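# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the memmgrservice domain.
# Rules are grouped by target type; the audit denials that motivated a grant
# are kept as comments above it so each permission can be re-checked against
# the access that was actually observed.

# Directory lookups and the init-agent node (its ioctl set is filtered below).
allow memmgrservice data_file:dir { search };
allow memmgrservice data_init_agent:dir { search };
allow memmgrservice data_init_agent:file { ioctl open read append };
allow memmgrservice domain:dir { search };
allow memmgrservice domain:file { open read };
allow memmgrservice dev_unix_socket:dir { search };

# Binder peers this service talks to.
allow memmgrservice accountmgr:binder { call transfer };
allow memmgrservice bgtaskmgr_service:binder { call transfer };
allow memmgrservice foundation:binder { call transfer };

# cgroup hierarchy: create cgroup directories and write their control files.
allow memmgrservice cgroup:dir { add_name create search write };
allow memmgrservice cgroup:file { append getattr ioctl open read write };

# Capabilities. kill backs the sigkill rules below. sys_ptrace is granted as a
# capability only: the neverallow forbids process:ptrace on any target, so the
# capability cannot be turned into an attach to another process.
# NOTE(review): dac_override disables DAC checks on every file this domain is
# allowed to reach under MAC; confirm which path needs it and prefer fixing that
# file's owner/mode so the capability can be dropped.
allow memmgrservice memmgrservice:capability { kill sys_resource dac_override sys_ptrace };
neverallow memmgrservice *:process ptrace;

# Application processes: write their per-process files and kill them.
allow memmgrservice normal_hap:file { write };
allow memmgrservice normal_hap:process { sigkill };
allow memmgrservice system_basic_hap:file { write };
allow memmgrservice system_basic_hap:process { sigkill };
allow memmgrservice system_core_hap:file { write };
allow memmgrservice system_core_hap:process { sigkill };

# /proc access. Observed denials:
# denied { read } for pid=274 comm="event_runner#9" name="enable" dev="proc" ino=305072 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# denied { create } for pid=286 comm="event_runner#11" name="lmkd_dbg_trigger" scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# denied { ioctl } for pid=286 comm="event_runner#11" path="/proc/lmkd_dbg_trigger" dev="proc" ino=4026532101 ioctlcmd=0x5413 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:proc_file:s0 tclass=file permissive=1
# NOTE(review): proc_file is the generic label for /proc; write+create on it
# reaches far more than the two nodes in the denials above. Labelling
# /proc/lmkd_dbg_trigger with its own type and scoping write/create to that
# type would bring this down to the access that is actually needed.
allow memmgrservice proc_file:file { write open read create ioctl getattr };
# The only ioctl in the audit log is 0x5413. Filter it the same way the cgroup
# and data_init_agent grants below do rather than leaving ioctl unrestricted.
allowxperm memmgrservice proc_file:file ioctl { 0x5413 };
allow memmgrservice proc_meminfo_file:file { open read };

allow memmgrservice vendor_lib_file:file { read };

# ioctl command filters for the ioctl permissions granted above.
allowxperm memmgrservice cgroup:file ioctl { 0x5413 };
allowxperm memmgrservice data_init_agent:file ioctl 0x5413;

# System parameter service: set persist.sys.* parameters over the param socket.
# denied { set } for parameter=persist.sys.eswap.permanently.closed pid=287 uid=1111 gid=1111 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:persist_sys_param:s0 tclass=parameter_service permissive=1
allow memmgrservice persist_sys_param:parameter_service { set };

# denied { write } for pid=1798 comm="memmgrservice" name="paramservice" dev="tmpfs" ino=45 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
allow memmgrservice paramservice_socket:sock_file { write };

# The paramservice socket peer reported tcontext=u:r:kernel:s0 in the denial,
# so connectto is granted to the kernel domain rather than a paramservice domain.
# denied { connectto } for pid=1798 comm="memmgrservice" path="/dev/unix/socket/paramservice" scontext=u:r:memmgrservice:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
allow memmgrservice kernel:unix_stream_socket { connectto };

# System-ability lookups through samgr.
# denied { get } for service=200 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=1
allow memmgrservice sa_accountmgr:samgr_class { get };

# denied { get } for service=501 pid=275 scontext=u:r:memmgrservice:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=1
allow memmgrservice sa_foundation_appms:samgr_class { get };

allow memmgrservice sa_foundation_cesfwk_service:samgr_class { get };

allow memmgrservice sa_foundation_abilityms:samgr_class { get };

allow memmgrservice sa_bgtaskmgr:samgr_class { get };

allow memmgrservice sa_foundation_bms:samgr_class { get };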