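# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement policy for the pasteboard system ability (SA).
# pasteboard_service runs as an SA domain (sadomain) and a generic domain.
type pasteboard_service, sadomain, domain;

# IPC with application domains and the shell. All three HAP tiers
# (system_core_hap, system_basic_hap, normal_hap) may look up the SA via
# samgr and exchange binder calls with it, so the binder interface is
# reachable from any installed app and is the trust boundary for clipboard
# content; input validation has to happen on the service side of that IPC.
allow pasteboard_service system_core_hap:binder { call transfer };
allow pasteboard_service system_basic_hap:binder { call transfer };
allow pasteboard_service normal_hap:binder { call transfer };
allow pasteboard_service sh:binder { call transfer };
allow pasteboard_service dev_unix_socket:dir { search };
allow system_core_hap sa_pasteboard_service:samgr_class { get };
allow system_basic_hap sa_pasteboard_service:samgr_class { get };
allow normal_hap sa_pasteboard_service:samgr_class { get };
allow system_core_hap pasteboard_service:binder { call transfer };
allow system_basic_hap pasteboard_service:binder { call transfer };
allow normal_hap pasteboard_service:binder { call transfer };
allow sh pasteboard_service:binder { call transfer };

# Lookups of / calls to other system abilities (foundation, BMS, WMS) and
# read-only access to accessibility parameters and /system/usr files.
allow pasteboard_service foundation:binder { call transfer };
allow pasteboard_service sa_foundation_bms:samgr_class { get };
allow pasteboard_service accessibility_param:file { read open map };
allow pasteboard_service system_usr_file:dir { search };
allow pasteboard_service sa_foundation_wms:samgr_class { get };

# Local persistence under data_service_el1_file. The file permission set
# originally listed `write` and `open` twice; the duplicates are dropped,
# the granted set is unchanged.
allow pasteboard_service data_service_el1_file:dir { add_name remove_name search write };
allow pasteboard_service data_service_el1_file:file { create ioctl open unlink write };

# Distributed data, device manager and distributed scheduler, used for the
# cross-device pasteboard path.
allow pasteboard_service distributeddata:binder { call transfer };
allow pasteboard_service sa_distributeddata_service:samgr_class { get };
allow distributeddata pasteboard_service:binder { call transfer };
allow pasteboard_service sa_foundation_devicemanager_service:samgr_class { get };
allow pasteboard_service sa_device_profile_service:samgr_class { get };
allow pasteboard_service device_manager:binder { call transfer };
allow pasteboard_service distributedsche:binder { call transfer };
allow pasteboard_service system_usr_file:file { getattr read open map };

# The shell domain may signal the service process. This is a debug/test
# convenience; confirm it is wanted on production builds.
allow sh pasteboard_service:process { signal };

# System parameter plumbing: talk to the param service socket, set the
# pasteboard parameters, and connect to the kernel's unix stream socket.
allow pasteboard_service paramservice_socket:sock_file { write };
allow pasteboard_service pasteboard_service:unix_dgram_socket { getopt setopt };
allow pasteboard_service kernel:unix_stream_socket { connectto };
allow pasteboard_service pasteboard_param:parameter_service { set };
# Broad grant: every domain except limit_domain may read/map the
# pasteboard_param files. Only pasteboard_service is allowed to set them
# (rule above); nothing secret should be published through these params.
allow { domain -limit_domain } pasteboard_param:file { map open read };

# Input method service.
allow pasteboard_service sa_inputmethod_service:samgr_class { get };
allow pasteboard_service inputmethod_service:binder { call transfer };

# Distributed file system (hmdfs) and the el2 hmdfs data area.
# NOTE(review): the hmdfs:dir set grants ioctl while the
# data_service_el2_hmdfs:dir set does not — confirm the asymmetry is intended.
allow pasteboard_service hmdfs:file { read open write getattr };
allow pasteboard_service data_service_el2_hmdfs:file { read open write getattr };
allow pasteboard_service hmdfs:dir { search read open write add_name create remove_name ioctl rmdir };
allow pasteboard_service data_service_el2_hmdfs:dir { search read open write add_name create remove_name rmdir };

# Read-only access to normal_hap data files; no write or open is granted here.
allow pasteboard_service normal_hap_data_file:file { read getattr };

# Account manager, both directions.
allow pasteboard_service sa_accountmgr:samgr_class { get };
allow accountmgr pasteboard_service:binder { call transfer };
allow pasteboard_service accountmgr:binder { call transfer };
# A second `allow pasteboard_service foundation:binder { call transfer };`
# appeared here in the original; it duplicates the rule in the foundation
# group above and was removed.

#avc: denied { get } for service=4607 pid=533 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1
allow pasteboard_service sa_foundation_dms:samgr_class { get };

#avc: denied { get } for service=7001 pid=533 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_subsys_ace_service:s0 tclass=samgr_class permissive=1
allow pasteboard_service sa_subsys_ace_service:samgr_class { get };

#avc: denied { call } for pid=561 scontext=u:r:pasteboard_service:s0 tcontext=u:r:ui_service:s0 tclass=binder permissive=1
allow pasteboard_service ui_service:binder { call transfer };

#avc: denied { call } for pid=640 scontext=u:r:ui_service:s0 tcontext=u:r:pasteboard_service:s0 tclass=binder permissive=1
allow ui_service pasteboard_service:binder { call transfer };

#avc: denied { use } for pid=555 comm="IPC_1_843" path="/dev/ashmem" dev="tmpfs" ino=166 scontext=u:r:sh:s0 tcontext=u:r:pasteboard_service:s0 tclass=fd permissive=1
# NOTE(review): the denial above justifies only sh using pasteboard_service
# fds (second rule). The reverse direction (first rule) has no recorded
# denial; confirm it is needed or drop it.
allow pasteboard_service sh:fd { use };
allow sh pasteboard_service:fd { use };

#avc: denied { get } for service=180 pid=1811 scontext=u:r:pasteboard_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
allow pasteboard_service sa_foundation_abilityms:samgr_class { get };

#avc: denied { use } for pid=2176 comm="jsThread-1" path="/dev/ashmem" dev="tmpfs" ino=176 scontext=u:r:pasteboard_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1
#avc: denied { use } for pid=524 comm="pasteboard_serv" path="/dev/ashmem" dev="tmpfs" ino=176 scontext=u:r:system_core_hap:s0 tcontext=u:r:pasteboard_service:s0 tclass=fd permissive=1
# Both directions are covered by the two denials above (ashmem fd sharing).
allow pasteboard_service system_core_hap:fd { use };
allow system_core_hap pasteboard_service:fd { use };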