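# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement policy for the cjappspawn domain (presumably the Cangjie
# variant of appspawn).  The daemon is started by init, performs the mount
# operations that build the per-application sandbox (the many mounton / mount
# grants below), and then moves the spawned child into an application domain
# with dyntransition.  Because of the capabilities granted further down this
# domain is close to root-equivalent: review every new grant here with that in
# mind, and treat anything written into it by hap domains as untrusted input.
init_daemon_domain(cjappspawn);

# init executes the spawner binary; application domains may read/map it and
# use file descriptors it passes to them.
allow init cjappspawn_exec:file { execute };
allow cjappspawn appspawn_socket:sock_file { setattr };
allow normal_hap_attr cjappspawn_exec:file { getattr map open read };
allow foundation cjappspawn:fd { use };

# Client side of the spawn-request channel: app domains write into the
# spawner's fifo / datagram / stream sockets.  These writers are less
# privileged than cjappspawn, so the request parser must validate everything
# received on these endpoints.
allow debug_hap cjappspawn:unix_dgram_socket { write };
allow debug_hap cjappspawn:fd { use };
allow debug_hap cjappspawn:fifo_file { write };
allow hap_domain cjappspawn:fifo_file write;
allow hap_domain cjappspawn:fd use;
allow hap_domain cjappspawn:unix_dgram_socket { connect write };
# The forked child is relabelled into the normal app domain without an exec.
allow cjappspawn normal_hap_attr:process dyntransition;
allow normal_hap_attr cjappspawn:unix_stream_socket { read write };
allow normal_hap_attr cjappspawn:unix_dgram_socket { write connect };
allow normal_hap_attr cjappspawn:fd { use };

allow cjappspawn dev_unix_socket:sock_file unlink;

# Basic device, log, init-socket and system parameter access.
allow cjappspawn dev_null_file:chr_file { read write open };
allow cjappspawn kernel:fd { use };
allow cjappspawn dev_kmsg_file:chr_file { write };
allow cjappspawn init:unix_stream_socket { read write };
allow cjappspawn init:netlink_kobject_uevent_socket { read write };
allow cjappspawn dev_parameters_file:file { read open };
allow cjappspawn dev_parameters_file:dir { search };
allow cjappspawn proc_file:lnk_file { read };
allow cjappspawn debug_param:file { read open };
allow cjappspawn etc_file:lnk_file { read };
allow cjappspawn system_file:dir { search getattr };
allow cjappspawn system_etc_file:file { read open getattr };
allow cjappspawn system_lib_file:dir { search };
allow cjappspawn vendor_lib_file:dir { search };
allow cjappspawn system_lib_file:file { read open getattr };
allow cjappspawn sys_file:dir { search };
allow cjappspawn dev_random_file:chr_file { read open };
allow cjappspawn system_bin_file:file { read };
allow cjappspawn default_param:file { read open };
allow cjappspawn hook_param:file { read open };
allow cjappspawn musl_param:file { read open };
allow cjappspawn startup_init_param:file { read open };
allow cjappspawn selinuxfs:filesystem { getattr };
allow cjappspawn hilog_param:file { read open };
allow cjappspawn rootfs:lnk_file { read };
allow cjappspawn system_bin_file:dir { search };
allow cjappspawn persist_sys_param:file { read open };
allow cjappspawn vendor_lib_file:file { read open getattr };
allow cjappspawn system_etc_file:dir { read open };
allow cjappspawn arkcompiler_param:file { read open };
allow cjappspawn arkcompiler_param:file { map };
allow cjappspawn devinfo_public_param:file { read open };
allow cjappspawn system_usr_file:file { read open getattr };
# NOTE(review): execute_no_trans on the whole system_bin_file type lets
# cjappspawn run any /system/bin binary *in its own domain*, i.e. with every
# capability and mount permission granted in this file.  If only specific
# helpers are exec'd, give them a dedicated exec type and an automatic domain
# transition instead.  Confirm which binaries are actually executed.
allow cjappspawn system_bin_file:file { execute open execute_no_trans };
allow cjappspawn lib_file:lnk_file { read };
allow cjappspawn system_lib_file:file { execute };
allow cjappspawn hilog_private_param:file { read open };
allow cjappspawn time_param:file { read open };
allow cjappspawn dev_unix_file:dir { search };
allow cjappspawn dev_unix_socket:dir { search };
allow cjappspawn hilog_input_socket:sock_file { write };
allow cjappspawn hilogd:unix_dgram_socket { sendto };
allow cjappspawn init:unix_stream_socket { getopt getattr listen };
allow cjappspawn dev_unix_file:sock_file { setattr };
allow cjappspawn chip_prod_file:dir { search };
allow cjappspawn sys_prod_file:dir { search };
allow cjappspawn init:unix_stream_socket { accept };
allow cjappspawn data_app_file:dir { search };
allow cjappspawn data_app_el2_file:dir { search };
allow cjappspawn dev_at_file:chr_file { read write open ioctl };

# Sandbox construction: bind-mount targets for the app view of the filesystem.
allow cjappspawn tmpfs:dir { create mounton write add_name search };
allow cjappspawn rootfs:dir { mounton };
allow cjappspawn configfs:dir { mounton };
allow cjappspawn dev_file:dir { mounton };
allow cjappspawn proc_file:dir { mounton };
allow cjappspawn sys_file:dir { mounton };
allow cjappspawn system_file:dir { mounton };
allow cjappspawn system_usr_file:dir { mounton };
allow cjappspawn system_etc_file:dir { mounton };
allow cjappspawn data_app_el1_file:dir { mounton };
allow cjappspawn data_app_el2_file:dir { mounton };
allow cjappspawn hmdfs:dir { search mounton };
allow cjappspawn data_local:dir { mounton search };
allow cjappspawn data_local_arkcache:dir { search };
allow cjappspawn data_local_arkprofile:dir { search mounton };
allow cjappspawn data_service_el2_share:dir { search };
allow cjappspawn data_service_file:dir { search };
allow cjappspawn data_service_el1_file:dir { search mounton };
allow cjappspawn cert_manager_service_file:dir { search getattr };
allow cjappspawn data_app_el3_file:dir { search };
allow cjappspawn data_app_el4_file:dir { search };
allow cjappspawn vendor_lib_file:dir { mounton };
# Kernel keyring lookup; likely the per-user encryption keys backing the
# el2..el4 data directories (confirm against the spawner source).
allow cjappspawn kernel:key { search };
allow cjappspawn data_app_el1_file:dir { write add_name create };
allow cjappspawn data_misc:dir { mounton };
allow cjappspawn tmpfs:lnk_file { create };
allow cjappspawn vendor_etc_file:file { read open getattr };
# selinuxfs write + check_context: presumably validating the target security
# context before setcurrent / dyntransition into the child's domain.
allow cjappspawn selinuxfs:file { read write open };
allow cjappspawn security:security { check_context };
# Debuggable apps get their own domain; the spawner transitions into it and may
# call it over binder.
allow cjappspawn debug_hap:process { dyntransition };
allow cjappspawn dev_file:dir { write add_name search create };
allow cjappspawn debug_hap:binder { call };
allow cjappspawn cgroup:dir { search };
allow cjappspawn cgroup:file { read open getattr };
allow cjappspawn limit_domain:unix_dgram_socket { getopt setopt write };
allow cjappspawn hisysevent_socket:sock_file { write };
allow cjappspawn hiview:unix_dgram_socket { sendto };

# Re-exec of itself stays in this domain (no transition).
allow cjappspawn cjappspawn_exec:file { execute_no_trans };
allow cjappspawn paramservice_socket:sock_file { write };
allow cjappspawn kernel:unix_stream_socket { connectto };
allow cjappspawn dev_unix_socket:sock_file write;
allow cjappspawn data_service_el2_file:dir { search write add_name create };
allow cjappspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr };
allow cjappspawn data_app_el3_file:dir { search mounton write add_name create setattr getattr };
allow cjappspawn data_app_el4_file:dir { search mounton write add_name create setattr getattr };
allow cjappspawn sharefs:dir { getattr mounton };
allow cjappspawn sharefs_file_attr:dir { getattr mounton };
allow cjappspawn sharefs:filesystem { mount };
allow cjappspawn data_service_el2_share:dir { mounton };

# getattr on /dev, observed while reading configuration.  The original audit
# record is kept for reference:
#avc: denied { getattr } for pid=1802 comm="cjappspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:cjappspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
allow cjappspawn dev_file:dir { getattr };
allow cjappspawn chip_prod_file:dir { open read search getattr };
allow cjappspawn chip_prod_file:file { getattr open read };
allow cjappspawn sys_prod_file:dir { open read search getattr };
allow cjappspawn sys_prod_file:file { getattr open read map };
allow cjappspawn vendor_etc_file:dir { open read search getattr };

# NOTE(review): sys_admin (needed for the mount / unmount operations in this
# file) together with dac_override and dac_read_search makes this domain
# effectively root-equivalent; setuid/setgid are presumably what drop the
# child to the application's uid/gid, and kill backs the sigkill grant below.
# Keep this set minimal and do not add capabilities to silence audit logs.
allow cjappspawn cjappspawn:capability { dac_override kill setgid setuid sys_admin dac_read_search };
# setcurrent is the write side of dyntransition (changing the current context).
allow cjappspawn cjappspawn:process { setcurrent };
allow cjappspawn cjappspawn:unix_dgram_socket { getopt setopt };
allow cjappspawn build_version_param:file { map open read };
allow cjappspawn const_allow_mock_param:file { map open read };
allow cjappspawn const_allow_param:file { map open read };
allow cjappspawn const_build_param:file { map open read };
allow cjappspawn const_display_brightness_param:file { map open read };
allow cjappspawn const_param:file { map open read };
allow cjappspawn const_postinstall_fstab_param:file { map open read };
allow cjappspawn const_postinstall_param:file { map open read };
allow cjappspawn const_product_param:file { map open read };
allow cjappspawn data_app_el1_file:dir { add_name create mounton search };
allow cjappspawn data_app_el2_file:dir { search mounton };
allow cjappspawn data_file:dir { add_name create mounton search write };
allow cjappspawn data_service_el2_file:dir { search };
allow cjappspawn data_service_el2_hmdfs:dir { search };
allow cjappspawn data_storage:dir { mounton };
allow cjappspawn debug_param:file { map open read };
allow cjappspawn default_param:file { map open read };
allow cjappspawn dev_at_file:chr_file { ioctl };
allow cjappspawn dev_unix_socket:dir { add_name search write remove_name };
allow cjappspawn dev_unix_socket:sock_file { create setattr };
allow cjappspawn distributedsche_param:file { map open read };
allow cjappspawn hilog_param:file { map open read };
allow cjappspawn hw_sc_build_os_param:file { map open read };
allow cjappspawn hw_sc_build_param:file { map open read };
allow cjappspawn hw_sc_param:file { map open read };
allow cjappspawn init_param:file { map open read };
allow cjappspawn init_svc_param:file { map open read };
allow cjappspawn input_pointer_device_param:file { map open read };
allow cjappspawn labeledfs:filesystem { unmount };
allow cjappspawn net_param:file { map open read };
allow cjappspawn net_tcp_param:file { map open read };
allow cjappspawn normal_hap_data_file_attr:dir { mounton getattr };
# The spawner may kill the apps it started.
allow cjappspawn normal_hap_attr:process { sigkill };
allow cjappspawn ohos_boot_param:file { map open read };
allow cjappspawn ohos_param:file { map open read };
allow cjappspawn persist_param:file { map open read };
allow cjappspawn persist_sys_param:file { map open read };
allow cjappspawn security_param:file { map open read };
allow cjappspawn selinuxfs:dir { search };
allow cjappspawn startup_param:file { map open read };
allow cjappspawn sys_param:file { map open read };
allow cjappspawn system_bin_file:dir { mounton search getattr };
allow cjappspawn system_fonts_file:dir { mounton open read search getattr };
allow cjappspawn system_fonts_file:file { getattr map open read };
allow cjappspawn system_lib_file:dir { mounton getattr };
allow cjappspawn system_profile_file:dir { mounton getattr };
allow cjappspawn system_usr_file:dir { mounton search getattr };
allow cjappspawn system_usr_file:file { getattr map open read };
allow cjappspawn sys_usb_param:file { map open read };
allow cjappspawn tmpfs:dir { add_name create mounton write };
# ioctl access to these character devices is narrowed to the listed request
# codes with allowxperm; keep that discipline when new commands are needed
# (dev_xpm is presumably the executable-permission / code-signing manager).
allowxperm cjappspawn dev_at_file:chr_file ioctl { 0x4102 };
allow cjappspawn dev_xpm:chr_file { open read write ioctl };
allowxperm cjappspawn dev_xpm:chr_file ioctl { 0x7801 0x7802 };
allow cjappspawn system_file:file { map };
allow cjappspawn dev_asanlog_file:dir { getattr };
allow cjappspawn share_public_file:dir { search };
# NOTE(review): this rule was derived from a permissive-mode audit record
# (pid=1 suggests the process is init of a fresh pid namespace).  dyntransition
# lets cjappspawn relabel itself into pid_ns_init without exec; confirm the
# transition is part of the intended spawn flow and not just a silenced denial.
# avc_audit_slow:260] avc: denied { dyntransition } for pid=1, comm="/system/bin/cjappspawn" scontext=u:r:cjappspawn:s0 tcontext=u:r:pid_ns_init:s0 tclass=process permissive=1
allow cjappspawn pid_ns_init:process { dyntransition };
allow cjappspawn share_public_file:dir { search create add_name write };

# Per-app cgroup management (pids controller).  0x5413 is TIOCGWINSZ on
# Linux, presumably an isatty()-style probe on the cgroup file — confirm.
allow cjappspawn cgroup:dir { add_name create search open read write };
allow cjappspawn cgroup:file { append getattr ioctl open read write };
allowxperm cjappspawn cgroup:file ioctl { 0x5413 };

allow cjappspawn data_misc:dir { getattr };

# Read-only access to the pid_ns_init process's /proc entries.
allow cjappspawn pid_ns_init:dir { search };
allow cjappspawn pid_ns_init:file { open getattr read };
allow cjappspawn pid_ns_init:lnk_file { read };

allow cjappspawn cert_manager_service_file:dir { mounton };
allow cjappspawn sh_exec:file { getattr };
allow cjappspawn system_bin_file:dir { open read };
allow cjappspawn tmpfs:dir { open read };

allow cjappspawn data_misc:dir { open read search };
allow cjappspawn data_file:dir { open read search };
allow cjappspawn hmdfs:dir { open read search };
allow cjappspawn data_app_el2_file:dir { open read search };
allow cjappspawn data_app_el1_file:dir { open read search };

allow cjappspawn data_service_el2_hmdfs:dir { mounton };

# taken from sepolicy/ohos_policy/developtools/profiler/system/other.te
# NOTE(review): these were copied wholesale from the profiler's policy.  The
# hdcd socket connect, console device access and the tracefs trace marker are
# debugging/profiling aids rather than spawner functionality; restrict them to
# debug builds if the policy build supports it, and drop any of the binder /
# device grants (e.g. dev_mali) that the Cangjie spawner does not actually use.
allow cjappspawn accesstoken_service:binder call;
allow cjappspawn accountmgr:binder call;
allow cjappspawn dev_console_file:chr_file { read write };
allow cjappspawn foundation:binder { call transfer };
allow cjappspawn hdcd:unix_stream_socket connectto;
allow cjappspawn multimodalinput:binder call;
allow cjappspawn multimodalinput:fd use;
allow cjappspawn multimodalinput:unix_stream_socket { read write };
allow cjappspawn musl_param:file { map open read };
allow cjappspawn normal_hap_attr:binder { call transfer };
allow cjappspawn normal_hap_attr:fd use;
allow cjappspawn normal_hap_data_file_attr:dir search;
allow cjappspawn render_service:binder { call transfer };
allow cjappspawn render_service:fd use;
allow cjappspawn resource_schedule_service:binder call;
allow cjappspawn samgr:binder call;
allow cjappspawn system_file:file { getattr open read };
allow cjappspawn system_lib_file:dir { open read };
allow cjappspawn tracefs:dir search;
allow cjappspawn tracefs_trace_marker_file:file { open write };
allow cjappspawn accessibility:binder { call transfer };
allow cjappspawn dev_mali:chr_file { getattr open read write };
allow cjappspawn param_watcher:binder { call transfer };

# taken from sepolicy/ohos_policy/filemanagement/user_file_service/system/appspawn.te
allow cjappspawn data_service_el1_file:dir { mounton search getattr };
allow cjappspawn permissions_mount_file_attr:dir { mounton };
allow cjappspawn data_user_file:dir { add_name create write };
allow cjappspawn tmpfs:file { create mounton open };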