1# Copyright (c) 2022-2025 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14neverallow * { sa_service_attr -sa_distributed_bundle_mgr_service_service -sa_dhardware_service -sa_distributeschedule -sa_filemanagement_cloud_sync_service -sa_filemanagement_distributed_file_daemon_service -sa_avsession_service -cap_violator_addremote -sa_distributed_hardware_audio_sink_service -sa_distributed_hardware_audio_source_service -sa_dcamera_sink_service -sa_dcamera_source_service }:samgr_class add_remote; 15allow samgr bootevent_param:file { map open read }; 16allow samgr bootevent_samgr_param:file { map open read }; 17allow samgr build_version_param:file { map open read }; 18allow samgr const_allow_mock_param:file { map open read }; 19allow samgr const_allow_param:file { map open read }; 20allow samgr const_build_param:file { map open read }; 21allow samgr const_display_brightness_param:file { map open read }; 22allow samgr const_param:file { map open read }; 23allow samgr const_postinstall_fstab_param:file { map open read }; 24allow samgr const_postinstall_param:file { map open read }; 25allow samgr const_product_param:file { map open read }; 26allow samgr debug_param:file { map open read }; 27allow samgr default_param:file { map open read }; 28allow samgr dev_kmsg_file:chr_file { open write }; 29allow samgr dev_unix_socket:sock_file { write }; 30allow samgr distributedsche_param:file { map open read }; 31allow samgr data_samgr:dir { add_name search write remove_name }; 32allow samgr data_samgr:file { create getattr ioctl read write lock map open rename setattr unlink }; 33allow samgr hilog_param:file { map open read }; 34allow samgr hw_sc_build_os_param:file { map open read }; 35allow samgr hw_sc_build_param:file { map open read }; 36allow samgr hw_sc_param:file { map open read }; 37allow samgr init_param:file { map open read }; 38allow samgr init_svc_param:file { map open read }; 39allow samgr input_pointer_device_param:file { map open read }; 40allow samgr net_param:file { map open read }; 41allow samgr net_tcp_param:file { map open read }; 42allow samgr normal_hap_attr:binder { call }; 43allow samgr ohos_boot_param:file { map open read }; 44allow samgr ohos_param:file { map open read }; 45allow samgr ohos_param:parameter_service { set }; 46allow samgr persist_param:file { map open read }; 47allow samgr persist_sys_param:file { map open read }; 48allow samgr processdump:binder { transfer }; 49allow samgr processdump:dir { search }; 50allow samgr processdump:file { open read }; 51allow samgr processdump:process { getattr }; 52allow samgr samgr:unix_dgram_socket { getopt setopt }; 53allow samgr sa_softbus_service:samgr_class { get }; 54allow samgr security_param:file { map open read }; 55allow samgr SP_daemon:binder { call }; 56allow samgr startup_param:file { map open read }; 57allow samgr sys_param:file { map open read }; 58allow samgr system_basic_hap_attr:binder { call }; 59allow samgr system_core_hap_attr:binder { call }; 60allow samgr sys_usb_param:file { map open read }; 61allow samgr tracefs:dir { search }; 62allow samgr tracefs_trace_marker_file:file { open write }; 63allow samgr vendor_etc_file:dir { search }; 64allow samgr appspawn:process { getattr }; 65allowxperm samgr data_samgr:file ioctl { 0x5413 }; 66