1# Copyright (c) 2022 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14type distributedsche_param, parameter_attr; 15 16#avc: denied { add } for service=1401 pid=406 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_1401_service:s0 tclass=samgr_class permissive=1 17allow distributedsche sa_distributeschedule:samgr_class { add get_remote }; 18allow distributedsche sa_distributeddata_service:samgr_class { get }; 19allow distributedsche sa_softbus_service:samgr_class { get }; 20allow distributedsche sa_param_watcher:samgr_class { get }; 21allow distributedsche sa_accesstoken_manager_service:samgr_class { get }; 22allow distributedsche sa_foundation_bms:samgr_class { get }; 23allow distributedsche sa_accountmgr:samgr_class { get }; 24allow distributedsche sa_foundation_abilityms:samgr_class { get }; 25allow distributedsche accessibility_param:file { map open read }; 26allow distributedsche accesstoken_service:binder { call }; 27allow distributedsche accountmgr:binder { call }; 28allow distributedsche data_file:dir { search }; 29allow distributedsche data_service_file:dir { search }; 30allow distributedsche data_service_el1_file:dir { add_name open read search write getattr create remove_name rmdir }; 31allow distributedsche data_service_el1_file:file { create getattr ioctl open read write lock map unlink }; 32allow distributedsche deviceauth_service:binder { call }; 33allow distributedsche device_manager:binder { transfer }; 34allow distributedsche dev_ashmem_file:chr_file { open }; 35allow distributedsche dev_unix_socket:dir { search }; 36allow distributedsche distributeddata:binder { call transfer }; 37allow distributedsche distributedsche_param:parameter_service { set }; 38allow distributedsche distributedsche:unix_dgram_socket { getopt setopt }; 39allow distributedsche foundation:binder { call transfer }; 40allow distributedsche foundation:fd { use }; 41allow distributedsche kernel:unix_stream_socket { connectto }; 42allow distributedsche normal_hap:binder { call transfer }; 43allow distributedsche system_basic_hap:binder { call transfer }; 44allow distributedsche system_core_hap:binder { call transfer }; 45allow distributedsche paramservice_socket:sock_file { write }; 46allow distributedsche proc_cpuinfo_file:file { open read }; 47allow distributedsche proc_file:file { open read }; 48allow distributedsche sh:binder { call }; 49allow distributedsche softbus_server:binder { call transfer }; 50allow distributedsche softbus_server:fd { use }; 51allow distributedsche softbus_server:tcp_socket { read setopt shutdown write }; 52 53allow accountmgr distributedsche:binder { transfer }; 54allow init distributedsche:dir { search }; 55allow init distributedsche:file { open read }; 56allow init distributedsche:process { getattr }; 57allow sh distributedsche:binder { call transfer }; 58allow sh distributedsche:process { sigkill }; 59allow softbus_server distributedsche:binder { call }; 60allow distributedsche sa_foundation_devicemanager_service:samgr_class { get }; 61allow distributedsche devinfo_private_param:file { map open read}; 62allow distributedsche sa_form_mgr_service:samgr_class { get }; 63 64#avc: denied { get } for service=1903 pid=469 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_bgtaskmgr:s0 tclass=samgr_class permissive=1 65allow distributedsche sa_bgtaskmgr:samgr_class { get }; 66#avc: denied { read open } for pid=551 comm="foundation" scontext=u:r:foundation:s0 tcontext=u:r:distributedsche:s0 tclass=file permissive=1 67allow foundation distributedsche:file { read open }; 68#avc: denied { search } for pid=551 comm="foundation" name="469" dev="proc" ino=17886 scontext=u:r:foundation:s0 tcontext=u:r:distributedsche:s0 tclass=dir permissive=1 69allow foundation distributedsche:dir { search }; 70#avc: denied { get } for service=1909 pid=560 scontext=u:r:distributedsche:s0 tcontext=u:object_r:sa_memory_manager_service:s0 tclass=samgr_class permissive=0 71allow distributedsche sa_memory_manager_service:samgr_class { get }; 72#avc: denied { call } for pid=479 comm="DmsComponentCha" scontext=u:r:distributedsche:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=0 73allow distributedsche memmgrservice:binder { call }; 74 75neverallow {domain -samgr -distributedsche} sa_distributeschedule:samgr_class { get_remote }; 76