1# Copyright (c) 2022-2023 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the License); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14debug_only(` 15 #avc: denied { search } for pid=2064 comm="killall" name="247" dev="proc" ino=38088 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=dir permissive=1 16 allow sh appspawn:dir { search }; 17 #avc: denied { open } for pid=2064 comm="killall" path="/proc/247/comm" dev="proc" ino=41455 scontext=u:r:sh:s0 tcontext=u:r:appspawn:s0 tclass=file permissive=1 18 allow sh appspawn:file { open }; 19 #avc: denied { execute } for pid=2232 comm="sh" name="appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1 20 allow sh appspawn_exec:file { execute }; 21 #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/appspawn" dev="mmcblk0p6" ino=114 scontext=u:r:sh:s0 tcontext=u:object_r:appspawn_exec:s0 tclass=file permissive=1 22 allow sh appspawn_exec:file { getattr }; 23 #avc: denied { search } for pid=8568 comm="sh" name="el2" dev="mmcblk0p11" ino=261129 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1 24 #avc: denied { getattr } for pid=2061 comm="chmod" path="/data/service/el2/100/hmdfs/account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 25 #avc: denied { search } for pid=1983 comm="sh" name="account" dev="mmcblk0p11" ino=261292 scontext=u:r:sh:s0 tcontext=u:object_r:data_service_el2_hmdfs:s0 tclass=dir permissive=1 26 allow sh data_service_el2_file:dir { search getattr search }; 27 #avc: denied { add_name } for pid=8264 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 28 allow sh hmdfs:dir { add_name }; 29 #avc: denied { open } for pid=1983 comm="sh" path="/storage/media/100/local/files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 30 allow sh hmdfs:dir { open }; 31 #avc: denied { read } for pid=1983 comm="sh" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 32 allow sh hmdfs:dir { read }; 33 #avc: denied { remove_name } for pid=14740 comm="rm" name="audioEncode_function_promise_01.aac" dev="hmdfs" ino=2305843009213955505 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 34 allow sh hmdfs:dir { remove_name }; 35 #avc: denied { search } for pid=2284 comm="sh" name="device_view" dev="hmdfs" ino=2 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 36 allow sh hmdfs:dir { search }; 37 #avc: denied { setattr } for pid=2061 comm="chmod" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 38 allow sh hmdfs:dir { setattr }; 39 #avc: denied { write } for pid=2636 comm="rm" name="files" dev="hmdfs" ino=2305843009213955245 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 40 allow sh hmdfs:dir { write }; 41 #avc: denied { create } for pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 42 allow sh hmdfs:file { create }; 43 #avc: denied { getattr } for pid=2636 comm="rm" path="/storage/media/100/local/files/Audios/audioEncode_function_callback_04.aac" dev="hmdfs" ino=2305843009213955431 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 44 allow sh hmdfs:file { getattr }; 45 #avc: denied { read write open } for pid=8277 comm="cp" path="/storage/media/100/local/files/Pictures/Static/01.jpg" dev="hmdfs" ino=2305843009213955546 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 46 allow sh hmdfs:file { read write open }; 47 #avc: denied { setattr } for pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="hmdfs" ino=2305843009213955432 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 48 allow sh hmdfs:file { setattr }; 49 #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/init" dev="mmcblk0p6" ino=240 scontext=u:r:sh:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1 50 allow sh init_exec:file { getattr }; 51 #avc: denied { getattr } for pid=8144 comm="mkdir" path="/data/app/el2/100/base/ohos.acts.multimedia.video.videodecoder/haps/entry/files" dev="mmcblk0p11" ino=1307090 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 52 allow sh normal_hap_data_file_attr:dir { getattr }; 53 #avc: denied { search } for pid=8144 comm="mkdir" name="ohos.acts.multimedia.video.videodecoder" dev="mmcblk0p11" ino=1307057 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 54 allow sh normal_hap_data_file_attr:dir { search }; 55 #avc: denied { search } for pid=2064 comm="killall" name="244" dev="proc" ino=38085 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=dir permissive=1 56 allow sh param_watcher:dir { search }; 57 #avc: denied { open } for pid=2064 comm="killall" path="/proc/244/comm" dev="proc" ino=41449 scontext=u:r:sh:s0 tcontext=u:r:param_watcher:s0 tclass=file permissive=1 58 allow sh param_watcher:file { open }; 59 #avc: denied { execute } for pid=2270 comm="sh" name="power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 60 allow sh power_shell_exec:file { execute }; 61 #avc: denied { execute_no_trans } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 62 allow sh power_shell_exec:file { execute_no_trans }; 63 #avc: denied { getattr } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 64 allow sh power_shell_exec:file { getattr }; 65 #avc: denied { map } for pid=2270 comm="power-shell" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 66 allow sh power_shell_exec:file { map }; 67 #avc: denied { read open } for pid=2270 comm="sh" path="/system/bin/power-shell" dev="mmcblk0p6" ino=318 scontext=u:r:sh:s0 tcontext=u:object_r:power_shell_exec:s0 tclass=file permissive=1 68 allow sh power_shell_exec:file { read open }; 69 #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 70 allow sh system_bin_file:dir { getattr }; 71 #avc: denied { open } for pid=2232 comm="sh" path="/system/bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 72 allow sh system_bin_file:dir { open }; 73 #avc: denied { read } for pid=2232 comm="sh" name="bin" dev="mmcblk0p6" ino=106 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1 74 allow sh system_bin_file:dir { read }; 75 #avc: denied { getattr } for pid=2232 comm="sh" path="/system/bin/ability_tool" dev="mmcblk0p6" ino=111 scontext=u:r:sh:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 76 allow sh system_bin_file:lnk_file { getattr }; 77 #avc: denied { getattr } for pid=14785 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.video.codecformat/haps/entry/files" dev="mmcblk0p11" ino=1307350 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 78 #avc: denied { open } for pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files" dev="mmcblk0p11" ino=1307313 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 79 #avc: denied { add_name } for pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 80 #avc: denied { create } for pid=2007 comm="mkdir" name="entry" scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=dir permissive=1 81 #allow sh system_core_hap_data_file_attr:dir { getattr open read search setattr getattr add_name create }; 82 #avc: denied { getattr } for pid=4183 comm="chmod" path="/data/app/el2/100/base/ohos.acts.multimedia.audio.audioencoder/haps/entry/files/S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1 83 #avc: denied { setattr } for pid=4183 comm="chmod" name="S16LE.pcm" dev="mmcblk0p11" ino=1307314 scontext=u:r:sh:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1 84 allow sh system_core_hap_data_file_attr:file { getattr setattr }; 85 #avc: denied { open } for pid=8136 comm="bm" path="/system/app/ActsVideoDecoderJsTest.hap" dev="mmcblk0p6" ino=2547 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 86 allow sh system_file:file { open read }; 87 #avc: denied { getattr } for pid=2232 comm="sh" path="/system/lib64" dev="mmcblk0p6" ino=1579 scontext=u:r:sh:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1 88 allow sh system_lib_file:dir { getattr open read }; 89 #avc: denied { read } for pid=2672 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:wifi_host:s0 tclass=file permissive=1 90 allow sh wifi_host:file { read }; 91 #avc: denied { search } for pid=20594 comm="player_unit_tes" name="usr" dev="mmcblk0p6" ino=2529 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1 92 allow sh system_usr_file:dir { search }; 93 #avc: denied { getattr } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 94 #avc: denied { read } for pid=20594 comm="player_unit_tes" name="supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 95 #avc: denied { map } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2531 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 96 #avc: denied { open } for pid=20594 comm="player_unit_tes" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2536 scontext=u:r:sh:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1 97 allow sh system_usr_file:file { getattr read open map }; 98 #avc: denied { call } for pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 99 #avc: denied { transfer } for pid=20594 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1 100 allow sh media_service:binder { call transfer }; 101 #avc: denied { use } for pid=475 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=178 scontext=u:r:sh:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1 102 allow sh media_service:fd { use }; 103 #avc: denied { call } for pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 104 #avc: denied { transfer } for pid=20638 comm="player_unit_tes" scontext=u:r:sh:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1 105 allow sh render_service:binder { call transfer }; 106 #avc: denied { open } for pid=14734 comm="rm" path="/data/data/resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 107 #avc: denied { remove_name } for pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 108 #avc: denied { rmdir } for pid=14734 comm="rm" name="resource" dev="mmcblk0p11" ino=391694 scontext=u:r:sh:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1 109 allow sh data_data_file:dir { open remove_name rmdir }; 110 #avc: denied { search } for pid=2502 comm="killall" name="507" dev="proc" ino=35525 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=dir permissive=1 111 allow sh privacy_service:dir { search getattr }; 112 #avc: denied { open } for pid=2502 comm="killall" path="/proc/507/comm" dev="proc" ino=46944 scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1 113 allow sh privacy_service:file { open }; 114 #avc: denied { read } for pid=2502 comm="killall" scontext=u:r:sh:s0 tcontext=u:r:privacy_service:s0 tclass=file permissive=1 115 allow sh privacy_service:file { read }; 116 #avc: denied { create } for pid=6080 comm="mkdir" name="Pictures" scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 117 #avc: denied { rmdir } for pid=6077 comm="rm" name="Audios" dev="hmdfs" ino=2305843009213824862 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=dir permissive=1 118 #avc: denied { unlink } for pid=6077 comm="rm" name="audio_16.m4a" dev="hmdfs" ino=2305843009213824879 scontext=u:r:sh:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=1 119 allow sh hmdfs:dir { create rmdir unlink }; 120 #avc: denied { getattr } for pid=2320 comm="mkdir" path="/data/app/el1/bundle/public/ohos.acts.multimedia.video.videoplayer/ohos.acts.multimedia.video.videoplayer/assets/entry/resources/rawfile" dev="mmcblk0p11" ino=1176976 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1 121 # allow sh data_app_el1_file:dir { getattr }; 122 #avc: denied { read open } for pid=2006 comm="rm" path="/data/service/el2/100/hmdfs/account/files" dev="mmcblk0p11" ino=130730 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=dir permissive=1 123 # allow sh data_user_file:dir { read open add_name remove_name rmdir write search setattr getattr }; 124 #avc: denied { getattr } for pid=2636 comm="rm" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_04.aac" dev="mmcblk0p11" ino=261479 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 125 #avc: denied { create } for pid=8277 comm="cp" name="01.jpg" scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 126 #avc: denied { write } for pid=2669 comm="chmod" name="audioEncode_function_callback_05.aac" dev="mmcblk0p11" ino=261480 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 127 #avc: denied { setattr } for pid=6274 comm="chmod" name="02.mp3" dev="mmcblk0p11" ino=131035 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 128 #avc: denied { unlink } for pid=6077 comm="rm" name="audio_16.m4a" dev="mmcblk0p11" ino=130927 scontext=u:r:sh:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1 129 # allow sh data_user_file:file { create getattr write setattr unlink }; 130 #avc: denied { setattr } for pid=8881 comm="chmod" name="files" dev="mmcblk0p11" ino=523608 scontext=u:r:sh:s0 tcontext=u:object_r:normal_hap_data_file_attr:s0 tclass=dir permissive=1 131 # allow sh normal_hap_data_file_attr:dir { setattr }; 132 #avc: denied { execute } for pid=20586 comm="sh" name="player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 133 #avc: denied { execute_no_trans } for pid=20594 comm="sh" path="/data/test/player_unit_test" dev="mmcblk0p11" ino=1044488 scontext=u:r:sh:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 134 # allow sh data_file:file { execute execute_no_trans }; 135 #avc: denied { fowner } for pid=5811 comm="chmod" capability=3 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 136 #avc: denied { fsetid } for pid=5811 comm="chmod" capability=4 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 137 # allow sh sh:capability { fowner fsetid }; 138 #avc: denied { dac_override } for pid=2565 comm="hilog" capability=1 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 139 #avc: denied { sys_admin } for pid=3329 comm="mount" capability=21 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 140 #avc: denied { sys_ptrace } for pid=2064 comm="killall" capability=19 scontext=u:r:sh:s0 tcontext=u:r:sh:s0 tclass=capability permissive=1 141 # allow sh sh:capability { dac_override sys_admin sys_ptrace }; 142 # allow sh sh:capability { sys_admin }; 143 # allow sh sh:capability { sys_ptrace }; 144 #avc: denied { search } for pid=2058 comm="chmod" name="el2" dev="mmcblk0p11" ino=1175045 scontext=u:r:sh:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1 145 #allow sh data_app_el2_file:dir { search }; 146 147 #avc: denied { get } for service=4700 pid=2591 scontext=u:r:sh:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1 148 allow sh sa_softbus_service:samgr_class { get }; 149 150 #avc: denied { get } for service=10 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1 151 allow sh sa_render_service:samgr_class { get }; 152 153 #avc: denied { get } for service=3002 pid=2661 scontext=u:r:sh:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1 154 allow sh sa_media_service:samgr_class { get }; 155 156 #avc: denied { read } for pid=1731 comm="sh" name="system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 157 #avc: denied { open } for pid=1731 comm="sh" path="/system" dev="mmcblk0p6" ino=27 scontext=u:r:sh:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 158 allow sh system_file:dir { read open }; 159 160 #avc: denied { call } for pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 161 #avc: denied { transfer } for pid=2880 comm="distributedScre" scontext=u:r:sh:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 162 allow sh softbus_server:binder { call transfer }; 163') 164 165