diff --git a/BUILD.gn b/BUILD.gn index 2badcfcda7a28ad844531aef556fd7f47daa683e..baca0b81119be3c93f116cacfb0353497fe767c4 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -158,8 +158,8 @@ ohos_shared_library("libparaperm_checker") { subsystem_name = "security" } -ohos_static_library("libservice_checker_static") { - output_name = "libservice_checker_static" +ohos_shared_library("libservice_checker") { + output_name = "libservice_checker" sources = [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/src/service_checker.cpp" ] include_dirs = [ @@ -270,7 +270,7 @@ ohos_executable("service_check") { include_dirs = [ "$SELINUX_ROOT_DIR/interfaces/policycoreutils/include" ] deps = [ ":libselinux_error_static", - ":libservice_checker_static", + ":libservice_checker", ] cflags = [ "-D_GNU_SOURCE", diff --git a/bundle.json b/bundle.json index 27caf6c36c9921f939d29064c87b78527c9a20f0..e49bf0920b642bf5f5a4aa732903408d38e014ac 100644 --- a/bundle.json +++ b/bundle.json @@ -67,6 +67,16 @@ ], "header_base": "//base/security/selinux/interfaces/policycoreutils/include" } + }, + { + "name": "//base/security/selinux:libservice_checker", + "header": { + "header_files": [ + "service_checker.h", + "hdf_service_checker.h" + ], + "header_base": "//base/security/selinux/interfaces/policycoreutils/include" + } } ], "test": [ @@ -74,4 +84,4 @@ ] } } -} +} \ No newline at end of file diff --git a/interfaces/policycoreutils/include/hdf_service_checker.h b/interfaces/policycoreutils/include/hdf_service_checker.h new file mode 100644 index 0000000000000000000000000000000000000000..89dd579098ba114c8ac835d211fa948e28ac0340 --- /dev/null +++ b/interfaces/policycoreutils/include/hdf_service_checker.h 
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2022 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef HDF_SERVICE_CHECKER_H +#define HDF_SERVICE_CHECKER_H +#include + +#ifdef __cplusplus +extern "C" { +#endif + +int HdfListServiceCheck(pid_t callingPid); +int HdfGetServiceCheck(pid_t callingPid, const char *serviceName); +int HdfAddServiceCheck(pid_t callingPid, const char *serviceName); + +#ifdef __cplusplus +} +#endif + +#endif // HDF_SERVICE_CHECKER_H diff --git a/interfaces/policycoreutils/include/service_checker.h b/interfaces/policycoreutils/include/service_checker.h index 2b0f1f4d6f6429beed69fdff17e36f4e7667841a..c92ee52c2782aa9afc37ec2949b7490e44e4dbcb 100644 --- a/interfaces/policycoreutils/include/service_checker.h +++ b/interfaces/policycoreutils/include/service_checker.h @@ -46,6 +46,8 @@ public: int AddServiceCheck(const pid_t &callingPid, const std::string &serviceName); + static ServiceChecker& GetInstance(); + protected: private: void SetSelinuxLogCallback(); diff --git a/interfaces/policycoreutils/src/paraperm_checker.cpp b/interfaces/policycoreutils/src/paraperm_checker.cpp index 87bc8ed2bc88550069080ca2dd4d9850ad5e740f..aa2d47bd97743570e99dfe60480df74126240fde 100644 --- a/interfaces/policycoreutils/src/paraperm_checker.cpp +++ b/interfaces/policycoreutils/src/paraperm_checker.cpp 
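Review bot: The three declarations in hdf_service_checker.h carry no contract comment, so a C caller cannot tell what a non-zero return means or whether `serviceName` may be NULL. I would add a short block above them, for example `/* Returns SELINUX_SUCC when access is allowed, otherwise an error code from selinux_error.h; serviceName must be a non-NULL, NUL-terminated string. */`, with the exact wording checked against what CheckPerm returns, which is outside this diff. If the implementation resolves the caller's context from `callingPid` (not visible here), the comment should also say that the pid has to come from the IPC layer and not from the request payload.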
@@ -270,7 +270,7 @@ int GetParamLabel(const char *paraName, char **context) } if (!g_contextsTrie->Search(std::string(paraName), context)) { - return -SELINUX_KEY_NOT_FOUND; + *context = strdup(DEFAULT_CONTEXT); } selinux_log(SELINUX_INFO, "find context: %s\n", *context); return SELINUX_SUCC; @@ -296,8 +296,10 @@ int ReadParamCheck(const char *paraName) ucred uc = {.pid = getpid(), .uid = getuid(), .gid = getgid()}; msg.ucred = &uc; char *destContext = nullptr; - if (GetParamLabel(paraName, &destContext) != 0) { - destContext = strdup(DEFAULT_CONTEXT); + int res = GetParamLabel(paraName, &destContext); + if (res != SELINUX_SUCC) { + freecon(srcContext); + return res; } if (srcContext == nullptr || destContext == nullptr) { freecon(srcContext); @@ -305,7 +307,7 @@ int ReadParamCheck(const char *paraName) } selinux_log(SELINUX_INFO, "srcContext[%s] is reading param[%s] destContext[%s]\n", srcContext, paraName, destContext); - int res = selinux_check_access(srcContext, destContext, "file", "read", &msg); + res = selinux_check_access(srcContext, destContext, "file", "read", &msg); freecon(srcContext); free(destContext); return res == 0 ? SELINUX_SUCC : -SELINUX_PERMISSION_DENY; @@ -331,10 +333,12 @@ int SetParamCheck(const char *paraName, struct ucred *uc) return -SELINUX_GET_CONTEXT_ERROR; } char *destContext = nullptr; - if (GetParamLabel(paraName, &destContext) != 0) { - destContext = strdup(DEFAULT_CONTEXT); + int res = GetParamLabel(paraName, &destContext); + if (res != SELINUX_SUCC) { + freecon(srcContext); + return res; } - int res = CheckPerm(std::string(paraName), srcContext, destContext, *uc); + res = CheckPerm(std::string(paraName), srcContext, destContext, *uc); freecon(srcContext); free(destContext); return res; diff --git a/interfaces/policycoreutils/src/service_checker.cpp b/interfaces/policycoreutils/src/service_checker.cpp index 0845c0d7da941fe910c74df876e17a1912f6b4ef..52d136b54826a6a40da9f99220ab61541f71921c 100644 
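Review bot: In GetParamLabel the new fallback `*context = strdup(DEFAULT_CONTEXT);` is not checked, so on allocation failure the `selinux_log(..., "find context: %s\n", *context)` call receives a null pointer and the function still returns SELINUX_SUCC. ReadParamCheck still tests `destContext == nullptr` afterwards, but the SetParamCheck hunk passes `destContext` to CheckPerm without such a test, so the same point applies there. Failing closed at the source covers both callers: `if (*context == nullptr) { return -SELINUX_GET_CONTEXT_ERROR; }` directly after the strdup. Since a missing key no longer yields -SELINUX_KEY_NOT_FOUND, a comment such as `// parameters without a label fall back to DEFAULT_CONTEXT` would record that the fallback is intentional. All three functions begin and end outside their hunks.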
--- a/interfaces/policycoreutils/src/service_checker.cpp +++ b/interfaces/policycoreutils/src/service_checker.cpp @@ -34,6 +34,21 @@ static const int CONTEXTS_LENGTH_MAX = 1024; static pthread_once_t FC_ONCE = PTHREAD_ONCE_INIT; } // namespace +extern "C" int HdfListServiceCheck(pid_t callingPid) +{ + return ServiceChecker::GetInstance().ListServiceCheck(callingPid); +} + +extern "C" int HdfGetServiceCheck(pid_t callingPid, const char *serviceName) +{ + return ServiceChecker::GetInstance().GetServiceCheck(callingPid, serviceName); +} + +extern "C" int HdfAddServiceCheck(pid_t callingPid, const char *serviceName) +{ + return ServiceChecker::GetInstance().AddServiceCheck(callingPid, serviceName); +} + struct AuditMsg { pid_t pid; const char *name; @@ -259,3 +274,9 @@ int ServiceChecker::AddServiceCheck(const pid_t &callingPid, const std::string & { return CheckPerm(callingPid, serviceName, "add"); } + +ServiceChecker& ServiceChecker::GetInstance() +{ + static ServiceChecker instance(true); + return instance; +} diff --git a/interfaces/tools/service_check/test.cpp b/interfaces/tools/service_check/test.cpp index 29bb80829f1c670ca9af06260ca7f86242546622..d07e9d14388a93808cdd458c1b3a81109808c2a8 100644 --- a/interfaces/tools/service_check/test.cpp +++ b/interfaces/tools/service_check/test.cpp @@ -17,6 +17,7 @@ #include #include #include "service_checker.h" +#include "hdf_service_checker.h" #include "selinux_error.h" using namespace Selinux; 
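Review bot: HdfGetServiceCheck and HdfAddServiceCheck pass `serviceName` into a `const std::string &` parameter, and constructing a std::string from a null `const char *` is undefined behaviour, so a C caller that passes NULL can crash the checking process instead of being denied. A guard at the top of both wrappers, `if (serviceName == nullptr) { return -SELINUX_PERMISSION_DENY; }`, keeps the check fail-closed; the sign convention of ServiceChecker's return values is not visible in this diff, so use whichever error code matches it. Exceptions thrown while building the string or inside GetInstance() would also cross the `extern "C"` boundary, which a `try`/`catch` that returns an error code would prevent.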
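Review bot: `ServiceChecker::GetInstance()` hard-codes `instance(true)`, so the singleton is always the HDF-mode checker although neither the name nor the declaration in service_checker.h says so. Assuming the constructor flag selects the HDF contexts, as the `isHdf` handling in test.cpp suggests, a non-HDF caller that reaches for GetInstance() would be checked against the wrong contexts. A comment above the definition such as `// Process-wide checker for HDF services only (isHdf = true); used by the Hdf*ServiceCheck C wrappers.`, or a name like GetHdfInstance, would make the restriction explicit.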
@@ -102,33 +103,38 @@ int main(int argc, char *argv[]) testInput input; SetOptions(argc, argv, options, input); - if (input.isHdf) { - g_service = std::make_unique(true); - } else { + if (!input.isHdf) { g_service = std::make_unique(false); } std::string serName; switch (input.cmd) { case 'a': { while (std::cin >> serName) { - std::cout << GetErrStr(g_service->AddServiceCheck(getpid(), serName)) << std::endl; + std::cout << GetErrStr(input.isHdf ? HdfAddServiceCheck(getpid(), serName.c_str()) + : g_service->AddServiceCheck(getpid(), serName)) + << std::endl; } exit(0); } case 'g': { while (std::cin >> serName) { - std::cout << GetErrStr(g_service->GetServiceCheck(getpid(), serName)) << std::endl; + std::cout << GetErrStr(input.isHdf ? HdfGetServiceCheck(getpid(), serName.c_str()) + : g_service->GetServiceCheck(getpid(), serName)) + << std::endl; } exit(0); } case 'r': { while (std::cin >> serName) { - std::cout << GetErrStr(g_service->GetRemoteServiceCheck(getpid(), serName)) << std::endl; + std::cout << GetErrStr(input.isHdf ? SELINUX_PERMISSION_DENY + : g_service->GetRemoteServiceCheck(getpid(), serName)) + << std::endl; } exit(0); } case 'l': { - std::cout << GetErrStr(g_service->ListServiceCheck(getpid())) << std::endl; + std::cout << GetErrStr(input.isHdf ? HdfListServiceCheck(getpid()) : g_service->ListServiceCheck(getpid())) + << std::endl; exit(0); } default: diff --git a/sepolicy/base/public/hap_domain.te b/sepolicy/base/public/hap_domain.te index 6de45ab6e089462f1154bfcc2d581d5afe1651bb..928afa5cf6478e306f5ce4de249ed1efa55f4659 100644 --- a/sepolicy/base/public/hap_domain.te +++ b/sepolicy/base/public/hap_domain.te 
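Review bot: In the `'r'` case the HDF branch prints `GetErrStr(SELINUX_PERMISSION_DENY)` for every name read from stdin without performing any check, so the tool's output cannot be told apart from a real policy denial. Someone using service_check to validate policy would read that as "denied by SELinux" rather than "not supported for HDF". I would print an explicit message instead, e.g. `std::cout << "remote service check is not supported in hdf mode" << std::endl;`, and exit with a non-zero status. With `isHdf` set, `g_service` now stays null, so any other use of `g_service` in main, which continues outside this hunk, needs the same `input.isHdf` guard.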
@@ -11,10 +11,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -type platform_hap_domain, domain; -type priv_hap_domain, domain; -type normal_hap_domain, domain; +type system_core_hap, domain; +type system_basic_hap, domain; +type normal_hap, domain; -type platform_hap_data_file, file_type; -type priv_hap_data_file, file_type; +type system_core_hap_data_file, file_type; +type system_basic_hap_data_file, file_type; type normal_hap_data_file, file_type; diff --git a/sepolicy/base/rk3568/accessibility.te b/sepolicy/base/rk3568/accessibility.te index ca8945fb2ac7c0455a597bab7ac84bc0f1d75130..c62f18dd85047fb4690bff34cdfd719248f718ed 100644 --- a/sepolicy/base/rk3568/accessibility.te +++ b/sepolicy/base/rk3568/accessibility.te @@ -37,9 +37,9 @@ allow accessibility init:netlink_kobject_uevent_socket { read write }; allow accessibility init:unix_dgram_socket { sendto }; allow accessibility init:unix_stream_socket { read write }; allow accessibility kernel:fd { use }; -allow accessibility normal_hap_domain:binder { call }; -allow accessibility platform_hap_domain:binder { call }; -allow accessibility priv_hap_domain:binder { call }; +allow accessibility normal_hap:binder { call }; +allow accessibility system_core_hap:binder { call }; +allow accessibility system_basic_hap:binder { call }; allow accessibility proc_file:dir { search }; allow accessibility proc_file:lnk_file { read }; allow accessibility rootfs:dir { search }; diff --git a/sepolicy/base/rk3568/accountmgr.te b/sepolicy/base/rk3568/accountmgr.te index 1c43c6eb0d9dc6e57581332f15674903930ece8c..5a2c013209ee950349a5a545a5c8433915cdfc4f 100644 --- a/sepolicy/base/rk3568/accountmgr.te +++ b/sepolicy/base/rk3568/accountmgr.te 
@@ -51,9 +51,9 @@ allow accountmgr init:unix_stream_socket { read write };
 allow accountmgr kernel:fd { use };
 allow accountmgr lib_file:lnk_file { read };
 allow accountmgr memmgrservice:binder { call transfer };
-allow accountmgr normal_hap_domain:binder { transfer };
+allow accountmgr normal_hap:binder { transfer };
 allow accountmgr param_watcher:binder { call transfer };
-allow accountmgr priv_hap_domain:binder { call transfer };
+allow accountmgr system_basic_hap:binder { call transfer };
 allow accountmgr proc_file:dir { search };
 allow accountmgr proc_file:lnk_file { read };
 allow accountmgr rootfs:dir { getattr search };
diff --git a/sepolicy/base/rk3568/appspawn.te b/sepolicy/base/rk3568/appspawn.te
index 58e42d15f31c67aa23d9d15be4d89ab71e822de2..c75ef1b509e3a2bde8a4603a7856992cf6a59352 100644
--- a/sepolicy/base/rk3568/appspawn.te
+++ b/sepolicy/base/rk3568/appspawn.te
@@ -46,9 +46,9 @@ allow appspawn init:unix_stream_socket { read write };
 allow appspawn kernel:fd { use };
 allow appspawn kernel:unix_stream_socket { connectto };
 allow appspawn lib_file:lnk_file { read };
-allow appspawn normal_hap_domain:process { dyntransition };
-allow appspawn platform_hap_domain:process { dyntransition };
-allow appspawn priv_hap_domain:process { dyntransition };
+allow appspawn normal_hap:process { dyntransition };
+allow appspawn system_core_hap:process { dyntransition };
+allow appspawn system_basic_hap:process { dyntransition };
 allow appspawn proc_file:dir { search };
 allow appspawn proc_file:lnk_file { read };
 allow appspawn rootfs:dir { getattr search };
diff --git a/sepolicy/base/rk3568/audio_policy.te b/sepolicy/base/rk3568/audio_policy.te
index 73fd0aef2c9213d137d60f88b76133c040d6ab06..d6134ccdddb65be90ff3772cb7908abc229868da 100644
--- a/sepolicy/base/rk3568/audio_policy.te
+++ b/sepolicy/base/rk3568/audio_policy.te
@@ -49,7 +49,7 @@ allow audio_policy multimodalinput:binder { call };
 allow audio_policy multimodalinput:fd { use };
 allow audio_policy multimodalinput:unix_stream_socket { read write };
 allow audio_policy param_watcher:binder { call transfer };
-allow audio_policy priv_hap_domain:binder { call };
+allow audio_policy system_basic_hap:binder { call };
 allow audio_policy proc_file:dir { search };
 allow audio_policy proc_file:lnk_file { read };
 allow audio_policy pulseaudio:binder { call };
diff --git a/sepolicy/base/rk3568/bluetooth_service.te b/sepolicy/base/rk3568/bluetooth_service.te
index d7f388fadab925a467ca3823f62c0748e4cd89da..7d7e216a50fbac61a212ac3d9f1e87d27863a731 100644
--- a/sepolicy/base/rk3568/bluetooth_service.te
+++ b/sepolicy/base/rk3568/bluetooth_service.te
@@ -35,7 +35,7 @@ allow bluetooth_service init:netlink_kobject_uevent_socket { read write };
 allow bluetooth_service init:unix_dgram_socket { sendto };
 allow bluetooth_service init:unix_stream_socket { read write };
 allow bluetooth_service kernel:fd { use };
-allow bluetooth_service priv_hap_domain:binder { call transfer };
+allow bluetooth_service system_basic_hap:binder { call transfer };
 allow bluetooth_service proc_file:dir { search };
 allow bluetooth_service proc_file:lnk_file { read };
 allow bluetooth_service rootfs:dir { search };
diff --git a/sepolicy/base/rk3568/camera_service.te b/sepolicy/base/rk3568/camera_service.te
index 3f4097db60246c1e936a464b27675388d165590f..28a606464e243256bf7182c65cbf28459b39038b 100644
--- a/sepolicy/base/rk3568/camera_service.te
+++ b/sepolicy/base/rk3568/camera_service.te
@@ -34,7 +34,7 @@ allow camera_service init:netlink_kobject_uevent_socket { read write };
 allow camera_service init:unix_dgram_socket { sendto };
 allow camera_service init:unix_stream_socket { read write };
 allow camera_service kernel:fd { use };
-allow camera_service normal_hap_domain:binder { call transfer };
+allow camera_service normal_hap:binder { call transfer };
 allow camera_service proc_file:dir { search };
 allow camera_service proc_file:lnk_file { read };
 allow camera_service rootfs:dir { search };
diff --git a/sepolicy/base/rk3568/distributeddata.te b/sepolicy/base/rk3568/distributeddata.te
index 0527dc770c3f880fe75154c574f84815e657d652..189320dc3d96b65e2b6f29d50ba4b629f13a46f0 100644
--- a/sepolicy/base/rk3568/distributeddata.te
+++ b/sepolicy/base/rk3568/distributeddata.te
@@ -50,7 +50,7 @@ allow distributeddata init:unix_dgram_socket { sendto };
 allow distributeddata init:unix_stream_socket { read write };
 allow distributeddata kernel:fd { use };
 allow distributeddata lib_file:lnk_file { read };
-allow distributeddata normal_hap_domain:binder { call transfer };
+allow distributeddata normal_hap:binder { call transfer };
 allow distributeddata param_watcher:binder { call transfer };
 allow distributeddata proc_file:dir { search };
 allow distributeddata proc_file:lnk_file { read };
diff --git a/sepolicy/base/rk3568/faultloggerd.te b/sepolicy/base/rk3568/faultloggerd.te
index 5ebe7a86b054984c80487bbf650c14342007e4e0..0a319b52b2321bb13bd7f18a760818e5b010fd33 100644
--- a/sepolicy/base/rk3568/faultloggerd.te
+++ b/sepolicy/base/rk3568/faultloggerd.te
@@ -34,8 +34,8 @@ allow faultloggerd init:netlink_kobject_uevent_socket { read write };
 allow faultloggerd init:unix_dgram_socket { sendto };
 allow faultloggerd init:unix_stream_socket { read write };
 allow faultloggerd kernel:fd { use };
-allow faultloggerd normal_hap_domain:process { signal };
-allow faultloggerd priv_hap_domain:process { signal };
+allow faultloggerd normal_hap:process { signal };
+allow faultloggerd system_basic_hap:process { signal };
 allow faultloggerd rootfs:dir { search };
 allow faultloggerd system_etc_file:dir { search };
 allow faultloggerd system_etc_file:file { open read };
diff --git a/sepolicy/base/rk3568/filesystem.te b/sepolicy/base/rk3568/filesystem.te
index 5ab795320a74628b72a066d54a81482216a41d06..ff3b5a852974886ed796b88e74e56d4689af37da 100644
--- a/sepolicy/base/rk3568/filesystem.te
+++ b/sepolicy/base/rk3568/filesystem.te
@@ -68,8 +68,8 @@ allow dev_vndbinder_file tmpfs:filesystem { associate };
 allow dev_watchdog_file tmpfs:filesystem { associate };
 allow dev_zero_file tmpfs:filesystem { associate };
 allow normal_hap_data_file labeledfs:filesystem { associate };
-allow platform_hap_data_file labeledfs:filesystem { associate };
-allow priv_hap_data_file labeledfs:filesystem { associate };
+allow system_core_hap_data_file labeledfs:filesystem { associate };
+allow system_basic_hap_data_file labeledfs:filesystem { associate };
 allow sys_file sys_file:filesystem { associate };
 allow tmpfs tmpfs:filesystem { associate };
 allow tty_device tmpfs:filesystem { associate };
diff --git a/sepolicy/base/rk3568/foundation.te b/sepolicy/base/rk3568/foundation.te
index 82e57983284b8fe48ca3ba276d0d4ffcc24421a0..acd2fec7ba3c275635b9dcc2c33f915960ee09d4 100644
--- a/sepolicy/base/rk3568/foundation.te
+++ b/sepolicy/base/rk3568/foundation.te
@@ -74,11 +74,11 @@ allow foundation memmgrservice:binder { call transfer };
 allow foundation multimodalinput:binder { call };
 allow foundation multimodalinput:fd { use };
 allow foundation multimodalinput:unix_stream_socket { read write write };
-allow foundation normal_hap_domain:binder { call transfer };
+allow foundation normal_hap:binder { call transfer };
 allow foundation param_watcher:binder { call transfer };
-allow foundation platform_hap_domain:binder { call transfer };
+allow foundation system_core_hap:binder { call transfer };
 allow foundation power_host:binder { call transfer };
-allow foundation priv_hap_domain:binder { call transfer };
+allow foundation system_basic_hap:binder { call transfer };
 allow foundation proc_file:dir { search };
 allow foundation proc_file:file { open read };
 allow foundation proc_file:lnk_file { read };
diff --git a/sepolicy/base/rk3568/hdcd.te b/sepolicy/base/rk3568/hdcd.te
index 7a2c6e8c25c643c3be016a7946db688c88257e27..867c84a94cfb0d68f249cb0e8bb87f40ff9cc99c 100644
--- a/sepolicy/base/rk3568/hdcd.te
+++ b/sepolicy/base/rk3568/hdcd.te
@@ -385,11 +385,11 @@ allow hdcd netmanager:process { getattr };
 allow hdcd netmanager:unix_dgram_socket { getattr };
 allow hdcd normal_hap_data_file:dir { getattr open read search };
 allow hdcd normal_hap_data_file:file { getattr };
-allow hdcd normal_hap_domain:dir { getattr open read search };
-allow hdcd normal_hap_domain:fifo_file { getattr };
-allow hdcd normal_hap_domain:file { getattr open read };
-allow hdcd normal_hap_domain:lnk_file { getattr read };
-allow hdcd normal_hap_domain:process { getattr };
+allow hdcd normal_hap:dir { getattr open read search };
+allow hdcd normal_hap:fifo_file { getattr };
+allow hdcd normal_hap:file { getattr open read };
+allow hdcd normal_hap:lnk_file { getattr read };
+allow hdcd normal_hap:process { getattr };
 allow hdcd param_watcher:dir { getattr open read search };
 allow hdcd param_watcher:file { getattr open read };
 allow hdcd param_watcher:lnk_file { getattr read };
@@ -401,21 +401,21 @@ allow hdcd pinauth_service:file { getattr open read };
 allow hdcd pinauth_service:lnk_file { getattr read };
 allow hdcd pinauth_service:process { getattr };
 allow hdcd pinauth_service:unix_dgram_socket { getattr };
-allow hdcd platform_hap_data_file:dir { getattr open read search };
-allow hdcd platform_hap_data_file:file { getattr };
+allow hdcd system_core_hap_data_file:dir { getattr open read search };
+allow hdcd system_core_hap_data_file:file { getattr };
 allow hdcd power_host:dir { getattr open read search };
 allow hdcd power_host:file { getattr open read };
 allow hdcd power_host:lnk_file { getattr read };
 allow hdcd power_host:netlink_kobject_uevent_socket { getattr };
 allow hdcd power_host:process { getattr };
 allow hdcd power_host:unix_dgram_socket { getattr };
-allow hdcd priv_hap_data_file:dir { getattr open read search };
-allow hdcd priv_hap_data_file:file { getattr };
-allow hdcd priv_hap_domain:dir { getattr open read search };
-allow hdcd priv_hap_domain:fifo_file { getattr };
-allow hdcd priv_hap_domain:file { getattr open read };
-allow hdcd priv_hap_domain:lnk_file { getattr read };
-allow hdcd priv_hap_domain:process { getattr };
+allow hdcd system_basic_hap_data_file:dir { getattr open read search };
+allow hdcd system_basic_hap_data_file:file { getattr };
+allow hdcd system_basic_hap:dir { getattr open read search };
+allow hdcd system_basic_hap:fifo_file { getattr };
+allow hdcd system_basic_hap:file { getattr open read };
+allow hdcd system_basic_hap:lnk_file { getattr read };
+allow hdcd system_basic_hap:process { getattr };
 allow hdcd proc_bluetooth_file:dir { getattr open read search };
 allow hdcd proc_bluetooth_file:file { getattr };
 allow hdcd proc_buddyinfo_file:file { getattr };
diff --git a/sepolicy/base/rk3568/hdf_devmgr.te b/sepolicy/base/rk3568/hdf_devmgr.te
index fd84f35d77b92941452dd89b8cc46096f1f0859a..d1dc444058db2f65dbd446c2620a26285f56eb45 100644
--- a/sepolicy/base/rk3568/hdf_devmgr.te
+++ b/sepolicy/base/rk3568/hdf_devmgr.te
@@ -46,10 +46,10 @@ allow hdf_devmgr input_user_host:binder { call transfer };
 allow hdf_devmgr kernel:fd { use };
 allow hdf_devmgr kernel:unix_stream_socket { connectto };
 allow hdf_devmgr light_dal_host:binder { call transfer };
-allow hdf_devmgr normal_hap_domain:binder { transfer };
-allow hdf_devmgr platform_hap_domain:binder { transfer };
+allow hdf_devmgr normal_hap:binder { transfer };
+allow hdf_devmgr system_core_hap:binder { transfer };
 allow hdf_devmgr power_host:binder { call transfer };
-allow hdf_devmgr priv_hap_domain:binder { transfer };
+allow hdf_devmgr system_basic_hap:binder { transfer };
 allow hdf_devmgr proc_file:dir { search };
 allow hdf_devmgr proc_file:lnk_file { read };
 allow hdf_devmgr pulseaudio:binder { transfer };
diff --git a/sepolicy/base/rk3568/hiview.te b/sepolicy/base/rk3568/hiview.te
index 0c04b638e0d67ec4392047f54694530485205cea..d60b44e6e33afa9a9d66acf96212b7731cad26a3 100644
--- a/sepolicy/base/rk3568/hiview.te
+++ b/sepolicy/base/rk3568/hiview.te
@@ -50,10 +50,10 @@ allow hiview init:netlink_kobject_uevent_socket { read write };
 allow hiview init:unix_dgram_socket { getattr getopt read sendto setopt write };
 allow hiview init:unix_stream_socket { read write };
 allow hiview kernel:fd { use };
-allow hiview normal_hap_domain:dir { search };
-allow hiview normal_hap_domain:file { open read };
-allow hiview priv_hap_domain:dir { search };
-allow hiview priv_hap_domain:file { open read };
+allow hiview normal_hap:dir { search };
+allow hiview normal_hap:file { open read };
+allow hiview system_basic_hap:dir { search };
+allow hiview system_basic_hap:file { open read };
 allow hiview proc_file:dir { search };
 allow hiview proc_file:lnk_file { read };
 allow hiview rootfs:dir { search };
diff --git a/sepolicy/base/rk3568/inputmethod_service.te b/sepolicy/base/rk3568/inputmethod_service.te
index ea13b98ed4286f37ca47cc58450d10866dcf8d76..7fd85e7bb5de0b85db2e6796b7bba0e32c88ec9e 100644
--- a/sepolicy/base/rk3568/inputmethod_service.te
+++ b/sepolicy/base/rk3568/inputmethod_service.te
@@ -41,9 +41,9 @@ allow inputmethod_service inputmethod_service:unix_dgram_socket { connect create
 allow inputmethod_service inputmethod_service:unix_stream_socket { connect create read setopt write };
 allow inputmethod_service kernel:fd { use };
 allow inputmethod_service lib_file:lnk_file { read };
-allow inputmethod_service normal_hap_domain:binder { call transfer };
-allow inputmethod_service platform_hap_domain:binder { call transfer };
-allow inputmethod_service priv_hap_domain:binder { call transfer };
+allow inputmethod_service normal_hap:binder { call transfer };
+allow inputmethod_service system_core_hap:binder { call transfer };
+allow inputmethod_service system_basic_hap:binder { call transfer };
 allow inputmethod_service proc_file:dir { search };
 allow inputmethod_service proc_file:lnk_file { read };
 allow inputmethod_service rootfs:dir { getattr search };
diff --git a/sepolicy/base/rk3568/media_service.te b/sepolicy/base/rk3568/media_service.te
index fbe6974c737e5d3eacc5cf7ee15c97a2f218612c..720d082fe879933d833f475e63bd470d52bdf8d0 100644
--- a/sepolicy/base/rk3568/media_service.te
+++ b/sepolicy/base/rk3568/media_service.te
@@ -41,8 +41,8 @@ allow media_service media_service:lnk_file { read };
 allow media_service media_service:process { fork getsched };
 allow media_service media_service:unix_dgram_socket { connect create write };
 allow media_service media_service:unix_stream_socket { connect create getattr getopt read setopt write };
-allow media_service normal_hap_domain:binder { call transfer };
-allow media_service priv_hap_domain:binder { call transfer };
+allow media_service normal_hap:binder { call transfer };
+allow media_service system_basic_hap:binder { call transfer };
 allow media_service proc_file:dir { search };
 allow media_service proc_file:lnk_file { read };
 allow media_service pulseaudio:binder { call };
diff --git a/sepolicy/base/rk3568/memmgrservice.te b/sepolicy/base/rk3568/memmgrservice.te
index 36cad2630640cbacfac7aff32e7920920a167782..9cda400cbabf2d834137a939cd6130d12f66422d 100644
--- a/sepolicy/base/rk3568/memmgrservice.te
+++ b/sepolicy/base/rk3568/memmgrservice.te
@@ -38,12 +38,12 @@ allow memmgrservice memmgrservice:dir { search };
 allow memmgrservice memmgrservice:lnk_file { read };
 allow memmgrservice memmgrservice:process { fork getsched };
 allow memmgrservice memmgrservice:unix_dgram_socket { connect create write };
-allow memmgrservice normal_hap_domain:dir { search };
-allow memmgrservice normal_hap_domain:file { open read write };
-allow memmgrservice platform_hap_domain:dir { search };
-allow memmgrservice platform_hap_domain:file { open read write };
-allow memmgrservice priv_hap_domain:dir { search };
-allow memmgrservice priv_hap_domain:file { open read write };
+allow memmgrservice normal_hap:dir { search };
+allow memmgrservice normal_hap:file { open read write };
+allow memmgrservice system_core_hap:dir { search };
+allow memmgrservice system_core_hap:file { open read write };
+allow memmgrservice system_basic_hap:dir { search };
+allow memmgrservice system_basic_hap:file { open read write };
 allow memmgrservice proc_file:dir { search };
 allow memmgrservice proc_file:file { open write };
 allow memmgrservice proc_file:lnk_file { read };
diff --git a/sepolicy/base/rk3568/normal_hap.te b/sepolicy/base/rk3568/normal_hap.te
new file mode 100644
index 0000000000000000000000000000000000000000..148cf9b7d01a15a257ca151fc79dae5aea3da125
--- /dev/null
+++ b/sepolicy/base/rk3568/normal_hap.te
@@ -0,0 +1,115 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap accessibility:binder { call transfer }; +allow normal_hap accountmgr:binder { call }; +allow normal_hap appspawn_exec:file { getattr map open read }; +allow normal_hap appspawn:fd { use }; +allow normal_hap appspawn:fifo_file { write }; +allow normal_hap appspawn:unix_dgram_socket { connect write }; +allow normal_hap camera_service:binder { call transfer }; +allow normal_hap config_file:dir { mounton }; +allow normal_hap data_app_el1_file:dir { add_name create mounton open read search setattr write }; +allow normal_hap data_app_el1_file:file { execute getattr map open read }; +allow normal_hap data_app_el2_file:dir { search }; +allow normal_hap data_app_file:dir { search }; +allow normal_hap data_file:dir { add_name getattr mounton search write }; +allow normal_hap data_file:file { create getattr ioctl lock map open read write }; +allow normal_hap data_log:file { read write }; +allow normal_hap data_service_el2_file:dir { getattr read open search }; +allow normal_hap data_service_file:dir { search }; +allow normal_hap debugfs:dir { search }; +allow normal_hap dev_ashmem_file:chr_file { getattr ioctl map open read write }; +allow normal_hap dev_at_file:chr_file { ioctl open read write }; +allow normal_hap dev_binder_file:chr_file { ioctl map open read write }; +allow normal_hap dev_dri_file:chr_file { getattr ioctl open read write }; +allow 
normal_hap dev_dri_file:dir { search }; +allow normal_hap dev_file:chr_file { getattr ioctl map open read write }; +allow normal_hap dev_file:dir { mounton search }; +allow normal_hap dev_null_file:chr_file { ioctl open read write }; +allow normal_hap dev_parameters_file:dir { search }; +allow normal_hap dev_parameters_file:file { map open read }; +allow normal_hap dev_random_file:chr_file { open read }; +allow normal_hap dev_unix_file:dir { search }; +allow normal_hap dev_unix_socket_file:dir { search }; +allow normal_hap dev_unix_socket_file:sock_file { write }; +allow normal_hap display_gralloc_host:binder { call }; +allow normal_hap display_gralloc_host:fd { use }; +allow normal_hap distributeddata:binder { call transfer }; +allow normal_hap faultloggerd:fd { use }; +allow normal_hap faultloggerd:unix_stream_socket { connectto }; +allow normal_hap foundation:binder { call transfer }; +allow normal_hap foundation:fd { use }; +allow normal_hap hdcd:unix_stream_socket { connectto }; +allow normal_hap hdf_devmgr:binder { call }; +allow normal_hap hiview:binder { call }; +allow normal_hap hmdfs:dir { getattr mounton open read search }; +allow normal_hap init:unix_dgram_socket { sendto }; +allow normal_hap inputmethod_service:binder { call transfer }; +allow normal_hap labeledfs:filesystem { unmount }; +allow normal_hap medialibrary_service:binder { call }; +allow normal_hap media_service:binder { call transfer }; +allow normal_hap multimodalinput:binder { call }; +allow normal_hap multimodalinput:fd { use }; +allow normal_hap multimodalinput:unix_stream_socket { read read write write }; +allow normal_hap normal_hap_data_file:dir { add_name create getattr mounton open read remove_name search write }; +allow normal_hap normal_hap_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write write open }; +allow normal_hap normal_hap:binder { call transfer }; +allow normal_hap normal_hap:capability { setgid setuid sys_admin }; +allow 
normal_hap normal_hap:dir { getattr open read search }; +allow normal_hap normal_hap:fifo_file { read write }; +allow normal_hap normal_hap:file { getattr open read write }; +allow normal_hap normal_hap:lnk_file { read }; +allow normal_hap normal_hap:lockdown { confidentiality }; +allow normal_hap normal_hap:process { execmem fork getcap getsched ptrace setcap setsched sigkill }; +allow normal_hap normal_hap:unix_dgram_socket { connect create getopt setopt write }; +allow normal_hap normal_hap:unix_stream_socket { accept bind connect create getopt listen read setopt write }; +allow normal_hap param_watcher:binder { call transfer }; +allow normal_hap system_basic_hap:binder { call transfer }; +allow normal_hap system_basic_hap:fd { use }; +allow normal_hap proc_file:dir { mounton search }; +allow normal_hap proc_file:file { open read }; +allow normal_hap proc_file:lnk_file { read }; +allow normal_hap render_service:binder { call transfer }; +allow normal_hap render_service:fd { use }; +allow normal_hap render_service:unix_stream_socket { read read write write }; +allow normal_hap resource_schedule_service:binder { call }; +allow normal_hap rootfs:dir { mounton search }; +allow normal_hap samgr:binder { call }; +allow normal_hap sys_file:dir { mounton open read search }; +allow normal_hap sys_file:file { open read }; +allow normal_hap sys_file:lnk_file { read }; +allow normal_hap system_bin_file:dir { search }; +allow normal_hap system_bin_file:file { execute execute_no_trans map read open }; +allow normal_hap system_etc_file:dir { search }; +allow normal_hap system_etc_file:file { getattr map open read }; +allow normal_hap system_file:dir { mounton search }; +allow normal_hap system_fonts_file:dir { search }; +allow normal_hap system_fonts_file:file { getattr map open read }; +allow normal_hap system_lib_file:dir { search }; +allow normal_hap system_lib_file:file { execute getattr map open read }; +allow normal_hap system_usr_file:dir { search }; +allow normal_hap 
telephony_sa:binder { call }; +allow normal_hap tmpfs:dir { add_name create getattr mounton search write }; +allow normal_hap tmpfs:lnk_file { create read }; +allow normal_hap tracefs:dir { search }; +allow normal_hap tracefs:file { open write }; +allow normal_hap upms:binder { call }; +allowxperm normal_hap data_file:file ioctl { 0xf50c }; +allowxperm normal_hap dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 }; +allowxperm normal_hap dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm normal_hap dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm normal_hap dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm normal_hap dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; +allowxperm normal_hap dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm normal_hap normal_hap_data_file:file ioctl { 0x5413 0xf50c }; diff --git a/sepolicy/base/rk3568/normal_hap_domain.te b/sepolicy/base/rk3568/normal_hap_domain.te deleted file mode 100644 index 36ba358d97fb3a6ec024623161a3109770b861de..0000000000000000000000000000000000000000 --- a/sepolicy/base/rk3568/normal_hap_domain.te +++ /dev/null 
@@ -1,115 +0,0 @@ -# Copyright (c) 2022 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the License); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -allow normal_hap_domain accessibility:binder { call transfer }; -allow normal_hap_domain accountmgr:binder { call }; -allow normal_hap_domain appspawn_exec:file { getattr map open read }; -allow normal_hap_domain appspawn:fd { use }; -allow normal_hap_domain appspawn:fifo_file { write }; -allow normal_hap_domain appspawn:unix_dgram_socket { connect write }; -allow normal_hap_domain camera_service:binder { call transfer }; -allow normal_hap_domain config_file:dir { mounton }; -allow normal_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; -allow normal_hap_domain data_app_el1_file:file { execute getattr map open read }; -allow normal_hap_domain data_app_el2_file:dir { search }; -allow normal_hap_domain data_app_file:dir { search }; -allow normal_hap_domain data_file:dir { add_name getattr mounton search write }; -allow normal_hap_domain data_file:file { create getattr ioctl lock map open read write }; -allow normal_hap_domain data_log:file { read write }; -allow normal_hap_domain data_service_el2_file:dir { getattr read open search }; -allow normal_hap_domain data_service_file:dir { search }; -allow normal_hap_domain debugfs:dir { search }; -allow normal_hap_domain dev_ashmem_file:chr_file { getattr ioctl map open read write }; -allow normal_hap_domain dev_at_file:chr_file { ioctl open read write }; -allow 
normal_hap_domain dev_binder_file:chr_file { ioctl map open read write }; -allow normal_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; -allow normal_hap_domain dev_dri_file:dir { search }; -allow normal_hap_domain dev_file:chr_file { getattr ioctl map open read write }; -allow normal_hap_domain dev_file:dir { mounton search }; -allow normal_hap_domain dev_null_file:chr_file { ioctl open read write }; -allow normal_hap_domain dev_parameters_file:dir { search }; -allow normal_hap_domain dev_parameters_file:file { map open read }; -allow normal_hap_domain dev_random_file:chr_file { open read }; -allow normal_hap_domain dev_unix_file:dir { search }; -allow normal_hap_domain dev_unix_socket_file:dir { search }; -allow normal_hap_domain dev_unix_socket_file:sock_file { write }; -allow normal_hap_domain display_gralloc_host:binder { call }; -allow normal_hap_domain display_gralloc_host:fd { use }; -allow normal_hap_domain distributeddata:binder { call transfer }; -allow normal_hap_domain faultloggerd:fd { use }; -allow normal_hap_domain faultloggerd:unix_stream_socket { connectto }; -allow normal_hap_domain foundation:binder { call transfer }; -allow normal_hap_domain foundation:fd { use }; -allow normal_hap_domain hdcd:unix_stream_socket { connectto }; -allow normal_hap_domain hdf_devmgr:binder { call }; -allow normal_hap_domain hiview:binder { call }; -allow normal_hap_domain hmdfs:dir { getattr mounton open read search }; -allow normal_hap_domain init:unix_dgram_socket { sendto }; -allow normal_hap_domain inputmethod_service:binder { call transfer }; -allow normal_hap_domain labeledfs:filesystem { unmount }; -allow normal_hap_domain medialibrary_service:binder { call }; -allow normal_hap_domain media_service:binder { call transfer }; -allow normal_hap_domain multimodalinput:binder { call }; -allow normal_hap_domain multimodalinput:fd { use }; -allow normal_hap_domain multimodalinput:unix_stream_socket { read read write write }; -allow 
normal_hap_domain normal_hap_data_file:dir { add_name create getattr mounton open read remove_name search write }; -allow normal_hap_domain normal_hap_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write write open }; -allow normal_hap_domain normal_hap_domain:binder { call transfer }; -allow normal_hap_domain normal_hap_domain:capability { setgid setuid sys_admin }; -allow normal_hap_domain normal_hap_domain:dir { getattr open read search }; -allow normal_hap_domain normal_hap_domain:fifo_file { read write }; -allow normal_hap_domain normal_hap_domain:file { getattr open read write }; -allow normal_hap_domain normal_hap_domain:lnk_file { read }; -allow normal_hap_domain normal_hap_domain:lockdown { confidentiality }; -allow normal_hap_domain normal_hap_domain:process { execmem fork getcap getsched ptrace setcap setsched sigkill }; -allow normal_hap_domain normal_hap_domain:unix_dgram_socket { connect create getopt setopt write }; -allow normal_hap_domain normal_hap_domain:unix_stream_socket { accept bind connect create getopt listen read setopt write }; -allow normal_hap_domain param_watcher:binder { call transfer }; -allow normal_hap_domain priv_hap_domain:binder { call transfer }; -allow normal_hap_domain priv_hap_domain:fd { use }; -allow normal_hap_domain proc_file:dir { mounton search }; -allow normal_hap_domain proc_file:file { open read }; -allow normal_hap_domain proc_file:lnk_file { read }; -allow normal_hap_domain render_service:binder { call transfer }; -allow normal_hap_domain render_service:fd { use }; -allow normal_hap_domain render_service:unix_stream_socket { read read write write }; -allow normal_hap_domain resource_schedule_service:binder { call }; -allow normal_hap_domain rootfs:dir { mounton search }; -allow normal_hap_domain samgr:binder { call }; -allow normal_hap_domain sys_file:dir { mounton open read search }; -allow normal_hap_domain sys_file:file { open read }; -allow normal_hap_domain 
sys_file:lnk_file { read }; -allow normal_hap_domain system_bin_file:dir { search }; -allow normal_hap_domain system_bin_file:file { execute execute_no_trans map read open }; -allow normal_hap_domain system_etc_file:dir { search }; -allow normal_hap_domain system_etc_file:file { getattr map open read }; -allow normal_hap_domain system_file:dir { mounton search }; -allow normal_hap_domain system_fonts_file:dir { search }; -allow normal_hap_domain system_fonts_file:file { getattr map open read }; -allow normal_hap_domain system_lib_file:dir { search }; -allow normal_hap_domain system_lib_file:file { execute getattr map open read }; -allow normal_hap_domain system_usr_file:dir { search }; -allow normal_hap_domain telephony_sa:binder { call }; -allow normal_hap_domain tmpfs:dir { add_name create getattr mounton search write }; -allow normal_hap_domain tmpfs:lnk_file { create read }; -allow normal_hap_domain tracefs:dir { search }; -allow normal_hap_domain tracefs:file { open write }; -allow normal_hap_domain upms:binder { call }; -allowxperm normal_hap_domain data_file:file ioctl { 0xf50c }; -allowxperm normal_hap_domain dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 }; -allowxperm normal_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; -allowxperm normal_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; -allowxperm normal_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; -allowxperm normal_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; -allowxperm normal_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; -allowxperm normal_hap_domain normal_hap_data_file:file ioctl { 0x5413 0xf50c }; diff --git a/sepolicy/base/rk3568/param_watcher.te b/sepolicy/base/rk3568/param_watcher.te index cee6d0d1bee130cb5eabfed18ab95aa0db4ae3f2..1ed5bac1262f7ca2dd50018456fa367ef147de35 100644 
--- a/sepolicy/base/rk3568/param_watcher.te
+++ b/sepolicy/base/rk3568/param_watcher.te
@@ -42,15 +42,15 @@ allow param_watcher init:unix_stream_socket { read write };
 allow param_watcher kernel:fd { use };
 allow param_watcher kernel:unix_stream_socket { connectto };
 allow param_watcher multimodalinput:binder { call };
-allow param_watcher normal_hap_domain:binder { call };
+allow param_watcher normal_hap:binder { call };
 allow param_watcher param_watcher:dir { search };
 allow param_watcher param_watcher:lnk_file { read };
 allow param_watcher param_watcher:process { fork getsched };
 allow param_watcher param_watcher:unix_dgram_socket { connect create write };
 allow param_watcher param_watcher:unix_stream_socket { connect create read write };
 allow param_watcher pinauth_service:binder { call };
-allow param_watcher platform_hap_domain:binder { call };
-allow param_watcher priv_hap_domain:binder { call };
+allow param_watcher system_core_hap:binder { call };
+allow param_watcher system_basic_hap:binder { call };
 allow param_watcher proc_file:dir { search };
 allow param_watcher proc_file:lnk_file { read };
 allow param_watcher render_service:binder { call };
diff --git a/sepolicy/base/rk3568/platform_hap_domain.te b/sepolicy/base/rk3568/platform_hap_domain.te
deleted file mode 100644
index 6f4f73b78f40be91e62e30e860e5ab0feabdc9c4..0000000000000000000000000000000000000000
--- a/sepolicy/base/rk3568/platform_hap_domain.te
+++ /dev/null
@@ -1,87 +0,0 @@ -# Copyright (c) 2022 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the License); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -allow platform_hap_domain accessibility:binder { call transfer }; -allow platform_hap_domain accesstoken_service:binder { call }; -allow platform_hap_domain appspawn:fd { use }; -allow platform_hap_domain appspawn:fifo_file { write }; -allow platform_hap_domain appspawn:unix_dgram_socket { connect write }; -allow platform_hap_domain config_file:dir { mounton }; -allow platform_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; -allow platform_hap_domain data_app_el1_file:file { getattr map open read }; -allow platform_hap_domain data_app_el2_file:dir { search }; -allow platform_hap_domain data_app_file:dir { search }; -allow platform_hap_domain data_file:dir { mounton search }; -allow platform_hap_domain data_service_el2_file:dir { search }; -allow platform_hap_domain debugfs:dir { search }; -allow platform_hap_domain dev_at_file:chr_file { ioctl open read write }; -allow platform_hap_domain dev_binder_file:chr_file { ioctl map open read write }; -allow platform_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; -allow platform_hap_domain dev_dri_file:dir { search }; -allow platform_hap_domain dev_file:chr_file { getattr ioctl map open read write }; -allow platform_hap_domain dev_file:dir { mounton search }; -allow platform_hap_domain dev_null_file:chr_file { ioctl open read write }; -allow 
platform_hap_domain dev_random_file:chr_file { open read }; -allow platform_hap_domain dev_unix_file:dir { search }; -allow platform_hap_domain dev_unix_socket_file:dir { search }; -allow platform_hap_domain dev_unix_socket_file:sock_file { write }; -allow platform_hap_domain display_gralloc_host:binder { call }; -allow platform_hap_domain display_gralloc_host:fd { use }; -allow platform_hap_domain foundation:binder { call transfer }; -allow platform_hap_domain hdf_devmgr:binder { call }; -allow platform_hap_domain hmdfs:dir { mounton search }; -allow platform_hap_domain init:unix_dgram_socket { sendto }; -allow platform_hap_domain inputmethod_service:binder { call transfer }; -allow platform_hap_domain labeledfs:filesystem { unmount }; -allow platform_hap_domain multimodalinput:binder { call }; -allow platform_hap_domain multimodalinput:fd { use }; -allow platform_hap_domain multimodalinput:unix_stream_socket { read write }; -allow platform_hap_domain param_watcher:binder { call transfer }; -allow platform_hap_domain platform_hap_data_file:dir { add_name create mounton open read search write }; -allow platform_hap_domain platform_hap_data_file:file { create getattr ioctl map read write open }; -allow platform_hap_domain platform_hap_domain:capability { setgid setuid sys_admin }; -allow platform_hap_domain platform_hap_domain:dir { search }; -allow platform_hap_domain platform_hap_domain:fifo_file { write }; -allow platform_hap_domain platform_hap_domain:file { open read }; -allow platform_hap_domain platform_hap_domain:lnk_file { read }; -allow platform_hap_domain platform_hap_domain:lockdown { confidentiality }; -allow platform_hap_domain platform_hap_domain:process { fork getsched setcap setsched }; -allow platform_hap_domain platform_hap_domain:unix_dgram_socket { create getopt setopt write }; -allow platform_hap_domain priv_hap_domain:binder { call }; -allow platform_hap_domain proc_file:dir { mounton search }; -allow platform_hap_domain proc_file:lnk_file { 
read }; -allow platform_hap_domain render_service:binder { call transfer }; -allow platform_hap_domain render_service:fd { use }; -allow platform_hap_domain render_service:unix_stream_socket { read write }; -allow platform_hap_domain resource_schedule_service:binder { call }; -allow platform_hap_domain rootfs:dir { mounton search }; -allow platform_hap_domain samgr:binder { call }; -allow platform_hap_domain sys_file:dir { mounton search }; -allow platform_hap_domain system_etc_file:dir { search }; -allow platform_hap_domain system_file:dir { mounton search }; -allow platform_hap_domain system_fonts_file:dir { search }; -allow platform_hap_domain system_fonts_file:file { getattr map open read }; -allow platform_hap_domain system_lib_file:dir { search }; -allow platform_hap_domain system_lib_file:file { execute getattr map open read }; -allow platform_hap_domain system_usr_file:dir { search }; -allow platform_hap_domain tmpfs:dir { add_name create mounton search write }; -allow platform_hap_domain tmpfs:lnk_file { create read }; -allow platform_hap_domain tracefs:dir { search }; -allow platform_hap_domain tracefs:file { open write }; -allow platform_hap_domain upms:binder { call }; -allowxperm platform_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; -allowxperm platform_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; -allowxperm platform_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; -allowxperm platform_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; -allowxperm platform_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; -allowxperm platform_hap_domain platform_hap_data_file:file ioctl { 0x5413 }; 
diff --git a/sepolicy/base/rk3568/priv_hap_domain.te b/sepolicy/base/rk3568/priv_hap_domain.te
deleted file mode 100644
index 2a6c97facdd9411575918e98bca8fffd9a5a0841..0000000000000000000000000000000000000000
--- a/sepolicy/base/rk3568/priv_hap_domain.te
+++ /dev/null
@@ -1,116 +0,0 @@ -# Copyright (c) 2022 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the License); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -allow priv_hap_domain accessibility:binder { call transfer }; -allow priv_hap_domain accountmgr:binder { call transfer }; -allow priv_hap_domain appspawn_exec:file { getattr map open read }; -allow priv_hap_domain appspawn:fd { use }; -allow priv_hap_domain appspawn:fifo_file { write }; -allow priv_hap_domain appspawn:unix_dgram_socket { connect write }; -allow priv_hap_domain audio_policy:binder { call transfer }; -allow priv_hap_domain bluetooth_service:binder { call transfer }; -allow priv_hap_domain config_file:dir { mounton }; -allow priv_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; -allow priv_hap_domain data_app_el1_file:file { getattr map open read }; -allow priv_hap_domain data_app_el2_file:dir { search }; -allow priv_hap_domain data_app_file:dir { search }; -allow priv_hap_domain data_file:dir { add_name getattr mounton open read remove_name search write }; -allow priv_hap_domain data_file:file { create getattr ioctl lock map open read read write rename setattr unlink write open }; -allow priv_hap_domain data_log:file { read read write write }; -allow priv_hap_domain data_service_el2_file:dir { search }; -allow priv_hap_domain debugfs:dir { search }; -allow priv_hap_domain dev_ashmem_file:chr_file { getattr ioctl map open read write }; -allow priv_hap_domain dev_at_file:chr_file { ioctl open read write 
}; -allow priv_hap_domain dev_binder_file:chr_file { ioctl map open read write }; -allow priv_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; -allow priv_hap_domain dev_dri_file:dir { search }; -allow priv_hap_domain dev_file:chr_file { getattr ioctl map open read write }; -allow priv_hap_domain dev_file:dir { mounton search }; -allow priv_hap_domain dev_null_file:chr_file { ioctl open read write }; -allow priv_hap_domain dev_parameters_file:dir { search }; -allow priv_hap_domain dev_parameters_file:file { map open read }; -allow priv_hap_domain dev_random_file:chr_file { open read }; -allow priv_hap_domain dev_unix_file:dir { search }; -allow priv_hap_domain dev_unix_socket_file:dir { search }; -allow priv_hap_domain dev_unix_socket_file:sock_file { write }; -allow priv_hap_domain display_gralloc_host:binder { call }; -allow priv_hap_domain display_gralloc_host:fd { use }; -allow priv_hap_domain faultloggerd:fd { use }; -allow priv_hap_domain faultloggerd:unix_stream_socket { connectto }; -allow priv_hap_domain foundation:binder { call transfer }; -allow priv_hap_domain hdf_devmgr:binder { call }; -allow priv_hap_domain hiview:binder { call }; -allow priv_hap_domain hmdfs:dir { mounton search }; -allow priv_hap_domain init:unix_dgram_socket { sendto }; -allow priv_hap_domain inputmethod_service:binder { call transfer }; -allow priv_hap_domain kernel:unix_stream_socket { connectto }; -allow priv_hap_domain labeledfs:filesystem { unmount }; -allow priv_hap_domain media_service:binder { call transfer }; -allow priv_hap_domain multimodalinput:binder { call }; -allow priv_hap_domain multimodalinput:fd { use }; -allow priv_hap_domain multimodalinput:unix_stream_socket { read read write write }; -allow priv_hap_domain normal_hap_domain:binder { call transfer }; -allow priv_hap_domain param_watcher:binder { call transfer }; -allow priv_hap_domain priv_hap_data_file:dir { add_name create mounton open read search write }; -allow priv_hap_domain 
priv_hap_data_file:file { create getattr ioctl map read write open }; -allow priv_hap_domain priv_hap_domain:binder { call transfer }; -allow priv_hap_domain priv_hap_domain:capability { setgid setuid sys_admin }; -allow priv_hap_domain priv_hap_domain:dir { getattr open read search }; -allow priv_hap_domain priv_hap_domain:fifo_file { read write }; -allow priv_hap_domain priv_hap_domain:file { getattr open read write }; -allow priv_hap_domain priv_hap_domain:lnk_file { read }; -allow priv_hap_domain priv_hap_domain:lockdown { confidentiality }; -allow priv_hap_domain priv_hap_domain:process { execmem fork getcap getsched ptrace setcap setsched sigkill }; -allow priv_hap_domain priv_hap_domain:unix_dgram_socket { connect create getopt setopt write }; -allow priv_hap_domain priv_hap_domain:unix_stream_socket { connect create read setopt write }; -allow priv_hap_domain proc_file:dir { mounton search }; -allow priv_hap_domain proc_file:file { open read }; -allow priv_hap_domain proc_file:lnk_file { read }; -allow priv_hap_domain pulseaudio:binder { call }; -allow priv_hap_domain render_service:binder { call transfer }; -allow priv_hap_domain render_service:fd { use }; -allow priv_hap_domain render_service:unix_stream_socket { read read write write }; -allow priv_hap_domain resource_schedule_service:binder { call }; -allow priv_hap_domain rootfs:dir { mounton search }; -allow priv_hap_domain samgr:binder { call }; -allow priv_hap_domain sys_file:dir { mounton open read search }; -allow priv_hap_domain sys_file:file { open read }; -allow priv_hap_domain sys_file:lnk_file { read }; -allow priv_hap_domain system_bin_file:dir { search }; -allow priv_hap_domain system_bin_file:file { execute execute_no_trans map read open }; -allow priv_hap_domain system_etc_file:dir { search }; -allow priv_hap_domain system_etc_file:file { getattr map open read }; -allow priv_hap_domain system_file:dir { mounton search }; -allow priv_hap_domain system_fonts_file:dir { search }; -allow 
priv_hap_domain system_fonts_file:file { getattr map open read }; -allow priv_hap_domain system_lib_file:dir { search }; -allow priv_hap_domain system_lib_file:file { execute getattr map open read }; -allow priv_hap_domain system_usr_file:dir { search }; -allow priv_hap_domain telephony_sa:binder { call }; -allow priv_hap_domain tmpfs:dir { add_name create getattr mounton search write }; -allow priv_hap_domain tmpfs:filesystem { getattr }; -allow priv_hap_domain tmpfs:lnk_file { create read }; -allow priv_hap_domain tracefs:dir { search }; -allow priv_hap_domain tracefs:file { open write }; -allow priv_hap_domain upms:binder { call }; -allow priv_hap_domain usb_service:binder { call }; -allow priv_hap_domain useriam:binder { call transfer }; -allow priv_hap_domain wifi_manager_service:binder { call transfer }; -allowxperm priv_hap_domain data_file:file ioctl { 0x5413 0xf50c }; -allowxperm priv_hap_domain dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 }; -allowxperm priv_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; -allowxperm priv_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; -allowxperm priv_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; -allowxperm priv_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; -allowxperm priv_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; -allowxperm priv_hap_domain priv_hap_data_file:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/render_service.te b/sepolicy/base/rk3568/render_service.te index 292f5f8f1bb605ba3d8ec0cba4907acbf9a01f77..2723bcdda11f0457a0928de5c0536dc1baa50691 100644 --- a/sepolicy/base/rk3568/render_service.te +++ b/sepolicy/base/rk3568/render_service.te 
@@ -43,10 +43,10 @@ allow render_service init:unix_dgram_socket { sendto };
 allow render_service init:unix_stream_socket { read write };
 allow render_service kernel:fd { use };
 allow render_service lib_file:lnk_file { read };
-allow render_service normal_hap_domain:binder { call transfer };
+allow render_service normal_hap:binder { call transfer };
 allow render_service param_watcher:binder { call transfer };
-allow render_service platform_hap_domain:binder { call transfer };
-allow render_service priv_hap_domain:binder { call transfer };
+allow render_service system_core_hap:binder { call transfer };
+allow render_service system_basic_hap:binder { call transfer };
 allow render_service proc_file:dir { search };
 allow render_service proc_file:file { open read };
 allow render_service proc_file:lnk_file { read };
diff --git a/sepolicy/base/rk3568/samgr.te b/sepolicy/base/rk3568/samgr.te
index 5c9f389b0f678393c8e247083e94db84240c7e0e..6d05f3322c85f3813d3cb21c113514477aaacd53 100644
--- a/sepolicy/base/rk3568/samgr.te
+++ b/sepolicy/base/rk3568/samgr.te
@@ -65,12 +65,12 @@ allow samgr media_service:binder { call transfer };
 allow samgr memmgrservice:binder { call transfer };
 allow samgr multimodalinput:binder { call transfer };
 allow samgr netmanager:binder { call transfer };
-allow samgr normal_hap_domain:binder { transfer };
+allow samgr normal_hap:binder { transfer };
 allow samgr param_watcher:binder { call };
 allow samgr pinauth_service:binder { call transfer };
-allow samgr platform_hap_domain:binder { transfer };
+allow samgr system_core_hap:binder { transfer };
 allow samgr power_host:binder { transfer };
-allow samgr priv_hap_domain:binder { transfer };
+allow samgr system_basic_hap:binder { transfer };
 allow samgr proc_file:dir { search };
 allow samgr proc_file:lnk_file { read };
 allow samgr pulseaudio:binder { call transfer };
diff --git a/sepolicy/base/rk3568/system_basic_hap.te b/sepolicy/base/rk3568/system_basic_hap.te
new file mode 100644
index 0000000000000000000000000000000000000000..57f8663710bf3918c1765f47f03314f128796092
--- /dev/null
+++ b/sepolicy/base/rk3568/system_basic_hap.te
@@ -0,0 +1,116 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the License);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow system_basic_hap accessibility:binder { call transfer };
+allow system_basic_hap accountmgr:binder { call transfer };
+allow system_basic_hap appspawn_exec:file { getattr map open read };
+allow system_basic_hap appspawn:fd { use };
+allow system_basic_hap appspawn:fifo_file { write };
+allow system_basic_hap appspawn:unix_dgram_socket { connect write };
+allow system_basic_hap audio_policy:binder { call transfer };
+allow system_basic_hap bluetooth_service:binder { call transfer };
+allow system_basic_hap config_file:dir { mounton };
+allow system_basic_hap data_app_el1_file:dir { add_name create mounton open read search setattr write };
+allow system_basic_hap data_app_el1_file:file { getattr map open read };
+allow system_basic_hap data_app_el2_file:dir { search };
+allow system_basic_hap data_app_file:dir { search };
+allow system_basic_hap data_file:dir { add_name getattr mounton open read remove_name search write };
+allow system_basic_hap data_file:file { create getattr ioctl lock map open read read write rename setattr unlink write open };
+allow system_basic_hap data_log:file { read read write write };
+allow system_basic_hap data_service_el2_file:dir { search };
+allow system_basic_hap debugfs:dir { search };
+allow system_basic_hap dev_ashmem_file:chr_file { getattr ioctl map open read write };
+allow system_basic_hap dev_at_file:chr_file { ioctl open read write };
+allow system_basic_hap dev_binder_file:chr_file { ioctl map open read write };
+allow system_basic_hap dev_dri_file:chr_file { getattr ioctl open read write };
+allow system_basic_hap dev_dri_file:dir { search };
+allow system_basic_hap dev_file:chr_file { getattr ioctl map open read write };
+allow system_basic_hap dev_file:dir { mounton search };
+allow system_basic_hap dev_null_file:chr_file { ioctl open read write };
+allow system_basic_hap dev_parameters_file:dir { search };
+allow system_basic_hap dev_parameters_file:file { map open read };
+allow system_basic_hap dev_random_file:chr_file { open read };
+allow system_basic_hap dev_unix_file:dir { search };
+allow system_basic_hap dev_unix_socket_file:dir { search };
+allow system_basic_hap dev_unix_socket_file:sock_file { write };
+allow system_basic_hap display_gralloc_host:binder { call };
+allow system_basic_hap display_gralloc_host:fd { use };
+allow system_basic_hap faultloggerd:fd { use };
+allow system_basic_hap faultloggerd:unix_stream_socket { connectto };
+allow system_basic_hap foundation:binder { call transfer };
+allow system_basic_hap hdf_devmgr:binder { call };
+allow system_basic_hap hiview:binder { call };
+allow system_basic_hap hmdfs:dir { mounton search };
+allow system_basic_hap init:unix_dgram_socket { sendto };
+allow system_basic_hap inputmethod_service:binder { call transfer };
+allow system_basic_hap kernel:unix_stream_socket { connectto };
+allow system_basic_hap labeledfs:filesystem { unmount };
+allow system_basic_hap media_service:binder { call transfer };
+allow system_basic_hap multimodalinput:binder { call };
+allow system_basic_hap multimodalinput:fd { use };
+allow system_basic_hap multimodalinput:unix_stream_socket { read read write write };
+allow system_basic_hap normal_hap:binder { call transfer };
+allow system_basic_hap param_watcher:binder { call transfer };
+allow system_basic_hap system_basic_hap_data_file:dir { add_name create mounton open read search write };
+allow system_basic_hap system_basic_hap_data_file:file { create getattr ioctl map read write open };
+allow system_basic_hap system_basic_hap:binder { call transfer };
+allow system_basic_hap system_basic_hap:capability { setgid setuid sys_admin };
+allow system_basic_hap system_basic_hap:dir { getattr open read search };
+allow system_basic_hap system_basic_hap:fifo_file { read write };
+allow system_basic_hap system_basic_hap:file { getattr open read write };
+allow system_basic_hap system_basic_hap:lnk_file { read };
+allow system_basic_hap system_basic_hap:lockdown { confidentiality };
+allow system_basic_hap system_basic_hap:process { execmem fork getcap getsched ptrace setcap setsched sigkill };
+allow system_basic_hap system_basic_hap:unix_dgram_socket { connect create getopt setopt write };
+allow system_basic_hap system_basic_hap:unix_stream_socket { connect create read setopt write };
+allow system_basic_hap proc_file:dir { mounton search };
+allow system_basic_hap proc_file:file { open read };
+allow system_basic_hap proc_file:lnk_file { read };
+allow system_basic_hap pulseaudio:binder { call };
+allow system_basic_hap render_service:binder { call transfer };
+allow system_basic_hap render_service:fd { use };
+allow system_basic_hap render_service:unix_stream_socket { read read write write };
+allow system_basic_hap resource_schedule_service:binder { call };
+allow system_basic_hap rootfs:dir { mounton search };
+allow system_basic_hap samgr:binder { call };
+allow system_basic_hap sys_file:dir { mounton open read search };
+allow system_basic_hap sys_file:file { open read };
+allow system_basic_hap sys_file:lnk_file { read };
+allow system_basic_hap system_bin_file:dir { search };
+allow system_basic_hap system_bin_file:file { execute execute_no_trans map read open };
+allow system_basic_hap system_etc_file:dir { search };
+allow system_basic_hap system_etc_file:file { getattr map open read };
+allow system_basic_hap system_file:dir { mounton search };
+allow system_basic_hap system_fonts_file:dir { search };
+allow system_basic_hap system_fonts_file:file { getattr map open read };
+allow system_basic_hap system_lib_file:dir { search };
+allow system_basic_hap system_lib_file:file { execute getattr map open read };
+allow system_basic_hap system_usr_file:dir { search };
+allow system_basic_hap telephony_sa:binder { call };
+allow system_basic_hap tmpfs:dir { add_name create getattr mounton search write };
+allow system_basic_hap tmpfs:filesystem { getattr };
+allow system_basic_hap tmpfs:lnk_file { create read };
+allow system_basic_hap tracefs:dir { search };
+allow system_basic_hap tracefs:file { open write };
+allow system_basic_hap upms:binder { call };
+allow system_basic_hap usb_service:binder { call };
+allow system_basic_hap useriam:binder { call transfer };
+allow system_basic_hap wifi_manager_service:binder { call transfer };
+allowxperm system_basic_hap data_file:file ioctl { 0x5413 0xf50c };
+allowxperm system_basic_hap dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 };
+allowxperm system_basic_hap dev_at_file:chr_file ioctl { 0x4101 };
+allowxperm system_basic_hap dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f };
+allowxperm system_basic_hap dev_dri_file:chr_file ioctl { 0x641f };
+allowxperm system_basic_hap dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d };
+allowxperm system_basic_hap dev_null_file:chr_file ioctl { 0x5413 };
+allowxperm system_basic_hap system_basic_hap_data_file:file ioctl { 0x5413 };
diff --git a/sepolicy/base/rk3568/system_core_hap.te b/sepolicy/base/rk3568/system_core_hap.te
new file mode 100644
index 0000000000000000000000000000000000000000..30c6a6eda62a5df63d32c9e25c4157eb6350f312
--- /dev/null
+++ b/sepolicy/base/rk3568/system_core_hap.te
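Review bot: The self rule `allow system_basic_hap system_basic_hap:capability { setgid setuid sys_admin };` in the new system_basic_hap.te, together with the `process` self rule that includes `execmem` and `ptrace`, gives an application domain CAP_SYS_ADMIN, identity changes and writable-executable memory with no stated reason; both appear to be carried over unchanged from the deleted priv_hap_domain.te. The many `mounton` grants in the same file suggest these capabilities are only needed while the sandbox is set up at spawn time, but that is an inference from the rules, not something the diff states. If that is the case, the grants fit better on the spawning domain or behind a domain transition than on the running app. At minimum I would add a comment above the capability rule, for example `# sys_admin/setuid/setgid: needed by <component> during <step>; review for removal`, so a later audit can tell intended grants from recorded denials. The same capability rule appears in the system_core_hap.te hunk that follows, which continues past the visible part of the diff.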
@@ -0,0 +1,87 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the License);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow system_core_hap accessibility:binder { call transfer };
+allow system_core_hap accesstoken_service:binder { call };
+allow system_core_hap appspawn:fd { use };
+allow system_core_hap appspawn:fifo_file { write };
+allow system_core_hap appspawn:unix_dgram_socket { connect write };
+allow system_core_hap config_file:dir { mounton };
+allow system_core_hap data_app_el1_file:dir { add_name create mounton open read search setattr write };
+allow system_core_hap data_app_el1_file:file { getattr map open read };
+allow system_core_hap data_app_el2_file:dir { search };
+allow system_core_hap data_app_file:dir { search };
+allow system_core_hap data_file:dir { mounton search };
+allow system_core_hap data_service_el2_file:dir { search };
+allow system_core_hap debugfs:dir { search };
+allow system_core_hap dev_at_file:chr_file { ioctl open read write };
+allow system_core_hap dev_binder_file:chr_file { ioctl map open read write };
+allow system_core_hap dev_dri_file:chr_file { getattr ioctl open read write };
+allow system_core_hap dev_dri_file:dir { search };
+allow system_core_hap dev_file:chr_file { getattr ioctl map open read write };
+allow system_core_hap dev_file:dir { mounton search };
+allow system_core_hap dev_null_file:chr_file { ioctl open read write };
+allow system_core_hap dev_random_file:chr_file { open read };
+allow system_core_hap dev_unix_file:dir { search };
+allow system_core_hap dev_unix_socket_file:dir { search };
+allow system_core_hap dev_unix_socket_file:sock_file { write };
+allow system_core_hap display_gralloc_host:binder { call };
+allow system_core_hap display_gralloc_host:fd { use };
+allow system_core_hap foundation:binder { call transfer };
+allow system_core_hap hdf_devmgr:binder { call };
+allow system_core_hap hmdfs:dir { mounton search };
+allow system_core_hap init:unix_dgram_socket { sendto };
+allow system_core_hap inputmethod_service:binder { call transfer };
+allow system_core_hap labeledfs:filesystem { unmount };
+allow system_core_hap multimodalinput:binder { call };
+allow system_core_hap multimodalinput:fd { use };
+allow system_core_hap multimodalinput:unix_stream_socket { read write };
+allow system_core_hap param_watcher:binder { call transfer };
+allow system_core_hap system_core_hap_data_file:dir { add_name create mounton open read search write };
+allow system_core_hap system_core_hap_data_file:file { create getattr ioctl map read write open };
+allow system_core_hap system_core_hap:capability { setgid setuid sys_admin };
+allow system_core_hap system_core_hap:dir { search };
+allow system_core_hap system_core_hap:fifo_file { write };
+allow system_core_hap system_core_hap:file { open read };
+allow system_core_hap system_core_hap:lnk_file { read };
+allow system_core_hap system_core_hap:lockdown { confidentiality };
+allow system_core_hap system_core_hap:process { fork getsched setcap setsched };
+allow system_core_hap system_core_hap:unix_dgram_socket { create getopt setopt write };
+allow system_core_hap system_basic_hap:binder { call };
+allow system_core_hap proc_file:dir { mounton search };
+allow system_core_hap proc_file:lnk_file { read };
+allow system_core_hap render_service:binder { call transfer };
+allow system_core_hap render_service:fd { use };
+allow system_core_hap render_service:unix_stream_socket { read write };
+allow system_core_hap resource_schedule_service:binder { call };
+allow system_core_hap rootfs:dir { mounton search };
+allow system_core_hap samgr:binder { call };
+allow system_core_hap sys_file:dir { mounton search };
+allow system_core_hap system_etc_file:dir { search };
+allow system_core_hap system_file:dir { mounton search };
+allow system_core_hap system_fonts_file:dir { search };
+allow system_core_hap system_fonts_file:file { getattr map open read };
+allow system_core_hap system_lib_file:dir { search };
+allow system_core_hap system_lib_file:file { execute getattr map open read };
+allow system_core_hap system_usr_file:dir { search };
+allow system_core_hap tmpfs:dir { add_name create mounton search write };
+allow system_core_hap tmpfs:lnk_file { create read };
+allow system_core_hap tracefs:dir { search };
+allow system_core_hap tracefs:file { open write };
+allow system_core_hap upms:binder { call };
+allowxperm system_core_hap dev_at_file:chr_file ioctl { 0x4101 };
+allowxperm system_core_hap dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f };
+allowxperm system_core_hap dev_dri_file:chr_file ioctl { 0x641f };
+allowxperm system_core_hap dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d };
+allowxperm system_core_hap dev_null_file:chr_file ioctl { 0x5413 };
+allowxperm system_core_hap system_core_hap_data_file:file ioctl { 0x5413 };
diff --git a/sepolicy/base/rk3568/useriam.te b/sepolicy/base/rk3568/useriam.te
index 10b1dc12b1f5d40193123fe7209304a0b948082f..09dc0e08f3bb37d7bdc6029ba63278328f7c313a 100644
--- a/sepolicy/base/rk3568/useriam.te
+++ b/sepolicy/base/rk3568/useriam.te
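Review bot: `allow system_core_hap system_core_hap:capability { setgid setuid sys_admin };`, together with `mounton` on rootfs, dev_file, proc_file, sys_file, system_file, data_file and tmpfs and `labeledfs:filesystem { unmount }`, lets the application domain itself change identity and rearrange its mount namespace, which is far more than a running HAP should hold. The uncommented rule list reads like recorded start-up denials, so these permissions are presumably only exercised while the spawner builds the sandbox; if that is the case the setup belongs in the spawner's domain before the transition, and until then the rules should carry a comment such as `# needed only while the sandbox is built after the domain transition; drop once setup runs in the spawner domain`. The same grants appear in the system_basic_hap rules earlier in this diff, which additionally allow `execmem` and `ptrace` on self and list `{ read read write write }` with duplicated permissions. `tracefs:file { open write }` and the broad `dev_file:chr_file` ioctl allowlist are granted on generic labels, so a dedicated type for the specific trace file and device nodes would keep the allowlist from covering every node that inherits the default label.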
@@ -33,7 +33,7 @@ allow useriam init:unix_stream_socket { read write };
 allow useriam kernel:fd { use };
 allow useriam kernel:unix_stream_socket { connectto };
 allow useriam pinauth_service:binder { call transfer };
-allow useriam priv_hap_domain:binder { call };
+allow useriam system_basic_hap:binder { call };
 allow useriam proc_file:dir { search };
 allow useriam proc_file:lnk_file { read };
 allow useriam rootfs:dir { search };
diff --git a/sepolicy/base/rk3568/wifi_manager_service.te b/sepolicy/base/rk3568/wifi_manager_service.te
index 108fde127392b41582874bd78fba94c21493b532..c0627aac7871aafa341b35963f915e3a8e418d5f 100644
--- a/sepolicy/base/rk3568/wifi_manager_service.te
+++ b/sepolicy/base/rk3568/wifi_manager_service.te
@@ -36,7 +36,7 @@ allow wifi_manager_service init:unix_stream_socket { read write };
 allow wifi_manager_service kernel:fd { use };
 allow wifi_manager_service lib_file:lnk_file { read };
 allow wifi_manager_service netmanager:binder { call transfer };
-allow wifi_manager_service priv_hap_domain:binder { call };
+allow wifi_manager_service system_basic_hap:binder { call };
 allow wifi_manager_service proc_file:dir { search };
 allow wifi_manager_service proc_file:lnk_file { read };
 allow wifi_manager_service rootfs:dir { search };
diff --git a/sepolicy/sehap_contexts b/sepolicy/sehap_contexts
index 02ea19bfe6e31636dc6c4858058726859a894b1b..a2a4263f9b5e601fe3c4e6c31184adb4aebec7f9 100644
--- a/sepolicy/sehap_contexts
+++ b/sepolicy/sehap_contexts
@@ -11,6 +11,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -apl=system_core domain=platform_hap_domain type=platform_hap_data_file -apl=system_basic domain=priv_hap_domain type=priv_hap_data_file -apl=normal domain=normal_hap_domain type=normal_hap_data_file +apl=system_core domain=system_core_hap type=system_core_hap_data_file +apl=system_basic domain=system_basic_hap type=system_basic_hap_data_file +apl=normal domain=normal_hap type=normal_hap_data_file diff --git a/test/unittest/src/selinux_unit_test.cpp b/test/unittest/src/selinux_unit_test.cpp index 54048aee47a01b97957cc47617cfabbb64e638f8..db87bdcb3ed6db011035e2f20ab564f2c65600ac 100644 --- a/test/unittest/src/selinux_unit_test.cpp +++ b/test/unittest/src/selinux_unit_test.cpp @@ -751,7 +751,7 @@ HWTEST_F(SelinuxUnitTest, GetParamLabel001, TestSize.Level1) ASSERT_EQ(-SELINUX_ARG_INVALID, GetParamLabel(para.c_str(), &context)); } - ASSERT_EQ(-SELINUX_KEY_NOT_FOUND, GetParamLabel(TEST_NOT_EXIST_PARA_NAME.c_str(), &context)); + ASSERT_EQ(SELINUX_SUCC, GetParamLabel(TEST_NOT_EXIST_PARA_NAME.c_str(), &context)); if (!context) { free(context); }
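Review bot: In the selinux_unit_test.cpp hunk the lookup of `TEST_NOT_EXIST_PARA_NAME` is now expected to return `SELINUX_SUCC`, but nothing asserts which label comes back, so a fallback to an unexpectedly permissive default context would pass unnoticed. Add a check right after the call, for example `ASSERT_STREQ(EXPECTED_DEFAULT_PARAM_LABEL, context);`, where `EXPECTED_DEFAULT_PARAM_LABEL` is a placeholder for whatever default the policy defines. The unchanged cleanup just below, `if (!context) { free(context); }`, has its condition inverted; with the success path now presumably handing back an allocated label it is never freed, and the line should read `if (context != nullptr) { free(context); }`. The test body begins above the hunk and its end is not visible here.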