From 4d05e7a1f0714a6fd133cddf1d5827709b5cfe86 Mon Sep 17 00:00:00 2001
From: libing23232323
Date: Fri, 12 Sep 2025 14:41:57 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0webNativeMessaging=E8=A7=84?= =?UTF-8?q?=E5=88=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: libing23232323
---
 .../ohos_policy/web/webview/public/type.te | 1 +
 .../web/webview/system/foudation.te | 2 +
 .../web/webview/system/hap_domain.te | 4 ++
 .../ohos_policy/web/webview/system/init.te | 2 +
 .../ohos_policy/web/webview/system/service.te | 1 +
 .../web/webview/system/service_contexts | 1 +
 .../system/web_native_messaging_service.te | 49 +++++++++++++++++++
 7 files changed, 60 insertions(+)
 create mode 100755 sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te

diff --git a/sepolicy/ohos_policy/web/webview/public/type.te b/sepolicy/ohos_policy/web/webview/public/type.te
index 4947833b4..c426cc8f0 100644
--- a/sepolicy/ohos_policy/web/webview/public/type.te
+++ b/sepolicy/ohos_policy/web/webview/public/type.te
@@ -16,3 +16,4 @@ type isolated_gpu, domain;
 type web_private_param, parameter_attr;
 type app_fwk_update_service, sadomain, domain;
 type arkweb_crashpad_handler_exec, exec_attr, file_attr, system_file_attr;
+type web_native_messaging_service, sadomain, domain;
diff --git a/sepolicy/ohos_policy/web/webview/system/foudation.te b/sepolicy/ohos_policy/web/webview/system/foudation.te
index ee62af331..cd52bfc4a 100644
--- a/sepolicy/ohos_policy/web/webview/system/foudation.te
+++ b/sepolicy/ohos_policy/web/webview/system/foudation.te
@@ -27,3 +27,5 @@ allow foundation app_fwk_update_service:binder { call transfer };
 allow foundation isolated_gpu:binder { call transfer };
 allow foundation isolated_gpu:process { sigkill };
+
+allow foundation web_native_messaging_service:binder { call transfer };
diff --git a/sepolicy/ohos_policy/web/webview/system/hap_domain.te b/sepolicy/ohos_policy/web/webview/system/hap_domain.te
index ec6725af7..e04014f34 100644
--- a/sepolicy/ohos_policy/web/webview/system/hap_domain.te
+++ b/sepolicy/ohos_policy/web/webview/system/hap_domain.te
@@ -27,3 +27,7 @@ allow hap_domain isolated_gpu:fd { use };
 allow hap_domain isolated_gpu:unix_stream_socket { read write shutdown getopt };
 allow hap_domain isolated_gpu:binder { call transfer };
+
+allow hap_domain sa_web_native_messaging_service:samgr_class { get };
+
+allow hap_domain web_native_messaging_service:binder { call transfer };
diff --git a/sepolicy/ohos_policy/web/webview/system/init.te b/sepolicy/ohos_policy/web/webview/system/init.te
index a9103342c..91a0826cc 100644
--- a/sepolicy/ohos_policy/web/webview/system/init.te
+++ b/sepolicy/ohos_policy/web/webview/system/init.te
@@ -15,3 +15,5 @@
 # avc_audit_slow:267] avc: denied { siginh } for pid=6959, comm="/system/bin/sa_main" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1
 # avc_audit_slow:267] avc: denied { transition } for pid=6959, comm="/bin/init" scontext=u:r:init:s0 tcontext=u:r:app_fwk_update_service:s0 tclass=process permissive=1
 allow init app_fwk_update_service:process { rlimitinh siginh transition };
+
+allow init web_native_messaging_service:process { rlimitinh siginh transition };
diff --git a/sepolicy/ohos_policy/web/webview/system/service.te b/sepolicy/ohos_policy/web/webview/system/service.te
index d3498534f..df401ff34 100644
--- a/sepolicy/ohos_policy/web/webview/system/service.te
+++ b/sepolicy/ohos_policy/web/webview/system/service.te
@@ -12,3 +12,4 @@
 # limitations under the License.
 type sa_app_fwk_update_service, sa_service_attr;
+type sa_web_native_messaging_service, sa_service_attr;
diff --git a/sepolicy/ohos_policy/web/webview/system/service_contexts b/sepolicy/ohos_policy/web/webview/system/service_contexts
index 149673716..68a9fd1b7 100755
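Review bot: The two added rules in hap_domain.te let every application domain look up and bind to the new service (`allow hap_domain sa_web_native_messaging_service:samgr_class { get };` and `allow hap_domain web_native_messaging_service:binder { call transfer };`), so the policy itself no longer limits which apps can reach it and any caller restriction has to happen inside the service's own IPC checks. If only the web/arkweb-hosting apps are meant to use native messaging, a narrower source attribute than `hap_domain` would keep a kernel-enforced boundary; if the wide grant is deliberate, a comment such as `# any hap may reach the SA; caller identity is verified by the service on each IPC` would record that decision next to the rule. The same hap_domain-wide exposure appears on the service side in web_native_messaging_service.te (`hap_domain:binder { call }`, `hap_domain:fd { use }`, `hap_domain:fifo_file { read write }`), so the two files should state the same contract.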
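Review bot: The added `allow init web_native_messaging_service:process { rlimitinh siginh transition };` in init.te carries no comment, whereas the neighbouring app_fwk_update_service rule is preceded by the avc denial lines that justify its `siginh` and `transition` grants. Because `rlimitinh` and `siginh` let the new domain inherit init's resource limits and signal state across the domain transition, a one-line note recording why all three permissions are needed, e.g. `# sa_main launched by init transitions into web_native_messaging_service; same set as app_fwk_update_service above`, or the corresponding denial lines, would keep the file's convention and make the grant auditable later.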
--- a/sepolicy/ohos_policy/web/webview/system/service_contexts
+++ b/sepolicy/ohos_policy/web/webview/system/service_contexts
@@ -12,3 +12,4 @@
 # limitations under the License.
 8350 u:object_r:sa_app_fwk_update_service:s0
+8610 u:object_r:sa_web_native_messaging_service:s0
diff --git a/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te b/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te
new file mode 100755
index 000000000..09e66fac9
--- /dev/null
+++ b/sepolicy/ohos_policy/web/webview/system/web_native_messaging_service.te
@@ -0,0 +1,49 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+binder_call(web_native_messaging_service, samgr);
+
+allow web_native_messaging_service arkcompiler_param:file { map open read };
+
+allow web_native_messaging_service hap_domain:binder { call };
+
+allow web_native_messaging_service hap_domain:fd { use };
+
+allow web_native_messaging_service debug_hap_data_file:file { read write };
+
+allow web_native_messaging_service debug_param:file { map open read };
+
+allow web_native_messaging_service dev_kmsg_file:chr_file { write };
+
+allow web_native_messaging_service foundation:binder { call transfer };
+
+allow web_native_messaging_service persist_sys_param:file { map open read };
+
+allow web_native_messaging_service sa_foundation_abilityms:samgr_class { get };
+
+allow web_native_messaging_service sa_web_native_messaging_service:samgr_class { add };
+
+allow web_native_messaging_service sysfs_devices_system_cpu:file { getattr open read };
+
+allow web_native_messaging_service system_usr_file:file { getattr map open read };
+
+allow web_native_messaging_service web_native_messaging_service:unix_dgram_socket { getopt setopt };
+
+allow web_native_messaging_service sa_foundation_bms:samgr_class { get };
+
+allow web_native_messaging_service hap_domain:fifo_file { read write };
+
+allow web_native_messaging_service tty_device:chr_file { write };
+
+allow hidumper_service sa_web_native_messaging_service:samgr_class { get };
+
+allow web_native_messaging_service dev_unix_socket:dir { search };
-- 
Gitee
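Review bot: `allow web_native_messaging_service dev_kmsg_file:chr_file { write };` and `allow web_native_messaging_service tty_device:chr_file { write };` give the new system ability direct write access to the kernel log and console devices, which in policies like this usually traces back to a debug logging path captured in a denial log rather than to a functional need; unless the service really writes to /dev/kmsg or a tty in production, these two rules look like leftovers that should be dropped or limited to debug builds. The `debug_hap_data_file:file { read write }` rule has no `open`, so it can only act on descriptors the service already holds (presumably ones received from apps through the `hap_domain:fd { use }` and `hap_domain:fifo_file` rules); if that is intended, a comment such as `# fd-only access to app data files received over IPC; the service never opens them itself` would stop a later change from adding `open` without thought. The `allow hidumper_service sa_web_native_messaging_service:samgr_class { get };` rule has a different subject domain and would normally live with hidumper's own rules rather than in this file, and the remaining rules are in no evident order; grouping them by target class (params, samgr lookups, hap_domain IPC, devices) would make the grant set easier to audit.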