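# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux policy for hilogd, the log daemon: its domain, the executables and
# sockets it owns, the m4 macros other domains use to reach it, and the
# neverallow assertions that fence it in.

##################
## Type define: ##
##################
# hilogd is a system-ability domain; hilog_exec is the command-line client
# binary that other domains run to read or control logs.
type hilogd, sadomain, domain;

type hilogd_exec, exec_attr, file_attr, system_file_attr;
type hilog_exec, exec_attr, file_attr, system_file_attr;
# Three unix sockets, one per role: control commands, incoming log records,
# outgoing log reads.
type hilog_control_socket, dev_attr, file_attr;
type hilog_input_socket, dev_attr, file_attr;
type hilog_output_socket, dev_attr, file_attr;
# Persisted log files (the neverallow section names /data/log/hilog).
type data_hilogd_file, file_attr, data_file_attr;
init_daemon_domain(hilogd);

###################
## Macro define: ##
###################
# use_hilog($1): $1 may emit log records (datagram send to the input socket).
define(`use_hilog', `
    allow $1 hilog_input_socket:sock_file write;
    allow $1 hilogd:unix_dgram_socket sendto;
')

# read_hilog($1): $1 may run the hilog client and read logs via the output socket.
define(`read_hilog', `
    allow $1 hilog_exec:file { getattr open read execute execute_no_trans map };
    allow $1 hilog_output_socket:sock_file write;
    allow $1 hilogd:unix_stream_socket connectto;
')

# control_hilog($1): $1 may run the hilog client and issue control commands.
define(`control_hilog', `
    allow $1 hilog_exec:file { getattr open read execute execute_no_trans map };
    allow $1 hilog_control_socket:sock_file write;
    allow $1 hilogd:unix_stream_socket connectto;
')

###################################
## Read/Use/Control hilog rules: ##
###################################
# Shell and every hap may read logs; only shell may control the daemon.
read_hilog(sh)
read_hilog(hap_domain)
control_hilog(sh)

# Every domain except the kernel may write log records.
use_hilog({ domain -kernel })

#######################
## Allow rule below: ##
#######################
allow hilogd hilogd_exec:file { entrypoint execute map read getattr };
allow init hilogd_exec:file { execute read open getattr };

# hilogd creates and serves its three sockets.
allow hilogd hilog_input_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_input_socket:sock_file { create_file_perms };
allow hilogd hilog_output_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_output_socket:sock_file { create_file_perms };
allow hilogd hilog_control_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_control_socket:sock_file { create_file_perms };

# Persisted logs: hilogd owns them, init creates the directory, and sh/hiview/
# hdcd get read-only access (write is denied by the neverallow rules below).
allow hilogd data_hilogd_file:dir { create_dir_perms };
allow hilogd data_hilogd_file:file { create_file_perms };

allow init data_hilogd_file:dir { create_dir_perms };
allow { sh hiview hdcd } data_hilogd_file:dir { read_dir_perms };
allow { sh hiview hdcd } data_hilogd_file:file { read_file_perms };

# Directory traversal down to the log directory.
allow hilogd data_file:dir { search };
allow hilogd data_log:dir { getattr open read search };

allow hilogd cgroup:dir { search };

# The init agent file is the only file type besides hilogd's own logs that
# hilogd may write (see the first neverallow below).
allow hilogd data_init_agent:dir { add_name search write };
allow hilogd data_init_agent:file { create ioctl open read append };

# Kernel log ring buffer.
allow hilogd dev_kmsg_file:chr_file { read };

allow hilogd kernel:unix_stream_socket { connectto };
# NOTE(review): presumably socket fds handed over by init; confirm against the
# service configuration.
allow hilogd init:unix_dgram_socket { getattr getopt read write };
allow hilogd init:unix_stream_socket { accept getattr getopt listen };

# hilogd publishes its own system parameters.
allow hilogd hilog_param:parameter_service { set };
allow hilogd paramservice_socket:sock_file { write };

# The only ioctl permitted on the init agent file: 0x5413 (TIOCGWINSZ).
allowxperm hilogd data_init_agent:file ioctl { 0x5413 };

# Read entries labelled with any process domain — presumably /proc/<pid> lookups
# for log attribution; confirm against the daemon source.
allow hilogd domain:dir { search };
allow hilogd domain:file { open read };

############################
## Neverallow rule below: ##
############################
# hilogd is not allowed to write anywhere other than its own log files
# (data_hilogd_file, /data/log/hilog) and the init agent file.
neverallow hilogd {
    file_attr
    -data_hilogd_file
    -data_init_agent
}:file { create write append };

# ptrace any other app
neverallow hilogd domain:process ptrace;

# ... and nobody may ptrace me (except init and processdump)
neverallow { domain -init -processdump } hilogd:process ptrace;

# write to /system
neverallow hilogd system_file:dir_file_class_set write;

# write to hap files
neverallow hilogd { normal_hap_data_file system_basic_hap_data_file system_core_hap_data_file }:dir_file_class_set write;

# only init is allowed to enter the hilogd domain via exec()
neverallow { domain -init } hilogd:process transition;
neverallow * hilogd:process dyntransition;

# protect persist tmp file and info file
neverallow {
    domain
    -init
    -hilogd
    -sh # write is covered next
    -hiview # write is covered next
    -hdcd # write is covered next
    -system_basic_hap # write is covered next
    -system_core_hap # write is covered next
    -normal_hap # write is covered next
} data_hilogd_file:file { rw_file_perms };

# shell, hiview, hdcd and haps can read but cannot write hilogd files.
# normal_hap is listed here because it is exempted from the rule above on the
# promise that write is covered by this one; without it a write grant to
# normal_hap would pass both assertions.
neverallow { sh hiview hdcd system_basic_hap system_core_hap normal_hap } data_hilogd_file:file { append create rename setattr write };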