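# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the hiview domain (system event / fault logging
# daemon).  Rules are grouped by the resource they touch.  The "#avc:" lines
# are the audit denials that motivated the rule beneath them and are kept as
# provenance.  Open questions for the policy owner are marked NOTE(review).

# hiview is a system-ability daemon (sadomain) launched by init.
type hiview, sadomain, domain;

# Executables: hiview itself plus the hisysevent and usage_report helpers.
type hiview_exec, exec_attr, file_attr, system_file_attr;
type hisysevent_exec, exec_attr, file_attr, system_file_attr;
type usage_report_exec, exec_attr, file_attr, system_file_attr;
# hiview's own data files.
type hiview_file, file_attr, data_file_attr;
# Socket node on which hiview receives hisysevent reports.
type hisysevent_socket, dev_attr, file_attr;

# init spawns hiview and transitions it into the hiview domain.
init_daemon_domain(hiview);

# use_hisysevent(SOURCE_TYPES): grant $1 write access to the hisysevent socket
# node so that it can submit events.
define(`use_hisysevent', `
    allow $1 hisysevent_socket:sock_file write;
')

# Every domain except kernel may report events.  The socket is therefore a
# system-wide ingress point: hiview must treat what it reads from it as
# untrusted input (validate format, bound sizes and rates).
use_hisysevent({ domain -kernel })

# Self access: CAP_SYSLOG (read the kernel log), own directory, own binary.
allow hiview hiview:capability2 { syslog };
allow hiview hiview:dir { search };
allow hiview hiview_exec:file { entrypoint execute map read };

# Sockets shared with init and faultloggerd.
allow hiview hiview:unix_dgram_socket { getopt setopt };
allow hiview init:unix_dgram_socket { getattr getopt read write setopt };
allow hiview init:unix_stream_socket { connectto };
allow hiview faultloggerd:unix_stream_socket { connectto };

# Private data: hiview may create, rewrite and delete files in its own dirs.
allow hiview hiview_file:dir { search getattr read open write add_name remove_name };
allow hiview hiview_file:file { append ioctl unlink map read write getattr open lock };

# Read-mostly access to system, device and app locations.  The writable
# targets in this group are data_log (log output) and rootfs chr devices.
allow hiview data_file:dir { search };
allow hiview data_log:dir { add_name open read search watch write create remove_name };
allow hiview data_log:file { create getattr lock map open read write unlink };
allow hiview data_system:dir { search getattr };
allow hiview system_etc_file:dir { open read };
allow hiview system_bin_file:dir { search };
# NOTE(review): `entrypoint` on the generic system_bin_file type lets any
# binary carrying that label be an entry point into the hiview domain, not
# only the hiview_exec / usage_report_exec types declared above.  Confirm
# which binary needs this; a dedicated *_exec type keeps the entry set explicit.
allow hiview system_bin_file:file { read execute entrypoint };
allow hiview system_bin_file:lnk_file { read };
allow hiview sys_file:dir { read open };
allow hiview sys_file:file { read open };
allow hiview dev_bbox:chr_file { read open };
allow hiview normal_hap:dir { search };
allow hiview normal_hap:file { read open };
allow hiview proc_cpuinfo_file:file { read open };
allow hiview sh:file { read open };
allow hiview sh:dir { search };
# NOTE(review): read/write on every rootfs-labelled character device is broad
# for a logging daemon; the dev_console_file rule near the end of this file
# suggests the console is the intended target -- confirm and narrow if so.
allow hiview rootfs:chr_file { read write };
allow hiview faultloggerd_temp_file:file { getattr };
allow hiview faultloggerd:fifo_file { read };
allow hiview system_basic_hap:dir { search };
allow hiview system_basic_hap:file { read open };
# usage_report is executed without a domain transition (execute_no_trans), so
# it runs with hiview's full permissions; the comm="usage_report" denial at the
# end of this file shows it in scontext u:r:hiview:s0.
allow hiview usage_report_exec:file { getattr read open execute_no_trans map execute };

# init-agent data files; the ioctl grant is narrowed by the allowxperm rule below.
allow hiview data_init_agent:dir { search };
allow hiview data_init_agent:file { ioctl open read append };

# Binder peers hiview may call into and pass handles to.  normal_hap and sh
# are unprivileged client domains, so anything that comes back from them
# (replies, callbacks) crosses a trust boundary -- presumably callback
# delivery; confirm against the service code.
allow hiview foundation:binder { call transfer };
allow hiview init:binder { call transfer };
allow hiview samgr:binder { call transfer };
allow hiview tmpfs:lnk_file { read };
allow hiview time_service:binder { call transfer };
allow hiview param_watcher:binder { call transfer };
allow hiview hdcd:binder { call transfer };
allow hiview resource_schedule_service:binder { call transfer };
allow hiview normal_hap:binder { call transfer };
allow hiview sh:binder { call transfer };
allow hiview accountmgr:binder { call transfer };
allow hiview device_usage_stats_service:binder { call transfer };

# Unix socket nodes under the shared socket directory, plus faultloggerd's.
allow hiview dev_unix_socket:dir { search };
allow hiview dev_unix_socket:sock_file { write };
allow hiview faultloggerd_socket:sock_file { write };

# ftrace trace markers.
allow hiview tracefs:dir { search };
allow hiview tracefs_trace_marker_file:file { write open };

# Vendor shared libraries (map + execute is what loading a .so requires).
allow hiview vendor_lib_file:dir { search };
allow hiview vendor_lib_file:file { read open getattr map execute };

allow hiview bgtaskmgr_service:dir { search };
allow hiview bgtaskmgr_service:file { open read };

# Service-manager lookup; note the denial was captured in permissive mode.
#avc:  denied  { get } for service=3301 pid=618 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_foundation_powermgr_service:s0 tclass=samgr_class permissive=1
allow hiview sa_foundation_powermgr_service:samgr_class { get };

# Restrict the data_init_agent ioctl grant above to a single request:
# 0x5413 = TIOCGWINSZ (terminal window size query).
allowxperm hiview data_init_agent:file ioctl { 0x5413 };

# System abilities hiview registers (add) and looks up (get).
allow hiview sa_sys_event_service:samgr_class { add get };
allow hiview sa_hiview_service:samgr_class { add get };
allow hiview sa_hiview_faultlogger_service:samgr_class { add get };

# Denial-driven rules; each audit line precedes the rule it motivated.
#avc:  denied  { read write } for  pid=1955 comm="hiview" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
allow hiview dev_console_file:chr_file { read write };
#avc:  denied  { write } for  pid=1961 comm="hiview" name="paramservice" dev="tmpfs" ino=28 scontext=u:r:hiview:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0
allow hiview paramservice_socket:sock_file { write };
# The paramservice socket peer was labelled u:r:kernel:s0 in the denial, so
# connecting to it needs connectto on the kernel domain.  NOTE(review):
# presumably the parameter service had not yet left the kernel context when
# this was captured; confirm before relying on (or widening) this grant.
#avc:  denied  { connectto } for  pid=1130 comm="hiview" path="/dev/unix/socket/paramservice" scontext=u:r:hiview:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0
allow hiview kernel:unix_stream_socket { connectto };

# musl parameter file under /dev/__parameters__, read both by hiview and by
# the in-domain usage_report helper.
#avc:  denied  { read } for  pid=4200 comm="usage_report" name="u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { map } for  pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow hiview musl_param:file { read open map };
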