# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the isolated_gpu domain.
#
# The audit records kept below show the subject is forked from
# /system/bin/appspawn and runs with comm "mos.browser:gpu" /
# "mali-cmar-backe", i.e. it looks like the sandboxed GPU side of the web
# engine (inferred from the names; confirm against the domain declaration).
#
# Rules are grouped by the kind of object they reach.  Where a rule was
# derived from an audit denial, that denial is kept directly above it as the
# justification.  Rules that named the same source/target/class pair in
# several places have been merged into one; the granted permission sets are
# unchanged.

# ---------------------------------------------------------------------------
# Read-only access to system and vendor files (libraries, Vulkan ICD config).
# ---------------------------------------------------------------------------
allow isolated_gpu system_file:file { getattr read open map };
allow isolated_gpu system_bin_file:dir { search };
allow isolated_gpu vendor_etc_vulkan_file:dir { open read search };
allow isolated_gpu vendor_etc_vulkan_file:file { getattr open read };

# ---------------------------------------------------------------------------
# Loading the web engine's native libraries out of the el1 app bundle.
# ---------------------------------------------------------------------------
# avc_audit_slow:267] avc: denied { search } for pid=43562, comm="/system/bin/appspawn" name="/app/el1/bundle/public/com.ohos.nweb/libs/arm64" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16288 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
allow isolated_gpu data_app_el1_file:dir { getattr search };
# allow isolated_gpu data_app_el1_file:dir { execute };

# avc_audit_slow:267] avc: denied { getattr } for pid=43562, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn" path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
#
# `execute` together with `map` is what lets the domain map a file with this
# label as executable code.  The grant covers every file carrying the
# data_app_el1_file label, not only the nweb libraries named in the denials
# above.  Nothing in this file gives the domain `write` on that label; keep it
# that way (and check the other policy files for the label) so that no
# write-then-execute path exists from inside this domain.
allow isolated_gpu data_app_el1_file:file { execute getattr map open read };

# ---------------------------------------------------------------------------
# Shader cache: the only file-class label this file lets the domain write.
# No `map`/`execute` is granted on it, so cached data is consumed via read(),
# not mapped into the process.
# ---------------------------------------------------------------------------
allow isolated_gpu data_local_shadercache:dir { create open read search write add_name };
allow isolated_gpu data_local_shadercache:file { create read open write getattr };

# ---------------------------------------------------------------------------
# GPU device node (/dev/mali0).
# ---------------------------------------------------------------------------
allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open };

# Observed ioctl denials.  Two records that were exact repeats (0x802d and
# 0x8036) are listed once.
# avc: denied { ioctl } for pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x802f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x803b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8025 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x803c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x801b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x802c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x801e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8018 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8034 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8033 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8036 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8030 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x803a scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x802d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8024 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8027 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x802e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x802b scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8029 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=18173 comm="/system/bin/appspawn" path="mali0" dev="mali0" major=10 minor=93 ioctlcmd=0x8031 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
#
# ioctl allowlist for the device.  Four entries (0x8000 0x8007 0x8014 0x802a)
# have no matching denial record in this file; confirm each is actually
# needed before keeping it, since every listed command widens the kernel
# driver surface reachable from this domain.
allowxperm isolated_gpu dev_mali:chr_file ioctl {
    0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800c 0x800e 0x800f
    0x8014 0x8016 0x8018 0x8019 0x801b 0x801d 0x801e 0x8024 0x8025 0x8026
    0x8027 0x8029 0x802a 0x802b 0x802c 0x802d 0x802e 0x802f 0x8030 0x8031
    0x8033 0x8034 0x8036 0x803a 0x803b 0x803c
};

# ---------------------------------------------------------------------------
# System parameters (all read-only).
# ---------------------------------------------------------------------------
allow isolated_gpu persist_param:file { map read open };
allow isolated_gpu persist_sys_param:file { map open read };
allow isolated_gpu ohos_boot_param:file { map read open };
allow isolated_gpu web_private_param:file { map open read };

# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn" path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
allow isolated_gpu hichecker_writable_param:file { map open read };

# ---------------------------------------------------------------------------
# sysfs / tracefs (read-only).
# ---------------------------------------------------------------------------
allow isolated_gpu sysfs_devices_system_cpu:dir { read open };
allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open };
allow isolated_gpu tracefs:dir { search };

# ---------------------------------------------------------------------------
# Local sockets, inherited descriptors and the spawning processes.
# ---------------------------------------------------------------------------
allow isolated_gpu dev_unix_socket:dir { search };

allow isolated_gpu nwebspawn:fd { use };
allow isolated_gpu nwebspawn:unix_dgram_socket { write connect };
allow isolated_gpu nwebspawn:fifo_file { write };

# avc_audit_slow:267] avc: denied { write } for pid=37163, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
allow isolated_gpu appspawn:unix_dgram_socket { write };

allow isolated_gpu hiview:unix_dgram_socket { sendto };
allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt };

# Channels to hap_domain (app-side peers): binder, passed descriptors and a
# stream socket.  `shutdown` is included so the domain can close its end.
allow isolated_gpu hap_domain:binder { call transfer };
allow isolated_gpu hap_domain:fd { use };
allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown };

# ---------------------------------------------------------------------------
# System-ability lookups through samgr.
# ---------------------------------------------------------------------------
allow isolated_gpu sa_foundation_appms:samgr_class { get };
allow isolated_gpu sa_foundation_bms:samgr_class { get };
allow isolated_gpu sa_param_watcher:samgr_class { get };
allow isolated_gpu sa_render_service:samgr_class { get };
allow isolated_gpu sa_time_service:samgr_class { get };
allow isolated_gpu sa_resource_schedule:samgr_class { get };
allow isolated_gpu sa_av_codec_service:samgr_class { get };
allow isolated_gpu sa_device_service_manager:samgr_class { get };

# ---------------------------------------------------------------------------
# Binder peers and render-service plumbing.
# ---------------------------------------------------------------------------
# avc_audit_slow:267] avc: denied { call } for pid=24439, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=24439, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
allow isolated_gpu samgr:binder { call transfer };

# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow isolated_gpu foundation:binder { call transfer };

# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow isolated_gpu param_watcher:binder { call transfer };

allow isolated_gpu time_service:binder { call };

# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
allow isolated_gpu render_service:binder { call transfer };
# avc_audit_slow:267] avc: denied { use } for pid=1391, comm="/system/bin/render_service" path="anon_inode:sync_file" dev="" ino=0 scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1
allow isolated_gpu render_service:fd { use };
allow isolated_gpu render_service:unix_stream_socket { write read };

# avc_audit_slow:267] avc: denied { use } for pid=37163, comm="/system/bin/appspawn" path="/dev/ashmem" dev="" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:r:isolated_render:s0 tclass=fd permissive=1
allow isolated_gpu isolated_render:fd { use };

# ---------------------------------------------------------------------------
# HDF allocator / codec services and shared memory.
# ---------------------------------------------------------------------------
allow isolated_gpu allocator_host:binder { call };
allow isolated_gpu allocator_host:fd { use };
allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get };

# avc: denied { get } for service=codec_component_manager_service sid=u:r:isolated_gpu:s0 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hdf_codec_component_manager_service:s0 tclass=hdf_devmgr_class permissive=1
allow isolated_gpu hdf_codec_component_manager_service:hdf_devmgr_class { get };

# avc_audit_slow:267] avc: denied { call } for pid=41570, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow isolated_gpu hdf_devmgr:binder { call };

# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=37163, comm="/system/bin/appspawn" scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow isolated_gpu codec_host:binder { call transfer };
allow isolated_gpu codec_host:fd { use };

allow isolated_gpu av_codec_service:binder { call transfer };
allow isolated_gpu av_codec_service:fd { use };

allow isolated_gpu dev_ashmem_file:chr_file { open };

# ---------------------------------------------------------------------------
# Process-class self permissions.
# ---------------------------------------------------------------------------
# Same-domain ptrace: any process running as isolated_gpu may trace any other
# process in the domain, so one compromised instance could read the memory of
# its siblings.  No audit record in this file motivates the rule; document
# the consumer that needs it, and drop it if none does.
allow isolated_gpu isolated_gpu:process { ptrace };