1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
debug_only(`
    # Debug images only: when the su shell executes uinput_exec, move the
    # process into the uinput domain instead of leaving it in su.
    domain_auto_transition_pattern(su, uinput_exec, uinput);

    # Objects still labelled with the su domain after the transition —
    # presumably the stdio the child inherits (pipe / unix socket / fds).
    # avc:  denied  { use } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fd permissive=0
    # avc:  denied  { read write } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
    allow uinput su:fd { use };
    allow uinput su:unix_stream_socket { read write };

    # avc:  denied  { ioctl } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1
    # avc:  denied  { read } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1
    # avc:  denied  { write } for scontext=u:r:uinput:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=1
    allow uinput su:fifo_file { ioctl read write };
    # The ioctl permission above is narrowed by allowxperm to request number
    # 0x5413 (TIOCGWINSZ, the terminal window-size query); every other ioctl on
    # the pipe remains denied.
    allowxperm uinput su:fifo_file ioctl { 0x5413 };
')
29
developer_only(`
    # Developer images only. None of the rules below apply to a release image;
    # keep them inside this macro when adding to it.

    # --- Launch from the (non-root) sh shell ------------------------------
    # Execution of uinput_exec by sh transitions into the uinput domain.
    domain_auto_transition_pattern(sh, uinput_exec, uinput);

    # Objects left labelled with the sh domain after the transition —
    # presumably the inherited stdio (fds, pipe, unix socket).
    allow uinput sh:fd { use };
    allow uinput sh:unix_stream_socket { read write };
    allow uinput sh:fifo_file { ioctl read write };
    # Only 0x5413 (TIOCGWINSZ) is permitted on the inherited pipe; other ioctl
    # request numbers stay denied.
    allowxperm uinput sh:fifo_file ioctl { 0x5413 };

    # --- Locating and calling the multimodal input service ---------------
    # avc:  denied  { search } for scontext=u:r:uinput:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
    allow uinput dev_unix_socket:dir { search };

    # avc:  denied  { call } scontext=u:r:uinput:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=0
    allow uinput samgr:binder { call };

    # avc:  denied  { get } scontext=u:r:uinput:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
    allow uinput sa_multimodalinput_service:samgr_class { get };

    # avc:  denied  { call } tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1
    allow uinput multimodalinput:binder { call };

    # Reverse direction: samgr handing binder objects back to uinput and
    # inspecting the calling process. dir/file objects labelled with a
    # process domain are, as a rule, that process's /proc/<pid> entries —
    # presumably samgr reads the caller's proc info here; confirm if extended.
    # avc:  denied  { transfer } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=binder permissive=1
    allow samgr uinput:binder { transfer };
    # avc:  denied  { search } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=dir permissive=0
    allow samgr uinput:dir { search };
    # avc:  denied  { open } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=file permissive=1
    # avc:  denied  { read } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=file permissive=0
    allow samgr uinput:file { open read };
    # avc:  denied  { getattr } scontext=u:r:samgr:s0 tcontext=u:r:uinput:s0 tclass=process permissive=1
    allow samgr uinput:process { getattr };

    # --- Read-only access to system parameter files ----------------------
    # avc:  denied  { map } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
    # avc:  denied  { open } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
    # avc:  denied  { read } scontext=u:r:uinput:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
    allow uinput arkcompiler_param:file { map open read };
    # NOTE(review): no avc record backs the ark_writeable_param rule, unlike
    # every other rule in this block — confirm it is actually exercised.
    allow uinput ark_writeable_param:file { map open read };

    # avc:  denied  { map } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    # avc:  denied  { open } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    # avc:  denied  { read } scontext=u:r:uinput:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
    allow uinput debug_param:file { map open read };

    # The two hilog_param rules that used to be listed separately are one
    # rule: allow rules for the same source/target/class accumulate.
    # avc:  denied  { read } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
    # avc:  denied  { map } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
    # avc:  denied  { open } scontext=u:r:uinput:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0
    allow uinput hilog_param:file { map open read };

    # --- Terminal devices --------------------------------------------------
    # avc:  denied  { read write } scontext=u:r:uinput:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
    allow uinput tty_device:chr_file { read write };

    # avc:  denied  { ioctl } scontext=u:r:uinput:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
    # avc:  denied  { read write } scontext=u:r:uinput:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
    allow uinput devpts:chr_file { ioctl read write };
    # The devpts ioctl permission is limited to 0x5413 (TIOCGWINSZ).
    allowxperm uinput devpts:chr_file ioctl { 0x5413 };
')
92