diff --git a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
index f2ec6f333074762e1f9896f9762b4eb165efb656..977c2be43e0db6895c352757c004930626f78052 100644
--- a/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
+++ b/sepolicy/ohos_policy/developtools/ebpf/system/hiebpf.te
@@ -83,3 +83,4 @@ allow hiebpf tracefs:file { open read write };
 allow hiebpf powermgr:dir search;
 allow hiebpf powermgr:file { getattr open read };
+allow hiebpf hdf_devhost_exec:file { getattr map open read };
diff --git a/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te b/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
index 1d85e43dd42640a4fc76a25320cc417fe25d2250..a05146b7b6defbb767d66dd09c759bead9c3fcaf 100644
--- a/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
+++ b/sepolicy/ohos_policy/developtools/hiperf/system/hiperf.te
@@ -118,6 +118,7 @@ allow hiperf proc_cpuinfo_file:file { open read };
 allow hiperf sysfs_devices_system_cpu:file { open read };
 allow hiperf uinput_inject_exec:file { getattr map open read };
 allow hiperf vendor_bin_file:dir search;
+allow hiperf hdf_devhost_exec:dir { search };
 allow hiperf domain:dir { add_name getattr search open read write };
 allow hiperf domain:file { getattr map open read };
@@ -172,6 +173,7 @@ allow hiperf sysfs_devices_system_cpu:file getattr;
 allow hiperf udevd_exec:file { getattr map open read };
 allow hiperf ueventd_exec:file read;
 allow hiperf vendor_bin_file:file { getattr map open read };
+allow hiperf hdf_devhost_exec:file { getattr map open read };
 allow init data_log:file relabelfrom;
 allow init data_log_hiperf_file:dir { getattr open read relabelto setattr };
diff --git a/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te b/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
index 1f84cea0ffe08bf15064d472ff86561a1e23cf5b..615f12d84ba813aa6518fb1954f131b3e8b92f18 100644
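Review bot: The new `allow hiebpf hdf_devhost_exec:file { getattr map open read };` carries no `# avc: denied ...` comment, unlike the rules added with comments elsewhere in this same commit (storage_daemon.te, msdp_sa.te, security_guard.te, init.te), so a reader cannot tell which path, process or operation prompted read+map access to the devhost binary. A one-line comment above the rule quoting the observed denial, with the real pid/comm filled in, e.g. `# avc: denied { read map } for pid=<PID> comm="<COMM>" ... tcontext=u:object_r:hdf_devhost_exec:s0 tclass=file`, would make the grant auditable. The same undocumented `file { getattr map open read }` grant on hdf_devhost_exec is added for hiperf, processdump, hilogd, cadaemon and kernel in this commit; a comment at each (or one explanation in the commit message) would cover them.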
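Review bot: `allow hiperf hdf_devhost_exec:dir { search };` grants a `dir` permission on a type whose name says it labels an executable, and roughly twenty domains in this commit receive the same `hdf_devhost_exec:dir { search }` rule. That pattern suggests a directory on a common lookup path now carries the executable's label; if that comes from a file_contexts pattern that also matches a directory, correcting the label would be a smaller and safer change than granting search to every domain that walks past it. If the labelling is intentional, a comment stating which directory is labelled hdf_devhost_exec and why, e.g. `# <DIRECTORY PATH> is labelled hdf_devhost_exec; search is needed to reach <TARGET>`, would explain the repeated grants. This is inferred from the rule pattern only; the file_contexts entry is not in this diff.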
--- a/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
+++ b/sepolicy/ohos_policy/developtools/smartperf/system/netmanager.te
@@ -17,3 +17,4 @@ allow netmanager data_file:dir { search };
 allow netmanager sys_file:dir { open read };
 allow netmanager sys_file:file { open read };
 allowxperm netmanager data_data_file:file ioctl { 0x5413 };
+allow netmanager hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
index 28869efebf8d33962fba54f504cdd76ef44f312f..acb3359e1354461970f17b1ef3c4a3010e5e08d6 100755
--- a/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
+++ b/sepolicy/ohos_policy/deviceprofile/device_profile_core/system/deviceprofile.te
@@ -24,4 +24,4 @@ allow distributedsche sa_asset_service:samgr_class { get };
 allow distributedsche asset_service:binder { call transfer };
 allow distributedsche sys_file:file { read };
 allow distributedsche sys_file:file { open };
-
+allow distributedsche hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te
new file mode 100644
index 0000000000000000000000000000000000000000..033c3aff86c40fa6443b3be114c5637704e8b7c5
--- /dev/null
+++ b/sepolicy/ohos_policy/drivers/adapter/vendor/hdf_devhost.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow ispserver hdf_devhost_exec:file { entrypoint execute map read };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
index 755e7b4b6342805f159cb76f7ed048a9e7cf4325..88921e82272a95dac427078a8f8e09dc10c7c0d3 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/camera/vendor/camera_host.te
@@ -119,3 +119,4 @@ allowxperm camera_host dev_mpp:chr_file ioctl { 0x7601 };
 allowxperm camera_host dev_rga:chr_file ioctl { 0x5017 0x5019 0x601b };
 allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 0x5605 0x5608 0x5609 0x560f 0x5611 0x5612 0x5613 0x561b 0x564a 0x5602 0x5624 0x564b 0x5625 0x5616 };
 allowxperm camera_host hidumper_file:file ioctl 0x5413;
+allow camera_host hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
index 6ee5b79844c1de50bb5df80978fdb21a615c80b9..ac72e2c1346d46712c0107562433a748d1f6d2bd 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/codec/vendor/codec_host.te
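Review bot: The only rule in the new hdf_devhost.te is for the ispserver domain, not for hdf_devhost, and it grants `entrypoint execute` on hdf_devhost_exec, which makes the devhost binary a valid entry point into ispserver; the matching domain transition (type_transition / domain_auto_trans) is not in this hunk, so I cannot tell whether this rule is reachable or orphaned. The comparable rule for teecd in this commit lives in teecd.te; placing this one in ispserver's own .te file, with a comment such as `# ispserver is launched as an hdf_devhost instance; entrypoint is required for the domain transition`, would keep subject-domain rules together and explain the grant. Note that teecd's equivalent rule also carries `open getattr` while this one grants only `entrypoint execute map read`; if the smaller set is deliberate, say so in the comment, otherwise it is likely to surface as a follow-up denial.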
@@ -84,3 +84,5 @@ debug_only(`
 allow codec_host hdcd:fifo_file { write };
 allow codec_host hdcd:fifo_file { read };
 ')
+allow codec_host hdf_devhost_exec:dir { search };
+allow codec_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
index fc94012434a302b543ac8b65103eab85080fd21e..535abcbb077af6d6ec16335c1e054e2de209ec91 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/display/vendor/composer_host.te
@@ -94,3 +94,5 @@ allowxperm composer_host dev_graphics_file:chr_file ioctl { 0x4611 };
 allowxperm composer_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allowxperm composer_host dev_rga:chr_file ioctl { 0x5017 0x601b };
 allow composer_host composer_host:capability {sys_nice};
+allow composer_host hdf_devhost_exec:dir { search };
+allow composer_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
index d608553727d50f3230c83b4628891c158e790e04..d05838b30154202cc1e9afd6a3bb7afdafcc259b 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/intelligent_voice/vendor/intell_voice_host.te
@@ -135,3 +135,5 @@ allow intell_voice_host tty_device:chr_file { read write };
 debug_only(`
 allow intell_voice_host su:binder { transfer };
 ')
+allow intell_voice_host hdf_devhost_exec:dir { search };
+allow intell_voice_host hdf_devhost_exec:file { getattr open };
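Review bot: `allow codec_host hdf_devhost_exec:file { getattr open };` grants `open` with no access-mode permission; SELinux checks `open` in addition to `read`/`write`/`append` for a normal open, so a read-mode open of the devhost binary is still denied under this rule and the grant effectively only covers `getattr`. Either `read` is missing (then the rule should be `allow codec_host hdf_devhost_exec:file { getattr open read };`) or the process only stat()s the file, in which case `{ getattr }` alone is the least-privilege form and `open` should be dropped. The same `{ getattr open }` set is added for composer_host, intell_voice_host, face_auth_host, fingerprint_auth_host, pin_auth_host and riladapter_host in this commit, so whichever is intended should be applied consistently; if these were transcribed from a denial log, the log would show whether `read` was also denied.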
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
index 83df22eab1f2df98a6abacbc1b776c0edff0fadf..575f30b69670f966ef5dce525c627f0c57187e3d 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/face_auth_host.te
@@ -57,3 +57,5 @@ allow face_auth_host vendor_etc_file:dir { search };
 allow face_auth_host vendor_etc_file:file { getattr open read };
 allowxperm face_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allow face_auth_host useriam:binder { call transfer };
+allow face_auth_host hdf_devhost_exec:dir { search };
+allow face_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
index 0c32201be01b3faa6d9b5804ea4bf1af6cd82c1b..538e9c88622cd9cee400c9542d3e17e4e5e70e62 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/fingerprint_auth_host.te
@@ -57,3 +57,5 @@ allow fingerprint_auth_host vendor_etc_file:dir { search };
 allow fingerprint_auth_host vendor_etc_file:file { getattr open read };
 allowxperm fingerprint_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
 allow fingerprint_auth_host useriam:binder { call transfer };
+allow fingerprint_auth_host hdf_devhost_exec:dir { search };
+allow fingerprint_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
index 5e9afd2c62031cfb4c9f3ec19e8d9b049f75ffe0..e04f08d126874f540d98e8014ff9c2ebb6ec9227 100644
--- a/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
+++ b/sepolicy/ohos_policy/drivers/peripheral/useriam/vendor/pin_auth_host.te
@@ -63,3 +63,5 @@ allow pin_auth_host vendor_etc_file:dir { search };
 allow pin_auth_host vendor_etc_file:file { getattr open read };
 allowxperm pin_auth_host data_service_el1_file:file ioctl { 0x5413 };
 allowxperm pin_auth_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };
+allow pin_auth_host hdf_devhost_exec:dir { search };
+allow pin_auth_host hdf_devhost_exec:file { getattr open };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
index aa065cda9dcad1f8b3b2de075211c4d998ed46bf..b3c8768faf9315af467230053acb40d19f6fdb0f 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/public/storage_daemon.te
@@ -49,3 +49,4 @@ allow storage_daemon storage_daemon_exec:file { getattr open };
 # avc: denied { open } for pid=12230, comm="/system/bin/storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mtpfs_exec:s0 tclass=file permissive=0
 # avc: denied { read } for pid=12230, comm="/system/bin/storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:object_r:mtpfs_exec:s0 tclass=file permissive=0
 allow storage_daemon mtpfs_exec:file { execute execute_no_trans map open read };
+allow storage_daemon hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
index a45a69fc4b1608fbc1d29ba82f1af07b6a9dd589..00a1b2e90338c9753a59b7d1ea0b1d4c57523761 100644
--- a/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
+++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/kernel.te
@@ -18,3 +18,5 @@ neverallow kernel hmdfs:dir ioctl;
 neverallow kernel hmdfs:file ioctl;
 allow kernel data_service_el2_hmdfs:dir { create_dir_perms };
 allow kernel data_service_el2_hmdfs:file { create_file_perms };
+allow kernel hdf_devhost_exec:dir { search };
+allow kernel hdf_devhost_exec:file { getattr open read};
diff --git a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
index c7cdbed482c96bf9623613e5586491562aff9de8..42782e143089cdc88e143bf245dacd198e4a164b 100644
--- a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
+++ b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te
@@ -43,6 +43,7 @@ allow render_service system_fonts_file:dir { open read search };
 allow render_service system_fonts_file:file { getattr map open read };
 allow render_service sa_accessibleabilityms:samgr_class { get };
 allow render_service sa_concurrent_task_service:samgr_class { get };
+allow render_service hdf_devhost_exec:dir { search };
 allow render_service vendor_bin_file:dir { search };
 allow render_service hdf_devhost_exec:dir { search };
 allow render_service paramservice_socket:sock_file { write };
diff --git a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
index 8637c8630a73c5eec827558d941ebd4570eedf84..c05e85f6a5e54e61904b91ba5e9d377a4ecdb30b 100644
--- a/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
+++ b/sepolicy/ohos_policy/hiviewdfx/faultloggerd/system/processdump.te
@@ -176,6 +176,8 @@ allow processdump hiviewdfx_hiview_param:file { map open read };
 allow processdump dev_bbox:chr_file { ioctl open write };
 allowxperm processdump dev_bbox:chr_file ioctl 0xab09;
+allow processdump hdf_devhost_exec:dir { search };
+allow processdump hdf_devhost_exec:file { getattr map open read };
 #============= dev_lperf ===================
 allow init dev_lperf:chr_file { getattr setattr };
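Review bot: `allow kernel hdf_devhost_exec:file { getattr open read};` is missing the space before the closing brace that every other rule in this file uses; write it as `allow kernel hdf_devhost_exec:file { getattr open read };`. Beyond formatting, this grants the `kernel` domain read access to a userspace vendor executable's label, which is an unusual subject for such a rule; the file's neighbouring rules do not explain it and no denial is quoted, so a comment naming the kernel-side path that touches hdf_devhost_exec (e.g. a loader or helper launched from kernel context, if that is the case) would help future reviewers judge whether the grant is still needed.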
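Review bot: The added `allow render_service hdf_devhost_exec:dir { search };` duplicates the identical rule two context lines below it in the same hunk (the existing line after `allow render_service vendor_bin_file:dir { search };`), so the addition is a no-op. Drop the new line so the rule appears once; duplicate rules are harmless to the compiler but make later audits of what render_service may reach harder to read.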
diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
index 1279ece1076fe76a2b9eba20a4f5ab84fd161f26..4b6b6352ae41a8cc63a6d058e022dabd52b064c0 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te
@@ -113,3 +113,6 @@ allow hilogd data_log:dir { write add_name write remove_name };
 allow hilogd data_log:file { create getattr ioctl open rename write unlink };
 allow domain hilogd:unix_stream_socket { connectto };
 allow domain hilog_control_pub_socket:sock_file { write };
+allow hilogd hdf_devhost_exec:dir { getattr open read { search } };
+allow hilogd hdf_devhost_exec:file { getattr map open read };
+allow hilogd hdf_devhost_exec:lnk_file read;
diff --git a/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te b/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
index f893f51daaeefbbc634a71a9ef3d8586c35e74eb..538ed578250365f74137922c7c6b5f97ebbe5387 100644
--- a/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
+++ b/sepolicy/ohos_policy/msdp/devicestatus/system/msdp_sa.te
@@ -265,6 +265,8 @@ allow msdp_sa cgroup:file { getattr open read };
 # avc: denied { get } for service=allocator_service sid=u:r:msdp_sa:s0 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
 allow msdp_sa hdf_allocator_service:hdf_devmgr_class { get };
+allow msdp_sa hdf_devhost_exec:dir { search };
+
 # avc: denied { get } for service=allocator_service sid=u:r:msdp_sa:s0 scontext=u:r:msdp_sa:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
 allow msdp_sa hdf_allocator_service:hdf_devmgr_class { get };
diff --git a/sepolicy/ohos_policy/security/huks/system/huks.te b/sepolicy/ohos_policy/security/huks/system/huks.te
index 20cf8f3d3c3b445f12f8ef9fa6d808069f86e9cc..02c47fa9f10fea0e63200d74c87411c6b567c5f5 100755
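Review bot: `allow hilogd hdf_devhost_exec:dir { getattr open read { search } };` nests a brace set inside the permission list; the policy compiler's grammar does allow nested sets, so this probably builds, but it is unidiomatic and reads like `{ search }` was pasted into an existing set rather than merged. Flatten it to `allow hilogd hdf_devhost_exec:dir { getattr open read search };`. The same nested form is introduced in init.te (`{ getattr mounton { search } }`) and in the second teecd.te hunk (`{ open read { search } }`) and should be flattened there too. Also, `dir { getattr open read }` lets hilogd list the directory and `lnk_file read` lets it follow a symlink labelled hdf_devhost_exec — wider than the `dir { search }` the other domains get; a comment quoting the denial that needed the listing and the symlink would justify the broader set.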
--- a/sepolicy/ohos_policy/security/huks/system/huks.te
+++ b/sepolicy/ohos_policy/security/huks/system/huks.te
@@ -81,4 +81,4 @@ allow huks_service paramservice_socket:sock_file { write };
 allow huks_service sa_memory_manager_service:samgr_class { get };
 allow huks_service memmgrservice:binder { call };
-
+allow huks_service hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_collector.te b/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
index d7330b11d185179fa8a2577d5a66835165f0938e..e7749597280510e8b834377b58286bacfb48b2fe 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_collector.te
@@ -103,3 +103,4 @@ allow security_collector sa_storage_manager_service:samgr_class { get };
 binder_call(security_collector, security_guard);
 # avc: denied { search } for pid=2912 comm="security_collec" name="socket" dev="tmpfs" ino=43 scontext=u:r:security_collector:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
 allow security_collector dev_unix_socket:dir { search };
+allow security_collector hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
index e43ef097d7563b165705b1c085190b3327ec319c..3acaf2227da5826f0e6de5fb3c839275869bff37 100644
--- a/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
+++ b/sepolicy/ohos_policy/security/security_guard/system/security_guard.te
@@ -84,5 +84,7 @@ allow security_guard normal_hap_attr:fd { use };
 # avc: denied { read } for pid=2037 comm="OS_FFRT_2_1" path="/data/storage/el2/base/files/text.json" dev="mmcblk0p15" ino=2627 scontext=u:r:security_guard:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=file permissive=1
 allow security_guard normal_hap_data_file:file { read };
+allow security_guard hdf_devhost_exec:dir { search };
+
 # avc: denied { call } for pid=1516, comm="/system/bin/sa_main" scontext=u:r:security_guard:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=0
 binder_call(security_guard, wifi_manager_service);
diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te
index 14a47676c7bc61f3201a248350d3a4a9242b523e..e672d8dcee2729738e0cb86c2a3e2041473d3e16 100644
--- a/sepolicy/ohos_policy/startup/init/system/init.te
+++ b/sepolicy/ohos_policy/startup/init/system/init.te
@@ -544,6 +544,8 @@ allow init ark_writeable_param:parameter_service { set };
 # avc: denied { read append } for pid=1 comm="init" path="/data/service/el1/startup/parameters/persist_parameters" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:data_service_file:s0 tclass=file permissive=0
 allow init data_service_file:file {read append};
 # avc: denied { read } for pid=1 comm="init" path="/console" dev="" ino=70 scontext=u:r:init:s0 tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file permissive=0
+allow init hdf_devhost_exec:dir { getattr mounton { search } };
+
 allow init dev_console_file:lnk_file { read};
 # avc: denied { setpcap } for pid=4977 comm="init" capability=8 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0
diff --git a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
index d1a04d6a8facc13652905361f758f8db789de52e..6d13269e98462f4378d0ff980fbee7f40b32a08a 100644
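Review bot: The new `allow init hdf_devhost_exec:dir { getattr mounton { search } };` and the blank line after it are inserted between the `# avc: denied { read } ... tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file` comment and the `allow init dev_console_file:lnk_file { read};` rule that comment documents, so the existing comment now appears to describe the hdf_devhost_exec grant. Move the two new lines above that comment (or below the lnk_file rule) so comment and rule stay adjacent. `mounton` means init mounts something over a path labelled hdf_devhost_exec, which is a notable grant for a directory carrying an executable's type; since this file otherwise quotes the triggering denial for each rule, add one here, e.g. `# avc: denied { mounton } for pid=1 comm="init" path="<MOUNT POINT>" ... tcontext=u:object_r:hdf_devhost_exec:s0 tclass=dir`, with the real values. The nested `{ search }` should also be flattened to `{ getattr mounton search }`.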
--- a/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
+++ b/sepolicy/ohos_policy/tee/tee_client/system/cadaemon.te
@@ -90,4 +90,5 @@ debug_only(`
 allow cadaemon sh:file { read open getattr };
 allow cadaemon sh:fd { use };
 ')
-
+allow cadaemon hdf_devhost_exec:dir { search };
+allow cadaemon hdf_devhost_exec:file { getattr open read };
diff --git a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
index 01a74655ea42ea3ef1f7c88307702c3abc4a5b46..dba4f8044779916f435a3d1118f3a16a8417582b 100644
--- a/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
+++ b/sepolicy/ohos_policy/tee/tee_client/vendor/teecd.te
@@ -58,6 +58,7 @@ allow teecd tee_src_file:dir { search };
 allow teecd vendor_bin_file:dir { search read open };
 allow teecd hdf_devhost_exec:file { entrypoint execute map read open getattr };
+allow teecd hdf_devhost_exec:file { read open getattr };
 allow teecd hdf_devhost_exec:dir { search };
 allow teecd vendor_etc_file:dir { search };
 allow teecd vendor_etc_file:file { read open getattr };
@@ -68,4 +69,4 @@ debug_only(`
 allow teecd sh:dir { search };
 allow teecd sh:file { read open getattr };
 ')
-
+allow teecd hdf_devhost_exec:dir { open read { search } };
diff --git a/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te b/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
index 28be848de12478a5492acea0b7a36dfe730a5aeb..f0de851c54e20d3d1d0ca741a9c433c8077844e4 100644
--- a/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
+++ b/sepolicy/ohos_policy/telephony/telephony_sa/system/riladapter_host.te
@@ -85,3 +85,5 @@ allow riladapter_host vendor_etc_file:file { getattr open read };
 allow riladapter_host data_file:dir search;
 allow riladapter_host data_local:dir search;
 allow riladapter_host dev_console_file:chr_file { read write };
+allow riladapter_host hdf_devhost_exec:dir { search };
+allow riladapter_host hdf_devhost_exec:file { getattr open };
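Review bot: The added `allow teecd hdf_devhost_exec:file { read open getattr };` is a strict subset of the line directly above it, `allow teecd hdf_devhost_exec:file { entrypoint execute map read open getattr };`, so it grants nothing new and should be dropped. The second teecd hunk has the same problem in part: `allow teecd hdf_devhost_exec:dir { open read { search } };` repeats `search`, which the existing `allow teecd hdf_devhost_exec:dir { search };` context line in the first hunk already grants, so only `open read` on the directory is new. Rather than a second dir rule with a nested brace set, extend the existing one to `allow teecd hdf_devhost_exec:dir { open read search };` and delete the new line at the end of the file.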
diff --git a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
index 9969ac2e105fcf6cdfec08d59769b6ec1ff2647d..3ee450a3e5908c48e87af7fb028974aa32f57599 100644
--- a/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
+++ b/sepolicy/ohos_policy/update/updater_sa/system/updater_sa.te
@@ -78,4 +78,4 @@ allow updater_sa time_service:binder { call transfer };
 #avc: denied { transfer } for pid=473 comm="OS_IPC_2_1087" scontext=u:r:updater_sa:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
 allow updater_sa foundation:binder { transfer };
-
+allow updater_sa hdf_devhost_exec:dir { search };
diff --git a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
index 191ab155c1d57d752b306843ac1acfce68f2f6d0..cb88f213a0f7233c2379f811f9ed1d7a7553a956 100644
--- a/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
+++ b/sepolicy/ohos_policy/usb/usb_manager/system/usb_service.te
@@ -135,5 +135,6 @@ allow usb_service paramservice_socket:sock_file { write };
 allow usb_service devinfo_type_param:file { read };
 allow usb_service tty_device:chr_file { read write open ioctl };
 allowxperm usb_service tty_device:chr_file ioctl { 0x5401 0x5402 };
+allow usb_service hdf_devhost_exec:dir { search };
 allow usb_service allocator_host:binder { call };
 allow usb_service allocator_host:fd { use };