1# Copyright (c) 2022 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14type foundation, domain, sadomain; 15 16#domain_auto_transition_pattern(init, samain_exec, foundation); 17#allow init samain_exec:file execute_no_trans; 18 19#binder_call(foundation, appspawn); 20#binder_call(foundation, installs); 21#binder_call(foundation, deviceauth_service); 22#binder_call(foundation, samgr); 23#binder_call(foundation, render_service); 24#allow foundation hdf_devmgr:binder call; 25#allow appspawn foundation:binder call; 26#allow deviceauth_service foundation:binder call; 27 28#allow foundation appspawn:unix_stream_socket connectto; 29 30#allow foundation vendor_file:dir read_dir_perms; 31 32#allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read }; 33 34#allow foundation init:unix_stream_socket connectto; 35 36# "/system/profile/foundation.xml", O_RDONLY 37#allow foundation system_file:file read_file_perms; 38 39allow foundation multimodalinput:binder call; 40allow foundation multimodalinput:unix_stream_socket write; 41 42allow foundation accessibility:binder { call }; 43allow foundation accesstoken_service:binder { call }; 44allow foundation appspawn:unix_stream_socket { connectto }; 45allow foundation appspawn_socket:sock_file { write }; 46allow foundation bgtaskmgr_service:binder { call transfer }; 47allow foundation configfs:dir { search }; 48allow foundation configfs:file { open write }; 49allow foundation data_file:dir { getattr open read search }; 50allow foundation data_file:file { getattr map read open }; 51allow foundation data_app_el1_file:file { getattr read }; 52allow foundation data_app_el2_file:file { getattr read }; 53allow foundation data_service_el1_file:dir { add_name remove_name search write }; 54allow foundation data_service_el1_file:file { create ioctl open unlink write write open }; 55allow foundation data_service_file:dir { search }; 56allow foundation data_system_ce:file { lock }; 57allow foundation dev_ashmem_file:chr_file { open }; 58allow foundation device_usage_stats_service:binder { call transfer }; 59allow foundation deviceauth_service:binder { call transfer }; 60allow foundation devinfo_private_param:file { map open read }; 61allow foundation dev_unix_socket:dir { search }; 62allow foundation dev_unix_socket:sock_file { write }; 63allow foundation dev_mali:chr_file { ioctl map read write }; 64allow foundation distributeddata:binder { call transfer }; 65allow foundation distributedfileservice:binder { call }; 66allow foundation distributedsche:binder { call }; 67allow foundation foundation:unix_dgram_socket { getopt setopt }; 68allow foundation hdf_devmgr:binder { call transfer }; 69allow foundation hiview:binder { transfer }; 70allow foundation huks_service:binder { call }; 71allow foundation inputmethod_service:binder { call }; 72allow foundation memmgrservice:binder { call }; 73allow foundation msdp_sa:binder { call }; 74allow foundation multimodalinput:unix_stream_socket { read }; 75allow foundation normal_hap:dir { search }; 76allow foundation normal_hap:file { getattr read }; 77allow foundation normal_hap:process { sigkill }; 78allow foundation ohos_param:parameter_service { set }; 79allow foundation persist_param:parameter_service { set }; 80allow foundation power_host:binder { call }; 81allow foundation proc_file:file { open read }; 82allow foundation render_service:binder { call transfer }; 83allow foundation resource_schedule_service:binder { call transfer }; 84allow foundation sa_accountmgr:samgr_class { get }; 85allow foundation sa_distributed_bundle_mgr_service_service:samgr_class { get }; 86allow foundation sa_distributeddata_service:samgr_class { get }; 87allow foundation sa_distributeschedule:samgr_class { get }; 88allow foundation sa_foundation_abilityms:samgr_class { add get }; 89allow foundation sa_foundation_ans:samgr_class { add }; 90allow foundation sa_foundation_appms:samgr_class { add get }; 91allow foundation sa_foundation_bms:samgr_class { add }; 92allow foundation sa_foundation_devicemanager_service:samgr_class { add }; 93allow foundation sa_foundation_tel_call_manager:samgr_class { add }; 94allow foundation sa_msdp_devicestatus_service:samgr_class { get }; 95allow foundation sa_multimodalinput_service:samgr_class { get }; 96allow foundation sa_param_watcher:samgr_class { get }; 97allow foundation sa_softbus_service:samgr_class { get }; 98allow foundation sa_telephony_tel_cellular_call:samgr_class { get }; 99allow foundation sa_time_service:samgr_class { get }; 100allow foundation screenlock_server:binder { call transfer }; 101allow foundation sensors:binder { call }; 102allow foundation sh:binder { call transfer }; 103allow foundation softbus_server:binder { call transfer }; 104allow foundation storage_manager:binder { call transfer }; 105allow foundation sys_file:dir { open read }; 106allow foundation sys_file:file { ioctl open read }; 107allow foundation system_basic_hap:binder { call }; 108allow foundation system_basic_hap:fd { use }; 109allow foundation system_core_hap:binder { call }; 110allow foundation system_core_hap:file { getattr read }; 111allow foundation system_core_hap:process { sigkill }; 112allow foundation system_file:file { getattr map open read }; 113allow foundation time_service:binder { call transfer }; 114allow foundation vendor_lib_file:dir { search }; 115allow foundation work_scheduler_service:binder { call }; 116allow foundation servicectrl_param:parameter_service { set }; 117allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; 118allowxperm foundation dev_mali:chr_file ioctl { 0x8002 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8019 0x801d 0x801e 0x8026 }; 119allowxperm foundation sys_file:file ioctl { 0x5413 }; 120 121