From 190f01cc6667eb518f990a4fb59b7ed15184df2d Mon Sep 17 00:00:00 2001
From: dzin <2363448374@qq.com>
Date: Wed, 10 Sep 2025 02:51:05 +0000
Subject: [PATCH 1/2] update sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te.

Signed-off-by: dzin <2363448374@qq.com>
---
 .../ohos_policy/web/webview/system/app_fwk_update_service.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te b/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
index babc3e374..9bf02797c 100755
--- a/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
+++ b/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
@@ -70,4 +70,7 @@ allow app_fwk_update_service appspawn:unix_stream_socket { connectto };
 # avc_audit_slow:267] avc: denied { write } for pid=6914, comm="/system/bin/sa_main" path="/dev/unix/socket/AppSpawn" dev="" ino=857 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:appspawn_socket:s0 tclass=sock_file permissive=1
 allow app_fwk_update_service appspawn_socket:sock_file { write };
+# avc: denied { set } for parameter=web.engine.install.completed pid=12719 uid=3350 gid=3350 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:webengine_param:s0 tclass=parameter_service permissive=0
+allow app_fwk_update_service webengine_param:parameter_service { set };
+
 neverallow { domain -foundation } app_fwk_update_service:samgr_class { get };
-- 
Gitee

From 7d04df092ec862744736b1314e5c04e9ca800205 Mon Sep 17 00:00:00 2001
From: dzin <2363448374@qq.com>
Date: Wed, 10 Sep 2025 10:54:50 +0800
Subject: [PATCH 2/2] update param selinux

Signed-off-by: dzin <2363448374@qq.com>
---
 .../ohos_policy/web/webview/system/app_fwk_update_service.te | 2 +-
 sepolicy/ohos_policy/web/webview/system/webview.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
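Review bot: The new allow rule grants `set` on every parameter labeled `webengine_param`, while the denial it cites names only `web.engine.install.completed`; a parameter_service rule is scoped by the target type, not by the parameter name. If that type also covers parameters the update service has no reason to write, a narrower label would keep the grant minimal, and in either case the comment should state the intended scope, e.g. `# app_fwk_update_service publishes web.engine.install.completed; no other parameter under this type is expected to be written by it`. The same consideration applies to the rule after it is retargeted to `web_private_param` in PATCH 2/2.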
diff --git a/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te b/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
index 9bf02797c..b0843e14c 100755
--- a/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
+++ b/sepolicy/ohos_policy/web/webview/system/app_fwk_update_service.te
@@ -71,6 +71,6 @@ allow app_fwk_update_service appspawn:unix_stream_socket { connectto };
 allow app_fwk_update_service appspawn_socket:sock_file { write };
 # avc: denied { set } for parameter=web.engine.install.completed pid=12719 uid=3350 gid=3350 scontext=u:r:app_fwk_update_service:s0 tcontext=u:object_r:webengine_param:s0 tclass=parameter_service permissive=0
-allow app_fwk_update_service webengine_param:parameter_service { set };
+allow app_fwk_update_service web_private_param:parameter_service { set };
 neverallow { domain -foundation } app_fwk_update_service:samgr_class { get };
diff --git a/sepolicy/ohos_policy/web/webview/system/webview.te b/sepolicy/ohos_policy/web/webview/system/webview.te
index 824051ba8..004b352f7 100644
--- a/sepolicy/ohos_policy/web/webview/system/webview.te
+++ b/sepolicy/ohos_policy/web/webview/system/webview.te
@@ -14,5 +14,5 @@
 # avc: denied { set } for parameter=web.engine.default pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 # avc: denied { set } for parameter=web.engine.enforce pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0
 allow appspawn web_private_param:parameter_service { set };
-allow { hap_domain isolated_render appspawn init isolated_gpu } web_private_param:file { map open read };
+allow { hap_domain isolated_render appspawn init isolated_gpu nwebspawn} web_private_param:file { map open read };
-- 
Gitee
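Review bot: After the retarget, the rule's target type `web_private_param` no longer matches the `tcontext=u:object_r:webengine_param:s0` in the denial comment kept directly above it, so the comment no longer explains the rule that follows and cannot be correlated with the policy by someone auditing against logs. If the parameter was relabeled, replace the logged line with the denial observed against the new label, or add a line such as `# web.engine.install.completed is now labeled web_private_param; the webengine_param denial above predates the relabel — confirm`. The `neverallow` on `samgr_class` below the change is unaffected.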
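Review bot: The added `nwebspawn` entry drops the space before the closing brace, `isolated_gpu nwebspawn}`, which breaks the `{ a b c }` spacing every other rule in both files uses; write it as `allow { hap_domain isolated_render appspawn init isolated_gpu nwebspawn } web_private_param:file { map open read };`. Unlike the other grants in webview.te, this addition is not backed by a recorded avc denial or a comment saying why that domain needs to map and read the parameter file; adding the observed denial line or a one-line rationale above the rule would keep the file auditable in the same way as its neighbours.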