# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

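# Domain for the device attestation service (the SA registered as sa_devattest_service).
# Rules are grouped by what they grant; the "#avc: denied" lines are the original
# audit records that motivated the rule beneath them and are kept as the rationale.
# Changes against the previous revision: the two self udp_socket rules were merged into
# one (a plain set union, no permission added or removed), the missing space before the
# closing brace on the sysfs_devices_system_cpu rule was fixed, and rules were regrouped.
type devattest_service, sadomain, domain;
type devattest_service_exec, system_file_attr, exec_attr, file_attr;

init_daemon_domain(devattest_service);

# --- Persistent data: the service's own directory under the el1 public data area ---
#avc:  denied  { search } for  pid=324 comm="IPC_0_424" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:devattest_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
allow devattest_service data_file:dir { search };
allow devattest_service data_service_file:dir { search };
allow devattest_service data_service_el1_file:dir { search };
allow devattest_service data_service_el1_public_device_attest:dir { search getattr add_name open read remove_name write create };
allow devattest_service data_service_el1_public_device_attest:file { append map open read create write getattr setattr unlink lock ioctl rename };

# --- Networking: outbound TCP (name_connect on any port type) plus the netsysnative socket ---
allow devattest_service netsysnative:unix_stream_socket { connectto read write };
allow devattest_service port:tcp_socket { name_connect };
allow devattest_service devattest_service:tcp_socket { connect create read setopt write getopt getattr };
allow devattest_service devattest_service:udp_socket { bind connect create getattr getopt ioctl read setopt write };
allow devattest_service node:udp_socket { node_bind };
allow devattest_service port:udp_socket { name_bind };
allow devattest_service devattest_service:unix_dgram_socket { ioctl getopt setopt };
allow devattest_service dev_unix_socket:dir { search };
# NOTE(review): nlmsg_readpriv on a netlink route socket and a raw packet_socket grant
# considerably more than an ordinary TCP client needs; no audit record on this page
# motivates them. Confirm they are still exercised and drop them if not.
allow devattest_service devattest_service:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write };
allow devattest_service devattest_service:packet_socket { bind create read write };

# --- System ability manager: register this SA and look up the SAs it talks to ---
allow devattest_service sa_devattest_service:samgr_class { add };
# NOTE(review): `add` on sa_accesstoken_manager_service presumably permits registering
# the access-token SA from this domain; a client normally needs only `get` — confirm.
allow devattest_service sa_accesstoken_manager_service:samgr_class { add get };
allow devattest_service sa_net_conn_manager:samgr_class { get };
allow devattest_service sa_foundation_bms:samgr_class { get };
#avc:  denied  { get } for service=3203 pid=324 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_foundation_ans:s0 tclass=samgr_class permissive=0
allow devattest_service sa_foundation_ans:samgr_class { get };
#avc:  denied  { get } for service=200 pid=1587 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0
allow devattest_service sa_accountmgr:samgr_class { get };
#avc:  denied  { get } for service=3901 pid=1588 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=0
allow devattest_service sa_param_watcher:samgr_class { get };
#avc:  denied  { get } for service=3510 pid=1486 scontext=u:r:devattest_service:s0 tcontext=u:object_r:sa_huks_service:s0 tclass=samgr_class permissive=0
allow devattest_service sa_huks_service:samgr_class { get };

# --- Binder peers (system daemons) ---
allow devattest_service accesstoken_service:binder { call };
allow devattest_service foundation:binder { call transfer };
allow devattest_service netmanager:binder { call transfer };
allow devattest_service softbus_server:binder { call };
allow devattest_service huks_service:binder { call };
#avc:  denied  { call } for  pid=2249 comm="devattest_servi" scontext=u:r:devattest_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2249 comm="devattest_servi" scontext=u:r:devattest_service:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow devattest_service param_watcher:binder { call transfer };
#avc:  denied  { call } for  pid=1588 comm="SaInit0" scontext=u:r:devattest_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0
allow devattest_service accountmgr:binder { call };

# --- Binder peers (application processes of every privilege level) ---
# presumably callbacks to hap clients that invoked the service — verify against the IPC code
allow devattest_service normal_hap_attr:binder { call transfer };
allow devattest_service system_basic_hap_attr:binder { call transfer };
allow devattest_service system_core_hap_attr:binder { call transfer };

# --- System parameters: read via /dev/__parameters__, set through the param service socket ---
#avc:  denied  { connectto } for  pid=320 comm="IPC_1_566" path="/dev/unix/socket/paramservice" scontext=u:r:devattest_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0
allow devattest_service kernel:unix_stream_socket { connectto };
# NOTE(review): create/setattr/relabelto on the param service socket file are more than a
# parameter-setting client needs; the audit record above shows only the connectto. Confirm
# these are still exercised and trim the rule if not.
allow devattest_service paramservice_socket:sock_file { write create setattr getattr relabelto };
allow devattest_service xts_devattest_authresult_param:file { map open read };
allow devattest_service xts_devattest_authresult_param:parameter_service { set };
allow devattest_service devinfo_private_param:file { map open read };
allow devattest_service hilog_param:file { map open read };
allow devattest_service accessibility_param:file { read };
#avc:  denied  { open } for  pid=326 comm="IPC_2_436" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:devattest_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { map } for  pid=324 comm="devattest_servi" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:devattest_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow devattest_service musl_param:file { open read map };
#avc:  denied  { read } for  pid=320 comm="IPC_1_566" name="u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=1587 comm="SaInit0" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0
#avc:  denied  { map } for  pid=1601 comm="SaInit2" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=58 scontext=u:r:devattest_service:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=0
allow devattest_service persist_param:file { read open map };
#avc:  denied  { read } for  pid=2249 comm="sa_main" name="u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2249 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=2249 comm="sa_main" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=60 scontext=u:r:devattest_service:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
allow devattest_service debug_param:file { read open map };

# --- Read-only system files, sysfs and tracefs ---
#avc:  denied  { search } for  pid=2016 comm="devattest_servi" name="usr" dev="mmcblk0p7" ino=3033 scontext=u:r:devattest_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=0
allow devattest_service system_usr_file:dir { search };
#avc:  denied  { getattr } for  pid=2249 comm="devattest_servi" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p7" ino=3040 scontext=u:r:devattest_service:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
allow devattest_service system_usr_file:file { getattr };
allow devattest_service sysfs_devices_system_cpu:file { open read getattr };
#avc:  denied  { search } for  pid=324 comm="devattest_servi" name="/" dev="tracefs" ino=1 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=0
allow devattest_service tracefs:dir { search };
#avc:  denied  { write } for  pid=2249 comm="devattest_servi" name="trace_marker" dev="tracefs" ino=17126 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2249 comm="devattest_servi" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=17126 scontext=u:r:devattest_service:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow devattest_service tracefs_trace_marker_file:file { write open };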
114