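# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the init domain.
#
# Apart from the single allow rule below, every statement in this file is a
# neverallow: a build-time assertion that no rule elsewhere in the policy
# grants the listed permission.  The macros non_developer_mode(),
# debug_only() and updater_only() are defined outside this file; they are
# presumably m4 macros that expand to their argument only for the matching
# build variant and to nothing otherwise -- confirm against the policy's
# macro definitions before relying on that reading.

# init may create, bind and set options on unix stream/datagram sockets
# labelled with any domain type.
allow init domain:{ unix_stream_socket unix_dgram_socket } { create bind setopt };

# init must never remove entries from data_local_tmp directories; outside
# developer mode it must not write to them or add entries either.
neverallow init data_local_tmp:dir { non_developer_mode(`write add_name') remove_name };

# Only the kernel may transition (normal or dynamic) into the init domain,
# so no other domain can acquire init's privileges through an exec or a
# setcon.
neverallow { domain -kernel } init:process dyntransition;
neverallow { domain -kernel } init:process transition;

# noatsecure lets the target of a domain transition skip the secure-mode
# environment cleansing.  In non-debug builds init may not grant it to any
# domain.  In debug builds the first rule's target set collapses to
# { domain -domain } (empty), and the second rule re-asserts the ban only
# for processdump -- so debug builds deliberately relax this check.
neverallow init { domain debug_only(`-domain')}:process {noatsecure};
debug_only(`neverallow init processdump:process {noatsecure};')

# processdump is the only domain allowed to ptrace init.
neverallow { domain -processdump } init:process ptrace;

# init gets no perf_event access of the listed kinds: no kernel- or
# tracepoint-type events, and no read/write on perf event fds.
neverallow init self:perf_event { kernel tracepoint read write };

# read on lnk_file is the permission needed to follow a symlink; init must
# not follow links under application files or data_local_tmp, so a link
# planted there cannot redirect init's file operations.
neverallow init hap_file_attr:lnk_file read;
neverallow init data_local_tmp:lnk_file read;

# init_exec is the only file type allowed as the entrypoint of the init
# domain.
neverallow init { file_attr fs_attr -init_exec }:file entrypoint;

# No network access from init: no TCP or raw-IP sockets at all, and nothing
# on UDP sockets beyond creating them and ioctl.
neverallow init domain:{ tcp_socket rawip_socket } *;
neverallow init domain:udp_socket ~{ ioctl create };

# init must not execute a file without a domain transition
# (execute_no_trans), except for the exempted types listed here.  Every
# exemption is an executable that runs with init's full privileges, so the
# list should only shrink.
# TODO: the system_bin_file exemption still needs to be fixed (original
# author's note).
neverallow init { file_attr fs_attr -system_bin_file -toybox_exec -sdc_exec -hnp_exec updater_only(`-rootfs') -system_bin_file_quickfix -init_module_system_bin_file -bootanimation_exec}:file execute_no_trans;

# TODO: the following assertion is not yet enabled (original author's
# note); it would forbid init from opening, reading or writing sys_file.
#neverallow init sys_file:file { open read write };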