# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the cloudfiledaemon domain.
# Format: SELinux policy source with m4 helper macros (binder_call, debug_only);
# every rule below is additive, so the order of rules has no effect on what is
# granted. Two rules near the end have another domain as the source and grant
# that domain access *to* cloudfiledaemon (see the binder section).

# --- System parameters and parameter watcher ---------------------------------
allow cloudfiledaemon persist_param:parameter_service { set };
allow cloudfiledaemon persist_param:file { map open read };
# rmdir on cloudfile_data_file:dir; the remaining dir perms for this type are
# granted further down, so the two rules could be consolidated.
allow cloudfiledaemon cloudfile_data_file:dir { rmdir };
allow cloudfiledaemon sa_accesstoken_manager_service:samgr_class { get };
allow cloudfiledaemon sa_param_watcher:samgr_class { get };
allow cloudfiledaemon param_watcher:binder { call transfer };
allow cloudfiledaemon dev_unix_socket:dir { search };
allow cloudfiledaemon paramservice_socket:sock_file { write };
# NOTE(review): connectto on a unix stream socket owned by the kernel domain.
# Confirm which socket this is for; a connect into the kernel domain is a
# broader grant than the paramservice/netsysnative sockets next to it.
allow cloudfiledaemon kernel:unix_stream_socket { connectto };
allow cloudfiledaemon netsysnative:unix_stream_socket { connectto };

# --- System abilities reached via samgr + binder ------------------------------
allow cloudfiledaemon netmanager:binder { call transfer };
allow cloudfiledaemon accesstoken_service:binder { call };
allow cloudfiledaemon data_service_file:dir { search };
allow cloudfiledaemon sa_foundation_cesfwk_service:samgr_class { get };
allow cloudfiledaemon foundation:binder { transfer call };
allow cloudfiledaemon sa_foundation_abilityms:samgr_class { get };
binder_call(cloudfiledaemon, powermgr);
allow cloudfiledaemon sa_powermgr_battery_service:samgr_class { get };

# --- App data directories -----------------------------------------------------
# NOTE(review): read+write on data_app_file and data_app_el2_file covers every
# object carrying those labels, not a single app's directory. Confirm that
# write (and ioctl/map on the EL2 files) is the minimum the daemon needs.
allow cloudfiledaemon data_app_file:dir { search open read write };
allow cloudfiledaemon data_app_el2_file:dir { search read write open };
allow cloudfiledaemon data_app_el2_file:file { lock getattr open read write ioctl map };
# /dev/fuse access — the daemon appears to serve a FUSE mount (inferred from
# the label name; confirm against the daemon source).
allow cloudfiledaemon dev_fuse_file:chr_file { read write };

# --- hmdfs (distributed file system) data under /data/service/el2 ------------
allow cloudfiledaemon data_service_el2_file:dir { search };
allow cloudfiledaemon data_service_el2_hmdfs:dir { create search read open write add_name remove_name };
allow cloudfiledaemon data_service_el2_hmdfs:file { create setattr getattr read open write append ioctl rename unlink };
allow cloudfiledaemon hmdfs:dir { search write remove_name add_name create open read rmdir rename reparent };
allow cloudfiledaemon hmdfs:file { read open getattr create append rename unlink ioctl };
# ioctl allow-list for hmdfs files. 0x5413 is the Linux TIOCGWINSZ request;
# 0xf202 looks like a filesystem-private request — confirm against the hmdfs
# driver headers and record the symbolic names here.
allowxperm cloudfiledaemon hmdfs:file ioctl { 0xf202 0x5413 };
allow cloudfiledaemon storage_daemon:fd { use };
allow cloudfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add get_remote get };
# Binder to/from any application domain (hap_domain is an attribute covering
# all HAP processes). A later `{ call }` rule for the same pair is subsumed by
# this one.
allow cloudfiledaemon hap_domain:binder { call transfer };
# Only compiled into debug builds: lets the shell call the daemon over binder.
debug_only(`
    allow cloudfiledaemon sh:binder { call };
')
allow cloudfiledaemon sa_net_conn_manager:samgr_class { get };
# NOTE(review): read/write on the console device is normally a debugging aid;
# consider whether it belongs inside debug_only like the sh rule above.
allow cloudfiledaemon dev_console_file:chr_file { read write };
allow cloudfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add };

# --- Daemon-owned data under /data/service/el1 and cloudfile_data_file --------
allow cloudfiledaemon data_service_el1_file:dir { search write add_name create remove_name read open };
allow cloudfiledaemon data_service_el1_file:file { create write open getattr setattr read rename unlink lock map };
allow cloudfiledaemon cloudfile_data_file:dir { search write add_name create remove_name read open setattr getattr };
allow cloudfiledaemon cloudfile_data_file:file { create write open getattr setattr read rename unlink lock map ioctl };
# ioctl allow-list for cloudfile data files. 0x5413 is TIOCGWINSZ; the 0xf5xx
# values look like filesystem-private requests — confirm and name them.
allowxperm cloudfiledaemon cloudfile_data_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 };
# Redundant: `call` is already granted by the `{ call transfer }` rule above.
allow cloudfiledaemon hap_domain:binder { call };
allow cloudfiledaemon data_file:dir { search };
allow cloudfiledaemon dev_ashmem_file:chr_file { open };
allow cloudfiledaemon distributeddata:binder { transfer call };
allow cloudfiledaemon distributeddata:fd { use };
allow cloudfiledaemon data_user_file:dir { read open search add_name write remove_name create rmdir rename reparent };
allow cloudfiledaemon data_user_file:file { read open getattr write create rename unlink append ioctl setattr };

# --- Networking ---------------------------------------------------------------
allow cloudfiledaemon cloudfiledaemon:udp_socket { create bind read write node_bind connect getattr ioctl setopt };
# Interface-query ioctls on the daemon's own UDP socket: 0x8912 SIOCGIFCONF,
# 0x8913 SIOCGIFFLAGS, 0x8915 SIOCGIFADDR, 0x891b SIOCGIFNETMASK.
allowxperm cloudfiledaemon cloudfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b };
allow cloudfiledaemon node:udp_socket { node_bind };
allow cloudfiledaemon node:tcp_socket { node_bind };
allow cloudfiledaemon cloudfiledaemon:tcp_socket { read create setopt connect getopt getattr write bind shutdown listen accept };
# NOTE(review): name_connect and name_bind on the `port` type. If `port` is the
# generic port type, this permits outbound connects and listening binds on any
# port that is not given a more specific label — confirm whether a dedicated
# port type for the daemon's service would be tighter.
allow cloudfiledaemon port:tcp_socket { name_connect name_bind };
allow cloudfiledaemon system_bin_file:dir { search };

# --- Media library data and further system abilities -------------------------
allow cloudfiledaemon medialibrary_hap_data_file:dir { search read open };
allow cloudfiledaemon medialibrary_hap_data_file:file { read open getattr write ioctl lock map };
allow cloudfiledaemon sa_dataobs_mgr_service_service:samgr_class { get };
allow cloudfiledaemon sa_distributeddata_service:samgr_class { get };
allow cloudfiledaemon normal_hap_attr:fd { use };
allow cloudfiledaemon system_core_hap_attr:fd { use };
# Incremental additions to hmdfs/el2 grants made earlier in this file; they
# could be folded into those rules without changing the resulting policy.
allow cloudfiledaemon hmdfs:file { write };
allow cloudfiledaemon data_service_el2_hmdfs:file { lock };
allow cloudfiledaemon data_storage:dir { search };
# Permission-set macros (expanded by m4); their exact contents are defined
# elsewhere in the policy tree.
allow cloudfiledaemon data_service_el2_hmdfs:file { create_file_perms_without_ioctl };
allow cloudfiledaemon data_service_el2_hmdfs:dir { create_dir_perms_without_ioctl };

# --- Binder peers (note the two reverse-direction rules) ----------------------
allow cloudfiledaemon accountmgr:binder { call };
# Reverse direction: accountmgr may transfer binder objects to cloudfiledaemon.
allow accountmgr cloudfiledaemon:binder { transfer };
allow cloudfiledaemon sa_accountmgr:samgr_class { get };
allow cloudfiledaemon sa_powermgr_powermgr_service:samgr_class { get };
allow cloudfiledaemon dev_unix_file:sock_file { write };
allow cloudfiledaemon sa_softbus_service:samgr_class { get };
allow cloudfiledaemon softbus_server:binder { call transfer };
allow cloudfiledaemon softbus_server:fd { use };
# Operates on TCP sockets created by softbus_server (passed in via the fd rule).
allow cloudfiledaemon softbus_server:tcp_socket { read write setopt shutdown };
allow cloudfiledaemon cloudfiledaemon:binder { call };
allow cloudfiledaemon cloudfiledaemon:netlink_route_socket { create };
allow cloudfiledaemon cloudfiledaemon:unix_dgram_socket { getopt };
allow cloudfiledaemon media_library_param:file { map open read };
allow cloudfiledaemon resource_schedule_service:binder { call transfer };
allow cloudfiledaemon sa_resource_schedule:samgr_class { get };
# Reverse direction: resource_schedule_service may call into cloudfiledaemon.
allow resource_schedule_service cloudfiledaemon:binder { call };