From 4345e68bfc8968af0f673136fedf86661733fed2 Mon Sep 17 00:00:00 2001
From: lizeqiang
Date: Tue, 12 Aug 2025 15:39:40 +0800
Subject: [PATCH 1/3] dual core code sync

Signed-off-by: lizeqiang
---
 sepolicy/base/public/parameter.te | 1 +
 sepolicy/base/public/parameter_contexts | 1 +
 .../ohos_policy/startup/appspawn/system/appspawn.te | 10 ++++++++++
 3 files changed, 12 insertions(+)

diff --git a/sepolicy/base/public/parameter.te b/sepolicy/base/public/parameter.te
index e3f56fd79..93d985097 100644
--- a/sepolicy/base/public/parameter.te
+++ b/sepolicy/base/public/parameter.te
@@ -69,6 +69,7 @@ type print_param, parameter_attr;
 type i18n_param, parameter_attr;
 type const_i18n_param, parameter_attr;
 type hichecker_writable_param, parameter_attr;
+type webengine_param, parameter_attr;
 # avc: denied { relabelfrom } for pid=1 comm="init" path="/dev/__paramerters__/u:object_r:hilog_private_param:s0" dev=""ino=218 scontext=u:r:init:s0 tcontext=u:object_r:hilog_private_param:s0 tclass=file permissive=0
 allow init parameter_attr:file { relabelto relabelfrom };
 allow parameter_attr tmpfs:filesystem associate;
diff --git a/sepolicy/base/public/parameter_contexts b/sepolicy/base/public/parameter_contexts
index ed8915818..d3fb87108 100644
--- a/sepolicy/base/public/parameter_contexts
+++ b/sepolicy/base/public/parameter_contexts
@@ -75,3 +75,4 @@ accesstoken.permission. u:object_r:accesstoken_perm_param:s0
 persist.bluetooth. u:object_r:bluetooth_param:s0
 persist.global. u:object_r:i18n_param:s0
 const.global. u:object_r:const_i18n_param:s0
+web.engine. u:object_r:webengine_param:s0
\ No newline at end of file
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index e4261689c..ebb77f2b6 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
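Review bot: The new `web.engine.` entry in parameter_contexts labels the whole prefix, while the denials quoted in appspawn.te in this same patch name only `web.engine.default` and `web.engine.enforce`. Any parameter later created under `web.engine.` will inherit `webengine_param`, and with it appspawn's `set` permission and the read access granted to the app and renderer domains. If only those two names are intended, list them instead of the prefix, or record the reservation where the type is declared in parameter.te, e.g. `# webengine_param: all web.engine.* parameters, set by appspawn only`. The added line is also the file's last and has no trailing newline (`\ No newline at end of file`), so the next appended entry will show up as a rewrite of this one; end the file with a newline.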
@@ -260,3 +260,13 @@ allow appspawn dev_kmsg_file:chr_file { open write };
 
 # for create hybridspawn socket
 allow appspawn init:unix_stream_socket { accept getattr getopt listen };
+
+#avc: denied { read } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
+#avc: denied { open } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
+#avc: denied { getattr } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
+allow appspawn update_param_install_file_system:file { read open getattr };
+
+# avc: denied { set } for parameter=web.engine.default pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
+# avc: denied { set } for parameter=web.engine.enforce pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
+allow appspawn webengine_param:parameter_service { set };
+allow { hap_domain isolated_render appspawn init } webengine_param:file { map open read };
-- 
Gitee

From 057387e2100adb33a34738e158e808941296c922 Mon Sep 17 00:00:00 2001
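Review bot: The last added rule, `allow { hap_domain isolated_render appspawn init } webengine_param:file { map open read };`, is the only new rule with no quoted denial; the two `set` denials above it justify only appspawn writing the parameter. Every other rule in this hunk carries its log line, so add a comment saying why each source domain needs the value, e.g. `# <why hap_domain / isolated_render / init read web.engine.*>; avc: <denial log>`. PATCH 2/3 widens the same set with `isolated_gpu`, again without a log. Separately, the three denials behind `allow appspawn update_param_install_file_system:file { read open getattr };` were captured with `permissive=1`, so confirm on an enforcing build that appspawn really needs to read that file under `/data/service/el1/public/update/` before granting it.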
From: lizeqiang
Date: Tue, 12 Aug 2025 15:44:07 +0800
Subject: [PATCH 2/3] dual core code sync

Signed-off-by: lizeqiang
---
 sepolicy/ohos_policy/startup/appspawn/system/appspawn.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index ebb77f2b6..70b3388f3 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
@@ -269,4 +269,4 @@ allow appspawn update_param_install_file_system:file { read open getattr };
 # avc: denied { set } for parameter=web.engine.default pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 # avc: denied { set } for parameter=web.engine.enforce pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 allow appspawn webengine_param:parameter_service { set };
-allow { hap_domain isolated_render appspawn init } webengine_param:file { map open read };
+allow { hap_domain isolated_render appspawn init isolated_gpu } webengine_param:file { map open read };
-- 
Gitee

From 07095debbb5acb883c6c54d88ec9dbf2155f0312 Mon Sep 17 00:00:00 2001
From: lizeqiang
Date: Wed, 13 Aug 2025 14:19:55 +0800
Subject: [PATCH 3/3] dual core code sync - revert some modify

Signed-off-by: lizeqiang
---
 sepolicy/ohos_policy/startup/appspawn/system/appspawn.te | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index 70b3388f3..50ee43056 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
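Review bot: Nothing in the series pins who may write `webengine_param`, and with `isolated_gpu` added on the changed line it now has five reader domains against one writer. The readers include app, renderer and GPU process domains, so a later rule that lets one of them `set` the parameter would let that process influence engine selection for the others. A `neverallow` beside the existing `set` rule would make such a change fail at policy build time, e.g. `neverallow { domain -appspawn -init } webengine_param:parameter_service set;`. This assumes the tree's usual `domain` attribute and that init is a legitimate writer; adjust the exclusions to the real writer set.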
@@ -261,12 +261,8 @@ allow appspawn dev_kmsg_file:chr_file { open write };
 # for create hybridspawn socket
 allow appspawn init:unix_stream_socket { accept getattr getopt listen };
 
-#avc: denied { read } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
-#avc: denied { open } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
-#avc: denied { getattr } for pid=25920, comm="/system/bin/appspawn" path="/data/service/el1/public/update/param_service/install/system/etc/ArkWebSafeBrowsing/generic/ArkWebCoreCfg.json" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=118368 scontext=u:r:appspawn:s0 tcontext=u:object_r:update_param_install_file_system:s0 tclass=file permissive=1
-allow appspawn update_param_install_file_system:file { read open getattr };
-
 # avc: denied { set } for parameter=web.engine.default pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 # avc: denied { set } for parameter=web.engine.enforce pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 allow appspawn webengine_param:parameter_service { set };
 allow { hap_domain isolated_render appspawn init isolated_gpu } webengine_param:file { map open read };
+
-- 
Gitee