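# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement policy for the `installs` daemon domain and its
# executable type. Every rule below is an additive `allow`; the `installs`
# domain is never granted `execute`/`execute_no_trans` on any data type, and
# the only `ioctl` grants are narrowed by allowxperm at the end of the file.
# Rules are grouped by target; order of allow rules has no effect on policy.

# `installs` carries the sadomain and domain attributes; its binary is labelled
# installs_exec. init_daemon_domain() is the project's daemon macro
# (presumably provides the init -> installs domain transition; see the macro
# definition for what exactly it grants).
type installs, sadomain, domain;
type installs_exec, system_file_attr, exec_attr, file_attr;

init_daemon_domain(installs);

# --- Application data directories (EL1 / EL2) ---
# installs adds and removes entries under per-level app data dirs, but on the
# parent types data_app_file / data_service_file it only gets `search`
# (directory traversal, no listing or modification).
allow installs data_app_el1_file:dir { add_name getattr open read remove_name rmdir search write };
# NOTE(review): `read map` is granted without `open`, so the file must reach
# installs already open (e.g. an inherited or received fd). Confirm this is
# intended rather than a missing `open`.
allow installs data_app_el1_file:file { create getattr ioctl setattr unlink map read };
allow installs data_app_el2_file:dir { add_name create getattr open read remove_name search setattr write rmdir };
allow installs data_app_file:dir { search };
allow installs data_file:file { getattr open read };

# --- Service data directories ---
# NOTE(review): remove_name/rmdir on a directory are normally paired with
# `write` on that same directory (the VFS write check on the parent inode).
# If installs actually removes entries under data_service_el1_file dirs this
# rule will produce AVC denials; verify against audit logs before widening it.
allow installs data_service_el1_file:dir { remove_name search rmdir };
allow installs data_service_el1_file:file { create setattr unlink getattr open read rename write ioctl map };
allow installs data_service_el2_file:dir { add_name create open read search setattr write getattr };
allow installs data_service_el2_hmdfs:dir { getattr };
allow installs data_service_file:dir { search };
allow installs data_service_el2_share:file { open read getattr setattr unlink };
allow installs data_service_el2_share:dir { add_name create open read search remove_name setattr write getattr rmdir };
allow installs dev_unix_socket:dir { search };

# --- Per-APL HAP data directories ---
# relabelfrom/relabelto let installs change the label on existing HAP data
# dirs (relabelfrom applies to the old type, relabelto to the new one, so
# both must be in this set). File-level access is metadata, read and unlink
# only; installs gets no `write` on HAP data file contents.
allow installs normal_hap_data_file:dir { getattr open read relabelfrom relabelto remove_name rmdir search setattr write };
allow installs normal_hap_data_file:file { open read getattr setattr unlink };
allow installs system_basic_hap_data_file:dir { open read relabelfrom relabelto remove_name rmdir search getattr setattr write };
allow installs system_basic_hap_data_file:file { open read getattr setattr unlink };
allow installs system_core_hap_data_file:dir { getattr open read relabelfrom relabelto remove_name rmdir search setattr write };
allow installs system_core_hap_data_file:file { create open read getattr unlink };

# --- Security context validation ---
# `check_context` is the kernel permission for validating a context string
# through selinuxfs (the /sys/fs/selinux/context node), which is why
# selinuxfs:file needs `write` here. Writes that would change policy state
# (enforce, load) are additionally gated by separate `security` class
# permissions (setenforce, load_policy) that are not granted to installs.
allow installs security:security { check_context };
allow installs selinuxfs:dir { search };
allow installs selinuxfs:file { open read write };

allow installs system_file:file { getattr open read };

# --- data_local (shared with appspawn and the HAP domains) ---
# NOTE(review): the appspawn and *_hap rules below grant other domains access
# to data_local and arkcompiler_param but live in the installs policy file.
# Consider moving them next to those domains' own rules so each domain's
# grants can be reviewed in one place.
allow installs data_local:file { create getattr ioctl setattr unlink map read open write };
allow installs data_local:dir { add_name create setattr getattr open read remove_name rmdir search write };
allow appspawn data_local:dir { add_name create mounton search write read open getattr };
# The three HAP APL levels receive identical grants; a source type set keeps
# them in sync (this expands to exactly the previous three per-domain rules).
allow { normal_hap system_basic_hap system_core_hap } data_local:file { getattr open read map create write };
allow { normal_hap system_basic_hap system_core_hap } data_local:dir { getattr search write add_name };
allow { normal_hap system_basic_hap system_core_hap } arkcompiler_param:file { getattr open read map };

# --- ioctl allow-listing ---
# The generic `ioctl` permission granted above is narrowed to one request
# code. 0x5413 is TIOCGWINSZ; musl's isatty() issues it on arbitrary fds,
# which is presumably why it appears on regular files here. Keep this list
# minimal: `ioctl` without an allowxperm permits every request code.
allowxperm installs data_app_el1_file:file ioctl { 0x5413 };
allowxperm installs data_service_el1_file:file ioctl { 0x5413 };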