# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

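# Declares the hiview daemon domain through the shared policy macro.
# NOTE(review): the macro's exact expansion (init transition, etc.) lives in
# the global macros file — confirm there before relying on it.
init_daemon_domain(hiview);
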
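# Grants domain $1 write access to the hisysevent socket file.
# Defined in this file because the socket belongs to hiview; presumably
# invoked from other domains' policies as well as from the call below.
define(`use_hisysevent', `
    allow $1 hisysevent_socket:sock_file write;
')
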
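# Every domain except the kernel may write to the hisysevent socket.
use_hisysevent({ domain -kernel })

allow hiview hiview:capability2 { syslog };
allow hiview hiview:dir { search };
allow hiview hiview_exec:file { entrypoint execute map read };
# CAP_SYS_PTRACE is granted, but the neverallow right below bars hiview from
# ptrace-attaching to any process, so kernel paths that also check
# process:ptrace remain denied.
# NOTE(review): confirm the capability is still needed with ptrace barred.
allow hiview hiview:capability { sys_ptrace };
neverallow hiview *:process ptrace;

allow hiview hiview:unix_dgram_socket { getopt setopt };
allow hiview init:unix_dgram_socket { getattr getopt read write setopt };
allow hiview init:unix_stream_socket { connectto };
allow hiview faultloggerd:unix_stream_socket { connectto };

# hiview's own data files.
allow hiview hiview_file:dir { search getattr read open write add_name remove_name rmdir };
allow hiview hiview_file:file { getattr setattr append ioctl unlink map read write open lock rename };

# Log storage under /data/log.
allow hiview data_file:dir { search };
allow hiview data_log:dir { add_name open read search watch write create remove_name };
#avc:  denied  { ioctl } for  pid=2354 comm="plat_shared" path="/data/log/faultlog/JS_ERROR1501989881389" dev="mmcblk0p15" ino=9492 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_log:s0 tclass=file permissive=1
allow hiview data_log:file { create getattr lock map open read write unlink rename append ioctl };
# ioctl on log files is limited to the listed commands (0x5413 is TIOCGWINSZ).
allowxperm hiview data_log:file ioctl { 0x5413 0xf546 0xf547 };
allow hiview data_system:dir { search getattr };
allow hiview system_etc_file:dir { open read };
allow hiview system_bin_file:dir { search };
allow hiview system_bin_file:file { read execute entrypoint };
allow hiview system_bin_file:lnk_file { read };
# toybox binaries hiview may execute.
allow hiview toybox_exec:file { read execute entrypoint getattr map open };
allow hiview toybox_exec:lnk_file { read };
allow hiview sys_file:dir { read open };
allow hiview sys_file:file { read open };
allow hiview dev_bbox:chr_file { ioctl read open };
allow hiview normal_hap_attr:dir { getattr open read search };
allow hiview normal_hap_attr:file { getattr open read };
allow hiview proc_cpuinfo_file:file { read open };
allow hiview rootfs:chr_file { read write };
allow hiview faultloggerd_temp_file:file { getattr };
allow hiview faultloggerd:fifo_file { read };
allow hiview system_basic_hap_attr:dir { search };
allow hiview system_basic_hap_attr:file { getattr read open };
allow hiview system_core_hap_attr:file { getattr read open };
# usage_report runs inside the hiview domain (execute_no_trans).
allow hiview usage_report_exec:file { getattr read open execute_no_trans map execute };
allow hiview vendor_bin_file:dir { search };
allow hiview proc_meminfo_file:file { open read };

allow hiview data_init_agent:dir { search };
allow hiview data_init_agent:file { ioctl open read append };

# Binder peers.
allow hiview foundation:binder { call transfer };
allow hiview init:binder { call transfer };
allow hiview samgr:binder { call transfer };
allow hiview tmpfs:lnk_file { read };
allow hiview time_service:binder { call transfer };
allow hiview param_watcher:binder { call transfer };
binder_call(hiview, powermgr);
allow hiview hdcd:binder { call transfer };
allow hiview resource_schedule_service:binder { call transfer };
allow hiview normal_hap_attr:binder { call transfer };
allow hiview system_basic_hap_attr:binder { call transfer };
allow hiview system_core_hap_attr:binder { call transfer };
allow hiview accountmgr:binder { call transfer };
allow hiview device_usage_stats_service:binder { call transfer };

allow hiview dev_unix_socket:dir { search };
allow hiview dev_unix_socket:sock_file { write };
allow hiview faultloggerd_socket:sock_file { write };

allow hiview tracefs:dir { search };
allow hiview tracefs_trace_marker_file:file { write open };

allow hiview vendor_lib_file:dir { search };
allow hiview vendor_lib_file:file { read open getattr map execute };

allow hiview bgtaskmgr_service:dir { search };
allow hiview bgtaskmgr_service:file { open read };

# ioctl commands hiview may issue to the bbox device; the complement
# neverallowxperm later in this file pins the complete permitted set.
allowxperm hiview dev_bbox:chr_file ioctl { 0x4264 0x4266 0x426f };

#avc:  denied  { get } for service=3301 pid=618 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1
allow hiview sa_powermgr_powermgr_service:samgr_class { get };
allow hiview sa_powermgr_displaymgr_service:samgr_class { get };

allowxperm hiview data_init_agent:file ioctl { 0x5413 };

# samgr: add/get on the system abilities hiview itself provides.
allow hiview sa_sys_event_service:samgr_class { add get };
allow hiview sa_hiview_service:samgr_class { add get };
allow hiview sa_hiview_faultlogger_service:samgr_class { add get };

#avc:  denied  { read write } for  pid=1955 comm="hiview" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
allow hiview dev_console_file:chr_file { read write };
#avc:  denied  { write } for  pid=1961 comm="hiview" name="paramservice" dev="tmpfs" ino=28 scontext=u:r:hiview:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0
allow hiview paramservice_socket:sock_file { write };
#avc:  denied  { connectto } for  pid=1130 comm="hiview" path="/dev/unix/socket/paramservice" scontext=u:r:hiview:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0
# NOTE(review): the paramservice listener was observed under the kernel
# domain; this grants connectto to any kernel-owned stream socket — confirm
# that is the intended peer.
allow hiview kernel:unix_stream_socket { connectto };

#avc:  denied  { read } for  pid=4200 comm="usage_report" name="u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { map } for  pid=1594 comm="hiview" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=53 scontext=u:r:hiview:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow hiview musl_param:file { read open map };

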
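# Rules whose source domain is hdcd or init rather than hiview; they are
# grouped here because they all concern the shared /dev/asanlog directory.
# NOTE(review): convention would place them in hdcd.te / init.te.
#avc:  denied  { getattr } for  pid=1123 comm="hdcd" path="/dev/asanlog" dev="tmpfs" ino=629 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=0
allow hdcd dev_asanlog_file:dir { read_dir_perms write add_name create };
#avc:  denied  { write create open } for  pid=1358 comm="hdcd" path="/dev/asanlog/asan.log.3273" dev="tmpfs" ino=727 scontext=u:r:hdcd:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=file permissive=1
allow hdcd dev_asanlog_file:file { write create read_file_perms };

# hiview only reads the asan logs. The captured denials name tcontext
# dev_file, so they appear to predate the relabel to dev_asanlog_file that
# init is granted at the end of this section.
#avc:  denied  { read } for  pid=3520 comm="hiview" name="asanlog" dev="tmpfs" ino=726 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
allow hiview dev_asanlog_file:dir { read_dir_perms };

#avc:  denied  { read } for  pid=449 comm="hiview" name="asan.log.2718" dev="tmpfs" ino=731 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0
allow hiview dev_asanlog_file:file { read_file_perms };

#avc:  denied  { relabelto } for  pid=3281 comm="init" name="asanlog" dev="tmpfs" ino=629 scontext=u:r:init:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=0
#avc:  denied  { getattr } for  pid=3281 comm="init" path="/dev/asanlog/asan.log.2718" dev="tmpfs" ino=727 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=file permissive=0
allow init dev_asanlog_file:dir { setattr read getattr relabelto };
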
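# Kernel log (dmesg) read access.
allow hiview kernel:system { syslog_read };

# hilog and hitrace tools run inside the hiview domain (execute_no_trans).
allow hiview hilog_exec:file { execute read open execute_no_trans map };
allow hiview hilog_output_socket:sock_file { write };
allow hiview hilogd:unix_stream_socket { connectto };

allow hiview hitrace_exec:file { execute read open execute_no_trans map };
allow hiview tracefs:file { write };

# Write access to the sysrq trigger lets hiview fire kernel sysrq actions;
# keep this confined to hiview and do not widen it to an attribute.
allow hiview proc_sysrq_trigger_file:file { open getattr write ioctl };

#avc:  denied  { search } for  pid=252 comm="exportSysEventT" name="app" dev="mmcblk0p12" ino=43 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=0
allow hiview data_app_file:dir { search };

#avc:  denied  { search } for  pid=247 comm="exportSysEventT" name="el2" dev="mmcblk0p12" ino=47 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0
#avc:  denied  { add_name } for  pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=1
#avc:  denied  { write } for  pid=266 comm="freeze_detector" name="hiappevent" dev="mmcblk0p15" ino=2265 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=dir permissive=0
allow hiview data_app_el2_file:dir { search read open add_name write create setattr getattr remove_name };

#avc:  denied  { create } for  pid=2716 comm="freeze_detector" name="APP_FREEZE_1501994090092_2792.log" scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1
#avc:  denied  { ioctl } for  pid=2716 comm="freeze_detector" path="/data/app/el2/100/log/com.example.myapplication/hiappevent/APP_FREEZE_1501994090092_2792.log" dev="mmcblk0p15" ino=2352 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=1
#avc:  denied  { setattr } for  pid=263 comm="plat_shared" name="APP_CRASH_1501997026177_1964.log" dev="mmcblk0p15" ino=2180 scontext=u:r:hiview:s0 tcontext=u:object_r:data_app_el2_file:s0 tclass=file permissive=0
allow hiview data_app_el2_file:file { open getattr read write create ioctl setattr append rename };
allowxperm hiview data_app_el2_file:file ioctl { 0x5413 };

#avc:  denied  { search } for  pid=247 comm="exportSysEventT" name="com.huawei.myapplication" dev="mmcblk0p12" ino=2366 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
#avc:  denied  { write } for  pid=252 comm="exportSysEventT" name="hiview" dev="mmcblk0p12" ino=2417 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
#avc:  denied  { add_name } for  pid=251 comm="exportSysEventT" name="Reliability-EVENT-20170816160811-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=dir permissive=0
allow hiview system_basic_hap_data_file_attr:dir { add_name search write };

#avc:  denied  { create write open } for  pid=256 comm="exportSysEventT" name="Reliability-EVENT-20170816164943-000-0.evt" scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0
allow hiview system_basic_hap_data_file_attr:file { create write open };

#avc:  denied  { search } for  pid=241 comm="exportSysEventT" name="com.huawei.myapplicationtest" dev="mmcblk0p12" ino=1615 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0
allow hiview normal_hap_data_file:dir { search };

#avc:  denied  { write } for  pid=245 comm="exportSysEventT" name="cache" dev="mmcblk0p12" ino=1616 scontext=u:r:hiview:s0 tcontext=u:object_r:normal_hap_data_file:s0 tclass=dir permissive=0
allow hiview normal_hap_data_file:dir { write add_name };

allow hiview normal_hap_data_file:file { create write open };

#avc:  denied  { setattr } for  pid=246 comm="exportSysEventT" name="RELIABILITY-20170806025113-000-0.evt" dev="mmcblk0p12" ino=2052 scontext=u:r:hiview:s0 tcontext=u:object_r:system_basic_hap_data_file:s0 tclass=file permissive=0
allow hiview system_basic_hap_data_file_attr:file { setattr };
allow hiview normal_hap_data_file:file { setattr };

# Debug builds only: access to the sh domain.
debug_only(`
    allow hiview sh:dir { getattr open read search };
    allow hiview sh:file { getattr read open };
    allow hiview sh:binder { call transfer };
')

#avc:  denied  { call } for  pid=256 comm="IPC_3_1647" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=0
# Already covered by the { call transfer } grant on system_basic_hap_attr
# earlier in this file; kept for the denial record.
allow hiview system_basic_hap_attr:binder { call };

#avc:  denied  { getattr } for  pid=1989 comm="sysevent_source" path="/dev/unix/socket/hisysevent" scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=unix_dgram_socket permissive=1
allow hiview hiview:unix_dgram_socket { getattr };

#avc:  denied  { open } for  pid=262 comm="hiview" path="/dev/ashmem" dev="tmpfs" ino=177 scontext=u:r:hiview:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1
allow hiview dev_ashmem_file:chr_file { open };

#avc:  denied  { search } for  pid=2001 comm="hiview" name="etc" dev="mmcblk0p8" ino=16 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
allow hiview vendor_etc_file:dir { search };

#avc:  denied  { read } for  pid=2001 comm="hiview" name="hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2001 comm="hiview" path="/vendor/etc/hiview/hisysevent.def" dev="mmcblk0p8" ino=265 scontext=u:r:hiview:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
allow hiview vendor_etc_file:file { read open };

allow hiview hisysevent:binder { call transfer };
allow hiview hisysevent:dir { search };
allow hiview hisysevent:file { read open getattr };

allow hiview dev_ucollection:chr_file { ioctl open read write };

#avc:  denied  { read } for  pid=1853 comm="plat_shared" name="possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=1853 comm="plat_shared" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=4918 scontext=u:r:hiview:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow hiview sysfs_devices_system_cpu:file { read open getattr };

#avc:  denied  { read } for  pid=260 comm="IPC_2_721" name="tracing_on" dev="tracefs" ino=18185 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
#avc:  denied  { ioctl } for  pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=262 comm="IPC_3_1102" path="/sys/kernel/debug/tracing/events/binder/binder_transaction/enable" dev="tracefs" ino=15693 scontext=u:r:hiview:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
allow hiview tracefs:file { read open ioctl getattr };
allowxperm hiview tracefs:file ioctl { 0x5413 };

#avc:  denied  { read } for  pid=3130 comm="plat_shared" name="diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=3130 comm="plat_shared" path="/proc/diskstats" dev="proc" ino=4026532227 scontext=u:r:hiview:s0 tcontext=u:object_r:proc_diskstats_file:s0 tclass=file permissive=1
allow hiview proc_diskstats_file:file { read open getattr };

#avc:  denied  { kill } for pid=7601 comm="hiview" capability=5 scontext=u:r:hiview:s0 tcontext=u:r:hiview:s0 tclass=capability permissive=1
#avc:  denied  { signal } for pid=7601 comm="hiview" scontext=u:r:hiview:s0 tcontext=u:r:system_basic_hap:s0 tclass=process permissive=1
# NOTE(review): this grants signal to every domain, although the captured
# denial only involved system_basic_hap; consider narrowing the target to the
# attributes hiview actually needs to signal. CAP_KILL additionally lets it
# signal processes owned by other UIDs.
allow hiview domain:process signal;
allow hiview hiview:capability kill;

#avc:  denied  { call } for  pid=519 comm="IPC_0_576" scontext=u:r:hiview:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=0
allow hiview softbus_server:binder { call };

#avc:  denied  { search } for  pid=251 comm="OS_IPC_3_2826" name="com.example.myapplication" dev="mmcblk0p15" ino=2012 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc:  denied  { write } for  pid=251 comm="OS_IPC_3_2826" name="hiappevent" dev="mmcblk0p15" ino=2058 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc:  denied  { add_name } for  pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc:  denied  { read } for  pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
#avc:  denied  { getattr } for  pid=2811 comm="XperfMainThr" name="hiappevent" dev="mmcblk0p15" ino=25209 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=dir permissive=1
allow hiview normal_hap_data_file_attr:dir { search write add_name read getattr };

#avc:  denied  { create } for  pid=251 comm="OS_IPC_3_2826" name="hiappevent_1501934018028.txt" scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { write open } for  pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { ioctl } for  pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 ioctlcmd=0x5413 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=251 comm="OS_IPC_3_2826" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1501934018028.txt" dev="mmcblk0p15" ino=2832 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { append } for  pid=617 comm="/system/bin/hiview" path="/data/app/el2/100/base/com.example.myapplication/cache/hiappevent/hiappevent_1712134642860.txt" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25137 scontext=u:r:hiview:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0
allow hiview normal_hap_data_file_attr:file { create write open ioctl getattr append };
allowxperm hiview normal_hap_data_file_attr:file ioctl { 0x5413 };

allow hiview sa_distributeddata_service:samgr_class { get };
allow hiview processdump:fd { use };
allow hiview processdump:fifo_file { read };

allow hiview distributeddata:binder { call transfer };
allow hiview distributeddata:fd { use };

# Source domain is the sadomain attribute, not hiview: every domain carrying
# that attribute gains bbox access and the single ioctl 0xab09.
# NOTE(review): consider moving this to the policy that defines sadomain.
allow sadomain dev_bbox:chr_file { ioctl read open write };
allowxperm sadomain dev_bbox:chr_file ioctl { 0xab09 };

# Allow-list of ioctl commands hiview may ever issue to the bbox device:
# the complement form makes the policy build reject any allowxperm rule that
# tries to grant a command outside this set.
neverallowxperm hiview dev_bbox:chr_file ioctl ~{ 0xab09 0xaf01 0xaf02 0xaf03 0xaf04 0xaf05 0xaf06 0xaf07 0xaf08 0x4264 0x4265 0x4266 0x426a 0x426f 0x5413 0x601 };

#avc: denied { get } for service=4607 pid=8375 scontext=u:r:hiview:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0
allow hiview sa_foundation_dms:samgr_class { get };

allow hiview hidumper:fd { use };

# avc: denied { use } for pid=2181, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:hiview:s0 tcontext=u:r:wifi_manager_service:s0 tclass=fd permissive=0
allow hiview wifi_manager_service:fd { use };
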