# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# Type-enforcement rules for the hiperf domain.
# Each allow rule reads: allow <source> <target>:<class> <permissions>.
# Most rules grant permissions to processes labelled hiperf. The rules near the
# end also grant init, samgr and hiview permissions that relate to hiperf.
# Rules are additive, so a permission granted anywhere in the loaded policy
# stays granted even if a narrower rule for the same source/target/class exists.
#
# First group: read-only access (map/open/read) to *_param files, getattr on
# many proc_* files, and read access to several *_exec binaries.
# NOTE(review): the *_exec grants carry no execute permission; presumably they
# exist so binaries can be read for symbol resolution - confirm.
allow hiperf const_allow_mock_param:file { map open read };
allow hiperf const_allow_param:file { map open read };
allow hiperf const_build_param:file { map open read };
allow hiperf const_param:file { map open read };
allow hiperf const_postinstall_fstab_param:file { map open read };
allow hiperf const_postinstall_param:file { map open read };
# write without open: only usable on a descriptor opened by another process.
allow hiperf data_test_file:file { write };
allow hiperf data_file:file { getattr ioctl map open read };
allow hiperf default_param:file { map open read };
allow hiperf distributedsche_param:file { map open read };
allow hiperf hdcd:fd use;
allow hiperf hdcd_exec:file { getattr map open read };
allow hiperf hw_sc_build_os_param:file { map open read };
allow hiperf hw_sc_build_param:file { map open read };
allow hiperf hw_sc_param:file { map open read };
allow hiperf init_param:file { map open read };
allow hiperf init_svc_param:file { map open read };
allow hiperf input_pointer_device_param:file { map open read };
allow hiperf net_param:file { map open read };
allow hiperf net_tcp_param:file { map open read };
allow hiperf normal_hap_attr:dir { getattr open read search };
# signull permits the null signal only (existence check), not delivery of a real signal.
allow hiperf normal_hap_attr:process signull;
allow hiperf ohos_boot_param:file { map open read };
allow hiperf ohos_param:file { map open read };
allow hiperf proc_buddyinfo_file:file getattr;
allow hiperf proc_cgroups_file:file getattr;
allow hiperf proc_cmdline_file:file getattr;
allow hiperf proc_config_gz_file:file getattr;
allow hiperf proc_cpuinfo_file:file getattr;
allow hiperf proc_diskstats_file:file getattr;
# NOTE(review): write and ioctl on the generic proc_file label; the rule does
# not say which proc node needs it. Confirm, and prefer a dedicated type if one exists.
allow hiperf proc_file:file { ioctl write };
allow hiperf proc_filesystems_file:file getattr;
allow hiperf proc_interrupts_file:file getattr;
allow hiperf proc_iomem_file:file getattr;
allow hiperf proc_keys_file:file getattr;
allow hiperf proc_kmsg_file:file getattr;
allow hiperf proc_loadavg_file:file getattr;
allow hiperf proc_meminfo_file:file { getattr open read };
allow hiperf proc_misc_file:file getattr;
allow hiperf proc_modules_file:file { getattr open read };
allow hiperf proc_pagetypeinfo_file:file getattr;
allow hiperf proc_partitions_file:file getattr;
allow hiperf proc_rkisp_vir0_file:file getattr;
allow hiperf proc_slabinfo_file:file getattr;
allow hiperf proc_softirqs_file:file getattr;
allow hiperf proc_stat_file:file getattr;
allow hiperf proc_swaps_file:file getattr;
allow hiperf proc_sysrq_trigger_file:file getattr;
allow hiperf proc_timer_list_file:file getattr;
allow hiperf proc_uptime_file:file getattr;
allow hiperf proc_version_file:file getattr;
allow hiperf proc_vmallocinfo_file:file getattr;
allow hiperf proc_vmstat_file:file getattr;
allow hiperf proc_zoneinfo_file:file getattr;
allow hiperf samain_exec:file { getattr map open read };
allow hiperf sh:dir { getattr open read search };
allow hiperf sh:fd use;
allow hiperf sh:fifo_file { read write };
allow hiperf sys_param:file { map open read };
allow hiperf sys_usb_param:file { map open read };
allow hiperf tracefs:dir { open read search };
allow hiperf tracefs:file { getattr open read };
allow hiperf tty_device:chr_file { read write };

# Second group: more parameter files and executables, terminal and hdcd socket
# access, and the main perf_event grant for the domain itself.
allow hiperf appspawn_exec:file { getattr map open read };
allow hiperf bootevent_param:file { map open read };
allow hiperf bootevent_samgr_param:file { map open read };
allow hiperf build_version_param:file { map open read };
allow hiperf const_display_brightness_param:file { map open read };
allow hiperf const_product_param:file { map open read };
allow hiperf debug_param:file { map open read };
allow hiperf devpts:chr_file { read write };
allow hiperf hdcd:unix_stream_socket { read write };
allow hiperf hilog_param:file { map open read };
allow hiperf hilogd_exec:file { getattr map open read };
allow hiperf persist_param:file { map open read };
allow hiperf persist_sys_param:file { map open read };
allow hiperf proc_file:file { getattr open read };
allow hiperf security_param:file { map open read };
# perf_event permissions on events the domain creates itself. The cpu
# permission is outside the set that the neverallow further down leaves open to
# other domains, so it is restricted to hiperf, init and hiebpf.
allow hiperf self:perf_event { cpu kernel open read write };
allow hiperf sh:process signull;
allow hiperf startup_param:file { map open read };
allow hiperf wifi_hal_service_exec:file { getattr map open read };
allow hiperf hiview_exec:file { getattr map open read };
allow hiperf storage_daemon_exec:file { getattr map open read };

# Directory traversal (search only) needed to reach files under these labels.
allow hiperf data_file:dir search;
allow hiperf dev_unix_socket:dir search;
allow hiperf system_bin_file:dir search;
allow hiperf data_local:dir search;

allow hiperf hiprofiler_plugins:unix_stream_socket { read write };
allow hiperf rootfs:file read;
allow hiperf sh_exec:file { getattr map open read };
allow hiperf sysfs_kernel_notes:file { open read };
# execute_no_trans: binaries labelled system_bin_file run inside the hiperf
# domain with no domain transition, so they inherit every grant in this file.
allow hiperf system_bin_file:file { execute execute_no_trans getattr map open read };
allow hiperf tmpfs:file { read write };

# Descriptors and pipes shared with the hiprofiler processes.
allow hiperf hiprofiler_plugins:fd use;
allow hiperf hiprofilerd:fd use;
allow hiperf hiprofiler_plugins:fifo_file { ioctl write };
allow hiperf watchdog_service_exec:file { getattr map open read };

allow hiperf data_local_tmp:fifo_file { create open read unlink write };
allow hiperf hdf_devmgr_exec:file { getattr map open read };
allow hiperf proc_cpuinfo_file:file { open read };
allow hiperf sysfs_devices_system_cpu:file { open read };
allow hiperf uinput_inject_exec:file { getattr map open read };
allow hiperf vendor_bin_file:dir search;

# Access to objects labelled with any type in the domain attribute.
# NOTE(review): presumably these are the per-process entries under /proc. The
# dir grant includes write and add_name, which is wider than read-only
# inspection of other processes needs - confirm what requires it, or drop it.
allow hiperf domain:dir { add_name getattr search open read write };
allow hiperf domain:file { getattr map open read };

allow hiperf camera_service:dir { open read };
allow hiperf camera_service:process signull;
allow hiperf data_file:dir { add_name getattr open read write };

# NOTE(review): the per-service dir and signull grants below look like subsets
# of the domain-wide rules (domain:dir above, domain:process signull at the end
# of this group), assuming each of these types carries the domain attribute - confirm.
allow hiperf dev_mali:chr_file { getattr open read };
allow hiperf distributedfiledaemon:dir { open read };
allow hiperf distributedfiledaemon:process signull;
allow hiperf hdcd:dir { open read };
allow hiperf hdcd:process signull;
allow hiperf init:dir { open read };
allow hiperf init:process signull;
allow hiperf render_service:dir { open read };
allow hiperf render_service:process signull;
allow hiperf render_service_exec:file { getattr map open read };
allow hiperf rootfs:dir read;
# tracepoint is also outside the set the perf_event neverallow leaves open to other domains.
allow hiperf self:perf_event tracepoint;
allow hiperf system_basic_hap_attr:dir { open read };
allow hiperf system_basic_hap_attr:process signull;
allow hiperf system_bin_file:lnk_file read;
allow hiperf ui_service:dir { open read };
allow hiperf ui_service:process signull;
allow hiperf hiview:process signull;
allow hiperf domain:process signull;

# Dedicated output types for hiperf. create_dir_perms and create_file_perms are
# permission-set macros defined outside this file.
allow hiperf accessibility_param:file { map open read };
allow hiperf ohos_dev_param:file { map open read };
allow hiperf data_log_hiperf_file:dir { create_dir_perms };
allow hiperf data_log_hiperf_file:file { create_file_perms };
allow hiperf data_log_hiperf_file:fifo_file { create open read unlink write };

allow hiperf data_local_tmp_hiperf_file:dir { create_dir_perms };
allow hiperf data_local_tmp_hiperf_file:file { create_file_perms };
allow hiperf data_local_tmp_hiperf_file:fifo_file { create open read unlink write };

# NOTE(review): create, write and unlink on the shared data_log label lets
# hiperf modify or remove files that other writers of that label own, although
# the dedicated data_log_hiperf_file type exists above. Confirm whether the
# shared-label grant is still needed.
allow hiperf data_log:dir { add_name open read search watch write create remove_name };
allow hiperf data_log:file { create getattr lock map open read ioctl write unlink };
allow hiperf data_app_el1_file:file { getattr map open read };
allow hiperf data_app_el1_file:dir search;
allow hiperf normal_hap_attr:lnk_file read;

allow hiperf chip_prod_file:dir search;
allow hiperf chip_prod_file:file { getattr map open read };
allow hiperf sys_file:file { getattr open read };
allow hiperf sysfs_devices_system_cpu:file getattr;
allow hiperf udevd_exec:file { getattr map open read };
allow hiperf ueventd_exec:file read;
allow hiperf vendor_bin_file:file { getattr map open read };

# Relabel grants for init.
# NOTE(review): relabelfrom is granted on the file class of data_log and
# relabelto on the dir class of data_log_hiperf_file. A relabel needs both
# permissions on the same class, so the matching halves are presumably granted
# elsewhere - confirm.
allow init data_log:file relabelfrom;
allow init data_log_hiperf_file:dir relabelto;

# Disabled rules, kept by the author as commented-out history.
#allow hiperf data_file:file { create write };
#allow hiperf devpts:chr_file ioctl;

# debug_only is a macro defined outside this file; presumably it emits the
# enclosed rules on debug builds only - confirm. dac_read_search bypasses
# discretionary read and search checks, so these grants should never reach a
# release policy.
debug_only(`
    allow hiperf self:capability { dac_read_search setgid };
    allow hiperf self:capability2 syslog;
')
# NOTE(review): the same create/write/unlink concern as data_log applies to the
# shared data_local_tmp label, which other domains presumably also write.
allow hiperf data_local_tmp:file { open create getattr ioctl read rename unlink write };
allow hiperf data_local_tmp:dir { open read add_name remove_name search write };
# Unconditional capabilities (not wrapped in debug_only). sys_ptrace is granted
# as a capability here, while the neverallow below forbids the process ptrace
# permission for hiperf on every target; the two are separate checks.
allow hiperf self:capability2 perfmon;
allow hiperf self:capability { sys_ptrace ipc_lock };
# NOTE(review): redundant; every permission here is already in the earlier
# self:perf_event rule that also grants cpu.
allow hiperf self:perf_event { open read write kernel };

# Build-time assertions. The first forbids any rule that would let hiperf
# ptrace a process. The second forbids every domain except hiperf, init and
# hiebpf from holding perf_event permissions on itself outside
# { open read write kernel }.
neverallow hiperf *:process ptrace;
neverallow { domain -hiperf -init -hiebpf } self:perf_event ~{ open read write kernel };

# NOTE(review): the musl_param rule appears twice in this group; the second
# copy is an exact duplicate and has no effect.
allow hiperf musl_param:file { open map read };
allow hiperf dev_console_file:chr_file { read write };
allow hiperf musl_param:file { open map read };
# NOTE(review): these let hiperf set parameters under the security_param and
# hiviewdfx_profiler_param labels, not only read them. The rules do not show
# which keys are written; confirm the security_param set is required.
allow hiperf security_param:parameter_service { set };
allow hiperf hiviewdfx_profiler_param:parameter_service { set };
allow hiperf paramservice_socket:sock_file { read write };
allow hiperf kernel:unix_stream_socket connectto;

# Service lookup through samgr and binder calls to foundation.
allow hiperf sa_foundation_bms:samgr_class get;
allow hiperf sa_param_watcher:samgr_class get;
allow hiperf foundation:binder call;
allow hiperf samgr:binder { call };

allow hiperf param_watcher:binder { call transfer };
allow hiperf tracefs_trace_marker_file:file { open write };
allow hiperf hilog_exec:file { getattr map open read };
allow hiperf rootfs:file { ioctl };
allow hiperf ueventd_exec:file { getattr map open };
allow hiperf dev_file:dir getattr;

# Reverse direction: samgr may inspect hiperf process entries and call it over binder.
allow samgr hiperf:file { read open };
allow samgr hiperf:dir { search };
allow samgr hiperf:process { getattr };
allow samgr hiperf:binder { call transfer };

allow hiperf dev_bbox:chr_file { read };
allow hiperf sysfs_devices_system_cpu:dir { read open };

# Descriptors, sockets and pipes that hiperf uses from hiview.
allow hiperf hiview:fd { use };
allow hiperf hiview:unix_dgram_socket { read write };
allow hiperf hiview:fifo_file { read write };
allow hiperf hiview_file:file { read write };

# Grants to hiview: it may kill hiperf, and it receives three further
# permissions whose source is hiview rather than hiperf.
# NOTE(review): the last three rules widen the hiview domain; they would be
# easier to audit next to the rest of the hiview policy.
allow hiview hiperf:process sigkill;
allow hiview data_local:dir { search };
allow hiview proc_file:file { getattr };
allow hiview debug_param:parameter_service { set };