# Copyright (c) 2021-2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. allow memmgrservice data_file:dir { search }; allow memmgrservice data_init_agent:dir { search }; allow memmgrservice data_init_agent:file { ioctl open read append }; allow memmgrservice domain:dir { search }; allow memmgrservice domain:file { open read getattr }; allow memmgrservice accountmgr:binder { call transfer }; allow memmgrservice dev_unix_socket:dir { search }; allow memmgrservice bgtaskmgr_service:binder { call transfer }; allow memmgrservice cgroup:dir { add_name create search open read write }; allow memmgrservice cgroup:file { append getattr ioctl open read write }; allow memmgrservice foundation:binder { call transfer }; allow memmgrservice data_vendor:dir { search }; allow memmgrservice hyperhold_sys:dir { search relabelto write add_name getattr setattr remove_name }; allow memmgrservice hyperhold_sys:file { getattr open read write create rename unlink }; allow memmgrservice memmgrservice:capability { kill sys_resource dac_override sys_ptrace }; neverallow memmgrservice *:process ptrace; allow memmgrservice normal_hap_attr:file { write getattr }; allow memmgrservice normal_hap_attr:process { sigkill }; # denied { read } for pid=274 comm="event_runner#9" name="enable" dev="proc" ino=305072 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 # denied { create } for pid=286 comm="event_runner#11" name="lmkd_dbg_trigger" scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 # denied { ioctl } for pid=286 comm="event_runner#11" path="/proc/lmkd_dbg_trigger" dev="proc" ino=4026532101 ioctlcmd=0x5413 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1 allow memmgrservice proc_file:file { write open read create ioctl getattr }; allow memmgrservice proc_meminfo_file:file { open read getattr }; allow memmgrservice system_basic_hap_attr:file { write getattr }; allow memmgrservice system_basic_hap_attr:process { sigkill }; allow memmgrservice system_core_hap_attr:file { write }; allow memmgrservice system_core_hap_attr:process { sigkill }; allow memmgrservice vendor_lib_file:file { read }; allowxperm memmgrservice cgroup:file ioctl { 0x5413 }; allowxperm memmgrservice data_init_agent:file ioctl 0x5413; # denied { set } for parameter=persist.sys.eswap.permanently.closed pid=287 uid=1111 gid=1111 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=parameter_service permissive=1 allow memmgrservice persist_sys_param:parameter_service { set }; # denied { write } for pid=1798 comm="memmgrservice" name="paramservice" dev="tmpfs" ino=45 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 allow memmgrservice paramservice_socket:sock_file { write }; # denied { connectto } for pid=1798 comm="memmgrservice" path="/dev/unix/socket/paramservice" scontext=u:r:memmgrservice:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 allow memmgrservice kernel:unix_stream_socket { connectto }; # denied { get } for service=200 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1 allow memmgrservice sa_accountmgr:samgr_class { get }; # denied { get } for service=501 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1 allow memmgrservice sa_foundation_appms:samgr_class { get }; allow memmgrservice sa_foundation_cesfwk_service:samgr_class { get }; allow memmgrservice sa_foundation_abilityms:samgr_class { get }; allow memmgrservice sa_bgtaskmgr:samgr_class { get }; allow memmgrservice sa_foundation_bms:samgr_class { get }; allow memmgrservice netsysnative:file { getattr }; # vendor allow memmgrservice vendor_etc_file:dir { search }; allow memmgrservice vendor_etc_file:file { getattr map open read }; # chip allow memmgrservice chip_prod_file:dir { search }; allow memmgrservice chip_prod_file:file { getattr map open read }; # sys allow memmgrservice sys_prod_file:dir { search }; allow memmgrservice sys_prod_file:file { getattr map open read }; # host allow memmgrservice user_auth_host:file { getattr }; allow memmgrservice pin_auth_host:file { getattr }; allow memmgrservice face_auth_host:file { getattr }; allow memmgrservice codec_host:file { getattr }; allow memmgrservice light_host:file { getattr }; allow memmgrservice vibrator_host:file { getattr }; allow memmgrservice sensor_host:file { getattr }; allow memmgrservice input_user_host:file { getattr }; # nandlife_controller allow memmgrservice data_service_file:dir { search }; allow memmgrservice data_service_el1_file:dir { search write add_name }; allow memmgrservice data_service_el1_file:file { read open lock write getattr create }; allow memmgrservice sysfs_devices_system_cpu:file { read open getattr };