1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
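# ---------------------------------------------------------------------------
# Access rules for the isolated_render domain.
#
# The "avc: denied" lines kept above each rule are the audit records that
# motivated it. They show the requesting process as the browser renderer
# (comm="ei.hmos.browser", ".browser:render", "CompositorTileW", fds and
# sockets inherited from nwebspawn), so this appears to be the sandboxed
# web-content process; confirm against the domain declaration, which is not
# in this file.
#
# NOTE(review) markers below flag the places where a rule is wider than the
# denial that is quoted for it (extra permissions, or an attribute standing in
# for the audited type) or where no denial is recorded at all, so that each
# widening is a deliberate choice rather than an artefact of log-driven
# policy writing. Duplicate rule for sa_resource_schedule (previously listed
# twice) has been folded into a single statement; duplicates are harmless to
# checkpolicy but hide the real rule count from a reviewer.
# ---------------------------------------------------------------------------

# No audit record kept; fd passing from the allocator host.
allow isolated_render allocator_host:fd { use };

# avc:  denied  { search } for  pid=5103 comm="ThreadPoolForeg" name="/" dev="cgroup2" ino=1 scontext=u:r:isolated_render:s0 tcontext=u:object_r:cgroup2:s0 tclass=dir permissive=1
allow isolated_render cgroup2:dir { search };

# avc:  denied  { getattr } for  pid=5103 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore" dev="sdd78" ino=1840 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
allow isolated_render data_app_el1_file:dir { getattr search };

# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/dev/ashmem" dev="tmpfs" ino=490 scontext=u:r:isolated_render:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=1
allow isolated_render dev_ashmem_file:chr_file { open };

# avc:  denied  { search } for  pid=3061 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=79 scontext=u:r:isolated_render:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0
allow isolated_render dev_unix_socket:dir { search };

# No audit record kept. hap_domain is an attribute, so binder calls and fd
# use are granted towards every domain carrying it, not only the browser
# that hosts this renderer. NOTE(review): confirm that breadth is intended.
allow isolated_render hap_domain:binder { call };
allow isolated_render hap_domain:fd { use };

# avc:  denied  { exec_anon_mem } for  pid=5103 comm="ei.hmos.browser" scontext=u:r:isolated_render:s0 tcontext=u:r:isolated_render:s0 tclass=xpm permissive=0
# Executable anonymous memory for the renderer; the hideaddr, jit_memory and
# process:execmem rules further down belong to the same JIT story.
allow isolated_render isolated_render:xpm { exec_anon_mem };

# No audit record kept. NOTE(review): this grants write and lock on data
# files of normal HAPs from inside the renderer; none of the audit lines in
# this file show such a write, so confirm which files actually need it.
allow isolated_render normal_hap_data_file_attr:file { read write getattr lock };

# avc:  denied  { use } for  pid=5103 comm="ei.hmos.browser" path="socket:[33368]" dev="sockfs" ino=33368 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1
allow isolated_render nwebspawn:fd { use };

# avc:  denied  { write } for  pid=5103 comm="ei.hmos.browser" path="pipe:[45491]" dev="pipefs" ino=45491 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=fifo_file permissive=1
allow isolated_render nwebspawn:fifo_file { write };

# avc:  denied  { write } for  pid=5103 comm="CompositorTileW" path="socket:[33368]" dev="sockfs" ino=33368 scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=1
# (connect on the same socket class is granted separately below.)
allow isolated_render nwebspawn:unix_dgram_socket { write };

# avc:  denied  { map } for  pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=89 scontext=u:r:isolated_render:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1
allow isolated_render ohos_boot_param:file { map open read };

# avc:  denied  { map } for  pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="u:object_r:persist_param:s0" dev="tmpfs" ino=107 scontext=u:r:isolated_render:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
allow isolated_render persist_param:file { map open read };

# avc:  denied  { map } for  pid=4445 comm="e.simplewebview" path=2F646174612F726167652F656C322F626173652F63616368652F7765622F5375627265736F757263652046696C7465722F496E64657865642052756C65732F33362F302F52756C657365742044617461 dev="sdd78" ino=34505 scontext=u:r:isolated_render:s0 tcontext=u:object_r:debug_hap_data_file:s0 tclass=file permissive=1
# NOTE(review): the denial is against debug_hap_data_file, but the rule uses
# the attribute hap_file_attr, which covers more types; confirm the attribute
# (rather than the audited type) is what is wanted here.
allow isolated_render hap_file_attr:file { map };

# avc:  denied  { getattr } for  pid=5103 comm="CompositorTileW" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="CompositorTileW" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="CompositorTileW" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:isolated_render:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
allow isolated_render proc_cpuinfo_file:file { getattr open read };

# avc:  denied  { call } for  pid=5103 comm="ei.hmos.browser" scontext=u:r:isolated_render:s0 tcontext=u:r:resource_schedule_service:s0 tclass=binder permissive=1
allow isolated_render resource_schedule_service:binder { call };

# avc:  denied  { get } for service=501 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1
allow isolated_render sa_foundation_appms:samgr_class { get };

# avc:  denied  { get } for service=401 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
allow isolated_render sa_foundation_bms:samgr_class { get };

# avc:  denied  { get } for service=3901 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
allow isolated_render sa_param_watcher:samgr_class { get };

# avc:  denied  { get } for service=1906 pid=5103 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_resource_schedule_socperf_server:s0 tclass=samgr_class permissive=1
allow isolated_render sa_resource_schedule_socperf_server:samgr_class { get };

# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu" dev="sysfs" ino=33247 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="cpu" dev="sysfs" ino=33247 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
allow isolated_render sysfs_devices_system_cpu:dir { open read };

# avc:  denied  { getattr } for  pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu/cpu0/regs/identification/midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/sys/devices/system/cpu/cpu0/regs/identification/midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="midr_el1" dev="sysfs" ino=69186 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow isolated_render sysfs_devices_system_cpu:file { getattr open read };

# avc:  denied  { read write } for  pid=1077 comm="AppMgrService" path="socket:[43723]" dev="sockfs" ino=43723 scontext=u:r:isolated_render:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
# avc:  denied  { write } for  pid=4973 comm="e.myapplication" scontext=u:r:isolated_render:s0 tcontext=u:r:system_core_hap:s0 tclass=unix_stream_socket permissive=1
# NOTE(review): both denials target system_core_hap; the rule grants the
# hap_domain attribute instead and adds shutdown, which neither audit line
# shows. Confirm the attribute and the extra permission are intended.
allow isolated_render hap_domain:unix_stream_socket { read write shutdown };

# No audit record kept for either of the next two rules. NOTE(review): they
# give the renderer append/write/map on system_core and system_basic HAP
# data files; confirm the concrete files that require this, since a renderer
# that can write to privileged app data is a much larger trust step than the
# read-only grants elsewhere in this file.
allow isolated_render system_core_hap_data_file_attr:file { append read write getattr lock map };

allow isolated_render system_basic_hap_data_file_attr:file { append read write getattr lock map };

# avc:  denied  { getattr } for  pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="ArkWebCore.hap" dev="sdd74" ino=123 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
allow isolated_render system_file:file { getattr map open read };

# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/system/fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1
# avc:  denied  { search } for  pid=5103 comm="ei.hmos.browser" name="fonts" dev="sdd74" ino=2210 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=dir permissive=1
allow isolated_render system_fonts_file:dir { open read search };

# avc:  denied  { getattr } for  pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/system/fonts/HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=5103 comm="ei.hmos.browser" name="HarmonyOS_Sans_Light.ttf" dev="sdd74" ino=2229 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_fonts_file:s0 tclass=file permissive=1
allow isolated_render system_fonts_file:file { getattr map open read };

# avc:  denied  { search } for  pid=5103 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
allow isolated_render tracefs:dir { search };

# avc:  denied  { open } for  pid=5103 comm="ei.hmos.browser" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13214 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
# avc:  denied  { write } for  pid=5103 comm="ei.hmos.browser" name="trace_marker" dev="tracefs" ino=13214 scontext=u:r:isolated_render:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow isolated_render tracefs_trace_marker_file:file { open write };

# avc: denied { nnp_transition } for pid=4000 comm="dump_tmp_thread" scontext=u:r:isolated_render:s0 tcontext=u:r:processdump:s0 tclass=process2 permissive=1
# Crash-dump path: the renderer (no-new-privs) transitions into processdump.
allow isolated_render processdump:process2 { nnp_transition };

# avc: denied { search } for pid=4000 comm="dump_tmp_thread" name="bin" dev="sdd74" ino=282 scontext=u:r:isolated_render:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
allow isolated_render system_bin_file:dir { search };

# avc: denied { connect } for pid=1795 comm="IPC_0_1796" scontext=u:r:isolated_render:s0 tcontext=u:r:nwebspawn:s0 tclass=unix_dgram_socket permissive=0
allow isolated_render nwebspawn:unix_dgram_socket { connect };

# avc: denied { execute } for pid=2265 comm="e.myapplication" path="/data/storage/el1/bundle/nweb/libs/arm/libweb_engine.so" dev="mmcblk0p14" ino=600 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=0
# NOTE(review): execute on data_app_el1_file lets the renderer map code from
# the bundle's el1 install directory (the audit shows libweb_engine.so), i.e.
# code outside /system. Confirm that this label is restricted to installed
# bundle content and is not writable by the application at runtime; if a
# narrower type exists for the nweb libs directory, prefer it.
allow isolated_render data_app_el1_file:file { execute getattr open read };

# avc: denied { call } for pid=3693 comm="e.myapplication" scontext=u:r:isolated_render:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1
allow isolated_render time_service:binder { call };

# avc: denied { get } for service=3702 pid=13433 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_time_service:s0 tclass=samgr_class permissive=0
allow isolated_render sa_time_service:samgr_class { get };

# No audit record kept. Companion rules to xpm:exec_anon_mem above; the
# debug-only variant (hide_exec_anon_mem_debug) is at the end of the file.
allow isolated_render isolated_render:hideaddr { hide_exec_anon_mem };

allow isolated_render isolated_render:jit_memory { exec_mem_ctrl };

# avc: denied  { get } for service=1901 pid=3409 scontext=u:r:isolated_render:s0 tcontext=u:object_r:sa_resource_schedule:s0 tclass=samgr_class permissive=0
# (This rule was previously present twice; kept once.)
allow isolated_render sa_resource_schedule:samgr_class { get };

# avc_audit_slow:260] avc: denied { ptrace } for pid=15, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:isolated_render:s0 tclass=process permissive=1
# NOTE(review): the audit line shows ptrace within the domain only; execmem is
# not backed by any denial in this file. Since xpm:exec_anon_mem and
# jit_memory:exec_mem_ctrl are already granted above, confirm execmem is still
# required rather than a leftover from before those finer-grained classes.
allow isolated_render isolated_render:process { ptrace execmem };

# No audit record kept.
allow isolated_render web_private_param:file { map open read };

# avc: denied { map } for pid=1, comm="/system/bin/appspawn"  path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16350 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
# avc: denied { read } for pid=1, comm="/system/bin/appspawn"  path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=17270 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
# avc: denied { getattr } for pid=1, comm="/system/bin/appspawn"  path="/data/themes/a/app/fonts/*.ttf" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=18442 scontext=u:r:isolated_render:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
# Theme fonts; read-only (no open is granted, matching the recorded denials).
allow isolated_render data_service_el1_file:file { getattr map read };

# avc_audit_slow:262] avc: denied { write } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
# NOTE(review): the audit shows write only; connect is added without a record.
allow isolated_render appspawn:unix_dgram_socket { write connect };

# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow isolated_render foundation:binder { call transfer };

# avc_audit_slow:262] avc: denied { map } for pid=1, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { open } for pid=1, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { read } for pid=1, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=215 scontext=u:r:isolated_render:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
allow isolated_render hichecker_writable_param:file { map open read };

# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow isolated_render param_watcher:binder { call transfer };

# avc_audit_slow:262] avc: denied { call } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
# avc_audit_slow:262] avc: denied { transfer } for pid=1, comm="/system/bin/appspawn"  scontext=u:r:isolated_render:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
allow isolated_render samgr:binder { call transfer };

# avc:  denied  { use } for  pid=21118 comm=".browser:render" path="socket:[14595]" dev="sockfs" ino=14595 scontext=u:r:isolated_render:s0 tcontext=u:r:appspawn:s0 tclass=fd permissive=1
allow isolated_render appspawn:fd { use };

# avc:  denied  { search } for  pid=8252 comm=".browser:render" scontext=u:r:isolated_render:s0 tcontext=u:r:key_enable:s0 tclass=key permissive=1
allow isolated_render key_enable:key { search };

# Debug builds only: the relaxed hideaddr permission on top of
# hide_exec_anon_mem granted above.
debug_only(`
    allow isolated_render isolated_render:hideaddr { hide_exec_anon_mem_debug };
')

# avc_audit_slow:267] avc: denied { write } for pid=1, comm="/system/bin/appspawn"
# NOTE(review): the audit record above is truncated (no tcontext, tclass or
# path survived), yet the rule grants read/write/open/getattr/append on every
# sharefs file. Re-capture the full denial and trim the permission set to what
# it actually shows before this ships.
allow isolated_render sharefs:file { read write open getattr append };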
190