@@ -73,8 +73,12 @@ neverallow hap_domain { vendor_file_attr -vendor_lib_file }:{ file fifo_file lnk
|
||||
neverallow hap_domain dev_attr:blk_file { read write };
|
||||
|
||||
#limit hap access dev file.
|
||||
neverallow hap_domain { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file -dev_zero_file
|
||||
-dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_bbox }:chr_file { open ioctl read write};
|
||||
neverallow { hap_domain -system_basic_hap } { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file
|
||||
-dev_zero_file -dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_bbox }:chr_file { open ioctl read write};
|
||||
|
||||
neverallow system_basic_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file -dev_zero_file
|
||||
-dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_tun_file -dev_bbox }:chr_file { open ioctl read write};
|
||||
|
||||
neverallow hap_domain dev_bbox:chr_file { read };
|
||||
neverallowxperm hap_domain dev_bbox:chr_file ioctl ~{ 0xab01 0xab04 0xab09 0xad01 0xaf04 0xaf06 };
|
||||
neverallow { hap_domain -dev_fuse_file_violator } dev_fuse_file:chr_file { open ioctl read write};
|
||||
|
||||
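Review bot: The new `neverallow system_basic_hap { dev_attr ... -dev_tun_file -dev_bbox }:chr_file { open ioctl read write };` exempts dev_tun_file from all four permissions, while the system_basic_hap hunk below only grants `read write` on a tun fd inherited from netsysnative, the domain that actually opens and configures the device. Keeping open/ioctl denied on the hap side is what pins that hand-over model, so I would add `neverallow system_basic_hap dev_tun_file:chr_file { open ioctl };` directly after the new rule so a later allow cannot quietly widen it. The two exemption lists are now duplicated except for dev_tun_file; a shared attribute or m4 macro for the common set would keep them from drifting. A comment on the system_basic_hap rule such as `# system_basic_hap may only use a tun fd handed over by netsysnative; open/ioctl stay denied` would record why the split exists.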
@@ -75,6 +75,12 @@ allow netsysnative netmanager:tcp_socket { read write bind getopt setopt connect
|
||||
allow netmanager data_service_el1_file:file { rename };
|
||||
allow netmanager sa_foundation_appms:samgr_class { get };
|
||||
|
||||
allow netmanager sa_comm_vpn_manager_service:samgr_class { add };
|
||||
allow netmanager dev_console_file:chr_file { read write };
|
||||
allow netmanager sa_accountmgr:samgr_class { get };
|
||||
allow netmanager accountmgr:binder { call };
|
||||
allow accountmgr netmanager:binder { transfer };
|
||||
|
||||
debug_only(`
|
||||
allow sh sa_comm_ethernet_manager_service:samgr_class { add get };
|
||||
allow netmanager sh:binder { call };
|
||||
|
||||
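Review bot: `allow netmanager dev_console_file:chr_file { read write };` gives a long-running network daemon read access to the console device, and nothing in the hunk explains why. If it is only for debug output, `write` alone suffices and the rule belongs inside the `debug_only(` ... `)` block this file already uses for the sh rules just below; if it is needed in release builds, a comment naming the code path that opens the console would help the next reviewer. The `sa_comm_vpn_manager_service:samgr_class { add }` line and the accountmgr binder pair look consistent with the VPN work in the other hunks, but a short `# vpn manager service registration and account lookup` comment grouping them would make the intent explicit rather than inferred.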
@@ -51,6 +51,11 @@ allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt
|
||||
allow init dev_unix_file:sock_file { unlink };
|
||||
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 };
|
||||
|
||||
allow netsysnative system_basic_hap:fd { use };
|
||||
allow netsysnative system_basic_hap:tcp_socket { read write getopt setopt };
|
||||
allow netsysnative dev_tun_file:chr_file { open read write ioctl };
|
||||
allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto };
|
||||
|
||||
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 };
|
||||
|
||||
allow netsysnative iptables_exec:file { execute read open execute_no_trans map };
|
||||
|
||||
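Review bot: `allow netsysnative dev_tun_file:chr_file { open read write ioctl };` leaves ioctl unrestricted, whereas this same file already scopes ioctls with `allowxperm` on its unix_dgram_socket rules (0x8933 and 0x8927/0x8954 in this hunk); the tun device should get the same treatment with only the TUN ioctls netsysnative actually issues, e.g. `allowxperm netsysnative dev_tun_file:chr_file ioctl { 0x400454ca };` (TUNSETIFF on Linux) extended to whatever else is needed. `netsysnative:tun_socket { create relabelfrom relabelto }` looks like the usual pairing for attaching a tun interface, but a one-line comment saying so would help. `system_basic_hap:tcp_socket { read write getopt setopt }` together with `system_basic_hap:fd { use }` lets netsysnative operate on sockets passed in from any system_basic_hap process; if the purpose is socket protection/marking only, say so in a comment and consider dropping `read write` if they are not required.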
@@ -20,6 +20,11 @@ allow system_basic_hap netsysnative:unix_stream_socket { connectto read write };
|
||||
allow system_basic_hap system_basic_hap:tcp_socket { getattr create setopt bind connect getopt read write };
|
||||
allow system_basic_hap system_basic_hap:udp_socket { getattr create setopt bind connect getopt read write };
|
||||
|
||||
allow system_basic_hap netmsg:tcp_socket { node_bind name_connect };
|
||||
allow system_basic_hap sa_comm_vpn_manager_service:samgr_class { get };
|
||||
allow system_basic_hap netsysnative:fd { use };
|
||||
allow system_basic_hap dev_tun_file:chr_file { read write };
|
||||
|
||||
allow system_basic_hap sa_comm_net_stats_manager_service:samgr_class { get };
|
||||
|
||||
allow system_basic_hap sa_netsys_ext_service:samgr_class { add get };
|
||||
|
||||
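Review bot: `allow system_basic_hap dev_tun_file:chr_file { read write };` deliberately omits `open` and `ioctl`, which only works because the hap also gets `netsysnative:fd { use }` and netsysnative opens and configures the device; that dependency is invisible on this line, so add `# tun fd is opened/configured by netsysnative and handed over; hap side only reads/writes the inherited fd` above it. If system_basic_hap is the shared type for every system-basic-level app rather than a VPN-specific domain, this rule widens tun access to all of them; scoping it to a dedicated VPN app domain would be tighter, though I cannot confirm from this hunk whether such a domain exists. `netmsg:tcp_socket { node_bind name_connect }` is a node/port grant with no comment; naming the service it serves would help future review.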