1# Copyright (c) 2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
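# Allow rules for the isolated_gpu domain: the sandboxed GPU process that
# nwebspawn/appspawn fork for the ArkWeb/nweb browser engine (the audit lines
# show comm="ei.hmos.browser" and "mos.browser:gpu").
#
# Most rules are paired with the permissive-mode AVC denial that motivated
# them. Every line here widens the sandbox boundary, so a rule that has no
# recorded denial should carry a justification before it is kept.

# avc:  denied  { execute } for  pid=3708 comm="ei.hmos.browser" path="/data/storage/el1/bundle/arkwebcore/libs/arm64/libweb_engine.so" dev="sdd78" ino=30131 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# NOTE(review): the denial above is file:execute; it is satisfied by the
# `data_app_el1_file:file { execute }` rule further down, not by this dir rule.
allow isolated_gpu data_app_el1_file:dir { getattr };
# Left disabled on purpose: no recorded denial asks for execute on the directory.
# allow isolated_gpu data_app_el1_file:dir { execute };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="socket" dev="tmpfs" ino=112 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow isolated_gpu dev_unix_socket:dir { search };

# avc:  denied  { use } for  pid=3708 comm="ei.hmos.browser" path="/dev/null" dev="tmpfs" ino=3 scontext=u:r:isolated_gpu:s0 tcontext=u:r:nwebspawn:s0 tclass=fd permissive=1
allow isolated_gpu nwebspawn:fd { use };
# `connect` has no recorded denial here; presumably the dgram socket to
# nwebspawn is connected before it is written — verify against the client code.
allow isolated_gpu nwebspawn:unix_dgram_socket { write connect };

# avc:  denied  { call } for  pid=3708 comm="ei.hmos.browser" scontext=u:r:isolated_gpu:s0 tcontext=u:r:time_service:s0 tclass=binder permissive=1
allow isolated_gpu time_service:binder { call };

# avc:  denied  { getattr } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { read open } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# avc:  denied  { map } for  pid=3708 comm="ei.hmos.browser" path="/system/app/ArkWeb/ArkWebCore.hap" dev="sdd74" ino=256 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
# NOTE(review): this grants read/map of every system_file-labelled file, not
# only the ArkWebCore.hap named in the denials. system_file is typically
# readable by most domains so the widening is usually acceptable, but a
# dedicated type for the .hap would let the grant be narrowed — confirm
# whether one exists.
allow isolated_gpu system_file:file { getattr read open map };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="bin" dev="sdd74" ino=338 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
allow isolated_gpu system_bin_file:dir { search };

# avc:  denied  { search } for  pid=3708 comm="ei.hmos.browser" name="/" dev="tracefs" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
# Only directory search on tracefs is granted; reading trace files is not.
allow isolated_gpu tracefs:dir { search };

# System-ability lookups through samgr. No denials are recorded for these;
# each should correspond to a service the GPU process actually resolves.
allow isolated_gpu sa_foundation_appms:samgr_class { get };
allow isolated_gpu sa_param_watcher:samgr_class { get };
allow isolated_gpu sa_render_service:samgr_class { get };
allow isolated_gpu sa_time_service:samgr_class { get };
# Code loading from the writable app-bundle partition (libweb_engine.so and
# libnweb_render.so under /data/storage/el1/bundle, per the denials in this
# file). Together with the `data_app_el1_file:file { getattr map open read }`
# rule further down this lets the sandbox execute code that lives under /data,
# so its integrity rests on whoever installs those bundles (install-time
# signature checks, presumably) rather than on a read-only image — confirm
# that no less-trusted domain can write data_app_el1_file.
allow isolated_gpu data_app_el1_file:file { execute };
# GPU driver device node; the ioctl set is restricted by the allowxperm below.
allow isolated_gpu dev_mali:chr_file { getattr ioctl map read write open };
# avc:  denied  { ioctl } for  pid=4081 comm="mali-cmar-backe" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8002 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8003 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8005 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8006 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800c scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800e scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x800f scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8016 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8019 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x801d scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8026 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# avc:  denied  { ioctl } for  pid=4081 comm="mos.browser:gpu" path="/dev/mali0" dev="tmpfs" ino=525 ioctlcmd=0x8001 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:dev_mali:s0 tclass=chr_file permissive=1
# NOTE(review): 0x8000 is in this list but has no recorded denial above; the
# other twelve values map one-to-one onto the logged ioctlcmd= fields. Either
# record the denial that needs 0x8000 or drop it. The values here are compared
# against the ioctl number as the audit's ioctlcmd= field reports it.
allowxperm isolated_gpu dev_mali:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x800c 0x800e 0x800f 0x8016 0x8019 0x801d 0x8026 };
# IPC with application domains. No denial is recorded for these three rules;
# if hap_domain is the attribute shared by all application processes, this
# grants binder/fd/socket access towards every app rather than only the
# embedding browser — confirm the intended scope.
allow isolated_gpu hap_domain:binder { call transfer };
allow isolated_gpu hap_domain:fd { use };
allow isolated_gpu hap_domain:unix_stream_socket { read write shutdown };
allow isolated_gpu nwebspawn:fifo_file { write };
allow isolated_gpu persist_param:file { map read open };
allow isolated_gpu render_service:unix_stream_socket { write read };

allow isolated_gpu sa_foundation_bms:samgr_class { get };
allow isolated_gpu sysfs_devices_system_cpu:dir { read open };
allow isolated_gpu sysfs_devices_system_cpu:file { getattr read open };

allow isolated_gpu allocator_host:fd { use };
allow isolated_gpu ohos_boot_param:file { map read open };
allow isolated_gpu sa_resource_schedule:samgr_class { get };
allow isolated_gpu web_private_param:file { map open read };

allow isolated_gpu allocator_host:binder { call };
allow isolated_gpu av_codec_service:binder { call transfer };
# Only open is granted on /dev/ashmem here; read/write/ioctl on it are not,
# so they must come from elsewhere in the policy if needed.
allow isolated_gpu dev_ashmem_file:chr_file { open };
allow isolated_gpu hdf_allocator_service:hdf_devmgr_class { get };
allow isolated_gpu hiview:unix_dgram_socket { sendto };
allow isolated_gpu isolated_gpu:unix_dgram_socket { getopt setopt };
allow isolated_gpu persist_sys_param:file { map open read };
allow isolated_gpu sa_av_codec_service:samgr_class { get };
allow isolated_gpu sa_device_service_manager:samgr_class { get };
allow isolated_gpu codec_host:fd { use };
allow isolated_gpu av_codec_service:fd { use };

# NOTE(review): same-domain ptrace. No denial is recorded for this rule, and
# it permits any isolated_gpu process to ptrace any other process in the
# domain, not only itself. If it exists for in-process stack unwinding or
# crash reporting, document that here; otherwise it should be dropped.
allow isolated_gpu isolated_gpu:process { ptrace };

# avc_audit_slow:267] avc: denied { write } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:appspawn:s0 tclass=unix_dgram_socket permissive=1
allow isolated_gpu appspawn:unix_dgram_socket { write };

# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow isolated_gpu codec_host:binder { call transfer };

# avc_audit_slow:267] avc: denied { search } for pid=43562, comm="/system/bin/appspawn"  name="/app/el1/bundle/public/com.ohos.nweb/libs/arm64" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16288 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=dir permissive=1
allow isolated_gpu data_app_el1_file:dir { search };

# avc_audit_slow:267] avc: denied { getattr } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/data/storage/el1/bundle/nweb/libs/arm64/libnweb_render.so" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=16023 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
# Read/map of the bundle libraries; combined with the file { execute } rule
# above this is the full code-loading path from /data for this domain.
allow isolated_gpu data_app_el1_file:file { getattr map open read };

# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow isolated_gpu foundation:binder { call transfer };

# avc_audit_slow:267] avc: denied { call } for pid=41570, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow isolated_gpu hdf_devmgr:binder { call };

# avc_audit_slow:267] avc: denied { map } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { open } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# avc_audit_slow:267] avc: denied { read } for pid=43562, comm="/system/bin/appspawn"  path="/dev/__parameters__/u:object_r:hichecker_writable_param:s0" dev="" ino=226 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hichecker_writable_param:s0 tclass=file permissive=1
# Read-only access to the parameter page; no write is granted despite the type name.
allow isolated_gpu hichecker_writable_param:file { map open read };

# avc_audit_slow:267] avc: denied { use } for pid=37163, comm="/system/bin/appspawn"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:isolated_gpu:s0 tcontext=u:r:isolated_render:s0 tclass=fd permissive=1
allow isolated_gpu isolated_render:fd { use };

# avc_audit_slow:267] avc: denied { call } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow isolated_gpu param_watcher:binder { call transfer };

# avc_audit_slow:267] avc: denied { call } for pid=37163, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=43562, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
allow isolated_gpu render_service:binder { call transfer };

# avc_audit_slow:267] avc: denied { use } for pid=1391, comm="/system/bin/render_service"  path="anon_inode:sync_file" dev="" ino=0 scontext=u:r:isolated_gpu:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=1
allow isolated_gpu render_service:fd { use };

# avc_audit_slow:267] avc: denied { call } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
# avc_audit_slow:267] avc: denied { transfer } for pid=24439, comm="/system/bin/appspawn"  scontext=u:r:isolated_gpu:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
allow isolated_gpu samgr:binder { call transfer };

# avc:  denied  { get } for service=codec_component_manager_service sid=u:r:isolated_gpu:s0 scontext=u:r:isolated_gpu:s0 tcontext=u:object_r:hdf_codec_component_manager_service:s0 tclass=hdf_devmgr_class permissive=1
allow isolated_gpu hdf_codec_component_manager_service:hdf_devmgr_class { get };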
136