1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
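# SELinux type-enforcement rules for the distributedsche domain (the distributed
# scheduler system ability, comm="distributedsche" / "DmsComponentCha" /
# "continue_manage" in the denials below). Each rule is preceded by the avc
# denial that motivated it where one was recorded; rules without a denial were
# added up front. Duplicate/split rules for the same source-target-class triple
# have been merged (SELinux unions permission sets, so this is behavior-neutral).

# --- System-ability registry (samgr) access -------------------------------
#avc:  denied  { add } for service=1401 pid=406 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_1401_service:s0 tclass=samgr_class permissive=1
# `add` registers DMS's own SA; `get_remote` is restricted to this domain and
# samgr by the neverallow at the end of this file.
allow distributedsche sa_distributeschedule:samgr_class { add get_remote };
allow distributedsche sa_distributeddata_service:samgr_class { get };
allow distributedsche sa_softbus_service:samgr_class { get };
allow distributedsche sa_param_watcher:samgr_class { get };
allow distributedsche sa_accesstoken_manager_service:samgr_class { get };
allow distributedsche sa_foundation_bms:samgr_class { get };
allow distributedsche sa_accountmgr:samgr_class { get };
allow distributedsche sa_foundation_abilityms:samgr_class { get };
allow distributedsche sa_foundation_appms:samgr_class { get };

# --- System parameters ----------------------------------------------------
allow distributedsche accessibility_param:file { map open read };
allow distributedsche distributedsche_param:parameter_service { set };
allow distributedsche paramservice_socket:sock_file { write };
allow distributedsche devinfo_private_param:file { map open read};

# --- Binder peers ---------------------------------------------------------
allow distributedsche accesstoken_service:binder { call };
allow distributedsche accountmgr:binder { call };
allow distributedsche deviceauth_service:binder { call };
allow distributedsche device_manager:binder { transfer };
allow distributedsche distributeddata:binder { call transfer };
allow distributedsche distributedsche:binder { call };
allow distributedsche foundation:binder { call transfer };
allow distributedsche foundation:fd { use };
# NOTE(review): call/transfer into every hap attribute lets DMS invoke
# application-side binder objects directly (continuation callbacks, presumably).
# Confirm the callee side validates the caller token; SELinux only gates the
# transport here.
allow distributedsche normal_hap_attr:binder { call transfer };
allow distributedsche system_basic_hap_attr:binder { call transfer };
allow distributedsche system_core_hap_attr:binder { call transfer };
allow distributedsche softbus_server:binder { call transfer };
allow distributedsche softbus_server:fd { use };
# Sockets handed over by softbus_server (fd use above); DMS does not create them.
allow distributedsche softbus_server:tcp_socket { read setopt shutdown write };
allow distributedsche sa_device_security_level_manager_service:samgr_class { get };
allow distributedsche dslm_service:binder { call transfer };

# --- Persistent storage (EL1 service data; see gen_natural_store.db below) --
allow distributedsche data_file:dir { search };
allow distributedsche data_service_file:dir { search };
allow distributedsche data_service_el1_file:dir { add_name open read search write getattr create remove_name rmdir };
#avc:  denied  { setattr } for  pid=2255 comm="dmsDataStorageH" name="gen_natural_store.db" dev="sdd78" ino=60840 scontext=u:r:distributedsche:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
# NOTE(review): data_service_el1_file is shared by other services' EL1 data;
# create/unlink/rename/setattr here reach any file of that type, not only the
# DMS database — confirm a dedicated type is not warranted.
allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink rename setattr };

# --- Misc device / proc / socket access -------------------------------------
allow distributedsche dev_ashmem_file:chr_file { open };
allow distributedsche dev_unix_socket:dir { search };
allow distributedsche distributedsche:unix_dgram_socket { getopt setopt };
allow distributedsche kernel:unix_stream_socket { connectto };
allow distributedsche proc_cpuinfo_file:file { open read };
allow distributedsche proc_file:file { open read };
# NOTE(review): console/tty/kmsg access below all stem from comm="sa_main"
# (the generic SA host) rather than DMS logic. If the writes are start-up
# logging only, a dontaudit would silence the denials without widening the
# domain — confirm before keeping these as allows.
allow distributedsche dev_console_file:chr_file { read write };
allow distributedsche sa_foundation_wms:samgr_class { get };
#avc:  denied  { get } for service=4606 pid=2716 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1
# (the denial above is covered by the sa_foundation_wms rule directly above it;
# a second identical rule was removed.)

allow distributedsche sa_foundation_devicemanager_service:samgr_class { get };
allow distributedsche sa_form_mgr_service:samgr_class { get };

# Debug builds only (presumably expands to nothing in release policy): lets a
# shell talk to DMS over binder for testing. Must never appear unconditionally.
debug_only(`
    allow distributedsche sh:binder { call };
')

#avc:  denied  { get } for service=1903 pid=469 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=1
allow distributedsche sa_bgtaskmgr:samgr_class { get };
#avc:  denied  { get } for service=1909 pid=560 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=0
allow distributedsche sa_memory_manager_service:samgr_class { get };
#avc:  denied  { call } for  pid=479 comm="DmsComponentCha" scontext=u:r:distributedsche:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=0
allow distributedsche memmgrservice:binder { call };
#avc:  denied  { get } for service=402 pid=3055 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_distributed_bundle_mgr_service_service:s0 tclass=samgr_class permissive=1
allow distributedsche sa_distributed_bundle_mgr_service_service:samgr_class { get };
#avc:  denied  { call } for  pid=479 comm="continue_manage" scontext=u:r:distributedsche:s0 tcontext=u:r:d-bms:s0 tclass=binder permissive=0
allow distributedsche d-bms:binder { call };
#avc:  denied  { get } for service=3299 pid=3829 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
allow distributedsche sa_foundation_cesfwk_service:samgr_class { get };
#avc:  denied  { read } for  pid=2255 comm="distributedsche" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=148 scontext=u:r:distributedsche:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0
allow distributedsche arkcompiler_param:file { read map open };
allow distributedsche ark_writeable_param:file { read map open };
#avc:  denied  { read } for  pid=2255 comm="distributedsche" name="online" dev="sysfs" ino=27676 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=3435 comm="deviceprofile" path="/sys/devices/system/cpu/online" dev="sysfs" ino=30137 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
#avc:  denied  { getattr } for  pid=10752 comm="distributedsche" path="/sys/devices/system/cpu/online" dev="sysfs" ino=30409 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
# read-only view of /sys/devices/system/cpu/online (three denials merged).
allow distributedsche sysfs_devices_system_cpu:file { getattr open read };
#avc:  denied  { use } for  pid=2263 comm="IPC_1_2266" path="/dev/ashmem" dev="tmpfs" ino=612 scontext=u:r:distributedsche:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1
allow distributedsche render_service:fd { use };
#avc:  denied  { read } for  pid=4101 comm="mmi_EventHdr" scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
#avc:  denied  { write } for  pid=761 comm="multimodalinput" path="socket:[47027]" dev="sockfs" ino=47027 scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=0
# input-event channel shared with multimodalinput (two denials merged).
allow distributedsche multimodalinput:unix_stream_socket { read write };
#avc:  denied  { get } for service=3101 pid=3284 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
allow distributedsche sa_multimodalinput_service:samgr_class { get };
#avc:  denied  { use } for  pid=761 comm="IPC_1_779" path="socket:[100099]" dev="sockfs" ino=100099 scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=0
allow distributedsche multimodalinput:fd { use };
#avc:  denied  { write } for  pid=10752 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:distributedsche:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=0
# see the sa_main note above: kernel-log write from the SA host process.
allow distributedsche dev_kmsg_file:chr_file { write };
#avc: denied { read write } for pid=2684, comm="/system/bin/sa_main"  path="/dev/tty0" dev="" ino=44 scontext=u:r:distributedsche:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
allow distributedsche tty_device:chr_file { read write };
#avc: denied { use } for pid=1524, comm="/system/bin/sa_main"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:distributedsche:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1
allow distributedsche distributeddata:fd { use };
#avc: denied { call } for pid=4101, comm="/system/bin/sa_main" scontext=u:r:distributedsche:s0 tcontext=u:r:wifi_manager_service:s0 tclass=binder permissive=1
allow distributedsche wifi_manager_service:binder { call };
#avc: denied { get } for service=1120 pid=4038 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_wifi_device_ability:s0 tclass=samgr_class permissive=1
allow distributedsche sa_wifi_device_ability:samgr_class { get };
#avc: denied { transfer } for pid=2414, comm="/system/bin/sa_main"  scontext=u:r:wifi_manager_service:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=1
# NOTE(review): the subject here is wifi_manager_service, not distributedsche;
# policy for another domain normally lives in that domain's .te file so its
# owners review it — consider moving this rule.
allow wifi_manager_service distributedsche:binder { transfer };
#avc: denied { use } for pid=2445, comm="/system/bin/appspawn" scontext=u:r:distributedsche:s0 tcontext=u:r:filemanager_hap:s0 tclass=fd permissive=1
# NOTE(review): the denial is against filemanager_hap only, but the grant is to
# hap_domain (presumably the attribute covering every application domain).
# fd:use is low-risk, but confirm the broader grant is intentional.
allow distributedsche hap_domain:fd { use };
#avc: denied { read write } for pid=4134, comm="IPC_3_4189" scontext=u:r:distributedsche:s0 tcontext=u:r:hmdfs:s0 tclass=file permissive=1
allow distributedsche hmdfs:file { read write };
#avc: denied { get } for service=1901 pid=5366 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0
allow distributedsche sa_resource_schedule:samgr_class { get };
#avc: denied { use } for pid=5776, comm="/system/bin/sa_main"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:distributedsche:s0 tcontext=u:r:accountmgr:s0 tclass=fd permissive=1
allow distributedsche accountmgr:fd { use };
#avc: denied { transfer } for pid=5776, comm="/system/bin/sa_main"  scontext=u:r:distributedsche:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1
allow distributedsche multimodalinput:binder { transfer };

# Invariant: only samgr itself and the distributedsche domain may look up the
# DMS system ability for remote (cross-device) use. Any other domain needing
# get_remote must be added here explicitly; otherwise policy compilation fails.
neverallow {domain -samgr -distributedsche} sa_distributeschedule:samgr_class { get_remote };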
123