• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14# avc:  denied  { execute } for  pid=3708 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore/libs/arm64/libweb_engine.so" dev="sdd78" ino=30131 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
15allow isolated_gpu data_app_el1_file:dir { getattr };
16# allow isolated_gpu data_app_el1_file:dir { execute };
17
18# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=112 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
19allow isolated_gpu dev_unix_socket:dir { search };
20
21# avc:  denied  { use } for  pid=3708 comm="ei.hmos.browser" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:isolated_gpu:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1
22allow isolated_gpu nwebspawn:fd { use };
23allow isolated_gpu nwebspawn:unix_dgram_socket { write connect};
24
25# avc:  denied  { call } for  pid=3708 comm="ei.hmos.browser" scontext=u:r:isolated_gpu:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1
26allow isolated_gpu time_service:binder { call };
27
28# avc:  denied  { getattr } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
29# avc:  denied  { read open } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
30# avc:  denied  { map } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
31allow isolated_gpu system_file:file { getattr read open map };
32
33# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="bin" dev="sdd74" ino=338 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
34allow isolated_gpu system_bin_file:dir { search };
35
36# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
37allow isolated_gpu tracefs:dir { search };
38
39allow isolated_gpu sa_foundation_appms:samgr_class { get };
40allow isolated_gpu sa_param_watcher:samgr_class { get };
41allow isolated_gpu sa_render_service:samgr_class { get };
42allow isolated_gpu sa_time_service:samgr_class { get };
43allow isolated_gpu data_app_el1_file:file { execute };
44allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open };
45# avc:  denied  { ioctl } for  pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
46# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
47# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
48# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
49# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
50# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
51# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
52# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
53# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
54# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
55# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
56# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
57# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
58# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x803b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
59# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8025 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
60# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x803c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
61# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x801b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
62# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
63# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x801e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
64# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8018 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
65# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8034 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
66# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8033 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
67# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8036 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
68# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8030 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
69# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x803a scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
70# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
71# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8024 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
72# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8027 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
73# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
74# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
75# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x802b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
76# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8029 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
77# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8031 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
78# avc:  denied  { ioctl } for  pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93  ioctlcmd=0x8036 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
79allowxperm isolated_gpu dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800c 0x800e 0x800f 0x8014 0x8016 0x8018 0x8019 0x801b 0x801d 0x801e 0x8024 0x8025 0x8026 0x8027 0x8029 0x802a 0x802b 0x802c 0x802d 0x802e 0x802f 0x8030 0x8031 0x8033 0x8034 0x8036 0x803a 0x803b 0x803c};
80allow isolated_gpu hap_domain:binder { call transfer };
81allow isolated_gpu hap_domain:fd { use };
82allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown};
83allow isolated_gpu nwebspawn:fifo_file { write };
84allow isolated_gpu persist_param:file { map read open };
85allow isolated_gpu render_service:unix_stream_socket { write read };
86
87allow isolated_gpu sa_foundation_bms:samgr_class { get };
88allow isolated_gpu sysfs_devices_system_cpu:dir { read open };
89allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open };
90
91allow isolated_gpu allocator_host:fd { use };
92allow isolated_gpu ohos_boot_param:file { map read open };
93allow isolated_gpu sa_resource_schedule:samgr_class { get };
94allow isolated_gpu web_private_param:file { map open read };
95
96allow isolated_gpu allocator_host:binder { call };
97allow isolated_gpu av_codec_service:binder { call transfer };
98allow isolated_gpu dev_ashmem_file:chr_file { open };
99allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get };
100allow isolated_gpu hiview:unix_dgram_socket { sendto };
101allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt };
102allow isolated_gpu persist_sys_param:file { map open read };
103allow isolated_gpu sa_av_codec_service:samgr_class { get };
104allow isolated_gpu sa_device_service_manager:samgr_class { get };
105allow isolated_gpu codec_host:fd { use };
106allow isolated_gpu av_codec_service:fd { use };
107
108allow isolated_gpu isolated_gpu:process { ptrace };
109
110# avc_audit_slow:267] avc: denied { write } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
111allow isolated_gpu appspawn:unix_dgram_socket { write };
112
113# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
114# avc_audit_slow:267] avc: denied { transfer } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
115allow isolated_gpu codec_host:binder { call transfer };
116
117# avc_audit_slow:267] avc: denied { search } for pid=43562, comm="/system/bin/appspawn"  name="/app/el1/bundle/public/com.ohos.nweb/libs/arm64" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16288 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
118allow isolated_gpu data_app_el1_file:dir { search };
119
120# avc_audit_slow:267] avc: denied { getattr } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
121# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
122# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
123# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
124allow isolated_gpu data_app_el1_file:file { getattr map open read };
125
126# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
127# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
128allow isolated_gpu foundation:binder { call transfer };
129
130# avc_audit_slow:267] avc: denied { call } for pid=41570, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
131allow isolated_gpu hdf_devmgr:binder { call };
132
133# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
134# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
135# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
136allow isolated_gpu hichecker_writable_param:file { map open read };
137
138# avc_audit_slow:267] avc: denied { use } for pid=37163, comm="/system/bin/appspawn"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:r:isolated_render:s0 tclass=fd permissive=1
139allow isolated_gpu isolated_render:fd { use };
140
141# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
142# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
143allow isolated_gpu param_watcher:binder { call transfer };
144
145# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
146# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
147allow isolated_gpu render_service:binder { call transfer };
148
149# avc_audit_slow:267] avc: denied { use } for pid=1391, comm="/system/bin/render_service"  path="anon_inode:sync_file" dev="" ino=0 scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1
150allow isolated_gpu render_service:fd { use };
151allow isolated_gpu composer_host:fd { use };
152
153# avc_audit_slow:267] avc: denied { call } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
154# avc_audit_slow:267] avc: denied { transfer } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
155allow isolated_gpu samgr:binder { call transfer };
156
157# avc:  denied  { get } for service=codec_component_manager_service sid=u:r:isolated_gpu:s0 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hdf_codec_component_manager_service:s0 tclass=hdf_devmgr_class permissive=1
158allow isolated_gpu hdf_codec_component_manager_service:hdf_devmgr_class { get };
159allow isolated_gpu data_local_shadercache:dir { create open read search write add_name };
160allow isolated_gpu data_local_shadercache:file { create read open write getattr };
161allow isolated_gpu vendor_etc_vulkan_file:dir { open read search };
162allow isolated_gpu vendor_etc_vulkan_file:file { getattr open read };
163
164