!2228 cloudfiledaemon selinux

Merge pull request !2228 from 1286321420/master

sepolicy/base/public/hap_domain.te

@@ -125,9 +125,9 @@ neverallow normal_hap_attr system_basic_hap_data_file:dir_file_class_set { creat
 #limit access to normal_hap_data_file_attr
 neverallow { domain -hap_domain -installs debug_only(`-hdcd') -distributeddata -storage_daemon -hiview } normal_hap_data_file_attr:dir_file_class_set { create unlink };
 
-neverallow { domain -hap_domain -installs -appspawn -nwebspawn debug_only(`-hdcd') -distributeddata -sh -storage_daemon -hiview } normal_hap_data_file_attr:dir *;
+neverallow { domain -hap_domain -installs -appspawn -nwebspawn debug_only(`-hdcd') -distributeddata -sh -storage_daemon -hiview -cloudfiledaemon } normal_hap_data_file_attr:dir *;
 
-neverallow { domain -hap_domain -installs debug_only(`-hdcd') -distributeddata -storage_daemon -hiview } normal_hap_data_file_attr:file_class_set open;
+neverallow { domain -hap_domain -installs debug_only(`-hdcd') -distributeddata -storage_daemon -hiview -cloudfiledaemon } normal_hap_data_file_attr:file_class_set open;
 
 neverallow { domain -installs } normal_hap_data_file_attr:dir_file_class_set { relabelfrom relabelto };
 

sepolicy/ohos_policy/filemanagement/dfs_service/public/type.te

@@ -18,3 +18,4 @@ type ntfs, fs_attr;
 
 type distributedfiledaemon, sadomain, domain;
 type data_service_el2_hmdfs, file_attr, data_file_attr;
+type cloudfiledaemon, sadomain, domain;

sepolicy/ohos_policy/filemanagement/dfs_service/system/cloudfiledaemon.te

@@ -0,0 +1,60 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow cloudfiledaemon sa_accesstoken_manager_service:samgr_class { get };
+allow cloudfiledaemon sa_param_watcher:samgr_class { get };
+allow cloudfiledaemon param_watcher:binder { call transfer };
+allow cloudfiledaemon dev_unix_socket:dir { search };
+allow cloudfiledaemon paramservice_socket:sock_file { write };
+allow cloudfiledaemon kernel:unix_stream_socket { connectto };
+allow cloudfiledaemon netsysnative:unix_stream_socket { connectto };
+allow cloudfiledaemon netmanager:binder { call transfer };
+allow cloudfiledaemon accesstoken_service:binder { call };
+allow cloudfiledaemon data_service_file:dir { search };
+allow cloudfiledaemon sa_foundation_cesfwk_service:samgr_class { get };
+allow cloudfiledaemon foundation:binder { transfer call };
+allow cloudfiledaemon sa_foundation_abilityms:samgr_class { get };
+allow cloudfiledaemon sa_foundation_battery_service:samgr_class { get };
+allow cloudfiledaemon data_app_file:dir { search open read write };
+allow cloudfiledaemon data_app_el2_file:dir { search read write open };
+allow cloudfiledaemon data_app_el2_file:file { lock getattr open read write ioctl map };
+allow cloudfiledaemon dev_fuse_file:chr_file { read write };
+allow cloudfiledaemon data_service_el2_file:dir { search };
+allow cloudfiledaemon data_service_el2_hmdfs:dir { create search read open write add_name };
+allow cloudfiledaemon data_service_el2_hmdfs:file { create setattr getattr read open write };
+allow cloudfiledaemon hmdfs:dir { search write remove_name add_name create open };
+allow cloudfiledaemon hmdfs:file { read open ioctl getattr create append rename };
+allow cloudfiledaemon storage_daemon:fd { use };
+allow cloudfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add };
+allow cloudfiledaemon hap_domain:binder { call transfer };
+debug_only(`
+    allow cloudfiledaemon sh:binder { call };
+')
+allow cloudfiledaemon sa_net_conn_manager:samgr_class { get };
+allow cloudfiledaemon dev_console_file:chr_file { read write };
+allow cloudfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add };
+allow cloudfiledaemon data_service_el1_file:dir { search write add_name create remove_name };
+allow cloudfiledaemon data_service_el1_file:file { create write open getattr ioctl setattr read rename unlink };
+allow cloudfiledaemon hap_domain:binder { call };
+allow cloudfiledaemon data_file:dir { search };
+allow cloudfiledaemon dev_ashmem_file:chr_file { open };
+allow cloudfiledaemon distributeddata:binder { transfer call };
+allow cloudfiledaemon data_user_file:dir { read open search add_name write remove_name create };
+allow cloudfiledaemon data_user_file:file { read open getattr write create rename };
+allow cloudfiledaemon cloudfiledaemon:udp_socket { create bind read write node_bind };
+allow cloudfiledaemon node:udp_socket { node_bind };
+allow cloudfiledaemon cloudfiledaemon:tcp_socket { read create setopt connect  getopt  getattr write };
+allow cloudfiledaemon port:tcp_socket { name_connect };
+allow cloudfiledaemon system_bin_file:dir { search };
+allow cloudfiledaemon medialibrary_hap_data_file:dir { search read open };
+allow cloudfiledaemon medialibrary_hap_data_file:file { read open getattr write ioctl lock map };

sepolicy/ohos_policy/filemanagement/dfs_service/system/distributeddata.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow distributeddata cloudfiledaemon:binder { call transfer };

sepolicy/ohos_policy/filemanagement/dfs_service/system/distributedfiledaemon.te

@@ -47,66 +47,3 @@ allow distributedfiledaemon dslm_service:binder { call };
 #avc:  denied  { get } for service=3299 pid=609 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
 allow distributedfiledaemon sa_foundation_cesfwk_service:samgr_class { get };
 
-#avc:  denied  { add } for service=5204 pid=1784 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_filemanagement_cloud_sync_service:s0 tclass=samgr_class permissive=0
-allow distributedfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add };
-
-#avc:  denied  { get } for service=3302 pid=599 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_foundation_battery_service:s0 tclass=samgr_class permissive=0
-allow  distributedfiledaemon sa_foundation_battery_service:samgr_class { get };
-
-#kmsg: audit: type=1400 audit(1676302293.484:6726): avc:  denied  { call } for  pid=622 comm="IPC_1_896" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
-
-#avc:  denied  { get } for service=5204 pid=1345 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:sa_filemanagement_cloud_sync_service:s0 tclass=samgr_class permissive=1
-allow hap_domain sa_filemanagement_cloud_sync_service:samgr_class { get };
-
-#avc:  denied  { call } for  pid=1572 comm="IPC_3_1618" scontext=u:r:system_core_hap:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1
-allow hap_domain distributedfiledaemon:binder { call };
-
-debug_only(`
-    allow distributedfiledaemon sh:binder { call };
-')
-
-#avc: denied { call } for pid=1110 comm="SaOndemand" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=0
-#avc: denied { transfer } for pid=1110 comm="SaOndemand" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=0
-allow distributedfiledaemon netmanager:binder { call transfer };
-
-#avc: denied { call } for pid=656 comm="IPC_0_770" scontext=u:r:netmanager:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=0
-allow netmanager distributedfiledaemon:binder { call };
-
-#avc:  denied  { get } for service=1151 pid=1608 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=0
-allow distributedfiledaemon sa_net_conn_manager:samgr_class { get };
-
-#avc:  denied  { write } for  pid=498 comm="SaOndemand" name="paramservice" dev="tmpfs" ino=37 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
-allow distributedfiledaemon paramservice_socket:sock_file { write };
-
-#avc:  denied  { connectto } for  pid=498 comm="SaOndemand" path="/dev/unix/socket/paramservice" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
-allow distributedfiledaemon kernel:unix_stream_socket { connectto };
-
-#avc:  denied  { read write } for  pid=2061 comm="sa_main" path="/dev/console" dev="tmpfs" ino=27 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
-#avc:  denied  { read } for  pid=2061 comm="sa_main" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
-#avc:  denied  { open } for  pid=2061 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
-#avc:  denied  { map } for  pid=2061 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
-#avc:  denied  { use } for  pid=2060 comm="storage_daemon" path="/dev/fuse" dev="tmpfs" ino=180 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:storage_daemon:s0 tclass=fd permissive=1
-#avc:  denied  { read write } for  pid=2153 comm="storage_daemon" path="/dev/fuse" dev="tmpfs" ino=180 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=1
-#avc:  denied  { add } for service=5205 pid=502 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:default_service:s0 tclass=samgr_class permissive=0
-#avc:  denied  { add } for service=5205 pid=1784 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_filemanagement_cloud_daemon_service:s0 tclass=samgr_class permissive=0
-allow distributedfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add };
-allow  distributedfiledaemon dev_console_file:chr_file { read write };
-allow  distributedfiledaemon musl_param:file { open read map };
-allow  distributedfiledaemon storage_daemon:fd { use };
-allow  distributedfiledaemon dev_fuse_file:chr_file { read write };
-
-#avc:  denied  { search } for  pid=487 comm="IPC_1_571" name="el1" dev="mmcblk0p12" ino=11 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
-#avc:  denied  { write } for  pid=953 comm="cloudfiledaemon" name="cloudfile" dev="mmcblk0p12" ino=1380 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
-#avc:  denied  { add_name } for  pid=953 comm="cloudfiledaemon" name="100" scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
-#avc:  denied  { create } for  pid=953 comm="cloudfiledaemon" name="100" scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
-allow distributedfiledaemon data_service_el1_file:dir { search write add_name create remove_name };
-
-#avc:  denied  { create } for  pid=953 comm="cloudfiledaemon" name="com.example.cloudsync" scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-#avc:  denied  { write open } for  pid=953 comm="cloudfiledaemon" path="/data/service/el1/public/cloudfile/100/com.example.cloudsync" dev="mmcblk0p12" ino=1477 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-#avc:  denied  { getattr } for  pid=953 comm="cloudfiledaemon" path="/data/service/el1/public/cloudfile/100/com.example.cloudsync" dev="mmcblk0p12" ino=1477 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-#avc:  denied  { ioctl } for  pid=953 comm="cloudfiledaemon" path="/data/service/el1/public/cloudfile/100/com.example.cloudsync" dev="mmcblk0p12" ino=1477 ioctlcmd=0x5413 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-#avc:  denied  { setattr } for  pid=953 comm="cloudfiledaemon" name="com.example.cloudsync" dev="mmcblk0p12" ino=1477 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
-allow distributedfiledaemon data_service_el1_file:file { create write open getattr ioctl setattr read rename unlink };
-
-#avc:  denied  { call } for  pid=552 comm="IPC_1_623" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1
-allow distributedfiledaemon hap_domain:binder { call transfer };

sepolicy/ohos_policy/filemanagement/dfs_service/system/foundation.te

@@ -0,0 +1,17 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow foundation cloudfiledaemon:binder { transfer call };
+allow foundation cloudfiledaemon:file { read open getattr };
+allow foundation cloudfiledaemon:dir { search };
+

sepolicy/ohos_policy/filemanagement/dfs_service/system/hap_domain.te

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow hap_domain sa_filemanagement_cloud_sync_service:samgr_class { get };
+allow hap_domain cloudfiledaemon:binder { call transfer };
+allow hap_domain cloudfiledaemon:binder { call };

sepolicy/ohos_policy/filemanagement/dfs_service/system/init.te

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow init cloudfiledaemon:process { rlimitinh siginh transition };
+allow init sa_filemanagement_cloud_daemon_service:samgr_class { add };
+

sepolicy/ohos_policy/filemanagement/dfs_service/system/medialibrary_hap.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow medialibrary_hap cloudfiledaemon:binder { transfer };

sepolicy/ohos_policy/filemanagement/dfs_service/system/memmgrservice.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow memmgrservice cloudfiledaemon:file { getattr };

sepolicy/ohos_policy/filemanagement/dfs_service/system/netmanager.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow netmanager cloudfiledaemon:binder { call };

sepolicy/ohos_policy/filemanagement/dfs_service/system/param_watcher.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow param_watcher cloudfiledaemon:binder { call };

sepolicy/ohos_policy/filemanagement/dfs_service/system/storage_daemon.te

@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow storage_daemon cloudfiledaemon:fd { use };
+allow storage_daemon cloudfiledaemon:binder { call };