# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Debug-build-only rules. debug_only() is expected to strip everything inside
# it from release policy (confirm against the macro definition), so no release
# code path may depend on these grants. Note that init is allowed to execute
# hnp_file binaries and to transition into su without nosuid restrictions here.
debug_only(`
    allow system_file tmpfs:filesystem associate;
    allow vendor_file tmpfs:filesystem associate;

    allow init hnp_file:dir { search };
    allow init hnp_file:file { execute getattr open read };
    allow init hnp_file:lnk_file { read };
    allow init su:process2 { nosuid_transition };
')
# Socket files init unlinks (presumably stale-socket cleanup before a service
# is respawned); hisysevent_socket is additionally chmod/chown-able (setattr).
allow init appspawn_socket:sock_file { unlink };
allow init hisysevent_socket:sock_file { setattr unlink };
allow init nwebspawn_socket:sock_file { unlink };

# Boot-up trace output: init creates, writes and relabels the trace files.
allow init bootuptrace_file:dir { add_name getattr open read relabelto search write };
allow init bootuptrace_file:file { create getattr open relabelto write };

# Stat-only access to a few /data locations, plus relabelfrom on data_udev.
allow init data_ethernet:dir { getattr };
allow init data_log:file { getattr };
allow init data_parameters:file { getattr };
allow init data_udev:dir { relabelfrom };

# Domain transition into privacy_service and read access to the /proc entries
# of processes carrying system_core_hap_attr.
allow init privacy_service:process { transition };
allow init system_core_hap_attr:dir { search };
allow init system_core_hap_attr:file { open read };
allow init system_core_hap_attr:process { getattr };
allow init system_lib_file:dir { open read };

# Parameter map files init maps, reads and relabels in both directions.
# accessibility_param also needs the tmpfs association so files of that type
# may be created on a tmpfs mount.
allow accessibility_param tmpfs:filesystem associate;
allow init accessibility_param:file { map open read relabelfrom relabelto };
allow init const_postinstall_param:file { map open read relabelfrom relabelto };
allow init hilog_param:file { map open read relabelfrom relabelto };

# Service data files init renames/relabels, and console relabelling.
allow init data_service_file:dir { remove_name };
allow init data_service_file:file { ioctl relabelfrom rename };
allow init dev_console_file:chr_file { relabelto };

# Parameter map files. For each parameter type below: the type may be created
# on tmpfs (associate), and init maps, reads and relabels the backing file.
# The two lists must stay in sync - a type missing from one of them cannot
# be set up by init.
allow bluetooth_param tmpfs:filesystem associate;
allow devinfo_private_param tmpfs:filesystem associate;
allow devinfo_public_param tmpfs:filesystem associate;
allow devinfo_type_param tmpfs:filesystem associate;
allow servicectrl_param tmpfs:filesystem associate;
allow servicectrl_reboot_param tmpfs:filesystem associate;
allow startup_appspawn_param tmpfs:filesystem associate;
allow startup_init_param tmpfs:filesystem associate;
allow startup_uevent_param tmpfs:filesystem associate;
allow useriam_config_param tmpfs:filesystem associate;
allow useriam_fwkready_param tmpfs:filesystem associate;

allow init bluetooth_param:file { map open read relabelfrom relabelto };
allow init devinfo_private_param:file { map open read relabelfrom relabelto };
allow init devinfo_public_param:file { map open read relabelfrom relabelto };
allow init devinfo_type_param:file { map open read relabelfrom relabelto };
allow init servicectrl_param:file { map open read relabelfrom relabelto };
allow init servicectrl_reboot_param:file { map open read relabelfrom relabelto };
allow init startup_appspawn_param:file { map open read relabelfrom relabelto };
allow init startup_init_param:file { map open read relabelfrom relabelto };
allow init startup_uevent_param:file { map open read relabelfrom relabelto };
allow init useriam_config_param:file { map open read relabelfrom relabelto };
allow init useriam_fwkready_param:file { map open read relabelfrom relabelto };

# Write side: which domains may set each parameter group through the
# parameter service. Every domain listed can change the value, so each
# addition here widens who controls service start/stop and reboot behaviour.
allow { hdf_devmgr init samgr } servicectrl_param:parameter_service { set };
allow { foundation init power_host updater_sa } servicectrl_reboot_param:parameter_service { set };
allow init startup_init_param:parameter_service { set };
allow init devinfo_private_param:parameter_service { set };
allow { appspawn init } startup_appspawn_param:parameter_service { set };
allow { init ueventd } startup_uevent_param:parameter_service { set };
allow init devinfo_public_param:parameter_service { set };
allow init devinfo_type_param:parameter_service { set };
# NOTE(review): bootevent_param is settable by four whole groups (sadomain,
# hdfdomain, native_system_domain, native_chipset_domain - presumably
# attributes), i.e. by every domain carrying any of them.
allow { hdfdomain native_chipset_domain native_system_domain sadomain } bootevent_param:parameter_service { set };
allow useriam useriam_fwkready_param:parameter_service { set };
allow { bluetooth_service init } bluetooth_param:parameter_service { set };

# Read side: any domain may map and read the backing file of these parameter
# groups. useriam_config_param is the exception and is readable only by init
# and samgr.
allow domain accessibility_param:file { map open read };
allow domain bluetooth_param:file { map open read };
allow domain default_param:file { map open read };
allow domain devinfo_public_param:file { map open read };
allow domain servicectrl_param:file { map open read };
allow domain servicectrl_reboot_param:file { map open read };
allow domain startup_appspawn_param:file { map open read };
allow domain startup_init_param:file { map open read };
allow domain startup_uevent_param:file { map open read };
allow domain telephony_param:file { map open read };
allow domain useriam_fwkready_param:file { map open read };
allow { init samgr } useriam_config_param:file { map open read };

# udid: devinfo_private_param is not granted to domain; only the consumers
# listed here (and the param watcher group further down) may map it.
allow { accountmgr d-bms device_manager deviceinfoservice distributedsche foundation hdf_devmgr init samgr softbus_server } devinfo_private_param:file { map open read };

# deviceinfoservice connects to the parameter service: write on the socket
# file, connectto on the listening stream socket (labelled kernel), and read
# of the init /proc entries.
allow deviceinfoservice paramservice_socket:sock_file { write };
allow deviceinfoservice kernel:unix_stream_socket { connectto };
allow deviceinfoservice init:file { getattr open read };

# init inspects the deviceinfoservice process via its /proc entries.
allow init deviceinfoservice:dir { getattr open read search };
allow init deviceinfoservice:file { getattr open read };
allow init deviceinfoservice:process { getattr };

# hidumper_service looks up the sysparam system ability through samgr.
allow hidumper_service sa_sysparam_device_service:samgr_class { get };

# Parameter watchers must be able to read the maps they watch.
# NOTE(review): param_watcher already receives accessibility_param read via
# the domain-wide rule above, so this extra grant is redundant if
# param_watcher carries the domain attribute - confirm.
allow { param_watcher pin_auth_host softbus_server } devinfo_private_param:file { map open read };
allow param_watcher accessibility_param:file { map open read };

# Block-device ioctls used when querying filesystem/partition size. A second,
# larger dev_block_file ioctl allow-list follows further down in this file.
allowxperm init dev_block_file:blk_file ioctl { 0x1268 0x2285 };

# /proc/sysrq-trigger: init may write sysrq commands to the kernel.
allow init proc_sysrq_trigger_file:file { getattr ioctl open write };

# init boot tracing through tracefs.
allow init tracefs:filesystem { mount };
allow init tracefs:file { getattr ioctl open read write };
allow init tracefs_trace_marker_file:file { getattr ioctl open read write };

# Debug builds only: init may map and relabel files labelled sh and read the
# /proc entries of sh processes.
debug_only(`
    allow init sh:dir { search };
    allow init sh:file { map open read relabelfrom relabelto };
    allow init sh:process { getattr };
')

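# Service domains init transitions into. rlimitinh/siginh let the child keep
# its resource limits and signal state across the transition; sigkill is only
# granted where init also kills that service.
allow init a2dp_host:process { rlimitinh siginh sigkill transition };
allow init accessibility:process { rlimitinh siginh transition };
allow init accesstoken_data_file:file { getattr lock open read relabelto setattr write };
allow init accesstoken_service:process { rlimitinh siginh transition };
allow init appspawn:process { signal };
allow init appspawn_socket:sock_file { getattr relabelto };
allow init bgtaskmgr_service:process { rlimitinh siginh transition };
allow init blue_host:process { rlimitinh siginh transition };
allow init bluetooth_service:process { rlimitinh siginh transition };
allow init bootanimation:dir { search };
allow init bootanimation:file { open read };
allow init bootanimation:process { getattr rlimitinh siginh transition };
allow init bootevent_param:file { map open read relabelto };
allow init bootevent_samgr_param:file { map open read relabelto };
allow init build_version_param:file { map open read relabelto };
allow init camera_service:process { rlimitinh siginh transition };
allow init mdnsmanager:process { rlimitinh siginh transition };

# cgroup / configfs: init mounts both and manages their entries. The file
# permissions for each are kept in a single rule per class.
allow init cgroup:dir { add_name create open read remove_name rmdir search setattr write };
allow init cgroup:file { append getattr ioctl open read setattr write };
allow init cgroup:filesystem { mount };
# 0x5413 is TIOCGWINSZ (low 16 bits of the ioctl command).
allowxperm init cgroup:file ioctl { 0x5413 };
allow init config_file:dir { mounton };
allow init configfs:dir { add_name create mounton open read search setattr write };
allow init configfs:file { create getattr open write };
allow init configfs:filesystem { mount };
allow init configfs:lnk_file { create };

# Constant parameter maps: map/read plus relabelto for the files init labels.
allow init const_allow_mock_param:file { map open read relabelto };
allow init const_allow_param:file { map open read relabelto };
allow init const_build_param:file { map open read relabelto };
allow init const_display_brightness_param:file { map open read relabelto };
allow init const_param:file { map open read relabelto };
allow init const_postinstall_fstab_param:file { map open read relabelto };
allow init const_postinstall_param:file { map open read relabelto };
allow init const_product_param:file { map open read relabelto };

# /data layout. Directories with the full { add_name create ... write } set are
# populated by init; those with only { getattr open read relabelto setattr }
# are relabelled and chmodded but init creates no entries in them.
allow init data_appasec:dir { getattr open read relabelto setattr };
allow init data_app_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_app_el2_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el3_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el4_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el5_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_appephemeral:dir { getattr open read relabelto setattr };
allow init data_app_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_applib:dir { getattr open read relabelto setattr };
allow init data_appprivate:dir { getattr open read relabelto setattr };
allow init data_appstaging:dir { getattr open read relabelto setattr };
allow init data_backup:dir { getattr open read relabelto setattr };
allow init data_bluetooth:dir { add_name create getattr open read relabelto search setattr write };
allow init data_cache:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_el1_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_el2_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_chipset_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
# NOTE(review): a later data_data_file:dir rule in this file grants a superset
# of this one (it adds relabelfrom); one of the two could be dropped.
allow init data_data_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_data_pulse_dir:file { unlink };
allow init data_drm:dir { getattr open read relabelto setattr };
allow init data_ethernet:dir { open read relabelto setattr };
allow init data_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name search setattr write };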
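# /data subtree, continued (same convention as above: full set = populated by
# init, { getattr open read relabelto setattr } = relabelled/chmodded only).
allow init data_file:sock_file { getattr relabelfrom };
allow init data_hilogd_file:dir { relabelto };
allow init data_libinput:dir { getattr open read relabelto search setattr };
allow init data_libinput:file { relabelto };
allow init data_local:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_local_tmp:dir { getattr open read relabelto setattr };
allow init data_local_traces:dir { getattr open read relabelto setattr };
allow init data_app_el1_arkcache:dir { add_name create getattr open read relabelto search setattr write };
allow init data_app_el1_arkprofile:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el1_framework_arkcache:dir { add_name create getattr open read relabelto search setattr write };
allow init data_log:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_log:file { relabelto };
allow init data_media:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_ce:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_ce:file { getattr setattr };
allow init data_misc_de:dir { add_name create getattr open read relabelto search setattr write };
allow init data_misc_de:file { getattr setattr };
allow init data_misc:dir { add_name create getattr open read relabelto search setattr write };
allow init data_nfc:dir { add_name create getattr open read relabelto search setattr write };
allow init data_ota:dir { getattr open read relabelto setattr };
allow init data_ota_package:dir { getattr open read relabelto setattr };
# Persisted parameter files: init creates, appends to, renames and removes them.
allow init data_parameters:dir { add_name getattr open read relabelto remove_name search setattr write };
allow init data_parameters:file { append create ioctl open read relabelto rename unlink write };
allow init data_preloads:dir { getattr open read relabelto setattr };
allow init data_resourcecache:dir { getattr open read relabelto setattr };
allow init data_service_el0_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el0_file:file { create getattr open read relabelfrom write };
allow init data_service_el1_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el1_file:file { getattr relabelto setattr };
allow init data_service_el1_public_deviceauthService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el1_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el2_public_huksService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_service_el2_userId_huksService_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el4_userId_huksService_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_data_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_data_file:file { getattr relabelto setattr };
# NOTE(review): data_data_huksService_file is presumably the HUKS key-store
# location; init gets create/write/unlink on files there, not just directory
# setup and relabelling. Confirm that file-level write access is required.
allow init data_data_huksService_file:dir { add_name create getattr open read relabelto search setattr write };
allow init data_data_huksService_file:file { create getattr ioctl open read setattr unlink write };
# Only the low 16 bits of the ioctl command are matched; the command behind
# 0x5705 is not documented here - add it once known.
allowxperm init data_data_huksService_file:file ioctl { 0x5705 };
allow init data_service_el2_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el2_hmdfs:dir { getattr open read relabelto setattr };
allow init data_service_el3_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el4_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_el5_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_file:dir { add_name create getattr open read relabelfrom relabelto search setattr write };
allow init data_service_file:file { create getattr open unlink write };
allow init data_ss:dir { getattr open read relabelto setattr };
allow init data_storage:dir { getattr open read relabelto setattr };
allow init data_system_ce:dir { getattr open read relabelto setattr };
allow init data_system_de:dir { getattr open read relabelto setattr };
allow init data_system:dir { add_name create getattr open read relabelto search setattr write };
allow init data_udev:dir { getattr open read relabelto search setattr };
allow init data_updater_file:dir { getattr open read relabelto search setattr };
allow init data_updater_file:file { append create getattr map open read relabelto rename setattr unlink write };
allow init data_user_de:dir { getattr open read relabelto setattr };
allow init data_user:dir { add_name getattr open read relabelto search setattr write };
allow init data_user:lnk_file { create };
allow init data_vendor_ce:dir { getattr open read relabelto setattr };
allow init data_vendor_de:dir { getattr open read relabelto setattr };
allow init data_vendor:dir { add_name create getattr open read relabelto search setattr write };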
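# More service domains init transitions into (d-bms and dcamera_host may also
# be killed by init), plus debugfs mounting and two more parameter maps.
allow init d-bms:process { rlimitinh siginh sigkill transition };
allow init dcamera_host:process { rlimitinh siginh sigkill transition };
allow init dcamera:process { rlimitinh siginh transition };
allow init debugfs:dir { mounton };
allow init debugfs:filesystem { mount };
allow init debugfs_usb:dir { search };
allow init debug_param:file { map open read relabelto };
allow init default_param:file { map open read relabelto };

# /dev setup: nodes init creates, relabels or chmods/chowns (setattr) during
# early boot. Most chr_file entries only need setattr.
allow init dev_at_file:chr_file { ioctl setattr };
allow init dev_binder_file:chr_file { relabelto };
allow init dev_block_file:blk_file { getattr ioctl open read relabelto setattr write };
allow init dev_block_file:dir { open read relabelto search };
allow init dev_block_file:lnk_file { read relabelto };
allow init dev_block_volfile:dir { open read relabelto search };
allow init dev_char_file:dir { getattr open read relabelto setattr };
allow init dev_console_file:chr_file { getattr ioctl open read write };
allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto write };
allow init dev_file:lnk_file { create };
allow init dev_fscklogs_file:dir { open read relabelto search setattr };
allow init dev_fuse_file:chr_file { setattr };
allow init dev_graphics_file:chr_file { setattr };
allow init dev_graphics_file:dir { search };
allow init dev_hdf_disp:chr_file { setattr };
allow init dev_hdf_file:chr_file { setattr };
allow init dev_hdf_input:chr_file { setattr };
allow init dev_hdf_kevent:chr_file { setattr };
allow init deviceinfoservice:process { rlimitinh siginh transition };
allow init device_usage_stats_service:process { rlimitinh siginh transition };
allow init dev_kmsg_file:chr_file { getattr open read relabelto setattr write };
allow init dev_mali:chr_file { setattr };
allow init dev_mgr_file:chr_file { setattr };
allow init dev_mpp:chr_file { setattr };
allow init dev_null_file:chr_file { relabelto };
allow init dev_parameters_file:dir { add_name open read relabelto write };
allow init dev_parameters_file:file { create relabelfrom relabelto write };
allow init devpts:chr_file { getattr open read relabelfrom write };
allow init devpts:dir { relabelfrom };
allow init dev_pts_file:chr_file { relabelto };
allow init dev_pts_file:dir { open read relabelto search };
allow init dev_random_file:chr_file { relabelto };
allow init dev_rga:chr_file { setattr };
allow init dev_sched_rtg_ctrl:chr_file { setattr };
allow init dev_uhid_file:chr_file { setattr };
allow init dev_tun_file:chr_file { setattr };
allow init dev_unix_file:dir { getattr open read relabelto };
allow init dev_unix_file:sock_file { getattr relabelto write };
allow init dev_unix_socket:dir { add_name getattr open read relabelto remove_name search write };
allow init dev_unix_socket:sock_file { create getattr relabelfrom setattr };
allow init dev_usb_ffs:dir { add_name create getattr mounton open read relabelto search setattr write };
allow init dev_v_file:dir { getattr open read relabelto setattr };
allow init dev_v_file:chr_file { setattr };
allow init dev_media_file:chr_file { setattr };
allow init dev_video_file:chr_file { setattr };

# Distributed-* services, fault logger, foundation and power manager.
allow init dhardware:process { rlimitinh siginh transition };
allow init distributeddata:process { rlimitinh siginh transition };
allow init distributedfiledaemon:process { rlimitinh siginh transition };
allow init distributedsche_param:file { map open read relabelto };
allow init distributedsche:process { rlimitinh siginh transition };
allow init download_server:process { rlimitinh siginh transition };
allow init dscreen:process { rlimitinh siginh transition };
allow init dslm_service:process { rlimitinh siginh transition };
allow init edm_sa:process { rlimitinh siginh transition };
allow init faultloggerd_exec:file { execute getattr open read };
allow init faultloggerd:process { rlimitinh siginh transition };
allow init faultloggerd_socket:sock_file { getattr relabelto unlink };
allow init faultloggerd_temp_file:dir { getattr open read relabelfrom relabelto setattr };
allow init faultloggerd_socket_sdkdump:sock_file { getattr relabelto unlink };
allow init fd_holder_socket:sock_file { getattr relabelto write };
allow init foundation:dir { search };
allow init foundation:file { open read };
allow init foundation:process { getattr rlimitinh siginh transition };
allow init powermgr:dir { search };
allow init powermgr:file { open read };
allow init powermgr:process { getattr rlimitinh siginh transition };
allow init functionfs:filesystem { mount };

# hdc daemon, HDF device manager, hidumper and hilog/hisysevent sockets.
allow init hdcd_exec:file { execute getattr open read };
allow init hdcd:process { getattr rlimitinh siginh transition };
allow init hdcd:file { open read };
allow init hdcd:dir { search };
allow init hdcd_socket:sock_file { getattr relabelto unlink };
allow init hdf_devmgr:dir { search };
allow init hdf_devmgr:file { open read };
allow init hdf_devmgr:process { getattr };
allow init hidumper_file:dir { getattr open read relabelto search setattr };
allow init hidumper_service:process { rlimitinh siginh transition };
allow init hilog_control_socket:sock_file { getattr relabelto };
allow init hilog_input_socket:sock_file { getattr relabelto };
# NOTE(review): hilog_param:file is also granted earlier in this file with a
# superset (adds relabelfrom); this line is redundant with that one.
allow init hilog_param:file { map open read relabelto };
allow init hisysevent_socket:sock_file { getattr relabelto };
allow init hiview_file:dir { getattr open read relabelto search setattr };
allow init hw_sc_build_os_param:file { map open read relabelto };
allow init hw_sc_build_param:file { map open read relabelto };
allow init hw_sc_param:file { map open read relabelto };

# Capabilities init keeps for itself. dac_override, sys_admin and sys_rawio
# together make the init domain close to unconfined for file access, mounts
# and raw block devices. Anything init executes without a domain transition
# (see the execute_no_trans grants later in this file) runs under the same
# SELinux allowances, so keep both this list and those grants minimal.
allow init init:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_boot sys_chroot sys_rawio sys_resource };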
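# Permissions init uses on its own objects (uevent netlink, udp/dgram sockets,
# setexec/setsockcreate for labelling children and sockets), plus the
# remaining service domains it spawns.
allow init init:netlink_kobject_uevent_socket { bind create setopt };
allow init init:process { setexec setsockcreate };
allow init init:udp_socket { create ioctl };
allow init init:unix_dgram_socket { bind getattr getopt read setopt };
allow init init_param:file { map open read relabelto };
allow init init_svc_param:file { map open read relabelto };
allow init inputmethod_service:process { rlimitinh siginh transition };
allow init input_pointer_device_param:file { map open read relabelto };
allow init input_user_host:process { rlimitinh siginh transition };
allow init ispserver:process { rlimitinh siginh transition };
allow init kernel:process { setsched };
allow init kernel:system { syslog_read };
allow init kernel:unix_stream_socket { write };
allow init labeledfs:filesystem { mount remount unmount };
allow init location_host:process { rlimitinh siginh transition };
allow init locationhub:process { rlimitinh siginh transition };
allow init media_service:process { rlimitinh siginh transition };
allow init memmgrservice:dir { search };
allow init memmgrservice:file { open read };
allow init memmgrservice:process { getattr rlimitinh siginh transition };
allow init misc:process { rlimitinh siginh transition };
allow init mmi_uinput_service:process { rlimitinh siginh transition };
allow init msdp_sa:process { rlimitinh siginh transition };
allow init multimodalinput:dir { search };
allow init multimodalinput:file { open read };
allow init multimodalinput:process { getattr rlimitinh siginh transition };
allow init native_socket:sock_file { getattr relabelto };
allow init netmanager:process { rlimitinh siginh transition };
allow init net_param:file { map open read relabelto };
allow init netsysnative:process { rlimitinh siginh transition };
allow init net_tcp_param:file { map open read relabelto };
allow init nfc_tag_service:process { rlimitinh siginh transition };
allow init nwebspawn:process { rlimitinh siginh transition };
allow init nwebspawn_socket:sock_file { getattr relabelto };
allow init ohos_boot_param:file { map open read relabelto };
allow init ohos_param:file { map open read relabelfrom relabelto };
allow init paramservice_socket:sock_file { getattr relabelto };
allow init param_watcher:process { rlimitinh siginh transition };
allow init pasteboard_service:process { rlimitinh siginh transition };
allow init persist_param:file { map open read relabelto };
allow init persist_sys_param:file { map open read relabelto };
allow init power_host:process { rlimitinh siginh transition };

# /proc and pstore: mostly setattr (ownership/mode fixes) on kernel files.
allow init proc_cmdline_file:file { getattr open read setattr };
allow init proc_file:file { getattr open setattr write };
allow init proc_interrupts_file:file { setattr };
allow init proc_kmsg_file:file { setattr };
allow init proc_net:file { setattr };
allow init proc_slabinfo_file:file { setattr };
allow init proc_swaps_file:file { read };
allow init proc_vmallocinfo_file:file { setattr };
allow init pstorefs:dir { setattr };
allow init pstorefs:filesystem { mount };
allow init rootfs:dir { mounton };

# Executables init launches and the process/proc access that goes with them.
allow init samain_exec:file { execute getattr open read };
allow init samgr:dir { search };
allow init samgr:file { open read };
allow init samgr:process { getattr };
allow init screenlock_server:process { rlimitinh siginh transition };
allow init security_param:file { map open read relabelto };
# compute_av lets init ask the kernel for access decisions (presumably for
# the parameter-service permission checks - confirm that is the only use).
allow init security:security { compute_av };
# selinuxfs write covers policy load and enforce/boolean changes; this grant
# must stay limited to init.
allow init selinuxfs:dir { open read search };
allow init selinuxfs:file { map open read setattr write };
# NOTE(review): sh_exec execute is granted outside debug_only. There is no
# execute_no_trans here, so an exec only succeeds together with a domain
# transition rule; confirm which domain the release build transitions to.
allow init sh_exec:file { execute getattr open read };
allow init softbus_server:process { rlimitinh siginh transition };
allow init startup_param:file { map open read relabelto };
allow init storage_daemon_exec:file { execute getattr open read };
allow init storage_daemon:process { rlimitinh siginh transition };
allow init storage_manager:process { rlimitinh siginh transition };

# sysfs knobs init writes or chmods at boot.
allow init sys_file:dir { add_name mounton write };
allow init sys_file:file { create getattr open read setattr write };
allow init sysfs_block_zram:file { getattr open setattr write };
allow init sysfs_devices_system_cpu:file { setattr };
allow init sysfs_power:file { setattr };
allow init sysfs_state:file { setattr };
allow init sysfs_wake_lck:file { setattr };
allow init sys_param:file { map open read relabelto };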
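# /proc access to system_basic_hap processes and the system/vendor binaries
# init may run.
allow init system_basic_hap_attr:dir { search };
allow init system_basic_hap_attr:file { open read };
allow init system_basic_hap_attr:process { getattr };
allow init system_bin_file:dir { search };
# execute_no_trans keeps the executed program in the init domain, so every
# binary labelled system_bin_file or toybox_exec runs with the full init
# policy and capability set; keep those labels tight.
allow init system_bin_file:file { execute execute_no_trans getattr map open read };
allow init system_bin_file:lnk_file { read };
allow init toybox_exec:file { execute execute_no_trans getattr map open read };
allow init toybox_exec:lnk_file { read };
allow init sys_usb_param:file { map open read relabelto };
allow init thermal_protector_exec:file { execute getattr open read };
allow init time_service:process { rlimitinh siginh transition };

# Objects still labelled tmpfs or unlabeled (presumably early-boot nodes
# before relabelling): init may relabel them away from those types.
allow init tmpfs:blk_file { getattr relabelfrom };
allow init tmpfs:chr_file { getattr open read relabelfrom write };
allow init tmpfs:dir { add_name create mounton open read relabelfrom setattr write };
allow init tmpfs:file { create getattr mounton open relabelfrom };
allow init tmpfs:lnk_file { create getattr relabelfrom };
allow init tmpfs:sock_file { getattr relabelfrom };
allow init token_sync_service:process { rlimitinh siginh transition };
allow init tracefs:dir { mounton search setattr };
allow init tracefs:file { getattr open setattr write };
allow init tracefs_trace_marker_file:file { setattr };
allow init tty_device:chr_file { relabelto setattr };
allow init udevd_socket:sock_file { relabelto };
allow init ui_service:process { rlimitinh siginh transition };
allow init unlabeled:dir { getattr relabelfrom };
allow init unlabeled:file { getattr open read relabelfrom };
allow init updater_sa:dir { search };
allow init updater_sa:file { open read };
allow init updater_sa:process { getattr rlimitinh siginh transition };
allow init usb_host:process { rlimitinh siginh transition };
allow init usb_service:process { rlimitinh siginh transition };
allow init vendor_bin_file:dir { search };
allow init vendor_bin_file:file { execute getattr open read };
allow init hdf_devhost_exec:dir { search };
allow init hdf_devhost_exec:file { execute getattr open read };
allow init vendor_etc_file:dir { getattr open read search };
allow init vendor_etc_file:file { getattr open read };
allow init wallpaper_service:process { rlimitinh siginh transition };
allow init watchdog_service_exec:file { execute getattr open read };
allow init watchdog_service:process { rlimitinh siginh transition };
allow init wifi_hal_service_exec:file { execute getattr open read };
allow init wifi_hal_service:process { rlimitinh siginh transition };
allow init wifi_manager_service:process { rlimitinh siginh transition };
allow init kernel:unix_dgram_socket { sendto };

# ioctl allow-lists (low 16 bits of the command). 0x5413 is TIOCGWINSZ,
# 0x8913/0x8914 are SIOCGIFFLAGS/SIOCSIFFLAGS. An allowxperm rule only narrows
# an ioctl permission that is already granted on the same class.
# NOTE(review): this file has no allow init data_file:file { ioctl } and no
# ioctl in its devpts:chr_file rule - confirm both are granted elsewhere,
# otherwise the data_file and devpts xperm rules below are inert.
allowxperm init data_file:file ioctl { 0x5413 };
allowxperm init data_parameters:file ioctl { 0x5413 };
allowxperm init dev_at_file:chr_file ioctl { 0x4102 };
allowxperm init dev_block_file:blk_file ioctl { 0x125e 0x1272 0x127c 0x5413 };
allowxperm init dev_console_file:chr_file ioctl { 0x540e };
allowxperm init init:udp_socket ioctl { 0x8913 0x8914 };
allowxperm init devpts:chr_file ioctl { 0x5413 };
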
# hyperhold: the zram block device and (presumably sysfs) hyperhold control
# entries that init creates, writes and relabels.
allow init hyperhold_sys:dir { add_name getattr relabelto remove_name search setattr write };
allow init hyperhold_sys:file { create getattr open read relabelto rename setattr unlink write };
allow init zram_device:blk_file { getattr ioctl open read write };
allowxperm init zram_device:blk_file ioctl { 0x126e };

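# The rules below were derived from audit denials, mostly recorded in
# permissive mode; the avc lines are kept as evidence, each once.
# NOTE(review): /dev/block/mmcblk0p2 (ino=35) shows up with tcontext tmpfs in
# some denials and updater_block_file in others, which suggests the node is
# touched before it is relabelled. Confirm that the tmpfs:blk_file grants
# only cover that window rather than permanently widening access to every
# tmpfs-labelled block node.

# avc:  denied  { getattr } for  pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
# avc:  denied  { ioctl } for  pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
# avc:  denied  { open } for  pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
# avc:  denied  { read } for  pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
# avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
allow init updater_block_file:blk_file { getattr ioctl open read write };
allowxperm init updater_block_file:blk_file ioctl { 0x5413 };

# avc:  denied  { relabelto } for  pid=1 comm="init" name="misc" dev="tmpfs" ino=37 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=lnk_file permissive=0
allow init updater_block_file:lnk_file { relabelto };

# avc:  denied  { ioctl } for  pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1
# avc:  denied  { open } for  pid=1 comm="init" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1
# avc:  denied  { read } for  pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1
# avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=blk_file permissive=1
allow init tmpfs:blk_file { ioctl open read write };
allowxperm init tmpfs:blk_file ioctl { 0x5413 };

# avc:  denied  { rlimitinh } for  pid=602 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1
# avc:  denied  { siginh } for  pid=602 comm="sa_main" scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1
# avc:  denied  { transition } for  pid=602 comm="init" path="/system/bin/sa_main" dev="mmcblk0p7" ino=366 scontext=u:r:init:s0 tcontext=u:r:drm_service:s0 tclass=process permissive=1
allow init drm_service:process { rlimitinh siginh transition };

# for developer
# NOTE(review): write on the /proc entries of appspawn and render_service is
# broader than the { open read } init has on other domains in this file;
# confirm it is needed outside developer builds.
allow init proc_developer_file:file { getattr open read };
allow init appspawn:file { open read write };
allow init render_service:file { open read write };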
515allow init foundation:file { read open write };
516allow init powermgr:file { read open write };
517allow init sysfs_hungtask_userlist:file { read open write };
518allow init data_service_el1_public_huksService_file:file { getattr };
519allow init share_public_file:dir { getattr };
520
521# for chip ckm
522# avc:  denied  { getattr } for  pid=1 comm="init" path="/chip_ckm" dev="mmcblk0p7" ino=13 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0
523# avc:  denied  { mounton } for  pid=1 comm="init" path="/chip_ckm" dev="mmcblk0p7" ino=13 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0
524# avc:  denied  { search } for  pid=1 comm="init" name="/" dev="mmcblk0p14" ino=2 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=dir permissive=0
525allow init chip_ckm_file:dir { getattr mounton search };
526
527# avc:  denied  { read } for  pid=1 comm="init" name="kosample.ko" dev="mmcblk0p14" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=file permissive=0
528# avc:  denied  { open } for  pid=1 comm="init" path="/chip_ckm/kosample.ko" dev="mmcblk0p14" ino=12 scontext=u:r:init:s0 tcontext=u:object_r:chip_ckm_file:s0 tclass=file permissive=0
529allow init chip_ckm_file:file { read open };
530
531allow init sysfs_block_file:dir { read open };
532allow init sysfs_block_file:file { open write };
533
534init_relabel(data_service_el1_public_device_attest);
535init_relabel(share_public_file);
536init_relabel(msdp_data_file);
537init_relabel(av_session_data_file);
538init_relabel(cert_manager_service_file);
539init_relabel(dlp_permission_data_file);
540
541allow ark_writeable_param tmpfs:filesystem associate;
542allow init ark_writeable_param:file { map open read relabelto relabelfrom };
543allow init ark_writeable_param:parameter_service { set };
544# avc:  denied  { read append } for  pid=1 comm="init" path="/data/service/el1/startup/parameters/persist_parameters" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=42 scontext=u:r:init:s0 tcontext=u:object_r:data_service_file:s0 tclass=file permissive=0
545allow init data_service_file:file {read append};
546# avc:  denied  { read } for  pid=1 comm="init" path="/console" dev="" ino=70 scontext=u:r:init:s0 tcontext=u:object_r:dev_console_file:s0 tclass=lnk_file permissive=0
547allow init dev_console_file:lnk_file { read};
548
549# avc:  denied  { setpcap } for  pid=4977 comm="init" capability=8  scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0
550allow init init:capability { setpcap };
551
552# avc:  denied  { append } for  pid=1 comm="init" name="private_persist_parameters" dev="mmcblk0p15" ino=2386 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
553# avc:  denied  { rename } for  pid=1 comm="init" name="tmp_private_persist_parameters" dev="mmcblk0p15" ino=2703 scontext=u:r:init:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=0
554allow init data_service_el1_file:file { open read append rename map };
555
556allow init teecd_exec:file { relabelto getattr execute read open };
557
558allow init hdf_devhost_exec:dir { getattr mounton { search } };
559
560# avc: denide { read write } for pid=656, comm="/bin/init" path="/dev/xpm" dev="" ino=5 scontext=u:r:init:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=0
561# avc: denide { open } for pid=656, comm="/bin/init" path="/dev/xpm" dev="" ino=5 scontext=u:r:init:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=0
562# avc: denide { ioctl } for pid=656, comm="/bin/init" path="/dev/xpm" dev="" ino=5 ioctlcmd=0x7802 scontext=u:r:init:s0 tcontext=u:object_r:dev_xpm:s0 tclass=chr_file permissive=0
563allow init dev_xpm:chr_file { ioctl read write open };
564allowxperm init dev_xpm:chr_file ioctl { 0x7802 };
565
566# avc: denied { getattr } for pid=1, comm="/bin/init" path="/system/bin/nwebspawn" dev="overlay" ino=835 scontext=u:r:init:s0 tcontext=u:object_r:nwebspawn_exec:s0 tclass=file permissive=0
567allow init nwebspawn_exec:file { execute getattr read open };
568