# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the isolated_gpu domain. Judging by the comm=
# values in the audit records below ("ei.hmos.browser", "mos.browser:gpu"),
# this is the browser's GPU process. Each "# avc: denied" line is the audit
# record (collected with permissive=1) that motivated the allow rule under it;
# keep record and rule together so every grant stays traceable. Rules with no
# avc line above them carry no recorded justification in this file.

# avc: denied { execute } for pid=3708 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore/libs/arm64/libweb_engine.so" dev="sdd78" ino=30131 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# NOTE(review): the record above is an execute denial on a *file* (the web
# engine library under the app bundle directory), but the rule right below
# only grants dir getattr. The matching "data_app_el1_file:file { execute }"
# rule is further down in this file. "execute" is not a dir permission, which
# is presumably why the next rule was left commented out.
allow isolated_gpu data_app_el1_file:dir { getattr };
# allow isolated_gpu data_app_el1_file:dir { execute };

# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=112 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
# Path lookup through the unix-socket directory (name="socket" on tmpfs);
# search only, no listing or creation of sockets is granted here.
allow isolated_gpu dev_unix_socket:dir { search };

# avc: denied { use } for pid=3708 comm="ei.hmos.browser" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:isolated_gpu:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1
# Use of a /dev/null fd inherited from nwebspawn (recorded above), plus
# connect/write on nwebspawn's datagram socket (no audit record in this file).
allow isolated_gpu nwebspawn:fd { use };
allow isolated_gpu nwebspawn:unix_dgram_socket { write connect};

# avc: denied { call } for pid=3708 comm="ei.hmos.browser" scontext=u:r:isolated_gpu:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1
# Binder calls to time_service (call only; no transfer of binder objects).
allow isolated_gpu time_service:binder { call };

# avc: denied { getattr } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc: denied { read open } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc: denied { map } for pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# Read/map access recorded while loading ArkWebCore.hap.
# NOTE(review): the grant is for every file carrying the system_file label,
# not just that hap; read-only (no write or execute), so the exposure is
# what the process can read, not what it can change.
allow isolated_gpu system_file:file { getattr read open map };

# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="bin" dev="sdd74" ino=338 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
# Path lookup through the system bin directory; search only, no execute.
allow isolated_gpu system_bin_file:dir { search };

# avc: denied { search } for pid=3708 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
# Search on the tracefs root only; no read of trace entries is granted here.
allow isolated_gpu tracefs:dir { search };

# System-ability lookups through samgr (get only). No audit records for
# these in this file.
allow isolated_gpu sa_foundation_appms:samgr_class { get };
allow isolated_gpu sa_param_watcher:samgr_class { get };
allow isolated_gpu sa_render_service:samgr_class { get };
allow isolated_gpu sa_time_service:samgr_class { get };
# Lets the GPU process load the web engine library from the app bundle
# directory (the execute denial recorded at the top of this file).
# NOTE(review): this covers every file carrying the data_app_el1_file label,
# not only the engine library, so the isolated process may execute any
# app-data file with that label. If the engine library can be given a
# dedicated label, this grant can be narrowed to it.
allow isolated_gpu data_app_el1_file:file { execute };
# Direct access to the Mali GPU device node. ioctl is further restricted by
# the allowxperm rule after the audit records below; the set listed there is
# the commands recorded in this file plus 0x8000, for which this file holds
# no audit record.
allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open };
# avc: denied { ioctl } for pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc: denied { ioctl } for pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# Extended-permission filter for dev_mali ioctls: although the allow rule
# above grants ioctl, only the command numbers listed here are permitted.
# Any new driver command must be added here explicitly, with its audit record.
allowxperm isolated_gpu dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x800c 0x800e 0x800f 0x8016 0x8019 0x801d 0x8026 };
# Binder, fd and stream-socket exchange with hap_domain (presumably the
# attribute covering application processes — confirm). "transfer" lets binder
# objects be passed on to those domains, not only called. No audit record
# in this file for any of these three rules.
allow isolated_gpu hap_domain:binder { call transfer };
allow isolated_gpu hap_domain:fd { use };
allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown};
# Write to a pipe owned by nwebspawn (the fd/dgram grants for nwebspawn are
# near the top of this file).
allow isolated_gpu nwebspawn:fifo_file { write };
# Read/map of persistent system-parameter files.
allow isolated_gpu persist_param:file { map read open };
# Read/write on a stream socket shared with render_service.
allow isolated_gpu render_service:unix_stream_socket { write read };

allow isolated_gpu sa_foundation_bms:samgr_class { get };
# Read-only access to the sysfs CPU directory and its entries.
allow isolated_gpu sysfs_devices_system_cpu:dir { read open };
allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open };

allow isolated_gpu allocator_host:fd { use };
# Read/map of boot parameters and the web-private parameter file.
allow isolated_gpu ohos_boot_param:file { map read open };
allow isolated_gpu sa_resource_schedule:samgr_class { get };
allow isolated_gpu web_private_param:file { map open read };

# Buffer allocator and codec services: binder calls and fd passing with
# allocator_host, av_codec_service and codec_host, plus the HDF device-manager
# lookup for the allocator service. Presumably used for shared graphics/video
# buffers — confirm against the caller.
allow isolated_gpu allocator_host:binder { call };
allow isolated_gpu av_codec_service:binder { call transfer };
# Only "open" on the ashmem device node is granted here; nothing else on it
# comes from this file — confirm that is all the process needs.
allow isolated_gpu dev_ashmem_file:chr_file { open };
allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get };
# Datagrams to hiview (sendto only; no connect or receive).
allow isolated_gpu hiview:unix_dgram_socket { sendto };
# Socket options on the domain's own datagram sockets.
allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt };
allow isolated_gpu persist_sys_param:file { map open read };
allow isolated_gpu sa_av_codec_service:samgr_class { get };
allow isolated_gpu sa_device_service_manager:samgr_class { get };
allow isolated_gpu codec_host:fd { use };
allow isolated_gpu av_codec_service:fd { use };

# NOTE(review): ptrace within the domain. The target is isolated_gpu itself,
# so this does not reach other domains, but ptrace is a strong permission and
# there is no audit record for it in this file — confirm what needs it (crash
# dumping is the usual reason) and keep the target limited to the domain itself.
allow isolated_gpu isolated_gpu:process { ptrace };