# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the sh domain, the interactive debug shell that
# hdcd hands out to a connected host.
#
# Every rule in this file is wrapped in developer_only(...): it is compiled into
# developer builds only and is absent from release policy. Keep new rules inside
# the macro. Several grants below (executing files out of the writable
# /data/local/tmp, reading /proc of every domain, setting the reboot parameter)
# are tolerable only because the shell does not exist on release devices.
#
# Conventions used here:
#   - allow lines are grouped by the resource they touch, not by the feature
#     that first needed them; identical permissions on the same type/class are
#     merged (SELinux unions allow rules, so this is semantically neutral).
#   - every ioctl permission is narrowed by an allowxperm to an explicit list of
#     request codes; an ioctl outside that list is still denied.
#   - rw_file_perms, read_dir_perms, read_file_perms, create_dir_perms,
#     create_file_perms, domain_auto_transition_pattern, use_hilog, read_hilog,
#     control_hilog and developer_only are defined elsewhere in the policy tree.
#   - m4 is the preprocessor: do not put apostrophes or backquotes in comments
#     inside the developer_only block, they would close the quoted argument.

developer_only(`

# ---------------------------------------------------------------------------
# Self: the shell managing itself and its children (fork, job control,
# signals, scheduling, rlimits) and its own /proc entries.
# ---------------------------------------------------------------------------
allow sh sh:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit };
allow sh sh:fd use;
allow sh sh:file rw_file_perms;
allow sh sh:fifo_file rw_file_perms;
allow sh sh:dir read_dir_perms;
allow sh sh:lnk_file read_file_perms;

# ---------------------------------------------------------------------------
# Root filesystem, /dev and terminals.
# ---------------------------------------------------------------------------
allow sh rootfs:dir { search };
allow sh rootfs:lnk_file { read };
allow sh dev_file:dir { search };
allow sh dev_unix_file:dir { search };
allow sh dev_unix_socket:dir { search };
allow sh dev_null_file:chr_file { read write open };
allow sh dev_random_file:chr_file { read open };
allow sh dev_console_file:chr_file { getattr read write };

## Pseudo-terminals: only the two terminal ioctls listed are permitted
## (by asm-generic/ioctls.h these are TCSETSW and TIOCGWINSZ).
allow sh devpts:chr_file { getattr ioctl read write };
allowxperm sh devpts:chr_file ioctl { 0x5403 0x5413 };

## Terminal devices: termios get/set, foreground process group, session id and
## window size (TCGETS TCSETS TCSETSW TIOCGPGRP TIOCGSID TIOCGWINSZ).
allow sh tty_device:chr_file { getattr ioctl open read write };
allowxperm sh tty_device:chr_file ioctl { 0x5401 0x5402 0x5403 0x540f 0x5410 0x5413 };

# ---------------------------------------------------------------------------
# Networking: enough for toybox ping / ifconfig / netstat style tools.
# Note that rawip_socket and icmp_socket creation is granted; the kernel still
# applies its own capability checks on top of this policy.
# ---------------------------------------------------------------------------
allow sh sh:udp_socket { ioctl bind read write };
## The UDP ioctl list looks like the read-only SIOCGIF* interface queries
## (SIOCGIFCONF, SIOCGIFFLAGS, SIOCGIFADDR, ...) - confirm each code against
## linux/sockios.h before extending it; no SIOCSIF* setter is in the list.
allowxperm sh sh:udp_socket ioctl { 0x8912 0x8913 0x8915 0x8919 0x891b 0x891d 0x8921 0x8927 0x8942 0x8970 };
allow sh sh:icmp_socket { create setopt write read bind };
allow sh sh:rawip_socket { create setopt write read };
allow sh node:udp_socket { node_bind };
allow sh node:icmp_socket { node_bind };
allow sh sh:unix_dgram_socket { connect create write };
allow sh sh:unix_stream_socket { connect create write read setopt };
## Name resolution and netsys control sockets.
allow sh dnsproxy_service:sock_file { read open write };
allow sh netsysnative:unix_stream_socket { connectto };
## Network state under /sys/class/net and /proc/net.
allow sh sysfs_net:dir { search };
allow sh sysfs_net:lnk_file { read };
allow sh proc_net:lnk_file { read };
allow sh proc_net:file { read open getattr };
allow sh proc_net_tcp_udp:file { getattr };

# ---------------------------------------------------------------------------
# System and vendor images: shared libraries (musl), /etc, /bin and toybox.
# Executables are run without a domain transition (execute_no_trans), so the
# resulting process keeps the sh label and all of these rules.
# ---------------------------------------------------------------------------
allow sh system_file:dir { search };
allow sh vendor_file:dir { search };
allow sh system_lib_file:dir { search };
allow sh vendor_lib_file:dir { search };
allow sh system_etc_file:dir { search };
allow sh lib_file:lnk_file { read };
allow sh etc_file:lnk_file { read };
allow sh system_lib_file:file { map read execute open getattr };
allow sh system_etc_file:file { read open getattr map };
## dir read on system_bin_file is for tab completion of command names.
allow sh system_bin_file:dir { search getattr open read };
allow sh system_bin_file:file { execute execute_no_trans getattr map read open };
allow sh system_bin_file:lnk_file { read };
allow sh toybox_exec:file { execute execute_no_trans getattr map read open };
allow sh toybox_exec:lnk_file { read };
allow sh system_fonts_file:dir { getattr search read open };
allow sh system_fonts_file:file { getattr read open };

# ---------------------------------------------------------------------------
# /data: scratch area, logs and debuggable application data.
# ---------------------------------------------------------------------------
allow sh data_file:dir { search getattr };
allow sh data_local:dir read_dir_perms;
allow sh data_local_tmp:dir { create_dir_perms read_dir_perms };
## The shell may create files in /data/local/tmp AND execute them in place,
## i.e. arbitrary code pushed from the host runs with the sh label. This is the
## developer workflow the denials below were recorded for; it must never leave
## the developer_only block.
#avc: denied { execute } for pid=26490 comm="sh" name="hdcd_user_permit" dev="mmcblk0p15" ino=2134 scontext=u:r:sh:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=0
#avc: denied { execute_no_trans } for pid=1621 comm="sh" path="/data/local/tmp/a.sh" dev="mmcblk0p15" ino=1984 scontext=u:r:sh:s0 tcontext=u:object_r:data_local_tmp:s0 tclass=file permissive=0
allow sh data_local_tmp:file { create_file_perms execute execute_no_trans };
## /data/log/hilog: read only.
allow sh data_log:dir { search };
allow sh data_hilogd_file:dir read_dir_perms;
allow sh data_hilogd_file:file read_file_perms;
## Path components down to debuggable HAP data; only debug_hap_data_file
## itself is readable, the intermediate app directories are search-only.
allow sh data_app_file:dir search;
allow sh data_app_el1_file:dir search;
allow sh data_app_el2_file:dir search;
allow sh data_app_el3_file:dir search;
allow sh data_app_el4_file:dir search;
allow sh debug_hap_data_file:dir { search getattr read open };
allow sh debug_hap_data_file:file { getattr read open };

# ---------------------------------------------------------------------------
# procfs / sysfs introspection for ps -efZ.
# domain is the attribute covering every process type, so this lets the shell
# read the /proc/<pid> tree and process attributes of all processes on the
# device, not just its own.
# ---------------------------------------------------------------------------
allow sh proc_file:dir { search read open getattr };
allow sh proc_file:lnk_file { read getattr };
allow sh sys_file:dir { search };
allow sh domain:dir { getattr search };
allow sh domain:file { open read };
allow sh domain:process { getattr };
allow sh selinuxfs:filesystem { getattr };

# ---------------------------------------------------------------------------
# System parameters: param_get reads the mapped parameter files, param_set
# goes through the parameter service socket (labelled kernel at the peer).
# ---------------------------------------------------------------------------
allow sh dev_parameters_file:dir { search };
allow sh dev_parameters_file:file read_file_perms;
allow sh devinfo_public_param:file { map open read };
allow sh devinfo_type_param:file { map open read };
allow sh debug_param:file { map read open };
allow sh hilog_param:file { map read open };
allow sh developtools_hdc_control_param:file { map read open };
## /dev/unix/socket/parameterservice
allow sh paramservice_socket:sock_file { write };
allow sh kernel:unix_stream_socket { connectto };
## Writable parameters. servicectrl_reboot_param lets the shell reboot the
## device; the others tune hichecker, ArkUI and the ArkCompiler AOT profile.
allow sh servicectrl_reboot_param:parameter_service set;
allow sh hichecker_writable_param:parameter_service { set };
allow sh arkui_param:parameter_service { set };
allow sh ark_profile:parameter_service { set };
allow sh ark_writeable_param:parameter_service { set };

# ---------------------------------------------------------------------------
# hdcd: the daemon that spawned the shell passes it descriptors and pipes.
# Only TIOCGWINSZ (0x5413) is permitted on the inherited fifo.
# ---------------------------------------------------------------------------
allow sh hdcd:fd { use };
allow sh hdcd:unix_stream_socket { read write };
allow sh hdcd:fifo_file { read write ioctl };
allowxperm sh hdcd:fifo_file ioctl { 0x5413 };

# ---------------------------------------------------------------------------
# Tools that leave the sh domain on exec. Unlike the execute_no_trans grants
# above, each of these runs under its own, separately reviewed domain.
# ---------------------------------------------------------------------------
domain_auto_transition_pattern(sh, bm_exec, bm);                               # bm install
domain_auto_transition_pattern(sh, aa_exec, aa);                               # aa start (DevEco)
domain_auto_transition_pattern(sh, hiperf_exec, hiperf);
domain_auto_transition_pattern(sh, hiprofiler_cmd_exec, hiprofiler_cmd);
domain_auto_transition_pattern(sh, hidumper_exec, hidumper);
domain_auto_transition_pattern(sh, hitrace_exec, hitrace);
domain_auto_transition_pattern(sh, bytrace_exec, bytrace);
domain_auto_transition_pattern(sh, hisysevent_exec, hisysevent);
domain_auto_transition_pattern(sh, wukong_exec, wukong);
domain_auto_transition_pattern(sh, SP_daemon_exec, SP_daemon);
domain_auto_transition_pattern(sh, uitest_exec, uitest);
domain_auto_transition_pattern(sh, snapshot_display_exec, snapshot_display);

# ---------------------------------------------------------------------------
# Crash handling: processdump attaches to a crashing shell to write faultlog.
# ---------------------------------------------------------------------------
allow sh processdump:process { share sigchld };
# NOTE(review): this transition is for every domain EXCEPT sh, so it is not an
# sh rule at all, and because it sits inside developer_only it exists in
# developer builds only. Confirm it is intentional here rather than belonging
# in processdump.te (where it would also cover release builds).
domain_auto_transition_pattern({ domain -sh }, processdump_exec, processdump);
# The sh transition was wrapped in a second, nested developer_only in the
# original; the outer macro already covers it, so the nesting is dropped.
domain_auto_transition_pattern(sh, processdump_exec, processdump);

# ---------------------------------------------------------------------------
# hilog: emit, read and control logging from the shell.
# ---------------------------------------------------------------------------
use_hilog(sh)
read_hilog(sh)
control_hilog(sh)

')