# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the aa domain (the aa command-line tool).
# Every rule in this file is wrapped in a debug_only or developer_only m4 macro,
# so the grants below are conditional on the build mode; the macros themselves
# are defined outside this file (review assumption: they expand to nothing in a
# release build -- confirm against the macro definitions).
#
# Rule shape: allow <source> <target>:<class> { permissions };
# allowxperm rules narrow an already granted ioctl permission to the listed
# request codes; once such a rule exists, request codes not listed are denied.
# Rules with aa as the target (allow <other> aa:...) describe what other
# domains may do to aa, not what aa may do.

# add for aa in debug mode
debug_only(`
    # Re-exec of the aa binary without a domain transition.
    allow aa aa_exec:file { execute_no_trans };
    allow aa accessibility:binder { call transfer };
    # System parameter files: read-only mappings.
    allow aa arkcompiler_param:file { map open read };
    allow aa ark_writeable_param:file { map open read };
    allow aa bm_exec:file { getattr execute execute_no_trans map read open };
    # Data directories. Write access is limited to the data_local_tmp directory
    # and to data_service_el1_file; neither is granted in developer mode below.
    allow aa data_file:dir { search getattr};
    allow aa data_local:dir { search };
    allow aa data_local_tmp:dir { getattr write search };
    allow aa data_service_el1_file:file { read write };
    allow aa debug_param:file { map read open };
    # Device nodes. The dev_kmsg_file write (appending to the kernel log) is
    # granted only in this debug block, not in developer mode.
    allow aa dev_ashmem_file:chr_file { open };
    allow aa dev_console_file:chr_file { read write };
    allow aa dev_kmsg_file:chr_file { write };
    allow aa devpts:chr_file { ioctl read write };
    allow aa dev_unix_socket:dir { search };
    # Binder calls and fd sharing with foundation, application domains and hdcd
    # (presumably the device-side HDC daemon -- confirm).
    allow aa foundation:binder { call transfer };
    allow aa foundation:fd { use };
    allow aa hap_domain:fd { use };
    # ioctl on hap_file_attr is narrowed by the allowxperm rule at the end.
    allow aa hap_file_attr:file { getattr ioctl read write };
    allow aa hdcd:fd { use };
    allow aa hdcd:fifo_file { ioctl read write };
    allow aa hdcd:unix_stream_socket { read write };
    # Logging: hilog sockets, the hilogd daemon and the hilog binary itself.
    allow aa hilog_control_socket:sock_file { write };
    allow aa hilogd:unix_stream_socket { connectto };
    allow aa hilog_exec:file { getattr execute execute_no_trans map read open };
    allow aa hilog_output_socket:sock_file { write };
    allow aa hilog_param:file { map read open };
    # Read-only introspection of the init and kernel process entries
    # (presumably their proc entries -- confirm).
    allow aa init:dir { getattr search };
    allow aa init:file { open read };
    allow aa kernel:dir { getattr search };
    allow aa kernel:file { open read };
    allow aa multimodalinput:binder { call };
    allow aa normal_hap_attr:binder { call transfer };
    allow aa param_watcher:binder { call transfer };
    allow aa persist_sys_param:file { map open read };
    # binder_call is a macro defined elsewhere; it is expected to grant the
    # binder rules between aa and powermgr in both directions -- confirm.
    binder_call(aa, powermgr);
    allow aa render_service:fd { use };
    allow aa composer_host:fd { use };
    # System ability lookups via samgr; each sa_* type is one service handle.
    allow aa sa_accessibleabilityms:samgr_class { get };
    allow aa sa_accountmgr:samgr_class { get };
    allow aa sa_foundation_abilityms:samgr_class { get };
    allow aa sa_foundation_appms:samgr_class { get };
    allow aa sa_foundation_bms:samgr_class { get };
    allow aa sa_foundation_cesfwk_service:samgr_class { get };
    allow aa sa_foundation_dms:samgr_class { get };
    allow aa samgr:binder { call };
    allow aa sa_multimodalinput_service:samgr_class { get };
    allow aa sa_param_watcher:samgr_class { get };
    # Shell and system binaries aa may run inside its own domain
    # (execute_no_trans means no domain transition takes place).
    allow aa sh_exec:file { execute execute_no_trans map read open };
    allow aa sh:fd { use };
    allow aa sh:fifo_file { ioctl write };
    allow aa system_bin_file:dir { search };
    allow aa system_bin_file:file { getattr execute read open execute_no_trans map };
    allow aa system_bin_file:lnk_file { read };
    allow aa toybox_exec:file { execute execute_no_trans getattr map read open };
    allow aa toybox_exec:lnk_file { read };
    allow aa tracefs:dir { search };
    allow aa tty_device:chr_file { read write open ioctl };
    allow aa uinput_exec:file { execute execute_no_trans getattr map read open };
    # uitest_exec has execute but not execute_no_trans, so running it
    # presumably relies on a domain transition declared elsewhere -- confirm.
    allow aa uitest_exec:file { execute getattr map read open };
    allow aa watchdog_service:dir { getattr search };
    # Reverse direction: what other domains may do to aa (binder replies,
    # signals from hdcd, dump and diagnostics reads by hidumper and hiview).
    allow accessibility aa:binder { call transfer };
    allow foundation aa:binder { call };
    allow hap_domain aa:binder { call };
    allow hdcd aa:process { signal };
    allow hidumper aa:fd { use };
    allow hidumper aa:fifo_file { write };
    allow hidumper_service aa:dir { search };
    allow hidumper_service aa:fd { use };
    allow hidumper_service aa:fifo_file { write };
    allow hidumper_service aa:file { getattr open read };
    allow hiview aa:dir { search };
    allow hiview aa:file { read open getattr };
    allow normal_hap_attr aa:binder { transfer };
    allow param_watcher aa:binder { call };
    allow powermgr aa:binder { call };
    allow samgr aa:binder { call transfer };
    allow samgr aa:dir { search };
    allow samgr aa:file { open read };
    allow samgr aa:process { getattr };
    # Every ioctl granted above is restricted to request code 0x5413
    # (TIOCGWINSZ, the terminal window size query); no other request is allowed.
    allowxperm aa devpts:chr_file ioctl { 0x5413 };
    allowxperm aa hap_file_attr:file ioctl { 0x5413 };
    allowxperm aa hdcd:fifo_file ioctl { 0x5413 };
    allowxperm aa sh:fifo_file ioctl { 0x5413 };
    allowxperm aa tty_device:chr_file ioctl { 0x5413 };
')

# add for aa in developer mode
# This block is a narrower set than the debug block: no data_* writes, no
# dev_kmsg_file or hilog socket access, no hap_file_attr, uinput or uitest
# rules. It adds direct reads of the samgr process entries and binder calls
# from the debug_hap and normal_hap domains.
developer_only(`
    # Re-exec of the aa binary without a domain transition.
    allow aa aa_exec:file { execute_no_trans };
    # System parameter files: read-only mappings.
    allow aa arkcompiler_param:file { map open read };
    allow aa ark_writeable_param:file { map open read };
    allow aa bm_exec:file { getattr execute execute_no_trans map read open };
    allow aa debug_param:file { map read open };
    # Device nodes: console and pty access only.
    allow aa dev_console_file:chr_file { read write };
    allow aa devpts:chr_file { ioctl read write };
    allow aa dev_unix_socket:dir { search };
    # Binder calls and fd sharing with foundation and hdcd.
    allow aa foundation:binder { call transfer };
    allow aa foundation:fd { use };
    allow aa hdcd:fd { use };
    allow aa hdcd:fifo_file { ioctl read write };
    allow aa hdcd:unix_stream_socket { read write };
    allow aa hilog_param:file { map read open };
    allow aa persist_sys_param:file { map open read };
    # binder_call is a macro defined elsewhere (see the debug block).
    binder_call(aa, powermgr);
    # System ability lookups via samgr, plus read-only access to the samgr
    # process entries (presumably its proc entries -- confirm).
    allow aa sa_foundation_abilityms:samgr_class { get };
    allow aa sa_foundation_appms:samgr_class { get };
    allow aa sa_foundation_bms:samgr_class { get };
    allow aa samgr:binder { call };
    allow aa samgr:dir { search };
    allow aa samgr:file { read open };
    allow aa samgr:process { getattr };
    # Shell and system binaries aa may run inside its own domain.
    allow aa sh_exec:file { execute execute_no_trans map read open };
    allow aa sh:fd { use };
    allow aa system_bin_file:dir { search };
    allow aa system_bin_file:file { getattr execute read open execute_no_trans map };
    allow aa system_bin_file:lnk_file { read };
    allow aa toybox_exec:file { getattr execute read open execute_no_trans map };
    allow aa toybox_exec:lnk_file { read };
    allow aa tracefs:dir { search };
    allow aa tty_device:chr_file { read write open ioctl };
    # Reverse direction: what other domains may do to aa.
    allow debug_hap aa:binder { call };
    allow foundation aa:binder { call transfer };
    allow hdcd aa:process { signal };
    allow hidumper_service aa:dir { search };
    allow hidumper_service aa:file { getattr open read };
    allow hiview aa:dir { search };
    allow hiview aa:file { read open getattr };
    allow normal_hap aa:binder { call };
    allow powermgr aa:binder { call transfer };
    allow samgr aa:binder { call transfer };
    allow samgr aa:dir { search };
    allow samgr aa:file { open read };
    allow samgr aa:process { getattr };
    # As in debug mode, ioctl is restricted to 0x5413 (TIOCGWINSZ).
    allowxperm aa devpts:chr_file ioctl { 0x5413 };
    allowxperm aa hdcd:fifo_file ioctl { 0x5413 };
    allowxperm aa tty_device:chr_file ioctl { 0x5413 };
')