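# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# SELinux type-enforcement rules for the hiebpf domain (eBPF-based tracing
# tool). Rules are grouped by purpose and each (target, class) pair appears
# exactly once, so the full permission set granted on an object can be
# audited on a single line. The permission sets below are the union of the
# rules they replace; no grant was added or removed.

# --- Core tracing capability -------------------------------------------------
# These are the privileged operations the tool exists for: loading and running
# BPF programs, opening kernel-side perf events, and configuring tracefs.
# Any widening here should be reviewed as a kernel-attack-surface change.
allow hiebpf self:bpf { map_create map_read map_write prog_load prog_run };
allow hiebpf self:capability2 { bpf };
allow hiebpf self:perf_event { cpu kernel open write };
# write on tracefs lets the domain change kernel tracing configuration, not
# just read trace output.
allow hiebpf tracefs:dir search;
allow hiebpf tracefs:file { open read write };

# --- Broad process-visibility grants -----------------------------------------
# `domain` is the attribute carried by every process domain, so these two rules
# grant read access to the domain-labelled objects of every process (typically
# the per-process /proc/<pid> entries). This is deliberately wide; confirm it
# is required outside of symbolization/stack-walking before extending it.
allow hiebpf domain:dir { open read getattr search };
allow hiebpf domain:file { open read getattr };
allow hiebpf proc_file:file { getattr open read };

# --- Executable images read/mapped for symbol resolution ---------------------
# { getattr map open read } on executables is consistent with reading and
# mmap-ing binaries to resolve symbols; none of these grant execute.
allow hiebpf appspawn_exec:file { getattr map open read };
allow hiebpf hdcd_exec:file { getattr map open read };
allow hiebpf hilogd_exec:file { getattr map open read };
allow hiebpf hiview_exec:file { getattr map open read };
allow hiebpf init_exec:file { getattr map open read };
allow hiebpf render_service_exec:file { getattr map open read };
allow hiebpf samain_exec:file { getattr map open read };
allow hiebpf toybox_exec:file { getattr map open read };
allow hiebpf uinput_inject_exec:file { getattr map open read };
allow hiebpf hdf_devmgr_exec:file read;
allow hiebpf sh_exec:file read;
allow hiebpf rootfs:file read;

# --- System / vendor library and data directories ----------------------------
allow hiebpf system_bin_file:dir search;
allow hiebpf system_bin_file:file { getattr map open read };
allow hiebpf system_usr_file:dir search;
allow hiebpf system_usr_file:file { getattr map open read };
allow hiebpf vendor_bin_file:dir search;
allow hiebpf vendor_bin_file:file { getattr map open read };
allow hiebpf sys_file:file { getattr open read };
allow hiebpf tmpfs:file { getattr open };

# --- Application and service data read access --------------------------------
allow hiebpf data_file:dir search;
allow hiebpf data_local:dir search;
allow hiebpf data_service_file:dir search;
allow hiebpf data_service_el1_file:dir search;
allow hiebpf data_service_el1_file:file { getattr map open read };
allow hiebpf foundation:dir search;
allow hiebpf foundation:file { getattr open read };
allow hiebpf hidumper_service:file read;
allow hiebpf hiview_file:dir search;
allow hiebpf hiview_file:file { getattr map open read };
allow hiebpf normal_hap_attr:file read;
allow hiebpf powermgr:dir search;
allow hiebpf powermgr:file { getattr open read };

# --- Terminal and hdc (device-connector) interaction -------------------------
allow hiebpf devpts:chr_file { read write };
allow hiebpf tty_device:chr_file { read write };
allow hiebpf hdcd:fd use;
allow hiebpf hdcd:unix_stream_socket { read write };

# --- IPC with the profiler daemon and its plugins ----------------------------
# The domain creates and removes its own socket file under /dev/unix; it does
# not get read/write on arbitrary sock_files in that directory.
allow hiebpf dev_unix_socket:dir { add_name remove_name search write };
allow hiebpf dev_unix_socket:sock_file { create unlink };
allow hiebpf hiprofiler_plugins:fd use;
allow hiebpf hiprofiler_plugins:fifo_file { ioctl write };
allow hiebpf hiprofiler_plugins:unix_stream_socket { read write };
allow hiebpf hiprofilerd:fd use;

# --- Debug builds only -------------------------------------------------------
# sys_ptrace / sys_admin / perfmon are high-impact capabilities and are
# intentionally confined to the debug_only block; they must not be promoted
# to the unconditional section above.
debug_only(`
    allow hiebpf data_local_tmp:dir { add_name search write remove_name };
    allow hiebpf data_local_tmp:file { read write create map open getattr ioctl link unlink };
    allow hiebpf self:capability { sys_ptrace sys_resource sys_admin };
    allow hiebpf self:capability2 { perfmon };
    allow hiebpf sh:fd use;
')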