1# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
# Type-enforcement rules for the memmgrservice domain (memory manager service).
# Every rule below names memmgrservice as the source domain; targets are the
# object types it may touch, grouped loosely by purpose.

# Directory search / file read on data and init-agent paths; the generic
# `domain` rules let the service search other domains' dirs and read/getattr
# their files (presumably /proc/<pid> entries — confirm against the caller).
allow memmgrservice data_file:dir { search };
allow memmgrservice data_init_agent:dir { search };
allow memmgrservice data_init_agent:file { ioctl open read append };
allow memmgrservice domain:dir { search };
allow memmgrservice domain:file { open read getattr };
# Binder IPC with accountmgr, bgtaskmgr_service and foundation.
allow memmgrservice accountmgr:binder { call transfer };
allow memmgrservice dev_unix_socket:dir { search };
allow memmgrservice bgtaskmgr_service:binder { call transfer };
# cgroup: create entries and read/write cgroup control files.
allow memmgrservice cgroup:dir { add_name create search open read write };
allow memmgrservice cgroup:file { append getattr ioctl open read write };
allow memmgrservice foundation:binder { call transfer };
allow memmgrservice data_vendor:dir { search };
# hyperhold_sys: full directory management (relabelto/setattr included) plus
# create/rename/unlink of files.
allow memmgrservice hyperhold_sys:dir { search relabelto write add_name getattr setattr remove_name };
allow memmgrservice hyperhold_sys:file { getattr open read write create rename unlink };

# Capabilities: `kill` backs the sigkill rules below; `dac_override` bypasses
# DAC ownership checks; `sys_ptrace` is granted but the neverallow on the next
# line forbids any ptrace on any process, so it cannot be used to attach
# (presumably needed for /proc/<pid> reads gated by PTRACE_MODE_READ — confirm).
allow memmgrservice memmgrservice:capability { kill sys_resource dac_override sys_ptrace };
# Build-time assertion: memmgrservice must never be allowed to ptrace anything.
neverallow memmgrservice *:process ptrace;

# Write/getattr on normal-hap files and SIGKILL on normal-hap processes.
allow memmgrservice normal_hap_attr:file { write getattr };
allow memmgrservice normal_hap_attr:process { sigkill };

# The following rule was derived from these audit denials (permissive=1).
# NOTE(review): the rule is broader than the denials — it grants write/create/
# ioctl on every file labelled with the generic proc_file type, not only the
# "enable" and "lmkd_dbg_trigger" entries seen; a dedicated type would narrow it.
# NOTE(review): the denial shows ioctlcmd=0x5413 on proc_file, but unlike
# cgroup/data_init_agent below there is no allowxperm restricting proc_file
# ioctls here, so all ioctl numbers are permitted — confirm that is intended.
# denied  { read } for  pid=274 comm="event_runner#9" name="enable" dev="proc" ino=305072 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# denied  { create } for  pid=286 comm="event_runner#11" name="lmkd_dbg_trigger" scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# denied  { ioctl } for  pid=286 comm="event_runner#11" path="/proc/lmkd_dbg_trigger" dev="proc" ino=4026532101 ioctlcmd=0x5413 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
allow memmgrservice proc_file:file { write open read create ioctl getattr };

allow memmgrservice proc_meminfo_file:file { open read getattr };
# Same file-write / SIGKILL pattern for system_basic and system_core haps.
# NOTE(review): system_core_hap_attr:file lacks getattr, unlike the normal and
# system_basic rules — confirm whether that asymmetry is intentional.
allow memmgrservice system_basic_hap_attr:file { write getattr };
allow memmgrservice system_basic_hap_attr:process { sigkill };
allow memmgrservice system_core_hap_attr:file { write };
allow memmgrservice system_core_hap_attr:process { sigkill };
allow memmgrservice vendor_lib_file:file { read };
# ioctl is limited to 0x5413 (TIOCGWINSZ on Linux, typically issued by an
# isatty()-style probe — verify against the caller) for these two types.
allowxperm memmgrservice cgroup:file ioctl {  0x5413  };
allowxperm memmgrservice data_init_agent:file ioctl 0x5413;

# Parameter set — derived from the denial below. Note the grant covers every
# parameter labelled persist_sys_param, not only the one named in the log.
# denied  { set } for parameter=persist.sys.eswap.permanently.closed pid=287 uid=1111 gid=1111 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=parameter_service permissive=1
allow memmgrservice persist_sys_param:parameter_service { set };

# Parameter service socket: write to the sock_file, then connect to the
# kernel-labelled unix stream socket behind /dev/unix/socket/paramservice.
# denied  { write } for  pid=1798 comm="memmgrservice" name="paramservice" dev="tmpfs" ino=45 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
allow memmgrservice paramservice_socket:sock_file { write };

# denied  { connectto } for  pid=1798 comm="memmgrservice" path="/dev/unix/socket/paramservice" scontext=u:r:memmgrservice:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
allow memmgrservice kernel:unix_stream_socket { connectto };

# System-ability lookups via samgr (service ids 200 and 501 per the denials;
# the remaining SA types were added without a recorded denial).
# denied  { get } for service=200 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1
allow memmgrservice sa_accountmgr:samgr_class { get };

# denied  { get } for service=501 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1
allow memmgrservice sa_foundation_appms:samgr_class { get };

allow memmgrservice sa_foundation_cesfwk_service:samgr_class { get };

allow memmgrservice sa_foundation_abilityms:samgr_class { get };

allow memmgrservice sa_bgtaskmgr:samgr_class { get };

allow memmgrservice sa_foundation_bms:samgr_class { get };
allow memmgrservice netsysnative:file { getattr };

# vendor
# Read-only (plus map) access to vendor, chip and sys prod configuration files.
allow memmgrservice vendor_etc_file:dir { search };
allow memmgrservice vendor_etc_file:file { getattr map open read };

# chip
allow memmgrservice chip_prod_file:dir { search };
allow memmgrservice chip_prod_file:file { getattr map open read };

# sys
allow memmgrservice sys_prod_file:dir { search };
allow memmgrservice sys_prod_file:file { getattr map open read };

# host
# getattr only on HDF host domain files — no open/read is granted here.
allow memmgrservice user_auth_host:file { getattr };
allow memmgrservice pin_auth_host:file { getattr };
allow memmgrservice face_auth_host:file { getattr };
allow memmgrservice codec_host:file { getattr };
allow memmgrservice light_host:file { getattr };
allow memmgrservice vibrator_host:file { getattr };
allow memmgrservice sensor_host:file { getattr };
allow memmgrservice input_user_host:file { getattr };

# nandlife_controller
# Create/write/lock files under data_service_el1 and read sysfs CPU entries.
allow memmgrservice data_service_file:dir { search };
allow memmgrservice data_service_el1_file:dir { search write add_name };
allow memmgrservice data_service_el1_file:file { read open lock write getattr create };
allow memmgrservice sysfs_devices_system_cpu:file { read open getattr };
100