# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

allow init data_ethernet:dir { getattr };
allow init data_log:file { getattr };
allow init data_parameters:file { getattr };
allow init data_udev:dir { relabelfrom };
allow init privacy_service:process { transition };
allow init hisysevent_socket:sock_file { unlink setattr };
allow init system_core_hap:file { read open };
allow init system_core_hap:dir { search };
allow init system_core_hap:process { getattr };

allow init accessibility_param:file { map open read relabelto relabelfrom };
allow init const_postinstall_param:file { map open read relabelto relabelfrom };
allow init hilog_param:file { map open read relabelto relabelfrom };

allow accessibility_param tmpfs:filesystem associate;
allow init sh:file { map open read relabelto relabelfrom };
allow init sh:dir { search };
allow init sh:process { getattr };
allow init data_service_file:file { ioctl rename relabelfrom };
allow init data_service_file:dir { remove_name };
allow init dev_console_file:chr_file { relabelto };

# for create map file
allow servicectrl_param tmpfs:filesystem associate;
allow servicectrl_reboot_param tmpfs:filesystem associate;
allow startup_init_param tmpfs:filesystem associate;
allow startup_appspawn_param tmpfs:filesystem associate;
allow startup_uevent_param tmpfs:filesystem associate;
allow devinfo_private_param tmpfs:filesystem associate;
allow devinfo_public_param tmpfs:filesystem associate;
allow telephony_param tmpfs:filesystem associate;
allow useriam_fwkready_param tmpfs:filesystem associate;
allow netmanager_base_param tmpfs:filesystem associate;

allow init servicectrl_param:file { map open read relabelto relabelfrom };
allow init servicectrl_reboot_param:file { map open read relabelto relabelfrom };
allow init startup_init_param:file { map open read relabelto relabelfrom };
allow init startup_appspawn_param:file { map open read relabelto relabelfrom };
allow init startup_uevent_param:file { map open read relabelto relabelfrom };
allow init devinfo_private_param:file { map open read relabelto relabelfrom };
allow init devinfo_public_param:file { map open read relabelto relabelfrom };
allow init telephony_param:file { map open read relabelto relabelfrom };
allow init useriam_fwkready_param:file { map open read relabelto relabelfrom };
allow init netmanager_base_param:file { map open read relabelto relabelfrom };

#for set
allow { init samgr hdf_devmgr } servicectrl_param:parameter_service { set };
allow { init updater_sa power_host foundation } servicectrl_reboot_param:parameter_service { set };
allow init startup_init_param:parameter_service { set };
allow init devinfo_private_param:parameter_service { set };
allow { init appspawn } startup_appspawn_param:parameter_service { set };
allow { init ueventd } startup_uevent_param:parameter_service { set };
allow init devinfo_public_param:parameter_service { set };
allow { sadomain hdfdomain nativedomain } bootevent_param:parameter_service { set };
allow { init telephony_sa riladapter_host } telephony_param:parameter_service { set };
allow { useriam } useriam_fwkready_param:parameter_service { set };
allow { init netmanager } netmanager_base_param:parameter_service { set };

#for read
allow { domain -limit_domain } servicectrl_param:file { map open read };
allow { domain -limit_domain } servicectrl_reboot_param:file { map open read };
allow { domain -limit_domain } startup_init_param:file { map open read };
allow { domain -limit_domain } startup_appspawn_param:file { map open read };
allow { domain -limit_domain } startup_uevent_param:file { map open read };
allow { domain -limit_domain } devinfo_public_param:file { map open read };
allow { domain -limit_domain } telephony_param:file { map open read };
allow { domain -limit_domain } useriam_fwkready_param:file { map open read };
allow { domain -limit_domain } netmanager_base_param:file { map open read };

#for udid
allow { init deviceinfoservice sh samgr hdf_devmgr softbus_server } devinfo_private_param:file { map open read };
allow { distributedsche accountmgr device_manager foundation d-bms } devinfo_private_param:file { map open read };

allow { domain -limit_domain } accessibility_param:file { map open read };
allow { domain -limit_domain } default_param:file { map open read };

#for connect to param service
allow deviceinfoservice paramservice_socket:sock_file { write };
allow deviceinfoservice kernel:unix_stream_socket { connectto };
allow deviceinfoservice init:file { getattr open read };

allow init deviceinfoservice:file { getattr open read };
allow init deviceinfoservice:process { getattr };
allow init deviceinfoservice:dir { getattr search open read };
#for hidumper_service
allow hidumper_service sa_sysparam_device_service:samgr_class { get };

#for param watcher to watch, must allow read
allow { param_watcher pin_auth_host softbus_server } devinfo_private_param:file { map open read };
allow { param_watcher } accessibility_param:file { map open read };

#for fs size
allowxperm init dev_block_file:blk_file ioctl { 0x1268 0x2285 };

#for sysrq
allow init proc_sysrq_trigger_file:file { getattr open write ioctl };