# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# neverallow assertions for application (hap) domains.
#
# A neverallow is checked when the policy is compiled: the build fails if any
# allow rule anywhere in the policy grants a permission matched here.  These
# lines therefore bound what later policy may ever grant to normal_hap_attr
# and hap_domain.  Syntax reminders: "*" is every type / every permission,
# "~{ p }" is every permission except p, and "-t" inside a set removes t.
# never_rw_file, never_rwx_file, never_write_file, never_execute_file,
# rw_file_perms and dir_file_class_set are permission/class macros defined
# elsewhere in the policy tree (not visible in this file); debug_only() is an
# m4 macro from the same tree.

# No access of any kind to the local trace directory.
neverallow normal_hap_attr data_local_traces:dir *;

# Every permission on raw, netlink, packet and other non-IP socket classes is
# forbidden against any target type.  tcp_socket, udp_socket and the unix_*
# socket classes are not in this set, nor are netlink_route_socket and
# netlink_selinux_socket (those get narrower rules below).
neverallow normal_hap_attr *:{ socket netlink_socket packet_socket appletalk_socket netlink_tcpdiag_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket
netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket ax25_socket
ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket
irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket
isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
qipcrtr_socket smc_socket xdp_socket } *;

# NOTE(review): already implied by the rule above (target "*" includes domain
# and netlink_kobject_uevent_socket is in that class set), and the identical
# line appears once more further down.  Harmless, since neverallow rules are
# idempotent, but one copy could be dropped.
neverallow normal_hap_attr domain:netlink_kobject_uevent_socket *;

# Route/selinux netlink sockets may be used, but never ioctl'd.
neverallow normal_hap_attr *:{ netlink_route_socket netlink_selinux_socket } ioctl;

# No binding to, and no reading of privileged messages from, any domain's
# netlink route socket.
neverallow normal_hap_attr { domain }:netlink_route_socket { bind nlmsg_readpriv };

# NOTE(review): exact duplicate of the ioctl rule two statements above.
neverallow normal_hap_attr *:{ netlink_route_socket netlink_selinux_socket } ioctl;

# Left disabled by the author: an extended-permission (neverallowxperm)
# restriction on ioctl for the IP socket classes.
#neverallowxperm normal_hap domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl

# Kernel log device: neither readable nor writable by apps.
neverallow normal_hap_attr dev_kmsg_file:chr_file never_rw_file;

# /dev/fuse is off limits except for the two exempted source types.
neverallow { normal_hap_attr -dev_fuse_file_violator -dlpmanager_hap}
dev_fuse_file:chr_file *;

# NOTE(review): subsumed by the later rule on debugfs_attr:{ file lnk_file }
# read, which covers this class and permission.
neverallow normal_hap_attr debugfs_attr:file read;

# Files in app data directories can never be executed without a domain
# transition (execute_no_trans).
neverallow normal_hap_attr { normal_hap_data_file_attr system_core_hap_data_file_attr }:file execute_no_trans;

# No hard links to file_attr files, except for the exempted attribute.
neverallow { normal_hap_attr -hap_attr_link_violators } file_attr:file link;

# sysfs: never writable or executable.
neverallow normal_hap_attr sysfs_attr:file { never_write_file never_execute_file };

# sys_file: never read or written.
neverallow normal_hap_attr sys_file:file never_rw_file;

# These two hap types carry proc_violator and are thereby excluded from the
# "-proc_violator" source sets in the next two rules.
typeattribute system_core_hap proc_violator;
typeattribute system_basic_hap proc_violator;

# Non-exempt hap domains may not read, write or execute these /proc files.
neverallow { hap_domain -proc_violator } { proc_file proc_asound_file proc_kmsg_file proc_loadavg_file proc_mounts_file proc_pagetypeinfo_file proc_slabinfo_file
 proc_swaps_file proc_uptime_file proc_version_file proc_vmallocinfo_file proc_vmstat_file }:file { never_rwx_file };

# /proc/stat has its own exemption attribute in addition to proc_violator.
neverallow { hap_domain -proc_violator -hap_domain_proc_stat_file_violators } proc_stat_file:file { never_rwx_file };

neverallow normal_hap_attr proc_filesystems_file:file { never_rwx_file };

# Kernel config (/proc/config.gz) is not readable by apps.
neverallow normal_hap_attr proc_config_gz_file:file { never_rwx_file };

#expand to system_file_attr
# No file locks on anything labelled with system_file_attr.
neverallow normal_hap_attr system_file_attr:file lock;

# The older, narrower rule is kept for reference; the live rule covers all of
# hap_domain, and sh is additionally denied write on selinuxfs.
# neverallow normal_hap_attr selinuxfs:file never_rw_file;
neverallow hap_domain selinuxfs:file never_rw_file;
neverallow sh selinuxfs:file { write };

# cgroup files: no permission at all, except for the exempted attribute.
neverallow { normal_hap_attr -hap_domain_cgroup_violators } cgroup:file *;

#todo closing for debug building.
# debugfs files and symlinks are not readable by apps.
neverallow normal_hap_attr debugfs_attr:{ file lnk_file } read;

# NOTE(review): already implied by the large socket-class rule near the top
# (netlink_socket is in that set and its target is "*").
neverallow normal_hap_attr domain:netlink_socket *;

# NOTE(review): duplicate of the same rule near the top of the file.
neverallow normal_hap_attr domain:netlink_kobject_uevent_socket *;

# /proc/net: files get no rw_file_perms; directories get nothing except getattr.
neverallow normal_hap_attr proc_net:file rw_file_perms;
neverallow normal_hap_attr proc_net:dir ~{ getattr };

# neverallow normal_hap sh restorecon
# Relabelling (restorecon-style) of any object class in dir_file_class_set is
# forbidden to sh and to apps.  debug_only(`-sh') presumably expands to "-sh"
# only in debug builds, removing sh from the source set there -- confirm
# against the macro definition.
neverallow { sh debug_only(`-sh') normal_hap_attr } *:dir_file_class_set { relabelto relabelfrom };

# NOTE(review): the object class here is "file"; device nodes are chr_file /
# blk_file objects, so this rule constrains only regular files carrying these
# labels.  Verify that this is the intended coverage.
neverallow normal_hap_attr { dev_block_volfile dev_block_file dev_bus dev_char_file dev_pts_file dev_snd_file dev_unix_file dev_v_file }:file { open read };

# Everything under proc_attr is unreadable to non-exempt apps, except the
# five explicitly subtracted /proc entries.
neverallow { normal_hap_attr -hap_domain_proc_stat_file_violators -hap_domain_proc_modules_file_violators } { proc_attr -proc_meminfo_file -proc_max_user_watches -proc_boot_id -proc_cpuinfo_file -proc_cmdline_file }:file { open read };

# No hap domain may write to any proc_attr file.
neverallow hap_domain proc_attr:file write;