# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

init_daemon_domain(appspawn);

allow appspawn dev_unix_socket:sock_file unlink;

allow appspawn appspawn_exec:file { execute_no_trans };
allow appspawn bootevent_param:parameter_service { set };
allow appspawn paramservice_socket:sock_file { write };
allow appspawn kernel:unix_stream_socket { connectto };
allow appspawn dev_unix_socket:sock_file write;
allow appspawn data_service_el2_file:dir { search write add_name create };
allow appspawn data_app_el2_file:dir { search mounton write add_name create setattr getattr};
allow appspawn sharefs:dir { create_dir_perms mounton };
allow appspawn sharefs:filesystem { mount };
allow appspawn data_service_el2_share:dir { create_dir_perms mounton };

# read cfg from
#avc:  denied  { getattr } for  pid=1802 comm="appspawn" path="/dev" dev="tmpfs" ino=1 scontext=u:r:appspawn:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=0
allow appspawn dev_file:dir { getattr };
allow appspawn chip_prod_file:dir { open read search getattr };
allow appspawn chip_prod_file:file { getattr open read };
allow appspawn sys_prod_file:dir { open read search getattr };
allow appspawn sys_prod_file:file { getattr open read map };
allow appspawn vendor_etc_file:dir { open read search getattr };
allow appspawn vendor_etc_file:file { getattr open read };

# for appspawn native processor
#avc:  denied  { execute } for  pid=1762 comm="s.samples.clock" name="sh" dev="mmcblk0p7" ino=358 scontext=u:r:appspawn:s0 tcontext=u:object_r:sh_exec:s0 tclass=file permissive=0
allow appspawn sh_exec:file { execute execute_no_trans map read open };

allow appspawn appspawn:capability { dac_override kill setgid setuid sys_admin chown dac_read_search };
allow appspawn appspawn_socket:sock_file { unlink };
allow appspawn appspawn:process { setcurrent };
allow appspawn appspawn:unix_dgram_socket { getopt setopt };
allow appspawn bootevent_param:file { map open read };
allow appspawn bootevent_samgr_param:file { map open read };
allow appspawn build_version_param:file { map open read };
allow appspawn configfs:dir { mounton };
allow appspawn const_allow_mock_param:file { map open read };
allow appspawn const_allow_param:file { map open read };
allow appspawn const_build_param:file { map open read };
allow appspawn const_display_brightness_param:file { map open read };
allow appspawn const_param:file { map open read };
allow appspawn const_postinstall_fstab_param:file { map open read };
allow appspawn const_postinstall_param:file { map open read };
allow appspawn const_product_param:file { map open read };
allow appspawn data_app_el1_file:dir { add_name create mounton search write };
allow appspawn data_app_el2_file:dir { search mounton };
allow appspawn data_app_file:dir { search };
allow appspawn data_file:dir { add_name create mounton search write };
allow appspawn data_service_el2_file:dir { search };
allow appspawn data_service_el2_hmdfs:dir { search };
allow appspawn data_service_file:dir { search };
allow appspawn data_storage:dir { mounton };
allow appspawn debug_param:file { map open read };
allow appspawn default_param:file { map open read };
allow appspawn dev_at_file:chr_file { ioctl };
allow appspawn dev_file:dir { mounton };
allow appspawn dev_unix_socket:dir { add_name search write remove_name };
allow appspawn dev_unix_socket:sock_file { create setattr };
allow appspawn distributedsche_param:file { map open read };
allow appspawn hilog_param:file { map open read };
allow appspawn hiview:unix_dgram_socket { sendto };
allow appspawn hmdfs:dir { mounton search };
allow appspawn hw_sc_build_os_param:file { map open read };
allow appspawn hw_sc_build_param:file { map open read };
allow appspawn hw_sc_param:file { map open read };
allow appspawn init_param:file { map open read };
allow appspawn init_svc_param:file { map open read };
allow appspawn input_pointer_device_param:file { map open read };
allow appspawn labeledfs:filesystem { unmount };
allow appspawn net_param:file { map open read };
allow appspawn net_tcp_param:file { map open read };
allow appspawn normal_hap_data_file_attr:dir { mounton };
allow appspawn normal_hap_attr:process { sigkill };
allow appspawn ohos_boot_param:file { map open read };
allow appspawn ohos_param:file { map open read };
allow appspawn persist_param:file { map open read };
allow appspawn persist_sys_param:file { map open read };
allow appspawn proc_file:dir { mounton };
allow appspawn rootfs:dir { mounton };
allow appspawn security_param:file { map open read };
allow appspawn security:security { check_context };
allow appspawn selinuxfs:dir { search };
allow appspawn selinuxfs:file { open read write };
allow appspawn startup_param:file { map open read };
allow appspawn sys_file:dir { mounton };
allow appspawn sys_param:file { map open read };
allow appspawn system_basic_hap_data_file_attr:dir { mounton };
allow appspawn system_basic_hap_attr:process { dyntransition sigkill };
allow appspawn system_bin_file:dir { mounton search };
allow appspawn system_core_hap_data_file_attr:dir { mounton };
allow appspawn system_core_hap_attr:process { dyntransition };
allow appspawn system_etc_file:dir { mounton };
allow appspawn system_file:dir { mounton };
allow appspawn system_fonts_file:dir { mounton open read search };
allow appspawn system_fonts_file:file { getattr map open read };
allow appspawn system_lib_file:dir { mounton };
allow appspawn system_profile_file:dir { mounton };
allow appspawn system_usr_file:dir { mounton search };
allow appspawn system_usr_file:file { getattr map open read };
allow appspawn sys_usb_param:file { map open read };
allow appspawn tmpfs:dir { add_name create mounton write };
allow appspawn tmpfs:lnk_file { create };
allow appspawn vendor_lib_file:dir { mounton };
allow appspawn self:process execmem;
allowxperm appspawn dev_at_file:chr_file ioctl { 0x4102 };
allow appspawn dev_xpm:chr_file { open read write ioctl };
allow appspawn system_file:file { map };
allow appspawn nwebspawn:process{ dyntransition };
allow appspawn nwebspawn:process{ sigkill };