1# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14#avc:  denied  { get } for service=3503 pid=589 scontext=u:r:sensors:s0 tcontext=i:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1
15allow sensors sa_accesstoken_manager_service:samgr_class { get };
16
17#avc:  denied  { get } for service=vibrator_interface_service pid=620 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_vibrator_interface_service:s0 tclass=hdf_devmgr_class permissive=1
18allow sensors hdf_vibrator_interface_service:hdf_devmgr_class { get };
19
20#avc:  denied  { get } for service=sensor_interface_service pid=655 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_sensor_interface_service:s0 tclass=hdf_devmgr_class permissive=1
21allow sensors hdf_sensor_interface_service:hdf_devmgr_class { get };
22
23#avc:  denied  { get } for service=5100 pid=546 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
24allow sensors sa_device_service_manager:samgr_class { get };
25
26#avc:  denied  { add } for service=3601 pid=572 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_sensor_service:s0 tclass=samgr_class permissive=1
27allow sensors sa_sensor_service:samgr_class { add };
28
29#avc:  denied  { call } for  pid=2043 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
30#avc:  denied  { transfer } for pid=1208 comm="IPC_2_2791" scontext=u:r:sensors:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
31allow sensors accesstoken_service:binder { call transfer };
32
33#avc:  denied  { call } for  pid=2043 comm="sensors" scontext=u:r:accesstoken_service:s0 tcontext=u:r:sensors:s0 tclass=binder permissive=1
34allow accesstoken_service sensors:binder { call };
35
36#avc:  denied  { use } for pid=2519 comm="wei.hmos.health" path="socket:[39017]" dev="sockfs" ino=39017 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=0
37#avc:  denied  { use } for pid=2748 comm="wei.hmos.health" path="socket:[39096]" dev="sockfs" ino=39096 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=fd permissive=1
38allow sensors system_basic_hap_attr:fd { use };
39
40#avc:  denied  { read write } for pid=2748 comm="wei.hmos.health" path="socket:[39036]" dev="sockfs" ino=39036 scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=unix_stream_socket permissive=1
41allow sensors system_basic_hap_attr:unix_stream_socket { read write };
42
43#avc:  denied  { call } for pid=1208 comm="IPC_0_1342" scontext=u:r:sensors:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
44allow sensors system_basic_hap_attr:binder { call };
45
46#avc:  denied  { use } for  pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=fd permissive=1
47allow sensors normal_hap_attr:fd { use };
48
49#avc:  denied  { read write } for  pid=1963 comm="jsThread-1" path="socket:[26923]" dev="sockfs" ino=26923 scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=unix_stream_socket permissive=1
50allow sensors normal_hap_attr:unix_stream_socket { read write };
51
52#avc:  denied  { call } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1
53allow sensors normal_hap_attr:binder { call };
54
55#avc:  denied  { setopt } for  pid=650 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1
56#avc:  denied  { getopt } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensors:s0 tclass=unix_dgram_socket permissive=1
57allow sensors sensors:unix_dgram_socket { getopt setopt };
58
59#avc:  denied  { search } for  pid=645 comm="sensors" name="socket" dev="tmpfs" ino=40 scontext=u:r:sensors:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
60allow sensors dev_unix_socket:dir { search };
61
62#avc:  denied  { call } for  pid=645 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:vibrator_host:s0 tclass=binder permissive=1
63allow sensors vibrator_host:binder { call };
64
65#avc:  denied  { search } for  pid=451 comm="sensors" name="/" dev="tracefs" ino=1 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
66allow sensors tracefs:dir { search };
67
68#avc:  denied  { write } for  pid=451 comm="sensors" name="trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
69#avc:  denied  { open } for  pid=451 comm="sensors" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=15134 scontext=u:r:sensors:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
70allow sensors tracefs_trace_marker_file:file { write open };
71
72#avc:  denied  { use } for  pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fd permissive=1
73allow sensors hidumper_service:fd { use };
74
75#avc:  denied  { write } for  pid=475 comm="hidumper_servic" path="pipe:[32513]" dev="pipefs" ino=32513 scontext=u:r:sensors:s0 tcontext=u:r:hidumper_service:s0 tclass=fifo_file permissive=1
76allow sensors hidumper_service:fifo_file { write };
77
78#avc:  denied  { transfer } for  pid=2152 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sensor_host:s0 tclass=binder permissive=1
79allow sensors sensor_host:binder { transfer };
80
81#avc:  denied  { use } for  pid=2778 comm="processdump" dev="mmcblk0p11" ino=652843 scontext=u:r:sensors:s0 tcontext=u:r:faultloggerd:s0 tclass=fd permissive=1
82allow sensors faultloggerd:fd { use };
83
84#avc:  denied  { write } for  pid=621 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
85#avc:  denied  { read write } for  pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
86allow sensors system_core_hap_attr:unix_stream_socket { write read };
87
88#avc:  denied  { use } for  pid=2097 comm="jsThread-1" path="socket:[40085]" dev="sockfs" ino=40085 scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1allow
89allow sensors system_core_hap_attr:fd { use };
90
91#avc:  denied  { call } for  pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=0
92allow sensors system_core_hap_attr:binder { call };
93
94#avc:  denied  { get } for service=3505 pid=575 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0
95allow sensors sa_privacy_service:samgr_class { get };
96
97#avc:  denied  { call } for  pid=549 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=0
98allow sensors privacy_service:binder { call };
99
100#avc:  denied  { read } for  pid=2827 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:sensors:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0
101allow sensors accessibility_param:file { read };
102
103allow sensors vendor_etc_file:dir { search };
104allow sensors vendor_etc_file:file { getattr open read };
105
106#avc:  denied  { call } for  pid=440 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:light_host:s0 tclass=binder permissive=1
107allow sensors light_host:binder { call };
108
109#avc:  denied  { read } for  pid=508 comm="sensors" name="u:object_r:musl_param:s0" dev="tmpfs" ino=55 scontext=u:r:sensors:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
110allow sensors musl_param:file { read };
111
112#avc:  denied  { get } for service=light_interface_service pid=2262 scontext=u:r:sensors:s0 tcontext=u:object_r:hdf_light_interface_service:s0 tclass=hdf_devmgr_class permissive=1
113allow sensors hdf_light_interface_service:hdf_devmgr_class { get };
114
115#avc:  denied  { use } for  pid=585 comm="IPC_1_745" path="socket:[34684]" dev="sockfs" ino=34684 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=fd permissive=0
116allow sensors foundation:fd { use };
117
118#avc:  denied  { read write } for  pid=554 comm="foundation" path="socket:[41126]" dev="sockfs" ino=41126 scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=unix_stream_socket permissive=0
119allow sensors foundation:unix_stream_socket { read write };
120
121#avc:  denied  { call } for  pid=585 comm="IPC_2_1283" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=0
122#avc:  denied  { transfer } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
123allow sensors foundation:binder { call transfer };
124
125#avc:  denied { getattr } for  pid=1324 comm="IPC_1_1486" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
126#avc:  denied { read } for  pid=4754 comm="jsThread-1" path="/data/storage/el2/base/files/coin_drop.json" dev="sdd78" ino=4521 scontext=u:r:sensors:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=0
127allow sensors normal_hap_data_file_attr:file { getattr read };
128
129#avc:  denied { getattr } for  pid=1308 comm="IPC_1_1470" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1
130#avc:  denied { read } for  pid=3199 comm="HitsVibrateTest" path="/data/local/tmp/test_128_event.json" dev="sdd78" ino=8191 scontext=u:r:sensors:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=1
131allow sensors data_local_tmp:file { getattr read };
132
133#avc:  denied { getattr } for  pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
134#avc:  denied { open } for  pid=1324 comm="sensors" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
135#avc:  denied { read } for  pid=1324 comm="sensors" name="online" dev="sysfs" ino=33211 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
136allow sensors sysfs_devices_system_cpu:file { getattr open read };
137
138allow sensors render_service:fd { use };
139allow sensors render_service:unix_stream_socket { read write };
140allow sensors render_service:binder { call };
141
142allow sensors camera_service:fd { use };
143allow sensors camera_service:unix_stream_socket { read write };
144allow sensors camera_service:binder { call };
145
146allow sensors powermgr:fd { use };
147allow sensors powermgr:unix_stream_socket { read write };
148allow sensors powermgr:binder { call transfer };
149
150allow sensors audio_server:unix_stream_socket { read write };
151
152# avc:  denied  { use } for  pid=356 comm="audio_server" path="socket:[30765]" dev="sockfs" ino=30765 scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=fd permissive=1
153allow sensors audio_server:fd { use };
154
155# avc:  denied  { call } for  pid=580 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
156allow sensors audio_server:binder { call };
157
158#avc:  denied  { call } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
159#avc:  denied  { transfer } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
160allow sensors audio_server:binder { call transfer };
161
162#avc:  denied  { call } for  pid=1143 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1
163#avc:  denied { transfer } for pid=1447, comm="/system/bin/sa_main"  scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=0
164allow sensors distributeddata:binder { call transfer };
165
166#avc:  denied  { use } for  pid=1143 comm="sensors" path="/dev/ashmem" dev ="tmpfs" ino=619 ioctlcmd=0x7706 scontext=u:r:sensors:s0 tcontext=u:r:distributeddata:s0 tclass=fd permissive=1
167allow sensors distributeddata:fd { use };
168
169#avc:  denied  { get } for service=1301 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=0
170allow sensors sa_distributeddata_service:samgr_class { get };
171
172#avc:  denied  { get } for service=180 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
173allow sensors sa_foundation_abilityms:samgr_class { get };
174
175#avc:  denied  { get } for service=3009 pid=599 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0
176allow sensors sa_audio_policy_service:samgr_class { get };
177
178#avc:  denied  { get } for service=3001 pid=608 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=0
179allow sensors sa_pulseaudio_audio_service:samgr_class { get };
180
181#avc:  denied  { call } for  pid=1458 comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:pinauth:s0 tclass=binder permissive=1
182allow sensors pinauth:binder { call };
183
184#avc:  denied  { get } for service=1909 pid=1053 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=1
185allow sensors sa_memory_manager_service:samgr_class { get };
186allow sensors memmgrservice:binder { call };
187
188#avc: denied { transfer } for pid=1415, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=0
189allow sensors normal_hap_attr:binder { transfer };
190
191#avc: denied { search } for pid=1415, comm="/system/bin/sa_main" name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9188 scontext=u:r:sensors:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0
192allow sensors chip_prod_file:dir { search };
193
194#avc: denied { get } for service=180 pid=1453 scontext=u:r:render_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
195allow sensors sa_foundation_cesfwk_service:samgr_class { get };
196
197#avc: denied { getattr } for pid=1373, comm="/system/bin/sa_main" path="/data/themes/a/system/sub_screen/lock/base/resources/rich_tap/charging_2.json" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=46896 scontext=u:r:sensors:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
198allow sensors data_service_el1_file:file { getattr };
199
200#avc: denied { call } for pid=1420, comm="/system/bin/sa_main" scontext=u:r:sensors:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=1
201allow sensors accountmgr:binder { call };
202
203#avc: denied { write } for pid=1489, comm="/system/bin/sa_main" path="pipe:[13]" dev="tmpfs" ino=13 scontext=u:r:sensors:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
204allow sensors init:fifo_file { write };
205
206#avc: denied { get } for service=200 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1
207allow sensors sa_accountmgr:samgr_class { get };
208
209#avc: denied { get } for service=501 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0
210allow sensors sa_foundation_appms:samgr_class { get };
211
212#avc: denied { get } for service=401 sid=u:r:sensors:s0 scontext=u:r:sensors:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
213allow sensors sa_foundation_bms:samgr_class { get };
214
215debug_only(`
216    #avc:  denied  { use } for  pid=2011 comm="SensorAgentTest" path="socket:[39791]" dev="sockfs" ino=39791 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=fd permissive=0
217    allow sensors sh:fd { use };
218
219    # avc:  denied  { call } for  pid=687 comm="sensors" scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
220    allow sensors sh:binder { call };
221
222    #avc:  denied  { read write } for  pid=2132 comm="SensorAgentTest" path="socket:[39407]" dev="sockfs" ino=39407 scontext=u:r:sensors:s0 tcontext=u:r:sh:s0 tclass=unix_stream_socket permissive=0
223    allow sensors sh:unix_stream_socket { read write };
224')
225