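# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Allow rules for the `sh` domain needed by the multimedia ACTS/unit-test
# scripts (killall, chmod, mkdir, rm, cp, bm, player_unit_test, ...).
# Every active rule is preceded by the avc denial(s) it was derived from,
# so each grant can be traced back to a concrete access. Rules that were
# judged too broad for a shell domain are kept as comments rather than
# deleted, so the history of what was requested is preserved.
# NOTE(review): debug_only() presumably keeps this block out of release
# policy builds — confirm against the macro definition before relying on it.
debug_only(`
    #avc:  denied  { search } for  pid=2064 comm="killall" name="247" dev="proc" ino=38088 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=dir permissive=1
    allow sh appspawn:dir { search };
    #avc:  denied  { open } for  pid=2064 comm="killall" path="/proc/247/comm" dev="proc" ino=41455 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=file permissive=1
    allow sh appspawn:file { open };
    #avc:  denied  { execute } for  pid=2232 comm="sh" name="appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1
    allow sh appspawn_exec:file { execute };
    #avc:  denied  { getattr } for  pid=2232 comm="sh" path="/system/bin/appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1
    allow sh appspawn_exec:file { getattr };
    #avc:  denied  { search } for  pid=8568 comm="sh" name="el2" dev="mmcblk0p11" ino=261129 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
    #avc:  denied  { getattr } for  pid=2061 comm="chmod" path="/data/service/el2/100/hmdfs/account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1
    #avc:  denied  { search } for  pid=1983 comm="sh" name="account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1
    # Duplicate `search` removed from the permission set (same grant either way).
    # NOTE(review): the getattr/search denials directly above were logged against
    # tcontext data_service_el2_hmdfs, not data_service_el2_file, so this rule does
    # not cover them — confirm which target type was intended.
    allow sh data_service_el2_file:dir { search getattr };
    #avc:  denied  { add_name } for  pid=8264 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { add_name };
    #avc:  denied  { open } for  pid=1983 comm="sh" path="/storage/media/100/local/files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { open };
    #avc:  denied  { read } for  pid=1983 comm="sh" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { read };
    #avc:  denied  { remove_name } for  pid=14740 comm="rm" name="audioEncode_function_promise_01.aac" dev="hmdfs" ino=2305843009213955505 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { remove_name };
    #avc:  denied  { search } for  pid=2284 comm="sh" name="device_view" dev="hmdfs" ino=2 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { search };
    #avc:  denied  { setattr } for  pid=2061 comm="chmod" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { setattr };
    #avc:  denied  { write } for  pid=2636 comm="rm" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    allow sh hmdfs:dir { write };
    #avc:  denied  { create } for  pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1
    allow sh hmdfs:file { create };
    #avc:  denied  { getattr } for  pid=2636 comm="rm" path="/storage/media/100/local/files/Audios/audioEncode_function_callback_04.aac" dev="hmdfs" ino=2305843009213955431 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1
    allow sh hmdfs:file { getattr };
    #avc:  denied  { read write open } for  pid=8277 comm="cp" path="/storage/media/100/local/files/Pictures/Static/01.jpg" dev="hmdfs" ino=2305843009213955546 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1
    allow sh hmdfs:file { read write open };
    #avc:  denied  { setattr } for  pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="hmdfs" ino=2305843009213955432 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1
    allow sh hmdfs:file { setattr };
    #avc:  denied  { getattr } for  pid=2232 comm="sh" path="/system/bin/init" dev="mmcblk0p6" ino=240 scontext=u:r:sh:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1
    allow sh init_exec:file { getattr };
    #avc:  denied  { getattr } for  pid=8144 comm="mkdir" path="/data/app/el2/100/base/ohos.acts.multimedia.video.videodecoder/haps/entry/files" dev="mmcblk0p11" ino=1307090 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1
    allow sh normal_hap_data_file_attr:dir { getattr };
    #avc:  denied  { search } for  pid=8144 comm="mkdir" name="ohos.acts.multimedia.video.videodecoder" dev="mmcblk0p11" ino=1307057 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1
    allow sh normal_hap_data_file_attr:dir { search };
    #avc:  denied  { search } for  pid=2064 comm="killall" name="244" dev="proc" ino=38085 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=dir permissive=1
    allow sh param_watcher:dir { search };
    #avc:  denied  { open } for  pid=2064 comm="killall" path="/proc/244/comm" dev="proc" ino=41449 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=file permissive=1
    allow sh param_watcher:file { open };
    #avc:  denied  { execute } for  pid=2270 comm="sh" name="power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1
    allow sh power_shell_exec:file { execute };
    #avc:  denied  { execute_no_trans } for  pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1
    # execute_no_trans: power-shell keeps running in the sh domain instead of
    # transitioning to its own domain, so it inherits every grant in this block.
    allow sh power_shell_exec:file { execute_no_trans };
    #avc:  denied  { getattr } for  pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1
    allow sh power_shell_exec:file { getattr };
    #avc:  denied  { map } for  pid=2270 comm="power-shell" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1
    allow sh power_shell_exec:file { map };
    #avc:  denied  { read open } for  pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1
    allow sh power_shell_exec:file { read open };
    #avc:  denied  { getattr } for  pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
    allow sh system_bin_file:dir { getattr };
    #avc:  denied  { open } for  pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
    allow sh system_bin_file:dir { open };
    #avc:  denied  { read } for  pid=2232 comm="sh" name="bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
    allow sh system_bin_file:dir { read };
    #avc:  denied  { getattr } for  pid=2232 comm="sh" path="/system/bin/ability_tool" dev="mmcblk0p6" ino=111 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
    allow sh system_bin_file:lnk_file { getattr };
    #avc:  denied  { getattr } for  pid=14785 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.video.codecformat/haps/entry/files" dev="mmcblk0p11" ino=1307350 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1
    #avc:  denied  { open } for  pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files" dev="mmcblk0p11" ino=1307313 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1
    #avc:  denied  { add_name } for  pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1
    #avc:  denied  { create } for  pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1
    # Disabled: directory-level write access to system-core hap data is not granted here.
    #allow sh system_core_hap_data_file_attr:dir { getattr open read search setattr getattr add_name create };
    #avc:  denied  { getattr } for  pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files/S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1
    #avc:  denied  { setattr } for  pid=4183 comm="chmod" name="S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1
    allow sh system_core_hap_data_file_attr:file { getattr setattr };
    #avc:  denied  { open } for  pid=8136 comm="bm" path="/system/app/ActsVideoDecoderJsTest.hap" dev="mmcblk0p6" ino=2547 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
    allow sh system_file:file { open read };
    #avc:  denied  { getattr } for  pid=2232 comm="sh" path="/system/lib64" dev="mmcblk0p6" ino=1579 scontext=u:r:sh:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
    allow sh system_lib_file:dir { getattr open read };
    #avc:  denied  { read } for  pid=2672 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:wifi_host:s0 tclass=file permissive=1
    allow sh wifi_host:file { read };
    #avc:  denied  { search } for  pid=20594 comm="player_unit_tes" name="usr" dev="mmcblk0p6" ino=2529 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1
    allow sh system_usr_file:dir { search };
    #avc:  denied  { getattr } for  pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
    #avc:  denied  { read } for  pid=20594 comm="player_unit_tes" name="supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
    #avc:  denied  { map } for  pid=20594 comm="player_unit_tes" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2531 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
    #avc:  denied  { open } for  pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
    allow sh system_usr_file:file { getattr read open map };
    #avc:  denied  { call } for  pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
    #avc:  denied  { transfer } for  pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
    allow sh media_service:binder { call transfer };
    #avc:  denied  { use } for  pid=475 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=178 scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
    allow sh media_service:fd { use };
    #avc:  denied  { call } for  pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
    #avc:  denied  { transfer } for  pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
    allow sh render_service:binder { call transfer };
    #avc:  denied  { open } for  pid=14734 comm="rm" path="/data/data/resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1
    #avc:  denied  { remove_name } for  pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1
    #avc:  denied  { rmdir } for  pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1
    allow sh data_data_file:dir { open remove_name rmdir };
    #avc:  denied  { search } for  pid=2502 comm="killall" name="507" dev="proc" ino=35525 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=dir permissive=1
    allow sh privacy_service:dir { search getattr };
    #avc:  denied  { open } for  pid=2502 comm="killall" path="/proc/507/comm" dev="proc" ino=46944 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1
    allow sh privacy_service:file { open };
    #avc:  denied  { read } for  pid=2502 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1
    allow sh privacy_service:file { read };
    #avc:  denied  { create } for  pid=6080 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    #avc:  denied  { rmdir } for  pid=6077 comm="rm" name="Audios" dev="hmdfs" ino=2305843009213824862 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1
    #avc:  denied  { unlink } for  pid=6077 comm="rm" name="audio_16.m4a" dev="hmdfs" ino=2305843009213824879 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1
    # The unlink denial above is tclass=file; unlink on the dir class is never
    # checked by the kernel, so it is granted on hmdfs:file where it is needed.
    allow sh hmdfs:dir { create rmdir };
    allow sh hmdfs:file { unlink };
    #avc:  denied  { getattr } for  pid=2320 comm="mkdir" path="/data/app/el1/bundle/public/ohos.acts.multimedia.video.videoplayer/ohos.acts.multimedia.video.videoplayer/assets/entry/resources/rawfile" dev="mmcblk0p11" ino=1176976 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
    # allow sh data_app_el1_file:dir { getattr };
    #avc:  denied  { read open } for  pid=2006 comm="rm" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130730 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1
    # allow sh data_user_file:dir { read open add_name remove_name rmdir write search setattr getattr };
    #avc:  denied  { getattr } for  pid=2636 comm="rm" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_04.aac" dev="mmcblk0p11" ino=261479 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
    #avc:  denied  { create } for  pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
    #avc:  denied  { write } for  pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="mmcblk0p11" ino=261480 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
    #avc:  denied  { setattr } for  pid=6274 comm="chmod" name="02.mp3" dev="mmcblk0p11" ino=131035 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
    #avc:  denied  { unlink } for  pid=6077 comm="rm" name="audio_16.m4a" dev="mmcblk0p11" ino=130927 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
    # allow sh data_user_file:file { create getattr write setattr unlink };
    #avc:  denied  { setattr } for  pid=8881 comm="chmod" name="files" dev="mmcblk0p11" ino=523608 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1
    # allow sh normal_hap_data_file_attr:dir { setattr };
    #avc:  denied  { execute } for  pid=20586 comm="sh" name="player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
    #avc:  denied  { execute_no_trans } for  pid=20594 comm="sh" path="/data/test/player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
    # Disabled: executing arbitrary files out of data_file would let the shell
    # run anything written to the data partition.
    # allow sh data_file:file { execute execute_no_trans };
    #avc:  denied  { fowner } for  pid=5811 comm="chmod" capability=3  scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1
    #avc:  denied  { fsetid } for  pid=5811 comm="chmod" capability=4  scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1
    # allow sh sh:capability { fowner fsetid };
    #avc:  denied  { dac_override } for  pid=2565 comm="hilog" capability=1  scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1
    #avc:  denied  { sys_admin } for  pid=3329 comm="mount" capability=21  scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1
    #avc:  denied  { sys_ptrace } for  pid=2064 comm="killall" capability=19  scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1
    # Deliberately left disabled: these capabilities would let the shell bypass
    # DAC checks, mount filesystems and inspect other processes, far beyond the
    # file paths granted above. Fix the test's ownership/permissions instead.
    # allow sh sh:capability { dac_override sys_admin sys_ptrace };
    # allow sh sh:capability { sys_admin };
    # allow sh sh:capability { sys_ptrace };
    #avc:  denied  { search } for  pid=2058 comm="chmod" name="el2" dev="mmcblk0p11" ino=1175045 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1
    #allow sh data_app_el2_file:dir { search };

    #avc:  denied  { get } for service=4700 pid=2591 scontext=u:r:sh:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1
    allow sh sa_softbus_service:samgr_class { get };

    #avc:  denied  { get } for service=10 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1
    allow sh sa_render_service:samgr_class { get };

    #avc:  denied  { get } for service=3002 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1
    allow sh sa_media_service:samgr_class { get };

    #avc:  denied  { read } for  pid=1731 comm="sh" name="system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
    #avc:  denied  { open } for  pid=1731 comm="sh" path="/system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
    allow sh system_file:dir { read open };

    #avc:  denied  { call } for  pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
    #avc:  denied  { transfer } for  pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
    allow sh softbus_server:binder { call transfer };
')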