# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the init domain and for the system parameter
# labels (*_param). Allow rules are additive and order-independent, so rules
# that share a permission set are folded into type sets below. Every grant of
# the original listing is kept; none is added.

# ---------------------------------------------------------------------------
# init: attribute, relabel and cleanup access on data paths, sockets, console
# ---------------------------------------------------------------------------
allow init data_ethernet:dir getattr;
allow init { data_log data_parameters }:file getattr;
allow init data_udev:dir relabelfrom;
allow init data_service_file:file { ioctl rename relabelfrom };
allow init data_service_file:dir remove_name;
allow init dev_console_file:chr_file relabelto;
allow init hisysevent_socket:sock_file { unlink setattr };

# init may transition into the privacy_service domain.
allow init privacy_service:process transition;

# ---------------------------------------------------------------------------
# init: access to objects labelled with other domain types
# ---------------------------------------------------------------------------
allow init { system_core_hap sh deviceinfoservice }:process getattr;
allow init system_core_hap:file { read open };
allow init system_core_hap:dir search;
# NOTE(review): sh:file carries relabelto/relabelfrom, the same permission set
# as the parameter files below and wider than the read-style access granted on
# system_core_hap and deviceinfoservice. Confirm the relabel permissions are
# required rather than copied from the parameter rules.
allow init sh:file { map open read relabelto relabelfrom };
allow init sh:dir search;
allow init deviceinfoservice:file { getattr open read };
allow init deviceinfoservice:dir { getattr search open read };

# ---------------------------------------------------------------------------
# Parameter labels: creation of the mapped files
# ---------------------------------------------------------------------------
# for create map file: each parameter label must be able to associate with the
# tmpfs filesystem.
# NOTE(review): const_postinstall_param, hilog_param, default_param and
# bootevent_param are used further down but have no associate rule in this
# file; presumably it is granted elsewhere. Confirm.
allow {
    accessibility_param
    servicectrl_param
    servicectrl_reboot_param
    startup_init_param
    startup_appspawn_param
    startup_uevent_param
    devinfo_private_param
    devinfo_public_param
    telephony_param
    useriam_fwkready_param
    netmanager_base_param
} tmpfs:filesystem associate;

# init maps, reads and relabels the parameter files.
allow init {
    accessibility_param
    const_postinstall_param
    hilog_param
    servicectrl_param
    servicectrl_reboot_param
    startup_init_param
    startup_appspawn_param
    startup_uevent_param
    devinfo_private_param
    devinfo_public_param
    telephony_param
    useriam_fwkready_param
    netmanager_base_param
}:file { map open read relabelto relabelfrom };

# ---------------------------------------------------------------------------
# for set: which domains may set parameters under each label
# ---------------------------------------------------------------------------
# Labels writable by init only.
allow init { startup_init_param devinfo_private_param devinfo_public_param }:parameter_service set;

# Labels with additional writers. The writer list is the trust boundary for
# each parameter group, so additions here deserve review.
allow { init samgr hdf_devmgr } servicectrl_param:parameter_service set;
allow { init updater_sa power_host foundation } servicectrl_reboot_param:parameter_service set;
allow { init appspawn } startup_appspawn_param:parameter_service set;
allow { init ueventd } startup_uevent_param:parameter_service set;
allow { init telephony_sa riladapter_host } telephony_param:parameter_service set;
allow { init netmanager } netmanager_base_param:parameter_service set;

# init is not listed as a writer for the next two labels.
allow useriam useriam_fwkready_param:parameter_service set;
# NOTE(review): sadomain, hdfdomain and nativedomain look like attributes
# covering whole families of domains, which would make bootevent_param the
# most widely writable label in this file. Confirm.
allow { sadomain hdfdomain nativedomain } bootevent_param:parameter_service set;

# ---------------------------------------------------------------------------
# for read: every domain except limit_domain may map and read these labels
# ---------------------------------------------------------------------------
# devinfo_private_param is absent from this list on purpose of the original
# layout: its readers are enumerated one by one in the udid section.
allow { domain -limit_domain } {
    servicectrl_param
    servicectrl_reboot_param
    startup_init_param
    startup_appspawn_param
    startup_uevent_param
    devinfo_public_param
    telephony_param
    useriam_fwkready_param
    netmanager_base_param
    accessibility_param
    default_param
}:file { map open read };

# ---------------------------------------------------------------------------
# for udid: explicit readers of devinfo_private_param
# ---------------------------------------------------------------------------
# This is an allow-list for the private device-information parameters, so each
# entry is a domain that can read the identifier.
# NOTE(review): sh is on the list, which gives the shell domain read access to
# the private device information. Confirm that is intended on production
# builds.
# init already holds map/open/read on this label through the init rule above;
# listing it here is redundant but harmless.
# d-bms is written without spaces and is presumably a single type name, unlike
# the set subtraction in { domain -limit_domain }. Confirm.
allow {
    init
    deviceinfoservice
    sh
    samgr
    hdf_devmgr
    softbus_server
    distributedsche
    accountmgr
    device_manager
    foundation
    d-bms
} devinfo_private_param:file { map open read };

# for param watcher to watch, must allow read
# softbus_server appears here and in the udid list above; the duplicate grant
# has no additional effect.
allow { param_watcher pin_auth_host softbus_server } devinfo_private_param:file { map open read };
allow param_watcher accessibility_param:file { map open read };

# ---------------------------------------------------------------------------
# for connect to param service
# ---------------------------------------------------------------------------
# NOTE(review): the connectto target is the kernel type, not init. Presumably
# the parameter-service socket carries the kernel label; confirm, since
# connectto on kernel-labelled sockets is not limited to that one socket.
allow deviceinfoservice paramservice_socket:sock_file write;
allow deviceinfoservice kernel:unix_stream_socket connectto;
allow deviceinfoservice init:file { getattr open read };

# for hidumper_service
allow hidumper_service sa_sysparam_device_service:samgr_class get;

# ---------------------------------------------------------------------------
# for fs size
# ---------------------------------------------------------------------------
# allowxperm only narrows the ioctl permission to the listed command numbers;
# it takes effect together with an allow rule for ioctl on the same
# source/target/class, which is not visible in this file.
# In the Linux UAPI headers 0x1268 is BLKSSZGET and 0x2285 is SG_IO.
# NOTE(review): SG_IO is a generic SCSI pass-through and is much broader than
# a size query. Confirm it is needed for the stated purpose.
allowxperm init dev_block_file:blk_file ioctl { 0x1268 0x2285 };

# ---------------------------------------------------------------------------
# for sysrq
# ---------------------------------------------------------------------------
# Write access to the sysrq trigger lets init request kernel sysrq actions.
# Keep this grant limited to init.
allow init proc_sysrq_trigger_file:file { getattr open write ioctl };