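# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement policy for the samgr domain (OpenHarmony's
# system ability manager).  Everything below is an allow/allowxperm rule
# with samgr as the source domain; there are no neverallow or dontaudit
# rules in this file.  The "#avc: denied ..." lines are audit excerpts kept
# as the justification for the rule that follows each of them; the
# addresses and pids in them come from the capture environment, not from
# the policy.  Two rules that appeared twice in the original file
# (softbus_server:tcp_socket and samgr:unix_dgram_socket) are kept once,
# next to their audit excerpts, so that a later tightening cannot leave a
# stale second copy behind.

# samgr carries the sadomain attribute itself, so every "sadomain" rule
# below also applies to samgr-to-samgr access.
type samgr, sadomain, domain;
type samgr_exec, exec_attr, file_attr, system_file_attr;

# Parameter (system property) labels owned by this domain.
type bootevent_samgr_param, parameter_attr;
type samgr_perf_param, parameter_attr;

# Domain transition from init into samgr via samgr_exec (macro defined
# elsewhere in the policy tree).
init_daemon_domain(samgr);

# Other system-ability processes: binder peer (call + handle transfer) plus
# read access to their per-process entries.  The dir/file/process triple
# presumably covers /proc/<pid> lookups - confirm against the fs contexts.
allow samgr sadomain:binder { call transfer };
allow samgr sadomain:dir { search };
allow samgr sadomain:file { open read };
allow samgr sadomain:process { getattr };

# Driver-framework (HDF) processes: note "transfer" only, no "call",
# unlike the sadomain rule above.
allow samgr hdfdomain:binder { transfer };
allow samgr hdfdomain:dir { search };
allow samgr hdfdomain:file { open read };
allow samgr hdfdomain:process { getattr };

# Shell processes as binder peers: samgr may call into, and pass binder
# handles to, processes running in the sh domain.
# NOTE(review): confirm this is still required on non-debug builds.
allow samgr sh:dir { search };
allow samgr sh:file { open read };
allow samgr sh:process { getattr };
allow samgr sh:binder { call transfer };

# Dedicated label for samgr's own boot-event parameters.  The generic
# bootevent_param rule near the end of this file exists because, per the
# audit excerpt there, bootevent.samgr.ready was still labelled
# bootevent_param when captured; if parameter_contexts now maps it to
# bootevent_samgr_param, that generic rule is a candidate for removal.
allow samgr bootevent_samgr_param:parameter_service { set };

allow samgr data_file:dir { search };

# Binder device access.  The plain ioctl permission is required for the
# allowxperm rule at the end of the file, which narrows it to one command.
allow samgr dev_binder_file:chr_file { ioctl };

allow samgr dev_unix_socket:dir { search };

allow samgr dslm_service:file { getattr open read };

# Connect to a unix stream socket whose peer runs in the kernel domain.
allow samgr kernel:unix_stream_socket { connectto };

# Normal (third-party) application processes: binder call only, no handle
# transfer, plus the same per-process read access as for sadomain.
allow samgr normal_hap:binder { call };
allow samgr normal_hap:dir { search };
allow samgr normal_hap:file { open read };
allow samgr normal_hap:process { getattr };

# Broad: samgr may set any parameter carrying the generic ohos_param label.
allow samgr ohos_param:parameter_service { set };

allow samgr paramservice_socket:sock_file { write };

# samgr registers itself as the binder context manager (the service
# registry every other binder client resolves through).
allow samgr samgr:binder { set_context_mgr };

# Policy queries through selinuxfs (compute_av / check_context; the write
# permission is how the query is submitted).  Consistent with samgr
# enforcing access to its own samgr_class objects in userspace - TODO
# confirm against the samgr source.
allow samgr security:security { check_context compute_av };

allow samgr selinuxfs:dir { open read search };
allow samgr selinuxfs:file { map open read write };

#avc: denied { use } for pid=677 comm="THREAD_POOL" path="socket:[36108]" dev="sockfs" ino=36108 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1
#avc: denied { shutdown } for pid=246 comm="THREAD_POOL" laddr=192.168.43.222 lport=34003 faddr=192.168.43.64 fport=39734 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
#avc: denied { shutdown } for pid=246 comm="samgr" laddr=192.168.43.222 lport=48160 faddr=192.168.43.64 fport=40605 scontext=u:r:samgr:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
# Operate on TCP sockets (and the descriptors carrying them) handed over by
# softbus_server.  Listed once here; the original file also had an
# unannotated copy of the tcp_socket rule near the top.
allow samgr softbus_server:tcp_socket { read write setopt shutdown };
allow samgr softbus_server:fd { use };

#avc: denied { get } for service=4700 pid=245 scontext=u:r:samgr:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1
allow samgr sa_softbus_service:samgr_class { get };

# System-basic and system-core application processes: same access pattern
# as normal_hap above.
allow samgr system_basic_hap:binder { call };
allow samgr system_basic_hap:dir { search };
allow samgr system_basic_hap:file { open read };
allow samgr system_basic_hap:process { getattr };

allow samgr system_core_hap:binder { call };
allow samgr system_core_hap:dir { search };
allow samgr system_core_hap:file { open read };
allow samgr system_core_hap:process { getattr };

allow samgr system_bin_file:dir { search };

allow samgr system_file:file { getattr map open read };

allow samgr system_profile_file:dir { open read };

#avc: denied { getopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1
#avc: denied { setopt } for pid=245 comm="samgr" scontext=u:r:samgr:s0 tcontext=u:r:samgr:s0 tclass=unix_dgram_socket permissive=1
# Socket options on samgr's own datagram sockets.  Listed once here; the
# original file also had an unannotated copy of this rule near the top.
allow samgr samgr:unix_dgram_socket { getopt setopt };

#avc: denied { set } for parameter=bootevent.samgr.ready.true pid=254 uid=5555 gid=5555 scontext=u:r:samgr:s0 tcontext=u:object_r:bootevent_param:s0 tclass=parameter_service permissive=0
# Generic boot-event label; see the bootevent_samgr_param rule above.
allow samgr bootevent_param:parameter_service { set };

# Restrict the binder ioctl permission granted above to the single command
# 0x6207; any other ioctl on the binder device is still denied.
allowxperm samgr dev_binder_file:chr_file ioctl { 0x6207 };

# The perf parameter file may live on tmpfs and is mapped read-only by samgr.
allow samgr_perf_param tmpfs:filesystem associate;

allow samgr samgr_perf_param:file { map open read };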