1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License
13type developtools_hdc_control_param, parameter_attr;
14type developtools_hdc_auth_param, parameter_attr;
15
16developer_only(`
17    allow hdcd data_local:file { read open getattr create write };
18    allow hdcd data_local:dir { search getattr read write add_name open create };
19    allow hdcd data_local_tmp:file { write create setattr read append open getattr unlink };
20    allow hdcd data_local_tmp:dir { add_name remove_name write create setattr search getattr read open };
21    allow hdcd data_local_traces:dir { read open getattr };
22
23    allow hdcd vendor_lib_file:file { read getattr };
24    allow hdcd vendor_lib_file:dir { read getattr search };
25
26    allow hdcd self:tcp_socket { accept ioctl setopt read write create bind listen getattr connect name_connect getopt };
27    allow hdcd port:tcp_socket { name_bind name_connect };
28    allow hdcd node:tcp_socket { node_bind };
29    allow hdcd self:udp_socket { create setopt bind };
30    allow hdcd port:udp_socket { name_bind };
31    allow hdcd node:udp_socket { node_bind };
32    allow hdcd sh:process { signal sigkill };
33    allow hdcd hdcd_exec:file { open execute_no_trans entrypoint execute map read };
34
35    allow hdcd kernel:system { syslog_read };
36    allow hdcd kernel:unix_stream_socket { connectto };
37    allow hdcd kernel:process { setsched };
38
39    allow hdcd dev_rtc_file:chr_file { write open ioctl };
40
41    allow hdcd vendor_file:dir { getattr };
42    allow hdcd tmpfs:dir { open read };
43    allow hdcd tmpfs:file { getattr open read };
44    allow hdcd data_file:dir { read write open create getattr search rmdir add_name };
45    allow hdcd data_file:file { read getattr open };
46    allow hdcd system_file:dir { getattr };
47    allow hdcd system_file:file { open };
48
49    allow hdcd tty_device:chr_file { ioctl read write open };
50    allow hdcd system_bin_file:lnk_file { read };
51    allow hdcd toybox_exec:lnk_file { read };
52    allow hdcd system_bin_file:dir { search getattr };
53    allow hdcd system_bin_file:file { open };
54    allow hdcd toybox_exec:file { getattr map open read };
55
56    allow hdcd lib_file:lnk_file { read };
57    allow hdcd dev_kmsg_file:chr_file { read open };
58    allow hdcd vendor_lib_file:file { open map execute };
59
60    allow hdcd dev_unix_socket:dir { search };
61    allow hdcd dev_unix_socket:sock_file { write };
62
63    allow hdcd data_init_agent:dir { search write add_name };
64    allow hdcd data_init_agent:file { create };
65
66    allow hdcd dev_ptmx:chr_file { read write open ioctl };
67    allow hdcd dev_pts_file:dir { search };
68    allow hdcd devpts:chr_file { read write open };
69    allow hdcd paramservice_socket:sock_file { write };
70
71    allow hdcd dev_block_file:dir { search };
72    allow hdcd dev_block_file:lnk_file { read };
73    allow hdcd dev_block_file:blk_file { ioctl };
74    allow hdcd dev_block_volfile:dir { search };
75
76    allow hdcd bootevent_param:file { map open read };
77    allow hdcd bootevent_samgr_param:file { map open read };
78    allow hdcd build_version_param:file { map open read };
79    allow hdcd const_allow_mock_param:file { map open read };
80    allow hdcd const_allow_param:file { map open read };
81    allow hdcd const_build_param:file { map open read };
82    allow hdcd const_display_brightness_param:file { map open read };
83    allow hdcd const_param:file { map open read };
84    allow hdcd const_postinstall_fstab_param:file { map open read };
85    allow hdcd const_postinstall_param:file { map open read };
86    allow hdcd const_product_param:file { map open read };
87    allow hdcd data_log:dir { search };
88    allow hdcd debug_param:file { map open read };
89    allow hdcd default_param:file { map open read };
90    allow hdcd dev_usb_ffs:dir { open read search };
91    allow hdcd distributedsche_param:file { map open read };
92    allow hdcd faultloggerd_temp_file:dir { search };
93    allow hdcd faultloggerd_temp_file:file { getattr open read };
94    allow hdcd functionfs:dir { search };
95    allow hdcd functionfs:file { open read write };
96    allow hdcd hilog_param:file { map open read };
97    allow hdcd hw_sc_build_os_param:file { map open read };
98    allow hdcd hw_sc_build_param:file { map open read };
99    allow hdcd hw_sc_param:file { map open read };
100    allow hdcd init_param:file { map open read };
101    allow hdcd init_svc_param:file { map open read };
102    allow hdcd input_pointer_device_param:file { map open read };
103    allow hdcd net_param:file { map read open };
104    allow hdcd net_tcp_param:file { map open read };
105    allow hdcd ohos_boot_param:file { map open read };
106    allow hdcd ohos_param:file { map open read };
107    allow hdcd persist_param:file { map open read };
108    allow hdcd persist_sys_param:file { map open read };
109    allow hdcd security_param:file { map open read };
110    allow hdcd startup_param:file { map open read };
111    allow hdcd sys_file:file { open read };
112    allow hdcd sys_param:file { map open read };
113    allow hdcd sys_usb_param:file { map open read };
114    allow hdcd tracefs:dir { search };
115    allow hdcd tracefs_trace_marker_file:file { write open };
116    allow hdcd dev_console_file:chr_file { read write };
117    allow hdcd musl_param:file { map read open };
118
119    allow hdcd hmdfs:dir create_dir_perms_without_ioctl;
120    allow hdcd hmdfs:file create_file_perms_without_ioctl;
121
122    allow hdcd samgr:binder { call };
123    allow hdcd param_watcher:binder { call transfer };
124    allow hdcd audio_server:binder { call transfer };
125    allow hdcd sa_audio_policy_service:samgr_class { get };
126    allow hdcd sa_pulseaudio_audio_service:samgr_class { get };
127
128    #for auth user permit: show system dialog
129    #avc: denied { call } for pid=8390, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0
130    allow hdcd_user_permit samgr:binder { call };
131    #avc: denied { search } for pid=592, comm="/system/bin/samgr" name="/7691" dev="" ino=21628 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=dir permissive=0
132    allow samgr hdcd_user_permit:dir { search };
133    #avc: denied { read } for pid=597, comm="/system/bin/samgr" path="/proc/4938/attr/current" dev="" ino=14239 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=0
134    allow samgr hdcd_user_permit:file { read };
135    #avc: denied { transfer } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=1
136    allow samgr hdcd_user_permit:binder { call transfer };
137    #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/kmsg" dev="" ino=16 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
138    allow hdcd_user_permit dev_kmsg_file:chr_file { write };
139    #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
140    #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
141    allow hdcd_user_permit foundation:binder { call transfer };
142    #avc: denied { open } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
143    #avc: denied { read } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
144    allow hdcd_user_permit persist_sys_param:file { open read };
145    #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1
146    #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1
147    allow hdcd_user_permit hap_domain:binder { call transfer };
148    #avc: denied { ioctl } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
149    #avc: denied { open } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
150    #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
151    #avc: denied { read write } for pid=7691, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
152    allow hdcd_user_permit tty_device:chr_file { ioctl open write read };
153    allowxperm hdcd_user_permit tty_device:chr_file ioctl { 0x5413 };
154    # avc: denied { open } for pid=623, comm="/system/bin/samgr" path="/proc/5470/attr/current" dev="" ino=16620 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=1
155    allow samgr hdcd_user_permit:file { open };
156    #avc: denied { getattr } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=process permissive=1
157    allow samgr hdcd_user_permit:process { getattr };
158    #avc: denied { get } for service=180 pid=5753 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
159    allow hdcd_user_permit sa_foundation_abilityms:samgr_class { get };
160    #avc denied { get } for service=401 pid=5574 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
161    allow hdcd_user_permit sa_foundation_bms:samgr_class { get };
162    #avc: denied { call } for pid=1495, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0
163    #avc: denied { transfer } for pid=1492, comm="/system/bin/sa_main"  scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0
164    allow foundation hdcd_user_permit:binder { call transfer };
165
166    allow hdcd memmgrservice:dir { getattr search };
167    allow hdcd memmgrservice:file { open read };
168
169    allow hdcd sa_param_watcher:samgr_class { get };
170    allow hdcd sys_param:parameter_service { set };
171    # hdcd should set sys.usb.ffs.ready
172    allow hdcd sys_usb_param:parameter_service { set };
173    allow hdcd persist_param:parameter_service { set };
174    allow hdcd servicectrl_reboot_param:parameter_service { set };
175    #avc: denied { search } for pid=2387 comm="hdcd_user_permi" name="socket" dev="tmpfs" ino=43 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
176    allow hdcd_user_permit dev_unix_socket:dir { search };
177    #avc: denied { connectto } for pid=2387 comm="hdcd_user_permi" path="/dev/unix/socket/paramservice" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
178    allow hdcd_user_permit kernel:unix_stream_socket { connectto };
179    #avc: denied { write } for pid=2387 comm="hdcd_user_permi" name="paramservice" dev="tmpfs" ino=49 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
180    allow hdcd_user_permit paramservice_socket:sock_file { write };
181    #avc: denied { map } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
182    #avc: denied { open } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
183    #avc: denied { read } for pid=2387 comm="hdcd_user_permi" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
184    allow hdcd_user_permit debug_param:file { map open read };
185    allow hdcd developtools_hdc_auth_param:parameter_service { set };
186    allow system_basic_hap_attr developtools_hdc_auth_param:parameter_service { set };
187    #avc: denied { relabelfrom } for pid=1 comm="init" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:init:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0
188    allow init developtools_hdc_auth_param:file { relabelfrom };
189    #avc: denied { map } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
190    #avc: denied { open } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
191    #avc: denied { read } for pid=716 comm="async-50" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
192    allow hdcd_user_permit developtools_hdc_auth_param:file { map open read };
193    allow system_basic_hap_attr developtools_hdc_auth_param:file { map open read };
194    #avc: denied { read } for pid=699 comm="async-57" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0
195    #avc: denied { map } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
196    #avc: denied { open } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
197    allow hdcd developtools_hdc_auth_param:file { read map open };
198    #avc: denied { getattr } for pid=641 comm="async-34" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
199    #avc: denied { open } for pid=691 comm="async-30" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
200    #avc: denied { read } for pid=791 comm="async-0" name="online" dev="sysfs" ino=4921 scontext=u:r:hdcd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
201    allow hdcd sysfs_devices_system_cpu:file { getattr open read };
202    #avc: denied { ioctl } for pid=3677 comm="async-62" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x540e scontext=u:r:hdcd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
203    allow hdcd devpts:chr_file { ioctl };
204    allowxperm hdcd devpts:chr_file ioctl { 0x540e 0x5414 };
205    #avc: denied { ioctl } for pid=5516 comm="SaInit0" path="/data/service/el1/public/netmanager/net_stats_data.db" dev="mmcblk0p15" ino=239 ioctlcmd=0xf50c scontext=u:r:netmanager:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
206    allow hdcd data_service_el1_file:file { ioctl };
207    allowxperm hdcd data_service_el1_file:file ioctl { 0xf50c };
208    #avc: denied { map } for pid=14537 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1
209    #avc: denied { open } for pid=5554 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1
210    allow hdcd hook_param:file { map open };
211    #avc: denied { use } for pid=5554 comm="sh" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:sh:s0 tcontext=u:r:init:s0 tclass=fd permissive=1
212    allow hdcd init:fd { use };
213    #avc: denied { use } for pid=2387 comm="hdcd_user_permi" path="/system/bin/hdcd_user_permit" dev="mmcblk0p7" ino=238 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
214    allow hdcd_user_permit sh:fd { use };
215
216    #avc: denied { add_name } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
217    #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
218    #avc: denied { write } for pid=623 comm="async-46" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
219    #avc: denied { search } for pid=701 comm="async-18" name="misc" dev="mmcblk0p15" ino=108 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
220    allow hdcd data_hdc_pubkeys:dir { search getattr read open add_name create write };
221    #avc: denied { remove_name } for pid=5502, comm="/system/bin/hdcd" name="/service/el1/public/hdc" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3876 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
222    allow hdcd data_hdc_pubkeys:dir { remove_name };
223    #avc: denied { getattr } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
224    #avc: denied { open } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
225    #avc: denied { append } for pid=623 comm="async-46" name="hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
226    #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
227    #avc: denied { write } for pid=623 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
228    #avc: denied { unlink } for pid=6821, comm="/system/bin/hdcd" name="/service/el1/public/hdc/hdc_keys" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=14932 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=0
229    allow hdcd data_hdc_pubkeys:file { getattr open append create write unlink };
230    #avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
231    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
232    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
233    #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
234    #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
235    allow init data_hdc_pubkeys:dir { getattr open read relabelto setattr };
236    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
237    allow init data_hdc_pubkeys:file { read };
238
239    #avc: denied { search } for pid=736 comm="async-40" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
240    allow hdcd_user_permit data_service_el1_file:dir { search };
241    #avc: denied { search } for pid=736 comm="async-40" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
242    allow hdcd_user_permit data_service_file:dir { search };
243
244    #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
245    allow init data_service_el1_file:dir { search };
246    #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
247    allow init data_service_file:dir { search };
248
249    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
250    allow hdcd data_hdc_pubkeys:file { read };
251    #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
252    allow hdcd data_service_el1_file:dir { search };
253    #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
254    allow hdcd data_service_file:dir { search };
255    #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0
256    allow hdcd hdcd:fd { use };
257    #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0
258    allow hdcd_user_permit hdcd:fd { use };
259    #avc: denied { ioctl } for pid=5024 comm="sh" path="/dev/null" dev="tmpfs" ino=3 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:dev_null_file:s0 tclass=chr_file permissive=0
260    allow hdcd_user_permit dev_null_file:chr_file { ioctl };
261    allowxperm hdcd_user_permit dev_null_file:chr_file ioctl { 0x5413 };
262    #avc: denied { map } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
263    #avc: denied { open } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
264    #avc: denied { read } for pid=13700 comm="sh" name="u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
265    allow hdcd_user_permit startup_init_param:file { map open read };
266    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
267    #avc: denied { write } for pid=12045 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
268    allow hdcd_user_permit dev_console_file:chr_file { read write };
269    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1
270    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1
271    allow hdcd_user_permit hdcd:unix_stream_socket { read write };
272    #avc: denied { ioctl } for pid=2387 comm="hdcd_user_permi" path="pipe:[37910]" dev="pipefs" ino=37910 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1
273    #avc: denied { write } for pid=13700 comm="hdcd_user_permi" path="pipe:[89014]" dev="pipefs" ino=89014 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1
274    allow hdcd_user_permit hdcd:fifo_file { ioctl write };
275    allowxperm hdcd_user_permit hdcd:fifo_file ioctl { 0x5413 };
276    #avc: denied { set } for parameter=persist.hdc.daemon.auth_result pid=12378 uid=2000 gid=2000 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=parameter_service permissive=1
277    allow hdcd_user_permit developtools_hdc_auth_param:parameter_service { set };
278    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
279    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
280    #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
281    #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
282    #avc: denied { getattr } for pid=8467 comm="ls" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:sh:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
283    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
284    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
285    #avc: denied { add_name } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
286    #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
287    #avc: denied { write } for pid=716 comm="async-50" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
288    allow hdcd_user_permit data_hdc_pubkeys:dir { open read relabelto setattr getattr add_name create write };
289    #avc: denied { append } for pid=716 comm="async-50" name="hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
290    #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
291    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
292    #avc: denied { write } for pid=716 comm="async-50" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
293    allow hdcd_user_permit data_hdc_pubkeys:file { append create read write };
294
295    allow hdcd hiprofiler_plugins:process { signal };
296    allow hdcd hiprofilerd:process { signal };
297    allow hdcd bytrace:process { signal };
298    allow hdcd hitrace:process { signal };
299    allow hdcd hidumper:process { signal };
300    allow hdcd hidumper_file:dir { search };
301    allow hdcd hiperf:process { signal };
302    allow hdcd hidumper_file:file { getattr open read };
303    allow hdcd hilogd_exec:file { execute read open getattr execute_no_trans map };
304    allow hdcd hiview_exec:file { execute read open getattr execute_no_trans map };
305    allow hdcd hisysevent_exec:file { execute read open getattr execute_no_trans map };
306
307    # for recv /data/log and /data/log/hilog
308    allow hdcd data_log:dir { getattr read open };
309    allow hdcd data_log:file { getattr read open };
310    allow hdcd data_hilogd_file:dir { getattr read open };
311    allow hdcd data_hilogd_file:file { getattr read open };
312
313    # for read hdc.version
314    allow hdcd debug_param:file { map read open };
315    allow hdcd debug_param:parameter_service { set };
316
317    allow hdcd { normal_hap_attr system_basic_hap_attr system_core_hap_attr sh }:unix_stream_socket { connectto };
318
319    domain_auto_transition_pattern(hdcd, sh_exec, sh);
320
321    ## this is to do temporary change for get app file in sandbox
322    # access /data/app/el2/100/base/<bundleName>
323    allow hdcd data_app_file:dir { search getattr read open };
324    allow hdcd data_app_el2_file:dir { search getattr read open };
325    allow hdcd debug_hap_data_file:dir { search getattr read open };
326    allow hdcd debug_hap_data_file:file { getattr read open };
327
328    allow samgr hdcd:dir { search };
329    allow samgr hdcd:file { read open };
330    allow samgr hdcd:process { getattr };
331    allow samgr hdcd:binder { transfer };
332    allow param_watcher hdcd:binder { call };
333')
334
335neverallow hdcd hmdfs:dir ioctl;
336neverallow hdcd hmdfs:file ioctl;
337
338# hdc control
339neverallow { domain -usb_host -init -edm_sa } developtools_hdc_control_param:parameter_service { set };
340neverallow { domain -hdcd_user_permit -hdcd } hdcd_user_permit_exec:file { execute };
341neverallow { domain -hdcd -hdcd_user_permit -system_basic_hap_attr } developtools_hdc_auth_param:parameter_service { set };
342neverallow hdcd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr -debug_hap_data_file }:{ dir file } *;
343