!2535 feature: add hdf_ext_devmgr sepolicy

Merge pull request !2535 from 吴成文/master

sepolicy/ohos_policy/drivers/adapter/public/type.te

@@ -12,6 +12,8 @@
 # limitations under the License.
 
 type hdf_devmgr, sadomain, domain;
+type hdf_ext_devmgr, sadomain, domain;
+type sa_hdf_ext_devmgr, sa_service_attr;
 
 type blue_host, hdfdomain, domain;
 type a2dp_host, hdfdomain, domain;

sepolicy/ohos_policy/drivers/external_device_manager/system/accountmgr.te

@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { transfer } for  pid=521 comm="IPC_1_643" scontext=u:r:accountmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1
+allow accountmgr hdf_ext_devmgr:binder { transfer };

sepolicy/ohos_policy/drivers/external_device_manager/system/appspawn.te

@@ -0,0 +1,27 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { map } for  pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
+# avc:  denied  { open } for  pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=246 comm="appspawn" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=82 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
+allow appspawn arkcompiler_param:file { map open read };
+
+# avc:  denied  { map } for  pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1
+# avc:  denied  { open } for  pid=246 comm="appspawn" path="/dev/__parameters__/u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=246 comm="appspawn" name="u:object_r:arkui_param:s0" dev="tmpfs" ino=83 scontext=u:r:appspawn:s0 tcontext=u:object_r:arkui_param:s0 tclass=file permissive=1
+allow appspawn arkui_param:file { map open read };
+
+# avc:  denied  { getattr } for  pid=246 comm="appspawn" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc:  denied  { open } for  pid=246 comm="appspawn" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=246 comm="appspawn" name="online" dev="sysfs" ino=4917 scontext=u:r:appspawn:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+allow appspawn sysfs_devices_system_cpu:file { getattr open read };

sepolicy/ohos_policy/drivers/external_device_manager/system/chipset_init.te

@@ -0,0 +1,19 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { open } for  pid=231 comm="chipset_init" path="/data/service/el1/public/usb/mode" dev="mmcblk0p14" ino=166 scontext=u:r:chipset_init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc:  denied  { write } for  pid=231 comm="chipset_init" name="mode" dev="mmcblk0p14" ino=166 scontext=u:r:chipset_init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+allow chipset_init data_service_el1_file:file { open write };
+
+# avc:  denied  { open } for  pid=231 comm="chipset_init" path="/dev/kmsg" dev="tmpfs" ino=6 scontext=u:r:chipset_init:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
+allow chipset_init dev_kmsg_file:chr_file { open };

sepolicy/ohos_policy/drivers/external_device_manager/system/foundation.te

@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { call } for  pid=644 comm="CesSrvUnorderEv" scontext=u:r:foundation:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1
+allow foundation hdf_ext_devmgr:binder { call };

sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_devmgr.te

@@ -0,0 +1,25 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { transfer } for  pid=243 comm="IPC_3_507" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=binder permissive=1
+allow hdf_devmgr hdf_ext_devmgr:binder { transfer };
+
+# avc:  denied  { search } for  pid=243 comm="IPC_3_507" name="721" dev="proc" ino=20918 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=dir permissive=1
+allow hdf_devmgr hdf_ext_devmgr:dir { search };
+
+# avc:  denied  { open } for  pid=243 comm="IPC_3_507" path="/proc/721/attr/current" dev="proc" ino=29742 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=243 comm="IPC_3_507" name="current" dev="proc" ino=29742 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=file permissive=1
+allow hdf_devmgr hdf_ext_devmgr:file { open read };
+
+# avc:  denied  { getattr } for  pid=243 comm="IPC_3_507" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_ext_devmgr:s0 tclass=process permissive=1
+allow hdf_devmgr hdf_ext_devmgr:process { getattr };

sepolicy/ohos_policy/drivers/external_device_manager/system/hdf_ext_devmgr.te

@@ -0,0 +1,74 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow hdf_ext_devmgr debug_param:file { map open read };
+allow hdf_ext_devmgr dev_console_file:chr_file { read write };
+# avc:  denied  { get } for service=usb_interface_service pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1
+allow hdf_ext_devmgr hdf_usb_interface_service:hdf_devmgr_class { get };
+
+# avc:  denied  { get } for service=200 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_accountmgr:samgr_class { get };
+
+# avc:  denied  { get } for service=5100 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_device_service_manager:samgr_class { get };
+
+# avc:  denied  { get } for service=401 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_foundation_bms:samgr_class { get };
+
+# avc:  denied  { get } for service=3299 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_foundation_cesfwk_service:samgr_class { get };
+
+# avc:  denied  { add } for service=5110 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_hdf_ext_devmgr:samgr_class { add };
+
+# avc:  denied  { get } for service=3901 pid=1412 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
+allow hdf_ext_devmgr sa_param_watcher:samgr_class { get };
+
+# avc:  denied  { search } for  pid=1416 comm="SaInit0" name="socket" dev="tmpfs" ino=43 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0
+allow hdf_ext_devmgr dev_unix_socket:dir { search };
+
+# avc:  denied  { call } for  pid=1416 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=0
+allow hdf_ext_devmgr hdf_devmgr:binder { call };
+
+# avc:  denied  { call } for  pid=1546 comm="CesFwkListener" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
+allow hdf_ext_devmgr foundation:binder { call transfer };
+
+# avc:  denied  { map } for  pid=1546 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
+# avc:  denied  { open } for  pid=1546 comm="sa_main" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=1546 comm="sa_main" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=69 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
+allow hdf_ext_devmgr hilog_param:file { map open read };
+
+# avc:  denied  { call } for  pid=1546 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
+allow hdf_ext_devmgr param_watcher:binder { call transfer };
+
+# avc:  denied  { search } for  pid=1546 comm="hdf_ext_devmgr" name="/" dev="tracefs" ino=1 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
+allow hdf_ext_devmgr tracefs:dir { search };
+
+# avc:  denied  { open } for  pid=1546 comm="hdf_ext_devmgr" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=16975 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
+# avc:  denied  { write } for  pid=1546 comm="hdf_ext_devmgr" name="trace_marker" dev="tracefs" ino=16975 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
+allow hdf_ext_devmgr tracefs_trace_marker_file:file { open write };
+
+# avc:  denied  { call } for  pid=721 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1
+allow hdf_ext_devmgr accountmgr:binder { call };
+
+# avc:  denied  { getattr } for  pid=721 comm="hdf_ext_devmgr" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc:  denied  { open } for  pid=721 comm="hdf_ext_devmgr" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc:  denied  { read } for  pid=721 comm="hdf_ext_devmgr" name="online" dev="sysfs" ino=4917 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+allow hdf_ext_devmgr sysfs_devices_system_cpu:file { getattr open read };
+
+# avc:  denied  { call } for  pid=721 comm="hdf_ext_devmgr" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:usb_host:s0 tclass=binder permissive=1
+# avc:  denied  { transfer } for  pid=721 comm="SaInit0" scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:usb_host:s0 tclass=binder permissive=1
+allow hdf_ext_devmgr usb_host:binder { call transfer };
+
+# avc:  denied  { use } for  pid=569 comm="IPC_4_888" path="/dev/ashmem" dev="tmpfs" ino=230 scontext=u:r:hdf_ext_devmgr:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=1
+allow hdf_ext_devmgr foundation:fd { use };

sepolicy/ohos_policy/drivers/external_device_manager/system/init.te

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow init hdf_ext_devmgr:process { rlimitinh siginh transition };

sepolicy/ohos_policy/drivers/external_device_manager/system/service_contexts

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+5110                                   u:object_r:sa_hdf_ext_devmgr:s0

sepolicy/ohos_policy/drivers/peripheral/usb/vendor/debug_hap.te

@@ -0,0 +1,23 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { get } for service=usb_ddk_service pid=1431 scontext=u:r:debug_hap:s0 tcontext=u:object_r:hdf_usb_ddk_service:s0 tclass=hdf_devmgr_class permissive=1
+allow debug_hap hdf_usb_ddk_service:hdf_devmgr_class { get };
+
+debug_only(`
+# avc:  denied  { get } for service=usb_interface_service pid=1431 scontext=u:r:debug_hap:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1
+allow debug_hap hdf_usb_interface_service:hdf_devmgr_class { get };
+')
+
+# avc:  denied  { use } for  pid=499 comm="IPC_2_1896" path="/data/service/el1/public/usb/005_003" dev="mmcblk0p14" ino=2577 scontext=u:r:system_core_hap:s0 tcontext=u:r:usb_host:s0 tclass=fd permissive=1
+allow debug_hap usb_host:fd { use };

sepolicy/ohos_policy/drivers/peripheral/usb/vendor/system_core_hap.te

@@ -0,0 +1,22 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# avc:  denied  { get } for service=usb_ddk_service pid=1442 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:hdf_usb_ddk_service:s0 tclass=hdf_devmgr_class permissive=1
+allow system_core_hap hdf_usb_ddk_service:hdf_devmgr_class { get };
+debug_only(`
+# avc:  denied  { get } for service=usb_interface_service pid=1442 scontext=u:r:system_core_hap:s0 tcontext=u:object_r:hdf_usb_interface_service:s0 tclass=hdf_devmgr_class permissive=1
+allow system_core_hap hdf_usb_interface_service:hdf_devmgr_class { get };
+')
+
+# avc:  denied  { use } for  pid=499 comm="IPC_2_1896" path="/data/service/el1/public/usb/005_003" dev="mmcblk0p14" ino=2577 scontext=u:r:system_core_hap:s0 tcontext=u:r:usb_host:s0 tclass=fd permissive=1
+allow system_core_hap usb_host:fd { use };

sepolicy/ohos_policy/drivers/peripheral/usb/vendor/usb_host.te

@@ -134,3 +134,7 @@ allowxperm usb_host dev_bus_usb_file:chr_file ioctl { 0x5500 0x5504 0x5508 0x550
 allowxperm usb_host dev_file:chr_file ioctl { 0x6201 0x6202 0x6203 0x6731 0x6732 0x6734 0x673c 0x6782 0x6736 0x673d 0x6735 0x6738 };
 allowxperm usb_host dev_hdf_kevent:chr_file ioctl { 0x6202 0x6201 0x6203 };
 allowxperm usb_host dev_hdf_usb_pnp:chr_file ioctl { 0x6201 0x6202 0x6203 0x6206 };
+# avc:  denied  { add } for service=5110 pid=512 scontext=u:r:usb_host:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1
+# avc:  denied  { get } for service=5110 pid=512 scontext=u:r:usb_host:s0 tcontext=u:object_r:sa_hdf_ext_devmgr:s0 tclass=samgr_class permissive=1
+allow usb_host sa_hdf_ext_devmgr:samgr_class { add get };
+allow usb_host hdf_ext_devmgr:binder { call };