# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement policy for the appspawn domain.  Most rules below
# are keyed to the AVC denial that motivated them; those denials are kept as
# comments so the origin of every permission can be audited.
#
# NOTE(review): several of the recorded denials carry an application name in
# comm= (e.g. "amples.etsclock", "honydataability", "example.demo100") while
# scontext is still u:r:appspawn:s0.  The forked child is evidently still in
# this domain while it builds its sandbox, presumably until the dyntransition
# rules below move it into a hap domain.  Every permission granted in this
# file is therefore also held, briefly, by that not-yet-transitioned child.

init_daemon_domain(appspawn);

allow appspawn appspawn_socket:sock_file { setattr };
allow appspawn dev_unix_socket:sock_file unlink;

allow appspawn appspawn_exec:file { execute_no_trans };
allow appspawn bootevent_param:parameter_service { set };
allow appspawn paramservice_socket:sock_file { write };
allow appspawn kernel:unix_stream_socket { connectto };
allow appspawn dev_unix_socket:sock_file write;
# Per-user app data directories (el2..el5) that appspawn creates and mounts
# into the sandbox; el1 is granted further down.
allow appspawn data_service_el2_file:dir { search write add_name create };
allow appspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el3_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el4_file:dir { search mounton write add_name create setattr getattr};
allow appspawn data_app_el5_file:dir { search mounton write add_name create setattr getattr};
allow appspawn sharefs:dir { create_dir_perms mounton getattr };
allow appspawn sharefs_file_attr:dir { create_dir_perms_without_ioctl mounton getattr };
allow appspawn sharefs:filesystem { mount };
allow appspawn data_service_el2_share:dir { create_dir_perms mounton getattr };

# Read configuration from the chip_prod / sys_prod / vendor_etc locations
# (rules below); the /dev getattr denial that started this group:
#avc: denied { getattr } for pid=1802 comm="appspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
allow appspawn dev_file:dir { getattr };
allow appspawn chip_prod_file:dir { open read search getattr };
allow appspawn chip_prod_file:file { getattr open read };
allow appspawn sys_prod_file:dir { open read search getattr };
allow appspawn sys_prod_file:file { getattr open read map };
allow appspawn vendor_etc_file:dir { open read search getattr };
allow appspawn vendor_etc_file:file { getattr open read };

# Capabilities.  Together with sys_ptrace, net_admin and sys_nice (granted
# further down) this is a highly privileged domain: dac_override already
# covers what dac_read_search grants, and sys_admin is what the mount /
# namespace rules in this file rely on.
# NOTE(review): confirm each capability is still exercised.  The fsetid
# denial recorded near the end of this file was deliberately left ungranted;
# the same discipline should apply to this list.
allow appspawn appspawn:capability { dac_override kill setgid setuid sys_admin chown dac_read_search };
# setcurrent plus the dyntransition rules on the *_hap_attr / nwebspawn /
# pid_ns_init domains below are how a forked child leaves appspawn for its
# target domain.
allow appspawn appspawn:process { setcurrent };
allow appspawn appspawn:unix_dgram_socket { getopt setopt };
allow appspawn bootevent_param:file { map open read };
allow appspawn bootevent_samgr_param:file { map open read };
allow appspawn build_version_param:file { map open read };
allow appspawn configfs:dir { mounton getattr };
allow appspawn const_allow_mock_param:file { map open read };
allow appspawn const_allow_param:file { map open read };
allow appspawn const_build_param:file { map open read };
allow appspawn const_display_brightness_param:file { map open read };
allow appspawn const_param:file { map open read };
allow appspawn const_postinstall_fstab_param:file { map open read };
allow appspawn const_postinstall_param:file { map open read };
allow appspawn const_product_param:file { map open read };
allow appspawn data_app_el1_file:dir { add_name create mounton search write getattr };
allow appspawn data_app_el2_file:dir { search mounton getattr };
allow appspawn data_app_file:dir { search };
allow appspawn data_file:dir { add_name create mounton search write getattr };
allow appspawn data_service_el2_file:dir { search };
allow appspawn data_service_el2_hmdfs:dir { search };
allow appspawn data_service_file:dir { search };
allow appspawn data_storage:dir { mounton getattr };
allow appspawn debug_param:file { map open read };
allow appspawn default_param:file { map open read };
allow appspawn dev_at_file:chr_file { ioctl };
allow appspawn dev_file:dir { mounton getattr };
allow appspawn dev_unix_socket:dir { add_name search write remove_name };
allow appspawn dev_unix_socket:sock_file { create setattr };
allow appspawn distributedsche_param:file { map open read };
allow appspawn hilog_param:file { map open read };
allow appspawn hiview:unix_dgram_socket { sendto };
allow appspawn hmdfs:dir { mounton search getattr };
allow appspawn hw_sc_build_os_param:file { map open read };
allow appspawn hw_sc_build_param:file { map open read };
allow appspawn hw_sc_param:file { map open read };
allow appspawn init_param:file { map open read };
allow appspawn init_svc_param:file { map open read };
allow appspawn input_pointer_device_param:file { map open read };
allow appspawn labeledfs:filesystem { unmount };
allow appspawn net_param:file { map open read };
allow appspawn net_tcp_param:file { map open read };
allow appspawn normal_hap_data_file_attr:dir { mounton getattr };
# sigkill on the hap attributes lets appspawn kill the apps it spawned.
allow appspawn normal_hap_attr:process { sigkill };
allow appspawn ohos_boot_param:file { map open read };
allow appspawn ohos_param:file { map open read };
allow appspawn persist_param:file { map open read };
allow appspawn persist_sys_param:file { map open read };
allow appspawn proc_file:dir { mounton getattr };
allow appspawn proc_file:filesystem { mount unmount getattr };
allow appspawn rootfs:dir { mounton getattr };
allow appspawn security_param:file { map open read };
# check_context (presumably to validate the context the child will setcon()
# into — confirm) needs write access to a selinuxfs file.  setenforce and
# load_policy are NOT in the security:security set granted here, so these
# two rules do not let appspawn change enforcement or the loaded policy.
allow appspawn security:security { check_context };
allow appspawn selinuxfs:dir { search };
allow appspawn selinuxfs:file { open read write };
allow appspawn startup_param:file { map open read };
allow appspawn sys_file:dir { mounton getattr };
allow appspawn sys_param:file { map open read };
allow appspawn system_basic_hap_data_file_attr:dir { mounton getattr };
allow appspawn system_basic_hap_attr:process { dyntransition sigkill };
allow appspawn system_bin_file:dir { mounton search getattr };
allow appspawn system_core_hap_data_file_attr:dir { mounton getattr };
# avc: denied { sigkill } for pid=2375 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:system_core_hap:s0 tclass=process permissive=1
allow appspawn system_core_hap_attr:process { dyntransition sigkill };
allow appspawn system_etc_file:dir { mounton getattr };
allow appspawn system_file:dir { mounton getattr };
allow appspawn system_fonts_file:dir { mounton open read search getattr };
allow appspawn system_fonts_file:file { getattr map open read };
allow appspawn system_lib_file:dir { mounton getattr };

# Bind-mounting the musl loader into the sandbox (denial below is from a
# child that is still in the appspawn domain).
# avc: denied { mounton } for pid=1604 comm="amples.etsclock" path="/mnt/sandbox/100/ohos.samples.etsclock/system/lib/ld-musl-arm.so.1" dev="mmcblk0p7" ino=1823 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=1
allow appspawn system_lib_file:file { mounton getattr };
allow appspawn system_profile_file:dir { mounton getattr };
allow appspawn system_usr_file:dir { mounton search getattr };
allow appspawn system_usr_file:file { getattr map open read };
allow appspawn sys_usb_param:file { map open read };
allow appspawn tmpfs:dir { add_name create mounton write getattr remove_name};

# avc: denied { create } for pid=1604 comm="amples.etsclock" name="ld-musl-arm.so.1" scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
allow appspawn tmpfs:file { create mounton open unlink};

allow appspawn tmpfs:lnk_file { create };
allow appspawn vendor_lib_file:dir { mounton getattr };
# NOTE(review): execmem allows anonymous writable+executable mappings in the
# spawner itself.  If only the spawned app needs it, it belongs in the hap
# domains rather than here — confirm what in appspawn requires it.
allow appspawn self:process execmem;
allowxperm appspawn dev_at_file:chr_file ioctl { 0x4102 };
allow appspawn dev_xpm:chr_file { open read write ioctl };
allow appspawn system_file:file { map };
allow appspawn nwebspawn:process{ dyntransition };
# avc: denied { signal } for pid=2762 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:nwebspawn:s0 tclass=process permissive=0
allow appspawn nwebspawn:process{ sigkill signal };
allow appspawn dev_asanlog_file:dir { getattr };
allow appspawn share_public_file:dir { search };
# avc_audit_slow:260] avc: denied { dyntransition } for pid=1, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=process permissive=1
allow appspawn pid_ns_init:process { dyntransition };
allow appspawn share_public_file:dir { search create add_name write };
# for app cgroup pids
allow appspawn cgroup:dir { add_name create search open read write remove_name rmdir };
allow appspawn cgroup:file { append getattr ioctl open read write };
# 0x5413 is TIOCGWINSZ on Linux; on a cgroup file this is most likely an
# isatty()-style probe by the libc rather than a real terminal operation.
allowxperm appspawn cgroup:file ioctl { 0x5413 };

# avc: denied { getattr } for pid=2327 comm="edialibrarydata" path="/data/misc" dev="mmcblk0p15" ino=109 scontext=u:r:appspawn:s0 tcontext=u:object_r:data_misc:s0 tclass=dir permissive=1
allow appspawn data_misc:dir { getattr };

# pid namespace helper: appspawn reads the /proc entries of the pid_ns_init
# process it transitions into (denials below).
# avc: denied { search } for pid=274 comm="appspawn" name="648" dev="proc" ino=19134 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=dir permissive=1
allow appspawn pid_ns_init:dir { search };

# avc: denied { read } for pid=274 comm="appspawn" scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=file permissive=1
allow appspawn pid_ns_init:file { open getattr read };

# avc: denied { read } for pid=274 comm="appspawn" name="pid" dev="proc" ino=31171 scontext=u:r:appspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=lnk_file permissive=1
allow appspawn pid_ns_init:lnk_file { read };

# avc: denied { sys_ptrace } for pid=265 comm="appspawn" capability=19 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1
allow appspawn appspawn:capability { sys_ptrace };

# NOTE(review): the denials below are for nsfs handles (pid:[...]), which
# carry the catch-all `unlabeled` type.  Because `unlabeled` also covers any
# file that has lost or never had a label, this rule is broader than the
# namespace handle it was added for.  Prefer giving nsfs its own type (a
# genfscon entry in the filesystem contexts) and allowing that type instead;
# confirm whether this policy already labels nsfs.
# avc: denied { open } for pid=277 comm="appspawn" path="pid:[4026532800]" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
# avc: denied { read } for pid=277 comm="appspawn" dev="nsfs" ino=4026532800 scontext=u:r:appspawn:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
allow appspawn unlabeled:file { open read };

# avc: denied { mounton } for pid=2058 comm="honydataability" path="/mnt/sandbox/100/app-root/data/certificates/user_cacerts" dev="mmcblk0p15" ino=149 scontext=u:r:appspawn:s0 tcontext=u:object_r:cert_manager_service_file:s0 tclass=dir permissive=0
allow appspawn cert_manager_service_file:dir { mounton };
# avc: denied { getattr } for pid=2058 comm="honydataability" path="/system/bin/sh" dev="mmcblk0p7" ino=390 scontext=u:r:appspawn:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=0
allow appspawn sh_exec:file { getattr };
# avc: denied { read } for pid=2058 comm="honydataability" name="bin" dev="mmcblk0p7" ino=129 scontext=u:r:appspawn:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=0
allow appspawn system_bin_file:dir { open read };
# avc: denied { read } for pid=2058 comm="honydataability" name="el1" dev="tmpfs" ino=159 scontext=u:r:appspawn:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
allow appspawn tmpfs:dir { open read };

# Directory listing of data roots.  The commented-out rules for the per-app
# hap data types are intentionally disabled; they are kept for reference.
#allow appspawn normal_hap_data_file:dir { open read search };
allow appspawn data_misc:dir { open read search };
allow appspawn data_file:dir { open read search };
allow appspawn hmdfs:dir { open read search };
allow appspawn data_app_el2_file:dir { open read search };
allow appspawn data_app_el1_file:dir { open read search };
#allow appspawn system_basic_hap_data_file:dir { open read search };

#allow appspawn system_core_hap_data_file:dir { open read search };
#allow appspawn medialibrary_hap_data_file:dir { open read search };
#allow appspawn permissionmanager_hap_data_file:dir { open read search };
#allow appspawn formrenderservice_hap_data_file:dir { open read search };
allow appspawn data_service_el2_hmdfs:dir { mounton };

allow appspawn normal_hap_data_file_attr:dir { create write add_name setattr };

# appspawn relabels per-app data directories: relabelfrom the generic
# data_app_el{1..4}_file types, relabelto the per-category hap data types
# (denials below).  This is a privileged operation — the set of relabelto
# targets should stay limited to the hap data types listed.
# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1
# avc: denied { setattr } for pid=5327 comm="/system/bin/appspawn" name="app/el1/100/base/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20489 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el1_file:s0 tclass=dir permissive=1
allow appspawn data_app_el1_file:dir { relabelfrom setattr };

# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el2/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20488 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el2_file:s0 tclass=dir permissive=1
allow appspawn data_app_el2_file:dir { relabelfrom };

# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el3/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20492 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el3_file:s0 tclass=dir permissive=1
allow appspawn data_app_el3_file:dir { relabelfrom };

# avc: denied { relabelfrom } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:data_app_el4_file:s0 tclass=dir permissive=1
allow appspawn data_app_el4_file:dir { relabelfrom };

# avc: denied { relabelto } for pid=5327 comm="/system/bin/appspawn" name="app/el4/100/database/+auid-ohosAnonymousUid0+com.example.myapplication" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=20496 scontext=u:r:appspawn:s0 tcontext=u:r:debug_hap_data_file:s0 tclass=dir permissive=1
allow appspawn { debug_hap_data_file normal_hap_data_file system_basic_hap_data_file system_core_hap_data_file }:dir { relabelto };

# Recorded but NOT granted: no allow rule follows this denial.
# NOTE(review): keep it that way unless a concrete need to preserve set-group-ID
# bits is shown; if the omission is deliberate, say so here.
# avc: denied { fsetid } for pid=274 comm="appspawn" capability=4 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=0

# Debug builds only (debug_only m4 macro): lets appspawn execute toybox and
# system binaries and drive a tty so a developer can enter an application
# sandbox from an init extension command.  Must not be promoted to user
# builds — it grants shell execution in this privileged domain.
#init extend command, support to enter the application sandbox.
debug_only(`
    allow appspawn system_bin_file:lnk_file { read };
    allow appspawn system_bin_file:file { getattr execute read open execute_no_trans map };
    allow appspawn toybox_exec:lnk_file { read };
    allow appspawn toybox_exec:file { getattr execute read open execute_no_trans map };
    allow appspawn tty_device:chr_file { getattr ioctl open read write };
    allowxperm appspawn tty_device:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 0x5410 };
    allow appspawn devpts:chr_file { read write open getattr ioctl };
    allow appspawn dev_pts_file:dir { search };
    allow appspawn tmpfs:lnk_file { getattr };
')

# NOTE(review): the first rule below is for the `foundation` domain, not
# appspawn; it would be easier to audit in foundation's own policy file.
# avc: denied { read } for pid=2685 comm="OS_FFRT_5_2" name="appdata-sandbox.json" dev="mmcblk0p7" ino=996 scontext=u:r:foundation:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=0
allow foundation system_etc_file:lnk_file { read };
allow appspawn system_etc_file:lnk_file { read };

# NOTE(review): rule for the nwebspawn domain; consider moving it to
# nwebspawn's own policy file.
#avc: denied { sigkill } for pid=282 comm="nwebspawn" scontext=u:r:nwebspawn:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1
allow nwebspawn isolated_render:process { sigkill };

# for enabling the net namespace (net_admin plus writes to sysfs_net)
# avc: denied { net_admin } for pid=262 comm="appspawn" capability=12 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=capability permissive=1
allow appspawn appspawn:capability { net_admin };
allow appspawn sysfs_net:file { write open };

# Remount of labeledfs was hit by a forked child still in this domain
# (comm=example.demo100) — presumably sandbox mount-namespace setup; confirm.
#avc: denied { remount } for pid=22332 comm="example.demo100" scontext=u:r:appspawn:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1
allow appspawn labeledfs:filesystem { remount };
allow appspawn bootuptrace_file:dir { add_name getattr open read search write relabelto };
allow appspawn bootuptrace_file:file { create getattr write open relabelto };

# Crash-dump hand-off to faultloggerd: write to its sdkdump socket and read
# the pipe it passes back (denials below).
#avc: denied { write } for pid=4946 comm="appspawn" name="faultloggerd.sdkdump.server" dev="tmpfs" ino=395 scontext=u:r:appspawn:s0 tcontext=u:object_r:faultloggerd_socket_sdkdump:s0 tclass=sock_file permissive=1
allow appspawn faultloggerd_socket_sdkdump:sock_file { write };
# avc: denied { read } for pid=4946 comm="appspawn" path="pipe:[43284]" dev="pipefs" ino=43284 scontext=u:r:appspawn:s0 tcontext=u:r:faultloggerd:s0 tclass=fifo_file permissive=1
allow appspawn faultloggerd:fifo_file { read };
allow appspawn appspawn:capability { sys_nice };

#avc: denied { unmount } for pid=654, comm="/system/bin/appspawn" scontext=u:r:appspawn:s0 tcontext=u:object_r:sharefs:s0 tclass=filesystem permissive=1
allow appspawn { sharefs tmpfs }:filesystem { unmount };