# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# avc:  denied  { execute } for  pid=3708 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore/libs/arm64/libweb_engine.so" dev="sdd78" ino=30131 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow isolated_gpu data_app_el1_file:dir { getattr };
# allow isolated_gpu data_app_el1_file:dir { execute };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=112 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow isolated_gpu dev_unix_socket:dir { search };

# avc:  denied  { use } for  pid=3708 comm="ei.hmos.browser" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:isolated_gpu:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1
allow isolated_gpu nwebspawn:fd { use };
allow isolated_gpu nwebspawn:unix_dgram_socket { write connect};

# avc:  denied  { call } for  pid=3708 comm="ei.hmos.browser" scontext=u:r:isolated_gpu:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1
allow isolated_gpu time_service:binder { call };

# avc:  denied  { getattr } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { read open } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
allow isolated_gpu system_file:file { getattr read open map };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="bin" dev="sdd74" ino=338 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
allow isolated_gpu system_bin_file:dir { search };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
allow isolated_gpu tracefs:dir { search };

allow isolated_gpu sa_foundation_appms:samgr_class { get };
allow isolated_gpu sa_param_watcher:samgr_class { get };
allow isolated_gpu sa_render_service:samgr_class { get };
allow isolated_gpu sa_time_service:samgr_class { get };
allow isolated_gpu data_app_el1_file:file { execute };
allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open };
# avc:  denied  { ioctl } for  pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
allowxperm isolated_gpu dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x800c 0x800e 0x800f 0x8016 0x8019 0x801d 0x8026 };
allow isolated_gpu hap_domain:binder { call transfer };
allow isolated_gpu hap_domain:fd { use };
allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown};
allow isolated_gpu nwebspawn:fifo_file { write };
allow isolated_gpu persist_param:file { map read open };
allow isolated_gpu render_service:unix_stream_socket { write read };

allow isolated_gpu sa_foundation_bms:samgr_class { get };
allow isolated_gpu sysfs_devices_system_cpu:dir { read open };
allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open };

allow isolated_gpu allocator_host:fd { use };
allow isolated_gpu ohos_boot_param:file { map read open };
allow isolated_gpu sa_resource_schedule:samgr_class { get };
allow isolated_gpu web_private_param:file { map open read };

allow isolated_gpu allocator_host:binder { call };
allow isolated_gpu av_codec_service:binder { call transfer };
allow isolated_gpu dev_ashmem_file:chr_file { open };
allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get };
allow isolated_gpu hiview:unix_dgram_socket { sendto };
allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt };
allow isolated_gpu persist_sys_param:file { map open read };
allow isolated_gpu sa_av_codec_service:samgr_class { get };
allow isolated_gpu sa_device_service_manager:samgr_class { get };
allow isolated_gpu codec_host:fd { use };
allow isolated_gpu av_codec_service:fd { use };

allow isolated_gpu isolated_gpu:process { ptrace };

# avc_audit_slow:267] avc: denied { write } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
allow isolated_gpu appspawn:unix_dgram_socket { write };
 
# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow isolated_gpu codec_host:binder { call transfer };
 
# avc_audit_slow:267] avc: denied { search } for pid=43562, comm="/system/bin/appspawn"  name="/app/el1/bundle/public/com.ohos.nweb/libs/arm64" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16288 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
allow isolated_gpu data_app_el1_file:dir { search };
 
# avc_audit_slow:267] avc: denied { getattr } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow isolated_gpu data_app_el1_file:file { getattr map open read };
 
# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow isolated_gpu foundation:binder { call transfer };
 
# avc_audit_slow:267] avc: denied { call } for pid=41570, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow isolated_gpu hdf_devmgr:binder { call };
 
# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
allow isolated_gpu hichecker_writable_param:file { map open read };
 
# avc_audit_slow:267] avc: denied { use } for pid=37163, comm="/system/bin/appspawn"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:r:isolated_render:s0 tclass=fd permissive=1
allow isolated_gpu isolated_render:fd { use };
 
# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow isolated_gpu param_watcher:binder { call transfer };
 
# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
allow isolated_gpu render_service:binder { call transfer };
 
# avc_audit_slow:267] avc: denied { use } for pid=1391, comm="/system/bin/render_service"  path="anon_inode:sync_file" dev="" ino=0 scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1
allow isolated_gpu render_service:fd { use };
 
# avc_audit_slow:267] avc: denied { call } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
allow isolated_gpu samgr:binder { call transfer };
 
# avc:  denied  { get } for service=codec_component_manager_service sid=u:r:isolated_gpu:s0 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hdf_codec_component_manager_service:s0 tclass=hdf_devmgr_class permissive=1
allow isolated_gpu hdf_codec_component_manager_service:hdf_devmgr_class { get };