# Copyright (c) 2024-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement policy for the nativespawn domain.
# Rules are grouped by concern. The granted permission set is the union of
# the original one-rule-per-line form; rules with the same subject, target
# and class have been merged (allow rules are cumulative, so this is the
# same policy).

# --- Type declarations ---------------------------------------------------
type nativespawn, native_system_domain, domain;
type nativespawn_exec, system_file_attr, exec_attr, file_attr;

# --- Process start from init --------------------------------------------
# init may execute nativespawn_exec and transition into the nativespawn
# domain, with rlimits and pending signals inherited across the transition.
allow init nativespawn_exec:file { execute getattr read open };
allow init nativespawn:process { rlimitinh siginh transition };
allow nativespawn nativespawn_exec:file { entrypoint execute map read open };
allow nativespawn system_bin_file:file { entrypoint execute map open read };
allow nativespawn init:unix_stream_socket { accept getattr getopt listen };

# --- Permissions on the domain itself -----------------------------------
# NOTE(review): sys_admin and net_admin are broad capabilities; together
# with the mounton grants below this looks like mount-namespace sandbox
# construction for the spawned child - confirm each one is still needed.
allow nativespawn nativespawn:capability { setuid setgid sys_admin net_admin kill };
# setcurrent + selinuxfs read/write + security check_context is the
# combination needed to re-label the calling process's own context.
allow nativespawn nativespawn:process { setcurrent };
allow nativespawn nativespawn:unix_dgram_socket { getopt setopt };
allow nativespawn security:security { check_context };
allow nativespawn selinuxfs:dir { search };
allow nativespawn selinuxfs:file { read write open };

# --- IPC with appspawn and samgr ----------------------------------------
allow nativespawn appspawn:unix_dgram_socket { connect write };
allow nativespawn appspawn:unix_stream_socket { getopt setopt getattr listen accept read write };
allow nativespawn appspawn:fd { use };
allow nativespawn appspawn_socket:sock_file { setattr };
allow nativespawn samgr:binder { call };

# --- Read access to system, product and device nodes -------------------
allow nativespawn system_file:file { getattr read open };
allow nativespawn chip_prod_file:dir { search };
allow nativespawn sys_prod_file:dir { search };
allow nativespawn dev_unix_socket:dir { search };
allow nativespawn dev_unix_file:sock_file { setattr };

# --- Traversal of data partitions (search only, no file access) --------
allow nativespawn data_file:dir { search };
allow nativespawn data_app_file:dir { search };
allow nativespawn data_app_el2_file:dir { search };
allow nativespawn data_service_file:dir { search };
allow nativespawn data_service_el1_file:dir { search };

# --- Mount points used to build the child's filesystem view ------------
# mounton over rootfs, proc, sys and dev is high privilege: whatever can
# mount on these paths controls what the spawned process observes.
allow nativespawn rootfs:dir { mounton };
allow nativespawn proc_file:dir { mounton };
allow nativespawn sys_file:dir { mounton };
allow nativespawn dev_file:dir { getattr mounton };
allow nativespawn system_bin_file:dir { getattr mounton };
allow nativespawn system_lib_file:dir { getattr read open mounton };
allow nativespawn vendor_lib_file:dir { getattr mounton };
allow nativespawn system_etc_file:dir { mounton };
allow nativespawn system_fonts_file:dir { getattr mounton };
allow nativespawn data_app_el1_file:dir { getattr mounton search };
allow nativespawn normal_hap_data_file_attr:dir { getattr mounton };
allow nativespawn normal_hap_data_file_attr:file { read write };
allow nativespawn tmpfs:dir { mounton add_name create write };
allow nativespawn tmpfs:file { mounton };
allow nativespawn tmpfs:lnk_file { create };
allow nativespawn labeledfs:filesystem { unmount };

# --- cgroup management and network sysfs writes ------------------------
allow nativespawn cgroup:dir { add_name search create remove_name rmdir write };
allow nativespawn cgroup:file { getattr read append open write };
allow nativespawn sysfs_net:file { open write };

# --- Device ioctls, restricted to the listed command numbers -----------
# allowxperm narrows the generic ioctl permission to these exact commands.
allow nativespawn dev_at_file:chr_file { ioctl };
allowxperm nativespawn dev_at_file:chr_file ioctl { 0x4102 };
allow nativespawn dev_xpm:chr_file { ioctl read write open };
allowxperm nativespawn dev_xpm:chr_file ioctl { 0x7801 0x7802 };

# --- Spawned children: hap_domain and isolated_render -------------------
# dyntransition switches the child's domain without an exec; the reachable
# target domains are limited to the two named here, and the neverallow at
# the end keeps nativespawn from ptracing either of them.
allow nativespawn hap_domain:process { dyntransition sigkill };
allow nativespawn hap_domain:fd { use };
allow hap_domain nativespawn:fd { use };
allow hap_domain nativespawn:fifo_file { write };
allow hap_domain nativespawn:unix_dgram_socket { write };
allow nativespawn isolated_render:process { dyntransition sigkill };
allow isolated_render nativespawn:fd { use };
allow isolated_render nativespawn:fifo_file { write };
allow isolated_render nativespawn:unix_dgram_socket { write connect };

# Before ams kills an isolated process spawned by nativespawn, it reads
# /proc/<pid>/status of that process.
allow foundation isolated_render:dir { search };
allow foundation isolated_render:file { getattr read };

# --- Hard limit ----------------------------------------------------------
# nativespawn must never be able to ptrace any domain, no matter what
# other policy files grant; a violation fails policy compilation.
neverallow nativespawn *:process ptrace;