# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the hidumper_service domain.
#
# Rules are grouped by what they grant. Where the original policy spelled the
# same (target, class) pair across several allow lines, the permission sets are
# merged into one line; the compiled access vectors are identical.

# use_hidumper(domain): let `domain` pass its fd to hidumper_service and let
# hidumper_service write dump output back through that domain's pipe.
define(`use_hidumper', `
    allow $1 hidumper_service:fd use;
    allow $1 hidumper_service:fifo_file write;
')
use_hidumper({ sadomain hdfdomain });

# Developer builds only: accept a shell's fd and write to the shell's pipe.
developer_only(`
    # avc: denied { use } for pid=1994 comm="hidumper" path="pipe:[39192]" dev="pipefs" ino=39192 scontext=u:r:hidumper_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
    allow hidumper_service sh:fd { use };
    # avc: denied { write } for pid=1994 comm="hidumper" path="pipe:[39192]" dev="pipefs" ino=39192 scontext=u:r:hidumper_service:s0 tcontext=u:r:sh:s0 tclass=fifo_file permissive=1
    allow hidumper_service sh:fifo_file { write };
')

##### Helpers executed inside this domain #####
# execute_no_trans: sh, toybox, hilog and other system/vendor binaries run as
# hidumper_service (no domain transition), so a helper gets exactly these
# rules and nothing more, including the ptrace neverallow at the end.
allow hidumper_service sh_exec:file { execute execute_no_trans getattr map open read };
allow hidumper_service toybox_exec:file { execute execute_no_trans getattr map open read };
allow hidumper_service toybox_exec:lnk_file read;
allow hidumper_service hilog_exec:file { execute execute_no_trans getattr map open read };
allow hidumper_service system_bin_file:dir { getattr search };
allow hidumper_service system_bin_file:file { execute execute_no_trans getattr map open read };
allow hidumper_service system_bin_file:lnk_file read;
allow hidumper_service vendor_bin_file:dir search;
allow hidumper_service vendor_bin_file:file { getattr map open read };
allow hidumper_service vendor_lib_file:dir search;
allow hidumper_service vendor_lib_file:file { getattr map open read };

##### Read/map of other daemons' executables (no execute permission) #####
# NOTE(review): presumably needed while walking process images during a dump;
# confirm against the dumper code before extending this list.
allow hidumper_service appspawn_exec:file { getattr map open read };
allow hidumper_service deviceauth_service_exec:file { getattr map open read };
allow hidumper_service faultloggerd_exec:file { getattr map open read };
allow hidumper_service hdcd_exec:file { getattr map open read };
allow hidumper_service hdf_devmgr_exec:file { getattr map open read };
allow hidumper_service hidumper_exec:file { getattr map open read };
allow hidumper_service hilogd_exec:file { getattr map open read };
allow hidumper_service hiview_exec:file { getattr map open read };
allow hidumper_service installs_exec:file { getattr map open read };
allow hidumper_service render_service_exec:file { getattr map open read };
allow hidumper_service storage_daemon_exec:file { getattr map open read };
allow hidumper_service udevd_exec:file { getattr map open read };
allow hidumper_service ueventd_exec:file { getattr map open read };
allow hidumper_service uinput_inject_exec:file { getattr map open read };
allow hidumper_service watchdog_service_exec:file { getattr map open read };
allow hidumper_service wifi_hal_service_exec:file { getattr map open read };

##### Read-only views of other domains (dir/file/lnk_file on a process type,
##### i.e. presumably their /proc entries) plus the IPC each one needs #####
allow hidumper_service appspawn:dir { getattr open read search };
allow hidumper_service appspawn:file { getattr open read };
allow hidumper_service appspawn:lnk_file read;
allow hidumper_service hdcd:dir { getattr open read search };
allow hidumper_service hdcd:file { getattr open read };
allow hidumper_service hdcd:lnk_file read;
allow hidumper_service hdcd:fd use;
allow hidumper_service hdcd:fifo_file write;
allow hidumper_service hidumper:dir { getattr open read search };
allow hidumper_service hidumper:file { getattr open read };
allow hidumper_service hidumper:lnk_file read;
allow hidumper_service hidumper:fd use;
allow hidumper_service hidumper:binder call;
allow hidumper_service init:dir { getattr open read search };
allow hidumper_service init:file { getattr open read };
allow hidumper_service init:lnk_file { read getattr };
allow hidumper_service init:unix_stream_socket connectto;
allow hidumper_service kernel:dir { getattr open read search };
allow hidumper_service kernel:file { getattr open read };
allow hidumper_service kernel:lnk_file read;
allow hidumper_service kernel:system syslog_read;
allow hidumper_service normal_hap_attr:dir { getattr open read search };
allow hidumper_service normal_hap_attr:file { getattr open read };
allow hidumper_service normal_hap_attr:lnk_file read;
allow hidumper_service system_basic_hap_attr:dir { getattr open read search };
allow hidumper_service system_basic_hap_attr:file { getattr open read };
allow hidumper_service system_basic_hap_attr:lnk_file read;
allow hidumper_service hap_domain:lnk_file { read getattr };
allow hidumper_service udevd:dir { getattr open read search };
allow hidumper_service udevd:file { getattr read open };
allow hidumper_service udevd:lnk_file read;
allow hidumper_service ueventd:dir { getattr open read search };
allow hidumper_service ueventd:file { getattr open read };
allow hidumper_service ueventd:lnk_file read;
allow hidumper_service native_daemon:dir search;
allow hidumper_service native_daemon:file { getattr open read };
allow hidumper_service processdump:dir search;
allow hidumper_service processdump:file { open read };
allow hidumper_service isolated_render:dir { search };
allow hidumper_service isolated_render:file { getattr open read };
allow hidumper_service hiprofiler_cmd:file getattr;
allow hidumper_service hiprofiler_plugins:file getattr;
allow hidumper_service hiprofilerd:file getattr;
allow hidumper_service hiperf:file { getattr };
allow hidumper_service { hdfdomain sadomain }:dir { getattr open read search };
allow hidumper_service { hdfdomain sadomain }:file { getattr open read };
allow hidumper_service { hdfdomain sadomain }:lnk_file read;
allow hidumper_service { sadomain -installs }:binder call;
allow hidumper_service render_service:binder transfer;
allow hidumper_service faultloggerd:fifo_file read;
allow hidumper_service faultloggerd:unix_stream_socket connectto;

##### Kernel, /proc, sysfs and debugfs sources read for the dump #####
allow hidumper_service proc_file:file { open read };
allow hidumper_service proc_cmdline_file:file { getattr open read };
allow hidumper_service proc_loadavg_file:file { getattr open read };
allow hidumper_service proc_meminfo_file:file { getattr open read };
allow hidumper_service proc_modules_file:file { getattr open read };
allow hidumper_service proc_net:file { getattr open read };
allow hidumper_service proc_net_tcp_udp:file { getattr open read };
allow hidumper_service proc_slabinfo_file:file { getattr open read };
allow hidumper_service proc_stat_file:file { getattr open read };
allow hidumper_service proc_version_file:file { getattr open read };
allow hidumper_service proc_vmallocinfo_file:file { getattr open read };
allow hidumper_service proc_vmstat_file:file { getattr open read };
allow hidumper_service proc_zoneinfo_file:file { getattr open read };
allow hidumper_service sys_file:dir { open read };
allow hidumper_service sys_file:file { getattr open read };
allow hidumper_service sysfs_devices_system_cpu:file { open read };
allow hidumper_service debugfs:dir { open read };
allow hidumper_service debugfs_failed_transaction_log:file { getattr open read };
allow hidumper_service debugfs_transactions:file { getattr open read };
allow hidumper_service debugfs_transaction_log:file { getattr open read };
allow hidumper_service debugfs_used:file { getattr open read };
allow hidumper_service debugfs_wakeup_sources:file { getattr open read };
allow hidumper_service debugfs_stats:file { getattr open read };
allow hidumper_service debugfs_state:file { getattr open read };

##### Data partition #####
allow hidumper_service data_file:dir { getattr open read search };
allow hidumper_service data_init_agent:dir search;
allow hidumper_service data_init_agent:file { append ioctl open read };
allow hidumper_service data_log:dir { open read search };
# data_log files are writable from this domain (write/append), not just readable.
allow hidumper_service data_log:file { append getattr open read write };
allow hidumper_service data_misc:dir search;
# hidumper's own output location: full create/unlink rights.
allow hidumper_service hidumper_file:dir { add_name getattr open read remove_name search write };
allow hidumper_service hidumper_file:file { append create getattr ioctl open read unlink write };
allow hidumper_service system_etc_file:file lock;
allow hidumper_service musl_param:file { map open read };
allow hidumper_service arkcompiler_param:file { map open read };
allow hidumper_service ark_writeable_param:file { map open read };

##### stat()/lookup of system and vendor directories #####
allow hidumper_service system_file:dir getattr;
allow hidumper_service system_fonts_file:dir getattr;
allow hidumper_service system_lib_file:dir getattr;
allow hidumper_service system_profile_file:dir getattr;
allow hidumper_service system_usr_file:dir getattr;
allow hidumper_service vendor_file:dir getattr;
allow hidumper_service chip_prod_file:dir { search };

##### Device nodes #####
allow hidumper_service dev_file:dir getattr;
allow hidumper_service dev_block_file:blk_file getattr;
allow hidumper_service dev_block_file:dir search;
allow hidumper_service dev_block_file:lnk_file read;
allow hidumper_service dev_block_volfile:dir search;
allow hidumper_service dev_kmsg_file:chr_file { open read };
allow hidumper_service dev_pts_file:dir getattr;
allow hidumper_service devpts:chr_file { getattr read write };
allow hidumper_service tty_device:chr_file { getattr open read write };
allow hidumper_service dev_console_file:chr_file getattr;
allow hidumper_service dev_at_file:chr_file ioctl;
allow hidumper_service dev_unix_socket:dir search;
allow hidumper_service dev_unix_socket:sock_file write;

##### Sockets owned by this domain #####
# NOTE(review): raw IP and UDP socket creation on a dump service — presumably
# for network-state commands run via the helpers above; confirm still required.
allow hidumper_service self:udp_socket { create ioctl };
allow hidumper_service self:rawip_socket create;

##### System abilities hidumper_service may look up through samgr #####
allow hidumper_service samgr:samgr_class list;
allow hidumper_service sa_samgr_service:samgr_class get;
#avc: denied { get } for service=3301 pid=611 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_powermgr_powermgr_service:samgr_class { get };
binder_call(hidumper_service, powermgr);
#avc: denied { get } for service=3302 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_powermgr_battery_service:samgr_class { get };
#avc: denied { get } for service=3308 pid=581 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_displaymgr_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_powermgr_displaymgr_service:samgr_class { get };
#avc: denied { get } for service=3303 pid=553 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=1
allow hidumper_service sa_powermgr_thermal_service:samgr_class { get };
allow hidumper_service sa_dfx_sys_hidumper_cpu_ability:samgr_class get;
allow hidumper_service sa_accessibleabilityms:samgr_class get;
allow hidumper_service sa_accountmgr:samgr_class get;
allow hidumper_service sa_bgtaskmgr:samgr_class get;
allow hidumper_service sa_bluetooth_server:samgr_class get;
allow hidumper_service sa_comm_dns_manager_service:samgr_class get;
allow hidumper_service sa_comm_ethernet_manager_service:samgr_class get;
allow hidumper_service sa_comm_mdns_manager_service:samgr_class get;
allow hidumper_service sa_comm_net_stats_manager_service:samgr_class get;
allow hidumper_service sa_dataobs_mgr_service_service:samgr_class get;
allow hidumper_service sa_device_usage_statistics_service:samgr_class get;
allow hidumper_service sa_dfx_sys_hidumper_ability:samgr_class get;
allow hidumper_service sa_distributeddata_service:samgr_class get;
allow hidumper_service sa_distributeschedule:samgr_class get;
allow hidumper_service sa_enterprise_device_manager_service:samgr_class get;
allow hidumper_service sa_form_mgr_service:samgr_class get;
allow hidumper_service sa_foundation_abilityms:samgr_class get;
allow hidumper_service sa_foundation_appms:samgr_class get;
allow hidumper_service sa_foundation_bms:samgr_class get;
allow hidumper_service sa_hiview_service:samgr_class get;
allow hidumper_service sa_installd_service:samgr_class get;
allow hidumper_service sa_net_conn_manager:samgr_class get;
allow hidumper_service sa_net_policy_manager:samgr_class get;
allow hidumper_service sa_netsys_native_manager:samgr_class get;
allow hidumper_service sa_render_service:samgr_class get;
allow hidumper_service sa_resource_schedule:samgr_class get;
allow hidumper_service sa_resource_schedule_socperf_server:samgr_class get;
allow hidumper_service sa_sys_event_service:samgr_class get;
allow hidumper_service sa_uri_permission_mgr_service:samgr_class get;
allow hidumper_service sa_useriam_authexecutormgr_service:samgr_class get;
allow hidumper_service sa_useriam_faceauth_service:samgr_class get;
allow hidumper_service sa_useriam_userauth_service:samgr_class get;
allow hidumper_service sa_wifi_device_ability:samgr_class get;
allow hidumper_service sa_wifi_hotspot_ability:samgr_class get;
allow hidumper_service sa_wifi_p2p_ability:samgr_class get;
allow hidumper_service sa_wifi_scan_ability:samgr_class get;
allow hidumper_service sa_work_schedule_service:samgr_class get;
allow hidumper_service sa_accesstoken_manager_service:samgr_class get;
allow hidumper_service sa_audio_policy_service:samgr_class get;
allow hidumper_service sa_camera_service:samgr_class get;
allow hidumper_service sa_device_auth_service:samgr_class get;
allow hidumper_service sa_device_profile_service:samgr_class get;
allow hidumper_service sa_device_security_level_manager_service:samgr_class get;
allow hidumper_service sa_drm_service:samgr_class get;
allow hidumper_service sa_device_service_manager:samgr_class get;
allow hidumper_service sa_download_service:samgr_class get;
allow hidumper_service sa_file_access_service:samgr_class get;
allow hidumper_service sa_filemanagement_distributed_file_daemon_service:samgr_class get;
allow hidumper_service sa_foundation_ans:samgr_class get;
allow hidumper_service sa_foundation_cesfwk_service:samgr_class get;
allow hidumper_service sa_foundation_devicemanager_service:samgr_class get;
allow hidumper_service sa_foundation_dms:samgr_class get;
allow hidumper_service sa_foundation_tel_call_manager:samgr_class get;
allow hidumper_service sa_foundation_tel_state_registry:samgr_class get;
allow hidumper_service sa_huks_service:samgr_class get;
allow hidumper_service sa_inputmethod_service:samgr_class get;
allow hidumper_service sa_location_geo_convert_service:samgr_class get;
allow hidumper_service sa_location_locator_service:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_gnss:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_network:samgr_class get;
allow hidumper_service sa_locationhub_lbsservice_passive:samgr_class get;
allow hidumper_service sa_media_service:samgr_class get;
allow hidumper_service sa_memory_manager_service:samgr_class get;
allow hidumper_service sa_msdp_devicestatus_service:samgr_class get;
allow hidumper_service sa_multimodalinput_service:samgr_class get;
allow hidumper_service sa_pasteboard_service:samgr_class get;
allow hidumper_service sa_privacy_service:samgr_class get;
allow hidumper_service sa_pulseaudio_audio_service:samgr_class get;
allow hidumper_service sa_screenlock_service:samgr_class get;
allow hidumper_service sa_softbus_service:samgr_class get;
allow hidumper_service sa_storage_manager_daemon:samgr_class get;
allow hidumper_service sa_storage_manager_service:samgr_class get;
allow hidumper_service sa_subsys_ace_service:samgr_class get;
allow hidumper_service sa_telephony_tel_cellular_call:samgr_class get;
allow hidumper_service sa_telephony_tel_cellular_data:samgr_class get;
allow hidumper_service sa_telephony_tel_core_service:samgr_class get;
allow hidumper_service sa_telephony_tel_sms_mms:samgr_class get;
allow hidumper_service sa_time_service:samgr_class get;
allow hidumper_service sa_update_distributed_service:samgr_class get;
allow hidumper_service sa_usb_service:samgr_class get;
allow hidumper_service sa_useriam_pinauth_service:samgr_class get;
allow hidumper_service sa_useriam_useridm_service:samgr_class get;
allow hidumper_service sa_wallpaper_manager_service:samgr_class get;
allow hidumper_service sa_devattest_service:samgr_class get;
allow hidumper_service sa_device_standby:samgr_class get;
allow hidumper_service sa_task_heartbeat_mgr:samgr_class get;
allow hidumper_service sa_el5_filekey_manager:samgr_class get;
allow hidumper_service sa_app_fwk_update_service:samgr_class get;

##### Hard limit, enforced at policy build time #####
# hidumper_service, and every helper it runs without a domain transition,
# must never be able to ptrace any process.
neverallow hidumper_service *:process ptrace;