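# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux policy for the devattest_service daemon (device attestation).
# Review changes relative to the previous revision:
#   - the duplicated `allow netmanager devattest_service:binder { call };`
#     (it appeared twice) is now declared once, next to the audit trace that
#     motivated it;
#   - the two self `udp_socket` rules are merged into one, and the repeated
#     `search` in the data_data_file:dir rule is dropped. Allow rules are
#     additive, so the granted permission set is unchanged.

# Domain and executable type for the daemon; the domain is entered from init
# via init_daemon_domain.
type devattest_service, sadomain, domain;
type devattest_service_exec, system_file_attr, exec_attr, file_attr;

init_daemon_domain(devattest_service);

# NOTE(review): the next four rules grant permissions to storage_daemon,
# foundation and netsysnative, not to devattest_service. They are kept here
# because removing them would change policy, but they presumably belong in the
# .te file of the subject domain they name — confirm with the policy owners.
allow storage_daemon hmdfs:dir { mounton };
allow foundation storage_manager:dir { open read write };
allow foundation storage_manager:file { open read write };
allow netsysnative netmanager:tcp_socket { create read write getopt setopt };

# Filesystem access under /data. `search` on data_data_file:dir was listed
# twice in the previous revision; listing it once is equivalent.
allow devattest_service data_file:dir { search };
allow devattest_service data_data_file:dir { search getattr add_name open read remove_name write create };
allow devattest_service data_data_file:file { append map open read create write getattr setattr unlink lock ioctl rename };
# NOTE(review): write/unlink/rename on the OTA package directory is a broad
# grant for an attestation daemon; confirm it is still required and consider
# narrowing it if only read access is needed.
allow devattest_service data_ota_package:dir { append ioctl open read add_name search write remove_name };
allow devattest_service data_ota_package:file { append create ioctl open read rename unlink };
allow devattest_service dev_file:sock_file { write };

# The daemon's own data directory.
allow devattest_service data_device_attest:dir { search getattr add_name open read remove_name write create };
allow devattest_service data_device_attest:file { append map open read create write getattr setattr unlink lock ioctl rename };

# Outbound networking (TCP name_connect to any port type, plus netsysnative).
allow devattest_service netsysnative:unix_stream_socket { connectto };
allow devattest_service port:tcp_socket { name_connect };
allow devattest_service devattest_service:tcp_socket { connect create read setopt write getopt getattr };
# Union of the two udp_socket rules that were previously declared separately.
allow devattest_service devattest_service:udp_socket { create bind connect getattr ioctl setopt getopt read write };

# Binder IPC with system services.
allow devattest_service accesstoken_service:binder { call };
allow devattest_service foundation:binder { call transfer };
allow devattest_service netmanager:binder { call transfer };
# [18.469899] audit: type=1400 audit(1668560965.423:331): avc: denied { call } for pid=349 comm="netmanager" scontext=u:r:netmanager:s0 tcontext=u:r:devattest_service:s0 tclass=binder permissive=0
allow netmanager devattest_service:binder { call };
allow devattest_service softbus_server:binder { call };

# Service-private storage and misc paths.
allow devattest_service data_service_el1_file:dir { add_name remove_name search write create };
allow devattest_service data_service_el1_file:file { create getattr ioctl lock open read setattr unlink write };
allow devattest_service data_misc:dir { add_name search write };
allow devattest_service data_misc:file { create ioctl open read write };
allow devattest_service data_misc:sock_file { write };
allow devattest_service accessibility_param:file { read };
allow devattest_service dev_unix_socket:dir { search };
allow devattest_service system_bin_file:dir { search };
# NOTE(review): execute_no_trans lets the daemon run system binaries while
# staying in its own domain, so those binaries inherit every grant in this
# file. Confirm which binaries need this and whether a domain transition is
# the better fit.
allow devattest_service system_bin_file:file { execute execute_no_trans map read open };

# Socket binding and local stream connections.
allow devattest_service node:udp_socket { node_bind };
allow devattest_service port:udp_socket { name_bind };
allow devattest_service wifi_hal_service:unix_stream_socket { connectto };
allow devattest_service kernel:unix_stream_socket { connectto };

# Raw/netlink sockets and ioctl extended permissions.
allow devattest_service devattest_service:netlink_route_socket { create nlmsg_read read write };
# NOTE(review): a packet_socket grant allows link-layer send/receive; confirm
# the daemon actually needs raw packet access rather than the UDP/TCP rules
# above.
allow devattest_service devattest_service:packet_socket { bind create read write };
allow devattest_service devattest_service:unix_dgram_socket { ioctl getopt setopt };
# 0x5413 is the Linux TIOCGWINSZ ioctl number.
allowxperm devattest_service data_service_el1_file:file ioctl { 0x5413 };
allowxperm devattest_service data_misc:file ioctl { 0x5413 };
# Linux network-interface ioctls (SIOCADDRT, SIOCGIFFLAGS, SIOCGIFADDR,
# SIOCSIFADDR, SIOCGIFNETMASK, SIOCSIFNETMASK, SIOCGIFHWADDR, SIOCGIFINDEX).
allowxperm devattest_service devattest_service:udp_socket ioctl { 0x890B 0x8913 0x8915 0x8916 0x891b 0x891c 0x8927 0x8933 };
# 0x8910 is the Linux SIOCGIFNAME ioctl number.
allowxperm devattest_service devattest_service:unix_dgram_socket ioctl { 0x8910 };

# System parameter service: publish the attestation result parameter.
allow devattest_service paramservice_socket:sock_file { write create setattr getattr relabelto };
allow devattest_service xts_devattest_authresult_param:file { map open read };
allow devattest_service xts_devattest_authresult_param:parameter_service { set };

# System ability registration/lookup via samgr.
allow devattest_service sa_devattest_service:samgr_class { add };
allow devattest_service sa_net_conn_manager:samgr_class { get };
allow devattest_service sa_device_service_manager:samgr_class { get };
# NOTE(review): `add` on sa_accesstoken_manager_service lets this daemon
# register the access-token manager SA, whereas every other foreign SA here is
# only `get`. Confirm `add` is intentional; if not, reduce this to `{ get }`.
allow devattest_service sa_accesstoken_manager_service:samgr_class { add get };
allow devattest_service sa_foundation_bms:samgr_class { get };

allow devattest_service devinfo_private_param:file { map open read };

allow devattest_service musl_param:file { read };
allow devattest_service hilog_param:file { map open read };
allow devattest_service dnsproxy_service:sock_file { write };

# Client access: normal, system_basic and system_core HAPs may look up the SA
# and call it over binder, and the daemon may call back. With normal_hap
# included, any app can reach the interface, so per-request authorization
# rests on the daemon's own access-token checks rather than on this policy.
allow normal_hap sa_devattest_service:samgr_class { get };
allow normal_hap devattest_service:fd { use };
allow normal_hap devattest_service:binder { call transfer };
allow devattest_service normal_hap:binder { call transfer };

allow system_basic_hap sa_devattest_service:samgr_class { get };
allow system_basic_hap devattest_service:fd { use };
allow system_basic_hap devattest_service:binder { call transfer };
allow devattest_service system_basic_hap:binder { call transfer };

allow system_core_hap sa_devattest_service:samgr_class { get };
allow system_core_hap devattest_service:fd { use };
allow system_core_hap devattest_service:binder { call transfer };
allow devattest_service system_core_hap:binder { call transfer };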