# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Domain for the HDF device manager daemon. The entrypoint denial below
# places its binary at /vendor/bin/hdf_devmgr. The sadomain and domain
# attributes are defined outside this file, so the base grants they carry
# are not visible here.
type hdf_devmgr, sadomain, domain;
# Label of the daemon executable (file attributes defined elsewhere).
type hdf_devmgr_exec, exec_attr, file_attr, system_file_attr;
# Device-node labels. dev_hdf_kevent is used by the ioctl rules further
# down; dev_hdfwifi is declared here but no rule in this file references
# it — presumably it is assigned in file_contexts and consumed elsewhere.
type dev_hdf_kevent, dev_attr;
type dev_hdfwifi, dev_attr;

# Project macro (defined outside this file); from the entrypoint denial
# (comm="init") it presumably wires the init -> hdf_devmgr transition.
init_daemon_domain(hdf_devmgr);

# init execs /vendor/bin/hdf_devmgr into this domain.
#avc:  denied  { entrypoint } for  pid=235 comm="init" path="/vendor/bin/hdf_devmgr" dev="mmcblk0p6" ino=14 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:hdf_devmgr_exec:s0 tclass=file permissive=1
allow hdf_devmgr hdf_devmgr_exec:file entrypoint;

# Outgoing binder calls from the device manager to the power and camera
# host processes. hdf_devmgr is the caller in both denials; the reverse
# direction (hosts calling hdf_devmgr) is not granted here.
#avc:  denied  { call } for  pid=242 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:power_host:s0 tclass=binder permissive=1
#avc:  denied  { call } for  pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:camera_host:s0 tclass=binder permissive=1
allow hdf_devmgr { power_host camera_host }:binder call;

# Queries against the kernel security server: validating a context string
# and computing an access vector. No policy-changing permissions
# (load_policy, setenforce, ...) are granted on this class.
#avc:  denied  { check_context } for  pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1
#avc:  denied  { compute_av } for  pid=236 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1
allow hdf_devmgr security:security { check_context compute_av };

# selinuxfs access: traverse the mount and open /sys/fs/selinux/context
# read/write (the path recorded in the denial). Presumably this is the
# userspace side of the check_context query granted above.
# NOTE(review): the file rule matches by type, so it also covers any other
# selinuxfs node carrying the selinuxfs label (enforce, load, ...). Those
# operations need extra security:security permissions that this file does
# not grant, so this rule alone does not let the daemon change enforcement
# state — keep it that way.
#avc:  denied  { search } for  pid=243 comm="hdf_devmgr" name="/" dev="selinuxfs" ino=1 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=1
allow hdf_devmgr selinuxfs:dir search;

#avc:  denied  { open } for  pid=243 comm="hdf_devmgr" path="/sys/fs/selinux/context" dev="selinuxfs" ino=5 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
#avc:  denied  { read write } for  pid=243 comm="hdf_devmgr" name="context" dev="selinuxfs" ino=5 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
allow hdf_devmgr selinuxfs:file { read write open };

# hdf_devmgr walks /proc/<pid> of the telephony_sa process, reads its
# attr/current and stats the process. From the paths in the denials this
# looks like a peer security-context lookup (e.g. a getpidcon-style check
# of a binder client) — confirm against the caller. Read-only: no write,
# ptrace or signal permissions on telephony_sa are granted.
#avc:  denied  { search } for  pid=236 comm="hdf_devmgr" name="643" dev="proc" ino=683 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=dir permissive=1
allow hdf_devmgr telephony_sa:dir search;

#avc:  denied  { open } for  pid=243 comm="hdf_devmgr" path="/proc/593/attr/current" dev="proc" ino=24187 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=243 comm="hdf_devmgr" name="current" dev="proc" ino=24187 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=file permissive=1
allow hdf_devmgr telephony_sa:file { read open };

#avc:  denied  { getattr } for  pid=243 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:telephony_sa:s0 tclass=process permissive=1
allow hdf_devmgr telephony_sa:process getattr;

# ioctl on /dev/hdf_kevent, restricted by allowxperm to the two request
# codes seen in the denials (0x6201, 0x6202); any other ioctl on the node
# is still denied.
# NOTE(review): both denials were logged with tcontext=dev_file, i.e. the
# node was not yet labeled dev_hdf_kevent when captured. The rules below
# target dev_hdf_kevent, so they only take effect once file_contexts (not
# visible here) assigns that label to /dev/hdf_kevent — verify.
#avc:  denied  { ioctl } for  pid=245 comm="hdf_devmgr" path="/dev/hdf_kevent" dev="tmpfs" ino=199 ioctlcmd=0x6201 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=1
#avc:  denied  { ioctl } for  pid=245 comm="hdf_devmgr" path="/dev/hdf_kevent" dev="tmpfs" ino=199 ioctlcmd=0x6202 scontext=u:r:hdf_devmgr:s0 tcontext=u:object_r:dev_file:s0 tclass=chr_file permissive=1
allow hdf_devmgr dev_hdf_kevent:chr_file ioctl;
allowxperm hdf_devmgr dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 };

# Kernel uevent listener: the daemon creates, configures, binds and reads
# its own NETLINK_KOBJECT_UEVENT socket (source and target context are the
# same domain, hence `self`). No write permission is granted, so it can
# only receive uevents, not inject them.
#avc:  denied  { create } for  pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1
#avc:  denied  { setopt } for  pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1
#avc:  denied  { bind } for  pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1
#avc:  denied  { read } for  pid=239 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:hdf_devmgr:s0 tclass=netlink_kobject_uevent_socket permissive=1
allow hdf_devmgr self:netlink_kobject_uevent_socket { create setopt bind read };

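# for testcase start
# Test-only grants: hdf_devmgr talks over binder to the sample_host test
# host and to the sh domain (presumably the shell), and reads their
# /proc/<pid>/attr/current the same way it does for telephony_sa above.
# NOTE(review): as written these rules are part of the regular policy.
# Letting a privileged daemon call/transfer over binder towards the shell
# domain and a sample test host is more than a release build needs; if the
# project has a debug/test-only policy variant, these rules belong there.
#avc:  denied  { call } for  pid=240 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
#avc:  denied  { call } for  pid=240 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=binder permissive=1
#avc:  denied  { read } for  pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=30596 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=246 comm="hdf_devmgr" path="/proc/2127/attr/current" dev="proc" ino=30142 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=file permissive=0
#avc:  denied  { getattr } for  pid=244 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=process permissive=0
#avc:  denied  { transfer } for  pid=238 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=binder permissive=0
#avc:  denied  { search } for  pid=241 comm="hdf_devmgr" name="2029" dev="proc" ino=32820 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sample_host:s0 tclass=dir permissive=1
#avc:  denied  { transfer } for  pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
#avc:  denied  { search } for  pid=241 comm="hdf_devmgr" name="1998" dev="proc" ino=31745 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=dir permissive=1
#avc:  denied  { read } for  pid=241 comm="hdf_devmgr" name="current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=241 comm="hdf_devmgr" path="/proc/2125/attr/current" dev="proc" ino=31058 scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=241 comm="hdf_devmgr" scontext=u:r:hdf_devmgr:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
# sample_host and sh end up with the identical permission set, so one rule
# per class covers both. This also folds the sh binder permissions, which
# were previously split across two separate `allow ... sh:binder` statements,
# into a single rule so the full grant is visible in one place.
allow hdf_devmgr { sample_host sh }:binder { call transfer };
allow hdf_devmgr { sample_host sh }:dir search;
allow hdf_devmgr { sample_host sh }:file { read open };
allow hdf_devmgr { sample_host sh }:process getattr;
# for testcase end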