# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

allow cloudfiledaemon persist_param:parameter_service { set };
allow cloudfiledaemon persist_param:file { map open read };
allow cloudfiledaemon cloudfile_data_file:dir { rmdir };
allow cloudfiledaemon sa_accesstoken_manager_service:samgr_class { get };
allow cloudfiledaemon sa_param_watcher:samgr_class { get };
allow cloudfiledaemon param_watcher:binder { call transfer };
allow cloudfiledaemon dev_unix_socket:dir { search };
allow cloudfiledaemon paramservice_socket:sock_file { write };
allow cloudfiledaemon kernel:unix_stream_socket { connectto };
allow cloudfiledaemon netsysnative:unix_stream_socket { connectto };
allow cloudfiledaemon netmanager:binder { call transfer };
allow cloudfiledaemon accesstoken_service:binder { call };
allow cloudfiledaemon data_service_file:dir { search };
allow cloudfiledaemon sa_foundation_cesfwk_service:samgr_class { get };
allow cloudfiledaemon foundation:binder { transfer call };
allow cloudfiledaemon sa_foundation_abilityms:samgr_class { get };
binder_call(cloudfiledaemon, powermgr);
allow cloudfiledaemon sa_powermgr_battery_service:samgr_class { get };
allow cloudfiledaemon data_app_file:dir { search open read write };
allow cloudfiledaemon data_app_el2_file:dir { search read write open };
allow cloudfiledaemon data_app_el2_file:file { lock getattr open read write ioctl map };
allow cloudfiledaemon dev_fuse_file:chr_file { read write };
allow cloudfiledaemon data_service_el2_file:dir { search };
allow cloudfiledaemon data_service_el2_hmdfs:dir { create search read open write add_name remove_name };
allow cloudfiledaemon data_service_el2_hmdfs:file { create setattr getattr read open write append ioctl rename unlink };
allow cloudfiledaemon hmdfs:dir { search write remove_name add_name create open read rmdir rename reparent };
allow cloudfiledaemon hmdfs:file { read open getattr create append rename unlink ioctl };
allowxperm cloudfiledaemon hmdfs:file ioctl { 0xf202 0x5413 };
allow cloudfiledaemon storage_daemon:fd { use };
allow cloudfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add get_remote get };
allow cloudfiledaemon hap_domain:binder { call transfer };
debug_only(`
    allow cloudfiledaemon sh:binder { call };
')
allow cloudfiledaemon sa_net_conn_manager:samgr_class { get };
allow cloudfiledaemon dev_console_file:chr_file { read write };
allow cloudfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add };
allow cloudfiledaemon data_service_el1_file:dir { search write add_name create remove_name read open };
allow cloudfiledaemon data_service_el1_file:file { create write open getattr setattr read rename unlink lock map };
allow cloudfiledaemon cloudfile_data_file:dir { search write add_name create remove_name read open setattr getattr };
allow cloudfiledaemon cloudfile_data_file:file { create write open getattr setattr read rename unlink lock map ioctl };
allowxperm cloudfiledaemon cloudfile_data_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 };
allow cloudfiledaemon hap_domain:binder { call };
allow cloudfiledaemon data_file:dir { search };
allow cloudfiledaemon dev_ashmem_file:chr_file { open };
allow cloudfiledaemon distributeddata:binder { transfer call };
allow cloudfiledaemon distributeddata:fd { use };
allow cloudfiledaemon data_user_file:dir { read open search add_name write remove_name create rmdir rename reparent };
allow cloudfiledaemon data_user_file:file { read open getattr write create rename unlink append ioctl setattr };
allow cloudfiledaemon cloudfiledaemon:udp_socket { create bind read write node_bind connect getattr ioctl setopt };
allowxperm cloudfiledaemon cloudfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b };
allow cloudfiledaemon node:udp_socket { node_bind };
allow cloudfiledaemon node:tcp_socket { node_bind };
allow cloudfiledaemon cloudfiledaemon:tcp_socket { read create setopt connect getopt getattr write bind shutdown listen accept };
allow cloudfiledaemon port:tcp_socket { name_connect name_bind };
allow cloudfiledaemon system_bin_file:dir { search };
allow cloudfiledaemon medialibrary_hap_data_file:dir { search read open };
allow cloudfiledaemon medialibrary_hap_data_file:file { read open getattr write ioctl lock map };
allow cloudfiledaemon sa_dataobs_mgr_service_service:samgr_class { get };
allow cloudfiledaemon sa_distributeddata_service:samgr_class { get };
allow cloudfiledaemon normal_hap_attr:fd { use };
allow cloudfiledaemon system_core_hap_attr:fd { use };
allow cloudfiledaemon hmdfs:file { write };
allow cloudfiledaemon data_service_el2_hmdfs:file { lock };
allow cloudfiledaemon data_storage:dir { search };
allow cloudfiledaemon data_service_el2_hmdfs:file { create_file_perms_without_ioctl };
allow cloudfiledaemon data_service_el2_hmdfs:dir { create_dir_perms_without_ioctl };
allow cloudfiledaemon accountmgr:binder { call };
allow accountmgr cloudfiledaemon:binder { transfer };
allow cloudfiledaemon sa_accountmgr:samgr_class { get };
allow cloudfiledaemon sa_powermgr_powermgr_service:samgr_class { get };
allow cloudfiledaemon dev_unix_file:sock_file { write };
allow cloudfiledaemon sa_softbus_service:samgr_class { get };
allow cloudfiledaemon softbus_server:binder { call transfer };
allow cloudfiledaemon softbus_server:fd { use };
allow cloudfiledaemon softbus_server:tcp_socket { read write setopt shutdown };
allow cloudfiledaemon cloudfiledaemon:binder { call };
allow cloudfiledaemon cloudfiledaemon:netlink_route_socket { create };
allow cloudfiledaemon cloudfiledaemon:unix_dgram_socket { getopt };
allow cloudfiledaemon media_library_param:file { map open read };
allow cloudfiledaemon resource_schedule_service:binder { call transfer };
allow cloudfiledaemon sa_resource_schedule:samgr_class { get };
allow resource_schedule_service cloudfiledaemon:binder { call };