• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14#avc:  denied  { get } for service=3503 pid=589 scontext=u:r:sensors:s0 tcontext=i:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1
15allow sensors sa_accesstoken_manager_service:samgr_class { get };
16
17#avc:  denied  { get } for service=vibrator_interface_service pid=620 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_vibrator_interface_service:s0 tclass=hdf_devmgr_class permissive=1
18allow sensors hdf_vibrator_interface_service:hdf_devmgr_class { get };
19
20#avc:  denied  { get } for service=sensor_interface_service pid=655 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_sensor_interface_service:s0 tclass=hdf_devmgr_class permissive=1
21allow sensors hdf_sensor_interface_service:hdf_devmgr_class { get };
22
23#avc:  denied  { get } for service=5100 pid=546 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
24allow sensors sa_device_service_manager:samgr_class { get };
25
26#avc:  denied  { add } for service=3601 pid=572 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1
27allow sensors sa_sensor_service:samgr_class { add };
28
29#avc:  denied  { call } for  pid=2043 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
30#avc:  denied  { transfer } for pid=1208 comm="IPC_2_2791" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
31allow sensors accesstoken_service:binder { call transfer };
32
33#avc:  denied  { call } for  pid=2043 comm="sensors" scontext=u:r:accesstoken_service:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1
34allow accesstoken_service sensors:binder { call };
35
36allow sensors system_basic_hap_attr:fd { use };
37allow sensors system_basic_hap_attr:unix_stream_socket { read write };
38
39#avc:  denied  { call } for pid=1208 comm="IPC_0_1342" scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
40allow sensors system_basic_hap_attr:binder { call };
41
42#avc:  denied  { use } for  pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1
43allow sensors normal_hap_attr:fd { use };
44
45#avc:  denied  { read write } for  pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=unix_stream_socket permissive=1
46allow sensors normal_hap_attr:unix_stream_socket { read write };
47
48#avc:  denied  { call } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1
49allow sensors normal_hap_attr:binder { call };
50
51#avc:  denied  { setopt } for  pid=650 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1
52#avc:  denied  { getopt } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1
53allow sensors sensors:unix_dgram_socket { getopt setopt };
54
55#avc:  denied  { search } for  pid=645 comm="sensors" name="socket" dev="tmpfs" ino=40 scontext=u:r:sensors:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
56allow sensors dev_unix_socket:dir { search };
57
58#avc:  denied  { call } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:vibrator_host:s0 tclass=binder permissive=1
59allow sensors vibrator_host:binder { call };
60
61#avc:  denied  { transfer } for  pid=1472 comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:vibrator_host:s0 tclass=binder permissive=0
62allow sensors vibrator_host:binder { transfer };
63
64#avc:  denied  { search } for  pid=451 comm="sensors" name="/" dev="tracefs" ino=1 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
65allow sensors tracefs:dir { search };
66
67#avc:  denied  { write } for  pid=451 comm="sensors" name="trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
68#avc:  denied  { open } for  pid=451 comm="sensors" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
69allow sensors tracefs_trace_marker_file:file { write open };
70
71#avc:  denied  { use } for  pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fd permissive=1
72allow sensors hidumper_service:fd { use };
73
74#avc:  denied  { write } for  pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fifo_file permissive=1
75allow sensors hidumper_service:fifo_file { write };
76
77#avc:  denied  { transfer } for  pid=2152 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensor_host:s0 tclass=binder permissive=1
78allow sensors sensor_host:binder { transfer };
79
80#avc:  denied  { use } for  pid=2778 comm="processdump" dev="mmcblk0p11" ino=652843 scontext=u:r:sensors:s0 tcontext=u:r:faultloggerd:s0 tclass=fd permissive=1
81allow sensors faultloggerd:fd { use };
82
83#avc:  denied  { write } for  pid=621 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
84#avc:  denied  { read write } for  pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
85allow sensors system_core_hap_attr:unix_stream_socket { write read };
86
87#avc:  denied  { use } for  pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1allow
88allow sensors system_core_hap_attr:fd { use };
89
90#avc:  denied  { call } for  pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0
91allow sensors system_core_hap_attr:binder { call };
92
93#avc:  denied  { get } for service=3505 pid=575 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0
94allow sensors sa_privacy_service:samgr_class { get };
95
96#avc:  denied  { call } for  pid=549 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=0
97binder_call(sensors, privacy_service);
98
99#avc:  denied  { read } for  pid=2827 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:sensors:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0
100allow sensors accessibility_param:file { read };
101
102allow sensors vendor_etc_file:dir { search };
103allow sensors vendor_etc_file:file { getattr open read };
104
105#avc:  denied  { call } for  pid=440 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:light_host:s0 tclass=binder permissive=1
106allow sensors light_host:binder { call };
107
108#avc:  denied  { read } for  pid=508 comm="sensors" name="u:object_r:musl_param:s0" dev="tmpfs" ino=55 scontext=u:r:sensors:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
109allow sensors musl_param:file { read };
110
111#avc:  denied  { get } for service=light_interface_service pid=2262 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class permissive=1
112allow sensors hdf_light_interface_service:hdf_devmgr_class { get };
113
114#avc:  denied  { use } for  pid=585 comm="IPC_1_745" path="socket:[34684]" dev="sockfs" ino=34684 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=0
115allow sensors foundation:fd { use };
116
117#avc:  denied  { read write } for  pid=554 comm="foundation" path="socket:[41126]" dev="sockfs" ino=41126 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=unix_stream_socket permissive=0
118allow sensors foundation:unix_stream_socket { read write };
119
120#avc:  denied  { call } for  pid=585 comm="IPC_2_1283" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0
121#avc:  denied  { transfer } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
122allow sensors foundation:binder { call transfer };
123
124#avc:  denied { getattr } for  pid=1324 comm="IPC_1_1486" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
125#avc:  denied { read } for  pid=4754 comm="jsThread-1" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0
126allow sensors normal_hap_data_file_attr:file { getattr read };
127
128#avc:  denied { getattr } for  pid=1308 comm="IPC_1_1470" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1
129#avc:  denied { read } for  pid=3199 comm="HitsVibrateTest" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1
130allow sensors data_local_tmp:file { getattr read };
131
132#avc:  denied { getattr } for  pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
133#avc:  denied { open } for  pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
134#avc:  denied { read } for  pid=1324 comm="sensors" name="online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
135allow sensors sysfs_devices_system_cpu:file { getattr open read };
136
137allow sensors render_service:fd { use };
138allow sensors render_service:unix_stream_socket { read write };
139allow sensors render_service:binder { call };
140
141allow sensors camera_service:fd { use };
142allow sensors camera_service:unix_stream_socket { read write };
143allow sensors camera_service:binder { call };
144
145allow sensors powermgr:fd { use };
146allow sensors powermgr:unix_stream_socket { read write };
147allow sensors powermgr:binder { call transfer };
148
149allow sensors audio_server:unix_stream_socket { read write };
150
151# avc:  denied  { use } for  pid=356 comm="audio_server" path="socket:[30765]" dev="sockfs" ino=30765 scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=fd permissive=1
152allow sensors audio_server:fd { use };
153
154# avc:  denied  { call } for  pid=580 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
155allow sensors audio_server:binder { call };
156
157#avc:  denied  { call } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
158#avc:  denied  { transfer } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
159allow sensors audio_server:binder { call transfer };
160
161#avc:  denied  { call } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1
162#avc:  denied { transfer } for pid=1447, comm="/system/bin/sa_main"  scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0
163allow sensors distributeddata:binder { call transfer };
164
165#avc:  denied  { use } for  pid=1143 comm="sensors" path="/dev/ashmem" dev ="tmpfs" ino=619 ioctlcmd=0x7706 scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1
166allow sensors distributeddata:fd { use };
167
168#avc:  denied  { get } for service=1301 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=0
169allow sensors sa_distributeddata_service:samgr_class { get };
170
171#avc:  denied  { get } for service=180 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
172allow sensors sa_foundation_abilityms:samgr_class { get };
173
174#avc:  denied  { get } for service=3009 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0
175allow sensors sa_audio_policy_service:samgr_class { get };
176
177#avc:  denied  { get } for service=3001 pid=608 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=0
178allow sensors sa_pulseaudio_audio_service:samgr_class { get };
179
180#avc:  denied  { call } for  pid=1458 comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:pinauth:s0 tclass=binder permissive=1
181allow sensors pinauth:binder { call };
182
183#avc:  denied  { get } for service=1909 pid=1053 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=1
184allow sensors sa_memory_manager_service:samgr_class { get };
185allow sensors memmgrservice:binder { call };
186
187#avc: denied { transfer } for pid=1415, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0
188allow sensors normal_hap_attr:binder { transfer };
189
190#avc: denied { search } for pid=1415, comm="/system/bin/sa_main" name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9188 scontext=u:r:sensors:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0
191allow sensors chip_prod_file:dir { search };
192
193#avc: denied { get } for service=180 pid=1453 scontext=u:r:render_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
194allow sensors sa_foundation_cesfwk_service:samgr_class { get };
195
196#avc: denied { getattr } for pid=1373, comm="/system/bin/sa_main" path="/data/themes/a/system/sub_screen/lock/base/resources/rich_tap/charging_2.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=46896 scontext=u:r:sensors:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
197allow sensors data_service_el1_file:file { getattr };
198
199#avc: denied { call } for pid=1420, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1
200allow sensors accountmgr:binder { call };
201
202#avc: denied { write } for pid=1489, comm="/system/bin/sa_main" path="pipe:[13]" dev="tmpfs" ino=13 scontext=u:r:sensors:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
203allow sensors init:fifo_file { write };
204
205#avc: denied { get } for service=200 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1
206allow sensors sa_accountmgr:samgr_class { get };
207
208#avc: denied { get } for service=501 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0
209allow sensors sa_foundation_appms:samgr_class { get };
210
211#avc: denied { get } for service=401 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
212allow sensors sa_foundation_bms:samgr_class { get };
213
214#avc: denied { search } for pid=1381, comm="/system/bin/sa_main" name="/service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=9 scontext=u:r:sensors:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
215allow sensors data_service_file:dir { search };
216
217#avc: denied { search } for pid=1381, comm="/system/bin/sa_main" name="/service/el1" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=13 scontext=u:r:sensors:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
218allow sensors data_service_el1_file:dir { search };
219
220#avc: denied { getattr } for pid=1381, comm="/system/bin/sa_main" path="/data/storage/el2/base/haps/entry/files/vib.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=22829 scontext=u:r:sensors:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=1
221#avc: denied { read } for pid=1381, comm="/system/bin/sa_main" path="/data/storage/el2/base/haps/entry/files/vib.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=22829 scontext=u:r:sensors:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=1
222allow sensors system_basic_hap_data_file:file { read getattr };
223
224#avc: denied { get } for service=4607 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1
225allow sensors sa_foundation_dms:samgr_class { get };
226
227#avc: denied { write } for pid=1518, comm="/system/bin/sa_main"  scontext=u:r:sensors:s0 tcontext=u:r:wifi_manager_service:s0 tclass=unix_stream_socket permissive=0
228allow sensors wifi_manager_service:unix_stream_socket { write };
229
230#avc: denied  { call } for pid=1518 comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=0
231allow sensors wifi_manager_service:binder { call };
232
233#avc: denied { use } for pid=1518, comm="/system/bin/sa_main"  ioctlcmd=0x0  scontext=u:r:sensors:s0 tcontext=u:r:wifi_manager_service:s0 tclass=fd permissive=0
234allow sensors wifi_manager_service:fd { use };
235
236debug_only(`
237    #avc:  denied  { use } for  pid=2011 comm="SensorAgentTest" path="socket:[39791]" dev="sockfs" ino=39791 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0
238    allow sensors sh:fd { use };
239
240    # avc:  denied  { call } for  pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
241    allow sensors sh:binder { call };
242
243    #avc:  denied  { read write } for  pid=2132 comm="SensorAgentTest" path="socket:[39407]" dev="sockfs" ino=39407 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=unix_stream_socket permissive=0
244    allow sensors sh:unix_stream_socket { read write };
245')
246