!2523 添加vpn相关权限

Merge pull request !2523 from 徐杰/feature_vpn_dev
openharmony_ci
2023-06-29 03:02:40 +00:00
committed by Gitee
4 changed files with 22 additions and 2 deletions
+6 -2
@@ -73,8 +73,12 @@ neverallow hap_domain { vendor_file_attr -vendor_lib_file }:{ file fifo_file lnk
neverallow hap_domain dev_attr:blk_file { read write };
#limit hap access dev file.
neverallow hap_domain { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file -dev_zero_file
-dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_bbox }:chr_file { open ioctl read write};
neverallow { hap_domain -system_basic_hap } { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file
-dev_zero_file -dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_bbox }:chr_file { open ioctl read write};
neverallow system_basic_hap { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file -dev_zero_file
-dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_tun_file -dev_bbox }:chr_file { open ioctl read write};
neverallow hap_domain dev_bbox:chr_file { read };
neverallowxperm hap_domain dev_bbox:chr_file ioctl ~{ 0xab01 0xab04 0xab09 0xad01 0xaf04 0xaf06 };
neverallow { hap_domain -dev_fuse_file_violator } dev_fuse_file:chr_file { open ioctl read write};
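Review bot: The new system_basic_hap rule drops dev_tun_file from the whole `{ open ioctl read write }` neverallow set, but the allow this PR adds for system_basic_hap only grants `read write` on dev_tun_file (the descriptor is handed over by netsysnative via `fd { use }`), so the carve-out is wider than the privilege actually needed. I would keep the guard as tight as the grant by adding `neverallow system_basic_hap dev_tun_file:chr_file { open ioctl };` right after the new rule, so a later allow cannot quietly let every system_basic app open the tun device (presumably /dev/net/tun — confirm the label) or issue TUNSETIFF itself. Note the exception is keyed on the system_basic_hap type, i.e. every app at that level rather than only the VPN app; a dedicated domain would be tighter if the hap framework supports one. The two near-identical exception lists are also a drift hazard; a shared attribute or m4 macro for the common set would keep them in step. The surrounding neverallow block continues outside this hunk.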
@@ -75,6 +75,12 @@ allow netsysnative netmanager:tcp_socket { read write bind getopt setopt connect
allow netmanager data_service_el1_file:file { rename };
allow netmanager sa_foundation_appms:samgr_class { get };
allow netmanager sa_comm_vpn_manager_service:samgr_class { add };
allow netmanager dev_console_file:chr_file { read write };
allow netmanager sa_accountmgr:samgr_class { get };
allow netmanager accountmgr:binder { call };
allow accountmgr netmanager:binder { transfer };
debug_only(`
allow sh sa_comm_ethernet_manager_service:samgr_class { add get };
allow netmanager sh:binder { call };
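Review bot: The `allow netmanager dev_console_file:chr_file { read write }` line gives the net manager service read/write on the console device, which is a debug convenience rather than anything the VPN path needs, and the hunk gives no reason for it. Unless there is a production use, it should move under the existing `debug_only(` block below it, or carry a comment stating what in netmanager touches the console, e.g. `# console access needed for <reason>; drop once <X> is fixed`. The accountmgr binder pair and the `sa_comm_vpn_manager_service:samgr_class { add }` registration look consistent with the `get` granted to system_basic_hap elsewhere in this PR. The rule list continues outside the hunk.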
@@ -51,6 +51,11 @@ allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt
allow init dev_unix_file:sock_file { unlink };
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 };
allow netsysnative system_basic_hap:fd { use };
allow netsysnative system_basic_hap:tcp_socket { read write getopt setopt };
allow netsysnative dev_tun_file:chr_file { open read write ioctl };
allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto };
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 };
allow netsysnative iptables_exec:file { execute read open execute_no_trans map };
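Review bot: The new `allow netsysnative dev_tun_file:chr_file { open read write ioctl }` grants unrestricted ioctl on the tun device while the same file already narrows socket ioctls with allowxperm (the `0x8933` line above and the new `0x8927 0x8954` line); the tun ioctl should be scoped the same way, e.g. `allowxperm netsysnative dev_tun_file:chr_file ioctl { 0x54ca };` for TUNSETIFF plus whatever the tun setup code actually issues — confirm the set against the source. The bare hex values are also unreadable to the next maintainer; a trailing comment naming them would help, e.g. `# SIOCGIFHWADDR, SIOCGARP` on the new allowxperm line if those are indeed the requests (they match the Linux values, but verify). The `tun_socket { create relabelfrom relabelto }` self-rule is expected for TUNSETIFF and is fine. The rule list continues outside the hunk.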
@@ -20,6 +20,11 @@ allow system_basic_hap netsysnative:unix_stream_socket { connectto read write };
allow system_basic_hap system_basic_hap:tcp_socket { getattr create setopt bind connect getopt read write };
allow system_basic_hap system_basic_hap:udp_socket { getattr create setopt bind connect getopt read write };
allow system_basic_hap netmsg:tcp_socket { node_bind name_connect };
allow system_basic_hap sa_comm_vpn_manager_service:samgr_class { get };
allow system_basic_hap netsysnative:fd { use };
allow system_basic_hap dev_tun_file:chr_file { read write };
allow system_basic_hap sa_comm_net_stats_manager_service:samgr_class { get };
allow system_basic_hap sa_netsys_ext_service:samgr_class { add get };
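Review bot: The `dev_tun_file:chr_file { read write }` grant intentionally omits open and ioctl — the app receives an already-configured descriptor from netsysnative (the `fd { use }` line above) — but nothing in the hunk records that design, and the next contributor may "fix" a denial by adding open. A one-line comment above the rule would pin it: `# VPN: the tun fd is opened and configured by netsysnative and passed to the app; no open/ioctl here by design`. Note too that this grant reaches every system_basic_hap, not only the VPN app, so whether that scope is acceptable depends on how narrowly the hap framework assigns that type — worth stating in the PR description. The rule list continues outside the hunk.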