# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
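# Type-enforcement rules for the cloudfiledaemon domain.
#
# Rules are grouped by the kind of object they reach. Statements that named the
# same source, target and class more than once are merged into one statement;
# the union of granted permissions is unchanged. Section titles describe what
# the rules literally grant; purposes inferred from type names are marked as
# assumptions to confirm.

# ---------------------------------------------------------------------------
# System parameters
# ---------------------------------------------------------------------------
# Set persist_param parameters and map the parameter files read-only.
allow cloudfiledaemon persist_param:parameter_service { set };
allow cloudfiledaemon persist_param:file { map open read };
allow cloudfiledaemon media_library_param:file { map open read };
# Reach the parameter service socket (presumably under the dev_unix_socket
# directory searched here; confirm against file_contexts).
allow cloudfiledaemon dev_unix_socket:dir { search };
allow cloudfiledaemon paramservice_socket:sock_file { write };

# ---------------------------------------------------------------------------
# System-ability registry (samgr_class)
# ---------------------------------------------------------------------------
# Lookups (get) of system abilities hosted by other services.
allow cloudfiledaemon sa_accesstoken_manager_service:samgr_class { get };
allow cloudfiledaemon sa_param_watcher:samgr_class { get };
allow cloudfiledaemon sa_foundation_cesfwk_service:samgr_class { get };
allow cloudfiledaemon sa_foundation_abilityms:samgr_class { get };
allow cloudfiledaemon sa_powermgr_battery_service:samgr_class { get };
allow cloudfiledaemon sa_powermgr_powermgr_service:samgr_class { get };
allow cloudfiledaemon sa_net_conn_manager:samgr_class { get };
allow cloudfiledaemon sa_dataobs_mgr_service_service:samgr_class { get };
allow cloudfiledaemon sa_distributeddata_service:samgr_class { get };
allow cloudfiledaemon sa_accountmgr:samgr_class { get };
allow cloudfiledaemon sa_softbus_service:samgr_class { get };
allow cloudfiledaemon sa_resource_schedule:samgr_class { get };
allow cloudfiledaemon sa_media_service:samgr_class { get };
allow cloudfiledaemon sa_storage_manager_service:samgr_class { get };
allow cloudfiledaemon sa_memory_manager_service:samgr_class { get };
# The two system abilities this domain is allowed to register (add). The sync
# service may additionally be registered and looked up remotely.
allow cloudfiledaemon sa_filemanagement_cloud_sync_service:samgr_class { add add_remote get_remote get };
allow cloudfiledaemon sa_filemanagement_cloud_daemon_service:samgr_class { add };

# ---------------------------------------------------------------------------
# Binder IPC
# ---------------------------------------------------------------------------
# call = invoke the peer; transfer = pass binder references to the peer.
allow cloudfiledaemon param_watcher:binder { call transfer };
allow cloudfiledaemon netmanager:binder { call transfer };
allow cloudfiledaemon accesstoken_service:binder { call };
allow cloudfiledaemon foundation:binder { transfer call };
binder_call(cloudfiledaemon, powermgr);
# Merged: the original file granted { call transfer } and, separately, { call }
# for this same tuple.
# NOTE(review): hap_domain looks like an attribute covering application
# domains, so this allows calling into and handing binder references to any of
# them. Confirm the breadth is intended.
allow cloudfiledaemon hap_domain:binder { call transfer };
allow cloudfiledaemon distributeddata:binder { transfer call };
allow cloudfiledaemon accountmgr:binder { call };
allow cloudfiledaemon softbus_server:binder { call transfer };
allow cloudfiledaemon cloudfiledaemon:binder { call };
allow cloudfiledaemon resource_schedule_service:binder { call transfer };
allow cloudfiledaemon media_service:binder { call transfer };
allow cloudfiledaemon memmgrservice:binder { call };
# Reverse direction: these two rules have another domain as the source and
# cloudfiledaemon as the target. They widen what accountmgr and
# resource_schedule_service may do, so review them with those domains too.
allow accountmgr cloudfiledaemon:binder { transfer };
allow resource_schedule_service cloudfiledaemon:binder { call };

# ---------------------------------------------------------------------------
# File descriptors received from other domains
# ---------------------------------------------------------------------------
# fd use lets the daemon operate on descriptors opened by these domains; access
# to the underlying object is still checked against the object type.
allow cloudfiledaemon storage_daemon:fd { use };
allow cloudfiledaemon distributeddata:fd { use };
allow cloudfiledaemon softbus_server:fd { use };
allow cloudfiledaemon normal_hap_attr:fd { use };
allow cloudfiledaemon system_core_hap_attr:fd { use };

# ---------------------------------------------------------------------------
# Path traversal only (search, no read or write)
# ---------------------------------------------------------------------------
allow cloudfiledaemon data_file:dir { search };
allow cloudfiledaemon data_storage:dir { search };
allow cloudfiledaemon data_service_file:dir { search };
allow cloudfiledaemon data_service_el2_file:dir { search };
allow cloudfiledaemon system_bin_file:dir { search };

# ---------------------------------------------------------------------------
# Storage: cloudfile data (cloudfile_data_file)
# ---------------------------------------------------------------------------
# Merged: rmdir (dir) and append (file) were granted in separate statements.
allow cloudfiledaemon cloudfile_data_file:dir { search write add_name create remove_name read open setattr getattr rmdir };
allow cloudfiledaemon cloudfile_data_file:file { create write open getattr setattr read rename unlink lock map ioctl append };
# ioctl allow-list. 0x5413 is TIOCGWINSZ. The 0xf5xx values fall in the F2FS
# ioctl range (magic 0xf5); 0xf546 and 0xf547 cannot be identified from this
# file. TODO confirm against the kernel headers of the target build.
allowxperm cloudfiledaemon cloudfile_data_file:file ioctl { 0xf50c 0x5413 0xf546 0xf547 };

# ---------------------------------------------------------------------------
# Storage: el1 service data (data_service_el1_file)
# ---------------------------------------------------------------------------
allow cloudfiledaemon data_service_el1_file:dir { search write add_name create remove_name read open };
allow cloudfiledaemon data_service_el1_file:file { create write open getattr setattr read rename unlink lock map };

# ---------------------------------------------------------------------------
# Storage: el2 hmdfs backing data (data_service_el2_hmdfs)
# ---------------------------------------------------------------------------
allow cloudfiledaemon data_service_el2_hmdfs:dir { create search read open write add_name remove_name };
# Merged: lock was granted in a separate statement.
allow cloudfiledaemon data_service_el2_hmdfs:file { create setattr getattr read open write append ioctl rename unlink lock };
# Macro permission sets defined outside this file. They presumably overlap the
# explicit lists above; both are kept so the granted union does not change.
allow cloudfiledaemon data_service_el2_hmdfs:file { create_file_perms_without_ioctl };
allow cloudfiledaemon data_service_el2_hmdfs:dir { create_dir_perms_without_ioctl };

# ---------------------------------------------------------------------------
# Storage: hmdfs mount (hmdfs)
# ---------------------------------------------------------------------------
allow cloudfiledaemon hmdfs:dir { search write remove_name add_name create open read rmdir rename reparent ioctl };
# 0xf2xx: presumably hmdfs-private commands; confirm against the hmdfs headers.
allowxperm cloudfiledaemon hmdfs:dir ioctl { 0xf20b 0xf281 };
# Merged: write and setattr were granted in a separate statement.
allow cloudfiledaemon hmdfs:file { read open getattr create append rename unlink ioctl write setattr };
# 0xf202: presumably hmdfs-private; 0x5413 is TIOCGWINSZ.
allowxperm cloudfiledaemon hmdfs:file ioctl { 0xf202 0x5413 };

# ---------------------------------------------------------------------------
# Storage: application and user data
# ---------------------------------------------------------------------------
# NOTE(review): ioctl is granted on data_app_el2_file:file,
# data_service_el2_hmdfs:file, data_user_file:file and
# medialibrary_hap_data_file:file, but this file has no allowxperm rule for
# those tuples. Unless one exists elsewhere in the policy, every ioctl command
# is permitted on those files. Adding an allowxperm list per tuple would narrow
# the grant to the commands the daemon actually issues.
allow cloudfiledaemon data_app_file:dir { search open read write };
allow cloudfiledaemon data_app_el2_file:dir { search read write open };
allow cloudfiledaemon data_app_el2_file:file { lock getattr open read write ioctl map };
allow cloudfiledaemon data_user_file:dir { read open search add_name write remove_name create rmdir rename reparent };
allow cloudfiledaemon data_user_file:file { read open getattr write create rename unlink append ioctl setattr };

# ---------------------------------------------------------------------------
# Storage: media library application data (medialibrary_hap_data_file)
# ---------------------------------------------------------------------------
# Merged: ioctl on the directory was granted in a separate statement. The
# directory ioctl is restricted to the single command 0xf546.
allow cloudfiledaemon medialibrary_hap_data_file:dir { search read open ioctl };
allowxperm cloudfiledaemon medialibrary_hap_data_file:dir ioctl 0xf546;
allow cloudfiledaemon medialibrary_hap_data_file:file { read open getattr write ioctl lock map setattr };

# ---------------------------------------------------------------------------
# Read-only views of other domains
# ---------------------------------------------------------------------------
# dir and file objects labelled with a process type; presumably the per-process
# entries of those domains. TODO confirm what is read from them.
allow cloudfiledaemon hap_domain:dir { search };
allow cloudfiledaemon hap_domain:file { getattr open read };
allow cloudfiledaemon media_service:dir { search };
allow cloudfiledaemon media_service:file { getattr open read };

# ---------------------------------------------------------------------------
# Device nodes
# ---------------------------------------------------------------------------
allow cloudfiledaemon dev_fuse_file:chr_file { read write };
allow cloudfiledaemon dev_ashmem_file:chr_file { open };
# NOTE(review): console read and write is granted in every build, not only
# under debug_only. Confirm release builds need it.
allow cloudfiledaemon dev_console_file:chr_file { read write };

# ---------------------------------------------------------------------------
# Local sockets
# ---------------------------------------------------------------------------
allow cloudfiledaemon kernel:unix_stream_socket { connectto };
allow cloudfiledaemon netsysnative:unix_stream_socket { connectto };
allow cloudfiledaemon dev_unix_file:sock_file { write };
allow cloudfiledaemon cloudfiledaemon:unix_dgram_socket { getopt };
# Only create is granted on the netlink route socket; bind, read and write are
# not, so as written the socket can be opened but not used for queries.
allow cloudfiledaemon cloudfiledaemon:netlink_route_socket { create };

# ---------------------------------------------------------------------------
# Network
# ---------------------------------------------------------------------------
allow cloudfiledaemon cloudfiledaemon:udp_socket { create bind read write node_bind connect getattr ioctl setopt };
# Interface queries only: SIOCGIFCONF, SIOCGIFFLAGS, SIOCGIFADDR,
# SIOCGIFNETMASK.
allowxperm cloudfiledaemon cloudfiledaemon:udp_socket ioctl { 0x8912 0x8913 0x8915 0x891b };
allow cloudfiledaemon node:udp_socket { node_bind };
allow cloudfiledaemon node:tcp_socket { node_bind };
# listen and accept make this domain a TCP server as well as a client.
allow cloudfiledaemon cloudfiledaemon:tcp_socket { read create setopt connect getopt getattr write bind shutdown listen accept };
# NOTE(review): name_connect and name_bind on the port type apply to every port
# that carries that label, presumably the default for ports without a specific
# type. Confirm whether a dedicated port type can replace it, at least for
# name_bind.
allow cloudfiledaemon port:tcp_socket { name_connect name_bind };
# Use of TCP sockets owned by softbus_server (see the fd use rule above).
allow cloudfiledaemon softbus_server:tcp_socket { read write setopt shutdown };

# ---------------------------------------------------------------------------
# Debug builds only
# ---------------------------------------------------------------------------
# Binder calls into the shell domain, compiled in only when debug_only is
# enabled.
debug_only(`
    allow cloudfiledaemon sh:binder { call };
')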