diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/debug_hap.te b/sepolicy/ohos_policy/game/game_controller_service/system/debug_hap.te
new file mode 100644
index 0000000000000000000000000000000000000000..6351dbe4f794f2f9a3bc2bed09fa115a6e768d7b
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/debug_hap.te
@@ -0,0 +1,18 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow debug_hap gamecontroller_server:binder { call transfer };
+allow debug_hap sa_gamecontroller_server:samgr_class { get };
+
+
+
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/foundation.te b/sepolicy/ohos_policy/game/game_controller_service/system/foundation.te
new file mode 100644
index 0000000000000000000000000000000000000000..8d460164a302e4b89bcaa3e0da51fd2bb4be9441
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/foundation.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow foundation gamecontroller_server:binder { transfer call };
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/gamecontroller_server.te b/sepolicy/ohos_policy/game/game_controller_service/system/gamecontroller_server.te
new file mode 100644
index 0000000000000000000000000000000000000000..03b6ad4f286fdc47892d2b856971c2d4eb9abecc
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/gamecontroller_server.te
@@ -0,0 +1,87 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow gamecontroller_server sa_gamecontroller_server:samgr_class { add };
+
+binder_call(gamecontroller_server, foundation);
+binder_call(gamecontroller_server, debug_hap);
+binder_call(gamecontroller_server, normal_hap_attr);
+
+allow gamecontroller_server normal_hap:dir { search open read };
+allow gamecontroller_server normal_hap:file { getattr open read };
+
+# avc_audit_slow:277] avc: denied { search } for pid=6681, comm="/system/bin/sa_main" name="/lib64" dev="overlay" ino=1 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=1
+allow gamecontroller_server chip_prod_file:dir { search };
+
+# avc_audit_slow:277] avc: denied { map } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="" ino=260 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] avc: denied { open } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="" ino=260 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] avc: denied { read } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="" ino=260 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:debug_param:s0 
tclass=file permissive=1
+allow gamecontroller_server debug_param:file { map open read };
+
+# avc_audit_slow:277] avc: denied { write } for pid=6681, comm="/system/bin/sa_main" path="/dev/kmsg" dev="" ino=23 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
+allow gamecontroller_server dev_kmsg_file:chr_file { write };
+
+# avc_audit_slow:277] avc: denied { getopt } for pid=6681, comm="/system/bin/sa_main" scontext=u:r:gamecontroller_server:s0 tcontext=u:r:gamecontroller_server:s0 tclass=unix_dgram_socket permissive=1
+# avc_audit_slow:277] avc: denied { setopt } for pid=6681, comm="/system/bin/sa_main" scontext=u:r:gamecontroller_server:s0 tcontext=u:r:gamecontroller_server:s0 tclass=unix_dgram_socket permissive=1
+allow gamecontroller_server gamecontroller_server:unix_dgram_socket { getopt setopt };
+
+# avc_audit_slow:277] avc: denied { map } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=259 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] avc: denied { open } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=259 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] avc: denied { read } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=259 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
+allow gamecontroller_server persist_sys_param:file { map open read };
+
+# avc_audit_slow:277] avc: denied { map } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=247 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] 
avc: denied { open } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=247 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1
+# avc_audit_slow:277] avc: denied { read } for pid=6681, comm="/system/bin/sa_main" path="/dev/__parameters__/u:object_r:sys_param:s0" dev="" ino=247 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sys_param:s0 tclass=file permissive=1
+allow gamecontroller_server sys_param:file { map open read };
+
+# avc_audit_slow:277] avc: denied { search } for pid=8143, comm="/system/bin/sa_main" name="/service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=9 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
+allow gamecontroller_server data_service_file:dir { search };
+
+# avc_audit_slow:277] avc: denied { search } for pid=8143, comm="/system/bin/sa_main" name="/unix/socket" dev="" ino=229 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
+allow gamecontroller_server dev_unix_socket:dir { search };
+
+# avc: denied { get } for service=401 sid=u:r:gamecontroller_server:s0 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
+allow gamecontroller_server sa_foundation_bms:samgr_class { get };
+
+# avc_audit_slow:278] avc: denied { search } for pid=9185, comm="/system/bin/sa_main" name="/service/el1/public/gamecontroller_server" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3795 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
+# avc_audit_slow:278] avc: denied { write add_name search } for pid=9185, comm="/system/bin/sa_main" name="/service/el1/public/gamecontroller_server" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3795 scontext=u:r:gamecontroller_server:s0 
tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
+allow gamecontroller_server data_service_el1_file:dir { search write add_name search };
+
+# avc_audit_slow:278] avc: denied { create } for pid=9185, comm="/system/bin/sa_main" name="/service/el1/public/gamecontroller_server/device_config.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55160 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { getattr } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/game_support_key_mapping.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55153 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { ioctl } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/game_support_key_mapping.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55153 ioctlcmd=0x5413 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { open } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/game_support_key_mapping.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55153 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { read } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/device_config.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55160 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { setattr } for pid=9185, comm="/system/bin/sa_main" 
name="/service/el1/public/gamecontroller_server/device_config.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55160 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { write } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/game_support_key_mapping.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55153 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+allow gamecontroller_server data_service_el1_file:file { create getattr ioctl open read setattr write relabelto};
+
+
+# avc: denied { get } for service=3299 sid=u:r:gamecontroller_server:s0 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1
+allow gamecontroller_server sa_foundation_cesfwk_service:samgr_class { get };
+
+# avc_audit_slow:278] avc: denied { getattr } for pid=9185, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=94 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { open } for pid=9185, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=94 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+# avc_audit_slow:278] avc: denied { read } for pid=9185, comm="/system/bin/sa_main" path="/sys/devices/system/cpu/online" dev="" ino=94 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
+allow gamecontroller_server sysfs_devices_system_cpu:file { getattr open read };
+
+# avc_audit_slow:278] avc: denied { ioctl } for pid=9185, comm="/system/bin/sa_main" path="/data/service/el1/public/gamecontroller_server/game_support_key_mapping.json" 
dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=55153 ioctlcmd=0x5413 scontext=u:r:gamecontroller_server:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
+allowxperm gamecontroller_server data_service_el1_file:file ioctl { 0x5413 };
+
+allow gamecontroller_server hiviewdfx_hiview_param:file { read open map };
+
+allow gamecontroller_server persist_param:file { open read };
+
+allow gamecontroller_server data_file:dir { search };
+
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/init.te b/sepolicy/ohos_policy/game/game_controller_service/system/init.te
new file mode 100644
index 0000000000000000000000000000000000000000..b6fa16ac5efd2f9fd7bc84c773c3d01ab2da57dd
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/init.te
@@ -0,0 +1,15 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow init gamecontroller_server:process { rlimitinh siginh transition };
+
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/normal_hap_attr.te b/sepolicy/ohos_policy/game/game_controller_service/system/normal_hap_attr.te
new file mode 100644
index 0000000000000000000000000000000000000000..98fe1f4e9953dbf2cdcd776957948bb14bdb2734
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/normal_hap_attr.te
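Review bot: The `data_service_el1_file` rules grant create/write/setattr/relabelto on every file carrying the generic `/data/service/el1` label, not only on `/data/service/el1/public/gamecontroller_server`, so the domain can alter other services' el1 data, and none of the quoted denials asks for `relabelto`. Give the service directory its own file type in file_contexts, scope the `:dir` and `:file` rules to that type, and drop `relabelto` unless the service really relabels. `allow gamecontroller_server data_service_el1_file:dir { search write add_name search };` lists `search` twice, and the 0x5413 ioctl audit line is quoted twice (before the `allow` and again before the `allowxperm`). `allow gamecontroller_server dev_kmsg_file:chr_file { write };` lets the service write straight to the kernel log; if this is only a logging fallback, a `dontaudit` is the usual answer rather than a grant — confirm with the owner. The `normal_hap:dir` / `normal_hap:file` read rules presumably cover the /proc entries of every normal application; a comment naming the entry the service actually needs (and whether a narrower rule suffices) would make the intent reviewable.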
@@ -0,0 +1,18 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow normal_hap_attr gamecontroller_server:binder { call transfer };
+allow normal_hap_attr sa_gamecontroller_server:samgr_class { get };
+
+
+
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/service.te b/sepolicy/ohos_policy/game/game_controller_service/system/service.te
new file mode 100644
index 0000000000000000000000000000000000000000..c6451d884948208c177c4fc5bca0c27ebd2c5f56
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/service.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type sa_gamecontroller_server, sa_service_attr;
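Review bot: `allow normal_hap_attr sa_gamecontroller_server:samgr_class { get };` together with the binder `{ call transfer }` rule makes the service reachable from every normal application, so the policy no longer restricts who may call it and each IPC entry point in gamecontroller_server has to verify the caller itself (permission or token checks). If only game applications or a known caller set need the service, a narrower attribute or type would keep that restriction enforced by policy. A one-line comment above the rules, e.g. `# intentionally reachable by all normal HAPs; caller checks are done in the SA IPC layer`, would record the decision for later reviewers. If debug_hap already carries normal_hap_attr, the rules in debug_hap.te duplicate these — worth checking.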
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/service_contexts b/sepolicy/ohos_policy/game/game_controller_service/system/service_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..a884eb2e711d0883706c6635d20e71610c13809a
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/service_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+8450 u:object_r:sa_gamecontroller_server:s0
diff --git a/sepolicy/ohos_policy/game/game_controller_service/system/type.te b/sepolicy/ohos_policy/game/game_controller_service/system/type.te
new file mode 100644
index 0000000000000000000000000000000000000000..d8b1f35561b2d866b76092954760e77d1e0a03cb
--- /dev/null
+++ b/sepolicy/ohos_policy/game/game_controller_service/system/type.te
@@ -0,0 +1,16 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type gamecontroller_server, sadomain, domain;
+
+