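# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux policy for the hilogd log daemon. The file is organised as
# read/use/control macros, then the allow rules that grant hilogd its
# working set, then neverallow guards that pin down what hilogd — and
# every other domain — may do with hilogd's files and process.

###################################
## Read/Use/Control hilog rules: ##
###################################
read_hilog(hap_domain)

use_hilog({ domain -kernel })

#######################
## Allow rule below: ##
#######################
# Execution: hilogd runs its own binary, init launches it. Entry into the
# hilogd domain is restricted to init by the neverallow rules at the end.
allow hilogd hilogd_exec:file { entrypoint execute map read getattr };
allow init hilogd_exec:file { execute read open getattr };

# Datagram sockets for log input, output and control; hilogd creates the
# socket files itself.
allow hilogd hilog_input_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_input_socket:sock_file { create_file_perms };
allow hilogd hilog_output_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_output_socket:sock_file { create_file_perms };
allow hilogd hilog_control_socket:unix_dgram_socket { rw_socket_perms };
allow hilogd hilog_control_socket:sock_file { create_file_perms };

# Persisted log storage: hilogd owns it, init may create the directory,
# hiview and hdcd are read-only consumers.
allow hilogd data_hilogd_file:dir { create_dir_perms };
allow hilogd data_hilogd_file:file { create_file_perms };

allow init data_hilogd_file:dir { create_dir_perms };
allow { hiview hdcd } data_hilogd_file:dir { read_dir_perms };
allow { hiview hdcd } data_hilogd_file:file { read_file_perms };

# Directory traversal on the parents of the log directory; no write
# permission is granted on them.
allow hilogd data_file:dir { search };
allow hilogd data_log:dir { getattr open read search };

allow hilogd cgroup:dir { search };

# Init agent data: create/append only, no plain write. The ioctl
# permission is narrowed further by the allowxperm rule below.
allow hilogd data_init_agent:dir { add_name search write };
allow hilogd data_init_agent:file { create ioctl open read append };

# Kernel log device, read-only.
allow hilogd dev_kmsg_file:chr_file { read };

allow hilogd kernel:unix_stream_socket { connectto };
allow hilogd init:unix_dgram_socket { getattr getopt read write };
allow hilogd init:unix_stream_socket { accept getattr getopt listen };

# System parameters hilogd may set, and the socket used to reach the
# parameter service.
allow hilogd hilog_param:parameter_service { set };
allow hilogd hilog_private_param:parameter_service { set };
allow hilogd paramservice_socket:sock_file { write };

allow hilogd hilog:file { getattr };
allow hilogd init:file { getattr };

# Only a single ioctl request number is permitted on data_init_agent files.
# 0x5413 is TIOCGWINSZ in the Linux generic ioctl numbering; why hilogd
# needs it on these files is not visible here — confirm against the daemon.
allowxperm hilogd data_init_agent:file ioctl { 0x5413 };

allow hilogd domain:dir { search };
allow hilogd domain:file { open read getattr };

############################
## Neverallow rule below: ##
############################
# hilogd may only create/write/append files of its own log storage
# (data_hilogd_file), the init agent data and the hilog whitelist file;
# every other file type is denied at policy build time.
neverallow hilogd {
    file_attr
    -hilog_whitelist_file
    -data_hilogd_file
    -data_init_agent
}:file { create write append };

# hilogd may not ptrace any other process ...
neverallow hilogd domain:process ptrace;

# ... and only init and processdump may ptrace hilogd.
neverallow { domain -init -processdump } hilogd:process ptrace;

# no writes to /system
neverallow hilogd system_file:dir_file_class_set write;

# no writes to hap data files of any privilege level
neverallow hilogd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr }:dir_file_class_set write;

# only init is allowed to enter the hilogd domain via exec(); dynamic
# transitions into hilogd are never permitted from any domain.
neverallow { domain -init } hilogd:process transition;
neverallow * hilogd:process dyntransition;

# protect persist tmp file and info file: only the domains excluded here
# may read/write hilogd's persisted files. Exclusions wrapped in
# developer_only()/updater_only() exist only in those build variants.
neverallow {
    domain
    developer_only(`-wukong')
    developer_only(`-hiprofiler_plugins')
    -init
    -hilogd
    -hiview # write is covered next
    -hdcd # write is covered next
    updater_only(`-updater')
    updater_only(`-hiview_light')
} data_hilogd_file:file { rw_file_perms };

# shell can read but cannot write hilogd files
# NOTE(review): the rule above already denies rw_file_perms to every domain
# not excluded there, so read access for shell depends on that rule's
# exclusion list rather than on this one — confirm this matches intent.
neverallow { domain -hilogd } data_hilogd_file:file { append create rename setattr write };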