
Lines Matching refs:domain

# Search-listing extract of an SELinux type-enforcement (.te) policy: every
# line that references the `domain` attribute. The leading number on each
# line is the source line number from the listing, and lines ending in "…"
# were truncated by the listing, so their full subject sets or permission
# sets are not visible here. Type and attribute names (hap_domain, appspawn,
# samgr, hdcd, ...) follow the OHOS naming seen in the "[OHOS ERROR]" lines.
#
# Baseline allow rules: what every process carrying `domain` may do to
# itself, to init, and to the basic filesystems/devices. Exceptions are
# carved out with set subtraction (`{ domain -limit_domain }`,
# `{ domain -normal_hap_attr }`, `{ domain -hap_domain }`).
15 allow domain init:process sigchld;
16 allow init domain:process sigkill;
18 allow domain self:process { fork sigchld sigkill sigstop signull signal getsched setsched getsessio…
20 allow domain self:fd use;
21 allow { domain -limit_domain } self:file rw_file_perms;
22 allow domain self:fifo_file rw_file_perms;
23 allow domain self:dir read_dir_perms;
24 allow domain self:lnk_file read_file_perms;
25 allow domain self:unix_dgram_socket { connect create write };
26 allow domain self:unix_stream_socket { accept bind connect create getattr listen read getopt setopt…
28 allow domain self:lockdown confidentiality;
30 allow domain init:fd use;
32 allow domain tmpfs:dir { getattr search };
33 allow domain tmpfs:lnk_file read;
# proc_attr access is withheld from normal_hap_attr (ordinary apps, going by
# the name - confirm against the attribute definition).
35 allow { domain -normal_hap_attr } proc_attr:dir read_dir_perms;
36 allow { domain -normal_hap_attr } proc_attr:lnk_file { getattr read };
40 allow domain rootfs:dir search;
41 allow domain rootfs:lnk_file { read getattr };
43 allow domain dev_file:dir search;
44 allow domain dev_null_file:chr_file rw_file_perms;
45 allow domain dev_zero_file:chr_file rw_file_perms;
46 allow domain dev_ashmem_file:chr_file { getattr read ioctl lock map append write };
# The allowxperm lines narrow the `ioctl` permission granted on the line
# above them to the listed request numbers, i.e. an ioctl allow-list on the
# binder and at device nodes rather than blanket ioctl access.
47 allow domain dev_binder_file:chr_file { ioctl map open read write };
48 allowxperm domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f };
49 allow domain dev_at_file:chr_file { ioctl open read write };
50 allowxperm domain dev_at_file:chr_file ioctl { 0x4101 0x4103 0x4104 };
52 allow domain dev_unix_file:dir search;
53 allow domain dev_unix_socket_file:dir { search };
54 allow domain dev_unix_socket_file:sock_file { write };
56 allow domain dev_random_file:chr_file rw_file_perms;
57 allow domain dev_parameters_file:dir { getattr search };
58 allow { domain -limit_domain } dev_parameters_file:file read_file_perms;
60 allow domain system_etc_file:dir { open read search getattr };
61 allow { domain -limit_domain } system_etc_file:file { getattr map open read };
63 allow domain system_file:dir { search };
64 allow domain vendor_file:dir search;
66 allow domain { lib_file system_lib_file vendor_lib_file }:dir { search };
67 allow { domain -limit_domain } { lib_file system_lib_file vendor_lib_file }:file { execute getattr …
68 allow domain { lib_file system_lib_file vendor_lib_file }:lnk_file { read };
71 allow domain system_profile_file:dir search;
73 allow domain sysfs_attr:lnk_file { getattr read };
74 allow domain sysfs_attr:dir search;
76 allow { domain -limit_domain } selinuxfs:file getattr;
78 allow domain debugfs:dir search;
80 allow domain fs_attr:filesystem getattr;
81 allow domain { fs_attr -unlabeled }:dir getattr;
83 allow domain etc_file:lnk_file { read };
# Kernel/init fd and socket sharing is withheld from hap_domain.
85 allow { domain -hap_domain } kernel:fd use;
87 allow domain init:unix_dgram_socket { sendto };
88 allow { domain -hap_domain } init:unix_stream_socket { read write };
89 allow { domain -hap_domain } init:netlink_kobject_uevent_socket { read write };
# dontaudit suppresses the denial log for noatsecure; it grants nothing.
92 dontaudit domain domain:process noatsecure;
#
# Assertions. A `neverallow` does not deny access at runtime by itself: it is
# a compile-time check that fails the policy build if any allow rule grants
# the listed access. `{ domain -x -y }` means every domain except x and y,
# `~{ ... }` means every permission except the listed ones, and `*` means all.
# The `debug_only(...)` / `updater_only(...)` forms are build-variant macros
# (m4-style quoting is visible); their arguments presumably apply only on
# debug / updater builds - confirm against the macro definitions.
# Lines starting with `#` are assertions the author disabled.
94 neverallow { domain -init } dev_parameters_file:file write;
95 neverallow { domain -init } data_parameters:dir never_write_dir;
97 neverallow { domain -init -appspawn -nwebspawn } proc_file:{ file dir } mounton;
# Disabled assertion: data_file dir writes are no longer restricted to
# init/foundation by this check.
100 #neverallow { domain -init -foundation } data_file:dir { write add_name remove_name };
103 neverallow { domain -hdcd -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -…
105 neverallow { domain -hdcd -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plug…
# Only samgr may become the binder context manager.
108 neverallow { domain -samgr } *:binder set_context_mgr;
110 neverallow { domain -init } hdcd:process transition;
116 neverallow { domain -init } debugfs: { file lnk_file } never_rw_file;
# Complement form: every permission on dev_port other than create, relabelto,
# unlink, setattr and getattr (so read/write/open/ioctl included) is asserted
# unreachable for all domains.
121 neverallow { domain } dev_port:chr_file ~{ create relabelto unlink setattr getattr };
# On debug builds the subject set becomes `{ domain -domain }`, which is
# empty, so this lockdown-integrity assertion would only be enforced on
# non-debug builds - confirm the debug_only expansion.
128 neverallow { domain debug_only(`-domain')} self:lockdown integrity;
136 neverallow { domain -installs } data_local_arkcache:file { write };
137 neverallow { domain -installs } data_local_arkcache:dir { write };
141 # keep every process in the domain attribute: only a type that carries `domain` may transition into a domain type.
142 neverallow ~domain domain:process { transition dyntransition };
145 neverallow domain { domain -sadomain -hdfdomain -hap_domain -nativedomain }:process { transition dy…
# Every type must carry one of the listed attributes before any access to it
# can be granted (attribute-coverage assertions).
149 neverallow * ~{ file_attr domain fs_attr dev_attr parameter_attr } :{ dir notdevfile_class_set } *;
152 neverallow domain ~{ domain fs_attr dev_attr parameter_attr system_file_attr sys_prod_file_attr ven…
# Default (unlabelled) parameter, service and HDF-service types must never be
# reachable: everything is expected to have a specific label.
169 neverallow domain default_param:parameter_service *;
172 neverallow domain default_service:samgr_class *;
175 neverallow domain default_hdf_service:hdf_devmgr_class *;
179 neverallow domain limit_domain:binder *;
182 neverallow { domain -init -kernel updater_only(`-updater') } unlabeled:dir_file_class_set *;
186 neverallow { domain -kernel } kernel:security setcheckreqprot;
187 neverallow { domain -init } kernel:security setsecparam;
189 # can't use domain type as exec target.
190 neverallow * domain:file { execute execute_no_trans entrypoint };
203 neverallow { domain -init -ueventd -riladapter_host debug_only(`-hdcd -softbus_server') -dev_file_…
206 #neverallow { domain -ueventd -riladapter_host debug_only(`-hdcd') } dev_file:sock_file *;
208 neverallow { domain -kernel -init -chipset_init -misc -updater_sa -storage_daemon -partitionslot_ho…
# Filesystem-level operations: mount/remount/relabel/quota are each limited to
# the named daemons (init, storage_daemon, ...); the rest of the class is
# asserted unreachable for everyone by the complement on line 210.
210 neverallow domain *:filesystem ~{ getattr mount remount unmount relabelfrom relabelto quotaget quot…
211 neverallow { domain -init -storage_daemon -appspawn -netsysnative updater_only(`-updater')} *:files…
212 neverallow { domain -init debug_only(`-hdcd') } *:filesystem remount;
213 neverallow { domain -init -storage_daemon debug_only(`-hdcd') -appspawn -nwebspawn updater_only(`-u…
214 neverallow { domain -init -storage_daemon } *:filesystem relabelfrom;
215 neverallow { domain -init -storage_daemon } *:filesystem relabelto;
216 neverallow { domain -storage_daemon } *:filesystem quotaget;
217 neverallow { domain -storage_daemon } *:filesystem quotamod;
219 neverallow { domain updater_only(`-updater -updater_binary -init')} rootfs:file { create write seta…
221 neverallow { domain -init -proc_sys_writer } { proc_attr sysfs_attr }:dir { add_name create link re…
223 neverallow { domain -init } debugfs_kprobes:file *;
# Parameter storage is read-only and non-executable for everything but init.
225 neverallow domain parameter_attr:file { ioctl lock };
227 neverallow { domain -init } data_parameters:file { never_write_file never_execute_file };
229 neverallow { domain -init } parameter_attr:file { never_write_file never_execute_file };
231 neverallow { domain -init } dev_parameters_file:file { never_write_file never_execute_file };
# No domain may execute a modified (writable then executable) file mapping.
233 neverallow domain file_attr:file execmod;
237 neverallow domain debugfs_attr:file { execute execute_no_trans };
239 neverallow { domain -cgroup_creator } cgroup:file create;
241 neverallow { domain -init } debugfs:{ file lnk_file } never_rw_file;
243 neverallow { domain -init -appspawn -nwebspawn -normal_hap_attr } { system_file_attr vendor_file_at…
245 neverallow { domain -kernel -hap_domain -locationhub
248 neverallow { domain -hdcd -hap_domain -sh -hiprofilerd -native_daemon -hiprofiler_plugins -hiperf -…
# The commented "[OHOS ERROR]" lines are CIL-format checker output pasted into
# the policy as a record of assertion violations; they are not active rules.
253 #[OHOS ERROR] (neverallow hdcd domain (udp_socket (ioctl read write create getattr setattr lock r…
254 #[OHOS ERROR] (neverallow init domain (udp_socket (ioctl read write create getattr setattr lock r…
256 #[OHOS ERROR] (neverallow hdcd domain (tcp_socket (ioctl read write create getattr setattr lock r…
260 neverallow { appspawn storage_daemon udevd resource_schedule_service ispserver console } domain:{ t…
264 neverallow { domain debug_only(`-hdcd') -sh updater_only(`-init -updater -updater_binary')} { rootf…
265 neverallow { domain debug_only(`-hdcd') -sh updater_only(`-init -updater -updater_binary')} { rootf…
267 #limit domain access to sh_exec
268 neverallow { domain -console -init -hdcd -sh -faultloggerd -riladapter_host -appspawn
# Memory/debug hardening: only appspawn and hap_domain may map executable
# anonymous memory; only processdump and hap_domain may ptrace another domain.
273 neverallow { domain -appspawn -hap_domain } self:process execmem;
275 neverallow { domain -processdump -hap_domain } domain:process ptrace;
279 # neverallow { domain -init } self:capability chown;
# Capability assertions. Each line asserts one Linux capability (in both the
# init and user namespaces, via `{ capability cap_userns }` /
# `{ capability2 cap2_userns }`) unreachable for every domain except the
# listed ones. The `cap_violator_*` names look like attributes that group the
# sanctioned exceptions per capability - confirm against their definitions.
282 neverallow { domain -appspawn -chipset_init -init -ueventd -installs -storage_daemon -cap_violator…
283 neverallow { domain -appspawn -init -chipset_init -ueventd -memmgrservice
286 neverallow { domain -chipset_init -appspawn -init -hidumper_service -hiview -storage_daemon -hiprof…
287 neverallow { domain -init -chipset_init -ueventd -installs -storage_daemon -cap_violator_fowner } s…
288 neverallow { domain -chipset_init -appspawn -init -ueventd -storage_daemon -cap_violator_fsetid } s…
289 neverallow { domain -init -memmgrservice -appspawn -nwebspawn -faultloggerd -foundation -resource_s…
290 neverallow { domain -init -chipset_init -appspawn -nwebspawn -storage_daemon debug_only(`-console -…
291 neverallow { domain -init -chipset_init -ueventd -appspawn -nwebspawn -storage_daemon debug_only(`-…
292 neverallow { domain -init -chipset_init } self:{ capability cap_userns } setpcap;
294 neverallow { domain -wifi_manager_service -netsysnative } self:{ capability cap_userns } net_bind_s…
296 neverallow { domain -init -chipset_init -ueventd -wifi_hal_service -wifi_manager_service -softbus_s…
297 neverallow { domain -wifi_hal_service -wifi_manager_service -netmanager -netsysnative -cap_violator…
298 neverallow { domain -hiperf } self:{ capability cap_userns } ipc_lock;
300 neverallow { domain -cap_violator_sysmodule } self:{ capability cap_userns } sys_module;
301 neverallow { domain -init -chipset_init -cap_violator_sysrawio} self:{ capability cap_userns } sys_…
302 neverallow { domain -init -chipset_init -appspawn } self:{ capability cap_userns } sys_chroot;
303 neverallow { domain -hiview -hidumper_service -memmgrservice -storage_daemon -hiprofiler_cmd -hipro…
306 neverallow { domain -init -chipset_init -storage_daemon -appspawn -nwebspawn -netsysnative debug_on…
307 neverallow { domain -init -chipset_init } self:{ capability cap_userns } sys_boot;
308 neverallow { domain -render_service -cap_violator_sysnice -composer_host } self:{ capability cap_us…
309 neverallow { domain -init -chipset_init -memmgrservice -netsysnative debug_only(`-hiebpf') } self:…
310 neverallow { domain -time_service } self:{ capability cap_userns } sys_time;
312 neverallow { domain -ueventd -kernel -storage_daemon } self:{ capability cap_userns } mknod;
319 neverallow { domain -hiview debug_only(`-hiperf') -cap_violator_syslog } self:{ capability2 cap2_us…
320 neverallow { domain -time_service -cap_violator_wakealarm } self:{ capability2 cap2_userns } wake_a…
321 neverallow { domain -power_host } self:{ capability2 cap2_userns } block_suspend;
324 neverallow { domain -hiperf -cap_violator_perfmon debug_only(`-hiebpf') } self:{ capability2 cap2_u…
326 # limit which domains hold the xpm exec_no_sign and exec_anon_mem permissions: only debug_hap (plus sh on debug builds) may run unsigned code, and only debug_hap and isolated_render (plus sh on debug builds) may execute anonymous memory.
327 neverallow { domain -debug_hap debug_only(`-sh') } self:xpm { exec_no_sign };
328 neverallow { domain -debug_hap -isolated_render debug_only(`-sh') } self:xpm { exec_anon_mem };