# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the download_server domain and for the domains
# that talk to it. Rules are grouped by purpose; allow rules are additive and
# unordered, so the grouping does not change the resulting permission set.
# Where the original author recorded the AVC denial that motivated a rule,
# the denial is kept directly above the rule it justifies.

# ---------------------------------------------------------------------------
# Service-manager lookups (samgr_class get)
# ---------------------------------------------------------------------------

# Services that download_server itself looks up.
# avc: denied { get } for service=501 pid=1640 scontext=u:r:download_server:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0
allow download_server { sa_accesstoken_manager_service sa_foundation_ans sa_foundation_appms }:samgr_class { get };

# Client domains allowed to look up the download service.
# NOTE(review): the recorded denial names tcontext sa_download_server, while
# the rule grants on sa_download_service. Confirm which label the service is
# actually registered under, otherwise this grant may not match the object
# that was denied.
# avc: denied { get } for service=3706 pid=4299 scontext=u:r:system_basic_hap:s0 tcontext=u:object_r:sa_download_server:s0 tclass=samgr_class permissive=0
allow { system_core_hap system_basic_hap } sa_download_service:samgr_class { get };

# ---------------------------------------------------------------------------
# Binder IPC
# ---------------------------------------------------------------------------

# Outbound calls from download_server. Only `call` is granted towards the
# access-token service and the app domains; `transfer` is not.
# avc: denied { call } for pid=2168 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0
# avc: denied { call } for pid=2158 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0
allow download_server { accesstoken_service normal_hap system_core_hap system_basic_hap }:binder { call };

# foundation is the only peer that gets call + transfer in both directions.
allow download_server foundation:binder { call transfer };

# Inbound calls into download_server.
# avc: denied { call } for pid=2093 comm="1.ui" scontext=u:r:system_core_hap:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0
# avc: denied { call } for pid=2094 comm="1.ui" scontext=u:r:system_basic_hap:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0
# avc: denied { call transfer } for pid=1615 comm="IPC_8_1739" scontext=u:r:foundation:s0 tcontext=u:r:download_server:s0 tclass=binder permissive=0
allow { system_core_hap system_basic_hap foundation } download_server:binder { call transfer };

# ---------------------------------------------------------------------------
# File descriptors received from apps, and application data
# ---------------------------------------------------------------------------

# download_server may use descriptors owned by the app domains.
# avc: denied { use } for pid=2588 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=0
# avc: denied { use } for pid=2568 comm="download_server" scontext=u:r:download_server:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=0
allow download_server { normal_hap system_core_hap system_basic_hap }:fd { use };

# Only read/write is granted on app data files; this file grants no `open`,
# so under these rules the server can touch an app's file only through a
# descriptor it was given, not by opening a path itself.
# NOTE(review): keep it that way. Adding `open` here would let the service
# reach any normal_hap_data_file it can name.
# NOTE(review): no file-class rule for system_core_hap / system_basic_hap data
# is visible in this file; confirm where access through their descriptors is
# granted.
allow download_server normal_hap_data_file:file { read write };

# avc: denied { search } for pid=1640 comm="SaInit0" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:download_server:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
allow download_server data_file:dir { search };

# ---------------------------------------------------------------------------
# Networking
# ---------------------------------------------------------------------------

# Sockets created by download_server itself.
# NOTE(review): accept/listen are server-side TCP permissions; confirm the
# download service really needs to take inbound connections.
allow download_server download_server:tcp_socket { accept bind connect create getattr getopt listen read setopt shutdown write };
allow download_server download_server:udp_socket { bind connect create getattr getopt ioctl read setopt write };

# Port and node checks. These are granted on the generic `port` and `node`
# types, so they are not limited to specific labelled ports.
allow download_server port:tcp_socket { name_connect };
allow download_server port:udp_socket { name_bind };
allow download_server node:udp_socket { node_bind };

# Local sockets to the network stack and the DNS proxy.
allow download_server netsysnative:unix_stream_socket { connectto };
# avc: denied { write } for pid=1689 comm="SaInit0" name="dnsproxyd" dev="mmcblk0p12" ino=3397 scontext=u:r:download_server:s0 tcontext=u:object_r:dnsproxy_service:s0 tclass=sock_file permissive=0
allow download_server dnsproxy_service:sock_file { write };

# NOTE(review): dev_file is a generic label. Prefer a dedicated type for the
# socket this rule is meant for (as done for dnsproxy_service above), so the
# grant does not extend to every socket file that carries dev_file.
allow download_server dev_file:sock_file { write };

# ---------------------------------------------------------------------------
# System parameters, sysfs and console
# ---------------------------------------------------------------------------

# Read-only, mapped access to parameter files.
# avc: denied { open read map } for pid=1640 comm="SaInit0" name="u:object_r:musl_param:s0" dev="tmpfs" ino=55 scontext=u:r:download_server:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow download_server { accessibility_param musl_param }:file { map open read };

allow download_server sysfs_hctosys:file { open read };
allow download_server sysfs_rtc:dir { open read };

# NOTE(review): the denial comes from sa_main on /dev/console, which looks
# like an inherited stdio descriptor. If the service does not need console
# I/O, a dontaudit rule would silence the denial without granting access.
# avc: denied { read write } for pid=2360 comm="sa_main" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:download_server:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
allow download_server dev_console_file:chr_file { read write };