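# Copyright (c) 2022-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# Access rules for the hiprofiler_cmd domain.
#
# hiprofiler_cmd must never hold process:ptrace on any type. The sys_ptrace
# capability granted further down belongs to the capability class and is not
# covered by this neverallow.
neverallow hiprofiler_cmd *:process ptrace;

# NOTE(review): developer_only presumably restricts everything below to the
# developer-mode policy build - confirm against the macro definition.
# Comments inside the macro argument avoid quote characters on purpose so that
# m4 quoting is not disturbed.
developer_only(`
    # Terminal and hdcd channel the command is started through.
    allow hiprofiler_cmd devpts:chr_file { read write };
    allow hiprofiler_cmd hdcd:fd use;
    allow hiprofiler_cmd hdcd:unix_stream_socket { read write };
    allow hiprofiler_cmd proc_cpuinfo_file:file { open read };
    allow hiprofiler_cmd tty_device:chr_file { read write };

    # TCP client and bind access plus route netlink queries.
    # NOTE(review): node and port look like the generic default types so these
    # rules do not limit which address or port is used - confirm this is intended.
    allow hiprofiler_cmd node:tcp_socket node_bind;
    allow hiprofiler_cmd self:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write };
    allow hiprofiler_cmd self:tcp_socket { bind create setopt };
    allow hiprofiler_cmd port:tcp_socket name_connect;
    allow hiprofiler_cmd self:tcp_socket { connect getattr getopt read write };
    allow hiprofiler_cmd self:tcp_socket shutdown;
    allow hiprofiler_cmd data_local:dir search;

    allow hiprofiler_cmd rootfs:file { read };

    allow hiprofiler_cmd dev_unix_socket:dir search;
    allow hiprofiler_cmd hdcd:fifo_file { read write };

    # Read-only access to system parameter areas. Several types receive
    # open or read or map in separate rules - the union of them applies.
    allow hiprofiler_cmd ohos_boot_param:file { map open read };
    allow hiprofiler_cmd ohos_param:file { map open read };
    allow hiprofiler_cmd system_bin_file:dir search;

    allow hiprofiler_cmd const_param:file { map open read };
    allow hiprofiler_cmd init_param:file { map open read };
    allow hiprofiler_cmd net_tcp_param:file { open read };
    allow hiprofiler_cmd sys_usb_param:file { map open };

    allow hiprofiler_cmd hw_sc_param:file { open read };
    allow hiprofiler_cmd net_param:file { map open read };
    allow hiprofiler_cmd net_tcp_param:file map;
    allow hiprofiler_cmd persist_param:file read;
    allow hiprofiler_cmd security_param:file { map open read };

    allow hiprofiler_cmd const_postinstall_param:file { map open read };
    allow hiprofiler_cmd hw_sc_build_param:file { map open read };
    allow hiprofiler_cmd hw_sc_param:file map;
    allow hiprofiler_cmd init_svc_param:file { map open read };

    allow hiprofiler_cmd hw_sc_build_os_param:file { open read };
    allow hiprofiler_cmd persist_param:file { map open };
    allow hiprofiler_cmd persist_sys_param:file { open read };

    allow hiprofiler_cmd const_postinstall_fstab_param:file { map open read };
    allow hiprofiler_cmd debug_param:file { map open read };
    allow hiprofiler_cmd hw_sc_build_os_param:file map;
    allow hiprofiler_cmd persist_sys_param:file map;
    allow hiprofiler_cmd startup_param:file { open read };

    allow hiprofiler_cmd bootevent_param:file { map open read };
    allow hiprofiler_cmd const_allow_mock_param:file { map open read };
    allow hiprofiler_cmd const_allow_param:file { map open read };
    allow hiprofiler_cmd startup_param:file map;

    allow hiprofiler_cmd build_version_param:file { open read };
    allow hiprofiler_cmd data_file:dir search;
    allow hiprofiler_cmd dev_file:sock_file write;
    allow hiprofiler_cmd netsysnative:unix_stream_socket connectto;

    allow hiprofiler_cmd bootevent_samgr_param:file read;
    allow hiprofiler_cmd build_version_param:file map;
    allow hiprofiler_cmd const_display_brightness_param:file read;
    allow hiprofiler_cmd distributedsche_param:file { map open read };

    allow hiprofiler_cmd bootevent_samgr_param:file { map open };
    allow hiprofiler_cmd const_build_param:file { map open read };
    allow hiprofiler_cmd const_display_brightness_param:file open;
    allow hiprofiler_cmd input_pointer_device_param:file { map open read };

    allow hiprofiler_cmd const_display_brightness_param:file map;
    allow hiprofiler_cmd default_param:file { map open read };

    allow hiprofiler_cmd tty_device:chr_file { ioctl open };

    allow hiprofiler_cmd rootfs:file getattr;
    allow hiprofiler_cmd system_bin_file:lnk_file read;
    allow hiprofiler_cmd toybox_exec:lnk_file read;

    # NOTE(review): file read on a process domain type is presumably for
    # reading the proc entries of that process - confirm.
    allow hiprofiler_cmd init:file read;
    allow hiprofiler_cmd kernel:file read;

    # execute_no_trans: system binaries and toybox run inside the
    # hiprofiler_cmd domain with no domain transition.
    allow hiprofiler_cmd system_bin_file:file { getattr map open read execute execute_no_trans };
    allow hiprofiler_cmd toybox_exec:file { getattr map open read execute execute_no_trans };

    # Socket file housekeeping under dev_unix_socket and control of the
    # profiler daemon and plugin processes.
    allow hiprofiler_cmd dev_unix_socket:dir remove_name;
    allow hiprofiler_cmd dev_unix_socket:sock_file unlink;
    allow hiprofiler_cmd hdf_devmgr:file read;
    allow hiprofiler_cmd hiprofiler_plugins:process sigkill;
    allow hiprofiler_cmd hiprofilerd:fd use;
    allow hiprofiler_cmd hiprofilerd:process sigkill;

    allow hiprofiler_cmd const_product_param:file { map open read };
    allow hiprofiler_cmd hilog_param:file { map open read };
    allow hiprofiler_cmd sys_param:file { map open read };
    allow hiprofiler_cmd sys_usb_param:file read;

    allow hiprofiler_cmd hilogd:file read;
    allow hiprofiler_cmd hiprofilerd:process signal;

    # Read access to dir and file objects labelled with any domain type.
    # NOTE(review): this is broad and makes the per-domain file read rules
    # above redundant if domain covers them - confirm the scope is required.
    allow hiprofiler_cmd domain:dir { search open read };
    allow hiprofiler_cmd domain:file { getattr map open read };

    allow hiprofiler_cmd dev_unix_socket:dir write;
    allow hiprofiler_cmd dev_unix_socket:sock_file write;

    allow hiprofiler_cmd dev_unix_socket:dir add_name;
    allow hiprofiler_cmd hiprofilerd:unix_stream_socket connectto;
    allow hiprofiler_cmd tmpfs:file { map read write };

    allow hiprofiler_cmd kernel:unix_stream_socket connectto;

    allow hiprofiler_cmd dev_unix_socket:sock_file { create getattr setattr };
    allow hiprofiler_cmd hook_param:parameter_service set;

    allow hiprofiler_cmd data_local_tmp:file { lock read open getattr };
    allow hiprofiler_cmd data_local_tmp:dir { open search };

    # The allowxperm rule limits the ioctl permission on sh fifo files to
    # command 0x5413 which is TIOCGWINSZ on Linux.
    allow hiprofiler_cmd sh:fd use;
    allow hiprofiler_cmd sh:fifo_file write;
    allowxperm hiprofiler_cmd sh:fifo_file ioctl { 0x5413 };
    allow hiprofiler_cmd sh:fifo_file ioctl;

    # NOTE(review): sys_ptrace capability. The neverallow at the top of this
    # file still blocks process:ptrace - confirm what needs this capability.
    allow hiprofiler_cmd self:capability sys_ptrace;

    # NOTE(review): ordinary signals may be sent to every domain. Explicit
    # rules already exist for the profiler daemons - consider narrowing.
    allow hiprofiler_cmd domain:process signal;
    allow hiprofiler_cmd hiview_exec:file { getattr map open read };

    # The next two rules have domain as the SOURCE: every domain may use fds
    # passed by hiprofiler_cmd and connect to its unix stream sockets.
    # NOTE(review): confirm that all domains need this and not only the
    # processes being profiled.
    allow domain hiprofiler_cmd:fd use;
    allow domain hiprofiler_cmd:unix_stream_socket connectto;
    allow hiprofiler_cmd ohos_dev_param:file { map open read };
    allow hiprofiler_cmd dev_unix_file:sock_file unlink;
    allow hiprofiler_cmd paramservice_socket:sock_file write;

    # Read access to application binaries and el1 application data.
    allow hiprofiler_cmd appspawn_exec:file { open read };
    allow hiprofiler_cmd normal_hap_attr:lnk_file read;
    allow hiprofiler_cmd data_app_el1_file:dir search;
    allow hiprofiler_cmd data_app_el1_file:file { getattr map open read };

    allow hiprofiler_cmd musl_param:file read;
    allow hiprofiler_cmd native_daemon:process sigkill;
    allow hiprofiler_cmd musl_param:file { map open };
    # NOTE(review): permits setting parameters labelled security_param -
    # confirm which parameter requires this.
    allow hiprofiler_cmd security_param:parameter_service set;
    allow hiprofiler_cmd dnsproxy_service:sock_file write;
    allow hiprofiler_cmd proc_file:file { getattr open read };

    allow hiprofiler_cmd hiviewdfx_profiler_param:parameter_service { set };
    allow hiprofiler_cmd dev_console_file:chr_file { read write };
    # ioctl on devpts is limited to 0x5413 which is TIOCGWINSZ on Linux.
    allowxperm hiprofiler_cmd devpts:chr_file ioctl { 0x5413 };
    allow hiprofiler_cmd devpts:chr_file { ioctl };

    allow hiprofiler_cmd vendor_bin_file:dir search;
    allow hiprofiler_cmd sysfs_devices_system_cpu:dir { read open };
    allow hiprofiler_cmd dev_file:dir getattr;
    allow hiprofiler_cmd dev_ashmem_file:chr_file { open };
    allow hiprofiler_cmd hdcd_exec:file { read open getattr map };
')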