• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14type hnp, native_system_domain, domain;
15type hnp_exec, system_file_attr, exec_attr, file_attr;
16type hnp_file, exec_attr, file_attr, data_file_attr;
17type hnp_native, hap_domain, domain;
18
19developer_only(`
20# avc:  denied  { search } for  pid=12202 comm="hnp" name="app" dev="sdd78" ino=634 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=1
21allow hnp data_app_file:dir { search };
22
23# avc:  denied  { ioctl } for  pid=6695 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11577 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
24# avc:  denied  { write } for  pid=6695 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11577 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
25allow hnp data_service_el1_file:file { ioctl write };
26
27# avc:  denied  { map } for  pid=5378 comm="hnp" path="/data/service/el1/public/bms/bundle_manager_service/security_stream_install/606593336461000/6065932/28786a5ac.hap" dev="sdd78" ino=12581 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
28allow hnp data_service_el1_file:file { map };
29
30# avc:  denied  { create } for  pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
31allow hnp data_service_el1_file:file { create };
32
33# avc:  denied  { getattr } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
34# avc:  denied  { open } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
35# avc:  denied  { read open } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
36# avc:  denied  { read } for  pid=12202 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
37allow hnp data_service_el1_file:file { getattr open read open read };
38
39# avc:  denied  { ioctl } for  pid=6695 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11577 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
40allowxperm hnp data_service_el1_file:file ioctl { 0x5413 };
41
42# avc:  denied  { add_name } for  pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
43# avc:  denied  { write } for  pid=8919 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
44allow hnp data_service_el1_file:dir { add_name write };
45
46# avc:  denied  { search } for  pid=12202 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
47allow hnp data_service_el1_file:dir { search };
48
49# avc:  denied  { write } for  pid=6695 comm="hnp" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
50# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
51allow hnp dev_kmsg_file:chr_file { write getattr };
52
53# avc:  denied  { dac_override } for  pid=8158 comm="hnp" capability=1  scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1
54allow hnp hnp:capability { dac_override };
55
56# avc:  denied  { add_name } for  pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
57# avc:  denied  { create } for  pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
58# avc:  denied  { getattr } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib" dev="sdd78" ino=12153 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
59# avc:  denied  { write } for  pid=7556 comm="hnp" name="hnpsample_1.1" dev="sdd78" ino=12152 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
60allow hnp data_app_el1_file:dir { add_name create getattr write };
61
62# avc:  denied  { remove_name } for  pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
63# avc:  denied  { rmdir } for  pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
64allow hnp data_app_el1_file:dir { remove_name rmdir };
65
66# avc:  denied  { read open } for  pid=12202 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
67# avc:  denied  { read } for  pid=12202 comm="hnp" name="hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
68# avc:  denied  { search } for  pid=12202 comm="hnp" name="bundle" dev="sdd78" ino=638 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
69allow hnp data_app_el1_file:dir { read open read search };
70
71# avc:  denied  { create } for  pid=7556 comm="hnp" name="hnp.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
72# avc:  denied  { ioctl } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
73# avc:  denied  { setattr } for  pid=7556 comm="hnp" name="hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
74# avc:  denied  { write } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
75allow hnp data_app_el1_file:file { create ioctl setattr };
76
77# avc:  denied  { unlink } for  pid=9178 comm="hnp" name="hnpsample" dev="sdd78" ino=12109 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
78allow hnp data_app_el1_file:file { unlink };
79
80# avc:  denied  { ioctl } for  pid=5378 comm="EnableCodeSign0" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib/libhnpsamplelib.z.so" dev="sdd78" ino=12622 ioctlcmd=0x66c8 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
81allow hnp data_app_el1_file:file { ioctl };
82
83# avc:  denied  { create } for  pid=5378 comm="hnp" name="hnpsample" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1
84allow hnp data_app_el1_file:lnk_file { create };
85
86# avc:  denied  { ioctl } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
87allowxperm hnp data_app_el1_file:file ioctl { 0x5413 };
88
89# avc:  denied  { ioctl } for  pid=5378 comm="EnableCodeSign0" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib/libhnpsamplelib.z.so" dev="sdd78" ino=12622 ioctlcmd=0x66c8 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
90allowxperm hnp data_app_el1_file:file ioctl { 0x66c8 };
91
92# avc_audit_slow:262] avc: denied { getattr } for pid=7470, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
93# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
94# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
95# avc_audit_slow:262] avc: denied { write } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
96allow hnp data_app_el1_file:file { getattr open read write };
97
98# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/buddyinfo" dev="proc" ino=4026531856 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_buddyinfo_file:s0 tclass=file permissive=1
99allow hnp proc_buddyinfo_file:file { getattr };
100
101# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/cgroups" dev="proc" ino=4026531855 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cgroups_file:s0 tclass=file permissive=1
102allow hnp proc_cgroups_file:file { getattr };
103
104# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/cmdline" dev="proc" ino=4026532315 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cmdline_file:s0 tclass=file permissive=1
105allow hnp proc_cmdline_file:file { getattr };
106
107# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/config.gz" dev="proc" ino=4026532479 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_config_gz_file:s0 tclass=file permissive=1
108allow hnp proc_config_gz_file:file { getattr };
109
110# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/cpuinfo" dev="proc" ino=4026532317 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
111allow hnp proc_cpuinfo_file:file { getattr };
112
113# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/diskstats" dev="proc" ino=4026532506 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
114allow hnp proc_diskstats_file:file { getattr };
115
116# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/data-ready" dev="proc" ino=4026532862 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
117allow hnp proc_file:file { getattr };
118
119# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/iomem" dev="proc" ino=4026532470 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_iomem_file:s0 tclass=file permissive=1
120allow hnp proc_iomem_file:file { getattr };
121
122# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/keys" dev="proc" ino=4026532500 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_keys_file:s0 tclass=file permissive=1
123allow hnp proc_keys_file:file { getattr };
124
125# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/kmsg" dev="proc" ino=4026532326 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_kmsg_file:s0 tclass=file permissive=1
126allow hnp proc_kmsg_file:file { getattr };
127
128# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/loadavg" dev="proc" ino=4026532320 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_loadavg_file:s0 tclass=file permissive=1
129allow hnp proc_loadavg_file:file { getattr };
130
131# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/meminfo" dev="proc" ino=4026532321 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_meminfo_file:s0 tclass=file permissive=1
132allow hnp proc_meminfo_file:file { getattr };
133
134# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/misc" dev="proc" ino=4026532216 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_misc_file:s0 tclass=file permissive=1
135allow hnp proc_misc_file:file { getattr };
136
137# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/modules" dev="proc" ino=4026532477 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_modules_file:s0 tclass=file permissive=1
138allow hnp proc_modules_file:file { getattr };
139
140# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/slabinfo" dev="proc" ino=4026532480 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_slabinfo_file:s0 tclass=file permissive=1
141allow hnp proc_slabinfo_file:file { getattr };
142
143# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/softirqs" dev="proc" ino=4026532325 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_softirqs_file:s0 tclass=file permissive=1
144allow hnp proc_softirqs_file:file { getattr };
145
146# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/stat" dev="proc" ino=4026532322 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_stat_file:s0 tclass=file permissive=1
147allow hnp proc_stat_file:file { getattr };
148
149# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/swaps" dev="proc" ino=4026532482 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_swaps_file:s0 tclass=file permissive=1
150allow hnp proc_swaps_file:file { getattr };
151
152# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/uptime" dev="proc" ino=4026532323 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_uptime_file:s0 tclass=file permissive=1
153allow hnp proc_uptime_file:file { getattr };
154
155# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/version" dev="proc" ino=4026532324 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1
156allow hnp proc_version_file:file { getattr };
157
158# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/vmstat" dev="proc" ino=4026531858 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_vmstat_file:s0 tclass=file permissive=1
159allow hnp proc_vmstat_file:file { getattr };
160
161# avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/zoneinfo" dev="proc" ino=4026531859 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_zoneinfo_file:s0 tclass=file permissive=1
162allow hnp proc_zoneinfo_file:file { getattr };
163
164# avc:  denied  { execute } for  pid=9325 comm="hnp" name="sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
165# avc:  denied  { execute_no_trans } for  pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
166# avc:  denied  { map } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
167# avc:  denied  { read execute } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
168# avc:  denied  { read open } for  pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
169# avc:  denied  { read } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
170allow hnp sh_exec:file { execute execute_no_trans map read execute read open read };
171
172# avc:  denied  { read } for  pid=9325 comm="sh" name="lsof" dev="sdd74" ino=573 scontext=u:r:hnp:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
173allow hnp system_bin_file:lnk_file { read };
174
175# avc:  denied  { execute } for  pid=9325 comm="sh" name="toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
176# avc:  denied  { execute_no_trans } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
177# avc:  denied  { getattr } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
178# avc:  denied  { map } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
179# avc:  denied  { read execute } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
180# avc:  denied  { read open } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
181# avc:  denied  { read } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
182allow hnp toybox_exec:file { execute execute_no_trans getattr map read execute read open read };
183
184# avc:  denied  { read write open } for  pid=9325 comm="sh" path="/dev/tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
185# avc:  denied  { read write } for  pid=9325 comm="sh" name="tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
186allow hnp tty_device:chr_file { read write open read write };
187
188# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:default_param:s0" dev="tmpfs" ino=275 scontext=u:r:hnp:s0 tcontext=u:object_r:default_param:s0 tclass=file permissive=1
189allow hnp default_param:file { getattr };
190
191# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:hiviewdfx_profiler_param:s0" dev="tmpfs" ino=151 scontext=u:r:hnp:s0 tcontext=u:object_r:hiviewdfx_profiler_param:s0 tclass=file permissive=1
192allow hnp hiviewdfx_profiler_param:file { getattr };
193allow hnp hitrace_param:file { getattr };
194
195# avc:  denied  { dac_read_search } for  pid=9207 comm="lsof" capability=2  scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1
196allow hnp hnp:capability { dac_read_search };
197
198# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=147 scontext=u:r:hnp:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1
199allow hnp hook_param:file { getattr };
200
201# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=153 scontext=u:r:hnp:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
202allow hnp musl_param:file { getattr };
203
204# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/filesystems" dev="proc" ino=4026532487 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=1
205allow hnp proc_filesystems_file:file { getattr };
206
207# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/interrupts" dev="proc" ino=4026532319 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_interrupts_file:s0 tclass=file permissive=1
208allow hnp proc_interrupts_file:file { getattr };
209
210# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/pagetypeinfo" dev="proc" ino=4026531857 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_pagetypeinfo_file:s0 tclass=file permissive=1
211allow hnp proc_pagetypeinfo_file:file { getattr };
212
213# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/sysrq-trigger" dev="proc" ino=4026532528 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_sysrq_trigger_file:s0 tclass=file permissive=1
214allow hnp proc_sysrq_trigger_file:file { getattr };
215
216# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/timer_list" dev="proc" ino=4026532476 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_timer_list_file:s0 tclass=file permissive=1
217allow hnp proc_timer_list_file:file { getattr };
218
219# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/proc/vmallocinfo" dev="proc" ino=4026532481 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_vmallocinfo_file:s0 tclass=file permissive=1
220allow hnp proc_vmallocinfo_file:file { getattr };
221
222# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=132 scontext=u:r:hnp:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
223allow hnp startup_init_param:file { getattr };
224
225# avc:  denied  { getattr } for  pid=7385 comm="lsof" path="/proc/partitions" dev="proc" ino=4026532507 scontext=u:r:hnp:s0 tcontext=u:object_r:proc_partitions_file:s0 tclass=file permissive=1
226allow hnp proc_partitions_file:file { getattr };
227
228# avc:  denied  { search } for  pid=12202 comm="hnp" name="/" dev="sdd78" ino=3 scontext=u:r:hnp:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
229allow hnp data_file:dir { search };
230
231# avc:  denied  { search } for  pid=12202 comm="hnp" name="service" dev="sdd78" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
232allow hnp data_service_file:dir { search };
233
234# avc:  denied  { search } for  pid=12202 comm="hnp" name="socket" dev="tmpfs" ino=118 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
235allow hnp dev_unix_socket:dir { search };
236
237# avc:  denied  { use } for  pid=12202 comm="hnp" path="/system/bin/hnp" dev="sdd74" ino=531 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=fd permissive=1
238allow hnp installs:fd { use };
239
240# avc_audit_slow:262] avc: denied { search } for pid=7470, comm="/system/bin/hnp"  name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9189 scontext=u:r:hnp:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=1
241allow hnp chip_prod_file:dir { search };
242
243# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/binder" dev="" ino=10 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=1
244allow hnp dev_binder_file:chr_file { getattr };
245
246# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="" ino=201 scontext=u:r:hnp:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
247allow hnp hilog_param:file { getattr };
248
249# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/proc/2646" dev="" ino=7484 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
250# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof"  path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
251# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
252# avc_audit_slow:262] avc: denied { search } for pid=7471, comm="/bin/lsof"  name="/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
253allow hnp installs:dir { getattr open read search };
254
255# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
256# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof"  path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
257# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
258allow hnp installs:file { getattr open read };
259
260# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  name="/2646/fd/3" dev="" ino=18087 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=lnk_file permissive=1
261allow hnp installs:lnk_file { read };
262
263# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/system/bin/sa_main" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=775 scontext=u:r:hnp:s0 tcontext=u:object_r:samain_exec:s0 tclass=file permissive=1
264allow hnp samain_exec:file { getattr };
265
266# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/__parameters__/u:object_r:time_param:s0" dev="" ino=222 scontext=u:r:hnp:s0 tcontext=u:object_r:time_param:s0 tclass=file permissive=1
267allow hnp time_param:file { getattr };
268
269# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/sys/kernel/debug/tracing/trace_marker" dev="" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
270allow hnp tracefs_trace_marker_file:file { getattr };
271
272# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/tty0" dev="" ino=47 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
273# avc_audit_slow:262] avc: denied { ioctl } for pid=7471, comm="/bin/sh"  path="/dev/tty" dev="" ino=20 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
274allow hnp tty_device:chr_file { getattr ioctl };
275
276# avc_audit_slow:262] avc: denied { search } for pid=7265, comm="/system/bin/hnp"  name="/etc/selinux/targeted/contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5687 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
277allow hnp vendor_etc_file:dir { search };
278
279# avc_audit_slow:262] avc: denied { getattr } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
280# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
281# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
282allow hnp vendor_etc_file:file { getattr open read };
283
284# avc_audit_slow:262] avc: denied { ioctl } for pid=7471, comm="/bin/sh"  path="/dev/tty" dev="" ino=20 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
285allowxperm hnp tty_device:chr_file ioctl { 0x5413 };
286
287# avc_audit_slow:262] avc: denied { unlink } for pid=7534, comm="/system/bin/hnp"  name="/app/el1/bundle/100/hnppublic/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19136 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1
288allow hnp data_app_el1_file:lnk_file { unlink };
289
290allow hnp installs:fifo_file { ioctl write };
291allowxperm hnp installs:fifo_file ioctl { 0x5413 };
292allow hnp hnp_file:dir { getattr read open remove_name search rmdir write add_name create mounton };
293allow hnp hnp_file:file { getattr unlink create ioctl read open setattr write };
294allowxperm hnp hnp_file:file ioctl { 0x5413 0x66c8 };
295allow hnp hnp_file:lnk_file { getattr unlink create };
296allow hnp data_app_el1_file:dir { relabelfrom };
297allow hnp hnp_file:dir { relabelto setattr };
298allow appspawn hnp_file:dir { getattr mounton search };
299allow hiperf hnp_exec:file { getattr map read open };
300
301domain_auto_transition_pattern(sh, hnp_file, hnp_native);
302allow sh hnp_file:dir { search getattr read open };
303allow sh hnp_file:file { execute execute_no_trans getattr map read open };
304allow sh hnp_file:lnk_file { read };
305allow sh key_enable:key { search };
306allow sh storage_daemon:key { search };
307allow hnp_native hnp_file:dir { search getattr read open };
308allow hnp_native hnp_file:file { execute execute_no_trans getattr map read open };
309allow hnp_native hnp_file:lnk_file { read };
310allow hnp_native self:xpm { exec_allow_debug_id};
311allow hnp_native data_app_el1_file:dir { search };
312allow hnp_native data_app_file:dir { search };
313allow hnp_native dev_unix_socket:dir { search };
314allow hnp_native devpts:chr_file { read write };
315allow hnp_native sh:fd { use };
316allow hnp_native sh:unix_stream_socket { read write };
317allow hnp_native hdcd:fd { use };
318allow sh hnp_native:process {noatsecure };
319allow sh hnp_native:process2 { nosuid_transition };
320
321
322## add hnp permission for pre-installed app
323allow hnp system_file:file { map open read };
324
325## add hnp permission for read link information
326allow hnp hnp_file:lnk_file { read };
327')
328