# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the hidumper_service domain.
# Every allow rule below the macro has hidumper_service as its source type, so
# this file is the complete list (as far as this file shows) of what that
# domain may touch. The rules are overwhelmingly read-only (getattr/open/read);
# the exceptions are called out where they occur: program execution without a
# domain transition, writes to hidumper_file, data_log, ttys and sockets.
# NOTE(review): hidumper_service is presumably a diagnostic dump collector,
# judging by the name and by the breadth of read access - confirm against the
# component documentation.

# Macro: lets the domain(s) passed as $1 use file descriptors received from
# hidumper_service and write to a fifo (pipe) owned by it. Only fd use and
# fifo write are granted - no read, open or create on the pipe.
define(`use_hidumper', `
    allow $1 hidumper_service:fd use;
    allow $1 hidumper_service:fifo_file write;
')

# Applied to every domain carrying the sadomain or hdfdomain attribute.
# NOTE(review): presumably so each service can write its dump output into a
# pipe handed over by hidumper_service - confirm.
use_hidumper({ sadomain hdfdomain });

# Rules of the form DOMAIN:dir/file/lnk_file target objects labelled with a
# process domain type; those are normally the /proc/PID entries of processes
# running in that domain. All such grants in this file are read-only.
# Rules of the form X_exec:file { getattr map open read } allow reading and
# mapping the executable image but do not include execute, so the binary
# cannot be run through these rules.
allow hidumper_service appspawn:dir { getattr open read search };
allow hidumper_service appspawn:file { getattr open read };
allow hidumper_service appspawn:lnk_file read;
allow hidumper_service appspawn_exec:file { getattr map open read };

# Data partition: directory traversal plus read access to logs.
# data_init_agent:file also carries append and ioctl.
allow hidumper_service data_file:dir { getattr open read search };
allow hidumper_service data_init_agent:dir search;
allow hidumper_service data_init_agent:file { append ioctl open read };
allow hidumper_service data_log:dir { open read search };
allow hidumper_service data_log:file { getattr open read };
allow hidumper_service data_misc:dir search;

allow hidumper_service debugfs:dir { open read };

# Device nodes. dev_kmsg_file { open read } is read access to the kernel
# message device (see also kernel:system syslog_read further down).
# dev_unix_socket:sock_file write is what a client needs to connect to a
# socket file under that label.
allow hidumper_service dev_block_file:blk_file getattr;
allow hidumper_service dev_block_file:dir search;
allow hidumper_service dev_block_file:lnk_file read;
allow hidumper_service dev_file:dir getattr;
allow hidumper_service dev_kmsg_file:chr_file { open read };
allow hidumper_service dev_pts_file:dir getattr;
allow hidumper_service dev_unix_socket:dir search;
allow hidumper_service dev_unix_socket:sock_file write;

allow hidumper_service deviceauth_service_exec:file { getattr map open read };
# Read/write on pseudo-terminal character devices (no open: the descriptor
# must already be open, e.g. inherited).
allow hidumper_service devpts:chr_file { read write };

# faultloggerd: read from its fifo and connect to its unix stream socket.
allow hidumper_service faultloggerd:fifo_file read;
allow hidumper_service faultloggerd:unix_stream_socket connectto;
allow hidumper_service faultloggerd_exec:file { getattr map open read };

# hdcd: process entries plus use of file descriptors passed from hdcd.
allow hidumper_service hdcd:dir { getattr open read search };
allow hidumper_service hdcd:fd use;
allow hidumper_service hdcd:file { getattr open read };
allow hidumper_service hdcd:lnk_file read;
allow hidumper_service hdcd_exec:file { getattr map open read };

allow hidumper_service hdf_devmgr_exec:file { getattr map open read };

# hidumper (a separate domain from hidumper_service): binder calls into it
# and read access to its process entries.
allow hidumper_service hidumper:binder call;
allow hidumper_service hidumper:dir { getattr open read search };
allow hidumper_service hidumper:file { getattr open read };
allow hidumper_service hidumper:lnk_file read;
allow hidumper_service hidumper_exec:file { getattr map open read };

# hidumper_file is the one label this domain may create and delete files
# under (add_name/remove_name on the dir, create/unlink/write on files).
# NOTE(review): presumably the dump output directory - confirm.
allow hidumper_service hidumper_file:dir { add_name open read remove_name search write };
allow hidumper_service hidumper_file:file { create ioctl open unlink write };

allow hidumper_service hilogd_exec:file { getattr map open read };
allow hidumper_service hiview_exec:file { getattr map open read };

# init: process entries and connecting to a unix stream socket owned by init.
allow hidumper_service init:dir { getattr open read search };
allow hidumper_service init:file { getattr open read };
allow hidumper_service init:lnk_file read;
allow hidumper_service init:unix_stream_socket connectto;

allow hidumper_service installs_exec:file { getattr map open read };

# kernel domain: process entries of kernel threads, and syslog_read, which
# permits reading the kernel log buffer.
# NOTE(review): kernel log access combined with dev_kmsg_file above means dump
# output may carry kernel messages; access to the dump interface itself
# should be correspondingly restricted - verify in the callers policy.
allow hidumper_service kernel:dir { getattr open read search };
allow hidumper_service kernel:file { getattr open read };
allow hidumper_service kernel:lnk_file read;
allow hidumper_service kernel:system syslog_read;

allow hidumper_service limit_domain:file { getattr open read };
allow hidumper_service limit_domain:lnk_file read;

# Read-only access to process entries of application domains (normal_hap
# here, system_basic_hap further down).
allow hidumper_service normal_hap:dir { getattr open read search };
allow hidumper_service normal_hap:file { getattr open read };
allow hidumper_service normal_hap:lnk_file read;

# Individually labelled /proc files, read-only. The rules with only
# { open read } get their getattr added near the end of this file.
allow hidumper_service proc_cmdline_file:file { getattr open read };
allow hidumper_service proc_loadavg_file:file { open read };
allow hidumper_service proc_meminfo_file:file { open read };
allow hidumper_service proc_modules_file:file { getattr open read };
allow hidumper_service proc_net:file { getattr open read };
allow hidumper_service proc_net_tcp_udp:file { open read };
allow hidumper_service proc_slabinfo_file:file { getattr open read };
allow hidumper_service proc_stat_file:file { open read };
allow hidumper_service proc_version_file:file { getattr open read };
allow hidumper_service proc_vmallocinfo_file:file { getattr open read };
allow hidumper_service proc_vmstat_file:file { getattr open read };
allow hidumper_service proc_zoneinfo_file:file { getattr open read };

allow hidumper_service render_service_exec:file { getattr map open read };

# UDP socket creation and ioctl only; no bind, connect, read or write on
# udp_socket is granted in this file.
allow hidumper_service self:udp_socket { create ioctl };

# execute + execute_no_trans: the shell is executed WITHOUT a domain
# transition, so it runs as hidumper_service with every permission in this
# file. The same applies to system_bin_file and hilog_exec below.
# NOTE(review): any caller-influenced command line reaching this shell would
# inherit the whole rule set - confirm how the command strings are built.
allow hidumper_service sh_exec:file { execute execute_no_trans getattr map open read };
allow hidumper_service storage_daemon_exec:file { getattr map open read };

allow hidumper_service sys_file:dir { open read };
allow hidumper_service sys_file:file { getattr open read };

allow hidumper_service system_basic_hap:dir { getattr open read search };
allow hidumper_service system_basic_hap:file { getattr open read };
allow hidumper_service system_basic_hap:lnk_file read;

# System partition. Files labelled system_bin_file may be executed in the
# hidumper_service domain itself (execute_no_trans, no transition).
allow hidumper_service system_bin_file:dir { getattr search };
allow hidumper_service system_bin_file:file { execute execute_no_trans getattr map open read };
allow hidumper_service system_bin_file:lnk_file read;
allow hidumper_service system_file:dir getattr;
allow hidumper_service system_fonts_file:dir getattr;
allow hidumper_service system_lib_file:dir getattr;
allow hidumper_service system_profile_file:dir getattr;
allow hidumper_service system_usr_file:dir getattr;

allow hidumper_service tty_device:chr_file { open read write };

allow hidumper_service udevd:dir { getattr open read search };
allow hidumper_service udevd:file { getattr read open };
allow hidumper_service udevd:lnk_file read;
allow hidumper_service udevd_exec:file { getattr map open read };

allow hidumper_service ueventd:dir { getattr open read search };
allow hidumper_service ueventd:file { getattr open read };
allow hidumper_service ueventd:lnk_file read;
allow hidumper_service ueventd_exec:file { getattr map open read };

allow hidumper_service uinput_inject_exec:file { getattr map open read };

# Vendor partition: read and map only, no execute.
allow hidumper_service vendor_bin_file:dir search;
allow hidumper_service vendor_bin_file:file { getattr map open read };
allow hidumper_service vendor_file:dir getattr;
allow hidumper_service vendor_lib_file:dir search;
allow hidumper_service vendor_lib_file:file { getattr map open read };

allow hidumper_service watchdog_service_exec:file { getattr map open read };
allow hidumper_service wifi_hal_service_exec:file { getattr map open read };

# Attribute-wide grants. Binder calls are allowed to every sadomain member
# except installs; process entries are readable for all of hdfdomain and
# sadomain. These rules grow automatically whenever a new domain is given
# one of those attributes.
allow hidumper_service { sadomain -installs }:binder call;
allow hidumper_service { hdfdomain sadomain }:dir { getattr open read search };
allow hidumper_service { hdfdomain sadomain }:file { getattr open read };
allow hidumper_service { hdfdomain sadomain }:lnk_file read;

# The next four rules were added from the audit records quoted above each of
# them. permissive=1 in those records means the access was logged but not
# blocked when it was captured.
# NOTE(review): rules derived from permissive-mode logs record what the
# process attempted, not necessarily what it needs; each should be checked
# against an actual requirement.
#avc: denied { get } for service=3301 pid=611 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_foundation_powermgr_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_foundation_powermgr_service:samgr_class { get };

#avc: denied { get } for service=3302 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_foundation_battery_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_foundation_battery_service:samgr_class { get };

#avc: denied { get } for service=3308 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_foundation_displaymgr_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_foundation_displaymgr_service:samgr_class { get };

#avc: denied { get } for service=3303 pid=553 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_foundation_thermal_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_foundation_thermal_service:samgr_class { get };

# Additional grants, several of which extend earlier rules for the same
# target (devpts, hidumper_file, tty_device, hdcd). hilog_exec is the third
# label executable without a domain transition.
allow hidumper_service dev_at_file:chr_file ioctl;
allow hidumper_service dev_block_volfile:dir search;
allow hidumper_service dev_console_file:chr_file getattr;
allow hidumper_service devpts:chr_file getattr;
allow hidumper_service hidumper_file:dir getattr;
allow hidumper_service hidumper_file:file read;
allow hidumper_service hilog_exec:file { execute execute_no_trans getattr map open read };
allow hidumper_service proc_file:file { open read };
allow hidumper_service processdump:dir search;
allow hidumper_service processdump:file { open read };
allow hidumper_service sh:dir { getattr open read };
allow hidumper_service sh:fifo_file getattr;
allow hidumper_service sh:file getattr;
allow hidumper_service sh:lnk_file read;
allow hidumper_service sysfs_devices_system_cpu:file { open read };
allow hidumper_service tty_device:chr_file getattr;
allow hidumper_service hdcd:fifo_file write;
allow hidumper_service sh:fd use;

# samgr_class get: one rule per system-ability label. Per the audit records
# quoted earlier, get is checked per service id when hidumper_service looks a
# service up. The list is explicit rather than attribute-based, so a service
# missing here is not retrievable by this domain.
# NOTE(review): the list includes authentication, key-storage and privacy
# related labels (sa_useriam_*, sa_huks_service, sa_accesstoken_manager_service,
# sa_privacy_service); get only permits obtaining the service handle, and what
# can then be invoked depends on the binder rules above and on each
# service's own caller checks - verify those.
allow hidumper_service sa_accessibleabilityms:samgr_class get;
allow hidumper_service sa_accountmgr:samgr_class get;
allow hidumper_service sa_bgtaskmgr:samgr_class get;
allow hidumper_service sa_bluetooth_server:samgr_class get;
allow hidumper_service sa_comm_dns_manager_service:samgr_class get;
allow hidumper_service sa_comm_ethernet_manager_service:samgr_class get;
allow hidumper_service sa_comm_mdns_manager_service:samgr_class get;
allow hidumper_service sa_comm_net_stats_manager_service:samgr_class get;
allow hidumper_service sa_dataobs_mgr_service_service:samgr_class get;
allow hidumper_service sa_device_usage_statistics_service:samgr_class get;
allow hidumper_service sa_dfx_sys_hidumper_ability:samgr_class get;
allow hidumper_service sa_distributeddata_service:samgr_class get;
allow hidumper_service sa_distributeschedule:samgr_class get;
allow hidumper_service sa_enterprise_device_manager_service:samgr_class get;
allow hidumper_service sa_form_mgr_service:samgr_class get;
allow hidumper_service sa_foundation_abilityms:samgr_class get;
allow hidumper_service sa_foundation_appms:samgr_class get;
allow hidumper_service sa_foundation_bms:samgr_class get;
allow hidumper_service sa_hiview_service:samgr_class get;
allow hidumper_service sa_installd_service:samgr_class get;
allow hidumper_service sa_net_conn_manager:samgr_class get;
allow hidumper_service sa_net_policy_manager:samgr_class get;
allow hidumper_service sa_netsys_native_manager:samgr_class get;
allow hidumper_service sa_render_service:samgr_class get;
allow hidumper_service sa_resource_schedule:samgr_class get;
allow hidumper_service sa_resource_schedule_socperf_server:samgr_class get;
allow hidumper_service sa_sys_event_service:samgr_class get;
allow hidumper_service sa_uri_permission_mgr_service:samgr_class get;
allow hidumper_service sa_useriam_authexecutormgr_service:samgr_class get;
allow hidumper_service sa_useriam_faceauth_service:samgr_class get;
allow hidumper_service sa_useriam_userauth_service:samgr_class get;
allow hidumper_service sa_wifi_device_ability:samgr_class get;
allow hidumper_service sa_wifi_hotspot_ability:samgr_class get;
allow hidumper_service sa_wifi_p2p_ability:samgr_class get;
allow hidumper_service sa_wifi_scan_ability:samgr_class get;
allow hidumper_service sa_work_schedule_service:samgr_class get;
allow hidumper_service sa_accesstoken_manager_service:samgr_class get;
allow hidumper_service sa_audio_policy_service:samgr_class get;
allow hidumper_service sa_camera_service:samgr_class get;
allow hidumper_service sa_device_auth_service:samgr_class get;
allow hidumper_service sa_device_profile_service:samgr_class get;
allow hidumper_service sa_device_security_level_manager_service:samgr_class get;
allow hidumper_service sa_device_service_manager:samgr_class get;
allow hidumper_service sa_download_service:samgr_class get;
allow hidumper_service sa_file_manager_service:samgr_class get;
allow hidumper_service sa_filemanagement_distributed_file_daemon_service:samgr_class get;
allow hidumper_service sa_foundation_ans:samgr_class get;
allow hidumper_service sa_foundation_cesfwk_service:samgr_class get;
allow hidumper_service sa_foundation_devicemanager_service:samgr_class get;
allow hidumper_service sa_foundation_dms:samgr_class get;
allow hidumper_service sa_foundation_tel_call_manager:samgr_class get;
allow hidumper_service sa_foundation_tel_state_registry:samgr_class get;
allow hidumper_service sa_huks_service:samgr_class get;
allow hidumper_service sa_inputmethod_service:samgr_class get;
allow hidumper_service sa_location_geo_convert_service:samgr_class get;
allow hidumper_service sa_location_locator_service:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_gnss:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_network:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_passive:samgr_class get;
allow hidumper_service sa_media_service:samgr_class get;
allow hidumper_service sa_memory_manager_service:samgr_class get;
allow hidumper_service sa_msdp_devicestatus_service:samgr_class get;
allow hidumper_service sa_multimodalinput_service:samgr_class get;
allow hidumper_service sa_pasteboard_service:samgr_class get;
allow hidumper_service sa_privacy_service:samgr_class get;
allow hidumper_service sa_pulseaudio_audio_service:samgr_class get;
allow hidumper_service sa_screenlock_service:samgr_class get;
allow hidumper_service sa_softbus_service:samgr_class get;
allow hidumper_service sa_storage_manager_daemon:samgr_class get;
allow hidumper_service sa_storage_manager_service:samgr_class get;
allow hidumper_service sa_subsys_ace_service:samgr_class get;
allow hidumper_service sa_telephony_tel_cellular_call:samgr_class get;
allow hidumper_service sa_telephony_tel_cellular_data:samgr_class get;
allow hidumper_service sa_telephony_tel_core_service:samgr_class get;
allow hidumper_service sa_telephony_tel_sms_mms:samgr_class get;
allow hidumper_service sa_time_service:samgr_class get;
allow hidumper_service sa_update_distributed_service:samgr_class get;
allow hidumper_service sa_usb_service:samgr_class get;
allow hidumper_service sa_useriam_pinauth_service:samgr_class get;
allow hidumper_service sa_useriam_useridm_service:samgr_class get;
allow hidumper_service sa_wallpaper_manager_service:samgr_class get;
# list on the samgr label itself, in addition to the per-service get rules.
allow hidumper_service samgr:samgr_class list;
allow hidumper_service sa_devattest_service:samgr_class get;

# Follow-up grants: getattr on profiler and native_daemon entries, the
# getattr missing from the earlier proc_* { open read } rules, raw IP socket
# creation (create only), and a file lock on system_etc_file.
allow hidumper_service hiprofiler_cmd:file getattr;
allow hidumper_service hiprofiler_plugins:file getattr;
allow hidumper_service hiprofilerd:file getattr;
allow hidumper_service musl_param:file { map open read };
allow hidumper_service native_daemon:dir search;
allow hidumper_service native_daemon:file { getattr open read };
allow hidumper_service proc_loadavg_file:file getattr;
allow hidumper_service proc_meminfo_file:file getattr;
allow hidumper_service proc_net_tcp_udp:file getattr;
allow hidumper_service proc_stat_file:file getattr;
allow hidumper_service self:rawip_socket create;
allow hidumper_service system_etc_file:file lock;

# Individually labelled debugfs entries, read-only.
allow hidumper_service debugfs_failed_transaction_log:file { getattr open read };
allow hidumper_service debugfs_transactions:file { getattr open read };
allow hidumper_service debugfs_transaction_log:file { getattr open read };
allow hidumper_service debugfs_used:file { getattr open read };
allow hidumper_service debugfs_wakeup_sources:file { getattr open read };
allow hidumper_service debugfs_stats:file { getattr open read };
allow hidumper_service debugfs_state:file { getattr open read };
# Adds write to the read-only data_log:file rule near the top of the file.
# NOTE(review): write (without append-only restriction) lets this domain
# modify existing log files under data_log; confirm that a dump service
# needs it, since log integrity matters for incident investigation.
allow hidumper_service data_log:file { read write };