# Copyright (c) 2022-2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################### ## Read/Use/Control hilog rules: ## ################################### read_hilog(hap_domain) use_hilog({ domain -kernel }) ####################### ## Allow rule below: ## ####################### allow hilogd hilogd_exec:file { entrypoint execute map read getattr }; allow init hilogd_exec:file { execute read open getattr }; allow hilogd hilog_input_socket:unix_dgram_socket { rw_socket_perms }; allow hilogd hilog_input_socket:sock_file { create_file_perms }; allow hilogd hilog_output_socket:unix_dgram_socket { rw_socket_perms }; allow hilogd hilog_output_socket:sock_file { create_file_perms }; allow hilogd hilog_control_socket:unix_dgram_socket { rw_socket_perms }; allow hilogd hilog_control_socket:sock_file { create_file_perms }; allow hilogd data_hilogd_file:dir { create_dir_perms }; allow hilogd data_hilogd_file:file { create_file_perms }; allow init data_hilogd_file:dir { create_dir_perms }; allow { hiview hdcd } data_hilogd_file:dir { read_dir_perms }; allow { hiview hdcd } data_hilogd_file:file { read_file_perms }; allow hilogd data_file:dir { search }; allow hilogd data_log:dir { getattr open read search }; allow hilogd cgroup:dir { search }; allow hilogd data_init_agent:dir { add_name search write }; allow hilogd data_init_agent:file { create ioctl open read append }; allow hilogd dev_kmsg_file:chr_file { read }; allow hilogd kernel:unix_stream_socket { connectto }; allow hilogd init:unix_dgram_socket { getattr getopt read write }; allow hilogd init:unix_stream_socket { accept getattr getopt listen }; allow hilogd hilog_param:parameter_service { set }; allow hilogd paramservice_socket:sock_file { write }; allow hilogd hilog:file { getattr }; allow hilogd init:file { getattr }; allowxperm hilogd data_init_agent:file ioctl { 0x5413 }; allow hilogd domain:dir { search }; allow hilogd domain:file { open read getattr }; ############################ ## Neverallow rule below: ## ############################ # hilogd is not allowed to write anywhere other than /data/log/hilog neverallow hilogd { file_attr -hilog_whitelist_file -data_hilogd_file -data_init_agent }:file { create write append }; # ptrace any other app neverallow hilogd domain:process ptrace; # ... and nobody may ptrace me (except init) neverallow { domain -init -processdump } hilogd:process ptrace; # write to /system neverallow hilogd system_file:dir_file_class_set write; # write to hap files neverallow hilogd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr }:dir_file_class_set write; # only init is allowed to enter the hilogd domain via exec() neverallow { domain -init } hilogd:process transition; neverallow * hilogd:process dyntransition; # protect persist tmp file and info file neverallow { domain developer_only(`-wukong') developer_only(`-hiprofiler_plugins') -init -hilogd -hiview # write is covered next -hdcd # write is covered next updater_only(`-updater') updater_only(`-hiview_light') } data_hilogd_file:file { rw_file_perms }; # shell can read but cannot write hilogd files neverallow { domain -hilogd } data_hilogd_file:file { append create rename setattr write }; allow hilogd hilog_private_param:parameter_service { set };