From c6df3f3375f4e7aafbfa65a5ef04e7d67ffb1bc3 Mon Sep 17 00:00:00 2001
From: xujie
Date: Wed, 17 May 2023 22:18:51 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E8=A7=A3=E5=86=B3USB=E5=85=B1=E4=BA=AB?=
 =?UTF-8?q?=E9=9C=80=E8=A6=81=E5=85=B3=E9=97=ADselinux=E6=9D=83=E9=99=90?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: xujie
---
 sepolicy/base/public/domain.te | 2 +-
 .../ohos_policy/communication/netmanager/system/netmanager.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index dbd26af8c..17c692950 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -286,7 +286,7 @@ neverallow { domain -init -appspawn -nwebspawn -storage_daemon debug_only(`-cons
 neverallow { domain -init -ueventd -appspawn -nwebspawn -storage_daemon debug_only(`-console -hdcd -hiperf -hiprofilerd -hiprofiler_plugins -hiprofiler_cmd -native_daemon -bytrace -hitrace') updater_only(` -updater ') } self:{ capability cap_userns } setgid;
 neverallow { domain -init } self:{ capability cap_userns } setpcap;
 neverallow * self:{ capability cap_userns } linux_immutable;
-neverallow { domain -wifi_manager_service -netsysnative } self:{ capability cap_userns } net_bind_service;
+neverallow { domain -wifi_manager_service -netsysnative -netmanager} self:{ capability cap_userns } net_bind_service;
 neverallow * self:{ capability cap_userns } net_broadcast;
 neverallow { domain -init -ueventd -wifi_hal_service -wifi_manager_service -softbus_server -netsysnative -storage_daemon -udevd -blue_host -netmanager -riladapter_host -bluetooth_service -cap_violator_netadmin } self:{ capability cap_userns } net_admin;
 neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -netsysnative } self:{ capability cap_userns } net_raw;
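Review bot: The added exemption `-netmanager}` drops the space before the closing brace that every other set on these lines keeps (`-netsysnative } self:`); write the new line as `neverallow { domain -wifi_manager_service -netsysnative -netmanager } self:{ capability cap_userns } net_bind_service;`. Removing a domain from this neverallow is what allows it to bind ports below 1024, so the rationale should be recorded: the subject says only "USB sharing", not which privileged port netmanager has to bind (presumably a listener for the tethered link, to be confirmed). A comment on the exclusion such as `# netmanager: net_bind_service for USB sharing` or a sentence in the commit message would make this exemption auditable later.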
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
index 53677059a..58f2cb8b1 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
@@ -33,6 +33,7 @@ allow netmanager foundation:binder { call transfer };
 allow netmanager kernel:unix_stream_socket { connectto };
 allow netmanager musl_param:file { read };
 allow netmanager netmanager:capability { net_admin };
+allow netmanager netmanager:capability { net_bind_service };
 allow netmanager netmanager:capability { net_raw };
 allow netmanager netmanager:netlink_route_socket { create nlmsg_read read write };
 allow netmanager netmanager:packet_socket { bind create read write };
--
Gitee
From 34ff520fbfb4c02147849233b9568b92b34d37a4 Mon Sep 17 00:00:00 2001
From: xujie
Date: Mon, 22 May 2023 12:07:59 +0800
Subject: [PATCH 2/3] update 5.22
Signed-off-by: xujie
---
 sepolicy/base/public/domain.te | 2 +-
 .../ohos_policy/communication/netmanager/system/netmanager.te | 1 -
 .../ohos_policy/communication/netmanager/system/netsysnative.te | 1 +
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index 17c692950..dbd26af8c 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
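Review bot: The new `allow netmanager netmanager:capability { net_bind_service };` carries no comment, so the grant of CAP_NET_BIND_SERVICE — which covers every port below 1024, not one service — is explained nowhere in the file; the only rationale is the commit subject about USB sharing. Put the reason on the rule, e.g. `# CAP_NET_BIND_SERVICE for USB sharing; the privileged port bound is not recorded — confirm and name it`, and state the port in the commit message so a later audit can check the grant is still needed. The placement itself is consistent with the file: one capability per line, alphabetical between the existing `net_admin` and `net_raw` rules, and in the .te that owns the netmanager domain.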
@@ -286,7 +286,7 @@ neverallow { domain -init -appspawn -nwebspawn -storage_daemon debug_only(`-cons
 neverallow { domain -init -ueventd -appspawn -nwebspawn -storage_daemon debug_only(`-console -hdcd -hiperf -hiprofilerd -hiprofiler_plugins -hiprofiler_cmd -native_daemon -bytrace -hitrace') updater_only(` -updater ') } self:{ capability cap_userns } setgid;
 neverallow { domain -init } self:{ capability cap_userns } setpcap;
 neverallow * self:{ capability cap_userns } linux_immutable;
-neverallow { domain -wifi_manager_service -netsysnative -netmanager} self:{ capability cap_userns } net_bind_service;
+neverallow { domain -wifi_manager_service -netsysnative } self:{ capability cap_userns } net_bind_service;
 neverallow * self:{ capability cap_userns } net_broadcast;
 neverallow { domain -init -ueventd -wifi_hal_service -wifi_manager_service -softbus_server -netsysnative -storage_daemon -udevd -blue_host -netmanager -riladapter_host -bluetooth_service -cap_violator_netadmin } self:{ capability cap_userns } net_admin;
 neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -netsysnative } self:{ capability cap_userns } net_raw;
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
index 58f2cb8b1..53677059a 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
@@ -33,7 +33,6 @@ allow netmanager foundation:binder { call transfer };
 allow netmanager kernel:unix_stream_socket { connectto };
 allow netmanager musl_param:file { read };
 allow netmanager netmanager:capability { net_admin };
-allow netmanager netmanager:capability { net_bind_service };
 allow netmanager netmanager:capability { net_raw };
 allow netmanager netmanager:netlink_route_socket { create nlmsg_read read write };
 allow netmanager netmanager:packet_socket { bind create read write };
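Review bot: Restoring `neverallow { domain -wifi_manager_service -netsysnative } self:{ capability cap_userns } net_bind_service;` forbids net_bind_service for netmanager again, yet this same patch still adds `allow netmanager netmanager:capability { net_bind_service };` (in netsysnative.te, per the diffstat). netmanager is a member of `domain` and is no longer excluded here, so the allow rule and the neverallow contradict each other: if the policy build enforces neverallow checks the compile will fail on that rule, and if it does not, this line now documents a restriction the compiled policy does not actually enforce. Either keep netmanager in the exclusion set, written with the conventional spacing as `-netsysnative -netmanager } self:`, or drop the allow rule; the commit message "update 5.22" does not say which outcome is intended.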
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
index 39e1ffab5..c6dd4b903 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
@@ -66,6 +66,7 @@ allow netsysnative netsysnative:bpf { map_read prog_load map_create prog_run map
 allow netsysnative data_file:file { read };
 allow netsysnative sa_netsys_ext_service:samgr_class { add get };
 allow netmanager sa_netsys_ext_service:samgr_class { add get };
+allow netmanager netmanager:capability { net_bind_service };
 allow sa_netsys_ext_service sa_netsys_ext_service:samgr_class { add get };
 allow system_basic_hap sa_netsys_ext_service:samgr_class { add get };
 allow system_core_hap sa_netsys_ext_service:samgr_class { add get };
--
Gitee
From 74e626e118b079202f7e7ba54cb48cf6202a32c7 Mon Sep 17 00:00:00 2001
From: xujie
Date: Mon, 22 May 2023 15:11:33 +0800
Subject: [PATCH 3/3] update 5.22
Signed-off-by: xujie
---
 .../ohos_policy/communication/netmanager/system/netsysnative.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
index c6dd4b903..5d1736567 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
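Review bot: The added `allow netmanager netmanager:capability { net_bind_service };` has `netmanager` as its source domain but lands in netsysnative.te, wedged between `sa_netsys_ext_service` samgr_class rules it has nothing to do with; anyone auditing netmanager's capabilities in netmanager.te, where this patch deletes the identical line, will no longer find it. If the intent is that only netmanager gains the capability, keep the rule in netmanager.te next to its other `netmanager:capability` lines; if the intent was to give it to netsysnative instead, the source should read `netsysnative`, which the domain.te neverallow already exempts. Moving the line between files does not change what the policy grants, and it does not resolve the conflict with the net_bind_service neverallow that this same patch restores in domain.te; a comment such as `# net_bind_service for USB sharing` is needed wherever the rule ends up.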
@@ -66,7 +66,6 @@ allow netsysnative netsysnative:bpf { map_read prog_load map_create prog_run map
 allow netsysnative data_file:file { read };
 allow netsysnative sa_netsys_ext_service:samgr_class { add get };
 allow netmanager sa_netsys_ext_service:samgr_class { add get };
-allow netmanager netmanager:capability { net_bind_service };
 allow sa_netsys_ext_service sa_netsys_ext_service:samgr_class { add get };
 allow system_basic_hap sa_netsys_ext_service:samgr_class { add get };
 allow system_core_hap sa_netsys_ext_service:samgr_class { add get };
@@ -99,6 +98,7 @@ allow netsysnative netsysnative:netlink_route_socket { setopt bind setattr getat
 allow netsysnative sa_distributed_net_service:samgr_class { add get };
 allow netmanager sa_distributed_net_service:samgr_class { add get };
+allow netmanager netmanager:capability { net_bind_service };
 allow sa_distributed_net_service sa_distributed_net_service:samgr_class { add get };
 allow system_basic_hap sa_distributed_net_service:samgr_class { add get };
 allow system_core_hap sa_distributed_net_service:samgr_class { add get };
--
Gitee
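Review bot: The relocated `allow netmanager netmanager:capability { net_bind_service };` now sits among `sa_distributed_net_service` samgr_class rules, which relate to a netmanager capability no more than the `sa_netsys_ext_service` block it is removed from in the hunk above, and the message "update 5.22" gives no reason for the move. Record the reason on the line, e.g. `# netmanager needs CAP_NET_BIND_SERVICE for USB sharing (position-only move from line 69)`, or better, move the rule into netmanager.te beside its `net_admin`/`net_raw` lines, and say in the commit message that the policy's effective grants are unchanged by this patch. Note that the hunk header counts 6/7 lines while only 5/6 are shown, so a context line (likely blank) was lost in this copy. The rule also remains subject to the domain.te neverallow on net_bind_service, which patch 2/3 restored and this patch does not touch.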