# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

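# hiprofiler_plugins: directory traversal, control sockets and terminal I/O.
# Every rule in this run has hiprofiler_plugins as the source domain and
# grants only the permissions listed for the named target type and class.
# (Listing line numbers that had been fused onto each statement are removed;
# with them the rules do not parse.)
allow hiprofiler_plugins data_file:dir search;
allow hiprofiler_plugins data_init_agent:dir search;
allow hiprofiler_plugins data_init_agent:file { append ioctl open read };
# Create, relabel-free attribute changes, write and removal of socket files
# labeled dev_unix_socket; the matching directory permissions are granted on
# dev_unix_socket:dir further down in this run.
allow hiprofiler_plugins dev_unix_socket:sock_file { unlink create getattr setattr write };
allow hiprofiler_plugins devpts:chr_file { read write };
# Read and write on stream sockets and write on FIFOs owned by hdcd.
# NOTE(review): presumably inherited descriptors from an hdc session - confirm.
allow hiprofiler_plugins hdcd:unix_stream_socket { read write };
allow hiprofiler_plugins hdcd:fifo_file write;
allow hiprofiler_plugins tty_device:chr_file { read write };
allow hiprofiler_plugins dev_unix_socket:dir { add_name remove_name write search };
allow hiprofiler_plugins proc_cpuinfo_file:file { open read };
allow hiprofiler_plugins system_bin_file:dir search;
allow hiprofiler_plugins data_local:dir search;
# Connect to the hiprofilerd stream socket and use descriptors it passes.
allow hiprofiler_plugins hiprofilerd:unix_stream_socket connectto;
allow hiprofiler_plugins hiprofilerd:fd { use };
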
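# Mixed read-only run: parameter labels (the *_param types), proc and sysfs
# labels, and types named after services or daemons.
# NOTE(review): file objects labeled with a process type are presumably the
# /proc/<pid> entries of that process - confirm. This file also grants
# domain:file { open read getattr } later on; if these types carry the domain
# attribute, the per-type read rules here are already covered by that rule.
allow hiprofiler_plugins appspawn:file read;
allow hiprofiler_plugins hdcd:fd use;
allow hiprofiler_plugins hdf_devmgr:file read;
allow hiprofiler_plugins hilog_param:file { map open read };
allow hiprofiler_plugins init:file { getattr open read };
allow hiprofiler_plugins kernel:file read;
allow hiprofiler_plugins net_param:file read;
allow hiprofiler_plugins net_tcp_param:file read;
allow hiprofiler_plugins ohos_boot_param:file { map open read };
allow hiprofiler_plugins ohos_param:file { map open read };
allow hiprofiler_plugins param_watcher:file read;
allow hiprofiler_plugins persist_param:file { map open read };
allow hiprofiler_plugins persist_sys_param:file read;
allow hiprofiler_plugins proc_stat_file:file { getattr open read };
allow hiprofiler_plugins samgr:file read;
allow hiprofiler_plugins security_param:file { map open read };
allow hiprofiler_plugins storage_manager:file read;
allow hiprofiler_plugins sys_file:file { getattr open read };
allow hiprofiler_plugins sys_param:file { map open read };
allow hiprofiler_plugins sys_usb_param:file read;
# CPU topology and state under sysfs: list the directory, stat and read files.
# The open permission on these files is granted by a separate rule elsewhere
# in this file.
allow hiprofiler_plugins sysfs_devices_system_cpu:dir { open read };
allow hiprofiler_plugins sysfs_devices_system_cpu:file { getattr read };
# NOTE(review): the only write in this run, and it targets the generic tmpfs
# label rather than a dedicated type. Confirm which object needs it and
# whether a narrower label is available.
allow hiprofiler_plugins tmpfs:file write;
allow hiprofiler_plugins udevd:file read;
allow hiprofiler_plugins watchdog_service:file read;
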
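# Parameter labels: read, open and map only. No rule in this run grants write
# or any other modifying permission on a *_param type.
# The permissions for one label are often split over several rules (for
# example const_param gets read in one rule and { map open } in another).
# Allow rules are additive, so the effective grant per label is the union of
# every rule naming it; audit by label, not by line.
allow hiprofiler_plugins const_param:file read;
allow hiprofiler_plugins const_postinstall_param:file read;
allow hiprofiler_plugins hw_sc_build_os_param:file read;
allow hiprofiler_plugins hw_sc_build_param:file read;
allow hiprofiler_plugins hw_sc_param:file { map open read };
allow hiprofiler_plugins init_param:file read;
allow hiprofiler_plugins init_svc_param:file read;
allow hiprofiler_plugins net_param:file { map open };
allow hiprofiler_plugins net_tcp_param:file { map open };
allow hiprofiler_plugins sys_usb_param:file { map open };

allow hiprofiler_plugins const_param:file { map open };
allow hiprofiler_plugins hw_sc_build_os_param:file { map open };
allow hiprofiler_plugins hw_sc_build_param:file { map open };
allow hiprofiler_plugins init_param:file { map open };
allow hiprofiler_plugins init_svc_param:file { map open };
allow hiprofiler_plugins const_postinstall_param:file open;

allow hiprofiler_plugins const_allow_mock_param:file read;
allow hiprofiler_plugins const_allow_param:file { open read };
allow hiprofiler_plugins const_build_param:file read;
allow hiprofiler_plugins const_postinstall_fstab_param:file { map open read };
allow hiprofiler_plugins const_postinstall_param:file map;
allow hiprofiler_plugins const_product_param:file read;
allow hiprofiler_plugins debug_param:file read;
allow hiprofiler_plugins persist_sys_param:file open;
allow hiprofiler_plugins startup_param:file read;
allow hiprofiler_plugins bootevent_param:file read;
allow hiprofiler_plugins bootevent_samgr_param:file read;
allow hiprofiler_plugins build_version_param:file read;
allow hiprofiler_plugins const_allow_mock_param:file open;
allow hiprofiler_plugins const_allow_param:file map;
allow hiprofiler_plugins const_build_param:file open;
allow hiprofiler_plugins const_product_param:file open;
allow hiprofiler_plugins debug_param:file open;
allow hiprofiler_plugins persist_sys_param:file map;
allow hiprofiler_plugins startup_param:file open;

allow hiprofiler_plugins bootevent_param:file { map open };
allow hiprofiler_plugins bootevent_samgr_param:file open;
allow hiprofiler_plugins build_version_param:file { map open };
allow hiprofiler_plugins const_allow_mock_param:file map;
allow hiprofiler_plugins const_build_param:file map;
allow hiprofiler_plugins const_product_param:file map;
allow hiprofiler_plugins debug_param:file map;
allow hiprofiler_plugins startup_param:file map;

allow hiprofiler_plugins bootevent_samgr_param:file map;
allow hiprofiler_plugins const_display_brightness_param:file { map open read };
allow hiprofiler_plugins distributedsche_param:file { map open read };
allow hiprofiler_plugins input_pointer_device_param:file { map open read };

# NOTE(review): default_param is presumably the fallback label for parameters
# without a dedicated type - confirm. If so, this read covers every parameter
# that nobody has labeled yet.
allow hiprofiler_plugins default_param:file { map open read };
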
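# Memory and CPU statistics sources, the hilog binary, tracefs writes and the
# init socket.
allow hiprofiler_plugins accessibility:file { getattr open read };
allow hiprofiler_plugins distributeddata:file { getattr read };
# execute_no_trans: the hilog binary runs without a domain transition, so the
# child keeps every permission granted to hiprofiler_plugins in this file.
allow hiprofiler_plugins hilog_exec:file { execute execute_no_trans getattr map open read };
allow hiprofiler_plugins init:dir { open read };
allow hiprofiler_plugins kernel:file { getattr open };
allow hiprofiler_plugins media_service:dir search;
allow hiprofiler_plugins proc_meminfo_file:file { getattr open read };
allow hiprofiler_plugins proc_vmstat_file:file { getattr open read };
allow hiprofiler_plugins sysfs_block_zram:file { getattr open read };
allow hiprofiler_plugins sysfs_devices_system_cpu:file open;

# Write to files labeled tracefs. The rule is not limited to particular
# control files; the label covers whatever the file contexts assign to it.
allow hiprofiler_plugins tracefs:file write;

allow hiprofiler_plugins init:dir search;
# Connect to a stream socket owned by init.
# NOTE(review): presumably the parameter or control service - confirm.
allow hiprofiler_plugins init:unix_stream_socket connectto;
allow hiprofiler_plugins mmi_uinput_service:file read;
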
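# Per-service read list: class file, permission read, one rule per type named
# after a system service or HDF host process.
# NOTE(review): presumably these are reads of /proc/<pid> entries, which carry
# the label of the owning process - confirm.
# NOTE(review): the list includes authentication and key-handling services
# (deviceauth_service, huks_service, face_auth_host, fingerprint_auth_host,
# pin_auth_host, user_auth_host, useriam, pinauth). Confirm the profiler needs
# them on user builds; the rules here sit outside the debug_only and
# developer_only macros used elsewhere in this file.
allow hiprofiler_plugins accountmgr:file read;
allow hiprofiler_plugins deviceauth_service:file read;
allow hiprofiler_plugins huks_service:file read;
allow hiprofiler_plugins locationhub:file read;
allow hiprofiler_plugins memmgrservice:file read;
allow hiprofiler_plugins multimodalinput:file read;
allow hiprofiler_plugins resource_schedule_service:file read;
allow hiprofiler_plugins storage_daemon:file read;

allow hiprofiler_plugins bgtaskmgr_service:file read;
allow hiprofiler_plugins bluetooth_service:file read;
allow hiprofiler_plugins device_usage_stats_service:file read;
allow hiprofiler_plugins pasteboard_service:file read;

allow hiprofiler_plugins audio_server:file read;
allow hiprofiler_plugins download_server:file read;
allow hiprofiler_plugins edm_sa:file read;
allow hiprofiler_plugins msdp_sa:file read;
allow hiprofiler_plugins screenlock_server:file read;
allow hiprofiler_plugins time_service:file read;
# Not part of the read list: open on the tty character device.
allow hiprofiler_plugins tty_device:chr_file open;
allow hiprofiler_plugins wallpaper_service:file read;

allow hiprofiler_plugins codec_host:file read;
allow hiprofiler_plugins face_auth_host:file read;
allow hiprofiler_plugins fingerprint_auth_host:file read;
# Not part of the read list: ioctl on hdcd FIFOs and write to the hilog
# control socket file.
allow hiprofiler_plugins hdcd:fifo_file ioctl;
allow hiprofiler_plugins hilog_control_socket:sock_file write;
allow hiprofiler_plugins light_host:file read;
allow hiprofiler_plugins location_host:file read;
allow hiprofiler_plugins pin_auth_host:file read;
allow hiprofiler_plugins sensor_host:file read;
allow hiprofiler_plugins user_auth_host:file read;
allow hiprofiler_plugins vibrator_host:file read;

allow hiprofiler_plugins audio_host:file read;
allow hiprofiler_plugins blue_host:file read;
allow hiprofiler_plugins clearplay_host:file read;
allow hiprofiler_plugins camera_host:file read;
allow hiprofiler_plugins allocator_host:file read;
allow hiprofiler_plugins input_user_host:file read;
allow hiprofiler_plugins power_host:file read;
allow hiprofiler_plugins usb_host:file read;
allow hiprofiler_plugins wifi_host:file read;

allow hiprofiler_plugins camera_service:file read;
allow hiprofiler_plugins faultloggerd:file read;
allow hiprofiler_plugins drm_service:file read;
allow hiprofiler_plugins media_service:file read;
allow hiprofiler_plugins render_service:file read;
allow hiprofiler_plugins useriam:file read;
allow hiprofiler_plugins wifi_hal_service:file read;

allow hiprofiler_plugins distributedsche:file read;
allow hiprofiler_plugins softbus_server:file read;
allow hiprofiler_plugins ui_service:file read;

allow hiprofiler_plugins hiview:file read;
allow hiprofiler_plugins installs:file read;
allow hiprofiler_plugins sensors:file read;

allow hiprofiler_plugins foundation:file read;
allow hiprofiler_plugins hdcd:file read;
allow hiprofiler_plugins hidumper_service:file read;
allow hiprofiler_plugins hiprofilerd:file read;
# Not part of the read list: directory search on the kernel type.
allow hiprofiler_plugins kernel:dir search;
allow hiprofiler_plugins pinauth:file read;
allow hiprofiler_plugins wifi_manager_service:file read;
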
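# proc and tracefs access, helper binaries, and getattr on service-labeled
# files.
# NOTE(review): proc_file is presumably the generic label for procfs entries
# without a dedicated type - confirm. Write on it is broader than a rule on a
# specific proc label; check which entry is actually written.
allow hiprofiler_plugins proc_file:file write;
allow hiprofiler_plugins udevd:file { getattr open };

allow hiprofiler_plugins deviceauth_service:dir search;
allow hiprofiler_plugins deviceauth_service:file { getattr open };
allow hiprofiler_plugins resource_schedule_service:dir search;
allow hiprofiler_plugins resource_schedule_service:file { getattr open };
allow hiprofiler_plugins storage_daemon:dir search;
allow hiprofiler_plugins storage_daemon:file { getattr open };

allow hiprofiler_plugins hilogd:file getattr;
# execute alone, with no execute_no_trans in this rule: running a
# system_bin_file binary additionally needs either execute_no_trans or a
# domain transition granted somewhere else.
allow hiprofiler_plugins system_bin_file:file execute;
# toybox runs without a domain transition and therefore with the full
# hiprofiler_plugins permission set.
allow hiprofiler_plugins toybox_exec:file { execute execute_no_trans getattr map open read };
allow hiprofiler_plugins tmpfs:file { map read };
allow hiprofiler_plugins tracefs:dir search;
allow hiprofiler_plugins tracefs:file { getattr read };

allow hiprofiler_plugins accountmgr:file getattr;
allow hiprofiler_plugins bgtaskmgr_service:file getattr;
allow hiprofiler_plugins bluetooth_service:file getattr;
allow hiprofiler_plugins device_usage_stats_service:file getattr;
allow hiprofiler_plugins hiprofiler_cmd:file getattr;
allow hiprofiler_plugins hiprofilerd:file getattr;
allow hiprofiler_plugins huks_service:file getattr;
allow hiprofiler_plugins locationhub:file getattr;
allow hiprofiler_plugins memmgrservice:file getattr;
allow hiprofiler_plugins pasteboard_service:file getattr;
allow hiprofiler_plugins proc_file:file { getattr open read };
allow hiprofiler_plugins audio_server:file getattr;
allow hiprofiler_plugins tracefs:file open;

allow hiprofiler_plugins proc_diskstats_file:file { open read };
allow hiprofiler_plugins rootfs:file getattr;

# Descriptors passed in by hiprofiler_cmd, terminal ioctl and the hilog
# output socket.
allow hiprofiler_plugins hiprofiler_cmd:fd use;
allow hiprofiler_plugins rootfs:file read;
allow hiprofiler_plugins tty_device:chr_file ioctl;
allow hiprofiler_plugins hilog_output_socket:sock_file write;

allow hiprofiler_plugins proc_uptime_file:file { open read };
allow hiprofiler_plugins tracefs:dir { open read };

allow hiprofiler_plugins tracefs:file append;
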
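# Working directory access on data_local_tmp: list, watch, create, lock and
# delete regular files.
# NOTE(review): if data_local_tmp is also writable by less privileged domains
# (for example a shell), file names and contents found there are untrusted
# input for a process that holds the capabilities granted below - confirm how
# the plugin opens these paths.
allow hiprofiler_plugins data_local_tmp:dir { getattr read watch watch_reads add_name write open search remove_name };
allow hiprofiler_plugins data_local_tmp:file { create read open write lock getattr unlink };
# Capabilities granted on every build; this rule is outside the debug_only
# and developer_only macros.
#   dac_read_search - bypasses discretionary read and directory search checks.
#   sys_ptrace      - lifts the same-credential restriction of ptrace-style
#                     access checks.
# SELinux type enforcement still applies to both. This file separately asserts
# with a neverallow rule that hiprofiler_plugins never gets process ptrace, so
# sys_ptrace is presumably needed for read-mode access to /proc/<pid> data of
# other users - confirm.
allow hiprofiler_plugins self:capability { sys_ptrace dac_read_search };
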
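# Extra grants wrapped in the debug_only macro. The macro is defined outside
# this file; presumably its body is emitted only for debug builds - confirm
# against the macro definition before relying on that.
# Inside: CAP_SYS_ADMIN and CAP_SETGID for the plugin process, execution of
# the shell without a domain transition (the shell then runs with the full
# hiprofiler_plugins permission set), use of descriptors and proc entries
# owned by the sh domain, and read on console-labeled files.
# Comments are kept outside the quoted macro body so that no quote character
# can end the m4 string early.
debug_only(`
	allow hiprofiler_plugins self:capability { sys_admin };
	allow hiprofiler_plugins sh_exec:file { execute execute_no_trans map open read };
	allow hiprofiler_plugins self:capability setgid;
	allow hiprofiler_plugins sh:fd use;
	allow hiprofiler_plugins sh:dir { open read };
	allow hiprofiler_plugins sh:file { getattr open };
	allow hiprofiler_plugins console:file read;
')
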
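# Attribute-wide grant: the target is domain rather than a single type.
# NOTE(review): if domain is the attribute carried by every process type,
# these two rules let the plugin list and read the directory and file objects
# labeled with any process domain (presumably /proc/<pid>), on every build.
# They also make the per-service file read and getattr rules elsewhere in
# this file redundant for types that carry the attribute. Confirm that the
# breadth is intended and not meant to sit inside a build-type macro.
allow hiprofiler_plugins domain:dir { open read getattr search };
allow hiprofiler_plugins domain:file { open read getattr };

allow hiprofiler_plugins data_local_tmp:file ioctl;
# Connect to the hilogd stream socket.
allow hiprofiler_plugins hilogd:unix_stream_socket connectto;
allow hiprofiler_plugins musl_param:file { open read };
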
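# Build-time assertion: policy compilation fails if any allow rule gives
# hiprofiler_plugins the ptrace permission on class process for any target.
# It does not constrain the sys_ptrace capability (class capability), which
# this file grants in a separate rule.
neverallow hiprofiler_plugins *:process ptrace;
allow hiprofiler_plugins musl_param:file map;
allow hiprofiler_plugins dev_unix_file:sock_file write;
# hisysevent binary runs without a domain transition, inheriting the
# hiprofiler_plugins permission set.
allow hiprofiler_plugins hisysevent_exec:file { open read execute execute_no_trans map };
# Service lookup through samgr and binder calls into hiview.
allow hiprofiler_plugins samgr:binder call;
allow hiprofiler_plugins sa_sys_event_service:samgr_class get;
allow hiprofiler_plugins sa_hiview_service:samgr_class get;
allow hiprofiler_plugins hiview:binder { call transfer };
allow hiprofiler_plugins dev_console_file:chr_file { read write };
allow hiprofiler_plugins proc_diskstats_file:file getattr;
allow hiprofiler_plugins proc_uptime_file:file getattr;

# Read and map (no execute) on several executables.
# NOTE(review): presumably for symbol resolution while profiling - confirm.
allow hiprofiler_plugins appspawn_exec:file read;
allow hiprofiler_plugins data_local_tmp:fifo_file { open read unlink write };
allow hiprofiler_plugins hiview_exec:file { getattr map open read };
# Write on the perf_event class for the plugin's own events.
allow hiprofiler_plugins self:perf_event write;
allow hiprofiler_plugins storage_daemon_exec:file { getattr map open read };
allow hiprofiler_plugins vendor_bin_file:file { getattr map open read };
allow hiprofiler_plugins vendor_bin_file:dir search;
allow hiprofiler_plugins dev_file:dir getattr;

# Permission to send SIGKILL to processes in the hisysevent domain.
# NOTE(review): presumably to stop the helper started via hisysevent_exec;
# that rule uses execute_no_trans, so confirm where a process labeled
# hisysevent comes from.
allow hiprofiler_plugins hisysevent:process sigkill;
allow hiprofiler_plugins sa_accountmgr:samgr_class get;
allow hiprofiler_plugins sa_foundation_bms:samgr_class get;
allow hiprofiler_plugins hiview:fd use;
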
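# Rules whose source is another domain. These extend samgr (and accountmgr
# below), not hiprofiler_plugins: samgr may search and read file objects
# labeled hiprofiler_plugins, query its process attributes, and call and
# transfer over binder.
allow samgr hiprofiler_plugins:dir { search };
allow samgr hiprofiler_plugins:file { read open };
allow samgr hiprofiler_plugins:process { getattr };
allow samgr hiprofiler_plugins:binder { call transfer };
allow hiprofiler_plugins arkcompiler_param:file { read open map };
allow hiprofiler_plugins ark_writeable_param:file { read open map };
allow hiprofiler_plugins accountmgr:binder { call };
allow hiprofiler_plugins foundation:binder { call };
# Source is accountmgr: lets it transfer binder references to the plugin.
allow accountmgr hiprofiler_plugins:binder { transfer };
allow hiprofiler_plugins system_bin_file:lnk_file read;
allow hiprofiler_plugins toybox_exec:lnk_file read;
# SP_daemon binary may be run without a domain transition on every build.
# The process transition into the SP_daemon domain is granted only inside the
# developer_only macro later in this file, so outside that macro the binary
# runs with the hiprofiler_plugins permission set.
# NOTE(review): confirm this rule is meant to sit outside the macro.
allow hiprofiler_plugins SP_daemon_exec:file { getattr open read execute execute_no_trans map };

allow hiprofiler_plugins sa_render_service:samgr_class get;
allow hiprofiler_plugins render_service:binder { call transfer };
# Connect to stream sockets owned by normal_hap_attr processes, on every
# build.
# NOTE(review): normal_hap_attr is presumably the attribute for ordinary
# application processes - confirm. The reverse direction (applications
# connecting to the plugin) is restricted to the developer_only macro later
# in this file; check whether this rule belongs there as well.
allow hiprofiler_plugins normal_hap_attr:unix_stream_socket { connectto };
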
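# Extra grants wrapped in the developer_only macro. The macro is defined
# outside this file; presumably its body is emitted only when developer mode
# is enabled - confirm against the macro definition.
# Inside, for hiprofiler_plugins: read access to system_usr_file, transition
# into and signalling of the SP_daemon domain, open on ashmem, permission to
# set parameters labeled hiviewdfx_profiler_param through the parameter
# service socket, connect to a kernel-owned stream socket, and read access to
# the hilogd data directory.
# Inside, for other sources: hap_domain and sadomain may read the profiler
# parameter, and hap_domain may connect to, read and write the plugin stream
# socket and use its descriptors. These rules widen the policy of every type
# in those attributes, so the macro gate is the only thing keeping
# applications away from the plugin socket.
# Comments are kept outside the quoted macro body so that no quote character
# can end the m4 string early.
developer_only(`
    allow hiprofiler_plugins system_usr_file:dir { search };
    allow hiprofiler_plugins system_usr_file:file { getattr map open read };
    allow hiprofiler_plugins SP_daemon:process { rlimitinh siginh transition sigkill signal };
    allow hiprofiler_plugins dev_ashmem_file:chr_file { open };
    allow hiprofiler_plugins hiviewdfx_profiler_param:parameter_service { set };
    allow hiprofiler_plugins paramservice_socket:sock_file { read write };
    allow hiprofiler_plugins kernel:unix_stream_socket { connectto };
    allow hap_domain hiviewdfx_profiler_param:file { map open read };
    allow hap_domain hiprofiler_plugins:unix_stream_socket { connectto read write };
    allow hap_domain hiprofiler_plugins:fd { use };
    allow hiprofiler_plugins data_hilogd_file:dir { getattr open read search };
    allow hiprofiler_plugins data_hilogd_file:file { getattr open read };
    allow sadomain hiviewdfx_profiler_param:file { map open read };
')
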