From c6554e68629f0155753c25afa056a000e0527d5a Mon Sep 17 00:00:00 2001 From: steven_q Date: Thu, 30 Dec 2021 19:40:48 +0800 Subject: [PATCH] add basic policy, and build scripts 
Signed-off-by: qichanggui Change-Id: Id2bfb4328847946828d09913b0fcbd884b71e2ad --- BUILD.gn | 36 +- scripts/build_contexts.py | 115 ++++ scripts/build_policy.py | 155 ++++++ sepolicy/base/public/attributes | 67 +++ sepolicy/base/public/device.te | 20 + sepolicy/base/public/domain.te | 90 ++++ sepolicy/base/public/glb_never_def.spt | 12 + sepolicy/base/public/glb_perm_def.spt | 42 ++ .../{policy.31 => base/public/glb_roles.spt} | 12 +- sepolicy/base/public/glb_te_def.spt | 37 ++ sepolicy/base/public/mls | 23 + sepolicy/base/public/policy_cap | 16 + sepolicy/base/public/users | 14 + sepolicy/base/system/access_vectors | 497 ++++++++++++++++++ sepolicy/base/system/file.te | 43 ++ sepolicy/base/system/file_contexts | 54 ++ sepolicy/base/system/fs_use | 33 ++ sepolicy/base/system/initial_sid_contexts | 7 + sepolicy/base/system/initial_sids | 20 + sepolicy/base/system/security_classes | 106 ++++ sepolicy/base/system/virtfs_contexts | 7 + sepolicy/file_contexts | 1 - .../appexecfwk/appexecfwk/system/file.te | 14 + .../appexecfwk/system/file_contexts | 18 + .../appexecfwk/system/foundation.te | 39 ++ .../appexecfwk/appexecfwk/system/installs.te | 17 + .../safwk/system/sa_main.te | 14 + .../samgr/system/file_contexts | 14 + .../distributedschedule/samgr/system/samgr.te | 31 ++ .../drivers/adapter/system/file_contexts | 14 + .../drivers/adapter/system/hdf_devmgr.te | 31 ++ .../graphic/graphic/system/file_contexts | 14 + .../graphic/graphic/system/graphic.te | 21 + .../hiviewdfx/hiview/system/hiview.te | 23 + .../ohos_policy/kernel/linux/public/kernel.te | 14 + .../ohos_policy/kernel/linux/public/shell.te | 16 + .../ohos_policy/kernel/linux/system/kernel.te | 17 + .../ohos_policy/kernel/linux/system/shell.te | 15 + .../ohos_policy/kernel/linux/system/su.te | 16 + .../input/system/file_contexts | 18 + .../multimodalinput/input/system/udevadm.te | 20 + .../multimodalinput/input/system/udevd.te | 20 + .../security/deviceauth/system/deviceauth.te | 19 + 
.../security/deviceauth/system/file_contexts | 14 + .../startup/appspawn/system/appspawn.te | 64 +++ .../startup/appspawn/system/file_contexts | 14 + .../ohos_policy/startup/init/public/init.te | 15 + .../startup/init/system/file_contexts | 14 + .../ohos_policy/startup/init/system/init.te | 57 ++ .../startup/init/system/ueventd.te | 30 ++ 50 files changed, 2006 insertions(+), 14 deletions(-) create mode 100755 scripts/build_contexts.py create mode 100755 scripts/build_policy.py create mode 100644 sepolicy/base/public/attributes create mode 100644 sepolicy/base/public/device.te create mode 100644 sepolicy/base/public/domain.te create mode 100644 sepolicy/base/public/glb_never_def.spt create mode 100644 sepolicy/base/public/glb_perm_def.spt rename sepolicy/{policy.31 => base/public/glb_roles.spt} (74%) create mode 100644 sepolicy/base/public/glb_te_def.spt create mode 100644 sepolicy/base/public/mls create mode 100644 sepolicy/base/public/policy_cap create mode 100644 sepolicy/base/public/users create mode 100644 sepolicy/base/system/access_vectors create mode 100644 sepolicy/base/system/file.te create mode 100644 sepolicy/base/system/file_contexts create mode 100644 sepolicy/base/system/fs_use create mode 100644 sepolicy/base/system/initial_sid_contexts create mode 100644 sepolicy/base/system/initial_sids create mode 100644 sepolicy/base/system/security_classes create mode 100644 sepolicy/base/system/virtfs_contexts delete mode 100644 sepolicy/file_contexts create mode 100644 sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file.te create mode 100644 sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file_contexts create mode 100644 sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te create mode 100644 sepolicy/ohos_policy/appexecfwk/appexecfwk/system/installs.te create mode 100644 sepolicy/ohos_policy/distributedschedule/safwk/system/sa_main.te create mode 100644 sepolicy/ohos_policy/distributedschedule/samgr/system/file_contexts create mode 100644 
sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te create mode 100644 sepolicy/ohos_policy/drivers/adapter/system/file_contexts create mode 100644 sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te create mode 100644 sepolicy/ohos_policy/graphic/graphic/system/file_contexts create mode 100644 sepolicy/ohos_policy/graphic/graphic/system/graphic.te create mode 100644 sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te create mode 100644 sepolicy/ohos_policy/kernel/linux/public/kernel.te create mode 100644 sepolicy/ohos_policy/kernel/linux/public/shell.te create mode 100644 sepolicy/ohos_policy/kernel/linux/system/kernel.te create mode 100644 sepolicy/ohos_policy/kernel/linux/system/shell.te create mode 100644 sepolicy/ohos_policy/kernel/linux/system/su.te create mode 100644 sepolicy/ohos_policy/multimodalinput/input/system/file_contexts create mode 100644 sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te create mode 100644 sepolicy/ohos_policy/multimodalinput/input/system/udevd.te create mode 100644 sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te create mode 100644 sepolicy/ohos_policy/security/deviceauth/system/file_contexts create mode 100644 sepolicy/ohos_policy/startup/appspawn/system/appspawn.te create mode 100644 sepolicy/ohos_policy/startup/appspawn/system/file_contexts create mode 100644 sepolicy/ohos_policy/startup/init/public/init.te create mode 100644 sepolicy/ohos_policy/startup/init/system/file_contexts create mode 100644 sepolicy/ohos_policy/startup/init/system/init.te create mode 100644 sepolicy/ohos_policy/startup/init/system/ueventd.te
diff --git a/BUILD.gn b/BUILD.gn
index f49fd3bf1..e1b2917d1 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -161,12 +161,31 @@ ohos_executable("selinux_test") {
 }
 action("build_policy") {
- script = "scripts/build_policy.sh"
+ script = "$SELINUX_ROOT_DIR/scripts/build_policy.py"
+ args = [
+ "--dst-file",
+ rebase_path(target_out_dir + "/policy.31"),
+ "--tool-path",
+ rebase_path(root_build_dir + "/clang_x64/security/selinux/"),
+ ]
 deps = [
 "$THIRD_PARTY_SELINUX_DIR:checkpolicy($host_toolchain)",
 "$THIRD_PARTY_SELINUX_DIR:secilc($host_toolchain)",
 ]
- outputs = [ "$root_out_dir/" ]
+ outputs = [ target_out_dir + "/policy.31" ]
+}
+
+action("build_file_contexts_bin") {
+ script = "$SELINUX_ROOT_DIR/scripts/build_contexts.py"
+ args = [
+ "--dst-file",
+ rebase_path(target_out_dir + "/file_contexts.bin"),
+ "--tool-path",
+ rebase_path(root_build_dir + "/clang_x64/security/selinux/"),
+ ]
+ deps = [ "$THIRD_PARTY_SELINUX_DIR:sefcontext_compile($host_toolchain)" ]
+ outputs = [ target_out_dir + "/file_contexts.bin" ]
+ outputs += [ target_out_dir + "/file_contexts" ]
+}
 action("enable_selinux") {
@@ -176,12 +195,20 @@ action("enable_selinux") {
 ohos_prebuilt_etc("build_sepolicy") {
 deps = [ ":build_policy" ]
- source = "$SELINUX_ROOT_DIR/sepolicy/policy.31"
+ source = target_out_dir + "/policy.31"
 license_file = "$SELINUX_ROOT_DIR/LICENSE"
 part_name = "selinux"
 relative_install_dir = "selinux/targeted/policy/"
 }
+ohos_prebuilt_etc("build_file_contexts") {
+ deps = [ ":build_file_contexts_bin" ]
+ source = target_out_dir + "/file_contexts.bin"
+ license_file = "$SELINUX_ROOT_DIR/LICENSE"
+ part_name = "selinux"
+ relative_install_dir = "selinux/targeted/contexts/"
+}
+
 ohos_prebuilt_etc("config") {
 source = "$SELINUX_ROOT_DIR/config/config"
 license_file = "$SELINUX_ROOT_DIR/LICENSE"
@@ -193,7 +220,8 @@ ohos_prebuilt_etc("config") {
 }
 ohos_prebuilt_etc("file_contexts") {
- source = "$SELINUX_ROOT_DIR/sepolicy/file_contexts"
+ deps = [ ":build_file_contexts_bin" ]
+ source = target_out_dir + "/file_contexts"
 license_file = "$SELINUX_ROOT_DIR/LICENSE"
 part_name = "selinux"
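Review bot: Neither `action("build_policy")` nor `action("build_file_contexts_bin")` declares `inputs` or `sources`, so ninja only tracks the script itself; edits to the `.te`, `.spt` and `file_contexts` files that the scripts discover by walking `sepolicy/` will not trigger a rebuild, and the installed `policy.31` can silently go stale relative to the policy sources. Listing the policy tree as `inputs` (for example via `exec_script` enumerating `sepolicy/`), or having the scripts emit a `depfile`, would make the policy rebuild when its sources change. The `--tool-path` argument also hard-codes `root_build_dir + "/clang_x64/security/selinux/"` while the tool deps are built for `$host_toolchain`; deriving the directory from the host toolchain label with `get_label_info(..., "root_out_dir")` keeps the two in agreement if the host toolchain name ever changes.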
diff --git a/scripts/build_contexts.py b/scripts/build_contexts.py
new file mode 100755
index 000000000..5df0f10d7
--- /dev/null
+++ b/scripts/build_contexts.py
@@ -0,0 +1,115 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+"""
+Copyright (c) 2021 Huawei Device Co., Ltd.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+import argparse
+
+SCRIPT_PATH = os.path.abspath(os.path.dirname(__file__))
+LOCAL_PATH = os.path.abspath(os.path.join(SCRIPT_PATH, "../"))
+FILE_CONTEXTS_PATH = LOCAL_PATH + "/sepolicy"
+
+
+def parse_args():
+ """parse arguments."""
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--dst-file', help='the file_contexts.bin dest path', required=True)
+ parser.add_argument('--tool-path',
+ help='the sefcontext_compile bin path', required=True)
+ args = parser.parse_args()
+ return args
+
+
+def run_command(in_cmd):
+ """run commond in os.system.
+
+ Raises:
+ OSError: If the cmd return none zero.
+ """
+ cmdstr = " ".join(in_cmd)
+ rc = os.system(cmdstr)
+ if rc:
+ raise Exception(rc)
+
+
+def build_file_contexts_tmp(output_tmp, input_file_contexts_list):
+ """build file_contexts_tmp from file_contexts."""
+ build_tmp_cmd = ["m4",
+ "--fatal-warnings",
+ "-s", input_file_contexts_list, ">", output_tmp]
+ run_command(build_tmp_cmd)
+
+
+def build_file_contexts_bin(args, input_file_contexts_tmp):
+ """build file_contexts.bin."""
+ build_bin_cmd = [args.tool_path + "/sefcontext_compile",
+ "-o", args.dst_file,
+ input_file_contexts_tmp]
+ run_command(build_bin_cmd)
+
+
+def traverse_folder_in_type(search_dir, file_suffix):
+ """for special folder search_dir, find all files endwith file_suffix."""
+ policy_file_list = []
+ for root, _, files in os.walk(search_dir):
+ for each_file in files:
+ if each_file.endswith(file_suffix):
+ policy_file_list.append(os.path.join(root, each_file))
+ policy_file_list.sort()
+ return " ".join(str(x) for x in policy_file_list)
+
+
+def combine_file_contexts(file_contexts_list, combined_file_contexts):
+ """combine all file_contexts."""
+ cat_cmd = ["cat",
+ file_contexts_list,
+ ">", combined_file_contexts + "_tmp"]
+ run_command(cat_cmd)
+
+ grep_cmd = ["grep -v ^#",
+ combined_file_contexts + "_tmp",
+ "| grep -v ^$",
+ ">", combined_file_contexts]
+ run_command(grep_cmd)
+
+ sort_cmd = ["sort -b",
+ combined_file_contexts,
+ "-o", combined_file_contexts]
+ run_command(sort_cmd)
+
+
+def main(args):
+ """build file_contexts.bin form all file_contexts files."""
+ output_path = os.path.abspath(os.path.dirname(args.dst_file))
+
+ file_contexts_list = traverse_folder_in_type(
+ FILE_CONTEXTS_PATH, "file_contexts")
+
+ combined_file_contexts = output_path + "/file_contexts"
+ combine_file_contexts(file_contexts_list, combined_file_contexts)
+
+ file_contexts_tmp = output_path + "/file_contexts.tmp"
+ build_file_contexts_tmp(file_contexts_tmp, combined_file_contexts)
+
+ build_file_contexts_bin(args, file_contexts_tmp)
+
+
+if __name__ == "__main__":
+ input_args = parse_args()
+ main(input_args)
diff --git a/scripts/build_policy.py b/scripts/build_policy.py
new file mode 100755
index 000000000..e0ee59be7
--- /dev/null
+++ b/scripts/build_policy.py
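Review bot: `run_command` hands the joined command to `os.system`, so `args.dst_file`, `args.tool_path` and the derived output paths are interpolated into a shell line unquoted; a build directory containing a space or a shell metacharacter breaks the `>` redirections and pipelines, and on failure the value raised is the raw wait status rather than the exit code (the docstring also promises `OSError` while the body raises `Exception`). Quoting each path with `shlex.quote` where it is appended to the command lists and replacing the body with `subprocess.run(cmdstr, shell=True, check=True)`, so that a non-zero status raises `subprocess.CalledProcessError` with the real exit code, addresses both; `run_command` in `scripts/build_policy.py` has the same shape. Separately, `combine_file_contexts` finishes with `sort -b` over the merged file: if file_contexts precedence is positional as in libselinux (a later matching entry overrides an earlier one), sorting replaces the order the authors wrote with the lexicographic order of the regexes, so a comment at the `sort_cmd` line stating that this ordering is intended would help the next reader. The intermediate `file_contexts_tmp` and `*_tmp` files are also left behind in the output directory.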
@@ -0,0 +1,155 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+"""
+Copyright (c) 2021 Huawei Device Co., Ltd.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+import argparse
+
+SCRIPT_PATH = os.path.abspath(os.path.dirname(__file__))
+LOCAL_PATH = os.path.abspath(os.path.join(SCRIPT_PATH, "../"))
+POLICY_PATH = LOCAL_PATH + "/sepolicy/ohos_policy"
+
+# list of all macros and te for sepolicy build
+SEPOLICY_TYPE_LIST = ["security_classes",
+ "initial_sids",
+ "access_vectors",
+ "glb_perm_def.spt",
+ "glb_never_def.spt",
+ "mls",
+ "policy_cap",
+ "glb_te_def.spt",
+ "attributes",
+ ".te",
+ "glb_roles.spt",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "virtfs_contexts",
+ ]
+
+
+def parse_args():
+ """parse arguments."""
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--dst-file', help='the policy dest path', required=True)
+ parser.add_argument('--tool-path',
+ help='the policy tool bin path', required=True)
+ args = parser.parse_args()
+ return args
+
+
+def traverse_folder_in_dir_name(search_dir, folder_suffix):
+ """for special dirname folder_suffix find all dirpath in search_dir."""
+ folder_list = []
+ for root, dirs, _ in os.walk(search_dir):
+ for dir_i in dirs:
+ if dir_i == folder_suffix:
+ folder_list.append(os.path.join(root, dir_i))
+ return folder_list
+
+
+def traverse_folder_in_type(search_dir, file_suffix):
+ """for special folder search_dir, find all files endswith file_suffix."""
+ policy_file_list = []
+ for root, _, files in os.walk(search_dir):
+ for each_file in files:
+ if each_file.endswith(file_suffix):
+ policy_file_list.append(os.path.join(root, each_file))
+ policy_file_list.sort()
+ return " ".join(str(x) for x in policy_file_list)
+
+
+def traverse_file_in_each_type(folder_list, sepolicy_type_list):
+ """for each file in sepolicy_type_list. find all files in the folder_list."""
+ policy_files = ""
+ for policy_type in sepolicy_type_list:
+ for folder in folder_list:
+ policy_files += traverse_folder_in_type(folder, policy_type) + " "
+ return policy_files
+
+
+def run_command(in_cmd):
+ """run commond in os.system.
+
+ Raises:
+ OSError: If the cmd return none zero.
+ """
+ cmdstr = " ".join(in_cmd)
+ rc = os.system(cmdstr)
+ if rc:
+ raise Exception(rc)
+
+
+def build_conf(output_conf, input_policy_file_list):
+ """build .conf from all sepolicy files."""
+ build_conf_cmd = ["m4",
+ "--fatal-warnings",
+ "-s", input_policy_file_list, ">", output_conf]
+ run_command(build_conf_cmd)
+
+
+def build_cil(args, output_cil, input_conf):
+ """build from .conf to .cil."""
+ check_policy_cmd = [args.tool_path + "/checkpolicy",
+ input_conf,
+ "-M -C -c 31",
+ "-o " + output_cil]
+ run_command(check_policy_cmd)
+
+
+def build_policy(args, output_policy, input_cil):
+ """build from .cil to .31."""
+ build_policy_cmd = [args.tool_path + "/secilc",
+ input_cil,
+ "-m -M true -G -c 31 -N",
+ "-f /dev/null",
+ "-o " + output_policy]
+ run_command(build_policy_cmd)
+
+
+def main(args):
+ """build policy.31 from sepolicy files."""
+ output_path = os.path.abspath(os.path.dirname(args.dst_file))
+
+ base_policy = [LOCAL_PATH + "/sepolicy/base"]
+ public_policy = traverse_folder_in_dir_name(POLICY_PATH, "public")
+ system_policy = traverse_folder_in_dir_name(POLICY_PATH, "system")
+ vendor_policy = traverse_folder_in_dir_name(POLICY_PATH, "vendor")
+
+ # list of all policy folders
+ folder_list = base_policy + public_policy + system_policy + vendor_policy
+
+ # list of all policy files
+ policy_file_list = traverse_file_in_each_type(
+ folder_list, SEPOLICY_TYPE_LIST)
+
+ # build ohos.conf
+ output_ohos_conf = output_path + "/ohos.conf"
+ build_conf(output_ohos_conf, policy_file_list)
+
+ # build ohos.cil
+ ohos_cil_path = output_path + "/ohos.cil"
+ build_cil(args, ohos_cil_path, output_ohos_conf)
+
+ build_policy(args, args.dst_file, ohos_cil_path)
+
+
+if __name__ == "__main__":
+ input_args = parse_args()
+ main(input_args)
diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes
new file mode 100644
index 000000000..1d990405c
--- /dev/null
+++ b/sepolicy/base/public/attributes
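Review bot: `build_policy` passes `-N` to secilc, which disables neverallow checking, so any `neverallow` rule later placed in `glb_never_def.spt` (empty in this commit) would be compiled in without ever being verified and policy violations would not fail the build. Unless the preceding checkpolicy `-C` pass is being relied on to enforce them (I could not confirm it checks assertions when emitting CIL), change the option string to `"-m -M true -G -c 31"` so secilc rejects a policy that violates its own neverallows. `SEPOLICY_TYPE_LIST` is also applied with `endswith`, so entries such as `"mls"` or `"users"` match any file whose name merely ends that way; comparing the basename for equality for every entry except the `.te` suffix would be stricter. The `run_command` docstring says it raises `OSError` but the body raises `Exception(rc)` with a raw `os.system` wait status — the same issue as in `scripts/build_contexts.py`.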
@@ -0,0 +1,67 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Type of all devices.
+# i.e. /dev/camera_dev
+attribute dev_type;
+
+# Type of all processes,including the hap process and native process.
+# i.e. hdbd, media
+attribute domain;
+
+# Type of all virtual file system files.
+# i.e. /sys/block,
+# /sys/bus,
+# /proc/mtd,
+# /dev/camera_dev
+attribute fs_type;
+
+# Type of all proc files.
+# i.e. /proc/mtd
+attribute proc_type;
+
+# Type of all common files.
+# i.e. /data/user,
+# /system/bin
+attribute file_type;
+
+# Type of all system files.
+# i.e. /system/*
+attribute system_file_type;
+
+# Type of all vendor files.
+# i.e. /vendor/*
+attribute vendor_file_type;
+
+# Type of all domain access points,which is used in domain trasition.
+# i.e. vold_exec,
+# appspawn_exec
+attribute exec_type;
+
+# Types of all files in the /data directory.
+# i.e. /data/user
+attribute data_file_type;
+
+# All types in the sysfs file system.
+# i.e. /sys/firmware
+attribute sysfs_type;
+
+# Type of all processes in the hap format.
+# i.e. com.ohos.setting
+attribute hapdomain;
+
+# Type of all native processes.
+# i.e. foundation,
+# media
+attribute nativedomain;
diff --git a/sepolicy/base/public/device.te b/sepolicy/base/public/device.te
new file mode 100644
index 000000000..be1fcea91
--- /dev/null
+++ b/sepolicy/base/public/device.te
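Review bot: The comments in this file use `i.e.` where an example is meant (`e.g.`), and the `exec_type` comment misspells "transition" and cites `vold_exec`, which does not appear among the files this commit adds; suggest `# Type of all domain entry points, used in domain transition.` followed by `# e.g. appspawn_exec`. The `domain` comment likewise names `hdbd` as an example process, which I could not find in the diffstat either, so it is worth replacing with a domain that this policy actually declares. Since these attributes are the vocabulary every later `.te` file builds on, accurate examples here pay off.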
@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type null_device,dev_type;
+type param_device,dev_type;
+type param_info,dev_type;
+type param_storage,dev_type;
+type socket_device,dev_type;
+type binder_device,dev_type;
+type device,dev_type,fs_type;
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
new file mode 100644
index 000000000..8119b3ecd
--- /dev/null
+++ b/sepolicy/base/public/domain.te
@@ -0,0 +1,90 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow domain init:process sigchld;
+
+allow domain domain:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+
+allow domain domain:fd use;
+allow domain init:fd use;
+
+allow domain domain:dir read_dir_perms;
+allow domain domain:{ file lnk_file } read_file_perms;
+allow domain domain:{ fifo_file file } rw_file_perms;
+allow domain domain:unix_dgram_socket { create_socket_perms sendto };
+
+allow domain proc:dir read_dir_perms;
+allow domain proc:lnk_file { getattr read };
+
+allow domain tmpfs:dir { getattr search };
+allow domain tmpfs:chr_file { read write open getattr setattr ioctl map };
+
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+allow domain device:dir search;
+
+allow domain dev_type:dir search;
+allow domain dev_type:{ lnk_file chr_file } read_file_perms;
+
+allow domain devpts:dir search;
+
+allow domain socket_device:dir read_dir_perms;
+allow domain {
+ null_device
+ binder_device
+}:chr_file rw_file_perms;
+
+allow domain param_storage:file read_file_perms;
+allow domain param_info:file read_file_perms;
+
+allow domain {
+ system_file
+ system_lib_file
+}:dir read_dir_perms;
+allow domain {
+ system_file
+ system_lib_file
+}:lnk_file { getattr read open };
+
+allow domain system_lib_file:file { execute read open getattr map };
+
+allow domain sysfs:dir search;
+allow domain sysfs:{ lnk_file file } { getattr read };
+
+allow domain system_data_file:dir search;
+
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain selinuxfs:filesystem getattr;
+
+allow domain debugfs:dir search;
+
+allow domain fs_type:dir getattr;
+allow domain fs_type:filesystem getattr;
diff --git a/sepolicy/base/public/glb_never_def.spt b/sepolicy/base/public/glb_never_def.spt
new file mode 100644
index 000000000..97ef6768e
--- /dev/null
+++ b/sepolicy/base/public/glb_never_def.spt
@@ -0,0 +1,12 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/sepolicy/base/public/glb_perm_def.spt b/sepolicy/base/public/glb_perm_def.spt
new file mode 100644
index 000000000..909e3344a
--- /dev/null
+++ b/sepolicy/base/public/glb_perm_def.spt
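Review bot: The rule `allow domain domain:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit };` uses `domain` as both source and target, so every domain is granted these operations on every other domain and the policy no longer separates processes at all: any confined service may kill, stop, re-prioritise or alter the capabilities and rlimits of any init-spawned daemon, with only DAC left as the barrier. The same pattern in `allow domain domain:{ fifo_file file } rw_file_perms;` and the adjacent `dir`/`lnk_file` read rules lets every process read and write files labelled with any process type, which — assuming `/proc/<pid>` entries carry the owning process's domain as is usual — exposes every process's proc entries to every other. Scoping the self-directed parts to `self` (`allow domain self:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit };` and `allow domain self:{ fifo_file file } rw_file_perms;`) and granting cross-domain signalling per service where it is needed keeps the base policy least-privilege; a matching `neverallow` in `glb_never_def.spt` would stop the blanket form from creeping back.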
@@ -0,0 +1,42 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+define(`notdevfile_class_set',`{ fifo_file file lnk_file sock_file }')
+define(`devfile_class_set',`{ blk_file chr_file }')
+define(`file_class_set',`{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set',`{ dir file_class_set }')
+
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+
+define(`dgram_socket_class_set',`{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set',`{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+
+# permission for ipc
+define(`read_ipc_perms', `{ associate getattr read unix_read }')
+define(`rw_ipc_perms', `{ read_ipc_perms unix_write write }')
+define(`create_ipc_perms', `{ create destroy rw_ipc_perms setattr }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+# permission for dir
+define(`read_dir_perms', `{ getattr search open read lock ioctl }')
+define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
+define(`create_dir_perms',`{ create reparent rename rmdir setattr rw_dir_perms }')
+
+# permission for file
+define(`read_file_perms',`{ getattr open read lock ioctl map }')
+define(`exec_file_perms',`{ getattr open map read execute execute_no_trans }')
+define(`write_file_perms',`{ getattr open write append lock map }')
+define(`rw_file_perms',`{ write_file_perms read_file_perms }')
+define(`create_file_perms',`{ create rename setattr unlink rw_file_perms }')
diff --git a/sepolicy/policy.31 b/sepolicy/base/public/glb_roles.spt
similarity index 74%
rename from sepolicy/policy.31
rename to sepolicy/base/public/glb_roles.spt
index f49e1c892..49ba4641c 100644
--- a/sepolicy/policy.31
+++ b/sepolicy/base/public/glb_roles.spt
@@ -1,7 +1,4 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2021 北京万里红科技有限公司
-#
+# Copyright (c) 2021 Huawei Device Co., Ltd.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -13,9 +10,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-#
-# ! DO NOT DELETE THIS FILE !
-#
-# This needed by ohos_prebuilt_etc("precompiled_sepolicy") in ..//BUILD.gn
+role r;
+role r types domain;
diff --git a/sepolicy/base/public/glb_te_def.spt b/sepolicy/base/public/glb_te_def.spt
new file mode 100644
index 000000000..1ea4ba750
--- /dev/null
+++ b/sepolicy/base/public/glb_te_def.spt
@@ -0,0 +1,37 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open map read execute ioctl };
+ allow $1 $3:process transition;
+ allow $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+define(`domain_auto_transition_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
+
+define(`init_daemon_domain', `
+ domain_auto_transition_pattern(init, $1_exec, $1)
+')
+
+define(`appspawn _daemon_domain', `
+ domain_auto_transition_pattern(appspawn, $1_exec, $1)
+')
+
+define(`binder_call', `
+ allow $1 $2:binder {call transfer};
+ allow $2 $1:binder transfer;
+ allow $1 $2:fd use;
+')
diff --git a/sepolicy/base/public/mls b/sepolicy/base/public/mls
new file mode 100644
index 000000000..4d1b2bb84
--- /dev/null
+++ b/sepolicy/base/public/mls
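Review bot: The fourth macro in glb_te_def.spt is defined with the name appspawn _daemon_domain — there is a space between "appspawn" and "_daemon_domain" — so it does not define `appspawn_daemon_domain`; depending on the m4 version, the invalid name is either rejected with a warning (which `--fatal-warnings` in build_policy.py turns into a build failure, I have not verified which m4 the build uses) or a macro is defined that can never be invoked, and any `.te` file calling `appspawn_daemon_domain(foo)` would reach checkpolicy unexpanded. Remove the space so the name reads `appspawn_daemon_domain`. It would also help to add a one-line comment above each macro stating its parameters, e.g. `# domain_transition_pattern(source_domain, entrypoint_file_type, target_domain)` and `# binder_call(client_domain, server_domain)`, since these are the patterns every service policy will invoke.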
@@ -0,0 +1,23 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sensitivity s0;
+
+dominance { s0 }
+
+category c0;
+
+level s0:c0.c0;
+
+mlsconstrain filesystem relabelto
+ ( h1 dom h2 );
diff --git a/sepolicy/base/public/policy_cap b/sepolicy/base/public/policy_cap
new file mode 100644
index 000000000..f6251d81f
--- /dev/null
+++ b/sepolicy/base/public/policy_cap
@@ -0,0 +1,16 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+policycap network_peer_controls;
+policycap open_perms;
+policycap extended_socket_class;
diff --git a/sepolicy/base/public/users b/sepolicy/base/public/users
new file mode 100644
index 000000000..3e883538e
--- /dev/null
+++ b/sepolicy/base/public/users
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+user u roles {r} level s0 range s0 - s0:c0.c0;
diff --git a/sepolicy/base/system/access_vectors b/sepolicy/base/system/access_vectors
new file mode 100644
index 000000000..bbde5a2fb
--- /dev/null
+++ b/sepolicy/base/system/access_vectors
@@ -0,0 +1,497 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+common socket
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+common cap
+{
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+common cap2
+{
+ mac_override
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+class lnk_file
+inherits file
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+class blk_file
+inherits file
+class sock_file
+inherits file
+class fifo_file
+inherits file
+class fd
+{
+ use
+}
+class socket
+inherits socket
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+class node
+{
+ recvfrom
+ sendto
+}
+class netif
+{
+ ingress
+ egress
+}
+class netlink_socket
+inherits socket
+class packet_socket
+inherits socket
+class key_socket
+inherits socket
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+class unix_dgram_socket
+inherits socket
+class process
+{
+ fork
+ transition
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+class ipc
+inherits ipc
+class sem
+inherits ipc
+class msgq
+inherits ipc
+{
+ enqueue
+}
+class msg
+{
+ send
+ receive
+}
+class shm
+inherits ipc
+{
+ lock
+}
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+class capability
+inherits cap
+class capability2
+inherits cap2
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+}
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_nflog_socket
+inherits socket
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_selinux_socket
+inherits socket
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+class netlink_dnrt_socket
+inherits socket
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+class netlink_kobject_uevent_socket
+inherits socket
+class appletalk_socket
+inherits socket
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+class memprotect
+{
+ mmap_zero
+}
+class peer
+{
+ recv
+}
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+class netlink_iscsi_socket
+inherits socket
+class netlink_fib_lookup_socket
+inherits socket
+class netlink_connector_socket
+inherits socket
+class netlink_netfilter_socket
+inherits socket
+class netlink_generic_socket
+inherits socket
+class netlink_scsitransport_socket
+inherits socket
+class netlink_rdma_socket
+inherits socket
+class netlink_crypto_socket
+inherits socket
+class infiniband_pkey
+{
+ access
+}
+class infiniband_endport
+{
+ manage_subnet
+}
+class cap_userns
+inherits cap
+class cap2_userns
+inherits cap2
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+class ax25_socket
+inherits socket
+class ipx_socket
+inherits socket
+class netrom_socket
+inherits socket
+class atmpvc_socket
+inherits socket
+class x25_socket
+inherits socket
+class rose_socket
+inherits socket
+class decnet_socket
+inherits socket
+class atmsvc_socket
+inherits socket
+class rds_socket
+inherits socket
+class irda_socket
+inherits socket
+class pppox_socket
+inherits socket
+class llc_socket
+inherits socket
+class can_socket
+inherits socket
+class tipc_socket
+inherits socket
+class bluetooth_socket
+inherits socket
+class iucv_socket
+inherits socket
+class rxrpc_socket
+inherits socket
+class isdn_socket
+inherits socket
+class phonet_socket
+inherits socket
+class ieee802154_socket
+inherits socket
+class caif_socket
+inherits socket
+class alg_socket
+inherits socket
+class nfc_socket
+inherits socket
+class vsock_socket
+inherits socket
+class kcm_socket
+inherits socket
+class qipcrtr_socket
+inherits socket
+class smc_socket
+inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+class xdp_socket
+inherits socket
+class parameter_service
+{
+ set
+}
\ No newline at end of file
diff --git a/sepolicy/base/system/file.te b/sepolicy/base/system/file.te
new file mode 100644
index 000000000..043950664
--- /dev/null
+++ b/sepolicy/base/system/file.te
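Review bot: `class parameter_service { set }` is the one class in access_vectors that is not a kernel object class, and nothing marks it as a userspace class that only a userspace object manager will enforce; a comment above it such as `# userspace object class, checked by the parameter service, not by the kernel` keeps the next reader from looking for kernel support. The file also ends without a trailing newline (`\ No newline at end of file` after the closing brace), which every other file in this patch has; add one for consistency. The `common` blocks at the top could carry a one-line note that their permission lists are taken from the kernel's class definitions so future additions track the kernel rather than being invented locally.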
@@ -0,0 +1,43 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+
+type unlabeled, fs_type;
+type devpts, fs_type;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sys_file, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type;
+type sysfs, fs_type;
+type inotify, fs_type;
+type debugfs, fs_type;
+
+type system_lib_file, system_file_type, file_type;
+type dev_cpu_variant, file_type;
+type fontconfig_file, system_file_type, file_type;
+type fonts_file, system_file_type, file_type;
+type vendor_file, vendor_file_type, file_type;
+
+type system_data_file, file_type, data_file_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type system_file, file_type;
+
diff --git a/sepolicy/base/system/file_contexts b/sepolicy/base/system/file_contexts
new file mode 100644
index 000000000..a11e50673
--- /dev/null
+++ b/sepolicy/base/system/file_contexts
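Review bot: `type sysfs, fs_type;` does not carry the `sysfs_type` attribute, yet `sysfs_rtc` does and hdf_devmgr.te later grants `sysfs_type:file rw_file_perms`; with virtfs_contexts labeling `/sys` as `sysfs`, the rule written against the attribute never reaches the nodes the driver manager actually touches. The same file declares both `sys_file` and `sysfs` for /sys (file_contexts uses the former, genfscon the latter), so one of them is dead or the intent should be stated in a comment. `system_file` is also the only `system_*` type without `system_file_type`, while `installs_exec`, `samgr_exec` and friends carry it. I would change the two declarations to `type sysfs, fs_type, sysfs_type;` and `type system_file, system_file_type, file_type;` unless the omissions are deliberate, in which case a comment saying why is needed.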
@@ -0,0 +1,54 @@
+# root
+/ u:object_r:rootfs:s0
+
+
+/config(/.*)? u:object_r:config_file:s0
+/data(/.*)? u:object_r:data_file:s0
+/data/hap(/.*)? u:object_r:data_hap_file:s0
+/data/service(/.*)? u:object_r:data_service_file:s0
+/data/chipset(/.*)? u:object_r:data_chipset_file:s0
+/data/storage(/.*)? u:object_r:data_storage_file:s0
+
+
+/dev(/.*)? u:object_r:dev_file:s0
+
+
+/etc(/.*)? u:object_r:etc_file:s0
+
+
+/lib(/.*)? u:object_r:lib_file:s0
+
+
+/sys(/.*)? u:object_r:sys_file:s0
+/sys/kernel(/.*)? u:object_r:sys_file:s0
+/sys/hi3881_debug(/.*)? u:object_r:sys_file:s0
+/sys/devices(/.*)? u:object_r:sys_file:s0
+/sys/power(/.*)? u:object_r:sys_file:s0
+/sys/class(/.*)? u:object_r:sys_file:s0
+/sys/dev(/.*)? u:object_r:sys_file:s0
+/sys/firmware(/.*)? u:object_r:sys_file:s0
+/sys/fs(/.*)? u:object_r:sys_file:s0
+/sys/bus(/.*)? u:object_r:sys_file:s0
+/sys/module(/.*)? u:object_r:sys_file:s0
+/sys/block(/.*)? u:object_r:sys_file:s0
+/sys/hisys(/.*)? u:object_r:sys_file:s0
+
+
+/system(/.*)? u:object_r:system_file:s0
+/system/hap(/.*)? u:object_r:system_hap_file:s0
+/system/bin(/.*)? u:object_r:system_bin_file:s0
+/system/etc(/.*)? u:object_r:system_etc_file:s0
+/system/fonts(/.*)? u:object_r:system_fonts_file:s0
+/system/lib(/.*)? u:object_r:system_lib_file:s0
+/system/profile(/.*)? u:object_r:system_profile_file:s0
+/system/usr(/.*)? u:object_r:system_usr_file:s0
+
+
+/updater(/.*)? u:object_r:updater_file:s0
+
+
+/vendor(/.*)? u:object_r:vendor_file:s0
+/vendor/firmware(/.*)? u:object_r:vendor_file:s0
+/vendor/etc(/.*)? u:object_r:vendor_etc_file:s0
+/vendor/lost+found(/.*)? u:object_r:vendor_file:s0
+/vendor/modules(/.*)? u:object_r:vendor_file:s0
diff --git a/sepolicy/base/system/fs_use b/sepolicy/base/system/fs_use
new file mode 100644
index 000000000..e39504483
--- /dev/null
+++ b/sepolicy/base/system/fs_use
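Review bot: The twelve `/sys/...` entries all map to the same `sys_file` type that `/sys(/.*)?` already assigns, so they add nothing but maintenance surface, and virtfs_contexts in this patch labels sysfs through `genfscon sysfs / u:object_r:sysfs:s0`, which is what the kernel will use for those inodes; either drop the sub-entries or comment why path-based relabeling of /sys is expected to win. Most of the types named here (`config_file`, `data_file`, `data_hap_file`, `dev_file`, `etc_file`, `lib_file`, `system_hap_file`, `system_bin_file`, `system_etc_file`, `system_fonts_file`, `system_profile_file`, `system_usr_file`, `updater_file`, `vendor_etc_file`) are not declared in base/system/file.te in this patch; if they are meant to come from device.te or another file I cannot see, a short comment at the top pointing there would help, otherwise the build will fail on the first of them. This file is also the one in the patch without the license header.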
@@ -0,0 +1,33 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr hmfs u:object_r:labeledfs:s0;
+
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
diff --git a/sepolicy/base/system/initial_sid_contexts b/sepolicy/base/system/initial_sid_contexts
new file mode 100644
index 000000000..63d723179
--- /dev/null
+++ b/sepolicy/base/system/initial_sid_contexts
@@ -0,0 +1,7 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid untrusted_hap u:object_r:unlabeled:s0
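Review bot: `fs_use_trans devtmpfs u:object_r:device:s0;` names a `device` type that base/system/file.te in this patch does not declare (it declares `tmpfs`, `devpts`, `shm`, `mqueue` for the neighbouring lines); if `device` comes from device.te, which the diffstat lists but I cannot see, the build is fine, otherwise this line breaks it. A comment on that line, `# device is declared in public/device.te`, would make the dependency visible. Nothing explains why `squashfs`, `erofs` and `overlay` are treated as xattr-labeled rather than via genfscon; a one-line note per group would help.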
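Review bot: The initial SID list in initial_sid_contexts (and initial_sids, the next hunk) omits `file_labels` and appends `untrusted_hap`, so the numbering checkpolicy derives from declaration order no longer matches the kernel's fixed initial SID order (kernel, security, unlabeled, fs, file, file_labels, init, ...); if the target kernel identifies initial SIDs by index rather than by name, `init` and the custom SID land in the wrong slots. Reference policies keep the kernel's full list in kernel order and add no names of their own, so please confirm against the target kernel's initial SID handling before relying on this shorter list. `sid init` and `sid untrusted_hap` both resolve to `unlabeled`; a comment such as `# untrusted_hap is a policy-side placeholder, currently identical to unlabeled` would record that it is intentional.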
diff --git a/sepolicy/base/system/initial_sids b/sepolicy/base/system/initial_sids
new file mode 100644
index 000000000..f4d31132b
--- /dev/null
+++ b/sepolicy/base/system/initial_sids
@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid init
+sid untrusted_hap
diff --git a/sepolicy/base/system/security_classes b/sepolicy/base/system/security_classes
new file mode 100644
index 000000000..17ecde169
--- /dev/null
+++ b/sepolicy/base/system/security_classes
@@ -0,0 +1,106 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class security
+class process
+class system
+class capability
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+class sem
+class msg
+class msgq
+class shm
+class ipc
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+class association
+class netlink_kobject_uevent_socket
+class appletalk_socket
+class packet
+class key
+class dccp_socket
+class memprotect
+class peer
+class capability2
+class kernel_service
+class tun_socket
+class binder
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+class infiniband_pkey
+class infiniband_endport
+class cap_userns
+class cap2_userns
+class sctp_socket
+class icmp_socket
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+class process2
+class bpf
+class xdp_socket
+class parameter_service
diff --git a/sepolicy/base/system/virtfs_contexts b/sepolicy/base/system/virtfs_contexts
new file mode 100644
index 000000000..b721abcba
--- /dev/null
+++ b/sepolicy/base/system/virtfs_contexts
@@ -0,0 +1,7 @@
+genfscon rootfs / u:object_r:rootfs:s0
+
+genfscon proc / u:object_r:proc:s0
+
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+
+genfscon sysfs / u:object_r:sysfs:s0
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
deleted file mode 100644
index b1a5add31..000000000
--- a/sepolicy/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:rootfs:s0
diff --git a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file.te b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file.te
new file mode 100644
index 000000000..7f9d32f0d
--- /dev/null
+++ b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type foundation_data_file, file_type, data_file_type;
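Review bot: virtfs_contexts only assigns genfscon labels to rootfs, proc, selinuxfs and sysfs, while base/system/file.te declares `cgroup`, `debugfs`, `inotify`, `proc_panic` and `selinuxfs`-style pseudo-filesystem types that no genfscon or fs_use line in this patch ever applies; pseudo-filesystems with no labeling rule end up with the unlabeled context, which silently widens whatever rules target `unlabeled`. Either add the missing `genfscon` entries (for example for debugfs and cgroup) or comment the declared-but-unused types as reserved. A one-line `# proc_panic is reserved for a future genfscon on the panic trigger` style note would also explain why `proc_panic` exists next to `proc`.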
diff --git a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file_contexts b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file_contexts
new file mode 100644
index 000000000..58906b530
--- /dev/null
+++ b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/file_contexts
@@ -0,0 +1,18 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#installs
+/system/bin/installs u:object_r:installs_exec:s0
+
+# for sa_main Service
+/system/bin/sa_main u:object_r:samain_exec:s0
diff --git a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te
new file mode 100644
index 000000000..a36153585
--- /dev/null
+++ b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te
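Review bot: `/system/bin/sa_main u:object_r:samain_exec:s0` lives in the appexecfwk file_contexts although `samain_exec` is declared in distributedschedule/safwk/system/sa_main.te in the same patch, so the label and its declaration sit in different subsystems and a later reorganisation of either directory will orphan one of them. Move the entry next to the type it uses, or replace the `# for sa_main Service` comment with one that names the owning file, e.g. `# sa_main hosts the foundation domain; samain_exec is declared in distributedschedule/safwk/system/sa_main.te`. The `#installs` comment could likewise state that the domain and its `init_daemon_domain` rule are in installs.te.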
@@ -0,0 +1,39 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type foundation, domain, nativedomain;
+
+domain_auto_transition_pattern(init, samain_exec, foundation);
+
+allow init samain_exec:file execute_no_trans;
+
+binder_call(foundation, appspawn);
+binder_call(foundation, installs);
+binder_call(foundation, deviceauth_service);
+binder_call(foundation, samgr);
+binder_call(foundation, render_service);
+
+allow foundation hdf_devmgr:binder call;
+allow appspawn foundation:binder call;
+allow deviceauth_service foundation:binder call;
+
+allow foundation appspawn:unix_stream_socket connectto;
+
+allow foundation vendor_file:dir read_dir_perms;
+
+allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read };
+
+allow foundation init:unix_stream_socket connectto;
+
+# "/system/profile/foundation.xml", O_RDONLY
+allow foundation system_file:file read_file_perms;
diff --git a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/installs.te b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/installs.te
new file mode 100644
index 000000000..f0a8fbea7
--- /dev/null
+++ b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/installs.te
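Review bot: `allow init samain_exec:file execute_no_trans;` lets init run the sa_main binary without leaving the init domain, which is exactly the case `domain_auto_transition_pattern(init, samain_exec, foundation)` two lines above is meant to rule out; with both rules present, whether sa_main is confined to `foundation` depends on how it is launched rather than on policy. If there is a launcher that must run it in init's context, say so in a comment and ideally key the exception to that launcher's domain; otherwise drop the execute_no_trans line. The socket rule `allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read };` and the two `connectto` rules have no comment explaining what foundation needs them for, unlike the final rule which cites the profile path; the same style throughout would make later audits much faster.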
@@ -0,0 +1,17 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type installs, domain;
+type installs_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(installs);
diff --git a/sepolicy/ohos_policy/distributedschedule/safwk/system/sa_main.te b/sepolicy/ohos_policy/distributedschedule/safwk/system/sa_main.te
new file mode 100644
index 000000000..24f3c826a
--- /dev/null
+++ b/sepolicy/ohos_policy/distributedschedule/safwk/system/sa_main.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type samain_exec, exec_type, file_type, system_file_type;
diff --git a/sepolicy/ohos_policy/distributedschedule/samgr/system/file_contexts b/sepolicy/ohos_policy/distributedschedule/samgr/system/file_contexts
new file mode 100644
index 000000000..25aeaa2a6
--- /dev/null
+++ b/sepolicy/ohos_policy/distributedschedule/samgr/system/file_contexts
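Review bot: sa_main.te declares `samain_exec` but no domain, no transition and no file_contexts entry, and a reader of this file alone cannot tell that the binary is expected to run as `foundation` via the `domain_auto_transition_pattern` in appexecfwk/foundation.te and to be labeled from appexecfwk's file_contexts. A comment above the declaration, `# Entry point of the SA host process; the foundation domain and the init transition live in appexecfwk/appexecfwk/system/foundation.te`, would tie the three pieces together. installs.te has the opposite gap: it sets up `init_daemon_domain(installs)` but carries no rules for what installs may touch, so a `# TODO: access rules for installs are still to be added` marker would stop the empty domain from being mistaken for a finished one.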
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/samgr u:object_r:samain_exec:s0
diff --git a/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te
new file mode 100644
index 000000000..4dd1f5a84
--- /dev/null
+++ b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te
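Review bot: `/system/bin/samgr u:object_r:samain_exec:s0` labels the samgr binary with the sa_main entry type, while samgr.te in the next hunk declares `samgr_exec` and calls `init_daemon_domain(samgr)`; with this label, init's transition on `samain_exec` (declared in foundation.te) would put samgr into the `foundation` domain, and `samgr_exec` is never applied to anything, so none of the samgr rules, including `set_context_mgr`, take effect for the real process. The line should read `/system/bin/samgr u:object_r:samgr_exec:s0`. A comment above it naming samgr.te as the owner of the domain would help catch this kind of mismatch in review.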
@@ -0,0 +1,31 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type samgr, domain;
+type samgr_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(samgr);
+
+binder_call(samgr, appspawn);
+binder_call(samgr, foundation);
+binder_call(samgr, deviceauth_service);
+binder_call(samgr, hdf_devmgr);
+binder_call(samgr, render_service);
+binder_call(render_service, hdf_devmgr);
+
+allow samgr kernel:fd use;
+allow samgr tmpfs:chr_file { open read write getattr ioctl map };
+
+allow samgr samgr:binder set_context_mgr;
+
+allow samgr socket_device:sock_file write;
diff --git a/sepolicy/ohos_policy/drivers/adapter/system/file_contexts b/sepolicy/ohos_policy/drivers/adapter/system/file_contexts
new file mode 100644
index 000000000..06c5255c2
--- /dev/null
+++ b/sepolicy/ohos_policy/drivers/adapter/system/file_contexts
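Review bot: `allow samgr tmpfs:chr_file { open read write getattr ioctl map };` grants read, write, ioctl and map on every character device that still carries the generic `tmpfs` label, which on a devtmpfs-backed /dev is any node not yet relabeled to a specific device type; the binder context manager should need one or two named device types, so label the node it actually opens and write the rule against that type, and put the device name in a comment on the line. `binder_call(render_service, hdf_devmgr);` is a rule between two other domains placed in samgr.te; it belongs in graphic.te or hdf_devmgr.te, and since hdf_devmgr.te already has `binder_call(hdf_devmgr, render_service)` and graphic.te has `binder_call(render_service, samgr)` mirroring this file's `binder_call(samgr, render_service)`, one of each pair is likely redundant depending on what the macro expands to. `allow samgr kernel:fd use;` and the `socket_device:sock_file write` rule carry no comment saying which inherited descriptor or socket they are for.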
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/sytem/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0
diff --git a/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te b/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te
new file mode 100644
index 000000000..8856be801
--- /dev/null
+++ b/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te
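Review bot: The path `/sytem/bin/hdf_devmgr` is misspelled, so this entry never matches and the binary keeps the generic `/system(/.*)?` label from base/system/file_contexts; `hdf_devmgr_exec` is then applied to nothing, the `init_daemon_domain(hdf_devmgr)` transition in the next hunk never fires, and the device manager would run in whatever domain started it rather than in `hdf_devmgr`. Change the line to `/system/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0`. A build-time check that every `*_exec` type declared in a .te file is referenced by at least one file_contexts entry would have caught both this and the samgr labeling issue.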
@@ -0,0 +1,31 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type hdf_devmgr, domain;
+type hdf_devmgr_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(hdf_devmgr);
+
+binder_call(hdf_devmgr, samgr);
+binder_call(hdf_devmgr, render_service);
+binder_call(hdf_devmgr, foundation);
+
+allow hdf_devmgr device:sock_file { write };
+
+allow hdf_devmgr system_file:file execute_no_trans;
+
+allow hdf_devmgr hdf_devmgr:netlink_kobject_uevent_socket { create_socket_perms };
+
+allow hdf_devmgr dev_type:chr_file read_file_perms;
+
+allow hdf_devmgr sysfs_type:file rw_file_perms;
diff --git a/sepolicy/ohos_policy/graphic/graphic/system/file_contexts b/sepolicy/ohos_policy/graphic/graphic/system/file_contexts
new file mode 100644
index 000000000..6495a68dc
--- /dev/null
+++ b/sepolicy/ohos_policy/graphic/graphic/system/file_contexts
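Review bot: Three of the rules are attribute- or catch-all-wide with no comment saying what the device manager actually needs: `allow hdf_devmgr system_file:file execute_no_trans;` lets it run any system binary inside its own domain, `allow hdf_devmgr dev_type:chr_file read_file_perms;` reaches every labeled character device, and `allow hdf_devmgr sysfs_type:file rw_file_perms;` writes to every sysfs attribute carrying that attribute. Each should either be narrowed to the specific exec, device and sysfs types it loads, or carry a why-comment naming the helper binaries, device nodes and sysfs paths involved so the breadth is a recorded decision. Note also that base/system/file.te in this patch declares `sysfs` without `sysfs_type`, so the last rule currently covers `sysfs_rtc` only and not the genfscon-labeled /sys tree; fixing that declaration will silently widen this rule, which is one more reason to scope it now. The uevent rule and `device:sock_file { write }` are reasonable for a device manager and would read better with a short comment each.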
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/render_service u:object_r:render_service_exec:s0
diff --git a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
new file mode 100644
index 000000000..2857b822d
--- /dev/null
+++ b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
@@ -0,0 +1,21 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type render_service, domain;
+type render_service_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(render_service);
+
+binder_call(render_service, samgr);
+binder_call(render_service, appspawn);
+
diff --git a/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te b/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te
new file mode 100644
index 000000000..49fe2fc23
--- /dev/null
+++ b/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te
@@ -0,0 +1,23 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type logserver_exec, exec_type, file_type, system_file_type;
+type hiview, domain;
+
+domain_auto_transition_pattern(init, logserver_exec, hiview);
+
+allow hiview shell:fd { use };
+allow hiview shell:fifo_file { write };
+
+binder_call(samgr, hiview);
+allow hiview samgr:binder { call transfer };
diff --git a/sepolicy/ohos_policy/kernel/linux/public/kernel.te b/sepolicy/ohos_policy/kernel/linux/public/kernel.te
new file mode 100644
index 000000000..b5fe51e61
--- /dev/null
+++ b/sepolicy/ohos_policy/kernel/linux/public/kernel.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type kernel, domain;
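Review bot: The last two lines of hiview.te grant binder in both directions by different means — `binder_call(samgr, hiview);` plus a hand-written `allow hiview samgr:binder { call transfer };` — while every other domain in this patch writes the client side as `binder_call(<domain>, samgr);`. Assuming the macro grants call/transfer from its first argument to its second (its definition is not in this patch), replace the explicit allow with `binder_call(hiview, samgr);` and keep the samgr→hiview direction only if hiview really serves callbacks. `logserver_exec` is declared and used in `domain_auto_transition_pattern(init, logserver_exec, hiview);`, but no file_contexts hunk in this patch labels a binary with it, so the transition will not occur unless that entry exists elsewhere; a comment naming the binary would make the intent checkable. The `allow hiview shell:fd { use };` and `allow hiview shell:fifo_file { write };` lines look like a bring-up leftover (hiview inheriting a shell's pipes) and deserve either a why-comment or removal.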
diff --git a/sepolicy/ohos_policy/kernel/linux/public/shell.te b/sepolicy/ohos_policy/kernel/linux/public/shell.te
new file mode 100644
index 000000000..4da9e62de
--- /dev/null
+++ b/sepolicy/ohos_policy/kernel/linux/public/shell.te
@@ -0,0 +1,16 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type shell, domain;
+type shell_exec, system_file_type, exec_type, file_type;
+
diff --git a/sepolicy/ohos_policy/kernel/linux/system/kernel.te b/sepolicy/ohos_policy/kernel/linux/system/kernel.te
new file mode 100644
index 000000000..d96e8fa98
--- /dev/null
+++ b/sepolicy/ohos_policy/kernel/linux/system/kernel.te
@@ -0,0 +1,17 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+domain_auto_transition_pattern(kernel, init_exec, init)
+
+allow kernel tmpfs:chr_file read_file_perms;
+allow kernel kernel:process setsched;
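Review bot: `domain_auto_transition_pattern(kernel, init_exec, init)` is written without a trailing semicolon, while every other macro invocation in this patch (`init_daemon_domain(...)`, `binder_call(...)`, the `domain_auto_transition_pattern` calls in hiview.te and udevadm.te) carries one. Whether a stray `;` after the m4 expansion is tolerated depends on how the policy is fed to checkpolicy, which is not visible in this hunk; pick one form and use it throughout so the build does not rely on that tolerance. For consistency with appspawn.te and ueventd.te, `allow kernel kernel:process setsched;` would read better as `allow kernel self:process setsched;`.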
diff --git a/sepolicy/ohos_policy/kernel/linux/system/shell.te b/sepolicy/ohos_policy/kernel/linux/system/shell.te
new file mode 100644
index 000000000..fc5da5c0d
--- /dev/null
+++ b/sepolicy/ohos_policy/kernel/linux/system/shell.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+permissive shell;
+
diff --git a/sepolicy/ohos_policy/kernel/linux/system/su.te b/sepolicy/ohos_policy/kernel/linux/system/su.te
new file mode 100644
index 000000000..a2b1e8d9b
--- /dev/null
+++ b/sepolicy/ohos_policy/kernel/linux/system/su.te
@@ -0,0 +1,16 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type su, domain;
+
+type su_exec, exec_type, file_type;
diff --git a/sepolicy/ohos_policy/multimodalinput/input/system/file_contexts b/sepolicy/ohos_policy/multimodalinput/input/system/file_contexts
new file mode 100644
index 000000000..2e6097e33
--- /dev/null
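Review bot: `permissive shell;` makes the shell domain unconfined on an otherwise enforcing system — every access from shell is allowed and merely audited — so anything reachable through a shell, including the `shell:fd`/`shell:fifo_file` access hiview is granted, is effectively unrestricted. This line must not ship in a production image: put it under a debug-only build condition (a macro in the style of Android's `userdebug_or_eng`, or a switch in the policy build script) or drop it and confine shell with explicit rules. Until then, add a comment above it: `# TEMPORARY: shell is permissive for bring-up only; remove before release`.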
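Review bot: `su_exec` is declared with `exec_type, file_type` but, unlike every other `*_exec` type in this patch, without `system_file_type`, and no file_contexts hunk here labels any binary with it, so the `allow init su:process transition` rule in init.te has nothing to transition from; either the labeling lives outside this patch or the su domain is dead policy. If su exists only for debug images, declare it and the init transition under the same debug-only condition that should gate `permissive shell`; if it is intended for production, a comment explaining why a root-shell domain exists is needed. For consistency, `type su_exec, exec_type, file_type, system_file_type;` matches how the other exec types are declared.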
+++ b/sepolicy/ohos_policy/multimodalinput/input/system/file_contexts
@@ -0,0 +1,18 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/udevadm u:object_r:udevadm_exec:s0
+
+# for udevd
+/system/bin/udevd u:object_r:udevd_exec:s0
+/data/udev/control u:object_r:udevd_socket:s0
diff --git a/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te b/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te
new file mode 100644
index 000000000..b35eae26c
--- /dev/null
+++ b/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te
@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type udevadm, domain, nativedomain;
+type udevadm_exec, exec_type, file_type, system_file_type;
+
+domain_auto_transition_pattern(init, udevadm_exec, udevadm);
+
+allow udevadm udevd_socket:sock_file write;
+allow udevadm udevd:unix_stream_socket { connectto };
diff --git a/sepolicy/ohos_policy/multimodalinput/input/system/udevd.te b/sepolicy/ohos_policy/multimodalinput/input/system/udevd.te
new file mode 100644
index 000000000..37b24e7bd
--- /dev/null
+++ b/sepolicy/ohos_policy/multimodalinput/input/system/udevd.te
@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type udevd, domain, nativedomain;
+
+type udevd_exec, exec_type, file_type, system_file_type;
+type udevd_socket, file_type, data_file_type;
+type udevd_file, file_type, data_file_type;
+
+init_daemon_domain(udevd);
diff --git a/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te b/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te
new file mode 100644
index 000000000..43e8e0e6f
--- /dev/null
+++ b/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te
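Review bot: The input file_contexts labels `/data/udev/control` as `udevd_socket` and udevadm is allowed `udevd_socket:sock_file write` plus `udevd:unix_stream_socket connectto`, but udevd itself gets no rule in this hunk to create that socket file or to own the listening socket — there is no `allow udevd udevd_socket:sock_file { create setattr unlink };`, no `allow udevd self:unix_stream_socket create_stream_socket_perms;`, and no `type_transition` placing the socket under `udevd_socket` when udevd creates it beneath /data. Unless those rules live outside this patch, udevd will either fail to create its control socket or create it with the parent directory's label, which udevadm is not allowed to write. `udevd_file` is declared but referenced nowhere in the patch; drop it or add the rules that use it.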
@@ -0,0 +1,19 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type deviceauth_service, domain;
+type deviceauth_service_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(deviceauth_service);
+
+binder_call(deviceauth_service, samgr);
diff --git a/sepolicy/ohos_policy/security/deviceauth/system/file_contexts b/sepolicy/ohos_policy/security/deviceauth/system/file_contexts
new file mode 100644
index 000000000..db4736b3f
--- /dev/null
+++ b/sepolicy/ohos_policy/security/deviceauth/system/file_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/deviceauth_service u:object_r:deviceauth_service_exec:s0
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
new file mode 100644
index 000000000..d29773d61
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te 
@@ -0,0 +1,64 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type appspawn, domain, nativedomain;
+type appspawn_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(appspawn);
+
+binder_call(appspawn, render_service);
+binder_call(appspawn, hdf_devmgr);
+
+allow appspawn appspawn:process { execmem };
+
+# "/dev/null", O_RDWR
+allow appspawn null_device:chr_file rw_file_perms;
+
+# "/",
+allow appspawn rootfs:dir search;
+
+# "proc",
+allow appspawn appspawn:lnk_file read;
+
+# "/system/lib/*.so", O_RDONLY
+allow appspawn system_lib_file:file { read_file_perms map };
+allow appspawn system_lib_file:dir read_dir_perms;
+
+# "/dev/cpu_variant:arm", O_RDONLY
+allow appspawn dev_cpu_variant:file read_file_perms;
+
+# "/system/etc/fontconfig.json", O_RDONLY
+allow appspawn fontconfig_file:file read_file_perms;
+
+# "/system/fonts/*", O_RDONLY
+allow appspawn fonts_file:file read_file_perms;
+
+# avc: denied {read} for pid = 486 comm="appspawn" path = "pipe:[26660]" dev= "pipefs" ino=26660 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=fifo_file permissive = 1
+allow appspawn self:fifo_file read;
+
+allow appspawn self:unix_stream_socket { write accept connectto };
+
+allow appspawn system_file:dir search;
+
+allow appspawn self:unix_dgram_socket { write sendto };
+
+allow appspawn init_tmpfs:file { read open map };
+
+allow appspawn tmpfs:dir { write add_name };
+
+allow appspawn tmpfs:sock_file {
create setattr };
+
+allow appspawn samgr:binder call;
+
+allow appspawn foundation:unix_stream_socket rw_socket_perms;
+
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/file_contexts b/sepolicy/ohos_policy/startup/appspawn/system/file_contexts
new file mode 100644
index 000000000..f08f19319
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/appspawn/system/file_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/appspawn u:object_r:appspawn_exec:s0
diff --git a/sepolicy/ohos_policy/startup/init/public/init.te b/sepolicy/ohos_policy/startup/init/public/init.te
new file mode 100644
index 000000000..0a7aa144d
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/init/public/init.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type init, domain;
+type init_exec, exec_type, file_type;
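Review bot: `allow appspawn appspawn:process { execmem };` lets the process that forks every application map anonymous writable-and-executable memory, which is exactly what a memory-corruption bug in appspawn or in any runtime it preloads before forking needs to become code execution, and it rules out a future `neverallow nativedomain self:process execmem;`. If a JIT or preloaded runtime genuinely needs it, record that above the rule (`# execmem: required by the preloaded runtime's JIT — confirm`); otherwise grant it in the app domains that need it rather than in appspawn. Two consistency points in the same hunk: `allow appspawn samgr:binder call;` omits `transfer`, unlike the `binder_call` macro every other client uses, and `allow appspawn tmpfs:dir { write add_name };` with `allow appspawn tmpfs:sock_file { create setattr };` creates sockets under the generic `tmpfs` label instead of a dedicated socket type as udevd does with `udevd_socket`.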
diff --git a/sepolicy/ohos_policy/startup/init/system/file_contexts b/sepolicy/ohos_policy/startup/init/system/file_contexts
new file mode 100644
index 000000000..5de18f395
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/init/system/file_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system/bin/ueventd u:object_r:ueventd_exec:s0
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
new file mode 100644
index 000000000..3332d2398
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
@@ -0,0 +1,57 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type init_tmpfs, file_type;
+type trigger_device, dev_type;
+type trigger_trigger, dev_type;
+
+allow init su:process transition;
+
+allow init { proc_panic }:file getattr;
+
+domain_auto_transition_pattern(init, shell_exec, shell);
+
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+allow init tmpfs:blk_file { create setattr unlink rw_file_perms };
+allow init tmpfs:file { relabelfrom };
+
+allow init device: { file lnk_file chr_file blk_file sock_file } relabelto;
+allow init dev_type: { file lnk_file chr_file blk_file } relabelto;
+
+allow init dev_type:dir relabelto;
+
+allow init trigger_device:file rw_file_perms;
+allow init trigger_trigger:file { relabelto rw_file_perms };
+allow init param_device:file rw_file_perms;
+
+allow init devpts:dir relabelfrom;
+allow init devpts:chr_file { getattr relabelfrom };
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+allow init tmpfs:sock_file { create setattr getattr relabelfrom };
+
+allow init system_file:file execute_no_trans;
+
+allow init device:sock_file { create setattr };
+
+allow init sysfs:file setattr;
+
+allow init shell_exec:file { execute_no_trans };
+allow init logserver_exec:file { execute_no_trans };
+
+# avc: denied { read } for pid = 1 comm="init" path="pipe:[]" dev="devpts" ino=12016 scontext=u:object_r:device:s0 tcontext=u:object_r:devpts:s0 tclass=filesystem permissive=1
+allow init kernel:fifo_file { read write };
+
diff --git a/sepolicy/ohos_policy/startup/init/system/ueventd.te b/sepolicy/ohos_policy/startup/init/system/ueventd.te
new file mode 100644
index 000000000..ec05c4e40
--- /dev/null
+++ b/sepolicy/ohos_policy/startup/init/system/ueventd.te
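Review bot: `allow init system_file:file execute_no_trans;` lets init execute any system binary inside the init domain itself, and the explicit `allow init shell_exec:file { execute_no_trans };` and `allow init logserver_exec:file { execute_no_trans };` undercut the `domain_auto_transition_pattern(init, shell_exec, shell);` in this same file and the hiview transition in hiview.te: a service launched from those binaries with an explicit exec context, or a path the transition does not cover, can stay in `init` rather than its confined domain. Drop all three `execute_no_trans` rules and give each init-launched program its own `*_exec` type with a transition, as already done for hdf_devmgr, udevd and ueventd. The pasted denial above `allow init kernel:fifo_file { read write };` does not describe that rule — its scontext is `u:object_r:device:s0` and its class is `filesystem` — so replace it with the actual avc line for init→kernel fifo_file or remove it so it does not mislead the next reader.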
@@ -0,0 +1,30 @@
+# Copyright (c) 2021 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type ueventd, domain, nativedomain;
+type ueventd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(ueventd);
+
+allow ueventd kernel:fd use;
+
+allow ueventd sysfs:file write_file_perms;
+allow ueventd tmpfs:chr_file { create setattr unlink rw_file_perms };
+allow ueventd tmpfs:dir create_dir_perms;
+allow ueventd tmpfs:blk_file { create setattr unlink rw_file_perms };
+allow ueventd tmpfs:lnk_file { create setattr unlink rw_file_perms };
+
+allow ueventd sysfs_rtc:dir read_dir_perms;
+allow ueventd sysfs_rtc: { file lnk_file } read_file_perms;
+
+allow ueventd self:netlink_kobject_uevent_socket { read create setopt bind write };
-- Gitee
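Review bot: ueventd is allowed to create device nodes via `allow ueventd tmpfs:chr_file { create setattr unlink rw_file_perms };` (and the blk_file/lnk_file lines), but it has no `relabelto` on `dev_type` and no `type_transition`, so every node it creates keeps the generic `tmpfs` label; the per-device types this patch introduces (`trigger_device`, `trigger_trigger`, and `param_device` used in init.te) and hdf_devmgr's `dev_type:chr_file` rule only take effect if init relabels the nodes afterwards — init.te does carry `allow init dev_type: { file lnk_file chr_file blk_file } relabelto;`, but nothing visible guarantees that ordering. Either give ueventd `allow ueventd dev_type:{ chr_file blk_file } { create setattr relabelto };` backed by file_contexts-driven labeling, or add a comment stating that init performs the relabel after coldboot. `allow ueventd sysfs:file write_file_perms;` is write access to all of sysfs; if ueventd only writes the `uevent` trigger files during coldboot replay, a dedicated type for those would be tighter — that cannot be confirmed from this hunk alone.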