# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Types used by the hnp tool. hnp is the process domain (it is the scontext of
# every record quoted in this file), hnp_exec carries exec_attr (presumably the
# label of the hnp executable; file_contexts is not shown here), and hnp_file
# is the label hnp is allowed to create and relabel to further down.
# The declarations sit outside developer_only(), so the types exist in every
# policy build, while the allow rules that follow are all inside the macro.
type hnp, native_system_domain, domain;
type hnp_exec, system_file_attr, exec_attr, file_attr;
type hnp_file, file_attr, data_file_attr;

developer_only(`
# NOTE(review): the rules below were written from "avc: denied" records that
# carry permissive=1, quoted above each rule. In permissive mode every access
# the process attempts is logged, including those of sh and lsof children that
# ran in the hnp domain, so each grant is worth checking against what hnp needs
# before it is kept.
# Comments inside this block must not contain m4 quote characters, because the
# whole block is a single quoted macro argument.

# Path traversal through the directory named "app".
# avc:  denied  { search } for  pid=12202 comm="hnp" name="app" dev="sdd78" ino=634 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_file:s0 tclass=dir permissive=1
allow hnp data_app_file:dir { search };

# data_service_el1_file, regular files.
# NOTE(review): in the records below this one label covers both hnp_info.json
# under /data/service/el1/startup and a .hap under
# /data/service/el1/public/bms/bundle_manager_service/security_stream_install,
# so create and write here are not limited to the hnp state file. A dedicated
# type for hnp_info.json would let the write grant be scoped to that file.
# avc:  denied  { ioctl } for  pid=6695 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11577 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { write } for  pid=6695 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11577 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=5378 comm="hnp" path="/data/service/el1/public/bms/bundle_manager_service/security_stream_install/606593336461000/6065932/28786a5ac.hap" dev="sdd78" ino=12581 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { create } for  pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { getattr } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { read open } for  pid=12202 comm="hnp" path="/data/service/el1/startup/hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=12202 comm="hnp" name="hnp_info.json" dev="sdd78" ino=11821 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
allow hnp data_service_el1_file:file { create getattr ioctl map open read write };

# The only ioctl command in the records above is 0x5413 (TIOCGWINSZ on Linux),
# so ioctl on this type is restricted to that command.
allowxperm hnp data_service_el1_file:file ioctl { 0x5413 };

# data_service_el1_file, directories: hnp_info.json is created inside "startup".
# avc:  denied  { add_name } for  pid=8919 comm="hnp" name="hnp_info.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { write } for  pid=8919 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { search } for  pid=12202 comm="hnp" name="startup" dev="sdd78" ino=14 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
allow hnp data_service_el1_file:dir { add_name search write };

# Kernel log device /dev/kmsg. The write record comes from hnp itself, the
# getattr record from an lsof child running in the hnp domain.
# avc:  denied  { write } for  pid=6695 comm="hnp" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
# avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
allow hnp dev_kmsg_file:chr_file { getattr write };

# NOTE(review): dac_override lets the domain bypass discretionary (owner and
# mode) permission checks on files. Combined with the create, write and unlink
# grants on data_app_el1_file and data_service_el1_file elsewhere in this file,
# UNIX ownership no longer limits what hnp can modify under those labels.
# The record shows only that the capability was exercised, not which path
# needed it; correcting the owner or mode of that path is the narrower fix.
# avc:  denied  { dac_override } for  pid=8158 comm="hnp" capability=1  scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1
allow hnp self:capability { dac_override };

# data_app_el1_file, directories: create, list and remove the per-package tree
# under /data/app/el1/bundle/100/hnppublic.
# NOTE(review): the label is not specific to hnppublic. The search record below
# shows it on the parent directory "bundle" as well, so these grants reach
# beyond the hnp install tree. Rules further down in this file relabel
# directories from data_app_el1_file to hnp_file; once installed trees carry
# hnp_file, the write-type permissions on this shared label are candidates for
# removal (confirm against the labelling done by the hnp binary).
# avc:  denied  { add_name } for  pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { create } for  pid=7556 comm="hnp" name="cfg" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { getattr } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib" dev="sdd78" ino=12153 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { write } for  pid=7556 comm="hnp" name="hnpsample_1.1" dev="sdd78" ino=12152 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { remove_name } for  pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { rmdir } for  pid=9178 comm="hnp" name="hnpsample.org" dev="sdd78" ino=12101 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { read open } for  pid=12202 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { read } for  pid=12202 comm="hnp" name="hnpsample.org" dev="sdd78" ino=11810 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
# avc:  denied  { search } for  pid=12202 comm="hnp" name="bundle" dev="sdd78" ino=638 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
allow hnp data_app_el1_file:dir { add_name create getattr open read remove_name rmdir search write };

# data_app_el1_file, regular files: hnp.json plus the installed binaries and
# libraries (bin/hnpsample, lib/libhnpsamplelib.z.so in the records).
# NOTE(review): these are files that get executed or loaded later, and hnp may
# create, rewrite, chmod and delete them. The 0x66c8 ioctl is issued by a
# thread named EnableCodeSign0, which by its name enables code signing on the
# installed library; confirm in the hnp source that every installed executable
# goes through that step.
# avc:  denied  { create } for  pid=7556 comm="hnp" name="hnp.json" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc:  denied  { ioctl } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc:  denied  { setattr } for  pid=7556 comm="hnp" name="hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc:  denied  { write } for  pid=7556 comm="hnp" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/hnp.json" dev="sdd78" ino=12155 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc:  denied  { unlink } for  pid=9178 comm="hnp" name="hnpsample" dev="sdd78" ino=12109 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc:  denied  { ioctl } for  pid=5378 comm="EnableCodeSign0" path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/lib/libhnpsamplelib.z.so" dev="sdd78" ino=12622 ioctlcmd=0x66c8 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { getattr } for pid=7470, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { write } for pid=7265, comm="/system/bin/hnp"  path="/data/app/el1/bundle/100/hnppublic/hnpsample.org/hnpsample_1.1/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19111 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow hnp data_app_el1_file:file { create getattr ioctl open read setattr unlink write };

# ioctl commands seen in the two ioctl records above: 0x5413 on hnp.json
# (comm="hnp") and 0x66c8 on libhnpsamplelib.z.so (comm="EnableCodeSign0").
# No other ioctl command is permitted on this type.
allowxperm hnp data_app_el1_file:file ioctl { 0x5413 0x66c8 };

# Symlink named after the installed binary.
# avc:  denied  { create } for  pid=5378 comm="hnp" name="hnpsample" scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1
allow hnp data_app_el1_file:lnk_file { create };

# getattr on /proc entries. Each rule in this group answers one record of the
# form
#   avc:  denied  { getattr } for  pid=9325 comm="lsof" path="/proc/<entry>" dev="proc" ino=<ino> scontext=u:r:hnp:s0 tcontext=u:object_r:<type>:s0 tclass=file permissive=1
# The path and inode of the record are kept next to the rule it produced.
#
# NOTE(review): every record here comes from lsof running in the hnp domain,
# not from hnp itself. getattr exposes metadata only, not file content, but
# the list includes labels for sensitive nodes (/proc/kmsg, /proc/keys,
# /proc/iomem, /proc/modules, /proc/slabinfo). If these stat calls are not
# needed for the result hnp wants from lsof, dontaudit rules would silence the
# records without widening the domain; confirm by testing in enforcing mode.
allow hnp proc_buddyinfo_file:file { getattr };   # /proc/buddyinfo   ino=4026531856
allow hnp proc_cgroups_file:file { getattr };     # /proc/cgroups     ino=4026531855
allow hnp proc_cmdline_file:file { getattr };     # /proc/cmdline     ino=4026532315
allow hnp proc_config_gz_file:file { getattr };   # /proc/config.gz   ino=4026532479
allow hnp proc_cpuinfo_file:file { getattr };     # /proc/cpuinfo     ino=4026532317
allow hnp proc_diskstats_file:file { getattr };   # /proc/diskstats   ino=4026532506
allow hnp proc_file:file { getattr };             # /proc/data-ready  ino=4026532862 (generic proc label)
allow hnp proc_iomem_file:file { getattr };       # /proc/iomem       ino=4026532470
allow hnp proc_keys_file:file { getattr };        # /proc/keys        ino=4026532500
allow hnp proc_kmsg_file:file { getattr };        # /proc/kmsg        ino=4026532326
allow hnp proc_loadavg_file:file { getattr };     # /proc/loadavg     ino=4026532320
allow hnp proc_meminfo_file:file { getattr };     # /proc/meminfo     ino=4026532321
allow hnp proc_misc_file:file { getattr };        # /proc/misc        ino=4026532216
allow hnp proc_modules_file:file { getattr };     # /proc/modules     ino=4026532477
allow hnp proc_slabinfo_file:file { getattr };    # /proc/slabinfo    ino=4026532480
allow hnp proc_softirqs_file:file { getattr };    # /proc/softirqs    ino=4026532325
allow hnp proc_stat_file:file { getattr };        # /proc/stat        ino=4026532322
allow hnp proc_swaps_file:file { getattr };       # /proc/swaps       ino=4026532482
allow hnp proc_uptime_file:file { getattr };      # /proc/uptime      ino=4026532323
allow hnp proc_version_file:file { getattr };     # /proc/version     ino=4026532324
allow hnp proc_vmstat_file:file { getattr };      # /proc/vmstat      ino=4026531858
allow hnp proc_zoneinfo_file:file { getattr };    # /proc/zoneinfo    ino=4026531859

# hnp starts /system/bin/sh, and sh starts lsof (a symlink in system_bin_file
# that resolves to /system/bin/toybox, going by the records below).
# NOTE(review): execute_no_trans means there is no domain transition. The
# records confirm it: comm="sh" and comm="lsof" still carry scontext
# u:r:hnp:s0. Every command started this way therefore holds all hnp grants,
# including the dac_override and dac_read_search capabilities and the write
# access to data_app_el1_file. How hnp builds the shell command line is not
# visible in this file; if any part of it derives from package content, that
# path deserves review. Executing the one helper directly, or transitioning it
# to a narrower domain, would remove the general shell from the hnp domain.
# avc:  denied  { execute } for  pid=9325 comm="hnp" name="sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
# avc:  denied  { execute_no_trans } for  pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
# avc:  denied  { read execute } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
# avc:  denied  { read open } for  pid=9325 comm="hnp" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=9325 comm="sh" path="/system/bin/sh" dev="sdd74" ino=677 scontext=u:r:hnp:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=1
allow hnp sh_exec:file { execute execute_no_trans map open read };

# Resolving the lsof symlink.
# avc:  denied  { read } for  pid=9325 comm="sh" name="lsof" dev="sdd74" ino=573 scontext=u:r:hnp:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
allow hnp system_bin_file:lnk_file { read };

# Running toybox (as lsof) in the hnp domain, again without a transition.
# avc:  denied  { execute } for  pid=9325 comm="sh" name="toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { execute_no_trans } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { getattr } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { read execute } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { read open } for  pid=9325 comm="sh" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=9325 comm="lsof" path="/system/bin/toybox" dev="sdd74" ino=714 scontext=u:r:hnp:s0 tcontext=u:object_r:toybox_exec:s0 tclass=file permissive=1
allow hnp toybox_exec:file { execute execute_no_trans getattr map open read };

# The shell opens /dev/tty for reading and writing.
# avc:  denied  { read write open } for  pid=9325 comm="sh" path="/dev/tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
# avc:  denied  { read write } for  pid=9325 comm="sh" name="tty" dev="tmpfs" ino=94 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
allow hnp tty_device:chr_file { open read write };

# getattr on parameter files under /dev/__parameters__. Each rule with an inode
# answers one record of the form
#   avc:  denied  { getattr } for  pid=9207 comm="lsof" path="/dev/__parameters__/u:object_r:<type>:s0" dev="tmpfs" ino=<ino> scontext=u:r:hnp:s0 tcontext=u:object_r:<type>:s0 tclass=file permissive=1
allow hnp default_param:file { getattr };             # ino=275
allow hnp hiviewdfx_profiler_param:file { getattr };  # ino=151
allow hnp hook_param:file { getattr };                # ino=147
allow hnp musl_param:file { getattr };                # ino=153
allow hnp startup_init_param:file { getattr };        # ino=132
# NOTE(review): no denial record is quoted for hitrace_param, unlike the rules
# around it; confirm the access is needed.
allow hnp hitrace_param:file { getattr };

# NOTE(review): dac_read_search lets the domain read files and search
# directories regardless of owner and mode. The record shows it was lsof that
# exercised it, but a capability is granted to the whole hnp domain, so hnp
# and the shell it starts hold it too.
# avc:  denied  { dac_read_search } for  pid=9207 comm="lsof" capability=2  scontext=u:r:hnp:s0 tcontext=u:r:hnp:s0 tclass=capability permissive=1
allow hnp self:capability { dac_read_search };

# More getattr on /proc entries, again all from comm="lsof". The record form is
#   avc:  denied  { getattr } for  pid=<pid> comm="lsof" path="/proc/<entry>" dev="proc" ino=<ino> scontext=u:r:hnp:s0 tcontext=u:object_r:<type>:s0 tclass=file permissive=1
# Only metadata is exposed; /proc/sysrq-trigger is in the list but no write
# permission is granted on it.
allow hnp proc_filesystems_file:file { getattr };     # /proc/filesystems    pid=9207 ino=4026532487
allow hnp proc_interrupts_file:file { getattr };      # /proc/interrupts     pid=9207 ino=4026532319
allow hnp proc_pagetypeinfo_file:file { getattr };    # /proc/pagetypeinfo   pid=9207 ino=4026531857
allow hnp proc_sysrq_trigger_file:file { getattr };   # /proc/sysrq-trigger  pid=9207 ino=4026532528
allow hnp proc_timer_list_file:file { getattr };      # /proc/timer_list     pid=9207 ino=4026532476
allow hnp proc_vmallocinfo_file:file { getattr };     # /proc/vmallocinfo    pid=9207 ino=4026532481
allow hnp proc_partitions_file:file { getattr };      # /proc/partitions     pid=7385 ino=4026532507

# Directory traversal by hnp itself (search only).
# avc:  denied  { search } for  pid=12202 comm="hnp" name="/" dev="sdd78" ino=3 scontext=u:r:hnp:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow hnp data_file:dir { search };
# avc:  denied  { search } for  pid=12202 comm="hnp" name="service" dev="sdd78" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=1
allow hnp data_service_file:dir { search };
# avc:  denied  { search } for  pid=12202 comm="hnp" name="socket" dev="tmpfs" ino=118 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow hnp dev_unix_socket:dir { search };
# avc_audit_slow:262] avc: denied { search } for pid=7470, comm="/system/bin/hnp"  name="/lib64" dev="/dev/block/platform/fa500000.ufs/by-name/chip_prod" ino=9189 scontext=u:r:hnp:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=1
allow hnp chip_prod_file:dir { search };

# hnp reads the vendor file_contexts, presumably to look up labels for the
# relabel it performs elsewhere in this file (confirm in the hnp source).
# avc_audit_slow:262] avc: denied { search } for pid=7265, comm="/system/bin/hnp"  name="/etc/selinux/targeted/contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5687 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
allow hnp vendor_etc_file:dir { search };
# avc_audit_slow:262] avc: denied { getattr } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { open } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { read } for pid=7265, comm="/system/bin/hnp"  path="/vendor/etc/selinux/targeted/contexts/file_contexts" dev="/dev/block/platform/fa500000.ufs/by-name/vendor" ino=5688 scontext=u:r:hnp:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
allow hnp vendor_etc_file:file { getattr open read };

# File descriptors inherited from the installs domain (hnp is started by it,
# going by the fd record on /system/bin/hnp).
# avc:  denied  { use } for  pid=12202 comm="hnp" path="/system/bin/hnp" dev="sdd74" ino=531 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=fd permissive=1
allow hnp installs:fd { use };

# lsof walking /proc/<pid> of a process in the installs domain.
# NOTE(review): the file rule covers /proc/<pid>/maps, which discloses the
# memory layout of an installs process to anything running as hnp, including
# the shell started without a transition. Keep it only if the open-file check
# really needs maps in addition to fd.
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/proc/2646" dev="" ino=7484 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof"  path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  path="/proc/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
# avc_audit_slow:262] avc: denied { search } for pid=7471, comm="/bin/lsof"  name="/2646/fd" dev="" ino=18077 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=dir permissive=1
allow hnp installs:dir { getattr open read search };
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { open } for pid=7471, comm="/bin/lsof"  path="/proc/2646/maps" dev="" ino=18076 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=file permissive=1
allow hnp installs:file { getattr open read };
# avc_audit_slow:262] avc: denied { read } for pid=7471, comm="/bin/lsof"  name="/2646/fd/3" dev="" ino=18087 scontext=u:r:hnp:s0 tcontext=u:r:installs:s0 tclass=lnk_file permissive=1
allow hnp installs:lnk_file { read };

# getattr probes made by lsof (metadata only).
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/binder" dev="" ino=10 scontext=u:r:hnp:s0 tcontext=u:object_r:dev_binder_file:s0 tclass=chr_file permissive=1
allow hnp dev_binder_file:chr_file { getattr };
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="" ino=201 scontext=u:r:hnp:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
allow hnp hilog_param:file { getattr };
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/system/bin/sa_main" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=775 scontext=u:r:hnp:s0 tcontext=u:object_r:samain_exec:s0 tclass=file permissive=1
allow hnp samain_exec:file { getattr };
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/__parameters__/u:object_r:time_param:s0" dev="" ino=222 scontext=u:r:hnp:s0 tcontext=u:object_r:time_param:s0 tclass=file permissive=1
allow hnp time_param:file { getattr };
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/sys/kernel/debug/tracing/trace_marker" dev="" ino=9 scontext=u:r:hnp:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow hnp tracefs_trace_marker_file:file { getattr };

# Terminal devices: lsof stats /dev/tty0, the shell issues ioctl 0x5413
# (TIOCGWINSZ on Linux) on /dev/tty. The allowxperm rule limits ioctl on
# tty_device to that one command.
# avc_audit_slow:262] avc: denied { getattr } for pid=7471, comm="/bin/lsof"  path="/dev/tty0" dev="" ino=47 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
# avc_audit_slow:262] avc: denied { ioctl } for pid=7471, comm="/bin/sh"  path="/dev/tty" dev="" ino=20 ioctlcmd=0x5413 scontext=u:r:hnp:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
allow hnp tty_device:chr_file { getattr ioctl };
allowxperm hnp tty_device:chr_file ioctl { 0x5413 };

# Removing the symlink to an installed binary under hnppublic/bin.
# avc_audit_slow:262] avc: denied { unlink } for pid=7534, comm="/system/bin/hnp"  name="/app/el1/bundle/100/hnppublic/bin/hnpsample" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=19136 scontext=u:r:hnp:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=lnk_file permissive=1
allow hnp data_app_el1_file:lnk_file { unlink };

# The rules from here to the end of the block have no denial record quoted in
# this file, so their origin cannot be checked from the page itself.

# Pipe shared with the installs domain; ioctl is limited to 0x5413.
allow hnp installs:fifo_file { ioctl write };
allowxperm hnp installs:fifo_file ioctl { 0x5413 };

# hnp_file is the dedicated label for hnp-managed content. hnp relabels
# directories from data_app_el1_file to hnp_file and then has the same
# create, modify and delete permissions on hnp_file that it was given on
# data_app_el1_file, plus mounton for directories.
# NOTE(review): once the install tree is labelled hnp_file, the matching
# write-type grants on data_app_el1_file are worth narrowing, since that label
# is shared with content outside the hnp tree.
allow hnp data_app_el1_file:dir { relabelfrom };
allow hnp hnp_file:dir { add_name create getattr mounton open read relabelto remove_name rmdir search setattr write };
allow hnp hnp_file:file { create getattr ioctl open read setattr unlink write };
allowxperm hnp hnp_file:file ioctl { 0x5413 0x66c8 };
allow hnp hnp_file:lnk_file { create getattr unlink };

# Other domains that consume hnp content.
allow appspawn hnp_file:dir { getattr mounton search };
allow hiperf hnp_exec:file { getattr map open read };

# The sh domain may run hnp-installed files directly, without a transition
# (execute_no_trans), so installed binaries run with the permissions of sh.
# NOTE(review): hnp_file content is written by hnp from installed packages,
# which makes the integrity of that install path the control that decides what
# sh ends up executing.
allow sh hnp_file:dir { getattr open read search };
allow sh hnp_file:file { execute execute_no_trans getattr map open read };
allow sh hnp_file:lnk_file { read };

# NOTE(review): these two rules widen the sh domain and reference no hnp type.
# Nothing in this file explains why they are needed here; confirm they belong
# in the hnp policy rather than with the rest of the sh rules.
allow sh key_enable:key { search };
allow sh storage_daemon:key { search };
')