# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the nwebspawn domain. Where a rule was derived
# from an observed AVC denial, the denial is kept directly above it; all of
# those were captured with permissive=1, so each rule grants exactly the
# access that was logged and nothing wider. Rules near the end of the file
# have no recorded denial and their origin is not documented here.

# Look up entries under the unix-socket directory (name="socket" on tmpfs).
#avc:  denied  { search } for  pid=1852 comm="nwebspawn" name="socket" dev="tmpfs" ino=40 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow nwebspawn dev_unix_socket:dir { search };

# Traverse the root of the data partition (mmcblk0p11). The logged line had
# "s0tcontext" fused together; the space is restored here, the rule is as logged.
#avc:  denied  { search } for  pid=1852 comm="nwebspawn" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow nwebspawn data_file:dir { search };

# Append-style logging to /data/init_agent/begetctl.log. The ioctl is further
# restricted to cmd 0x5413 by the allowxperm rule later in this file.
#avc:  denied  { read append } for  pid=1852 comm="nwebspawn" name="begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=1852 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { ioctl } for  pid=2616 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=22 ioctlcmd=0x5413 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
allow nwebspawn data_init_agent:file { read append open ioctl };

# Directory traversal needed to reach the log file above.
#avc:  denied  { search } for  pid=2616 comm="nwebspawn" name="init_agent" dev="mmcblk0p11" ino=89761 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1
allow nwebspawn data_init_agent:dir { search };

# Accept connections on the listening socket /dev/unix/socket/NWebSpawn, which
# the denials show is labelled with the init domain (i.e. created by init and
# handed to this process).
#avc:  denied  { accept } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
#avc:  denied  { getattr } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
#avc:  denied  { getopt } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
allow nwebspawn init:unix_stream_socket { accept getattr getopt };

# ioctl on /dev/access_token_id; restricted to cmd 0x4102 by allowxperm below.
#avc:  denied  { ioctl } for  pid=4499 comm="nwebspawn" path="/dev/access_token_id" dev="tmpfs" ino=172 ioctlcmd=0x4102 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_at_file:s0 tclass=chr_file permissive=1
allow nwebspawn dev_at_file:chr_file { ioctl };

# --- Dynamic domain transition path ---------------------------------------
# The next four rule groups together allow nwebspawn to relabel itself (or a
# child it has forked) into an app domain without exec: it traverses selinuxfs,
# writes the target label to /sys/fs/selinux/context (which triggers the
# security:check_context check), and then performs setcurrent/dyntransition.
# This is a privileged capability; it should only ever be held by the spawner.
#avc:  denied  { search } for  pid=4499 comm="nwebspawn" name="/" dev="selinuxfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=1
allow nwebspawn selinuxfs:dir { search };

#avc:  denied  { read write } for  pid=4499 comm="nwebspawn" name="context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=4499 comm="nwebspawn" path="/sys/fs/selinux/context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
allow nwebspawn selinuxfs:file { read write open };

#avc:  denied  { check_context } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1
allow nwebspawn security:security { check_context };

# dyntransition: nwebspawn -> normal_hap. NOTE(review): the setcurrent denial
# above has tcontext=u:r:nwebspawn:s0 (the caller's own domain), and the kernel
# checks setcurrent against the caller's own domain, so it is covered by the
# self rule two groups below; listing setcurrent on normal_hap here appears to
# be redundant. The second logged line is also truncated ("permissive=").
#avc:  denied  { setcurrent } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1
#avc:  denied  { dyntransition } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:normal_hap:s0 tclass=process permissive=
allow nwebspawn normal_hap:process { setcurrent dyntransition };

# Self rule: permission to change the current process label at all.
#avc:  denied  { setcurrent } for  pid=4868 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1
allow nwebspawn nwebspawn:process { setcurrent };

# --- Sandbox construction: mounts under /mnt/sandbox/<bundle>/... ---------
# NOTE(review): the next two denials were logged with scontext=u:r:normal_hap:s0,
# i.e. after the dynamic transition, yet the rules are granted to nwebspawn.
# As written they do not match the logged denial; confirm which domain actually
# performs these mounts and that the rule lives in the intended domain.
#avc:  denied  { mounton } for  pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/config" dev="configfs" ino=14342 scontext=u:r:normal_hap:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1
allow nwebspawn configfs:dir { mounton };

#avc:  denied  { mounton } for  pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/dev" dev="tmpfs" ino=1 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1
allow nwebspawn dev_file:dir { mounton };

# Mount on the tmpfs root plus directory creation. create_dir_perms is
# presumably a project-wide permission macro; verify its expansion before
# assuming it is limited to create/add_name-style permissions.
#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/" dev="tmpfs" ino=3 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
allow nwebspawn tmpfs:dir { mounton create_dir_perms };

# Symlink creation on tmpfs; no denial recorded for this rule.
allow nwebspawn tmpfs:lnk_file { create };

# Remaining mount points of the sandbox tree (sys, sys_prod, system/app,
# system/fonts, system/lib, system/usr), each taken from a logged path.
#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys" dev="sysfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:sys_file:s0 tclass=dir permissive=1
allow nwebspawn sys_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys_prod" dev="mmcblk0p6" ino=26 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
allow nwebspawn rootfs:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/app" dev="mmcblk0p6" ino=28 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
allow nwebspawn system_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/fonts" dev="mmcblk0p6" ino=1491 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1
allow nwebspawn system_fonts_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/lib" dev="mmcblk0p6" ino=1540 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
allow nwebspawn system_lib_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/usr" dev="mmcblk0p6" ino=2476 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1
allow nwebspawn system_usr_file:dir { mounton };

# --- Rules without a recorded denial ---------------------------------------
# Read/map app data files, traverse the app data directory, and set attributes
# on this domain's own socket file.
allow nwebspawn data_app_el1_file:file { getattr map read };
allow nwebspawn data_app_file:dir { search };
allow nwebspawn nwebspawn_socket:sock_file { setattr };
# entrypoint: a system_bin_file executable may be the entry point into this
# domain; execute/map/read let it run and load code from system and vendor libs.
allow nwebspawn system_bin_file:dir { search };
allow nwebspawn system_bin_file:file { entrypoint execute map read };
allow nwebspawn vendor_lib_file:dir { search };
allow nwebspawn vendor_lib_file:file { execute getattr map open read };
# Extended permissions: narrow the two ioctl grants above to exactly the
# command numbers that were observed, rather than any ioctl on those files.
allowxperm nwebspawn data_init_agent:file ioctl { 0x5413 };
allowxperm nwebspawn dev_at_file:chr_file ioctl { 0x4102 };

# Read the accessibility parameter file; mount on system-basic app data dirs
# and dyntransition into the system_basic_hap domain (second app domain this
# spawner may enter, alongside normal_hap above).
allow nwebspawn accessibility_param:file { open read map };
allow nwebspawn system_basic_hap_data_file:dir { mounton };
allow nwebspawn system_basic_hap:process { dyntransition };

# Console device I/O, a stream connection to a kernel-labelled unix socket,
# musl parameter reads, the ability to SIGKILL processes in normal_hap, and
# writes to the parameter-service socket. The connectto target being the
# kernel domain is unusual; confirm which socket this is meant to reach.
allow nwebspawn dev_console_file:chr_file { read write };
allow nwebspawn kernel:unix_stream_socket { connectto };
allow nwebspawn musl_param:file { map open read };
allow nwebspawn normal_hap:process { sigkill };
allow nwebspawn paramservice_socket:sock_file { write };

# Create and delete files under data_misc (directory entry add/remove plus
# file create/unlink). This is write access to a shared misc area; keep it
# only if nwebspawn genuinely owns files there.
allow nwebspawn data_misc:dir { add_name search write remove_name };
allow nwebspawn data_misc:file { create map open read write unlink };

104