• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2021-2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14type init, native_system_domain, domain;
15type init_exec, exec_attr, file_attr, system_file_attr;
16type ueventd, native_system_domain, domain;
17type ueventd_exec, system_file_attr, exec_attr, file_attr;
18type remount_exec, system_file_attr, exec_attr, file_attr;
19type param_exec, system_file_attr, exec_attr, file_attr;
20type begetctl_exec, system_file_attr, exec_attr, file_attr;
21developer_only(`
22    allow sh param_exec:file { read getattr map execute open execute_no_trans };
23    allow sh begetctl_exec:file { read getattr map execute open execute_no_trans };
24')
25allow resource_schedule_executor param_exec:file { open read getattr };
26allow init param_exec:file { read getattr map execute open execute_no_trans };
27allow init begetctl_exec:file { read getattr map execute open execute_no_trans };
28
29debug_only(`
30    allow init console:process { rlimitinh siginh transition getattr };
31')
32allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name };
33allow init data_startup:file { create ioctl open read append relabelto rename unlink write open };
34allow init proc_stat_file:file { setattr read open };
35allow init proc_diskstats_file:file { read open };
36allow init kernel:file { read open };
37allow init kernel:dir { search };
38allow bootevent_wms_param tmpfs:filesystem associate;
39allow init bootevent_wms_param:file { map open read relabelto relabelfrom};
40allow dhardware_dm_param tmpfs:filesystem associate;
41allow init dhardware_dm_param:file { map open read relabelto relabelfrom };
42allow persist_audio_param tmpfs:filesystem associate;
43allow init persist_audio_param:file { map open read relabelto relabelfrom };
44allow arkcompiler_param tmpfs:filesystem associate;
45allow init arkcompiler_param:file { map open read relabelto relabelfrom };
46allow init arkcompiler_param:parameter_service { set };
47allow arkui_param tmpfs:filesystem associate;
48allow init arkui_param:file { map open read relabelto relabelfrom };
49allow init arkui_param:parameter_service { set };
50allow hap_domain arkui_param:file { map open read };
51allow init inputmethod_param:file { map open read relabelto relabelfrom };
52allow init inputmethod_param:parameter_service { set };
53
54allow pasteboard_param tmpfs:filesystem associate;
55allow init pasteboard_param:file { map open read relabelto relabelfrom };
56allow time_param tmpfs:filesystem associate;
57allow init time_param:file { map open read relabelto relabelfrom };
58allow accesstoken_perm_param tmpfs:filesystem associate;
59allow init accesstoken_perm_param:file { map open read relabelto relabelfrom };
60
61allow xts_devattest_authresult_param tmpfs:filesystem associate;
62allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom };
63allow init xts_devattest_authresult_param:parameter_service { set };
64allow init hitrace_param:file { map open read relabelto relabelfrom };
65allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom };
66allow init devpts:chr_file { ioctl };
67
68allow i18n_param tmpfs:filesystem associate;
69allow init i18n_param:file { map open read relabelto relabelfrom };
70allow init i18n_param:parameter_service { set };
71allow { domain -limit_domain } i18n_param:file { map open read };
72allow const_i18n_param tmpfs:filesystem associate;
73allow init const_i18n_param:file { map open read relabelto relabelfrom };
74allow i18n_param_tz_override tmpfs:filesystem associate;
75allow init i18n_param_tz_override:file { map open read relabelto relabelfrom };
76allow init i18n_param_tz_override:parameter_service { set };
77allow { domain } i18n_param_tz_override:file { map open read };
78developer_only(`
79    allow sh i18n_param_tz_override:file { map open read };
80')
81allow { domain -limit_domain } const_i18n_param:file { map open read };
82
83allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton };
84allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map };
85developer_only(`
86    allow sh data_service_el1_i18n_timezone_file:dir { search };
87    allow sh data_service_el1_i18n_timezone_file:file { open read getattr map };
88')
89
90allow { domain -hdcd } data_service_el1_i18n_libphonenumber_file:dir { search open read getattr mounton };
91allow { domain -hdcd } data_service_el1_i18n_libphonenumber_file:file { open read getattr map };
92
93allow { domain -hdcd } data_service_el1_i18n_taboo_file:dir { search open read getattr mounton };
94allow { domain -hdcd } data_service_el1_i18n_taboo_file:file { open read getattr map };
95
96#for bootchart to read
97allow init domain:file { open read };
98allow init domain:dir { search };
99
100# for init trace
101allow init hiview:unix_dgram_socket { sendto };
102
103# all can read
104allow domain musl_param:file { map open read };
105
106#for crash handle
107allow init init_exec:file { open read getattr map };
108allow init faultloggerd_temp_file:dir { add_name remove_name write open read search };
109allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink };
110allow init sa_device_service_manager:samgr_class{ get };
111
112allow edm_writable_param tmpfs:filesystem associate;
113allow init edm_writable_param:file { map open read relabelto };
114allow init edm_writable_param:parameter_service { set };
115allow { domain } edm_writable_param:file { map open read };
116
117define(`init_relabel', `
118    allow init $1:{ file dir sock_file } { relabelto setattr };
119    allow init $1:dir { search };
120')
121init_relabel(data_service_el1_public_print_service_file);
122init_relabel(print_driver_exec);
123init_relabel(data_service_el1_i18n_libphonenumber_file);
124init_relabel(data_service_el1_i18n_taboo_file);
125init_relabel(data_service_el1_i18n_timezone_file);
126init_relabel(data_parameters);
127init_relabel(data_udev);
128init_relabel(data_multimodalinput);
129init_relabel(sandbox_manager_data_file);
130init_relabel(account_data_file);
131init_relabel(hdf_ext_devmgr_file);
132init_relabel(cloudfile_data_file);
133init_relabel(udevd_socket);
134init_relabel(accesstoken_data_file);
135init_relabel(data_service_el1_public_deviceauthService_file);
136init_relabel(data_service_el1_public_huksService_file);
137init_relabel(update_dupdate_engine_file);
138init_relabel(update_update_service_file);
139neverallow init *:process ptrace;
140
141allow init init:netlink_kobject_uevent_socket { read write };
142