From 0da10fb57d87efd7700758a53a3af1cef8595cbc Mon Sep 17 00:00:00 2001
From: zhangchenyang
Date: Sat, 13 Sep 2025 11:04:52 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E3=80=90master=E3=80=91=E3=80=90storage?=
 =?UTF-8?q?=E3=80=91=E7=A9=BA=E9=97=B4=E7=BB=9F=E8=AE=A1=E5=A2=9E=E5=BC=BA?=
 =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zhangchenyang
---
 sepolicy/base/public/domain.te | 2 +-
 .../filemanagement/storage_service/system/storage_daemon.te | 6 ++++++
 sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te | 3 +++
 sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te | 6 ++++--
 .../ohos_policy/security/access_token/system/neverallow.te | 6 ++++--
 sepolicy/ohos_policy/update/module_update/system/domain.te | 4 +++-
 6 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index 4fc2fa1ed..be16cd358 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -101,7 +101,7 @@ neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -rgm_vio
 # /data/local/tmp dir using for debug.
 neverallow { domain -data_local_tmp_violator_dir developer_only(`-wukong -atm -snapshot_display -bm -mediatool -perftest') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') } data_local_tmp:dir never_write_dir;
-neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool -perftest') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -violator_sa_domain_data_local_tmp -violator_lldb_data_local_tmp } data_local_tmp:dir { open search };
+neverallow { domain -storage_daemon developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool -perftest') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -violator_sa_domain_data_local_tmp -violator_lldb_data_local_tmp } data_local_tmp:dir { open search };
 # only samgr can be binder manager.
 neverallow { domain -samgr } *:binder set_context_mgr;
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
index 959db241e..7950e0ec2 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
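Review bot: The `-storage_daemon` exemption on the `data_local_tmp:dir { open search }` rule arrives with no bounding rule for storage_daemon, unlike the hitrace, access_token and module_update hunks of this series, which pair every exemption with a `neverallow storage_daemon … ~{ getattr read open search };`. storage_daemon is still inside the `never_write_dir` rule two lines above, so writes stay forbidden, but nothing here caps what else may later be allowed on that directory. Unless such a bound already exists outside this hunk, add `neverallow storage_daemon data_local_tmp:dir ~{ getattr read open search };` right after the changed line so this file follows the same exempt-then-bound pattern as the others.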
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te
@@ -43,6 +43,12 @@ allow storage_daemon domain:dir { search read open };
 allow storage_daemon domain:lnk_file { read };
 allow storage_daemon domain:process { sigkill };
+allow storage_daemon data_file_attr:dir { getattr read open search };
+allow storage_daemon data_file_attr:file { getattr };
+allow storage_daemon data_file_attr:lnk_file { getattr };
+allow storage_daemon data_file_attr:fifo_file { getattr };
+allow storage_daemon data_file_attr:sock_file { getattr };
+
 #avc: denied { call } for pid=255 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
 allow storage_daemon accesstoken_service:binder { call };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
index 035115ca0..e0ab495f0 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
@@ -92,6 +92,7 @@ neverallow * hilogd:process dyntransition;
 # protect persist tmp file and info file
 neverallow {
   domain
+  -storage_daemon
   -installs
   developer_only(`-wukong')
   developer_only(`-hiprofiler_plugins')
@@ -104,6 +105,8 @@ neverallow {
   updater_only(`-hiview_light')
 } data_hilogd_file:file { rw_file_perms };
+neverallow storage_daemon data_hilogd_file:file ~{ getattr };
+
 # shell can read but cannot write hilogd files
 neverallow { domain -hilogd -installs } data_hilogd_file:file { append create rename setattr write };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te b/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te
index 4400fa06b..f6fc2a3ad 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te
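Review bot: The five new `allow storage_daemon data_file_attr:…` rules are attribute-wide — they grant directory listing and traversal plus getattr on every type that carries `data_file_attr` — and the block carries no comment saying why or how far this is meant to reach. What keeps storage_daemon to metadata on the more sensitive types is only the set of per-type `neverallow storage_daemon … ~{ getattr }` bounds added in the hilogd, hitrace, access_token and module_update files of this patch; any data type without such a bound is governed by these attribute grants alone. Add a header above the block, e.g. `# space statistics: traverse /data and stat entries (dir read/open/search, getattr only); no file content access is granted here`, so that whoever later widens the file rule sees the intent; the bound rules in the other four files are missing the same explanation.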
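Review bot: The new `neverallow storage_daemon data_hilogd_file:file ~{ getattr };` bound sits a dozen lines away from the `-storage_daemon` exemption it balances in the preceding hunk, with nothing tying the two together, so a reader of either hunk alone cannot see that the exemption is deliberately narrow. Add `# storage_daemon is exempted above only so it can stat these files for space statistics; everything else stays denied` directly above the bound rule. The multi-line neverallow statement that both hunks touch starts and ends outside each hunk's view.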
@@ -13,8 +13,10 @@
 neverallow { domain -hitrace -bytrace -hiview -hiprofiler_plugins } hitrace_param:parameter_service set;
-neverallow { domain -hitrace -bytrace -hiview -updater -init } data_log_hitrace:dir { add_name open read search watch write create remove_name getattr };
-neverallow { domain -hitrace -bytrace -hiview -updater -init } data_log_hitrace:file { create getattr lock map open read write unlink rename append ioctl };
+neverallow { domain -storage_daemon -hitrace -bytrace -hiview -updater -init } data_log_hitrace:dir { add_name open read search watch write create remove_name getattr };
+neverallow storage_daemon data_log_hitrace:dir ~{ getattr read open search };
+neverallow { domain -storage_daemon -hitrace -bytrace -hiview -updater -init } data_log_hitrace:file { create getattr lock map open read write unlink rename append ioctl };
+neverallow storage_daemon data_log_hitrace:file ~{ getattr };
 neverallow { domain -hiview -updater } data_log_hitrace:fifo_file { create read write open unlink };
 allow hitrace_param tmpfs:filesystem { associate };
diff --git a/sepolicy/ohos_policy/security/access_token/system/neverallow.te b/sepolicy/ohos_policy/security/access_token/system/neverallow.te
index 8be5be872..3ebce8c0b 100644
--- a/sepolicy/ohos_policy/security/access_token/system/neverallow.te
+++ b/sepolicy/ohos_policy/security/access_token/system/neverallow.te
@@ -11,8 +11,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_dir updater_only(`-updater') } accesstoken_data_file:dir *;
-neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_file updater_only(`-updater') } accesstoken_data_file:file *;
+neverallow { domain -storage_daemon -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_dir updater_only(`-updater') } accesstoken_data_file:dir *;
+neverallow storage_daemon accesstoken_data_file:dir ~{ getattr read open search };
+neverallow { domain -storage_daemon -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_file updater_only(`-updater') } accesstoken_data_file:file *;
+neverallow storage_daemon accesstoken_data_file:file ~{ getattr };
 neverallow accesstoken_service accesstoken_data_file:dir ~{ create search add_name open read write remove_name ioctl };
 neverallow accesstoken_service accesstoken_data_file:file ~{ open read getattr ioctl lock write create unlink map setattr };
diff --git a/sepolicy/ohos_policy/update/module_update/system/domain.te b/sepolicy/ohos_policy/update/module_update/system/domain.te
index 44ebb53ab..0e460789f 100644
--- a/sepolicy/ohos_policy/update/module_update/system/domain.te
+++ b/sepolicy/ohos_policy/update/module_update/system/domain.te
@@ -11,8 +11,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-neverallow { domain -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update
+neverallow { domain -storage_daemon -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update
   data_module_update_package system_module_update_file }:{ file dir } *;
+neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:file ~{ getattr }
+neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:dir ~{ getattr read open search }
 # sa process which support module update should add itself here
 neverallow { domain -init -module_update_service -foundation -module_update_binary_file_violator_file_dir } { module_update_file
-- 
Gitee

From 254eac46c817daf88dcbbd321103d14a1ffd79e1 Mon Sep 17 00:00:00 2001
From: zhangchenyang
Date: Sat, 13 Sep 2025 13:29:31 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E3=80=90master=E3=80=91=E3=80=90storage?=
 =?UTF-8?q?=E3=80=91=E7=A9=BA=E9=97=B4=E7=BB=9F=E8=AE=A1=E5=A2=9E=E5=BC=BA?=
 =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zhangchenyang
---
 sepolicy/ohos_policy/update/module_update/system/domain.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sepolicy/ohos_policy/update/module_update/system/domain.te b/sepolicy/ohos_policy/update/module_update/system/domain.te
index 0e460789f..13d63d8a1 100644
--- a/sepolicy/ohos_policy/update/module_update/system/domain.te
+++ b/sepolicy/ohos_policy/update/module_update/system/domain.te
@@ -13,8 +13,8 @@
 neverallow { domain -storage_daemon -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update
   data_module_update_package system_module_update_file }:{ file dir } *;
-neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:file ~{ getattr }
-neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:dir ~{ getattr read open search }
+neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:file ~{ getattr };
+neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:dir ~{ getattr read open search };
 # sa process which support module update should add itself here
 neverallow { domain -init -module_update_service -foundation -module_update_binary_file_violator_file_dir } { module_update_file
-- 
Gitee
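Review bot: This second patch only restores the two terminating semicolons that PATCH 1/2 dropped from the storage_daemon bound rules, so 1/2 applied on its own leaves domain.te with two statements that the policy compiler will not parse; squash it into the first patch so every commit in the series builds. With both applied the rules read `neverallow storage_daemon { … }:file ~{ getattr };` and `neverallow storage_daemon { … }:dir ~{ getattr read open search };`, matching the form already used in the hitrace and access_token files. The multi-line neverallow above them continues outside the hunk.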