# Copyright (c) 2025 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the `ime` domain (the /bin/ime tool, per the
# audit records quoted below). Every rule in this file sits inside a
# debug_only() or developer_only() m4 block; those macros are defined
# elsewhere in the policy tree and, going by their names, drop the enclosed
# rules from release builds — confirm against the macro definitions before
# relying on that. Nothing here applies to the unconditional policy.
#
# Conventions used below:
#   - Lines starting with "# avc: denied ..." are the raw audit records that
#     motivated the rule directly beneath them.
#   - allowxperm ... ioctl { 0x5413 } restricts the granted ioctl to a single
#     request code; 0x5413 is TIOCGWINSZ (terminal window-size query) on Linux.

debug_only(`
    # for ime run: a process in the `su` domain that executes a file labelled
    # ime_exec is transitioned into the `ime` domain (macro defined elsewhere).
    domain_auto_transition_pattern(su, ime_exec, ime);

    # Let the transitioned ime process keep using the descriptors, pipe and
    # socket it inherited from the launching `su` shell. The ioctl on the pipe
    # is narrowed to TIOCGWINSZ by the allowxperm rule.
    allow ime su:fd { use };
    allow ime su:fifo_file { ioctl read write };
    allow ime su:unix_stream_socket { read write };
    allowxperm ime su:fifo_file ioctl { 0x5413 };
')

developer_only(`
    # Directory traversal needed to reach the tool's own files and libraries.
    #avc: denied { search } for pid=16766, comm="/bin/ime" name="/service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=9 scontext=u:r:ime:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0
    allow ime data_service_file:dir { search };
    #avc: denied { search } for pid=16766, comm="/bin/ime" name="/lib64" dev="overlay" ino=1 scontext=u:r:ime:s0 tcontext=u:object_r:chip_prod_file:s0 tclass=dir permissive=0
    allow ime chip_prod_file:dir { search };

    # Descriptors and pipe inherited from hdcd (the host-device-connection
    # daemon that launches the tool over a debug connection, per comm/path).
    #avc: denied { use } for pid=16766, comm="/bin/ime" path="pipe:[2999]" dev="tmpfs" ino=2999 scontext=u:r:ime:s0 tcontext=u:r:hdcd:s0 tclass=fd permissive=0
    allow ime hdcd:fd { use };

    # Terminal / pty access for interactive use.
    # avc: denied { read write } scontext=u:r:ime:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
    allow ime tty_device:chr_file { read write };
    # avc: denied { search } for scontext=u:r:ime:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=0
    allow ime dev_unix_socket:dir { search };

    # Read-only (map/open/read) access to system-parameter files. Each
    # parameter label is a separate rule so that no unrelated parameters are
    # exposed.
    # avc: denied { map open read} scontext=u:r:ime:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=0
    allow ime arkcompiler_param:file { map open read };
    # NOTE(review): no audit record is quoted for ark_writeable_param; the rule
    # mirrors the arkcompiler_param one — verify it is still required.
    allow ime ark_writeable_param:file { map open read };
    # avc: denied { map open read } scontext=u:r:ime:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=0
    allow ime debug_param:file { map open read };
    # avc: denied { read } scontext=u:r:ime:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0
    # NOTE(review): the quoted denial lists only { read }; map and open are
    # granted here as well, matching the other *_param rules above.
    allow ime hilog_param:file { read map open };

    # samgr (system ability manager) side: when the ime process registers with
    # samgr, samgr inspects the caller's /proc/<pid> entries (labelled with the
    # ime domain) and passes binder references back to it.
    # avc: denied { search } scontext=u:r:samgr:s0 tcontext=u:r:ime:s0 tclass=dir permissive=0
    allow samgr ime:dir { search };
    # avc: denied { transfer } scontext=u:r:samgr:s0 tcontext=u:r:ime:s0 tclass=binder permissive=0
    allow samgr ime:binder { transfer };
    # avc: denied { open } scontext=u:r:samgr:s0 tcontext=u:r:ime:s0 tclass=file permissive=0
    # avc: denied { read } scontext=u:r:samgr:s0 tcontext=u:r:ime:s0 tclass=file permissive=0
    allow samgr ime:file { open read };
    # avc: denied { getattr } scontext=u:r:samgr:s0 tcontext=u:r:ime:s0 tclass=process permissive=0
    allow samgr ime:process { getattr };

    # Pseudo-terminal and hdcd pipe I/O; ioctl on both is limited to
    # TIOCGWINSZ (0x5413) by the allowxperm rules.
    # avc: denied { ioctl read write } scontext=u:r:ime:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
    allow ime devpts:chr_file { ioctl read write };
    allowxperm ime devpts:chr_file ioctl { 0x5413 };
    # avc: denied { ioctl read write } for pid=31205, comm="/bin/ime" path="pipe:[4514]" dev="tmpfs" ino=4514 scontext=u:r:ime:s0 tcontext=u:r:hdcd:s0 tclass=fifo_file permissive=0
    allow ime hdcd:fifo_file { ioctl read write };
    allowxperm ime hdcd:fifo_file ioctl { 0x5413 };

    # for ime run: same transition as the debug_only block, but from the
    # ordinary `sh` shell domain instead of `su`.
    domain_auto_transition_pattern(sh, ime_exec, ime);

    # Binder path to the input-method system ability: look it up through
    # samgr, then call it (and let it call back).
    allow ime samgr:binder { call };
    allow ime sa_inputmethod_service:samgr_class { get };
    allow ime inputmethod_service:binder { call transfer };
    allow inputmethod_service ime:binder { call transfer };

    # Descriptors, pipe and socket inherited from the launching `sh` shell;
    # pipe ioctl narrowed to TIOCGWINSZ.
    allow ime sh:fd { use };
    allow ime sh:fifo_file { ioctl read write };
    allow ime sh:unix_stream_socket { read write };
    allowxperm ime sh:fifo_file ioctl { 0x5413 };
')