# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# Supplementary type-enforcement rules for a set of system services.
# Every rule here is additive: an allow only widens what the subject
# domain may do; the only narrowing statement in this file is the
# neverallowxperm on dev_ucollection below.

# audio_server: binder call/transfer within its own domain.
allow audio_server audio_server:binder transfer;
allow audio_server audio_server:binder call;
# deviceauth_service: writes the param-service socket file and connects to
# a unix stream socket that carries the generic "kernel" label.
# NOTE(review): the connectto target is the kernel type itself, not a
# dedicated socket type — confirm the peer is intentionally left with that
# label; otherwise this matches any kernel-labelled stream socket.
allow deviceauth_service paramservice_socket:sock_file write;
allow deviceauth_service kernel:unix_stream_socket connectto;
# foundation: ioctl on data_service_el1 files (plain file class).
# NOTE(review): no allowxperm bounds the ioctl commands here, unlike the
# dev_ucollection rules below — confirm whether the command set can be pinned.
allow foundation data_service_el1_file:file ioctl;
allow telephony_sa vendor_etc_file:dir search;
allow time_service data_file:dir getattr;
allow time_service data_service_el1_file:dir getattr;
allow udevd dev_port:chr_file getattr;
# hiperf: write and ioctl on hdcd's fifo; the ioctl is likewise unbounded.
allow hiperf hdcd:fifo_file { ioctl write };
allow usb_service self:unix_dgram_socket { getopt setopt };

# init: block-device ioctl and relabeling of hook_param files.
allow init dev_block_file:blk_file ioctl;
allow init hook_param:file relabelto;
# Read-only (map/open/read) access to hook_param for the five listed domain
# attributes; no write is granted to them here.
allow { sadomain hdfdomain hap_domain native_system_domain native_chipset_domain } hook_param:file { map open read };
# normal haps: ioctl on their own data files, with no allowxperm bound.
allow normal_hap_attr normal_hap_data_file_attr:file ioctl;
allow hap_domain proc_meminfo_file:file { read getattr open };
# hap_domain on dev_ucollection: read/open plus ioctl, where the ioctl
# command set is restricted to 0x6 and 0x8 by the allowxperm, and the
# neverallowxperm turns any later widening of that set into a
# policy-build error. This is the pattern the unbounded ioctl rules above
# do not follow.
allow hap_domain dev_ucollection:chr_file { read ioctl open };
allowxperm hap_domain dev_ucollection:chr_file ioctl { 0x6 0x8 };
neverallowxperm hap_domain dev_ucollection:chr_file ioctl ~{ 0x6 0x8 };

# Every member of sadomain except hilogd gets read+write on files carrying
# system_core_hap_data_file_attr.
# NOTE(review): this is an attribute-wide grant; confirm it cannot be scoped
# to the specific system abilities that need these files.
allow { sadomain -hilogd } system_core_hap_data_file_attr:file { read write };
# appspawn: binder call/transfer and fd use toward the listed services,
# plus console, library, tracefs and GPU device access.
allow appspawn accesstoken_service:binder call;
allow appspawn accountmgr:binder call;
allow appspawn dev_console_file:chr_file { read write };
allow appspawn foundation:binder { call transfer };
allow appspawn hdcd:unix_stream_socket connectto;
allow appspawn multimodalinput:binder call;
allow appspawn multimodalinput:fd use;
allow appspawn multimodalinput:unix_stream_socket { read write };
allow appspawn musl_param:file { map open read };
allow appspawn normal_hap_attr:binder { call transfer };
allow appspawn normal_hap_attr:fd use;
allow appspawn normal_hap_data_file_attr:dir search;
allow appspawn render_service:binder { call transfer };
allow appspawn render_service:fd use;
allow appspawn resource_schedule_service:binder call;
allow appspawn samgr:binder call;
allow appspawn system_file:file { getattr open read };
allow appspawn system_lib_file:dir { open read };
# Only the trace_marker file is writable; the rest of tracefs is search-only.
allow appspawn tracefs:dir search;
allow appspawn tracefs_trace_marker_file:file { open write };
allow appspawn accessibility:binder { call transfer };
# NOTE(review): full read/write/ioctl on the dev_mali character device with
# no allowxperm restriction — confirm whether the required ioctl commands
# can be enumerated as done for dev_ucollection above.
allow appspawn dev_mali:chr_file { getattr ioctl open read write };
allow appspawn param_watcher:binder { call transfer };

# init: directory search/add_name, relabelfrom on data_service_el0, and
# removal of stale unix socket files under dev.
allow init dev_dri_file:dir search;
allow init data_updater_file:dir add_name;
allow init data_service_el0_file:dir relabelfrom;
allow init data_startup:file getattr;
allow init musl_param:file read;
allow init chip_prod_file:dir search;
allow init sys_prod_file:dir search;
allow init data_local_tmp:dir search;
allow init dev_unix_socket:sock_file unlink;

# samgr: binder transfer to appspawn and hiprofiler_plugins, and read access
# to their /proc-style dir/file entries (process getattr on the latter).
allow samgr appspawn:binder transfer;
allow samgr appspawn:dir search;
allow samgr appspawn:file { open read };
allow samgr dev_console_file:chr_file { read write };
allow samgr hiprofiler_plugins:dir search;
allow samgr hiprofiler_plugins:file { open read };
allow samgr hiprofiler_plugins:binder transfer;
allow samgr hiprofiler_plugins:process getattr;

# hiview may call hiprofiler_plugins over binder and look up
# sa_native_daemon via the samgr_class get permission.
allow hiview hiprofiler_plugins:binder call;
allow deviceauth_service dev_console_file:chr_file { read write };
allow hiview sa_native_daemon:samgr_class { get };

# render_service: binder call/transfer to hiprofiler_plugins.
allow render_service hiprofiler_plugins:binder { call transfer };