1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License
# Parameter types for the hdc control and hdc authorization system parameters;
# both carry parameter_attr. Which domains may set them is constrained by the
# neverallow rules at the end of this file.
type developtools_hdc_control_param, parameter_attr;
type developtools_hdc_auth_param, parameter_attr;
15
developer_only(`
    # NOTE(review): everything inside developer_only() is presumably compiled only
    # into developer builds; confirm against the macro definition before treating
    # it as a production boundary. The neverallow rules at the end of this file sit
    # outside the macro and therefore apply to every build.

    # Scratch areas under /data/local: hdcd may create, write and unlink files in
    # data_local_tmp and read/write/create files in data_local (presumably the
    # hdc file push/pull area; confirm with the daemon code).
    allow hdcd data_local:file { read open getattr create write };
    allow hdcd data_local:dir { search getattr read write add_name open create };
    allow hdcd data_local_tmp:file { write create setattr read append open getattr unlink };
    allow hdcd data_local_tmp:dir { add_name remove_name write create setattr search getattr read open };
    allow hdcd data_local_traces:dir { read open getattr };

    allow hdcd vendor_lib_file:file { read getattr };
    allow hdcd vendor_lib_file:dir { read getattr search };

    # Network surface of the daemon: hdcd creates TCP sockets, binds/listens on
    # port types (name_bind) and accepts connections, and may also connect out
    # (name_connect). UDP is limited to create/setopt/bind.
    allow hdcd self:tcp_socket { accept ioctl setopt read write create bind listen getattr connect name_connect getopt };
    allow hdcd port:tcp_socket { name_bind name_connect };
    allow hdcd node:tcp_socket { node_bind };
    allow hdcd self:udp_socket { create setopt bind };
    allow hdcd port:udp_socket { name_bind };
    allow hdcd node:udp_socket { node_bind };
    # hdcd may signal and kill processes in the sh domain (the shell it spawns,
    # see the domain transition further below).
    allow hdcd sh:process { signal sigkill };
    allow hdcd hdcd_exec:file { open execute_no_trans entrypoint execute map read };

    # Kernel-side access: read the kernel log, connect to kernel-owned unix
    # stream sockets (the paramservice socket, per the AVC logs below) and
    # change scheduling of kernel-domain processes.
    allow hdcd kernel:system { syslog_read };
    allow hdcd kernel:unix_stream_socket { connectto };
    allow hdcd kernel:process { setsched };

    allow hdcd dev_rtc_file:chr_file { write open ioctl };

    allow hdcd vendor_file:dir { getattr };
    allow hdcd tmpfs:dir { open read };
    allow hdcd data_file:dir { read write open getattr search };
    allow hdcd system_file:dir { getattr };
    allow hdcd system_file:file { open };

    allow hdcd tty_device:chr_file { ioctl read write open };
    allow hdcd system_bin_file:lnk_file { read };
    allow hdcd toybox_exec:lnk_file { read };
    allow hdcd system_bin_file:dir { search getattr };
    allow hdcd system_bin_file:file { open };
    allow hdcd toybox_exec:file { getattr map open read };

    allow hdcd lib_file:lnk_file { read };
    allow hdcd vendor_lib_file:file { open map execute };

    allow hdcd dev_unix_socket:dir { search };
    allow hdcd dev_unix_socket:sock_file { write };

    # Pseudo-terminal allocation (ptmx + devpts), presumably for interactive
    # hdc shell sessions, plus the parameter service socket.
    allow hdcd dev_ptmx:chr_file { read write open ioctl };
    allow hdcd dev_pts_file:dir { search };
    allow hdcd devpts:chr_file { read write open };
    allow hdcd paramservice_socket:sock_file { write };

    # NOTE(review): blk_file ioctl on dev_block_file is not narrowed by an
    # allowxperm rule, unlike the tty/devpts/fifo ioctls further below; confirm
    # which block-device ioctls hdcd actually issues and restrict accordingly.
    allow hdcd dev_block_file:dir { search };
    allow hdcd dev_block_file:lnk_file { read };
    allow hdcd dev_block_file:blk_file { ioctl };
    allow hdcd dev_block_volfile:dir { search };

    # Read-only access to system parameter files (mapped from /dev/__parameters__,
    # per the AVC logs below).
    allow hdcd bootevent_param:file { map open read };
    allow hdcd bootevent_samgr_param:file { map open read };
    allow hdcd build_version_param:file { map open read };
    allow hdcd const_allow_mock_param:file { map open read };
    allow hdcd const_allow_param:file { map open read };
    allow hdcd const_build_param:file { map open read };
    allow hdcd const_display_brightness_param:file { map open read };
    allow hdcd const_param:file { map open read };
    allow hdcd const_postinstall_fstab_param:file { map open read };
    allow hdcd const_postinstall_param:file { map open read };
    allow hdcd const_product_param:file { map open read };
    allow hdcd data_log:dir { search };
    allow hdcd debug_param:file { map open read };
    allow hdcd default_param:file { map open read };
    allow hdcd dev_usb_ffs:dir { open read search };
    allow hdcd distributedsche_param:file { map open read };
    allow hdcd faultloggerd_temp_file:dir { search };
    allow hdcd faultloggerd_temp_file:file { getattr open read };
    allow hdcd functionfs:dir { search };
    allow hdcd functionfs:file { open read write };
    allow hdcd hilog_param:file { map open read };
    allow hdcd hw_sc_build_os_param:file { map open read };
    allow hdcd hw_sc_build_param:file { map open read };
    allow hdcd hw_sc_param:file { map open read };
    allow hdcd init_param:file { map open read };
    allow hdcd init_svc_param:file { map open read };
    allow hdcd input_pointer_device_param:file { map open read };
    allow hdcd net_param:file { map read open };
    allow hdcd net_tcp_param:file { map open read };
    allow hdcd ohos_boot_param:file { map open read };
    allow hdcd ohos_param:file { map open read };
    allow hdcd persist_param:file { map open read };
    allow hdcd persist_sys_param:file { map open read };
    allow hdcd security_param:file { map open read };
    allow hdcd startup_param:file { map open read };
    allow hdcd sys_param:file { map open read };
    allow hdcd sys_usb_param:file { map open read };
    allow hdcd tracefs:dir { search };
    allow hdcd tracefs_trace_marker_file:file { write open };
    allow hdcd dev_console_file:chr_file { read write };
    allow hdcd musl_param:file { map read open };

    # hmdfs: the *_without_ioctl macros deliberately omit ioctl; the neverallow
    # rules at the end of this file enforce that omission at build time.
    allow hdcd hmdfs:dir create_dir_perms_without_ioctl;
    allow hdcd hmdfs:file create_file_perms_without_ioctl;

    allow hdcd samgr:binder { call };
    allow hdcd param_watcher:binder { call transfer };
    allow hdcd audio_server:binder { call transfer };
    allow hdcd sa_audio_policy_service:samgr_class { get };
    allow hdcd sa_pulseaudio_audio_service:samgr_class { get };

    #for auth user permit: show system dialog
    # hdcd_user_permit is the helper that shows the system authorization dialog.
    # Each allow rule below follows the AVC denial it was transcribed from.
    #avc: denied { call } for pid=8390, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0
    allow hdcd_user_permit samgr:binder { call };
    #avc: denied { search } for pid=592, comm="/system/bin/samgr" name="/7691" dev="" ino=21628 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=dir permissive=0
    allow samgr hdcd_user_permit:dir { search };
    #avc: denied { read } for pid=597, comm="/system/bin/samgr" path="/proc/4938/attr/current" dev="" ino=14239 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=0
    allow samgr hdcd_user_permit:file { read };
    #avc: denied { transfer } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=1
    allow samgr hdcd_user_permit:binder { call transfer };
    #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/kmsg" dev="" ino=16 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
    allow hdcd_user_permit dev_kmsg_file:chr_file { write };
    #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
    #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
    allow hdcd_user_permit foundation:binder { call transfer };
    #avc: denied { open } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
    #avc: denied { read } for pid=5574, comm="/bin/bm" path="/dev/__parameters__/u:object_r:persist_sys_param:s0" dev="" ino=200 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=file permissive=1
    allow hdcd_user_permit persist_sys_param:file { open read };
    # The denial below was for sceneboard_hap; the rule is written against the
    # wider hap_domain, so any hap domain is reachable over binder.
    #avc: denied { call } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1
    #avc: denied { transfer } for pid=5470, comm="/system/bin/hdcd_user_permit" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sceneboard_hap:s0 tclass=binder permissive=1
    allow hdcd_user_permit hap_domain:binder { call transfer };
    #avc: denied { ioctl } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
    #avc: denied { open } for pid=5570, comm="/bin/sh" path="/dev/tty" dev="" ino=17 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
    #avc: denied { write } for pid=5470, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
    #avc: denied { read write } for pid=7691, comm="/system/bin/hdcd_user_permit" path="/dev/tty0" dev="" ino=56 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
    # tty ioctl is narrowed to 0x5413 (TIOCGWINSZ) by the allowxperm rule.
    allow hdcd_user_permit tty_device:chr_file { ioctl open write read };
    allowxperm hdcd_user_permit tty_device:chr_file ioctl { 0x5413 };
    # avc: denied { open } for pid=623, comm="/system/bin/samgr" path="/proc/5470/attr/current" dev="" ino=16620 scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=file permissive=1
    allow samgr hdcd_user_permit:file { open };
    #avc: denied { getattr } for pid=623, comm="/system/bin/samgr" scontext=u:r:samgr:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=process permissive=1
    allow samgr hdcd_user_permit:process { getattr };
    #avc: denied { get } for service=180 pid=5753 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
    allow hdcd_user_permit sa_foundation_abilityms:samgr_class { get };
    #avc denied { get } for service=401 pid=5574 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
    allow hdcd_user_permit sa_foundation_bms:samgr_class { get };
    #avc: denied { call } for pid=1495, comm="/system/bin/sa_main" scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0
    #avc: denied { transfer } for pid=1492, comm="/system/bin/sa_main"  scontext=u:r:foundation:s0 tcontext=u:r:hdcd_user_permit:s0 tclass=binder permissive=0
    allow foundation hdcd_user_permit:binder { call transfer };

    # Parameters hdcd may set (sys, sys.usb, persist and the reboot control).
    allow hdcd sa_param_watcher:samgr_class { get };
    allow hdcd sys_param:parameter_service { set };
    # hdcd should set sys.usb.ffs.ready
    allow hdcd sys_usb_param:parameter_service { set };
    allow hdcd persist_param:parameter_service { set };
    allow hdcd servicectrl_reboot_param:parameter_service { set };
    #avc: denied { search } for pid=2387 comm="hdcd_user_permi" name="socket" dev="tmpfs" ino=43 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
    allow hdcd_user_permit dev_unix_socket:dir { search };
    #avc: denied { connectto } for pid=2387 comm="hdcd_user_permi" path="/dev/unix/socket/paramservice" scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
    allow hdcd_user_permit kernel:unix_stream_socket { connectto };
    #avc: denied { write } for pid=2387 comm="hdcd_user_permi" name="paramservice" dev="tmpfs" ino=49 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
    allow hdcd_user_permit paramservice_socket:sock_file { write };
    #avc: denied { map } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    #avc: denied { open } for pid=2387 comm="hdcd_user_permi" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    #avc: denied { read } for pid=2387 comm="hdcd_user_permi" name="u:object_r:debug_param:s0" dev="tmpfs" ino=73 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    allow hdcd_user_permit debug_param:file { map open read };
    # Authorization result parameter (persist.hdc.daemon.auth_result, per the AVC
    # log further below). Writers: hdcd, hdcd_user_permit and every hap carrying
    # system_basic_hap_attr.
    # NOTE(review): system_basic_hap_attr is an attribute, so the set rule grants
    # every such hap the ability to write the auth result; confirm that breadth is
    # intended and that hdcd does not trust the value without its own checks.
    allow hdcd developtools_hdc_auth_param:parameter_service { set };
    allow system_basic_hap_attr developtools_hdc_auth_param:parameter_service { set };
    #avc: denied { relabelfrom } for pid=1 comm="init" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:init:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0
    allow init developtools_hdc_auth_param:file { relabelfrom };
    #avc: denied { map } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
    #avc: denied { open } for pid=716 comm="async-50" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
    #avc: denied { read } for pid=716 comm="async-50" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
    # NOTE(review): the denials above were logged for hdcd, but these two rules
    # grant hdcd_user_permit and system_basic_hap_attr; the matching hdcd rule
    # follows below.
    allow hdcd_user_permit developtools_hdc_auth_param:file { map open read };
    allow system_basic_hap_attr developtools_hdc_auth_param:file { map open read };
    #avc: denied { read } for pid=699 comm="async-57" name="u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=0
    #avc: denied { map } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
    #avc: denied { open } for pid=623 comm="async-46" path="/dev/__parameters__/u:object_r:developtools_hdc_auth_param:s0" dev="tmpfs" ino=97 scontext=u:r:hdcd:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=file permissive=1
    allow hdcd developtools_hdc_auth_param:file { read map open };
    #avc: denied { ioctl } for pid=3677 comm="async-62" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x540e scontext=u:r:hdcd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
    # devpts ioctl narrowed to 0x540e (TIOCSCTTY) and 0x5414 (TIOCSWINSZ).
    allow hdcd devpts:chr_file { ioctl };
    allowxperm hdcd devpts:chr_file ioctl { 0x540e 0x5414 };
    #avc: denied { ioctl } for pid=5516 comm="SaInit0" path="/data/service/el1/public/netmanager/net_stats_data.db" dev="mmcblk0p15" ino=239 ioctlcmd=0xf50c scontext=u:r:netmanager:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
    # NOTE(review): the denial above was logged for netmanager, not hdcd; confirm
    # hdcd itself needs ioctl 0xf50c on data_service_el1_file before keeping this.
    allow hdcd data_service_el1_file:file { ioctl };
    allowxperm hdcd data_service_el1_file:file ioctl { 0xf50c };
    #avc: denied { map } for pid=14537 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1
    #avc: denied { open } for pid=5554 comm="sh" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=70 scontext=u:r:sh:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1
    # NOTE(review): the two denials above and the fd denial below were logged for
    # the sh domain (hdcd transitions to sh further down), yet the rules are
    # granted to hdcd; confirm which domain actually needs them.
    allow hdcd hook_param:file { map open };
    #avc: denied { use } for pid=5554 comm="sh" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:sh:s0 tcontext=u:r:init:s0 tclass=fd permissive=1
    allow hdcd init:fd { use };
    #avc: denied { use } for pid=2387 comm="hdcd_user_permi" path="/system/bin/hdcd_user_permit" dev="mmcblk0p7" ino=238 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
    allow hdcd_user_permit sh:fd { use };

    # data_hdc_pubkeys: /data/service/el1/public/hdc/hdc_keys (path from the AVC
    # logs), presumably the store of host public keys hdc trusts. Any domain with
    # create/write/unlink here can change which hosts are accepted, so the set of
    # writers below should stay minimal.
    #avc: denied { add_name } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { write } for pid=623 comm="async-46" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { search } for pid=701 comm="async-18" name="misc" dev="mmcblk0p15" ino=108 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    allow hdcd data_hdc_pubkeys:dir { search getattr read open add_name create write };
    #avc: denied { remove_name } for pid=5502, comm="/system/bin/hdcd" name="/service/el1/public/hdc" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3876 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
    allow hdcd data_hdc_pubkeys:dir { remove_name };
    #avc: denied { getattr } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { open } for pid=728 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys" dev="mmcblk0p15" ino=582 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { append } for pid=623 comm="async-46" name="hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { create } for pid=623 comm="async-46" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { write } for pid=623 comm="async-46" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2116 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { unlink } for pid=6821, comm="/system/bin/hdcd" name="/service/el1/public/hdc/hdc_keys" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=14932 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=0
    allow hdcd data_hdc_pubkeys:file { getattr open append create write unlink };
    # init creates/relabels the key-store directory at boot (denials below).
    #avc: denied { getattr } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
    #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
    #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=0
    allow init data_hdc_pubkeys:dir { getattr open read relabelto setattr };
    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    # NOTE(review): the quoted denial is for hdcd, not init; no init denial on the
    # key file appears here. Confirm init really needs to read the key store.
    allow init data_hdc_pubkeys:file { read };

    # NOTE(review): the four denials quoted next were all logged for hdcd, but the
    # rules grant hdcd_user_permit and init; hdcd gets its own copies below.
    #avc: denied { search } for pid=736 comm="async-40" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
    allow hdcd_user_permit data_service_el1_file:dir { search };
    #avc: denied { search } for pid=736 comm="async-40" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
    allow hdcd_user_permit data_service_file:dir { search };

    #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
    allow init data_service_el1_file:dir { search };
    #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
    allow init data_service_file:dir { search };

    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    allow hdcd data_hdc_pubkeys:file { read };
    #avc: denied { search } for pid=692 comm="async-47" name="el1" dev="mmcblk0p15" ino=9 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
    allow hdcd data_service_el1_file:dir { search };
    #avc: denied { search } for pid=692 comm="async-47" name="service" dev="mmcblk0p15" ino=8 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
    allow hdcd data_service_file:dir { search };
    # fd inheritance between hdcd and the hdcd_user_permit helper (both directions
    # are written out; the quoted denial is the hdcd_user_permit -> hdcd one).
    #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0
    allow hdcd hdcd:fd { use };
    #avc: denied { use } for pid=5024 comm="hdcd_user_permi" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0
    allow hdcd_user_permit hdcd:fd { use };
    # NOTE(review): the /dev/null ioctl and startup_init_param denials below were
    # logged for the sh domain, but the rules are granted to hdcd_user_permit;
    # confirm the helper itself issues them.
    #avc: denied { ioctl } for pid=5024 comm="sh" path="/dev/null" dev="tmpfs" ino=3 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:dev_null_file:s0 tclass=chr_file permissive=0
    allow hdcd_user_permit dev_null_file:chr_file { ioctl };
    allowxperm hdcd_user_permit dev_null_file:chr_file ioctl { 0x5413 };
    #avc: denied { map } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
    #avc: denied { open } for pid=13700 comm="sh" path="/dev/__parameters__/u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
    #avc: denied { read } for pid=13700 comm="sh" name="u:object_r:startup_init_param:s0" dev="tmpfs" ino=55 scontext=u:r:sh:s0 tcontext=u:object_r:startup_init_param:s0 tclass=file permissive=1
    allow hdcd_user_permit startup_init_param:file { map open read };
    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
    #avc: denied { write } for pid=12045 comm="hdcd_user_permi" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
    allow hdcd_user_permit dev_console_file:chr_file { read write };
    # Communication channel back to hdcd: an inherited unix stream socket and a
    # pipe (pipe ioctl narrowed to 0x5413).
    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1
    #avc: denied { read write } for pid=10916 comm="hdcd_user_permi" path="socket:[20161]" dev="sockfs" ino=20161 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=unix_stream_socket permissive=1
    allow hdcd_user_permit hdcd:unix_stream_socket { read write };
    #avc: denied { ioctl } for pid=2387 comm="hdcd_user_permi" path="pipe:[37910]" dev="pipefs" ino=37910 ioctlcmd=0x5413 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1
    #avc: denied { write } for pid=13700 comm="hdcd_user_permi" path="pipe:[89014]" dev="pipefs" ino=89014 scontext=u:r:hdcd_user_permit:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=1
    allow hdcd_user_permit hdcd:fifo_file { ioctl write };
    allowxperm hdcd_user_permit hdcd:fifo_file ioctl { 0x5413 };
    # The helper reports the user decision by setting the auth result parameter.
    #avc: denied { set } for parameter=persist.hdc.daemon.auth_result pid=12378 uid=2000 gid=2000 scontext=u:r:hdcd_user_permit:s0 tcontext=u:object_r:developtools_hdc_auth_param:s0 tclass=parameter_service permissive=1
    allow hdcd_user_permit developtools_hdc_auth_param:parameter_service { set };
    # NOTE(review): none of the denials quoted below were logged for
    # hdcd_user_permit (they are init, sh and hdcd), yet the two rules that follow
    # give the helper relabelto/setattr on the key-store directory and
    # create/write on the key file, i.e. the ability to alter the trusted keys.
    # Confirm each permission is exercised by the helper itself; drop the rest.
    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { relabelto } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { setattr } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { getattr } for pid=8467 comm="ls" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:sh:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { open } for pid=1 comm="init" path="/data/service/el1/public/hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { read } for pid=1 comm="init" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { add_name } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    #avc: denied { write } for pid=716 comm="async-50" name="hdc" dev="mmcblk0p15" ino=12 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=dir permissive=1
    allow hdcd_user_permit data_hdc_pubkeys:dir { open read relabelto setattr getattr add_name create write };
    #avc: denied { append } for pid=716 comm="async-50" name="hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { create } for pid=716 comm="async-50" name="hdc_keys" scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { read } for pid=703 comm="async-26" name="hdc_keys" dev="mmcblk0p15" ino=1974 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    #avc: denied { write } for pid=716 comm="async-50" path="/data/service/el1/public/hdc/hdc_keys/hdc_keys" dev="mmcblk0p15" ino=2083 scontext=u:r:hdcd:s0 tcontext=u:object_r:data_hdc_pubkeys:s0 tclass=file permissive=1
    allow hdcd_user_permit data_hdc_pubkeys:file { append create read write };

    # Control of the profiling/tracing daemons hdcd drives, plus direct execution
    # (execute_no_trans: no domain change, so these run with hdcd privileges) of
    # the hilogd/hiview/hisysevent binaries.
    allow hdcd hiprofiler_plugins:process { signal };
    allow hdcd hiprofilerd:process { signal };
    allow hdcd bytrace:process { signal };
    allow hdcd hitrace:process { signal };
    allow hdcd hidumper:process { signal };
    allow hdcd hidumper_file:dir { search };
    allow hdcd hiperf:process { signal };
    allow hdcd hidumper_file:file { getattr open read };
    allow hdcd hilogd_exec:file { execute read open getattr execute_no_trans map };
    allow hdcd hiview_exec:file { execute read open getattr execute_no_trans map };
    allow hdcd hisysevent_exec:file { execute read open getattr execute_no_trans map };

    # for recv /data/log and /data/log/hilog
    allow hdcd data_log:dir { getattr read open };
    allow hdcd data_log:file { getattr read open };
    allow hdcd data_hilogd_file:dir { getattr read open };
    allow hdcd data_hilogd_file:file { getattr read open };

    # for read hdc.version
    # (the debug_param:file rule duplicates the one near the top; duplicate allow
    # rules are merged by the policy compiler)
    allow hdcd debug_param:file { map read open };
    allow hdcd debug_param:parameter_service { set };

    # hdcd may connect to unix stream sockets of every hap domain (all three hap
    # attributes) and of sh.
    allow hdcd { normal_hap_attr system_basic_hap_attr system_core_hap_attr sh }:unix_stream_socket { connectto };

    # Executing sh_exec from hdcd transitions into the sh domain (hdc shell).
    domain_auto_transition_pattern(hdcd, sh_exec, sh);

    ## temporary change so hdcd can fetch an app file from its sandbox
    # access /data/app/el2/100/base/<bundleName>
    # (read-only; the neverallow at the end of this file blocks hdcd from every
    # hap data file type other than debug_hap_data_file)
    allow hdcd data_app_file:dir { search getattr read open };
    allow hdcd data_app_el2_file:dir { search getattr read open };
    allow hdcd debug_hap_data_file:dir { search getattr read open };
    allow hdcd debug_hap_data_file:file { getattr read open };

    # Reverse direction: samgr inspects hdcd proc entries and transfers binder
    # objects to it; param_watcher calls it over binder.
    allow samgr hdcd:dir { search };
    allow samgr hdcd:file { read open };
    allow samgr hdcd:process { getattr };
    allow samgr hdcd:binder { transfer };
    allow param_watcher hdcd:binder { call };

    # avc_audit_slow:272] avc: denied { read } for pid=1690, comm="/system/bin/hdcd"  name="/thread-self" dev="" ino=41 scontext=u:r:hdcd:s0 tcontext=u:object_r:proc_file:s0 tclass=lnk_file permissive=0
    allow hdcd proc_file:lnk_file { read };
    # avc:  denied  { search } for  pid=5252 comm="OS_FFRT_2_4" name="/" dev="proc" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:proc_file:s0 tclass=dir permissive=1
    allow hdcd proc_file:dir { search };
')
325
# These neverallow rules are outside developer_only() and so hold in every build.

# hmdfs: the create_*_perms_without_ioctl macros used above deliberately omit
# ioctl; these rules turn that omission into a build-time check.
neverallow hdcd hmdfs:dir ioctl;
neverallow hdcd hmdfs:file ioctl;

# hdc control
# Only usb_host, init and edm_sa may set the hdc control parameter; hdcd itself
# is not exempted.
neverallow { domain -usb_host -init -edm_sa } developtools_hdc_control_param:parameter_service { set };
# Only hdcd and the helper itself may execute hdcd_user_permit_exec.
neverallow { domain -hdcd_user_permit -hdcd } hdcd_user_permit_exec:file { execute };
# Writers of the hdc authorization result parameter.
# NOTE(review): system_basic_hap_attr is an attribute, so every hap carrying it
# is exempt from this neverallow; confirm that breadth is intended.
neverallow { domain -hdcd -hdcd_user_permit -system_basic_hap_attr } developtools_hdc_auth_param:parameter_service { set };
# hdcd gets no access of any kind to hap data files; the only exception is
# debug_hap_data_file, which developer_only() above grants read-only.
neverallow hdcd { normal_hap_data_file_attr system_basic_hap_data_file_attr system_core_hap_data_file_attr -debug_hap_data_file }:{ dir file } *;
334