From cd28d2e8ad822f8093e46422e27a5a81428e2e49 Mon Sep 17 00:00:00 2001 From: LianRuiyang <995621404@qq.com> Date: Fri, 12 Sep 2025 01:43:47 +0000 Subject: [PATCH 1/5] update sepolicy/base/public/attributes. Signed-off-by: LianRuiyang <995621404@qq.com> --- sepolicy/base/public/attributes | 1 + 1 file changed, 1 insertion(+) diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes index 7561c01e1..5e6d9476d 100644 --- a/sepolicy/base/public/attributes +++ b/sepolicy/base/public/attributes @@ -151,6 +151,7 @@ attribute cap_violator_perfmon; attribute cap_violator_sysmodule; attribute cap_violator_syslog; attribute cap_violator_sysrawio; +attribute cap_violator_devassistant; attribute data_file_attr_violator_exec; attribute data_local_tmp_violator_dir; -- Gitee From d4d2a18fcfae46c5a22caf33e7b16fc7bd2001df Mon Sep 17 00:00:00 2001 From: LianRuiyang <995621404@qq.com> Date: Fri, 12 Sep 2025 01:47:13 +0000 Subject: [PATCH 2/5] update sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te. Signed-off-by: LianRuiyang <995621404@qq.com> --- .../ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te index 588a9b4f9..7a440d128 100644 --- a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te +++ b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te @@ -47,7 +47,8 @@ use_faultloggerd_file({ hiview hidumper }) use_faultloggerd_sdkdump({ hiview hidumper foundation }) neverallow { domain -processdump } faultloggerd_socket_crash:sock_file { write read ioctl }; -neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn } faultloggerd_socket_sdkdump:sock_file { write read ioctl }; +neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn -cap_violator_devassistan } faultloggerd_socket_sdkdump:sock_file { write }; +neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn } faultloggerd_socket_sdkdump:sock_file { read ioctl }; ######################### ## faultloggerd rules: ## ######################### -- Gitee From 48be9d25c7e175a2a0c4cfef3fe0a4a53a1ffd0b Mon Sep 17 00:00:00 2001 From: LianRuiyang <995621404@qq.com> Date: Fri, 12 Sep 2025 02:21:45 +0000 Subject: [PATCH 3/5] update sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te. Signed-off-by: LianRuiyang <995621404@qq.com> --- .../ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te index 7a440d128..169f9ee39 100644 --- a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te +++ b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/faultloggerd.te @@ -47,7 +47,7 @@ use_faultloggerd_file({ hiview hidumper }) use_faultloggerd_sdkdump({ hiview hidumper foundation }) neverallow { domain -processdump } faultloggerd_socket_crash:sock_file { write read ioctl }; -neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn -cap_violator_devassistan } faultloggerd_socket_sdkdump:sock_file { write }; +neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn -devinfo_type_allow_attr } faultloggerd_socket_sdkdump:sock_file { write }; neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn } faultloggerd_socket_sdkdump:sock_file { read ioctl }; ######################### ## faultloggerd rules: ## -- Gitee From 5b6dd011d2ef4ccccd33abdce89c187ae7895f5c Mon Sep 17 00:00:00 2001 From: LianRuiyang <995621404@qq.com> Date: Fri, 12 Sep 2025 02:22:21 +0000 Subject: [PATCH 4/5] update sepolicy/base/public/attributes. Signed-off-by: LianRuiyang <995621404@qq.com> --- sepolicy/base/public/attributes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes index 5e6d9476d..867d081c2 100644 --- a/sepolicy/base/public/attributes +++ b/sepolicy/base/public/attributes @@ -151,7 +151,7 @@ attribute cap_violator_perfmon; attribute cap_violator_sysmodule; attribute cap_violator_syslog; attribute cap_violator_sysrawio; -attribute cap_violator_devassistant; +attribute devinfo_type_allow_attr; attribute data_file_attr_violator_exec; attribute data_local_tmp_violator_dir; -- Gitee From b91fd38ca6b3d3dfbdef4ac5792b2885ea5bbd5f Mon Sep 17 00:00:00 2001 From: LianRuiyang <995621404@qq.com> Date: Fri, 12 Sep 2025 02:57:24 +0000 Subject: [PATCH 5/5] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20sepo?= =?UTF-8?q?licy/base/public/attributes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sepolicy/base/public/attributes | 348 -------------------------------- 1 file changed, 348 deletions(-) delete mode 100644 sepolicy/base/public/attributes diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes deleted file mode 100644 index 867d081c2..000000000 --- a/sepolicy/base/public/attributes +++ /dev/null @@ -1,348 +0,0 @@ -# Copyright (c) 2021-2023 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# Type of all devices. -# i.e. /dev/camera_dev -attribute dev_attr; - -# Type of all processes, including the hap process and native process. -# i.e. hdbd, media -attribute domain; - -# Type of all virtual file system files. -# i.e. /sys/block, -# /sys/bus, -# /proc/mtd, -# /dev/camera_dev -attribute fs_attr; - -# Type of all proc files. -# i.e. /proc/mtd -attribute proc_attr; - -# Type of all common files. -# i.e. /data/user, -# /system/bin -attribute file_attr; - -# Type of all rootfs files. -# i.e. /* -attribute rootfs_file_attr; - -# Type of all system files. -# i.e. /system/* -attribute system_file_attr; - -# Type of all sys_prod files. -# i.e. /sys_prod/* -attribute sys_prod_file_attr; - -# Type of all vendor files. -# i.e. /vendor/* -attribute vendor_file_attr; - -# Type of all chip_prod files. -# i.e. /chip_prod/* -attribute chip_prod_file_attr; - -# Type of all chip_ckm files. -# i.e. /chip_ckm/* -attribute chip_ckm_file_attr; - -# Type of all domain access points, which is used in domain trasition. -# i.e. vold_exec, -# appspawn_exec -attribute exec_attr; - -# Types of all files in the /data directory. -# i.e. /data/user -attribute data_file_attr; - -# All types in the sysfs file system. -# i.e. /sys/firmware -attribute sysfs_attr; - -# All types in the debugfs file system. -# i.e. /sys/kernel/debug/* -attribute debugfs_attr; - -# All types of parameters. -# i.e. ohos_param -attribute parameter_attr; - -# All types of services. -# i.e. bms_service -attribute sa_service_attr; - -# All types of hdf_services. -# i.e. camera_service -attribute hdf_service_attr; - -# Type of all processes in the hap format. -# i.e. com.ohos.setting -attribute hap_domain; - -# Type of all haps in apl normal. -attribute normal_hap_attr; - -# Type of all haps in apl system_basic. -attribute system_basic_hap_attr; - -# Type of all haps in apl system_core. -attribute system_core_hap_attr; - -# File type of all processes in the hap format. -# i.e. com.ohos.setting -attribute hap_file_attr; - -# File type of all haps in apl normal. -attribute normal_hap_data_file_attr; - -# File type of all haps in apl system_basic. -attribute system_basic_hap_data_file_attr; - -# File type of all haps in apl system_core. -attribute system_core_hap_data_file_attr; - -# Type of hdf processes. -# i.e. hdv_devmgr, -attribute hdfdomain; - -# Type of all native processes. -# i.e. at, -attribute sadomain; - -# Type of all native system processes not in sadomain. -# i.e. init, -attribute native_system_domain; - -# Type of all native chipset processes not in sadomain. -# i.e. chipset-init, -attribute native_chipset_domain; - -#define some violator attribute for neverallows. -attribute cap_violator_chown; -attribute cap_violator_dacoverride; -attribute cap_violator_dacreadsearch; -attribute cap_violator_fowner; -attribute cap_violator_fsetid; -attribute cap_violator_kill; -attribute cap_violator_setuid; -attribute cap_violator_setgid; -attribute cap_violator_netbindservice; -attribute cap_violator_netadmin; -attribute cap_violator_netraw; -attribute cap_violator_sysptrace; -attribute cap_violator_sysadmin; -attribute cap_violator_wakealarm; -attribute cap_violator_sysnice; -attribute cap_violator_perfmon; -attribute cap_violator_sysmodule; -attribute cap_violator_syslog; -attribute cap_violator_sysrawio; -attribute devinfo_type_allow_attr; - -attribute data_file_attr_violator_exec; -attribute data_local_tmp_violator_dir; -attribute data_local_tmp_violator_file_open; -attribute system_core_hap_data_file_attr_violator_dir; -attribute system_basic_hap_data_file_attr_violator_dir; -attribute normal_hap_data_file_attr_violator_dir; -attribute normal_hap_data_file_attr_violator_dir_file_create_unlink; -attribute normal_hap_data_file_attr_violator_file_open; -attribute accesstoken_data_file_violator_dir; -attribute accesstoken_data_file_violator_file; -attribute module_update_file_violator_file_dir; -attribute module_update_binary_file_violator_file_dir; -attribute normal_hap_data_file_attr_violator_relabel; -attribute file_migrate_hap_data_file_attr_violator_opt; - -attribute exec_attr_violator_file_create_unlink; -attribute exec_attr_violator_file_write; -attribute exec_attr_violator_file_rename; - -attribute data_user_file_dir_violator; -attribute data_user_file_file_violator; - -attribute dev_fuse_file_violator; - -attribute nativespawn_mount_filesystem_violator; - -attribute proc_violator; -attribute sh_exec_violator; -attribute proc_sys_writer; - -attribute violator_hdfdomain_binder_call; - -attribute modem_file_attr; - -attribute cgroup_creator; - -attribute violator_exec_file_attr; -attribute violator_execute_no_trans_data_file_attr; -attribute violator_execute_data_file_attr; - -# Type of all module_update file -# i.e. /module_update/* -attribute module_update_file_attr; - -attribute dev_attr_violator; -attribute dev_file_violator; -attribute dev_attr_violator_chr_file_rw; -attribute dev_attr_violator_file_rw; -attribute samgr_binder_violator; -attribute installs_binder_violator; -attribute binder_call_installs_violators; -attribute permissions_mount_file_attr; -attribute log_file_attr; -attribute appspawn_unmount_filesystem_violators; -attribute hap_domain_lnk_file_violators; - -attribute filesystem_violator; - -# Type of develop process -# i.e. sh -attribute develop_domain; - -# define some violator attribute for neverallows. -attribute vendor_file_violator_dir; -attribute vendor_file_violator_dir_getattr; -attribute vendor_file_violator_dir_relabelto; -attribute vendor_file_violator_dir_read; -attribute vendor_file_violator_dir_open; -attribute vendor_file_violator_file; -attribute vendor_file_violator_file_map; -attribute vendor_file_violator_file_open; -attribute vendor_file_violator_file_read; -attribute vendor_file_violator_file_getattr; -attribute vendor_file_violator_file_execute; -attribute vendor_bin_file_violator_dir; -attribute vendor_bin_file_violator_dir_search; -attribute vendor_bin_file_violator_file; -attribute vendor_bin_file_violator_file_entrypoint; -attribute vendor_bin_file_violator_file_execute; -attribute vendor_bin_file_violator_file_map; -attribute vendor_bin_file_violator_file_read; -attribute vendor_bin_file_violator_file_getattr; -attribute vendor_bin_file_violator_file_open; -attribute vendor_etc_file_violator_dir; -attribute vendor_etc_file_violator_dir_search; -attribute vendor_etc_file_violator_dir_getattr; -attribute vendor_etc_file_violator_dir_read; -attribute vendor_etc_file_violator_dir_open; -attribute vendor_etc_file_violator_file; -attribute vendor_etc_file_violator_file_map; -attribute vendor_etc_file_violator_file_open; -attribute vendor_etc_file_violator_file_read; -attribute vendor_etc_file_violator_file_getattr; - -attribute system_file_violator_dir; -attribute system_file_violator_file; -attribute system_bin_file_violator_dir; -attribute system_bin_file_violator_dir_search; -attribute system_bin_file_violator_dir_getattr; -attribute system_bin_file_violator_file; -attribute system_bin_file_violator_file_execute; -attribute system_bin_file_violator_file_execute_no_trans; -attribute system_bin_file_violator_file_map; -attribute system_bin_file_violator_file_read; -attribute system_bin_file_violator_file_open; -attribute system_bin_file_violator_file_getattr; -attribute system_bin_file_violator_lnk_file; -attribute system_bin_file_violator_lnk_file_read; -attribute system_etc_file_violator_dir; -attribute system_etc_file_violator_file; -attribute system_etc_file_violator_lnk_file; -attribute system_profile_file_violator_dir; -attribute system_fonts_file_violator_dir_mounton; - -attribute system_bin_file_violator_file_entrypoint; -attribute system_etc_file_violator_lnk_file_relabelto; -attribute system_etc_file_violator_lnk_file_read; -attribute system_etc_file_violator_lnk_file_getattr; - -attribute vendor_file_violator_dir_mounton; -attribute vendor_file_violator_file_relabelto; -attribute vendor_file_violator_file_setattr; -attribute vendor_bin_file_violator_dir_getattr; -attribute vendor_bin_file_violator_dir_open; -attribute vendor_bin_file_violator_dir_read; -attribute vendor_bin_file_violator_dir_mounton; -attribute vendor_bin_file_violator_dir_relabelto; -attribute vendor_bin_file_violator_file_execute_no_trans; -attribute vendor_bin_file_violator_file_relabelto; -attribute vendor_bin_file_violator_file_setattr; -attribute vendor_bin_file_violator_file_lnk_file; -attribute vendor_bin_file_violator_file_lnk_file_read; -attribute vendor_etc_file_violator_dir_mounton; -attribute vendor_etc_file_violator_dir_relabelto; -attribute vendor_etc_file_violator_file_relabelto; - -attribute violator_hdf_devmgr_class_get; - -attribute binder_call_hdfdomain_violators; - -attribute hiview_host; - -attribute rgm_violator_filesystem_mount; - -attribute system_bin_file_quickfix; - -#define some rgm_violator_ohos attribute for neverallows -attribute rgm_violator_ohos_filesystem_unmount; - -attribute rgmli_violator_exec_file_attr; - -attribute violator_code_sign_utils_file_attr; -attribute violator_dev_code_sign_chr_file_attr; -attribute violator_dev_encaps_chr_file_attr; - -# define some hap_domain violator attribute for neverallows -attribute hap_domain_dev_ptmx_violators; -attribute hap_domain_cgroup_violators; -attribute hap_domain_proc_stat_file_violators; -attribute hap_domain_proc_modules_file_violators; - -attribute hap_domain_lnk_file_operation_viloator; -attribute hap_attr_link_violators; -attribute sp_daemon_get; - -attribute normal_hap_system_basic_hap_data_file_violators; - -attribute violator_sa_domain_data_local_tmp; -attribute violator_data_local_tmp_file_open; -attribute violator_sa_capability_dac_override; - -# define storage_violator attribute for neverallows -attribute violator_storage_binder; - -attribute violator_lldb_data_local_tmp; -attribute violator_lldb_server_file; -attribute violator_lldb_server_file_execute; -attribute violator_debug_domain_sa_lldb_server_file; -attribute violator_lldb_server_file_entrypoint; -attribute violator_lldb_server_transition; -attribute violator_debug_domain_sa_lldb_server_transition; -attribute violator_lldb_server_ptrace; -attribute violator_ptrace_debug_hap; - -attribute violator_hap_domain_file_sock_file; - -attribute violator_samgr_class_add_remote; -attribute violator_isolated_render_execute_data_file_attr; -attribute violator_isolated_gpu_execute_data_file_attr; -attribute violator_appspawn_hap_file_attr_dir; -attribute violator_appspawn_execute_data_file_attr_violator_file; -attribute violator_appspawn_execute_hap_file_attr_file; -attribute violator_domain_sys_boot; -- Gitee