1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
# Type-enforcement rules for the multimodalinput domain. Every rule reads
# "allow <source> <target>:<class> { <permissions> };" and grants only the
# listed permissions. This group covers parameter files, data directories
# and device nodes.
14allow multimodalinput accessibility_param:file { read };
15allow multimodalinput arkcompiler_param:file { read open map };
16allow multimodalinput audio_server:binder { call };
17allow multimodalinput bootanimation:fd { use };
# Directory traversal only (search) on the shared data roots.
18allow multimodalinput data_file:dir { search };
19allow multimodalinput data_init_agent:dir { search };
# NOTE(review): ioctl is granted on data_init_agent files here and on
# dev_console_file below, but no allowxperm rule for either target is visible
# on this page. Without one, every ioctl command is permitted on these
# targets - confirm whether a command whitelist exists elsewhere.
20allow multimodalinput data_init_agent:file { open read append ioctl };
# Log directory: may add entries and create, read and write log files.
21allow multimodalinput data_log:dir { search write add_name create };
22allow multimodalinput data_log:file { create open read write ioctl };
# data_multimodalinput is presumably the private data directory of this
# service (verify against file_contexts): full create, rename and unlink
# management of its entries.
23allow multimodalinput data_multimodalinput:dir { add_name create getattr open read remove_name search watch write };
24allow multimodalinput data_multimodalinput:file { create open read rename unlink write setattr getattr ioctl };
25allow multimodalinput data_service_file:dir { search };
26allow multimodalinput data_service_el1_file:dir { search };
27allow multimodalinput data_service_el1_file:file { open read };
28allow multimodalinput data_vendor:dir { search };
# Character device nodes.
29allow multimodalinput dev_ashmem_file:chr_file { open };
30allow multimodalinput dev_console_file:chr_file { open read write getattr ioctl };
31allow multimodalinput dev_dri_file:dir { search };
32allow multimodalinput dev_dri_file:chr_file { open read write getattr ioctl };
33allow multimodalinput dev_kmsg_file:chr_file { open write };
# NOTE(review): only ioctl is granted on the input device nodes in this rule;
# open and read are not granted anywhere on this page, so they presumably come
# from another policy file or an attribute - verify. The ioctl commands are
# restricted by an allowxperm rule further down in this file.
34allow multimodalinput dev_input_file:chr_file { ioctl };
# The input device directory may be listed and watched for changes.
35allow multimodalinput dev_input_file:dir { watch open read search getattr };
36allow multimodalinput dev_unix_socket:dir { search };
37allow multimodalinput dev_unix_socket:sock_file { write };
# IPC towards peer services. binder { call } lets this domain invoke the peer,
# { transfer } additionally lets it hand binder references to the peer, and
# fd { use } lets it use file descriptors that originate from the peer.
38allow multimodalinput distributeddata:binder { call transfer };
39allow multimodalinput ui_service:binder { call transfer };
40allow multimodalinput ui_service:fd { use };
41allow multimodalinput distributeddata:fd { use };
42allow multimodalinput allocator_host:binder { call };
43allow multimodalinput allocator_host:fd { use };
44allow multimodalinput composer_host:binder { call transfer };
45allow multimodalinput composer_host:fd { use };
# hdf_devmgr_class { get }: presumably permission to look up the named HDF
# service through the device manager - confirm against the class definition.
46allow multimodalinput hdf_allocator_service:hdf_devmgr_class { get };
47allow multimodalinput hdf_display_composer_service:hdf_devmgr_class { get };
48allow multimodalinput hdf_codec_component_manager_service:hdf_devmgr_class { get };
# hdi_call is a policy macro defined outside this file; the rules it expands
# to are not visible here, so review its definition together with this line.
49hdi_call(multimodalinput, hdf_allocator_service)
# Connect to the faultloggerd unix socket (write on the socket file plus
# connectto on the listening process).
50allow multimodalinput faultloggerd_socket:sock_file { write };
51allow multimodalinput faultloggerd:unix_stream_socket { connectto };
52allow multimodalinput foundation:binder { call transfer };
53allow multimodalinput hdf_devmgr:binder { call };
# The only parameter this page allows the domain to set.
54allow multimodalinput input_pointer_device_param:parameter_service { set };
55allow multimodalinput media_service:binder { call transfer };
# Self rule: create, bind and read a kernel uevent netlink socket (presumably
# used for device hotplug notifications - confirm).
56allow multimodalinput multimodalinput:netlink_kobject_uevent_socket { bind create getattr setopt read };
# NOTE(review): the self-ptrace grant below is disabled. Keep it disabled;
# deleting the line outright avoids it being re-enabled by accident.
57#allow multimodalinput multimodalinput:process { ptrace };
58allow multimodalinput musl_param:file { map open read };
59allow multimodalinput param_watcher:binder { call transfer };
# NOTE(review): binder_call is a macro defined outside this file. Unlike the
# hdi_call(...) line earlier in this file, this call carries a trailing
# semicolon - confirm the expansion does not already end in one.
60binder_call(multimodalinput, powermgr);
61allow multimodalinput render_service:binder { call transfer };
62allow multimodalinput render_service:fd { use };
63allow multimodalinput resource_schedule_service:binder { call };
64allow multimodalinput resource_schedule_service:dir { search };
# NOTE(review): write on any character device labelled rootfs. rootfs is a
# generic label, so this can cover more nodes than intended - identify the
# node and give it a dedicated type if possible.
65allow multimodalinput rootfs:chr_file { write };
# samgr_class { get } grants on system-ability labels. Going by the avc denial
# lines quoted in this file (service=<id> ... tclass=samgr_class), this is the
# permission checked when the domain requests a system ability from samgr.
# Each line therefore names one service this domain is allowed to obtain.
66allow multimodalinput sa_audio_policy_service:samgr_class { get };
67allow multimodalinput sa_device_service_manager:samgr_class { get };
68allow multimodalinput sa_distributeddata_service:samgr_class { get };
69allow multimodalinput sa_foundation_dms:samgr_class { get };
70allow multimodalinput sa_foundation_tel_call_manager:samgr_class { get };
71allow multimodalinput sa_foundation_wms:samgr_class { get };
72allow multimodalinput sa_media_service:samgr_class { get };
# The service label of multimodalinput itself.
73allow multimodalinput sa_multimodalinput_service:samgr_class { get };
74allow multimodalinput sa_render_service:samgr_class { get };
# Read-only access to sysfs, system libraries and vendor configuration.
75allow multimodalinput sys_file:dir { open read };
76allow multimodalinput sys_file:file { getattr open read };
77allow multimodalinput system_lib_file:dir { open read };
78allow multimodalinput system_bin_file:dir { search };
# NOTE(review): execute_no_trans runs the program without a domain
# transition, so any file labelled system_bin_file executes with the full
# permission set of multimodalinput. Prefer a dedicated type and a domain
# transition for the specific binary that is needed.
79allow multimodalinput system_bin_file:file { execute execute_no_trans map read open };
# Trace output: write-only access to tracefs files and the trace marker.
80allow multimodalinput tracefs:dir { search };
81allow multimodalinput tracefs:file { open write };
82allow multimodalinput tracefs_trace_marker_file:file { open write };
83allow multimodalinput tty_device:chr_file { read write };
84allow multimodalinput vendor_etc_file:dir { search };
85allow multimodalinput vendor_etc_file:file { getattr open read };
# NOTE(review): this rule and the sock_file rule three lines below act on the
# generic data_file label: entries may be removed from data_file directories
# and socket files created or unlinked there. A dedicated type for the socket
# location would keep this from applying to every data_file directory.
86allow multimodalinput data_file:dir { remove_name };
# Adds lock to the file permissions granted on data_multimodalinput earlier
# in this file.
87allow multimodalinput data_multimodalinput:file { lock };
88allow multimodalinput sysfs_devices_system_cpu:file { open read getattr };
89allow multimodalinput data_file:sock_file { setattr create unlink };
# The denial below was logged with permissive=1, i.e. it was recorded but not
# enforced at the time; the rule after it grants the access.
90# avc:  denied  { get } for service=3299 pid=722 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=1
91allow multimodalinput sa_foundation_cesfwk_service:samgr_class { get };
92allow multimodalinput sa_foundation_appms:samgr_class { get };
# Calls into, and use of file descriptors from, every domain carrying the
# normal_hap_attr attribute (presumably ordinary applications - confirm).
93allow multimodalinput normal_hap_attr:binder { call };
94allow multimodalinput normal_hap_attr:fd { use };
# NOTE(review): this rule names system_basic_hap, while other rules in this
# file use system_basic_hap_attr - confirm which identifier is intended.
95allow multimodalinput system_basic_hap:fd { use };
# The source of this rule is init, not multimodalinput.
96allow init data_multimodalinput:file { getattr };
97allow multimodalinput system_fonts_file:dir { read open search };
98allow multimodalinput system_fonts_file:file { read open getattr map };
99allow multimodalinput sa_powermgr_powermgr_service:samgr_class { get };
100allow multimodalinput tmpfs:chr_file { getattr };
# Rules whose source is another domain: these define who may reach
# multimodalinput and its service label. Access to the unix_stream_socket of
# the service is the channel to review most closely, since each grant here
# widens the set of processes that can exchange data with the input service.
101allow media_service multimodalinput:binder { call transfer };
102allow normal_hap_attr multimodalinput:unix_stream_socket { read write };
103allow normal_hap_attr sa_multimodalinput_service:samgr_class { get };
104allow normal_hap_attr multimodalinput:fd { use };
# NOTE(review): the { read } rule below is fully covered by the
# { read write } rule that follows it for the same source, target and class;
# one of the two is redundant. Confirm whether write is really intended.
105allow system_basic_hap_attr multimodalinput:unix_stream_socket { read };
106allow system_basic_hap_attr multimodalinput:unix_stream_socket { read write };
107allow system_core_hap_attr multimodalinput:unix_stream_socket { read };
108allow sensors multimodalinput:unix_stream_socket { write };
# init may create and relabel the data directory of the service.
109allow init data_multimodalinput:dir { create getattr open read relabelfrom relabelto search setattr write };
# The two useriam denials below were logged with permissive=1 (recorded, not
# enforced); the charger denial was logged with permissive=0 (enforced).
110# avc:  denied  { read } scontext=u:r:useriam:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
111allow useriam multimodalinput:unix_stream_socket { read };
112# avc:  denied  { get } scontext=u:r:useriam:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
113allow useriam sa_multimodalinput_service:samgr_class { get };
114# avc:  denied  { get } scontext=u:r:charger:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=0
115allow charger sa_multimodalinput_service:samgr_class { get };
116allow charger multimodalinput:binder { call };
117allow charger multimodalinput:fd { use };
118allow charger multimodalinput:unix_stream_socket { read write };
# Extended ioctl permissions. Once an allowxperm rule exists for a
# source/target/class triple, only the listed ioctl command numbers are
# permitted for it; the plain ioctl permission from the matching allow rule
# is still required as well.
# 0x5413 is TIOCGWINSZ in the generic Linux ioctl numbering - confirm for the
# target architecture.
119allowxperm multimodalinput data_log:file ioctl { 0x5413 };
# 0x64xx falls in the ioctl type range used by the Linux DRM interface.
120allowxperm multimodalinput dev_dri_file:chr_file ioctl { 0x641f };
# 0x45xx falls in the ioctl type range used by the Linux evdev input
# interface. Keep this list to the commands the service actually issues.
121allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4503 0x4560 0x4542 0x4548 0x456f 0x450a 0x4559 0x4568 0x455a 0x455b 0x4577 0x4545 0x4549 0x454a 0x4550 0x4551 0x4567 0x4569 0x456c };
122allowxperm multimodalinput data_multimodalinput:file ioctl { 0x5413 };
# debug_only is a macro defined outside this file; presumably the enclosed
# rule is compiled in only for debug builds - confirm, because the rule lets
# this domain make binder calls into the shell domain (sh) and should not
# reach release policy.
123debug_only(`
124    allow multimodalinput sh:binder { call };
125')
126
# Additional grants. The denial below was logged with permissive=0, i.e. the
# access was actually blocked before the following rule was added.
127# avc: denied { get } for service=3704 sid=u:r:multimodalinput:s0 scontext=u:r:multimodalinput:s0 tcontext=u:object_r:sa_screenlock_service:s0 tclass=samgr_class permissive=0
128allow multimodalinput sa_screenlock_service:samgr_class { get };
129allow multimodalinput sys_prod_file:dir { open read };
# Read and write on unix stream sockets owned by the input_isolate hap
# domains (debug and non-debug variants).
130allow multimodalinput input_isolate_debug_hap:unix_stream_socket { read write };
131allow multimodalinput input_isolate_hap:unix_stream_socket { read write };
# Two-way channel with the sensors domain: binder plus its stream socket.
132allow multimodalinput sensors:binder { call transfer };
133allow multimodalinput sensors:unix_stream_socket { read write };
134allow multimodalinput sa_sensor_service:samgr_class { get };
135allow multimodalinput hdf_device_manager:hdf_devmgr_class { get };
136