init/public/chipset_init.te

# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

type chipset_init, native_chipset_domain, domain;
allow chipset_init self:capability { chown dac_override dac_read_search fsetid setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource fowner };

allow domain chipset_init:fd use;

allow init init:process { setcurrent };
allow init chipset_init:process { setcurrent dyntransition };
allow chipset_init chipset_init:process { setexec setsockcreate };
allow chipset_init composer_host:process { rlimitinh siginh transition };
allow chipset_init allocator_host:process { rlimitinh siginh transition };

allow chipset_init system_lib_file:dir { open read };
allow chipset_init system_lib_file:lnk_file { relabelto getattr };
allow chipset_init system_bin_file:dir { search };
allow chipset_init system_bin_file:file { execute getattr read read open };
allow chipset_init toybox_exec:file { execute getattr map read open };
allow chipset_init system_etc_file:dir { open read search getattr };
allow chipset_init system_etc_file:file { getattr open read };
allow chipset_init system_etc_file:lnk_file { relabelto read getattr };

allow chipset_init vendor_bin_file:dir { search };
allow chipset_init vendor_bin_file:file { execute getattr read read open };
allow chipset_init hdf_devhost_exec:dir { search };
allow chipset_init hdf_devhost_exec:file { execute getattr read read open };
allow chipset_init vendor_etc_file:dir { open read search getattr };
allow chipset_init vendor_etc_file:file { getattr open read };

allow chipset_init dev_kmsg_file:chr_file { write ioctl };
allow chipset_init dev_binder_file:chr_file { relabelto };
allow chipset_init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write };
allow chipset_init dev_block_file:dir { open read relabelto search };
allow chipset_init dev_block_file:lnk_file { read relabelto };
allow chipset_init dev_block_volfile:dir { open read relabelto search };
allow chipset_init dev_char_file:dir { getattr open read relabelto setattr };
allow chipset_init dev_console_file:chr_file { getattr ioctl open read write };
allow chipset_init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write };
allow chipset_init dev_file:lnk_file { create };
allow chipset_init dev_fscklogs_file:dir { open read relabelto search setattr };
allow chipset_init dev_fuse_file:chr_file { setattr };
allow chipset_init dev_graphics_file:chr_file { setattr };
allow chipset_init dev_graphics_file:dir { search };
allow chipset_init dev_hdf_audio_capture:chr_file { setattr };
allow chipset_init dev_hdf_audio_control:chr_file { setattr };
allow chipset_init dev_hdf_audio_render:chr_file { setattr };
allow chipset_init dev_hdf_disp:chr_file { setattr };
allow chipset_init dev_hdf_file:chr_file { setattr };
allow chipset_init dev_hdf_input:chr_file { setattr };
allow chipset_init { dev_mgr_file dev_hdf_kevent dev_hdf_sensor_mgr dev_hdf_misc_vibrator dev_hdf_light dev_mpp dev_rga dev_video_file }:chr_file { setattr };

allow chipset_init sys_file:file { setattr };
allow chipset_init sysfs_wake_lck:file { setattr };

allowxperm chipset_init dev_at_file:chr_file ioctl { 0x4102 };
allow chipset_init dev_at_file:chr_file { ioctl setattr };

allow chipset_init hidumper_service:file { open read };

# avc:  denied  { read } for  pid=579 comm="hidumper_servic" scontext=u:r:hidumper_service:s0 tcontext=u:r:chipset_init:s0 tclass=file permissive=0
allow hidumper_service chipset_init:dir { getattr open read search };
allow hidumper_service chipset_init:file { getattr open read };
allow hidumper_service chipset_init:lnk_file read;

# avc:  denied  { rlimitinh } for  pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1
# avc:  denied  { siginh } for  pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1
# avc:  denied  { transition } for  pid=2969 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd84" ino=33 scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1
#for for start process in subcontext  hdf_devhost.cfg
chipset_init_daemon_domain(hdf_devmgr);
allow chipset_init { user_auth_host pin_auth_host fingerprint_auth_host face_auth_host codec_host vibrator_host sensor_host }:process { rlimitinh siginh transition };
allow chipset_init { light_host input_user_host wifi_host camera_host power_host audio_host ethernet_host }:process { rlimitinh siginh transition };
allow chipset_init { usb_host blue_host partitionslot_host location_host dcamera_host a2dp_host daudio_host sample_host intell_voice_host }:process { rlimitinh siginh transition };

#for init.usb.configfs.cfg
allow chipset_init configfs:dir { add_name create mounton open read search setattr write remove_name rmdir };
allow chipset_init configfs:lnk_file { create unlink };
allow chipset_init configfs:file { write create getattr open };
allow chipset_init configfs:lnk_file { create getattr unlink };

# for /data/service/el0/
allow chipset_init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write rmdir };
allow chipset_init data_file:sock_file { getattr relabelfrom };
allowxperm chipset_init data_file:file ioctl { 0x5413 };
allow chipset_init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write remove_name };
allow chipset_init data_service_file:file { ioctl rename relabelfrom create getattr unlink write write open };

allow chipset_init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write relabelfrom };
allow chipset_init data_service_el0_file:file { create getattr read write open relabelfrom };
allow chipset_init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow chipset_init data_service_el1_file:file { create getattr setattr relabelto };

# for ifup,hostname,domainname
allow chipset_init chipset_init:udp_socket { create ioctl };
allow chipset_init init:unix_dgram_socket { write connect };
allow chipset_init proc_file:file { write open };
allow chipset_init self:capability { net_admin };

# avc:  denied  { write } for  comm="/bin/init" scontext=u:r:chipset_init:s0 tcontext=u:r:sysfs_devices_system_cpu:s0 tclass=file
allow chipset_init sysfs_devices_system_cpu:file { write open };

# avc:  denied  { getopt } for  pid=245 comm="chipset_init" scontext=u:r:chipset_init:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=0
allow chipset_init init:unix_stream_socket { getopt };
# avc:  denied  { rlimitinh } for  pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1
# avc:  denied  { siginh } for  pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1
# avc:  denied  { transition } for  pid=491 comm="init" path="/vendor/bin/hdf_devhost" dev="mmcblk0p8" ino=13 scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1
allow chipset_init clearplay_host:process { rlimitinh siginh transition };

# avc: denied { open } for pid=638, comm="/bin/init"  path="/sys/devices/virtual/gadget_usb/gadget0/f_rndis/wceis" dev="" ino=94123 scontext=u:r:chipset_init:s0 tcontext=u:object_r:sysfs_gadget_usb:s0 tclass=file permissive=1
allow chipset_init sysfs_gadget_usb:file { open };

allow chipset_init samain_exec:file { execute getattr read read open };