# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the nwebspawn domain. Judging from the
# rules below, nwebspawn executes the NWeb bundle, builds a per-app sandbox
# mount tree under /mnt/sandbox/<bundle>/ and dynamically transitions the
# processes it spawns into isolated_render.
#
# How to read this file: most rules are preceded by the audit denial
# ("avc: denied ...") they were derived from. scontext is the acting domain,
# tcontext/tclass the object; permissive=1 means the access was only logged
# (permissive mode), permissive=0 means it was actually blocked in enforcing
# mode. allow rules are additive, so the effective access for a
# (source, target, class) triple is the union of every matching rule here.
# NOTE(review): keep access vectors sized to the observed denials — prefer
# adding a single missing permission over a permission-set macro.

# Open and execute the nwebspawn binary itself. execute_no_trans = run it
# without a domain transition. Overlaps with the broader system_bin_file:file
# rule (entrypoint/execute/map/read) further down.
# avc:  denied  { open } for  pid=1601 comm="nwebspawn" path="/system/bin/nwebspawn" dev="mmcblk0p7" ino=300 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1
allow nwebspawn system_bin_file:file { open };

# avc:  denied  { execute_no_trans } for  pid=1601 comm="nwebspawn" path="/system/bin/nwebspawn" dev="mmcblk0p7" ino=300 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=file permissive=1
allow nwebspawn system_bin_file:file { execute_no_trans };

# Execute the NWeb bundle. The denial names NWeb.hap, but the grant covers
# every file labelled system_file, not just that bundle.
# avc:  denied  { execute } for  pid=1601 comm="nwebspawn" path="/system/app/com.ohos.nweb/NWeb.hap" dev="mmcblk0p7" ino=78 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
allow nwebspawn system_file:file { execute };

# Directory traversal: the Unix-socket directory and the data partition root.
#avc:  denied  { search } for  pid=1852 comm="nwebspawn" name="socket" dev="tmpfs" ino=40 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow nwebspawn dev_unix_socket:dir { search };

#avc:  denied  { search } for  pid=1852 comm="nwebspawn" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1
allow nwebspawn data_file:dir { search };

# Append to the init agent log (/data/init_agent/begetctl.log). The ioctl
# permission here is narrowed to command 0x5413 by the allowxperm rule below.
#avc:  denied  { read append } for  pid=1852 comm="nwebspawn" name="begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=1852 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=15 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { ioctl } for  pid=2616 comm="nwebspawn" path="/data/init_agent/begetctl.log" dev="mmcblk0p11" ino=22 ioctlcmd=0x5413 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
allow nwebspawn data_init_agent:file { read append open ioctl };

#avc:  denied  { search } for  pid=2616 comm="nwebspawn" name="init_agent" dev="mmcblk0p11" ino=89761 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1
allow nwebspawn data_init_agent:dir { search };

# Accept clients on the NWebSpawn listening socket. The socket object carries
# init's domain label (tcontext=u:r:init:s0), so the target type is init.
#avc:  denied  { accept } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
#avc:  denied  { getattr } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
#avc:  denied  { getopt } for  pid=3598 comm="nwebspawn" path="/dev/unix/socket/NWebSpawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
allow nwebspawn init:unix_stream_socket { accept getattr getopt };

# Access-token device (/dev/access_token_id); the ioctl set is narrowed to
# command 0x4102 by the allowxperm rule below.
#avc:  denied  { ioctl } for  pid=4499 comm="nwebspawn" path="/dev/access_token_id" dev="tmpfs" ino=172 ioctlcmd=0x4102 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_at_file:s0 tclass=chr_file permissive=1
allow nwebspawn dev_at_file:chr_file { ioctl };

#avc:  denied  { search } for  pid=4499 comm="nwebspawn" name="/" dev="selinuxfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=1
allow nwebspawn selinuxfs:dir { search };

# selinuxfs access. The observed use is /sys/fs/selinux/context, which
# together with security:check_context (next rule) lets the domain validate a
# context string before switching to it. Note the grant is on every
# selinuxfs-labelled file, not only "context"; the sensitive nodes additionally
# require security-class permissions (e.g. setenforce, load_policy) that this
# file does not grant — check_context is the only security permission here.
#avc:  denied  { read write } for  pid=4499 comm="nwebspawn" name="context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=4499 comm="nwebspawn" path="/sys/fs/selinux/context" dev="selinuxfs" ino=5 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
allow nwebspawn selinuxfs:file { read write open };

#avc:  denied  { check_context } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:security:s0 tclass=security permissive=1
allow nwebspawn security:security { check_context };

# NOTE(review): the two denials quoted here are setcurrent on self and
# dyntransition into normal_hap, but the rule grants setcurrent on
# normal_hap_attr. setcurrent is checked against the process's own domain
# (covered by the nwebspawn:process rule just below), so this rule does not
# correspond to either denial — confirm the normal_hap dyntransition is
# granted elsewhere, or this rule is dead. The second log line is truncated
# ("permissive=").
#avc:  denied  { setcurrent } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1
#avc:  denied  { dyntransition } for  pid=4499 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:normal_hap:s0 tclass=process permissive=
allow nwebspawn normal_hap_attr:process { setcurrent };

# Prerequisite for dynamic transitions: setcurrent on the domain itself.
#avc:  denied  { setcurrent } for  pid=4868 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=1
allow nwebspawn nwebspawn:process { setcurrent };

# Sandbox mount tree under /mnt/sandbox/<bundle>/. NOTE(review): the next two
# denials were logged with scontext=u:r:normal_hap:s0, i.e. after the domain
# switch, yet the rules are written for nwebspawn — confirm which domain
# actually performs these mounts, otherwise these grants are ineffective.
#avc:  denied  { mounton } for  pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/config" dev="configfs" ino=14342 scontext=u:r:normal_hap:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1
allow nwebspawn configfs:dir { mounton };

#avc:  denied  { mounton } for  pid=4868 comm="nwebspawn" path="/mnt/sandbox/com.example.web0422stage/dev" dev="tmpfs" ino=1 scontext=u:r:normal_hap:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1
allow nwebspawn dev_file:dir { mounton };

# create_dir_perms is a permission-set macro and is wider than the single
# mounton that was logged; NOTE(review): confirm the extra permissions are used.
#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/" dev="tmpfs" ino=3 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
allow nwebspawn tmpfs:dir { mounton create_dir_perms };

# No denial recorded for this rule.
allow nwebspawn tmpfs:lnk_file { create };

# Mount points for the read-only system views inside the sandbox.
#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys" dev="sysfs" ino=1 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:sys_file:s0 tclass=dir permissive=1
allow nwebspawn sys_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2318 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/sys_prod" dev="mmcblk0p6" ino=26 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
allow nwebspawn rootfs:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/app" dev="mmcblk0p6" ino=28 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
allow nwebspawn system_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/fonts" dev="mmcblk0p6" ino=1491 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1
allow nwebspawn system_fonts_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/lib" dev="mmcblk0p6" ino=1540 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
allow nwebspawn system_lib_file:dir { mounton };

#avc:  denied  { mounton } for  pid=2763 comm="nwebspawn" path="/mnt/sandbox/com.example.web330/system/usr" dev="mmcblk0p6" ino=2476 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1
allow nwebspawn system_usr_file:dir { mounton };

# Rules added without a quoted denial: app data, the spawn socket node, and
# the system/vendor library search paths needed to load the binary.
allow nwebspawn data_app_el1_file:file { getattr map read };
allow nwebspawn data_app_file:dir { search };
allow nwebspawn nwebspawn_socket:sock_file { setattr };
allow nwebspawn system_bin_file:dir { search };
allow nwebspawn system_bin_file:file { entrypoint execute map read };
allow nwebspawn vendor_lib_file:dir { search };
allow nwebspawn vendor_lib_file:file { execute getattr map open read };
# Extended permissions: restrict the ioctl grants above to exactly the
# command numbers that were observed in the denials.
allowxperm nwebspawn data_init_agent:file ioctl { 0x5413 };
allowxperm nwebspawn dev_at_file:chr_file ioctl { 0x4102 };

allow nwebspawn accessibility_param:file { open read map };
allow nwebspawn system_basic_hap_data_file_attr:dir { mounton };

allow nwebspawn dev_console_file:chr_file { read write };
allow nwebspawn kernel:unix_stream_socket { connectto };
allow nwebspawn musl_param:file { map open read };
# Terminate spawned app processes (any domain carrying normal_hap_attr).
allow nwebspawn normal_hap_attr:process { sigkill };
allow nwebspawn paramservice_socket:sock_file { write };

# Full create/write/unlink on data_misc — wider than the read-mostly grants
# elsewhere in this file and without a quoted denial. NOTE(review): confirm
# the minimum set actually exercised.
allow nwebspawn data_misc:dir { add_name search write remove_name };
allow nwebspawn data_misc:file { create map open read write unlink };

# Move spawned render processes into the isolated_render domain.
# avc:  denied  { dyntransition } for  pid=5103 comm="ei.hmos.browser" scontext=u:r:nwebspawn:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1
allow nwebspawn isolated_render:process { dyntransition };

# /dev/xpm device; the ioctl permission is narrowed to command 0x7801 by the
# allowxperm rule that follows.
# avc:  denied  { ioctl } for  pid=1405 comm="com.ohos.note" path="/dev/xpm" dev="tmpfs" ino=224 ioctlcmd=0x7801 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1
# avc:  denied  { open } for  pid=1405 comm="com.ohos.note" path="/dev/xpm" dev="tmpfs" ino=224 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1
# avc:  denied  { read write } for  pid=1405 comm="com.ohos.note" name="xpm" dev="tmpfs" ino=224 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1
allow nwebspawn dev_xpm:chr_file { ioctl open read write };

# avc:  denied  { ioctl } for  pid=1405 comm="com.ohos.note" path="/dev/xpm" dev="tmpfs" ino=224 ioctlcmd=0x7801 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=1
allowxperm nwebspawn dev_xpm:chr_file ioctl { 0x7801 };

# avc:  denied  { search } for  pid=308 comm="appspawn" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:nwebspawn:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
allow nwebspawn vendor_etc_file:dir { search };

# Descriptors and datagram sockets inherited from / shared with appspawn. The
# permissive=0 entries were real failures in enforcing mode.
# avc: denied { use } for pid=306 comm="appspawn" path="socket:[19696]" dev="sockfs" ino=19696 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=0
# avc:  denied  { use } for  pid=308 comm="appspawn" path="socket:[19920]" dev="sockfs" ino=19920 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=1
allow nwebspawn appspawn:fd { use };

# avc:  denied  { connect } for  pid=306 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=0
# avc:  denied  { write } for  pid=308 comm="appspawn" path="socket:[19920]" dev="sockfs" ino=19920 scontext=u:r:nwebspawn:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
allow nwebspawn appspawn:unix_dgram_socket { connect write };


# Socket options on the domain's own datagram sockets.
# avc: denied { getopt } for pid=426 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1
# avc: denied { setopt } for pid=426 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1
allow nwebspawn nwebspawn:unix_dgram_socket { getopt setopt };

# Tear down sandbox mounts. labeledfs covers any labelled filesystem, so this
# is not limited to the sandbox tree; the denial was a hard failure (permissive=0).
# avc: denied { unmount } for pid=1365 comm="appspawn" scontext=u:r:nwebspawn:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
allow nwebspawn labeledfs:filesystem { unmount };

# Debug builds only (m4 macro, judging by the quoting): additional mounton
# targets that release policy does not grant.
debug_only(`
    allow nwebspawn data_storage:dir { mounton };
    allow nwebspawn data_file:dir { mounton };
')