# Copyright (c) 2022-2025 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

14developer_only(`
15    allow native_daemon debug_hap:process { ptrace };
16    allow native_daemon native_daemon:hmcap { code_protect };
17')
18
19neverallow native_daemon { domain debug_only(`-hap_domain') developer_only(`-debug_hap') }:process ptrace;
20neverallow { domain -hiprofiler_cmd -hiprofilerd -hiprofiler_plugins -native_daemon -hitrace -hiview -bytrace -hiperf -hiviewdfx_profiler_param_violator } hiviewdfx_profiler_param:parameter_service { set };
21
22debug_only(`
23    allow native_daemon vendor_bin_file:dir { search };
24    allow native_daemon vendor_bin_file:file { getattr map open read };
25')
26allow domain hiprofiler_socket:sock_file { getattr write unlink };
27allow init hiprofiler_socket:sock_file { relabelto };
28
29allow native_daemon data_local_tmp:file { create read open write lock getattr ioctl map };
30allow native_daemon data_local_tmp:dir { search add_name write getattr };
31allow native_daemon self:capability { kill sys_ptrace };
32
33allow native_daemon data_file:dir search;
34allow native_daemon data_local:dir search;
35allow native_daemon devpts:chr_file { read write };
36allow native_daemon hilog_param:file { map open read };
37allow native_daemon musl_param:file { map open read };
38
39allow native_daemon hdcd:fd use;
40allow native_daemon hdcd:unix_stream_socket { read write };
41
42allow native_daemon tty_device:chr_file { ioctl open read write };
43allow native_daemon hiprofilerd:fd use;
44allow native_daemon hiview:process signal;
45allow native_daemon hiview_exec:file { getattr map open read };
46allow native_daemon rootfs:file read;
47allow native_daemon system_bin_file:dir search;
48
49allow native_daemon hiview:dir search;
50allow native_daemon hiview:file { open read };
51allow native_daemon tty_device:chr_file { ioctl open };
52allow native_daemon sh_exec:file { execute_no_trans map open read };
53allow native_daemon hilog_param:file read;
54allow native_daemon paramservice_socket:sock_file write;
55allow native_daemon system_bin_file:lnk_file read;
56allow native_daemon system_bin_file:file { execute execute_no_trans getattr map open read };
57allow native_daemon toybox_exec:lnk_file read;
58allow native_daemon toybox_exec:file { execute execute_no_trans getattr map open read };
59
60allow native_daemon domain:dir { open read getattr search };
61allow native_daemon domain:file { open read getattr };
62allow domain native_daemon:fd use;
63allow domain native_daemon:unix_stream_socket connectto;
64allow domain hiprofilerd:unix_stream_socket connectto;
65allow native_daemon dev_unix_socket:dir { add_name remove_name write search };
66allow native_daemon dev_unix_socket:sock_file { unlink create getattr setattr write };
67allow native_daemon domain:process signal;
68allow native_daemon appspawn_exec:file read;
69allow native_daemon kernel:unix_stream_socket connectto;
70allow native_daemon dev_unix_file:sock_file unlink;
71allow native_daemon hook_param:parameter_service set;
72allow native_daemon dev_unix_file:sock_file write;
73allow native_daemon appspawn_exec:file open;
74allow native_daemon appspawn_exec:file getattr;
75allow native_daemon appspawn_exec:file map;
76allow native_daemon dev_ashmem_file:chr_file { open };
77allow native_daemon dev_console_file:chr_file { read write };
78allow native_daemon proc_file:file { open read getattr };
79
80allow native_daemon sa_foundation_bms:samgr_class get;
81allow native_daemon sa_param_watcher:samgr_class get;
82allow native_daemon samgr:binder { call };
83allow native_daemon debug_param:file { map open read };
84allow native_daemon foundation:binder call;
85allow native_daemon param_watcher:binder call;
86allow native_daemon tracefs:dir search;
87allow native_daemon tracefs_trace_marker_file:file { open write };
88allow native_daemon param_watcher:binder transfer;
89allow native_daemon appspawn:lnk_file read;
90allowxperm native_daemon devpts:chr_file ioctl { 0x5413 };
91allow native_daemon devpts:chr_file { ioctl };
92allow native_daemon data_app_el1_file:dir search;
93allow native_daemon data_app_el1_file:file { getattr map open read };
94allow native_daemon native_daemon:unix_dgram_socket { ioctl };
95allow native_daemon dev_file:dir getattr;
96allow native_daemon hap_domain:lnk_file { getattr map open read };
97allow native_daemon app_el1_bundle_public:dir { read search open getattr };
98allow native_daemon app_el1_bundle_public:file { map getattr read open };
99allow native_daemon sa_native_daemon:samgr_class { add };
100allow native_daemon hiviewdfx_profiler_param:parameter_service { set };
101allow native_daemon hdcd_exec:file { read open getattr map };
102
103allow native_daemon hilog_exec:file { getattr map open read };
104allow native_daemon data_app_el1_arkcache:dir { search };
105allow native_daemon data_app_el1_arkcache:file { getattr open read };
106allow native_daemon SP_daemon_exec:file { getattr open read map };
107allow native_daemon hilogd_exec:file { getattr map open read };
108allow native_daemon render_service_exec:file { getattr map open read };
109allow native_daemon samain_exec:file { getattr map open read };
110allow native_daemon storage_daemon_exec:file { getattr map open read };
111allow native_daemon wifi_hal_service_exec:file { getattr map open read };
112allow native_daemon watchdog_service_exec:file { getattr map open read };
113allow native_daemon ueventd_exec:file { getattr map open read };
114allow native_daemon deviceauth_service_exec:file { getattr map open read };
115allow native_daemon faultloggerd_exec:file { getattr map open read };
116allow native_daemon hidumper_exec:file { getattr map open read };
117allow native_daemon hiprofiler_cmd_exec:file { getattr map open read };
118allow native_daemon hiprofiler_plugins_exec:file { getattr map open read };
119allow native_daemon hiprofilerd_exec:file { getattr map open read };
120allow native_daemon hisysevent_exec:file { getattr map open read };
121allow native_daemon hitrace_exec:file { getattr map open read };
122allow native_daemon init_exec:file { getattr map open read };
123allow native_daemon sys_prod_file:dir { search };
124allow native_daemon sys_prod_file:file { getattr map open read };
125allow native_daemon system_usr_file:file { getattr map open read };
126allow native_daemon data_service_el1_file:file { getattr map open read };
127allow native_daemon isolated_render:lnk_file { read };
128