!14 add sepolicy

Merge pull request !14 from dapaodexiaoyu2/master
openharmony_ci 2022-01-11 12:30:26 +00:00 committed by Gitee
commit 49938e0213
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
8 changed files with 116 additions and 48 deletions


@ -66,7 +66,8 @@ int restorecon(void)
return -1;
}
errors = selinux_restorecon("/", opts.restorecon_flags);
errors = selinux_restorecon("/data", opts.restorecon_flags);
errors = selinux_restorecon("/dev", opts.restorecon_flags);
selabel_close(opts.hnd);
return (errors ? -1 : 1);
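Review bot: The three `errors = selinux_restorecon(...)` assignments overwrite one another, so a failure relabeling `/` or `/data` is masked whenever the final `/dev` call succeeds, and `return (errors ? -1 : 1)` reports success. Accumulate instead, e.g. `errors |= selinux_restorecon("/", opts.restorecon_flags);` and likewise for the `/data` and `/dev` lines (selinux_restorecon returns -1 on failure, so OR preserves it), or `if (selinux_restorecon(...) < 0) errors = -1;` per call. Whether the separate `/data` and `/dev` passes are needed at all depends on what `opts.restorecon_flags` requests (recursion and mount-point crossing are not visible here), so a one-line comment stating why `/` alone is insufficient would help the next reader. restorecon's body begins before this hunk.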


@ -88,11 +88,6 @@ def combine_file_contexts(file_contexts_list, combined_file_contexts):
">", combined_file_contexts]
run_command(grep_cmd)
sort_cmd = ["sort -b",
combined_file_contexts,
"-o", combined_file_contexts]
run_command(sort_cmd)
def main(args):
"""build file_contexts.bin form all file_contexts files."""
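Review bot: If, as the hunk's line counts suggest, the `sort -b` step is the removed part, the combined file now keeps exactly the concatenation order of `file_contexts_list`, and that order becomes security-relevant: in libselinux's file_contexts lookup a later matching entry takes precedence over an earlier one, which is also what the `# please put shorter config ahead;` convention in the contexts file relies on. Document that contract on the function, e.g. `"""Concatenate file_contexts_list into combined_file_contexts; input order is preserved and later entries override earlier ones."""`. The `">"` element in `grep_cmd` implies the command is handed to a shell, so a path containing spaces or metacharacters would break or be misinterpreted; if `run_command` cannot quote, writing the output via Python (`open(combined_file_contexts, "w")` as stdout) avoids the shell entirely. Unrelated nit in the context line: `form` should read `from` in main's docstring. combine_file_contexts starts before this hunk.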


@ -0,0 +1,6 @@
type security;
type port;
type netif;
type netmsg;
type node;
type sysctl;
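Review bot: These six declarations carry no attributes and no comment, so a reader has to cross-reference initial_sid_contexts to learn why `security`, `port`, `netif`, `netmsg`, `node` and `sysctl` exist. Add a header such as `# Types backing the kernel initial SIDs (see initial_sid_contexts). Deliberately attribute-less, so attribute-based rules (file_type, fs_type, ...) do not reach them.` If any of them is meant to be covered by such rules, the attribute should be added here rather than discovered later through a denial.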


@ -30,14 +30,45 @@ type cgroup, fs_type;
type sysfs, fs_type;
type inotify, fs_type;
type debugfs, fs_type;
type config_file, fs_type;
type system_lib_file, system_file_type, file_type;
type system_etc_file, system_file_type, file_type;
type system_data_file, system_file_type, file_type;
type system_hap_file, system_file_type, file_type;
type system_fonts_file, system_file_type, file_type;
type system_profile_file, system_file_type, file_type;
type system_usr_file, system_file_type, file_type;
type system_bin_file, system_file_type, file_type;
type dev_cpu_variant, file_type;
type fontconfig_file, system_file_type, file_type;
type fonts_file, system_file_type, file_type;
type vendor_file, vendor_file_type, file_type;
type system_data_file, file_type, data_file_type;
type sysfs_rtc, fs_type, sysfs_type;
type system_file, file_type;
type lib_file, file_type;
type etc_file, file_type;
type dev_file, file_type;
type sysfs_block_file, sysfs_type;
type sysfs_hisys_file, sysfs_type;
type updater_file, file_type;
type data_file, file_type, data_file_type;
type data_hap_file, file_type, data_file_type;
type data_app_file, file_type, data_file_type;
type data_app_el1_file, file_type, data_file_type;
type data_app_el2_file, file_type, data_file_type;
type data_app_el3_file, file_type, data_file_type;
type data_app_el4_file, file_type, data_file_type;
type data_service_file, file_type, data_file_type;
type data_service_el0_file, file_type, data_file_type;
type data_service_el1_file, file_type, data_file_type;
type data_service_el2_file, file_type, data_file_type;
type data_chipset_file, file_type, data_file_type;
type data_chipset_el1_file, file_type, data_file_type;
type data_chipset_el2_file, file_type, data_file_type;
type data_storage_file, file_type, data_file_type;
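Review bot: `system_data_file` appears twice on this page, once as `type system_data_file, system_file_type, file_type;` and once as `type system_data_file, file_type, data_file_type;`; the rendered view does not show which side each is on, and a duplicate declaration is rejected by the policy compiler, so please confirm the first is on the removed side. Separately, `type sysfs_block_file, sysfs_type;` and `type sysfs_hisys_file, sysfs_type;` omit `fs_type`, while the neighbouring `type sysfs_rtc, fs_type, sysfs_type;` has it; both types are used as genfscon labels for sysfs subtrees later in this commit, so any rule written against `fs_type` would silently skip them. Unless that is intentional, declare them as `type sysfs_block_file, fs_type, sysfs_type;` and `type sysfs_hisys_file, fs_type, sysfs_type;`. The hunk's line counts indicate the page shows only part of this file section.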


@ -1,3 +1,4 @@
# please put shorter config ahead;
# root
/ u:object_r:rootfs:s0
@ -11,38 +12,13 @@
/storage u:object_r:rootfs:s0
/sys-prod u:object_r:rootfs:s0
/tmp u:object_r:rootfs:s0
/config(/.*)? u:object_r:config_file:s0
/data(/.*)? u:object_r:data_file:s0
/data/hap(/.*)? u:object_r:data_hap_file:s0
/data/service(/.*)? u:object_r:data_service_file:s0
/data/chipset(/.*)? u:object_r:data_chipset_file:s0
/data/storage(/.*)? u:object_r:data_storage_file:s0
/sys u:object_r:sys_file:s0
/dev(/.*)? u:object_r:dev_file:s0
/etc(/.*)? u:object_r:etc_file:s0
/lib(/.*)? u:object_r:lib_file:s0
/sys(/.*)? u:object_r:sys_file:s0
/sys/kernel(/.*)? u:object_r:sys_file:s0
/sys/hi3881_debug(/.*)? u:object_r:sys_file:s0
/sys/devices(/.*)? u:object_r:sys_file:s0
/sys/power(/.*)? u:object_r:sys_file:s0
/sys/class(/.*)? u:object_r:sys_file:s0
/sys/dev(/.*)? u:object_r:sys_file:s0
/sys/firmware(/.*)? u:object_r:sys_file:s0
/sys/fs(/.*)? u:object_r:sys_file:s0
/sys/bus(/.*)? u:object_r:sys_file:s0
/sys/module(/.*)? u:object_r:sys_file:s0
/sys/block(/.*)? u:object_r:sys_file:s0
/sys/hisys(/.*)? u:object_r:sys_file:s0
/config(/.*)? u:object_r:config_file:s0
/system(/.*)? u:object_r:system_file:s0
/system/hap(/.*)? u:object_r:system_hap_file:s0
@ -53,12 +29,24 @@
/system/profile(/.*)? u:object_r:system_profile_file:s0
/system/usr(/.*)? u:object_r:system_usr_file:s0
/data(/.*)? u:object_r:data_file:s0
/data/hap(/.*)? u:object_r:data_hap_file:s0
/data/app(/.*)? u:object_r:data_app_file:s0
/data/app/el1(/.*)? u:object_r:data_app_el1_file:s0
/data/app/el2(/.*)? u:object_r:data_app_el2_file:s0
/data/app/el3(/.*)? u:object_r:data_app_el3_file:s0
/data/app/el4(/.*)? u:object_r:data_app_el4_file:s0
/data/service(/.*)? u:object_r:data_service_file:s0
/data/service/el0(/.*)? u:object_r:data_service_el0_file:s0
/data/service/el1(/.*)? u:object_r:data_service_el1_file:s0
/data/service/el2(/.*)? u:object_r:data_service_el2_file:s0
/data/chipset(/.*)? u:object_r:data_chipset_file:s0
/data/chipset/el1(/.*)? u:object_r:data_chipset_el1_file:s0
/data/chipset/el2(/.*)? u:object_r:data_chipset_el2_file:s0
/data/storage(/.*)? u:object_r:data_storage_file:s0
/updater(/.*)? u:object_r:updater_file:s0
/vendor(/.*)? u:object_r:vendor_file:s0
/vendor/firmware(/.*)? u:object_r:vendor_file:s0
/vendor/etc(/.*)? u:object_r:vendor_etc_file:s0
/vendor/lost+found(/.*)? u:object_r:vendor_file:s0
/vendor/modules(/.*)? u:object_r:vendor_file:s0
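Review bot: `/sys u:object_r:sys_file:s0` and `/sys(/.*)? u:object_r:sys_file:s0` both appear, as do two `/config(/.*)? u:object_r:config_file:s0` lines; the rendered view does not mark sides, so if both of either pair survive one is a redundant duplicate that should be dropped. The ordering convention this file depends on is only hinted at, so make it explicit: `# please put shorter config ahead; when several entries match, the later one wins.` The types `sys_file` and `vendor_etc_file` referenced here do not appear among the type declarations visible in this commit; presumably they are declared elsewhere, but a missing type would only surface when the policy is compiled, so it is worth confirming.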


@ -1,7 +1,27 @@
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid untrusted_hap u:object_r:unlabeled:s0
sid kernel u:r:kernel:s0
sid security u:object_r:security:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:netmsg:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:sysctl:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
sid devnull u:object_r:null_device:s0
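Review bot: The new context list (from `sid kernel u:r:kernel:s0` through `sid devnull u:object_r:null_device:s0`) has no entry for `untrusted_hap`, yet the initial_sids section later in this commit still declares `sid untrusted_hap` on the new side as far as its line counts show. Every declared initial SID needs a context; the kernel's policy loader refuses a policy whose initial SID lacks one, so either add `sid untrusted_hap u:object_r:unlabeled:s0` here or remove the declaration from initial_sids. The same mismatch is the point for that later section, so it is raised only here. `null_device` is not declared in any type hunk visible on this page; presumably it exists elsewhere, but please confirm.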


@ -16,5 +16,26 @@ sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid untrusted_hap
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull


@ -1,7 +1,13 @@
# please put longer path ahead.
# use relative path to mount point.
genfscon rootfs / u:object_r:rootfs:s0
genfscon proc / u:object_r:proc:s0
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon sysfs /block u:object_r:sysfs_block_file:s0
genfscon sysfs /hisys u:object_r:sysfs_hisys_file:s0
genfscon sysfs / u:object_r:sysfs:s0
genfscon configfs / u:object_r:config_file:s0
genfscon debugfs / u:object_r:debugfs:s0