1# Copyright (c) 2021-2024 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14type init, native_system_domain, domain; 15type init_exec, exec_attr, file_attr, system_file_attr; 16type ueventd, native_system_domain, domain; 17type ueventd_exec, system_file_attr, exec_attr, file_attr; 18type remount_exec, system_file_attr, exec_attr, file_attr; 19 20 21debug_only(` 22 allow init console:process { rlimitinh siginh transition getattr }; 23') 24allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name }; 25allow init data_startup:file { create ioctl open read append relabelto rename unlink write open }; 26allow init proc_stat_file:file { setattr read open }; 27allow init proc_diskstats_file:file { read open }; 28allow init kernel:file { read open }; 29allow init kernel:dir { search }; 30allow bootevent_wms_param tmpfs:filesystem associate; 31allow init bootevent_wms_param:file { map open read relabelto relabelfrom}; 32allow dhardware_dm_param tmpfs:filesystem associate; 33allow init dhardware_dm_param:file { map open read relabelto relabelfrom }; 34allow persist_audio_param tmpfs:filesystem associate; 35allow init persist_audio_param:file { map open read relabelto relabelfrom }; 36allow arkcompiler_param tmpfs:filesystem associate; 37allow init arkcompiler_param:file { map open read relabelto relabelfrom }; 38allow init arkcompiler_param:parameter_service { set }; 39allow arkui_param tmpfs:filesystem associate; 40allow init arkui_param:file { map open read relabelto relabelfrom }; 41allow init arkui_param:parameter_service { set }; 42allow hap_domain arkui_param:file { map open read }; 43allow init inputmethod_param:file { map open read relabelto relabelfrom }; 44allow init inputmethod_param:parameter_service { set }; 45 46allow pasteboard_param tmpfs:filesystem associate; 47allow init pasteboard_param:file { map open read relabelto relabelfrom }; 48allow time_param tmpfs:filesystem associate; 49allow init time_param:file { map open read relabelto relabelfrom }; 50allow accesstoken_perm_param tmpfs:filesystem associate; 51allow init accesstoken_perm_param:file { map open read relabelto relabelfrom }; 52 53allow xts_devattest_authresult_param tmpfs:filesystem associate; 54allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom }; 55allow init xts_devattest_authresult_param:parameter_service { set }; 56allow init hitrace_param:file { map open read relabelto relabelfrom }; 57allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom }; 58allow init devpts:chr_file { ioctl }; 59 60allow i18n_param tmpfs:filesystem associate; 61allow init i18n_param:file { map open read relabelto relabelfrom }; 62allow init i18n_param:parameter_service { set }; 63allow { domain -limit_domain } i18n_param:file { map open read }; 64allow i18n_param_tz_override tmpfs:filesystem associate; 65allow init i18n_param_tz_override:file { map open read relabelto relabelfrom }; 66allow init i18n_param_tz_override:parameter_service { set }; 67allow { domain } i18n_param_tz_override:file { map open read }; 68developer_only(` 69 allow sh i18n_param_tz_override:file { map open read }; 70') 71allow const_i18n_param tmpfs:filesystem associate; 72allow init const_i18n_param:file { map open read relabelto relabelfrom }; 73allow { domain -limit_domain } const_i18n_param:file { map open read }; 74 75allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton }; 76allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map }; 77developer_only(` 78 allow sh data_service_el1_i18n_timezone_file:dir { search }; 79 allow sh data_service_el1_i18n_timezone_file:file { open read getattr map }; 80') 81 82allow { domain -hdcd } data_service_el1_i18n_libphonenumber_file:dir { search open read getattr mounton }; 83allow { domain -hdcd } data_service_el1_i18n_libphonenumber_file:file { open read getattr map }; 84 85allow { domain -hdcd } data_service_el1_i18n_taboo_file:dir { search open read getattr mounton }; 86allow { domain -hdcd } data_service_el1_i18n_taboo_file:file { open read getattr map }; 87 88#for bootchart to read 89allow init domain:file { open read }; 90allow init domain:dir { search }; 91 92# for init trace 93allow init hiview:unix_dgram_socket { sendto }; 94 95# all can read 96allow domain musl_param:file { map open read }; 97 98#for crash handle 99allow init init_exec:file { open read getattr map }; 100allow init faultloggerd_temp_file:dir { add_name remove_name write open read search }; 101allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink }; 102allow init sa_device_service_manager:samgr_class{ get }; 103 104allow edm_writable_param tmpfs:filesystem associate; 105allow init edm_writable_param:file { map open read relabelto }; 106allow init edm_writable_param:parameter_service { set }; 107allow { domain } edm_writable_param:file { map open read }; 108 109define(`init_relabel', ` 110 allow init $1:{ file dir sock_file } { relabelto setattr }; 111 allow init $1:dir { search }; 112') 113init_relabel(data_service_el1_public_print_service_file); 114init_relabel(print_driver_exec); 115init_relabel(data_service_el1_i18n_libphonenumber_file); 116init_relabel(data_service_el1_i18n_taboo_file); 117init_relabel(data_service_el1_i18n_timezone_file); 118init_relabel(data_parameters); 119init_relabel(data_udev); 120init_relabel(data_multimodalinput); 121init_relabel(sandbox_manager_data_file); 122init_relabel(account_data_file); 123init_relabel(hdf_ext_devmgr_file); 124init_relabel(cloudfile_data_file); 125init_relabel(udevd_socket); 126init_relabel(accesstoken_data_file); 127init_relabel(data_service_el1_public_deviceauthService_file); 128init_relabel(data_service_el1_public_huksService_file); 129init_relabel(update_dupdate_engine_file); 130init_relabel(update_update_service_file); 131neverallow init *:process ptrace; 132 133allow init init:netlink_kobject_uevent_socket { read write }; 134