• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14type inputmethod_service, sadomain, domain;
15
16allow inputmethod_service vendor_lib_file:file { open read getattr };
17allow inputmethod_service sa_foundation_bms:samgr_class { get };
18allow inputmethod_service dev_unix_socket:dir { search };
19allow inputmethod_service dev_unix_socket:sock_file { write };
20allow inputmethod_service normal_hap:binder { call };
21allow inputmethod_service system_basic_hap:binder { call };
22allow inputmethod_service system_core_hap:binder { call };
23allow inputmethod_service data_file:dir { search };
24allow inputmethod_service inputmethod_service:unix_dgram_socket { getopt setopt };
25allow inputmethod_service kernel:unix_stream_socket { connectto };
26allow inputmethod_service paramservice_socket:sock_file { write };
27allow inputmethod_service sa_subsys_ace_service:samgr_class { get };
28allow inputmethod_service pasteboard_service:binder { call transfer };
29allow inputmethod_service inputmethod_param:parameter_service { set };
30allow { domain -limit_domain } inputmethod_param:file { map open read };
31#avc:  denied  { get } for service=200 pid=475 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0
32#avc:  denied  { call } for  pid=485 comm="IPC_1_1016" scontext=u:r:inputmethod_service:s0 tcontext=u:r:accountmgr:s0 tclass=binder permissive=0
33#avc:  denied  { transfer } for  pid=504 comm="IPC_1_928" scontext=u:r:accountmgr:s0 tcontext=u:r:inputmethod_service:s0 tclass=binder permissive=0
34allow inputmethod_service sa_accountmgr:samgr_class { get };
35allow inputmethod_service accountmgr:binder { call };
36allow accountmgr inputmethod_service:binder { transfer };
37#avc:  denied  { signal } for  pid=1549 comm="sh" scontext=u:r:sh:s0 tcontext=u:r:inputmethod_service:s0 tclass=process permissive=1
38#avc:  denied  { read write } for  pid=1633 comm="sa_main" path="/dev/console" dev="tmpfs" ino=27 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
39#avc:  denied  { read } for  pid=1633 comm="sa_main" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
40#avc:  denied  { read } for  pid=1633 comm="inputmethod_ser" name="u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
41#avc:  denied  { search } for  pid=1633 comm="SaInit0" name="service" dev="mmcblk0p12" ino=7 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0
42#avc:  denied  { open } for  pid=1560 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
43#avc:  denied  { open } for  pid=1560 comm="inputmethod_ser" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
44#avc:  denied  { search } for  pid=1626 comm="SaInit0" name="el1" dev="mmcblk0p12" ino=11 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
45#avc:  denied  { map } for  pid=1576 comm="sa_main" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
46#avc:  denied  { map } for  pid=1576 comm="inputmethod_ser" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=62 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
47#avc:  denied  { write } for  pid=1553 comm="SaInit0" name="imf" dev="mmcblk0p12" ino=1014 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
48#avc:  denied  { add_name } for  pid=1557 comm="SaInit0" name="ime_cfg" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
49#avc:  denied  { create } for  pid=1555 comm="SaInit0" name="ime_cfg" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=0
50#avc:  denied  { create } for  pid=658 comm="SaInit3" name="ime_cfg.json" scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
51#avc:  denied  { read } for  pid=1607 comm="SaInit0" name="ime_cfg.json" dev="mmcblk0p12" ino=2292 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
52#avc:  denied  { write } for  pid=634 comm="SaInit0" name="ime_cfg.json" dev="mmcblk0p12" ino=2310 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
53#avc:  denied  { open } for  pid=621 comm="SaInit2" path="/data/service/el1/public/imf/ime_cfg/ime_cfg.json" dev="mmcblk0p12" ino=2310 scontext=u:r:inputmethod_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
54allow sh inputmethod_service:process { signal };
55allow inputmethod_service dev_console_file:chr_file { read write };
56allow inputmethod_service musl_param:file { read open map };
57allow inputmethod_service data_service_file:dir { search };
58allow inputmethod_service data_service_el1_file:dir { search write add_name create };
59allow inputmethod_service data_service_el1_file:file {create read write open };
60
61# add for TDD
62allow sh sa_inputmethod_service:samgr_class { get };
63allow inputmethod_service sh:binder { call transfer };
64allow sh inputmethod_service:binder { call transfer };
65
66