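# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the hiview domain. The file also defines the
# use_hisysevent macro and applies it to every domain except kernel.

# init_daemon_domain is defined outside this file; presumably it sets up the
# transition from init into the hiview domain - confirm against the macro.
init_daemon_domain(hiview);

# use_hisysevent: grants the domain set passed as $1 write access to the
# hisysevent socket file.
define(`use_hisysevent', `
    allow $1 hisysevent_socket:sock_file write;
')

# NOTE(review): the macro is applied to { domain -kernel }, so every domain
# except kernel may write to this socket. The reader of the socket should
# treat each record as untrusted input (length limits, field validation,
# rate limiting), since the sender set is not restricted to system services.
use_hisysevent({ domain -kernel })

# capability2 syslog is CAP_SYSLOG, held by hiview over itself.
allow hiview hiview:capability2 { syslog };
allow hiview hiview:dir { search };
allow hiview hiview_exec:file { entrypoint execute map read };
# NOTE(review): CAP_SYS_PTRACE is granted while the neverallow below forbids
# the process ptrace permission towards every domain. Presumably the
# capability is wanted for reading /proc data of other processes rather than
# for attaching to them - confirm, and keep the neverallow in place.
allow hiview hiview:capability { sys_ptrace };
neverallow hiview *:process ptrace;

# Local sockets: own datagram socket, init sockets, faultloggerd stream socket.
allow hiview hiview:unix_dgram_socket { getopt setopt };
allow hiview init:unix_dgram_socket { getattr getopt read write setopt };
allow hiview init:unix_stream_socket { connectto };
allow hiview faultloggerd:unix_stream_socket { connectto };

# Files labelled hiview_file: full management by hiview.
# NOTE(review): ioctl is granted on hiview_file files but no allowxperm rule
# for that type is visible in this file; if none exists elsewhere the grant
# is not limited to specific ioctl commands.
allow hiview hiview_file:dir { search getattr read open write add_name remove_name rmdir };
allow hiview hiview_file:file { getattr setattr append ioctl unlink map read write open lock rename };

# Log directory labelled data_log: create, rotate and delete log files.
allow hiview data_file:dir { search };
allow hiview data_log:dir { add_name open read search watch write create remove_name };
#avc: denied { ioctl } for pid=2354 comm="plat_shared" path="/data/log/faultlog/JS_ERROR1501989881389" dev="mmcblk0p15" ino=9492 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1
allow hiview data_log:file { create getattr lock map open read write unlink rename append ioctl };
# 0x5413 is the command recorded in the denial above.
# NOTE(review): 0xf546 and 0xf547 have no denial or explanation next to them;
# record which requests they are and why hiview needs them.
allowxperm hiview data_log:file ioctl { 0x5413 0xf546 0xf547 };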
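# Lookup and read access to system directories, binaries and process info.
allow hiview data_system:dir { search getattr };
allow hiview system_etc_file:dir { open read };
allow hiview system_bin_file:dir { search };
# NOTE(review): entrypoint is granted on the generic system_bin_file and
# toybox_exec labels, in addition to hiview_exec. That lets any file with
# those labels serve as an entry into the hiview domain for whichever source
# domain holds the matching transition permission. No execute_no_trans is
# granted on these labels here. Confirm entrypoint is really required.
allow hiview system_bin_file:file { read execute entrypoint };
allow hiview system_bin_file:lnk_file { read };
allow hiview toybox_exec:file { read execute entrypoint getattr map open };
allow hiview toybox_exec:lnk_file { read };
allow hiview sys_file:dir { read open };
allow hiview sys_file:file { read open };
allow hiview dev_bbox:chr_file { ioctl read open };
# dir and file objects labelled with a process attribute; presumably the
# /proc entries of application processes - confirm.
allow hiview normal_hap_attr:dir { getattr open read search };
allow hiview normal_hap_attr:file { getattr open read };
allow hiview proc_cpuinfo_file:file { read open };
# NOTE(review): no denial is recorded for this rule; document which character
# device carries the rootfs label and why hiview reads and writes it.
allow hiview rootfs:chr_file { read write };
allow hiview faultloggerd_temp_file:file { getattr };
allow hiview faultloggerd:fifo_file { read };
allow hiview system_basic_hap_attr:dir { search };
allow hiview system_basic_hap_attr:file { getattr read open };
allow hiview system_core_hap_attr:file { getattr read open };
# execute_no_trans: usage_report runs inside the hiview domain and therefore
# with every permission granted to hiview in this file.
allow hiview usage_report_exec:file { getattr read open execute_no_trans map execute };
allow hiview vendor_bin_file:dir { search };
allow hiview hdf_devhost_exec:dir { search };
allow hiview proc_meminfo_file:file { open read };

allow hiview data_init_agent:dir { search };
allow hiview data_init_agent:file { ioctl open read append };

# Binder peers hiview may call and pass references to.
allow hiview foundation:binder { call transfer };
allow hiview init:binder { call transfer };
allow hiview samgr:binder { call transfer };
allow hiview tmpfs:lnk_file { read };
allow hiview time_service:binder { call transfer };
allow hiview param_watcher:binder { call transfer };
binder_call(hiview, powermgr);
allow hiview hdcd:binder { call transfer };
allow hiview resource_schedule_service:binder { call transfer };
allow hiview normal_hap_attr:binder { call transfer };
allow hiview system_basic_hap_attr:binder { call transfer };
allow hiview system_core_hap_attr:binder { call transfer };
allow hiview accountmgr:binder { call transfer };
allow hiview device_usage_stats_service:binder { call transfer };

allow hiview dev_unix_socket:dir { search };
allow hiview dev_unix_socket:sock_file { write };
allow hiview faultloggerd_socket:sock_file { write };

allow hiview tracefs:dir { search };
allow hiview tracefs_trace_marker_file:file { write open };

allow hiview vendor_lib_file:dir { search };
allow hiview vendor_lib_file:file { read open getattr map execute };

allow hiview bgtaskmgr_service:dir { search };
allow hiview bgtaskmgr_service:file { open read };

# ioctl commands hiview may issue on the dev_bbox device. The three
# single-command rules are merged into one set; the granted commands are
# unchanged. The neverallowxperm on dev_bbox later in this file bounds what
# may ever be added here.
allowxperm hiview dev_bbox:chr_file ioctl { 0x4264 0x4266 0x426f };

#avc: denied { get } for service=3301 pid=618 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1
allow hiview sa_powermgr_powermgr_service:samgr_class { get };
allow hiview sa_powermgr_displaymgr_service:samgr_class { get };

allowxperm hiview data_init_agent:file ioctl { 0x5413 };

# System abilities that hiview both registers (add) and looks up (get).
allow hiview sa_sys_event_service:samgr_class { add get };
allow hiview sa_hiview_service:samgr_class { add get };
allow hiview sa_hiview_faultlogger_service:samgr_class { add get };

#avc: denied { read write } for pid=1955 comm="hiview" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
allow hiview dev_console_file:chr_file { read write };
#avc: denied { write } for pid=1961 comm="hiview" name="paramservice" dev="tmpfs" ino=28 scontext=u:r:hiview:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0
allow hiview paramservice_socket:sock_file { write };
#avc: denied { connectto } for pid=1130 comm="hiview" path="/dev/unix/socket/paramservice" scontext=u:r:hiview:s0 tcontext=u:r:kernel:s0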
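# [AVC record continued] tclass=unix_stream_socket permissive=0
# NOTE(review): the denial names the paramservice socket, but its peer label
# is kernel, so this rule permits connecting to any stream socket that
# carries the kernel label. Presumably the socket is created before its
# owner leaves the kernel context - confirm, and prefer a dedicated label.
allow hiview kernel:unix_stream_socket { connectto };

#avc: denied { read } for pid=4200 comm="usage_report" name="u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc: denied { open } for pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc: denied { map } for pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow hiview musl_param:file { read open map };

# ASan log directory (/dev/asanlog in the denials below).
# NOTE(review): the rules for hdcd and init in this group extend other
# domains from inside the hiview policy file, and none of them is wrapped in
# a debug-only guard. If the ASan log directory exists only on instrumented
# builds, consider restricting these grants to such builds - confirm.

#avc: denied { getattr } for pid=1123 comm="hdcd" path="/dev/asanlog" dev="tmpfs" ino=629 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=0
allow hdcd dev_asanlog_file:dir { read_dir_perms write add_name create };
#avc: denied { write create open } for pid=1358 comm="hdcd" path="/dev/asanlog/asan.log.3273" dev="tmpfs" ino=727 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=file permissive=1
allow hdcd dev_asanlog_file:file { write create read_file_perms };

# hiview itself only reads the directory and the log files in it.
#avc: denied { read } for pid=3520 comm="hiview" name="asanlog" dev="tmpfs" ino=726 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
#allow hiview dev_asanlog_file:dir { read open watch getattr create search };
allow hiview dev_asanlog_file:dir { read_dir_perms };

#avc: denied { read } for pid=449 comm="hiview" name="asan.log.2718" dev="tmpfs" ino=731 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0
allow hiview dev_asanlog_file:file { read_file_perms };

#avc: denied { relabelto } for pid=3281 comm="init" name="asanlog" dev="tmpfs" ino=629 scontext=u:r:init:s0 tcontext=u:object_r:dev_asanlog_file:s0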
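# [AVC record continued] tclass=dir permissive=0
#avc: denied { getattr } for pid=3281 comm="init" path="/dev/asanlog/asan.log.2718" dev="tmpfs" ino=727 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0
allow init dev_asanlog_file:dir { setattr read getattr relabelto };

# Read access to the kernel log.
allow hiview kernel:system { syslog_read };

# hilog and hitrace are executed with execute_no_trans, so they run inside
# the hiview domain with every permission granted to hiview in this file.
allow hiview hilog_exec:file { execute read open execute_no_trans map };
allow hiview hilog_output_socket:sock_file { write };
allow hiview hilogd:unix_stream_socket { connectto };

allow hiview hitrace_exec:file { execute read open execute_no_trans map };
# NOTE(review): write on the generic tracefs label covers every tracefs file
# that has no more specific type; a dedicated type for the files hiview must
# control would narrow this.
allow hiview tracefs:file { write };

# NOTE(review): presumably /proc/sysrq-trigger. Writes to that file invoke
# kernel SysRq actions, which include crashing or rebooting the device, so
# the code path that performs the write must not be steerable by event
# records received from other domains. ioctl is granted here with no
# allowxperm rule for this type visible in this file.
allow hiview proc_sysrq_trigger_file:file { open getattr write ioctl };

#avc: denied { search } for pid=252 comm="exportSysEventT" name="app" dev="mmcblk0p12" ino=43 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0
allow hiview data_app_file:dir { search };

# Per-application log directories labelled data_app_el2_file: hiview creates,
# modifies and removes entries there.
#avc: denied { search } for pid=247 comm="exportSysEventT" name="el2" dev="mmcblk0p12" ino=47 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0
#avc: denied { add_name } for pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1
#avc: denied { write } for pid=266 comm="freeze_detector" name="hiappevent" dev="mmcblk0p15" ino=2265 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0
allow hiview data_app_el2_file:dir { search read open add_name write create setattr getattr remove_name };

#avc: denied { create } for pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1
#avc: denied { ioctl } for pid=2716 comm="freeze_detector"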
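# [AVC record continued] path="/data/app/el2/100/log/com.example.myapplication/hiappevent/APP_FREEZE_1501994090092_2792.log" dev="mmcblk0p15" ino=2352 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1
#avc: denied { setattr } for pid=263 comm="plat_shared" name="APP_CRASH_1501997026177_1964.log" dev="mmcblk0p15" ino=2180 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=0
allow hiview data_app_el2_file:file { open getattr read write create ioctl setattr append rename unlink };
# ioctl on these files is limited to the command seen in the denial above.
allowxperm hiview data_app_el2_file:file ioctl { 0x5413 };

# Event export into application data directories.
# NOTE(review): the denials in this group name the type
# system_basic_hap_data_file, while the rules grant on the attribute
# system_basic_hap_data_file_attr. The attribute may cover more types than
# the one that was denied - confirm that every member is intended.
# NOTE(review): hiview creates and writes files inside directories owned by
# applications. No lnk_file permission for these types is granted to hiview
# in this file, which makes SELinux deny following a link placed there; keep
# it that way and confirm that no other policy file adds it.
#avc: denied { search } for pid=247 comm="exportSysEventT" name="com.huawei.myapplication" dev="mmcblk0p12" ino=2366 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
#avc: denied { write } for pid=252 comm="exportSysEventT" name="hiview" dev="mmcblk0p12" ino=2417 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
#avc: denied { add_name } for pid=251 comm="exportSysEventT" name="Reliability-EVENT-20170816160811-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
allow hiview system_basic_hap_data_file_attr:dir { add_name search write };

#avc: denied { create write open } for pid=256 comm="exportSysEventT" name="Reliability-EVENT-20170816164943-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0
allow hiview system_basic_hap_data_file_attr:file { create write open };

#avc: denied { search } for pid=241 comm="exportSysEventT" name="com.huawei.myapplicationtest" dev="mmcblk0p12" ino=1615 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0
allow hiview normal_hap_data_file:dir { search };

#avc: denied { write } for pid=245 comm="exportSysEventT" name="cache" dev="mmcblk0p12"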
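# [AVC record continued] ino=1616 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0
allow hiview normal_hap_data_file:dir { write add_name };

allow hiview normal_hap_data_file:file { create write open };

#avc: denied { setattr } for pid=246 comm="exportSysEventT" name="RELIABILITY-20170806025113-000-0.evt" dev="mmcblk0p12" ino=2052 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0
allow hiview system_basic_hap_data_file_attr:file { setattr };
allow hiview normal_hap_data_file:file { setattr };

# debug_only is defined outside this file; presumably its body is compiled
# in only for debug builds - confirm against the macro.
# NOTE(review): the last two rules inside give the su domain create and write
# access to hiview_sys_def_file. If hiview trusts the content of those files,
# that trust must not carry over to builds where these rules are active.
debug_only(`
    allow hiview sh:dir { getattr open read search };
    allow hiview sh:file { getattr read open };
    allow hiview sh:binder { call transfer };
    allow su hiview_sys_def_file:dir { getattr read open search };
    allow su hiview_sys_def_file:file { getattr write open read create };
')

# NOTE(review): this file already grants { call transfer } on
# system_basic_hap_attr:binder among its other binder rules, so the rule
# below adds nothing and can be dropped together with its denial record.
#avc: denied { call } for pid=256 comm="IPC_3_1647" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0
allow hiview system_basic_hap_attr:binder { call };

#avc: denied { getattr } for pid=1989 comm="sysevent_source" path="/dev/unix/socket/hisysevent" scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=unix_dgram_socket permissive=1
allow hiview hiview:unix_dgram_socket { getattr };

#avc: denied { open } for pid=262 comm="hiview" path="/dev/ashmem" dev="tmpfs" ino=177 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1
allow hiview dev_ashmem_file:chr_file { open };

# Event definition file shipped under /vendor/etc (path taken from the
# denials below): lookup and read only.
#avc: denied { search } for pid=2001 comm="hiview" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
allow hiview vendor_etc_file:dir { search };

#avc: denied { read } for pid=2001 comm="hiview" name="hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
#avc: denied { open } for pid=2001 comm="hiview" path="/vendor/etc/hiview/hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
allow hiview vendor_etc_file:file { read open };

allow hiview hisysevent:binder { call transfer };
allow hiview hisysevent:dir { search };
allow hiview hisysevent:file { read open getattr };

# NOTE(review): ioctl is granted on dev_ucollection with no allowxperm rule
# for that type visible in this file; if none exists elsewhere, every ioctl
# command of the device is reachable from hiview. List the needed commands.
allow hiview dev_ucollection:chr_file { ioctl open read write };

#avc: denied { read } for pid=1853 comm="plat_shared" name="possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc: denied { open } for pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow hiview sysfs_devices_system_cpu:file { read open getattr };

#avc: denied { read } for pid=260 comm="IPC_2_721" name="tracing_on" dev="tracefs" ino=18185 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=0
#avc: denied { open } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
#avc: denied { ioctl } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693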
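# [AVC record continued] scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
allow hiview tracefs:file { read open ioctl getattr };
allowxperm hiview tracefs:file ioctl { 0x5413 };

#avc: denied { read } for pid=3130 comm="plat_shared" name="diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
#avc: denied { open } for pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
allow hiview proc_diskstats_file:file { read open getattr };

# NOTE(review): the recorded denial targets system_basic_hap only, yet the
# rule grants signal towards the whole domain attribute. Together with
# CAP_KILL, which removes the ownership check on signal delivery, hiview can
# signal any process the attribute covers. Consider narrowing the target to
# the application attributes already used in this file (normal_hap_attr,
# system_basic_hap_attr, system_core_hap_attr) or excluding critical domains
# with the set-subtraction form used for use_hisysevent.
#avc: denied { kill } for pid=7601 comm="hiview" capability=5 scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=capability permissive=1
#avc: denied { signal } for pid=7601 comm="hiview" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=process permissive=1
allow hiview domain:process signal;
allow hiview hiview:capability kill;

#avc: denied { call } for pid=519 comm="IPC_0_576" scontext=u:r:hiview:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0
allow hiview softbus_server:binder { call };

# Application event files under the per-app cache directory.
# NOTE(review): every denial in the two groups below names the type
# debug_hap_data_file, while the rules grant on the attribute
# normal_hap_data_file_attr. Confirm that the attribute is meant to include
# that type and that access to all of its other members is intended.
#avc: denied { search } for pid=251 comm="OS_IPC_3_2826" name="com.example.myapplication" dev="mmcblk0p15" ino=2012 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc: denied { write } for pid=251 comm="OS_IPC_3_2826" name="hiappevent" dev="mmcblk0p15" ino=2058 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc: denied { add_name } for pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc: denied { read } for pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc: denied { getattr } for pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc: denied { open } for pid =655 comm="system/bin/hiview" path="/data/app/el2/100/base/com.ohos.xxx/cache/hiappevent" dev="/dev/block/platform/ee560000.ufs/by-name/userdata" ino=40446 scontext=u:r:hiview:s0 tcontext=o:object_r:debug_hap_data_file:s0:x225,x334,x512,x868,x1024 tclass=dir permissive=0
allow hiview normal_hap_data_file_attr:dir { search write add_name read getattr open };

#avc: denied { create } for pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc: denied { write open } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc: denied { ioctl } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc: denied { append } for pid=617 comm="/system/bin/hiview" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1712134642860.txt"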
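# [AVC record continued] dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25137 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0
allow hiview normal_hap_data_file_attr:file { create write open ioctl getattr append };
allowxperm hiview normal_hap_data_file_attr:file ioctl { 0x5413 };

allow hiview sa_distributeddata_service:samgr_class { get };
# File descriptors and pipes handed over by processdump.
allow hiview processdump:fd { use };
allow hiview processdump:fifo_file { read };

allow hiview distributeddata:binder { call transfer };
allow hiview distributeddata:fd { use };

# NOTE(review): this pair applies to the whole sadomain attribute, not to
# hiview alone: every member may open dev_bbox for reading and writing and
# issue ioctl 0xab09. Placing it in the hiview file hides a grant that
# affects many services - confirm the scope and consider moving it next to
# the definition of the attribute.
allow sadomain dev_bbox:chr_file { ioctl read open write };
allowxperm sadomain dev_bbox:chr_file ioctl { 0xab09 };

# Upper bound for hiview on dev_bbox: any ioctl command outside this list is
# a policy build error. The list is wider than the commands actually granted
# to hiview in this file, so it leaves room for grants made elsewhere.
neverallowxperm hiview dev_bbox:chr_file ioctl ~{ 0xab09 0xaf01 0xaf02 0xaf03 0xaf04 0xaf05 0xaf06 0xaf07 0xaf08 0x4264 0x4265 0x4266 0x426a 0x426f 0x5413 0x601 };

#avc: denied { get } for service=4607 pid=8375 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0
allow hiview sa_foundation_dms:samgr_class { get };

allow hiview hidumper:fd { use };

# Read-only access to service data; the denials below name the
# render_service directory under /data/service/el0.
#avc: denied { search } for pid=620, comm="/system/bin/hiview" name="/service/el0" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=10 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0
#avc: denied { open } for pid=620, comm="/system/bin/hiview" path="/data/service/el0/render_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=40 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0
#avc: denied { read } for pid=623, comm="/system/bin/hiview" path="/data/service/el0/render_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=40 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=dir permissive=0
allow hiview data_service_el0_file:dir { read open search };

#avc: denied { getattr } for pid=622,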
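# [AVC record continued] comm="/system/bin/hiview" path="/data/service/el0/render_service/file00.ohr" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=29695 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0
#avc: denied { read } for pid=622, comm="/system/bin/hiview" path="/data/service/el0/render_service/file01.ohr" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=30554 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0
#avc: denied { open } for pid=622, comm="/system/bin/hiview" path="/data/service/el0/render_service/file01.ohr" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=33037 scontext=u:r:hiview:s0 tcontext=u:object_r:data_service_el0_file:s0 tclass=file permissive=0
# NOTE(review): the denials concern files of one service directory, but the
# label data_service_el0_file may be shared by other services; a dedicated
# type for the files hiview needs would keep the rest unreadable - confirm.
allow hiview data_service_el0_file:file { getattr read open };

# hiview may set parameters labelled hitrace_param.
allow hiview hitrace_param:parameter_service { set };

# avc: denied { use } for pid=2181, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:hiview:s0 tcontext=u:r:wifi_manager_service:s0 tclass=fd permissive=0
allow hiview wifi_manager_service:fd { use };

# pstore records: hiview can list, read and delete them.
# NOTE(review): unlink and remove_name let hiview erase crash records kept
# in pstore. Make sure a record is deleted only after it has been copied to
# persistent storage, so that crash evidence is not lost.
allow hiview pstorefs:dir { open read remove_name search write };
allow hiview pstorefs:file { open read unlink };

# Files labelled hiview_sys_def_file: create and update, ioctl limited to
# one command.
allow hiview hiview_sys_def_file:dir { search write add_name };
allow hiview hiview_sys_def_file:file { create open ioctl getattr write read };
allowxperm hiview hiview_sys_def_file:file ioctl { 0x5413 };

# avc: denied { get } for service=1158 sid=u:r:hiview:s0 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_netsys_native_manager:s0 tclass=samgr_class permissive=O
allow hiview sa_netsys_native_manager:samgr_class { get };

# Named pipes created by hiview inside the data_log directory.
allow hiview data_log:fifo_file { create read write open unlink };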