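# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# Type-enforcement rules for the hiperf domain, which opens perf events on
# itself (see the self:perf_event rules). A few rules further down have init,
# samgr or hiview as the source domain.
#
# Comments in this file deliberately avoid quote characters, because policy
# sources are usually run through m4.

# Most *_param rules below are read-only (map open read) access to parameter files.
allow hiperf const_allow_mock_param:file { map open read };
allow hiperf const_allow_param:file { map open read };
allow hiperf const_build_param:file { map open read };
allow hiperf const_param:file { map open read };
allow hiperf const_postinstall_fstab_param:file { map open read };
allow hiperf const_postinstall_param:file { map open read };
allow hiperf data_test_file:file { write };
allow hiperf data_file:file { getattr ioctl map open read };
allow hiperf default_param:file { map open read };
allow hiperf distributedsche_param:file { map open read };
allow hiperf hdcd:fd use;
allow hiperf hdcd_exec:file { getattr map open read };
allow hiperf hw_sc_build_os_param:file { map open read };
allow hiperf hw_sc_build_param:file { map open read };
allow hiperf hw_sc_param:file { map open read };
allow hiperf init_param:file { map open read };
allow hiperf init_svc_param:file { map open read };
allow hiperf input_pointer_device_param:file { map open read };
allow hiperf net_param:file { map open read };
allow hiperf net_tcp_param:file { map open read };
allow hiperf normal_hap_attr:dir { getattr open read search };
allow hiperf normal_hap_attr:process signull;
allow hiperf ohos_boot_param:file { map open read };
allow hiperf ohos_param:file { map open read };
allow hiperf proc_buddyinfo_file:file getattr;
allow hiperf proc_cgroups_file:file getattr;
allow hiperf proc_cmdline_file:file getattr;
allow hiperf proc_config_gz_file:file getattr;
allow hiperf proc_cpuinfo_file:file getattr;
allow hiperf proc_diskstats_file:file getattr;
# NOTE(review): proc_file appears to be the generic proc label. write plus
# ioctl on it is broad; confirm which proc entry hiperf has to write and
# whether that entry could carry a dedicated type instead.
allow hiperf proc_file:file { ioctl write };
allow hiperf proc_filesystems_file:file getattr;
allow hiperf proc_interrupts_file:file getattr;
allow hiperf proc_iomem_file:file getattr;
allow hiperf proc_keys_file:file getattr;
allow hiperf proc_kmsg_file:file getattr;
allow hiperf proc_loadavg_file:file getattr;
allow hiperf proc_meminfo_file:file { getattr open read };
allow hiperf proc_misc_file:file getattr;
allow hiperf proc_modules_file:file { getattr open read };
allow hiperf proc_pagetypeinfo_file:file getattr;
allow hiperf proc_partitions_file:file getattr;
allow hiperf proc_rkisp_vir0_file:file getattr;
allow hiperf proc_slabinfo_file:file getattr;
allow hiperf proc_softirqs_file:file getattr;
allow hiperf proc_stat_file:file getattr;
allow hiperf proc_swaps_file:file getattr;
allow hiperf proc_sysrq_trigger_file:file getattr;
allow hiperf proc_timer_list_file:file getattr;
allow hiperf proc_uptime_file:file getattr;
allow hiperf proc_version_file:file getattr;
allow hiperf proc_vmallocinfo_file:file getattr;
allow hiperf proc_vmstat_file:file getattr;
allow hiperf proc_zoneinfo_file:file getattr;
allow hiperf samain_exec:file { getattr map open read };
allow hiperf sys_param:file { map open read };
allow hiperf sys_usb_param:file { map open read };
allow hiperf tracefs:dir { open read search };
allow hiperf tracefs:file { getattr open read write ioctl };
# allowxperm narrows the tracefs:file ioctl grant to command 0x5413
# (TIOCGWINSZ in the generic Linux ioctl numbering).
# NOTE(review): the other ioctl grants in this file (data_file, proc_file,
# rootfs, data_log, data_local_tmp, hiprofiler_plugins fifo_file) have no
# allowxperm here, so they are not filtered by command unless another policy
# file adds one.
allowxperm hiperf tracefs:file ioctl { 0x5413 };
allow hiperf tty_device:chr_file { read write };

allow hiperf appspawn_exec:file { getattr map open read };
allow hiperf bootevent_param:file { map open read };
allow hiperf bootevent_samgr_param:file { map open read };
allow hiperf build_version_param:file { map open read };
allow hiperf const_display_brightness_param:file { map open read };
allow hiperf const_product_param:file { map open read };
allow hiperf debug_param:file { map open read };
allow hiperf devpts:chr_file { read write };
allow hiperf hdcd:unix_stream_socket { read write };
allow hiperf hilog_param:file { map open read };
allow hiperf hilogd_exec:file { getattr map open read };
allow hiperf persist_param:file { map open read };
allow hiperf persist_sys_param:file { map open read };
allow hiperf proc_file:file { getattr open read };
allow hiperf security_param:file { map open read };
allow hiperf self:perf_event { cpu kernel open read write };
allow hiperf startup_param:file { map open read };
allow hiperf wifi_hal_service_exec:file { getattr map open read };
allow hiperf hiview_exec:file { getattr map open read };
allow hiperf storage_daemon_exec:file { getattr map open read };

allow hiperf data_file:dir search;
allow hiperf dev_unix_socket:dir search;
allow hiperf system_bin_file:dir search;
allow hiperf data_local:dir search;

allow hiperf hiprofiler_plugins:unix_stream_socket { read write };
allow hiperf rootfs:file read;
allow hiperf sh_exec:file { getattr map open read };
allow hiperf sysfs_kernel_notes:file { open read };
# execute_no_trans: anything labelled system_bin_file or toybox_exec that
# hiperf launches stays in the hiperf domain and inherits every permission
# granted in this file, instead of transitioning to a domain of its own.
allow hiperf system_bin_file:file { execute execute_no_trans getattr map open read };
allow hiperf toybox_exec:file { execute execute_no_trans getattr map open read };
allow hiperf tmpfs:file { read write };

allow hiperf hiprofiler_plugins:fd use;
allow hiperf hiprofilerd:fd use;
allow hiperf hiprofiler_plugins:fifo_file { ioctl write };
allow hiperf watchdog_service_exec:file { getattr map open read };

allow hiperf data_local_tmp:fifo_file { create open read unlink write };
allow hiperf hdf_devmgr_exec:file { getattr map open read };
allow hiperf proc_cpuinfo_file:file { open read };
allow hiperf sysfs_devices_system_cpu:file { open read };
allow hiperf uinput_inject_exec:file { getattr map open read };
allow hiperf vendor_bin_file:dir search;

# NOTE(review): domain is the attribute the perf_event neverallow below uses
# for the set of process types, so these two rules reach the per-process
# dirs and files of every domain at once. Reading them fits a system-wide
# profiler; add_name and write on domain:dir look wider than reading needs,
# so confirm what depends on them and drop them if nothing does.
allow hiperf domain:dir { add_name getattr search open read write };
allow hiperf domain:file { getattr map open read };

allow hiperf camera_service:dir { open read };
allow hiperf camera_service:process signull;
allow hiperf drm_service:dir { open read };
allow hiperf drm_service:process signull;
allow hiperf data_file:dir { add_name getattr open read write };

allow hiperf dev_mali:chr_file { getattr open read };
allow hiperf distributedfiledaemon:dir { open read };
allow hiperf distributedfiledaemon:process signull;
allow hiperf hdcd:dir { open read };
allow hiperf hdcd:process signull;
allow hiperf init:dir { open read };
allow hiperf init:process signull;
allow hiperf render_service:dir { open read };
allow hiperf render_service:process signull;
allow hiperf render_service_exec:file { getattr map open read };
allow hiperf rootfs:dir read;
allow hiperf self:perf_event tracepoint;
allow hiperf system_basic_hap_attr:dir { open read };
allow hiperf system_basic_hap_attr:process signull;
allow hiperf system_bin_file:lnk_file read;
allow hiperf toybox_exec:lnk_file read;
allow hiperf ui_service:dir { open read };
allow hiperf ui_service:process signull;
allow hiperf hiview:process signull;
# signull on the whole domain attribute. Assuming the types named in the
# individual signull rules in this file all carry that attribute, those
# rules are redundant while this one stays; if this one is ever narrowed,
# they become the effective list.
allow hiperf domain:process signull;

allow hiperf accessibility_param:file { map open read };
allow hiperf ohos_dev_param:file { map open read };
allow hiperf data_log_hiperf_file:dir { create_dir_perms };
allow hiperf data_log_hiperf_file:file { create_file_perms };
allow hiperf data_log_hiperf_file:fifo_file { create open read unlink write };

allow hiperf data_local_tmp_hiperf_file:dir { create_dir_perms };
allow hiperf data_local_tmp_hiperf_file:file { create_file_perms };
allow hiperf data_local_tmp_hiperf_file:fifo_file { create open read unlink write };

# NOTE(review): hiperf has dedicated output types (data_log_hiperf_file,
# data_local_tmp_hiperf_file) but also keeps create/write/unlink on the
# shared data_log and data_local_tmp labels; confirm the shared-label
# grants are still required.
allow hiperf data_log:dir { add_name open read search watch write create remove_name };
allow hiperf data_log:file { create getattr lock map open read rename ioctl write unlink };
allow hiperf data_app_el1_file:file { getattr map open read };
allow hiperf data_app_el1_file:dir search;
allow hiperf normal_hap_attr:lnk_file read;

allow hiperf chip_prod_file:dir search;
allow hiperf chip_prod_file:file { getattr map open read };
allow hiperf sys_file:file { getattr open read };
allow hiperf sysfs_devices_system_cpu:file getattr;
allow hiperf udevd_exec:file { getattr map open read };
allow hiperf ueventd_exec:file read;
allow hiperf vendor_bin_file:file { getattr map open read };

# init relabels files from data_log and dirs to data_log_hiperf_file.
allow init data_log:file relabelfrom;
allow init data_log_hiperf_file:dir relabelto;

#allow hiperf data_file:file { create write };
#allow hiperf devpts:chr_file ioctl;

# debug_only and developer_only are macros defined outside this file;
# presumably they keep the enclosed rules out of release builds. Confirm
# before relying on that for setgid and syslog.
debug_only(`
    allow hiperf self:capability { setgid };
    allow hiperf self:capability2 syslog;
')

developer_only(`
    allow hiperf sh:dir { getattr open read search };
    allow hiperf sh:fd use;
    allow hiperf sh:fifo_file { read write };
    allow hiperf sh:process signull;
')

allow hiperf data_local_tmp:file { create getattr ioctl map open read rename unlink write };
allow hiperf data_local_tmp:dir { open read add_name remove_name search write };
allow hiperf self:capability2 perfmon;
# sys_ptrace is granted as a capability only; the neverallow below keeps the
# process ptrace permission away from hiperf for every target type.
allow hiperf self:capability { sys_ptrace ipc_lock };
# Subset of the earlier self:perf_event grant { cpu kernel open read write }.
allow hiperf self:perf_event { open read write kernel };

# Build-time assertions. The first forbids any rule that would let hiperf
# ptrace a process. The second limits every domain other than hiperf, init
# and hiebpf to open, read, write and kernel on its own perf_event class;
# hiperf itself is granted cpu and tracepoint in this file.
neverallow hiperf *:process ptrace;
neverallow { domain -hiperf -init -hiebpf } self:perf_event ~{ open read write kernel };

allow hiperf musl_param:file { open map read };
allow hiperf dev_console_file:chr_file { read write };
# NOTE(review): hiperf may set parameters labelled security_param as well as
# its own hiviewdfx_profiler_param. Confirm which security_param key it
# writes and whether a narrower parameter label would do.
allow hiperf security_param:parameter_service { set };
allow hiperf hiviewdfx_profiler_param:parameter_service { set };
allow hiperf paramservice_socket:sock_file { read write };
allow hiperf kernel:unix_stream_socket connectto;

allow hiperf sa_foundation_bms:samgr_class get;
allow hiperf sa_param_watcher:samgr_class get;
allow hiperf foundation:binder call;
allow hiperf samgr:binder { call };

allow hiperf param_watcher:binder { call transfer };
allow hiperf tracefs_trace_marker_file:file { open write };
allow hiperf hilog_exec:file { getattr map open read };
allow hiperf rootfs:file { ioctl };
allow hiperf ueventd_exec:file { getattr map open };
allow hiperf dev_file:dir getattr;

# Rules whose source is samgr: it inspects the hiperf process entries and
# makes binder calls to hiperf.
allow samgr hiperf:file { read open };
allow samgr hiperf:dir { search };
allow samgr hiperf:process { getattr };
allow samgr hiperf:binder { call transfer };

allow hiperf dev_bbox:chr_file { read };
allow hiperf sysfs_devices_system_cpu:dir { read open };

allow hiperf hiview:fd { use };
allow hiperf hiview:unix_dgram_socket { read write };
allow hiperf hiview:fifo_file { read write };
allow hiperf hiview_file:file { read write };

# Rules whose source is hiview. Only the sigkill rule names hiperf.
# NOTE(review): the data_local, proc_file and debug_param grants widen
# hiview itself; confirm they belong in this file and not in the hiview
# policy, where a hiview reviewer would see them.
allow hiview hiperf:process sigkill;
allow hiview data_local:dir { search };
allow hiview proc_file:file { getattr };
allow hiview debug_param:parameter_service { set };

allow hiperf system_file:file { getattr open read };
allow hiperf SP_daemon_exec:file { getattr open read };
allow hiperf data_local_arkcache:dir { search };
allow hiperf data_local_arkcache:file { getattr open read };
allow hiperf app_el1_bundle_public:dir { getattr open read search };
allow hiperf app_el1_bundle_public:file { getattr map open read };
allow hiperf deviceauth_service_exec:file { getattr map open read };
allow hiperf faultloggerd_exec:file { getattr map open read };
allow hiperf hidumper_exec:file { getattr map open read };
allow hiperf hiprofiler_cmd_exec:file { getattr map open read };
allow hiperf hiprofiler_plugins_exec:file { getattr map open read };
allow hiperf hiprofilerd_exec:file { getattr map open read };
allow hiperf hisysevent_exec:file { getattr map open read };
allow hiperf hitrace_exec:file { getattr map open read };
allow hiperf init_exec:file { getattr map open read };
allow hiperf sys_prod_file:dir { search };
allow hiperf sys_prod_file:file { getattr map open read };
allow hiperf system_usr_file:file { getattr map open read };
allow hiperf data_service_el1_file:file { getattr map open read };

allow hiperf isolated_render:lnk_file { read };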