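# Copyright (c) 2023-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

# Type-enforcement policy for the SP_daemon domain.
# Each (target type, object class) pair appears exactly once below. Permission
# sets that were spread over several rules for the same pair, or repeated
# inside one rule (e.g. "write write", "read open read"), are merged; the
# compiled access vectors are unchanged because allow/allowxperm rules for the
# same pair are unioned by the policy compiler.

# SP_daemon may never ptrace any process. Note that this neverallow constrains
# only process:ptrace; the sys_ptrace capability granted at the end of this
# file is a separate permission and is not rejected by it.
neverallow SP_daemon *:process ptrace;

# --- data partition ---------------------------------------------------------
allow SP_daemon data_file:dir { search };
allow SP_daemon data_local:dir { search };
allow SP_daemon data_local_tmp:dir { add_name create getattr open read remove_name rmdir search write };
allow SP_daemon data_local_tmp:file { append create getattr ioctl open read setattr unlink write };
allowxperm SP_daemon data_local_tmp:file ioctl 0x5413;
allow SP_daemon data_hilogd_file:dir { search };
allow SP_daemon data_service_file:dir { search };
allow SP_daemon data_service_el2_file:dir { getattr open read search };
allow SP_daemon data_service_el2_file:file { getattr open read };

# --- terminals and device nodes ---------------------------------------------
# 0x5413 (TIOCGWINSZ on Linux) is the only ioctl command permitted on the
# terminal-like objects in this group.
allow SP_daemon dev_console_file:chr_file { read write };
allow SP_daemon devpts:chr_file { getattr ioctl read write };
allowxperm SP_daemon devpts:chr_file ioctl 0x5413;
allow SP_daemon tty_device:chr_file { ioctl open read write };
allowxperm SP_daemon tty_device:chr_file ioctl 0x5413;
allow SP_daemon dev_kmsg_file:chr_file { write };
allow SP_daemon dev_unix_socket:dir { search };
# dev_ucollection ioctls are limited to command numbers 0x1-0x5 and 0x7
# (0x6 is not granted); extend the list only after reviewing the driver.
allow SP_daemon dev_ucollection:chr_file { ioctl open read write };
allowxperm SP_daemon dev_ucollection:chr_file ioctl { 0x1 0x2 0x3 0x4 0x5 0x7 };

# --- hdcd pipes and sockets -------------------------------------------------
allow SP_daemon hdcd:fd { use };
allow SP_daemon hdcd:fifo_file { ioctl read write };
allowxperm SP_daemon hdcd:fifo_file ioctl { 0x5413 };
allow SP_daemon hdcd:unix_stream_socket { read write };

# --- shell and executables run in the SP_daemon domain (execute_no_trans) ---
allow SP_daemon sh:fd { use };
allow SP_daemon sh:dir { search };
allow SP_daemon sh:file { open read };
allow SP_daemon sh_exec:file { execute execute_no_trans map open read };
allow SP_daemon system_bin_file:dir { search };
allow SP_daemon system_bin_file:file { execute execute_no_trans getattr map open read };
allow SP_daemon system_bin_file:lnk_file { read };
allow SP_daemon toybox_exec:file { execute execute_no_trans getattr map open read };
allow SP_daemon toybox_exec:lnk_file { read };
allow SP_daemon uitest_exec:file { execute execute_no_trans getattr map open read };
allow SP_daemon uinput_exec:file { execute execute_no_trans getattr map open read };
allow SP_daemon aa_exec:file { execute execute_no_trans getattr map open read };
allow SP_daemon snapshot_display_exec:file { execute execute_no_trans getattr map open read };
allow SP_daemon SP_daemon_exec:file { execute_no_trans };
allow SP_daemon SP_daemon:file { open };

# --- system / sysfs (read-only) ---------------------------------------------
allow SP_daemon sys_file:dir { open read };
allow SP_daemon sys_file:file { getattr open read };
allow SP_daemon sysfs_devices_system_cpu:dir { open read };
allow SP_daemon sysfs_devices_system_cpu:file { getattr open read };
allow SP_daemon sysfs_attr:file { getattr open read };
allow SP_daemon system_file:file { getattr open read };
allow SP_daemon system_usr_file:dir { search };
allow SP_daemon system_usr_file:file { getattr map open read };
allow SP_daemon sys_prod_file:dir { search };
allow SP_daemon chip_prod_file:dir { search };

# --- own TCP/UDP sockets ----------------------------------------------------
allow SP_daemon SP_daemon:tcp_socket { accept bind connect create listen read setopt shutdown write };
allow SP_daemon SP_daemon:udp_socket { bind create read write };
allow SP_daemon node:tcp_socket { node_bind };
allow SP_daemon node:udp_socket { node_bind };
allow SP_daemon port:tcp_socket { name_bind name_connect };
allow SP_daemon port:udp_socket { name_bind };

# --- binder peers and samgr lookups -----------------------------------------
allow SP_daemon multimodalinput:binder { call };
allow SP_daemon foundation:binder { call transfer };
allow SP_daemon samgr:binder { call transfer };
allow SP_daemon param_watcher:binder { call transfer };
allow SP_daemon render_service:binder { call transfer };
allow SP_daemon render_service:fd { use };
allow SP_daemon test_server:binder { call transfer };
allow SP_daemon test_server:fd { use };
allow SP_daemon sa_param_watcher:samgr_class { get };
allow SP_daemon sa_foundation_dms:samgr_class { get };
allow SP_daemon sa_foundation_wms:samgr_class { get };
allow SP_daemon sa_foundation_abilityms:samgr_class { get };
allow SP_daemon sa_multimodalinput_service:samgr_class { get };
allow SP_daemon sa_accessibleabilityms:samgr_class { get };
allow SP_daemon sa_render_service:samgr_class { get };
allow SP_daemon sa_test_server:samgr_class { get };

# --- system parameters ------------------------------------------------------
# Parameter files are mapped read-only; every rule in this group grants
# exactly { map open read }.
allow SP_daemon hilog_param:file { map open read };
allow SP_daemon persist_sys_param:file { map open read };
allow SP_daemon ohos_boot_param:file { map open read };
allow SP_daemon debug_param:file { map open read };
allow SP_daemon bootevent_param:file { map open read };
allow SP_daemon devinfo_private_param:file { map open read };
allow SP_daemon net_param:file { map open read };
allow SP_daemon sys_param:file { map open read };
allow SP_daemon sys_usb_param:file { map open read };
allow SP_daemon const_postinstall_fstab_param:file { map open read };
allow SP_daemon const_postinstall_param:file { map open read };
allow SP_daemon net_tcp_param:file { map open read };
allow SP_daemon const_allow_mock_param:file { map open read };
allow SP_daemon const_allow_param:file { map open read };
allow SP_daemon persist_param:file { map open read };
allow SP_daemon security_param:file { map open read };
allow SP_daemon bootevent_wms_param:file { map open read };
allow SP_daemon ffrt_param:file { map open read };
allow SP_daemon print_param:file { map open read };
allow SP_daemon arkcompiler_param:file { map open read };
allow SP_daemon ark_writeable_param:file { map open read };
allow SP_daemon arkui_param:file { map open read };
allow SP_daemon hitrace_param:file { map open read };
allow SP_daemon hiviewdfx_profiler_param:file { map open read };
allow SP_daemon bms_param:file { map open read };
allow SP_daemon const_display_brightness_param:file { map open read };
allow SP_daemon developtools_hdc_control_param:file { map open read };
allow SP_daemon distributedsche_param:file { map open read };
allow SP_daemon samgr_perf_param:file { map open read };
allow SP_daemon thermal_log_param:file { map open read };
allow SP_daemon update_updater_param:file { map open read };
allow SP_daemon updater_flashd_param:file { map open read };
allow SP_daemon usb_setting_param:file { map open read };
# Write side: the only parameter namespace this domain may set is debug_param.
# The sock_file write and kernel connectto presumably form the path to the
# parameter service socket - verify against the param service policy.
allow SP_daemon paramservice_socket:sock_file { write };
allow SP_daemon kernel:unix_stream_socket { connectto };
allow SP_daemon debug_param:parameter_service { set };

# ps -ef
# `domain` is an attribute, so these two rules apply to the per-process
# directories and files of every process domain, not a single type.
allow SP_daemon domain:dir { getattr search };
allow SP_daemon domain:file { open read };

# --- procfs -----------------------------------------------------------------
allow SP_daemon proc_file:file { open read };
allow SP_daemon proc_net:file { getattr open read };
allow SP_daemon proc_net_tcp_udp:file { getattr open read };
allow SP_daemon proc_cmdline_file:file { getattr open read };
allow SP_daemon proc_cpuinfo_file:file { getattr open read };
allow SP_daemon proc_loadavg_file:file { getattr open read };
allow SP_daemon proc_meminfo_file:file { getattr open read };
allow SP_daemon proc_modules_file:file { getattr open read };
allow SP_daemon proc_slabinfo_file:file { getattr open read };
# setattr is the only non-read permission in this group; keep it only if the
# daemon really changes attributes of proc_stat_file.
allow SP_daemon proc_stat_file:file { getattr open read setattr };
allow SP_daemon proc_version_file:file { getattr open read };
allow SP_daemon proc_vmallocinfo_file:file { getattr open read };
allow SP_daemon proc_vmstat_file:file { getattr open read };
allow SP_daemon proc_zoneinfo_file:file { getattr open read };

# --- diagnostics: hiview / hisysevent / hitrace / hiperf / hiprofiler -------
allow SP_daemon hisysevent:lnk_file { read };
allow SP_daemon hisysevent:process { signal };
allow SP_daemon hitrace:lnk_file { read };
allow SP_daemon hiperf:process { signal };
allow SP_daemon hiview:unix_dgram_socket { sendto };
allow SP_daemon hiview_file:dir { getattr open read search };
allow SP_daemon hiview_file:file { getattr open read };
allow SP_daemon processdump:dir { search };
allow SP_daemon processdump:file { open read };
allow SP_daemon hiprofiler_cmd:file { getattr };
allow SP_daemon hiprofilerd:fd { use };
allow SP_daemon hiprofilerd:file { getattr };
allow SP_daemon hiprofiler_plugins:fd { use };
allow SP_daemon hiprofiler_plugins:file { getattr };
allow SP_daemon hiprofiler_plugins:fifo_file { ioctl write };
allowxperm SP_daemon hiprofiler_plugins:fifo_file ioctl { 0x5413 };
allow SP_daemon hiprofiler_plugins:unix_stream_socket { read write };

# --- installed applications (read-only) -------------------------------------
allow SP_daemon normal_hap:dir { open read };
allow SP_daemon normal_hap:file { getattr open read };
allow SP_daemon normal_hap:lnk_file { getattr open read };

# --- capabilities -----------------------------------------------------------
# sys_ptrace is broader than the ptrace syscall (on Linux it also relaxes the
# access checks on other processes' /proc entries). It coexists with the
# neverallow at the top of this file; keep it only with a documented need.
allow SP_daemon SP_daemon:capability { sys_ptrace };
allow SP_daemon SP_daemon:hmcap { supervsable };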