# Copyright (c) 2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. type chipset_init, native_chipset_domain, domain; allow chipset_init self:capability { chown dac_override dac_read_search fsetid setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource fowner }; allow domain chipset_init:fd use; allow init init:process { setcurrent }; allow init chipset_init:process { setcurrent dyntransition }; allow chipset_init chipset_init:process { setexec setsockcreate }; allow chipset_init composer_host:process { rlimitinh siginh transition }; allow chipset_init allocator_host:process { rlimitinh siginh transition }; allow chipset_init system_lib_file:dir { open read }; allow chipset_init system_lib_file:lnk_file { relabelto getattr }; allow chipset_init system_bin_file:dir { search }; allow chipset_init system_bin_file:file { execute getattr read read open }; allow chipset_init toybox_exec:file { execute getattr map read open }; allow chipset_init system_etc_file:dir { open read search getattr }; allow chipset_init system_etc_file:file { getattr open read }; allow chipset_init system_etc_file:lnk_file { relabelto read getattr }; allow chipset_init vendor_bin_file:dir { search }; allow chipset_init vendor_bin_file:file { execute getattr read read open }; allow chipset_init vendor_etc_file:dir { open read search getattr }; allow chipset_init vendor_etc_file:file { getattr open read }; allow chipset_init dev_kmsg_file:chr_file { write ioctl }; allow chipset_init dev_binder_file:chr_file { relabelto }; allow chipset_init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write }; allow chipset_init dev_block_file:dir { open read relabelto search }; allow chipset_init dev_block_file:lnk_file { read relabelto }; allow chipset_init dev_block_volfile:dir { open read relabelto search }; allow chipset_init dev_char_file:dir { getattr open read relabelto setattr }; allow chipset_init dev_console_file:chr_file { getattr ioctl open read write }; allow chipset_init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write }; allow chipset_init dev_file:lnk_file { create }; allow chipset_init dev_fscklogs_file:dir { open read relabelto search setattr }; allow chipset_init dev_fuse_file:chr_file { setattr }; allow chipset_init dev_graphics_file:chr_file { setattr }; allow chipset_init dev_graphics_file:dir { search }; allow chipset_init dev_hdf_audio_capture:chr_file { setattr }; allow chipset_init dev_hdf_audio_control:chr_file { setattr }; allow chipset_init dev_hdf_audio_render:chr_file { setattr }; allow chipset_init dev_hdf_disp:chr_file { setattr }; allow chipset_init dev_hdf_file:chr_file { setattr }; allow chipset_init dev_hdf_input:chr_file { setattr }; allow chipset_init { dev_mgr_file dev_hdf_kevent dev_hdf_sensor_mgr dev_hdf_misc_vibrator dev_hdf_light dev_mpp dev_rga dev_video_file }:chr_file { setattr }; allow chipset_init sys_file:file { setattr }; allow chipset_init sysfs_wake_lck:file { setattr }; allowxperm chipset_init dev_at_file:chr_file ioctl { 0x4102 }; allow chipset_init dev_at_file:chr_file { ioctl setattr }; allow chipset_init hidumper_service:file { open read }; # avc: denied { read } for pid=579 comm="hidumper_servic" scontext=u:r:hidumper_service:s0 tcontext=u:r:chipset_init:s0 tclass=file permissive=0 allow hidumper_service chipset_init:dir { getattr open read search }; allow hidumper_service chipset_init:file { getattr open read }; allow hidumper_service chipset_init:lnk_file read; # avc: denied { rlimitinh } for pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 # avc: denied { siginh } for pid=2969 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 # avc: denied { transition } for pid=2969 comm="init" path="/vendor/bin/hdf_devhost" dev="sdd84" ino=33 scontext=u:r:chipset_init:s0 tcontext=u:r:intell_voice_host:s0 tclass=process permissive=1 #for for start process in subcontext hdf_devhost.cfg chipset_init_daemon_domain(hdf_devmgr); allow chipset_init { user_auth_host pin_auth_host fingerprint_auth_host face_auth_host codec_host vibrator_host sensor_host }:process { rlimitinh siginh transition }; allow chipset_init { light_host input_user_host wifi_host camera_host power_host audio_host }:process { rlimitinh siginh transition }; allow chipset_init { usb_host blue_host partitionslot_host location_host dcamera_host a2dp_host daudio_host sample_host intell_voice_host }:process { rlimitinh siginh transition }; #for init.usb.configfs.cfg allow chipset_init configfs:dir { add_name create mounton open read search setattr write remove_name rmdir }; allow chipset_init configfs:lnk_file { create unlink }; allow chipset_init configfs:file { write create getattr open }; allow chipset_init configfs:lnk_file { create getattr unlink }; # for /data/service/el0/ allow chipset_init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write rmdir }; allow chipset_init data_file:sock_file { getattr relabelfrom }; allowxperm chipset_init data_file:file ioctl { 0x5413 }; allow chipset_init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write remove_name }; allow chipset_init data_service_file:file { ioctl rename relabelfrom create getattr unlink write write open }; allow chipset_init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write relabelfrom }; allow chipset_init data_service_el0_file:file { create getattr read write open relabelfrom }; allow chipset_init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write }; allow chipset_init data_service_el1_file:file { create getattr setattr relabelto }; # for ifup,hostname,domainname allow chipset_init chipset_init:udp_socket { create ioctl }; allow chipset_init init:unix_dgram_socket { write connect }; allow chipset_init proc_file:file { write open }; allow chipset_init self:capability { net_admin }; # avc: denied { write } for comm="/bin/init" scontext=u:r:chipset_init:s0 tcontext=u:r:sysfs_devices_system_cpu:s0 tclass=file allow chipset_init sysfs_devices_system_cpu:file { write open }; # avc: denied { getopt } for pid=245 comm="chipset_init" scontext=u:r:chipset_init:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=0 allow chipset_init init:unix_stream_socket { getopt }; # avc: denied { rlimitinh } for pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 # avc: denied { siginh } for pid=491 comm="hdf_devhost" scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 # avc: denied { transition } for pid=491 comm="init" path="/vendor/bin/hdf_devhost" dev="mmcblk0p8" ino=13 scontext=u:r:chipset_init:s0 tcontext=u:r:clearplay_host:s0 tclass=process permissive=1 allow chipset_init clearplay_host:process { rlimitinh siginh transition };