# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

allow netsysnative dev_unix_socket:dir { search };
allow netsysnative dev_unix_socket:sock_file { write };
allow netsysnative netsysnative:capability { net_admin net_raw net_bind_service sys_resource sys_admin };
allow netsysnative netsysnative:netlink_route_socket { create listen nlmsg_write write };
allow netsysnative netsysnative:unix_dgram_socket { ioctl };
allow netsysnative netsysnative:tcp_socket { connect create getattr getopt read setopt write };
allow netsysnative sh_exec:file { execute execute_no_trans map open read };
allow netsysnative netsysnative:bpf { map_create map_read map_write prog_load prog_run };
allow netsysnative sys_file:dir { mounton };
allow netsysnative system_bin_file:lnk_file { read };
allow netsysnative toybox_exec:lnk_file { read };
allow netsysnative netsysnative:netlink_nflog_socket { bind getopt setopt };
allow netsysnative netsysnative:rawip_socket { create getopt setopt };
allow netsysnative proc_file:file { write open read };
allow netsysnative proc_net:file { getattr };
allow netsysnative system_bin_file:file { execute execute_no_trans getattr map open read };
allow netsysnative toybox_exec:file { execute execute_no_trans getattr map open read };
allow netsysnative system_etc_file:file { lock };
allow netsysnative tty_device:chr_file { open read write };
allow netsysnative netsysnative:udp_socket { bind read getopt setopt connect write ioctl };
allow netsysnative port:udp_socket { name_bind };
allow netsysnative node:udp_socket { node_bind };
allow netsysnative netsysnative:netlink_nflog_socket { read };
allow netsysnative dev_file:sock_file { write unlink };
allow netsysnative dev_console_file:chr_file { read write };
allow netsysnative dev_file:dir { remove_name };
allow netsysnative netsysnative:netlink_netfilter_socket { listen };
allow netsysnative netsysnative:netlink_kobject_uevent_socket { listen };
allow netsysnative system_bin_file:lnk_file { read };
allow netsysnative toybox_exec:lnk_file { read };
allow netsysnative accessibility_param:file { read open map };
allow netsysnative data_service_file:dir { search };
allow netsysnative data_service_el1_file:dir { search write add_name };
allow netsysnative data_service_el1_file:file { create write open ioctl read };
allow netsysnative fwmark_service:sock_file { create unlink setattr write };
allow netsysnative dnsproxy_service:sock_file { create unlink setattr };
allow netsysnative netsysnative:process { setfscreate };
allow netsysnative normal_hap_attr:fd { use };
allow netsysnative normal_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:unix_dgram_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:udp_socket { read write getopt setopt };
allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt };
allow init dev_unix_file:sock_file { unlink };
allowxperm netsysnative netsysnative:udp_socket ioctl { 0x8933 0x8953 0x8955 0x8915 0x891b 0x8913 0x8927 0x8914 0x8916 0x891c 0x8922 };
allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 };

allow netsysnative system_basic_hap_attr:fd { use };
allow netsysnative system_basic_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative dev_tun_file:chr_file { open read write ioctl };
allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto };
allow netsysnative system_basic_hap_attr:udp_socket { read write getopt setopt };

allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 };

allow netsysnative iptables_exec:lnk_file { read };
allow netsysnative iptables_exec:file { execute read open execute_no_trans map };
allow netsysnative netsysnative:packet_socket { read bind create ioctl setopt };
allow netsysnative netsysnative:bpf { map_read prog_load map_create prog_run map_write };
allow netsysnative data_file:file { read };
allow netsysnative sa_netsys_ext_service:samgr_class { add get };

allow netsysnative sys_file:filesystem { mount };
allow netsysnative netsysnative:process { rlimitinh transition siginh };
allow netsysnative netsysnative:capability2 { bpf };
allow netsysnative netsysnative:capability { net_raw sys_resource sys_admin net_admin };
allow netsysnative netsysnative:rawip_socket { write setopt getopt create };
allow netsysnative netsysnative:unix_dgram_socket { ioctl };
allow netsysnative debug_param:file { map open read };
allow netsysnative dev_console_file:chr_file { write read };
allow netsysnative dev_unix_socket:dir { search };
allow netsysnative hilog_param:file { map open read };
allow netsysnative musl_param:file { map open read };
allow netsysnative param_watcher:binder { call transfer };
allow netsysnative proc_net:file { getattr };
allow netsysnative sa_param_watcher:samgr_class { get };
allow netsysnative sh_exec:file { read map execute_no_trans execute open };
allow netsysnative sysfs_net:dir { open read };
allow netsysnative system_bin_file:dir { search };
allow netsysnative system_bin_file:file { read map execute_no_trans execute open };
allow netsysnative toybox_exec:file { read map execute_no_trans execute open getattr };
allow netsysnative system_etc_file:file { lock };
allow netsysnative tracefs:dir { search };
allow netsysnative tracefs_trace_marker_file:file { write open };
allow netsysnative sys_file:dir { mounton };
allow netsysnative fs_bpf:dir { getattr search mounton add_name create write };
allow netsysnative fs_bpf:file { create setattr write read };
allow netsysnative fs_bpf:filesystem { mount };
allow netsysnative netsysnative:netlink_route_socket { setopt bind setattr getattr listen read nlmsg_read nlmsg_readpriv nlmsg_write create write };
allow netsysnative netsysnative:netlink_tcpdiag_socket { create connect write nlmsg_read read nlmsg_write };
allow netsysnative system_core_hap_attr:fd { use };
allow netsysnative system_core_hap_attr:tcp_socket { read write getopt setopt };
allow netsysnative system_core_hap_attr:udp_socket { read write getopt setopt };
allow netsysnative edm_sa:binder { call };
allow netsysnative sysfs_devices_system_cpu:file { read open getattr };
allow netsysnative dev_kmsg_file:chr_file { open write };

allow netsysnative sa_distributed_net_service:samgr_class { add get };

allow netsysnative cgroup2:dir { read open };

allow netsysnative sa_netvirt_ext:samgr_class { add };

allow init fs_bpf:dir { add_name create mounton open read search setattr write };
allow init fs_bpf:file { create getattr open };
allow init fs_bpf:filesystem { mount };
allow init fs_bpf:file { write };
allow init fs_bpf:lnk_file { create };
allow init cgroup2:dir { add_name create mounton open read search setattr write };
allow init cgroup2:file { create getattr open };
allow init cgroup2:filesystem { mount };
allow init cgroup2:file { write };
allow init cgroup2:lnk_file { create };

allow init dnsproxy_service:sock_file { getattr unlink setattr relabelto };
allow netsysnative dnsproxy_service:sock_file { setattr };
allow init fwmark_service:sock_file { getattr unlink setattr relabelto };
allow netsysnative fwmark_service:sock_file { setattr };

allow domain fwmark_service:sock_file { write read };
allow domain dnsproxy_service:sock_file { write read };
allow domain dev_tun_file:chr_file { read write };
allow domain netsysnative:fd { use };

allow netsysnative sa_net_policy_manager:samgr_class { get };

neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -telephony_sa -param_watcher -hidumper_service -samgr -edm_sa -netsysnative_violator_binder_call -security_collector } netsysnative:binder *;
neverallow { domain -netsysnative -rgm_violator_ohos_iptables_exec_file_execute } iptables_exec:file { execute };

allow netsysnative hap_domain:icmp_socket { setopt getopt };