# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the blue_host domain (the process that registers
# hci_interface_service with the HDF device manager, per the denial quoted
# below). Allow rules are additive, so the grouping here is for readers only.
# Where a rule was derived from an audit record, that record is kept verbatim
# above it as the justification.

# ---------------------------------------------------------------------------
# Filesystem: directory traversal and read-mostly access
# ---------------------------------------------------------------------------

#avc: denied { search } blue_host data_file tclass=dir
allow blue_host data_file:dir { search };

#avc: denied { read } blue_host vendor_file tclass=file
#avc: denied { open } blue_host vendor_file tclass=file
allow blue_host vendor_file:file { read open };

#avc: denied { open } blue_host tmpfs tclass=file
allow blue_host tmpfs:file { open };

allow blue_host dev_unix_socket:dir { search };
allow blue_host system_bin_file:dir { search };
allow blue_host vendor_etc_file:dir { search };
allow blue_host vendor_etc_file:file { getattr open read };

# NOTE(review): sys_file is written as well as read, and the rule covers every
# file carrying that type. No audit record is attached, so the node that needs
# write access cannot be identified from this file; confirm it and consider
# whether a narrower type is available for it.
allow blue_host sys_file:file { open read write };

# ---------------------------------------------------------------------------
# Filesystem: persistent Bluetooth data under the data_vendor type
# ---------------------------------------------------------------------------

#avc: denied { search } blue_host data_vendor tclass=dir
allow blue_host data_vendor:dir { search };

#avc: denied { add_name } for pid=987 comm="IPC_3_3086" name="bluetooth" dev="sdd78" ino=7746 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=dir permissive=0
#avc: denied { write } for pid=990 comm="IPC_0_1010" name="bluetooth" dev="sdd78" ino=7746 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=dir permissive=0
allow blue_host data_vendor:dir { add_name write };

# NOTE(review): the records below concern one file (btmac.txt) in one directory
# (name="bluetooth"), but the rules above and below apply to every directory
# and file labelled data_vendor. Giving the bluetooth directory its own type in
# the file contexts and targeting that type here would limit create/write to
# the data this domain owns; confirm whether such a type is already defined.
#avc: denied { create } for pid=986 comm="IPC_3_2618" name="btmac.txt" scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0
#avc: denied { read write open } for pid=1007 comm="IPC_1_1005" path="/data/vender/bluetooth/btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0
#avc: denied { read } for pid=1007 comm="IPC_3_3026" name="btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0
#avc: denied { read write } for pid=1007 comm="IPC_3_3026" name="btmac.txt" dev="sdd78" ino=8371 scontext=u:r:blue_host:s0 tcontext=u:object_r:data_vendor:s0 tclass=file permissive=0
allow blue_host data_vendor:file { create read write open };

# ---------------------------------------------------------------------------
# Service registration and IPC (HDF device manager, samgr, binder)
# ---------------------------------------------------------------------------

# Both records were logged with permissive=1, i.e. the access was reported but
# not blocked at capture time.
#avc: denied { get } for service=hdf_device_manager pid=362 scontext=u:r:blue_host:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1
#avc: denied { add } for service=hci_interface_service pid=362 scontext=u:r:blue_host:s0 tcontext=u:object_r:hdf_hci_interface_service:s0 tclass=hdf_devmgr_class permissive=1
allow blue_host hdf_device_manager:hdf_devmgr_class { get };
allow blue_host hdf_hci_interface_service:hdf_devmgr_class { add };

allow blue_host sa_device_service_manager:samgr_class { get };

allow blue_host bluetooth_service:binder { call };
allow blue_host hdf_devmgr:binder { call transfer };
allow blue_host samgr:binder { call };

# ---------------------------------------------------------------------------
# Character devices and their ioctl whitelists
# ---------------------------------------------------------------------------

# The allowxperm rules restrict the ioctl permission granted on each device to
# the listed command numbers; any other ioctl on these types stays denied.
allow blue_host dev_hdf_kevent:chr_file { getattr ioctl open read write };
# 0x62xx command meanings are not shown in this file.
allowxperm blue_host dev_hdf_kevent:chr_file ioctl { 0x6201 0x6202 0x6203 };

allow blue_host tty_device:chr_file { ioctl open read write };
# On the common Linux ABI: 0x5401 TCGETS, 0x5402 TCSETS, 0x540b TCFLSH.
allowxperm blue_host tty_device:chr_file ioctl { 0x5401 0x5402 0x540b };

# ---------------------------------------------------------------------------
# Capabilities
# ---------------------------------------------------------------------------

# NOTE(review): neither capability has an audit record attached. net_admin in
# particular covers a wide set of network-configuration operations; record
# which operation requires it so the grant can be re-evaluated later.
allow blue_host blue_host:capability { net_admin sys_nice };

# ---------------------------------------------------------------------------
# System parameter areas (read-only, mapped)
# ---------------------------------------------------------------------------

allow blue_host bootevent_param:file { map open read };
allow blue_host bootevent_samgr_param:file { map open read };
allow blue_host build_version_param:file { map open read };
allow blue_host const_allow_mock_param:file { map open read };
allow blue_host const_allow_param:file { map open read };
allow blue_host const_build_param:file { map open read };
allow blue_host const_display_brightness_param:file { map open read };
allow blue_host const_param:file { map open read };
allow blue_host const_postinstall_fstab_param:file { map open read };
allow blue_host const_postinstall_param:file { map open read };
allow blue_host const_product_param:file { map open read };
allow blue_host debug_param:file { map open read };
allow blue_host default_param:file { map open read };
allow blue_host distributedsche_param:file { map open read };
allow blue_host hilog_param:file { map open read };
allow blue_host hw_sc_build_os_param:file { map open read };
allow blue_host hw_sc_build_param:file { map open read };
allow blue_host hw_sc_param:file { map open read };
allow blue_host init_param:file { map open read };
allow blue_host init_svc_param:file { map open read };
allow blue_host input_pointer_device_param:file { map open read };
allow blue_host net_param:file { map open read };
allow blue_host net_tcp_param:file { map open read };
allow blue_host ohos_boot_param:file { map open read };
allow blue_host ohos_param:file { map open read };
allow blue_host persist_param:file { map open read };
allow blue_host persist_sys_param:file { map open read };
allow blue_host security_param:file { map open read };
allow blue_host startup_param:file { map open read };
allow blue_host sys_param:file { map open read };
allow blue_host sys_usb_param:file { map open read };