# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Additional rules for the aa domain, enabled only in debug mode
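debug_only(`
    # Grants for the aa domain that are only active when the debug_only
    # macro is enabled. Every statement is a plain allow/allowxperm rule,
    # so ordering carries no meaning; rules are kept sorted by target type
    # (aa as source first, then aa as target, then allowxperm) for review.
    #
    # Several execute_no_trans grants below let aa run shell/tool binaries
    # inside its own domain instead of transitioning, so those child
    # processes inherit every rule in this block.
    allow aa aa_exec:file { execute_no_trans };
    allow aa accessibility:binder { call transfer };
    allow aa arkcompiler_param:file { map open read };
    allow aa ark_writeable_param:file { map open read };
    allow aa bm_exec:file { getattr execute execute_no_trans map read open };
    allow aa data_file:dir { search getattr };
    allow aa data_local:dir { search };
    allow aa data_local_tmp:dir { getattr write search };
    # NOTE(review): read/write on service data files (data_service_el1_file)
    # is the widest data grant in this block; confirm it is still required.
    allow aa data_service_el1_file:file { read write };
    allow aa debug_param:file { map read open };
    allow aa dev_ashmem_file:chr_file { open };
    allow aa dev_console_file:chr_file { read write };
    # write access to the kernel log device (presumably /dev/kmsg)
    allow aa dev_kmsg_file:chr_file { write };
    allow aa devpts:chr_file { ioctl read write };
    allow aa dev_unix_socket:dir { search };
    allow aa foundation:binder { call transfer };
    allow aa foundation:fd { use };
    allow aa hap_domain:fd { use };
    # read/write on application (hap) files; ioctl is narrowed by allowxperm below
    allow aa hap_file_attr:file { getattr ioctl read write };
    allow aa hdcd:fd { use };
    allow aa hdcd:fifo_file { ioctl read write };
    allow aa hdcd:unix_stream_socket { read write };
    allow aa hilog_control_socket:sock_file { write };
    allow aa hilogd:unix_stream_socket { connectto };
    allow aa hilog_exec:file { getattr execute execute_no_trans map read open };
    allow aa hilog_output_socket:sock_file { write };
    allow aa hilog_param:file { map read open };
    allow aa init:dir { getattr search };
    allow aa init:file { open read };
    allow aa kernel:dir { getattr search };
    allow aa kernel:file { open read };
    allow aa multimodalinput:binder { call };
    allow aa normal_hap_attr:binder { call transfer };
    allow aa param_watcher:binder { call transfer };
    allow aa persist_sys_param:file { map open read };
    binder_call(aa, powermgr);
    allow aa render_service:fd { use };
    allow aa sa_accessibleabilityms:samgr_class { get };
    allow aa sa_accountmgr:samgr_class { get };
    allow aa sa_foundation_abilityms:samgr_class { get };
    allow aa sa_foundation_appms:samgr_class { get };
    allow aa sa_foundation_bms:samgr_class { get };
    allow aa sa_foundation_cesfwk_service:samgr_class { get };
    allow aa sa_foundation_dms:samgr_class { get };
    allow aa samgr:binder { call };
    allow aa sa_multimodalinput_service:samgr_class { get };
    allow aa sa_param_watcher:samgr_class { get };
    allow aa sh_exec:file { execute execute_no_trans map read open };
    allow aa sh:fd { use };
    allow aa sh:fifo_file { ioctl write };
    allow aa system_bin_file:dir { search };
    allow aa system_bin_file:file { getattr execute read open execute_no_trans map };
    allow aa system_bin_file:lnk_file { read };
    allow aa toybox_exec:file { execute execute_no_trans getattr map read open };
    allow aa toybox_exec:lnk_file { read };
    allow aa tracefs:dir { search };
    allow aa tty_device:chr_file { read write open ioctl };
    allow aa uinput_exec:file { execute execute_no_trans getattr map read open };
    # no execute_no_trans here: running uitest relies on a transition defined elsewhere
    allow aa uitest_exec:file { execute getattr map read open };
    allow aa watchdog_service:dir { getattr search };
    # ---- aa as the target domain ----
    allow accessibility aa:binder { call transfer };
    allow foundation aa:binder { call };
    allow hap_domain aa:binder { call };
    allow hdcd aa:process { signal };
    allow hidumper aa:fd { use };
    allow hidumper aa:fifo_file { write };
    allow hidumper_service aa:dir { search };
    allow hidumper_service aa:fd { use };
    allow hidumper_service aa:fifo_file { write };
    allow hidumper_service aa:file { getattr open read };
    allow hiview aa:dir { search };
    allow hiview aa:file { read open getattr };
    allow normal_hap_attr aa:binder { transfer };
    allow param_watcher aa:binder { call };
    allow powermgr aa:binder { call };
    allow samgr aa:binder { call transfer };
    allow samgr aa:dir { search };
    allow samgr aa:file { open read };
    allow samgr aa:process { getattr };
    # ---- ioctl whitelist ----
    # 0x5413 is TIOCGWINSZ (terminal window-size query); the ioctl permission
    # granted above is restricted to this single request number.
    allowxperm aa devpts:chr_file ioctl { 0x5413 };
    allowxperm aa hap_file_attr:file ioctl { 0x5413 };
    allowxperm aa hdcd:fifo_file ioctl { 0x5413 };
    allowxperm aa sh:fifo_file ioctl { 0x5413 };
    allowxperm aa tty_device:chr_file ioctl { 0x5413 };
')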

# Additional rules for the aa domain, enabled only in developer mode
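developer_only(`
    # Grants for the aa domain that are only active when the developer_only
    # macro is enabled. This is a narrower set than the debug_only block:
    # no hilog/kmsg device access and no data_service_el1_file write.
    # Statement order has no effect; rules are kept sorted by target type
    # (aa as source first, then aa as target, then allowxperm) for review.
    # The inputmethod rules previously appended at the end are merged into
    # that order here, with no change to any permission set.
    #
    # execute_no_trans grants let aa run shell/tool binaries inside its own
    # domain, so those child processes inherit every rule in this block.
    allow aa aa_exec:file { execute_no_trans };
    allow aa arkcompiler_param:file { map open read };
    allow aa ark_writeable_param:file { map open read };
    allow aa bm_exec:file { getattr execute execute_no_trans map read open };
    allow aa debug_param:file { map read open };
    allow aa dev_console_file:chr_file { read write };
    allow aa devpts:chr_file { ioctl read write };
    allow aa dev_unix_socket:dir { search };
    allow aa foundation:binder { call transfer };
    allow aa foundation:fd { use };
    allow aa hdcd:fd { use };
    allow aa hdcd:fifo_file { ioctl read write };
    allow aa hdcd:unix_stream_socket { read write };
    allow aa hilog_param:file { map read open };
    allow aa ime_exec:file { getattr execute execute_no_trans map read open };
    allow aa inputmethod_service:binder { call transfer };
    allow aa persist_sys_param:file { map open read };
    binder_call(aa, powermgr);
    allow aa sa_foundation_abilityms:samgr_class { get };
    allow aa sa_foundation_appms:samgr_class { get };
    allow aa sa_foundation_bms:samgr_class { get };
    allow aa sa_inputmethod_service:samgr_class { get };
    allow aa samgr:binder { call };
    allow aa samgr:dir { search };
    allow aa samgr:file { read open };
    allow aa samgr:process { getattr };
    allow aa sh_exec:file { execute execute_no_trans map read open };
    allow aa sh:fd { use };
    allow aa system_bin_file:dir { search };
    allow aa system_bin_file:file { getattr execute read open execute_no_trans map };
    allow aa system_bin_file:lnk_file { read };
    allow aa toybox_exec:file { getattr execute read open execute_no_trans map };
    allow aa toybox_exec:lnk_file { read };
    allow aa tracefs:dir { search };
    allow aa tty_device:chr_file { read write open ioctl };
    # ---- aa as the target domain ----
    allow debug_hap aa:binder { call };
    allow foundation aa:binder { call transfer };
    allow hdcd aa:process { signal };
    allow hidumper_service aa:dir { search };
    allow hidumper_service aa:file { getattr open read };
    allow hiview aa:dir { search };
    allow hiview aa:file { read open getattr };
    allow inputmethod_service aa:binder { call transfer };
    allow normal_hap aa:binder { call };
    allow powermgr aa:binder { call transfer };
    allow samgr aa:binder { call transfer };
    allow samgr aa:dir { search };
    allow samgr aa:file { open read };
    allow samgr aa:process { getattr };
    # ---- ioctl whitelist ----
    # 0x5413 is TIOCGWINSZ (terminal window-size query); the ioctl permission
    # granted above is restricted to this single request number.
    allowxperm aa devpts:chr_file ioctl { 0x5413 };
    allowxperm aa hdcd:fifo_file ioctl { 0x5413 };
    allowxperm aa tty_device:chr_file ioctl { 0x5413 };
')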