# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the appspawn domain, the daemon that forks and
# sandboxes application processes. Most rules below sit directly under the
# avc denial they were derived from: a denial logged with permissive=1 was
# recorded while the domain was permissive (the access went through), one
# with permissive=0 was an actual block in enforcing mode. The policy
# compiler merges rules with the same (source, target, class), so a type
# that appears several times below (data_app_el2_file, tmpfs, dev_file, ...)
# ends up with the union of all listed permissions; review a pair by its
# union, not by any single line.
init_daemon_domain(appspawn);

allow appspawn appspawn_socket:sock_file { setattr };
allow appspawn dev_unix_socket:sock_file unlink;

allow appspawn appspawn_exec:file { execute_no_trans };
allow appspawn bootevent_param:parameter_service { set };
allow appspawn paramservice_socket:sock_file { write };
allow appspawn kernel:unix_stream_socket { connectto };
allow appspawn dev_unix_socket:sock_file write;
allow appspawn data_service_el2_file:dir { search write add_name create };
# Per-app data roots (el2..el5 here, el1 further down): appspawn creates
# directories in them and uses them as bind-mount targets (mounton) when
# assembling the sandbox.
allow appspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el3_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el4_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el5_file:dir { search mounton write add_name create setattr getattr};
allow appspawn sharefs:dir { create_dir_perms mounton getattr };
allow appspawn sharefs_file_attr:dir { create_dir_perms_without_ioctl mounton getattr };
allow appspawn sharefs:filesystem { mount };
allow appspawn data_service_el2_share:dir { create_dir_perms mounton getattr };
allow appspawn data_service_el1_file:dir { search getattr write mounton add_name remove_name };
allow appspawn data_service_el1_file:file { read write create map open unlink };

# read cfg from /dev and the chip_prod / sys_prod / vendor_etc trees.
# These are read-only (open/read/search/getattr/map): no write or create
# is granted on configuration sources.
#avc:  denied  { getattr } for  pid=1802 comm="appspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
allow appspawn dev_file:dir { getattr };
allow appspawn chip_prod_file:dir { open read search getattr };
allow appspawn chip_prod_file:file { getattr open read };
allow appspawn sys_prod_file:dir { open read search getattr };
allow appspawn sys_prod_file:file { getattr open read map };
allow appspawn vendor_etc_file:dir { open read search getattr };
allow appspawn vendor_etc_file:file { getattr open read };

# Process capabilities. sys_ptrace, net_admin and sys_nice are added by
# separate rules further down, so the effective set is the union of all
# four lines. sys_admin plus dac_override / dac_read_search make this
# domain close to an unconfined root process with respect to the
# filesystem, so additions here deserve the same scrutiny as a setuid
# binary would get.
allow appspawn appspawn:capability { dac_override kill setgid setuid sys_admin chown dac_read_search };
# setcurrent: appspawn changes its own (forked child's) security context
# via setcon(); the target domains are governed by the dyntransition
# rules below.
allow appspawn appspawn:process { setcurrent };
allow appspawn appspawn:unix_dgram_socket { getopt setopt };
# Parameter-service shared-memory files: read/map only, except
# bootevent_param above which may also be set.
allow appspawn bootevent_param:file { map open read };
allow appspawn bootevent_samgr_param:file { map open read };
allow appspawn build_version_param:file { map open read };
allow appspawn configfs:dir { mounton  getattr };
allow appspawn const_allow_mock_param:file { map open read };
allow appspawn const_allow_param:file { map open read };
allow appspawn const_build_param:file { map open read };
allow appspawn const_display_brightness_param:file { map open read };
allow appspawn const_param:file { map open read };
allow appspawn const_postinstall_fstab_param:file { map open read };
allow appspawn const_postinstall_param:file { map open read };
allow appspawn const_product_param:file { map open read };
allow appspawn data_app_el1_file:dir { add_name create mounton search write getattr };
allow appspawn data_app_el2_file:dir { search mounton getattr };
allow appspawn data_app_file:dir { search };
allow appspawn data_file:dir { add_name create mounton search write getattr };
allow appspawn data_service_el2_file:dir { search };
allow appspawn data_service_el2_hmdfs:dir { search };
allow appspawn data_service_file:dir { search };
allow appspawn data_storage:dir { mounton getattr };
allow appspawn debug_param:file { map open read };
allow appspawn default_param:file { map open read };
# ioctl on dev_at_file is narrowed to one command number by the
# allowxperm rule below.
allow appspawn dev_at_file:chr_file { ioctl };
allow appspawn dev_file:dir { mounton getattr };
allow appspawn dev_unix_socket:dir { add_name search write remove_name };
allow appspawn dev_unix_socket:sock_file { create setattr };
allow appspawn distributedsche_param:file { map open read };
allow appspawn hilog_param:file { map open read };
allow appspawn hiview:unix_dgram_socket { sendto };
allow appspawn hmdfs:dir { mounton search getattr };
allow appspawn hw_sc_build_os_param:file { map open read };
allow appspawn hw_sc_build_param:file { map open read };
allow appspawn hw_sc_param:file { map open read };
allow appspawn init_param:file { map open read };
allow appspawn init_svc_param:file { map open read };
allow appspawn input_pointer_device_param:file { map open read };
# labeledfs covers every xattr-labelled filesystem; unmount here and
# remount further down are both granted on that whole class, not on a
# specific mount.
allow appspawn labeledfs:filesystem { unmount };
allow appspawn net_param:file { map open read };
allow appspawn net_tcp_param:file { map open read };
allow appspawn normal_hap_data_file_attr:dir { mounton getattr };
# normal_hap_attr only gets sigkill in this file (no dyntransition here).
allow appspawn normal_hap_attr:process { sigkill };
allow appspawn ohos_boot_param:file { map open read };
allow appspawn ohos_param:file { map open read };
allow appspawn persist_param:file { map open read };
allow appspawn persist_sys_param:file { map open read };
allow appspawn proc_file:dir { mounton getattr };
allow appspawn proc_file:filesystem { mount unmount getattr };
allow appspawn rootfs:dir { mounton getattr };
allow appspawn security_param:file { map open read };
# check_context together with read/write on selinuxfs files is the
# interface libselinux uses to validate a context string before a
# setcon()/dyntransition (presumably via /sys/fs/selinux/context).
# Note the selinuxfs write does not by itself grant enforce-mode or
# policy-load changes; those are separate permissions on the security
# class that are not granted here.
allow appspawn security:security { check_context };
allow appspawn selinuxfs:dir { search };
allow appspawn selinuxfs:file { open read write };
allow appspawn startup_param:file { map open read };
allow appspawn sys_file:dir { mounton getattr };
allow appspawn sys_param:file { map open read };
allow appspawn system_basic_hap_data_file_attr:dir { mounton getattr };
# dyntransition: the forked child switches domain via setcon() with no
# exec. The complete set of domains appspawn may become in this file is
# system_basic_hap_attr, system_core_hap_attr, nwebspawn and pid_ns_init
# (see the rules below); keep this list to the domains the spawner
# actually creates, since each one is a domain the spawner's privileges
# can be handed to.
allow appspawn system_basic_hap_attr:process { dyntransition sigkill };
allow appspawn system_bin_file:dir { mounton search getattr };
allow appspawn system_core_hap_data_file_attr:dir { mounton getattr };
# avc:  denied  { sigkill } for  pid=2375 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:system_core_hap:s0 tclass=process permissive=1
allow appspawn system_core_hap_attr:process { dyntransition sigkill };
allow appspawn system_etc_file:dir { mounton getattr };
allow appspawn system_file:dir { mounton getattr };
allow appspawn system_fonts_file:dir { mounton open read search getattr };
allow appspawn system_fonts_file:file { getattr map open read };
allow appspawn system_lib_file:dir { mounton getattr };

# The comm in the next two denials is an app name (amples.etsclock): the
# access happened in the forked child before its domain transition, while
# it still ran as appspawn, setting up the sandbox's loader under
# /mnt/sandbox/<user>/<bundle>/.
# avc:  denied  { mounton } for  pid=1604 comm="amples.etsclock" path="/mnt/sandbox/100/ohos.samples.etsclock/system/lib/ld-musl-arm.so.1" dev="mmcblk0p7" ino=1823 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=1
allow appspawn system_lib_file:file { mounton getattr };
allow appspawn system_profile_file:dir { mounton getattr };
allow appspawn system_usr_file:dir { mounton search getattr };
allow appspawn system_usr_file:file { getattr map open read };
allow appspawn sys_usb_param:file { map open read };
allow appspawn tmpfs:dir { add_name create mounton write getattr remove_name};

# avc:  denied  { create } for  pid=1604 comm="amples.etsclock" name="ld-musl-arm.so.1" scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
allow appspawn tmpfs:file { create mounton open unlink};

allow appspawn tmpfs:lnk_file { create };
allow appspawn vendor_lib_file:dir { mounton getattr };
# execmem: anonymous memory may be mapped writable and executable at the
# same time (no W^X for this domain). If only JIT-capable children need
# it, granting it in the child domains instead keeps the spawner itself
# W^X-clean.
allow appspawn self:process execmem;
# Extended permission: limits the dev_at_file ioctl rule above to this
# single command number. Any new ioctl needs both the class permission
# and an xperm entry.
allowxperm appspawn dev_at_file:chr_file ioctl { 0x4102 };
allow appspawn dev_xpm:chr_file { open read write ioctl };
allow appspawn system_file:file { map };
allow appspawn nwebspawn:process{ dyntransition };
# avc:  denied  { signal } for  pid=2762 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=0
allow appspawn nwebspawn:process{ sigkill signal };
allow appspawn dev_asanlog_file:dir { getattr };
allow appspawn share_public_file:dir { search };
# avc_audit_slow:260] avc: denied { dyntransition } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=process permissive=1
allow appspawn pid_ns_init:process { dyntransition };
allow appspawn share_public_file:dir { search create add_name write };
# for app cgroup pids: appspawn creates and removes per-app cgroup
# directories and writes their control files; the ioctl is narrowed to
# one command by the allowxperm line.
allow appspawn cgroup:dir { add_name create search open read write remove_name rmdir };
allow appspawn cgroup:file { append getattr ioctl open read write };
allowxperm appspawn cgroup:file ioctl {  0x5413  };

# avc:  denied  { getattr } for  pid=2327 comm="edialibrarydata" path="/data/misc" dev="mmcblk0p15" ino=109 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_misc:s0 tclass=dir permissive=1
allow appspawn data_misc:dir { getattr };

# pid_ns_init: the /proc entries of the pid-namespace init process
# (dir/file/lnk_file read), used together with the nsfs handles and
# sys_ptrace below when entering the child's pid namespace.
# avc:  denied  { search } for  pid=274 comm="appspawn" name="648" dev="proc" ino=19134 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1
allow appspawn pid_ns_init:dir { search };

# avc:  denied  { read } for  pid=274 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1
allow appspawn pid_ns_init:file { open getattr read };

# avc:  denied  { read } for  pid=274 comm="appspawn" name="pid" dev="proc" ino=31171 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=lnk_file permissive=1
allow appspawn pid_ns_init:lnk_file { read };

# sys_ptrace is likely what the /proc/<pid>/ns/pid access above requires
# (reading another process's namespace links is ptrace-gated by the
# kernel); it is a second capability rule for this domain, see the main
# capability line above.
# avc:  denied  { sys_ptrace } for  pid=265 comm="appspawn" capability=19  scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1
allow appspawn appspawn:capability { sys_ptrace };

# The denials are nsfs namespace handles ("pid:[...]"), which carry no
# label. The rule is not limited to nsfs, though: it grants open/read on
# every file of type unlabeled, so anything else that ends up unlabelled
# on the device becomes readable by appspawn. A dedicated label for nsfs
# (genfscon) would presumably let this be narrowed.
# avc:  denied  { open } for  pid=277 comm="appspawn" path="pid:[4026532800]" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=277 comm="appspawn" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
allow appspawn unlabeled:file { open read };

# The next four denials come from a child (comm="honydataability") still
# in the appspawn domain during sandbox setup.
# avc:  denied  { mounton } for  pid=2058 comm="honydataability" path="/mnt/sandbox/100/app-root/data/certificates/user_cacerts" dev="mmcblk0p15" ino=149 scontext=u:r:appspawn:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=dir permissive=0
allow appspawn cert_manager_service_file:dir { mounton };
# avc:  denied  { getattr } for  pid=2058 comm="honydataability" path="/system/bin/sh" dev="mmcblk0p7" ino=390 scontext=u:r:appspawn:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=0
allow appspawn sh_exec:file { getattr };
# avc:  denied  { read } for  pid=2058 comm="honydataability" name="bin" dev="mmcblk0p7" ino=129 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0
allow appspawn system_bin_file:dir { open read };
# avc:  denied  { read } for  pid=2058 comm="honydataability" name="el1" dev="tmpfs" ino=159 scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
allow appspawn tmpfs:dir { open read };

# Directory listing on data roots. The commented-out lines are hap data
# types that were deliberately not granted; keep them commented unless a
# denial for that exact type shows up.
#allow appspawn normal_hap_data_file:dir { open read search };
allow appspawn data_misc:dir { open read search };
allow appspawn data_file:dir { open read search };
allow appspawn hmdfs:dir { open read search };
allow appspawn data_app_el2_file:dir { open read search };
allow appspawn data_app_el1_file:dir { open read search };
#allow appspawn system_basic_hap_data_file:dir { open read search };

#allow appspawn system_core_hap_data_file:dir { open read search };
#allow appspawn medialibrary_hap_data_file:dir { open read search };
#allow appspawn permissionmanager_hap_data_file:dir { open read search };
#allow appspawn formrenderservice_hap_data_file:dir { open read search };
allow appspawn data_service_el2_hmdfs:dir { mounton };

allow appspawn normal_hap_data_file_attr:dir { create write add_name setattr };

# Relabelling of per-app data directories: relabelfrom on the
# data_app_elN parent types (el1..el4) plus relabelto on the hap data
# types below. The logged names show the objects are the app's own
# base/database directory under /data/app/elN/<user>/, i.e. the spawner
# moves a freshly created dir from the generic data_app_elN type to the
# app-class-specific type.
# avc:  denied  { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { setattr } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1
allow appspawn data_app_el1_file:dir { relabelfrom setattr };

# avc:  denied  { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el2/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20488 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el2_file:s0 tclass=dir permissive=1
allow appspawn data_app_el2_file:dir { relabelfrom };

# avc:  denied  { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el3/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20492 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el3_file:s0 tclass=dir permissive=1
allow appspawn data_app_el3_file:dir { relabelfrom };

# avc:  denied  { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el4_file:s0 tclass=dir permissive=1
allow appspawn data_app_el4_file:dir { relabelfrom };

# avc:  denied  { relabelto } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:debug_hap_data_file:s0 tclass=dir permissive=1
allow appspawn { debug_hap_data_file normal_hap_data_file system_basic_hap_data_file system_core_hap_data_file }:dir { relabelto };

# No allow rule follows this fsetid denial: it was seen in enforcing mode
# (permissive=0) and appears to be intentionally left unallowed. Keep it
# that way unless a confirmed need to preserve setgid/setuid bits on
# chown/write turns up.
# avc:  denied  { fsetid } for  pid=274 comm="appspawn" capability=4  scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=0

#init extend command, support to enter the application sandbox.
# debug_only: compiled into debug builds only. It grants execution of
# system_bin_file / toybox_exec binaries and tty/pts access so a shell
# can be entered inside the sandbox; none of this belongs in a release
# policy, so verify the macro expands to nothing for user builds.
debug_only(`
    allow appspawn system_bin_file:lnk_file { read };
    allow appspawn system_bin_file:file { getattr execute read open execute_no_trans map };
    allow appspawn toybox_exec:lnk_file { read };
    allow appspawn toybox_exec:file { getattr execute read open execute_no_trans map };
    allow appspawn tty_device:chr_file { getattr ioctl open read write };
    allowxperm appspawn tty_device:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 0x5410 };
    allow appspawn devpts:chr_file { read write open getattr ioctl };
    allow appspawn dev_pts_file:dir { search };
    allow appspawn tmpfs:lnk_file { getattr };
')

# Note the source domain of the first rule is foundation, not appspawn:
# it lives here because the denial arose while reading the sandbox
# config (appdata-sandbox.json) that appspawn consumes.
# avc:  denied  { read } for  pid=2685 comm="OS_FFRT_5_2" name="appdata-sandbox.json" dev="mmcblk0p7" ino=996 scontext=u:r:foundation:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=0
allow foundation system_etc_file:lnk_file { read };
allow appspawn system_etc_file:lnk_file { read };

# Source domain is nwebspawn (the web-render spawner), not appspawn.
#avc:  denied  { sigkill } for  pid=282 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1
allow nwebspawn isolated_render:process { sigkill };

# for enable net namespace: net_admin (third capability rule for this
# domain) plus write access to sysfs_net control files.
# avc:  denied  { net_admin } for  pid=262 comm="appspawn" capability=12  scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1
allow appspawn appspawn:capability { net_admin };
allow appspawn sysfs_net:file { write open };

# remount on labeledfs, raised by an app child (comm="example.demo100")
# still in the appspawn domain; together with the unmount rule above the
# domain can alter mount flags of any labelled filesystem it can reach.
#avc:  denied  { remount } for  pid=22332 comm="example.demo100" scontext=u:r:appspawn:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1
allow appspawn labeledfs:filesystem { remount };
allow appspawn bootuptrace_file:dir { add_name getattr open read search write relabelto };
allow appspawn bootuptrace_file:file { create getattr write open relabelto };

# Crash-dump plumbing: write to faultloggerd's sdkdump socket and read
# the pipe it hands back.
#avc:  denied  { write } for  pid=4946 comm="appspawn" name="faultloggerd.sdkdump.server" dev="tmpfs" ino=395 scontext=u:r:appspawn:s0 tcontext=u:object_r:faultloggerd_socket_sdkdump:s0 tclass=sock_file permissive=1
allow appspawn faultloggerd_socket_sdkdump:sock_file { write };
# avc:  denied  { read } for  pid=4946 comm="appspawn" path="pipe:[43284]" dev="pipefs" ino=43284 scontext=u:r:appspawn:s0 tcontext=u:r:faultloggerd:s0 tclass=fifo_file permissive=1
allow appspawn faultloggerd:fifo_file { read };
# Fourth capability rule for this domain (see the main line above).
allow appspawn appspawn:capability { sys_nice };

# ioctl on the el2 app-data root, limited to the two command numbers
# seen in the denials (ioctlcmd=0x661a / 0x6616) by the allowxperm line.
# avc: denied { ioctl } for pid=748, comm="/system/bin/appspawn" path="/data/app/el2/100" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=11203 ioctlcmd=0x661a scontext=u:r:appspawn:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1
# avc: denied { ioctl } for pid=748, comm="/system/bin/appspawn" path="/data/app/el2/100" dev="/dev/block/platform/b0000000.hi_pcie/by-name/userdata" ino=11203 ioctlcmd=0x6616 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1
allow appspawn data_app_el2_file:dir { ioctl };
allowxperm appspawn data_app_el2_file:dir ioctl { 0x6616 0x661a };

# Sandbox teardown: remove the per-app tmpfs directory tree ...
# avc: denied { rmdir } for pid=744, comm="/system/bin/appspawn" name="/sandbox/100/com.ohos.sceneboard/Users/currentUser" dev="tmpfs" ino=414 scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
allow appspawn tmpfs:dir { rmdir };

# ... and unmount the sharefs / tmpfs mounts that were set up for it.
#avc: denied { unmount } for pid=654, comm="/system/bin/appspawn"  scontext=u:r:appspawn:s0 tcontext=u:object_r:sharefs:s0 tclass=filesystem permissive=1
allow appspawn { sharefs tmpfs }:filesystem { unmount };

# A pipe created by foundation is passed to appspawn (fd use) and written
# back to (fifo_file write).
#avc: denied { use } for pid=51347, comm="/system/bin/appspawn" path="pipe:[8763]" dev="tmpfs" ino=8763 scontext=u:r:appspawn:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=1
allow appspawn foundation:fd { use };
#avc: denied { write } for pid=51347, comm="/system/bin/appspawn" path="pipe:[8763]" dev="tmpfs" ino=8763 scontext=u:r:appspawn:s0 tcontext=u:r:foundation:s0 tclass=fifo_file permissive=1
allow appspawn foundation:fifo_file { write };
