1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14###################
15## Macro define: ##
16###################
#
# use_hilog(domain)
#   Grants $1 the two permissions needed to emit log records: sending
#   datagrams to the hilogd process and writing to the socket file of
#   the hilogd input socket.  Nothing here lets $1 read logs back.
#
define(`use_hilog', `
    allow $1 hilogd:unix_dgram_socket sendto;
    allow $1 hilog_input_socket:sock_file write;
')
21
#
# read_hilog(domain)
#   Lets $1 run the binary labeled hilog_exec inside its own domain
#   (execute_no_trans: no domain transition takes place) and attach to
#   hilogd over the output socket (stream connect plus sock_file write).
#
define(`read_hilog', `
    allow $1 hilogd:unix_stream_socket connectto;
    allow $1 hilog_output_socket:sock_file write;
    allow $1 hilog_exec:file { getattr open read execute execute_no_trans map };
')
27
#
# control_hilog(domain)
#   Same executable access as read_hilog, but the stream connection is
#   made through the control socket rather than the output socket, so
#   $1 can issue control requests to hilogd.
#
define(`control_hilog', `
    allow $1 hilogd:unix_stream_socket connectto;
    allow $1 hilog_control_socket:sock_file write;
    allow $1 hilog_exec:file { getattr open read execute execute_no_trans map };
')
33
34###################################
35## Read/Use/Control hilog rules: ##
36###################################
#
# Debug builds only: the shell may read and control hilog and may list
# and read the persisted log directory.  The neverallow rules further
# down assert that sh never gets write-class access to those files.
#
debug_only(`
    allow sh data_hilogd_file:file { read_file_perms };
    allow sh data_hilogd_file:dir { read_dir_perms };
    control_hilog(sh)
    read_hilog(sh)
')

# hap_domain (presumably the application domains) may read logs ...
read_hilog(hap_domain)

# ... and every domain except the kernel may emit them.
use_hilog({ domain -kernel })
47
48#######################
49## Allow rule below: ##
50#######################
# --- hilogd domain entry ---------------------------------------------------
# init executes hilogd_exec; hilogd itself needs entrypoint on it.
allow init   hilogd_exec:file { execute read open getattr };
allow hilogd hilogd_exec:file { entrypoint execute map read getattr };

# --- the three hilogd unix sockets (input / output / control) --------------
# hilogd creates the socket files and does datagram I/O on all three.
allow hilogd { hilog_input_socket hilog_output_socket hilog_control_socket }:sock_file { create_file_perms };
allow hilogd { hilog_input_socket hilog_output_socket hilog_control_socket }:unix_dgram_socket { rw_socket_perms };

# --- persisted log data (data_hilogd_file) ----------------------------------
# hilogd and init may create the directory tree; only hilogd creates and
# writes the files; hiview and hdcd are read-only consumers.
allow { hilogd init } data_hilogd_file:dir { create_dir_perms };
allow hilogd data_hilogd_file:file { create_file_perms };
allow { hiview hdcd } data_hilogd_file:dir { read_dir_perms };
allow { hiview hdcd } data_hilogd_file:file { read_file_perms };

# Directory traversal (presumably the path down to the log directory,
# plus cgroup lookups).
allow hilogd data_file:dir { search };
allow hilogd data_log:dir { getattr open read search };
allow hilogd cgroup:dir { search };

# --- init agent hand-off -----------------------------------------------------
# hilogd may add files under data_init_agent and append to them; the only
# ioctl it may issue on those files is 0x5413 (this value matches
# TIOCGWINSZ in the Linux asm-generic headers - confirm against the caller).
allow hilogd data_init_agent:dir { add_name search write };
allow hilogd data_init_agent:file { create ioctl open read append };
allowxperm hilogd data_init_agent:file ioctl { 0x5413 };

# Kernel log ring, read-only.
allow hilogd dev_kmsg_file:chr_file { read };

# --- sockets owned by kernel / init --------------------------------------------
# hilogd connects to a kernel stream socket and services sockets carrying
# the init label (presumably handed over by init at startup).
allow hilogd kernel:unix_stream_socket { connectto };
allow hilogd init:unix_dgram_socket { getattr getopt read write };
allow hilogd init:unix_stream_socket { accept getattr getopt listen };

# --- system parameters -----------------------------------------------------
allow hilogd hilog_param:parameter_service { set };
allow hilogd paramservice_socket:sock_file { write };

# getattr on files labeled with the hilog and init domain types
# (typically their /proc entries).
allow hilogd { hilog init }:file { getattr };

# --- process inspection ------------------------------------------------------
# NOTE(review): this is read access to files of every domain (typically
# /proc/<pid> entries), not only hilogd clients; keep the permission set
# as small as it is here.
allow hilogd domain:dir { search };
allow hilogd domain:file { open read getattr };
92############################
93## Neverallow rule below: ##
94############################
# hilogd may create, write or append files only under data_hilogd_file
# (/data/log/hilog) and data_init_agent; a grant on any other file type
# is a policy build error.
neverallow hilogd { file_attr -data_hilogd_file -data_init_agent }:file { create write append };
101
# hilogd must not ptrace any process ...
neverallow hilogd domain:process ptrace;

# ... and only init and processdump (presumably the crash-dump helper)
# may ptrace hilogd.
neverallow { domain -init -processdump } hilogd:process ptrace;

# hilogd never writes under /system ...
neverallow hilogd system_file:dir_file_class_set write;

# ... nor into any hap (application) data files.
neverallow hilogd {
    normal_hap_data_file_attr
    system_basic_hap_data_file_attr
    system_core_hap_data_file_attr
}:dir_file_class_set write;

# The hilogd domain is entered only by init via exec(); a dynamic
# transition into it is refused for everyone.
neverallow { domain -init } hilogd:process transition;
neverallow * hilogd:process dyntransition;
117
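# Protect the persisted log files (data_hilogd_file).
#
# Two-step assertion: the first rule denies read/write access to every
# domain except the owner (hilogd), init and the domains that only read
# the files; the second rule then asserts that those read-only domains
# have no write-class access either.  Every domain excluded from the
# first rule with the note "write is covered next" MUST be listed in the
# second rule, otherwise it ends up with no write assertion at all.
neverallow {
    domain
    -init
    -hilogd
    -sh                       # read-only; write is covered next
    -hiview                   # read-only; write is covered next
    -hdcd                     # read-only; write is covered next
    -system_basic_hap_attr    # read-only; write is covered next
    -system_core_hap_attr     # read-only; write is covered next
    -normal_hap_attr          # read-only; write is covered next
} data_hilogd_file:file { rw_file_perms };

# The read-only domains (shell, hiview, hdcd and the hap attributes
# excluded above) may read but never append, create, rename, setattr or
# write.  normal_hap_attr must be listed here: the rule above excludes it
# on the assumption that write is asserted here.
neverallow {
    sh
    hiview
    hdcd
    system_basic_hap_attr
    system_core_hap_attr
    normal_hap_attr
} data_hilogd_file:file { append create rename setattr write };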