# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the distributedfiledaemon domain
# (the distributed file daemon; the samgr_class / hap_domain / foundation
# types suggest an OpenHarmony-style policy).  Every `allow` below widens
# what the daemon -- or, in a handful of rules, a peer domain -- may do;
# the single `neverallow` constrains which domains may binder-call the
# daemon.  The "#avc:  denied" lines kept above some rules are the audit
# records that motivated them; several were captured with permissive=1,
# i.e. the permission sets were derived from observed accesses rather
# than from a design.  When trimming a rule, re-check the code path
# behind the denial rather than only the denial itself.

# Browse and retag the hmdfs sysfs tree; read/write its control files.
allow distributedfiledaemon sys_fs_hmdfs:dir { read search setattr getattr open };
allow distributedfiledaemon sys_fs_hmdfs:file { setattr getattr open read write };

#avc:  denied  { transfer } for  pid=604 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
#avc:  denied  { call } for  pid=556 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1
# Daemon -> foundation binder traffic (call + passing binder references).
# The reverse direction (foundation -> daemon `transfer`) is granted
# further down; foundation -> daemon `call` is not granted here -- the
# second audit line above, if still reproducible, would need it.
allow distributedfiledaemon foundation:binder { call transfer };

#avc:  denied  { read } for  pid=2101 comm="dfs_rcv1_1_7" laddr=192.168.43.48 lport=57666 faddr=192.168.43.20 fport=45047 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
#avc:  denied  { write } for  pid=182 comm="kworker/u8:5" laddr=192.168.43.48 lport=39379 faddr=192.168.43.20 fport=59752 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
# TCP sockets owned by softbus_server that end up in this domain (the
# audit lines show already-connected sockets being read/written, once
# from a kworker thread).  `getopt` has no matching denial on this page.
allow distributedfiledaemon softbus_server:tcp_socket { getopt read write };

#avc:  denied  { search } for  pid=182 comm="kworker/u8:5" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
# Path-walk components, one rule per label: the root of the data
# partition (name="/" on mmcblk0p11), then the "service" and "el2"
# directories below it.
allow distributedfiledaemon data_file:dir { search };

#avc:  denied  { search } for  pid=182 comm="kworker/u8:5" name="service" dev="mmcblk0p11" ino=1044481 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_service_file:dir { search };

#avc:  denied  { search } for  pid=7 comm="kworker/u8:0" name="el2" dev="mmcblk0p11" ino=130569 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_service_el2_file:dir { search };

#avc:  denied  { search } for  pid=182 comm="kworker/u8:5" name="el2" dev="mmcblk0p11" ino=1044488 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
#avc:  denied  { write } for  pid=182 comm="kworker/u8:5" name="account_cache" dev="mmcblk0p11" ino=1044562 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
# Full directory read/write (rw_dir_perms is a macro defined elsewhere in
# the policy) plus create/rmdir on the hmdfs cache subtree.
# NOTE(review): the two denials above name tcontext data_service_el2_file,
# but this rule targets data_service_el2_hmdfs -- presumably the cache
# subtree has since received its own label; confirm against file_contexts,
# otherwise the logged access is not covered by this rule.
allow distributedfiledaemon data_service_el2_hmdfs:dir { rw_dir_perms rmdir create };

#avc:  denied  { read write open } for  pid=183 comm="kworker/u8:4" path=2F646174612F736572766963652F656C322F3130302F686D6466732F63616368652F6163636F756E745F63616368652F23333933303937202864656C6574656429 dev="mmcblk0p11" ino=393097 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=file permissive=1
# The hex-encoded path above decodes to
# /data/service/el2/100/hmdfs/cache/account_cache/#393097 (deleted)
# (auditd hex-encodes paths containing spaces).  rw_file_perms is a
# policy macro; create/rename/unlink on the same type are granted further
# down.  Same label caveat as the dir rule above.
allow distributedfiledaemon data_service_el2_hmdfs:file { rw_file_perms };

#avc:  denied  { search } for  pid=659 comm="distributedfile" name="socket" dev="tmpfs" ino=40 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
# Look up unix sockets under the tmpfs-backed socket directory.
allow distributedfiledaemon dev_unix_socket:dir { search };

#avc:  denied  { call } for  pid=548 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=1
# Binder calls into the device security level management service.
allow distributedfiledaemon dslm_service:binder { call };

#avc:  denied  { get } for service=3299 pid=609 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
# System-ability lookup (samgr `get`) for SA id 3299, the common event
# service.  This one was denied in enforcing mode (permissive=0).
allow distributedfiledaemon sa_foundation_cesfwk_service:samgr_class { get };

# Only the listed domains may binder-call the daemon.  Note that
# hap_domain is in the exception list, so any application domain is
# allowed to reach the daemon's binder interface -- the daemon's IPC
# entry points must therefore validate caller identity and arguments
# themselves.  Adding a domain here is a policy decision, not a denial fix.
neverallow { domain -pasteboard_service -dslm_service -foundation -softbus_server -accountmgr -device_manager -param_watcher -sadomain -hidumper_service -hap_domain } distributedfiledaemon:binder { call };

# Register and look up the daemon's own system ability on remote devices.
allow distributedfiledaemon sa_filemanagement_distributed_file_daemon_service:samgr_class { add_remote get_remote };

# Path-walk into per-app data directories (el1 and el2 variants).
allow distributedfiledaemon data_app_file:dir { search };

allow distributedfiledaemon data_app_el2_file:dir { search };

# ioctl on the AT char device; the allowxperm below narrows it to a
# single request number.
allow distributedfiledaemon dev_at_file:chr_file { ioctl };

# Capabilities held by the daemon in its own domain:
#   dac_read_search -- bypass DAC read/search checks on files and dirs,
#   chown           -- change file ownership (needed when materialising
#                      files on behalf of other uids; confirm),
#   net_raw         -- raw/packet sockets.  Each of these is a broad
# privilege; if a caller-supplied path ever reaches a chown or an open
# under dac_read_search, that path must be validated first.
allow distributedfiledaemon distributedfiledaemon:capability { dac_read_search chown net_raw };

# Full lifecycle on the daemon's own TCP sockets (server and client side).
allow distributedfiledaemon distributedfiledaemon:tcp_socket { create setopt bind getattr listen getopt shutdown connect accept write read };

# Place a filesystem watch (inotify/fanotify) on hmdfs files; the
# remaining hmdfs:file permissions are granted further down.
allow distributedfiledaemon hmdfs:file { watch };

# Bind TCP sockets to addresses of the generic `node` type.
allow distributedfiledaemon node:tcp_socket { node_bind };

# 0x5413 is TIOCGWINSZ (query terminal window size) -- the only ioctl the
# AT device rule above may issue.
allowxperm distributedfiledaemon dev_at_file:chr_file ioctl { 0x5413 };

# Full lifecycle on the daemon's own UDP sockets.
allow distributedfiledaemon distributedfiledaemon:udp_socket { ioctl shutdown create read write getattr bind connect getopt setopt accept };

# Interface enumeration only: 0x8912 SIOCGIFCONF, 0x8913 SIOCGIFFLAGS,
# 0x8915 SIOCGIFADDR, 0x891b SIOCGIFNETMASK.  No SIOCSIF* (set) requests
# are allowed, which is the intended boundary.
allowxperm distributedfiledaemon distributedfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b };

# Create/read/write files and directories inside application data for all
# three app privilege tiers (normal, system_basic, system_core).  The
# permission sets are identical across tiers; keep them in step.  The
# daemon is writing into data it does not own, so the destination path
# should be derived from policy-controlled inputs, not from the peer.
allow distributedfiledaemon normal_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon normal_hap_data_file_attr:file { write setattr getattr read open create };

allow distributedfiledaemon system_basic_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon system_basic_hap_data_file_attr:file { write setattr getattr read open create };

allow distributedfiledaemon system_core_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon system_core_hap_data_file_attr:file { write setattr getattr read open create };

# Bind to and connect to TCP ports of the generic `port` type -- i.e. not
# restricted to a daemon-specific port label.  If a dedicated port type
# exists for the daemon's listener, prefer it over `port`.
allow distributedfiledaemon port:tcp_socket { name_connect name_bind };

# Read-only access to /sys/devices/system/cpu.
allow distributedfiledaemon sysfs_devices_system_cpu:dir { open read };

allow distributedfiledaemon sysfs_devices_system_cpu:file { read open getattr };

# Read-only access to files directly under the data partition root.
allow distributedfiledaemon data_file:file { getattr read open };

# Read /proc/stat.
allow distributedfiledaemon proc_stat_file:file { open read };

# Create and read/write files under per-user data directories.
allow distributedfiledaemon data_user_file:dir { search getattr write add_name create read open };

allow distributedfiledaemon data_user_file:file { getattr open read write create };

# Daemon -> application binder calls (callbacks into any hap domain).
allow distributedfiledaemon hap_domain:binder { call };

# Full directory and file manipulation on the hmdfs mount, including
# rename/unlink; ioctl is narrowed to TIOCGWINSZ by the allowxperm below.
allow distributedfiledaemon hmdfs:dir { search read open write add_name create setattr remove_name rmdir };

allow distributedfiledaemon hmdfs:file { read open getattr create write setattr rename unlink ioctl };

allowxperm distributedfiledaemon hmdfs:file ioctl { 0x5413 };

# Write to /dev/kmsg (kernel log).  Anything logged here is readable by
# every consumer of the kernel ring buffer, so no file contents or peer
# identifiers should go through this path.
allow distributedfiledaemon dev_kmsg_file:chr_file { write open };

# Supplements the rw_file_perms rule on the hmdfs cache subtree above.
allow distributedfiledaemon data_service_el2_hmdfs:file { create rename unlink };

# System-ability lookups (samgr `get`) for the services the daemon talks
# to: URI permission manager, device profile (SA id 6001 per the denial
# below), storage manager, notification (ans) and bundle manager (bms).
allow distributedfiledaemon sa_uri_permission_mgr_service:samgr_class { get };

#avc:  denied  { get } for service=6001 pid=5338 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=0
allow distributedfiledaemon sa_device_profile_service:samgr_class { get };

#avc:  denied  { call } for  pid=4447 comm="/system/bin/sa_main" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=0
# Binder calls into the distributed scheduler (comm shows the daemon
# running inside sa_main).
allow distributedfiledaemon distributedsche:binder { call };

# foundation -> daemon: pass binder references (pairs with the daemon ->
# foundation rule near the top of the file).
allow foundation distributedfiledaemon:binder { transfer };

# File-descriptor passing over binder.  The daemon may use descriptors
# received from the media library, pasteboard and distributed-data
# domains, and pasteboard / distributeddata may use descriptors received
# from the daemon (the medialibrary_hap reverse direction is not granted
# here).  Descriptors received from a hap should be validated (fstat,
# expected type) before being used.
allow distributedfiledaemon medialibrary_hap:fd { use };

allow distributedfiledaemon pasteboard_service:fd { use };

allow distributedfiledaemon distributeddata:fd { use };

allow distributeddata distributedfiledaemon:fd { use };

allow pasteboard_service distributedfiledaemon:fd { use };

# Storage manager and distributed data: lookup and binder calls.
allow distributedfiledaemon sa_storage_manager_service:samgr_class { get };

allow distributedfiledaemon storage_manager:binder { call };

allow distributedfiledaemon distributeddata:binder { call };

# Path-walk into the chip/prod partition.
allow distributedfiledaemon chip_prod_file:dir { search };

# Read/write on TTY char devices.  NOTE(review): the purpose is not
# evident from this file; if it exists only for interactive debugging it
# should be removed from the shipping policy.
allow distributedfiledaemon tty_device:chr_file { read write };

# Path-walk into /data/service/el1.
allow distributedfiledaemon data_service_el1_file:dir { search };

# Bind UDP sockets to addresses of the generic `node` type.
allow distributedfiledaemon node:udp_socket { node_bind };

# Rules whose subject is not the daemon: pasteboard_service and
# distributeddata may look up the storage manager SA.  They live here
# because the daemon's flows need them, but they widen those two domains,
# so keep them in mind when reviewing either peer's policy.
allow pasteboard_service sa_storage_manager_service:samgr_class { get };

allow distributeddata sa_storage_manager_service:samgr_class { get };

# Follow symlinks on the hmdfs mount and the hmdfs cache subtree.  Symlink
# targets inside a shared mount are peer-controlled data.
allow distributedfiledaemon hmdfs:lnk_file { read };

allow distributedfiledaemon data_service_el2_hmdfs:lnk_file { read };

allow distributedfiledaemon sa_foundation_ans:samgr_class { get };

allow distributedfiledaemon sa_foundation_bms:samgr_class { get };

# ioctl on files under /system/etc, narrowed to request 0xf207.
# NOTE(review): 0xf207 is not a standard Linux ioctl number known here;
# record the defining kernel header (filesystem-specific request,
# presumably) next to the rule so the grant stays reviewable.
allow distributedfiledaemon system_etc_file:file { ioctl };

allowxperm distributedfiledaemon system_etc_file:file ioctl { 0xf207 };

# Open the ashmem device (shared-memory regions; no other perms needed
# here since the regions are created through the descriptor).
allow distributedfiledaemon dev_ashmem_file:chr_file { open };

# Path-walk into FUSE-backed directories.
allow distributedfiledaemon fuse_file:dir { search };