# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# System parameter areas: mapped, read-only access. Every type below receives
# the same { map open read } set, so the rules are folded into one type set.
allow hiperf {
    const_allow_mock_param
    const_allow_param
    const_build_param
    const_param
    const_postinstall_fstab_param
    const_postinstall_param
    default_param
    distributedsche_param
    hw_sc_build_os_param
    hw_sc_build_param
    hw_sc_param
    init_param
    init_svc_param
    input_pointer_device_param
    net_param
    net_tcp_param
    ohos_boot_param
    ohos_param
    sys_param
    sys_usb_param
}:file { map open read };

# Executable images of other services: read and map only, no execute.
# NOTE(review): presumably needed to resolve symbols in sampled binaries - confirm.
allow hiperf { hdcd_exec samain_exec }:file { getattr map open read };

# Descriptors handed over by hdcd, and the tty hiperf talks through.
allow hiperf hdcd:fd use;
allow hiperf tty_device:chr_file { read write };

# Data files.
# NOTE(review): no allowxperm for data_file is visible in this file, so the
# ioctl permission is not narrowed to specific commands unless another policy
# file does so.
allow hiperf data_test_file:file { write };
allow hiperf data_file:file { getattr ioctl map open read };

# normal_hap_attr: directory access plus signull (signal 0, an existence probe
# that delivers nothing to the target).
allow hiperf normal_hap_attr:dir { getattr open read search };
allow hiperf normal_hap_attr:process signull;

# proc_* types with getattr only: hiperf can stat these entries, including
# sensitive-looking ones such as proc_kmsg_file, proc_keys_file and
# proc_sysrq_trigger_file, but this rule grants no open, read or write.
allow hiperf {
    proc_buddyinfo_file
    proc_cgroups_file
    proc_cmdline_file
    proc_config_gz_file
    proc_cpuinfo_file
    proc_diskstats_file
    proc_filesystems_file
    proc_interrupts_file
    proc_iomem_file
    proc_keys_file
    proc_kmsg_file
    proc_loadavg_file
    proc_misc_file
    proc_pagetypeinfo_file
    proc_partitions_file
    proc_rkisp_vir0_file
    proc_slabinfo_file
    proc_softirqs_file
    proc_stat_file
    proc_swaps_file
    proc_sysrq_trigger_file
    proc_timer_list_file
    proc_uptime_file
    proc_version_file
    proc_vmallocinfo_file
    proc_vmstat_file
    proc_zoneinfo_file
}:file getattr;

# proc_* types whose contents hiperf may actually read.
allow hiperf { proc_meminfo_file proc_modules_file }:file { getattr open read };

# NOTE(review): write and ioctl on the generic proc_file type. Which entry
# needs this is not visible here; a dedicated type for that entry would keep
# the grant from covering every file labelled proc_file.
allow hiperf proc_file:file { ioctl write };

# tracefs. The allowxperm rule names a single ioctl command (0x5413, which is
# TIOCGWINSZ on Linux); with it present, other ioctl commands on tracefs files
# fail the extended-permission check even though ioctl is in the allow rule.
allow hiperf tracefs:dir { open read search };
allow hiperf tracefs:file { getattr open read write ioctl };
allowxperm hiperf tracefs:file ioctl { 0x5413 };

# Further parameter areas, same mapped read-only set as the other *_param types.
allow hiperf {
    bootevent_param
    bootevent_samgr_param
    build_version_param
    const_display_brightness_param
    const_product_param
    debug_param
    hilog_param
    persist_param
    persist_sys_param
    security_param
    startup_param
}:file { map open read };

# Executable images of other services: read and map only, no execute.
allow hiperf {
    appspawn_exec
    hilogd_exec
    hiview_exec
    storage_daemon_exec
    wifi_hal_service_exec
}:file { getattr map open read };

# Terminal and hdcd socket I/O on already-open descriptors (no open permission).
allow hiperf devpts:chr_file { read write };
allow hiperf hdcd:unix_stream_socket { read write };

# Read side of generic proc_file entries.
allow hiperf proc_file:file { getattr open read };

# perf_event on self: open events, read and write them, and use the cpu and
# kernel permissions of the class. These are the grants that make hiperf a
# privileged profiler, so any other domain asking for them deserves scrutiny.
allow hiperf self:perf_event { cpu kernel open read write };

# Directory traversal (search) only; no listing of these directories.
allow hiperf { data_file dev_unix_socket system_bin_file data_local }:dir search;

# Socket I/O with hiprofiler_plugins on an already-open descriptor.
allow hiperf hiprofiler_plugins:unix_stream_socket { read write };

allow hiperf rootfs:file read;
allow hiperf sysfs_kernel_notes:file { open read };
allow hiperf tmpfs:file { read write };

# Shell image: read and map only, no execute.
allow hiperf sh_exec:file { getattr map open read };

# execute_no_trans: these binaries run inside the hiperf domain with no domain
# transition, so everything they do stays bounded by the rules in this file.
allow hiperf { system_bin_file toybox_exec }:file { execute execute_no_trans getattr map open read };

# Descriptors and pipes shared with the hiprofiler processes.
allow hiperf { hiprofiler_plugins hiprofilerd }:fd use;
allow hiperf hiprofiler_plugins:fifo_file { ioctl write };

# Named pipes hiperf creates and removes itself under data_local_tmp.
allow hiperf data_local_tmp:fifo_file { create open read unlink write };

# CPU information sources.
allow hiperf { proc_cpuinfo_file sysfs_devices_system_cpu }:file { open read };

# Executable images of other services: read and map only, no execute.
allow hiperf {
    hdf_devmgr_exec
    uinput_inject_exec
    watchdog_service_exec
}:file { getattr map open read };

allow hiperf vendor_bin_file:dir search;

# Rules whose target is domain, presumably the attribute carried by every
# process type (its definition is not in this file), which would make these
# the widest grants in the file.
# NOTE(review): add_name and write on domain:dir go beyond what reading
# per-process entries needs; confirm they are required, otherwise
# { getattr open read search } is the read-only set.
allow hiperf domain:dir { add_name getattr open read search write };
allow hiperf domain:file { getattr map open read };

# Named services: directory read and signull (signal 0 existence probe).
allow hiperf { camera_service drm_service }:dir { open read };
allow hiperf { camera_service drm_service }:process signull;

# data_file directories: listing plus add_name and write.
allow hiperf data_file:dir { add_name getattr open read write };

# dev_mali device node (presumably the GPU): read-only.
allow hiperf dev_mali:chr_file { getattr open read };

# Named process types: directory read.
allow hiperf {
    distributedfiledaemon
    hdcd
    init
    render_service
    system_basic_hap_attr
    ui_service
}:dir { open read };

# Named process types: signull (signal 0, probes whether the process exists).
allow hiperf {
    distributedfiledaemon
    hdcd
    hiview
    init
    render_service
    system_basic_hap_attr
    ui_service
}:process signull;

# NOTE(review): signull toward everything in domain. If the types listed above
# carry the domain attribute (not visible here), this single rule already
# covers them and the per-type signull rules are redundant.
allow hiperf domain:process signull;

allow hiperf render_service_exec:file { getattr map open read };
allow hiperf rootfs:dir read;
allow hiperf { system_bin_file toybox_exec }:lnk_file read;

# Tracepoint events, in addition to the other perf_event permissions on self.
allow hiperf self:perf_event tracepoint;

# Parameter areas, mapped read-only.
allow hiperf { accessibility_param ohos_dev_param }:file { map open read };

# Output locations labelled for hiperf itself. create_dir_perms and
# create_file_perms are macros defined outside this file.
allow hiperf { data_log_hiperf_file data_local_tmp_hiperf_file }:dir { create_dir_perms };
allow hiperf { data_log_hiperf_file data_local_tmp_hiperf_file }:file { create_file_perms };
allow hiperf { data_log_hiperf_file data_local_tmp_hiperf_file }:fifo_file { create open read unlink write };

# Generic data_log tree: create, modify, rename and remove entries.
# NOTE(review): the file also defines rules for the dedicated
# data_log_hiperf_file type; check whether write access to the shared data_log
# type is still required, since it reaches files owned by other loggers.
allow hiperf data_log:dir { add_name create getattr open read remove_name search watch write };
allow hiperf data_log:file { create getattr ioctl lock map open read rename unlink write };

# Application data (el1): traverse directories, read and map files.
allow hiperf data_app_el1_file:dir search;
allow hiperf data_app_el1_file:file { getattr map open read };

allow hiperf normal_hap_attr:lnk_file read;

# Images and product files: read and map only, no execute.
allow hiperf chip_prod_file:dir search;
allow hiperf {
    chip_prod_file
    udevd_exec
    vendor_bin_file
}:file { getattr map open read };

# ueventd_exec gets read alone in this rule (no open, no map).
allow hiperf ueventd_exec:file read;

# sysfs.
allow hiperf sys_file:file { getattr open read };
allow hiperf sysfs_devices_system_cpu:file getattr;

# Rules for other domains acting on hiperf output.
# init: relabel from data_log toward the hiperf-specific label.
allow init data_log:file relabelfrom;
allow init data_log_hiperf_file:dir { getattr open read relabelto setattr };
allow init data_log_hiperf_file:file { read };

# hiview: read and delete hiperf output files.
allow hiview data_log_hiperf_file:dir { getattr open read relabelto search };
allow hiview data_log_hiperf_file:file { getattr open read unlink };

#allow hiperf data_file:file { create write };
#allow hiperf devpts:chr_file ioctl;

# Rules wrapped in debug_only, a macro defined outside this file; presumably
# they are emitted only for debug builds. They add kernel log access through
# capability2 syslog and ptrace of hap_domain processes. The ptrace grant is
# the exact exception carved out of the hiperf ptrace neverallow in this file.
debug_only(`
    allow hiperf hap_domain:process ptrace;
    allow hiperf self:capability2 syslog;
')

# Rules wrapped in developer_only, a macro defined outside this file;
# presumably they are emitted only when developer mode is built in. They cover
# interaction with the sh domain, a pipe under data_log, and ptrace limited to
# debug_hap, which is the exception carved out of the hiperf ptrace neverallow
# in this file. The hmcap class and its code_protect permission are defined
# elsewhere; their meaning is not visible here.
developer_only(`
    allow hiperf debug_hap:process ptrace;
    allow hiperf sh:dir { getattr open read search };
    allow hiperf sh:fd use;
    allow hiperf sh:fifo_file { read write };
    allow hiperf sh:process signull;
    allow hiperf data_log:fifo_file { create open read unlink write };
    allow hiperf hiperf:hmcap code_protect;
')

# Build-time assertion: hiperf may hold process ptrace on nothing in domain,
# minus hap_domain where debug_only expands and minus debug_hap where
# developer_only expands. Any allow rule that contradicts this fails the
# policy build instead of shipping.
neverallow hiperf { domain debug_only(`-hap_domain') developer_only(`-debug_hap') }:process ptrace;

# Capabilities on self.
# NOTE(review): sys_ptrace is granted unconditionally. The capability by
# itself does not grant SELinux process ptrace, which stays limited by the
# neverallow above, but it does relax the kernel ptrace access-mode checks, so
# confirm that release builds need it.
allow hiperf self:capability { ipc_lock sys_ptrace };
allow hiperf self:capability2 perfmon;

allow hiperf self:unix_dgram_socket { getopt setopt };

# Scratch files and directories under data_local_tmp.
allow hiperf data_local_tmp:dir { add_name open read remove_name search write };
allow hiperf data_local_tmp:file { create getattr ioctl map open read rename unlink write };

# Build-time assertions on perf_event. The cpu permission on self is reserved
# for hiperf, init, hiebpf and rgm_violator_perf_event_cpu; tracepoint on self
# is reserved for hiperf alone. A rule granting either to another domain makes
# the policy build fail.
neverallow {
    domain
    -hiperf
    -init
    -hiebpf
    -rgm_violator_perf_event_cpu
} self:perf_event cpu;
neverallow { domain -hiperf } self:perf_event tracepoint;

# musl_param: mapped read-only. The original listed this identical rule twice;
# allow rules are additive, so stating it once yields the same policy.
allow hiperf musl_param:file { map open read };

allow hiperf dev_console_file:chr_file { read write };

# Parameter service: hiperf may set parameters of these two types.
# NOTE(review): set on security_param is a write path into parameters of that
# type; which keys carry the label is not visible here, so confirm the scope.
allow hiperf { security_param hiviewdfx_profiler_param }:parameter_service set;
allow hiperf paramservice_socket:sock_file { read write };
allow hiperf kernel:unix_stream_socket connectto;

# Service lookup through samgr, then binder calls to the services found.
allow hiperf { sa_foundation_bms sa_param_watcher }:samgr_class get;
allow hiperf { foundation samgr }:binder call;
allow hiperf param_watcher:binder { call transfer };

# Write-only access to the tracefs trace marker.
allow hiperf tracefs_trace_marker_file:file { open write };

# Images: read and map only; ueventd_exec gets no read in this rule.
allow hiperf hilog_exec:file { getattr map open read };
allow hiperf ueventd_exec:file { getattr map open };

# NOTE(review): no allowxperm for rootfs is visible in this file, so this
# ioctl grant is not narrowed to specific commands unless another file does so.
allow hiperf rootfs:file ioctl;
allow hiperf dev_file:dir getattr;

# Reverse direction: what samgr may do to hiperf (inspect the process entry,
# then call into it over binder and pass binder references).
allow samgr hiperf:binder { call transfer };
allow samgr hiperf:dir search;
allow samgr hiperf:file { open read };
allow samgr hiperf:process getattr;

allow hiperf dev_bbox:chr_file read;
allow hiperf sysfs_devices_system_cpu:dir { open read };

# Channels toward hiview: inherited descriptors, datagram socket, pipe, and
# files labelled hiview_file. No open permission is granted on the files, so
# they have to arrive as already-open descriptors.
allow hiperf hiview:fd use;
allow hiperf hiview:fifo_file { read write };
allow hiperf hiview:unix_dgram_socket { read sendto write };
allow hiperf hiview_file:file { read write };

# Rules for hiview: it may kill a hiperf process, and receives a few grants
# that sit in this file next to the hiperf rules.
allow hiview hiperf:process sigkill;
allow hiview data_local:dir search;
allow hiview proc_file:file getattr;
allow hiview debug_param:parameter_service set;

# Read without map.
allow hiperf {
    SP_daemon_exec
    data_app_el1_arkcache
    system_file
}:file { getattr open read };

# Read and map, no execute. The original repeated the init_exec rule inside
# this run; allow rules are additive, so listing the type once is equivalent.
allow hiperf {
    app_el1_bundle_public
    data_service_el1_file
    deviceauth_service_exec
    faultloggerd_exec
    hidumper_exec
    hiprofiler_cmd_exec
    hiprofiler_plugins_exec
    hiprofilerd_exec
    hisysevent_exec
    hitrace_exec
    init_exec
    render_service_exec
    sys_prod_file
    system_usr_file
}:file { getattr map open read };

# Directory traversal only.
allow hiperf {
    data_app_el1_arkcache
    sys_prod_file
    system_usr_file
}:dir search;

# Public bundle directories may also be listed.
allow hiperf app_el1_bundle_public:dir { getattr open read search };

allow hiperf isolated_render:lnk_file read;

# SP_daemon: use descriptors it passes in and write to its pipe. There is no
# open permission, so the pipe has to be inherited rather than opened by path.
allow hiperf SP_daemon:fd use;
allow hiperf SP_daemon:fifo_file write;
