# Copyright (c) 2022-2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the License); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. debug_only(` #avc: denied { search } for pid=2064 comm="killall" name="247" dev="proc" ino=38088 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=dir permissive=1 allow sh appspawn:dir { search }; #avc: denied { open } for pid=2064 comm="killall" path="/proc/247/comm" dev="proc" ino=41455 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=file permissive=1 allow sh appspawn:file { open }; #avc: denied { execute } for pid=2232 comm="sh" name="appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1 allow sh appspawn_exec:file { execute }; #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1 allow sh appspawn_exec:file { getattr }; #avc: denied { search } for pid=8568 comm="sh" name="el2" dev="mmcblk0p11" ino=261129 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 #avc: denied { getattr } for pid=2061 comm="chmod" path="/data/service/el2/100/hmdfs/account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 #avc: denied { search } for pid=1983 comm="sh" name="account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 allow sh data_service_el2_file:dir { search getattr search }; #avc: denied { add_name } for pid=8264 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { add_name }; #avc: denied { open } for pid=1983 comm="sh" path="/storage/media/100/local/files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { open }; #avc: denied { read } for pid=1983 comm="sh" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { read }; #avc: denied { remove_name } for pid=14740 comm="rm" name="audioEncode_function_promise_01.aac" dev="hmdfs" ino=2305843009213955505 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { remove_name }; #avc: denied { search } for pid=2284 comm="sh" name="device_view" dev="hmdfs" ino=2 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { search }; #avc: denied { setattr } for pid=2061 comm="chmod" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { setattr }; #avc: denied { write } for pid=2636 comm="rm" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 allow sh hmdfs:dir { write }; #avc: denied { create } for pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 allow sh hmdfs:file { create }; #avc: denied { getattr } for pid=2636 comm="rm" path="/storage/media/100/local/files/Audios/audioEncode_function_callback_04.aac" dev="hmdfs" ino=2305843009213955431 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 allow sh hmdfs:file { getattr }; #avc: denied { read write open } for pid=8277 comm="cp" path="/storage/media/100/local/files/Pictures/Static/01.jpg" dev="hmdfs" ino=2305843009213955546 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 allow sh hmdfs:file { read write open }; #avc: denied { setattr } for pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="hmdfs" ino=2305843009213955432 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 allow sh hmdfs:file { setattr }; #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/init" dev="mmcblk0p6" ino=240 scontext=u:r:sh:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1 allow sh init_exec:file { getattr }; #avc: denied { getattr } for pid=8144 comm="mkdir" path="/data/app/el2/100/base/ohos.acts.multimedia.video.videodecoder/haps/entry/files" dev="mmcblk0p11" ino=1307090 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 allow sh normal_hap_data_file_attr:dir { getattr }; #avc: denied { search } for pid=8144 comm="mkdir" name="ohos.acts.multimedia.video.videodecoder" dev="mmcblk0p11" ino=1307057 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 allow sh normal_hap_data_file_attr:dir { search }; #avc: denied { search } for pid=2064 comm="killall" name="244" dev="proc" ino=38085 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=dir permissive=1 allow sh param_watcher:dir { search }; #avc: denied { open } for pid=2064 comm="killall" path="/proc/244/comm" dev="proc" ino=41449 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=file permissive=1 allow sh param_watcher:file { open }; #avc: denied { execute } for pid=2270 comm="sh" name="power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 allow sh power_shell_exec:file { execute }; #avc: denied { execute_no_trans } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 allow sh power_shell_exec:file { execute_no_trans }; #avc: denied { getattr } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 allow sh power_shell_exec:file { getattr }; #avc: denied { map } for pid=2270 comm="power-shell" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 allow sh power_shell_exec:file { map }; #avc: denied { read open } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 allow sh power_shell_exec:file { read open }; #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 allow sh system_bin_file:dir { getattr }; #avc: denied { open } for pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 allow sh system_bin_file:dir { open }; #avc: denied { read } for pid=2232 comm="sh" name="bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 allow sh system_bin_file:dir { read }; #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/ability_tool" dev="mmcblk0p6" ino=111 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 allow sh system_bin_file:lnk_file { getattr }; #avc: denied { getattr } for pid=14785 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.video.codecformat/haps/entry/files" dev="mmcblk0p11" ino=1307350 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 #avc: denied { open } for pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files" dev="mmcblk0p11" ino=1307313 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 #avc: denied { add_name } for pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 #avc: denied { create } for pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 #allow sh system_core_hap_data_file_attr:dir { getattr open read search setattr getattr add_name create }; #avc: denied { getattr } for pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files/S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1 #avc: denied { setattr } for pid=4183 comm="chmod" name="S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1 allow sh system_core_hap_data_file_attr:file { getattr setattr }; #avc: denied { open } for pid=8136 comm="bm" path="/system/app/ActsVideoDecoderJsTest.hap" dev="mmcblk0p6" ino=2547 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 allow sh system_file:file { open read }; #avc: denied { getattr } for pid=2232 comm="sh" path="/system/lib64" dev="mmcblk0p6" ino=1579 scontext=u:r:sh:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 allow sh system_lib_file:dir { getattr open read }; #avc: denied { read } for pid=2672 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:wifi_host:s0 tclass=file permissive=1 allow sh wifi_host:file { read }; #avc: denied { search } for pid=20594 comm="player_unit_tes" name="usr" dev="mmcblk0p6" ino=2529 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 allow sh system_usr_file:dir { search }; #avc: denied { getattr } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 #avc: denied { read } for pid=20594 comm="player_unit_tes" name="supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 #avc: denied { map } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2531 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 #avc: denied { open } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 allow sh system_usr_file:file { getattr read open map }; #avc: denied { call } for pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 #avc: denied { transfer } for pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 allow sh media_service:binder { call transfer }; #avc: denied { use } for pid=475 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=178 scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 allow sh media_service:fd { use }; #avc: denied { call } for pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 #avc: denied { transfer } for pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 allow sh render_service:binder { call transfer }; #avc: denied { open } for pid=14734 comm="rm" path="/data/data/resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 #avc: denied { remove_name } for pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 #avc: denied { rmdir } for pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 allow sh data_data_file:dir { open remove_name rmdir }; #avc: denied { search } for pid=2502 comm="killall" name="507" dev="proc" ino=35525 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=dir permissive=1 allow sh privacy_service:dir { search getattr }; #avc: denied { open } for pid=2502 comm="killall" path="/proc/507/comm" dev="proc" ino=46944 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1 allow sh privacy_service:file { open }; #avc: denied { read } for pid=2502 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1 allow sh privacy_service:file { read }; #avc: denied { create } for pid=6080 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 #avc: denied { rmdir } for pid=6077 comm="rm" name="Audios" dev="hmdfs" ino=2305843009213824862 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 #avc: denied { unlink } for pid=6077 comm="rm" name="audio_16.m4a" dev="hmdfs" ino=2305843009213824879 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 allow sh hmdfs:dir { create rmdir unlink }; #avc: denied { getattr } for pid=2320 comm="mkdir" path="/data/app/el1/bundle/public/ohos.acts.multimedia.video.videoplayer/ohos.acts.multimedia.video.videoplayer/assets/entry/resources/rawfile" dev="mmcblk0p11" ino=1176976 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 # allow sh data_app_el1_file:dir { getattr }; #avc: denied { read open } for pid=2006 comm="rm" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130730 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 # allow sh data_user_file:dir { read open add_name remove_name rmdir write search setattr getattr }; #avc: denied { getattr } for pid=2636 comm="rm" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_04.aac" dev="mmcblk0p11" ino=261479 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 #avc: denied { create } for pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 #avc: denied { write } for pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="mmcblk0p11" ino=261480 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 #avc: denied { setattr } for pid=6274 comm="chmod" name="02.mp3" dev="mmcblk0p11" ino=131035 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 #avc: denied { unlink } for pid=6077 comm="rm" name="audio_16.m4a" dev="mmcblk0p11" ino=130927 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 # allow sh data_user_file:file { create getattr write setattr unlink }; #avc: denied { setattr } for pid=8881 comm="chmod" name="files" dev="mmcblk0p11" ino=523608 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 # allow sh normal_hap_data_file_attr:dir { setattr }; #avc: denied { execute } for pid=20586 comm="sh" name="player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 #avc: denied { execute_no_trans } for pid=20594 comm="sh" path="/data/test/player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 # allow sh data_file:file { execute execute_no_trans }; #avc: denied { fowner } for pid=5811 comm="chmod" capability=3 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 #avc: denied { fsetid } for pid=5811 comm="chmod" capability=4 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 # allow sh sh:capability { fowner fsetid }; #avc: denied { dac_override } for pid=2565 comm="hilog" capability=1 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 #avc: denied { sys_admin } for pid=3329 comm="mount" capability=21 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 #avc: denied { sys_ptrace } for pid=2064 comm="killall" capability=19 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 # allow sh sh:capability { dac_override sys_admin sys_ptrace }; # allow sh sh:capability { sys_admin }; # allow sh sh:capability { sys_ptrace }; #avc: denied { search } for pid=2058 comm="chmod" name="el2" dev="mmcblk0p11" ino=1175045 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 #allow sh data_app_el2_file:dir { search }; #avc: denied { get } for service=4700 pid=2591 scontext=u:r:sh:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 allow sh sa_softbus_service:samgr_class { get }; #avc: denied { get } for service=10 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1 allow sh sa_render_service:samgr_class { get }; #avc: denied { get } for service=3002 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 allow sh sa_media_service:samgr_class { get }; #avc: denied { read } for pid=1731 comm="sh" name="system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 #avc: denied { open } for pid=1731 comm="sh" path="/system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 allow sh system_file:dir { read open }; #avc: denied { call } for pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 #avc: denied { transfer } for pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 allow sh softbus_server:binder { call transfer }; ')