# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Access rules for the distributedfiledaemon domain. Every `allow` below names
# this daemon as the source and grants a permission set on one target
# type:class. Where an avc denial motivated a rule it is quoted directly above
# it (permissive=1: logged while the domain was permissive; permissive=0: the
# access was actually blocked in enforcing mode). allow rules are additive, so
# the effective grant on a target is the union of every rule naming it -- note
# data_service_el2_hmdfs:file is granted in two places below.

# hmdfs control nodes (sys_fs_hmdfs -- presumably the hmdfs sysfs tree, confirm).
allow distributedfiledaemon sys_fs_hmdfs:dir { read search setattr getattr open };
allow distributedfiledaemon sys_fs_hmdfs:file { setattr getattr open read write };

# Binder towards foundation. The second denial is the opposite direction
# (foundation calling this daemon); it is not granted by this file --
# presumably foundation's own policy carries it, and foundation is on the
# permitted-caller list of the neverallow further down -- confirm.
#avc: denied { transfer } for pid=604 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
#avc: denied { call } for pid=556 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:distributedfiledaemon:s0 tclass=binder permissive=1
allow distributedfiledaemon foundation:binder { call transfer };

# Read/write on TCP sockets created by softbus_server. The second denial was
# raised from a kworker thread running in this domain's context (presumably
# kernel-side hmdfs work on the daemon's behalf -- confirm); the same pattern
# recurs in the /data denials below.
#avc: denied { read } for pid=2101 comm="dfs_rcv1_1_7" laddr=192.168.43.48 lport=57666 faddr=192.168.43.20 fport=45047 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
#avc: denied { write } for pid=182 comm="kworker/u8:5" laddr=192.168.43.48 lport=39379 faddr=192.168.43.20 fport=59752 scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow distributedfiledaemon softbus_server:tcp_socket { read write };

# Path-walk rights only (search, no read) down /data -> service -> el2; the
# three denials name the successive directory levels.
#avc: denied { search } for pid=182 comm="kworker/u8:5" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_file:dir { search };

#avc: denied { search } for pid=182 comm="kworker/u8:5" name="service" dev="mmcblk0p11" ino=1044481 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_service_file:dir { search };

#avc: denied { search } for pid=7 comm="kworker/u8:0" name="el2" dev="mmcblk0p11" ino=130569 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_service_el2_file:dir { search };

# NOTE(review): the two denials below are against data_service_el2_file, but
# the rules grant on data_service_el2_hmdfs. Presumably the hmdfs cache subtree
# is relabelled to data_service_el2_hmdfs by a file_contexts entry outside this
# file -- confirm, otherwise these logged denials remain unaddressed.
# rw_dir_perms / rw_file_perms are permission-set macros; the dir rule adds
# rmdir and create on top of the macro. The hex path in the file denial decodes
# to /data/service/el2/100/hmdfs/cache/account_cache/#393097 (deleted).
#avc: denied { search } for pid=182 comm="kworker/u8:5" name="el2" dev="mmcblk0p11" ino=1044488 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
#avc: denied { write } for pid=182 comm="kworker/u8:5" name="account_cache" dev="mmcblk0p11" ino=1044562 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=dir permissive=1
allow distributedfiledaemon data_service_el2_hmdfs:dir { rw_dir_perms rmdir create };

#avc: denied { read write open } for pid=183 comm="kworker/u8:4" path=2F646174612F736572766963652F656C322F3130302F686D6466732F63616368652F6163636F756E745F63616368652F23333933303937202864656C6574656429 dev="mmcblk0p11" ino=393097 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:data_service_el2_file:s0 tclass=file permissive=1
allow distributedfiledaemon data_service_el2_hmdfs:file { rw_file_perms };

# Traversal of the unix-socket directory (search only; no socket-file rights here).
#avc: denied { search } for pid=659 comm="distributedfile" name="socket" dev="tmpfs" ino=40 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow distributedfiledaemon dev_unix_socket:dir { search };

#avc: denied { call } for pid=548 comm="distributedfile" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=1
allow distributedfiledaemon dslm_service:binder { call };

# Enforcing-mode denial (permissive=0): looking up the cesfwk system ability.
#avc: denied { get } for service=3299 pid=609 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
allow distributedfiledaemon sa_foundation_cesfwk_service:samgr_class { get };

# Compile-time assertion bounding the daemon's inbound binder surface: no domain
# outside the listed set may be granted `call` on this daemon anywhere in the
# policy, so every new client domain must be added here explicitly. hap_domain
# is exempted, so application processes are not barred by this rule (whether
# they can call depends on hap_domain's own rules).
neverallow { domain -pasteboard_service -dslm_service -foundation -softbus_server -accountmgr -device_manager -param_watcher -sadomain -hidumper_service -hap_domain } distributedfiledaemon:binder { call };

allow distributedfiledaemon sa_filemanagement_distributed_file_daemon_service:samgr_class { get_remote };

# Path-walk only into the app data tree.
allow distributedfiledaemon data_app_file:dir { search };

allow distributedfiledaemon data_app_el2_file:dir { search };

# Linux capabilities held by the daemon: dac_read_search bypasses DAC read and
# search checks on files (it does not bypass SELinux), chown allows changing
# file ownership, net_raw allows raw sockets. Each is broad; keep this set to
# what the daemon demonstrably needs.
allow distributedfiledaemon distributedfiledaemon:capability { dac_read_search chown net_raw };

# Full lifecycle on its own TCP sockets, including listen/accept (server side).
allow distributedfiledaemon distributedfiledaemon:tcp_socket { create setopt bind getattr listen getopt shutdown connect accept write read };

# Bind on the generic node type -- presumably any address without a more
# specific node label; confirm against the node labelling.
allow distributedfiledaemon node:tcp_socket { node_bind };

allow distributedfiledaemon distributedfiledaemon:udp_socket { ioctl shutdown create read write getattr bind connect getopt setopt accept };

# ioctl whitelist on its own UDP sockets: 0x8912 SIOCGIFCONF, 0x8913 SIOCGIFFLAGS,
# 0x8915 SIOCGIFADDR, 0x891b SIOCGIFHWADDR (Linux sockios.h) -- interface
# enumeration, address and MAC lookup. Any other ioctl is denied.
allowxperm distributedfiledaemon distributedfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b };

# Create/modify rights inside the data directories of normal, system_basic and
# system_core apps. No remove_name/rmdir on dirs and no unlink/rename on files
# is granted, so the daemon can add and edit but not delete there.
allow distributedfiledaemon normal_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon normal_hap_data_file_attr:file { write setattr getattr read open create };

allow distributedfiledaemon system_basic_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon system_basic_hap_data_file_attr:file { write setattr getattr read open create };

allow distributedfiledaemon system_core_hap_data_file_attr:dir { getattr write search read open add_name create setattr };

allow distributedfiledaemon system_core_hap_data_file_attr:file { write setattr getattr read open create };

# Bind/connect on the generic port type -- presumably any port without a more
# specific label; confirm against the port labelling.
allow distributedfiledaemon port:tcp_socket { name_connect name_bind };

# Read-only access to CPU sysfs entries, /data files and proc stat.
allow distributedfiledaemon sysfs_devices_system_cpu:dir { open read };

allow distributedfiledaemon sysfs_devices_system_cpu:file { read open getattr };

allow distributedfiledaemon data_file:file { getattr read open };

allow distributedfiledaemon proc_stat_file:file { open read };

# Create/write in user data (again without delete rights).
allow distributedfiledaemon data_user_file:dir { search getattr write add_name create read open };

allow distributedfiledaemon data_user_file:file { getattr open read write create };

# Outbound binder calls into application domains.
allow distributedfiledaemon hap_domain:binder { call };

# Full file management on hmdfs, including delete (remove_name/rmdir/unlink) and rename.
allow distributedfiledaemon hmdfs:dir { search read open write add_name create setattr remove_name rmdir };

allow distributedfiledaemon hmdfs:file { read open getattr create write setattr rename unlink ioctl };

# 0x5413 matches TIOCGWINSZ (Linux ioctls.h); on a regular file this usually
# comes from an isatty()-style probe -- confirm the caller before widening.
allowxperm distributedfiledaemon hmdfs:file ioctl { 0x5413 };

# Write access to the kernel log device (open+write only).
allow distributedfiledaemon dev_kmsg_file:chr_file { write open };

# Supplements the rw_file_perms grant on the same target above; the two rules merge.
allow distributedfiledaemon data_service_el2_hmdfs:file { create rename unlink };

allow distributedfiledaemon sa_uri_permission_mgr_service:samgr_class { get };

# Enforcing-mode denials (permissive=0).
#avc: denied { get } for service=6001 pid=5338 scontext=u:r:distributedfiledaemon:s0 tcontext=u:object_r:sa_device_profile_service:s0 tclass=samgr_class permissive=0
allow distributedfiledaemon sa_device_profile_service:samgr_class { get };

#avc: denied { call } for pid=4447 comm="/system/bin/sa_main" scontext=u:r:distributedfiledaemon:s0 tcontext=u:r:distributedsche:s0 tclass=binder permissive=0
allow distributedfiledaemon distributedsche:binder { call };

allow distributedfiledaemon sa_storage_manager_service:samgr_class { get };

allow distributedfiledaemon storage_manager:binder { call };

allow distributedfiledaemon distributeddata:binder { call };

allow distributedfiledaemon chip_prod_file:dir { search };

# NOTE(review): read/write on tty_device is unusual for a service daemon and no
# motivating denial is recorded here -- confirm it is still required.
allow distributedfiledaemon tty_device:chr_file { read write };

allow distributedfiledaemon data_service_el1_file:dir { search };

allow distributedfiledaemon node:udp_socket { node_bind };