diff --git a/sepolicy/ohos_policy/web/webview/public/type.te b/sepolicy/ohos_policy/web/webview/public/type.te
index 4947833b427889a75ae6fa233b83917605c79cfa..c426cc8f09d521487d019cfbac1d20dd01e6dae5 100644
--- a/sepolicy/ohos_policy/web/webview/public/type.te
+++ b/sepolicy/ohos_policy/web/webview/public/type.te
@@ -16,3 +16,4 @@ type isolated_gpu, domain;
 type web_private_param, parameter_attr;
 type app_fwk_update_service, sadomain, domain;
 type arkweb_crashpad_handler_exec, exec_attr, file_attr, system_file_attr;
+type web_native_messaging_service, sadomain, domain;
diff --git a/sepolicy/ohos_policy/web/webview/system/foudation.te b/sepolicy/ohos_policy/web/webview/system/foudation.te
index ee62af3313e257982fd2095f52e43351d63b7307..cd52bfc4a84e0625932250bad4e14b1026b26e00 100644
--- a/sepolicy/ohos_policy/web/webview/system/foudation.te
+++ b/sepolicy/ohos_policy/web/webview/system/foudation.te
@@ -27,3 +27,5 @@
 allow foundation app_fwk_update_service:binder { call transfer };
 allow foundation isolated_gpu:binder { call transfer };
 allow foundation isolated_gpu:process { sigkill };
+
+allow foundation web_native_messaging_service:binder { call transfer };
diff --git a/sepolicy/ohos_policy/web/webview/system/hap_domain.te b/sepolicy/ohos_policy/web/webview/system/hap_domain.te
index ec6725af77f80ec0ef369f2b561cb45bcaeda764..e04014f343b7885d2b23c8f5f16ac3d53a0b1c9a 100644
--- a/sepolicy/ohos_policy/web/webview/system/hap_domain.te
+++ b/sepolicy/ohos_policy/web/webview/system/hap_domain.te
@@ -27,3 +27,7 @@
 allow hap_domain isolated_gpu:fd { use };
 allow hap_domain isolated_gpu:unix_stream_socket { read write shutdown getopt };
 allow hap_domain isolated_gpu:binder { call transfer };
+
+allow hap_domain sa_web_native_messaging_service:samgr_class { get };
+
+allow hap_domain web_native_messaging_service:binder { call transfer };
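Review bot: In hap_domain.te, `allow hap_domain sa_web_native_messaging_service:samgr_class { get };` together with `allow hap_domain web_native_messaging_service:binder { call transfer };` lets every domain carrying the hap_domain attribute — which, judging by how it is used elsewhere in this change, appears to be all applications — look up and invoke the new SA, so the policy no longer distinguishes a web-hosting app from any other caller. That is a normal shape for an app-facing service, but it means each interface of the SA has to authorize its caller itself (calling token, bundle identity or a dedicated permission) and treat every received message or fd as untrusted. A comment above the two rules would make that contract explicit, e.g. `# reachable from every HAP; caller authorization is enforced inside the SA, not by policy`. The reverse direction (`hap_domain:binder { call }`, `hap_domain:fd { use }`, `hap_domain:fifo_file { read write }`) is granted in the new web_native_messaging_service.te in this same change.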
diff --git a/sepolicy/ohos_policy/web/webview/system/init.te b/sepolicy/ohos_policy/web/webview/system/init.te
index a9103342cdf56a03fdc20f2b15507656522f3a35..91a0826cc3bd8fa6d10005c7d59ae32d6ef5799b 100644
--- a/sepolicy/ohos_policy/web/webview/system/init.te
+++ b/sepolicy/ohos_policy/web/webview/system/init.te
@@ -15,3 +15,5 @@
 # avc_audit_slow:267] avc: denied { siginh } for pid=6959, comm="/system/bin/sa_main" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1
 # avc_audit_slow:267] avc: denied { transition } for pid=6959, comm="/bin/init" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1
 allow init app_fwk_update_service:process { rlimitinh siginh transition };
+
+allow init web_native_messaging_service:process { rlimitinh siginh transition };
diff --git a/sepolicy/ohos_policy/web/webview/system/service.te b/sepolicy/ohos_policy/web/webview/system/service.te
index d3498534faa112521024b6ca1bf687fb26dc4731..df401ff3449ae5dae53b538cfb55a9a7035c3b46 100644
--- a/sepolicy/ohos_policy/web/webview/system/service.te
+++ b/sepolicy/ohos_policy/web/webview/system/service.te
@@ -12,3 +12,4 @@
 # limitations under the License.
 type sa_app_fwk_update_service, sa_service_attr;
+type sa_web_native_messaging_service, sa_service_attr;
diff --git a/sepolicy/ohos_policy/web/webview/system/service_contexts b/sepolicy/ohos_policy/web/webview/system/service_contexts
index 149673716c5b5a9d7e4f06d080c8a9b410e7a20e..68a9fd1b7ff1b51ea7252af880a19db03e46de55 100755
--- a/sepolicy/ohos_policy/web/webview/system/service_contexts
+++ b/sepolicy/ohos_policy/web/webview/system/service_contexts
@@ -12,3 +12,4 @@
 # limitations under the License.
 8350 u:object_r:sa_app_fwk_update_service:s0
+8610 u:object_r:sa_web_native_messaging_service:s0
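Review bot: The new `allow init web_native_messaging_service:process { rlimitinh siginh transition };` in init.te carries no note on why the three bits are needed, whereas the sibling app_fwk_update_service rule is justified by the avc denial lines kept above it; `siginh` and `rlimitinh` let the spawned service inherit init's signal state and resource limits across the domain transition rather than start clean, so they deserve a line such as `# launched by init (presumably via sa_main like app_fwk_update_service); siginh/rlimitinh were observed as denials during bring-up — confirm`. The id 8610 bound to sa_web_native_messaging_service in service_contexts must match the SA id the service registers with samgr; that pairing is not visible in this change and should be checked against the service profile.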
diff --git a/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te b/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te
new file mode 100755
index 0000000000000000000000000000000000000000..09e66fac95550572894ca1c0de3ecfdc050aeca5
--- /dev/null
+++ b/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te
@@ -0,0 +1,49 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+binder_call(web_native_messaging_service, samgr);
+
+allow web_native_messaging_service arkcompiler_param:file { map open read };
+
+allow web_native_messaging_service hap_domain:binder { call };
+
+allow web_native_messaging_service hap_domain:fd { use };
+
+allow web_native_messaging_service debug_hap_data_file:file { read write };
+
+allow web_native_messaging_service debug_param:file { map open read };
+
+allow web_native_messaging_service dev_kmsg_file:chr_file { write };
+
+allow web_native_messaging_service foundation:binder { call transfer };
+
+allow web_native_messaging_service persist_sys_param:file { map open read };
+
+allow web_native_messaging_service sa_foundation_abilityms:samgr_class { get };
+
+allow web_native_messaging_service sa_web_native_messaging_service:samgr_class { add };
+
+allow web_native_messaging_service sysfs_devices_system_cpu:file { getattr open read };
+
+allow web_native_messaging_service system_usr_file:file { getattr map open read };
+
+allow web_native_messaging_service web_native_messaging_service:unix_dgram_socket { getopt setopt };
+
+allow web_native_messaging_service sa_foundation_bms:samgr_class { get };
+
+allow web_native_messaging_service hap_domain:fifo_file { read write };
+
+allow web_native_messaging_service tty_device:chr_file { write };
+
+allow hidumper_service sa_web_native_messaging_service:samgr_class { 
get };
+allow web_native_messaging_service dev_unix_socket:dir { search };
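Review bot: `allow web_native_messaging_service debug_hap_data_file:file { read write };` gives a system SA write access to the private data files of debuggable apps, the hunk grants nothing on non-debug app data, and there is no comment on what is written there; if this only serves a developer/debug path it should say so and be trimmed to what that path needs (`read` alone if possible), and the `tty_device:chr_file { write }` and `dev_kmsg_file:chr_file { write }` grants look like console logging that is normally not wanted in a production domain — confirm before this ships. The hap_domain rules (`fd { use }`, `fifo_file { read write }`, `binder { call }`) mean the service consumes pipes handed over by arbitrary apps, so the implementation must validate every received fd (fstat type, ownership) rather than trust the caller, since SELinux only narrows the object classes it may touch. Stylistically, `allow hidumper_service sa_web_native_messaging_service:samgr_class { get };` has hidumper_service as its subject while every other file in this change groups rules by subject domain (foudation.te, hap_domain.te, init.te), so it belongs in the hidumper domain's policy file. A header comment after the license would also help a reader, e.g. `# Domain for the web native messaging SA (sa id 8610): brokers fifo/fd channels between HAPs and the service; looked up and called by hap_domain via samgr.`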