From a0699b65bdacd474361b57ee8402f19a7ab13c85 Mon Sep 17 00:00:00 2001
From: wanghongen
Date: Thu, 14 Aug 2025 21:27:45 +0800
Subject: [PATCH 1/5] security devhost

Signed-off-by: wanghongen
---
 .../bootanimation/system/bootanimation.te | 1 +
 .../ohos_policy/developtools/ebpf/system/hiebpf.te | 2 ++
 .../developtools/hiperf/system/hiperf.te | 2 ++
 .../developtools/smartperf/system/netmanager.te | 1 +
 .../device_profile_core/system/deviceprofile.te | 2 +-
 .../drivers/adapter/vendor/hdf_devhost.te | 14 ++++++++++++++
 .../peripheral/camera/vendor/camera_host.te | 1 +
 .../drivers/peripheral/codec/vendor/codec_host.te | 2 ++
 .../peripheral/display/vendor/composer_host.te | 2 ++
 .../intelligent_voice/vendor/intell_voice_host.te | 2 ++
 .../peripheral/useriam/vendor/face_auth_host.te | 2 ++
 .../useriam/vendor/fingerprint_auth_host.te | 2 ++
 .../peripheral/useriam/vendor/pin_auth_host.te | 2 ++
 .../storage_service/public/storage_daemon.te | 1 +
 .../storage_service/system/kernel.te | 2 ++
 .../ohos_policy/graphic/graphic/system/graphic.te | 1 +
 .../hiviewdfx/faultloggerd/system/processdump.te | 2 ++
 .../ohos_policy/hiviewdfx/hilog/system/hilogd.te | 3 +++
 .../msdp/devicestatus/system/msdp_sa.te | 2 ++
 sepolicy/ohos_policy/security/huks/system/huks.te | 2 +-
 .../security_guard/system/security_collector.te | 1 +
 .../security_guard/system/security_guard.te | 2 ++
 sepolicy/ohos_policy/startup/init/system/init.te | 2 ++
 .../ohos_policy/tee/tee_client/system/cadaemon.te | 3 ++-
 .../ohos_policy/tee/tee_client/vendor/teecd.te | 3 ++-
 .../telephony_sa/system/riladapter_host.te | 2 ++
 .../update/updater_sa/system/updater_sa.te | 2 +-
 .../usb/usb_manager/system/usb_service.te | 1 +
 28 files changed, 59 insertions(+), 5 deletions(-)
 create mode 100644 sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te

diff --git a/sepolicy/ohos_policy/bootanimation/system/bootanimation.te b/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
index 9c23ba60c..27d1736a3 100644
--- a/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
+++ b/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
@@ -18,3 +18,4 @@ allow bootanimation data_service_file:dir { search };
 allow bootanimation edm_config_file:dir { search };
 allow bootanimation edm_config_file:file { getattr read open };
 allow bootanimation devinfo_type_param:file { open read map };
+allow bootanimation hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
index f2ec6f333..99ab0c9e7 100644
--- a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
+++ b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
@@ -83,3 +83,5 @@ allow hiebpf tracefs:file { open read write };
 allow hiebpf powermgr:dir search;
 allow hiebpf powermgr:file { getattr open read };
+allow hiebpf hdf_devhost_exec:dir { search };
+allow hiebpf hdf_devhost_exec:file { getattr map open read };
diff --git a/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te b/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
index 1d85e43dd..a05146b7b 100644
--- a/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
+++ b/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
@@ -118,6 +118,7 @@ allow hiperf proc_cpuinfo_file:file { open read };
 allow hiperf sysfs_devices_system_cpu:file { open read };
 allow hiperf uinput_inject_exec:file { getattr map open read };
 allow hiperf vendor_bin_file:dir search;
+allow hiperf hdf_devhost_exec:dir { search };
 allow hiperf domain:dir { add_name getattr search open read write };
 allow hiperf domain:file { getattr map open read };
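Review bot: The added `allow hiperf hdf_devhost_exec:dir { search };` carries no justification, whereas this repository's convention (visible in storage_daemon.te, security_collector.te, msdp_sa.te and init.te in this same patch) is to precede a new rule with the `# avc: denied ...` line that motivated it. The same applies to every other `hdf_devhost_exec` addition in this patch (hiebpf, netmanager, deviceprofile, storage_daemon, kernel, processdump, hilogd, msdp_sa, huks, security_collector, security_guard, cadaemon, riladapter_host, updater_sa, usb_service). Without the denial record a reviewer cannot tell which path now carries the `hdf_devhost_exec` label or why nearly every system domain must traverse it; a single comment such as `# avc: denied { search } ... tcontext=u:object_r:hdf_devhost_exec:s0 tclass=dir` above each rule, or one sentence in the commit message naming the relabelled directory, would let the widening be audited later.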
@@ -172,6 +173,7 @@ allow hiperf sysfs_devices_system_cpu:file getattr;
 allow hiperf udevd_exec:file { getattr map open read };
 allow hiperf ueventd_exec:file read;
 allow hiperf vendor_bin_file:file { getattr map open read };
+allow hiperf hdf_devhost_exec:file { getattr map open read };
 allow init data_log:file relabelfrom;
 allow init data_log_hiperf_file:dir { getattr open read relabelto setattr };
diff --git a/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te b/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
index 1f84cea0f..615f12d84 100644
--- a/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
+++ b/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
@@ -17,3 +17,4 @@ allow netmanager data_file:dir { search };
 allow netmanager sys_file:dir { open read };
 allow netmanager sys_file:file { open read };
 allowxperm netmanager data_data_file:file ioctl { 0x5413 };
+allow netmanager hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
index 28869efeb..acb3359e1 100755
--- a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
+++ b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
@@ -24,4 +24,4 @@ allow distributedsche sa_asset_service:samgr_class { get };
 allow distributedsche asset_service:binder { call transfer };
 allow distributedsche sys_file:file { read };
 allow distributedsche sys_file:file { open };
-
+allow distributedsche hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te
new file mode 100644
index 000000000..033c3aff8
--- /dev/null
+++ b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow ispserver hdf_devhost_exec:file { entrypoint execute map read };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
index 755e7b4b6..fc55dfb92 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
@@ -119,3 +119,4 @@ allowxperm camera_host dev_mpp:chr_file ioctl { 0x7601 };
 allowxperm camera_host dev_rga:chr_file ioctl { 0x5017 0x5019 0x601b };
 allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 0x5605 0x5608 0x5609 0x560f 0x5611 0x5612 0x5613 0x561b 0x564a 0x5602 0x5624 0x564b 0x5625 0x5616 };
 allowxperm camera_host hidumper_file:file ioctl 0x5413;
+allowxperm camera_host hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
index 6ee5b7984..ac72e2c13 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
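Review bot: The new hdf_devhost.te contains a single rule, `allow ispserver hdf_devhost_exec:file { entrypoint execute map read };`, with no comment on why a file named after the devhost grants an `ispserver` domain the right to be entered through the devhost binary, and the file does not declare `hdf_devhost_exec` itself (the context lines in teecd.te and graphic.te show the type is already in use elsewhere). `entrypoint` is the permission that lets a process transition into `ispserver` via this executable, so the rule only makes sense together with a domain transition defined somewhere not visible in this series. A one-line comment above the rule stating where the `ispserver` domain and its transition from the devhost are defined, e.g. `# ispserver is a devhost instance; its type_transition lives in <placeholder-file>`, would let a later reader verify that the entrypoint is intentional.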
@@ -84,3 +84,5 @@ debug_only(`
 allow codec_host hdcd:fifo_file { write };
 allow codec_host hdcd:fifo_file { read };
 ')
+allow codec_host hdf_devhost_exec:dir { search };
+allow codec_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
index fc9401243..535abcbb0 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
@@ -94,3 +94,5 @@ allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4611 };
 allowxperm composer_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allowxperm composer_host dev_rga:chr_file ioctl { 0x5017 0x601b };
 allow composer_host composer_host:capability {sys_nice};
+allow composer_host hdf_devhost_exec:dir { search };
+allow composer_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
index d60855372..d05838b30 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
@@ -135,3 +135,5 @@ allow intell_voice_host tty_device:chr_file { read write };
 debug_only(`
 allow intell_voice_host su:binder { transfer };
 ')
+allow intell_voice_host hdf_devhost_exec:dir { search };
+allow intell_voice_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
index 83df22eab..575f30b69 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
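Review bot: `allow codec_host hdf_devhost_exec:file { getattr open };` grants `open` without `read`, and an O_RDONLY open is checked against `read` as well as `open`, so unless `read` is already granted to codec_host through an attribute not visible here this rule will still leave a denial behind. The same `{ getattr open }` set appears in the composer_host and intell_voice_host hunks on this line and in the face_auth_host, fingerprint_auth_host, pin_auth_host and riladapter_host hunks later in the patch. If these are genuinely open-only accesses (for example an O_PATH open), a short comment saying so would stop the next maintainer from "fixing" them; otherwise the set should match the one used for hiebpf and processdump, `{ getattr map open read }`, or at least `{ getattr open read }`.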
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
@@ -57,3 +57,5 @@ allow face_auth_host vendor_etc_file:dir { search };
 allow face_auth_host vendor_etc_file:file { getattr open read };
 allowxperm face_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allow face_auth_host useriam:binder { call transfer };
+allow face_auth_host hdf_devhost_exec:dir { search };
+allow face_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
index 0c32201be..538e9c886 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
@@ -57,3 +57,5 @@ allow fingerprint_auth_host vendor_etc_file:dir { search };
 allow fingerprint_auth_host vendor_etc_file:file { getattr open read };
 allowxperm fingerprint_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allow fingerprint_auth_host useriam:binder { call transfer };
+allow fingerprint_auth_host hdf_devhost_exec:dir { search };
+allow fingerprint_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
index 5e9afd2c6..645aef962 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
@@ -63,3 +63,5 @@ allow pin_auth_host vendor_etc_file:dir { search };
 allow pin_auth_host vendor_etc_file:file { getattr open read };
 allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 };
 allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
+allowxperm pin_auth_host hdf_devhost_exec:dir { search };
+allowxperm pin_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
index aa065cda9..b3c8768fa 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
@@ -49,3 +49,4 @@ allow storage_daemon storage_daemon_exec:file { getattr open };
 # avc: denied { open } for pid=12230, comm="/system/bin/storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mtpfs_exec:s0 tclass=file permissive=0
 # avc: denied { read } for pid=12230, comm="/system/bin/storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mtpfs_exec:s0 tclass=file permissive=0
 allow storage_daemon mtpfs_exec:file { execute execute_no_trans map open read };
+allow storage_daemon hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
index a45a69fc4..00a1b2e90 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
@@ -18,3 +18,5 @@ neverallow kernel hmdfs:dir ioctl;
 neverallow kernel hmdfs:file ioctl;
 allow kernel data_service_el2_hmdfs:dir { create_dir_perms };
 allow kernel data_service_el2_hmdfs:file { create_file_perms };
+allow kernel hdf_devhost_exec:dir { search };
+allow kernel hdf_devhost_exec:file { getattr open read};
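Review bot: `allow kernel hdf_devhost_exec:file { getattr open read};` is missing the space before the closing brace that every other rule in this file uses; it should read `allow kernel hdf_devhost_exec:file { getattr open read };`. More importantly, this is the `kernel` domain being given read access to devhost executables inside a file that otherwise only deals with hmdfs, and nothing in the hunk records the denial that prompted it; if the access comes from a kernel thread or an early-boot path that runs in the kernel domain, that is worth stating in a comment so the grant is not widened or copied without the same reasoning. The pin_auth_host hunk on this line is corrected later in the series and needs no separate comment.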
diff --git a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
index c7cdbed48..42782e143 100644
--- a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
+++ b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
@@ -43,6 +43,7 @@ allow render_service system_fonts_file:dir { open read search };
 allow render_service system_fonts_file:file { getattr map open read };
 allow render_service sa_accessibleabilityms:samgr_class { get };
 allow render_service sa_concurrent_task_service:samgr_class { get };
+allow render_service hdf_devhost_exec:dir { search };
 allow render_service vendor_bin_file:dir { search };
 allow render_service hdf_devhost_exec:dir { search };
 allow render_service paramservice_socket:sock_file { write };
diff --git a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
index 8637c8630..c05e85f6a 100644
--- a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
+++ b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
@@ -176,6 +176,8 @@ allow processdump hiviewdfx_hiview_param:file { map open read };
 allow processdump dev_bbox:chr_file { ioctl open write };
 allowxperm processdump dev_bbox:chr_file ioctl 0xab09;
+allow processdump hdf_devhost_exec:dir { search };
+allow processdump hdf_devhost_exec:file { getattr map open read };
 #============= dev_lperf ===================
 allow init dev_lperf:chr_file { getattr setattr };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
index 1279ece10..4b6b6352a 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
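Review bot: The added `allow render_service hdf_devhost_exec:dir { search };` in graphic.te is an exact duplicate of the existing context line two lines below it, so the hunk changes nothing in the compiled policy and only leaves a redundant rule for the next reader to wonder about. Drop the addition from this file; if the intent was to move the existing rule next to the other samgr rules, do it as a move rather than a second copy.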
@@ -113,3 +113,6 @@ allow hilogd data_log:dir { write add_name write remove_name };
 allow hilogd data_log:file { create getattr ioctl open rename write unlink };
 allow domain hilogd:unix_stream_socket { connectto };
 allow domain hilog_control_pub_socket:sock_file { write };
+allow hilogd hdf_devhost_exec:dir { getattr open read { search } };
+allow hilogd hdf_devhost_exec:file { getattr map open read };
+allow hilogd hdf_devhost_exec:lnk_file read;
diff --git a/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te b/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
index f893f51da..538ed5782 100644
--- a/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
+++ b/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
@@ -265,6 +265,8 @@ allow msdp_sa cgroup:file { getattr open read };
 # avc: denied { get } for service=allocator_service sid=u:r:msdp_sa:s0 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
 allow msdp_sa hdf_allocator_service:hdf_devmgr_class { get };
+allow msdp_sa hdf_devhost_exec:dir { search };
+
 # avc: denied { get } for service=allocator_service sid=u:r:msdp_sa:s0 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
 allow msdp_sa hdf_allocator_service:hdf_devmgr_class { get };
diff --git a/sepolicy/ohos_policy/security/huks/system/huks.te b/sepolicy/ohos_policy/security/huks/system/huks.te
index 20cf8f3d3..02c47fa9f 100755
--- a/sepolicy/ohos_policy/security/huks/system/huks.te
+++ b/sepolicy/ohos_policy/security/huks/system/huks.te
@@ -81,4 +81,4 @@ allow huks_service paramservice_socket:sock_file { write };
 allow huks_service sa_memory_manager_service:samgr_class { get };
 allow huks_service memmgrservice:binder { call };
-
+allow huks_service hdf_devhost_exec:dir { search };
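Review bot: `allow hilogd hdf_devhost_exec:dir { getattr open read { search } };` nests a brace set inside the permission list; the policy compiler appears to tolerate nested sets, but no other rule in these files is written that way and it reads like the output of a merge tool rather than a hand-written rule. Flatten it to `allow hilogd hdf_devhost_exec:dir { getattr open read search };`. The same nested form appears in the init.te hunk (`{ getattr mounton { search } }`) and in the second teecd.te hunk (`{ open read { search } }`) later in this patch and should be flattened there too. hilogd is also given `dir { read }` and `lnk_file read` on the devhost directory, which lets it enumerate the directory rather than just traverse it, so a comment with the originating denial would help confirm that enumeration is really needed.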
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_collector.te b/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
index d7330b11d..e77495972 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
@@ -103,3 +103,4 @@ allow security_collector sa_storage_manager_service:samgr_class { get };
 binder_call(security_collector, security_guard);
 # avc: denied { search } for pid=2912 comm="security_collec" name="socket" dev="tmpfs" ino=43 scontext=u:r:security_collector:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
 allow security_collector dev_unix_socket:dir { search };
+allow security_collector hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
index e43ef097d..3acaf2227 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
@@ -84,5 +84,7 @@ allow security_guard normal_hap_attr:fd { use };
 # avc: denied { read } for pid=2037 comm="OS_FFRT_2_1" path="/data/storage/el2/base/files/text.json" dev="mmcblk0p15" ino=2627 scontext=u:r:security_guard:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=1
 allow security_guard normal_hap_data_file:file { read };
+allow security_guard hdf_devhost_exec:dir { search };
+
 # avc: denied { call } for pid=1516, comm="/system/bin/sa_main" scontext=u:r:security_guard:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=0
 binder_call(security_guard, wifi_manager_service);
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
index 14a47676c..e672d8dce 100644
--- a/sepolicy/ohos_policy/startup/init/system/init.te
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
@@ -544,6 +544,8 @@ allow init ark_writeable_param:parameter_service { set };
 # avc: denied { read append } for pid=1 comm="init" path="/data/service/el1/startup/parameters/persist_parameters" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:data_service_file:s0 tclass=file permissive=0
 allow init data_service_file:file {read append};
 # avc: denied { read } for pid=1 comm="init" path="/console" dev="" ino=70 scontext=u:r:init:s0 tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file permissive=0
+allow init hdf_devhost_exec:dir { getattr mounton { search } };
+
 allow init dev_console_file:lnk_file { read};
 # avc: denied { setpcap } for pid=4977 comm="init" capability=8 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0
diff --git a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
index d1a04d6a8..6d13269e9 100644
--- a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
+++ b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
@@ -90,4 +90,5 @@ debug_only(`
 allow cadaemon sh:file { read open getattr };
 allow cadaemon sh:fd { use };
 ')
-
+allow cadaemon hdf_devhost_exec:dir { search };
+allow cadaemon hdf_devhost_exec:file { getattr open read };
diff --git a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
index 01a74655e..dba4f8044 100644
--- a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
+++ b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
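Review bot: The new `allow init hdf_devhost_exec:dir { getattr mounton { search } };` and its blank line are inserted between the `# avc: denied { read } ... tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file` comment and the `allow init dev_console_file:lnk_file { read};` rule that comment documents, so the existing comment now describes the wrong rule. Move the two added lines below the dev_console_file rule. `mounton` is also a stronger grant than the plain `search` every other domain receives in this patch: it lets init mount a filesystem over the directory carrying the devhost executables, which changes what later exec'd devhosts resolve to, so the rule deserves its own denial record or a one-line comment naming the mount that needs it (presumably an early-boot bind mount of the devhost directory, but that is not visible here).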
@@ -58,6 +58,7 @@ allow teecd tee_src_file:dir { search };
 allow teecd vendor_bin_file:dir { search read open };
 allow teecd hdf_devhost_exec:file { entrypoint execute map read open getattr };
+allow teecd hdf_devhost_exec:file { read open getattr };
 allow teecd hdf_devhost_exec:dir { search };
 allow teecd vendor_etc_file:dir { search };
 allow teecd vendor_etc_file:file { read open getattr };
@@ -68,4 +69,4 @@ debug_only(`
 allow teecd sh:dir { search };
 allow teecd sh:file { read open getattr };
 ')
-
+allow teecd hdf_devhost_exec:dir { open read { search } };
diff --git a/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te b/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
index 28be848de..f0de851c5 100644
--- a/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
+++ b/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
@@ -85,3 +85,5 @@ allow riladapter_host vendor_etc_file:file { getattr open read };
 allow riladapter_host data_file:dir search;
 allow riladapter_host data_local:dir search;
 allow riladapter_host dev_console_file:chr_file { read write };
+allow riladapter_host hdf_devhost_exec:dir { search };
+allow riladapter_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
index 9969ac2e1..3ee450a3e 100644
--- a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
+++ b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
@@ -78,4 +78,4 @@ allow updater_sa time_service:binder { call transfer };
 #avc: denied { transfer } for pid=473 comm="OS_IPC_2_1087" scontext=u:r:updater_sa:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
 allow updater_sa foundation:binder { transfer };
-
+allow updater_sa hdf_devhost_exec:dir { search };
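Review bot: In the first teecd.te hunk, `allow teecd hdf_devhost_exec:file { read open getattr };` is a strict subset of the line directly above it, `allow teecd hdf_devhost_exec:file { entrypoint execute map read open getattr };`, so it grants nothing new and only adds noise. The second teecd.te hunk, `allow teecd hdf_devhost_exec:dir { open read { search } };`, repeats the `search` already granted by the existing `allow teecd hdf_devhost_exec:dir { search };` four lines earlier, so only `open read` are new. Drop the first addition and reduce the second to `allow teecd hdf_devhost_exec:dir { open read };`, placed next to the existing dir rule rather than at the end of the file after the `debug_only` block, so a reader sees the full set of devhost-directory permissions for teecd in one place.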
diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
index 191ab155c..cb88f213a 100644
--- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
+++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
@@ -135,5 +135,6 @@ allow usb_service paramservice_socket:sock_file { write };
 allow usb_service devinfo_type_param:file { read };
 allow usb_service tty_device:chr_file { read write open ioctl };
 allowxperm usb_service tty_device:chr_file ioctl { 0x5401 0x5402 };
+allow usb_service hdf_devhost_exec:dir { search };
 allow usb_service allocator_host:binder { call };
 allow usb_service allocator_host:fd { use };
-- 
Gitee

From 9dcc66e03fbb08485f047fd11969d7d613f1fa16 Mon Sep 17 00:00:00 2001
From: wanghongenaf
Date: Fri, 15 Aug 2025 09:14:06 +0000
Subject: [PATCH 2/5] update sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te.

Signed-off-by: wanghongenaf
---
 .../ohos_policy/drivers/peripheral/camera/vendor/camera_host.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
index fc55dfb92..88921e822 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
@@ -119,4 +119,4 @@ allowxperm camera_host dev_mpp:chr_file ioctl { 0x7601 };
 allowxperm camera_host dev_rga:chr_file ioctl { 0x5017 0x5019 0x601b };
 allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 0x5605 0x5608 0x5609 0x560f 0x5611 0x5612 0x5613 0x561b 0x564a 0x5602 0x5624 0x564b 0x5625 0x5616 };
 allowxperm camera_host hidumper_file:file ioctl 0x5413;
-allowxperm camera_host hdf_devhost_exec:dir { search };
+allow camera_host hdf_devhost_exec:dir { search };
-- 
Gitee

From b48acb95fe327852e1935566dbc68819d428feca Mon Sep 17 00:00:00 2001
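Review bot: Patch 2/5 only corrects a statement that patch 1/5 introduced (`allowxperm camera_host hdf_devhost_exec:dir { search };` → `allow camera_host hdf_devhost_exec:dir { search };`), and patches 3/5, 4/5 and 5/5 are the same kind of fix-up for pin_auth_host.te, bootanimation.te and hiebpf.te. An `allowxperm` whose operand set is `{ search }` rather than an ioctl command range is unlikely to be accepted by the policy compiler, so patch 1/5 as committed probably does not build on its own, which breaks bisecting. Squash patches 2–5 into patch 1 before merging so that every commit in the series leaves the policy buildable.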
From: wanghongenaf
Date: Fri, 15 Aug 2025 09:31:55 +0000
Subject: [PATCH 3/5] update sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te.

Signed-off-by: wanghongenaf
---
 .../drivers/peripheral/useriam/vendor/pin_auth_host.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
index 645aef962..e04f08d12 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
@@ -63,5 +63,5 @@ allow pin_auth_host vendor_etc_file:dir { search };
 allow pin_auth_host vendor_etc_file:file { getattr open read };
 allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 };
 allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
-allowxperm pin_auth_host hdf_devhost_exec:dir { search };
-allowxperm pin_auth_host hdf_devhost_exec:file { getattr open };
+allow pin_auth_host hdf_devhost_exec:dir { search };
+allow pin_auth_host hdf_devhost_exec:file { getattr open };
-- 
Gitee

From 3fbbe4423939cf286083bf6ed120c192a86a43c4 Mon Sep 17 00:00:00 2001
From: wanghongenaf
Date: Tue, 19 Aug 2025 12:45:18 +0000
Subject: [PATCH 4/5] update sepolicy/ohos_policy/bootanimation/system/bootanimation.te.

Signed-off-by: wanghongenaf
---
 sepolicy/ohos_policy/bootanimation/system/bootanimation.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sepolicy/ohos_policy/bootanimation/system/bootanimation.te b/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
index 27d1736a3..9c23ba60c 100644
--- a/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
+++ b/sepolicy/ohos_policy/bootanimation/system/bootanimation.te
@@ -18,4 +18,3 @@ allow bootanimation data_service_file:dir { search };
 allow bootanimation edm_config_file:dir { search };
 allow bootanimation edm_config_file:file { getattr read open };
 allow bootanimation devinfo_type_param:file { open read map };
-allow bootanimation hdf_devhost_exec:dir { search };
-- 
Gitee

From 5d863cd49de138b7b993c6fa1946aa1a117f336a Mon Sep 17 00:00:00 2001
From: wanghongenaf
Date: Tue, 19 Aug 2025 12:46:15 +0000
Subject: [PATCH 5/5] update sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te.

Signed-off-by: wanghongenaf
---
 sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
index 99ab0c9e7..977c2be43 100644
--- a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
+++ b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
@@ -83,5 +83,4 @@ allow hiebpf tracefs:file { open read write };
 allow hiebpf powermgr:dir search;
 allow hiebpf powermgr:file { getattr open read };
-allow hiebpf hdf_devhost_exec:dir { search };
 allow hiebpf hdf_devhost_exec:file { getattr map open read };
-- 
Gitee