diff --git a/sepolicy/ohos_policy/kernel/linux/system/accountmgr.te b/sepolicy/ohos_policy/kernel/linux/system/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..9852cf284f5b243172f47ac096543dbc2c5bc162 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/accountmgr.te @@ -0,0 +1,14 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr memmgrservice:binder { transfer }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/appspawn.te b/sepolicy/ohos_policy/kernel/linux/system/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..55ad12d400bf45f024baba712d4d3ed509609802 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/appspawn.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn appspawn:process { setcurrent }; +allow appspawn normal_hap:process { dyntransition }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/foundation.te b/sepolicy/ohos_policy/kernel/linux/system/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..75aa68bec45273090a01b8903d7b75bf74f0f3ba --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/foundation.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation memmgrservice:binder { call }; +allow foundation memmgrservice:binder { transfer }; +allow foundation proc_file:file { open }; +allow foundation proc_file:file { read }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/hdcd.te b/sepolicy/ohos_policy/kernel/linux/system/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..f9d46c0bb5bce35ab80c426361d8ac050e1db8fd --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/hdcd.te @@ -0,0 +1,271 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdcd accessibility:dir { getattr }; +allow hdcd accessibility:dir { search }; +allow hdcd accessibility:file { open }; +allow hdcd accesstoken_service:dir { getattr }; +allow hdcd accesstoken_service:dir { search }; +allow hdcd accesstoken_service:file { open }; +allow hdcd accountmgr:dir { getattr }; +allow hdcd accountmgr:dir { search }; +allow hdcd accountmgr:file { open }; +allow hdcd appspawn:dir { getattr }; +allow hdcd appspawn:dir { search }; +allow hdcd appspawn:file { open }; +allow hdcd audio_hdi_server_host:dir { getattr }; +allow hdcd audio_hdi_server_host:dir { search }; +allow hdcd audio_hdi_server_host:file { open }; +allow hdcd audio_policy:dir { getattr }; +allow hdcd audio_policy:dir { search }; +allow hdcd audio_policy:file { open }; +allow hdcd battery_stats:dir { getattr }; +allow hdcd battery_stats:dir { search }; +allow hdcd battery_stats:file { open }; +allow hdcd bgtaskmgr_service:dir { getattr }; +allow hdcd bgtaskmgr_service:dir { search }; +allow hdcd bgtaskmgr_service:file { open }; +allow hdcd blue_host:dir { getattr }; +allow hdcd blue_host:dir { search }; +allow hdcd blue_host:file { open }; +allow hdcd bluetooth_service:dir { getattr }; +allow hdcd bluetooth_service:dir { search }; +allow hdcd bluetooth_service:file { open }; +allow hdcd camera_host:dir { getattr }; +allow hdcd camera_host:dir { search }; +allow hdcd camera_host:file { open }; +allow hdcd camera_service:dir { getattr }; +allow hdcd camera_service:dir { search }; +allow hdcd camera_service:file { open }; +allow hdcd codec_host:dir { getattr }; +allow hdcd codec_host:dir { search }; +allow hdcd codec_host:file { open }; +allow hdcd console:dir { getattr }; +allow hdcd console:dir { search }; +allow hdcd console:file { open }; +allow hdcd console:lnk_file { read }; +allow hdcd device_usage_stats_service:dir { getattr }; +allow hdcd device_usage_stats_service:dir { search }; +allow hdcd device_usage_stats_service:file { open }; +allow hdcd deviceinfoservice:dir { getattr }; +allow hdcd deviceinfoservice:dir { search }; +allow hdcd deviceinfoservice:file { open }; +allow hdcd disp_gralloc_host:dir { getattr }; +allow hdcd disp_gralloc_host:dir { search }; +allow hdcd disp_gralloc_host:file { open }; +allow hdcd distributeddata:dir { getattr }; +allow hdcd distributeddata:dir { search }; +allow hdcd distributeddata:file { open }; +allow hdcd distributedfiledaemon:dir { getattr }; +allow hdcd distributedfiledaemon:dir { search }; +allow hdcd distributedfiledaemon:file { open }; +allow hdcd distributedfileservice:dir { getattr }; +allow hdcd distributedfileservice:dir { search }; +allow hdcd distributedfileservice:file { open }; +allow hdcd distributedsche:dir { getattr }; +allow hdcd distributedsche:dir { search }; +allow hdcd distributedsche:file { open }; +allow hdcd download_server:dir { getattr }; +allow hdcd download_server:dir { search }; +allow hdcd download_server:file { open }; +allow hdcd dslm_service:dir { getattr }; +allow hdcd dslm_service:dir { search }; +allow hdcd dslm_service:file { open }; +allow hdcd edm_sa:dir { getattr }; +allow hdcd edm_sa:dir { search }; +allow hdcd edm_sa:file { open }; +allow hdcd faceauth:dir { getattr }; +allow hdcd faceauth:dir { search }; +allow hdcd faceauth:file { open }; +allow hdcd faultloggerd:dir { getattr }; +allow hdcd faultloggerd:dir { search }; +allow hdcd faultloggerd:file { open }; +allow hdcd fms_service:dir { getattr }; +allow hdcd fms_service:dir { search }; +allow hdcd fms_service:file { open }; +allow hdcd foundation:dir { getattr }; +allow hdcd foundation:dir { search }; +allow hdcd foundation:file { open }; +allow hdcd hdf_devmgr:dir { getattr }; +allow hdcd hdf_devmgr:dir { search }; +allow hdcd hdf_devmgr:file { open }; +allow hdcd hidumper_service:dir { getattr }; +allow hdcd hidumper_service:dir { search }; +allow hdcd hidumper_service:file { open }; +allow hdcd hilogd:dir { getattr }; +allow hdcd hilogd:dir { search }; +allow hdcd hilogd:file { open }; +allow hdcd hiview:dir { getattr }; +allow hdcd hiview:dir { search }; +allow hdcd hiview:file { open }; +allow hdcd huks_service:dir { getattr }; +allow hdcd huks_service:dir { search }; +allow hdcd huks_service:file { open }; +allow hdcd init:dir { getattr }; +allow hdcd init:dir { search }; +allow hdcd init:file { open }; +allow hdcd input_user_host:dir { getattr }; +allow hdcd input_user_host:dir { search }; +allow hdcd input_user_host:file { open }; +allow hdcd inputmethod_service:dir { getattr }; +allow hdcd inputmethod_service:dir { search }; +allow hdcd inputmethod_service:file { open }; +allow hdcd installs:dir { getattr }; +allow hdcd installs:dir { search }; +allow hdcd installs:file { open }; +allow hdcd kernel:dir { getattr }; +allow hdcd kernel:dir { search }; +allow hdcd kernel:file { open }; +allow hdcd light_dal_host:dir { getattr }; +allow hdcd light_dal_host:dir { search }; +allow hdcd light_dal_host:file { open }; +allow hdcd limit_domain:dir { getattr }; +allow hdcd limit_domain:dir { search }; +allow hdcd limit_domain:file { open }; +allow hdcd locationhub:dir { getattr }; +allow hdcd locationhub:dir { search }; +allow hdcd locationhub:file { open }; +allow hdcd media_service:dir { getattr }; +allow hdcd media_service:dir { search }; +allow hdcd media_service:file { open }; +allow hdcd memmgrservice:dir { getattr }; +allow hdcd memmgrservice:dir { search }; +allow hdcd memmgrservice:file { open }; +allow hdcd memmgrservice:file { read }; +allow hdcd mmi_uinput_service:dir { getattr }; +allow hdcd mmi_uinput_service:dir { search }; +allow hdcd mmi_uinput_service:file { open }; +allow hdcd msdp_sa:dir { getattr }; +allow hdcd msdp_sa:dir { search }; +allow hdcd msdp_sa:file { open }; +allow hdcd multimodalinput:dir { getattr }; +allow hdcd multimodalinput:dir { search }; +allow hdcd multimodalinput:file { open }; +allow hdcd netmanager:dir { getattr }; +allow hdcd netmanager:dir { search }; +allow hdcd netmanager:file { open }; +allow hdcd netsysnative:dir { getattr }; +allow hdcd netsysnative:dir { search }; +allow hdcd netsysnative:file { open }; +allow hdcd normal_hap:dir { getattr }; +allow hdcd normal_hap:dir { search }; +allow hdcd normal_hap:file { open }; +allow hdcd nwebspawn:dir { getattr }; +allow hdcd nwebspawn:dir { search }; +allow hdcd nwebspawn:file { open }; +allow hdcd param_watcher:dir { getattr }; +allow hdcd param_watcher:dir { search }; +allow hdcd param_watcher:file { open }; +allow hdcd pasteboard_service:dir { getattr }; +allow hdcd pasteboard_service:dir { search }; +allow hdcd pasteboard_service:file { open }; +allow hdcd pinauth:dir { getattr }; +allow hdcd pinauth:dir { search }; +allow hdcd pinauth:file { open }; +allow hdcd power_host:dir { getattr }; +allow hdcd power_host:dir { search }; +allow hdcd power_host:file { open }; +allow hdcd proc_file:file { open }; +allow hdcd proc_file:file { read }; +allow hdcd proc_file:file { write }; +allow hdcd proc_meminfo_file:file { open }; +allow hdcd proc_meminfo_file:file { read }; +allow hdcd proc_version_file:file { open }; +allow hdcd proc_version_file:file { read }; +allow hdcd pulseaudio:dir { getattr }; +allow hdcd pulseaudio:dir { search }; +allow hdcd pulseaudio:file { open }; +allow hdcd render_service:dir { getattr }; +allow hdcd render_service:dir { search }; +allow hdcd render_service:file { open }; +allow hdcd resource_schedule_service:dir { getattr }; +allow hdcd resource_schedule_service:dir { search }; +allow hdcd resource_schedule_service:file { open }; +allow hdcd samgr:dir { getattr }; +allow hdcd samgr:dir { search }; +allow hdcd samgr:file { open }; +allow hdcd screenlock_server:dir { getattr }; +allow hdcd screenlock_server:dir { search }; +allow hdcd screenlock_server:file { open }; +allow hdcd sensor_dal_host:dir { getattr }; +allow hdcd sensor_dal_host:dir { search }; +allow hdcd sensor_dal_host:file { open }; +allow hdcd sensors:dir { getattr }; +allow hdcd sensors:dir { search }; +allow hdcd sensors:file { open }; +allow hdcd softbus_server:dir { getattr }; +allow hdcd softbus_server:dir { search }; +allow hdcd softbus_server:file { open }; +allow hdcd storage_daemon:dir { getattr }; +allow hdcd storage_daemon:dir { search }; +allow hdcd storage_daemon:file { open }; +allow hdcd storage_manager:dir { getattr }; +allow hdcd storage_manager:dir { search }; +allow hdcd storage_manager:file { open }; +allow hdcd system_basic_hap:dir { getattr }; +allow hdcd system_basic_hap:dir { search }; +allow hdcd system_basic_hap:file { open }; +allow hdcd telephony_sa:dir { getattr }; +allow hdcd telephony_sa:dir { search }; +allow hdcd telephony_sa:file { open }; +allow hdcd thermal:dir { getattr }; +allow hdcd thermal:dir { search }; +allow hdcd thermal:file { open }; +allow hdcd time_service:dir { getattr }; +allow hdcd time_service:dir { search }; +allow hdcd time_service:file { open }; +allow hdcd token_sync_service:dir { getattr }; +allow hdcd token_sync_service:dir { search }; +allow hdcd token_sync_service:file { open }; +allow hdcd udevd:dir { getattr }; +allow hdcd udevd:dir { search }; +allow hdcd udevd:file { open }; +allow hdcd ui_service:dir { getattr }; +allow hdcd ui_service:dir { search }; +allow hdcd ui_service:file { open }; +allow hdcd updater_sa:dir { getattr }; +allow hdcd updater_sa:dir { search }; +allow hdcd updater_sa:file { open }; +allow hdcd usb_host:dir { getattr }; +allow hdcd usb_host:dir { search }; +allow hdcd usb_host:file { open }; +allow hdcd usb_service:dir { getattr }; +allow hdcd usb_service:dir { search }; +allow hdcd usb_service:file { open }; +allow hdcd usbfnMaster_host:dir { getattr }; +allow hdcd usbfnMaster_host:dir { search }; +allow hdcd usbfnMaster_host:file { open }; +allow hdcd user_auth_host:dir { getattr }; +allow hdcd user_auth_host:dir { search }; +allow hdcd user_auth_host:file { open }; +allow hdcd useriam:dir { getattr }; +allow hdcd useriam:dir { search }; +allow hdcd useriam:file { open }; +allow hdcd vibrator_dal_host:dir { getattr }; +allow hdcd vibrator_dal_host:dir { search }; +allow hdcd vibrator_dal_host:file { open }; +allow hdcd watchdog_service:dir { getattr }; +allow hdcd watchdog_service:dir { search }; +allow hdcd watchdog_service:file { open }; +allow hdcd wifi_hal_service:dir { getattr }; +allow hdcd wifi_hal_service:dir { search }; +allow hdcd wifi_hal_service:file { open }; +allow hdcd wifi_host:dir { getattr }; +allow hdcd wifi_host:dir { search }; +allow hdcd wifi_host:file { open }; +allow hdcd wifi_manager_service:dir { getattr }; +allow hdcd wifi_manager_service:dir { search }; +allow hdcd wifi_manager_service:file { open }; +allow hdcd work_scheduler_service:dir { getattr }; +allow hdcd work_scheduler_service:dir { search }; +allow hdcd work_scheduler_service:file { open }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/hdf_devmgr.te b/sepolicy/ohos_policy/kernel/linux/system/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..2b22ff3774b1fd31341b53048658a1f8f46ca539 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/hdf_devmgr.te @@ -0,0 +1,39 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr bluetooth_service:dir { search }; +allow hdf_devmgr bluetooth_service:file { open }; +allow hdf_devmgr bluetooth_service:file { read }; +allow hdf_devmgr camera_host:dir { search }; +allow hdf_devmgr camera_host:file { open }; +allow hdf_devmgr camera_host:file { read }; +allow hdf_devmgr camera_service:dir { search }; +allow hdf_devmgr camera_service:file { open }; +allow hdf_devmgr camera_service:file { read }; +allow hdf_devmgr foundation:dir { search }; +allow hdf_devmgr foundation:file { open }; +allow hdf_devmgr foundation:file { read }; +allow hdf_devmgr normal_hap:dir { search }; +allow hdf_devmgr normal_hap:file { open }; +allow hdf_devmgr normal_hap:file { read }; +allow hdf_devmgr normal_hap:process { getattr }; +allow hdf_devmgr system_basic_hap:dir { search }; +allow hdf_devmgr system_basic_hap:file { open }; +allow hdf_devmgr system_basic_hap:file { read }; +allow hdf_devmgr system_core_hap:dir { search }; +allow hdf_devmgr system_core_hap:file { open }; +allow hdf_devmgr system_core_hap:file { read }; +allow hdf_devmgr useriam:dir { search }; +allow hdf_devmgr useriam:file { open }; +allow hdf_devmgr useriam:file { read }; +allow hdf_devmgr useriam:process { getattr }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/hidumper_service.te b/sepolicy/ohos_policy/kernel/linux/system/hidumper_service.te new file mode 100644 index 0000000000000000000000000000000000000000..bfc82ac0f57d12554d1de3022e817eeaaa8adfbf --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/hidumper_service.te @@ -0,0 +1,198 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hidumper_service accessibility:dir { search }; +allow hidumper_service accessibility:file { open }; +allow hidumper_service accesstoken_service:dir { search }; +allow hidumper_service accesstoken_service:file { open }; +allow hidumper_service accountmgr:dir { search }; +allow hidumper_service accountmgr:file { open }; +allow hidumper_service accountmgr:file { read }; +allow hidumper_service appspawn:dir { search }; +allow hidumper_service appspawn:file { open }; +allow hidumper_service appspawn:file { read }; +allow hidumper_service audio_hdi_server_host:dir { search }; +allow hidumper_service audio_hdi_server_host:file { open }; +allow hidumper_service audio_hdi_server_host:file { read }; +allow hidumper_service battery_stats:dir { search }; +allow hidumper_service battery_stats:file { open }; +allow hidumper_service bgtaskmgr_service:dir { search }; +allow hidumper_service bgtaskmgr_service:file { open }; +allow hidumper_service bgtaskmgr_service:file { read }; +allow hidumper_service blue_host:dir { search }; +allow hidumper_service blue_host:file { open }; +allow hidumper_service bluetooth_service:dir { search }; +allow hidumper_service bluetooth_service:file { open }; +allow hidumper_service camera_host:dir { search }; +allow hidumper_service camera_host:file { open }; +allow hidumper_service camera_host:file { read }; +allow hidumper_service camera_service:dir { search }; +allow hidumper_service camera_service:file { open }; +allow hidumper_service codec_host:dir { search }; +allow hidumper_service codec_host:file { open }; +allow hidumper_service console:dir { search }; +allow hidumper_service console:file { open }; +allow hidumper_service console:file { read }; +allow hidumper_service device_usage_stats_service:dir { search }; +allow hidumper_service device_usage_stats_service:file { open }; +allow hidumper_service deviceinfoservice:dir { search }; +allow hidumper_service deviceinfoservice:file { open }; +allow hidumper_service disp_gralloc_host:dir { search }; +allow hidumper_service disp_gralloc_host:file { open }; +allow hidumper_service distributeddata:dir { search }; +allow hidumper_service distributeddata:file { open }; +allow hidumper_service distributedfiledaemon:dir { search }; +allow hidumper_service distributedfiledaemon:file { open }; +allow hidumper_service distributedfileservice:dir { search }; +allow hidumper_service distributedfileservice:file { open }; +allow hidumper_service distributedsche:dir { search }; +allow hidumper_service distributedsche:file { open }; +allow hidumper_service download_server:dir { search }; +allow hidumper_service download_server:file { open }; +allow hidumper_service download_server:file { read }; +allow hidumper_service dslm_service:dir { search }; +allow hidumper_service dslm_service:file { open }; +allow hidumper_service edm_sa:dir { search }; +allow hidumper_service edm_sa:file { open }; +allow hidumper_service faceauth:dir { search }; +allow hidumper_service faceauth:file { open }; +allow hidumper_service faultloggerd:dir { search }; +allow hidumper_service faultloggerd:file { open }; +allow hidumper_service faultloggerd:file { read }; +allow hidumper_service fms_service:dir { search }; +allow hidumper_service fms_service:file { open }; +allow hidumper_service foundation:dir { search }; +allow hidumper_service foundation:file { open }; +allow hidumper_service foundation:file { read }; +allow hidumper_service hdcd:dir { search }; +allow hidumper_service hdcd:file { open }; +allow hidumper_service hdf_devmgr:dir { search }; +allow hidumper_service hdf_devmgr:file { open }; +allow hidumper_service hilogd:dir { search }; +allow hidumper_service hilogd:file { open }; +allow hidumper_service hiview:dir { search }; +allow hidumper_service hiview:file { open }; +allow hidumper_service huks_service:dir { search }; +allow hidumper_service huks_service:file { open }; +allow hidumper_service init:dir { search }; +allow hidumper_service init:file { open }; +allow hidumper_service input_user_host:dir { search }; +allow hidumper_service input_user_host:file { open }; +allow hidumper_service inputmethod_service:dir { search }; +allow hidumper_service inputmethod_service:file { open }; +allow hidumper_service installs:dir { search }; +allow hidumper_service installs:file { open }; +allow hidumper_service kernel:dir { search }; +allow hidumper_service kernel:file { open }; +allow hidumper_service light_dal_host:dir { search }; +allow hidumper_service light_dal_host:file { open }; +allow hidumper_service limit_domain:dir { search }; +allow hidumper_service limit_domain:file { open }; +allow hidumper_service locationhub:dir { search }; +allow hidumper_service locationhub:file { open }; +allow hidumper_service media_service:dir { search }; +allow hidumper_service media_service:file { open }; +allow hidumper_service media_service:file { read }; +allow hidumper_service memmgrservice:dir { search }; +allow hidumper_service memmgrservice:file { open }; +allow hidumper_service memmgrservice:file { read }; +allow hidumper_service mmi_uinput_service:dir { search }; +allow hidumper_service mmi_uinput_service:file { open }; +allow hidumper_service msdp_sa:dir { search }; +allow hidumper_service msdp_sa:file { open }; +allow hidumper_service multimodalinput:dir { search }; +allow hidumper_service multimodalinput:file { open }; +allow hidumper_service netmanager:dir { search }; +allow hidumper_service netmanager:file { open }; +allow hidumper_service netsysnative:dir { search }; +allow hidumper_service netsysnative:file { open }; +allow hidumper_service normal_hap:dir { search }; +allow hidumper_service normal_hap:file { open }; +allow hidumper_service nwebspawn:dir { search }; +allow hidumper_service nwebspawn:file { open }; +allow hidumper_service param_watcher:dir { search }; +allow hidumper_service param_watcher:file { open }; +allow hidumper_service pasteboard_service:dir { search }; +allow hidumper_service pasteboard_service:file { open }; +allow hidumper_service pinauth:dir { search }; +allow hidumper_service pinauth:file { open }; +allow hidumper_service power_host:dir { search }; +allow hidumper_service power_host:file { open }; +allow hidumper_service proc_stat_file:file { open }; +allow hidumper_service proc_stat_file:file { read }; +allow hidumper_service render_service:dir { search }; +allow hidumper_service render_service:file { open }; +allow hidumper_service render_service:file { read }; +allow hidumper_service resource_schedule_service:dir { search }; +allow hidumper_service resource_schedule_service:file { open }; +allow hidumper_service samgr:dir { search }; +allow hidumper_service samgr:file { open }; +allow hidumper_service screenlock_server:dir { search }; +allow hidumper_service screenlock_server:file { open }; +allow hidumper_service sensor_dal_host:dir { search }; +allow hidumper_service sensor_dal_host:file { open }; +allow hidumper_service sensors:dir { search }; +allow hidumper_service sensors:file { open }; +allow hidumper_service softbus_server:dir { search }; +allow hidumper_service softbus_server:file { open }; +allow hidumper_service storage_daemon:dir { search }; +allow hidumper_service storage_daemon:file { open }; +allow hidumper_service storage_manager:dir { search }; +allow hidumper_service storage_manager:file { open }; +allow hidumper_service system_basic_hap:dir { search }; +allow hidumper_service system_basic_hap:file { open }; +allow hidumper_service system_core_hap:dir { search }; +allow hidumper_service system_core_hap:file { open }; +allow hidumper_service telephony_sa:dir { search }; +allow hidumper_service telephony_sa:file { open }; +allow hidumper_service thermal:dir { search }; +allow hidumper_service thermal:file { open }; +allow hidumper_service time_service:dir { search }; +allow hidumper_service time_service:file { open }; +allow hidumper_service token_sync_service:dir { search }; +allow hidumper_service token_sync_service:file { open }; +allow hidumper_service token_sync_service:file { read }; +allow hidumper_service udevd:dir { search }; +allow hidumper_service udevd:file { open }; +allow hidumper_service udevd:file { read }; +allow hidumper_service ueventd:dir { search }; +allow hidumper_service ueventd:file { open }; +allow hidumper_service ui_service:dir { search }; +allow hidumper_service ui_service:file { open }; +allow hidumper_service updater_sa:dir { search }; +allow hidumper_service updater_sa:file { open }; +allow hidumper_service usb_host:dir { search }; +allow hidumper_service usb_host:file { open }; +allow hidumper_service usb_service:dir { search }; +allow hidumper_service usb_service:file { open }; +allow hidumper_service usb_service:file { read }; +allow hidumper_service usbfnMaster_host:dir { search }; +allow hidumper_service usbfnMaster_host:file { open }; +allow hidumper_service user_auth_host:dir { search }; +allow hidumper_service user_auth_host:file { open }; +allow hidumper_service useriam:dir { search }; +allow hidumper_service useriam:file { open }; +allow hidumper_service vibrator_dal_host:dir { search }; +allow hidumper_service vibrator_dal_host:file { open }; +allow hidumper_service vibrator_dal_host:file { read }; +allow hidumper_service watchdog_service:dir { search }; +allow hidumper_service watchdog_service:file { open }; +allow hidumper_service wifi_hal_service:dir { search }; +allow hidumper_service wifi_hal_service:file { open }; +allow hidumper_service wifi_hal_service:file { read }; +allow hidumper_service wifi_host:dir { search }; +allow hidumper_service wifi_host:file { open }; +allow hidumper_service wifi_manager_service:dir { search }; +allow hidumper_service wifi_manager_service:file { open }; +allow hidumper_service work_scheduler_service:dir { search }; +allow hidumper_service work_scheduler_service:file { open }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/init.te b/sepolicy/ohos_policy/kernel/linux/system/init.te new file mode 100644 index 0000000000000000000000000000000000000000..3373c80da6d565c7c6c9295e79d42d3fc67139f8 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/init.te @@ -0,0 +1,48 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init data_file:dir { add_name }; +allow init data_file:dir { remove_name }; +allow init data_file:dir { search }; +allow init data_file:dir { write }; +allow init data_file:file { create }; +allow init data_file:file { ioctl }; +allow init data_file:file { open }; +allow init data_file:file { read append }; +allow init data_file:file { rename }; +allow init data_file:file { unlink }; +allow init data_file:file { write }; +allow init dev_at_file:chr_file { ioctl }; +allow init dev_file:chr_file { ioctl }; +allow init dev_kmsg_file:chr_file { write }; +allow init dev_unix_socket:dir { search }; +allow init dev_unix_socket:sock_file { write }; +allow init init:capability { setgid }; +allow init init:capability { setuid }; +allow init init:capability { sys_chroot }; +allow init init:process { setexec }; +allow init kernel:unix_stream_socket { write }; +allow init lib_file:lnk_file { read }; +allow init system_basic_hap:dir { search }; +allow init system_basic_hap:file { open }; +allow init system_bin_file:dir { search }; +allow init thermal:process { rlimitinh }; +allow init thermal:process { siginh }; +allow init thermal:process { transition }; +allow init thermal_protector_exec:file { execute }; +allow init thermal_protector_exec:file { read open }; +allow init vendor_bin_file:dir { search }; +allow init vendor_bin_file:file { getattr }; +allowxperm init data_file:file ioctl 0x5413; +allowxperm init dev_at_file:chr_file ioctl 0x4102; +allowxperm init dev_file:chr_file ioctl 0x6202; diff --git a/sepolicy/ohos_policy/kernel/linux/system/memmgrservice.te b/sepolicy/ohos_policy/kernel/linux/system/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..fc1d0f3a555c2b7df01173649d7660f71f506a43 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/memmgrservice.te @@ -0,0 +1,291 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice accessibility:dir { search }; +allow memmgrservice accessibility:file { open }; +allow memmgrservice accessibility:file { read }; +allow memmgrservice accesstoken_service:dir { search }; +allow memmgrservice accesstoken_service:file { open }; +allow memmgrservice accesstoken_service:file { read }; +allow memmgrservice accountmgr:binder { call }; +allow memmgrservice accountmgr:binder { transfer }; +allow memmgrservice accountmgr:dir { search }; +allow memmgrservice accountmgr:file { open }; +allow memmgrservice accountmgr:file { read }; +allow memmgrservice appspawn:dir { search }; +allow memmgrservice appspawn:file { open }; +allow memmgrservice appspawn:file { read }; +allow memmgrservice audio_hdi_server_host:dir { search }; +allow memmgrservice audio_hdi_server_host:file { open }; +allow memmgrservice audio_hdi_server_host:file { read }; +allow memmgrservice battery_stats:dir { search }; +allow memmgrservice battery_stats:file { open }; +allow memmgrservice battery_stats:file { read }; +allow memmgrservice bgtaskmgr_service:binder { call }; +allow memmgrservice bgtaskmgr_service:binder { transfer }; +allow memmgrservice bgtaskmgr_service:dir { search }; +allow memmgrservice bgtaskmgr_service:file { open }; +allow memmgrservice bgtaskmgr_service:file { read }; +allow memmgrservice blue_host:dir { search }; +allow memmgrservice blue_host:file { open }; +allow memmgrservice blue_host:file { read }; +allow memmgrservice bluetooth_service:dir { search }; +allow memmgrservice bluetooth_service:file { open }; +allow memmgrservice bluetooth_service:file { read }; +allow memmgrservice bootanimation:dir { search }; +allow memmgrservice bootanimation:file { open }; +allow memmgrservice bootanimation:file { read }; +allow memmgrservice camera_host:dir { search }; +allow memmgrservice camera_host:file { open }; +allow memmgrservice camera_host:file { read }; +allow memmgrservice camera_service:dir { search }; +allow memmgrservice camera_service:file { open }; +allow memmgrservice camera_service:file { read }; +allow memmgrservice cgroup:dir { add_name }; +allow memmgrservice cgroup:dir { create }; +allow memmgrservice cgroup:dir { search }; +allow memmgrservice cgroup:dir { write }; +allow memmgrservice cgroup:file { append }; +allow memmgrservice cgroup:file { create }; +allow memmgrservice cgroup:file { getattr }; +allow memmgrservice cgroup:file { ioctl }; +allow memmgrservice cgroup:file { open }; +allow memmgrservice cgroup:file { read }; +allow memmgrservice cgroup:file { write }; +allow memmgrservice codec_host:dir { search }; +allow memmgrservice codec_host:file { open }; +allow memmgrservice codec_host:file { read }; +allow memmgrservice console:dir { search }; +allow memmgrservice console:file { open }; +allow memmgrservice console:file { read }; +allow memmgrservice dev_unix_socket:dir { search }; +allow memmgrservice device_usage_stats_service:dir { search }; +allow memmgrservice device_usage_stats_service:file { open }; +allow memmgrservice device_usage_stats_service:file { read }; +allow memmgrservice deviceinfoservice:dir { search }; +allow memmgrservice deviceinfoservice:file { open }; +allow memmgrservice deviceinfoservice:file { read }; +allow memmgrservice disp_gralloc_host:dir { search }; +allow memmgrservice disp_gralloc_host:file { open }; +allow memmgrservice disp_gralloc_host:file { read }; +allow memmgrservice distributeddata:dir { search }; +allow memmgrservice distributeddata:file { open }; +allow memmgrservice distributeddata:file { read }; +allow memmgrservice distributedfiledaemon:dir { search }; +allow memmgrservice distributedfiledaemon:file { open }; +allow memmgrservice distributedfiledaemon:file { read }; +allow memmgrservice distributedfileservice:dir { search }; +allow memmgrservice distributedfileservice:file { open }; +allow memmgrservice distributedfileservice:file { read }; +allow memmgrservice distributedsche:dir { search }; +allow memmgrservice distributedsche:file { open }; +allow memmgrservice distributedsche:file { read }; +allow memmgrservice download_server:dir { search }; +allow memmgrservice download_server:file { open }; +allow memmgrservice download_server:file { read }; +allow memmgrservice dslm_service:dir { search }; +allow memmgrservice dslm_service:file { open }; +allow memmgrservice dslm_service:file { read }; +allow memmgrservice edm_sa:dir { search }; +allow memmgrservice edm_sa:file { open }; +allow memmgrservice edm_sa:file { read }; +allow memmgrservice faceauth:dir { search }; +allow memmgrservice faceauth:file { open }; +allow memmgrservice faceauth:file { read }; +allow memmgrservice faultloggerd:dir { search }; +allow memmgrservice faultloggerd:file { open }; +allow memmgrservice faultloggerd:file { read }; +allow memmgrservice fms_service:dir { search }; +allow memmgrservice fms_service:file { open }; +allow memmgrservice fms_service:file { read }; +allow memmgrservice foundation:binder { call }; +allow memmgrservice foundation:binder { transfer }; +allow memmgrservice foundation:dir { search }; +allow memmgrservice foundation:file { open }; +allow memmgrservice foundation:file { read }; +allow memmgrservice hdcd:dir { search }; +allow memmgrservice hdcd:file { open }; +allow memmgrservice hdcd:file { read }; +allow memmgrservice hdf_devmgr:dir { search }; +allow memmgrservice hdf_devmgr:file { open }; +allow memmgrservice hdf_devmgr:file { read }; +allow memmgrservice hidumper_service:dir { search }; +allow memmgrservice hidumper_service:file { open }; +allow memmgrservice hidumper_service:file { read }; +allow memmgrservice hilogd:dir { search }; +allow memmgrservice hilogd:file { open }; +allow memmgrservice hilogd:file { read }; +allow memmgrservice hiview:dir { search }; +allow memmgrservice hiview:file { open }; +allow memmgrservice hiview:file { read }; +allow memmgrservice huks_service:dir { search }; +allow memmgrservice huks_service:file { open }; +allow memmgrservice huks_service:file { read }; +allow memmgrservice init:dir { search }; +allow memmgrservice init:file { open }; +allow memmgrservice init:file { read }; +allow memmgrservice input_user_host:dir { search }; +allow memmgrservice input_user_host:file { open }; +allow memmgrservice input_user_host:file { read }; +allow memmgrservice inputmethod_service:dir { search }; +allow memmgrservice inputmethod_service:file { open }; +allow memmgrservice inputmethod_service:file { read }; +allow memmgrservice installs:dir { search }; +allow memmgrservice installs:file { open }; +allow memmgrservice installs:file { read }; +allow memmgrservice kernel:dir { search }; +allow memmgrservice kernel:file { open }; +allow memmgrservice kernel:file { read }; +allow memmgrservice light_dal_host:dir { search }; +allow memmgrservice light_dal_host:file { open }; +allow memmgrservice light_dal_host:file { read }; +allow memmgrservice limit_domain:dir { search }; +allow memmgrservice limit_domain:file { open }; +allow memmgrservice limit_domain:file { read }; +allow memmgrservice locationhub:dir { search }; +allow memmgrservice locationhub:file { open }; +allow memmgrservice locationhub:file { read }; +allow memmgrservice media_service:dir { search }; +allow memmgrservice media_service:file { open }; +allow memmgrservice media_service:file { read }; +allow memmgrservice mmi_uinput_service:dir { search }; +allow memmgrservice mmi_uinput_service:file { open }; +allow memmgrservice mmi_uinput_service:file { read }; +allow memmgrservice msdp_sa:dir { search }; +allow memmgrservice msdp_sa:file { open }; +allow memmgrservice msdp_sa:file { read }; +allow memmgrservice multimodalinput:dir { search }; +allow memmgrservice multimodalinput:file { open }; +allow memmgrservice multimodalinput:file { read }; +allow memmgrservice netmanager:dir { search }; +allow memmgrservice netmanager:file { open }; +allow memmgrservice netmanager:file { read }; +allow memmgrservice netsysnative:dir { search }; +allow memmgrservice netsysnative:file { open }; +allow memmgrservice netsysnative:file { read }; +allow memmgrservice normal_hap:dir { search }; +allow memmgrservice normal_hap:file { open }; +allow memmgrservice normal_hap:file { read }; +allow memmgrservice normal_hap:file { write }; +allow memmgrservice normal_hap:process { sigkill }; +allow memmgrservice param_watcher:dir { search }; +allow memmgrservice param_watcher:file { open }; +allow memmgrservice param_watcher:file { read }; +allow memmgrservice pasteboard_service:dir { search }; +allow memmgrservice pasteboard_service:file { open }; +allow memmgrservice pasteboard_service:file { read }; +allow memmgrservice pinauth:dir { search }; +allow memmgrservice pinauth:file { open }; +allow memmgrservice pinauth:file { read }; +allow memmgrservice power_host:dir { search }; +allow memmgrservice power_host:file { open }; +allow memmgrservice power_host:file { read }; +allow memmgrservice proc_file:file { open }; +allow memmgrservice proc_file:file { write }; +allow memmgrservice proc_meminfo_file:file { open }; +allow memmgrservice proc_meminfo_file:file { read }; +allow memmgrservice render_service:dir { search }; +allow memmgrservice render_service:file { open }; +allow memmgrservice render_service:file { read }; +allow memmgrservice resource_schedule_service:dir { search }; +allow memmgrservice resource_schedule_service:file { open }; +allow memmgrservice resource_schedule_service:file { read }; +allow memmgrservice samgr:dir { search }; +allow memmgrservice samgr:file { open }; +allow memmgrservice samgr:file { read }; +allow memmgrservice screenlock_server:dir { search }; +allow memmgrservice screenlock_server:file { open }; +allow memmgrservice screenlock_server:file { read }; +allow memmgrservice sensor_dal_host:dir { search }; +allow memmgrservice sensor_dal_host:file { open }; +allow memmgrservice sensor_dal_host:file { read }; +allow memmgrservice sensors:dir { search }; +allow memmgrservice sensors:file { open }; +allow memmgrservice sensors:file { read }; +allow memmgrservice softbus_server:dir { search }; +allow memmgrservice softbus_server:file { open }; +allow memmgrservice softbus_server:file { read }; +allow memmgrservice storage_daemon:dir { search }; +allow memmgrservice storage_daemon:file { open }; +allow memmgrservice storage_daemon:file { read }; +allow memmgrservice storage_manager:dir { search }; +allow memmgrservice storage_manager:file { open }; +allow memmgrservice storage_manager:file { read }; +allow memmgrservice system_basic_hap:dir { search }; +allow memmgrservice system_basic_hap:file { open }; +allow memmgrservice system_basic_hap:file { read }; +allow memmgrservice system_basic_hap:file { write }; +allow memmgrservice system_basic_hap:process { sigkill }; +allow memmgrservice system_core_hap:dir { search }; +allow memmgrservice system_core_hap:file { open }; +allow memmgrservice system_core_hap:file { read }; +allow memmgrservice system_core_hap:file { write }; +allow memmgrservice system_core_hap:process { sigkill }; +allow memmgrservice telephony_sa:dir { search }; +allow memmgrservice telephony_sa:file { open }; +allow memmgrservice telephony_sa:file { read }; +allow memmgrservice thermal:dir { search }; +allow memmgrservice thermal:file { open }; +allow memmgrservice thermal:file { read }; +allow memmgrservice time_service:dir { search }; +allow memmgrservice time_service:file { open }; +allow memmgrservice time_service:file { read }; +allow memmgrservice token_sync_service:dir { search }; +allow memmgrservice token_sync_service:file { open }; +allow memmgrservice token_sync_service:file { read }; +allow memmgrservice udevd:dir { search }; +allow memmgrservice udevd:file { open }; +allow memmgrservice udevd:file { read }; +allow memmgrservice ueventd:dir { search }; +allow memmgrservice ueventd:file { open }; +allow memmgrservice ueventd:file { read }; +allow memmgrservice ui_service:dir { search }; +allow memmgrservice ui_service:file { open }; +allow memmgrservice ui_service:file { read }; +allow memmgrservice updater_sa:dir { search }; +allow memmgrservice updater_sa:file { open }; +allow memmgrservice updater_sa:file { read }; +allow memmgrservice usb_host:dir { search }; +allow memmgrservice usb_host:file { open }; +allow memmgrservice usb_host:file { read }; +allow memmgrservice usb_service:dir { search }; +allow memmgrservice usb_service:file { open }; +allow memmgrservice usb_service:file { read }; +allow memmgrservice usbfnMaster_host:dir { search }; +allow memmgrservice usbfnMaster_host:file { open }; +allow memmgrservice usbfnMaster_host:file { read }; +allow memmgrservice user_auth_host:dir { search }; +allow memmgrservice user_auth_host:file { open }; +allow memmgrservice user_auth_host:file { read }; +allow memmgrservice useriam:dir { search }; +allow memmgrservice useriam:file { open }; +allow memmgrservice useriam:file { read }; +allow memmgrservice vibrator_dal_host:dir { search }; +allow memmgrservice vibrator_dal_host:file { open }; +allow memmgrservice vibrator_dal_host:file { read }; +allow memmgrservice watchdog_service:dir { search }; +allow memmgrservice watchdog_service:file { open }; +allow memmgrservice watchdog_service:file { read }; +allow memmgrservice wifi_hal_service:dir { search }; +allow memmgrservice wifi_hal_service:file { open }; +allow memmgrservice wifi_hal_service:file { read }; +allow memmgrservice wifi_host:dir { search }; +allow memmgrservice wifi_host:file { open }; +allow memmgrservice wifi_host:file { read }; +allow memmgrservice wifi_manager_service:dir { search }; +allow memmgrservice wifi_manager_service:file { open }; +allow memmgrservice wifi_manager_service:file { read }; +allow memmgrservice work_scheduler_service:dir { search }; +allow memmgrservice work_scheduler_service:file { open }; +allow memmgrservice work_scheduler_service:file { read }; +allowxperm memmgrservice cgroup:file ioctl 0x5413; diff --git a/sepolicy/ohos_policy/kernel/linux/system/normal_hap.te b/sepolicy/ohos_policy/kernel/linux/system/normal_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..4365b5517ecd4dd44f52e577bfff9926f552c8d0 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/normal_hap.te @@ -0,0 +1,156 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap accesstoken_service:binder { call }; +allow normal_hap configfs:dir { mounton }; +allow normal_hap data_app_el1_file:dir { mounton }; +allow normal_hap data_app_el1_file:file { execute }; +allow normal_hap data_file:dir { mounton }; +allow normal_hap data_init_agent:dir { search }; +allow normal_hap data_init_agent:file { ioctl }; +allow normal_hap data_init_agent:file { open }; +allow normal_hap data_init_agent:file { read append }; +allow normal_hap data_service_el2_file:dir { add_name }; +allow normal_hap data_service_el2_file:dir { create }; +allow normal_hap data_service_el2_file:dir { getattr }; +allow normal_hap data_service_el2_file:dir { read open }; +allow normal_hap data_service_el2_file:dir { search }; +allow normal_hap data_service_el2_file:dir { write }; +allow normal_hap data_service_el2_file:file { create }; +allow normal_hap data_service_el2_file:file { getattr }; +allow normal_hap data_storage:dir { mounton }; +allow normal_hap dev_ashmem_file:chr_file { open }; +allow normal_hap dev_dri_file:chr_file { getattr }; +allow normal_hap dev_dri_file:chr_file { ioctl }; +allow normal_hap dev_dri_file:chr_file { open }; +allow normal_hap dev_dri_file:chr_file { read write }; +allow normal_hap dev_dri_file:dir { search }; +allow normal_hap dev_file:dir { mounton }; +allow normal_hap dev_mali:chr_file { getattr }; +allow normal_hap dev_mali:chr_file { map }; +allow normal_hap dev_unix_socket:dir { search }; +allow normal_hap disp_gralloc_host:fd { use }; +allow normal_hap distributeddata:binder { call }; +allow normal_hap distributeddata:binder { transfer }; +allow normal_hap distributedsche:binder { call }; +allow normal_hap hdcd:unix_stream_socket { connectto }; +allow normal_hap hisysevent_socket:sock_file { write }; +allow normal_hap hmdfs:dir { add_name }; +allow normal_hap hmdfs:dir { create }; +allow normal_hap hmdfs:dir { mounton }; +allow normal_hap hmdfs:dir { open }; +allow normal_hap hmdfs:dir { read }; +allow normal_hap hmdfs:dir { search }; +allow normal_hap hmdfs:dir { write }; +allow normal_hap hmdfs:file { create }; +allow normal_hap hmdfs:file { getattr }; +allow normal_hap hmdfs:file { ioctl }; +allow normal_hap hmdfs:file { open }; +allow normal_hap hmdfs:file { read }; +allow normal_hap hmdfs:file { write open }; +allow normal_hap media_service:binder { call }; +allow normal_hap media_service:binder { transfer }; +allow normal_hap multimodalinput:unix_stream_socket { read write }; +allow normal_hap normal_hap:binder { call }; +allow normal_hap normal_hap:binder { transfer }; +allow normal_hap normal_hap:unix_dgram_socket { getopt }; +allow normal_hap normal_hap:unix_dgram_socket { setopt }; +allow normal_hap normal_hap_data_file:dir { add_name }; +allow normal_hap normal_hap_data_file:dir { create }; +allow normal_hap normal_hap_data_file:dir { getattr }; +allow normal_hap normal_hap_data_file:dir { mounton }; +allow normal_hap normal_hap_data_file:dir { open }; +allow normal_hap normal_hap_data_file:dir { read }; +allow normal_hap normal_hap_data_file:dir { remove_name }; +allow normal_hap normal_hap_data_file:dir { search }; +allow normal_hap normal_hap_data_file:dir { write }; +allow normal_hap normal_hap_data_file:file { create }; +allow normal_hap normal_hap_data_file:file { getattr }; +allow normal_hap normal_hap_data_file:file { ioctl }; +allow normal_hap normal_hap_data_file:file { lock }; +allow normal_hap normal_hap_data_file:file { map }; +allow normal_hap normal_hap_data_file:file { open }; +allow normal_hap normal_hap_data_file:file { read write open }; +allow normal_hap normal_hap_data_file:file { read write }; +allow normal_hap normal_hap_data_file:file { read }; +allow normal_hap normal_hap_data_file:file { unlink }; +allow normal_hap normal_hap_data_file:file { write }; +allow normal_hap proc_cpuinfo_file:file { getattr }; +allow normal_hap proc_cpuinfo_file:file { open }; +allow normal_hap proc_cpuinfo_file:file { read }; +allow normal_hap proc_file:file { open }; +allow normal_hap proc_file:file { read }; +allow normal_hap render_service:unix_stream_socket { read }; +allow normal_hap render_service:unix_stream_socket { write }; +allow normal_hap resource_schedule_service:binder { call }; +allow normal_hap rootfs:dir { mounton }; +allow normal_hap sys_file:dir { mounton }; +allow normal_hap sys_file:dir { open }; +allow normal_hap sys_file:dir { read }; +allow normal_hap sys_file:file { open }; +allow normal_hap sys_file:file { read }; +allow normal_hap system_basic_hap:binder { call }; +allow normal_hap system_basic_hap:fd { use }; +allow normal_hap system_bin_file:dir { mounton }; +allow normal_hap system_core_hap:binder { transfer }; +allow normal_hap system_etc_file:dir { mounton }; +allow normal_hap system_file:dir { mounton }; +allow normal_hap system_fonts_file:dir { mounton }; +allow normal_hap system_fonts_file:dir { search }; +allow normal_hap system_fonts_file:file { getattr }; +allow normal_hap system_fonts_file:file { map }; +allow normal_hap system_fonts_file:file { open }; +allow normal_hap system_fonts_file:file { read }; +allow normal_hap system_lib_file:dir { mounton }; +allow normal_hap system_lib_file:dir { open }; +allow normal_hap system_lib_file:dir { read }; +allow normal_hap system_profile_file:dir { mounton }; +allow normal_hap system_usr_file:dir { mounton }; +allow normal_hap system_usr_file:dir { search }; +allow normal_hap telephony_sa:binder { call }; +allow normal_hap tmpfs:dir { add_name }; +allow normal_hap tmpfs:dir { create }; +allow normal_hap tmpfs:dir { mounton }; +allow normal_hap tmpfs:dir { write }; +allow normal_hap tmpfs:lnk_file { create }; +allow normal_hap tracefs:dir { search }; +allow normal_hap tracefs:file { open }; +allow normal_hap tracefs:file { write }; +allow normal_hap tracefs_trace_marker_file:file { open }; +allow normal_hap tracefs_trace_marker_file:file { write }; +allowxperm normal_hap data_init_agent:file ioctl 0x5413; +allowxperm normal_hap dev_dri_file:chr_file ioctl 0x641f; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8000; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8001; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8002; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8003; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8005; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8006; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8007; +allowxperm normal_hap dev_mali:chr_file ioctl 0x800e; +allowxperm normal_hap dev_mali:chr_file ioctl 0x800f; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8011; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8016; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8018; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8019; +allowxperm normal_hap dev_mali:chr_file ioctl 0x801d; +allowxperm normal_hap dev_mali:chr_file ioctl 0x801e; +allowxperm normal_hap dev_mali:chr_file ioctl 0x8026; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab02; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab05; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab06; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab09; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab0c; +allowxperm normal_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab0d; +allowxperm normal_hap hmdfs:file ioctl 0x5413; +allowxperm normal_hap normal_hap_data_file:file ioctl 0xf50c; diff --git a/sepolicy/ohos_policy/kernel/linux/system/render_service.te b/sepolicy/ohos_policy/kernel/linux/system/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..7fc4f6e5a3c945d0e4a3c66481c39141687e235e --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/render_service.te @@ -0,0 +1,15 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service proc_file:file { open }; +allow render_service proc_file:file { read }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/resource_schedule_service.te b/sepolicy/ohos_policy/kernel/linux/system/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3358f9f61180028f6ad6434bc0cc155ed969aa08 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/resource_schedule_service.te @@ -0,0 +1,17 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow resource_schedule_service dev_sched_rtg_ctrl:chr_file { ioctl }; +allow resource_schedule_service dev_sched_rtg_ctrl:chr_file { open }; +allow resource_schedule_service dev_sched_rtg_ctrl:chr_file { read write }; +allowxperm resource_schedule_service dev_sched_rtg_ctrl:chr_file ioctl 0xab02; diff --git a/sepolicy/ohos_policy/kernel/linux/system/samgr.te b/sepolicy/ohos_policy/kernel/linux/system/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..24b4571a0012adba3b0b2bc5ada820ed19325736 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/samgr.te @@ -0,0 +1,108 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr audio_policy:dir { search }; +allow samgr audio_policy:file { open }; +allow samgr audio_policy:file { read }; +allow samgr bgtaskmgr_service:dir { search }; +allow samgr bgtaskmgr_service:file { open }; +allow samgr bgtaskmgr_service:file { read }; +allow samgr bluetooth_service:dir { search }; +allow samgr bluetooth_service:file { open }; +allow samgr bluetooth_service:file { read }; +allow samgr camera_host:dir { search }; +allow samgr camera_host:file { open }; +allow samgr camera_host:file { read }; +allow samgr camera_service:dir { search }; +allow samgr camera_service:file { open }; +allow samgr camera_service:file { read }; +allow samgr device_usage_stats_service:dir { search }; +allow samgr device_usage_stats_service:file { open }; +allow samgr device_usage_stats_service:file { read }; +allow samgr deviceinfoservice:dir { search }; +allow samgr deviceinfoservice:file { open }; +allow samgr deviceinfoservice:file { read }; +allow samgr distributeddata:dir { search }; +allow samgr distributeddata:file { open }; +allow samgr distributeddata:file { read }; +allow samgr distributeddata:process { getattr }; +allow samgr foundation:dir { search }; +allow samgr foundation:file { open }; +allow samgr foundation:file { read }; +allow samgr foundation:process { getattr }; +allow samgr hiview:dir { search }; +allow samgr hiview:file { open }; +allow samgr hiview:file { read }; +allow samgr inputmethod_service:dir { search }; +allow samgr inputmethod_service:file { open }; +allow samgr inputmethod_service:file { read }; +allow samgr limit_domain:dir { search }; +allow samgr limit_domain:file { open }; +allow samgr limit_domain:file { read }; +allow samgr locationhub:dir { search }; +allow samgr locationhub:file { open }; +allow samgr locationhub:file { read }; +allow samgr memmgrservice:dir { search }; +allow samgr memmgrservice:file { open }; +allow samgr memmgrservice:file { read }; +allow samgr memmgrservice:process { getattr }; +allow samgr msdp_sa:dir { search }; +allow samgr msdp_sa:file { open }; +allow samgr msdp_sa:file { read }; +allow samgr multimodalinput:dir { search }; +allow samgr multimodalinput:file { open }; +allow samgr multimodalinput:file { read }; +allow samgr netmanager:dir { search }; +allow samgr netmanager:file { open }; +allow samgr netmanager:file { read }; +allow samgr normal_hap:dir { search }; +allow samgr normal_hap:file { open }; +allow samgr normal_hap:file { read }; +allow samgr normal_hap:process { getattr }; +allow samgr pinauth:dir { search }; +allow samgr pinauth:file { open }; +allow samgr pinauth:file { read }; +allow samgr screenlock_server:dir { search }; +allow samgr screenlock_server:file { open }; +allow samgr screenlock_server:file { read }; +allow samgr softbus_server:dir { search }; +allow samgr softbus_server:file { open }; +allow samgr softbus_server:file { read }; +allow samgr storage_manager:dir { search }; +allow samgr storage_manager:file { open }; +allow samgr storage_manager:file { read }; +allow samgr system_basic_hap:dir { search }; +allow samgr system_basic_hap:file { open }; +allow samgr system_basic_hap:file { read }; +allow samgr system_core_hap:dir { search }; +allow samgr system_core_hap:file { open }; +allow samgr system_core_hap:file { read }; +allow samgr telephony_sa:dir { search }; +allow samgr telephony_sa:file { open }; +allow samgr telephony_sa:file { read }; +allow samgr time_service:dir { search }; +allow samgr time_service:file { open }; +allow samgr time_service:file { read }; +allow samgr token_sync_service:dir { search }; +allow samgr token_sync_service:file { open }; +allow samgr token_sync_service:file { read }; +allow samgr useriam:dir { search }; +allow samgr useriam:file { open }; +allow samgr useriam:file { read }; +allow samgr useriam:process { getattr }; +allow samgr wifi_manager_service:dir { search }; +allow samgr wifi_manager_service:file { open }; +allow samgr wifi_manager_service:file { read }; +allow samgr work_scheduler_service:dir { search }; +allow samgr work_scheduler_service:file { open }; +allow samgr work_scheduler_service:file { read }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/system_basic_hap.te b/sepolicy/ohos_policy/kernel/linux/system/system_basic_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..f565d1db89bf768e81e7a37893c547da3817be60 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/system_basic_hap.te @@ -0,0 +1,68 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_basic_hap accountmgr:binder { call }; +allow system_basic_hap configfs:dir { mounton }; +allow system_basic_hap data_app_el1_file:dir { mounton }; +allow system_basic_hap data_init_agent:dir { search }; +allow system_basic_hap data_init_agent:file { ioctl }; +allow system_basic_hap data_init_agent:file { open }; +allow system_basic_hap data_init_agent:file { read append }; +allow system_basic_hap dev_file:dir { mounton }; +allow system_basic_hap dev_mali:chr_file { getattr }; +allow system_basic_hap dev_mali:chr_file { map }; +allow system_basic_hap dev_unix_socket:dir { search }; +allow system_basic_hap dev_unix_socket:sock_file { write }; +allow system_basic_hap disp_gralloc_host:fd { use }; +allow system_basic_hap hdcd:unix_stream_socket { connectto }; +allow system_basic_hap multimodalinput:unix_stream_socket { read }; +allow system_basic_hap multimodalinput:unix_stream_socket { write }; +allow system_basic_hap proc_file:file { open }; +allow system_basic_hap proc_file:file { read }; +allow system_basic_hap render_service:unix_stream_socket { read }; +allow system_basic_hap rootfs:dir { mounton }; +allow system_basic_hap screenlock_server:binder { call }; +allow system_basic_hap sys_file:dir { mounton }; +allow system_basic_hap system_basic_hap_data_file:dir { mounton }; +allow system_basic_hap system_basic_hap_data_file:dir { open }; +allow system_basic_hap system_basic_hap_data_file:dir { read }; +allow system_basic_hap system_bin_file:dir { mounton }; +allow system_basic_hap system_etc_file:dir { mounton }; +allow system_basic_hap system_file:dir { mounton }; +allow system_basic_hap system_fonts_file:dir { mounton }; +allow system_basic_hap system_fonts_file:dir { search }; +allow system_basic_hap system_fonts_file:file { getattr }; +allow system_basic_hap system_fonts_file:file { map }; +allow system_basic_hap system_fonts_file:file { open }; +allow system_basic_hap system_fonts_file:file { read }; +allow system_basic_hap system_lib_file:dir { mounton }; +allow system_basic_hap system_lib_file:dir { open }; +allow system_basic_hap system_lib_file:dir { read }; +allow system_basic_hap system_profile_file:dir { mounton }; +allow system_basic_hap system_usr_file:dir { mounton }; +allow system_basic_hap system_usr_file:dir { search }; +allow system_basic_hap tmpfs:dir { add_name }; +allow system_basic_hap tmpfs:dir { create }; +allow system_basic_hap tmpfs:dir { mounton }; +allow system_basic_hap tmpfs:dir { write }; +allow system_basic_hap tmpfs:lnk_file { create }; +allow system_basic_hap tracefs:dir { search }; +allow system_basic_hap tracefs_trace_marker_file:file { open }; +allow system_basic_hap tracefs_trace_marker_file:file { write }; +allow system_basic_hap useriam:binder { call }; +allow system_basic_hap useriam:binder { transfer }; +allowxperm system_basic_hap data_init_agent:file ioctl 0x5413; +allowxperm system_basic_hap dev_mali:chr_file ioctl 0x8000; +allowxperm system_basic_hap dev_mali:chr_file ioctl 0x800f; +allowxperm system_basic_hap dev_mali:chr_file ioctl 0x8016; +allowxperm system_basic_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab0d; diff --git a/sepolicy/ohos_policy/kernel/linux/system/system_core_hap.te b/sepolicy/ohos_policy/kernel/linux/system/system_core_hap.te new file mode 100644 index 0000000000000000000000000000000000000000..cc2b4c579c62fb72800bc992d3b48a55ece5b2e3 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/system_core_hap.te @@ -0,0 +1,16 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow system_core_hap proc_file:file { open }; +allow system_core_hap proc_file:file { read }; +allowxperm system_core_hap dev_sched_rtg_ctrl:chr_file ioctl 0xab0d; diff --git a/sepolicy/ohos_policy/kernel/linux/system/thermal.te b/sepolicy/ohos_policy/kernel/linux/system/thermal.te new file mode 100644 index 0000000000000000000000000000000000000000..8c4ef8eee213ff6031b90d72d4fc7fc3e75670a3 --- /dev/null +++ b/sepolicy/ohos_policy/kernel/linux/system/thermal.te @@ -0,0 +1,28 @@ +# Copyright (c) 2021-2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow thermal data_file:dir { search }; +allow thermal data_file:file { ioctl }; +allow thermal data_file:file { open }; +allow thermal data_file:file { read write }; +allow thermal dev_unix_socket:dir { search }; +allow thermal dev_unix_socket:sock_file { write }; +allow thermal sys_file:file { open }; +allow thermal sys_file:file { read }; +allow thermal system_bin_file:dir { search }; +allow thermal thermal_protector_exec:file { entrypoint }; +allow thermal thermal_protector_exec:file { execute }; +allow thermal thermal_protector_exec:file { map }; +allow thermal thermal_protector_exec:file { read }; +allow thermal vendor_lib_file:dir { search }; +allowxperm thermal data_file:file ioctl 0x5413;