# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules with the init domain as source. Each rule grants
# only the permissions listed in its braces on the named target type/class.
allow init data_ethernet:dir { getattr };
allow init data_log:file { getattr };
allow init data_parameters:file { getattr };
allow init data_udev:dir { relabelfrom };
# init may start a process that transitions into the privacy_service domain.
allow init privacy_service:process { transition };
allow init hisysevent_socket:sock_file { unlink setattr };
allow init system_core_hap_attr:file { read open };
allow init system_core_hap_attr:dir { search };
allow init system_core_hap_attr:process { getattr };
allow init system_lib_file:dir { open read };

# init may map/read these parameter files and may relabel them in both
# directions (relabelfrom the old type, relabelto this type).
allow init accessibility_param:file { map open read relabelto relabelfrom };
allow init const_postinstall_param:file { map open read relabelto relabelfrom };
allow init hilog_param:file { map open read relabelto relabelfrom };

# Files labelled accessibility_param may exist on a tmpfs-labelled filesystem.
allow accessibility_param tmpfs:filesystem associate;
allow init data_service_file:file { ioctl rename relabelfrom };
allow init data_service_file:dir { remove_name };
allow init dev_console_file:chr_file { relabelto };

# for create map file: objects of each parameter type below are allowed to
# associate with a filesystem labelled tmpfs.
allow servicectrl_param tmpfs:filesystem associate;
allow servicectrl_reboot_param tmpfs:filesystem associate;
allow startup_init_param tmpfs:filesystem associate;
allow startup_appspawn_param tmpfs:filesystem associate;
allow startup_uevent_param tmpfs:filesystem associate;
allow devinfo_private_param tmpfs:filesystem associate;
allow devinfo_public_param tmpfs:filesystem associate;
# Parameter types allowed to associate with a filesystem labelled tmpfs.
allow telephony_param tmpfs:filesystem associate;
allow useriam_fwkready_param tmpfs:filesystem associate;
allow bluetooth_param tmpfs:filesystem associate;

# init may map/read each parameter file type and relabel it in both directions.
allow init servicectrl_param:file { map open read relabelto relabelfrom };
allow init servicectrl_reboot_param:file { map open read relabelto relabelfrom };
allow init startup_init_param:file { map open read relabelto relabelfrom };
allow init startup_appspawn_param:file { map open read relabelto relabelfrom };
allow init startup_uevent_param:file { map open read relabelto relabelfrom };
allow init devinfo_private_param:file { map open read relabelto relabelfrom };
allow init devinfo_public_param:file { map open read relabelto relabelfrom };
allow init telephony_param:file { map open read relabelto relabelfrom };
allow init useriam_fwkready_param:file { map open read relabelto relabelfrom };
allow init bluetooth_param:file { map open read relabelto relabelfrom };

# for set: the source domains that hold the set permission of the
# parameter_service class on each parameter type. Every domain added to a
# source set here becomes a writer of that parameter type.
allow { init samgr hdf_devmgr } servicectrl_param:parameter_service { set };
# NOTE(review): the type name suggests these parameters control reboot;
# keep the writer list as short as possible - confirm each member needs it.
allow { init updater_sa power_host foundation } servicectrl_reboot_param:parameter_service { set };
allow init startup_init_param:parameter_service { set };
allow init devinfo_private_param:parameter_service { set };
allow { init appspawn } startup_appspawn_param:parameter_service { set };
allow { init ueventd } startup_uevent_param:parameter_service { set };
allow init devinfo_public_param:parameter_service { set };
# NOTE(review): the three sources here look like attributes covering whole
# families of domains rather than single domains, which makes this the
# broadest set grant in the group - confirm that is intended.
allow { sadomain hdfdomain nativedomain } bootevent_param:parameter_service { set };
allow { init telephony_sa riladapter_host } telephony_param:parameter_service { set };
allow { useriam } useriam_fwkready_param:parameter_service { set };
allow { init bluetooth_service } bluetooth_param:parameter_service { set };

# for read: every domain except those in limit_domain may map/open/read
# these parameter files. devinfo_private_param is not in this list; its
# readers are enumerated separately below.
allow { domain -limit_domain } servicectrl_param:file { map open read };
allow { domain -limit_domain } servicectrl_reboot_param:file { map open read };
allow { domain -limit_domain } startup_init_param:file { map open read };
allow { domain -limit_domain } startup_appspawn_param:file { map open read };
allow { domain -limit_domain } startup_uevent_param:file { map open read };
allow { domain -limit_domain } devinfo_public_param:file { map open read };
allow { domain -limit_domain } telephony_param:file { map open read };
allow { domain -limit_domain } useriam_fwkready_param:file { map open read };
allow { domain -limit_domain } bluetooth_param:file { map open read };

# for udid: explicit allow-list of domains that may read the private
# device-info parameter file.
# NOTE(review): sh appears in this list outside the debug_only block further
# down - confirm the shell domain is meant to read devinfo_private_param in
# non-debug builds.
allow { init deviceinfoservice sh samgr hdf_devmgr softbus_server } devinfo_private_param:file { map open read };
allow { distributedsche accountmgr device_manager foundation d-bms } devinfo_private_param:file { map open read };

allow { domain -limit_domain } accessibility_param:file { map open read };
allow { domain -limit_domain } default_param:file { map open read };

# for connect to param service: deviceinfoservice writes to the parameter
# service socket file and connects to a unix stream socket labelled kernel.
allow deviceinfoservice paramservice_socket:sock_file { write };
allow deviceinfoservice kernel:unix_stream_socket { connectto };
allow deviceinfoservice init:file { getattr open read };

# init may inspect the files, directories and process attributes of
# deviceinfoservice (presumably its /proc entries - confirm).
allow init deviceinfoservice:file { getattr open read };
allow init deviceinfoservice:process { getattr };
allow init deviceinfoservice:dir { getattr search open read };
# for hidumper_service
allow hidumper_service sa_sysparam_device_service:samgr_class { get };

# for param watcher to watch, must allow read
allow { param_watcher pin_auth_host softbus_server } devinfo_private_param:file { map open read };
allow { param_watcher } accessibility_param:file { map open read };

# for fs size: only these two ioctl request numbers are permitted on block
# devices by this rule. 0x1268 and 0x2285 look like the Linux BLKSSZGET and
# SG_IO requests - confirm against the kernel headers in use.
allowxperm init dev_block_file:blk_file ioctl { 0x1268 0x2285 };

# for sysrq: init may write to the file labelled proc_sysrq_trigger_file.
# NOTE(review): presumably this is the kernel SysRq trigger, so a write can
# force actions such as reboot or crash - keep this grant limited to init.
allow init proc_sysrq_trigger_file:file { getattr open write ioctl };

# for init trace
allow init tracefs_trace_marker_file:file { getattr write open read ioctl };
allow init tracefs:file { getattr ioctl open read write };
allow init tracefs:filesystem { mount };

# The rules wrapped in the debug_only macro below let init read, map and
# relabel sh files and look at the sh process. The macro is defined outside
# this file; presumably it drops its body in non-debug builds - confirm.
debug_only(`
    allow init sh:file { map open read relabelto relabelfrom };
    allow init sh:dir { search };
    allow init sh:process { getattr };
')

# Service start-up rules. For process targets, transition lets init start
# the service in its own domain; rlimitinh and siginh let the new process
# keep the resource limits and signal state of init across that transition.
# a2dp_host additionally allows init to send SIGKILL.
allow init a2dp_host:process { rlimitinh siginh sigkill transition };
allow init accessibility:process { rlimitinh siginh transition };
allow init accesstoken_data_file:file { getattr open read write relabelto setattr };
allow init accesstoken_service:process { rlimitinh siginh transition };
allow init appspawn:process { signal };
allow init appspawn_socket:sock_file { getattr relabelto };
allow init bgtaskmgr_service:process { rlimitinh siginh transition };
allow init blue_host:process { rlimitinh siginh transition };
allow init bluetooth_service:process { rlimitinh siginh transition };
allow init bootanimation:dir { search };
allow init bootanimation:file { open read };
allow init bootanimation:process { getattr rlimitinh siginh transition };
allow init bootevent_param:file { map open read relabelto };
allow init bootevent_samgr_param:file { map open read relabelto };
allow init build_version_param:file { map open read relabelto };
allow init camera_service:process { rlimitinh siginh transition };
allow init mdnsmanager:process { rlimitinh siginh transition };
# init creates and mounts the cgroup and configfs hierarchies.
allow init cgroup:dir { add_name create open read search setattr write };
allow init cgroup:file { getattr open setattr };
allow init cgroup:filesystem { mount };
allow init cgroup:file { write };
allow init config_file:dir { mounton };
allow init configfs:dir { add_name create mounton open read search setattr write };
allow init configfs:file { create getattr open };
allow init configfs:filesystem { mount };
allow init configfs:file { write };
allow init configfs:lnk_file { create };
allow init const_allow_mock_param:file { map open read relabelto };
allow init const_allow_param:file { map open read relabelto };
allow init const_build_param:file { map open read relabelto };
allow init const_display_brightness_param:file { map open read relabelto };
allow init const_param:file { map open read relabelto };
allow init const_postinstall_fstab_param:file { map open read relabelto };
allow init const_postinstall_param:file { map open read relabelto };
allow init const_product_param:file { map open read relabelto };
# Data directory set-up: init may create directories under these types, set
# their attributes and assign the final label (relabelto). Only a few types
# also carry relabelfrom, i.e. can have their label changed away by init.
allow init data_appasec:dir { getattr open read relabelto setattr };
allow init data_app_el1_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el2_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el3_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el4_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_appephemeral:dir { getattr open read relabelto setattr };
allow init data_app_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_applib:dir { getattr open read relabelto setattr };
allow init data_appprivate:dir { getattr open read relabelto setattr };
allow init data_appstaging:dir { getattr open read relabelto setattr };
allow init data_backup:dir { getattr open read relabelto setattr };
allow init data_bluetooth:dir { getattr open read relabelto search setattr add_name create write };
allow init data_cache:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_el1_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_el2_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_data_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_data_pulse_dir:file { unlink };
allow init data_drm:dir { getattr open read relabelto setattr };
allow init data_ethernet:dir { open read relabelto setattr };
allow init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write };
allow init data_file:sock_file { getattr relabelfrom };
allow init data_hilogd_file:dir { relabelto };
allow init data_libinput:dir { getattr open read relabelto search setattr };
allow init data_libinput:file { relabelto };
allow init data_local:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_local_tmp:dir { getattr open read relabelto setattr };
allow init data_local_traces:dir { getattr open read relabelto setattr };
allow init data_local_arkcache:dir { getattr open read relabelto setattr };
allow init data_log:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_log:file { relabelto };
allow init data_media:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_ce:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_ce:file { getattr setattr };
allow init data_misc_de:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_de:file { getattr setattr };
allow init data_misc:dir { add_name create getattr open read relabelto search setattr write };
allow init data_nfc:dir { add_name create getattr open read relabelto search setattr write };
allow init data_ota:dir { getattr open read relabelto setattr };
allow init data_ota_package:dir { getattr open read relabelto setattr };
allow init data_parameters:dir { add_name getattr open read relabelto remove_name search setattr write };
# NOTE(review): read, write and open are each listed twice in this set. The
# duplicates do not change what is granted but make the rule harder to audit.
allow init data_parameters:file { create ioctl open read read append relabelto rename unlink write write open };
allow init data_preloads:dir { getattr open read relabelto setattr };
allow init data_resourcecache:dir { getattr open read relabelto setattr };
allow init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el0_file:file { create getattr read write open relabelfrom };
allow init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el1_file:file { getattr setattr relabelto };
allow init data_service_el1_public_deviceauthService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el1_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el2_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el2_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el2_hmdfs:dir { getattr open read relabelto setattr };
allow init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
# NOTE(review): write is listed twice in this set; harmless duplicate.
allow init data_service_file:file { create getattr unlink write write open };
allow init data_ss:dir { getattr open read relabelto setattr };
allow init data_storage:dir { getattr open read relabelto setattr };
allow init data_system_ce:dir { getattr open read relabelto setattr };
allow init data_system_de:dir { getattr open read relabelto setattr };
allow init data_system:dir { add_name create getattr open read relabelto search setattr write };
allow init data_udev:dir { getattr open read relabelto search setattr };
allow init data_updater_file:dir { getattr open read relabelto search setattr };
allow init data_updater_file:file { relabelto };
# Allow rules with init as source: data directories, device nodes, service
# domains, parameter files, capabilities and kernel interfaces.
allow init data_user_de:dir { getattr open read relabelto setattr };
allow init data_user:dir { add_name getattr open read relabelto search setattr write };
allow init data_user:lnk_file { create };
allow init data_vendor_ce:dir { getattr open read relabelto setattr };
allow init data_vendor_de:dir { getattr open read relabelto setattr };
allow init data_vendor:dir { add_name create getattr open read relabelto search setattr write };
# For process targets, transition lets init start the service in its own
# domain; rlimitinh and siginh let the new process keep the resource limits
# and signal state of init. Some targets also allow SIGKILL from init.
allow init d-bms:process { rlimitinh siginh sigkill transition };
allow init dcamera_host:process { rlimitinh siginh sigkill transition };
allow init dcamera:process { rlimitinh siginh transition };
allow init debugfs:dir { mounton };
allow init debugfs:filesystem { mount };
allow init debugfs_usb:dir { search };
allow init debug_param:file { map open read relabelto };
allow init default_param:file { map open read relabelto };
allow init dev_at_file:chr_file { ioctl setattr };
allow init dev_binder_file:chr_file { relabelto };
# Raw read/write access to block devices.
# NOTE(review): read and write are each listed twice in this set; the
# duplicates grant nothing extra but obscure the real permission list.
allow init dev_block_file:blk_file { getattr ioctl open read read write relabelto setattr write };
allow init dev_block_file:dir { open read relabelto search };
allow init dev_block_file:lnk_file { read relabelto };
allow init dev_block_volfile:dir { open read relabelto search };
allow init dev_char_file:dir { getattr open read relabelto setattr };
allow init dev_console_file:chr_file { getattr ioctl open read write };
allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write };
allow init dev_file:lnk_file { create };
allow init dev_fscklogs_file:dir { open read relabelto search setattr };
# For most device nodes init only needs setattr (owner/mode changes); it is
# not granted open/read/write on them here.
allow init dev_fuse_file:chr_file { setattr };
allow init dev_graphics_file:chr_file { setattr };
allow init dev_graphics_file:dir { search };
allow init dev_hdf_disp:chr_file { setattr };
allow init dev_hdf_file:chr_file { setattr };
allow init dev_hdf_input:chr_file { setattr };
allow init dev_hdf_kevent:chr_file { setattr };
allow init deviceinfoservice:process { rlimitinh siginh transition };
allow init device_usage_stats_service:process { rlimitinh siginh transition };
allow init dev_kmsg_file:chr_file { getattr open read relabelto setattr write };
allow init dev_mali:chr_file { setattr };
allow init dev_mgr_file:chr_file { setattr };
allow init dev_mpp:chr_file { setattr };
allow init dev_null_file:chr_file { relabelto };
allow init dev_parameters_file:dir { add_name open read relabelto write };
allow init dev_parameters_file:file { create relabelfrom relabelto write };
allow init devpts:chr_file { getattr relabelfrom read write open };
allow init devpts:dir { relabelfrom };
allow init dev_pts_file:chr_file { relabelto };
allow init dev_pts_file:dir { open read relabelto search };
allow init dev_random_file:chr_file { relabelto };
allow init dev_rga:chr_file { setattr };
allow init dev_sched_rtg_ctrl:chr_file { setattr };
allow init dev_uhid_file:chr_file { setattr };
allow init dev_tun_file:chr_file { setattr };
allow init dev_unix_file:dir { getattr open read relabelto };
allow init dev_unix_file:sock_file { getattr relabelto };
allow init dev_unix_socket:dir { add_name getattr open read relabelto remove_name search write };
allow init dev_unix_socket:sock_file { create getattr relabelfrom setattr };
allow init dev_usb_ffs:dir { add_name create getattr mounton open read relabelto search setattr write };
allow init dev_v_file:dir { open getattr read relabelto setattr };
allow init dev_v_file:chr_file { setattr };
allow init dev_media_file:chr_file { setattr };
allow init dev_video_file:chr_file { setattr };
allow init dhardware:process { rlimitinh siginh transition };
allow init distributeddata:process { rlimitinh siginh transition };
allow init distributedfiledaemon:process { rlimitinh siginh transition };
allow init distributedsche_param:file { map open read relabelto };
allow init distributedsche:process { rlimitinh siginh transition };
allow init download_server:process { rlimitinh siginh transition };
allow init dscreen:process { rlimitinh siginh transition };
allow init dslm_service:process { rlimitinh siginh transition };
allow init edm_sa:process { rlimitinh siginh transition };
# execute on a *_exec type (without execute_no_trans) is the entry step for
# starting the service through a domain transition.
allow init faultloggerd_exec:file { execute getattr read open };
allow init faultloggerd:process { rlimitinh siginh transition };
allow init faultloggerd_socket:sock_file { getattr relabelto unlink };
allow init faultloggerd_temp_file:dir { getattr open read relabelfrom relabelto setattr };
allow init fd_holder_socket:sock_file { getattr relabelto write };
allow init foundation:dir { search };
allow init foundation:file { open read };
allow init foundation:process { getattr rlimitinh siginh transition };
allow init functionfs:filesystem { mount };
allow init hdcd_exec:file { execute getattr open read };
allow init hdcd:process { rlimitinh siginh transition getattr };
allow init hdcd:file { read open };
allow init hdcd:dir { search };
allow init hdcd_socket:sock_file { getattr relabelto unlink };
allow init hdf_devmgr:dir { search };
allow init hdf_devmgr:file { open read };
allow init hdf_devmgr:process { getattr };
allow init hidumper_file:dir { getattr open read relabelto setattr };
allow init hidumper_service:process { rlimitinh siginh transition };
allow init hilog_control_socket:sock_file { getattr relabelto };
allow init hilog_input_socket:sock_file { getattr relabelto };
allow init hilog_param:file { map open read relabelto };
allow init hisysevent_socket:sock_file { getattr relabelto };
allow init hiview_file:dir { getattr open read relabelto setattr search };
allow init hw_sc_build_os_param:file { map open read relabelto };
allow init hw_sc_build_param:file { map open read relabelto };
allow init hw_sc_param:file { map open read relabelto };
# Capabilities init may exercise. The set includes dac_override and
# dac_read_search (bypass discretionary file permissions), sys_admin,
# sys_rawio and sys_boot, so any addition here deserves a dedicated review.
allow init init:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource };
allow init init:netlink_kobject_uevent_socket { bind create setopt };
allow init init_param:file { map open read relabelto };
# setexec / setsockcreate: init may choose the security context used for
# its next exec and for sockets it creates.
allow init init:process { setexec setsockcreate };
allow init init_svc_param:file { map open read relabelto };
allow init init:udp_socket { create ioctl };
allow init init:unix_dgram_socket { bind setopt getopt getattr read };
allow init inputmethod_service:process { rlimitinh siginh transition };
allow init input_pointer_device_param:file { map open read relabelto };
allow init input_user_host:process { rlimitinh siginh transition };
allow init ispserver:process { rlimitinh siginh transition };
allow init kernel:process { setsched };
# syslog_read: init may read the kernel log.
allow init kernel:system { syslog_read };
allow init kernel:unix_stream_socket { write };
allow init labeledfs:filesystem { mount remount unmount };
allow init location_host:process { rlimitinh siginh transition };
allow init locationhub:process { rlimitinh siginh transition };
allow init media_service:process { rlimitinh siginh transition };
allow init memmgrservice:dir { search };
allow init memmgrservice:file { open read };
allow init memmgrservice:process { getattr rlimitinh siginh transition };
allow init misc:process { rlimitinh siginh transition };
allow init mmi_uinput_service:process { rlimitinh siginh transition };
allow init msdp_sa:process { rlimitinh siginh transition };
allow init multimodalinput:dir { search };
allow init multimodalinput:file { open read };
allow init multimodalinput:process { getattr rlimitinh siginh transition };
allow init native_socket:sock_file { getattr relabelto };
allow init netmanager:process { rlimitinh siginh transition };
allow init net_param:file { map open read relabelto };
allow init netsysnative:process { rlimitinh siginh transition };
allow init net_tcp_param:file { map open read relabelto };
allow init nwebspawn:process { rlimitinh siginh transition };
allow init nwebspawn_socket:sock_file { getattr relabelto };
allow init ohos_boot_param:file { map open read relabelto };
allow init ohos_param:file { map open read relabelfrom relabelto };
allow init paramservice_socket:sock_file { getattr relabelto };
allow init param_watcher:process { rlimitinh siginh transition };
allow init pasteboard_service:process { rlimitinh siginh transition };
allow init persist_param:file { map open read relabelto };
allow init persist_sys_param:file { map open read relabelto };
allow init power_host:process { rlimitinh siginh transition };
allow init proc_cmdline_file:file { getattr open read setattr };
# NOTE(review): write on the generic proc_file type covers every proc entry
# that has no more specific label - confirm which entries init writes.
allow init proc_file:file { getattr open setattr write };
allow init proc_interrupts_file:file { setattr };
allow init proc_kmsg_file:file { setattr };
allow init proc_net:file { setattr };
allow init proc_slabinfo_file:file { setattr };
allow init proc_swaps_file:file { read };
allow init proc_vmallocinfo_file:file { setattr };
allow init pstorefs:dir { setattr };
allow init pstorefs:filesystem { mount };
allow init rootfs:dir { mounton };
# NOTE(review): open is listed twice in this set; harmless duplicate.
allow init samain_exec:file { execute getattr open read open };
allow init samgr:dir { search };
allow init samgr:file { open read };
allow init samgr:process { getattr };
allow init screenlock_server:process { rlimitinh siginh transition };
allow init security_param:file { map open read relabelto };
# init may ask the security server to compute access decisions and may write
# to selinuxfs files. NOTE(review): write access to selinuxfs is sensitive;
# which nodes carry this label is decided outside this file - confirm.
allow init security:security { compute_av };
allow init selinuxfs:dir { open read search };
allow init selinuxfs:file { map open read write setattr };
allow init sh_exec:file { execute getattr read open };
allow init softbus_server:process { rlimitinh siginh transition };
allow init startup_param:file { map open read relabelto };
# Allow rules with init as source: service start-up, sysfs/tmpfs/tracefs
# set-up, executable access and the ioctl allow-lists that narrow the
# generic ioctl permission to specific request numbers.
allow init storage_daemon_exec:file { execute getattr read open };
# transition lets init start the service in its own domain; rlimitinh and
# siginh let the new process keep the resource limits and signal state of init.
allow init storage_daemon:process { rlimitinh siginh transition };
allow init storage_manager:process { rlimitinh siginh transition };
allow init sys_file:dir { add_name mounton write };
allow init sys_file:file { create getattr open read setattr write };
allow init sysfs_block_zram:file { getattr open setattr write };
allow init sysfs_devices_system_cpu:file { setattr };
allow init sysfs_power:file { setattr };
allow init sysfs_state:file { setattr };
allow init sysfs_wake_lck:file { setattr };
allow init sys_param:file { map open read relabelto };
allow init system_basic_hap_attr:dir { search };
allow init system_basic_hap_attr:file { open read };
allow init system_basic_hap_attr:process { getattr };
allow init system_bin_file:dir { search };
# execute_no_trans: init may run system_bin_file executables inside the init
# domain itself, with no transition to a narrower domain.
# NOTE(review): read and open are each listed twice in this set; harmless.
allow init system_bin_file:file { execute execute_no_trans getattr map open read read open };
allow init system_bin_file:lnk_file { read };
allow init sys_usb_param:file { map open read relabelto };
allow init telephony_sa:process { rlimitinh siginh transition };
allow init thermal_protector_exec:file { execute getattr read open };
allow init time_service:process { rlimitinh siginh transition };
# init may relabel objects away from the tmpfs type (relabelfrom) for every
# object class listed below.
allow init tmpfs:blk_file { getattr relabelfrom };
allow init tmpfs:chr_file { getattr relabelfrom write open read };
allow init tmpfs:dir { add_name create mounton open read relabelfrom setattr write };
allow init tmpfs:file { getattr relabelfrom create open mounton };
allow init tmpfs:lnk_file { create getattr relabelfrom };
allow init tmpfs:sock_file { getattr relabelfrom };
allow init token_sync_service:process { rlimitinh siginh transition };
allow init tracefs:dir { mounton search setattr };
allow init tracefs:file { getattr open setattr write };
allow init tracefs_trace_marker_file:file { setattr };
allow init tty_device:chr_file { relabelto setattr };
allow init udevd_socket:sock_file { relabelto };
allow init ui_service:process { rlimitinh siginh transition };
# init may read unlabeled files and give unlabeled objects a new label.
allow init unlabeled:dir { getattr relabelfrom };
allow init unlabeled:file { getattr open read relabelfrom };
allow init updater_sa:dir { search };
allow init updater_sa:file { open read };
allow init updater_sa:process { getattr rlimitinh siginh transition };
allow init usb_host:process { rlimitinh siginh transition };
allow init usb_service:process { rlimitinh siginh transition };
allow init vendor_bin_file:dir { search };
# Vendor binaries get execute but not execute_no_trans here.
# NOTE(review): read is listed twice in this set; harmless duplicate.
allow init vendor_bin_file:file { execute getattr read read open };
allow init vendor_etc_file:dir { open read search getattr };
allow init vendor_etc_file:file { getattr open read };
allow init wallpaper_service:process { rlimitinh siginh transition };
allow init watchdog_service_exec:file { execute getattr read open };
allow init watchdog_service:process { rlimitinh siginh transition };
# NOTE(review): read is listed twice in this set; harmless duplicate.
allow init wifi_hal_service_exec:file { execute getattr read read open };
allow init wifi_hal_service:process { rlimitinh siginh transition };
allow init wifi_manager_service:process { rlimitinh siginh transition };
allow init kernel:unix_dgram_socket { sendto };
# Extended-permission rules: each one names the ioctl request numbers init
# may issue on that target. On Linux 0x5413 looks like TIOCGWINSZ, 0x540e
# like TIOCSCTTY, 0x8913 and 0x8914 like SIOCGIFFLAGS and SIOCSIFFLAGS,
# 0x125e like BLKROGET and 0x1272 like BLKGETSIZE64; 0x4102 and 0x127c are
# not identified here - confirm all of them against the target kernel headers.
allowxperm init data_file:file ioctl { 0x5413 };
allowxperm init data_parameters:file ioctl { 0x5413 };
allowxperm init dev_at_file:chr_file ioctl { 0x4102 };
allowxperm init dev_block_file:blk_file ioctl { 0x125e 0x1272 0x127c 0x5413 };
allowxperm init dev_console_file:chr_file ioctl { 0x540e };
allowxperm init init:udp_socket ioctl { 0x8913 0x8914 };
allowxperm init devpts:chr_file ioctl { 0x5413 };

# for hyperhold: init may read and write the zram block device, manage
# files under hyperhold_sys and issue one ioctl request on the zram device.
# NOTE(review): 0x126e is not identified here - confirm which request it is.
allow init zram_device:blk_file { read open write ioctl getattr };
allow init hyperhold_sys:dir { search relabelto write add_name getattr setattr };
allow init hyperhold_sys:file { getattr open read write create rename unlink };
allowxperm init zram_device:blk_file ioctl { 0x126e };