# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the `foundation` domain.
# The rules are grouped by object class so each kind of access can be audited
# on its own. Allow rules are additive, so their order does not affect the
# compiled policy.

# --- Binder IPC -------------------------------------------------------------
# `call` lets foundation start a transaction to the peer. `transfer` lets it
# pass binder references to the peer. A peer with only `transfer` (hdcd,
# hiview, netmanager) receives references but is not called directly here.
allow foundation accessibility:binder { call };
allow foundation accesstoken_service:binder { call };
allow foundation accountmgr:binder { call };
allow foundation bgtaskmgr_service:binder { call transfer };
allow foundation device_usage_stats_service:binder { call transfer };
allow foundation distributeddata:binder { call transfer };
allow foundation distributedfiledaemon:binder { call };
allow foundation distributedfileservice:binder { call };
allow foundation edm_sa:binder { call };
allow foundation hdcd:binder { transfer };
allow foundation hdf_devmgr:binder { call transfer };
allow foundation hiview:binder { transfer };
allow foundation memmgrservice:binder { call transfer };
allow foundation netmanager:binder { transfer };
allow foundation power_host:binder { call };
allow foundation quick_fix:binder { call transfer };
allow foundation render_service:binder { call transfer };
allow foundation resource_schedule_service:binder { call transfer };
allow foundation screenlock_server:binder { call transfer };
allow foundation softbus_server:binder { call };
allow foundation work_scheduler_service:binder { call };
# Application (HAP) domains reachable over binder. Only the system_basic and
# system_core attributes are listed; normal_hap_attr has no binder rule in
# this file.
allow foundation system_basic_hap_attr:binder { call transfer };
allow foundation system_core_hap_attr:binder { call transfer };

# --- Service registry (samgr / HDF device manager) --------------------------
# `add` registers a system ability and `get` looks one up. Every `add` below
# targets an sa_foundation_* type.
allow foundation hdf_allocator_service:hdf_devmgr_class { get };
allow foundation sa_accesstoken_manager_service:samgr_class { get };
allow foundation sa_accountmgr:samgr_class { get };
allow foundation sa_bgtaskmgr:samgr_class { get };
allow foundation sa_device_service_manager:samgr_class { get };
allow foundation sa_distributeddata_service:samgr_class { get };
allow foundation sa_distributeschedule:samgr_class { get };
allow foundation sa_foundation_abilityms:samgr_class { add };
allow foundation sa_foundation_ans:samgr_class { add };
allow foundation sa_foundation_appms:samgr_class { add get };
allow foundation sa_foundation_battery_service:samgr_class { get };
allow foundation sa_foundation_bms:samgr_class { add };
allow foundation sa_foundation_devicemanager_service:samgr_class { add get };
allow foundation sa_foundation_tel_call_manager:samgr_class { add };
allow foundation sa_foundation_wms:samgr_class { get };
allow foundation sa_memory_manager_service:samgr_class { get };
allow foundation sa_msdp_devicestatus_service:samgr_class { get };
allow foundation sa_multimodalinput_service:samgr_class { get };
allow foundation sa_param_watcher:samgr_class { get };
allow foundation sa_softbus_service:samgr_class { get };
allow foundation sa_storage_manager_service:samgr_class { get };
allow foundation sa_telephony_tel_cellular_call:samgr_class { get };

# --- Sockets, inherited descriptors and pipes --------------------------------
# The appspawn rules (write the socket file, connect to the stream socket, use
# its fds) presumably let foundation ask appspawn to start application
# processes. Confirm against the appspawn policy.
allow foundation appspawn_socket:sock_file { write };
allow foundation appspawn:fd { use };
allow foundation appspawn:unix_stream_socket { connectto };
allow foundation dev_unix_socket:dir { search };
allow foundation dev_unix_socket:sock_file { write };
allow foundation faultloggerd:fifo_file { read };
allow foundation foundation:unix_dgram_socket { getopt setopt };
allow foundation multimodalinput:unix_stream_socket { read };
allow foundation render_service:fd { use };
allow foundation system_basic_hap_attr:fd { use };

# --- System parameters --------------------------------------------------------
# `set` on persist_param lets this domain change values in that parameter
# class, so any consumer of those parameters inherits trust in foundation.
allow foundation bootevent_param:file { map open read };
allow foundation bootevent_param:parameter_service { set };
allow foundation persist_param:parameter_service { set };

# --- Files and directories ----------------------------------------------------
allow foundation configfs:dir { remove_name rmdir search write };
allow foundation data_app_el1_file:file { getattr map read };
allow foundation data_file:dir { search };
allow foundation data_service_el1_file:dir { add_name create remove_name search write };
allow foundation data_service_el1_file:file { create ioctl unlink write open };
allow foundation data_service_file:dir { search };
allow foundation data_system_ce:dir { add_name search write };
allow foundation data_system_ce:file { create getattr ioctl lock map open read write };
allow foundation dev_mali:chr_file { ioctl };
allow foundation normal_hap_data_file_attr:file { read };
allow foundation storage_manager:dir { search };
allow foundation storage_manager:file { open read write getattr };
allow foundation sys_file:file { ioctl write };
allow foundation system_basic_hap_data_file_attr:file { read };
# dir/file access on a process attribute presumably refers to the /proc/<pid>
# entries of system_core apps. TODO confirm.
allow foundation system_core_hap_attr:dir { search };
allow foundation system_core_hap_attr:file { getattr read };
allow foundation system_core_hap_data_file_attr:file { read };
allow foundation system_lib_file:dir { getattr };
allow foundation vendor_etc_file:dir { search };

# --- ioctl command allowlists -------------------------------------------------
# Each `ioctl` permission granted above has a matching allowxperm rule. With an
# allowxperm rule present for a (source, target, class) triple, only the listed
# command numbers are permitted, so a new ioctl needs both the base `allow` and
# an entry here.
# 0x5413 matches TIOCGWINSZ on Linux. 0xf50c matches the F2FS "get features"
# command number (confirm). 0x8002 is presumably specific to the Mali driver
# (verify against the driver header).
allowxperm foundation data_service_el1_file:file ioctl { 0x5413 };
allowxperm foundation data_system_ce:file ioctl { 0xf50c };
allowxperm foundation dev_mali:chr_file ioctl { 0x8002 };
allowxperm foundation sys_file:file ioctl { 0x5413 };

# --- Signals to application processes -----------------------------------------
# foundation may signal and kill processes in all three HAP attribute groups,
# presumably for application lifecycle management.
allow foundation normal_hap_attr:process { sigkill signal };
allow foundation system_basic_hap_attr:process { sigkill signal };
allow foundation system_core_hap_attr:process { sigkill signal };

# --- Capabilities and policy assertions ---------------------------------------
# CAP_SYS_PTRACE is granted, while the neverallow below asserts that no rule may
# give foundation `ptrace` on any process type. neverallow is checked when the
# policy is built, not at run time. The capability therefore only covers kernel
# checks that test CAP_SYS_PTRACE without the SELinux ptrace permission.
# NOTE(review): sys_ptrace is a broad capability for a service that brokers app
# lifecycle. Confirm which access actually needs it.
allow foundation foundation:capability { sys_ptrace };
neverallow foundation *:process ptrace;