_data_file:dir { getattr search }; +allow dlp_permission_service dlp_permission_data_file:file { getattr ioctl open setattr write }; +allow dlp_permission_service sa_foundation_cesfwk_service:samgr_class { get }; +allow dlp_permission_service sysfs_devices_system_cpu:file { getattr open read }; +allow dlp_permission_service system_bin_file:dir { search }; +allow dlp_permission_service vendor_bin_file:dir { search }; +allowxperm dlp_permission_service data_service_el1_file:file ioctl { 0x5413 0xf50c }; +allowxperm dlp_permission_service dlp_permission_data_file:file ioctl { 0x5413 }; +allow dlp_permission_service dlp_permission_data_file:file { read }; +allow dlp_permission_service dlp_permission_data_file:dir { add_name write }; +allow dlp_permission_service dlp_permission_data_file:file { create }; +# avc: denied { read write } for pid=3253 comm="sa_main" path="/dev/console" dev="tmpfs" ino=75 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow dlp_permission_service dev_console_file:chr_file { read write }; + +# avc: denied { get } for service=511 pid=2181 scontext=u:r:dlp_permission_service:s0 tcontext=u:object_r:sa_installd_service:s0 tclass=samgr_class permissive=1 +allow dlp_permission_service sa_installd_service:samgr_class { get }; + +allow dlp_permission_service { vendor_etc_file sys_prod_file chip_prod_file }:dir { search }; + +allow dlp_permission_service sa_distributeddata_service:samgr_class { get }; +binder_call(dlp_permission_service, distributeddata); diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_sandbox.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_sandbox.te new file mode 100644 index 0000000000000000000000000000000000000000..1da1f8dbabc9626fdd142904a680ce59b6a48ba5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlp_sandbox.te @@ -0,0 +1,28 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dlp_sandbox_hap dlp_fuse_file:file { open read write getattr }; +allow dlp_sandbox_hap dlp_fuse_file:dir { search open read write getattr }; +neverallow { domain -dlp_sandbox_hap } dlp_fuse_file:file { open read write }; +neverallow sh dlp_fuse_file:file { open read write }; + +allow dlp_sandbox_hap dlp_sandbox_hap_data_file:file { open read write }; + +neverallow { hap_domain -dlp_sandbox_hap -isolated_render } dlp_sandbox_hap_data_file:file { open read write }; +neverallow sh dlp_sandbox_hap_data_file:file { open read write }; + +#avc: denied { ioctl } for pid=9242 comm="mali-hist-dump" path="/dev/mali0" dev="tmpfs" ino=526 ioctlcmd=0x801b scontext=u:r:dlp_sandbox_hap:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permission=1 +allow dlp_sandbox_hap dev_mali:chr_file { ioctl }; + +#avc: denied { ioctl } for pid=9242 comm="mali-hist-dump" path="/dev/mali0" dev="tmpfs" ino=526 ioctlcmd=0x801b scontext=u:r:dlp_sandbox_hap:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permission=1 +allowxperm dlp_sandbox_hap dev_mali:chr_file ioctl { 0x800f 0x801b }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlpmanager_hap.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlpmanager_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..2f46c55ef2b3c3b93ce6934642b89ed0c19ccb9a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/dlpmanager_hap.te @@ -0,0 +1,33 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=3596 comm="com.ohos.dlpman" path="/fuse" dev="tmpfs" ino=438 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1 +# avc: denied { read } for pid=3596 comm="com.ohos.dlpman" path="/fuse" dev="tmpfs" ino=438 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1 +# avc: denied { write } for pid=3596 comm="com.ohos.dlpman" path="/fuse" dev="tmpfs" ino=438 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1 +allow dlpmanager_hap dev_fuse_file:chr_file { getattr read write }; + +# avc: denied { search } for pid=3454 comm="com.ohos.dlpman" name="/" dev="fuse" ino=1 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:fuse_file:s0 tclass=dir permissive=1 +allow dlpmanager_hap fuse_file:dir { search }; + +# avc: denied { getattr } for pid=3454 comm="com.ohos.dlpman" path="/data/fuse/com.example.ohnotes181722182255.dlp.link" dev="fuse" ino=547205767168 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3454 comm="com.ohos.dlpman" path="/data/fuse/default.dlp" dev="fuse" ino=547205767392 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=3454 comm="com.ohos.dlpman" name="default.dlp" dev="fuse" ino=547205767392 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:fuse:s0 tclass=file permissive=1 +allow dlpmanager_hap fuse_file:file { open }; + +# avc: denied { search } for pid=4806 comm="com.ohos.dlpmanager" name="/" dev="fuse" ino=1 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=dir permissive=1 +allow dlpmanager_hap dlp_fuse_file:dir { search }; + +# avc: denied { getattr } for pid=4806 comm="com.ohos.dlpmanager" path="/mnt/data/fuse/com.example.ohnotes_1_17033229925098225126260049263.txt.dlp.link" dev="fuse" ino=548097499168 scontext=u:r:dlpmanager_hap:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=file permissive=1 +allow dlpmanager_hap dlp_fuse_file:file { getattr }; + +neverallow dlpmanager_hap dlp_fuse_file:file { open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..e643feb571d709e485c9f9611aed707c32177be2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file.te @@ -0,0 +1,14 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dlp_permission_data_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a58fba07e0d20de51f9a7b0baa0ca4ab1e7142c0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/service/el1/public/dlp_permission_service(/.*)? u:object_r:dlp_permission_data_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..9004554349a394a875e3d48c796372cffaad917e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/foundation.te @@ -0,0 +1,25 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1170 comm="AppStateObserve" scontext=u:r:foundation:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=1170 comm="AppStateObserve" scontext=u:r:foundation:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +allow foundation dlp_permission_service:binder { call transfer }; + +# avc: denied { read write } for pid=5931 comm="com.ohos.dlptes" path="/storage/media/local/files/Documents/file_1671604854140.txt.dlp" dev="hmdfs" ino=2305843009213725239 scontext=u:r:foundation:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 +allow foundation hmdfs:file { read write }; + +# avc: denied { get } for service=3521 pid=1170 scontext=u:r:foundation:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow foundation sa_dlp_permission:samgr_class { get }; + +# avc: denied { read write } for pid=3454 comm="com.ohos.dlpman" path="/data/fuse/com.example.ohnotes181722182255.dlp.link" dev="fuse" ino=547205767168 scontext=u:r:foundation:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +allow foundation fuse_file:file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..a1bd294833f405e6b41224943d52731918bec338 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hap_domain.te @@ -0,0 +1,26 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=14357 comm="com.ohos.dlpman" scontext=u:r:normal_hap:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=14357 comm="com.ohos.dlpman" scontext=u:r:normal_hap:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +binder_call(hap_domain, dlp_permission_service); + +# avc: denied { get } for service=3521 pid=4804 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow hap_domain sa_dlp_permission:samgr_class { get }; + +# avc: denied { get } for service=3521 pid=5689 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow hap_domain sa_dlp_permission:samgr_class { get }; + +# avc: denied { getattr } for pid=3143 comm="com.example.ohn" path="/data/fuse/com.example.ohnotes182158953018.dlp.link" dev="fuse" ino=547686096896 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=1218 comm="AppMgrService" path="/data/fuse/com.example.ohnotes182158953018.dlp.link" dev="fuse" ino=547686096896 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +allow hap_domain fuse_file:file { getattr read write open }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..dc4aa1b26bd129a4ccca2a11ce7d63d113d4ceda --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=3521 pid=1553 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_dlp_permission:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/init.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..99767a26f2e88307a8645d88d8be88fca3b8fc4f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/init.te @@ -0,0 +1,29 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { rlimitinh } for pid=14376 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:dlp_permission_service:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=14376 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:dlp_permission_service:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=14376 comm="init" path="/system/bin/sa_main" dev="sdd74" ino=406 scontext=u:r:init:s0 tcontext=u:r:dlp_permission_service:s0 tclass=process permissive=1 +allow init dlp_permission_service:process { rlimitinh siginh transition }; + +# avc: denied { relabelto } for pid=1 comm="init" name="dlp_permission_service" dev="sdd78" ino=3362 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=0 +allow init dlp_permission_data_file:dir { relabelto }; +allow init dlp_permission_data_file:file { getattr }; + +# avc: denied { relabelto } for pid=1 comm="init" name="retention_sandbox_info.json" dev="sdd78" ino=6121 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=file permissive=0 +allow init dlp_permission_data_file:file { relabelto }; +# avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/dlp_permission_service" dev="sdd78" ino=144 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/dlp_permission_service" dev="sdd78" ino=144 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1 comm="init" name="dlp_permission_service" dev="sdd78" ino=144 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=1 comm="init" name="dlp_permission_service" dev="sdd78" ino=144 scontext=u:r:init:s0 tcontext=u:object_r:dlp_permission_data_file:s0 tclass=dir permissive=1 +allow init dlp_permission_data_file:dir { getattr open read setattr }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/isolated_render.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/isolated_render.te new file mode 100644 index 0000000000000000000000000000000000000000..72a252d8ef4dfb94a29819520e11b1c7fc611e1e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/isolated_render.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read write } for pid=9605 comm="com.example.web" path="2F646174612F73746F726167652F656C322F626173652F63616368652F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E496A504D4C48202864656C6574656429" dev="sdd78" ino=47436 scontext=u:r:isolated_render:s0 tcontext=u:object_r:dlp_sandbox_hap_data_file:s0 tclass=file permission=1 +allow isolated_render dlp_sandbox_hap_data_file:file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..411539b3e6fdfe20802319c9ca9e1d0187cdbbe2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=460 comm="param_watcher" scontext=u:r:param_watcher:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +allow param_watcher dlp_permission_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2e3c6d1854d880c400698eeb995c299150867f6f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/pasteboard_service.te @@ -0,0 +1,18 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1192 comm="pasteboard_serv" scontext=u:r:pasteboard_service:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1 +binder_call(pasteboard_service, dlp_permission_service); + +# avc: denied { get } for service=3521 pid=1192 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_dlp_permission:s0 tclass=samgr_class permissive=1 +allow pasteboard_service sa_dlp_permission:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..218907b6a43dcb0158db480cc7f53f8ca7de3c0a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3521 u:object_r:sa_dlp_permission:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..c2468c0c20398e99a97629511b02a39dd5db62ba --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/storage_daemon.te @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=494 comm="storage_daemon" name="/" dev="fuse" ino=1 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:fuse_file:s0 tclass=dir permissive=1 +allow storage_daemon fuse_file:dir { search }; + +# avc: denied { getattr } for pid=494 comm="storage_daemon" path="/mnt/sandbox/com.ohos.dlpmanager/mnt/data/fuse/com.example.ohnotes_1_1690421751019.txt.dlp.link" dev="fuse" ino=548086857696 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=494 comm="storage_daemon" path="/mnt/sandbox/com.ohos.dlpmanager/mnt/data/fuse/com.example.ohnotes_1_1690421704467.txt.dlp.link" dev="fuse" ino=545122760448 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=494 comm="storage_daemon" path="/mnt/sandbox/com.ohos.dlpmanager/mnt/data/fuse/com.example.ohnotes_1_1690421742601.txt.dlp.link" dev="fuse" ino=548086857696 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:fuse_file:s0 tclass=file permissive=1 +allow storage_daemon fuse_file:file { getattr }; + +# avc: denied { search } for pid=630 comm="storage_daemon" name="/" dev="fuse" ino=1 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=dir permissive=1 +allow storage_daemon dlp_fuse_file:dir { search }; + +# avc: denied { getattr } for pid=630 comm="storage_daemon" path="/mnt/data/fuse/com.example.ohnotes_1_17033229925098225126260049263.txt.dlp.link" dev="fuse" ino=548126858176 scontext=u:r:storage_daemon:s0 tcontext=u:object_r:dlp_fuse_file:s0 tclass=file permissive=1 +allow storage_daemon dlp_fuse_file:file { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/type.te b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..4e2d6a03cb2ba47e7ae30e1384217a9faa0ef1c1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/dlp_permission_service/system/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_dlp_permission, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/public/type.te b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..99e7e016e4a23a2138962fc8132ab0a31e44006d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type el5_filekey_manager, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..de41309d7c1c139326ffb9c62dd7237bf6201fa5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/el5_filekey_manager.te @@ -0,0 +1,60 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow el5_filekey_manager sa_accesstoken_manager_service:samgr_class { get }; +allow el5_filekey_manager sa_foundation_cesfwk_service:samgr_class { get }; +allow el5_filekey_manager sa_screenlock_service:samgr_class { get }; +allow el5_filekey_manager sa_el5_filekey_manager:samgr_class { add }; +allow hap_domain sa_el5_filekey_manager:samgr_class { get }; +allow foundation sa_el5_filekey_manager:samgr_class { get }; + +binder_call(hap_domain, el5_filekey_manager); +binder_call(el5_filekey_manager, accesstoken_service); +binder_call(el5_filekey_manager, foundation); +binder_call(foundation, el5_filekey_manager); + +allow init el5_filekey_manager:process { rlimitinh siginh transition }; + +# avc: denied { map } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2030 comm="sa_main" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow el5_filekey_manager debug_param:file { map open read }; + +# avc: denied { read write } for pid=2030 comm="sa_main" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow el5_filekey_manager dev_console_file:chr_file { read write }; + +# avc: denied { search } for pid=2030 comm="sa_main" name="socket" dev="tmpfs" ino=43 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow el5_filekey_manager dev_unix_socket:dir { search }; + +# avc: denied { getopt } for pid=1643 comm="SaOndemand" scontext=u:r:el5_filekey_manager:s0 tcontext=u:r:el5_filekey_manager:s0 tclass=unix_dgram_socket permissive=1 +# avc: denied { setopt } for pid=1643 comm="SaOndemand" scontext=u:r:el5_filekey_manager:s0 tcontext=u:r:el5_filekey_manager:s0 tclass=unix_dgram_socket permissive=1 +allow el5_filekey_manager el5_filekey_manager:unix_dgram_socket { getopt setopt }; + +# avc: denied { map } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=71 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2030 comm="sa_main" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=71 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2030 comm="sa_main" name="u:object_r:persist_param:s0" dev="tmpfs" ino=71 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow el5_filekey_manager persist_param:file { map open read }; + +# avc: denied { read } for pid=2030 comm="el5_filekey_man" name="online" dev="sysfs" ino=4921 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow el5_filekey_manager sysfs_devices_system_cpu:file { read getattr open }; + +# avc: denied { search } for pid=2030 comm="el5_filekey_man" name="/" dev="tracefs" ino=1 scontext=u:r:el5_filekey_manager:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow el5_filekey_manager tracefs:dir { search }; + +allow hap_domain data_app_el5_file:dir { add_name search read write create open remove_name setattr }; +allow hap_domain data_app_el5_file:file { create read write open lock unlink map setattr getattr rename }; + +allow el5_filekey_manager devpts:chr_file { write }; +debug_only(` + allow el5_filekey_manager su:fd { use }; +') diff --git a/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service.te b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..be7fff25ddbbc50f8632a5a1f08ed4c4e1a1b5fe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_el5_filekey_manager, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d343447c77c1544b4d497f41be26ecefbf9e6d1d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/el5_filekey_manager/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +8250 u:object_r:sa_el5_filekey_manager:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/encaps/public/dev_encaps.te b/prebuilts/api/5.0/ohos_policy/security/encaps/public/dev_encaps.te new file mode 100644 index 0000000000000000000000000000000000000000..d34ef8ac77e683b1b96a3ef66266c33951294eea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/encaps/public/dev_encaps.te @@ -0,0 +1,24 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_encaps, dev_attr; + +allow { domain -hap_domain -rgm_violator_ohos_dev_encaps_chr_file } dev_encaps:chr_file { ioctl read open }; +neverallow { hap_domain } dev_encaps:chr_file { ioctl read open }; + +allowxperm { appspawn init } dev_encaps:chr_file ioctl { 0x4518 }; +allowxperm appspawn dev_encaps:chr_file ioctl { 0x451a }; +neverallowxperm { domain -appspawn -init } dev_encaps:chr_file ioctl { 0x4518 0x451a }; +allowxperm { domain -hap_domain -rgm_violator_ohos_dev_encaps_chr_file } dev_encaps:chr_file ioctl { 0x4519 }; +neverallowxperm { domain } dev_encaps:chr_file ioctl ~{ 0x4518 0x4519 0x451a }; +allow { appspawn init } dev_encaps:chr_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/security/encaps/public/file_contexts b/prebuilts/api/5.0/ohos_policy/security/encaps/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ffbdce33b21cf816f5ac8ad7c96be00d1527f0fa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/encaps/public/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/dev/encaps u:object_r:dev_encaps:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/huks/public/file.te b/prebuilts/api/5.0/ohos_policy/security/huks/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..7a1a7d6cafccdfbead6007998921c0d3d776572c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/huks/public/file.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_service_el1_public_huksService_file, file_attr, data_file_attr; +type data_service_el2_public_huksService_file, file_attr, data_file_attr; +type data_service_el2_userId_huksService_file, file_attr, data_file_attr; +type data_service_el4_userId_huksService_file, file_attr, data_file_attr; +type data_data_huksService_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/huks/public/type.te b/prebuilts/api/5.0/ohos_policy/security/huks/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..3c4a1679071f403081c9d06d91db5eb82f9dd2bf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/huks/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_huks_service, sa_service_attr; + +type huks_service, sadomain, domain; +type huks_service_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/security/huks/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/huks/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..797faeee5a044077a86a68c545d8cffa04e0b303 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/huks/system/file_contexts @@ -0,0 +1,19 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/huks_service u:object_r:huks_service_exec:s0 +/data/service/el1/public/huks_service(/.*)? u:object_r:data_service_el1_public_huksService_file:s0 +/data/service/el2/public/huks_service(/.*)? u:object_r:data_service_el2_public_huksService_file:s0 +/data/service/el2/[0-9]+/huks_service(/.*)? u:object_r:data_service_el2_userId_huksService_file:s0 +/data/service/el4/[0-9]+/huks_service(/.*)? u:object_r:data_service_el4_userId_huksService_file:s0 +/data/data/huks_service(/.*)? u:object_r:data_data_huksService_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/huks/system/huks.te b/prebuilts/api/5.0/ohos_policy/security/huks/system/huks.te new file mode 100644 index 0000000000000000000000000000000000000000..83514c3061060684c94554bea33de5c6917a063f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/huks/system/huks.te @@ -0,0 +1,80 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(huks_service); + +binder_call(huks_service, samgr); +#allow huks_service default_service:samgr_class { get add }; +allow huks_service data_file:dir { search }; +allow huks_service data_service_file:dir { search }; +allow huks_service data_service_el1_file:dir { search create write open read add_name remove_name }; +allow huks_service data_service_el1_file:file { create write open read unlink getattr setattr }; +allow huks_service data_service_el1_public_huksService_file:dir { add_name create open read remove_name search write rmdir getattr setattr rename }; +allow huks_service data_service_el1_public_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allow huks_service data_service_el2_file:dir { search create write open read add_name remove_name }; +allow huks_service data_service_el2_file:file { create write open read unlink getattr setattr }; +allow huks_service data_service_el2_public_huksService_file:dir { add_name create open read remove_name search write rmdir getattr setattr rename }; +allow huks_service data_service_el2_public_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allow huks_service data_service_el4_file:dir { search create write open read add_name remove_name }; +allow huks_service data_service_el4_file:file { create write open read unlink getattr setattr }; +allow huks_service data_service_el2_userId_huksService_file:dir { add_name create open read remove_name search write getattr rmdir }; +allow huks_service data_service_el2_userId_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allow huks_service data_service_el4_userId_huksService_file:dir { add_name create open read remove_name search write getattr rmdir }; +allow huks_service data_service_el4_userId_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allow huks_service data_data_file:dir { search }; +allow huks_service data_data_huksService_file:dir { add_name create open read remove_name search write rmdir getattr setattr }; +allow huks_service data_data_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allowxperm huks_service data_data_huksService_file:file ioctl { 0x5705 }; +allowxperm huks_service data_service_el2_userId_huksService_file:file ioctl { 0x5413 }; +allowxperm huks_service data_service_el4_userId_huksService_file:file ioctl { 0x5413 }; +allow huks_service foundation:binder { call transfer }; +allow huks_service vendor_lib_file:dir { search }; +allow huks_service samain_exec:file { entrypoint execute map read }; +allow huks_service samgr:binder { call }; +allow huks_service system_profile_file:dir { search }; +allow huks_service tmpfs:lnk_file { read }; +allow huks_service accesstoken_service:binder { call }; +allow huks_service data_log:file { read write }; +allow huks_service faultloggerd:fd { use }; +allow huks_service faultloggerd:unix_stream_socket { connectto }; +allow huks_service hiview:binder { call }; +allow huks_service dev_unix_socket:dir { search }; +allow huks_service sa_huks_service:samgr_class { get add }; +allow huks_service sa_foundation_cesfwk_service:samgr_class { get }; +allow huks_service sa_useriam_useridm_service:samgr_class { get }; +allow huks_service telephony_sa:binder { call }; + +#avc: denied { transfer } for pid=273 comm="huks_service" scontext=u:r:huks_service:s0 tcontext=u:r:useriam:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=452 comm="useriam" scontext=u:r:useriam:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow huks_service useriam:binder { call transfer }; + +#avc: denied { getopt } for pid=273 comm="huks_service" scontext=u:r:huks_service:s0 tcontext=u:r:huks_service:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { setopt } for pid=273 comm="huks_service" scontext=u:r:huks_service:s0 tcontext=u:r:huks_service:s0 tclass=unix_dgram_socket permissive=1 +allow huks_service huks_service:unix_dgram_socket { getopt setopt }; + +allow huks_service devinfo_private_param:file { map open read }; + +#avc: denied { get } for service=401 pid=342 scontext=u:r:huks_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow huks_service sa_foundation_bms:samgr_class { get }; +allow huks_service sa_ca_daemon_service:samgr_class { add get }; + +debug_only(` + allow huks_service su:binder { call transfer }; + allow su huks_service:binder { call transfer }; +') + +allow dslm_service huks_service:binder { call transfer }; +allow huks_service dslm_service:binder { call transfer }; + +allow hap_domain huks_service:binder { call transfer }; +allow huks_service hap_domain:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/huks/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/huks/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..fffdd719b669003b503b20094b004a733302069c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/huks/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3510 u:object_r:sa_huks_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/jitfort/public/attributes b/prebuilts/api/5.0/ohos_policy/security/jitfort/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..002b1c77c94ca7d87d94dc41a34940c7f7948522 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/jitfort/public/attributes @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute jitfort_lib_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/jitfort/system/jitfort.te b/prebuilts/api/5.0/ohos_policy/security/jitfort/system/jitfort.te new file mode 100644 index 0000000000000000000000000000000000000000..f9ea0b834c55da63b5134f40b441fd315064d188 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/jitfort/system/jitfort.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow jitfort_lib_attr jitfort_lib_attr:xpm { exec_in_jitfort }; +allow domain jitfort_lib_attr:file { execute getattr map open read }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..d2ab0389e5386b9931a7ebd1f01c0d29da7c68b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied {transfer} for pid=1471, comm="/system/bin/sa_main" scontext=u:r:distributeddata:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow distributeddata security_component_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..4884e866a986e5066bc68af2ed74d7bd464b828f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/foundation.te @@ -0,0 +1,17 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1197 comm="AppStateObserve" scontext=u:r:foundation:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=1197 comm="AppStateObserve" scontext=u:r:foundation:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow foundation security_component_service:binder { call transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ab62a0958cce1c4e8f62e0d91b3645f2dd7b66f2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/hidumper_service.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=3506 pid=1202 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_security_component:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_security_component:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/init.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..2540b3bfc04bae07c9461795b15ae19ddbf13199 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/init.te @@ -0,0 +1,18 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { rlimitinh } for pid=3239 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:security_component_service:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=3239 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:security_component_service:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=3239 comm="init" path="/system/bin/sa_main" dev="sdd74" ino=382 scontext=u:r:init:s0 tcontext=u:r:security_component_service:s0 tclass=process permissive=1 +allow init security_component_service:process { rlimitinh siginh transition }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..4e9c2f3bafe4f239b71a9d9f2c074c919ac77947 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/normal_hap.te @@ -0,0 +1,18 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { get } for service=3506 pid=3201 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_security_component:s0 tclass=samgr_class permissive=1 +allow hap_domain sa_security_component:samgr_class { get }; + +# avc: denied { call } for pid=3201 comm="com.example.tes" scontext=u:r:normal_hap:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow hap_domain security_component_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..ff229870242d7c0a6dfa9d78fbe8a941f1d1b6c8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/param_watcher.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=451 comm="IPC_0_492" scontext=u:r:param_watcher:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow param_watcher security_component_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/privacy.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/privacy.te new file mode 100644 index 0000000000000000000000000000000000000000..4f948881b4477c4612f83a63c28ea328689203b8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/privacy.te @@ -0,0 +1,15 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=1427 comm="IPC_4_2567" scontext=u:r:privacy_service:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow privacy_service security_component_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/security_component_service.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/security_component_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ed4fdfffc562e2901a61d0bf97049808bcc9d161 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/security_component_service.te @@ -0,0 +1,156 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=3239 comm="IPC_3_3307" scontext=u:r:security_component_service:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow security_component_service accesstoken_service:binder { call transfer }; + +# avc: denied { map } for pid=3239 comm="security_compon" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=106 scontext=u:r:security_component_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3239 comm="security_compon" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=106 scontext=u:r:security_component_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3239 comm="security_compon" name="u:object_r:debug_param:s0" dev="tmpfs" ino=106 scontext=u:r:security_component_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow security_component_service debug_param:file { map open read }; + +# avc: denied { search } for pid=3239 comm="sa_main" name="socket" dev="tmpfs" ino=76 scontext=u:r:security_component_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow security_component_service dev_unix_socket:dir { search }; + +# avc: denied { call } for pid=3239 comm="IPC_3_3307" scontext=u:r:security_component_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=3239 comm="SaInit0" scontext=u:r:security_component_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow security_component_service foundation:binder { call transfer }; + +# avc: denied { map } for pid=3239 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=102 scontext=u:r:security_component_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3239 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=102 scontext=u:r:security_component_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3239 comm="sa_main" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=102 scontext=u:r:security_component_service:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow security_component_service hilog_param:file { map open read }; + +# avc: denied { map } for pid=3239 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=108 scontext=u:r:security_component_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=3239 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=108 scontext=u:r:security_component_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3239 comm="sa_main" name="u:object_r:musl_param:s0" dev="tmpfs" ino=108 scontext=u:r:security_component_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow security_component_service musl_param:file { map open read }; + +# avc: denied { call } for pid=3239 comm="security_compon" scontext=u:r:security_component_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=3239 comm="security_compon" scontext=u:r:security_component_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow security_component_service param_watcher:binder { call transfer }; + +# avc: denied { open } for pid=3239 comm="sa_main" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=29356 scontext=u:r:security_component_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=3239 comm="sa_main" name="overcommit_memory" dev="proc" ino=29356 scontext=u:r:security_component_service:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow security_component_service proc_file:file { open read }; + +# avc: denied { get } for service=3503 pid=3239 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_accesstoken_manager_service:samgr_class { get }; + +# avc: denied { get } for service=501 pid=3239 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for service=3901 pid=3239 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_param_watcher:samgr_class { get }; + +# avc: denied { add } for service=3506 pid=3239 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_security_component:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_security_component:samgr_class { add }; + +# avc: denied { search } for pid=3239 comm="sa_main" name="bin" dev="sdd74" ino=152 scontext=u:r:security_component_service:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow security_component_service system_bin_file:dir { search }; + +# avc: denied { search } for pid=3239 comm="security_compon" name="/" dev="tracefs" ino=1 scontext=u:r:security_component_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow security_component_service tracefs:dir { search }; + +# avc: denied { open } for pid=3239 comm="security_compon" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13064 scontext=u:r:security_component_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=3239 comm="security_compon" name="trace_marker" dev="tracefs" ino=13064 scontext=u:r:security_component_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow security_component_service tracefs_trace_marker_file:file { open write }; + +# avc: denied { search } for pid=3239 comm="sa_main" name="bin" dev="sdd72" ino=12 scontext=u:r:security_component_service:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=1 +allow security_component_service vendor_bin_file:dir { search }; + +# avc: denied { call } for pid=3201 comm="com.example.tes" scontext=u:r:normal_hap:s0 tcontext=u:r:security_component_service:s0 tclass=binder permissive=1 +allow security_component_service hap_domain:binder { call transfer }; + +# avc: denied { get } for service=4607 pid=3515 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_foundation_dms:samgr_class { get }; + +# avc: denied { get } for service=3505 pid=3288 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_privacy_service:samgr_class { get }; + +#avc: denied { get } for service=3101 pid=3924 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_multimodalinput_service:samgr_class { get }; + +# avc: denied { getopt } for pid=3924 comm="SaInit7" scontext=u:r:security_component_service:s0 tcontext=u:r:security_component_service:s0 tclass=unix_dgram_socket permissive=1 +# avc: denied { setopt } for pid=2942 comm="SaInit0" scontext=u:r:security_component_service:s0 tcontext=u:r:security_component_service:s0 tclass=unix_dgram_socket permissive=1 +allow security_component_service security_component_service:unix_dgram_socket { getopt setopt }; + +# avc: denied { call } for pid=2942 comm="IPC_1_2944" scontext=u:r:security_component_service:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow security_component_service multimodalinput:binder { call }; + +# avc: denied { use } for pid=639 comm="IPC_1_759" path="socket:[34903]" dev="sockfs" ino=34903 scontext=u:r:security_component_service:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1 +allow security_component_service multimodalinput:fd { use }; + +# avc: denied { read write } for pid=639 comm="IPC_1_759" path="socket:[34903]" dev="sockfs" ino=34903 scontext=u:r:security_component_service:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +# avc: denied { write } for pid=2942 comm="security_compon" scontext=u:r:security_component_service:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow security_component_service multimodalinput:unix_stream_socket { read write write }; + +# avc: denied { call } for pid=2942 comm="SaInit0" scontext=u:r:security_component_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=1 +allow security_component_service privacy_service:binder { call transfer }; + +# avc: denied { call } for pid=2854 comm="IPC_1_2877" scontext=u:r:security_component_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=2854 comm="IPC_1_2877" scontext=u:r:security_component_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1 +debug_only(` + allow security_component_service sh:binder { call transfer }; +') + +# avc: denied { search } for pid=2765 comm="SaInit0" name="/" dev="sdd78" ino=3 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow security_component_service data_file:dir { search }; + +# avc: denied { add_name } for pid=2600 comm="EventRunner#1" name="first_use_record.json" scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=2600 comm="EventRunner#1" path="/data/service/el1/public/security_component_service" dev="sdd78" ino=10693 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=2765 comm="SaInit0" name="el1" dev="sdd78" ino=10469 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=2600 comm="EventRunner#1" name="security_component_service" dev="sdd78" ino=10693 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow security_component_service data_service_el1_file:dir { add_name getattr search write }; + +# avc: denied { create } for pid=2600 comm="EventRunner#1" name="first_use_record.json" scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=2765 comm="SaInit0" path="/data/service/el1/public/security_component_service/first_use_record.json" dev="sdd78" ino=19788 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=2600 comm="EventRunner#1" path="/data/service/el1/public/security_component_service/first_use_record.json" dev="sdd78" ino=19788 ioctlcmd=0x5413 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2765 comm="SaInit0" path="/data/service/el1/public/security_component_service/first_use_record.json" dev="sdd78" ino=19788 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2765 comm="SaInit0" name="first_use_record.json" dev="sdd78" ino=19788 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { write open } for pid=2600 comm="EventRunner#1" path="/data/service/el1/public/security_component_service/first_use_record.json" dev="sdd78" ino=19788 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow security_component_service data_service_el1_file:file { create getattr ioctl open read write }; + +# avc: denied { search } for pid=2765 comm="SaInit0" name="service" dev="sdd78" ino=10465 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow security_component_service data_service_file:dir { search }; + +# avc: denied { map } for pid=2765 comm="security_compon" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=136 scontext=u:r:security_component_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2765 comm="security_compon" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=136 scontext=u:r:security_component_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2765 comm="security_compon" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=136 scontext=u:r:security_component_service:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 +allow security_component_service persist_sys_param:file { map open read }; + +# avc: denied { get } for service=180 pid=2600 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { getattr } for pid=2765 comm="security_compon" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33381 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=2765 comm="security_compon" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33381 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=2765 comm="security_compon" name="online" dev="sysfs" ino=33381 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow security_component_service sysfs_devices_system_cpu:file { getattr open read }; + +# avc: denied { ioctl } for pid=2600 comm="EventRunner#1" path="/data/service/el1/public/security_component_service/first_use_record.json" dev="sdd78" ino=19788 ioctlcmd=0x5413 scontext=u:r:security_component_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allowxperm security_component_service data_service_el1_file:file ioctl { 0x5413 }; + +# avc: denied { get } for service=4606 pid=2034 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=0 +allow security_component_service sa_foundation_wms:samgr_class { get }; + +# avc: denied { get } for service=401 pid=6860 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow security_component_service sa_foundation_bms:samgr_class { get }; + +# avc: denied { call } for pid=6745, comm="/system/bin/sa_main" scontext=u:r:security_component_service:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1 +allow security_component_service distributeddata:binder { call }; + +# avc: denied { use } for pid=6745, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 ioctlcmd=0xaaaa scontext=u:r:security_component_service:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1 +allow security_component_service distributeddata:fd { use }; + +# avc: denied { get } for service=1301 sid=u:r:security_component_service:s0 scontext=u:r:security_component_service:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=1 +allow security_component_service sa_distributeddata_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/security_component/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a2b6c724d03ce7b5a238d70d0f51c401cdeacaa1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3506 u:object_r:sa_security_component:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_component/system/type.te b/prebuilts/api/5.0/ohos_policy/security/security_component/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..266cd308d9ebcce7b89f9635c05aa2bb81857cb3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_component/system/type.te @@ -0,0 +1,16 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type security_component_service, sadomain, domain; +type sa_security_component, sa_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/public/type.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..3e6e4ef614c927f25649267c456e26ee67d57f1a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/public/type.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type security_guard, sadomain, domain; +type security_collector, sadomain, domain; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..0d1b9840aee4fa494c976171e922ac5fde3a834a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata security_guard:binder { transfer call }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..f1f703d0fa5cce4c200f380519634e1093b72718 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type system_etc_security_guard_file, system_file_attr, file_attr; +type data_service_el1_public_security_guard_file, data_file_attr, file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e5174a9857c96d53225f7ca54ed766e9ec093e18 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/file_contexts @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/etc/security_guard_model.cfg u:object_r:system_etc_security_guard_file:s0 +/system/etc/security_guard_event.cfg u:object_r:system_etc_security_guard_file:s0 +/system/etc/security_guard.cfg u:object_r:system_etc_security_guard_file:s0 +/data/service/el1/public/security_guard(/.*)? u:object_r:data_service_el1_public_security_guard_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/foundation.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..f6b00f7efcdeb09672bcb26ef89a7ee1e5fe446f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation security_guard:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/hiview.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..f9c77d445fed4d35bd87071e0f35c5c6e4e65353 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/hiview.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hiview security_guard:dir { search }; +allow hiview security_guard:file { getattr read open }; +allow hiview security_guard:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/init.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..9a2e790a81d65b315de3a4d9b19bef8493b37220 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init security_guard:process { siginh transition rlimitinh }; +allow init data_service_el1_public_security_guard_file:dir { relabelto getattr read setattr open write add_name create search }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..b251c0a154c4338e3dee88701b1be4b640787c34 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/normal_hap.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain sa_sg_classify_service:samgr_class { get }; +allow hap_domain sa_sg_collect_service:samgr_class { get }; +allow hap_domain security_guard:binder { call transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_collector.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_collector.te new file mode 100644 index 0000000000000000000000000000000000000000..2d56deeb37a0d1227d337db867af837e9a258732 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_collector.te @@ -0,0 +1,114 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(security_collector, samgr); + +# avc: denied { call } for pid=1696 comm="IPC_1_1707" scontext=u:r:sceneboard_hap:s0 tcontext=u:r:security_collector:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=1758 comm="IPC_5_2010" scontext=u:r:sceneboard_hap:s0 tcontext=u:r:security_collector:s0 tclass=binder permissive=1 +allow hap_domain security_collector:binder { call transfer }; + +# avc: denied { call } for pid=2872 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=2872 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1 +allow security_collector hap_domain:binder { transfer call }; + +# avc: denied { call } for pid=2872 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow security_collector accesstoken_service:binder { call }; + +# avc: denied { call } for pid=2872 comm="IPC_2_4085" scontext=u:r:security_collector:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1 +allow security_collector time_service:binder { call }; + +# avc: denied { transfer } for pid=2872 comm="IPC_1_2876" scontext=u:r:security_collector:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +# avc: denied { call } for pid=2872 comm="IPC_2_4085" scontext=u:r:security_collector:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +# avc: denied { call } for pid=2872 comm="IPC_3_4407" scontext=u:r:security_collector:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow security_collector foundation:binder { transfer call }; + +# avc: denied { call } for pid=2872 comm="IPC_0_2875" scontext=u:r:security_collector:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow security_collector multimodalinput:binder { call }; + +# avc: denied { write } for pid=2872 comm="IPC_0_2875" name="kmsg" dev="tmpfs" ino=107 scontext=u:r:security_collector:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +# avc: denied { open } for pid=2872 comm="IPC_0_2875" path="/dev/kmsg" dev="tmpfs" ino=107 scontext=u:r:security_collector:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow security_collector dev_kmsg_file:chr_file { open write }; + +# avc: denied { read } for pid=2872 comm="mmi_EventHdr" scontext=u:r:security_collector:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow security_collector multimodalinput:unix_stream_socket { read }; + +# avc: denied { call } for pid=1033 comm="OS_FFRT_2_165" scontext=u:r:foundation:s0 tcontext=u:r:security_collector:s0 tclass=binder permissive=1 +# avc: denied { transfer } for pid=1033 comm="OS_FFRT_2_165" scontext=u:r:foundation:s0 tcontext=u:r:security_collector:s0 tclass=binder permissive=1 +allow foundation security_collector:binder { transfer call }; + +# avc: denied { siginh } for pid=3408 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:security_collector:s0 tclass=process permissive=1 +# avc: denied { rlimitinh } for pid=3408 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:security_collector:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=3408 comm="init" path="/system/bin/sa_main" dev="sdd74" ino=519 scontext=u:r:init:s0 tcontext=u:r:security_collector:s0 tclass=process permissive=1 +allow init security_collector:process { siginh transition rlimitinh }; + +# avc: denied { read } for pid=3408 comm="IPC_2_3660" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=netlink_connector_socket permissive=1 +# avc: denied { write } for pid=3408 comm="IPC_2_3660" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=netlink_connector_socket permissive=1 +# avc: denied { bind } for pid=3408 comm="IPC_2_3660" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=netlink_connector_socket permissive=1 +# avc: denied { create } for pid=3408 comm="IPC_2_3660" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=netlink_connector_socket permissive=1 +allow security_collector security_collector:netlink_connector_socket { write create bind read }; + +# avc: denied { use } for pid=542 comm="IPC_3_1730" path="socket:[58351]" dev="sockfs" ino=58351 scontext=u:r:security_collector:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1 +allow security_collector multimodalinput:fd { use }; + +# avc: denied { write } for pid=542 comm="IPC_3_1730" path="socket:[58351]" dev="sockfs" ino=58351 scontext=u:r:security_collector:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1 +allow security_collector multimodalinput:unix_stream_socket { write }; + +# avc: denied { add } for service=3525 pid=3321 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_security_collector_service:s0 tclass=samgr_class permissive=1 +allow security_collector sa_security_collector_service:samgr_class { add }; + +# avc: denied { get } for service=3503 pid=3321 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow security_collector sa_accesstoken_manager_service:samgr_class { get }; + +# avc: denied { get } for service=3702 pid=3321 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=1 +allow security_collector sa_time_service:samgr_class { get }; + +# avc: denied { setopt } for pid=3321 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=unix_dgram_socket permissive=1 +# avc: denied { getopt } for pid=3321 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:security_collector:s0 tclass=unix_dgram_socket permissive=1 +allow security_collector security_collector:unix_dgram_socket { getopt setopt }; + +# avc: denied { get } for service=4607 pid=3635 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow security_collector sa_foundation_dms:samgr_class { get }; + +# avc: denied { get } for service=501 pid=3557 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow security_collector sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for service=3299 pid=3557 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow security_collector sa_foundation_cesfwk_service:samgr_class { get }; + +# avc: denied { get } for service=3101 pid=3557 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1 +allow security_collector sa_multimodalinput_service:samgr_class { get }; + +# avc: denied { call } for pid=3728 comm="OS_cesComLstnr" scontext=u:r:security_collector:s0 tcontext=u:r:storage_manager:s0 tclass=binder permissive=0 +allow security_collector storage_manager:binder { call transfer }; + +# avc: denied { call } for pid=4414 comm="IPC_1_4419" scontext=u:r:security_collector:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow security_collector device_manager:binder { call transfer }; + +# avc: denied { call } for pid=3359 comm="IPC_1_3364" scontext=u:r:security_collector:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=0 +# avc: denied { call } for pid=3359 comm="IPC_1_3364" scontext=u:r:security_collector:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=0 +allow security_collector camera_service:binder { call transfer }; + +# avc: denied { get } for service=5003 pid=3415 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=0 +allow security_collector sa_foundation_devicemanager_service:samgr_class { get }; + +# avc: denied { get } for service=3008 pid=3430 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=0 +allow security_collector sa_camera_service:samgr_class { get }; + +# avc: denied { get } for service=5003 pid=3415 scontext=u:r:security_collector:s0 tcontext=u:object_r:sa_storage_manager_service:s0 tclass=samgr_class permissive=0 +allow security_collector sa_storage_manager_service:samgr_class { get }; + +# avc: denied { call } for pid=2912 comm="security_collec" scontext=u:r:security_collector:s0 tcontext=u:r:security_guard:s0 tclass=binder permissive=1 +allow security_collector security_guard:binder { call }; + +# avc: denied { search } for pid=2912 comm="security_collec" name="socket" dev="tmpfs" ino=43 scontext=u:r:security_collector:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow security_collector dev_unix_socket:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_guard.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_guard.te new file mode 100644 index 0000000000000000000000000000000000000000..fc93ac7a4c46e4a24b6c605436dccfc41a9794c8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/security_guard.te @@ -0,0 +1,76 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +binder_call(security_guard, samgr); + +allow security_guard sa_accesstoken_manager_service:samgr_class { get }; + +allow security_guard accesstoken_service:binder { call }; + +allow security_guard data_service_el1_public_security_guard_file:dir { search add_name write remove_name }; + +allow security_guard data_service_el1_public_security_guard_file:file { read create getattr ioctl write open unlink }; +allowxperm security_guard data_service_el1_public_security_guard_file:file ioctl { 0x5413 }; + +allow security_guard data_service_el1_file:file { lock read getattr write map open setattr create ioctl unlink }; +allowxperm security_guard data_service_el1_file:file ioctl { 0xf50c }; + +allow security_guard data_service_el1_file:dir { read search open getattr add_name create write remove_name}; + +allow security_guard data_file:dir { search }; + +allow security_guard dev_unix_socket:dir { search }; + +allow security_guard tracefs:dir { search }; + +allow security_guard hilog_param:file { read map open }; + +allow security_guard debug_param:file { map open read }; + +allow security_guard foundation:binder { call transfer }; + +allow security_guard sa_foundation_cesfwk_service:samgr_class { get }; + +allow security_guard data_service_file:dir { search }; + +allow security_guard system_etc_security_guard_file:file { getattr open read }; + +allow security_guard dev_ashmem_file:chr_file { open }; + +allow security_guard self:netlink_kobject_uevent_socket { read create bind }; + +allow security_guard hiview:binder { call transfer }; + +allow security_guard system_bin_file:dir { search }; + +allow security_guard system_bin_file:lnk_file { read }; + +allow security_guard sa_accountmgr:samgr_class { get }; + +allow security_guard sa_sg_classify_service:samgr_class { get add }; + +allow security_guard sa_sg_collect_service:samgr_class { get add }; + +allow security_guard hap_domain:binder { call }; + +allow security_guard sa_sys_event_service:samgr_class { get }; + +allow security_guard sa_security_collector_service:samgr_class { get add }; + +binder_call(security_guard, security_collector); + +# avc: denied { use } for pid=2037 comm="OS_FFRT_2_1" path="/data/storage/el2/base/files/text.json" dev="mmcblk0p15" ino=2627 scontext=u:r:security_guard:s0 tcontext=u:r:debug_hap:s0 tclass=fd permissive=1 +allow security_guard normal_hap_attr:fd { use }; + +# avc: denied { read } for pid=2037 comm="OS_FFRT_2_1" path="/data/storage/el2/base/files/text.json" dev="mmcblk0p15" ino=2627 scontext=u:r:security_guard:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=1 +allow security_guard normal_hap_data_file:file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service.te b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..907a6cc094bcf8cdedb834fe2f0d7d17e615d633 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_sg_classify_service, sa_service_attr; +type sa_sg_collect_service, sa_service_attr; +type sa_security_collector_service, sa_service_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service_contexts b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a75da4084d31a6763436d809ad1887e85817705d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/security_guard/system/service_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +3523 u:object_r:sa_sg_classify_service:s0 +3524 u:object_r:sa_sg_collect_service:s0 +3525 u:object_r:sa_security_collector_service:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/security/system_security/system/file_contexts b/prebuilts/api/5.0/ohos_policy/security/system_security/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..a93d025a2e6b98a914ffdfa92271213217e10c44 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/system_security/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/data/log/sanitizer(/.*)? u:object_r:data_log_sanitizer_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/security/system_security/system/sanitizer.te b/prebuilts/api/5.0/ohos_policy/security/system_security/system/sanitizer.te new file mode 100644 index 0000000000000000000000000000000000000000..684467be32211949ab7ce5da1a8d349d799dca50 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/security/system_security/system/sanitizer.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_log_sanitizer_file, file_attr, data_file_attr; + +#avc: denied { getattr } for pid=1853 comm="ls" path="/data/log/sanitizer/ubsan/ubsan.log.394" dev="mmcblk0p11" ino=4712 scontext=u:r:sh:s0 tcontext=u:object_r:data_log_sanitizer_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=1805 comm="sh" path="/data/log/sanitizer/ubsan/ubsan.log.394" dev="mmcblk0p11" ino=4712 scontext=u:r:sh:s0 tcontext=u:object_r:data_log_sanitizer_file:s0 tclass=file permissive=1 +allow { domain -hilogd } data_log_sanitizer_file:dir { create getattr open read remove_name search setattr write add_name }; +allow { domain -hilogd } data_log_sanitizer_file:file { create getattr ioctl open read append rename unlink write open }; + +allow { domain -hilogd } data_log:dir { search }; + +#avc: denied { search } for pid=1 comm="init" name="sanitizer" dev="mmcblk0p11" ino=579 scontext=u:r:init:s0 tcontext=u:object_r:data_log_sanitizer_file:s0 tclass=dir permissive=0 +allow init data_log_sanitizer_file:dir { relabelto create_dir_perms }; +allow init data_log_sanitizer_file:file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/sensors/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..6d6b5f0160654ab6529e39af55ca7a5bb412cdf2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/accountmgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=1417, comm="/system/bin/sa_main" scontext=u:r:accountmgr:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow accountmgr sensors:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/sensors/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..001ed5eecae7348a36a0289e7ade88d0db788094 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/audio_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=1262 comm="IPC_0_1276" scontext=u:r:audio_server:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow audio_server sensors:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/distributeddata.te b/prebuilts/api/5.0/ohos_policy/sensors/system/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..382fee0243fdaf9b83f53706851f04cc23d08789 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/distributeddata.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=1472 comm="IPC_4_2543" scontext=u:r:distributeddata:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow distributeddata sensors:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/foundation.te b/prebuilts/api/5.0/ohos_policy/sensors/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..28355e0258866e4fdd84d67c8015cd59b5e68191 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/foundation.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=591 scontext=u:r:foundation:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow foundation sa_sensor_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/sensors/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..f37d4b7a71e50fa7829db486543e48094bd2bec8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/hdf_devmgr.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { getattr } for pid=245 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sensors:s0 tclass=process permissive=1 +allow hdf_devmgr sensors:process { getattr }; + +#avc: denied { transfer } for pid=245 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow hdf_devmgr sensors:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/hidumper_service.te b/prebuilts/api/5.0/ohos_policy/sensors/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..96b45045c12420ec70bc895fcb6856f8724c08ba --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/hidumper_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=475 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_sensor_service:samgr_class { get }; + +#avc: denied { get } for service=3602 pid=475 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_miscdevice_service:s0 tclass=samgr_class permissive=1 +allow hidumper_service sa_miscdevice_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/msdp_sa.te b/prebuilts/api/5.0/ohos_policy/sensors/system/msdp_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..7c5147c6c876b2dc5afbc72d25a3f84952d48eac --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/msdp_sa.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=518 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow msdp_sa sa_sensor_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/sensors/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8c035987861f331b1a87d5fcf86e19cbe8d52784 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/normal_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=1720 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_sensor_service:samgr_class { get }; + +#avc: denied { call } for pid=2335 comm="jsThread-1" scontext=u:r:normal_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2335 comm="jsThread-1" scontext=u:r:normal_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow normal_hap_attr sensors:binder { call transfer }; + +#avc: denied { get } for service=3602 pid=2065 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_miscdevice_service:s0 tclass=samgr_class permissive=1 +allow normal_hap_attr sa_miscdevice_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/pinauth.te b/prebuilts/api/5.0/ohos_policy/sensors/system/pinauth.te new file mode 100644 index 0000000000000000000000000000000000000000..6b42c28179a75517e4925e525f98d73118b21817 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/pinauth.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { transfer } for pid=1968 comm="/system/bin/sa_main" scontext=u:r:pinauth:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow pinauth sensors:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/sensor_host.te b/prebuilts/api/5.0/ohos_policy/sensors/system/sensor_host.te new file mode 100644 index 0000000000000000000000000000000000000000..27a725c7e715ee6563404871b766c6eb580eb4e2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/sensor_host.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=2061 comm="sensor_host" scontext=u:r:sensor_host:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow sensor_host sensors:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/sensors.te b/prebuilts/api/5.0/ohos_policy/sensors/system/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..9dc49268d0cece477af67f3668d26008242d7734 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/sensors.te @@ -0,0 +1,224 @@ +# Copyright (c) 2022-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3503 pid=589 scontext=u:r:sensors:s0 tcontext=i:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow sensors sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=vibrator_interface_service pid=620 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_vibrator_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow sensors hdf_vibrator_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=sensor_interface_service pid=655 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_sensor_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow sensors hdf_sensor_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=5100 pid=546 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow sensors sa_device_service_manager:samgr_class { get }; + +#avc: denied { add } for service=3601 pid=572 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow sensors sa_sensor_service:samgr_class { add }; + +#avc: denied { call } for pid=2043 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1208 comm="IPC_2_2791" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow sensors accesstoken_service:binder { call transfer }; + +#avc: denied { call } for pid=2043 comm="sensors" scontext=u:r:accesstoken_service:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow accesstoken_service sensors:binder { call }; + +#avc: denied { use } for pid=2519 comm="wei.hmos.health" path="socket:[39017]" dev="sockfs" ino=39017 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=0 +#avc: denied { use } for pid=2748 comm="wei.hmos.health" path="socket:[39096]" dev="sockfs" ino=39096 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=1 +allow sensors system_basic_hap_attr:fd { use }; + +#avc: denied { read write } for pid=2748 comm="wei.hmos.health" path="socket:[39036]" dev="sockfs" ino=39036 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=unix_stream_socket permissive=1 +allow sensors system_basic_hap_attr:unix_stream_socket { read write }; + +#avc: denied { call } for pid=1208 comm="IPC_0_1342" scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow sensors system_basic_hap_attr:binder { call }; + +#avc: denied { use } for pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow sensors normal_hap_attr:fd { use }; + +#avc: denied { read write } for pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=unix_stream_socket permissive=1 +allow sensors normal_hap_attr:unix_stream_socket { read write }; + +#avc: denied { call } for pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1 +allow sensors normal_hap_attr:binder { call }; + +#avc: denied { setopt } for pid=650 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { getopt } for pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1 +allow sensors sensors:unix_dgram_socket { getopt setopt }; + +#avc: denied { search } for pid=645 comm="sensors" name="socket" dev="tmpfs" ino=40 scontext=u:r:sensors:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow sensors dev_unix_socket:dir { search }; + +#avc: denied { call } for pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:vibrator_host:s0 tclass=binder permissive=1 +allow sensors vibrator_host:binder { call }; + +#avc: denied { search } for pid=451 comm="sensors" name="/" dev="tracefs" ino=1 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow sensors tracefs:dir { search }; + +#avc: denied { write } for pid=451 comm="sensors" name="trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=451 comm="sensors" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow sensors tracefs_trace_marker_file:file { write open }; + +#avc: denied { use } for pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fd permissive=1 +allow sensors hidumper_service:fd { use }; + +#avc: denied { write } for pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fifo_file permissive=1 +allow sensors hidumper_service:fifo_file { write }; + +#avc: denied { transfer } for pid=2152 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensor_host:s0 tclass=binder permissive=1 +allow sensors sensor_host:binder { transfer }; + +#avc: denied { use } for pid=2778 comm="processdump" dev="mmcblk0p11" ino=652843 scontext=u:r:sensors:s0 tcontext=u:r:faultloggerd:s0 tclass=fd permissive=1 +allow sensors faultloggerd:fd { use }; + +#avc: denied { write } for pid=621 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1 +#avc: denied { read write } for pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1 +allow sensors system_core_hap_attr:unix_stream_socket { write read }; + +#avc: denied { use } for pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1allow +allow sensors system_core_hap_attr:fd { use }; + +#avc: denied { call } for pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0 +allow sensors system_core_hap_attr:binder { call }; + +#avc: denied { get } for service=3505 pid=575 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 +allow sensors sa_privacy_service:samgr_class { get }; + +#avc: denied { call } for pid=549 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=0 +allow sensors privacy_service:binder { call }; + +#avc: denied { read } for pid=2827 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:sensors:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0 +allow sensors accessibility_param:file { read }; + +allow sensors vendor_etc_file:dir { search }; +allow sensors vendor_etc_file:file { getattr open read }; + +#avc: denied { call } for pid=440 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:light_host:s0 tclass=binder permissive=1 +allow sensors light_host:binder { call }; + +#avc: denied { read } for pid=508 comm="sensors" name="u:object_r:musl_param:s0" dev="tmpfs" ino=55 scontext=u:r:sensors:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0 +allow sensors musl_param:file { read }; + +#avc: denied { get } for service=light_interface_service pid=2262 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow sensors hdf_light_interface_service:hdf_devmgr_class { get }; + +#avc: denied { use } for pid=585 comm="IPC_1_745" path="socket:[34684]" dev="sockfs" ino=34684 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=0 +allow sensors foundation:fd { use }; + +#avc: denied { read write } for pid=554 comm="foundation" path="socket:[41126]" dev="sockfs" ino=41126 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=unix_stream_socket permissive=0 +allow sensors foundation:unix_stream_socket { read write }; + +#avc: denied { call } for pid=585 comm="IPC_2_1283" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +#avc: denied { transfer } for pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow sensors foundation:binder { call transfer }; + +#avc: denied { getattr } for pid=1324 comm="IPC_1_1486" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=4754 comm="jsThread-1" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0 +allow sensors normal_hap_data_file_attr:file { getattr read }; + +#avc: denied { getattr } for pid=1308 comm="IPC_1_1470" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 +#avc: denied { read } for pid=3199 comm="HitsVibrateTest" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 +allow sensors data_local_tmp:file { getattr read }; + +#avc: denied { getattr } for pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +#avc: denied { read } for pid=1324 comm="sensors" name="online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow sensors sysfs_devices_system_cpu:file { getattr open read }; + +allow sensors render_service:fd { use }; +allow sensors render_service:unix_stream_socket { read write }; +allow sensors render_service:binder { call }; + +allow sensors camera_service:fd { use }; +allow sensors camera_service:unix_stream_socket { read write }; +allow sensors camera_service:binder { call }; + +allow sensors powermgr:fd { use }; +allow sensors powermgr:unix_stream_socket { read write }; +allow sensors powermgr:binder { call transfer }; + +allow sensors audio_server:unix_stream_socket { read write }; + +# avc: denied { use } for pid=356 comm="audio_server" path="socket:[30765]" dev="sockfs" ino=30765 scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=fd permissive=1 +allow sensors audio_server:fd { use }; + +# avc: denied { call } for pid=580 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow sensors audio_server:binder { call }; + +#avc: denied { call } for pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 +allow sensors audio_server:binder { call transfer }; + +#avc: denied { call } for pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1447, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0 +allow sensors distributeddata:binder { call transfer }; + +#avc: denied { use } for pid=1143 comm="sensors" path="/dev/ashmem" dev ="tmpfs" ino=619 ioctlcmd=0x7706 scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1 +allow sensors distributeddata:fd { use }; + +#avc: denied { get } for service=1301 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=0 +allow sensors sa_distributeddata_service:samgr_class { get }; + +#avc: denied { get } for service=180 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow sensors sa_foundation_abilityms:samgr_class { get }; + +#avc: denied { get } for service=3009 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0 +allow sensors sa_audio_policy_service:samgr_class { get }; + +#avc: denied { get } for service=3001 pid=608 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=0 +allow sensors sa_pulseaudio_audio_service:samgr_class { get }; + +#avc: denied { call } for pid=1458 comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:pinauth:s0 tclass=binder permissive=1 +allow sensors pinauth:binder { call }; + +#avc: denied { get } for service=1909 pid=1053 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=1 +allow sensors sa_memory_manager_service:samgr_class { get }; +allow sensors memmgrservice:binder { call }; + +#avc: denied { transfer } for pid=1415, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0 +allow sensors normal_hap_attr:binder { transfer }; + +#avc: denied { search } for pid=1415, comm="/system/bin/sa_main" name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9188 scontext=u:r:sensors:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0 +allow sensors chip_prod_file:dir { search }; + +#avc: denied { get } for service=180 pid=1453 scontext=u:r:render_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0 +allow sensors sa_foundation_cesfwk_service:samgr_class { get }; + +#avc: denied { getattr } for pid=1373, comm="/system/bin/sa_main" path="/data/themes/a/system/sub_screen/lock/base/resources/rich_tap/charging_2.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=46896 scontext=u:r:sensors:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow sensors data_service_el1_file:file { getattr }; + +#avc: denied { call } for pid=1420, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1 +allow sensors accountmgr:binder { call }; + +#avc: denied { write } for pid=1489, comm="/system/bin/sa_main" path="pipe:[13]" dev="tmpfs" ino=13 scontext=u:r:sensors:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0 +allow sensors init:fifo_file { write }; + +#avc: denied { get } for service=200 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow sensors sa_accountmgr:samgr_class { get }; + +#avc: denied { get } for service=501 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow sensors sa_foundation_appms:samgr_class { get }; + +#avc: denied { get } for service=401 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow sensors sa_foundation_bms:samgr_class { get }; + +debug_only(` + #avc: denied { use } for pid=2011 comm="SensorAgentTest" path="socket:[39791]" dev="sockfs" ino=39791 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0 + allow sensors sh:fd { use }; + + # avc: denied { call } for pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0 + allow sensors sh:binder { call }; + + #avc: denied { read write } for pid=2132 comm="SensorAgentTest" path="socket:[39407]" dev="sockfs" ino=39407 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=unix_stream_socket permissive=0 + allow sensors sh:unix_stream_socket { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/sensors/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..bf745d3451f7e3bc77879529c4a2a82530964d88 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/system_basic_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=23547 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=0 +allow system_basic_hap_attr sa_sensor_service:samgr_class { get }; + +#avc: denied { get } for service=3602 pid=2065 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_miscdevice_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_miscdevice_service:samgr_class { get }; + +#avc: denied { call } for pid=2335 comm="jsThread-1" scontext=u:r:system_basic_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2335 comm="jsThread-1" scontext=u:r:system_basic_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow system_basic_hap_attr sensors:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sensors/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/sensors/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a23de21062278a46176683db60ceaefd6a01ec23 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sensors/system/system_core_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3601 pid=1727 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1 +allow system_core_hap_attr sa_sensor_service:samgr_class { get }; + +#avc: denied { transfer } for pid=2097 comm="jsThread-1" scontext=u:r:system_core_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=2097 comm="jsThread-1" scontext=u:r:system_core_hap:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1 +allow system_core_hap_attr sensors:binder { transfer call }; + +#avc: denied { get } for service=3602 pid=2004 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_miscdevice_service:s0 tclass=samgr_class permissive=0 +allow system_core_hap_attr sa_miscdevice_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/public/service_contexts b/prebuilts/api/5.0/ohos_policy/sharing_service/public/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..f686f14b42bddc074b7a36d2ccac912362e004c0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/public/service_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +5527 u:object_r:sa_sharing_service:s0 +5528 u:object_r:sa_sharing_service_domain:s0 diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/public/type.te b/prebuilts/api/5.0/ohos_policy/sharing_service/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..29072e1c022ca5ee0340fbef0e285acd68cd7b07 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_sharing_service, sa_service_attr; +type sa_sharing_service_domain, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..182200bb205fddaac7d4a307af0eb30bb7677bb8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/audio_server.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#audio_policy => audio_server +allow audio_server sharing_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/av_codec_service.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/av_codec_service.te new file mode 100644 index 0000000000000000000000000000000000000000..7804ad7f1a901f5916ffd1ee324bdd03c2d54f23 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/av_codec_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow av_codec_service sharing_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/device_manager.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/device_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..8ff3f20141a97ca2fe0888b2c1b1eae4e5f8b80f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/device_manager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow device_manager sharing_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/init.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..c1d2b1f100d5bfef0dc6d44fa58907a5fff4ba9e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/init.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init sharing_service:process { transition rlimitinh siginh }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/media_service.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..184bee62be39254b2b26d61d267dc323cb545613 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/media_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service sharing_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/render_service.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0bc49b45cd134249ae3a4c65bf6af8b978f99aca --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/render_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service sharing_service:binder {call transfer}; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/sharing_service.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/sharing_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9485f253d3872479ae15b3c0ceafddf5f79de6f9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/sharing_service.te @@ -0,0 +1,83 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sharing_service, sadomain, domain; +allow sharing_service foundation:binder { call transfer }; +allow sharing_service hilog_param:file { map read open }; +allow sharing_service media_service:binder { call }; +allow sharing_service net_param:file { map open read }; +allow sharing_service net_tcp_param:file { map open read }; +allow sharing_service ohos_param:file { map open read }; +allow sharing_service sa_accesstoken_manager_service:samgr_class { get }; +allow sharing_service sa_sharing_service:samgr_class { add }; +allow sharing_service sa_device_service_manager:samgr_class { get }; +allow sharing_service sa_foundation_dms:samgr_class { get }; +allow sharing_service security_param:file { map open read }; +allow sharing_service startup_param:file { map open read }; +allow sharing_service dev_unix_socket:dir { search }; +allow sharing_service debug_param:file { map open read }; +allow sharing_service sys_param:file { map open read }; +allow sharing_service persist_param:file { map open read }; +allow sharing_service persist_sys_param:file { map open read }; +allow sharing_service system_bin_file:dir { search }; +allow sharing_service system_core_hap_attr:binder { call transfer }; +allow sharing_service tracefs:dir { search }; +allow sharing_service dev_console_file:chr_file { read write }; +allow sharing_service tracefs_trace_marker_file:file { open write }; +allow sharing_service sa_memory_manager_service:samgr_class { get }; +allow sharing_service sa_audio_policy_service:samgr_class { get }; +allow sharing_service sa_media_service:samgr_class { get }; +allow sharing_service sa_softbus_service:samgr_class { get }; +allow sharing_service sa_foundation_devicemanager_service:samgr_class { get }; +allow sharing_service device_manager:binder { call transfer }; +allow sharing_service softbus_server:binder { call transfer }; +allow sharing_service softbus_server:fd { use }; +allow sharing_service softbus_server:tcp_socket { read write setopt shutdown }; +allow sharing_service media_service:binder { call transfer }; +allow sharing_service sharing_service:unix_dgram_socket { getopt setopt }; +allow sharing_service sysfs_devices_system_cpu:file { getattr read open }; +allow sharing_service sharing_service:udp_socket { write read bind create setopt getattr connect shutdown}; +allow sharing_service sharing_service:tcp_socket { write read bind create setopt getattr connect listen accept shutdown }; +allow sharing_service node:udp_socket { node_bind }; +allow sharing_service node:tcp_socket { node_bind }; +allow sharing_service wifi_manager_service:binder { call transfer}; +allow wifi_manager_service sharing_service:binder { call transfer }; +allow sharing_service resource_schedule_service:binder { call }; +allow sharing_service sa_resource_schedule:samgr_class { get }; +allow sharing_service av_codec_service:binder { call transfer }; +allow sharing_service av_codec_service:fd { use }; +allow sharing_service codec_host:fd { use }; +allow sharing_service sa_av_codec_service:samgr_class { get }; +allow sharing_service sa_wifi_p2p_ability:samgr_class { get }; +allow sharing_service sa_sharing_service:samgr_class { get add }; +allow sharing_service sa_sharing_service_domain:samgr_class { get add }; +allow sharing_service arkcompiler_param:file { map open read }; +allow sharing_service dev_kmsg_file:chr_file { open read write }; +allow sharing_service tty_device:chr_file { open read write }; +allow sharing_service chip_prod_file:dir { search }; +allow sharing_service dev_ashmem_file:chr_file { open }; +allow foundation sharing_service:binder { call }; +allow sharing_service sa_pulseaudio_audio_service:samgr_class { get }; +allow sharing_service sa_media_monitor:samgr_class { get }; +allow sharing_service sa_foundation_bms:samgr_class { get }; +allow sharing_service audio_server:fd { use }; +allow sharing_service audio_server:binder { call transfer }; +allow sharing_service sa_render_service:samgr_class { get }; +allow sharing_service sa_powermgr_powermgr_service:samgr_class { get }; +allow sharing_service powermgr:binder { call }; +allow sharing_service render_service:binder { call }; +allow sharing_service render_service:fd { use }; +allow sharing_service sa_render_service:samgr_class { get }; +allow sharing_service render_service:binder { transfer }; +allow render_service sharing_service:binder { call }; +allow render_service sharing_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/softbus_server.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..f4ec1d99584f250941f3032489b3cfd02cddb1a2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/softbus_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server sharing_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..0183f65b9ecfe07cb5d68486c30ae090c5b3955c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_sharing_service:samgr_class { get }; +allow system_basic_hap_attr sharing_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..844aadee06c1581be3912edcc8a157951dc2347f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sharing_service:binder { call transfer }; +allow system_core_hap_attr sa_sharing_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/sharing_service/system/wifi_manager_service.te b/prebuilts/api/5.0/ohos_policy/sharing_service/system/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ddeb9bfe51c340da31629c32afc2736655d1803b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/sharing_service/system/wifi_manager_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service sharing_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/appspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..28c097e0a7929b8e9d97c33d35bc99f86662415f --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/appspawn.te @@ -0,0 +1,27 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type appspawn, native_system_domain, domain; +type appspawn_exec, system_file_attr, exec_attr, file_attr; +type pid_ns_init, native_system_domain, domain; +type pid_ns_init_exec, system_file_attr, exec_attr, file_attr; +## audit: type=1400 audit(1501988181.483:2582): avc: denied { use } for pid=280 comm="appspawn" path="/data/storage/el2/base/haps/entry/files/test.txt" +## dev="mmcblk0p15" ino=2554 scontext=u:r:appspawn:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=0 +allow appspawn hap_domain:fd { use }; +## audit: type=1400 audit(1502003391.146:2748): avc: denied { read write } for pid=275 comm="appspawn" path="/data/storage/el2/base/haps/entry/files/test.txt" +## dev="mmcblk0p15" ino=2483 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=1 +allow appspawn hap_file_attr:file { read write } ; + +allow appspawn nativespawn:process { dyntransition sigkill }; +neverallow appspawn *:process ptrace; + diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/attributes b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..3897376988799ba8951299d83df689001598a197 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/attributes @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute hnp_hap_domain_attr; +attribute hnp_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/cjappspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/cjappspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..0f44fc1a4f303cea491e3943c47d4a5f3aa1ac19 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/cjappspawn.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cjappspawn, native_system_domain, domain; +type cjappspawn_exec, system_file_attr, exec_attr, file_attr; +neverallow cjappspawn *:process ptrace; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/devicedebug.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/devicedebug.te new file mode 100644 index 0000000000000000000000000000000000000000..a157cf2d78543c91c3dd16e28a324fc5672125d2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/devicedebug.te @@ -0,0 +1,29 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type devicedebug, native_system_domain, domain; +type devicedebug_exec, system_file_attr, exec_attr, file_attr; + +developer_only(` + domain_auto_transition_pattern(sh, devicedebug_exec, devicedebug); + + allow sh devicedebug_exec:file { execute execute_no_trans getattr map open read }; + allow devicedebug default_param:file { map open read }; + allow devicedebug appspawn:unix_stream_socket { connectto }; + allow devicedebug appspawn_socket:sock_file { write }; + allow devicedebug sh:fd { use }; + allow devicedebug dev_unix_socket:dir { search }; + allow appspawn hap_domain:process { signal }; + allow devicedebug hdcd:fd { use }; + allow devicedebug devpts:chr_file { read write }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/file_contexts b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b2cf04d608c2f7f9b7a1778355c675e5164814b4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/file_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/hnp u:object_r:hnp_exec:s0 +/data/app/el1/bundle/[0-9]+/hnppublic(/.*)? u:object_r:hnp_file:s0 +/system/bin/devicedebug u:object_r:devicedebug_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/hnp.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/hnp.te new file mode 100644 index 0000000000000000000000000000000000000000..b75da18f354d62e3ec0ee06fde968738425918d7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/hnp.te @@ -0,0 +1,319 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hnp, native_system_domain, domain; +type hnp_exec, system_file_attr, exec_attr, file_attr; +type hnp_file, exec_attr, file_attr, data_file_attr; +type hnp_native, native_system_domain, domain; + +developer_only(` +# avc: denied { search } for pid=12202 comm="hnp" name="app" dev="sdd78" ino=634 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=1 +allow hnp data_app_file:dir { search }; + +# avc: denied { ioctl } for pid=6695 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11577 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=6695 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11577 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow hnp data_service_el1_file:file { ioctl write }; + +# avc: denied { map } for pid=5378 comm="hnp" path="/data/service/el1/public/bms/bundle_manager_service/security_stream_install/606593336461000/6065932/28786a5ac.hap" dev="sdd78" ino=12581 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow hnp data_service_el1_file:file { map }; + +# avc: denied { create } for pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow hnp data_service_el1_file:file { create }; + +# avc: denied { getattr } for pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=12202 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow hnp data_service_el1_file:file { getattr open read open read }; + +# avc: denied { ioctl } for pid=6695 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11577 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allowxperm hnp data_service_el1_file:file ioctl { 0x5413 }; + +# avc: denied { add_name } for pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=8919 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow hnp data_service_el1_file:dir { add_name write }; + +# avc: denied { search } for pid=12202 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow hnp data_service_el1_file:dir { search }; + +# avc: denied { write } for pid=6695 comm="hnp" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow hnp dev_kmsg_file:chr_file { write getattr }; + +# avc: denied { dac_override } for pid=8158 comm="hnp" capability=1 scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1 +allow hnp hnp:capability { dac_override }; + +# avc: denied { add_name } for pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { create } for pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib" dev="sdd78" ino=12153 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=7556 comm="hnp" name="hnpsample_1.1" dev="sdd78" ino=12152 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow hnp data_app_el1_file:dir { add_name create getattr write }; + +# avc: denied { remove_name } for pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { rmdir } for pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow hnp data_app_el1_file:dir { remove_name rmdir }; + +# avc: denied { read open } for pid=12202 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=12202 comm="hnp" name="hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=12202 comm="hnp" name="bundle" dev="sdd78" ino=638 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow hnp data_app_el1_file:dir { read open read search }; + +# avc: denied { create } for pid=7556 comm="hnp" name="hnp.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=7556 comm="hnp" name="hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow hnp data_app_el1_file:file { create ioctl setattr }; + +# avc: denied { unlink } for pid=9178 comm="hnp" name="hnpsample" dev="sdd78" ino=12109 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow hnp data_app_el1_file:file { unlink }; + +# avc: denied { ioctl } for pid=5378 comm="EnableCodeSign0" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib/libhnpsamplelib.z.so" dev="sdd78" ino=12622 ioctlcmd=0x66c8 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow hnp data_app_el1_file:file { ioctl }; + +# avc: denied { create } for pid=5378 comm="hnp" name="hnpsample" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1 +allow hnp data_app_el1_file:lnk_file { create }; + +# avc: denied { ioctl } for pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allowxperm hnp data_app_el1_file:file ioctl { 0x5413 }; + +# avc: denied { ioctl } for pid=5378 comm="EnableCodeSign0" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib/libhnpsamplelib.z.so" dev="sdd78" ino=12622 ioctlcmd=0x66c8 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allowxperm hnp data_app_el1_file:file ioctl { 0x66c8 }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7470, comm="/system/bin/hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { write } for pid=7265, comm="/system/bin/hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow hnp data_app_el1_file:file { getattr open read write }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/buddyinfo" dev="proc" ino=4026531856 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_buddyinfo_file:s0 tclass=file permissive=1 +allow hnp proc_buddyinfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/cgroups" dev="proc" ino=4026531855 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cgroups_file:s0 tclass=file permissive=1 +allow hnp proc_cgroups_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/cmdline" dev="proc" ino=4026532315 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cmdline_file:s0 tclass=file permissive=1 +allow hnp proc_cmdline_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/config.gz" dev="proc" ino=4026532479 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_config_gz_file:s0 tclass=file permissive=1 +allow hnp proc_config_gz_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/cpuinfo" dev="proc" ino=4026532317 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +allow hnp proc_cpuinfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/diskstats" dev="proc" ino=4026532506 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1 +allow hnp proc_diskstats_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/data-ready" dev="proc" ino=4026532862 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow hnp proc_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/iomem" dev="proc" ino=4026532470 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_iomem_file:s0 tclass=file permissive=1 +allow hnp proc_iomem_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/keys" dev="proc" ino=4026532500 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_keys_file:s0 tclass=file permissive=1 +allow hnp proc_keys_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/kmsg" dev="proc" ino=4026532326 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_kmsg_file:s0 tclass=file permissive=1 +allow hnp proc_kmsg_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/loadavg" dev="proc" ino=4026532320 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_loadavg_file:s0 tclass=file permissive=1 +allow hnp proc_loadavg_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/meminfo" dev="proc" ino=4026532321 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1 +allow hnp proc_meminfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/misc" dev="proc" ino=4026532216 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_misc_file:s0 tclass=file permissive=1 +allow hnp proc_misc_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/modules" dev="proc" ino=4026532477 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_modules_file:s0 tclass=file permissive=1 +allow hnp proc_modules_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/slabinfo" dev="proc" ino=4026532480 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_slabinfo_file:s0 tclass=file permissive=1 +allow hnp proc_slabinfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/softirqs" dev="proc" ino=4026532325 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_softirqs_file:s0 tclass=file permissive=1 +allow hnp proc_softirqs_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/stat" dev="proc" ino=4026532322 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_stat_file:s0 tclass=file permissive=1 +allow hnp proc_stat_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/swaps" dev="proc" ino=4026532482 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_swaps_file:s0 tclass=file permissive=1 +allow hnp proc_swaps_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/uptime" dev="proc" ino=4026532323 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_uptime_file:s0 tclass=file permissive=1 +allow hnp proc_uptime_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/version" dev="proc" ino=4026532324 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +allow hnp proc_version_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/vmstat" dev="proc" ino=4026531858 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_vmstat_file:s0 tclass=file permissive=1 +allow hnp proc_vmstat_file:file { getattr }; + +# avc: denied { getattr } for pid=9325 comm="lsof" path="/proc/zoneinfo" dev="proc" ino=4026531859 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_zoneinfo_file:s0 tclass=file permissive=1 +allow hnp proc_zoneinfo_file:file { getattr }; + +# avc: denied { execute } for pid=9325 comm="hnp" name="sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +# avc: denied { execute_no_trans } for pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +# avc: denied { map } for pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +# avc: denied { read execute } for pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +# avc: denied { read } for pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1 +allow hnp sh_exec:file { execute execute_no_trans map read execute read open read }; + +# avc: denied { read } for pid=9325 comm="sh" name="lsof" dev="sdd74" ino=573 scontext=u:r:hnp:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 +allow hnp system_bin_file:lnk_file { read }; + +# avc: denied { execute } for pid=9325 comm="sh" name="toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { execute_no_trans } for pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { map } for pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { read execute } for pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +# avc: denied { read } for pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1 +allow hnp toybox_exec:file { execute execute_no_trans getattr map read execute read open read }; + +# avc: denied { read write open } for pid=9325 comm="sh" path="/dev/tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +# avc: denied { read write } for pid=9325 comm="sh" name="tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow hnp tty_device:chr_file { read write open read write }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=275 scontext=u:r:hnp:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1 +allow hnp default_param:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:hiviewdfx_profiler_param:s0" dev="tmpfs" ino=151 scontext=u:r:hnp:s0 tcontext=u:object_r:hiviewdfx_profiler_param:s0 tclass=file permissive=1 +allow hnp hiviewdfx_profiler_param:file { getattr }; + +# avc: denied { dac_read_search } for pid=9207 comm="lsof" capability=2 scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1 +allow hnp hnp:capability { dac_read_search }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=147 scontext=u:r:hnp:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 +allow hnp hook_param:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=153 scontext=u:r:hnp:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow hnp musl_param:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/filesystems" dev="proc" ino=4026532487 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=1 +allow hnp proc_filesystems_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/interrupts" dev="proc" ino=4026532319 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_interrupts_file:s0 tclass=file permissive=1 +allow hnp proc_interrupts_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/pagetypeinfo" dev="proc" ino=4026531857 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_pagetypeinfo_file:s0 tclass=file permissive=1 +allow hnp proc_pagetypeinfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/sysrq-trigger" dev="proc" ino=4026532528 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_sysrq_trigger_file:s0 tclass=file permissive=1 +allow hnp proc_sysrq_trigger_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/timer_list" dev="proc" ino=4026532476 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_timer_list_file:s0 tclass=file permissive=1 +allow hnp proc_timer_list_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/proc/vmallocinfo" dev="proc" ino=4026532481 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_vmallocinfo_file:s0 tclass=file permissive=1 +allow hnp proc_vmallocinfo_file:file { getattr }; + +# avc: denied { getattr } for pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=132 scontext=u:r:hnp:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1 +allow hnp startup_init_param:file { getattr }; + +# avc: denied { getattr } for pid=7385 comm="lsof" path="/proc/partitions" dev="proc" ino=4026532507 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_partitions_file:s0 tclass=file permissive=1 +allow hnp proc_partitions_file:file { getattr }; + +# avc: denied { search } for pid=12202 comm="hnp" name="/" dev="sdd78" ino=3 scontext=u:r:hnp:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow hnp data_file:dir { search }; + +# avc: denied { search } for pid=12202 comm="hnp" name="service" dev="sdd78" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow hnp data_service_file:dir { search }; + +# avc: denied { search } for pid=12202 comm="hnp" name="socket" dev="tmpfs" ino=118 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow hnp dev_unix_socket:dir { search }; + +# avc: denied { use } for pid=12202 comm="hnp" path="/system/bin/hnp" dev="sdd74" ino=531 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=fd permissive=1 +allow hnp installs:fd { use }; + +# avc_audit_slow:262] avc: denied { search } for pid=7470, comm="/system/bin/hnp" name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9189 scontext=u:r:hnp:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=1 +allow hnp chip_prod_file:dir { search }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/dev/binder" dev="" ino=10 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=1 +allow hnp dev_binder_file:chr_file { getattr }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="" ino=201 scontext=u:r:hnp:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow hnp hilog_param:file { getattr }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/proc/2646" dev="" ino=7484 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1 +# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof" path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1 +# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof" path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1 +# avc_audit_slow:262] avc: denied { search } for pid=7471, comm="/bin/lsof" name="/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1 +allow hnp installs:dir { getattr open read search }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof" path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof" scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1 +allow hnp installs:file { getattr open read }; + +# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof" name="/2646/fd/3" dev="" ino=18087 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=lnk_file permissive=1 +allow hnp installs:lnk_file { read }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/system/bin/sa_main" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=775 scontext=u:r:hnp:s0 tcontext=u:object_r:samain_exec:s0 tclass=file permissive=1 +allow hnp samain_exec:file { getattr }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/dev/__parameters__/u:object_r:time_param:s0" dev="" ino=222 scontext=u:r:hnp:s0 tcontext=u:object_r:time_param:s0 tclass=file permissive=1 +allow hnp time_param:file { getattr }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/sys/kernel/debug/tracing/trace_marker" dev="" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow hnp tracefs_trace_marker_file:file { getattr }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof" path="/dev/tty0" dev="" ino=47 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +# avc_audit_slow:262] avc: denied { ioctl } for pid=7471, comm="/bin/sh" path="/dev/tty" dev="" ino=20 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow hnp tty_device:chr_file { getattr ioctl }; + +# avc_audit_slow:262] avc: denied { search } for pid=7265, comm="/system/bin/hnp" name="/etc/selinux/targeted/contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5687 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow hnp vendor_etc_file:dir { search }; + +# avc_audit_slow:262] avc: denied { getattr } for pid=7265, comm="/system/bin/hnp" path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp" path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp" path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1 +allow hnp vendor_etc_file:file { getattr open read }; + +# avc_audit_slow:262] avc: denied { ioctl } for pid=7471, comm="/bin/sh" path="/dev/tty" dev="" ino=20 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allowxperm hnp tty_device:chr_file ioctl { 0x5413 }; + +# avc_audit_slow:262] avc: denied { unlink } for pid=7534, comm="/system/bin/hnp" name="/app/el1/bundle/100/hnppublic/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19136 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1 +allow hnp data_app_el1_file:lnk_file { unlink }; + +allow hnp installs:fifo_file { ioctl write }; +allowxperm hnp installs:fifo_file ioctl { 0x5413 }; +allow hnp hnp_file:dir { getattr read open remove_name search rmdir write add_name create mounton }; +allow hnp hnp_file:file { getattr unlink create ioctl read open setattr write }; +allowxperm hnp hnp_file:file ioctl { 0x5413 0x66c8 }; +allow hnp hnp_file:lnk_file { getattr unlink create }; +allow hnp data_app_el1_file:dir { relabelfrom }; +allow hnp hnp_file:dir { relabelto setattr }; +allow appspawn hnp_file:dir { getattr mounton search }; +allow hiperf hnp_exec:file { getattr map read open }; + +domain_auto_transition_pattern(sh, hnp_file, hnp_native); +allow sh hnp_file:dir { search getattr read open }; +allow sh hnp_file:file { execute execute_no_trans getattr map read open }; +allow sh hnp_file:lnk_file { read }; +allow sh key_enable:key { search }; +allow sh storage_daemon:key { search }; +allow hnp_native hnp_file:dir { search getattr read open }; +allow hnp_native hnp_file:file { execute execute_no_trans getattr map read open }; +allow hnp_native hnp_file:lnk_file { read }; +allow hnp_native self:xpm { exec_allow_debug_id}; +allow hnp_native data_app_el1_file:dir { search }; +allow hnp_native data_app_file:dir { search }; +allow hnp_native dev_unix_socket:dir { search }; +allow hnp_native devpts:chr_file { read write }; +allow hnp_native sh:fd { use }; +allow hnp_native sh:unix_stream_socket { read write }; +allow hnp_native hdcd:fd { use }; +allow sh hnp_native:process {noatsecure }; +allow sh hnp_native:process2 { nosuid_transition }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/installs.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..daaad697922b190df9cc0896f4d6701bcf04747a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/installs.te @@ -0,0 +1,20 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## add hnp exec type +developer_only(` +allow installs hnp_exec:file { execute execute_no_trans map read open }; +allow installs hnp_file:lnk_file { create getattr }; + +domain_auto_transition_pattern(installs, hnp_exec, hnp); +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nativespawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nativespawn.te new file mode 100644 index 0000000000000000000000000000000000000000..363cd2a047cd628a5cbbc0133da21bf7903e3082 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nativespawn.te @@ -0,0 +1,83 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type nativespawn, native_system_domain, domain; +type nativespawn_exec, system_file_attr, exec_attr, file_attr; + +allow nativespawn appspawn:unix_dgram_socket { connect write }; +allow nativespawn appspawn:unix_stream_socket { getopt setopt getattr listen accept read write }; +allow nativespawn nativespawn:capability { setuid setgid sys_admin net_admin kill }; +allow nativespawn chip_prod_file:dir { search }; +allow nativespawn sys_prod_file:dir { search }; +allow nativespawn system_lib_file:dir { read open }; +allow nativespawn dev_unix_socket:dir { search }; +allow nativespawn system_file:file { getattr read open }; +allow nativespawn dev_unix_file:sock_file {setattr}; + +allow nativespawn data_app_el1_file:dir { getattr mounton search }; +allow nativespawn nativespawn:process { setcurrent }; +allow nativespawn samgr:binder { call }; +allow nativespawn security:security { check_context }; +allow nativespawn selinuxfs:dir { search }; +allow nativespawn selinuxfs:file { read write open }; +allow nativespawn system_bin_file:dir { getattr mounton }; +allow nativespawn system_lib_file:dir { getattr mounton }; +allow nativespawn vendor_lib_file:dir { getattr mounton }; +allow nativespawn data_app_el2_file:dir { search }; +allow nativespawn data_app_file:dir { search }; +allow nativespawn data_file:dir { search }; +allow nativespawn data_service_el1_file:dir { search }; +allow nativespawn data_service_file:dir { search }; +allow nativespawn dev_file:dir { getattr mounton }; +allow nativespawn labeledfs:filesystem { unmount }; +allow nativespawn proc_file:dir { mounton }; +allow nativespawn rootfs:dir { mounton }; +allow nativespawn sys_file:dir { mounton }; +allow nativespawn system_etc_file:dir { mounton }; +allow nativespawn system_fonts_file:dir { getattr mounton }; +allow nativespawn tmpfs:dir { mounton add_name create write }; +allow nativespawn tmpfs:file { mounton }; +allow nativespawn dev_at_file:chr_file { ioctl }; +allowxperm nativespawn dev_at_file:chr_file ioctl { 0x4102 }; +allow nativespawn appspawn:fd { use }; +allow hap_domain nativespawn:fd { use }; +allow hap_domain nativespawn:fifo_file { write }; +allow nativespawn hap_domain:process { dyntransition sigkill }; +allow nativespawn cgroup:dir { add_name search create remove_name rmdir write }; +allow nativespawn cgroup:file { getattr read append open }; +allow nativespawn sysfs_net:file { open write }; +allow nativespawn dev_xpm:chr_file { ioctl read write open }; +allowxperm nativespawn dev_xpm:chr_file ioctl { 0x7801 0x7802 }; +allow nativespawn normal_hap_data_file_attr:dir { getattr mounton }; +allow nativespawn hap_domain:fd { use }; +allow nativespawn normal_hap_data_file_attr:file { read write }; +allow nativespawn system_bin_file:file { entrypoint execute map open read }; +allow nativespawn init:unix_stream_socket { accept getattr getopt listen }; +allow nativespawn nativespawn:unix_dgram_socket { getopt setopt }; +allow init nativespawn:process { rlimitinh siginh transition }; +allow hap_domain nativespawn:unix_dgram_socket { write }; +allow nativespawn cgroup:file { write }; +allow nativespawn tmpfs:lnk_file { create }; +allow nativespawn appspawn_socket:sock_file { setattr }; +allow nativespawn isolated_render:process { dyntransition sigkill }; +allow isolated_render nativespawn:fd { use }; +allow isolated_render nativespawn:fifo_file { write }; +allow isolated_render nativespawn:unix_dgram_socket { write connect }; + +## Before killing the isolated process of nativespawn by ams, it will read the /proc/pid/status. +allow foundation isolated_render:dir { search }; +allow foundation isolated_render:file { getattr read }; +allow nativespawn nativespawn_exec:file { entrypoint execute map read open }; +allow init nativespawn_exec:file { execute getattr read open }; + +neverallow nativespawn *:process ptrace; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nwebspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nwebspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..f0715d0d93b15c4c3b1eb9225380e6c58acc8033 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/public/nwebspawn.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow nwebspawn *:process ptrace; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..bd69405154b5a1f46b567cceb1628e2e1b8ad5b8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/appspawn.te @@ -0,0 +1,243 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(appspawn); + +allow appspawn appspawn_socket:sock_file { setattr }; +allow appspawn dev_unix_socket:sock_file unlink; + +allow appspawn appspawn_exec:file { execute_no_trans }; +allow appspawn bootevent_param:parameter_service { set }; +allow appspawn paramservice_socket:sock_file { write }; +allow appspawn kernel:unix_stream_socket { connectto }; +allow appspawn dev_unix_socket:sock_file write; +allow appspawn data_service_el2_file:dir { search write add_name create }; +allow appspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr}; +allow appspawn data_app_el3_file:dir { search mounton write add_name create setattr getattr}; +allow appspawn data_app_el4_file:dir { search mounton write add_name create setattr getattr}; +allow appspawn data_app_el5_file:dir { search mounton write add_name create setattr getattr}; +allow appspawn sharefs:dir { create_dir_perms mounton getattr }; +allow appspawn sharefs_file_attr:dir { create_dir_perms_without_ioctl mounton getattr }; +allow appspawn sharefs:filesystem { mount }; +allow appspawn data_service_el2_share:dir { create_dir_perms mounton getattr }; + +# read cfg from +#avc: denied { getattr } for pid=1802 comm="appspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0 +allow appspawn dev_file:dir { getattr }; +allow appspawn chip_prod_file:dir { open read search getattr }; +allow appspawn chip_prod_file:file { getattr open read }; +allow appspawn sys_prod_file:dir { open read search getattr }; +allow appspawn sys_prod_file:file { getattr open read map }; +allow appspawn vendor_etc_file:dir { open read search getattr }; +allow appspawn vendor_etc_file:file { getattr open read }; + +allow appspawn appspawn:capability { dac_override kill setgid setuid sys_admin chown dac_read_search }; +allow appspawn appspawn:process { setcurrent }; +allow appspawn appspawn:unix_dgram_socket { getopt setopt }; +allow appspawn bootevent_param:file { map open read }; +allow appspawn bootevent_samgr_param:file { map open read }; +allow appspawn build_version_param:file { map open read }; +allow appspawn configfs:dir { mounton getattr }; +allow appspawn const_allow_mock_param:file { map open read }; +allow appspawn const_allow_param:file { map open read }; +allow appspawn const_build_param:file { map open read }; +allow appspawn const_display_brightness_param:file { map open read }; +allow appspawn const_param:file { map open read }; +allow appspawn const_postinstall_fstab_param:file { map open read }; +allow appspawn const_postinstall_param:file { map open read }; +allow appspawn const_product_param:file { map open read }; +allow appspawn data_app_el1_file:dir { add_name create mounton search write getattr }; +allow appspawn data_app_el2_file:dir { search mounton getattr }; +allow appspawn data_app_file:dir { search }; +allow appspawn data_file:dir { add_name create mounton search write getattr }; +allow appspawn data_service_el2_file:dir { search }; +allow appspawn data_service_el2_hmdfs:dir { search }; +allow appspawn data_service_file:dir { search }; +allow appspawn data_storage:dir { mounton getattr }; +allow appspawn debug_param:file { map open read }; +allow appspawn default_param:file { map open read }; +allow appspawn dev_at_file:chr_file { ioctl }; +allow appspawn dev_file:dir { mounton getattr }; +allow appspawn dev_unix_socket:dir { add_name search write remove_name }; +allow appspawn dev_unix_socket:sock_file { create setattr }; +allow appspawn distributedsche_param:file { map open read }; +allow appspawn hilog_param:file { map open read }; +allow appspawn hiview:unix_dgram_socket { sendto }; +allow appspawn hmdfs:dir { mounton search getattr }; +allow appspawn hw_sc_build_os_param:file { map open read }; +allow appspawn hw_sc_build_param:file { map open read }; +allow appspawn hw_sc_param:file { map open read }; +allow appspawn init_param:file { map open read }; +allow appspawn init_svc_param:file { map open read }; +allow appspawn input_pointer_device_param:file { map open read }; +allow appspawn labeledfs:filesystem { unmount }; +allow appspawn net_param:file { map open read }; +allow appspawn net_tcp_param:file { map open read }; +allow appspawn normal_hap_data_file_attr:dir { mounton getattr }; +allow appspawn normal_hap_attr:process { sigkill }; +allow appspawn ohos_boot_param:file { map open read }; +allow appspawn ohos_param:file { map open read }; +allow appspawn persist_param:file { map open read }; +allow appspawn persist_sys_param:file { map open read }; +allow appspawn proc_file:dir { mounton getattr }; +allow appspawn proc_file:filesystem { mount unmount getattr }; +allow appspawn rootfs:dir { mounton getattr }; +allow appspawn security_param:file { map open read }; +allow appspawn security:security { check_context }; +allow appspawn selinuxfs:dir { search }; +allow appspawn selinuxfs:file { open read write }; +allow appspawn startup_param:file { map open read }; +allow appspawn sys_file:dir { mounton getattr }; +allow appspawn sys_param:file { map open read }; +allow appspawn system_basic_hap_data_file_attr:dir { mounton getattr }; +allow appspawn system_basic_hap_attr:process { dyntransition sigkill }; +allow appspawn system_bin_file:dir { mounton search getattr }; +allow appspawn system_core_hap_data_file_attr:dir { mounton getattr }; +# avc: denied { sigkill } for pid=2375 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:system_core_hap:s0 tclass=process permissive=1 +allow appspawn system_core_hap_attr:process { dyntransition sigkill }; +allow appspawn system_etc_file:dir { mounton getattr }; +allow appspawn system_file:dir { mounton getattr }; +allow appspawn system_fonts_file:dir { mounton open read search getattr }; +allow appspawn system_fonts_file:file { getattr map open read }; +allow appspawn system_lib_file:dir { mounton getattr }; + +# avc: denied { mounton } for pid=1604 comm="amples.etsclock" path="/mnt/sandbox/100/ohos.samples.etsclock/system/lib/ld-musl-arm.so.1" dev="mmcblk0p7" ino=1823 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=1 +allow appspawn system_lib_file:file { mounton getattr }; +allow appspawn system_profile_file:dir { mounton getattr }; +allow appspawn system_usr_file:dir { mounton search getattr }; +allow appspawn system_usr_file:file { getattr map open read }; +allow appspawn sys_usb_param:file { map open read }; +allow appspawn tmpfs:dir { add_name create mounton write getattr remove_name}; + +# avc: denied { create } for pid=1604 comm="amples.etsclock" name="ld-musl-arm.so.1" scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allow appspawn tmpfs:file { create mounton open unlink}; + +allow appspawn tmpfs:lnk_file { create }; +allow appspawn vendor_lib_file:dir { mounton getattr }; +allow appspawn self:process execmem; +allowxperm appspawn dev_at_file:chr_file ioctl { 0x4102 }; +allow appspawn dev_xpm:chr_file { open read write ioctl }; +allow appspawn system_file:file { map }; +allow appspawn nwebspawn:process{ dyntransition }; +# avc: denied { signal } for pid=2762 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=0 +allow appspawn nwebspawn:process{ sigkill signal }; +allow appspawn dev_asanlog_file:dir { getattr }; +allow appspawn share_public_file:dir { search }; +# avc_audit_slow:260] avc: denied { dyntransition } for pid=1, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=process permissive=1 +allow appspawn pid_ns_init:process { dyntransition }; +allow appspawn share_public_file:dir { search create add_name write }; +# for app cgroup pids +allow appspawn cgroup:dir { add_name create search open read write remove_name rmdir }; +allow appspawn cgroup:file { append getattr ioctl open read write }; +allowxperm appspawn cgroup:file ioctl { 0x5413 }; + +# avc: denied { getattr } for pid=2327 comm="edialibrarydata" path="/data/misc" dev="mmcblk0p15" ino=109 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_misc:s0 tclass=dir permissive=1 +allow appspawn data_misc:dir { getattr }; + +# avc: denied { search } for pid=274 comm="appspawn" name="648" dev="proc" ino=19134 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 +allow appspawn pid_ns_init:dir { search }; + +# avc: denied { read } for pid=274 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 +allow appspawn pid_ns_init:file { open getattr read }; + +# avc: denied { read } for pid=274 comm="appspawn" name="pid" dev="proc" ino=31171 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=lnk_file permissive=1 +allow appspawn pid_ns_init:lnk_file { read }; + +# avc: denied { sys_ptrace } for pid=265 comm="appspawn" capability=19 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1 +allow appspawn appspawn:capability { sys_ptrace }; + +# avc: denied { open } for pid=277 comm="appspawn" path="pid:[4026532800]" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { read } for pid=277 comm="appspawn" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +allow appspawn unlabeled:file { open read }; + +# avc: denied { mounton } for pid=2058 comm="honydataability" path="/mnt/sandbox/100/app-root/data/certificates/user_cacerts" dev="mmcblk0p15" ino=149 scontext=u:r:appspawn:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=dir permissive=0 +allow appspawn cert_manager_service_file:dir { mounton }; +# avc: denied { getattr } for pid=2058 comm="honydataability" path="/system/bin/sh" dev="mmcblk0p7" ino=390 scontext=u:r:appspawn:s0 tcontext=u:object_r:sh_exec:s0tclass=file permissive=0 +allow appspawn sh_exec:file { getattr }; +# avc: denied { read } for pid=2058 comm="honydataability" name="bin" dev="mmcblk0p7" ino=129 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0 +allow appspawn system_bin_file:dir { open read }; +# avc: denied { read } for pid=2058 comm="honydataability" name="el1" dev="tmpfs" ino=159 scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 +allow appspawn tmpfs:dir { open read }; + +#allow appspawn normal_hap_data_file:dir { open read search }; +allow appspawn data_misc:dir { open read search }; +allow appspawn data_file:dir { open read search }; +allow appspawn hmdfs:dir { open read search }; +allow appspawn data_app_el2_file:dir { open read search }; +allow appspawn data_app_el1_file:dir { open read search }; +#allow appspawn system_basic_hap_data_file:dir { open read search }; + +#allow appspawn system_core_hap_data_file:dir { open read search }; +#allow appspawn medialibrary_hap_data_file:dir { open read search }; +#allow appspawn permissionmanager_hap_data_file:dir { open read search }; +#allow appspawn formrenderservice_hap_data_file:dir { open read search }; +allow appspawn data_service_el2_hmdfs:dir { mounton }; + +allow appspawn normal_hap_data_file_attr:dir { create write add_name setattr }; + +# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1 +allow appspawn data_app_el1_file:dir { relabelfrom setattr }; + +# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el2/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20488 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el2_file:s0 tclass=dir permissive=1 +allow appspawn data_app_el2_file:dir { relabelfrom }; + +# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el3/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20492 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el3_file:s0 tclass=dir permissive=1 +allow appspawn data_app_el3_file:dir { relabelfrom }; + +# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el4_file:s0 tclass=dir permissive=1 +allow appspawn data_app_el4_file:dir { relabelfrom }; + +# avc: denied { relabelto } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:debug_hap_data_file:s0 tclass=dir permissive=1 +allow appspawn { debug_hap_data_file normal_hap_data_file system_basic_hap_data_file system_core_hap_data_file }:dir { relabelto }; + +# avc: denied { fsetid } for pid=274 comm="appspawn" capability=4 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=0 + +#init extend command, support to enter the application sandbox. +debug_only(` + allow appspawn system_bin_file:lnk_file { read }; + allow appspawn system_bin_file:file { getattr execute read open execute_no_trans map }; + allow appspawn toybox_exec:lnk_file { read }; + allow appspawn toybox_exec:file { getattr execute read open execute_no_trans map }; + allow appspawn tty_device:chr_file { getattr ioctl open read write }; + allowxperm appspawn tty_device:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 0x5410 }; + allow appspawn devpts:chr_file { read write open getattr ioctl }; + allow appspawn dev_pts_file:dir { search }; + allow appspawn tmpfs:lnk_file { getattr }; +') + +# avc: denied { read } for pid=2685 comm="OS_FFRT_5_2" name="appdata-sandbox.json" dev="mmcblk0p7" ino=996 scontext=u:r:foundation:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=0 +allow foundation system_etc_file:lnk_file { read }; +allow appspawn system_etc_file:lnk_file { read }; + +#avc: denied { sigkill } for pid=282 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow nwebspawn isolated_render:process { sigkill }; + +# for enable net namespace +# avc: denied { net_admin } for pid=262 comm="appspawn" capability=12 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1 +allow appspawn appspawn:capability { net_admin }; +allow appspawn sysfs_net:file { write open }; + +#avc: denied { remount } for pid=22332 comm="example.demo100" scontext=u:r:appspawn:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1 +allow appspawn labeledfs:filesystem { remount }; +allow appspawn bootuptrace_file:dir { add_name getattr open read search write relabelto }; +allow appspawn bootuptrace_file:file { create getattr write open relabelto }; + +#avc: denied { write } for pid=4946 comm="appspawn" name="faultloggerd.sdkdump.server" dev="tmpfs" ino=395 scontext=u:r:appspawn:s0 tcontext=u:object_r:faultloggerd_socket_sdkdump:s0 tclass=sock_file permissive=1 +allow appspawn faultloggerd_socket_sdkdump:sock_file { write }; +# avc: denied { read } for pid=4946 comm="appspawn" path="pipe:[43284]" dev="pipefs" ino=43284 scontext=u:r:appspawn:s0 tcontext=u:r:faultloggerd:s0 tclass=fifo_file permissive=1 +allow appspawn faultloggerd:fifo_file { read }; +allow appspawn appspawn:capability { sys_nice }; + +#avc: denied { unmount } for pid=654, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:object_r:sharefs:s0 tclass=filesystem permissive=1 +allow appspawn { sharefs tmpfs }:filesystem { unmount }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/cjappspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/cjappspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..61bd84829cb36594929a50b96f613a82bf02688c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/cjappspawn.te @@ -0,0 +1,281 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(cjappspawn); + +allow init cjappspawn_exec:file { execute }; +allow cjappspawn appspawn_socket:sock_file { setattr }; +allow normal_hap_attr cjappspawn_exec:file { getattr map open read }; +allow foundation cjappspawn:fd { use }; + +allow debug_hap cjappspawn:unix_dgram_socket { write }; +allow debug_hap cjappspawn:fd { use }; +allow debug_hap cjappspawn:fifo_file { write }; +allow hap_domain cjappspawn:fifo_file write; +allow hap_domain cjappspawn:fd use; +allow hap_domain cjappspawn:fifo_file write; +allow hap_domain cjappspawn:unix_dgram_socket { connect write }; +allow cjappspawn normal_hap_attr:process dyntransition; +allow normal_hap_attr cjappspawn_exec:file { getattr map open read }; +allow normal_hap_attr cjappspawn:unix_stream_socket { read write }; +allow normal_hap_attr cjappspawn:unix_dgram_socket { write connect }; +allow normal_hap_attr cjappspawn:fd { use }; + +allow cjappspawn dev_unix_socket:sock_file unlink; + +allow cjappspawn dev_null_file:chr_file { read write open }; +allow cjappspawn kernel:fd { use }; +allow cjappspawn dev_kmsg_file:chr_file { write }; +allow cjappspawn init:unix_stream_socket { read write }; +allow cjappspawn init:netlink_kobject_uevent_socket { read write }; +allow cjappspawn dev_parameters_file:file { read open }; +allow cjappspawn dev_parameters_file:dir { search }; +allow cjappspawn proc_file:lnk_file { read }; +allow cjappspawn debug_param:file { read open }; +allow cjappspawn etc_file:lnk_file { read }; +allow cjappspawn system_file:dir { search getattr }; +allow cjappspawn system_etc_file:file { read open getattr }; +allow cjappspawn system_lib_file:dir { search }; +allow cjappspawn vendor_lib_file:dir { search }; +allow cjappspawn system_lib_file:file { read open getattr }; +allow cjappspawn sys_file:dir { search }; +allow cjappspawn dev_random_file:chr_file { read open }; +allow cjappspawn system_bin_file:file { read }; +allow cjappspawn default_param:file { read open }; +allow cjappspawn hook_param:file { read open }; +allow cjappspawn musl_param:file { read open }; +allow cjappspawn startup_init_param:file { read open }; +allow cjappspawn selinuxfs:filesystem { getattr }; +allow cjappspawn hilog_param:file { read open }; +allow cjappspawn rootfs:lnk_file { read }; +allow cjappspawn system_bin_file:dir { search }; +allow cjappspawn persist_sys_param:file { read open }; +allow cjappspawn vendor_lib_file:file { read open getattr }; +allow cjappspawn system_etc_file:dir { read open }; +allow cjappspawn arkcompiler_param:file { read open }; +allow cjappspawn arkcompiler_param:file { map }; +allow cjappspawn devinfo_public_param:file { read open }; +allow cjappspawn system_usr_file:file { read open getattr }; +allow cjappspawn system_bin_file:file { execute open execute_no_trans }; +allow cjappspawn lib_file:lnk_file { read }; +allow cjappspawn system_lib_file:file { execute }; +allow cjappspawn hilog_private_param:file { read open }; +allow cjappspawn time_param:file { read open }; +allow cjappspawn dev_unix_file:dir { search }; +allow cjappspawn dev_unix_socket:dir { search }; +allow cjappspawn hilog_input_socket:sock_file { write }; +allow cjappspawn hilogd:unix_dgram_socket { sendto }; +allow cjappspawn init:unix_stream_socket { getopt getattr listen }; +allow cjappspawn dev_unix_file:sock_file { setattr }; +allow cjappspawn chip_prod_file:dir { search }; +allow cjappspawn sys_prod_file:dir { search }; +allow cjappspawn init:unix_stream_socket { accept }; +allow cjappspawn data_app_file:dir { search }; +allow cjappspawn data_app_el2_file:dir { search }; +allow cjappspawn dev_at_file:chr_file { read write open ioctl }; +allow cjappspawn tmpfs:dir { create mounton write add_name search }; +allow cjappspawn rootfs:dir { mounton }; +allow cjappspawn configfs:dir { mounton }; +allow cjappspawn dev_file:dir { mounton }; +allow cjappspawn proc_file:dir { mounton }; +allow cjappspawn sys_file:dir { mounton }; +allow cjappspawn system_file:dir { mounton }; +allow cjappspawn system_usr_file:dir { mounton }; +allow cjappspawn system_etc_file:dir { mounton }; +allow cjappspawn data_app_el1_file:dir { mounton }; +allow cjappspawn data_app_el2_file:dir { mounton }; +allow cjappspawn hmdfs:dir { search mounton }; +allow cjappspawn data_local:dir { mounton search }; +allow cjappspawn data_local_arkcache:dir { search }; +allow cjappspawn data_local_arkprofile:dir { search mounton }; +allow cjappspawn data_service_el2_share:dir { search }; +allow cjappspawn data_service_file:dir { search }; +allow cjappspawn data_service_el1_file:dir { search mounton }; +allow cjappspawn cert_manager_service_file:dir { search getattr }; +allow cjappspawn data_app_el3_file:dir { search }; +allow cjappspawn data_app_el4_file:dir { search }; +allow cjappspawn vendor_lib_file:dir { mounton }; +allow cjappspawn kernel:key { search }; +allow cjappspawn data_app_el1_file:dir { write add_name create }; +allow cjappspawn data_misc:dir { mounton }; +allow cjappspawn tmpfs:lnk_file { create }; +allow cjappspawn vendor_etc_file:file { read open getattr }; +allow cjappspawn selinuxfs:file { read write open }; +allow cjappspawn security:security { check_context }; +allow cjappspawn debug_hap:process { dyntransition }; +allow cjappspawn dev_file:dir { write add_name search create }; +allow cjappspawn debug_hap:binder { call }; +allow cjappspawn cgroup:dir { search }; +allow cjappspawn cgroup:file { read open getattr }; +allow cjappspawn limit_domain:unix_dgram_socket { getopt setopt write }; +allow cjappspawn hisysevent_socket:sock_file { write }; +allow cjappspawn hiview:unix_dgram_socket { sendto }; + + +allow cjappspawn cjappspawn_exec:file { execute_no_trans }; +allow cjappspawn paramservice_socket:sock_file { write }; +allow cjappspawn kernel:unix_stream_socket { connectto }; +allow cjappspawn dev_unix_socket:sock_file write; +allow cjappspawn data_service_el2_file:dir { search write add_name create }; +allow cjappspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr}; +allow cjappspawn data_app_el3_file:dir { search mounton write add_name create setattr getattr}; +allow cjappspawn data_app_el4_file:dir { search mounton write add_name create setattr getattr}; +allow cjappspawn sharefs:dir { getattr mounton }; +allow cjappspawn sharefs_file_attr:dir { getattr mounton }; +allow cjappspawn sharefs:filesystem { mount }; +allow cjappspawn data_service_el2_share:dir { mounton }; + +# read cfg from +#avc: denied { getattr } for pid=1802 comm="cjappspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:cjappspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0 +allow cjappspawn dev_file:dir { getattr }; +allow cjappspawn chip_prod_file:dir { open read search getattr }; +allow cjappspawn chip_prod_file:file { getattr open read }; +allow cjappspawn sys_prod_file:dir { open read search getattr }; +allow cjappspawn sys_prod_file:file { getattr open read map }; +allow cjappspawn vendor_etc_file:dir { open read search getattr }; + +allow cjappspawn cjappspawn:capability { dac_override kill setgid setuid sys_admin dac_read_search }; +allow cjappspawn cjappspawn:process { setcurrent }; +allow cjappspawn cjappspawn:unix_dgram_socket { getopt setopt }; +allow cjappspawn build_version_param:file { map open read }; +allow cjappspawn configfs:dir { mounton }; +allow cjappspawn const_allow_mock_param:file { map open read }; +allow cjappspawn const_allow_param:file { map open read }; +allow cjappspawn const_build_param:file { map open read }; +allow cjappspawn const_display_brightness_param:file { map open read }; +allow cjappspawn const_param:file { map open read }; +allow cjappspawn const_postinstall_fstab_param:file { map open read }; +allow cjappspawn const_postinstall_param:file { map open read }; +allow cjappspawn const_product_param:file { map open read }; +allow cjappspawn data_app_el1_file:dir { add_name create mounton search }; +allow cjappspawn data_app_el2_file:dir { search mounton }; +allow cjappspawn data_app_file:dir { search }; +allow cjappspawn data_file:dir { add_name create mounton search write }; +allow cjappspawn data_service_el2_file:dir { search }; +allow cjappspawn data_service_el2_hmdfs:dir { search }; +allow cjappspawn data_service_file:dir { search }; +allow cjappspawn data_storage:dir { mounton }; +allow cjappspawn debug_param:file { map open read }; +allow cjappspawn default_param:file { map open read }; +allow cjappspawn dev_at_file:chr_file { ioctl }; +allow cjappspawn dev_file:dir { mounton }; +allow cjappspawn dev_unix_socket:dir { add_name search write remove_name }; +allow cjappspawn dev_unix_socket:sock_file { create setattr }; +allow cjappspawn distributedsche_param:file { map open read }; +allow cjappspawn hilog_param:file { map open read }; +allow cjappspawn hiview:unix_dgram_socket { sendto }; +allow cjappspawn hmdfs:dir { mounton search }; +allow cjappspawn hw_sc_build_os_param:file { map open read }; +allow cjappspawn hw_sc_build_param:file { map open read }; +allow cjappspawn hw_sc_param:file { map open read }; +allow cjappspawn init_param:file { map open read }; +allow cjappspawn init_svc_param:file { map open read }; +allow cjappspawn input_pointer_device_param:file { map open read }; +allow cjappspawn labeledfs:filesystem { unmount }; +allow cjappspawn net_param:file { map open read }; +allow cjappspawn net_tcp_param:file { map open read }; +allow cjappspawn normal_hap_data_file_attr:dir { mounton getattr }; +allow cjappspawn normal_hap_attr:process { sigkill }; +allow cjappspawn ohos_boot_param:file { map open read }; +allow cjappspawn ohos_param:file { map open read }; +allow cjappspawn persist_param:file { map open read }; +allow cjappspawn persist_sys_param:file { map open read }; +allow cjappspawn proc_file:dir { mounton }; +allow cjappspawn rootfs:dir { mounton }; +allow cjappspawn security_param:file { map open read }; +allow cjappspawn security:security { check_context }; +allow cjappspawn selinuxfs:dir { search }; +allow cjappspawn selinuxfs:file { open read write }; +allow cjappspawn startup_param:file { map open read }; +allow cjappspawn sys_file:dir { mounton }; +allow cjappspawn sys_param:file { map open read }; +allow cjappspawn system_bin_file:dir { mounton search getattr }; +allow cjappspawn system_etc_file:dir { mounton }; +allow cjappspawn system_file:dir { mounton }; +allow cjappspawn system_fonts_file:dir { mounton open read search getattr }; +allow cjappspawn system_fonts_file:file { getattr map open read }; +allow cjappspawn system_lib_file:dir { mounton getattr }; +allow cjappspawn system_profile_file:dir { mounton getattr }; +allow cjappspawn system_usr_file:dir { mounton search getattr }; +allow cjappspawn system_usr_file:file { getattr map open read }; +allow cjappspawn sys_usb_param:file { map open read }; +allow cjappspawn tmpfs:dir { add_name create mounton write }; +allow cjappspawn tmpfs:lnk_file { create }; +allow cjappspawn vendor_lib_file:dir { mounton }; +allowxperm cjappspawn dev_at_file:chr_file ioctl { 0x4102 }; +allow cjappspawn dev_xpm:chr_file { open read write ioctl }; +allowxperm cjappspawn dev_xpm:chr_file ioctl { 0x7801 0x7802 }; +allow cjappspawn system_file:file { map }; +allow cjappspawn dev_asanlog_file:dir { getattr }; +allow cjappspawn share_public_file:dir { search }; +# avc_audit_slow:260] avc: denied { dyntransition } for pid=1, comm="/system/bin/cjappspawn" scontext=u:r:cjappspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=process permissive=1 +allow cjappspawn pid_ns_init:process { dyntransition }; +allow cjappspawn share_public_file:dir { search create add_name write }; + +# for app cgroup pids +allow cjappspawn cgroup:dir { add_name create search open read write }; +allow cjappspawn cgroup:file { append getattr ioctl open read write }; +allowxperm cjappspawn cgroup:file ioctl { 0x5413 }; + + +allow cjappspawn data_misc:dir { getattr }; + +allow cjappspawn pid_ns_init:dir { search }; + +allow cjappspawn pid_ns_init:file { open getattr read }; + +allow cjappspawn pid_ns_init:lnk_file { read }; + +allow cjappspawn cert_manager_service_file:dir { mounton }; +allow cjappspawn sh_exec:file { getattr }; +allow cjappspawn system_bin_file:dir { open read }; +allow cjappspawn tmpfs:dir { open read }; + +allow cjappspawn data_misc:dir { open read search }; +allow cjappspawn data_file:dir { open read search }; +allow cjappspawn hmdfs:dir { open read search }; +allow cjappspawn data_app_el2_file:dir { open read search }; +allow cjappspawn data_app_el1_file:dir { open read search }; + +allow cjappspawn data_service_el2_hmdfs:dir { mounton }; + +# taken from sepolicy/ohos_policy/developtools/profiler/system/other.te +allow cjappspawn accesstoken_service:binder call; +allow cjappspawn accountmgr:binder call; +allow cjappspawn dev_console_file:chr_file { read write }; +allow cjappspawn foundation:binder { call transfer }; +allow cjappspawn hdcd:unix_stream_socket connectto; +allow cjappspawn multimodalinput:binder call; +allow cjappspawn multimodalinput:fd use; +allow cjappspawn multimodalinput:unix_stream_socket { read write }; +allow cjappspawn musl_param:file { map open read }; +allow cjappspawn normal_hap_attr:binder { call transfer }; +allow cjappspawn normal_hap_attr:fd use; +allow cjappspawn normal_hap_data_file_attr:dir search; +allow cjappspawn render_service:binder { call transfer }; +allow cjappspawn render_service:fd use; +allow cjappspawn resource_schedule_service:binder call; +allow cjappspawn samgr:binder call; +allow cjappspawn system_file:file { getattr open read }; +allow cjappspawn system_lib_file:dir { open read }; +allow cjappspawn tracefs:dir search; +allow cjappspawn tracefs_trace_marker_file:file { open write }; +allow cjappspawn accessibility:binder { call transfer }; +allow cjappspawn dev_mali:chr_file { getattr open read write }; +allow cjappspawn param_watcher:binder { call transfer }; + +# taken from sepolicy/ohos_policy/filemanagement/user_file_service/system/appspawn.te +allow cjappspawn data_service_el1_file:dir { mounton search getattr }; +allow cjappspawn permissions_mount_file_attr:dir { mounton }; +allow cjappspawn data_user_file:dir { add_name create write }; +allow cjappspawn tmpfs:file { create mounton open }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/file_contexts b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..c09fd3845ec09d92c2c7143862fe63687ba1dce0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/file_contexts @@ -0,0 +1,25 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/appspawn u:object_r:appspawn_exec:s0 + +/system/bin/cjappspawn u:object_r:cjappspawn_exec:s0 + +/system/bin/nativespawn u:object_r:nativespawn_exec:s0 + +/system/bin/pid_ns_init u:object_r:pid_ns_init_exec:s0 + +/dev/unix/socket/CJAppSpawn u:object_r:appspawn_socket:s0 + +/dev/unix/socket/NativeSpawn u:object_r:appspawn_socket:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/hnp.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/hnp.te new file mode 100644 index 0000000000000000000000000000000000000000..03473f28bed8a3b90ef060fb43edfb538aaf748a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/hnp.te @@ -0,0 +1,23 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +# avc: denied { getattr } for pid=12202 comm="hnp" path="/system/lib64/libcode_sign_utils.z.so" dev="sdd74" ino=3320 scontext=u:r:hnp:s0 tcontext=u:object_r:code_sign_utils:s0 tclass=file permissive=1 +# avc: denied { map } for pid=12202 comm="hnp" path="/system/lib64/libcode_sign_utils.z.so" dev="sdd74" ino=3320 scontext=u:r:hnp:s0 tcontext=u:object_r:code_sign_utils:s0 tclass=file permissive=1 +# avc: denied { read execute } for pid=12202 comm="hnp" path="/system/lib64/libcode_sign_utils.z.so" dev="sdd74" ino=3320 scontext=u:r:hnp:s0 tcontext=u:object_r:code_sign_utils:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=12202 comm="hnp" path="/system/lib64/libcode_sign_utils.z.so" dev="sdd74" ino=3320 scontext=u:r:hnp:s0 tcontext=u:object_r:code_sign_utils:s0 tclass=file permissive=1 +# avc: denied { read } for pid=12202 comm="hnp" path="/system/lib64/libcode_sign_utils.z.so" dev="sdd74" ino=3320 scontext=u:r:hnp:s0 tcontext=u:object_r:code_sign_utils:s0 tclass=file permissive=1 +allow hnp code_sign_utils:file { getattr map read execute read open read }; + +allow hnp key_enable:key { search }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/nwebspawn.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/nwebspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..0563129ffd51b80f5fa071df1419dd31f17d4c6e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/nwebspawn.te @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { getattr } for pid=1 comm="/system/bin/appspawn" path="/dev/asanlog" dev="" ino=807 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=1 +allow nwebspawn dev_asanlog_file:dir { getattr }; + +# avc: denied { nnp_transition } for pid=21500, comm="/system/bin/appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:processdump:s0 tclass=process2 permissive=1 +allow nwebspawn processdump:process2 { nnp_transition }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/pid_ns_init.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/pid_ns_init.te new file mode 100644 index 0000000000000000000000000000000000000000..10f0f068eabdeae9ebb76d87d34b80ed1bc8e29a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/pid_ns_init.te @@ -0,0 +1,45 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pid_ns_init pid_ns_init_exec:file { execute execute_no_trans open read }; + +# avc_audit_slow:260] avc: denied { open } for pid=1, comm="/system/bin/pid_ns_init" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="" ino=223 scontext=u:r:pid_ns_init:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc_audit_slow:260] avc: denied { read } for pid=1, comm="/system/bin/pid_ns_init" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="" ino=223 scontext=u:r:pid_ns_init:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow pid_ns_init debug_param:file { open read }; + +# avc: denied { search } for pid=268 comm="plat_shared" name="708" dev="proc" ino=30028 scontext=u:r:hiview:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 +allow hiview pid_ns_init:dir { search }; +# avc: denied { getattr } for pid=268 comm="plat_shared" path="/proc/708/comm" dev="proc" ino=33421 scontext=u:r:hiview:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 +# avc: denied { open } for pid=268 comm="plat_shared" path="/proc/708/comm" dev="proc" ino=33421 scontext=u:r:hiview:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 +# avc: denied { read } for pid=268 comm="plat_shared" name="comm" dev="proc" ino=33421 scontext=u:r:hiview:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 +allow hiview pid_ns_init:file { getattr open read }; + +# avc: denied { map } for pid=768 comm="pid_ns_init" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:pid_ns_init:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow pid_ns_init debug_param:file { map }; +# avc: denied { map } for pid=768 comm="pid_ns_init" path="/system/bin/pid_ns_init" dev="mmcblk0p7" ino=335 scontext=u:r:pid_ns_init:s0 tcontext=u:object_r:pid_ns_init_exec:s0 tclass=file permissive=1 +allow pid_ns_init pid_ns_init_exec:file { map }; + +debug_only(` + # avc: denied { getattr } for pid=1654 comm="ls" path="/proc/708/ns" dev="proc" ino=33493 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 + # avc: denied { open } for pid=1654 comm="ls" path="/proc/708/ns" dev="proc" ino=33493 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 + # avc: denied { read } for pid=1654 comm="ls" name="ns" dev="proc" ino=33493 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 + # avc: denied { search } for pid=1654 comm="ls" name="708" dev="proc" ino=30028 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1 + allow su pid_ns_init:dir { getattr open read search }; + # avc: denied { read } for pid=1654 comm="ls" scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 + allow su pid_ns_init:file { read }; + # avc: denied { getattr } for pid=1654 comm="ls" path="/proc/708/ns/net" dev="proc" ino=33494 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=lnk_file permissive=1 + # avc: denied { read } for pid=1654 comm="ls" name="net" dev="proc" ino=33494 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=lnk_file permissive=1 + allow su pid_ns_init:lnk_file { getattr read }; + # avc: denied { open } for pid=1761 comm="ps" path="/proc/768/status" dev="proc" ino=37714 scontext=u:r:su:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1 + allow su pid_ns_init:file { open }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..63dd55ce0bc56c656a63459045dc9ee2db29bd91 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_basic_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr bootevent_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9ca1a4d794f82fe04722dca07785d2bcff7693a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/appspawn/system/system_core_hap.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr bootevent_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/attributes b/prebuilts/api/5.0/ohos_policy/startup/init/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..6f20a45e31f24f9c5c8ef587dc30fcc860119137 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/attributes @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute param_set_allow_attr; +attribute devinfo_type_allow_attr; +attribute sys_param_set_allow_attr; +attribute init_module_system_bin_file; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/chipset_init.te b/prebuilts/api/5.0/ohos_policy/startup/init/public/chipset_init.te new file mode 100644 index 0000000000000000000000000000000000000000..bea3d63a9824b47a05f46492c978a1e51d66b6d7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/chipset_init.te @@ -0,0 +1,115 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type chipset_init, native_chipset_domain, domain; +allow chipset_init self:capability { chown dac_override dac_read_search fsetid setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource fowner }; + +allow domain chipset_init:fd use; + +allow init init:process { setcurrent }; +allow init chipset_init:process { setcurrent dyntransition }; +allow chipset_init chipset_init:process { setexec setsockcreate }; +allow chipset_init composer_host:process { rlimitinh siginh transition }; +allow chipset_init allocator_host:process { rlimitinh siginh transition }; + +allow chipset_init system_lib_file:dir { open read }; +allow chipset_init system_lib_file:lnk_file { relabelto getattr }; +allow chipset_init system_bin_file:dir { search }; +allow chipset_init system_bin_file:file { execute getattr read read open }; +allow chipset_init toybox_exec:file { execute getattr map read open }; +allow chipset_init system_etc_file:dir { open read search getattr }; +allow chipset_init system_etc_file:file { getattr open read }; +allow chipset_init system_etc_file:lnk_file { relabelto read getattr }; + +allow chipset_init vendor_bin_file:dir { search }; +allow chipset_init vendor_bin_file:file { execute getattr read read open }; +allow chipset_init vendor_etc_file:dir { open read search getattr }; +allow chipset_init vendor_etc_file:file { getattr open read }; + +allow chipset_init dev_kmsg_file:chr_file { write ioctl }; +allow chipset_init dev_binder_file:chr_file { relabelto }; +allow chipset_init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write }; +allow chipset_init dev_block_file:dir { open read relabelto search }; +allow chipset_init dev_block_file:lnk_file { read relabelto }; +allow chipset_init dev_block_volfile:dir { open read relabelto search }; +allow chipset_init dev_char_file:dir { getattr open read relabelto setattr }; +allow chipset_init dev_console_file:chr_file { getattr ioctl open read write }; +allow chipset_init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write }; +allow chipset_init dev_file:lnk_file { create }; +allow chipset_init dev_fscklogs_file:dir { open read relabelto search setattr }; +allow chipset_init dev_fuse_file:chr_file { setattr }; +allow chipset_init dev_graphics_file:chr_file { setattr }; +allow chipset_init dev_graphics_file:dir { search }; +allow chipset_init dev_hdf_audio_capture:chr_file { setattr }; +allow chipset_init dev_hdf_audio_control:chr_file { setattr }; +allow chipset_init dev_hdf_audio_render:chr_file { setattr }; +allow chipset_init dev_hdf_disp:chr_file { setattr }; +allow chipset_init dev_hdf_file:chr_file { setattr }; +allow chipset_init dev_hdf_input:chr_file { setattr }; +allow chipset_init { dev_mgr_file dev_hdf_kevent dev_hdf_sensor_mgr dev_hdf_misc_vibrator dev_hdf_light dev_mpp dev_rga dev_video_file }:chr_file { setattr }; + +allow chipset_init sys_file:file { setattr }; +allow chipset_init sysfs_wake_lck:file { setattr }; + +allowxperm chipset_init dev_at_file:chr_file ioctl { 0x4102 }; +allow chipset_init dev_at_file:chr_file { ioctl setattr }; + +allow chipset_init hidumper_service:file { open read }; + +# avc: denied { read } for pid=579 comm="hidumper_servic" scontext=u:r:hidumper_service:s0 tcontext=u:r:chipset_init:s0 tclass=file permissive=0 +allow hidumper_service chipset_init:dir { getattr open read search }; +allow hidumper_service chipset_init:file { getattr open read }; +allow hidumper_service chipset_init:lnk_file read; + +# avc: denied { rlimitinh } for pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=2969 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd84" ino=33 scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 +#for for start process in subcontext hdf_devhost.cfg +chipset_init_daemon_domain(hdf_devmgr); +allow chipset_init { user_auth_host pin_auth_host fingerprint_auth_host face_auth_host codec_host vibrator_host sensor_host }:process { rlimitinh siginh transition }; +allow chipset_init { light_host input_user_host wifi_host camera_host power_host audio_host }:process { rlimitinh siginh transition }; +allow chipset_init { usb_host blue_host partitionslot_host location_host dcamera_host a2dp_host daudio_host sample_host intell_voice_host }:process { rlimitinh siginh transition }; + +#for init.usb.configfs.cfg +allow chipset_init configfs:dir { add_name create mounton open read search setattr write remove_name rmdir }; +allow chipset_init configfs:lnk_file { create unlink }; +allow chipset_init configfs:file { write create getattr open }; +allow chipset_init configfs:lnk_file { create getattr unlink }; + +# for /data/service/el0/ +allow chipset_init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write rmdir }; +allow chipset_init data_file:sock_file { getattr relabelfrom }; +allowxperm chipset_init data_file:file ioctl { 0x5413 }; +allow chipset_init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write remove_name }; +allow chipset_init data_service_file:file { ioctl rename relabelfrom create getattr unlink write write open }; + +allow chipset_init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write relabelfrom }; +allow chipset_init data_service_el0_file:file { create getattr read write open relabelfrom }; +allow chipset_init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow chipset_init data_service_el1_file:file { create getattr setattr relabelto }; + +# for ifup,hostname,domainname +allow chipset_init chipset_init:udp_socket { create ioctl }; +allow chipset_init init:unix_dgram_socket { write connect }; +allow chipset_init proc_file:file { write open }; +allow chipset_init self:capability { net_admin }; + +# avc: denied { getopt } for pid=245 comm="chipset_init" scontext=u:r:chipset_init:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=0 +allow chipset_init init:unix_stream_socket { getopt }; +# avc: denied { rlimitinh } for pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=491 comm="init" path="/vendor/bin/hdf_devhost" dev="mmcblk0p8" ino=13 scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 +allow chipset_init clearplay_host:process { rlimitinh siginh transition }; + +# avc: denied { open } for pid=638 comm="/bin/init" path="/sys/devices/virtual/gadget_usb/gadget0/f_rndis/wceis" dev="" ino=9426 scontext=u:r:chipset_init:s0 tcontext=u:r:object_r:sysfs_gadget_usb:s0 tclass=file permissive=1 +allow chipset_init sysfs_gadget_usb:file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/file.te b/prebuilts/api/5.0/ohos_policy/startup/init/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..fed4a1e7b3cb9652c3cf79e228e1ee06df7282a0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/file.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for hyperhold +type hyperhold_sys, file_attr, data_file_attr; + +# for bootup.trace +type bootuptrace_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/file_contexts b/prebuilts/api/5.0/ohos_policy/startup/init/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..634a0cfa1258f9e5dc3f0ec1503880576ed32027 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/file_contexts @@ -0,0 +1,13 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/init.te b/prebuilts/api/5.0/ohos_policy/startup/init/public/init.te new file mode 100644 index 0000000000000000000000000000000000000000..4fec1b595ef5420879a2891df35f0372176cbddb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/init.te @@ -0,0 +1,122 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type init, native_system_domain, domain; +type init_exec, exec_attr, file_attr, system_file_attr; +type ueventd, native_system_domain, domain; +type ueventd_exec, system_file_attr, exec_attr, file_attr; +type remount_exec, system_file_attr, exec_attr, file_attr; + + +debug_only(` + allow init console:process { rlimitinh siginh transition getattr }; +') +allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name }; +allow init data_startup:file { create ioctl open read append relabelto rename unlink write open }; +allow init proc_stat_file:file { setattr read open }; +allow init proc_diskstats_file:file { read open }; +allow init kernel:file { read open }; +allow init kernel:dir { search }; +allow bootevent_wms_param tmpfs:filesystem associate; +allow init bootevent_wms_param:file { map open read relabelto relabelfrom}; +allow dhardware_dm_param tmpfs:filesystem associate; +allow init dhardware_dm_param:file { map open read relabelto relabelfrom }; +allow persist_audio_param tmpfs:filesystem associate; +allow init persist_audio_param:file { map open read relabelto relabelfrom }; +allow arkcompiler_param tmpfs:filesystem associate; +allow init arkcompiler_param:file { map open read relabelto relabelfrom }; +allow init arkcompiler_param:parameter_service { set }; +allow arkui_param tmpfs:filesystem associate; +allow init arkui_param:file { map open read relabelto relabelfrom }; +allow init arkui_param:parameter_service { set }; +allow hap_domain arkui_param:file { map open read }; +allow init inputmethod_param:file { map open read relabelto relabelfrom }; +allow init inputmethod_param:parameter_service { set }; + +allow pasteboard_param tmpfs:filesystem associate; +allow init pasteboard_param:file { map open read relabelto relabelfrom }; +allow time_param tmpfs:filesystem associate; +allow init time_param:file { map open read relabelto relabelfrom }; +allow accesstoken_perm_param tmpfs:filesystem associate; +allow init accesstoken_perm_param:file { map open read relabelto relabelfrom }; + +allow xts_devattest_authresult_param tmpfs:filesystem associate; +allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom }; +allow init xts_devattest_authresult_param:parameter_service { set }; +allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom }; +allow init devpts:chr_file { ioctl }; + +allow i18n_param tmpfs:filesystem associate; +allow init i18n_param:file { map open read relabelto relabelfrom }; +allow init i18n_param:parameter_service { set }; +allow { domain -limit_domain } i18n_param:file { map open read }; +allow const_i18n_param tmpfs:filesystem associate; +allow init const_i18n_param:file { map open read relabelto relabelfrom }; +allow i18n_param_tz_override tmpfs:filesystem associate; +allow init i18n_param_tz_override:file { map open read relabelto relabelfrom }; +allow init i18n_param_tz_override:parameter_service { set }; +allow { domain } i18n_param_tz_override:file { map open read }; +developer_only(` + allow sh i18n_param_tz_override:file { map open read }; +') +allow { domain -limit_domain } const_i18n_param:file { map open read }; + +allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton }; +allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map }; +developer_only(` + allow sh data_service_el1_i18n_timezone_file:dir { search }; + allow sh data_service_el1_i18n_timezone_file:file { open read getattr map }; +') + +#for bootchart to read +allow init domain:file { open read }; +allow init domain:dir { search }; + +# for init trace +allow init hiview:unix_dgram_socket { sendto }; + +# all can read +allow domain musl_param:file { map open read }; + +#for crash handle +allow init init_exec:file { open read getattr map }; +allow init faultloggerd_temp_file:dir { add_name remove_name write open read search }; +allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink }; +allow init sa_device_service_manager:samgr_class{ get }; + +allow edm_writable_param tmpfs:filesystem associate; +allow init edm_writable_param:file { map open read relabelto }; +allow init edm_writable_param:parameter_service { set }; +allow { domain } edm_writable_param:file { map open read }; + +define(`init_relabel', ` + allow init $1:{ file dir sock_file } { relabelto setattr }; + allow init $1:dir { search }; +') +init_relabel(data_service_el1_public_print_service_file); +init_relabel(print_driver_exec); +init_relabel(data_service_el1_i18n_timezone_file); +init_relabel(data_parameters); +init_relabel(data_udev); +init_relabel(data_multimodalinput); +init_relabel(sandbox_manager_data_file); +init_relabel(account_data_file); +init_relabel(hdf_ext_devmgr_file); +init_relabel(cloudfile_data_file); +init_relabel(udevd_socket); +init_relabel(accesstoken_data_file); +init_relabel(data_service_el1_public_deviceauthService_file); +init_relabel(data_service_el1_public_huksService_file); +init_relabel(update_dupdate_engine_file); +init_relabel(update_update_service_file); +neverallow init *:process ptrace; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter.te b/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..e23ca92ee076090f874e2368e79e5fb3180a3aa2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter.te @@ -0,0 +1,42 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { normal_hap debug_hap } parameter_attr:parameter_service { set }; +neverallow { normal_hap debug_hap } paramservice_socket:sock_file { write }; + +typeattribute accessibility devinfo_type_allow_attr; +typeattribute bgtaskmgr_service devinfo_type_allow_attr; +typeattribute distributeddata devinfo_type_allow_attr; +typeattribute foundation devinfo_type_allow_attr; +typeattribute hidumper_service devinfo_type_allow_attr; +typeattribute hiview devinfo_type_allow_attr; +typeattribute inputmethod_service devinfo_type_allow_attr; +typeattribute locationhub devinfo_type_allow_attr; +typeattribute msdp_sa devinfo_type_allow_attr; +typeattribute netmanager devinfo_type_allow_attr; +typeattribute render_service devinfo_type_allow_attr; +typeattribute softbus_server devinfo_type_allow_attr; +typeattribute wallpaper_service devinfo_type_allow_attr; +typeattribute param_watcher devinfo_type_allow_attr; +typeattribute multimodalinput devinfo_type_allow_attr; +typeattribute bluetooth_service devinfo_type_allow_attr; +typeattribute resource_schedule_service devinfo_type_allow_attr; +typeattribute telephony_sa devinfo_type_allow_attr; + +neverallow {sadomain -devinfo_type_allow_attr} devinfo_type_param:file {open read map}; +allow {domain -sadomain } devinfo_type_param:file {open read map}; +allow devinfo_type_allow_attr devinfo_type_param:file {open read map}; + +type devinfo_type_param, parameter_attr; + +neverallow {domain developer_only(`-hdcd') -usb_host updater_only(`-updater') -sys_param_set_allow_attr} sys_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..ba39331fb37f790efa2cc2df02bbf0df7cd233b1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/public/parameter_contexts @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +const.product.devicetype u:object_r:devinfo_type_param:s0 +const.build.characteristics u:object_r:devinfo_type_param:s0 +ohos.boot.time. u:object_r:devinfo_public_param:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/console.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..29b496bfcf39da633580c2683c7488cf48a724cc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/console.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow console paramservice_socket:sock_file { write }; + allow console kernel:unix_stream_socket { connectto }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/file_contexts b/prebuilts/api/5.0/ohos_policy/startup/init/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b513c1fc75d1f8426b5b69942880181616a82aec --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/file_contexts @@ -0,0 +1,21 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/ueventd u:object_r:ueventd_exec:s0 +/system/bin/remount u:object_r:remount_exec:s0 + +# for hyperhold +/data/vendor/hyperhold(/.*)? u:object_r:hyperhold_sys:s0 + +# for bootup.trace +/data/log/startup(/.*)? u:object_r:bootuptrace_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/init.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..23f53900d54fb29a418766b908ca8ecfc787c269 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/init.te @@ -0,0 +1,542 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + allow system_file tmpfs:filesystem associate; + allow vendor_file tmpfs:filesystem associate; +') + +allow init nwebspawn_socket:sock_file { unlink }; +allow init appspawn_socket:sock_file { unlink }; +allow init data_ethernet:dir { getattr }; +allow init data_log:file { getattr }; +allow init bootuptrace_file:dir { add_name getattr open read search write relabelto }; +allow init bootuptrace_file:file { create getattr write open relabelto }; +allow init data_parameters:file { getattr }; +allow init data_udev:dir { relabelfrom }; +allow init privacy_service:process { transition }; +allow init hisysevent_socket:sock_file { unlink setattr }; +allow init system_core_hap_attr:file { read open }; +allow init system_core_hap_attr:dir { search }; +allow init system_core_hap_attr:process { getattr }; +allow init system_lib_file:dir { open read }; + +allow init accessibility_param:file { map open read relabelto relabelfrom }; +allow init const_postinstall_param:file { map open read relabelto relabelfrom }; +allow init hilog_param:file { map open read relabelto relabelfrom }; + +allow accessibility_param tmpfs:filesystem associate; +allow init data_service_file:file { ioctl rename relabelfrom }; +allow init data_service_file:dir { remove_name }; +allow init dev_console_file:chr_file { relabelto }; + +# for create map file +allow servicectrl_param tmpfs:filesystem associate; +allow servicectrl_reboot_param tmpfs:filesystem associate; +allow startup_init_param tmpfs:filesystem associate; +allow startup_appspawn_param tmpfs:filesystem associate; +allow startup_uevent_param tmpfs:filesystem associate; +allow devinfo_private_param tmpfs:filesystem associate; +allow devinfo_public_param tmpfs:filesystem associate; +allow devinfo_type_param tmpfs:filesystem associate; +allow useriam_fwkready_param tmpfs:filesystem associate; +allow useriam_enable_writable_param tmpfs:filesystem associate; +allow bluetooth_param tmpfs:filesystem associate; + +allow init servicectrl_param:file { map open read relabelto relabelfrom }; +allow init servicectrl_reboot_param:file { map open read relabelto relabelfrom }; +allow init startup_init_param:file { map open read relabelto relabelfrom }; +allow init startup_appspawn_param:file { map open read relabelto relabelfrom }; +allow init startup_uevent_param:file { map open read relabelto relabelfrom }; +allow init devinfo_private_param:file { map open read relabelto relabelfrom }; +allow init devinfo_public_param:file { map open read relabelto relabelfrom }; +allow init devinfo_type_param:file { map open read relabelto relabelfrom }; +allow init useriam_fwkready_param:file { map open read relabelto relabelfrom }; +allow init useriam_enable_writable_param:file { map open read relabelto relabelfrom }; +allow init bluetooth_param:file { map open read relabelto relabelfrom }; + +#for set +allow { init samgr hdf_devmgr } servicectrl_param:parameter_service { set }; +allow { init updater_sa power_host foundation } servicectrl_reboot_param:parameter_service { set }; +allow init startup_init_param:parameter_service { set }; +allow init devinfo_private_param:parameter_service { set }; +allow { init appspawn } startup_appspawn_param:parameter_service { set }; +allow { init ueventd } startup_uevent_param:parameter_service { set }; +allow init devinfo_public_param:parameter_service { set }; +allow init devinfo_type_param:parameter_service { set }; +allow { sadomain hdfdomain native_system_domain native_chipset_domain } bootevent_param:parameter_service { set }; +allow { useriam } useriam_fwkready_param:parameter_service { set }; +allow { init bluetooth_service } bluetooth_param:parameter_service { set }; + +#for read +allow domain servicectrl_param:file { map open read }; +allow domain servicectrl_reboot_param:file { map open read }; +allow domain startup_init_param:file { map open read }; +allow domain startup_appspawn_param:file { map open read }; +allow domain startup_uevent_param:file { map open read }; +allow domain devinfo_public_param:file { map open read }; +allow domain telephony_param:file { map open read }; +allow domain useriam_fwkready_param:file { map open read }; +allow domain useriam_enable_writable_param:file { map open read }; +allow domain bluetooth_param:file { map open read }; + +#for udid +allow { init deviceinfoservice samgr hdf_devmgr softbus_server } devinfo_private_param:file { map open read }; +allow { distributedsche accountmgr device_manager foundation d-bms } devinfo_private_param:file { map open read }; + +allow domain accessibility_param:file { map open read }; +allow domain default_param:file { map open read }; + +#for connect to param service +allow deviceinfoservice paramservice_socket:sock_file { write }; +allow deviceinfoservice kernel:unix_stream_socket { connectto }; +allow deviceinfoservice init:file { getattr open read }; + +allow init deviceinfoservice:file { getattr open read }; +allow init deviceinfoservice:process { getattr }; +allow init deviceinfoservice:dir { getattr search open read }; +#for hidumper_service +allow hidumper_service sa_sysparam_device_service:samgr_class { get }; + +#for param watcher to watch, must allow read +allow { param_watcher pin_auth_host softbus_server } devinfo_private_param:file { map open read }; +allow { param_watcher } accessibility_param:file { map open read }; + +#for fs size +allowxperm init dev_block_file:blk_file ioctl { 0x1268 0x2285 }; + +#for sysrq +allow init proc_sysrq_trigger_file:file { getattr open write ioctl }; + +#for init trace +allow init tracefs_trace_marker_file:file { getattr write open read ioctl }; +allow init tracefs:file { getattr ioctl open read write }; +allow init tracefs:filesystem { mount }; + +debug_only(` + allow init sh:file { map open read relabelto relabelfrom }; + allow init sh:dir { search }; + allow init sh:process { getattr }; +') + +allow init a2dp_host:process { rlimitinh siginh sigkill transition }; +allow init accessibility:process { rlimitinh siginh transition }; +allow init accesstoken_data_file:file { getattr open read write relabelto setattr lock }; +allow init accesstoken_service:process { rlimitinh siginh transition }; +allow init appspawn:process { signal }; +allow init appspawn_socket:sock_file { getattr relabelto }; +allow init bgtaskmgr_service:process { rlimitinh siginh transition }; +allow init blue_host:process { rlimitinh siginh transition }; +allow init bluetooth_service:process { rlimitinh siginh transition }; +allow init bootanimation:dir { search }; +allow init bootanimation:file { open read }; +allow init bootanimation:process { getattr rlimitinh siginh transition }; +allow init bootevent_param:file { map open read relabelto }; +allow init bootevent_samgr_param:file { map open read relabelto }; +allow init build_version_param:file { map open read relabelto }; +allow init camera_service:process { rlimitinh siginh transition }; +allow init mdnsmanager:process { rlimitinh siginh transition }; +allow init cgroup:dir { add_name create open read search setattr write }; +allow init cgroup:file { getattr open setattr }; +allow init cgroup:filesystem { mount }; +allow init cgroup:file { write }; +allow init config_file:dir { mounton }; +allow init configfs:dir { add_name create mounton open read search setattr write }; +allow init configfs:file { create getattr open }; +allow init configfs:filesystem { mount }; +allow init configfs:file { write }; +allow init configfs:lnk_file { create }; +allow init const_allow_mock_param:file { map open read relabelto }; +allow init const_allow_param:file { map open read relabelto }; +allow init const_build_param:file { map open read relabelto }; +allow init const_display_brightness_param:file { map open read relabelto }; +allow init const_param:file { map open read relabelto }; +allow init const_postinstall_fstab_param:file { map open read relabelto }; +allow init const_postinstall_param:file { map open read relabelto }; +allow init const_product_param:file { map open read relabelto }; +allow init data_appasec:dir { getattr open read relabelto setattr }; +allow init data_app_el1_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_app_el2_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_app_el3_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_app_el4_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_app_el5_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_appephemeral:dir { getattr open read relabelto setattr }; +allow init data_app_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_applib:dir { getattr open read relabelto setattr }; +allow init data_appprivate:dir { getattr open read relabelto setattr }; +allow init data_appstaging:dir { getattr open read relabelto setattr }; +allow init data_backup:dir { getattr open read relabelto setattr }; +allow init data_bluetooth:dir { getattr open read relabelto search setattr add_name create write }; +allow init data_cache:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_chipset_el1_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_chipset_el2_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_chipset_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_data_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_data_pulse_dir:file { unlink }; +allow init data_drm:dir { getattr open read relabelto setattr }; +allow init data_ethernet:dir { open read relabelto setattr }; +allow init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write }; +allow init data_drm:dir { getattr open read relabelto setattr }; +allow init data_file:sock_file { getattr relabelfrom }; +allow init data_hilogd_file:dir { relabelto }; +allow init data_libinput:dir { getattr open read relabelto search setattr }; +allow init data_libinput:file { relabelto }; +allow init data_local:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_local_tmp:dir { getattr open read relabelto setattr }; +allow init data_local_traces:dir { getattr open read relabelto setattr }; +allow init data_local_arkcache:dir { getattr open read relabelto setattr }; +allow init data_local_arkprofile:dir { getattr open read relabelto setattr }; +allow init data_log:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_log:file { relabelto }; +allow init data_media:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_misc_ce:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_misc_ce:file { getattr setattr }; +allow init data_misc_de:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_misc_de:file { getattr setattr }; +allow init data_misc:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_nfc:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_ota:dir { getattr open read relabelto setattr }; +allow init data_ota_package:dir { getattr open read relabelto setattr }; +allow init data_parameters:dir { add_name getattr open read relabelto remove_name search setattr write }; +allow init data_parameters:file { create ioctl open read read append relabelto rename unlink write write open }; +allow init data_preloads:dir { getattr open read relabelto setattr }; +allow init data_resourcecache:dir { getattr open read relabelto setattr }; +allow init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_service_el0_file:file { create getattr read write open relabelfrom }; +allow init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_el1_file:file { getattr setattr relabelto }; +allow init data_service_el1_public_deviceauthService_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_service_el1_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_service_el2_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_service_el2_userId_huksService_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_el4_userId_huksService_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_data_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_data_file:file { getattr setattr relabelto }; +allow init data_data_huksService_file:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_data_huksService_file:file { create getattr ioctl open read setattr unlink write }; +allowxperm init data_data_huksService_file:file ioctl { 0x5705 }; +allow init data_service_el2_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_el2_hmdfs:dir { getattr open read relabelto setattr }; +allow init data_service_el3_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_el4_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_el5_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; +allow init data_service_file:file { create getattr unlink write write open }; +allow init data_ss:dir { getattr open read relabelto setattr }; +allow init data_storage:dir { getattr open read relabelto setattr }; +allow init data_system_ce:dir { getattr open read relabelto setattr }; +allow init data_system_de:dir { getattr open read relabelto setattr }; +allow init data_system:dir { add_name create getattr open read relabelto search setattr write }; +allow init data_udev:dir { getattr open read relabelto search setattr }; +allow init data_updater_file:dir { getattr open read relabelto search setattr }; +allow init data_updater_file:file { relabelto create getattr map open read rename setattr unlink write append }; +allow init data_user_de:dir { getattr open read relabelto setattr }; +allow init data_user:dir { add_name getattr open read relabelto search setattr write }; +allow init data_user:lnk_file { create }; +allow init data_vendor_ce:dir { getattr open read relabelto setattr }; +allow init data_vendor_de:dir { getattr open read relabelto setattr }; +allow init data_vendor:dir { add_name create getattr open read relabelto search setattr write }; +allow init d-bms:process { rlimitinh siginh sigkill transition }; +allow init dcamera_host:process { rlimitinh siginh sigkill transition }; +allow init dcamera:process { rlimitinh siginh transition }; +allow init debugfs:dir { mounton }; +allow init debugfs:filesystem { mount }; +allow init debugfs_usb:dir { search }; +allow init debug_param:file { map open read relabelto }; +allow init default_param:file { map open read relabelto }; +allow init dev_at_file:chr_file { ioctl setattr }; +allow init dev_binder_file:chr_file { relabelto }; +allow init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write }; +allow init dev_block_file:dir { open read relabelto search }; +allow init dev_block_file:lnk_file { read relabelto }; +allow init dev_block_volfile:dir { open read relabelto search }; +allow init dev_char_file:dir { getattr open read relabelto setattr }; +allow init dev_console_file:chr_file { getattr ioctl open read write }; +allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write }; +allow init dev_file:lnk_file { create }; +allow init dev_fscklogs_file:dir { open read relabelto search setattr }; +allow init dev_fuse_file:chr_file { setattr }; +allow init dev_graphics_file:chr_file { setattr }; +allow init dev_graphics_file:dir { search }; +allow init dev_hdf_disp:chr_file { setattr }; +allow init dev_hdf_file:chr_file { setattr }; +allow init dev_hdf_input:chr_file { setattr }; +allow init dev_hdf_kevent:chr_file { setattr }; +allow init deviceinfoservice:process { rlimitinh siginh transition }; +allow init device_usage_stats_service:process { rlimitinh siginh transition }; +allow init dev_kmsg_file:chr_file { getattr open read relabelto setattr write }; +allow init dev_mali:chr_file { setattr }; +allow init dev_mgr_file:chr_file { setattr }; +allow init dev_mpp:chr_file { setattr }; +allow init dev_null_file:chr_file { relabelto }; +allow init dev_parameters_file:dir { add_name open read relabelto write }; +allow init dev_parameters_file:file { create relabelfrom relabelto write }; +allow init devpts:chr_file { getattr relabelfrom read write open }; +allow init devpts:dir { relabelfrom }; +allow init dev_pts_file:chr_file { relabelto }; +allow init dev_pts_file:dir { open read relabelto search }; +allow init dev_random_file:chr_file { relabelto }; +allow init dev_rga:chr_file { setattr }; +allow init dev_sched_rtg_ctrl:chr_file { setattr }; +allow init dev_uhid_file:chr_file { setattr }; +allow init dev_tun_file:chr_file { setattr }; +allow init dev_unix_file:dir { getattr open read relabelto }; +allow init dev_unix_file:sock_file { getattr relabelto write }; +allow init dev_unix_socket:dir { add_name getattr open read relabelto remove_name search write }; +allow init dev_unix_socket:sock_file { create getattr relabelfrom setattr }; +allow init dev_usb_ffs:dir { add_name create getattr mounton open read relabelto search setattr write }; +allow init dev_v_file:dir { open getattr read relabelto setattr }; +allow init dev_v_file:chr_file { setattr }; +allow init dev_media_file:chr_file { setattr }; +allow init dev_video_file:chr_file { setattr }; +allow init dhardware:process { rlimitinh siginh transition }; +allow init distributeddata:process { rlimitinh siginh transition }; +allow init distributedfiledaemon:process { rlimitinh siginh transition }; +allow init distributedsche_param:file { map open read relabelto }; +allow init distributedsche:process { rlimitinh siginh transition }; +allow init download_server:process { rlimitinh siginh transition }; +allow init dscreen:process { rlimitinh siginh transition }; +allow init dslm_service:process { rlimitinh siginh transition }; +allow init edm_sa:process { rlimitinh siginh transition }; +allow init faultloggerd_exec:file { execute getattr read open }; +allow init faultloggerd:process { rlimitinh siginh transition }; +allow init faultloggerd_socket:sock_file { getattr relabelto unlink }; +allow init faultloggerd_temp_file:dir { getattr open read relabelfrom relabelto setattr }; +allow init faultloggerd_socket_sdkdump:sock_file { getattr relabelto unlink }; +allow init fd_holder_socket:sock_file { getattr relabelto write }; +allow init foundation:dir { search }; +allow init foundation:file { open read }; +allow init foundation:process { getattr rlimitinh siginh transition }; +allow init powermgr:dir { search }; +allow init powermgr:file { open read }; +allow init powermgr:process { getattr rlimitinh siginh transition }; +allow init functionfs:filesystem { mount }; +allow init hdcd_exec:file { execute getattr open read }; +allow init hdcd:process { rlimitinh siginh transition getattr }; +allow init hdcd:file { read open }; +allow init hdcd:dir { search }; +allow init hdcd_socket:sock_file { getattr relabelto unlink }; +allow init hdf_devmgr:dir { search }; +allow init hdf_devmgr:file { open read }; +allow init hdf_devmgr:process { getattr }; +allow init hidumper_file:dir { getattr open read relabelto setattr }; +allow init hidumper_service:process { rlimitinh siginh transition }; +allow init hilog_control_socket:sock_file { getattr relabelto }; +allow init hilog_input_socket:sock_file { getattr relabelto }; +allow init hilog_param:file { map open read relabelto }; +allow init hisysevent_socket:sock_file { getattr relabelto }; +allow init hiview_file:dir { getattr open read relabelto setattr search }; +allow init hw_sc_build_os_param:file { map open read relabelto }; +allow init hw_sc_build_param:file { map open read relabelto }; +allow init hw_sc_param:file { map open read relabelto }; +allow init init:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource }; +allow init init:netlink_kobject_uevent_socket { bind create setopt }; +allow init init_param:file { map open read relabelto }; +allow init init:process { setexec setsockcreate }; +allow init init_svc_param:file { map open read relabelto }; +allow init init:udp_socket { create ioctl }; +allow init init:unix_dgram_socket { bind setopt getopt getattr read }; +allow init inputmethod_service:process { rlimitinh siginh transition }; +allow init input_pointer_device_param:file { map open read relabelto }; +allow init input_user_host:process { rlimitinh siginh transition }; +allow init ispserver:process { rlimitinh siginh transition }; +allow init kernel:process { setsched }; +allow init kernel:system { syslog_read }; +allow init kernel:unix_stream_socket { write }; +allow init labeledfs:filesystem { mount remount unmount }; +allow init location_host:process { rlimitinh siginh transition }; +allow init locationhub:process { rlimitinh siginh transition }; +allow init media_service:process { rlimitinh siginh transition }; +allow init memmgrservice:dir { search }; +allow init memmgrservice:file { open read }; +allow init memmgrservice:process { getattr rlimitinh siginh transition }; +allow init misc:process { rlimitinh siginh transition }; +allow init mmi_uinput_service:process { rlimitinh siginh transition }; +allow init msdp_sa:process { rlimitinh siginh transition }; +allow init multimodalinput:dir { search }; +allow init multimodalinput:file { open read }; +allow init multimodalinput:process { getattr rlimitinh siginh transition }; +allow init native_socket:sock_file { getattr relabelto }; +allow init netmanager:process { rlimitinh siginh transition }; +allow init net_param:file { map open read relabelto }; +allow init netsysnative:process { rlimitinh siginh transition }; +allow init net_tcp_param:file { map open read relabelto }; +allow init nwebspawn:process { rlimitinh siginh transition }; +allow init nwebspawn_socket:sock_file { getattr relabelto }; +allow init ohos_boot_param:file { map open read relabelto }; +allow init ohos_param:file { map open read relabelfrom relabelto }; +allow init paramservice_socket:sock_file { getattr relabelto }; +allow init param_watcher:process { rlimitinh siginh transition }; +allow init pasteboard_service:process { rlimitinh siginh transition }; +allow init persist_param:file { map open read relabelto }; +allow init persist_sys_param:file { map open read relabelto }; +allow init power_host:process { rlimitinh siginh transition }; +allow init proc_cmdline_file:file { getattr open read setattr }; +allow init proc_file:file { getattr open setattr write }; +allow init proc_interrupts_file:file { setattr }; +allow init proc_kmsg_file:file { setattr }; +allow init proc_net:file { setattr }; +allow init proc_slabinfo_file:file { setattr }; +allow init proc_swaps_file:file { read }; +allow init proc_vmallocinfo_file:file { setattr }; +allow init pstorefs:dir { setattr }; +allow init pstorefs:filesystem { mount }; +allow init rootfs:dir { mounton }; +allow init samain_exec:file { execute getattr open read open }; +allow init samgr:dir { search }; +allow init samgr:file { open read }; +allow init samgr:process { getattr }; +allow init screenlock_server:process { rlimitinh siginh transition }; +allow init security_param:file { map open read relabelto }; +allow init security:security { compute_av }; +allow init selinuxfs:dir { open read search }; +allow init selinuxfs:file { map open read write setattr }; +allow init sh_exec:file { execute getattr read open }; +allow init softbus_server:process { rlimitinh siginh transition }; +allow init startup_param:file { map open read relabelto }; +allow init storage_daemon_exec:file { execute getattr read open }; +allow init storage_daemon:process { rlimitinh siginh transition }; +allow init storage_manager:process { rlimitinh siginh transition }; +allow init sys_file:dir { add_name mounton write }; +allow init sys_file:file { create getattr open read setattr write }; +allow init sysfs_block_zram:file { getattr open setattr write }; +allow init sysfs_devices_system_cpu:file { setattr }; +allow init sysfs_power:file { setattr }; +allow init sysfs_state:file { setattr }; +allow init sysfs_wake_lck:file { setattr }; +allow init sys_param:file { map open read relabelto }; +allow init system_basic_hap_attr:dir { search }; +allow init system_basic_hap_attr:file { open read }; +allow init system_basic_hap_attr:process { getattr }; +allow init system_bin_file:dir { search }; +allow init system_bin_file:file { execute execute_no_trans getattr map open read read open }; +allow init system_bin_file:lnk_file { read }; +allow init toybox_exec:file { execute execute_no_trans getattr map open read }; +allow init toybox_exec:lnk_file { read }; +allow init sys_usb_param:file { map open read relabelto }; +allow init thermal_protector_exec:file { execute getattr read open }; +allow init time_service:process { rlimitinh siginh transition }; +allow init tmpfs:blk_file { getattr relabelfrom }; +allow init tmpfs:chr_file { getattr relabelfrom write open read }; +allow init tmpfs:dir { add_name create mounton open read relabelfrom setattr write }; +allow init tmpfs:file { getattr relabelfrom create open mounton }; +allow init tmpfs:lnk_file { create getattr relabelfrom }; +allow init tmpfs:sock_file { getattr relabelfrom }; +allow init token_sync_service:process { rlimitinh siginh transition }; +allow init tracefs:dir { mounton search setattr }; +allow init tracefs:file { getattr open setattr write }; +allow init tracefs_trace_marker_file:file { setattr }; +allow init tty_device:chr_file { relabelto setattr }; +allow init udevd_socket:sock_file { relabelto }; +allow init ui_service:process { rlimitinh siginh transition }; +allow init unlabeled:dir { getattr relabelfrom }; +allow init unlabeled:file { getattr open read relabelfrom }; +allow init updater_sa:dir { search }; +allow init updater_sa:file { open read }; +allow init updater_sa:process { getattr rlimitinh siginh transition }; +allow init usb_host:process { rlimitinh siginh transition }; +allow init usb_service:process { rlimitinh siginh transition }; +allow init vendor_bin_file:dir { search }; +allow init vendor_bin_file:file { execute getattr read read open }; +allow init vendor_etc_file:dir { open read search getattr }; +allow init vendor_etc_file:file { getattr open read }; +allow init wallpaper_service:process { rlimitinh siginh transition }; +allow init watchdog_service_exec:file { execute getattr read open }; +allow init watchdog_service:process { rlimitinh siginh transition }; +allow init wifi_hal_service_exec:file { execute getattr read read open }; +allow init wifi_hal_service:process { rlimitinh siginh transition }; +allow init wifi_manager_service:process { rlimitinh siginh transition }; +allow init kernel:unix_dgram_socket { sendto }; +allowxperm init data_file:file ioctl { 0x5413 }; +allowxperm init data_parameters:file ioctl { 0x5413 }; +allowxperm init dev_at_file:chr_file ioctl { 0x4102 }; +allowxperm init dev_block_file:blk_file ioctl { 0x125e 0x1272 0x127c 0x5413 }; +allowxperm init dev_console_file:chr_file ioctl { 0x540e }; +allowxperm init init:udp_socket ioctl { 0x8913 0x8914 }; +allowxperm init devpts:chr_file ioctl { 0x5413 }; + +# for hyperhold +allow init zram_device:blk_file { read open write ioctl getattr }; +allow init hyperhold_sys:dir { search relabelto write add_name getattr setattr remove_name }; +allow init hyperhold_sys:file { setattr getattr open read write create relabelto rename unlink }; +allowxperm init zram_device:blk_file ioctl { 0x126e }; + +# avc: denied { getattr } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { read } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { write } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow init updater_block_file:blk_file { getattr ioctl open read write }; + +# avc: denied { ioctl } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allowxperm init updater_block_file:blk_file ioctl { 0x5413 }; + +# avc: denied { relabelto } for pid=1 comm="init" name="misc" dev="tmpfs" ino=37 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=0 +allow init updater_block_file:lnk_file { relabelto }; + +# avc: denied { ioctl } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1 +allowxperm init tmpfs:blk_file ioctl { 0x5413 }; + +# avc: denied { rlimitinh } for pid=602 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1 +# avc: denied { siginh } for pid=602 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1 +# avc: denied { transition } for pid=602 comm="init" path="/system/bin/sa_main" dev="mmcblk0p7" ino=366 scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1 +allow init drm_service:process { rlimitinh siginh transition }; +# avc: denied { ioctl } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1 +# avc: denied { read } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1 +# avc: denied { write } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1 +allow init tmpfs:blk_file { ioctl open read write }; +# for developer +allow init proc_developer_file:file { open read getattr }; +allow init appspawn:file { read open write }; +allow init render_service:file { read open write }; +allow init foundation:file { read open write }; +allow init powermgr:file { read open write }; +allow init sysfs_hungtask_userlist:file { read open write }; +allow init data_service_el1_public_huksService_file:file { getattr }; +allow init share_public_file:dir { getattr }; + +# for chip ckm +# avc: denied { getattr } for pid=1 comm="init" path="/chip_ckm" dev="mmcblk0p7" ino=13 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0 +# avc: denied { mounton } for pid=1 comm="init" path="/chip_ckm" dev="mmcblk0p7" ino=13 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=1 comm="init" name="/" dev="mmcblk0p14" ino=2 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0 +allow init chip_ckm_file:dir { getattr mounton search }; + +# avc: denied { read } for pid=1 comm="init" name="kosample.ko" dev="mmcblk0p14" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=file permissive=0 +# avc: denied { open } for pid=1 comm="init" path="/chip_ckm/kosample.ko" dev="mmcblk0p14" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=file permissive=0 +allow init chip_ckm_file:file { read open }; + +allow init sysfs_block_file:dir { read open }; +allow init sysfs_block_file:file { open write }; + +init_relabel(data_service_el1_public_device_attest); +init_relabel(share_public_file); +init_relabel(msdp_data_file); +init_relabel(av_session_data_file); +init_relabel(cert_manager_service_file); +init_relabel(dlp_permission_data_file); + +allow ark_writeable_param tmpfs:filesystem associate; +allow init ark_writeable_param:file { map open read relabelto relabelfrom }; +allow init ark_writeable_param:parameter_service { set }; +# avc: denied { read append } for pid=1 comm="init" path="/data/service/el1/startup/parameters/persist_parameters" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:data_service_file:s0 tclass=file permissive=0 +allow init data_service_file:file {read append}; +# avc: denied { read } for pid=1 comm="init" path="/console" dev="" ino=70 scontext=u:r:init:s0 tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file permissive=0 +allow init dev_console_file:lnk_file { read}; + +# avc: denied { setpcap } for pid=4977 comm="init" capability=8 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0 +allow init init:capability { setpcap }; + +# avc: denied { append } for pid=1 comm="init" name="private_persist_parameters" dev="mmcblk0p15" ino=2386 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { rename } for pid=1 comm="init" name="tmp_private_persist_parameters" dev="mmcblk0p15" ino=2703 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow init data_service_el1_file:file { open read append rename map }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..6976b48d9a73360aa7dac940fcf806a82e0c2e77 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/normal_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=3902 pid=6878 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sa_sysparam_device_service:s0 tclass=samgr_class permissive=0 +allow normal_hap_attr sa_sysparam_device_service:samgr_class { get }; +allow normal_hap_attr deviceinfoservice:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..0fd3ae5be259e8b460e434ee1fdd15ba4603d5cb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/param_watcher.te @@ -0,0 +1,115 @@ +# Copyright (c) 2021-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher bootevent_param:parameter_service { set }; + +allow param_watcher { parameter_attr -usb_setting_param }:file { map open read }; + +allow param_watcher accessibility:binder { call }; +allow param_watcher accesstoken_service:binder { call }; +allow param_watcher accountmgr:binder { call }; +allow param_watcher bgtaskmgr_service:binder { call }; +allow param_watcher bluetooth_service:binder { call }; +allow param_watcher bootanimation:binder { call }; +allow param_watcher bootevent_param:file { map open read }; +allow param_watcher bootevent_samgr_param:file { map open read }; +allow param_watcher build_version_param:file { map open read }; +allow param_watcher camera_service:binder { call }; +allow param_watcher drm_service:binder { call }; +allow param_watcher const_allow_mock_param:file { map open read }; +allow param_watcher const_allow_param:file { map open read }; +allow param_watcher const_build_param:file { map open read }; +allow param_watcher const_display_brightness_param:file { map open read }; +allow param_watcher const_param:file { map open read }; +allow param_watcher const_postinstall_fstab_param:file { map open read }; +allow param_watcher const_postinstall_param:file { map open read }; +allow param_watcher const_product_param:file { map open read }; +allow param_watcher d-bms:binder { call }; +allow param_watcher dcamera:binder { call }; +allow param_watcher debug_param:file { map open read }; +allow param_watcher default_param:file { map open read }; +allow param_watcher deviceinfoservice:binder { call }; +allow param_watcher device_usage_stats_service:binder { call }; +allow param_watcher dev_unix_socket:dir { search }; +allow param_watcher dhardware:binder { call }; +allow param_watcher distributeddata:binder { call }; +allow param_watcher distributedfiledaemon:binder { call }; +allow param_watcher distributedsche:binder { call }; +allow param_watcher distributedsche_param:file { map open read }; +allow param_watcher download_server:binder { call }; +allow param_watcher dscreen:binder { call }; +allow param_watcher dslm_service:binder { call }; +allow param_watcher edm_sa:binder { call }; +allow param_watcher foundation:binder { call }; +allow param_watcher powermgr:binder { call }; +allow param_watcher hidumper_service:binder { call }; +allow param_watcher hilog_param:file { map open read }; +allow param_watcher hiview:binder { call }; +allow param_watcher huks_service:binder { call }; +allow param_watcher hw_sc_build_os_param:file { map open read }; +allow param_watcher hw_sc_build_param:file { map open read }; +allow param_watcher hw_sc_param:file { map open read }; +allow param_watcher init_param:file { map open read }; +allow param_watcher init_svc_param:file { map open read }; +allow param_watcher inputmethod_service:binder { call }; +allow param_watcher input_pointer_device_param:file { map open read }; +allow param_watcher kernel:unix_stream_socket { connectto }; +allow param_watcher locationhub:binder { call }; +allow param_watcher media_service:binder { call }; +allow param_watcher memmgrservice:binder { call }; +allow param_watcher msdp_sa:binder { call }; +allow param_watcher multimodalinput:binder { call }; +allow param_watcher netmanager:binder { call }; +allow param_watcher net_param:file { map open read }; +allow param_watcher netsysnative:binder { call }; +allow param_watcher net_tcp_param:file { map open read }; +allow param_watcher normal_hap_attr:binder { call }; +allow param_watcher ohos_boot_param:file { map open read }; +allow param_watcher ohos_param:file { map open read }; +allow param_watcher paramservice_socket:sock_file { write }; +allow param_watcher pasteboard_service:binder { call }; +allow param_watcher persist_param:file { map open read }; +allow param_watcher persist_sys_param:file { map open read }; +allow param_watcher pinauth:binder { call }; +allow param_watcher audio_server:binder { call }; +allow param_watcher render_service:binder { call }; +allow param_watcher resource_schedule_service:binder { call }; +allow param_watcher sa_param_watcher:samgr_class { add get }; +allow param_watcher screenlock_server:binder { call }; +allow param_watcher security_param:file { map open read }; +allow param_watcher sensors:binder { call }; +allow param_watcher softbus_server:binder { call }; +allow param_watcher startup_param:file { map open read }; +allow param_watcher storage_manager:binder { call }; +allow param_watcher sys_param:file { map open read }; +allow param_watcher system_basic_hap_attr:binder { call }; +allow param_watcher system_bin_file:dir { search }; +allow param_watcher system_core_hap_attr:binder { call }; +allow param_watcher sys_usb_param:file { map open read }; +allow param_watcher telephony_sa:binder { call }; +allow param_watcher time_service:binder { call }; +allow param_watcher token_sync_service:binder { call }; +allow param_watcher tracefs:dir { search }; +allow param_watcher tracefs_trace_marker_file:file { open write }; +allow param_watcher ui_service:binder { call }; +allow param_watcher updater_sa:binder { call }; +allow param_watcher usb_service:binder { call }; +allow param_watcher useriam:binder { call }; +allow param_watcher wallpaper_service:binder { call }; +allow param_watcher wifi_manager_service:binder { call }; +allow param_watcher composer_host:binder { call }; + +debug_only(` + allow param_watcher console:binder { call }; + allow param_watcher sh:binder { call }; +') diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/parameter.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..50823a0d44a594bc44b18b1094f3acf27aaafdf5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/parameter.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +typeattribute av_session devinfo_type_allow_attr; +typeattribute devattest_service devinfo_type_allow_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/ueventd.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..57b9dbc9bf6a0b75ef7d639ba267e0566e54fd7a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/ueventd.te @@ -0,0 +1,191 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +init_daemon_domain(ueventd); +allow ueventd dev_media_file:chr_file { getattr setattr unlink}; +allow ueventd dev_video_file:chr_file { getattr setattr unlink}; +allow ueventd musl_param:file { read }; + +allow ueventd accessibility_param:file { map open read }; +allow ueventd bootevent_param:file { map open read }; +allow ueventd bootevent_samgr_param:file { map open read }; +allow ueventd build_version_param:file { map open read }; +allow ueventd const_allow_mock_param:file { map open read }; +allow ueventd const_allow_param:file { map open read }; +allow ueventd const_build_param:file { map open read }; +allow ueventd const_display_brightness_param:file { map open read }; +allow ueventd const_param:file { map open read }; +allow ueventd const_postinstall_fstab_param:file { map open read }; +allow ueventd const_postinstall_param:file { map open read }; +allow ueventd const_product_param:file { map open read }; +allow ueventd debug_param:file { map open read }; +allow ueventd default_param:file { map open read }; +allow ueventd dev_ashmem_file:chr_file { relabelto }; +allow ueventd dev_at_file:chr_file { relabelto }; +allow ueventd dev_bbox:chr_file { relabelto }; +allow ueventd dev_binder_file:chr_file { getattr setattr }; +allow ueventd dev_block_file:blk_file { create getattr relabelto setattr }; +allow ueventd dev_block_file:dir { add_name getattr search write }; +allow ueventd dev_block_file:lnk_file { create }; +allow ueventd dev_block_volfile:blk_file { create getattr relabelfrom setattr }; +allow ueventd dev_block_volfile:dir { add_name getattr search write }; +allow ueventd dev_bus:dir { getattr relabelto search }; +allow ueventd dev_bus_usb_file:chr_file { create getattr relabelto setattr unlink }; +allow ueventd dev_bus_usb_file:dir { add_name create getattr relabelto remove_name search write }; +allow ueventd dev_console_file:chr_file { relabelto }; +allow ueventd dev_cpu_dma_latency_file:chr_file { relabelto }; +allow ueventd dev_dev_cec0:chr_file { relabelto }; +allow ueventd dev_dma_heap_file:chr_file { create getattr relabelto setattr }; +allow ueventd dev_dma_heap_file:dir { add_name getattr relabelto search write }; +allow ueventd dev_dri_file:chr_file { create getattr relabelto setattr }; +allow ueventd dev_dri_file:dir { add_name getattr relabelto search write }; +allow ueventd dev_file:chr_file { create getattr relabelfrom setattr unlink }; +allow ueventd dev_mapper_control_file:chr_file { create getattr relabelfrom setattr unlink }; +allow ueventd dev_file:dir { add_name create getattr relabelfrom write remove_name }; +allow ueventd dev_file:file { create read write open }; +allow ueventd dev_full:chr_file { relabelto }; +allow ueventd dev_fuse_file:chr_file { relabelto }; +allow ueventd dev_gpiochip:chr_file { relabelto }; +allow ueventd dev_graphics_file:chr_file { relabelto }; +allow ueventd dev_graphics_file:dir { getattr relabelto search }; +allow ueventd dev_hdf_audio_capture:chr_file { relabelto }; +allow ueventd dev_hdf_audio_codec_primary:chr_file { relabelto }; +allow ueventd dev_hdf_audio_codec_hdmi:chr_file { getattr open read write }; +allow ueventd dev_hdf_audio_control:chr_file { relabelto }; +allow ueventd dev_hdf_audio_render:chr_file { relabelto }; +allow ueventd dev_hdf_bl:chr_file { relabelto }; +allow ueventd dev_hdf_disp:chr_file { relabelto }; +allow ueventd dev_hdf_file:chr_file { relabelto }; +allow ueventd dev_hdf_i2c_mgr:chr_file { relabelto }; +allow ueventd dev_hdf_input:chr_file { relabelto getattr setattr unlink }; +allow ueventd dev_hdf_kevent:chr_file { relabelto }; +allow ueventd dev_hdf_light:chr_file { relabelto }; +allow ueventd dev_hdf_misc_vibrator:chr_file { relabelto }; +allow ueventd dev_hdf_sensor_mgr:chr_file { relabelto }; +allow ueventd dev_hdf_test:chr_file { relabelto }; +allow ueventd dev_hdf_usb_pnp:chr_file { relabelto }; +allow ueventd dev_hdmi_hdcp1x:chr_file { relabelto }; +allow ueventd dev_xpm:chr_file { relabelto }; +allow ueventd dev_hwbinder_file:chr_file { relabelto }; +allow ueventd dev_hwrng:chr_file { relabelto }; +allow ueventd dev_i2c:chr_file { relabelto }; +allow ueventd dev_i2c_test:chr_file { relabelto }; +allow ueventd dev_iio_file:chr_file { relabelto }; +allow ueventd dev_input_file:chr_file { create getattr relabelto setattr unlink }; +allow ueventd dev_input_file:dir { add_name getattr relabelto search write remove_name }; +allow ueventd hidraw_device_file:chr_file { create getattr relabelto setattr unlink }; +allow ueventd hidraw_device_file:dir { add_name getattr relabelto search write remove_name }; +allow ueventd dev_kmsg_file:chr_file { getattr open setattr write }; +allow ueventd dev_loop_control_file:chr_file { relabelto }; +allow ueventd dev_mali:chr_file { relabelto }; +allow ueventd dev_media_file:chr_file { relabelto }; +allow ueventd dev_mem:chr_file { relabelto }; +allow ueventd dev_mgr_file:chr_file { relabelto }; +allow ueventd dev_mpp:chr_file { relabelto }; +allow ueventd dev_null_file:chr_file { setattr }; +allow ueventd dev_pm_test:chr_file { relabelto }; +allow ueventd dev_port:chr_file { relabelto }; +allow ueventd dev_ptmx:chr_file { relabelto }; +allow ueventd dev_ptp:chr_file { relabelto }; +allow ueventd dev_random_file:chr_file { setattr }; +allow ueventd dev_rfkill:chr_file { relabelto }; +allow ueventd dev_rga:chr_file { relabelto }; +allow ueventd dev_rpmb_file:chr_file { relabelto }; +allow ueventd dev_rtc_file:chr_file { relabelto }; +allow ueventd dev_sample_svc:chr_file { relabelto }; +allow ueventd dev_sched_rtg_ctrl:chr_file { relabelto }; +allow ueventd dev_snapshot:chr_file { relabelto }; +allow ueventd dev_svc_mgr_file:chr_file { relabelto }; +allow ueventd dev_sw_sync:chr_file { relabelto }; +allow ueventd dev_tee_file:chr_file { relabelto }; +allow ueventd dev_ubi_file:chr_file { relabelto }; +allow ueventd dev_uhid_file:chr_file { relabelto }; +allow ueventd dev_tun_file:chr_file { relabelto }; +allow ueventd dev_uinput:chr_file { relabelto }; +allow ueventd dev_unix_socket:dir { search }; +allow ueventd dev_vcs_file:chr_file { relabelto }; +allow ueventd dev_v_file:chr_file { relabelto }; +allow ueventd dev_vhci_file:chr_file { relabelto }; +allow ueventd dev_video_file:chr_file { relabelto }; +allow ueventd dev_vndbinder_file:chr_file { relabelto }; +allow ueventd dev_watchdog_file:chr_file { relabelto }; +allow ueventd dev_zero_file:chr_file { relabelto }; +allow ueventd distributedsche_param:file { map open read }; +allow ueventd hilog_param:file { map open read }; +allow ueventd hw_sc_build_os_param:file { map open read }; +allow ueventd hw_sc_build_param:file { map open read }; +allow ueventd hw_sc_param:file { map open read }; +allow ueventd init:netlink_kobject_uevent_socket { getopt }; +allow ueventd init_param:file { map open read }; +allow ueventd init_svc_param:file { map open read }; +allow ueventd input_pointer_device_param:file { map open read }; +allow ueventd net_param:file { map open read }; +allow ueventd net_tcp_param:file { map open read }; +allow ueventd ohos_boot_param:file { map open read }; +allow ueventd ohos_param:file { map open read }; +allow ueventd persist_param:file { map open read }; +allow ueventd persist_sys_param:file { map open read }; +allow ueventd proc_cmdline_file:file { open read }; +allow ueventd security_param:file { map open read }; +allow ueventd startup_param:file { map open read }; +allow ueventd sys_file:dir { open read }; +allow ueventd sys_file:file { open write }; +allow ueventd sysfs_gadget_usb:dir { open read }; +allow ueventd sysfs_block_file:dir { open read }; +allow ueventd sysfs_block_file:file { open write }; +allow ueventd sysfs_block_loop:dir { open read }; +allow ueventd sysfs_block_loop:file { open write }; +allow ueventd sysfs_block_zram:dir { open read }; +allow ueventd sysfs_block_zram:file { open write }; +allow ueventd sysfs_devices_system_cpu:dir { open read }; +allow ueventd sysfs_devices_system_cpu:file { open write }; +allow ueventd sysfs_extcon:dir { open read }; +allow ueventd sysfs_leds:dir { open read }; +allow ueventd sysfs_net:dir { open read }; +allow ueventd sysfs_net:file { open write }; +allow ueventd sysfs_rtc:dir { open read }; +allow ueventd sysfs_wakeup:dir { open read }; +allow ueventd sysfs_wakeup:file { open write }; +allow ueventd sys_param:file { map open read }; +allow ueventd system_bin_file:dir { search }; +allow ueventd sys_usb_param:file { map open read }; +allow ueventd tmpfs:dir { relabelfrom write }; +allow ueventd tty_device:chr_file { getattr relabelto setattr }; +allow ueventd ueventd:capability { chown fowner fsetid mknod setgid net_admin dac_override }; +allow ueventd ueventd:netlink_kobject_uevent_socket { create setopt bind read }; +allow ueventd vendor_etc_file:dir { search }; +allow ueventd init:unix_dgram_socket { read write }; +allow ueventd paramservice_socket:sock_file { write }; +allow ueventd kernel:unix_stream_socket { connectto }; +allow ueventd dev_block_file:blk_file { relabelfrom }; +allow ueventd dev_block_file:lnk_file { relabelfrom getattr }; +allow ueventd dev_block_file:dir { open read }; +allow ueventd dev_block_volfile:lnk_file { setattr getattr relabelfrom}; + +# for hyperhold +allow ueventd zram_device:blk_file { relabelto getattr setattr }; + +# avc: denied { getattr } for pid=250 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { relabelfrom } for pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { setattr } for pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { relabelto } for pid=245 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow ueventd updater_block_file:blk_file { getattr relabelfrom setattr relabelto }; + +# avc: denied { getattr } for pid=242 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +# avc: denied { relabelfrom } for pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +# avc: denied { setattr } for pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +allow ueventd tmpfs:blk_file { getattr relabelfrom setattr }; + +# avc: denied { getattr } for pid=245 comm="ueventd" path="/dev/block/by-name/misc" dev="tmpfs" ino=37 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1 +allow ueventd updater_block_file:lnk_file { getattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/startup/init/system/watchdog_service.te b/prebuilts/api/5.0/ohos_policy/startup/init/system/watchdog_service.te new file mode 100644 index 0000000000000000000000000000000000000000..55cb8b86f3a049b443fe01bd3b4a4bb9af0870fe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/startup/init/system/watchdog_service.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allowxperm watchdog_service dev_watchdog_file:chr_file ioctl { 0x5708 0x5709 }; + +allow watchdog_service dev_watchdog_file:chr_file { getattr ioctl open read write }; +allow watchdog_service watchdog_service_exec:file { entrypoint execute map read }; +allow watchdog_service dev_unix_socket:dir { search }; +allowxperm watchdog_service dev_watchdog_file:chr_file ioctl { 0x5705 0x5706 0x5707 }; diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/file_contexts b/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..9b957e5693d2fe891adc727786ae8f91774b3b86 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/file_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/sec_storage(/.*)? u:object_r:teecd_data_file:s0 +/data/vendor/sec_storage_data(/.*)? u:object_r:teecd_data_file_vendor:s0 +/data/vendor/sec_storage_data_users(/.*)? u:object_r:teecd_data_file_vendor:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/teecd.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/teecd.te new file mode 100644 index 0000000000000000000000000000000000000000..dab3b3bf1e761725733f7bb8c1b9e6f2093532e8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/public/teecd.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type teecd, native_chipset_domain, domain; +type teecd_data_file, file_attr, dev_attr; +type teecd_data_file_vendor, file_attr, data_file_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/cadaemon.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/cadaemon.te new file mode 100644 index 0000000000000000000000000000000000000000..a099bc69e503bc881151b845bdedd1c3d15c2e87 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/cadaemon.te @@ -0,0 +1,79 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type cadaemon, sadomain, domain; + +allow cadaemon system_bin_file: dir { search }; +allow cadaemon system_bin_file: file { read open getattr }; +allow cadaemon dev_tee_public:chr_file { read write open ioctl map }; +allow cadaemon dev_tee_private:chr_file { read write open ioctl }; + +#avc: denied { add } for service=8001 pid=2904 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_cadaemon_service:s0 tclass=samgr_class permissive=0 +allow cadaemon sa_ca_daemon_service:samgr_class { add }; +#avc: denied { get } for service=3901 pid=2935 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=0 +allow cadaemon sa_param_watcher:samgr_class { get }; +#avc: denied { call } for pid=2854 comm="cadaemon" scontext=u:r:cadaemon:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2854 comm="cadaemon" scontext=u:r:cadaemon:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +#avc: denied { call } for pid=462 comm="IPC_2_1662" scontext=u:r:param_watcher:s0 tcontext=u:r:cadaemon:s0 tclass=binder permissive=1 +allow cadaemon param_watcher:binder { call transfer }; +allow param_watcher cadaemon:binder { call }; +#avc: denied { search } for pid=2902 comm="cadaemon" name="/" dev="tracefs" ino=1 scontext=u:r:cadaemon:s0 tcontext=u:object_r:tracefs:s0 tclass=dir +allow cadaemon tracefs:dir { search }; +#avc: denied { open } for pid=439 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:cadaemon:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { read } for pid=2846 comm="sa_main" name="u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:cadaemon:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +#avc: denied { map } for pid=3019 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:cadaemon:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 +allow cadaemon debug_param:file { open read map }; +#avc: denied { open } for pid=2846 comm="cadaemon" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=9933 scontext=u:r:cadaemon:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=0 +#avc: denied { open write } for pid=2902 comm="cadaemon" name="trace_marker" dev="tracefs" ino=9933 scontext=u:r:cadaemon:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file +allow cadaemon tracefs_trace_marker_file:file { open write }; +#avc: denied { call } for pid=440 comm="cadaemon" scontext=u:r:cadaemon:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 +allow cadaemon accesstoken_service:binder { call }; +#avc: denied { search } for pid=460 comm="sa_main" name="socket" dev="tmpfs" ino=38 scontext=u:r:cadaemon:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow cadaemon dev_unix_socket:dir { search }; +#avc: denied { read } for pid=460 comm="sa_main" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:cadaemon:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=460 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:cadaemon:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=460 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:cadaemon:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow cadaemon hilog_param:file { map open read }; +#avc: denied { read } for pid=460 comm="cadaemon" name="u:object_r:musl_param:s0" dev="tmpfs" ino=69 scontext=u:r:cadaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=460 comm="cadaemon" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=69 scontext=u:r:cadaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=460 comm="cadaemon" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=69 scontext=u:r:cadaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow cadaemon musl_param:file { map open read }; +#avc: denied { read } for pid=460 comm="sa_main" name="overcommit_memory" dev="proc" ino=3092 scontext=u:r:cadaemon:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=460 comm="sa_main" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=3092 scontext=u:r:cadaemon:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow cadaemon proc_file:file { open read }; +#avc: denied { read } for pid=4055 comm="SaInit0" name="c_state" dev="sysfs" ino=68128 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=0 +#avc: denied { open } for pid=4055 comm="SaInit0" name="c_state" dev="sysfs" ino=68128 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=3407 comm="SaInit0" path="/sys/kernel/tui/c_state" dev="sysfs" ino=68182 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow cadaemon sys_file:file { open read getattr }; +#avc: denied { get } for service=3503 pid=438 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow cadaemon sa_accesstoken_manager_service:samgr_class { get }; +#avc: denied { get } for service=3301 pid=472 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 +allow cadaemon sa_powermgr_powermgr_service:samgr_class { get }; +#avc: denied { get } for service=4005 pid=472 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_foundation_tel_call_manager:s0 tclass=samgr_class permissive=1 +allow cadaemon sa_foundation_tel_call_manager:samgr_class { get }; +#avc: denied { get } for service=4607 pid=472 scontext=u:r:cadaemon:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 +allow cadaemon sa_foundation_dms:samgr_class { get }; +#avc: denied { call } for pid=1123 comm="SaInit2" scontext=u:r:cadaemon:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=1123 comm="SaInit2" scontext=u:r:cadaemon:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow cadaemon foundation:binder { call transfer }; +binder_call(cadaemon, powermgr); +#avc: denied { call } for pid=1220 comm="IPC_6_1660" scontext=u:r:foundation:s0 tcontext=u:r:cadaemon:s0 tclass=binder permissive=1 +allow foundation cadaemon:binder { call }; + +debug_only(` + allow cadaemon sh:binder { call }; + allow cadaemon sh:dir { search }; + allow cadaemon sh:file { read open getattr }; + allow cadaemon sh:fd { use }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/init.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..11eee395f46b651578d9a9eaeeda172108333e88 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init cadaemon:process { rlimitinh siginh transition }; +allow init tlogcat:process { rlimitinh siginh transition }; + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/tlogcat.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/tlogcat.te new file mode 100644 index 0000000000000000000000000000000000000000..8e4e2ee711a819d0259265f05733f01201902b30 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/system/tlogcat.te @@ -0,0 +1,44 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License + +type tlogcat, native_system_domain, domain; + +allow tlogcat dev_tee_log:chr_file { read open ioctl }; +allow tlogcat data_log:dir { create search setattr getattr read open write add_name remove_name relabelto rmdir }; +#avc: denied { ioctl } for pid=677 comm="tlogcat" path="/data/log/tee/teeOS_log-0" dev="sdd80" ino=125 ioctlcmd=0x5413 scontext=u:r:tlogcat:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1 +allow tlogcat data_log:file { open read write getattr setattr append rename create unlink ioctl }; +allow tlogcat data_log:lnk_file { getattr }; + +#avc: denied { read } for pid=654 comm="tlogcat" name="u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:tlogcat:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=654 comm="tlogcat" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:tlogcat:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=654 comm="tlogcat" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=74 scontext=u:r:tlogcat:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow tlogcat debug_param:file { read open map }; +#avc: denied { search } for pid=677 comm="tlogcat" name="/" dev="sdd80" ino=3 scontext=u:r:tlogcat:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow tlogcat data_file:dir { search }; +#avc: denied { search } for pid=677 comm="tlogcat" name="socket" dev="tmpfs" ino=38 scontext=u:r:tlogcat:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow tlogcat dev_unix_socket:dir { search }; +#avc: denied { read } for pid=677 comm="tlogcat" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:tlogcat:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=677 comm="tlogcat" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:tlogcat:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=677 comm="tlogcat" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:tlogcat:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow tlogcat hilog_param:file { map open read }; +#avc: denied { read } for pid=677 comm="tlogcat" name="overcommit_memory" dev="proc" ino=3092 scontext=u:r:tlogcat:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=677 comm="tlogcat" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=3092 scontext=u:r:tlogcat:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow tlogcat proc_file:file { open read }; +#avc: denied { entrypoint } for pid=677 comm="init" path="/system/bin/tlogcat" dev="sdd76" ino=428 scontext=u:r:tlogcat:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=677 comm="tlogcat" path="/system/bin/tlogcat" dev="sdd76" ino=428 scontext=u:r:tlogcat:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=677 comm="tlogcat" path="/system/bin/tlogcat" dev="sdd76" ino=428 scontext=u:r:tlogcat:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=677 comm="tlogcat" path="/system/bin/tlogcat" dev="sdd76" ino=428 scontext=u:r:tlogcat:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow tlogcat system_bin_file:file { entrypoint execute map read }; + +typeattribute tlogcat public_violator_data_log_dir_createwrite; +typeattribute tlogcat public_violator_data_log_file_createwrite; diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/init.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/init.te new file mode 100644 index 0000000000000000000000000000000000000000..b7e9e6822a6b931850ae30cf29b6dd15b3df5ccb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init teecd:process { rlimitinh siginh transition }; +allow init teecd_data_file_vendor:dir { relabelto getattr setattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/teecd.te b/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/teecd.te new file mode 100644 index 0000000000000000000000000000000000000000..32d35dbb4b1a9c9053f3dce17dab30bb483626b9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_client/vendor/teecd.te @@ -0,0 +1,55 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow teecd dev_tee_public:chr_file { read write open ioctl }; +allow teecd dev_tee_private:chr_file { read write open ioctl }; + +allow teecd teecd_data_file:dir create_dir_perms; +allow teecd teecd_data_file:filesystem { getattr }; +allow teecd teecd_data_file:file create_file_perms; +allow teecd teecd_data_file:lnk_file { unlink create read setattr getattr }; +allow teecd teecd_data_file:dir { setattr mounton }; +allow teecd teecd_data_file_vendor:dir create_dir_perms; +allow teecd teecd_data_file_vendor:filesystem { getattr }; +allow teecd teecd_data_file_vendor:file create_file_perms; +allow teecd teecd_data_file_vendor:lnk_file { unlink create read setattr getattr }; + +#avc: denied { search } for pid=1149 comm="teecd" name="/" dev="sdd78" ino=3 scontext=u:r:teecd:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow teecd data_file:dir { search }; +#avc: denied { search } for pid=1149 comm="teecd" name="vendor" dev="sdd78" ino=93 scontext=u:r:teecd:s0 tcontext=u:object_r:data_vendor:s0 tclass=dir permissive=1 +allow teecd data_vendor:dir { search }; +#avc: denied { search } for pid=626 comm="teecd" name="socket" dev="tmpfs" ino=38 scontext=u:r:teecd:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow teecd dev_unix_socket:dir { search }; +#avc: denied { read } for pid=626 comm="teecd" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:teecd:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=626 comm="teecd" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:teecd:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=626 comm="teecd" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=63 scontext=u:r:teecd:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow teecd hilog_param:file { map open read }; +#avc: denied { read } for pid=626 comm="teecd" name="overcommit_memory" dev="proc" ino=3092 scontext=u:r:teecd:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=626 comm="teecd" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=3092 scontext=u:r:teecd:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 +allow teecd proc_file:file { open read }; +#avc: denied { entrypoint } for pid=626 comm="init" path="/vendor/bin/teecd" dev="sdd74" ino=20 scontext=u:r:teecd:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=626 comm="teecd" path="/vendor/bin/teecd" dev="sdd74" ino=20 scontext=u:r:teecd:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=626 comm="teecd" path="/vendor/bin/teecd" dev="sdd74" ino=20 scontext=u:r:teecd:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=626 comm="teecd" path="/vendor/bin/teecd" dev="sdd74" ino=20 scontext=u:r:teecd:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=file permissive=1 +allow teecd vendor_bin_file:file { entrypoint execute map read open getattr }; +allow teecd vendor_bin_file:dir { search }; +allow teecd vendor_etc_file:dir { search }; +allow teecd vendor_etc_file:file { read open getattr }; +allow teecd dev_console_file:chr_file { read write }; +allow teecd debug_param:file { read open map }; + +debug_only(` + allow teecd sh:dir { search }; + allow teecd sh:file { read open getattr }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file.te b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..e9261d2ff3725cb7d46fa9baa8c2a979faa69f9d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_tee_public, dev_attr; +type dev_tee_private, dev_attr; +type dev_tee_log, dev_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file_contexts b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..d2fdae7a043c6f933e7ec22951415771b3defbe1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/file_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/dev/tc_ns_client u:object_r:dev_tee_public:s0 +/dev/teelog u:object_r:dev_tee_log:s0 +/dev/tc_private u:object_r:dev_tee_private:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/init.te b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/init.te new file mode 100644 index 0000000000000000000000000000000000000000..ae50ba463e733b61eb101c1576047f327d070905 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/init.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init dev_tee_public:chr_file { setattr }; +allow init dev_tee_private:chr_file { setattr }; +allow init dev_tee_log:chr_file { setattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/ueventd.te b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..ec97297e75175ef58a130f4f7e5570b78d582473 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/tee/tee_tzdriver/public/ueventd.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_tee_public:chr_file { relabelto }; +allow ueventd dev_tee_log:chr_file { relabelto }; +allow ueventd dev_tee_private:chr_file { relabelto }; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/public/telephony_sa.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/public/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..d8fc6f573c61a036d5bbca02c7e8a804330412a6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/public/telephony_sa.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_foundation_tel_state_registry, sa_service_attr; +type sa_net_policy_manager, sa_service_attr; +type sa_telephony_tel_cellular_data, sa_service_attr; +type sa_telephony_tel_sms_mms, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/accountmgr.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..aeaffb28b9aaac11286fc6030e9cfd5de853c6f2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/accountmgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr telephony_sa:binder transfer; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..66f211cbdffd94225a801ba5c10dcfd09de368e9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn normal_hap_attr:process dyntransition; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/av_codec_service.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/av_codec_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9e550676d748d9e945657ff22de41c84f861d04a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/av_codec_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow av_codec_service telephony_sa:binder { call transfer }; +allow av_codec_service telephony_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/camera_service.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/camera_service.te new file mode 100644 index 0000000000000000000000000000000000000000..e71179ae88caff3cdc6e09ab8f09f1a90414d6aa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/camera_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow camera_service telephony_sa:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/chipset_init.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/chipset_init.te new file mode 100644 index 0000000000000000000000000000000000000000..2f759696d78ba4c4b369d27f98ef0dca221170a8 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/chipset_init.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow chipset_init riladapter_host:process { rlimitinh siginh transition }; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/composer_host.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/composer_host.te new file mode 100644 index 0000000000000000000000000000000000000000..9a8370ba9105754b2e5d7c33253bc8fe8ff64ca0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/composer_host.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow composer_host telephony_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/file.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/file.te new file mode 100644 index 0000000000000000000000000000000000000000..3750ae443b1161b9783f8c6040938b41fcc7dccd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/file.te @@ -0,0 +1,14 @@ +# Copyright (C) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_voice_proxy, dev_attr; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/foundation.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..c2325b83df78b2db473c89e289713018314aa944 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/foundation.te @@ -0,0 +1,37 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation audio_server:binder { call transfer }; +allow foundation camera_service:binder { call transfer }; +allow foundation drm_service:binder { call transfer }; +allow foundation persist_param:parameter_service set; +allow foundation riladapter_host:binder { call transfer }; +allow foundation sa_audio_policy_service:samgr_class get; +allow foundation sa_camera_service:samgr_class get; +allow foundation sa_drm_service:samgr_class get; +allow foundation sa_device_usage_statistics_service:samgr_class get; +allow foundation sa_foundation_tel_call_manager:samgr_class { add get }; +allow foundation sa_foundation_tel_state_registry:samgr_class { add get }; +allow foundation sa_pulseaudio_audio_service:samgr_class get; +allow foundation sa_telephony_tel_cellular_call:samgr_class get; +allow foundation sa_telephony_tel_cellular_data:samgr_class get; +allow foundation sa_telephony_tel_core_service:samgr_class get; +allow foundation sa_telephony_tel_sms_mms:samgr_class get; +allow foundation telephony_sa:dir search; +allow foundation telephony_sa:file { open read getattr }; +allow foundation data_data_file:dir { search }; +allow foundation data_data_pulse_dir:dir { getattr open read search }; +allow foundation data_data_pulse_dir:file { lock open read write }; +allow foundation native_socket:sock_file { write }; +allow foundation audio_server:unix_stream_socket { connectto }; +allow foundation sa_miscdevice_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..36d974a25be473c61091e928ba9705f7ad26b0ae --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hap_domain.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr normal_hap_data_file_attr:dir { add_name write }; +allow normal_hap_attr normal_hap_data_file_attr:file create; +allow normal_hap_attr proc_boot_id:file { open read }; +allow normal_hap_attr rootfs:dir mounton; +allow normal_hap_attr sa_foundation_tel_call_manager:samgr_class get; +allow normal_hap_attr sa_telephony_tel_sms_mms:samgr_class get; +allow normal_hap_attr telephony_sa:binder transfer; +allow normal_hap_attr tmpfs:dir { add_name create mounton write }; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..7063a5d2e9b478695dd65a7f2868567b69d4b58e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/hdf_devmgr.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr riladapter_host:binder { call transfer }; +allow hdf_devmgr riladapter_host:dir search; +allow hdf_devmgr riladapter_host:file { open read }; +allow hdf_devmgr riladapter_host:process getattr; +debug_only(` + allow hdf_devmgr sh:binder transfer; + allow hdf_devmgr sh:dir search; + allow hdf_devmgr sh:file { open read }; + allow hdf_devmgr sh:process getattr; +') +allow hdf_devmgr telephony_sa:binder transfer; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/init.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..79065c5df26d1b71f16b58b6734208a7581be165 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/init.te @@ -0,0 +1,37 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init normal_hap_attr:dir { getattr search }; +allow init normal_hap_attr:file { open read }; +allow init normal_hap_attr:lnk_file read; +allow init normal_hap_attr:process getattr; +allow init riladapter_host:process { rlimitinh siginh transition }; +allow init telephony_sa:binder { call transfer }; +allow init telephony_sa:dir { getattr search }; +allow init telephony_sa:file { open read }; +allow init telephony_sa:lnk_file read; +allow init telephony_sa:process getattr; +allow init telephony_sa:process { rlimitinh siginh transition }; + +# for create map file +allow const_telephony_param tmpfs:filesystem associate; +allow telephony_param tmpfs:filesystem associate; +allow init const_telephony_param:file { map open read relabelto relabelfrom }; +allow init telephony_param:file { map open read relabelto relabelfrom }; + +#for set +allow { init telephony_sa riladapter_host } telephony_param:parameter_service { set }; + +#for read +allow domain const_telephony_param:file { map open read }; +allow domain telephony_param:file { map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..d6f2a7071ede3dad099b00a8ca9e0797868312d2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/memmgrservice.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice riladapter_host:file getattr; +allow memmgrservice telephony_sa:file getattr; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/netsysnative.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/netsysnative.te new file mode 100644 index 0000000000000000000000000000000000000000..94178d9e34733f1d45d95d4242dc08576b1e2569 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/netsysnative.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netsysnative telephony_sa:binder call; +allow netsysnative telephony_sa:tcp_socket { read write bind getopt setopt connect }; +allow netsysnative telephony_sa:udp_socket { read write bind getopt setopt connect }; +allow netsysnative telephony_sa:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/render_service.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d499fd55f205fa23d0b3289c9786aec7549ab928 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/render_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service telephony_sa:fd { use }; +allow render_service sys_prod_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/riladapter_host.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/riladapter_host.te new file mode 100644 index 0000000000000000000000000000000000000000..28be848de12478a5492acea0b7a36dfe730a5aeb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/riladapter_host.te @@ -0,0 +1,87 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type hdf_cellular_radio_ext, hdf_service_attr; +type hdf_ril_service, hdf_service_attr; + +allow riladapter_host accessibility_param:file { map open read }; +allow riladapter_host bootevent_param:file { map open read }; +allow riladapter_host bootevent_samgr_param:file { map open read }; +allow riladapter_host build_version_param:file { map open read }; +allow riladapter_host chip_prod_file:dir search; +allow riladapter_host chip_prod_file:file { getattr open read }; +allow riladapter_host const_allow_mock_param:file { map open read }; +allow riladapter_host const_allow_param:file { map open read }; +allow riladapter_host const_build_param:file { map open read }; +allow riladapter_host const_display_brightness_param:file { map open read }; +allow riladapter_host const_param:file { map open read }; +allow riladapter_host const_postinstall_fstab_param:file { map open read }; +allow riladapter_host const_postinstall_param:file { map open read }; +allow riladapter_host const_product_param:file { map open read }; +allow riladapter_host debug_param:file { map open read }; +allow riladapter_host default_param:file { map open read }; +allow riladapter_host dev_file:chr_file { open read write ioctl }; +allow riladapter_host dev_hdf_kevent:chr_file { getattr ioctl open read write }; +allow riladapter_host dev_unix_socket:dir search; +allow riladapter_host distributedsche_param:file { map open read }; +allow riladapter_host foundation:binder { call transfer }; +allow riladapter_host hilog_param:file { map open read }; +allow riladapter_host hdf_device_manager:hdf_devmgr_class get; +allow riladapter_host hdf_devmgr:binder { call transfer }; +allow riladapter_host hw_sc_build_os_param:file { map open read }; +allow riladapter_host hw_sc_build_param:file { map open read }; +allow riladapter_host hw_sc_param:file { map open read }; +allow riladapter_host init_param:file { map open read }; +allow riladapter_host init_svc_param:file { map open read }; +allow riladapter_host input_pointer_device_param:file { map open read }; +allow riladapter_host musl_param:file { map open read }; +allow riladapter_host net_param:file { map open read }; +allow riladapter_host net_tcp_param:file { map open read }; +allow riladapter_host ohos_boot_param:file { map open read }; +allow riladapter_host ohos_param:file { map open read }; +allow riladapter_host persist_param:file { map open read }; +allow riladapter_host persist_sys_param:file { map open read }; +allow riladapter_host power_host:binder call; +binder_call(riladapter_host, powermgr); +allow riladapter_host proc_net:file { getattr open }; +allow riladapter_host samgr:binder call; +#avc: denied { get } for service=power_interface_service pid=439 scontext=u:r:riladapter_host:s0 tcontext=u:object_r:hdf_power_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow riladapter_host hdf_power_interface_service:hdf_devmgr_class get; +#avc: denied { add } for service=ril_service pid=439 scontext=u:r:riladapter_host:s0 tcontext=u:object_r:hdf_ril_service:s0 tclass=hdf_devmgr_class permissive=1 +allow riladapter_host hdf_ril_service:hdf_devmgr_class add; +allow riladapter_host sa_device_service_manager:samgr_class get; +allow riladapter_host sa_powermgr_powermgr_service:samgr_class get; +allow riladapter_host security_param:file { open read map }; +allow riladapter_host self:capability net_admin; +allow riladapter_host self:udp_socket { create ioctl }; +debug_only(` + allow riladapter_host sh:binder call; +') +allow riladapter_host sh_exec:file { execute execute_no_trans map open read }; +allow riladapter_host startup_param:file { map open read }; +allow riladapter_host sys_file:dir { open read }; +allow riladapter_host sys_file:file getattr; +allow riladapter_host sys_param:file { map open read }; +allow riladapter_host sys_usb_param:file { map open read }; +allow riladapter_host system_bin_file:dir search; +allow riladapter_host system_bin_file:file { execute execute_no_trans getattr map open read }; +allow riladapter_host system_bin_file:lnk_file read; +allow riladapter_host toybox_exec:file { execute execute_no_trans getattr map open read }; +allow riladapter_host toybox_exec:lnk_file read; +allow riladapter_host telephony_sa:binder call; +allow riladapter_host tty_device:chr_file { open read write }; +allow riladapter_host vendor_etc_file:dir search; +allow riladapter_host vendor_etc_file:file { getattr open read }; +allow riladapter_host data_file:dir search; +allow riladapter_host data_local:dir search; +allow riladapter_host dev_console_file:chr_file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/samgr.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..230354eef6c7f41bb114b3dcd6c9b92e207cadea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/samgr.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr telephony_sa:binder transfer; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..426e3afe6ec0ab8714fd10844ff04930fef1762b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_basic_hap.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr sa_foundation_tel_state_registry:samgr_class get; +allow system_basic_hap_attr sa_telephony_tel_core_service:samgr_class get; +allow system_basic_hap_attr sa_telephony_tel_cellular_data:samgr_class get; +allow system_basic_hap_attr sa_telephony_tel_sms_mms:samgr_class get; +allow system_basic_hap_attr telephony_sa:binder { call transfer }; +allow system_basic_hap_attr sa_foundation_tel_call_manager:samgr_class get; + diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a516e99ab0c65f037284bec5aafa56324be7b2b2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/system_core_hap.te @@ -0,0 +1,26 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_comm_ethernet_manager_service:samgr_class get; +allow system_core_hap_attr sa_comm_mdns_manager_service:samgr_class get; +allow system_core_hap_attr sa_foundation_tel_call_manager:samgr_class get; +allow system_core_hap_attr sa_foundation_tel_state_registry:samgr_class get; +allow system_core_hap_attr sa_net_policy_manager:samgr_class get; +allow system_core_hap_attr sa_netsys_native_manager:samgr_class get; +allow system_core_hap_attr sa_telephony_tel_cellular_data:samgr_class get; +allow system_core_hap_attr sa_telephony_tel_core_service:samgr_class get; +allow system_core_hap_attr sa_telephony_tel_sms_mms:samgr_class get; +allow system_core_hap_attr telephony_sa:binder { call transfer }; +allow system_core_hap_attr paramservice_socket:sock_file { write }; +allow system_core_hap_attr kernel:unix_stream_socket { connectto }; +allow system_core_hap_attr const_param:parameter_service { set }; diff --git a/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/telephony_sa.te b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..a4b03cfde93f37206f6e333110aa88f142f82718 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/telephony/telephony_sa/system/telephony_sa.te @@ -0,0 +1,137 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow telephony_sa accesstoken_service:binder call; +allow telephony_sa accountmgr:binder call; +allow telephony_sa chip_prod_file:dir search; +allow telephony_sa data_file:dir search; +allow telephony_sa data_app_el1_file:dir search; +allow telephony_sa data_app_el1_file:file { getattr open read }; +allow telephony_sa data_app_file:dir search; +allow telephony_sa data_service_el1_file:dir { add_name create search write getattr remove_name open read rmdir }; +allow telephony_sa data_service_el1_file:file { create ioctl open read write getattr setattr rename unlink }; +allow telephony_sa data_service_file:dir search; +allow telephony_sa dev_console_file:chr_file { read write }; +allow telephony_sa distributeddata:binder { call transfer }; +allow telephony_sa distributeddata:fd use; +allow distributeddata telephony_sa:binder { call }; +allow telephony_sa foundation:binder { call transfer }; +allow telephony_sa hdf_cellular_radio_ext:hdf_devmgr_class get; +allow telephony_sa init:binder { call transfer }; +allow telephony_sa kernel:unix_stream_socket connectto; +allow telephony_sa musl_param:file { map open read }; +allow telephony_sa netmanager:binder { call transfer }; +allow telephony_sa netsysnative:binder { call transfer }; +allow telephony_sa normal_hap_attr:binder { call transfer }; +allow telephony_sa normal_hap_attr:fd use; +allow telephony_sa paramservice_socket:sock_file write; +allow telephony_sa persist_param:parameter_service set; +allow telephony_sa privacy_service:binder call; +binder_call(telephony_sa, powermgr); +allow telephony_sa riladapter_host:binder { call transfer }; +allow telephony_sa sa_accesstoken_manager_service:samgr_class get; +allow telephony_sa sa_accountmgr:samgr_class get; +allow telephony_sa sa_comm_net_tethering_manager_service:samgr_class get; +allow telephony_sa sa_device_service_manager:samgr_class get; +allow telephony_sa sa_dataobs_mgr_service_service:samgr_class get; +allow telephony_sa sa_distributeddata_service:samgr_class get; +allow telephony_sa sa_foundation_abilityms:samgr_class get; +allow telephony_sa sa_powermgr_battery_service:samgr_class get; +allow telephony_sa sa_foundation_bms:samgr_class get; +allow telephony_sa sa_foundation_cesfwk_service:samgr_class get; +allow telephony_sa sa_powermgr_powermgr_service:samgr_class get; +allow telephony_sa sa_foundation_tel_call_manager:samgr_class get; +allow telephony_sa sa_foundation_tel_state_registry:samgr_class get; +allow telephony_sa sa_location_locator_service:samgr_class get; +allow telephony_sa sa_netsys_native_manager:samgr_class get; +allow telephony_sa sa_net_conn_manager:samgr_class get; +allow telephony_sa sa_net_policy_manager:samgr_class get; +allow telephony_sa sa_param_watcher:samgr_class get; +allow telephony_sa sa_privacy_service:samgr_class get; +allow telephony_sa sa_telephony_tel_cellular_call:samgr_class { add get }; +allow telephony_sa sa_telephony_tel_cellular_data:samgr_class { add get }; +allow telephony_sa sa_telephony_tel_core_service:samgr_class { add get }; +allow telephony_sa sa_telephony_tel_ims:samgr_class { add get }; +allow telephony_sa sa_telephony_tel_sms_mms:samgr_class { add get }; +allow telephony_sa netsysnative:unix_stream_socket connectto; +allow telephony_sa port:tcp_socket { name_bind name_connect}; +allow telephony_sa self:tcp_socket { bind connect create getattr getopt read setopt write }; +allow telephony_sa node:tcp_socket { node_bind }; +allow telephony_sa self:udp_socket { bind node_bind connect create read setopt write }; +allow telephony_sa node:udp_socket { node_bind }; +allow telephony_sa sysfs_devices_system_cpu:file read; +allow telephony_sa sysfs_devices_system_cpu:file { getattr open }; +allow telephony_sa data_app_file:file { getattr open read }; +allow telephony_sa sa_time_service:samgr_class get; +allow telephony_sa self:unix_dgram_socket { getopt setopt }; +debug_only(` + allow telephony_sa sh:binder { call transfer }; +') +allow telephony_sa sysfs_net:dir { open read }; +allow telephony_sa system_basic_hap_attr:binder { call transfer }; +allow telephony_sa system_basic_hap_attr:fd use; +allow telephony_sa system_core_hap_attr:binder call; +allow telephony_sa sys_file:dir { open read }; +allow telephony_sa sys_file:file { open read }; +allow telephony_sa sys_prod_file:dir search; +allow telephony_sa time_service:binder call; +allow telephony_sa vendor_etc_file:dir search; +allow telephony_sa sa_foundation_tel_call_manager:samgr_class get; + +#avc: denied { get } for service=ril_service pid=317 scontext=u:r:telephony_sa:s0 tcontext=u:object_r:hdf_ril_service:s0 tclass=hdf_devmgr_class permissive=1 +allow telephony_sa hdf_ril_service:hdf_devmgr_class get; + +allow telephony_sa rootfs:file { read open }; +allow telephony_sa vendor_etc_file:file { read open }; +allow telephony_sa chip_prod_file:file { read open }; +allow telephony_sa sys_prod_file:file { read open }; +allow telephony_sa sysfs_net:file { getattr open read }; +allow telephony_sa locationhub:binder { call transfer }; +allow telephony_sa system_usr_file:dir { read open }; +allow telephony_sa sysfs_devices_system_cpu:file { getattr open read }; + +allow telephony_sa netsysnative:bpf { map_read }; +allow telephony_sa netsysnative:unix_stream_socket { connectto read write }; +allow telephony_sa telephony_sa:netlink_route_socket { connect getopt setopt bind setattr getattr listen read nlmsg_read nlmsg_readpriv nlmsg_write create write }; +allow telephony_sa sa_av_codec_service:samgr_class { get }; +allow telephony_sa av_codec_service:binder { call transfer }; +allow telephony_sa av_codec_service:fd { use }; +allow telephony_sa camera_service:binder { call transfer }; +allow telephony_sa sa_camera_service:samgr_class { get }; +allow telephony_sa sa_foundation_wms:samgr_class { get }; +allow telephony_sa sa_foundation_devicemanager_service:samgr_class { get }; +allow telephony_sa data_log:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow telephony_sa data_log:file { create getattr lock map open read rename setattr unlink write append }; +allow telephony_sa device_manager:binder { call transfer }; +allow telephony_sa render_service:binder { call }; +allow telephony_sa render_service:fd { use }; +allow telephony_sa hdf_allocator_service:hdf_devmgr_class { get }; +allow telephony_sa sysfs_devices_system_cpu:file { getattr open read }; +allow telephony_sa sysfs_devices_system_cpu:dir { open read }; +allow telephony_sa allocator_host:binder { call }; +allow telephony_sa allocator_host:fd { use }; +allow telephony_sa sa_foundation_dms:samgr_class { get }; +allow telephony_sa dev_ashmem_file:chr_file { open }; +allow telephony_sa data_local:dir search; +allow telephony_sa proc_net:file { getattr open read }; +allow telephony_sa dev_voice_proxy:chr_file { open read write }; +allow telephony_sa telephony_sa:udp_socket { read write create getattr bind connect getopt setopt shutdown }; +allow telephony_sa telephony_sa:tcp_socket { read write create getattr bind connect getopt setopt shutdown }; +allow telephony_sa tty_device:chr_file { read write open }; +allow telephony_sa data_local_tmp:dir { getattr }; +allow telephony_sa system_bin_file:lnk_file { read }; +allow telephony_sa sa_huks_service:samgr_class { get }; +allow telephony_sa huks_service:binder { call transfer }; + +allow telephony_sa tty_device:chr_file { ioctl }; +allowxperm telephony_sa tty_device:chr_file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/public/type.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..6998118212b54da013606e728826d7e17f43cf22 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_local_tmp_wukong, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..e854f50917d0a60af45039eff81738b98d4014d0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/accessibility.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +allow accessibility wukong:binder { call transfer }; +') + + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/appspawn.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..51382e2950a998766b7ee68ba312373a3979461b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/appspawn.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn data_storage:dir { mounton }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/console.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/console.te new file mode 100644 index 0000000000000000000000000000000000000000..726e198cfd02f585bfcf6c5f07d7a69ac388fc22 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/console.te @@ -0,0 +1,28 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +allow console system_bin_file:lnk_file { read }; +allow console system_bin_file:file { execute getattr }; +allow console toybox_exec:lnk_file { read }; +allow console tty_device:chr_file { ioctl }; +allow console system_bin_file:file { read open execute_no_trans map }; +allow console toybox_exec:file { execute execute_no_trans getattr map read open }; +allow console rootfs:dir { read open }; +allow console lib_file:lnk_file { getattr }; +allowxperm console tty_device:chr_file ioctl 0x5410; +allow console data_file:dir { getattr }; +allow console etc_file:lnk_file { getattr }; +allow console system_file:dir { getattr }; +allow console updater_file:dir { getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..6cc92473fb35a6f6743356f3c9b86d57c59bcc29 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/faultloggerd.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd system_basic_hap_attr:process { signal }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/file_contexts b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3c04f5dc2b12675a5669e81f28bf93b0e64ee00e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/file_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# for wukong tool +/system/bin/wukong u:object_r:wukong_exec:s0 + +/data/local/tmp/wukong(/.*)? u:object_r:data_local_tmp_wukong:s0 diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/foundation.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..115bbdb0faf51e37db79ec4009df4f8cd9dc5ecc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/foundation.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation hdf_allocator_service:hdf_devmgr_class { get }; + +developer_only(` +allow foundation wukong:binder { call transfer }; +') + + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..b2aec354bfd98d4a938998b4a20eba3ad48a9e16 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hap_domain.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +allow hap_domain wukong:binder { call }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..d4d058c63f14d70a21ac1d34dc3bc4346cc7d24d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hdcd.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +allow hdcd wukong:process { signal }; +') diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hiview.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..6c9d4ce5d4ac287a0e6cbb17e05004b297436519 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/hiview.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +allow hiview faultloggerd_temp_file:file { getattr }; +allow hiview system_basic_hap_attr:dir { search }; +allow hiview system_basic_hap_attr:file { open read }; +allow hiview wukong:binder { call }; +allow hiview wukong:dir { search getattr }; +allow hiview wukong:file { getattr open read }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/inputmethod_service.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2318d410e91c98d62052b360b7f71f3a63ef07cc --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/inputmethod_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow inputmethod_service system_core_hap_attr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/multimodalinput.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..a318019032dfbed2cd5ffb5b16e1c27750862b1b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/multimodalinput.te @@ -0,0 +1,26 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput render_service:binder { call }; +allow multimodalinput render_service:binder { transfer }; +allow multimodalinput foundation:binder { transfer }; +allow multimodalinput allocator_host:fd { use }; +allow multimodalinput system_core_hap_attr:fd { use }; +allow multimodalinput dev_dri_file:dir { search }; +allow multimodalinput dev_dri_file:chr_file { getattr }; +allow multimodalinput hdf_allocator_service:hdf_devmgr_class { get }; +allow multimodalinput sa_device_service_manager:samgr_class { get }; +allow multimodalinput sa_foundation_dms:samgr_class { get }; +allow multimodalinput sa_foundation_wms:samgr_class { get }; +allow multimodalinput sa_multimodalinput_service:samgr_class { get }; +allow multimodalinput sa_render_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..c3bea582bffda27bb2288feb476d5bf445e7a343 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/netmanager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager normal_hap_attr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..78412b64c5a9f46a236c668c64126c6f9bef7533 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/normal_hap.te @@ -0,0 +1,35 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +allow normal_hap_attr sh:binder { call }; +allowxperm normal_hap_attr dev_mali:chr_file ioctl { 0x800f }; +allow normal_hap_attr dev_mali:chr_file { ioctl }; +') + +allow normal_hap_attr build_version_param:file { read open map }; +allow normal_hap_attr bootevent_samgr_param:file { read open map }; +allow normal_hap_attr input_pointer_device_param:file { read open map }; +allow normal_hap_attr const_display_brightness_param:file { read }; +allow normal_hap_attr netmanager:binder { call transfer }; +allow normal_hap_attr const_display_brightness_param:file { map open }; +allow normal_hap_attr default_param:file { map open read }; +allow normal_hap_attr dev_unix_socket:sock_file { write }; +allow normal_hap_attr distributedsche_param:file { map open read }; +allow normal_hap_attr faultloggerd_temp_file:file { read write }; +allow normal_hap_attr netmanager:binder { call transfer }; +allow normal_hap_attr appspawn_exec:file { getattr map open read }; +allow normal_hap_attr dev_unix_socket:sock_file { write }; +allow normal_hap_attr faultloggerd_temp_file:file { read write read write }; + + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..b77c3775b2a32c81065f39e51b853cc50b187bc2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/param_watcher.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +allow param_watcher wukong:binder { call }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/power_host.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..2395a0aa6f7f6b1b8d1f446556df8c28bc622ab2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/power_host.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow power_host data_log:dir { search }; +allow power_host data_log:file { append ioctl open read }; +allowxperm power_host data_log:file ioctl { 0x5413 }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/processdump.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..9afccfc6902397cdb475c6c0f3f6dd9aa2b390b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/processdump.te @@ -0,0 +1,25 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow processdump debug_param:file { map }; +allow processdump startup_param:file { read open map }; +allow processdump bootevent_param:file { read open map }; +allow processdump build_version_param:file { read open map }; +allow processdump bootevent_samgr_param:file { map open read }; +allow processdump const_display_brightness_param:file { map open read }; +allow processdump default_param:file { map open read }; +allow processdump dev_kmsg_file:chr_file { open write }; +allow processdump distributedsche_param:file { map open read }; +allow processdump input_pointer_device_param:file { map open read }; +allow processdump system_bin_file:file { getattr map open read }; +allow processdump toybox_exec:file { getattr map open read }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/render_service.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0ff9294b1699848c69dcc23edc9639567c0de343 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/render_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service multimodalinput:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/samgr.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2a8f66ecbb9ad64ffc88af6c4c786271438be568 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/samgr.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr processdump:binder { transfer }; + +developer_only(` +allow samgr wukong:binder { call transfer }; +allow samgr wukong:dir { search }; +allow samgr wukong:file { open read }; +allow samgr wukong:process { getattr }; +') + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..39a29202fb8a4706791afa24aed7ae00e6f9b068 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_basic_hap.te @@ -0,0 +1,53 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +allow system_basic_hap_attr sh:binder { call }; +') +allow system_basic_hap_attr appspawn_exec:file { getattr map open read }; +allow system_basic_hap_attr bootevent_param:file { map open read }; +allow system_basic_hap_attr bootevent_samgr_param:file { map open read }; +allow system_basic_hap_attr build_version_param:file { map open read }; +allow system_basic_hap_attr const_allow_mock_param:file { map open read }; +allow system_basic_hap_attr const_allow_param:file { map open read }; +allow system_basic_hap_attr const_build_param:file { map open read }; +allow system_basic_hap_attr const_display_brightness_param:file { map open read }; +allow system_basic_hap_attr const_param:file { map open read }; +allow system_basic_hap_attr const_postinstall_fstab_param:file { map open read }; +allow system_basic_hap_attr const_postinstall_param:file { map open read }; +allow system_basic_hap_attr const_product_param:file { map open read }; +allow system_basic_hap_attr debug_param:file { map open read }; +allow system_basic_hap_attr default_param:file { map open read }; +allow system_basic_hap_attr dev_unix_socket:sock_file { write }; +allow system_basic_hap_attr distributedsche_param:file { map open read }; +allow system_basic_hap_attr faultloggerd_temp_file:file { read write read write }; +allow system_basic_hap_attr hilog_param:file { map open read }; +allow system_basic_hap_attr hw_sc_build_os_param:file { map open read }; +allow system_basic_hap_attr hw_sc_build_param:file { map open read }; +allow system_basic_hap_attr hw_sc_param:file { map open read }; +allow system_basic_hap_attr init_param:file { map open read }; +allow system_basic_hap_attr init_svc_param:file { map open read }; +allow system_basic_hap_attr input_pointer_device_param:file { map open read }; +allow system_basic_hap_attr net_param:file { map open read }; +allow system_basic_hap_attr net_tcp_param:file { map open read }; +allow system_basic_hap_attr ohos_boot_param:file { map open read }; +allow system_basic_hap_attr ohos_param:file { map open read }; +allow system_basic_hap_attr persist_param:file { map open read }; +allow system_basic_hap_attr persist_sys_param:file { map open read }; +allow system_basic_hap_attr security_param:file { map open read }; +allow system_basic_hap_attr startup_param:file { map open read }; +allow system_basic_hap_attr sys_param:file { map open read }; +allow system_basic_hap_attr sys_usb_param:file { map open read }; +allow system_basic_hap_attr system_basic_hap_attr:process { ptrace }; +allow system_basic_hap_attr system_bin_file:dir { search }; + diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..7d2e5c3110aa9d5d02fef6a9c26aea8974d73257 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/system_core_hap.te @@ -0,0 +1,21 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` +allow system_core_hap_attr sh:binder { call }; +') + +allow system_core_hap_attr system_basic_hap_attr:binder { call }; +allow system_core_hap_attr dev_unix_socket:sock_file { write }; +allow system_core_hap_attr distributedsche_param:file { map open read }; +allow system_core_hap_attr faultloggerd_temp_file:file { read write write }; diff --git a/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/wukong.te b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/wukong.te new file mode 100644 index 0000000000000000000000000000000000000000..cbd732899bc5374f87254c878d74c69a8f57a5ec --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/test_framework/wukong/system/wukong.te @@ -0,0 +1,74 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# neverallow +neverallow wukong { sadomain developer_only(` -sa_accessibleabilityms -sa_foundation_abilityms -sa_foundation_bms -sa_foundation_dms -sa_foundation_wms -sa_multimodalinput_service -sa_sys_event_service -sa_param_watcher -sa_powermgr_powermgr_service')}:samgr_class { get }; + +developer_only(` +allow wukong accessibility:binder { call transfer }; +allow wukong accessibility:dir { search }; +allow wukong accessibility:file { open read }; +allow wukong data_file:dir { search read open }; +allow wukong data_hilogd_file:dir { open read search }; +allow wukong data_hilogd_file:file { getattr open read }; +allow wukong data_local:dir { search read open }; +allow wukong data_log:dir { read watch }; +allow wukong data_log:file { getattr open read }; +allow wukong data_service_el0_file:dir { search }; +allow wukong data_service_file:dir { search }; +allow wukong devpts:chr_file { read write ioctl }; +allow wukong foundation:fd { use }; +allow wukong foundation:binder { call }; +allow wukong foundation:binder { transfer }; +allow wukong hiview:binder { call transfer }; +allow wukong multimodalinput:binder { call }; +allow wukong samgr:binder { call transfer }; +allow wukong sh:fd { use }; +allow wukong sh:file { read open }; +allow wukong sh:dir { search }; +allow wukong sh_exec:file { execute_no_trans execute read open map }; +allow wukong power_shell_exec:file { execute execute_no_trans getattr map read open }; +allow wukong system_bin_file:file { execute execute_no_trans getattr map read open }; +allow wukong system_bin_file:lnk_file { read }; +allow wukong toybox_exec:file { execute execute_no_trans getattr map read open }; +allow wukong toybox_exec:lnk_file { read }; +allow wukong system_bin_file:dir { search }; +allow wukong multimodalinput:fd { use }; +allow wukong multimodalinput:unix_stream_socket { write read }; +allow wukong dev_unix_socket:dir { search }; +binder_call(wukong, powermgr); + +allowxperm wukong data_local_tmp:file ioctl { 0x5413 }; +allowxperm wukong devpts:chr_file ioctl { 0x5413 }; + +allow wukong sa_accessibleabilityms:samgr_class { get }; +allow wukong sa_foundation_abilityms:samgr_class { get }; +allow wukong sa_foundation_bms:samgr_class { get }; +allow wukong sa_foundation_dms:samgr_class { get }; +allow wukong sa_foundation_wms:samgr_class { get }; +allow wukong sa_multimodalinput_service:samgr_class { get }; +allow wukong sa_sys_event_service:samgr_class { get }; +allow wukong sa_param_watcher:samgr_class { get }; +allow wukong sa_powermgr_powermgr_service:samgr_class { get }; +allow wukong render_service:fd { use }; + +# for data_local_tmp +allow wukong data_local_tmp:file { create getattr read relabelfrom ioctl write open unlink append }; +allow wukong data_local_tmp:dir { add_name create getattr read write open search remove_name }; + +# hdcd +allow wukong hdcd:fifo_file { read write }; +allow wukong hdcd:unix_stream_socket { read write }; +allow wukong hdcd:fd { use }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/public/file.te b/prebuilts/api/5.0/ohos_policy/update/module_update/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..66c6f6d8d6c465b2a970cf9586b0be446db057f3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/public/file.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type dev_mapper_control_file, dev_attr; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/update/module_update/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..4520f9b1458a67b7a3f4f762a65d07515998dfe5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/public/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +persist.moduleupdate.bms. u:object_r:update_updater_param:s0 +persist.moduleupdate.bms.install. u:object_r:update_updater_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/public/type.te b/prebuilts/api/5.0/ohos_policy/update/module_update/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..86d5433205dce1685c6a5354b7983584ec918a28 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/public/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type module_update_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/domain.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/domain.te new file mode 100644 index 0000000000000000000000000000000000000000..d323b4a67f611a001cf94f0b70bd62e70e921a71 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/domain.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +neverallow { domain -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update + data_module_update_package system_module_update_file }:{ file dir } *; + +# sa process which support module update should add itself here +neverallow { domain -init -module_update_service -foundation -module_update_binary_file_violator_file_dir } { module_update_file + module_update_bin_file module_update_lib_file }:{ file dir } *; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/file_contexts b/prebuilts/api/5.0/ohos_policy/update/module_update/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..939049a5d8d4f430a75057775fa8ed57df929ff9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/file_contexts @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/module_update u:object_r:rootfs:s0 +/module_update(/.*)? u:object_r:module_update_file:s0 +/module_update/bin(/.*)? u:object_r:module_update_bin_file:s0 +/module_update/lib(/.*)? u:object_r:module_update_lib_file:s0 +/module_update/lib64(/.*)? u:object_r:module_update_lib_file:s0 +/data/module_update u:object_r:data_module_update:s0 +/data/module_update/(.*)? u:object_r:data_module_update:s0 +/data/module_update_package u:object_r:data_module_update_package:s0 +/data/module_update_package/(.*)? u:object_r:data_module_update_package:s0 +/system/module_update(/.*)? u:object_r:system_module_update_file:s0 +/system/bin/module_update_client u:object_r:module_update_service_exec:s0 +/system/bin/check_module_update u:object_r:module_update_service_exec:s0 +/dev/mapper/control u:object_r:dev_mapper_control_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/foundation.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..5707d6e6479f1c72c454e1c8eba57dbf438d9ca0 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/foundation.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation sysfs_devices_system_cpu:file { open read getattr }; +allow foundation musl_param:file { map }; +allow foundation module_update_file:dir { search }; +allow foundation module_update_file:file { open read getattr }; +allow foundation module_update_lib_file:dir { search }; +allow foundation module_update_lib_file:file { open read getattr map execute }; + +#avc: denied { transfer } for pid=1378 comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:module_update_service:s0 tclass=binder permissive=1 +allow foundation module_update_service:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/init.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..302bd381267a39a4a206dbe43036e9b0ca73d596 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/init.te @@ -0,0 +1,36 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_module_update:dir { add_name create getattr link open read relabelto remove_name search setattr unlink write }; +allow init data_module_update_package:dir { getattr open read relabelto search setattr write }; +allow init data_module_update_package:file { getattr link open read map unlink relabelfrom write }; +allow init data_module_update:file { getattr link open read map relabelto unlink write }; +allowxperm init dev_block_file:blk_file ioctl { 0x1261 0x4c00 0x4c01 0x4c04 0x4c09 0x4c0a }; +allow init dev_file:chr_file { ioctl open read write }; +allowxperm init dev_file:chr_file ioctl { 0xfd03 0xfd06 0xfd07 0xfd09 }; +allow init dev_mapper_control_file:chr_file { ioctl open read write relabelto getattr setattr }; +allowxperm init dev_mapper_control_file:chr_file ioctl { 0xfd03 0xfd06 0xfd07 0xfd09 0xfd04 }; +allow init dev_loop_control_file:chr_file { getattr ioctl open read write }; +allowxperm init dev_loop_control_file:chr_file ioctl { 0x4c80 0x4c82 }; +allow init module_update_file:dir { search }; +allow init module_update_service:binder { call }; +allow init sa_module_update_service:samgr_class { get }; +allow init sysfs_block_loop:file { open read write }; +allow init system_file:dir { open read }; +allow init system_file:file { open read getattr }; +allow init system_module_update_file:dir { getattr open read search }; +allow init system_module_update_file:file { getattr open read }; +allow init system_profile_file:file { getattr open read }; +allow init tmpfs:dir { remove_name rmdir }; +allow init tmpfs:filesystem { mount }; +allow init sysfs_block_loop:file { getattr open read write }; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/module_update_service.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/module_update_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1503da324d4f7a7dbf049ba164a70c6e975f105d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/module_update_service.te @@ -0,0 +1,113 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type module_update_service_exec, exec_attr, file_attr, system_file_attr; + +init_daemon_domain(module_update_service); + +allow module_update_service bootevent_param:file { map open read }; +allow module_update_service data_file:dir { remove_name search write add_name create setattr read open rmdir getattr relabelfrom }; +allow module_update_service data_module_update:dir { getattr open read remove_name rmdir write search add_name create setattr rename }; +allow module_update_service data_module_update_package:dir { open read remove_name rmdir search write getattr setattr add_name relabelto create }; +allow module_update_service data_module_update_package:file { create read write open unlink ioctl getattr map link }; +allowxperm module_update_service data_module_update_package:file ioctl { 0x5413 }; +allow module_update_service data_module_update:file { create read write open unlink ioctl getattr link map }; +allowxperm module_update_service data_module_update:file ioctl { 0x5413 }; +allow module_update_service debug_param:file { map open read }; +allow module_update_service dev_console_file:chr_file { open read write }; +allow module_update_service dev_unix_socket:dir { search }; +allow module_update_service hilog_param:file { map open read }; +allow module_update_service hiview:binder { call transfer }; +allow module_update_service musl_param:file { map open read }; +allow module_update_service param_watcher:binder { call transfer }; +allow module_update_service proc_file:file { open read }; +allow module_update_service sa_module_update_service:samgr_class { add get }; +allow module_update_service sa_param_watcher:samgr_class { get }; +allow module_update_service sa_sys_event_service:samgr_class { get }; +allow module_update_service sysfs_devices_system_cpu:file { getattr open read }; +allow module_update_service system_bin_file:dir { search }; +allow module_update_service system_bin_file:file { entrypoint map read execute }; +allow module_update_service system_module_update_file:dir { getattr open read search }; +allow module_update_service system_module_update_file:file { getattr open read }; +allow module_update_service vendor_bin_file:dir { search }; +allow module_update_service system_file:dir { read search getattr open }; +allow module_update_service update_firmware_file:dir { add_name search write remove_name getattr append read open }; +allow module_update_service update_firmware_file:file { append create open read write rename unlink getattr setattr map }; +allow module_update_service data_updater_file:dir { add_name search write remove_name getattr }; +allow module_update_service data_updater_file:file { append create open read write rename unlink getattr setattr relabelfrom }; +allow module_update_service kernel:unix_stream_socket { connectto }; +allow module_update_service servicectrl_reboot_param:parameter_service { set }; +allow module_update_service paramservice_socket:sock_file { write }; +allow module_update_service accesstoken_service:binder { call }; +allow module_update_service sa_accesstoken_manager_service:samgr_class { get }; +allow module_update_service updater_sa:binder { call }; +allow module_update_service vendor_etc_file:dir { search }; +allow module_update_service module_update_service:unix_dgram_socket { getopt setopt }; +allow module_update_service dev_kmsg_file:chr_file { write open }; +allow module_update_service module_update_service:binder { call }; +allow module_update_service chip_prod_file:dir { search }; +allow module_update_service data_service_el1_file:dir { search }; +allow module_update_service dev_block_volfile:dir { open read search }; +allow module_update_service samgr_writable_param:parameter_service { set }; +allow module_update_service sysfs_block_file:dir { open read }; +allow module_update_service sysfs_block_file:file { open write }; +allow module_update_service sysfs_block_loop:file { getattr open write read }; +allow module_update_service tmpfs:dir { create mounton open read rmdir setattr write add_name write remove_name }; +allow module_update_service tty_device:chr_file { read write }; +debug_only(` + allow module_update_service sh:binder { call transfer }; +') + +allow module_update_service update_updater_param:file { map read open}; +allow module_update_service update_updater_param:parameter_service { set }; + +#avc denied { ioctl open read write getattr setattr unlink } for pid=606, comm="system/bin/check_module_update" path="dev/block/loop0" dev="" ino=426 scontext=u:r:module_update_service:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +allow module_update_service dev_block_file:blk_file { ioctl open read write getattr setattr unlink }; +allowxperm module_update_service dev_block_file:blk_file ioctl { 0x1261 0x4c00 0x4c04 0x4c09 0x4c0a 0x4c01 0x4c05 }; + +allow module_update_service dev_loop_control_file:chr_file { getattr ioctl open read write }; +allowxperm module_update_service dev_loop_control_file:chr_file ioctl { 0x4c80 0x4c82 0x4c81 }; + +#avc denied { ioctl open read write } for pid=612, comm="system/bin/check_module_update" path="dev/mapper/control" dev="" ino=59 scontext=u:r:module_update_service:s0 tcontext=u:object_r:dev_mapper_control_file:s0 tclass=chr_file permissive=1 +allow module_update_service dev_mapper_control_file:chr_file { ioctl open read write }; +allowxperm module_update_service dev_mapper_control_file:chr_file ioctl { 0xfd03 0xfd04 0xfd06 0xfd07 0xfd09 }; + +#avc denied { sys_admin } for pid=603, comm="system/bin/check_module_update" capability=21 scontext=u:r:module_update_service:s0 tcontext=u:object_r:module_update_service:s0 tclass=capability permissive=1 +allow module_update_service module_update_service:capability { sys_admin }; + +#avc denied { mount unmount } for pid=606, comm="system/bin/check_module_update" name="" dev="dev/block/loop0" ino=2 scontext=u:r:module_update_service:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1 +allow module_update_service labeledfs:filesystem { mount unmount }; + +#avc denied { setattr } for pid=609, comm="system/bin/check_module_update" name="/devices/virtual/block/loop0/queue/read_ahead_kb" dev="" ino=85 scontext=u:r:module_update_service:s0 tcontext=u:object_r:sysfs_block_loop:s0 tclass=file permissive=1 +allow module_update_service sysfs_block_loop:file { setattr }; + +#avc denied { reparent } for pid=5784, comm="system/bin/sa_main" name="/module_update/backup/arkweb" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=74744 scontext=u:r:module_update_service:s0 tcontext=u:object_r:data_module_update:s0 tclass=dir permissive=1 +allow module_update_service data_module_update:dir { reparent }; + +#avc denied { setattr getattr } for pid=5784, comm="system/bin/sa_main" name="/block/dm-6" dev="" ino=2934 scontext=u:r:module_update_service:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=blk_file permissive=1 +allow module_update_service dev_block_volfile:blk_file { setattr getattr }; + +#avc denied { write remove_name } for pid=5784, comm="system/bin/sa_main" name="/block" dev="" ino=50 scontext=u:r:module_update_service:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow module_update_service dev_block_volfile:dir { write remove_name }; + +#avc denied { call } for pid=5784, comm="system/bin/sa_main" scontext=u:r:module_update_service:s0 tcontext=u:object_r:foundation:s0 tclass=binder permissive=1 +allow module_update_service foundation:binder { call }; + +#avc denied { get } for service=501 sid=u:r:module_update_service:s0 scontext=u:r:module_update_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow module_update_service sa_foundation_appms:samgr_class { get }; + +#avc denied { get } for service=401 sid=u:r:module_update_service:s0 scontext=u:r:module_update_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow module_update_service sa_foundation_bms:samgr_class { get }; + +#avc denied { bind create read setopt } for pid=5576, comm="system/bin/sa_main" scontext=u:r:module_update_service:s0 tcontext=u:object_r:module_update_service:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow module_update_service module_update_service:netlink_kobject_uevent_socket { bind create read setopt }; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..f694b8858d8d4ed14dd1c9ad35de1a9f8d11ce11 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher module_update_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/samgr.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..742cfdfbe8f6035ba1d3a42943e0f6568aacf93c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/samgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr update_updater_param:file { map read open}; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/service.te b/prebuilts/api/5.0/ohos_policy/update/module_update/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..ae6c6fd541e86677c26d860462e7ab21f6332361 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_module_update_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/update/module_update/system/service_contexts b/prebuilts/api/5.0/ohos_policy/update/module_update/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..c73a15c75dd22ea0e1b0484322f525707f5ffca9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/module_update/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +4103 u:object_r:sa_module_update_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/public/type.te b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..49171441d3187e7697691713cd30ebd2c3b1e841 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/public/type.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sys_installer_sa, sadomain, domain; +type sa_sys_installer_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/init.te b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..dabddb965bfe8d5da7dcb09ced4699abc0c5a211 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/init.te @@ -0,0 +1,16 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init sys_installer_sa:dir { search }; +allow init sys_installer_sa:file { open read }; +allow init sys_installer_sa:process { getattr rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..e58e6638fa3fa223e54aff32d356118aa8dbf4e5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/param_watcher.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher sys_installer_sa:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/service_contexts b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..393dc5e439d1bddd07dcab9dd350340a06327122 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +4101 u:object_r:sa_sys_installer_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/sys_installer_sa.te b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/sys_installer_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..d0cd2f0e4cb82edfd0198f48e243730b834cd78c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/sys_installer_sa.te @@ -0,0 +1,125 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sys_installer_sa accesstoken_service:binder { call }; +allow sys_installer_sa bootevent_param:file { map open read }; +allow sys_installer_sa bootevent_samgr_param:file { map open read }; +allow sys_installer_sa build_version_param:file { map open read }; +allow sys_installer_sa const_allow_mock_param:file { map open read }; +allow sys_installer_sa const_allow_param:file { map open read }; +allow sys_installer_sa const_build_param:file { map open read }; +allow sys_installer_sa const_display_brightness_param:file { map open read }; +allow sys_installer_sa const_param:file { map open read }; +allow sys_installer_sa const_postinstall_fstab_param:file { map open read }; +allow sys_installer_sa const_postinstall_param:file { map open read }; +allow sys_installer_sa const_product_param:file { map open read }; +allow sys_installer_sa debug_param:file { map open read }; +allow sys_installer_sa default_param:file { map open read }; +allow sys_installer_sa distributedsche_param:file { map open read }; +allow sys_installer_sa hilog_param:file { map open read }; +allow sys_installer_sa hw_sc_build_os_param:file { map open read }; +allow sys_installer_sa hw_sc_build_param:file { map open read }; +allow sys_installer_sa hw_sc_param:file { map open read }; +allow sys_installer_sa init_param:file { map open read }; +allow sys_installer_sa init_svc_param:file { map open read }; +allow sys_installer_sa input_pointer_device_param:file { map open read }; +allow sys_installer_sa kernel:unix_stream_socket { connectto }; +allow sys_installer_sa net_param:file { map open read }; +allow sys_installer_sa net_tcp_param:file { map open read }; +allow sys_installer_sa ohos_boot_param:file { map open read }; +allow sys_installer_sa ohos_param:file { map open read }; +allow sys_installer_sa ohos_param:parameter_service { set }; +allow sys_installer_sa paramservice_socket:sock_file { write }; +allow sys_installer_sa param_watcher:binder { call transfer }; +allow sys_installer_sa persist_param:file { map open read }; +allow sys_installer_sa persist_sys_param:file { map open read }; +allow sys_installer_sa sa_accesstoken_manager_service:samgr_class { get }; +allow sys_installer_sa sa_param_watcher:samgr_class { get }; +allow sys_installer_sa sa_sys_installer_service:samgr_class { add }; +allow sys_installer_sa security_param:file { map open read }; +allow sys_installer_sa startup_param:file { map open read }; +allow sys_installer_sa startup_param:parameter_service { set }; +allow sys_installer_sa sys_param:file { map open read }; +allow sys_installer_sa system_bin_file:dir { search }; +allow sys_installer_sa sys_usb_param:file { map open read }; +allow sys_installer_sa tracefs:dir { search }; +allow sys_installer_sa tracefs_trace_marker_file:file { open write }; + +allow sys_installer_sa data_file:dir { search }; +allow sys_installer_sa data_ota_package:dir { add_name search write remove_name }; +allow sys_installer_sa data_ota_package:dir { append ioctl open read }; +allow sys_installer_sa data_ota_package:file { append create ioctl open read write rename unlink getattr }; +allow sys_installer_sa data_file:dir { getattr }; +allow sys_installer_sa data_updater_file:dir { add_name search write remove_name getattr }; +allow sys_installer_sa data_updater_file:dir { append ioctl open read }; +allow sys_installer_sa ohos_dev_param:file { read }; + +debug_only(` +allow sys_installer_sa sh:binder { call }; +') + +allow sys_installer_sa tmpfs:chr_file { read }; +allow sys_installer_sa update_firmware_file:dir { add_name search write remove_name getattr append ioctl open read }; +allowxperm sys_installer_sa update_firmware_file:dir ioctl { 0x5413 }; +allow sys_installer_sa update_firmware_file:file { append create ioctl open read write rename unlink getattr setattr }; +allowxperm sys_installer_sa update_firmware_file:file ioctl { 0x5413 }; + +allow sys_installer_sa sys_installer_sa:process { setcurrent }; +allow sys_installer_sa updater_binary:process { dyntransition }; +allow sys_installer_sa vendor_etc_file:dir { search }; + +allow sys_installer_sa musl_param:file { read open map }; +allow sys_installer_sa dev_unix_socket:dir { search }; +allow sys_installer_sa dev_console_file:chr_file { read write }; +allow sys_installer_sa sysfs_devices_system_cpu:file { read open getattr }; +allow sys_installer_sa updater_sa:binder { call }; +allow sys_installer_sa vendor_etc_file:dir { search }; +allow sys_installer_sa dev_block_volfile:dir { search }; +allow sys_installer_sa update_firmware_file:file { map }; + +allow sys_installer_sa system_bin_file:file { getattr }; +allow sys_installer_sa toybox_exec:file { getattr map read open }; + +# avc: denied { create } for pid=1109 comm="IPC_1_1111" name="updater_binary" scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=1109 comm="IPC_1_1111" path="/data/updater/update.bin.tmp" dev="mmcblk0p18" ino=1844 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=1109 comm="IPC_1_1111" path="/data/updater/update.bin.tmp" dev="mmcblk0p18" ino=1844 ioctlcmd=0x5413 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1109 comm="IPC_1_1111" path="/data/updater/update.bin.tmp" dev="mmcblk0p18" ino=1844 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { read write } for pid=1109 comm="IPC_1_1111" name="update.bin.tmp" dev="mmcblk0p18" ino=1844 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=1092 comm="IPC_2_1100" name="updater_binary" dev="mmcblk0p18" ino=1875 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { unlink } for pid=1092 comm="IPC_2_1100" name="updater_binary" dev="mmcblk0p18" ino=1869 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { append } for pid=1071 comm="IPC_1_1073" name="sys_installer.log" dev="mmcblk0p18" ino=1703 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +allow sys_installer_sa data_updater_file:file { append create getattr ioctl open read write setattr unlink }; + +# avc: denied { ioctl } for pid=1109 comm="IPC_1_1111" path="/data/updater/update.bin.tmp" dev="mmcblk0p18" ino=1844 ioctlcmd=0x5413 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +allowxperm sys_installer_sa data_updater_file:file ioctl { 0x5413 }; + +# avc: denied { add_name } for pid=1092 comm="IPC_2_1112" name="updater_binary" scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=1092 comm="IPC_2_1112" path="/mnt/sys_installer" dev="tmpfs" ino=61 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +# avc: denied { read write } for pid=1092 comm="IPC_2_1112" name="sys_installer" dev="tmpfs" ino=61 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=1092 comm="IPC_2_1112" name="updater_binary" dev="tmpfs" ino=110 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow sys_installer_sa tmpfs:dir { add_name open read write remove_name }; + +# avc: denied { create } for pid=1092 comm="IPC_2_1112" name="updater_binary" scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=1092 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=1092 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 ioctlcmd=0x5413 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1092 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=1092 comm="IPC_2_1112" name="updater_binary" dev="tmpfs" ino=110 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { unlink } for pid=1092 comm="IPC_2_1112" name="updater_binary" dev="tmpfs" ino=110 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allow sys_installer_sa tmpfs:file { create getattr ioctl open setattr unlink }; + +# avc: denied { ioctl } for pid=1092 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 ioctlcmd=0x5413 scontext=u:r:sys_installer_sa:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allowxperm sys_installer_sa tmpfs:file ioctl { 0x5413 }; + +allow sys_installer_sa updater_block_file:lnk_file { read }; +allow sys_installer_sa updater_block_file:blk_file { write getattr read open }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/updater_binary.te b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/updater_binary.te new file mode 100644 index 0000000000000000000000000000000000000000..d0ed7949699a8584e6aeca66b1a980b023d99412 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/sys_installer_sa/system/updater_binary.te @@ -0,0 +1,69 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow updater_binary data_file:dir { search }; +allow updater_binary data_updater_file:dir { search }; +allow updater_binary data_updater_file:file { map read open append }; +allow updater_binary dev_block_file:blk_file { read write open }; +allow updater_binary dev_block_file:dir { search }; +allow updater_binary dev_block_file:lnk_file { read }; +allow updater_binary dev_block_volfile:dir { search }; +allow updater_binary musl_param:file { read open map }; +allow updater_binary ohos_boot_param:file { open map read }; +allow updater_binary sys_installer_sa:fifo_file { write getattr ioctl }; +allowxperm updater_binary sys_installer_sa:fifo_file ioctl { 0x5413 }; +allow updater_binary sys_installer_sa:fd { use }; +allow updater_binary dev_unix_socket:dir { search }; +allow updater_binary sys_installer_sa:unix_dgram_socket { connect write }; +allow updater_binary system_bin_file:dir { search }; +allow updater_binary system_bin_file:file { execute execute_no_trans read open map }; +allow updater_binary toybox_exec:file { execute execute_no_trans getattr read open map }; +allow updater_binary vendor_etc_file:dir { search }; + +# avc: denied { read } for pid=1204 comm="updater_binary" name="u:object_r:debug_param:s0" dev="tmpfs" ino=79 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow updater_binary debug_param:file { map open read }; + +# avc: denied { ioctl } for pid=1127 comm="updater_binary" path="/data/updater/log/error_code.log" dev="mmcblk0p18" ino=1730 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 +# avc: denied { create } for pid=1137 comm="updater_binary" name="updater_log" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=1137 comm="updater_binary" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=5742 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=1137 comm="updater_binary" name="update.bin.tmp" dev="mmcblk0p18" ino=2016 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=1101 comm="updater_binary" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=5742 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=1101 comm="updater_binary" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=5742 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=1101 comm="updater_binary" name="update.bin.tmp" dev="mmcblk0p18" ino=2016 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +allow updater_binary data_updater_file:file { ioctl create getattr write }; +allowxperm updater_binary data_updater_file:file ioctl { 0x5413 }; + +# avc: denied { getattr } for pid=1101 comm="updater_binary" path="/data/updater" dev="mmcblk0p18" ino=1396 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +# avc: denied { read write } for pid=1101 comm="updater_binary" name="updater" dev="mmcblk0p18" ino=1396 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=1087 comm="updater_binary" name="log" dev="mmcblk0p18" ino=3425 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=1122 comm="updater_binary" name="error_code.log" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +allow updater_binary data_updater_file:dir { getattr read write write add_name }; + +# avc: denied { read } for pid=1101 comm="updater_binary" name="ota_package" dev="mmcblk0p18" ino=197 scontext=u:r:updater_binary:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=1101 comm="updater_binary" name="ota_package" dev="mmcblk0p18" ino=197 scontext=u:r:updater_binary:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=dir permissive=1 +allow updater_binary update_firmware_file:dir { read search }; + +# avc: denied { map } for pid=1101 comm="updater_binary" path="/data/update/ota_package/update.zip" dev="mmcblk0p18" ino=1585 scontext=u:r:updater_binary:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1101 comm="updater_binary" path="/data/update/ota_package/update.zip" dev="mmcblk0p18" ino=1585 scontext=u:r:updater_binary:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=1101 comm="updater_binary" name="update.zip" dev="mmcblk0p18" ino=1585 scontext=u:r:updater_binary:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1 +allow updater_binary update_firmware_file:file { map open read }; + +# avc: denied { execute } for pid=1156 comm="IPC_2_1112" name="updater_binary" dev="tmpfs" ino=110 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { execute_no_trans } for pid=1156 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1156 comm="IPC_2_1112" path="/mnt/sys_installer/updater_binary" dev="tmpfs" ino=110 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allow updater_binary tmpfs:file { execute execute_no_trans open }; + +allow updater_binary updater_block_file:blk_file { read write open }; +allow updater_binary updater_block_file:dir { search }; +allow updater_binary updater_block_file:lnk_file { read }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/public/file.te b/prebuilts/api/5.0/ohos_policy/update/updater/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..16fa8c722292c71e2e49e962a5bfce14d67f435e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type data_updater_file, file_attr, data_file_attr; +type hiview_light_file, file_attr, data_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter.te b/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..98e5b01a1cde249a660573e61dcadca378853049 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +type update_updater_param, parameter_attr; +type updater_flashd_param, parameter_attr; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter_contexts b/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..682af7652b0dc12d918379acb0205e37322ea7b2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/public/parameter_contexts @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +updater.hdc.configfs u:object_r:update_updater_param:s0 +updater.flashd.configfs u:object_r:updater_flashd_param:s0 +updater.data.configs u:object_r:update_updater_param:s0 +updater.data.ready u:object_r:update_updater_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/public/updater.te b/prebuilts/api/5.0/ohos_policy/update/updater/public/updater.te new file mode 100644 index 0000000000000000000000000000000000000000..b64c1b982e31f1e73daab3779d9d64ee6e2ab55e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/public/updater.te @@ -0,0 +1,28 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +domain_auto_transition_pattern(updater, processdump_exec, processdump); +domain_auto_transition_pattern(updater_binary, processdump_exec, processdump); + +type updater_binary, native_system_domain, domain; +type updater_binary_exec, exec_attr, file_attr, system_file_attr; + +type write_updater, native_system_domain, domain; +type write_updater_exec, exec_attr, file_attr, system_file_attr; + +domain_auto_transition_pattern(updater, updater_binary_exec, updater_binary); +domain_auto_transition_pattern(init, write_updater_exec, write_updater); + +type hiview_light, native_system_domain, domain; +type hiview_light_exec, exec_attr, file_attr, system_file_attr; +domain_auto_transition_pattern(updater, hiview_light_exec, hiview_light); diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/faultloggerd.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..016dc0e91194876d8530d41d9e43bc0dbb6b4e64 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/faultloggerd.te @@ -0,0 +1,46 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +updater_only(` + +#avc_audit_slow:267] avc: denied { getopt } for pid=553, comm="/system/bin/faultloggerd" tcontext=u:r:faultloggerd:s0 tclass=unix_dgram_socket permissive=0 +#avc_audit_slow:267] avc: denied { setopt } for pid=553, comm="/system/bin/faultloggerd" tcontext=u:r:faultloggerd:s0 tclass=unix_dgram_socket permissive=0 +allow faultloggerd faultloggerd:unix_dgram_socket { getopt setopt }; + +#avc: denied { entrypoint } for pid=238 comm="init" path="/bin/faultloggerd" dev="rootfs" ino=17767 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { map } for pid=238 comm="faultloggerd" path="/bin/faultloggerd" dev="rootfs" ino=17767 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { read } for pid=238 comm="faultloggerd" path="/bin/faultloggerd" dev="rootfs" ino=17767 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=233 comm="faultloggerd" path="/bin/faultloggerd" dev="rootfs" ino=17095 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=233 comm="faultloggerd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16765 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=233 comm="faultloggerd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16765 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow faultloggerd rootfs:file { entrypoint map read execute open getattr }; + +#avc: denied { read write } for pid=238 comm="faultloggerd" path="/dev/console" dev="rootfs" ino=17411 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow faultloggerd rootfs:chr_file { read write }; + +#allow faultloggerd rootfs:netlink_kobject_uevent_socket { read write }; + +#avc: denied { read write } for pid=238 comm="faultloggerd" path="socket:[18134]" dev="sockfs" ino=18134 scontext=u:r:faultloggerd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow faultloggerd ueventd:netlink_kobject_uevent_socket { read write }; + +#avc: denied { read } for pid=233 comm="faultloggerd" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=233 comm="faultloggerd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=229 comm="faultloggerd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow faultloggerd musl_param:file { read open map }; + +#avc: denied { read } for pid=229 comm="faultloggerd" name="etc" dev="rootfs" ino=16666 scontext=u:r:faultloggerd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow faultloggerd system_etc_file:lnk_file { read }; + +#avc: denied { associate } for pid=238 comm="init" name="temp" dev="rootfs" ino=27737 scontext=u:object_r:faultloggerd_temp_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow faultloggerd_temp_file rootfs:filesystem { associate }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/file_contexts b/prebuilts/api/5.0/ohos_policy/update/updater/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..eabf2e98972518d250b88da2d974668806e7ba08 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/file_contexts @@ -0,0 +1,28 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/write_updater u:object_r:write_updater_exec:s0 +/data/updater u:object_r:data_updater_file:s0 +/data/updater/(.*)? u:object_r:data_updater_file:s0 +/tmp/updater_binary u:object_r:updater_binary_exec:s0 +/bin/updater_binary u:object_r:updater_binary_exec:s0 + +# processdump +/bin/processdump u:object_r:processdump_exec:s0 +# faultloggerd +/bin/faultloggerd u:object_r:faultloggerd_exec:s0 + +/bin/hiview_light u:object_r:hiview_light_exec:s0 + +/etc/hiview/hiview_light u:object_r:hiview_light_file:s0 +/etc/hiview/hiview_light/(.*)? u:object_r:hiview_light_file:s0 diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/filesystem.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/filesystem.te new file mode 100644 index 0000000000000000000000000000000000000000..a2d3dea615381c3b7fef982c74b134d83c5364ce --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/filesystem.te @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +updater_only(` +# avc: denied { associate } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:object_r:rootfs:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1 +allow rootfs tmpfs:filesystem { associate }; + +# avc: denied { associate } for pid=233 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:object_r:updater_binary_exec:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1 +allow updater_binary_exec tmpfs:filesystem { associate }; + +# avc_audit_slow:267] avc: denied { associate } for pid=1, comm="/init" name="/bin/faultloggerd" dev="tmpfs" ino=718 scontext=u:object_r:faultloggerd_exec:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow faultloggerd_exec rootfs:filesystem { associate }; + +# avc_audit_slow:267] avc: denied { associate } for pid=1, comm="/init" name="/bin/processdump" dev="tmpfs" ino=720 scontext=u:object_r:processdump_exec:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow processdump_exec rootfs:filesystem { associate }; +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/hdcd.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..35c6bdc06e18cdd177c208cbacdde85d312bb24b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/hdcd.te @@ -0,0 +1,70 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +updater_only(` + +# avc: denied { read write } for pid=243 comm="hdcd" path="/dev/console" dev="rootfs" ino=3504 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=234 comm="hdcd" path="/dev/console" dev="rootfs" ino=1979 ioctlcmd=0x5413 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow hdcd rootfs:chr_file { read write ioctl }; +allowxperm hdcd rootfs:chr_file ioctl { 0x5413 }; + +# avc: denied { entrypoint } for pid=243 comm="init" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { map } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { read } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { execute } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { open } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow hdcd rootfs:file { entrypoint map read execute open getattr }; + +# avc: denied { setcurrent } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:hdcd:s0 tclass=process permissive=1 +allow hdcd hdcd:process { setcurrent }; + +debug_only(` +# avc: denied { dyntransition } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +allow hdcd sh:process { dyntransition }; +') + +#avc: denied { read write } for pid=235 comm="hdcd" path="socket:[20967]" dev="sockfs" ino=20967 scontext=u:r:hdcd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow hdcd ueventd:netlink_kobject_uevent_socket { read write }; + +# avc: denied { map } for pid=235 comm="hdcd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hdcd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow hdcd musl_param:file { read open map }; + +# avc: denied { read } for pid=235 comm="hdcd" name="etc" dev="rootfs" ino=18266 scontext=u:r:hdcd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow hdcd system_etc_file:lnk_file { read }; + +debug_only(` + # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 + # avc: denied { write } for pid=236 comm="hdcd" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 + # avc: denied { add_name } for pid=235 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 + allow hdcd ntfs:dir { search write add_name }; + + # avc: denied { search } for pid=246 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 + allow hdcd exfat:dir { search write add_name }; + + # avc: denied { create } for pid=240 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 + # avc: denied { write open } for pid=235 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 + allow hdcd ntfs:file { write open create }; + + # avc: denied { getattr } for pid=238 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 + allow hdcd exfat:file { create write open getattr }; + + # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 + # avc: denied { write } for pid=239 comm="hdcd" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 + # avc: denied { add_name } for pid=241 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 + allow hdcd vfat:dir { add_name write search }; + + # avc: denied { create } for pid=234 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 + allow hdcd vfat:file { create write open getattr }; +') +') + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/hilogd.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/hilogd.te new file mode 100644 index 0000000000000000000000000000000000000000..4b41b165e11d1013dd6c8eb4ed4800a42f94d29c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/hilogd.te @@ -0,0 +1,42 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +updater_only(` + +# avc: denied { read write } for pid=221 comm="hilogd" path="/dev/console" dev="rootfs" ino=5960 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=227 comm="hilogd.pst_res" path="/dev/console" dev="rootfs" ino=17236 ioctlcmd=0x5413 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow hilogd rootfs:chr_file { read write ioctl }; +allowxperm hilogd rootfs:chr_file ioctl { 0x5413 }; + +# avc: denied { read write } for pid=221 comm="hilogd" path="socket:[27872]" dev="sockfs" ino=27872 scontext=u:r:hilogd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow hilogd ueventd:netlink_kobject_uevent_socket { read write }; + +# avc: denied { read } for pid=227 comm="hilogd" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hilogd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=227 comm="hilogd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hilogd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=227 comm="hilogd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hilogd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow hilogd musl_param:file { read open map }; + +# avc: denied { read } for pid=227 comm="hilogd" name="etc" dev="rootfs" ino=17240 scontext=u:r:hilogd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow hilogd system_etc_file:lnk_file { read }; + +#avc: denied { write } for pid=230 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=27737 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { entrypoint } for pid=221 comm="init" path="/bin/hilogd" dev="rootfs" ino=17505 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { map } for pid=221 comm="hilogd" path="/bin/hilogd" dev="rootfs" ino=17505 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { read } for pid=221 comm="hilogd" path="/bin/hilogd" dev="rootfs" ino=17505 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=221 comm="hilogd" path="/bin/hilogd" dev="rootfs" ino=17505 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=221 comm="hilogd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=5986 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=221 comm="hilogd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=5986 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=227 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_1.info" dev="rootfs" ino=27542 ioctlcmd=0x5413 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow hilogd rootfs:file { entrypoint map read execute open getattr ioctl }; +allowxperm hilogd rootfs:file ioctl { 0x5413 }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/init.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..74b4c9d05a28dd1d08be2db31c91f42334e8556e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/init.te @@ -0,0 +1,196 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +updater_only(` + +# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init" name="/bin/faultloggerd" dev="tmpfs" ino=727 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_exec:s0 tclass=file permissive=0 +allow init faultloggerd_exec:file { relabelto }; +# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init" name="/bin/processdump" dev="tmpfs" ino=726 scontext=u:r:init:s0 tcontext=u:object_r:processdump_exec:s0 tclass=file permissive=0 +allow init processdump_exec:file { relabelto }; +# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init" name="/bin/updater_binary" dev="tmpfs" ino=957 scontext=u:r:init:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=0 +allow init updater_binary_exec:file { relabelto }; + +#avc: denied { read } for pid=1 comm="init" name="ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { getattr } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { open } for pid=1 comm="init" path="/etc/param/ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { execute } for pid=231 comm="init" name="ueventd" dev="rootfs" ino=17717 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { execute_no_trans } for pid=233 comm="init" path="/bin/hilog" dev="rootfs" ino=797 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { map } for pid=1 comm="init" path="/lib/init/librebootmodule.z.so" dev="rootfs" ino=17620 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +#avc: denied { map } for pid=235 comm="hilog" path="/bin/hilog" dev="rootfs" ino=17650 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { write } for pid=227 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_1.info" dev="rootfs" ino=26950 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow init rootfs:file { getattr read open execute map }; + +# avc: denied { read } for pid=1 comm="init" name="etc" dev="rootfs" ino=399 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=1 comm="init" path="/etc" dev="rootfs" ino=16655 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { relabelfrom } for pid=1 comm="init" name="system" dev="rootfs" ino=386 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { write } for pid=1 comm="init" name="/" dev="rootfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { setattr } for pid=1 comm="init" name="param" dev="rootfs" ino=17987 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +# avc: denied { relabelto } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +allow init rootfs:dir { read open write relabelfrom add_name create setattr relabelto }; + +# avc: denied { create } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +# avc: denied { setopt } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +# avc: denied { bind } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow init ueventd:netlink_kobject_uevent_socket { create setopt bind }; + +# avc: denied { relabelto } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=1 comm="init" path="/system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/system" dev="rootfs" ino=17413 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +allow init system_file:dir { read open relabelto getattr }; + +# avc: denied { associate } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:object_r:system_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow system_file rootfs:filesystem { associate }; + +#avc: denied { relabelfrom } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1 +allow init rootfs:lnk_file { relabelfrom }; + +#avc: denied { relabelto } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/system/bin" dev="rootfs" ino=17417 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 +allow init system_bin_file:lnk_file { relabelto getattr }; + +#avc: denied { associate } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:object_r:system_bin_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow system_bin_file rootfs:filesystem { associate }; + +#avc: denied { relabelto } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/system/lib" dev="rootfs" ino=17416 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1 +allow init system_lib_file:lnk_file { relabelto getattr }; + +#avc: denied { associate } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:object_r:system_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow system_lib_file rootfs:filesystem { associate }; + +#avc: denied { relabelto } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +#avc: denied { read } for pid=235 comm="hilog" name="etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/system/etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow init system_etc_file:lnk_file { relabelto read getattr }; + +#avc: denied { associate } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:object_r:system_etc_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow system_etc_file rootfs:filesystem { associate }; + +#avc: denied { read } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=1 comm="init" path="/vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 +#avc: denied { relabelto } for pid=1 comm="init" name="vendor" dev="rootfs" ino=2038 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=1 comm="init" path="/vendor" dev="rootfs" ino=17423 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 +allow init vendor_file:dir { relabelto read open getattr }; + +#avc: denied { associate } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:object_r:vendor_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow vendor_file rootfs:filesystem { associate }; + + +#avc: denied { associate } for pid=1 comm="init" name="data" dev="rootfs" ino=20555 scontext=u:object_r:data_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow data_file rootfs:filesystem { associate }; + +#avc: denied { mount } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1 +allow init tmpfs:filesystem { mount }; + +#avc: denied { associate } for pid=1 comm="init" name="log" dev="rootfs" ino=20558 scontext=u:object_r:data_log:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow data_log rootfs:filesystem { associate }; + +#avc: denied { associate } for pid=1 comm="init" name="hilog" dev="rootfs" ino=20559 scontext=u:object_r:data_hilogd_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow data_hilogd_file rootfs:filesystem { associate }; + +#avc: denied { relabelto } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=1 comm="init" path="/config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1 +#avc: denied { setattr } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1 +allow init config_file:dir { relabelto read open setattr }; + +#avc: denied { associate } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:object_r:config_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1 +allow config_file rootfs:filesystem { associate }; + +#avc: denied { getattr } for pid=1 comm="init" path="/config/usb_gadget/g1/os_desc/b.1" dev="configfs" ino=20701 scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=1 +allow init configfs:lnk_file { getattr }; + +#avc: denied { read } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +#avc: denied { setattr } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +#avc: denied { mounton } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +allow init functionfs:dir { read open search setattr mounton }; + +#avc: denied { getattr } for pid=1 comm="init" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=19955 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 +allow init functionfs:file { getattr }; + +#avc: denied { transition } for pid=234 comm="init" path="/bin/updater" dev="rootfs" ino=17825 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1 +#avc: denied { rlimitinh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1 +#avc: denied { siginh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1 +allow init updater:process { transition rlimitinh siginh }; + +#avc: denied { open } for pid=236 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=235 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow init musl_param:file { open map }; + +#avc: denied { write } for pid=234 comm="hilog" name="hilogControl" dev="tmpfs" ino=67 scontext=u:r:init:s0 tcontext=u:object_r:hilog_control_socket:s0 tclass=sock_file permissive=1 +allow init hilog_control_socket:sock_file { write }; + +#avc: denied { connectto } for pid=234 comm="hilog" path="/dev/unix/socket/hilogControl" scontext=u:r:init:s0 tcontext=u:r:hilogd:s0 tclass=unix_stream_socket permissive=1 +allow init hilogd:unix_stream_socket { connectto }; + +#avc: denied { ioctl } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +#avc: denied { write } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow init rootfs:chr_file { ioctl write }; +allowxperm init rootfs:chr_file ioctl { 0x5413 }; + +# avc: denied { read } for pid=1 comm="init" name="misc" dev="tmpfs" ino=133 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 +allow init dev_file:lnk_file { read }; + +#avc: denied { relabelto } for pid=1 comm="init" name="lib64" dev="rootfs" ino=18269 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=0 +# avc: denied { getattr } for pid=1 comm="init" path="/vendor/lib64" dev="rootfs" ino=17424 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=1 +allow init vendor_lib_file:lnk_file { relabelto getattr }; + +#avc: denied { associate } for pid=1 comm="init" name="lib64" dev="rootfs" ino=395 scontext=u:object_r:vendor_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0 +allow vendor_lib_file rootfs:filesystem { associate }; + +#avc: denied { mount } for pid=1 comm="init" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0 +allow init exfat:filesystem { mount }; + +# avc: denied { mounton } for pid=1 comm="init" path="/sdcard" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 +allow init exfat:dir { mounton }; + +#avc: denied { execute_no_trans } for pid=234 comm="init" path="/bin/hilog" dev="rootfs" ino=19711 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow init rootfs:file { execute_no_trans }; + +# avc: denied { getattr } for pid=238 comm="init" path="/data/log/hilog/.persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1 +# avc: denied { relabelto } for pid=238 comm="init" name=".persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1 +allow init data_hilogd_file:file { getattr relabelto }; + +# avc: denied { getattr } for pid=1 comm="init" path="/proc/235/status" dev="proc" ino=27295 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=file permissive=1 +allow init updater:file { getattr }; + +# avc: denied { relabelfrom } for pid=237 comm="init" name=".persisterInfo_1" dev="rootfs" ino=28034 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow init rootfs:file { relabelfrom }; + +allow init updater_block_file:blk_file { getattr ioctl open read write }; +allowxperm init updater_block_file:blk_file ioctl { 0x5413 }; +') + +# avc: denied { execute } for pid=1849 comm="init" name="write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1 +# avc: denied { execute_no_trans } for pid=1849 comm="init" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1 +# avc: denied { map } for pid=1849 comm="write_updater" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=1849 comm="init" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1 +#allow init write_updater_exec:file { execute execute_no_trans map read open }; + +# avc: denied { open } for pid=271 comm="init" path="/dev/asanlog" dev="tmpfs" ino=377 scontext=u:r:init:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=1 +allow init dev_asanlog_file:dir { open }; + +# avc: denied { getattr } for pid=591 comm="init" path="/dev/unix/socket/faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1 +# avc: denied { relabelto } for pid=591 comm="init" name="faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1 +allow init faultloggerd_socket_crash:sock_file { getattr relabelto }; + +# avc: denied { setattr } for pid=271 comm="init" name="sysrq-trigger" dev="proc" ino=4026532372 scontext=u:r:init:s0 tcontext=u:object_r:proc_sysrq_trigger_file:s0 tclass=file permissive=1 +allow init proc_sysrq_trigger_file:file { setattr }; + +# avc: denied { relabelto } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow init updater_block_file:blk_file { relabelto }; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/processdump.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/processdump.te new file mode 100644 index 0000000000000000000000000000000000000000..710677645dd9077c337be7f4b6b54c7177e4e8a5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/processdump.te @@ -0,0 +1,27 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +updater_only(` + +# avc_audit_slow:267] avc: denied { supervsable } for pid=796, comm="/bin/updater_binary" scontext=u:r:processdump:s0 tcontext=u:r:processdump:s0 tclass=hmcap permissive=1 +allow processdump processdump:hmcap { supervsable }; + +# avc_audit_slow:267] avc: denied { getattr } for pid=796, comm="/bin/processdump" path="/etc/ld-musl-namespace-aarch64.ini" dev="tmpfs" ino=323 scontext=u:r:processdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { open } for pid=796, comm="/bin/processdump" path="/etc/ld-musl-namespace-aarch64.ini" dev="tmpfs" ino=323 scontext=u:r:processdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { read execute } for pid=unknown, comm=unknown, cidx=0x0 path="/lib/ld-musl-aarch64.so.1" dev="tmpfs" ino=781 scontext=u:r:processdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { read } for pid=unknown, comm=unknown, cidx=0x0 path="/lib/ld-musl-aarch64.so.1" dev="tmpfs" ino=781 scontext=u:r:processdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { map } for pid=unknown, comm=unknown, cidx=0x0 path="/lib/ld-musl-aarch64.so.1" dev="tmpfs" ino=779 scontext=u:r:processdump:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +allow processdump rootfs:file { getattr open read execute read map}; + +# avc_audit_slow:267] avc: denied { read } for pid=796, comm="/bin/processdump" name="/system/etc" dev="tmpfs" ino=997 scontext=u:r:processdump:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow processdump system_etc_file:lnk_file { read }; +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/ueventd.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..119fd20157b06d86283c92cdbcac105ebacd2872 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/ueventd.te @@ -0,0 +1,89 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +updater_only(` + +#avc: denied { map } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { read } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=227 comm="ueventd" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=227 comm="ueventd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16683 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=227 comm="ueventd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16683 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { entrypoint } for pid=227 comm="init" path="/bin/ueventd" dev="rootfs" ino=16964 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow ueventd rootfs:file { entrypoint map read execute open getattr }; + +#avc: denied { read write } for pid=227 comm="ueventd" path="/dev/console" dev="rootfs" ino=16657 scontext=u:r:ueventd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow ueventd rootfs:chr_file { write read }; + +#avc: denied { write } for pid=227 comm="ueventd" path="socket:[19887]" dev="sockfs" ino=19887 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +#avc: denied { getopt } for pid=229 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow ueventd ueventd:netlink_kobject_uevent_socket { write getopt }; + + +#avc: denied { read } for pid=229 comm="ueventd" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=229 comm="ueventd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=229 comm="ueventd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:ueventd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow ueventd musl_param:file { read open map }; + +#avc: denied { execute_no_trans } for pid=231 comm="init" path="/bin/hilog" dev="rootfs" ino=17826 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { write } for pid=224 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=16921 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow ueventd dev_file:file { create setattr }; + +#avc: denied { create } for pid=229 comm="ueventd" name="mmcblk0" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1 +#avc: denied { setattr } for pid=229 comm="ueventd" name="mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1 +#avc: denied { getattr } for pid=223 comm="ueventd" path="/dev/block/mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1 +#avc: denied { relabelfrom } for pid=223 comm="ueventd" name="mmcblk0" dev="tmpfs" ino=100 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=blk_file permissive=1 +allow ueventd dev_file:blk_file { create setattr getattr relabelfrom }; + +#avc: denied { create } for pid=229 comm="ueventd" name="mmcblk0" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 +allow ueventd dev_file:lnk_file { create }; + +#avc: denied { create } for pid=223 comm="ueventd" name="by-name" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 +#avc: denied { read } for pid=223 comm="ueventd" name="by-name" dev="tmpfs" ino=106 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 +allow ueventd dev_block_volfile:lnk_file { create read }; + +#avc: denied { relabelto } for pid=229 comm="ueventd" name="block" dev="tmpfs" ino=99 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow ueventd dev_block_volfile:dir { relabelto }; + +#avc: denied { relabelto } for pid=223 comm="ueventd" name="binder" dev="tmpfs" ino=181 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=1 +allow ueventd dev_binder_file:chr_file { relabelto }; + +#avc: denied { read } for pid=224 comm="ueventd" name="etc" dev="rootfs" ino=17415 scontext=u:r:ueventd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow ueventd system_etc_file:lnk_file { read }; + +# avc: denied { relabelto } for pid=226 comm="ueventd" name="xpm" dev="tmpfs" ino=193 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1 +allow ueventd dev_xpm:chr_file { relabelto }; + +# avc: denied { create } for pid=234 comm="ueventd" name="by-name" scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow ueventd dev_block_volfile:dir { create }; + +# avc: denied { relabelto } for pid=241 comm="ueventd" name="eng_system" dev="tmpfs" ino=109 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=1 +allow ueventd dev_block_file:lnk_file { relabelto }; + +# avc: denied { relabelto } for pid=238 comm="ueventd" name="mmcblk0p3" dev="tmpfs" ino=129 scontext=u:r:ueventd:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=blk_file permissive=0 +allow ueventd dev_block_volfile:blk_file { relabelto }; + +# avc: denied { getattr } for pid=250 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { relabelfrom } for pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { setattr } for pid=250 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { relabelto } for pid=241 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=147 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow ueventd updater_block_file:blk_file { getattr relabelfrom setattr relabelto }; + +# avc: denied { getattr } for pid=242 comm="ueventd" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +# avc: denied { relabelfrom } for pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +# avc: denied { setattr } for pid=242 comm="ueventd" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=0 +allow ueventd tmpfs:blk_file { getattr relabelfrom setattr }; + +# avc: denied { getattr } for pid=245 comm="ueventd" path="/dev/block/by-name/misc" dev="tmpfs" ino=37 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1 +# avc: denied { relabelto } for pid=231 comm="ueventd" name="misc" dev="tmpfs" ino=149 scontext=u:r:ueventd:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=0 +allow ueventd updater_block_file:lnk_file { getattr relabelto }; +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/updater.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/updater.te new file mode 100644 index 0000000000000000000000000000000000000000..3a7de713c0c6b36ba957409ba0a2f504029de456 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/updater.te @@ -0,0 +1,434 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +updater_only(` + +#avc: denied { read } for pid=240 comm="updater" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 +allow updater hilog_param:file { read open map }; + +#avc: denied { getattr } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=240 comm="updater" name="hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 ioctlcmd=0x6201 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 +allow updater dev_hdf_file:chr_file { getattr read write open ioctl }; +allowxperm updater dev_hdf_file:chr_file ioctl { 0x6201 }; + +#avc: denied { getattr } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=233 comm="updater" name="hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 ioctlcmd=0x6203 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=233 comm="evt_listen" path="/dev/hdf_input_event1" dev="tmpfs" ino=234 ioctlcmd=0x6202 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 +allow updater dev_hdf_input:chr_file { getattr read write open ioctl }; +allowxperm updater dev_hdf_input:chr_file ioctl { 0x6203 0x6202 }; + +#avc: denied { write } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=235 comm="updater" name="mainpage.png" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 +allow updater tmpfs:dir { write add_name read remove_name }; + +#avc: denied { create } for pid=231 comm="updater" name="updater.log" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=229 comm="updater" name="updater_result" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=272 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 +#avc: denied { execute_no_trans } for pid=278 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 +# avc: denied { relabelfrom } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 +allow updater tmpfs:file { unlink append ioctl create open getattr setattr execute execute_no_trans relabelfrom }; +allowxperm updater tmpfs:file ioctl { 0x5413 }; + +#avc: denied { write } for pid=262 comm="resize.f2fs" name="mmcblk0p12" dev="tmpfs" ino=98 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { read } for pid=228 comm="updater" name="mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { open } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { getattr } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { ioctl } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +#avc: denied { lock } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +allow updater dev_block_file:blk_file { write getattr read open ioctl lock }; + +# avc: denied { ioctl } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=269 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x1271 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { ioctl } for pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x1272 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x127d scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=278 comm="mkfs.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x2285 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=239 comm="updater" path="/dev/block/mmcblk0p14" dev="tmpfs" ino=151 ioctlcmd=0x1277 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +allowxperm updater dev_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 }; + +#avc: denied { read } for pid=274 comm="resize.f2fs" name="version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=274 comm="resize.f2fs" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 +allow updater proc_version_file:file { read open }; + +#denied { getattr } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p12/partition" dev="sysfs" ino=31854 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=274 comm="resize.f2fs" name="zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +#denied { open } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/queue/zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow updater sys_file:file { read getattr open }; + +#avc: denied { getattr } for pid=231 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=238 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=238 comm="updater" name="log" dev="mmcblk0p12" ino=954 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=227 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=5006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { create } for pid=231 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { rmdir } for pid=231 comm="updater" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { setattr } for pid=249 comm="updater" name="updater" dev="mmcblk0p12" ino=144 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +allow updater data_updater_file:dir { read getattr add_name search write open remove_name create rmdir setattr }; +allow updater update_firmware_file:dir { read getattr add_name search write open remove_name create rmdir }; + +#avc: denied { create } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { append } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=238 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { setattr } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { unlink } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { write } for pid=235 comm="updater" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +allow updater data_updater_file:file { create open append getattr ioctl read setattr unlink write }; +allowxperm updater data_updater_file:file ioctl { 0x5413 }; + +allow updater update_firmware_file:file { create open append getattr ioctl read setattr unlink write }; +allowxperm updater update_firmware_file:file ioctl { 0x5413 }; + +#avc: denied { search } for pid=228 comm="updater" name="block" dev="tmpfs" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow updater dev_block_volfile:dir { search }; + +# avc: denied { set } for process="updater" parameter=updater.hdc.configfs pid=234 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=1 +#avc: denied { set } for process="unknown process" parameter=updater.data.configs pid=232 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=0 +allow updater update_updater_param:parameter_service { set }; + +#avc: denied { read } for pid=227 comm="updater" name="bin" dev="rootfs" ino=17791 scontext=u:r:updater:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 +allow updater system_bin_file:lnk_file { read }; + +# avc: denied { module_request } for pid=227 comm="updater" kmod="quota_v2" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 +allow updater kernel:system { module_request }; + +# avc: denied { read } for pid=234 comm="updater" name="usb-ffs" dev="tmpfs" ino=314 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=235 comm="updater" path="/dev/usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=235 comm="updater" name="usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 +allow updater dev_usb_ffs:dir { read open search }; + +# avc: denied { read write } for pid=234 comm="updater" name="ep0" dev="functionfs" ino=27986 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 +# avc: denied { open } for pid=235 comm="updater" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=18354 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 +allow updater functionfs:file { read write open }; + +# avc: denied { search } for pid=234 comm="updater" name="local" dev="mmcblk0p12" ino=87 scontext=u:r:updater:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +allow updater data_local:dir { search }; + + +# avc: denied { dyntransition } for pid=281 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1 +allow updater updater_binary:process { dyntransition }; + +# avc: denied { setcurrent } for pid=279 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=process permissive=1 +allow updater updater:process { setcurrent }; + +# avc: denied { read write } for pid=292 comm="sh" name="tty" dev="tmpfs" ino=282 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow updater tty_device:chr_file { read write }; + +#avc: denied { read } for pid=227 comm="updater" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow updater musl_param:file { read map open }; + +# avc: denied { read } for pid=236 comm="updater" name="etc" dev="rootfs" ino=17422 scontext=u:r:updater:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow updater system_etc_file:lnk_file { read }; + +# avc: denied { chown } for pid=227 comm="updater" capability=0 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 +# avc: denied { sys_admin } for pid=228 comm="updater" capability=21 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 +allow updater updater:capability { sys_admin chown }; + +# avc: denied { read write } for pid=239 comm="updater" name="ptmx" dev="tmpfs" ino=232 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 +allow updater dev_ptmx:chr_file { read write }; + +# avc: denied { search } for pid=266 comm="updater" name="/" dev="devpts" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1 +allow updater dev_pts_file:dir { search }; + +# avc: denied { read write } for pid=266 comm="updater" name="0" dev="devpts" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +allow updater devpts:chr_file { read write }; + +# avc: denied { ioctl } for pid=266 comm="sh" path="/dev/tty" dev="tmpfs" ino=282 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow updater tty_device:chr_file { ioctl}; +allowxperm updater tty_device:chr_file ioctl { 0x5413 }; + +#avc: denied { read write } for pid=227 comm="updater" path="/dev/console" dev="rootfs" ino=16653 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=229 comm="updater" path="/dev/console" dev="rootfs" ino=3976 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow updater rootfs:chr_file { read write ioctl }; +allowxperm updater rootfs:chr_file ioctl { 0x5413 }; + +#avc: denied { read write } for pid=226 comm="updater" name="card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x640c scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { map } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a0 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a7 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a6 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b3 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow updater dev_dri_file:chr_file { ioctl read write open map }; +allowxperm updater dev_dri_file:chr_file ioctl { 0x640c 0x64a0 0x64a7 0x64a6 0x64a1 0x64b2 0x64b8 0x64a2 0x64b3 0x6409 0x64af }; + +#avc: denied { search } for pid=229 comm="updater" name="dri" dev="tmpfs" ino=89 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 +allow updater dev_dri_file:dir { search }; + +#avc: denied { read } for pid=228 comm="updater" name="by-name" dev="tmpfs" ino=106 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 +allow updater dev_block_volfile:lnk_file { read }; + +#avc: denied { read } for pid=228 comm="updater" name="misc" dev="tmpfs" ino=133 scontext=u:r:updater:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 +allow updater dev_file:lnk_file { read }; + +#avc: denied { search } for pid=231 comm="updater" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow updater dev_unix_socket:dir { search }; + +#avc: denied { write } for pid=229 comm="updater" name="paramservice" dev="tmpfs" ino=15 scontext=u:r:updater:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 +allow updater paramservice_socket:sock_file { write }; + +#avc: denied { connectto } for pid=229 comm="updater" path="/dev/unix/socket/paramservice" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 +allow updater kernel:unix_stream_socket { connectto }; + +#avc: denied { entrypoint } for pid=226 comm="init" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { map } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { read } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { execute } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=226 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16682 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=227 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16679 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { write } for pid=221 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=20796 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=231 comm="updater" name="updater_binary" dev="rootfs" ino=19417 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +# avc: denied { execute_no_trans } for pid=278 comm="updater" path="/bin/mkfs.f2fs" dev="rootfs" ino=17686 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow updater rootfs:file { entrypoint map read execute open getattr write setattr execute_no_trans }; + +#avc: denied { read write } for pid=226 comm="updater" path="socket:[17326]" dev="sockfs" ino=17326 scontext=u:r:updater:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 +allow updater ueventd:netlink_kobject_uevent_socket { read write}; + +#avc: denied { read } for pid=269 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=263 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 +allow updater ohos_boot_param:file { read map open }; + +#avc: denied { mount } for pid=241 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1 +#avc: denied { unmount } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 +allow updater labeledfs:filesystem { mount unmount }; + +#avc: denied { set } for process="updater" parameter=startup.device.ctl pid=241 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1 +allow updater servicectrl_reboot_param:parameter_service { set }; + +# avc: denied { read write } for pid=275 comm="processdump" path="/data/log/faultlog/temp/cppcrash-270-1502782678223" dev="mmcblk0p12" ino=3328 scontext=u:r:updater:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0 +allow updater faultloggerd_temp_file:file { read write }; + +# avc: denied { mounton } for pid=237 comm="updater" path="/sdcard" dev="rootfs" ino=27932 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +allow updater rootfs:dir { mounton }; + +# avc: denied { setgid } for pid=270 comm="mount.ntfs" capability=6 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 +# avc: denied { setuid } for pid=265 comm="mount.ntfs" capability=7 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 +allow updater updater:capability { setuid setgid }; + +# avc: denied { getattr } for pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 +# avc: denied { read write } for pid=269 comm="mount.ntfs" name="fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 +# avc: denied { open } for pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 +allow updater dev_fuse_file:chr_file { getattr read write open }; + +# avc: denied { open } for pid=272 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=272 comm="mount.ntfs" name="filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=265 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 +allow updater proc_filesystems_file:file { read open getattr }; + +# avc: denied { read write } for pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=234 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=238 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1 +allow updater exfat:dir { read write search add_name open remove_name }; + +# avc: denied { read } for pid=240 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { open } for pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { create } for pid=233 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { write } for pid=240 comm="updater" path="/sdcard/updater/update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=1 +allow updater exfat:file { read open getattr create write ioctl unlink }; + +# avc: denied { mount } for pid=242 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0 +allow updater exfat:filesystem { mount }; + +# avc: denied { ioctl } for pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +allowxperm updater exfat:file ioctl { 0x5413 }; + +# avc: denied { write } for pid=272 comm="updater_binary" name="data" dev="rootfs" ino=27999 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +#avc: denied { search } for pid=229 comm="updater" name="data" dev="rootfs" ino=18958 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +#avc: denied { mounton } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=234 comm="updater" path="/data" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=234 comm="updater" name="/" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +# avc: denied { relabelfrom } for pid=234 comm="updater" name="log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow updater data_file:dir { write search remove_name getattr mounton open read relabelfrom}; + +# avc: denied { unlink } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1 +allow updater updater_binary_exec:file { unlink }; + +# avc: denied { mount } for pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=filesystem permissive=0 +allow updater vfat:filesystem { mount }; + +# avc: denied { read write } for pid=231 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +# avc: denied { ioctl } for pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 +allow updater vfat:file { create read open getattr write ioctl unlink }; + +# avc: denied { ioctl } for pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +allowxperm updater vfat:file ioctl { 0x5413 }; + +# avc: denied { open } for pid=235 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=228 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 +allow updater vfat:dir { read write search add_name open remove_name }; + +# avc: denied { read write } for pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=232 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=237 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1 +allow updater ntfs:dir { read write search add_name open remove_name }; + +# avc: denied { read } for pid=227 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +# avc: denied { open } for pid=229 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=1 +allow updater ntfs:file { read create open getattr write ioctl unlink }; + +# avc: denied { ioctl } for pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +allowxperm updater ntfs:file ioctl { 0x5413 }; + +# avc: denied { mount } for pid=262 comm="mount.ntfs" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=filesystem permissive=0 +allow updater ntfs:filesystem { mount }; + +# avc: denied { search } for pid=235 comm="updater" name="/" dev="functionfs" ino=18353 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 +allow updater functionfs:dir { search }; + +# avc: denied { set } for process="unknown process" parameter=sys.usb.ffs.ready pid=265 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:sys_param:s0 tclass=parameter_service permissive=1 +allow updater sys_param:parameter_service { set }; + +# avc: denied { dac_override } for pid=235 comm="updater" capability=1 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1 +allow updater updater:capability { dac_override }; + +debug_only(` +# avc: denied { dyntransition } for pid=285 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +# avc: denied { signal } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +# avc: denied { sigkill } for pid=241 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 +allow updater sh:process { dyntransition signal sigkill }; + +# avc: denied { dyntransition } for pid=255 comm="hdcd_shellfork" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=0 +allow updater su:process { dyntransition }; +') + +# avc: denied { set } for process="unknown process" parameter=updater.flashd.configfs pid=235 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=parameter_service permissive=1 +allow updater updater_flashd_param:parameter_service { set }; + +# avc: denied { map } for pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=233 comm="updater" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow updater debug_param:file { map open read }; + +# avc: denied { dac_read_search } for pid=233 comm="updater" capability=2 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1 +allow updater updater:capability { dac_read_search }; + +# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 +# avc: denied { open } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 +allow updater dev_ptmx:chr_file { ioctl open }; + +# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 +allowxperm updater dev_ptmx:chr_file ioctl { 0x5431 0x5430 }; + +allow updater data_file:dir { add_name create }; +allow updater data_file:file { create getattr ioctl read write open setattr }; +allowxperm updater data_file:file ioctl { 0x5413 }; + +# denied { map } for pid=246 comm="updater" path="/data/update/ota_package/firmware/versions/updater_diff.zip" dev="mmcblk0p12" ino=1409 scontext=u:r:updater:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1 +allow updater update_firmware_file:file { map }; +allow updater data_updater_file:file { map }; +allow updater exfat:file { map }; +allow updater ntfs:file { map }; +allow updater vfat:file { map }; + +# avc: denied { relabelto } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=235 comm="updater" name="updater" dev="mmcblk0p12" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow updater data_file:dir { relabelto setattr }; + +# avc: denied { append } for pid=235 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=9 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 +allow updater data_file:file { append }; + +# avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +allow updater unlabeled:dir { getattr relabelfrom }; +allow updater devinfo_private_param:file { map open read }; + +# avc: denied { relabelto } for pid=232 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1 +allow updater updater_binary_exec:file { relabelto }; + +# avc: denied { syslog_read } for pid=230 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 +allow updater kernel:system { syslog_read }; + +# avc: denied { read } for pid=232 comm="updater" name="misc" dev="tmpfs" ino=161 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=1 +allow updater dev_block_file:lnk_file { read }; + +# avc: denied { add_name } for pid=232 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { create } for pid=232 comm="updater" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=232 comm="updater" path="/data/updater/log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { write } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +# avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 +allow updater unlabeled:dir { getattr relabelfrom add_name create open read search setattr write }; + +# avc: denied { relabelto } for pid=246 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +allow updater data_updater_file:dir { relabelto }; + +# avc: denied { append open } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { create } for pid=246 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { getattr } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { read } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { relabelfrom } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +# avc: denied { setattr } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +allow updater unlabeled:file { append open create getattr ioctl read relabelfrom setattr }; + +# avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 +allowxperm updater unlabeled:file ioctl { 0x5413 }; + +# avc: denied { relabelto } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +allow updater data_updater_file:file { relabelto }; + +allow updater updater_block_file:blk_file { write getattr read open ioctl lock }; +allowxperm updater updater_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 }; +allow updater updater_block_file:lnk_file { read }; + +# avc: denied { map } for pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=261 comm="hdcd_shellfork" name="u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow updater persist_param:file { map open read }; + +# avc: denied { map } for pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=265 comm="hdcd_shellfork" name="u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 +allow updater updater_flashd_param:file { map open read }; + +') diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/updater_binary.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/updater_binary.te new file mode 100644 index 0000000000000000000000000000000000000000..bce2c225b6369b57a5b548250f62e2bfa1e38cc4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/updater_binary.te @@ -0,0 +1,260 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +updater_only(` + +# avc_audit_slow:267] avc: denied { map } for pid=793, comm="/bin/updater_binary" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="" ino=179 scontext=u:r:updater_binary:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { open } for pid=793, comm="/bin/updater_binary" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="" ino=179 scontext=u:r:updater_binary:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow updater_binary persist_param:file { map open }; + +#avc: denied { search } for pid=281 comm="updater" name="/" dev="rootfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +# avc: denied { read write } for pid=273 comm="updater_binary" name="updater" dev="rootfs" ino=20121 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { add_name } for pid=269 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=264 comm="updater_binary" name="update_tmp" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +# avc: denied { open } for pid=264 comm="updater_binary" path="/data/updater/update_tmp" dev="rootfs" ino=20420 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +# avc: denied { remove_name } for pid=264 comm="updater_binary" name="system" dev="rootfs" ino=20402 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +allow updater_binary rootfs:dir { search read write add_name create open remove_name }; + +#avc: denied { execute } for pid=279 comm="updater" name="ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { read open } for pid=279 comm="updater" path="/lib/ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { map } for pid=279 comm="updater_binary" path="/lib/ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=279 comm="updater_binary" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=418 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { execute_no_trans } for pid=277 comm="updater_binary" path="/bin/processdump" dev="rootfs" ino=17428 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +# avc: denied { create } for pid=267 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +# avc: denied { write } for pid=269 comm="updater_binary" path="/data/updater/loadScript.us" dev="rootfs" ino=27819 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=265 comm="updater_binary" path="/data/updater/Verse-script.us" dev="rootfs" ino=18908 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=264 comm="updater_binary" path="/data/updater/system" dev="rootfs" ino=20402 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +# avc: denied { rename } for pid=264 comm="updater_binary" name="system" dev="rootfs" ino=20402 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 +allow updater_binary rootfs:file { execute read open map getattr execute_no_trans create write ioctl rename }; + +# avc: denied { ioctl } for pid=265 comm="updater_binary" path="/data/updater/Verse-script.us" dev="rootfs" ino=18908 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 +allowxperm updater_binary rootfs:file ioctl { 0x5413 }; + +#avc: denied { ioctl } for pid=270 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17411 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +#avc: denied { write } for pid=270 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17411 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 +allow updater_binary rootfs:chr_file { ioctl write }; +allowxperm updater_binary rootfs:chr_file ioctl { 0x5413 }; + +#avc: denied { search } for pid=281 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow updater_binary tmpfs:dir { search }; + +#avc: denied { execute } for pid=279 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=279 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { execute_no_trans } for pid=279 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { read open } for pid=281 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { append } for pid=270 comm="updater_binary" name="updater.log" dev="tmpfs" ino=2 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=270 comm="updater_binary" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=270 comm="updater_binary" path="/tmp/updater.log" dev="tmpfs" ino=2 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allow updater_binary tmpfs:file { execute read open execute_no_trans append getattr ioctl create write}; +allowxperm updater_binary tmpfs:file ioctl { 0x5413 }; + +# avc: denied { fork } for pid=281 comm="updater_binary" scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1 +allow updater_binary updater_binary:process { fork }; + +# avc: denied { write } for pid=281 comm="updater_binary" path="pipe:[1664]" dev="pipefs" ino=1664 scontext=u:object_r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 +# avc: denied { getattr } for pid=270 comm="updater_binary" path="pipe:[18906]" dev="pipefs" ino=18906 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 +# avc: denied { ioctl } for pid=270 comm="updater_binary" path="pipe:[20191]" dev="pipefs" ino=20191 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 +allow updater_binary updater:fifo_file { write getattr ioctl }; +allowxperm updater_binary updater:fifo_file ioctl { 0x5413 }; + +# avc: denied { use } for pid=270 comm="updater_binary" path="pipe:[20191]" dev="pipefs" ino=20191 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fd permissive=1 +allow updater_binary updater:fd { use }; + +#avc: denied { read } for pid=279 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=279 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=279 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +allow updater_binary ohos_boot_param:file { open map read }; + +# avc: denied { search } for pid=268 comm="updater_binary" name="/" dev="tmpfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +allow updater_binary dev_file:dir { search }; + +# avc: denied { read } for pid=268 comm="updater_binary" name="misc" dev="tmpfs" ino=128 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 +allow updater_binary dev_file:lnk_file { read }; + +# avc: denied { read } for pid=268 comm="updater_binary" name="urandom" dev="tmpfs" ino=5 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_random_file:s0 tclass=chr_file permissive=1 +allow updater_binary dev_random_file:chr_file { read }; + +#avc: denied { search } for pid=268 comm="updater_binary" name="block" dev="tmpfs" ino=94 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow updater_binary dev_block_volfile:dir { search }; + +#avc: denied { read } for pid=268 comm="updater_binary" name="by-name" dev="tmpfs" ino=101 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 +allow updater_binary dev_block_volfile:lnk_file { read }; + +#avc: denied { read write } for pid=268 comm="updater_binary" name="mmcblk0p2" dev="tmpfs" ino=127 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +#avc: denied { open } for pid=270 comm="updater_binary" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { map } for pid=267 comm="updater_binary" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=122 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { getattr } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=128 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +# avc: denied { ioctl } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=120 ioctlcmd=0x1277 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +allow updater_binary dev_block_file:blk_file { read write open map getattr ioctl }; + +# avc: denied { ioctl } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=120 ioctlcmd=0x1277 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 +allowxperm updater_binary dev_block_file:blk_file ioctl { 0x1277 }; + +# avc: denied { search } for pid=282 comm="updater_binary" name="__parameters__" dev="tmpfs" ino=11 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_parameters_file:s0 tclass=dir permissive=1 +allow updater_binary dev_parameters_file:dir { search }; + +# avc: denied { read } for pid=282 comm="updater_binary" name="param_selinux" dev="tmpfs" ino=12 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_parameters_file:s0 tclass=file permissive=1 +allow updater_binary dev_parameters_file:file { read }; + +# avc: denied { search } for pid=282 comm="updater_binary" name="/" dev="proc" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:proc_file:s0 tclass=dir permissive=1 +allow updater_binary proc_file:dir { search }; + +#avc: denied { search } for pid=277 comm="updater_binary" name="277" dev="proc" ino=27311 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=dir permissive=1 +allow updater_binary updater_binary:dir { search }; + +#avc: denied { read } for pid=273 comm="updater_binary" name="by-name" dev="tmpfs" ino=105 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 +allow updater_binary updater_binary:lnk_file { read }; + +# avc: denied { search } for pid=277 comm="updater_binary" name="system" dev="rootfs" ino=18624 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +allow updater_binary system_file:dir { search }; + +# avc: denied { read } for pid=277 comm="updater_binary" name="lib" dev="rootfs" ino=18625 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1 +allow updater_binary system_lib_file:lnk_file { read }; + +# avc: denied { search } for pid=280 comm="updater_binary" name="vendor" dev="rootfs" ino=17285 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 +allow updater_binary vendor_file:dir { search }; + +# avc: denied { read } for pid=280 comm="updater_binary" name="u:object_r:hook_param:s0" dev="tmpfs" ino=35 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=273 comm="updater_binary" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=35 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 +allow updater_binary hook_param:file { read open }; + +#avc: denied { read } for pid=279 comm="updater_binary" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { open } for pid=270 comm="updater_binary" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +#avc: denied { map } for pid=270 comm="updater_binary" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 +allow updater_binary musl_param:file { read open map }; + +# avc: denied { read } for pid=270 comm="updater_binary" name="etc" dev="rootfs" ino=17415 scontext=u:r:updater_binary:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 +allow updater_binary system_etc_file:lnk_file { read }; + +# avc: denied { read } for pid=273 comm="updater_binary" name="u:object_r:time_param:s0" dev="tmpfs" ino=51 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:time_param:s0 tclass=file permissive=1 +allow updater_binary time_param:file { read }; + +# avc: denied { create } for pid=273 comm="updater_binary" scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=unix_dgram_socket permissive=1 +allow updater_binary updater_binary:unix_dgram_socket { create }; + +# avc: denied { search } for pid=274 comm="updater_binary" name="unix" dev="tmpfs" ino=7 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_unix_file:s0 tclass=dir permissive=1 +allow updater_binary dev_unix_file:dir { search }; + +#avc: denied { search } for pid=270 comm="updater_binary" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow updater_binary dev_unix_socket:dir { search }; + +# avc: denied { write } for pid=274 comm="updater_binary" name="hilogInput" dev="tmpfs" ino=315 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hilog_input_socket:s0 tclass=sock_file permissive=1 +allow updater_binary hilog_input_socket:sock_file { write }; + +# avc: denied { use } for pid=274 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17230 ioctlcmd=0x5413 scontext=u:object_r:updater_binary:s0 tcontext=u:r:kernel:s0 tclass=fd permissive=1 +allow updater_binary kernel:fd { use }; + +# avc: denied { search } for pid=270 comm="updater_binary" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +# avc: denied { add_name } for pid=263 comm="updater_binary" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=271 comm="updater_binary" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +# avc: denied { getattr } for pid=268 comm="updater_binary" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +# avc: denied { write } for pid=266 comm="updater_binary" name="data" dev="rootfs" ino=2725 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 +allow updater_binary data_file:dir { search add_name create getattr write }; + +#avc: denied { add_name } for pid=279 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { search } for pid=270 comm="updater_binary" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { read write } for pid=270 comm="updater_binary" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=270 comm="updater_binary" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 +# avc: denied { setattr } for pid=263 comm="updater_binary" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { remove_name } for pid=267 comm="updater_binary" name="vendor" dev="mmcblk0p12" ino=4733 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { create } for pid=268 comm="updater_binary" name="update_tmp" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +# avc: denied { open } for pid=270 comm="updater_binary" path="/data/updater/update_tmp" dev="mmcblk0p12" ino=1376 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 +allow updater_binary data_updater_file:dir { open create setattr add_name search read write getattr remove_name }; +allow updater_binary update_firmware_file:dir { open create setattr add_name search read write getattr remove_name }; + +#avc: denied { read } for pid=270 comm="updater_binary" name="updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=270 comm="updater_binary" path="/data/updater/updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=270 comm="updater_binary" path="/data/updater/updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { write } for pid=270 comm="updater_binary" name="update.bin.tmp" dev="mmcblk0p12" ino=5916 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#avc: denied { create } for pid=279 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +#denied { ioctl } for pid=281 comm="updater_binary" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=6829 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 +# avc: denied { rename } for pid=268 comm="updater_binary" name="vendor" dev="mmcblk0p12" ino=1006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 +# avc: denied { setattr } for pid=268 comm="updater_binary" name="vendor_retry" dev="mmcblk0p12" ino=4748 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 +# avc: denied { unlink } for pid=269 comm="updater_binary" name="deaf4cd35457797973b4e888888560b4794df92865f14d616ae99853a484605b" dev="mmcblk0p12" ino=1918 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 +allow updater_binary data_updater_file:file { read open getattr write create ioctl rename setattr unlink map}; +allowxperm updater_binary data_updater_file:file ioctl { 0x5413 }; + +allow updater_binary update_firmware_file:file { read open getattr write create ioctl rename setattr unlink map}; +allowxperm updater_binary update_firmware_file:file ioctl { 0x5413 }; + +# avc: denied { read } for pid=279 comm="processdump" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { open } for pid=278 comm="processdump" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +# avc: denied { map } for pid=278 comm="processdump" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 +allow updater_binary hilog_param:file { read open map }; + +# avc: denied { read write } for pid=272 comm="processdump" path="/data/log/faultlog/temp/cppcrash-265-1679413199123" dev="mmcblk0p12" ino=8782 scontext=u:r:updater_binary:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0 +allow updater_binary faultloggerd_temp_file:file { read write }; + +# avc: denied { search } for pid=279 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 +# avc: denied { read write } for pid=281 comm="updater_binary" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 +allow updater_binary exfat:dir { search read write }; + +# avc: denied { read } for pid=270 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { open } for pid=270 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=265 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { write } for pid=265 comm="updater_binary" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 +allow updater_binary exfat:file { read open getattr write ioctl }; +allowxperm updater_binary exfat:file ioctl { 0x5413 }; + +# avc: denied { read write } for pid=262 comm="updater_binary" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +# avc: denied { search } for pid=262 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 +allow updater_binary vfat:dir { search read write }; + +# avc: denied { read } for pid=268 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +# avc: denied { open } for pid=267 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=261 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +# avc: denied { write } for pid=261 comm="updater_binary" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +allow updater_binary vfat:file { read open getattr write ioctl }; + +# avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 +allowxperm updater_binary vfat:file ioctl { 0x5413 }; + +# avc: denied { search } for pid=268 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 +allow updater_binary ntfs:dir { search read write }; + +# avc: denied { read } for pid=276 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +# avc: denied { ioctl } for pid=268 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +allow updater_binary ntfs:file { read open getattr write ioctl }; + +# avc: denied { ioctl } for pid=268 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 +allowxperm updater_binary ntfs:file ioctl { 0x5413 }; + +allow updater_binary tmpfs:dir { read write add_name }; + +# avc: denied { map } for pid=272 comm="updater_binary" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=272 comm="updater_binary" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=272 comm="updater_binary" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow updater_binary debug_param:file { map open read }; + +allow updater_binary data_file:file { setattr write create }; + +allow updater_binary exfat:file { map }; +allow updater_binary ntfs:file { map }; +allow updater_binary vfat:file { map }; + +# avc: denied { execute_no_trans } for pid=267 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater_binary:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=0 +allow updater_binary updater_binary_exec:file { execute_no_trans }; + +# avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +allow updater_binary dev_dri_file:chr_file { ioctl }; + +# avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +# avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 +allowxperm updater_binary dev_dri_file:chr_file ioctl { 0x6409 0x64af }; + +allow updater_binary updater_block_file:blk_file { read write open map getattr ioctl }; +allowxperm updater_binary updater_block_file:blk_file ioctl { 0x1277 }; +') +allow updater_binary self:xpm { exec_no_sign }; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater/system/write_updater.te b/prebuilts/api/5.0/ohos_policy/update/updater/system/write_updater.te new file mode 100644 index 0000000000000000000000000000000000000000..be28a27278770fc61a62e5fe6a67f33b6fc38792 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater/system/write_updater.te @@ -0,0 +1,43 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { map } for pid=1449 comm="write_updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:write_updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1449 comm="write_updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:write_updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=1449 comm="write_updater" name="u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:write_updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 +allow write_updater debug_param:file { map open read }; + +# avc: denied { search } for pid=1449 comm="write_updater" name="by-name" dev="tmpfs" ino=12 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=1 +allow write_updater dev_block_file:dir { search }; + +# avc: denied { search } for pid=1449 comm="write_updater" name="block" dev="tmpfs" ino=6 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 +allow write_updater dev_block_volfile:dir { search }; + +# avc: denied { read write } for pid=1449 comm="write_updater" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1 +allow write_updater dev_console_file:chr_file { read write }; + +# avc: denied { read } for pid=1449 comm="write_updater" name="misc" dev="tmpfs" ino=37 scontext=u:r:write_updater:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1 +allow write_updater updater_block_file:lnk_file { read }; + +# avc: denied { read write } for pid=1497 comm="write_updater" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:write_updater:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { open } for pid=1497 comm="write_updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:write_updater:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { ioctl } for pid=1559 comm="write_updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:write_updater:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +# avc: denied { getattr } for pid=1559 comm="write_updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:write_updater:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow write_updater updater_block_file:blk_file { read write open ioctl getattr }; + +# avc: denied { search } for pid=1531 comm="write_updater" name="socket" dev="tmpfs" ino=43 scontext=u:r:write_updater:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow write_updater dev_unix_socket:dir { search }; + +# avc: denied { read } for pid=591 comm="write_updater" name="u:object_r:persist_param:s0" dev="tmpfs" ino=70 scontext=u:r:write_updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=1546 comm="write_updater" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=70 scontext=u:r:write_updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { map } for pid=1546 comm="write_updater" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=70 scontext=u:r:write_updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow write_updater persist_param:file { read open map }; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/attributes b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..fffd18eca93e727aa666718980c8d8d4447f9691 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute unlabeled_dir_file_violators; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file.te new file mode 100644 index 0000000000000000000000000000000000000000..fbd4b38ee3479d1490bf302a85e7a2cfcf91a21e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific + +type update_dupdate_engine_file, data_file_attr, file_attr; +type update_update_service_file, data_file_attr, file_attr; +type update_firmware_file, data_file_attr, file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file_contexts b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..b9c13afae58bf25fbac70919f9685294db8b7ee4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/file_contexts @@ -0,0 +1,19 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific + +/data/service/el1/public/update/dupdate_engine u:object_r:update_dupdate_engine_file:s0 +/data/service/el1/public/update/dupdate_engine(/.*)? u:object_r:update_dupdate_engine_file:s0 +/data/service/el1/public/update/update_service u:object_r:update_update_service_file:s0 +/data/service/el1/public/update/update_service(/.*)? u:object_r:update_update_service_file:s0 +/data/update/ota_package u:object_r:update_firmware_file:s0 +/data/update/ota_package/(.*)? u:object_r:update_firmware_file:s0 + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/type.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..9531bdab24f3fb152c982ffc7aa813e7ce496ee4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/public/type.te @@ -0,0 +1,13 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific + +type updater_sa, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/foundation.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..ccd408ca97981ff38487b625e3a208f164244f8d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=548 comm="OS_IPC_13_968" scontext=u:r:foundation:s0 tcontext=u:r:updater_sa:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=548 comm="OS_FFRT_2_4" scontext=u:r:foundation:s0 tcontext=u:r:updater_sa:s0 tclass=binder permissive=1 +allow foundation updater_sa:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/init.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..e40d42b5ef5a144799d411cacc7802a33677f2d1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/init.te @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init update_firmware_file:dir { search write create add_name getattr open read relabelto setattr }; +allow init update_firmware_file:file { getattr }; +allow init update_dupdate_engine_file:dir { getattr open read relabelto search setattr }; +allow init update_dupdate_engine_file:file { getattr relabelto }; +allow init update_update_service_file:dir { getattr open read relabelto search setattr }; +allow init update_update_service_file:file { getattr relabelto }; +allow init updater_sa:file { getattr }; + +# avc: denied { setattr } for pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1 +allow init updater_block_file:blk_file { setattr }; + +# avc: denied { read } for pid=1 comm="init" name="misc" dev="tmpfs" ino=37 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=1 +allow init updater_block_file:lnk_file { read }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..5256b226b767bfa22025a6c87ca9006e658703ac --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/memmgrservice.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice updater_sa:file { getattr }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..372de4e16980bf8e2584b4cef7f8ad78622eef78 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/normal_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr dev_unix_socket:dir { search }; +allow normal_hap_attr system_bin_file:dir { search }; +allow normal_hap_attr system_bin_file:file { execute read }; +allow normal_hap_attr toybox_exec:file { execute execute_no_trans getattr map read open }; +allow normal_hap_attr sysfs_devices_system_cpu:file { getattr }; +allow normal_hap_attr sysfs_devices_system_cpu:dir { read open }; +allow normal_hap_attr sa_update_distributed_service:samgr_class { get }; +allow normal_hap_attr updater_sa:binder { call transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/time_service.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..30e861dbcd848ea6d44da9f3f2eba105f9f763ab --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/time_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { call } for pid=472 comm="timer_loop" scontext=u:r:time_service:s0 tcontext=u:r:updater_sa:s0 tclass=binder permissive=0 +allow time_service updater_sa:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/updater_sa.te b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/updater_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..9969ac2e105fcf6cdfec08d59769b6ec1ff2647d --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/update/updater_sa/system/updater_sa.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +allow updater_sa dev_unix_socket:dir { search }; +allow updater_sa port:tcp_socket { name_connect }; +allow updater_sa updater_sa:tcp_socket { connect create read setopt write getopt getattr }; +allow updater_sa updater_sa:unix_dgram_socket { getopt setopt }; +allow updater_sa data_file:dir { search }; +allow updater_sa data_ota_package:dir { add_name search write remove_name getattr }; +allow updater_sa data_ota_package:dir { append ioctl open read rmdir }; +allow updater_sa data_ota_package:file { append create ioctl open read rename unlink getattr }; +allow updater_sa dev_file:sock_file { write }; +allow updater_sa netsysnative:unix_stream_socket { connectto }; +allow updater_sa updater_sa:udp_socket { create bind connect getattr read write }; +allow updater_sa node:udp_socket { node_bind }; +allow updater_sa system_basic_hap_attr:binder { call }; +allow updater_sa huks_service:binder { call }; +allow updater_sa foundation:binder { call }; +binder_call(updater_sa, powermgr); +allow updater_sa sa_powermgr_battery_service:samgr_class { get }; +allow updater_sa sa_foundation_abilityms:samgr_class { get }; +allow updater_sa data_service_file:dir { search }; +allow updater_sa data_service_el1_file:dir { search write add_name remove_name read open getattr }; +allow updater_sa data_service_el1_file:file { create getattr read write open lock ioctl unlink map setattr rename }; +allow updater_sa dev_ashmem_file:chr_file { open }; +allow updater_sa musl_param:file { read open map }; +allow updater_sa sa_net_conn_manager:samgr_class { get }; +allow updater_sa netmanager:binder { call transfer }; +allow updater_sa normal_hap_attr:binder { call }; +allow updater_sa update_firmware_file:dir { search read open write getattr add_name remove_name }; +allow updater_sa update_firmware_file:file {create read append open getattr unlink setattr ioctl write }; +allowxperm updater_sa update_firmware_file:file ioctl { 0x5413 }; +allow updater_sa data_file:dir { read open write getattr setattr add_name remove_name }; +allow updater_sa tmpfs:dir { read open }; +allow updater_sa data_updater_file:dir { search getattr write add_name create }; +allow updater_sa data_updater_file:file { read open getattr create append setattr ioctl write }; +allow updater_sa dev_console_file:chr_file { read write }; +allow updater_sa sysfs_devices_system_cpu:file { read write open getattr }; +allow updater_sa dev_file:dir { getattr }; +allow updater_sa update_firmware_file:dir { create rmdir setattr }; +allow updater_sa update_dupdate_engine_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow updater_sa update_dupdate_engine_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allowxperm updater_sa update_dupdate_engine_file:file ioctl { 0x5413 0xf50c 0xf546 0xf547 }; + +allow updater_sa update_update_service_file:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow updater_sa update_update_service_file:file { create getattr ioctl lock map open read rename setattr unlink write }; +allowxperm updater_sa update_update_service_file:file ioctl { 0x5413 0xf50c 0xf546 0xf547 }; + +allow updater_sa servicectrl_param:parameter_service { set }; +allow updater_sa sa_sys_installer_service:samgr_class { get }; +allow updater_sa sys_installer_sa:binder { call transfer }; +allow updater_sa devinfo_private_param:file { map open read }; + +# avc: denied { search } for pid=1522 comm="updater_sa" name="by-name" dev="tmpfs" ino=12 scontext=u:r:updater_sa:s0 tcontext=u:object_r:dev_block_file:s0 tclass=dir permissive=0 +allow updater_sa dev_block_file:dir { search }; + +# avc: denied { map } for pid=485 comm="updater_sa" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:updater_sa:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=485 comm="updater_sa" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:updater_sa:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=1578 comm="updater_sa" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:updater_sa:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0 +allow updater_sa arkcompiler_param:file { map open read }; +allow updater_sa ark_writeable_param:file { map open read }; +#avc: denied { get } for service=3702 pid=472 scontext=u:r:updater_sa:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=0 +allow updater_sa sa_time_service:samgr_class { get }; +#avc: denied { call } for service=3702 pid=472 scontext=u:r:updater_sa:s0 tcontext=u:object_r:time_service:s0 tclass=binder permissive=0 +#avc: denied { transfer } for service=3702 pid=472 scontext=u:r:updater_sa:s0 tcontext=u:object_r:time_service:s0 tclass=binder permissive=0 +allow updater_sa time_service:binder { call transfer }; + +#avc: denied { transfer } for pid=473 comm="OS_IPC_2_1087" scontext=u:r:updater_sa:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow updater_sa foundation:binder { transfer }; + diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_driver/public/attributes b/prebuilts/api/5.0/ohos_policy/usb/usb_driver/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..a3537cffcf7b9e5bfc3a76ac2e753f11768b286a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_driver/public/attributes @@ -0,0 +1,17 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + attribute process_dyntransition_su_violators; + attribute ioctl_0x5412_chr_file_devpts_violators; +') diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/attributes b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..0753cfd3acb7b6e32ad43628f641c070cdb7cc31 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/attributes @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute usb_setting_param_attr; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/usb_service.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/usb_service.te new file mode 100644 index 0000000000000000000000000000000000000000..8ea0f256326f2c166630572e02b36702ee169bc1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/public/usb_service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_usb_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/foundation.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..a5e177fa4e4a1155e86a92ce65c7007cb32ff266 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/foundation.te @@ -0,0 +1,16 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow foundation usb_service:binder { call transfer }; +allow foundation usb_service:dir { search }; +allow foundation usb_service:file { getattr open read }; +allow foundation usb_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/normal_hap_attr.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/normal_hap_attr.te new file mode 100644 index 0000000000000000000000000000000000000000..079d4e66b46a72f6244459f9c3c425f7a4f508fe --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/normal_hap_attr.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=1737 comm="IPC_1_1739" scontext=u:r:normal_hap:s0 tcontext=u:r:console:s0 tclass=binder permissive=1 +# avc: denied { getattr } for pid=1812 comm="com.usb.right" path="/data/storage/el1/bundle/entry" dev="mmcblk0p11" ino=1211 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +debug_only(` + allow normal_hap_attr console:binder { call }; +') +allow normal_hap_attr sa_usb_service:samgr_class { get }; +allow normal_hap_attr usb_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..96446e076290af202f20b2342b484ee0bb788a90 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/parameter_contexts @@ -0,0 +1,23 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +persist.usb.setting. u:object_r:usb_setting_param:s0 +usb.setting. u:object_r:usb_setting_param:s0 +persist.sys.usb. u:object_r:sys_usb_param:s0 +sys.usb.config u:object_r:sys_usb_param:s0 +sys.usb.state u:object_r:sys_usb_param:s0 +sys.usb.ffs.ready u:object_r:sys_usb_param:s0 +sys.usb.controller u:object_r:sys_usb_param:s0 +sys.usb.configfs u:object_r:sys_usb_param:s0 +sys.usb.confighdc u:object_r:sys_usb_param:s0 +sys.usb.mtp.ready u:object_r:sys_usb_param:s0 +sys.usb.ncm.ntb_size u:object_r:sys_usb_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..3d6e3d731d7407891b8c624e494072f53405a2b1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_basic_hap.te @@ -0,0 +1,19 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow system_basic_hap_attr usb_setting_param:file { map open read }; +allow system_basic_hap_attr appspawn:unix_stream_socket { read write }; +allow system_basic_hap_attr data_app_el1_file:dir { getattr }; +allow system_basic_hap_attr sa_usb_service:samgr_class { get }; +allow system_basic_hap_attr usb_service:binder { call }; +allow system_basic_hap_attr usb_setting_param:parameter_service {set}; +allow system_basic_hap_attr usb_service:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..1c2a5fecca83678108f416c013e5655a11e64cfa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/system_core_hap.te @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +allow system_core_hap_attr usb_setting_param:file { map open read }; +allow system_core_hap_attr appspawn:unix_stream_socket { read write }; +allow system_core_hap_attr data_app_el1_file:dir { getattr }; +allow system_core_hap_attr sa_usb_service:samgr_class { get }; +allow system_core_hap_attr usb_service:binder { call }; +allow system_core_hap_attr usb_setting_param:parameter_service {set}; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/type.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/type.te new file mode 100644 index 0000000000000000000000000000000000000000..eb70cf637a473fadbebb764476a83ecc1d2fe109 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/type.te @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +type usb_setting_param, parameter_attr; +allow init {parameter_attr -usb_setting_param}:file { read getattr open }; diff --git a/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/usb_service.te b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/usb_service.te new file mode 100644 index 0000000000000000000000000000000000000000..a576517c98c3e3ce4ac65e8078c9659bf704a2b6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/usb/usb_manager/system/usb_service.te @@ -0,0 +1,115 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usb_service accessibility_param:file { map open read }; +debug_only(` + allow usb_service console:binder { call }; + allow usb_service console:fd { use }; +') +allow usb_service sa_enterprise_device_manager_service:samgr_class { get }; +allow usb_service edm_sa:binder { call }; +allow usb_service data_file:dir { search }; +allow usb_service dev_unix_socket:dir { search }; +allow usb_service dev_unix_socket:sock_file { write }; +allow usb_service foundation:binder { call }; +allow usb_service hdf_devmgr:binder { call }; +allow usb_service hdf_usbd:hdf_devmgr_class { get }; +allow usb_service hdf_usb_interface_service:hdf_devmgr_class { get }; +allow usb_service init:binder { call transfer }; +allow usb_service param_watcher:binder { call transfer }; +allow usb_service sa_device_service_manager:samgr_class { get }; +allow usb_service sa_foundation_bms:samgr_class { get }; +allow usb_service sa_foundation_cesfwk_service:samgr_class { get }; +allow usb_service sa_param_watcher:samgr_class { get }; +allow usb_service sa_usb_service:samgr_class { get add }; +allow usb_service samain_exec:file { entrypoint execute }; +allow usb_service samgr:binder { call transfer }; +allow usb_service system_bin_file:dir { search }; +allow usb_service system_etc_file:dir { getattr open read }; +allow usb_service system_lib_file:lnk_file { read }; +allow usb_service system_profile_file:dir { search }; +allow usb_service tracefs:dir { search }; +allow usb_service tracefs_trace_marker_file:file { open write }; +allow usb_service usb_host:binder { call transfer }; +allow usb_service usb_service:dir { search }; +allow usb_service usb_service:lnk_file { read }; +allow usb_service vendor_file:file { execute getattr map open read }; +allow usb_service vendor_lib_file:dir { search }; +allow usb_service vendor_lib_file:file { execute map getattr open read }; +allow usb_service dev_console_file:chr_file { read write }; +allow usb_service sa_foundation_dms:samgr_class { get }; +allow usb_service sa_subsys_ace_service:samgr_class { get }; +allow usb_service ui_service:binder { transfer call }; +allow usb_service sa_foundation_abilityms:samgr_class { get }; +allow usb_service foundation:binder { transfer }; +allow usb_service musl_param:file { read }; +allow usb_service system_core_hap_attr:binder { call }; +allow usb_service data_service_file:dir { search }; +allow usb_service data_service_el1_file:dir { search }; +allow usb_service data_service_el1_file:file { ioctl open read write getattr }; +neverallow { domain -SP_daemon -system_core_hap_attr -system_basic_hap_attr -usb_service -usb_setting_param_attr } usb_setting_param:file { map open read }; +neverallow { domain -system_core_hap_attr -system_basic_hap_attr -usb_setting_param_attr } usb_setting_param:parameter_service { set };; +allow usb_service bootevent_param:file { map read open }; +allow usb_service bootevent_samgr_param:file { map open read }; +allow usb_service build_version_param:file { map open read }; +allow usb_service const_allow_mock_param:file { map open read }; +allow usb_service const_allow_param:file { map open read }; +allow usb_service const_build_param:file { map open read }; +allow usb_service const_display_brightness_param:file { map open read }; +allow usb_service const_param:file { map open read }; +allow usb_service const_postinstall_fstab_param:file { map open read }; +allow usb_service const_postinstall_param:file { map open read }; +allow usb_service const_product_param:file { map open read }; +allow usb_service debug_param:file { map open read }; +allow usb_service default_param:file { map open read }; +allow usb_service distributedsche_param:file { map open read }; +allow usb_service hilog_param:file { map open read }; +allow usb_service hw_sc_build_os_param:file { map open read }; +allow usb_service hw_sc_build_param:file { map read open }; +allow usb_service hw_sc_param:file { map open read }; +allow usb_service init_param:file { map open read }; +allow usb_service init_svc_param:file { map open read }; +allow usb_service input_pointer_device_param:file { map open read }; +allow usb_service net_param:file { map open read }; +allow usb_service net_tcp_param:file { map open read }; +allow usb_service ohos_boot_param:file { map open read }; +allow usb_service ohos_param:file { map open read }; +allow usb_service persist_param:file { map open read }; +allow usb_service persist_sys_param:file { map open read }; +allow usb_service security_param:file { map open read }; +allow usb_service startup_param:file { map open read }; +allow usb_service sys_param:file { map open read }; +allow usb_service sys_usb_param:file { map open read }; +allow usb_service data_service_file:dir { search }; +allow usb_service data_service_el1_file:dir { search add_name open write read remove_name }; +allow usb_service data_service_el1_file:file { ioctl open read write getattr create lock map unlink }; +allow usb_service dev_ashmem_file:chr_file { open }; +allow usb_service usb_setting_param:file { map open read }; +allow usb_service sa_distributeddata_service:samgr_class { get }; +allow usb_service data_service_el1_file:file { setattr }; +allow usb_service distributeddata:binder { call }; +allow usb_service developtools_hdc_control_param:file { map open read }; +allow usb_service sa_foundation_ans:samgr_class { get }; +allow usb_service sa_accountmgr:samgr_class { get }; +allow usb_service accountmgr:binder { call transfer }; +allow usb_service system_basic_hap:binder { call transfer }; +allow usb_service sa_memory_manager_service:samgr_class { get }; +allow usb_service memmgrservice:binder { call }; +allow usb_service usb_host:fd { use }; +allow usb_service dev_bus_usb_file:chr_file { read write }; +allow normal_hap dev_bus_usb_file:chr_file { ioctl read write }; +allow debug_hap dev_bus_usb_file:chr_file { ioctl read write }; +allowxperm normal_hap dev_bus_usb_file:chr_file ioctl { 0x5500 0x5504 0x5505 0x5508 0x550a 0x550b 0x550d 0x550f 0x5510 0x5511 0x5512 0x5514 0x5515 0x5516 0x5517 0x551a 0x551b 0x551c 0x551d 0x551e 0x551f }; +allowxperm debug_hap dev_bus_usb_file:chr_file ioctl { 0x5500 0x5504 0x5505 0x5508 0x550a 0x550b 0x550d 0x550f 0x5510 0x5511 0x5512 0x5514 0x5515 0x5516 0x5517 0x551a 0x551b 0x551c 0x551d 0x551e 0x551f }; +allow normal_hap dev_usb_accessory_file:chr_file { read write }; +allow debug_hap dev_usb_accessory_file:chr_file { read write }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/public/pinauth.te b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/public/pinauth.te new file mode 100644 index 0000000000000000000000000000000000000000..fc5d88b5b557f776b39a6afd351c98ceb09381a4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/public/pinauth.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type pinauth, sadomain, domain; +type sa_useriam_pinauth_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/pinauth.te b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/pinauth.te new file mode 100644 index 0000000000000000000000000000000000000000..d658eae78937c88fd42ac4ced6623bda8bccf958 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/pinauth.te @@ -0,0 +1,80 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=941 pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:sa_useriam_pinauth_service:s0 tclass=samgr_class permissive=1 +allow pinauth sa_useriam_pinauth_service:samgr_class { add }; + +#avc: denied { get } for service=3503 pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow pinauth sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=3901 pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow pinauth sa_param_watcher:samgr_class { get }; + +#avc: denied { get } for service=931 pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:sa_useriam_authexecutormgr_service:s0 tclass=samgr_class permissive=1 +allow pinauth sa_useriam_authexecutormgr_service:samgr_class { get }; + +#avc: denied { get } for service=5100 pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow pinauth sa_device_service_manager:samgr_class { get }; + +#avc: denied { get } for service=pin_auth_interface_service pid=919 scontext=u:r:pinauth:s0 tcontext=u:object_r:hdf_pin_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow pinauth hdf_pin_auth_interface_service:hdf_devmgr_class { get }; + +allow pinauth system_core_hap_attr:binder { call transfer }; + +allow pinauth sa_miscdevice_service:samgr_class { get }; +allow pinauth sensors:binder { call }; + +allow pinauth accesstoken_service:binder { call }; +allow pinauth bootevent_param:file { map open read }; +allow pinauth bootevent_samgr_param:file { map open read }; +allow pinauth build_version_param:file { map open read }; +allow pinauth const_allow_mock_param:file { map open read }; +allow pinauth const_allow_param:file { map open read }; +allow pinauth const_build_param:file { map open read }; +allow pinauth const_display_brightness_param:file { map open read }; +allow pinauth const_param:file { map open read }; +allow pinauth const_postinstall_fstab_param:file { map open read }; +allow pinauth const_postinstall_param:file { map open read }; +allow pinauth const_product_param:file { map open read }; +allow pinauth debug_param:file { map open read }; +allow pinauth default_param:file { map open read }; +allow pinauth dev_unix_socket:dir { search }; +allow pinauth distributedsche_param:file { map open read }; +allow pinauth hdf_devmgr:binder { call transfer }; +allow pinauth hilog_param:file { map open read }; +allow pinauth hw_sc_build_os_param:file { map open read }; +allow pinauth hw_sc_build_param:file { map open read }; +allow pinauth hw_sc_param:file { map open read }; +allow pinauth init_param:file { map open read }; +allow pinauth init_svc_param:file { map open read }; +allow pinauth input_pointer_device_param:file { map open read }; +allow pinauth net_param:file { map open read }; +allow pinauth net_tcp_param:file { map open read }; +allow pinauth ohos_boot_param:file { map open read }; +allow pinauth ohos_param:file { map open read }; +allow pinauth param_watcher:binder { call transfer }; +allow pinauth persist_param:file { map open read }; +allow pinauth persist_sys_param:file { map open read }; +allow pinauth pin_auth_host:binder { call transfer }; +allow pinauth pinauth:unix_dgram_socket { getopt setopt }; +allow pinauth security_param:file { map open read }; +allow pinauth startup_param:file { map open read }; +allow pinauth sys_param:file { map open read }; +allow pinauth system_basic_hap_attr:binder { call transfer }; +allow pinauth system_bin_file:dir { search }; +allow pinauth sys_usb_param:file { map open read }; +allow pinauth tracefs:dir { search }; +allow pinauth tracefs_trace_marker_file:file { open write }; +allow pinauth useriam:binder { call transfer }; +allow pinauth dev_at_file:chr_file { ioctl }; +allowxperm pinauth dev_at_file:chr_file ioctl { 0x4103 }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f86187f87be90fcde8d6c75eef042ffa9703236e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_basic_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=941 pid=919 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_pinauth_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_pinauth_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..4db9f277c34f7ac57b7fe1268a3a73bba6fcace9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/pinauth_auth/system/system_core_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_useriam_pinauth_service:samgr_class { get }; +allow system_core_hap_attr pinauth:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/public/userauth.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/public/userauth.te new file mode 100644 index 0000000000000000000000000000000000000000..6f3e171429ae079ca50bf3a2e001cd6fe2a17cea --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/public/userauth.te @@ -0,0 +1,19 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type useriam, sadomain, domain; +type sa_useriam_userauth_service, sa_service_attr; +type sa_useriam_useridm_service, sa_service_attr; +type sa_useriam_authexecutormgr_service, sa_service_attr; +type sa_useriam_faceauth_service, sa_service_attr; +type sa_useriam_fingerprintauth_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..9bb64493f85abe32e6afebd832a5de7f214955cf --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/normal_hap.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_attr useriam:binder { call transfer }; +allow normal_hap_attr sa_useriam_userauth_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter.te new file mode 100644 index 0000000000000000000000000000000000000000..cf4d1b620de65fd4923694b9f9a5aca1fc850c8c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter.te @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type useriam_fwkready_param, parameter_attr; +type useriam_enable_writable_param, parameter_attr; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..0140bd52804776f08e85af5aeada3fff6e36e55c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/parameter_contexts @@ -0,0 +1,15 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +bootevent.useriam.fwkready u:object_r:useriam_fwkready_param:s0 +persist.useriam.enable. u:object_r:useriam_enable_writable_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..a5e232f4f73807c0e914fd4b75d56164553f239a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_basic_hap.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { get } for service=901 pid=573 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_useridm_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_useridm_service:samgr_class { get }; + +#avc: denied { get } for service=921 pid=573 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_userauth_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_userauth_service:samgr_class { get }; + +#avc: denied { get } for service=931 pid=573 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_authexecutormgr_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_authexecutormgr_service:samgr_class { get }; + +#avc: denied { get } for service=942 pid=920 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_faceauth_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_faceauth_service:samgr_class { get }; + +#avc: denied { get } for service=943 pid=918 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_useriam_fingerprintauth_service:s0 tclass=samgr_class permissive=1 +allow system_basic_hap_attr sa_useriam_fingerprintauth_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_core_hap.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..1ac78ea4b6342391b2601d54be31c4baa3b3b275 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/system_core_hap.te @@ -0,0 +1,22 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap_attr sa_useriam_useridm_service:samgr_class { get }; + +allow system_core_hap_attr sa_useriam_userauth_service:samgr_class { get }; + +allow system_core_hap_attr sa_useriam_authexecutormgr_service:samgr_class { get }; + +allow system_core_hap_attr sa_useriam_faceauth_service:samgr_class { get }; + +allow system_core_hap_attr sa_useriam_fingerprintauth_service:samgr_class { get }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/userauth.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/userauth.te new file mode 100644 index 0000000000000000000000000000000000000000..9b8fa0118e8e1636fa4a0b1b3e67a0a55b5cdfc4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/userauth.te @@ -0,0 +1,79 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { add } for service=901 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_useriam_useridm_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_useridm_service:samgr_class { add }; + +#avc: denied { add } for service=921 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_useriam_userauth_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_userauth_service:samgr_class { add }; + +#avc: denied { add } for service=931 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_useriam_authexecutormgr_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_authexecutormgr_service:samgr_class { add }; + +#avc: denied { add } for service=942 pid=515 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_useriam_faceauth_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_faceauth_service:samgr_class { add }; + +#avc: denied { add } for service=943 pid=918 scontext=u:r:fingerprintauth:s0 tcontext=u:object_r:sa_useriam_fingerprintauth_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_fingerprintauth_service:samgr_class { add }; + +#avc: denied { get } for service=931 pid=515 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_useriam_authexecutormgr_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_useriam_authexecutormgr_service:samgr_class { get }; + +#avc: denied { get } for service=3503 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1 +allow useriam sa_accesstoken_manager_service:samgr_class { get }; + +#avc: denied { get } for service=5100 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 +allow useriam sa_device_service_manager:samgr_class { get }; + +#avc: denied { get } for service=200 pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 +allow useriam sa_accountmgr:samgr_class { get }; + +#avc: denied { get } for service=user_auth_interface_service pid=573 scontext=u:r:useriam:s0 tcontext=u:object_r:hdf_user_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow useriam hdf_user_auth_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=face_auth_interface_service pid=552 scontext=u:r:useriam:s0 tcontext=u:object_r:hdf_face_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow useriam hdf_face_auth_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=fingerprint_auth_interface_service pid=918 scontext=u:r:fingerprintauth:s0 tcontext=u:object_r:hdf_fingerprint_auth_interface_service:s0 tclass=hdf_devmgr_class permissive=1 +allow useriam hdf_fingerprint_auth_interface_service:hdf_devmgr_class { get }; + +#avc: denied { get } for service=401 pid=520 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0 +allow useriam sa_foundation_bms:samgr_class { get }; + +#avc: denied { call } for pid=509 comm="IPC_1_853" scontext=u:r:useriam:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0 +allow useriam foundation:binder { call }; + +#avc: denied { get } for service=501 pid=625 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0 +allow useriam sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for service=4802 pid=592 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=0 +allow useriam sa_foundation_devicemanager_service:samgr_class { get }; + +# avc: denied { call } for pid=546 comm="SoftBusMagInit" scontext=u:r:useriam:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=546 comm="SoftBusMagInit" scontext=u:r:useriam:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 +allow useriam device_manager:binder { call transfer }; + +# avc: denied { call } for pid=265 comm="OS_IPC_1_294" scontext=u:r:device_manager:s0 tcontext=u:r:useriam:s0 tclass=binder permissive=0 +allow device_manager useriam:binder { call }; + +# avc: denied { get } for service=4700 pid=519 scontext=u:r:useriam:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=0 +allow useriam sa_softbus_service:samgr_class { get }; + +# avc: denied { call } for pid=674 comm="SoftBusMagInit" scontext=u:r:useriam:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0 +# avc: denied { transfer } for pid=674 comm="SoftBusMagInit" scontext=u:r:useriam:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0 +allow useriam softbus_server:binder { call transfer }; +allow useriam softbus_server:fd { use }; +allow useriam softbus_server:tcp_socket { read write setopt shutdown }; + +# avc: denied { call } for pid=553 comm="OS_IPC_3_1801" scontext=u:r:softbus_server:s0 tcontext=u:r:useriam:s0 tclass=binder permissive=1 +allow softbus_server useriam:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/useriam.te b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/useriam.te new file mode 100644 index 0000000000000000000000000000000000000000..24b2da5da167e62e9e91dee24ca1866ab08e974a --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/useriam/user_auth/system/useriam.te @@ -0,0 +1,93 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow useriam sa_sensor_service:samgr_class { get }; +allow useriam sa_miscdevice_service:samgr_class { get }; +allow useriam sensors:binder { call }; + +allow useriam accesstoken_service:binder { call }; +allow useriam accountmgr:binder { call }; +allow useriam accountmgr:fd { use }; +allow useriam bootevent_param:file { map open read }; +allow useriam bootevent_param:parameter_service { set }; +allow useriam bootevent_samgr_param:file { map open read }; +allow useriam build_version_param:file { map open read }; +allow useriam const_allow_mock_param:file { map open read }; +allow useriam const_allow_param:file { map open read }; +allow useriam const_build_param:file { map open read }; +allow useriam const_display_brightness_param:file { map open read }; +allow useriam const_param:file { map open read }; +allow useriam const_postinstall_fstab_param:file { map open read }; +allow useriam const_postinstall_param:file { map open read }; +allow useriam const_product_param:file { map open read }; +allow useriam debug_param:file { map open read }; +allow useriam default_param:file { map open read }; +allow useriam dev_at_file:chr_file { ioctl }; +allow useriam dev_unix_socket:dir { search }; +allow useriam distributedsche_param:file { map open read }; +allow useriam hdf_devmgr:binder { call transfer }; +allow useriam hilog_param:file { map open read }; +allow useriam hw_sc_build_os_param:file { map open read }; +allow useriam hw_sc_build_param:file { map open read }; +allow useriam hw_sc_param:file { map open read }; +allow useriam init_param:file { map open read }; +allow useriam init_svc_param:file { map open read }; +allow useriam input_pointer_device_param:file { map open read }; +allow useriam kernel:unix_stream_socket { connectto }; +allow useriam net_param:file { map open read }; +allow useriam net_tcp_param:file { map open read }; +allow useriam ohos_boot_param:file { map open read }; +allow useriam ohos_param:file { map open read }; +allow useriam paramservice_socket:sock_file { write }; +allow useriam param_watcher:binder { call transfer }; +allow useriam persist_param:file { map open read }; +allow useriam persist_sys_param:file { map open read }; +allow useriam pinauth:binder { call transfer }; +allow useriam sa_param_watcher:samgr_class { get }; +allow useriam security_param:file { map open read }; +allow useriam startup_param:file { map open read }; +allow useriam sys_param:file { map open read }; +allow useriam system_basic_hap_attr:binder { call }; +allow useriam system_bin_file:dir { search }; +allow useriam sys_usb_param:file { map open read }; +allow useriam tracefs:dir { search }; +allow useriam tracefs_trace_marker_file:file { open write }; +allow useriam user_auth_host:binder { call transfer }; +allow useriam useriam:unix_dgram_socket { getopt setopt }; +allowxperm useriam dev_at_file:chr_file ioctl { 0x4103 }; +allow useriam face_auth_host:binder { call transfer }; +allow useriam fingerprint_auth_host:binder { call transfer }; +allow useriam render_service:binder { call transfer }; +allow useriam foundation:binder { call transfer }; +allow useriam normal_hap_attr:binder { call }; +allow useriam sa_render_service:samgr_class { get }; +allow useriam sa_foundation_cesfwk_service:samgr_class { get }; +allow useriam sa_powermgr_displaymgr_service:samgr_class { get }; +allow useriam sa_foundation_dms:samgr_class { get }; +binder_call(useriam, powermgr); +allow useriam sa_powermgr_powermgr_service:samgr_class { get }; +allow useriam dev_mali:chr_file { getattr ioctl map open read write }; +allow useriam sysfs_devices_system_cpu:dir { read open }; +allow useriam allocator_host:fd { use }; +allow useriam sa_foundation_abilityms:samgr_class { get }; + +# avc: denied { call } for pid=466 comm="useriam" scontext=u:r:useriam:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1 +allow useriam huks_service:binder { call }; + +allow useriam sensors:binder { transfer }; +allow sensors useriam:fd { use }; +allow sensors useriam:unix_stream_socket { read write }; +allow useriam devinfo_private_param:file { map open read }; +allow sensors useriam:binder { call }; +allow useriam storage_daemon:binder { call }; + diff --git a/prebuilts/api/5.0/ohos_policy/virt_service/rgm_engine/public/attributes b/prebuilts/api/5.0/ohos_policy/virt_service/rgm_engine/public/attributes new file mode 100644 index 0000000000000000000000000000000000000000..4e6b628fac1b709c9de9332746f5e5e6e6486a65 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/virt_service/rgm_engine/public/attributes @@ -0,0 +1,48 @@ +# Copyright (c) 2024-2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +attribute rgm_violator_ohos_capability_mknod; +attribute rgm_violator_ohos_capability_setpcap; +attribute rgm_violator_ohos_capability_setgid; +attribute rgm_violator_ohos_capability_syschroot; +attribute rgm_violator_ohos_capability_sysptrace; +attribute rgm_violator_ohos_capability_netadmin; +attribute rgm_violator_ohos_capability_netraw; +attribute rgm_violator_ohos_capability_sysadmin; +attribute rgm_violator_ohos_capability_dacoverride; +attribute rgm_violator_ohos_capability_chown; +attribute rgm_violator_ohos_capability_fowner; +attribute rgm_violator_ohos_capability_kill; +attribute rgm_violator_ohos_capability_dacreadsearch; +attribute rgm_violator_ohos_capability_fsetid; +attribute rgm_violator_ohos_capability_setuid; + +attribute rgm_violator_ohos_filesystem_remount; +attribute rgm_violator_ohos_proc_file_mounton; +attribute rgm_violator_ohos_cgroup_file_create; +attribute rgm_violator_ohos_dev_sock_file_mounton; +attribute rgm_violator_ohos_dev_char_file; +attribute rgm_violator_ohos_dev_blk_file; +attribute rgm_violator_ohos_unlabeled_file; +attribute rgm_violator_ohos_vendor_etc_dir_search; +attribute rgm_violator_ohos_vendor_etc_file_getattr; +attribute rgm_violator_ohos_vendor_etc_file_read; +attribute rgm_violator_ohos_vendor_etc_file_open; +attribute rgm_violator_ohos_iptables_exec_file_execute; +attribute rgm_violator_ohos_sh_exec_file_execute; + +attribute rgm_violator_data_log_file_createwrite; +attribute rgm_violator_data_log_dir_createwrite; +attribute rgm_violator_system_file_mounton; +attribute rgm_violator_vendor_file_mounton; + diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/public/type.te b/prebuilts/api/5.0/ohos_policy/web/webview/public/type.te new file mode 100644 index 0000000000000000000000000000000000000000..ed562a2a419739b564d2800cc26c7744d0c5fac6 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/public/type.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type isolated_render, domain; +type isolated_gpu, hap_domain, domain; +type web_private_param, parameter_attr; +type app_fwk_update_service, sadomain, domain; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/accessibility.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..3dbaf2ed5cf9a752ad1302a2e4aad8d4be812660 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/accessibility.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility render_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/app_fwk_update_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/app_fwk_update_service.te new file mode 100644 index 0000000000000000000000000000000000000000..a2b8202823dcd3cda6cee21029ada86cbea0bb21 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/app_fwk_update_service.te @@ -0,0 +1,71 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +binder_call(app_fwk_update_service, samgr); +allow app_fwk_update_service sa_app_fwk_update_service:samgr_class { get add }; + +# avc_audit_slow:267] avc: denied { search } for pid=12579, comm="/system/bin/sa_main" name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=12208 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=1 +allow app_fwk_update_service chip_prod_file:dir { search }; + +# avc_audit_slow:267] avc: denied { write } for pid=12579, comm="/system/bin/sa_main" path="/dev/kmsg" dev="" ino=21 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 +allow app_fwk_update_service dev_kmsg_file:chr_file { write }; + +# avc_audit_slow:267] avc: denied { search } for pid=12579, comm="/system/bin/sa_main" name="/unix/socket" dev="" ino=186 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow app_fwk_update_service dev_unix_socket:dir { search }; + +# avc_audit_slow:267] avc: denied { call } for pid=12579, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +# avc_audit_slow:267] avc: denied { transfer } for pid=12579, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow app_fwk_update_service foundation:binder { call transfer }; + +# avc: denied { get } for service=401 sid=u:r:app_fwk_update_service:s0 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow app_fwk_update_service sa_foundation_bms:samgr_class { get }; + +# avc: denied { get } for service=3299 sid=u:r:app_fwk_update_service:s0 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1 +allow app_fwk_update_service sa_foundation_cesfwk_service:samgr_class { get }; + +# avc_audit_slow:267] avc: denied { getattr } for pid=12579, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=123 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { open } for pid=12579, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=123 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { read } for pid=12579, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=123 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow app_fwk_update_service sysfs_devices_system_cpu:file { getattr open read }; + +# avc_audit_slow:267] avc: denied { read write } for pid=12579, comm="/system/bin/sa_main" path="/dev/tty0" dev="" ino=49 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 +allow app_fwk_update_service tty_device:chr_file { read write }; + +# avc_audit_slow:267] avc: denied { getopt } for pid=12579, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=unix_dgram_socket permissive=1 +# avc_audit_slow:267] avc: denied { setopt } for pid=12579, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=unix_dgram_socket permissive=1 +allow app_fwk_update_service app_fwk_update_service:unix_dgram_socket { getopt setopt }; + + +# avc_audit_slow:267] avc: denied { map } for pid=6914, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="" ino=229 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { open } for pid=6914, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="" ino=229 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +# avc_audit_slow:267] avc: denied { read } for pid=6914, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="" ino=229 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +allow app_fwk_update_service arkcompiler_param:file { map open read }; + +# avc: denied { set } for parameter=persist.arkwebcore.install_path pid=6914 uid=8350 gid=8350 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=parameter_service permissive=1 +allow app_fwk_update_service arkcompiler_param:parameter_service { set }; + +# avc_audit_slow:267] avc: denied { connectto } for pid=6914, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 +allow app_fwk_update_service kernel:unix_stream_socket { connectto }; + +# avc_audit_slow:267] avc: denied { write } for pid=6914, comm="/system/bin/sa_main" path="/dev/unix/socket/paramservice" dev="" ino=194 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 +allow app_fwk_update_service paramservice_socket:sock_file { write }; + +# avc_audit_slow:267] avc: denied { search } for pid=6959, comm="/system/bin/sa_main" name="/variant/hw_oem/ALN-AL00/etc" dev="overlay" ino=7 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:sys_prod_file:s0 tclass=dir permissive=1 +allow app_fwk_update_service sys_prod_file:dir { search }; + +# avc_audit_slow:267] avc: denied { write } for pid=7950, comm="/system/bin/sa_main" path="/dev/unix/socket/NWebSpawn" dev="" ino=857 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:nwebspawn_socket:s0 tclass=sock_file permissive=1 +allow app_fwk_update_service nwebspawn_socket:sock_file { write }; +# avc_audit_slow:267] avc: denied { connectto } for pid=6914, comm="/system/bin/sa_main" scontext=u:r:app_fwk_update_service:s0 tcontext=u:r:appspawn:s0 tclass=unix_stream_socket permissive=1 +allow app_fwk_update_service appspawn:unix_stream_socket { connectto }; + +# avc_audit_slow:267] avc: denied { write } for pid=6914, comm="/system/bin/sa_main" path="/dev/unix/socket/AppSpawn" dev="" ino=857 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:appspawn_socket:s0 tclass=sock_file permissive=1 +allow app_fwk_update_service appspawn_socket:sock_file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/audio_server.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/audio_server.te new file mode 100644 index 0000000000000000000000000000000000000000..8adf7eec09835ce271bb2de561af7aa29a2e78cd --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/audio_server.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_server bgtaskmgr_service:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/av_codec_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/av_codec_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fa0cc72d31e52d24efc6fed1c58a52e9c3f5c6b5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/av_codec_service.te @@ -0,0 +1,16 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow av_codec_service isolated_gpu:binder { call transfer }; + +allow av_codec_service isolated_gpu:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/composer_host.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/composer_host.te new file mode 100644 index 0000000000000000000000000000000000000000..9ca1a7e33bc3ef39e06648b8771ad57dd7f6481e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/composer_host.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow composer_host isolated_gpu:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/foudation.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/foudation.te new file mode 100644 index 0000000000000000000000000000000000000000..79b08d86e2bb1fccbcb64d51eb2305545b0bdfc4 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/foudation.te @@ -0,0 +1,27 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation system_basic_hap_attr:unix_stream_socket { read write }; + +# avc: denied { call } for pid=1077 comm="IPC_4_1780" scontext=u:r:foundation:s0 tcontext=u:r:isolated_render:s0 tclass=binder permissive=1 +allow foundation isolated_render:binder { call transfer }; + +# avc: denied { sigkill } for pid=1101 comm="IPC_10_2173" scontext=u:r:foundation:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow foundation isolated_render:process { sigkill }; + +allow foundation isolated_gpu:binder { call }; +allow foundation isolated_gpu:process { sigkill }; + +# avc_audit_slow:267] avc: denied { call } for pid=1475, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=binder permissive=1 +# avc_audit_slow:267] avc: denied { transfer } for pid=1475, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=binder permissive=1 +allow foundation app_fwk_update_service:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/hap_domain.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..b7908e26fbd582b2d4c7a57f1240f1d792b4edd1 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/hap_domain.te @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hap_domain isolated_render:fd { use }; + +allow hap_domain isolated_render:unix_stream_socket { read write shutdown }; + +# avc_audit_slow:260] avc: denied { getattr } for pid=4594, comm="/system/bin/appspawn" path="/data/storage/el2/log/crashpad" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=5159 scontext=u:r:debug_hap:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 +allow hap_domain data_app_el2_file:dir { getattr }; + +allow hap_domain isolated_render:unix_stream_socket { getopt }; + +allow hap_domain isolated_gpu:fd { use }; + +allow hap_domain isolated_gpu:unix_stream_socket { read write shutdown getopt }; + +allow hap_domain isolated_gpu:binder { call transfer }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/hdf_devmgr.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..150d3548e3b86fc1133b8395be030933faa4260c --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/hdf_devmgr.te @@ -0,0 +1,20 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr isolated_gpu:binder { transfer }; + +allow hdf_devmgr isolated_gpu:dir { search }; + +allow hdf_devmgr isolated_gpu:file { open read }; + +allow hdf_devmgr isolated_gpu:process { getattr }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/hiview.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..dc7097a813e9535adbe5aafb7076a46745c55eaa --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/hiview.te @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { search } for pid=248 comm="HiDumperCpuServ" name="2277" dev="proc" ino=37362 scontext=u:r:hiview:s0 tcontext=u:r:isolated_render:s0 tclass=dir permissive=1 +allow hiview isolated_render:dir { search }; + +#avc: denied { getattr } for pid=248 comm="HiDumperCpuServ" path="/proc/2277/stat" dev="proc" ino=37368 scontext=u:r:hiview:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +#avc: denied { open } for pid=248 comm="HiDumperCpuServ" path="/proc/2277/stat" dev="proc" ino=37368 scontext=u:r:hiview:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +#avc: denied { read } for pid=248 comm="HiDumperCpuServ" name="stat" dev="proc" ino=37368 scontext=u:r:hiview:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +allow hiview isolated_render:file { getattr open read }; + +allow hiview isolated_gpu:dir { search }; +allow hiview isolated_gpu:file { getattr open read }; + +# avc: denied { read } for pid=16985 comm="OS_FFRT_2_17" name="exe" dev="proc" ino=87850 scontext=u:r:hiview:s0 tcontext=u:r:isolated_render:s0 tclass=lnk_file permissive=1 +allow hiview isolated_render:lnk_file { read }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/init.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..a9103342cdf56a03fdc20f2b15507656522f3a35 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/init.te @@ -0,0 +1,17 @@ +# Copyright (C) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc_audit_slow:267] avc: denied { rlimitinh } for pid=6959, comm="/system/bin/sa_main" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1 +# avc_audit_slow:267] avc: denied { siginh } for pid=6959, comm="/system/bin/sa_main" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1 +# avc_audit_slow:267] avc: denied { transition } for pid=6959, comm="/bin/init" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1 +allow init app_fwk_update_service:process { rlimitinh siginh transition }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_gpu.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_gpu.te new file mode 100644 index 0000000000000000000000000000000000000000..fbd9db6b7bfe16783211aeb0b3eca5c344d15778 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_gpu.te @@ -0,0 +1,86 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { execute } for pid=3708 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore/libs/arm64/libweb_engine.so" dev="sdd78" ino=30131 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow isolated_gpu data_app_el1_file:dir { getattr }; +# allow isolated_gpu data_app_el1_file:dir { execute }; + +# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=112 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow isolated_gpu dev_unix_socket:dir { search }; + +# avc: denied { use } for pid=3708 comm="ei.hmos.browser" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:isolated_gpu:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1 +allow isolated_gpu nwebspawn:fd { use }; +allow isolated_gpu nwebspawn:unix_dgram_socket { write connect}; + +# avc: denied { call } for pid=3708 comm="ei.hmos.browser" scontext=u:r:isolated_gpu:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1 +allow isolated_gpu time_service:binder { call }; + +# avc: denied { getattr } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +# avc: denied { read open } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +# avc: denied { map } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +allow isolated_gpu system_file:file { getattr read open map }; + +# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="bin" dev="sdd74" ino=338 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow isolated_gpu system_bin_file:dir { search }; + +# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow isolated_gpu tracefs:dir { search }; + +allow isolated_gpu sa_foundation_appms:samgr_class { get }; +allow isolated_gpu sa_param_watcher:samgr_class { get }; +allow isolated_gpu sa_render_service:samgr_class { get }; +allow isolated_gpu sa_time_service:samgr_class { get }; +allow isolated_gpu data_app_el1_file:file { execute }; +allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open }; +# avc: denied { ioctl } for pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1 +allowxperm isolated_gpu dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x800c 0x800e 0x800f 0x8016 0x8019 0x801d 0x8026 }; +allow isolated_gpu hap_domain:binder { call transfer }; +allow isolated_gpu hap_domain:fd { use }; +allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown}; +allow isolated_gpu nwebspawn:fifo_file { write }; +allow isolated_gpu persist_param:file { map read open }; +allow isolated_gpu render_service:unix_stream_socket { write read }; + +allow isolated_gpu sa_foundation_bms:samgr_class { get }; +allow isolated_gpu sysfs_devices_system_cpu:dir { read open }; +allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open }; + +allow isolated_gpu allocator_host:fd { use }; +allow isolated_gpu ohos_boot_param:file { map read open }; +allow isolated_gpu sa_resource_schedule:samgr_class { get }; +allow isolated_gpu web_private_param:file { map open read }; + +allow isolated_gpu allocator_host:binder { call }; +allow isolated_gpu av_codec_service:binder { call transfer }; +allow isolated_gpu dev_ashmem_file:chr_file { open }; +allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get }; +allow isolated_gpu hiview:unix_dgram_socket { sendto }; +allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt }; +allow isolated_gpu persist_sys_param:file { map open read }; +allow isolated_gpu sa_av_codec_service:samgr_class { get }; +allow isolated_gpu sa_device_service_manager:samgr_class { get }; +allow isolated_gpu codec_host:fd { use }; +allow isolated_gpu av_codec_service:fd { use }; + +allow isolated_gpu isolated_gpu:process { ptrace }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_render.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_render.te new file mode 100644 index 0000000000000000000000000000000000000000..985c6c7c40f86de5a2c92010e4a06fa99b7e9ea7 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/isolated_render.te @@ -0,0 +1,196 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow isolated_render allocator_host:fd { use }; + +# avc: denied { search } for pid=5103 comm="ThreadPoolForeg" name="/" dev="cgroup2" ino=1 scontext=u:r:isolated_render:s0 tcontext=u:object_r:cgroup2:s0 tclass=dir permissive=1 +allow isolated_render cgroup2:dir { search }; + +# avc: denied { getattr } for pid=5103 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore" dev="sdd78" ino=1840 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow isolated_render data_app_el1_file:dir { getattr search }; + +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/dev/ashmem" dev="tmpfs" ino=490 scontext=u:r:isolated_render:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1 +allow isolated_render dev_ashmem_file:chr_file { open }; + +# avc: denied { search } for pid=3061 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=79 scontext=u:r:isolated_render:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0 +allow isolated_render dev_unix_socket:dir { search }; + +allow isolated_render hap_domain:binder { call }; +allow isolated_render hap_domain:fd { use }; + +# avc: denied { exec_anon_mem } for pid=5103 comm="ei.hmos.browser" scontext=u:r:isolated_render:s0 tcontext=u:r:isolated_render:s0 tclass=xpm permissive=0 +allow isolated_render isolated_render:xpm { exec_anon_mem }; + +allow isolated_render normal_hap_data_file_attr:file { read write getattr lock }; + +# avc: denied { use } for pid=5103 comm="ei.hmos.browser" path="socket:[33368]" dev="sockfs" ino=33368 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1 +allow isolated_render nwebspawn:fd { use }; + +# avc: denied { write } for pid=5103 comm="ei.hmos.browser" path="pipe:[45491]" dev="pipefs" ino=45491 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=fifo_file permissive=1 +allow isolated_render nwebspawn:fifo_file { write }; + +# avc: denied { write } for pid=5103 comm="CompositorTileW" path="socket:[33368]" dev="sockfs" ino=33368 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1 +allow isolated_render nwebspawn:unix_dgram_socket { write }; + +# avc: denied { map } for pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 +allow isolated_render ohos_boot_param:file { map open read }; + +# avc: denied { map } for pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 +allow isolated_render persist_param:file { map open read }; + +# avc: denied { map } for pid=4445 comm="e.simplewebview" path=2F646174612F726167652F656C322F626173652F63616368652F7765622F5375627265736F757263652046696C7465722F496E64657865642052756C65732F33362F302F52756C657365742044617461 dev="sdd78" ino=34505 scontext=u:r:isolated_render:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1 +allow isolated_render hap_file_attr:file { map }; + +# avc: denied { getattr } for pid=5103 comm="CompositorTileW" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="CompositorTileW" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="CompositorTileW" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +allow isolated_render proc_cpuinfo_file:file { getattr open read }; + +# avc: denied { call } for pid=5103 comm="ei.hmos.browser" scontext=u:r:isolated_render:s0 tcontext=u:r:resource_schedule_service:s0 tclass=binder permissive=1 +allow isolated_render resource_schedule_service:binder { call }; + +# avc: denied { get } for service=501 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 +allow isolated_render sa_foundation_appms:samgr_class { get }; + +# avc: denied { get } for service=401 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1 +allow isolated_render sa_foundation_bms:samgr_class { get }; + +# avc: denied { get } for service=3901 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1 +allow isolated_render sa_param_watcher:samgr_class { get }; + +# avc: denied { get } for service=1906 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_resource_schedule_socperf_server:s0 tclass=samgr_class permissive=1 +allow isolated_render sa_resource_schedule_socperf_server:samgr_class { get }; + +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu" dev="sysfs" ino=33247 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="cpu" dev="sysfs" ino=33247 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1 +allow isolated_render sysfs_devices_system_cpu:dir { open read }; + +# avc: denied { getattr } for pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu/cpu0/regs/identification/midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu/cpu0/regs/identification/midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 +allow isolated_render sysfs_devices_system_cpu:file { getattr open read }; + +# avc: denied { read write } for pid=1077 comm="AppMgrService" path="socket:[43723]" dev="sockfs" ino=43723 scontext=u:r:isolated_render:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1 +# avc: denied { write } for pid=4973 comm="e.myapplication" scontext=u:r:isolated_render:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1 +allow isolated_render hap_domain:unix_stream_socket { read write shutdown }; + +allow isolated_render system_core_hap_data_file_attr:file { append read write getattr lock map }; + +allow isolated_render system_basic_hap_data_file_attr:file { append read write getattr lock map}; + +# avc: denied { getattr } for pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +# avc: denied { map } for pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +allow isolated_render system_file:file { getattr map open read }; + +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/system/fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +# avc: denied { search } for pid=5103 comm="ei.hmos.browser" name="fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +allow isolated_render system_fonts_file:dir { open read search }; + +# avc: denied { getattr } for pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +# avc: denied { map } for pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +# avc: denied { read } for pid=5103 comm="ei.hmos.browser" name="HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +allow isolated_render system_fonts_file:file { getattr map open read }; + +# avc: denied { search } for pid=5103 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 +allow isolated_render tracefs:dir { search }; + +# avc: denied { open } for pid=5103 comm="ei.hmos.browser" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13214 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +# avc: denied { write } for pid=5103 comm="ei.hmos.browser" name="trace_marker" dev="tracefs" ino=13214 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1 +allow isolated_render tracefs_trace_marker_file:file { open write }; + +# avc: denied { nnp_transition } for pid=4000 comm="dump_tmp_thread" scontext=u:r:isolated_render:s0 tcontext=u:r:processdump:s0 tclass=process2 permissive=1 +allow isolated_render processdump:process2 { nnp_transition }; + +# avc: denied { search } for pid=4000 comm="dump_tmp_thread" name="bin" dev="sdd74" ino=282 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow isolated_render system_bin_file:dir { search }; + +#avc: denied { connect } for pid=1795 comm="IPC_0_1796" scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=0 +allow isolated_render nwebspawn:unix_dgram_socket { connect }; + +#avc: denied { execute } for pid=2265 comm="e.myapplication" path="/data/storage/el1/bundle/nweb/libs/arm/libweb_engine.so" dev="mmcblk0p14" ino=600 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=0 +allow isolated_render data_app_el1_file:file { execute getattr open read }; + +#avc: denied { call } for pid=3693 comm="e.myapplication" scontext=u:r:isolated_render:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1 +allow isolated_render time_service:binder { call }; + +#avc: denied { get } for service=3702 pid=13433 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=0 + +allow isolated_render sa_time_service:samgr_class { get }; + +allow isolated_render isolated_render:hideaddr { hide_exec_anon_mem }; + +allow isolated_render isolated_render:jit_memory { exec_mem_ctrl }; + +allow isolated_render sa_resource_schedule:samgr_class { get }; + +# avc_audit_slow:260] avc: denied { ptrace } for pid=15, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow isolated_render isolated_render:process { ptrace execmem }; + +allow isolated_render web_private_param:file { map open read }; + +# avc: denied { map } for pid=1, comm="/system/bin/appspawn" path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16350 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { read } for pid=1, comm="/system/bin/appspawn" path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17270 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +# avc: denied { getattr } for pid=1, comm="/system/bin/appspawn" path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=18442 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0 +allow isolated_render data_service_el1_file:file { getattr map read }; + +# avc_audit_slow:262] avc: denied { write } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1 +allow isolated_render appspawn:unix_dgram_socket { write connect }; + +# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow isolated_render foundation:binder { call transfer }; + +# avc_audit_slow:262] avc: denied { map } for pid=1, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { open } for pid=1, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1 +# avc_audit_slow:262] avc: denied { read } for pid=1, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1 +allow isolated_render hichecker_writable_param:file { map open read }; + +# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1 +allow isolated_render param_watcher:binder { call transfer }; + +# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn" scontext=u:r:isolated_render:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 +allow isolated_render samgr:binder { call transfer }; + +# avc: denied { use } for pid=21118 comm=".browser:render" path="socket:[14595]" dev="sockfs" ino=14595 scontext=u:r:isolated_render:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=1 +allow isolated_render appspawn:fd { use }; + +# avc: denied { search } for pid=8252 comm=".browser:render" scontext=u:r:isolated_render:s0 tcontext=u:r:key_enable:s0 tclass=key permissive=1 +allow isolated_render key_enable:key { search }; + +debug_only(` + allow isolated_render isolated_render:hideaddr { hide_exec_anon_mem_debug }; +') + + +#avc: denied { get } for service=1901 pid=3409 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0 +allow isolated_render sa_resource_schedule:samgr_class { get }; + +# avc_audit_slow:267] avc: denied { write } for pid=1, comm="/system/bin/appspawn" +allow isolated_render sharefs:file { read write open getattr append }; +# avc_audit_slow:276] avc: denied { open } for pid=1, comm="/system/bin/appspawn" path="/data/service/el1/public/for-all-app/fonts" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=4469 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc_audit_slow:276] avc: denied { read } for pid=1, comm="/system/bin/appspawn" path="/data/service/el1/public/for-all-app/fonts" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=4469 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +# avc_audit_slow:276] avc: denied { search } for pid=1, comm="/system/bin/appspawn" path="/data/service/el1/public/for-all-app/fonts" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=4469 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow isolated_render data_service_el1_file:dir { open read search }; + +#avc_audit_slow:276] denied { open } for pid=1, comm="/system/bin/appspawn" path="/data/service/el1/public/for-all-app/fonts/simsun.ttc" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=30667 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1 +allow isolated_render data_service_el1_file:file { open }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/media_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ecbd985832db4eee425b96fbfd77941c078eece2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/media_service.te @@ -0,0 +1,44 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { use } for pid=4361 comm="com.example.web" path="/data/storage/el1/bundle/entry/resources/rawfile/vp8.webm" dev="mmcblk0p11" ino=523748 scontext=u:r:media_service:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow media_service normal_hap_attr:fd { use }; + +#avc: denied { read } for pid=4361 comm="com.example.web" path="/data/storage/el1/bundle/entry/resources/rawfile/vp8.webm" dev="mmcblk0p11" ino=523748 scontext=u:r:media_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1 +allow media_service data_app_el1_file:file { read }; + + +#avc: denied { use } for pid=2169 comm="com.example.web" path="/dmabuf:" dev="dmabuf" ino=523748 scontext=u:r:media_service:s0 tcontext=u:object_r:allocator_host:s0 tclass=fd permissive=1 +allow media_service allocator_host:fd { use }; + +#avc: denied { write } for pid=464 comm="task3" name="dnsproxyd" dev="tmpfs" ino=376 scontext=u:r:media_service:s0 tcontext=u:object_r:dev_file:s0 tclass=sock_file permissive=0 +allow media_service dev_file:sock_file { write }; + +#avc: denied { bind } for pid=474 comm="task3" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +#avc: denied { write } for pid=474 comm="task3" lport=40461 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +#avc: denied { read } for pid=474 comm="task3" lport=40461 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +#avc: denied { connect } for pid=474 comm="task3" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +#avc: denied { getattr } for pid=474 comm="task3" laddr=7.247.195.86 lport=33376 faddr=183.2.193.238 fport=65535 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1 +allow media_service media_service:udp_socket { bind write read connect getattr }; + +#avc: denied { connectto } for pid=474 comm="task3" path="/dev/dnsproxyd" scontext=u:r:media_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1 +allow media_service netsysnative:unix_stream_socket { connectto }; + +#avc: denied { node_bind } for pid=474 comm="task3" scontext=u:r:media_service:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow media_service node:udp_socket { node_bind }; + +#avc: denied { getopt } for pid=474 comm="task3" laddr=7.247.195.86 lport=35616 faddr=49.7.37.71 fport=443 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { getattr } for pid=474 comm="task3" laddr=7.247.195.86 lport=35616 faddr=49.7.37.71 fport=443 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { write } for pid=474 comm="task3" path="socket:[31752]" dev="sockfs" ino=31752 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +#avc: denied { read } for pid=474 comm="task3" path="socket:[31752]" dev="sockfs" ino=31752 scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1 +allow media_service media_service:tcp_socket { getattr getopt read write }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/memmgrservice.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..679de3cc0f989fed4fb192a08568d6645264b323 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/memmgrservice.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { write } for pid=619 comm="ReclaimPriority" name="oom_score_adj" dev="proc" ino=44928 scontext=u:r:memmgrservice:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +allow memmgrservice isolated_render:file { write }; + +allow memmgrservice isolated_gpu:file { write }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/netmanager.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..0c689e4fea756c2909cf62bf6c15674b92618505 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/netmanager.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager system_basic_hap_attr:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/normal_hap.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..8fb0e66744c628a36df9888fad3965f91fd675a3 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/normal_hap.te @@ -0,0 +1,204 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#avc: denied { read write } for pid=1912 comm="nweb_test" path="socket:[26685]" dev="sockfs" ino=26685 scontext=u:r:normal_hap:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 +allow normal_hap_attr init:unix_stream_socket { read write }; + +#avc: denied { read append } for pid=1912 comm="nweb_test" name="begetctl.log" dev="mmcblk0p11" ino=1044487 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1912 comm="nweb_test" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=1044487 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=1912 comm="nweb_test" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=1044487 ioctlcmd=0x5413 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive= +allow normal_hap_attr data_init_agent:file { read append open ioctl }; +allowxperm normal_hap_attr data_init_agent:file ioctl { 0x5413 }; + +#avc: denied { append } for pid=1912 comm="nweb_test" name="debug.log" dev="mmcblk0p11" ino=1175104 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_local:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1912 comm="nweb_test" path="/data/local/debug.log" dev="mmcblk0p11" ino=1175104 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_local:s0 tclass=file permissive=1 +allow normal_hap_attr data_local:file { append open }; + +#avc: denied { search } for pid=1909 comm="com.example.web" name="socket" dev="tmpfs" ino=40 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow normal_hap_attr dev_unix_socket:dir { search }; + +#avc: denied { search } for pid=21671 comm="nweb_test" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow normal_hap_attr data_file:dir { search }; + +#avc: denied { search } for pid=21671 comm="nweb_test" name="init_agent" dev="mmcblk0p11" ino=89761 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1 +allow normal_hap_attr data_init_agent:dir { search }; + +#avc: denied { search } for pid=21830 comm="nweb_test" name="local" dev="mmcblk0p11" ino=261121 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +#avc: denied { write } for pid=21830 comm="nweb_test" name="cache" dev="mmcblk0p11" ino=261173 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +#avc: denied { add_name } for pid=21830 comm="nweb_test" name=".org.chromium.Chromium.MhPcFg" scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 +allow normal_hap_attr data_local:dir { search write add_name }; + +#avc: denied { call } for pid=21830 comm="nweb_test" scontext=u:r:normal_hap:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 +allow normal_hap_attr foundation:binder { call }; + +#avc: denied { call } for pid=21830 comm="nweb_test" scontext=u:r:normal_hap:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1 +allow normal_hap_attr multimodalinput:binder { call }; + +#avc: denied { read write } for pid=1953 comm="nweb_test" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:normal_hap:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 +allow normal_hap_attr devpts:chr_file { read write }; + +#avc: denied { use } for pid=1953 comm="nweb_test" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:normal_hap:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=1 +allow normal_hap_attr hdcd:fd { use }; + +#avc: denied { use } for pid=1953 comm="nweb_test" path="anon_inode:[eventpoll]" dev="anon_inodefs" ino=16043 scontext=u:r:normal_hap:s0 tcontext=u:r:kernel:s0 tclass=fd permissive=1 +allow normal_hap_attr kernel:fd { use }; + +#avc: denied { call } for pid=2115 comm="com.example.web" scontext=u:r:normal_hap:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow normal_hap_attr system_basic_hap_attr:binder { call }; + +#avc: denied { call } for pid=2526 comm="com.example.web" scontext=u:r:normal_hap:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2526 comm="com.example.web" scontext=u:r:normal_hap:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 +allow normal_hap_attr media_service:binder { call transfer }; + +#avc: denied { getattr } for pid=2827 comm="nweb_test" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2500 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { read } for pid=2827 comm="nweb_test" name="supported_regions.xml" dev="mmcblk0p6" ino=2500 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2827 comm="nweb_test" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2500 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2827 comm="nweb_test" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2495 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 +allow normal_hap_attr system_usr_file:file { getattr read open map }; + +#avc: denied { search } for pid=2526 comm="com.example.web" name="usr" dev="mmcblk0p6" ino=2493 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/system/usr" dev="mmcblk0p6" ino=2493 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_usr_file:dir { search mounton }; + +#avc: denied { call } for pid=1909 comm="com.example.web" scontext=u:r:normal_hap:s0 tcontext=u:r:resource_schedule_service:s0 tclass=binder permissive=1 +allow normal_hap_attr resource_schedule_service:binder { call }; + +#avc: denied { write } for pid=1980 comm="com.example.web" path="socket:[16372]" dev="sockfs" ino=16372 scontext=u:r:normal_hap:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1 +#avc: denied { connect } for pid=12410 comm="WebRTC_Signalin" scontext=u:r:normal_hap:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1 +allow normal_hap_attr nwebspawn:unix_dgram_socket { write connect }; + +#avc: denied { search } for pid=2178 comm="com.example.web" name="fonts" dev="mmcblk0p6" ino=1502 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/system/fonts" dev="mmcblk0p6" ino=1502 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +#avc: denied { read } for pid=4433 comm="com.example.web" name="fonts" dev="mmcblk0p6" ino=1502 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=4433 comm="com.example.web" path="/system/fonts" dev="mmcblk0p6" ino=1502 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_fonts_file:dir { search mounton read open }; + +#avc: denied { use } for pid=2178 comm="com.example.web" path="socket:[16372]" dev="sockfs" ino=16372 scontext=u:r:normal_hap:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1 +allow normal_hap_attr nwebspawn:fd { use }; + +#avc: denied { getattr } for pid=2252 comm="com.example.web" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { read write } for pid=2252 comm="com.example.web" name="renderD128" dev="tmpfs" ino=94 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { open } for pid=2252 comm="com.example.web" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +#avc: denied { ioctl } for pid=2252 comm="com.example.web" path="/dev/dri/renderD128" dev="tmpfs" ino=94 ioctlcmd=0x641f scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 +allow normal_hap_attr dev_dri_file:chr_file { getattr read write open ioctl }; +allowxperm normal_hap_attr dev_dri_file:chr_file ioctl { 0x641f }; + +#avc: denied { read } for pid=2314 comm="com.example.web" name="HarmonyOS_Sans_Regular_Italic.ttf" dev="mmcblk0p6" ino=1536 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=2314 comm="com.example.web" path="/system/fonts/HarmonyOS_Sans_Regular_Italic.ttf" dev="mmcblk0p6" ino=1536 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=2314 comm="com.example.web" path="/system/fonts/HarmonyOS_Sans_Regular_Italic.ttf" dev="mmcblk0p6" ino=1536 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +#avc: denied { map } for pid=2314 comm="com.example.web" path="/system/fonts/HarmonyOS_Sans_Regular_Italic.ttf" dev="mmcblk0p6" ino=1536 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1 +allow normal_hap_attr system_fonts_file:file { read open getattr map }; + +#avc: denied { search } for pid=2252 comm="NetworkService" name="com.example.web330" dev="mmcblk0p11" ino=784917 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 +#avc: denied { remove_name } for pid=2957 comm="com.example.web" name=".org.chromium.Chromium.DFNANO" dev="mmcblk0p11" ino=785164 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=3965 comm="com.example.web" path="/data/storage/el2/base/haps/entry/cache" dev="mmcblk0p11" ino=654423 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/data/storage/el2/base" dev="mmcblk0p11" ino=654353 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 +#avc: denied { getattr } for pid=4361 comm="CacheThread_Blo" path="/data/storage/el2/base" dev="mmcblk0p11" ino=523589 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 +allow normal_hap_attr normal_hap_data_file_attr:dir { search remove_name read open mounton getattr }; + +#avc: denied { create } for pid=2957 comm="com.example.web" name=".org.chromium.Chromium.coKdNG" scontext=u:r:normal_hap:s0 tcontext=u:ect_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#avc: denied { read write open } for pid=2957 comm="com.example.web" path="/data/storage/el2/base/cache/.org.chromium.Chromium.coKdNG" ="mmcblk0p11" ino=785176 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#vc: denied { getattr } for pid=2957 comm="com.example.web" path="/data/storage/el2/base/cache/.org.chromium.Chromium.coKdNG" dev="mmc0p11" ino=785176 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#avc: denied { unlink } for pid=3540 comm="com.example.web" name=".org.chromium.Chromium.IjPMLH" dev="mmcblk0p11" ino=654428 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#avc: denied { map } for pid=3540 comm="com.example.web" path=2F646174612F73746F726167652F656C322F626173652F63616368652F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E496A504D4C48202864656C6574656429 dev="mmcblk0p11" ino=654428 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=4361 comm="ThreadPoolForeg" path="/data/storage/el2/base/cache/cookie.db" dev="mmcblk0p11" ino=523820 ioctlcmd=0xf50c scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +#avc: denied { lock } for pid=4361 comm="ThreadPoolForeg" path="/data/storage/el2/base/cache/cookie.db" dev="mmcblk0p11" ino=523820 scontext=u:r:normal_hap:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=file permissive=1 +allow normal_hap_attr normal_hap_data_file_attr:file { create getattr unlink map ioctl lock }; +allow normal_hap_attr { normal_hap_data_file_attr -dlp_sandbox_hap_data_file }:file { read write open }; +allowxperm normal_hap_attr normal_hap_data_file_attr:file ioctl { 0xf50c }; + +#avc: denied { call } for pid=2377 comm="Geolocation" scontext=u:r:normal_hap:s0 tcontext=u:r:locationhub:s0 tclass=binder permissive=1 +#avc: denied { transfer } for pid=2377 comm="Geolocation" scontext=u:r:normal_hap:s0 tcontext=u:r:locationhub:s0 tclass=binder permissive=1 +allow normal_hap_attr locationhub:binder { call transfer }; + + + +#avc: denied { use } for pid=2526 comm="com.example.web" path="/dmabuf:" dev="dmabuf" ino=35030 ioctlcmd=0x6200 scontext=u:r:normal_hap:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1 +allow normal_hap_attr allocator_host:fd { use }; + +#avc: denied { call } for pid=2169 comm="com.example.web" path="/dmabuf:" dev="dmabuf" ino=35030 ioctlcmd=0x6200 scontext=u:r:normal_hap:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1 +allow normal_hap_attr allocator_host:binder { call }; + +#avc: denied { read } for pid=3965 comm="com.example.web" name="extensionability" dev="mmcblk0p6" ino=1557 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +#avc: denied { open } for pid=3965 comm="com.example.web" path="/system/lib64/extensionability" dev="mmcblk0p6" ino=1557 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_lib_file:dir { read open }; + +#avc: denied { create } for pid=4137 comm="ThreadPoolForeg" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { connect } for pid=4137 comm="ThreadPoolForeg" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { bind } for pid=4137 comm="ThreadPoolForeg" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { write } for pid=4137 comm="ThreadPoolForeg" lport=60279 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#vc: denied { ioctl } for pid=12742 comm="ThreadPoolForeg" path="socket:[104645]" dev="sockfs" ino=104645 ioctlcmd=0x8910 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { setopt } for pid=12742 comm="NetworkService" lport=48535 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { read } for pid=4361 comm="ThreadPoolForeg" lport=43704 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +#avc: denied { getattr } for pid=4745 comm="ThreadPoolForeg" laddr=192.168.137.205 lport=43495 faddr=119.176.24.38 fport=65535 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=udp_socket permissive=1 +allow normal_hap_attr normal_hap_attr:udp_socket { create connect bind write ioctl setopt read getattr }; +allowxperm normal_hap_attr normal_hap_attr:udp_socket ioctl { 0x8910 }; + +#avc: denied { node_bind } for pid=4137 comm="ThreadPoolForeg" scontext=u:r:normal_hap:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1 +allow normal_hap_attr node:udp_socket { node_bind }; + +#avc: denied { use } for pid=4377 comm="ThreadPoolSingl" path="socket:[52549]" dev="sockfs" ino=52549 scontext=u:r:foundation:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1 +allow normal_hap_attr normal_hap_attr:fd { use }; + +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/" dev="tmpfs" ino=3 scontext=u:r:normal_hap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow normal_hap_attr tmpfs:dir { mounton }; + +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/sys_prod" dev="mmcblk0p6" ino=26 scontext=u:r:normal_hap:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +allow normal_hap_attr rootfs:dir { mounton }; + +#avc: denied { mounton } for pid=4514 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/system/profile" dev="mmcblk0p6" ino=2436 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_profile_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_profile_file:dir { mounton }; + +#avc: denied { read } for pid=12410 comm="com.example.web" name="cpuinfo" dev="proc" ino=4026532107 scontext=u:r:normal_hap:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=12410 comm="com.example.web" path="/proc/cpuinfo" dev="proc" ino=4026532107 scontext=u:r:normal_hap:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +#avc: denied { getattr } for pid=4745 comm="com.example.web" path="/proc/cpuinfo" dev="proc" ino=4026532107 scontext=u:r:normal_hap:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 +allow normal_hap_attr proc_cpuinfo_file:file { read open getattr }; + +#avc: denied { getopt } for pid=12342 comm="NetworkService" laddr=192.168.137.169 lport=58660 faddr=172.67.70.207 fport=443 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1 +#avc: denied { create } for pid=12342 comm="NetworkService" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1avc: denied { setopt } for pid=12342 comm="NetworkService" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1 +#avc: denied { connect } for pid=12342 comm="N etworkService" scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1 +#avc: denied { read } for pid=12342 comm="NetworkService" laddr=192.168.137.169 lport=34658 faddr=104.16.176.44 fport=80 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1 +#avc: denied { write } for pid=12342 comm="NetworkService" path="socket:[97452]" dev="sockfs" ino=97452 scontext=u:r:normal_hap:s0 tcontext=u:r:normal_hap:s0 tclass=tcp_socket permissive=1 +allow normal_hap_attr normal_hap_attr:tcp_socket { getopt create setopt connect read write }; + +#avc: denied { name_connect } for pid=4361 comm="NetworkService" dest=443 scontext=u:r:normal_hap:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1 +allow normal_hap_attr port:tcp_socket { name_connect }; + +#avc: denied { search } for pid=4745 comm="com.example.web" name="bin" dev="mmcblk0p6" ino=108 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_bin_file:dir { search }; + +#avc: denied { getattr } for pid=4745 comm="com.example.web" path="/data/storage/el1/bundle/arkwebcore/entry/resources/rawfile" dev="mmcblk0p11" ino=523570 scontext=u:r:normal_hap:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 +allow normal_hap_attr data_app_el1_file:dir { getattr }; + +#avc: denied { watch } for pid=4745 comm="ThreadPoolForeg" path="/system/etc" dev="mmcblk0p6" ino=455 scontext=u:r:normal_hap:s0 tcontext=u:object_r:system_etc_file:s0 tclass=dir permissive=1 +allow normal_hap_attr system_etc_file:dir { watch }; + +#avc: denied { read } for pid=4884 comm="com.example.web" name="midr_el1" dev="sysfs" ino=15102 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +#avc: denied { open } for pid=4884 comm="com.example.web" path="/sys/devices/system/cpu/cpu0/regs/identification/midr_el1" dev="sysfs" ino=15102 scontext=u:r:normal_hap:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 +allow normal_hap_attr sysfs_devices_system_cpu:file { read open }; + +allow normal_hap_attr sysfs_devices_system_cpu:file { read open }; + +#avc: denied { mounton } for pid=4914 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/config" dev="configfs" ino=14342 scontext=u:r:normal_hap:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 +allow normal_hap_attr configfs:dir { mounton }; + +#avc: denied { search } for pid=8454 comm="com.example.web" name="dri" dev="tmpfs" ino=94 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 +allow normal_hap_attr dev_dri_file:dir { search }; + +allow normal_hap_attr pasteboard_service:fd { use }; + +allow normal_hap_attr port:tcp_socket { name_bind }; + + +allowxperm normal_hap_attr dev_mali:chr_file ioctl { 0x800f }; + diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/nwebspawn.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/nwebspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..a67eb5afb13147b5c85711b7a0e801c1950ea540 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/nwebspawn.te @@ -0,0 +1,167 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { open } for pid=1601 comm="nwebspawn" path="/system/bin/nwebspawn" dev="mmcblk0p7" ino=300 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow nwebspawn system_bin_file:file { open }; + +# avc: denied { execute_no_trans } for pid=1601 comm="nwebspawn" path="/system/bin/nwebspawn" dev="mmcblk0p7" ino=300 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1 +allow nwebspawn system_bin_file:file { execute_no_trans }; + +# avc: denied { execute } for pid=1601 comm="nwebspawn" path="/system/app/ArkWeb/ArkWebCore.hap" dev="mmcblk0p7" ino=78 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 +allow nwebspawn system_file:file { execute }; + +#avc: denied { search } for pid=1852 comm="nwebspawn" name="socket" dev="tmpfs" ino=40 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 +allow nwebspawn dev_unix_socket:dir { search }; + +#avc: denied { search } for pid=1852 comm="nwebspawn" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:nwebspawn:s0tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 +allow nwebspawn data_file:dir { search }; + +#avc: denied { read append } for pid=1852 comm="nwebspawn" name="begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +#avc: denied { open } for pid=1852 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +#avc: denied { ioctl } for pid=2616 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=22 ioctlcmd=0x5413 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1 +allow nwebspawn data_init_agent:file { read append open ioctl }; + +#avc: denied { search } for pid=2616 comm="nwebspawn" name="init_agent" dev="mmcblk0p11" ino=89761 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1 +allow nwebspawn data_init_agent:dir { search }; + +#avc: denied { accept } for pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 +#avc: denied { getattr } for pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 +#avc: denied { getopt } for pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 +allow nwebspawn init:unix_stream_socket { accept getattr getopt }; + +#avc: denied { ioctl } for pid=4499 comm="nwebspawn" path="/dev/access_token_id" dev="tmpfs" ino=172 ioctlcmd=0x4102 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_at_file:s0 tclass=chr_file permissive=1 +allow nwebspawn dev_at_file:chr_file { ioctl }; + +#avc: denied { search } for pid=4499 comm="nwebspawn" name="/" dev="selinuxfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=1 +allow nwebspawn selinuxfs:dir { search }; + +#avc: denied { read write } for pid=4499 comm="nwebspawn" name="context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 +#avc: denied { open } for pid=4499 comm="nwebspawn" path="/sys/fs/selinux/context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 +allow nwebspawn selinuxfs:file { read write open }; + +#avc: denied { check_context } for pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1 +allow nwebspawn security:security { check_context }; + +#avc: denied { setcurrent } for pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1 +#avc: denied { dyntransition } for pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:normal_hap:s0 tclass=process permissive= +allow nwebspawn normal_hap_attr:process { setcurrent }; + +#avc: denied { setcurrent } for pid=4868 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1 +allow nwebspawn nwebspawn:process { setcurrent }; + +#avc: denied { mounton } for pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/config" dev="configfs" ino=14342 scontext=u:r:normal_hap:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 +allow nwebspawn configfs:dir { mounton getattr }; + +#avc: denied { mounton } for pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/dev" dev="tmpfs" ino=1 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 +allow nwebspawn dev_file:dir { mounton getattr }; + +#avc: denied { mounton } for pid=2318 comm="nwebspawn" path="/" dev="tmpfs" ino=3 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 +allow nwebspawn tmpfs:dir { mounton create_dir_perms getattr }; + +# avc: denied { create } for pid=1604 comm="nwebspawn" name="ld-musl-arm.so.1" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 +allow nwebspawn tmpfs:file { create mounton open getattr }; + +allow nwebspawn tmpfs:lnk_file { create }; + +#avc: denied { mounton } for pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys" dev="sysfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:sys_file:s0 tclass=dir permissive=1 +allow nwebspawn sys_file:dir { mounton getattr }; + +#avc: denied { mounton } for pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys_prod" dev="mmcblk0p6" ino=26 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 +allow nwebspawn rootfs:dir { mounton getattr }; + +#avc: denied { mounton } for pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/app" dev="mmcblk0p6" ino=28 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 +allow nwebspawn system_file:dir { mounton getattr }; + +#avc: denied { mounton } for pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/fonts" dev="mmcblk0p6" ino=1491 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1 +allow nwebspawn system_fonts_file:dir { mounton getattr }; + +#avc: denied { mounton } for pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/lib" dev="mmcblk0p6" ino=1540 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 +allow nwebspawn system_lib_file:dir { mounton getattr }; + +# avc: denied { mounton } for pid=1604 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/lib/ld-musl-arm.so.1" dev="mmcblk0p7" ino=1823 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=1 +allow nwebspawn system_lib_file:file { mounton getattr }; + +#avc: denied { mounton } for pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/usr" dev="mmcblk0p6" ino=2476 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 +allow nwebspawn system_usr_file:dir { mounton getattr }; + +allow nwebspawn data_app_el1_file:file { getattr map read }; +allow nwebspawn data_app_file:dir { search }; +allow nwebspawn nwebspawn_socket:sock_file { setattr }; +allow nwebspawn system_bin_file:dir { search }; +allow nwebspawn system_bin_file:file { entrypoint execute map read }; +allow nwebspawn vendor_lib_file:dir { search }; +allow nwebspawn vendor_lib_file:file { execute getattr map open read }; +allowxperm nwebspawn data_init_agent:file ioctl { 0x5413 }; +allowxperm nwebspawn dev_at_file:chr_file ioctl { 0x4102 }; + +allow nwebspawn accessibility_param:file { open read map }; +allow nwebspawn system_basic_hap_data_file_attr:dir { mounton getattr }; + +allow nwebspawn dev_console_file:chr_file { read write }; +allow nwebspawn kernel:unix_stream_socket { connectto }; +allow nwebspawn musl_param:file { map open read }; +allow nwebspawn normal_hap_attr:process { sigkill }; +allow nwebspawn paramservice_socket:sock_file { write }; + +allow nwebspawn data_misc:dir { add_name search write remove_name getattr }; +allow nwebspawn data_misc:file { create map open read write unlink }; + +# avc: denied { dyntransition } for pid=5103 comm="ei.hmos.browser" scontext=u:r:nwebspawn:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow nwebspawn isolated_render:process { dyntransition }; +allow nwebspawn isolated_gpu:process { dyntransition }; + +# avc: denied { search } for pid=308 comm="appspawn" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1 +allow nwebspawn vendor_etc_file:dir { search }; + +# avc: denied { use } for pid=306 comm="appspawn" path="socket:[19696]" dev="sockfs" ino=19696 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=0 +# avc: denied { use } for pid=308 comm="appspawn" path="socket:[19920]" dev="sockfs" ino=19920 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=1 +allow nwebspawn appspawn:fd { use }; + +# avc: denied { connect } for pid=306 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=0 +# avc: denied { write } for pid=308 comm="appspawn" path="socket:[19920]" dev="sockfs" ino=19920 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1 +allow nwebspawn appspawn:unix_dgram_socket { connect write }; +allow nwebspawn appspawn:unix_stream_socket { getopt setopt getattr listen accept read write }; + + +# avc: denied { getopt } for pid=426 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1 +# avc: denied { setopt } for pid=426 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1 +allow nwebspawn nwebspawn:unix_dgram_socket { getopt setopt }; + +# avc: denied { unmount } for pid=1365 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 +allow nwebspawn labeledfs:filesystem { unmount }; + +#avc: denied { read } for pid=269 comm="nwebspawn" name="nwebspawn" dev="mmcblk0p7" ino=1714 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=0 +allow nwebspawn system_lib_file:dir { search open read }; + +# avc: denied { map } for pid=2795 comm="appspawn" path="/system/bin/appspawn" dev="mmcblk0p7" ino=136 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=0 +allow nwebspawn appspawn_exec:file { map }; + +allow nwebspawn vendor_etc_vulkan_file:dir { mounton search }; +neverallow nwebspawn vendor_etc_vulkan_file:dir ~{ open read search getattr mounton }; + +# avc_audit_slow:267] avc: denied { read } for pid=1, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="" ino=230 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 +allow nwebspawn arkcompiler_param:file { map open read }; + +debug_only(` + allow nwebspawn data_storage:dir { mounton getattr }; + allow nwebspawn data_file:dir { mounton getattr }; +') + +neverallow { domain -nwebspawn -foundation -app_fwk_update_service } nwebspawn_socket:sock_file { read write }; + +#avc_audit_slow:276] avc: denied { mounton } for pid=1, comm="/system/bin/appspawn" path="/mnt/sandbox/com.ohos.render/com.example.webrender/data/service/el1/public/for-all-app" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=134 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dit permissive=1 +#avc_audit_slow:276] avc: denied { search } for pid=1, comm="/system/bin/appspawn" name="/service/el1/public" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=1298 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1 +allow nwebspawn data_service_el1_file:dir { mounton search }; + +#avc_audit_slow:276] avc: denied { search } for pid=1, comm="/system/bin/appspawn" name="service" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=9 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1 +allow nwebspawn data_service_file:dir { search }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/param_watcher.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..688add30c0e33662d79d0fba91c9f1d359fb62b9 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/param_watcher.te @@ -0,0 +1,17 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { call } for pid=487 comm="IPC_4_2477" scontext=u:r:param_watcher:s0 tcontext=u:r:isolated_render:s0 tclass=binder permissive=1 +allow param_watcher isolated_render:binder { call }; + +allow param_watcher isolated_gpu:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/parameter_contexts b/prebuilts/api/5.0/ohos_policy/web/webview/system/parameter_contexts new file mode 100644 index 0000000000000000000000000000000000000000..26e854aadf7b5abdb4907b5d62604f781a2bc968 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +web.debug. u:object_r:debug_param:s0 diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/pasteboard_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/pasteboard_service.te new file mode 100644 index 0000000000000000000000000000000000000000..bcb6e67f65a8b0bd27c5c4642f33cad995f555ae --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/pasteboard_service.te @@ -0,0 +1,18 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pasteboard_service dev_ashmem_file:chr_file { open }; +allow pasteboard_service normal_hap_attr:fd { use }; +allow pasteboard_service proc_boot_id:file { open read }; +allow pasteboard_service data_app_el1_file:file { open read getattr }; +allow pasteboard_service system_basic_hap_attr:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/render_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fb721fab1f4ca5272b7f2385869696300335a80b --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/render_service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service accessibility:binder { call transfer }; + +allow render_service isolated_gpu:binder { call }; +allow render_service isolated_gpu:fd { use }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/resource_schedule_service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..b35af744c28dc6886dcd99539335f69f360f1459 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/resource_schedule_service.te @@ -0,0 +1,25 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { setsched } for pid=702 comm="CgroupEventHand" scontext=u:r:resource_schedule_service:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow resource_schedule_service isolated_render:process { setsched }; + +allow resource_schedule_service isolated_gpu:process { setsched }; + +allow resource_schedule_service isolated_render:dir { search }; + +allow resource_schedule_service isolated_gpu:dir { search }; + +allow resource_schedule_service isolated_render:file { getattr open read }; + +allow resource_schedule_service isolated_gpu:file { getattr open read }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/samgr.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..48b1aeb2852ab6adcc3f7e3ff96abccd0b7c1074 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/samgr.te @@ -0,0 +1,30 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { search } for pid=490 comm="IPC_7_1799" name="5103" dev="proc" ino=45492 scontext=u:r:samgr:s0 tcontext=u:r:isolated_render:s0 tclass=dir permissive=1 +allow samgr isolated_render:dir { search }; + +# avc: denied { open } for pid=490 comm="IPC_7_1799" path="/proc/5103/attr/current" dev="proc" ino=44912 scontext=u:r:samgr:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +# avc: denied { read } for pid=490 comm="IPC_7_1799" name="current" dev="proc" ino=44912 scontext=u:r:samgr:s0 tcontext=u:r:isolated_render:s0 tclass=file permissive=1 +allow samgr isolated_render:file { open read }; + +# avc: denied { getattr } for pid=490 comm="IPC_7_1799" scontext=u:r:samgr:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1 +allow samgr isolated_render:process { getattr }; + +# avc_audit_slow:262] avc: denied { transfer } for pid=630, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:isolated_render:s0 tclass=binder permissive=1 + +allow samgr isolated_render:binder { call transfer }; +allow samgr isolated_gpu:dir { search }; +allow samgr isolated_gpu:file { open read }; +allow samgr isolated_gpu:process { getattr }; +allow samgr isolated_gpu:binder { call }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/service.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/service.te new file mode 100644 index 0000000000000000000000000000000000000000..d3498534faa112521024b6ca1bf687fb26dc4731 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/service.te @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_app_fwk_update_service, sa_service_attr; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/service_contexts b/prebuilts/api/5.0/ohos_policy/web/webview/system/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..149673716c5b5a9d7e4f06d080c8a9b410e7a20e --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/service_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +8350 u:object_r:sa_app_fwk_update_service:s0 diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/storage_daemon.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..3a735766fc3c799018a0123a83310906dd02b946 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/storage_daemon.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon data_app_el1_file:file { read open }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webview/system/system_basic_hap.te b/prebuilts/api/5.0/ohos_policy/web/webview/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..57b0cd1016faa0c5f4d2fed368cff61e2f85e1eb --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/web/webview/system/system_basic_hap.te @@ -0,0 +1,60 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap_attr data_app_el1_file:dir { getattr }; +allow system_basic_hap_attr netmanager:binder { transfer }; +allow system_basic_hap_attr proc_cpuinfo_file:file { getattr }; +allow system_basic_hap_attr proc_max_user_watches:file { open read }; +allow system_basic_hap_attr system_etc_file:dir { watch }; +allow system_basic_hap_attr nwebspawn:fd { use }; +allow system_basic_hap_attr nwebspawn:fifo_file { write }; +allow system_basic_hap_attr nwebspawn:unix_dgram_socket { write }; +allow system_basic_hap_attr system_fonts_file:dir { open read }; +allowxperm system_basic_hap_attr dev_mali:chr_file ioctl 0x800c; +allow system_basic_hap_attr netsysnative:unix_stream_socket { connectto }; +allow system_basic_hap_attr port:tcp_socket { name_connect }; +allow system_basic_hap_attr system_basic_hap_attr:tcp_socket { connect getopt }; +allow system_basic_hap_attr system_basic_hap_attr:udp_socket { connect }; +allow system_basic_hap_attr pasteboard_service:fd { use }; + +allow system_core_hap_attr musl_param:file { read }; +allow foundation system_core_hap_attr:unix_stream_socket { read write }; +allow hidumper_service system_core_hap_attr:file { getattr }; +allow system_core_hap_attr proc_max_user_watches:file { read }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { setopt }; +allow system_core_hap_attr system_etc_file:dir { watch }; +allow system_core_hap_attr tmpfs:lnk_file { getattr }; +allow system_core_hap_attr proc_max_user_watches:file { open }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { bind }; +allowxperm system_core_hap_attr dev_mali:chr_file ioctl 0x800c; +allow system_core_hap_attr port:tcp_socket { name_bind }; +allow system_core_hap_attr proc_max_user_watches:file { getattr }; +allow nwebspawn system_core_hap_data_file_attr:dir { mounton }; +allow system_core_hap_attr nwebspawn:fd { use }; +allow system_core_hap_attr nwebspawn:fifo_file { write }; +allow system_core_hap_attr nwebspawn:unix_dgram_socket { write }; +allow system_core_hap_attr proc_cpuinfo_file:file { getattr }; +allow system_core_hap_attr system_fonts_file:dir { open }; +allow system_core_hap_attr system_fonts_file:dir { read }; + +allow foundation data_service_el0_file:file { getattr }; +allow foundation musl_param:file { read }; +allow nwebspawn system_core_hap_data_file_attr:dir { mounton }; +allow foundation storage_manager:file { read }; +allow system_core_hap_attr port:tcp_socket { name_connect }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { connect }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { getopt }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { read }; +allow system_core_hap_attr system_core_hap_attr:tcp_socket { write }; +allow system_core_hap_attr system_core_hap_attr:udp_socket { connect }; +allow system_core_hap_attr system_core_hap_attr:udp_socket { read }; diff --git a/prebuilts/api/5.0/ohos_policy/web/webwork/.gitkeep b/prebuilts/api/5.0/ohos_policy/web/webwork/.gitkeep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/ohos_policy/window/window_manager/public/wms.te b/prebuilts/api/5.0/ohos_policy/window/window_manager/public/wms.te new file mode 100644 index 0000000000000000000000000000000000000000..5fd89e413fcaf2c71da9fa20433e82a3fbdda032 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/window/window_manager/public/wms.te @@ -0,0 +1,17 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type sa_foundation_wms, sa_service_attr; +type sa_foundation_dms, sa_service_attr; +type snapshot_display, native_system_domain, domain; +type snapshot_display_exec, exec_attr, file_attr, system_file_attr; diff --git a/prebuilts/api/5.0/ohos_policy/window/window_manager/system/file_contexts b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..952c118e22f65c7111ea3723c30cc3c92ceaf901 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/file_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +/system/bin/snapshot_display u:object_r:snapshot_display_exec:s0 diff --git a/prebuilts/api/5.0/ohos_policy/window/window_manager/system/samgr.te b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..f9ff84df5b037844407c92e8d82a2431a3237e90 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/samgr.te @@ -0,0 +1,34 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + # avc: denied { transfer } for pid=261 comm="OS_IPC_3_290" scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=binder permissive=1 + allow samgr snapshot_display:binder { transfer }; + # avc: denied { search } for pid=261 comm="OS_IPC_3_290" name="1481" dev="proc" ino=34938 scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=dir permissive=1 + allow samgr snapshot_display:dir { search }; + # avc: denied { read } for pid=261 comm="OS_IPC_3_290" name="current" dev="proc" ino=35942 scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=file permissive=1 + allow samgr snapshot_display:file { open read }; + # avc: denied { getattr } for pid=261 comm="OS_IPC_3_290" scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=process permissive=1 + allow samgr snapshot_display:process { getattr }; +') + +developer_only(` + # avc: denied { transfer } for pid=261 comm="OS_IPC_3_290" scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=binder permissive=1 + allow samgr snapshot_display:binder { transfer }; + # avc: denied { search } for pid=261 comm="OS_IPC_3_290" name="1481" dev="proc" ino=34938 scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=dir permissive=1 + allow samgr snapshot_display:dir { search }; + # avc: denied { read } for pid=261 comm="OS_IPC_3_290" name="current" dev="proc" ino=35942 scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=file permissive=1 + allow samgr snapshot_display:file { open read }; + # avc: denied { getattr } for pid=261 comm="OS_IPC_3_290" scontext=u:r:samgr:s0 tcontext=u:r:snapshot_display:s0 tclass=process permissive=1 + allow samgr snapshot_display:process { getattr }; +') diff --git a/prebuilts/api/5.0/ohos_policy/window/window_manager/system/snapshot_display.te b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/snapshot_display.te new file mode 100644 index 0000000000000000000000000000000000000000..c8f4e112aa4081db12bdbbc15b82eeccf74057b5 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/snapshot_display.te @@ -0,0 +1,175 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug_only(` + # snapshot_display + allow snapshot_display snapshot_display_exec:file { getattr execute execute_no_trans map read open }; + # avc: denied { search } for pid=1481 comm="snapshot_displa" name="/" dev="mmcblk0p15" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 + allow snapshot_display data_file:dir { search }; + # avc: denied { search } for pid=1481 comm="snapshot_displa" name="local" dev="mmcblk0p15" ino=112 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 + allow snapshot_display data_local:dir { search }; + # avc: denied { use } for pid=1481 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fd permissive=1 + allow snapshot_display su:fd { use }; + # avc: denied { read write } for pid=1481 comm="snapshot_displa" path="socket:[20370]" dev="sockfs" ino=20370 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1 + allow snapshot_display su:unix_stream_socket { read write }; + # avc: denied { read } for pid=1636 comm="snapshot_displa" name="u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 + allow snapshot_display debug_param:file { read }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 + allow snapshot_display dev_console_file:chr_file { read write }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 + allow snapshot_display devpts:chr_file { read write }; + # avc: denied { read } for pid=1571 comm="snapshot_displa" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=71 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 + allow snapshot_display persist_sys_param:file { read }; + # avc: denied { get } for service=4607 pid=1289 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 + allow snapshot_display sa_foundation_dms:samgr_class { get }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/tty" dev="tmpfs" ino=40 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 + allow snapshot_display tty_device:chr_file { read write }; + # avc: denied { read } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=84 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 + allow snapshot_display arkcompiler_param:file { map read open }; + # avc: denied { write search } for pid=1475 comm="snapshot_displa" name="tmp" dev="mmcblk0p15" ino=115 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=dir permissive=1 + allow snapshot_display data_local_tmp:dir { add_name write search }; + # avc: denied { write open } for pid=1475 comm="snapshot_displa" path="/data/local/tmp/snapshot_2017-08-05_17-07-00.jpeg" dev="mmcblk0p15" ino=1924 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 + allow snapshot_display data_local_tmp:file { create getattr ioctl write open }; + # avc: denied { open } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + allow snapshot_display debug_param:file { map open }; + # avc: denied { search } for pid=1475 comm="snapshot_displa" name="socket" dev="tmpfs" ino=43 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 + allow snapshot_display dev_unix_socket:dir { search }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allow snapshot_display devpts:chr_file { ioctl }; + # avc: denied { call } for pid=1475 comm="snapshot_displa" scontext=u:r:snapshot_display:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 + allow snapshot_display foundation:binder { call }; + # avc: denied { read } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=68 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 + allow snapshot_display hilog_param:file { map open read }; + # avc: denied { open } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=71 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 + allow snapshot_display persist_sys_param:file { map open }; + # avc: denied { use } for pid=1475 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=239 scontext=u:r:snapshot_display:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1 + allow snapshot_display render_service:fd { use }; + # avc: denied { call } for pid=1475 comm="snapshot_displa" scontext=u:r:snapshot_display:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 + allow snapshot_display samgr:binder { call }; + # avc: denied { search } for pid=1475 comm="snapshot_displa" name="/" dev="tracefs" ino=1 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 + allow snapshot_display tracefs:dir { search }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/data/local/tmp/snapshot_2017-08-05_17-07-00.jpeg" dev="mmcblk0p15" ino=1924 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 + allowxperm snapshot_display data_local_tmp:file ioctl { 0x5413 }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allowxperm snapshot_display devpts:chr_file ioctl { 0x5413 }; + # avc: denied { write } for pid=1565 comm="snapshot_displa" path="pipe:[30382]" dev="pipefs" ino=30382 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + allow snapshot_display su:fifo_file { ioctl read write }; + # avc: denied { ioctl } for pid=1565 comm="snapshot_displa" path="pipe:[30382]" dev="pipefs" ino=30382 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + allowxperm snapshot_display su:fifo_file ioctl { 0x5413 }; + + allow snapshot_display hdcd:fd { use }; + allow snapshot_display hdcd:fifo_file { read write }; + allow snapshot_display hdcd:unix_stream_socket { read write }; + allow snapshot_display hilog_control_socket:sock_file { write }; + allow snapshot_display hilogd:unix_stream_socket { connectto }; + allow snapshot_display hilog_output_socket:sock_file { write }; + + # avc: denied { open } for pid=8117 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=654 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1 + allow snapshot_display dev_ashmem_file:chr_file { open }; + # avc: denied { write } for pid=8184 comm="snapshot_displa" path="/dev/kmsg" dev="tmpfs" ino=110 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 + allow snapshot_display dev_kmsg_file:chr_file { write }; + # avc: denied { read } for pid=8117 comm="snapshot_displa" name="u:object_r:persist_param:s0" dev="tmpfs" ino=142 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 + # avc: denied { read open } for pid=8117 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=142 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 + allow snapshot_display persist_param:file { read open }; + # avc: denied { search } for pid=8117 comm="snapshot_displa" name="bin" dev="sdd74" ino=357 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 + allow snapshot_display system_bin_file:dir { search }; + + # avc: denied { use } for pid=15278 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=653 scontext=u:r:snapshot_display:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=1 + allow snapshot_display foundation:fd { use }; + # avc: denied { getattr } for pid=15286 comm="snapshot_displa" path="/proc/cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + # avc: denied { read } for pid=15286 comm="snapshot_displa" name="cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + # avc: denied { read open } for pid=15286 comm="snapshot_displa" path="/proc/cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + allow snapshot_display proc_cpuinfo_file:file { getattr read open }; +') + +developer_only(` + # snapshot_display + allow snapshot_display snapshot_display_exec:file { getattr execute execute_no_trans map read open }; + # avc: denied { search } for pid=1481 comm="snapshot_displa" name="/" dev="mmcblk0p15" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 + allow snapshot_display data_file:dir { search }; + # avc: denied { search } for pid=1481 comm="snapshot_displa" name="local" dev="mmcblk0p15" ino=112 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 + allow snapshot_display data_local:dir { search }; + # avc: denied { use } for pid=1481 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fd permissive=1 + allow snapshot_display sh:fd { use }; + # avc: denied { read write } for pid=1481 comm="snapshot_displa" path="socket:[20370]" dev="sockfs" ino=20370 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1 + allow snapshot_display sh:unix_stream_socket { read write }; + # avc: denied { read } for pid=1636 comm="snapshot_displa" name="u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0 + allow snapshot_display debug_param:file { read }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0 + allow snapshot_display dev_console_file:chr_file { read write }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 + allow snapshot_display devpts:chr_file { read write }; + # avc: denied { read } for pid=1571 comm="snapshot_displa" name="u:object_r:persist_sys_param:s0" dev="tmpfs" ino=71 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=0 + allow snapshot_display persist_sys_param:file { read }; + # avc: denied { get } for service=4607 pid=1289 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1 + allow snapshot_display sa_foundation_dms:samgr_class { get }; + # avc: denied { read write } for pid=1636 comm="snapshot_displa" path="/dev/tty" dev="tmpfs" ino=40 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0 + allow snapshot_display tty_device:chr_file { read write }; + # avc: denied { read } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=84 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1 + allow snapshot_display arkcompiler_param:file { map open read }; + allow snapshot_display arkcompiler_param:file { map open read }; + # avc: denied { write search } for pid=1475 comm="snapshot_displa" name="tmp" dev="mmcblk0p15" ino=115 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=dir permissive=1 + allow snapshot_display data_local_tmp:dir { add_name write search }; + # avc: denied { write open } for pid=1475 comm="snapshot_displa" path="/data/local/tmp/snapshot_2017-08-05_17-07-00.jpeg" dev="mmcblk0p15" ino=1924 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 + allow snapshot_display data_local_tmp:file { create getattr ioctl write open }; + # avc: denied { open } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=72 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 + allow snapshot_display debug_param:file { map open }; + # avc: denied { search } for pid=1475 comm="snapshot_displa" name="socket" dev="tmpfs" ino=43 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 + allow snapshot_display dev_unix_socket:dir { search }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allow snapshot_display devpts:chr_file { ioctl }; + # avc: denied { call } for pid=1475 comm="snapshot_displa" scontext=u:r:snapshot_display:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1 + allow snapshot_display foundation:binder { call }; + # avc: denied { read } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=68 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 + allow snapshot_display hilog_param:file { map read open }; + # avc: denied { open } for pid=1475 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="tmpfs" ino=71 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1 + allow snapshot_display persist_sys_param:file { map open }; + # avc: denied { use } for pid=1475 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=239 scontext=u:r:snapshot_display:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1 + allow snapshot_display render_service:fd { use }; + # avc: denied { call } for pid=1475 comm="snapshot_displa" scontext=u:r:snapshot_display:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 + allow snapshot_display samgr:binder { call }; + # avc: denied { search } for pid=1475 comm="snapshot_displa" name="/" dev="tracefs" ino=1 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1 + allow snapshot_display tracefs:dir { search }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/data/local/tmp/snapshot_2017-08-05_17-07-00.jpeg" dev="mmcblk0p15" ino=1924 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1 + allowxperm snapshot_display data_local_tmp:file ioctl { 0x5413 }; + # avc: denied { ioctl } for pid=1475 comm="snapshot_displa" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 + allowxperm snapshot_display devpts:chr_file ioctl { 0x5413 }; + # avc: denied { write } for pid=1565 comm="snapshot_displa" path="pipe:[30382]" dev="pipefs" ino=30382 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + allow snapshot_display sh:fifo_file { ioctl read write }; + # avc: denied { ioctl } for pid=1565 comm="snapshot_displa" path="pipe:[30382]" dev="pipefs" ino=30382 ioctlcmd=0x5413 scontext=u:r:snapshot_display:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1 + allowxperm snapshot_display sh:fifo_file ioctl { 0x5413 }; + + allow snapshot_display hdcd:fd { use }; + allow snapshot_display hdcd:fifo_file { read write }; + allow snapshot_display hdcd:unix_stream_socket { read write }; + allow snapshot_display hilog_control_socket:sock_file { write }; + allow snapshot_display hilogd:unix_stream_socket { connectto }; + allow snapshot_display hilog_output_socket:sock_file { write }; + + # avc: denied { open } for pid=8117 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=654 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1 + allow snapshot_display dev_ashmem_file:chr_file { open }; + # avc: denied { write } for pid=8184 comm="snapshot_displa" path="/dev/kmsg" dev="tmpfs" ino=110 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1 + allow snapshot_display dev_kmsg_file:chr_file { write }; + # avc: denied { read } for pid=8117 comm="snapshot_displa" name="u:object_r:persist_param:s0" dev="tmpfs" ino=142 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 + # avc: denied { read open } for pid=8117 comm="snapshot_displa" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=142 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 + allow snapshot_display persist_param:file { read open }; + # avc: denied { search } for pid=8117 comm="snapshot_displa" name="bin" dev="sdd74" ino=357 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 + allow snapshot_display system_bin_file:dir { search }; + + # avc: denied { use } for pid=15278 comm="snapshot_displa" path="/dev/ashmem" dev="tmpfs" ino=653 scontext=u:r:snapshot_display:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=1 + allow snapshot_display foundation:fd { use }; + # avc: denied { getattr } for pid=15286 comm="snapshot_displa" path="/proc/cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + # avc: denied { read } for pid=15286 comm="snapshot_displa" name="cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + # avc: denied { read open } for pid=15286 comm="snapshot_displa" path="/proc/cpuinfo" dev="proc" ino=4026532344 scontext=u:r:snapshot_display:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1 + allow snapshot_display proc_cpuinfo_file:file { getattr read open }; +') diff --git a/prebuilts/api/5.0/ohos_policy/window/window_manager/system/wms.te b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/wms.te new file mode 100644 index 0000000000000000000000000000000000000000..5dde10e93e4a82fd9f5d3d478353446347baccf2 --- /dev/null +++ b/prebuilts/api/5.0/ohos_policy/window/window_manager/system/wms.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022-2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accessibility:binder { call }; +allow foundation accesstoken_service:binder { call }; +allow foundation bootanimation:binder { call }; +allow foundation data_file:dir { search }; +allow foundation data_init_agent:dir { search }; +allow foundation dev_ashmem_file:chr_file { open }; +allow foundation dev_unix_socket:dir { search }; +allow foundation foundation:binder { call transfer }; +allow foundation hidumper_service:fd { use }; +allow foundation kernel:unix_stream_socket { connectto }; +allow foundation multimodalinput:binder { call }; +allow foundation multimodalinput:unix_stream_socket { write }; +allow foundation normal_hap_attr:binder { call }; +allow foundation paramservice_socket:sock_file { write }; +allow foundation proc_file:file { open read }; +allow foundation render_service:binder { call transfer }; +allow foundation render_service:fd { use }; +allow foundation resource_schedule_service:binder { call transfer }; +allow foundation sa_accesstoken_manager_service:samgr_class { get }; +allow foundation sa_foundation_abilityms:samgr_class { get }; +allow foundation sa_foundation_dms:samgr_class { add }; +allow foundation sa_foundation_wms:samgr_class { add }; +allow foundation sa_render_service:samgr_class { get }; +allow foundation sa_msdp_motion_service:samgr_class { get }; +allow foundation sa_msdp_motion_service:samgr_class { add }; +allow foundation screenlock_server:binder { call transfer }; + +debug_only(` + allow foundation sh:binder { call transfer }; +') + +allow foundation system_basic_hap_attr:binder { call }; +allow foundation system_core_hap_attr:binder { call }; +allow foundation system_usr_file:dir { search }; +allow foundation system_usr_file:file { getattr map open read }; +allow foundation ui_service:binder { call }; +allow foundation vendor_lib_file:dir { search }; +allow foundation vendor_lib_file:file { read }; +allow foundation render_service:unix_stream_socket { read write }; +allow foundation pasteboard_service:binder { call transfer }; +allow foundation bootevent_wms_param:parameter_service { set }; +allow bootanimation bootevent_wms_param:file { map open read }; +allow foundation data_service_el1_file:file { rename }; + diff --git a/prebuilts/api/5.0/ohos_product/multimedia/player/system/other.te b/prebuilts/api/5.0/ohos_product/multimedia/player/system/other.te new file mode 100644 index 0000000000000000000000000000000000000000..c65d57d3c0aeea10e1acdd3771a35c45e17b71df --- /dev/null +++ b/prebuilts/api/5.0/ohos_product/multimedia/player/system/other.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# avc: denied { transfer } for pid=25995 comm="ot:sys/commonUI" scontext=u:r:system_core_hap:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1 +allow system_core_hap_attr system_basic_hap_attr:binder { transfer }; diff --git a/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/public/other.te b/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/public/other.te new file mode 100644 index 0000000000000000000000000000000000000000..4015a68a29a210f0ca932a1ddd3fc7ee32f3d4de --- /dev/null +++ b/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/public/other.te @@ -0,0 +1,19 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#type_attribute +typeattribute resource_schedule_service dev_auth_ctrl_violator_chr_file; + +#never_allow +neverallow { dev_auth_ctrl_violator_chr_file -resource_schedule_service } dev_auth_ctrl:chr_file { write }; + diff --git a/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/system/other.te b/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/system/other.te new file mode 100644 index 0000000000000000000000000000000000000000..c20048ba7b46f495c01f80c6026e82de1bdb0595 --- /dev/null +++ b/prebuilts/api/5.0/ohos_product/resourceschedule/concurrent_task_service/system/other.te @@ -0,0 +1,15 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#allow +allow resource_schedule_service dev_auth_ctrl:chr_file { read write open ioctl }; diff --git a/prebuilts/api/5.0/ohos_product/security/public/file_contexts b/prebuilts/api/5.0/ohos_product/security/public/file_contexts new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/whitelist/data_regex_whitelist.txt b/prebuilts/api/5.0/whitelist/data_regex_whitelist.txt new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/prebuilts/api/5.0/whitelist/ioctl_xperm_whitelist.json b/prebuilts/api/5.0/whitelist/ioctl_xperm_whitelist.json new file mode 100644 index 0000000000000000000000000000000000000000..a0c7bf6b5b499cca7e4e233805582a976567304e --- /dev/null +++ b/prebuilts/api/5.0/whitelist/ioctl_xperm_whitelist.json @@ -0,0 +1,335 @@ +{ + "whitelist": { + "user": [ + "accesstoken_service accesstoken_data_file file", + "accountmgr account_data_file file", + "accountmgr data_init_agent file", + "accountmgr data_system file", + "appspawn data_service_el2_share dir", + "appspawn dev_mali chr_file", + "appspawn dev_xpm chr_file", + "appspawn sharefs dir", + "audio_host dev_dma_heap_file chr_file", + "audio_host dev_mgr_file chr_file", + "audio_server data_service_el1_file file", + "av_codec_service dev_dri_file chr_file", + "bluetooth_service data_service_el1_file file", + "bluetooth_service self tun_socket", + "bm data_local dir", + "bm data_local_tmp dir", + "bm data_local_tmp file", + "bytrace hiprofiler_plugins fifo_file", + "bytrace tracefs file", + "cadaemon dev_tee_private chr_file", + "cadaemon dev_tee_public chr_file", + "camera_host dev_dma_heap_file chr_file", + "charger data_service_el0_file file", + "charger dev_dri_file chr_file", + "charger dev_graphics_file chr_file", + "charger dev_hdf_input chr_file", + "chipset_init data_service_file file", + "chipset_init dev_block_file blk_file", + "chipset_init dev_console_file chr_file", + "chipset_init dev_kmsg_file chr_file", + "chipset_init self udp_socket", + "cloudfiledaemon data_app_el2_file file", + "cloudfiledaemon data_service_el2_hmdfs file", + "cloudfiledaemon data_user_file file", + "cloudfiledaemon medialibrary_hap_data_file file", + "concurrent_task_service dev_auth_ctrl chr_file", + "concurrent_task_service dev_sched_rtg_ctrl chr_file", + "d-bms data_service_el1_file file", + "dcamera dev_dri_file chr_file", + "dcamera_host dev_dri_file chr_file", + "devattest_service data_service_el1_public_device_attest file", + "devattest_service self udp_socket", + "devattest_service self unix_dgram_socket", + "deviceauth_service data_service_el1_public_deviceauthService_file file", + "deviceauth_service data_service_el2_file file", + "dhardware data_service_el1_file file", + "dinput dev_uinput chr_file", + "distributedfiledaemon data_service_el2_hmdfs dir", + "distributedfiledaemon data_service_el2_hmdfs file", + "distributedsche data_service_el1_file file", + "domain dev_ashmem_file chr_file", + "domain dev_null_file chr_file", + "domain dev_parameters_file file", + "domain dev_random_file chr_file", + "domain dev_zero_file chr_file", + "domain processdump_exec file", + "download_server self udp_socket", + "drm_service data_system file", + "faultloggerd data_init_agent file", + "foundation sysfs_hungtask_userlist file", + "hap_domain data_app_el2_file file", + "hap_domain data_file file", + "hap_domain data_service_el2_hmdfs dir", + "hap_domain data_service_el2_hmdfs file", + "hap_domain data_user_file dir", + "hap_domain data_user_file file", + "hap_domain epfs dir", + "hap_domain epfs file", + "hdcd data_hilogd_file dir", + "hdcd data_hilogd_file file", + "hdcd dev_asanlog_file dir", + "hdcd dev_asanlog_file file", + "hidumper data_init_agent file", + "hidumper_service data_init_agent file", + "hidumper_service hidumper_file file", + "hidumper_service self udp_socket", + "hiebpf hiprofiler_plugins fifo_file", + "hilogd data_hilogd_file dir", + "hilogd data_hilogd_file file", + "hilogd hilog_control_socket sock_file", + "hilogd hilog_control_socket unix_dgram_socket", + "hilogd hilog_input_socket sock_file", + "hilogd hilog_input_socket unix_dgram_socket", + "hilogd hilog_output_socket sock_file", + "hilogd hilog_output_socket unix_dgram_socket", + "hiperf data_file file", + "hiperf data_local_tmp file", + "hiperf data_local_tmp_hiperf_file dir", + "hiperf data_local_tmp_hiperf_file file", + "hiperf data_log file", + "hiperf data_log_hiperf_file dir", + "hiperf data_log_hiperf_file file", + "hiperf hdcd fifo_file", + "hiperf hiprofiler_plugins fifo_file", + "hiperf proc_file file", + "hiperf rootfs file", + "hiprofiler_cmd tty_device chr_file", + "hiprofiler_plugins data_init_agent file", + "hiprofiler_plugins data_local_tmp file", + "hiprofiler_plugins hdcd fifo_file", + "hiprofiler_plugins tty_device chr_file", + "hiprofilerd data_init_agent file", + "hiprofilerd data_local_tmp file", + "hiprofilerd tty_device chr_file", + "hisysevent hiprofiler_plugins fifo_file", + "hitrace hdcd fifo_file", + "hitrace hiprofiler_plugins fifo_file", + "hitrace tracefs file", + "hiview data_hilogd_file dir", + "hiview data_hilogd_file file", + "hiview dev_asanlog_file dir", + "hiview dev_asanlog_file file", + "hiview dev_ucollection chr_file", + "hiview hiview_file file", + "hiview proc_sysrq_trigger_file file", + "huks_service data_service_el1_public_huksService_file file", + "huks_service data_service_el2_public_huksService_file file", + "init data_app_el1_file dir", + "init data_chipset_el1_file dir", + "init data_hilogd_file dir", + "init data_log_sanitizer_file dir", + "init data_service_el1_file dir", + "init data_service_el1_file file", + "init data_service_el1_public_device_attest file", + "init data_service_file file", + "init data_startup file", + "init proc_sysrq_trigger_file file", + "init tracefs file", + "init tracefs_trace_marker_file file", + "init cjappspawn_exec file", + "installs data_local file", + "installs data_local_arkcache file", + "installs unlabeled dir", + "installs unlabeled file", + "kernel data_service_el2_hmdfs dir", + "kernel data_service_el2_hmdfs file", + "locationhub data_service_el1_file file", + "mdnsmanager self udp_socket", + "mdnsmanager self unix_dgram_socket", + "memmgrservice proc_file file", + "msdp_sa dev_input_file chr_file", + "multimodalinput data_init_agent file", + "multimodalinput dev_console_file chr_file", + "native_daemon data_local_tmp file", + "native_daemon self unix_dgram_socket", + "native_daemon tty_device chr_file", + "native_system_domain bytrace_exec file", + "native_system_domain hidumper_exec file", + "native_system_domain hiebpf_exec file", + "native_system_domain hiperf_exec file", + "native_system_domain hiprofiler_cmd_exec file", + "native_system_domain hiprofiler_plugins_exec file", + "native_system_domain hiprofilerd_exec file", + "native_system_domain hisysevent_exec file", + "native_system_domain hitrace_exec file", + "native_system_domain native_daemon_exec file", + "netmanager data_service_el1_file dir", + "netmanager data_service_file dir", + "netmanager data_system file", + "netsysnative data_service_el1_file file", + "netsysnative dev_tun_file chr_file", + "netsysnative self packet_socket", + "normal_hap_attr dev_asanlog_file dir", + "normal_hap_attr dev_asanlog_file file", + "normal_hap_attr normal_hap_attr file", + "normal_hap_attr normal_hap_data_file_attr dir", + "normal_hap_attr proc_asound_file dir", + "normal_hap_attr proc_bluetooth_file dir", + "normal_hap_attr proc_boot_id dir", + "normal_hap_attr proc_buddyinfo_file dir", + "normal_hap_attr proc_bus_file dir", + "normal_hap_attr proc_cgroups_file dir", + "normal_hap_attr proc_cmdline_file dir", + "normal_hap_attr proc_config_gz_file dir", + "normal_hap_attr proc_cpuinfo_file dir", + "normal_hap_attr proc_developer_file dir", + "normal_hap_attr proc_diskstats_file dir", + "normal_hap_attr proc_drop_caches_file dir", + "normal_hap_attr proc_dynamic_debug_file dir", + "normal_hap_attr proc_file dir", + "normal_hap_attr proc_filesystems_file dir", + "normal_hap_attr proc_fs_file dir", + "normal_hap_attr proc_gt9xx_config_file dir", + "normal_hap_attr proc_interrupts_file dir", + "normal_hap_attr proc_iomem_file dir", + "normal_hap_attr proc_keys_file dir", + "normal_hap_attr proc_kmsg_file dir", + "normal_hap_attr proc_loadavg_file dir", + "normal_hap_attr proc_max_user_watches dir", + "normal_hap_attr proc_meminfo_file dir", + "normal_hap_attr proc_misc_file dir", + "normal_hap_attr proc_modules_file dir", + "normal_hap_attr proc_mounts_file dir", + "normal_hap_attr proc_mpp_service_file dir", + "normal_hap_attr proc_net_tcp_udp dir", + "normal_hap_attr proc_pagetypeinfo_file dir", + "normal_hap_attr proc_panic dir", + "normal_hap_attr proc_partitions_file dir", + "normal_hap_attr proc_rkisp_vir0_file dir", + "normal_hap_attr proc_slabinfo_file dir", + "normal_hap_attr proc_softirqs_file dir", + "normal_hap_attr proc_stat_file dir", + "normal_hap_attr proc_swaps_file dir", + "normal_hap_attr proc_sysrq_trigger_file dir", + "normal_hap_attr proc_timer_list_file dir", + "normal_hap_attr proc_uptime_file dir", + "normal_hap_attr proc_version_file dir", + "normal_hap_attr proc_vmallocinfo_file dir", + "normal_hap_attr proc_vmstat_file dir", + "normal_hap_attr proc_zoneinfo_file dir", + "normal_hap_attr proc_random dir", + "nwebspawn tmpfs dir", + "pasteboard_service data_service_el1_file file", + "pasteboard_service hmdfs dir", + "powermgr sysfs_hungtask_userlist file", + "print_service data_service_el1_public_print_service_file file", + "privacy_service accesstoken_data_file file", + "privacy_service data_service_el1_file file", + "processdump data_init_agent file", + "processdump hidumper_service fifo_file", + "resource_schedule_service data_init_agent file", + "resource_schedule_service dev_auth_ctrl chr_file", + "riladapter_host dev_file chr_file", + "riladapter_host dev_hdf_kevent chr_file", + "riladapter_host self udp_socket", + "sadomain hidumper_exec file", + "sadomain samain_exec file", + "sadomain system_profile_file file", + "samgr init dir", + "storage_daemon data_app_el1_file dir", + "storage_daemon data_app_el2_file dir", + "storage_daemon data_app_el3_file dir", + "storage_daemon data_app_el4_file dir", + "storage_daemon data_chipset_el1_file dir", + "storage_daemon data_chipset_el2_file dir", + "storage_daemon data_data_file file", + "storage_daemon data_file dir", + "storage_daemon data_init_agent file", + "storage_daemon data_service_el0_file dir", + "storage_daemon data_service_el0_file file", + "storage_daemon data_service_el1_file dir", + "storage_daemon data_service_el1_file file", + "storage_daemon data_service_el2_file dir", + "storage_daemon data_service_el2_file file", + "storage_daemon data_service_el2_hmdfs dir", + "storage_daemon data_service_el2_hmdfs file", + "storage_daemon data_service_el2_share dir", + "storage_daemon data_service_el2_share file", + "storage_daemon data_service_el3_file dir", + "storage_daemon data_service_el3_file file", + "storage_daemon data_service_el4_file dir", + "storage_daemon data_service_el4_file file", + "storage_daemon data_user_file dir", + "storage_daemon data_user_file file", + "storage_daemon dev_block_volfile blk_file", + "storage_daemon dev_block_volfile dir", + "storage_daemon normal_hap_data_file_attr dir", + "storage_daemon normal_hap_data_file_attr file", + "storage_daemon sharefs dir", + "storage_daemon sharefs file", + "storage_daemon system_basic_hap_data_file_attr dir", + "storage_daemon system_basic_hap_data_file_attr file", + "storage_daemon system_core_hap_data_file_attr dir", + "storage_daemon system_core_hap_data_file_attr file", + "sys_installer_sa data_ota_package dir", + "sys_installer_sa data_ota_package file", + "sys_installer_sa data_updater_file dir", + "system_basic_hap_attr system_basic_hap_attr file", + "system_basic_hap_attr system_basic_hap_data_file_attr dir", + "system_core_hap_attr system_core_hap_attr file", + "system_core_hap_attr system_core_hap_data_file_attr dir", + "teecd dev_tee_private chr_file", + "teecd dev_tee_public chr_file", + "teecd teecd_data_file dir", + "teecd teecd_data_file file", + "teecd teecd_data_file_vendor dir", + "teecd teecd_data_file_vendor file", + "telephony_sa data_service_el1_file file", + "tlogcat data_log file", + "tlogcat dev_tee_log chr_file", + "udevd data_service_el1_file dir", + "udevd sys_file file", + "updater_sa data_ota_package dir", + "updater_sa data_ota_package file", + "updater_sa data_service_el1_file file", + "updater_sa data_updater_file file", + "usb_host data_service_el1_file file", + "usb_host dev_functionfs_file chr_file", + "usb_host dev_usbfn_file chr_file", + "usb_service data_service_el1_file file", + "useriam dev_mali chr_file", + "wifi_hal_service data_service_el1_file file", + "wifi_hal_service dev_hdfwifi chr_file", + "wifi_host data_service_el1_file file", + "wifi_host dev_hdfwifi chr_file", + "write_updater updater_block_file blk_file" + ], + "developer": [ + "aa uitest_exec file", + "appspawn lldb_server_file file", + "hdcd dev_block_file blk_file", + "hdcd dev_ptmx chr_file", + "hdcd dev_rtc_file chr_file", + "hdcd self tcp_socket", + "hdcd sh_exec file", + "hdcd tty_device chr_file", + "sh SP_daemon_exec file", + "sh aa_exec file", + "sh atm_exec file", + "sh bm_exec file", + "sh bytrace_exec file", + "sh data_hilogd_file dir", + "sh data_hilogd_file file", + "sh data_local dir", + "sh data_local_tmp dir", + "sh data_local_tmp file", + "sh dev_parameters_file file", + "sh hidumper_exec file", + "sh hiperf_exec file", + "sh hiprofiler_cmd_exec file", + "sh hisysevent_exec file", + "sh hitrace_exec file", + "sh power_shell_exec file", + "sh processdump_exec file", + "sh snapshot_display_exec file", + "sh uinput_exec file", + "sh uitest_exec file", + "sh wukong_exec file", + "sh mediatool_exec file" + ] + } +} diff --git a/prebuilts/api/5.0/whitelist/partition_label_use_whitelist.txt b/prebuilts/api/5.0/whitelist/partition_label_use_whitelist.txt new file mode 100644 index 0000000000000000000000000000000000000000..c1aa37e7287949a827ea37c33bc3f6ba32d07d1f --- /dev/null +++ b/prebuilts/api/5.0/whitelist/partition_label_use_whitelist.txt @@ -0,0 +1,20 @@ +/dev(/.*)? u:object_r:dev_file:s0 +/etc(/.*)? u:object_r:etc_file:s0 +/lib(/.*)? u:object_r:lib_file:s0 +/lib64(/.*)? u:object_r:lib_file:s0 +/config(/.*)? u:object_r:config_file:s0 +/updater(/.*)? u:object_r:updater_file:s0 +/system(/.*)? u:object_r:system_file:s0 +/preload u:object_r:system_file:s0 +/version u:object_r:system_file:s0 +/preload(/.*)? u:object_r:system_file:s0 +/version(/.*)? u:object_r:system_file:s0 +/cust(/.*)? u:object_r:system_file:s0 +/sys_prod(/.*)? u:object_r:sys_prod_file:s0 +/chip_prod(/.*)? u:object_r:chip_prod_file:s0 +/eng_system(/.*)? u:object_r:system_file:s0 +/eng_chipset(/.*)? u:object_r:vendor_file:s0 +/chip_ckm(/.*)? u:object_r:chip_ckm_file:s0 +/data(/.*)? u:object_r:data_file:s0 +/vendor(/.*)? u:object_r:vendor_file:s0 +/module_update(/.*)? u:object_r:module_update_file:s0 diff --git a/prebuilts/api/5.0/whitelist/perm_group_whitelist.json b/prebuilts/api/5.0/whitelist/perm_group_whitelist.json new file mode 100644 index 0000000000000000000000000000000000000000..127b15edb946ce80e1965de4666dff373ecc50e3 --- /dev/null +++ b/prebuilts/api/5.0/whitelist/perm_group_whitelist.json @@ -0,0 +1,152 @@ +{ + "whitelist": [ + { + "name": "execute and execute_no_trans", + "user": [ + "appspawn appspawn_exec", + "cjappspawn cjappspawn_exec", + "nwebspawn appspawn_exec", + "cjappspawn system_bin_file", + "audio_host system_bin_file", + "camera_host system_bin_file", + "camera_host toybox_exec", + "cupsd system_bin_file", + "cupsd toybox_exec", + "cupsd sh_exec", + "download_server system_bin_file", + "download_server toybox_exec", + "faultloggerd system_bin_file", + "faultloggerd toybox_exec", + "debug_hap hilog_exec", + "dlpmanager_hap hilog_exec", + "dlp_sandbox_hap hilog_exec", + "isolated_gpu hilog_exec", + "medialibrary_hap hilog_exec", + "ringtonelibrary_hap hilog_exec", + "formrenderservice_hap hilog_exec", + "normal_hap hilog_exec", + "permissionmanager_hap hilog_exec", + "system_basic_hap hilog_exec", + "system_core_hap hilog_exec", + "debug_hap system_bin_file", + "debug_hap toybox_exec", + "dlpmanager_hap system_bin_file", + "dlpmanager_hap toybox_exec", + "dlp_sandbox_hap system_bin_file", + "dlp_sandbox_hap toybox_exec", + "isolated_gpu system_bin_file", + "isolated_gpu toybox_exec", + "medialibrary_hap system_bin_file", + "medialibrary_hap toybox_exec", + "ringtonelibrary_hap system_bin_file", + "ringtonelibrary_hap toybox_exec", + "formrenderservice_hap system_bin_file", + "formrenderservice_hap toybox_exec", + "normal_hap system_bin_file", + "normal_hap toybox_exec", + "permissionmanager_hap system_bin_file", + "permissionmanager_hap toybox_exec", + "system_basic_hap system_bin_file", + "system_basic_hap toybox_exec", + "system_core_hap system_bin_file", + "system_core_hap toybox_exec", + "hidumper system_bin_file", + "hidumper toybox_exec", + "hidumper_service hilog_exec", + "hidumper_service sh_exec", + "hidumper_service system_bin_file", + "hidumper_service toybox_exec", + "hiperf system_bin_file", + "hiperf toybox_exec", + "hiprofiler_cmd system_bin_file", + "hiprofiler_cmd toybox_exec", + "hiprofiler_plugins hilog_exec", + "hiprofiler_plugins hisysevent_exec", + "hiprofiler_plugins system_bin_file", + "hiprofiler_plugins toybox_exec", + "hiprofiler_plugins SP_daemon_exec", + "hiprofilerd system_bin_file", + "hiprofilerd toybox_exec", + "hiview hidumper_exec", + "hiview hilog_exec", + "hiview hitrace_exec", + "hiview usage_report_exec", + "init sdc_exec", + "init system_bin_file", + "init toybox_exec", + "input_user_host system_bin_file", + "installs system_bin_file", + "multimodalinput system_bin_file", + "native_daemon system_bin_file", + "native_daemon toybox_exec", + "netmanager system_bin_file", + "netmanager toybox_exec", + "netsysnative iptables_exec", + "netsysnative sh_exec", + "netsysnative system_bin_file", + "netsysnative toybox_exec", + "nwebspawn system_bin_file", + "riladapter_host sh_exec", + "riladapter_host system_bin_file", + "riladapter_host toybox_exec", + "softbus_server system_bin_file", + "storage_daemon system_bin_file", + "storage_daemon toybox_exec", + "updater_binary tmpfs", + "updater_binary system_bin_file", + "updater_binary toybox_exec", + "usb_host system_bin_file", + "wifi_hal_service sh_exec", + "wifi_hal_service system_bin_file", + "wifi_hal_service toybox_exec", + "wifi_manager_service system_bin_file", + "wifi_manager_service toybox_exec", + "cupsd data_service_el1_public_print_service_file", + "cupsd print_driver_exec", + "print_driver print_driver_exec", + "print_driver sh_exec", + "pid_ns_init pid_ns_init_exec", + "compiler_service ark_aot_compiler_exec", + "print_service system_bin_uni_print_driver_file", + "cupsd system_bin_uni_print_driver_file", + "init bootanimation_exec", + "SP_daemon uitest_exec", + "SP_daemon system_bin_file", + "SP_daemon toybox_exec", + "SP_daemon sh_exec", + "SP_daemon SP_daemon_exec", + "SP_daemon uinput_exec", + "SP_daemon aa_exec", + "SP_daemon snapshot_display_exec" + ], + "developer": [ + "aa sh_exec", + "aa system_bin_file", + "aa toybox_exec", + "aa aa_exec", + "aa bm_exec", + "snapshot_display snapshot_display_exec", + "wukong sh_exec", + "wukong system_bin_file", + "wukong toybox_exec", + "wukong power_shell_exec", + "hdcd hdcd_exec", + "hdcd hilogd_exec", + "hdcd hisysevent_exec", + "hdcd hiview_exec", + "sh hilog_exec", + "sh system_bin_file", + "sh toybox_exec", + "lldb_server lldb_server_file", + "sh data_local_tmp", + "installs hnp_exec", + "hnp sh_exec", + "hnp toybox_exec", + "sh hnp_file", + "hnp_native hnp_file", + "sh sh_exec", + "sh devicedebug_exec" + ] + } + ] +} diff --git a/prebuilts/api/5.0/whitelist/permissive_whitelist.json b/prebuilts/api/5.0/whitelist/permissive_whitelist.json new file mode 100644 index 0000000000000000000000000000000000000000..22ab98b3b74fafcafcc328bb0668726184af373d --- /dev/null +++ b/prebuilts/api/5.0/whitelist/permissive_whitelist.json @@ -0,0 +1,6 @@ +{ + "whitelist": { + "user": [], + "developer": [] + } +} diff --git a/prebuilts/api/5.0/whitelist/sh.baseline b/prebuilts/api/5.0/whitelist/sh.baseline new file mode 100644 index 0000000000000000000000000000000000000000..dd250239db011d4e277f3d1ef5f1c61f47551727 --- /dev/null +++ b/prebuilts/api/5.0/whitelist/sh.baseline @@ -0,0 +1,184 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +developer_only(` +(allow sh aa (process (transition siginh rlimitinh))) +(allow sh aa_exec (file (ioctl read getattr map execute open))) +(allow sh bm (process (transition siginh rlimitinh))) +(allow sh bm_exec (file (ioctl read getattr map execute open))) +(allow sh bytrace (process (transition siginh rlimitinh))) +(allow sh bytrace_exec (file (ioctl read getattr map execute open))) +(allow sh data_file (dir (getattr search))) +(allow sh data_log (dir (search))) +(allow sh data_hilogd_file (dir (ioctl read getattr lock open watch watch_reads search))) +(allow sh data_hilogd_file (file (ioctl read getattr lock map open watch watch_reads))) +(allow sh data_local (dir (ioctl read getattr lock open watch watch_reads search))) +(allow sh data_local_tmp (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir))) +(allow sh data_local_tmp (file (execute execute_no_trans ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) +(allow sh debug_param (file (read map open))) +(allow sh debug_param (parameter_service (set))) +(allow sh dev_console_file (chr_file (read write getattr))) +(allow sh dev_file (dir (search))) +(allow sh dev_null_file (chr_file (read write open))) +(allow sh dev_parameters_file (dir (search))) +(allow sh dev_parameters_file (file (ioctl read getattr lock map open watch watch_reads))) +(allow sh dev_unix_file (dir (search))) +(allow sh dev_unix_socket (dir (search))) +(allow sh developtools_hdc_control_param (file (read map open))) +(allow sh devpts (chr_file (ioctl read write getattr))) +(allow sh domain (dir (getattr search))) +(allow sh domain (file (read open))) +(allow sh domain (process (getattr))) +(allow sh edm (process (transition getattr siginh rlimitinh))) +(allow sh edm_exec (file (getattr read ioctl open map execute))) +(allow sh etc_file (lnk_file (read))) +(allow sh hdcd (fd (use))) +(allow sh hdcd (fifo_file (ioctl read write))) +(allow sh hdcd (unix_stream_socket (read write))) +(allow sh hidumper (process (transition siginh rlimitinh))) +(allow sh hidumper_exec (file (ioctl read getattr map execute open))) +(allow sh hilog_control_socket (sock_file (write))) +(allow sh hilog_exec (file (read getattr map execute open execute_no_trans))) +(allow sh hilog_input_socket (sock_file (write))) +(allow sh hilog_output_socket (sock_file (write))) +(allow sh hilog_param (file (read map open))) +(allow sh hilog_param (parameter_service (set))) +(allow sh hilogd (unix_dgram_socket (sendto))) +(allow sh hilogd (unix_stream_socket (connectto))) +(allow sh hiperf (process (transition siginh rlimitinh))) +(allow sh hiperf_exec (file (ioctl read getattr map execute open))) +(allow sh hiprofiler_cmd (process (transition siginh rlimitinh))) +(allow sh hiprofiler_cmd_exec (file (ioctl read getattr map execute open))) +(allow sh hisysevent (process (transition siginh rlimitinh))) +(allow sh hisysevent_exec (file (ioctl read getattr map execute open))) +(allow sh hitrace (process (transition siginh rlimitinh))) +(allow sh hitrace_exec (file (ioctl read getattr map execute open))) +(allow sh kernel (unix_stream_socket (connectto))) +(allow sh lib_file (lnk_file (read))) +(allow sh paramservice_socket (sock_file (write))) +(allow sh proc_file (dir (read getattr open search))) +(allow sh proc_file (lnk_file (read getattr))) +(allow sh proc_net (file (read open getattr))) +(allow sh processdump (process (transition sigchld share siginh rlimitinh))) +(allow sh processdump_exec (file (ioctl read getattr map execute open))) +(allow sh rootfs (dir (search))) +(allow sh rootfs (lnk_file (read))) +(allow sh self (dir (ioctl read getattr lock open watch watch_reads search))) +(allow sh self (fd (use))) +(allow sh self (fifo_file (ioctl read write getattr lock append map open watch watch_reads))) +(allow sh self (file (ioctl read write getattr lock append map open watch watch_reads))) +(allow sh self (lnk_file (ioctl read getattr lock map open watch watch_reads))) +(allow sh self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit))) +(allow sh self (unix_dgram_socket (write create connect))) +(allow sh self (unix_stream_socket (read write create connect setopt))) +(allow sh selinuxfs (filesystem (getattr))) +(allow sh servicectrl_reboot_param (parameter_service (set))) +(allow sh sh_exec (file (read getattr map execute open entrypoint))) +(allow sh sys_file (dir (search))) +(allow sh system_bin_file (dir (read getattr open search))) +(allow sh system_bin_file (file (read getattr map execute open execute_no_trans))) +(allow sh system_bin_file (lnk_file (read))) +(allow sh toybox_exec (file (read getattr map execute open execute_no_trans))) +(allow sh toybox_exec (lnk_file (read))) +(allow sh system_etc_file (dir (search))) +(allow sh system_etc_file (file (read getattr open map))) +(allow sh sysfs_net (dir (search))) +(allow sh sysfs_net (lnk_file (read))) +(allow sh proc_net_tcp_udp (file (getattr))) +(allow sh system_file (dir (search))) +(allow sh system_lib_file (file (read getattr map execute open))) +(allow sh tty_device (chr_file (ioctl read write getattr open))) +(allow sh vendor_lib_file (dir (search))) +(allow sh time_param (file (read map open))) +(allow sh vendor_file (dir (search))) +(allow sh system_lib_file (dir (search))) +(allow sh hichecker_writable_param (parameter_service (set))) +(allow sh arkui_param (parameter_service (set))) +(allow sh devinfo_public_param (file (map open read))) +(allow sh devinfo_type_param (file (map open read))) +(allow sh ark_profile (parameter_service (set))) +(allow sh ark_writeable_param (parameter_service (set))) +(allow sh SP_daemon (process (transition siginh rlimitinh))) +(allow sh SP_daemon_exec (file (ioctl read getattr map execute open))) +(allow sh atm (process (transition siginh rlimitinh))) +(allow sh atm_exec (file (ioctl read getattr map execute open))) +(allow sh uitest (process (transition siginh rlimitinh sigkill))) +(allow sh uitest_exec (file (ioctl read getattr map execute open))) +(allow sh wukong (process (transition siginh rlimitinh))) +(allow sh wukong_exec (file (ioctl read getattr map execute open))) +(allow sh snapshot_display (process (siginh transition rlimitinh getattr))) +(allow sh snapshot_display_exec (file (read map execute getattr open ioctl))) +(allow sh uinput (process (transition rlimitinh siginh getattr))) +(allow sh uinput_exec (file (open map getattr ioctl read execute))) +(allow sh lldb_server_file (dir (create setattr getattr add_name open write remove_name read search rmdir))) +(allow sh lldb_server_file (file (open unlink create write setattr read getattr append))) +(allow sh power_shell (process (transition siginh rlimitinh getattr))) +(allow sh power_shell_exec (file (open map read ioctl execute getattr))) +(allow sh power_shell (lnk_file (read))) +(allow sh tmpfs (dir (search read open getattr))) +(allow sh hmdfs (dir (search read open getattr write remove_name rmdir))) +(allow sh hmdfs (file (write read map create rename append open getattr unlink))) +(allow sh data_service_el2_hmdfs (dir (search read open getattr))) +(allow sh data_user_file (dir (write read add_name create rename open getattr search remove_name rmdir))) +(allow sh data_user_file (file (write read map create rename append open getattr unlink))) +(allow sh data_file (dir (search))) +(allow sh data_app_file (dir (search))) +(allow sh data_app_el1_file (dir (search))) +(allow sh data_app_el2_file (dir (search))) +(allow sh data_app_el3_file (dir (search))) +(allow sh data_app_el4_file (dir (search))) +(allow sh debug_hap_data_file (dir (search getattr read open))) +(allow sh debug_hap_data_file (file (getattr read open))) + +(allow sh system_file (dir (search))) +(allow sh system_fonts_file (dir (getattr search read open))) +(allow sh system_fonts_file (file (getattr read open))) +(allow sh sh (udp_socket (connect create ioctl bind read write))) +(allow sh sh (tcp_socket (connect create setopt getattr read write))) +(allow sh sh (icmp_socket (create setopt write read bind))) +(allow sh sh (rawip_socket (create setopt write read))) +(allow sh dev_random_file (chr_file (read open))) +(allow sh dnsproxy_service (sock_file (read open write))) +(allow sh node (udp_socket (node_bind))) +(allow sh node (icmp_socket (node_bind))) +(allow sh netsysnative (unix_stream_socket (connectto))) +(allow sh proc_net (lnk_file (read))) +(allow sh port (tcp_socket (name_connect))) +(allow sh kernel (key (search))) +(allow sh mediatool (process (getattr rlimitinh transition siginh))) +(allow sh mediatool_exec (file (execute read getattr ioctl map open))) +(allow sh hnp_file (dir (search getattr read open))) +(allow sh hnp_file (file (execute execute_no_trans read getattr map open ioctl))) +(allow sh hnp_file (lnk_file (read))) +(allow sh key_enable (key (search))) +(allow sh storage_daemon (key (search))) +(allow sh cem_exec (file (execute map open getattr ioctl read))) +(allow sh cem (process (getattr rlimitinh transition siginh))) +(allow sh i18n_param_tz_override (file (map open read))) +(allow sh debug_hap (dir (read open))) +(allow sh proc_stat_file (file (read open))) +(allow sh proc_meminfo_file (file (read open))) +(allow sh sysfs_devices_system_cpu (dir (read open))) +(allow sh data_service_el1_i18n_timezone_file (dir (search))) +(allow sh data_service_el1_i18n_timezone_file (file (open read getattr map))) +(allow sh data_local_tmp (fifo_file (create getattr read unlink))) +(allow sh dev_pts_file (dir (search))) +(allow sh dev_encaps (chr_file (create getattr read unlink open))) +(allow sh data_local_tmp (lnk_file (create getattr read unlink))) +(allow sh sh_exec (file (execute_no_trans execute open read getattr unlink))) +(allow sh labeledfs (filesystem (getattr))) +(allow sh hnp_native (process (noatsecure getattr siginh rlimitinh transition))) +(allow sh hnp_native (process2 (nosuid_transition))) +(allow sh devicedebug (process (siginh getattr rlimitinh transition))) +(allow sh devicedebug_exec (file (execute_no_trans open read map getattr execute ioctl))) +') diff --git a/scripts/build_policy.py b/scripts/build_policy.py index 011a40d8dabdd47ea309fb80d447c1da7c8b166e..547cbd103015b071da05ce2e99d678708d949335 100755 --- a/scripts/build_policy.py +++ b/scripts/build_policy.py @@ -57,6 +57,10 @@ def parse_args(): help='output file', required=True) parser.add_argument('--sepolicy-dir-lists', help='sepolicy dir lists', required=True) + parser.add_argument('--build-path', + help='build policy path', required=False) + parser.add_argument('--campat-cil-path', + help='campat cil path', required=False) return parser.parse_args() diff --git a/scripts/build_policy_api.py b/scripts/build_policy_api.py index 4e2eb8ed2a9cbbcbe0e62882f8d2b5f78abf55fe..6654760931d649d44bae637c1ea61aec5c0c89aa 100644 --- a/scripts/build_policy_api.py +++ b/scripts/build_policy_api.py @@ -314,7 +314,10 @@ def prepare_build_path(dir_list, root_dir, build_dir_list, sepolicy_path): def get_policy_dir_list(args): - sepolicy_path = os.path.join(args.source_root_dir, "base/security/selinux_adapter/sepolicy/") + build_policy_path = "base/security/selinux_adapter/sepolicy/" + if args.build_path is not None: + build_policy_path = args.build_path + sepolicy_path = os.path.join(args.source_root_dir, build_policy_path) dir_list = [] prepare_build_path(args.policy_dir_list, args.source_root_dir, dir_list, sepolicy_path) min_policy_dir_list = [os.path.join(sepolicy_path, "min")] diff --git a/scripts/build_policy_treble_test.py b/scripts/build_policy_treble_test.py new file mode 100644 index 0000000000000000000000000000000000000000..b920aba9b269e2aa1207646ad1d0ba0af7d9ca89 --- /dev/null +++ b/scripts/build_policy_treble_test.py @@ -0,0 +1,120 @@ +#!/usr/bin/env python +# coding: utf-8 + +""" +Copyright (c) 2021-2023 Huawei Device Co., Ltd. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os +import argparse +import build_policy_api +import sys +sys.path.append(os.path.join(os.path.dirname( + os.path.dirname(os.path.dirname(os.path.dirname(os.path.dirname(__file__))))), "build")) +from scripts.util import build_utils +import find + +CIL_DIR = ["system.cil", "public.cil", "system_common.cil", "public_common.cil"] + + +def get_policy_types_from_cil(policy_dir): + policy_list = [] + with open(policy_dir, 'r') as file: + for lines in file: + if (lines.startswith("(type") or + lines.startswith("(roletype") or + lines.startswith("(typeattribute") or + lines.startswith("(typeattributeset")) and lines not in policy_list: + policy_list.append(lines) + return policy_list + + +def check_policy_treble_test(old_policy_list, base_policy_list, _old_cil_list, _base_cil_list): + err = False + for type_name in old_policy_list: + if (type_name not in base_policy_list) and (type_name not in _old_cil_list): + print("50.cil has not ", type_name) + err = True + for type_name in base_policy_list: + if (type_name not in old_policy_list) and (type_name not in _base_cil_list): + print("50_ignore.cil has not ", type_name) + err = True + if err: + exit(-1) + + +def treble_test(input_args): + old_diff_cil_dir = os.path.join(input_args.campat_cil_path, "campat/50.cil") + base_diff_cil_dir = os.path.join(input_args.campat_cil_path, "campat/50_ignore.cil") + _old_cil_list = get_policy_types_from_cil(old_diff_cil_dir) + _base_cil_list = get_policy_types_from_cil(base_diff_cil_dir) + + old_policy_list = [] + base_policy_list = [] + for cil_dir in CIL_DIR: + old_policy_dir = os.path.join(os.path.dirname(input_args.dst_file), cil_dir) + base_policy_dir = os.path.join(os.path.dirname(os.path.dirname(input_args.dst_file)), cil_dir) + + if not os.path.exists(old_policy_dir) or os.path.isdir(old_policy_dir): + print("{} is not exit or not cil.".format(old_policy_dir)) + continue + old_policy_list += get_policy_types_from_cil(old_policy_dir) + base_policy_list += get_policy_types_from_cil(base_policy_dir) + + check_policy_treble_test(old_policy_list, base_policy_list, _old_cil_list, _base_cil_list) + + +def parse_args(): + parser = argparse.ArgumentParser() + parser.add_argument( + '--dst-file', help='the policy dest path', required=True) + parser.add_argument('--tool-path', + help='the policy tool bin path', required=True) + parser.add_argument('--source-root-dir', + help='prj root path', required=True) + parser.add_argument('--policy_dir_list', + help='policy dirs need to be included', required=True) + parser.add_argument('--debug-version', + help='build for debug target', required=True) + parser.add_argument('--updater-version', + help='build for updater target', required=True) + parser.add_argument('--components', + help='system or vendor or default', required=True) + parser.add_argument('--vendor-policy-version', + help='plat version of vendor policy', required=False) + parser.add_argument('--product-args', + help='extra product macros for m4', required=False, action='append') + parser.add_argument('--depfile', + help='depfile', required=True) + parser.add_argument('--output-file', + help='output file', required=True) + parser.add_argument('--sepolicy-dir-lists', + help='sepolicy dir lists', required=True) + parser.add_argument('--build-path', + help='build policy path', required=False) + parser.add_argument('--campat-cil-path', + help='campat cil path', required=False) + return parser.parse_args() + + +if __name__ == "__main__": + input_args = parse_args() + if input_args.depfile: + dep_file = find.get_all_sepolicy_file(input_args.sepolicy_dir_lists) + dep_file.sort() + build_utils.write_depfile(input_args.depfile, input_args.output_file, dep_file, add_pydeps=False) + build_policy_api.main(input_args) + + treble_test(input_args) diff --git a/selinux.gni b/selinux.gni index 9f60bd4188619276d17af3442d86cbd36cc1d0b8..acef7098e4b483f3f971e68dc4e73587feadf658 100644 --- a/selinux.gni +++ b/selinux.gni @@ -14,12 +14,15 @@ BUILD_CONFIG_DIR = "//build/config" THIRD_PARTY_DIR = "//third_party" OHOS_PRODUCT_DIR = "base/security/selinux_adapter/sepolicy/ohos_product" +OHOS_PRODUCT_DIR_TREBLE_TEST = "base/security/selinux_adapter/prebuilts/api/5.0/ohos_product" declare_args() { selinux_adapter_build_path = "default" + selinux_adapter_build_path_treble_test = "default" selinux_adapter_components = "default" selinux_adapter_vendor_policy_version = "40" selinux_adapter_special_build_policy_script = "default" + selinux_adapter_special_build_policy_script_treble_test = "default" selinux_adapter_special_build_contexts_script = "default" special_build_ignore_cfg = "default" special_selinux_check_config = "default" @@ -33,4 +36,5 @@ declare_args() { declare_args() { selinux_adapter_enforce = true selinux_adapter_mcs_enable = true + selinux_adapter_campat_cil_path = "base/security/selinux_adapter/prebuilts/api/5.0/campat" }