# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the multimodalinput domain. Most rules have
# multimodalinput as the source; rules further down with another source
# (init, media_service, useriam, the *_hap_attr attributes) grant those
# domains access to objects owned by multimodalinput.
# binder_call() and debug_only() are macros defined outside this file.
allow multimodalinput accessibility_param:file { read };
allow multimodalinput arkcompiler_param:file { read open map };
allow multimodalinput audio_server:binder { call };
allow multimodalinput bootanimation:fd { use };
allow multimodalinput data_file:dir { search };
allow multimodalinput data_init_agent:dir { search };
# NOTE(review): ioctl is allowed on data_init_agent:file, but this file has no
# allowxperm rule for that target. Unless one exists elsewhere in the policy,
# every ioctl command is permitted on it.
allow multimodalinput data_init_agent:file { open read append ioctl };
allow multimodalinput data_log:dir { search write add_name create };
allow multimodalinput data_log:file { create open read write ioctl };
allow multimodalinput data_multimodalinput:dir { add_name create getattr open read remove_name search watch write };
allow multimodalinput data_multimodalinput:file { create open read rename unlink write setattr getattr ioctl };
allow multimodalinput data_service_file:dir { search };
allow multimodalinput data_service_el1_file:dir { search };
allow multimodalinput data_service_el1_file:file { open read };
allow multimodalinput data_vendor:dir { search };
allow multimodalinput dev_ashmem_file:chr_file { open };
# NOTE(review): as with data_init_agent:file, ioctl on dev_console_file has no
# allowxperm filter in this file.
allow multimodalinput dev_console_file:chr_file { open read write getattr ioctl };
allow multimodalinput dev_dri_file:dir { search };
allow multimodalinput dev_dri_file:chr_file { open read write getattr ioctl };
allow multimodalinput dev_kmsg_file:chr_file { open write };
# Only ioctl is granted on dev_input_file:chr_file here (no open/read/write);
# the permitted command numbers are listed in the allowxperm rule below.
# NOTE(review): presumably the device fds are opened elsewhere - confirm.
allow multimodalinput dev_input_file:chr_file { ioctl };
allow multimodalinput dev_input_file:dir { watch open read search getattr };
allow multimodalinput dev_unix_socket:dir { search };
allow multimodalinput dev_unix_socket:sock_file { write };
allow multimodalinput distributeddata:binder { call transfer };
allow multimodalinput distributeddata:fd { use };
allow multimodalinput allocator_host:binder { call };
allow multimodalinput allocator_host:fd { use };
allow multimodalinput hdf_allocator_service:hdf_devmgr_class { get };
allow multimodalinput faultloggerd_socket:sock_file { write };
allow multimodalinput faultloggerd:unix_stream_socket { connectto };
allow multimodalinput foundation:binder { call transfer };
allow multimodalinput hdf_devmgr:binder { call };
allow multimodalinput input_pointer_device_param:parameter_service { set };
allow multimodalinput media_service:binder { call transfer };
allow multimodalinput multimodalinput:netlink_kobject_uevent_socket { bind create getattr setopt read };
# The self-ptrace rule below is commented out, so it grants nothing.
#allow multimodalinput multimodalinput:process { ptrace };
allow multimodalinput musl_param:file { map open read };
allow multimodalinput param_watcher:binder { call transfer };
binder_call(multimodalinput, powermgr);
allow multimodalinput render_service:binder { call transfer };
allow multimodalinput render_service:fd { use };
allow multimodalinput resource_schedule_service:binder { call };
allow multimodalinput resource_schedule_service:dir { search };
# NOTE(review): write on rootfs:chr_file targets the generic rootfs label, not
# a device-specific type - confirm which node needs this and whether it can be
# labelled more narrowly.
allow multimodalinput rootfs:chr_file { write };
allow multimodalinput sa_audio_policy_service:samgr_class { get };
allow multimodalinput sa_device_service_manager:samgr_class { get };
allow multimodalinput sa_distributeddata_service:samgr_class { get };
allow multimodalinput sa_foundation_dms:samgr_class { get };
allow multimodalinput sa_foundation_tel_call_manager:samgr_class { get };
allow multimodalinput sa_foundation_wms:samgr_class { get };
allow multimodalinput sa_media_service:samgr_class { get };
allow multimodalinput sa_multimodalinput_service:samgr_class { get };
allow multimodalinput sa_render_service:samgr_class { get };
allow multimodalinput sys_file:dir { open read };
allow multimodalinput sys_file:file { getattr open read };
allow multimodalinput system_bin_file:dir { search };
# execute_no_trans runs anything labelled system_bin_file without a domain
# transition, so the child process keeps every permission granted to
# multimodalinput in this policy.
# NOTE(review): confirm which binary is needed; a dedicated domain with a
# transition would confine it.
allow multimodalinput system_bin_file:file { execute execute_no_trans map read open };
allow multimodalinput tracefs:dir { search };
allow multimodalinput tracefs:file { open write };
allow multimodalinput tracefs_trace_marker_file:file { open write };
allow multimodalinput tty_device:chr_file { read write };
allow multimodalinput vendor_etc_file:dir { search };
allow multimodalinput vendor_etc_file:file { getattr open read };
# The next rule and the data_file:sock_file rule below act on the generic
# data_file label rather than data_multimodalinput.
# NOTE(review): confirm the socket cannot live under the dedicated type.
allow multimodalinput data_file:dir { remove_name };
allow multimodalinput data_multimodalinput:file { lock };
allow multimodalinput sysfs_devices_system_cpu:file { open read getattr };
allow multimodalinput data_file:sock_file { setattr create unlink };
# avc: denied { get } for service=3299 pid=722 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1
allow multimodalinput sa_foundation_cesfwk_service:samgr_class { get };
allow multimodalinput sa_foundation_appms:samgr_class { get };
allow multimodalinput normal_hap_attr:binder { call };
allow multimodalinput normal_hap_attr:fd { use };
# NOTE(review): this rule names system_basic_hap, while the other rules in this
# file use system_basic_hap_attr - confirm the narrower name is intended.
allow multimodalinput system_basic_hap:fd { use };
allow init data_multimodalinput:file { getattr };
allow multimodalinput system_fonts_file:dir { read open search };
allow multimodalinput system_fonts_file:file { read open getattr map };
allow multimodalinput sa_powermgr_powermgr_service:samgr_class { get };
# Rules from here to the allowxperm block have other domains as the source and
# multimodalinput (or its service/data types) as the target.
allow media_service multimodalinput:binder { call transfer };
# normal_hap_attr may read and write multimodalinput's unix stream sockets.
# NOTE(review): presumably these are ordinary application domains, so data
# arriving on these sockets should be treated as untrusted - confirm.
allow normal_hap_attr multimodalinput:unix_stream_socket { read write };
allow normal_hap_attr sa_multimodalinput_service:samgr_class { get };
allow normal_hap_attr multimodalinput:fd { use };
# The { read } rule for system_basic_hap_attr is subsumed by the { read write }
# rule that follows it (same source, target and class).
allow system_basic_hap_attr multimodalinput:unix_stream_socket { read };
allow system_basic_hap_attr multimodalinput:unix_stream_socket { read write };
allow system_core_hap_attr multimodalinput:unix_stream_socket { read };
allow init data_multimodalinput:dir { create getattr open read relabelfrom relabelto search setattr write };
# avc: denied { read } scontext=u:r:useriam:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
allow useriam multimodalinput:unix_stream_socket { read };
# avc: denied { get } scontext=u:r:useriam:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
allow useriam sa_multimodalinput_service:samgr_class { get };
# Extended ioctl permissions: for each source/target/class below, only the
# listed command numbers are permitted; the matching allow rule above must
# still grant ioctl. 0x5413 is TIOCGWINSZ in the asm-generic numbering.
allowxperm multimodalinput data_log:file ioctl { 0x5413 };
allowxperm multimodalinput dev_dri_file:chr_file ioctl { 0x641f };
# Every command below has type byte 0x45 ('E'), the type used by the Linux
# evdev EVIOC* ioctls.
allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4503 0x4560 0x4542 0x4548 0x456f 0x450a 0x4559 0x4568 0x455a 0x455b 0x4577 0x4545 0x4549 0x454a 0x4550 0x4551 };
allowxperm multimodalinput data_multimodalinput:file ioctl { 0x5413 };
# NOTE(review): debug_only() presumably emits its body only in debug builds -
# confirm, since this lets multimodalinput make binder calls to the sh domain.
debug_only(`
    allow multimodalinput sh:binder { call };
')

# avc: denied { get } for service=3704 sid=u:r:multimodalinput:s0 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_screenlock_service:s0 tclass=samgr_class permissive=0
allow multimodalinput sa_screenlock_service:samgr_class { get };
allow multimodalinput sys_prod_file:dir { open read };