# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

###################
## Macro define: ##
###################
# SELinux type-enforcement rules for the faultloggerd service, preprocessed
# with m4. Each macro takes one domain, or a brace-enclosed set of domains,
# as $1 and grants it one way of interacting with faultloggerd. Connecting to
# a unix socket needs write on the sock_file plus connectto on the server
# socket; fd use covers descriptors that faultloggerd passes back.

# use_faultloggerd(domains): client access to the general request socket.
define(`use_faultloggerd', `
 allow $1 faultloggerd:fd use;
 allow $1 faultloggerd:unix_stream_socket connectto;
 allow $1 faultloggerd_socket:sock_file { getattr write };
')

# use_faultloggerd_file(domains): read and write the files faultloggerd keeps
# in its temp directory, and read the faultloggerd fifo. Note that this is
# read-write on the temp files, not read-only.
define(`use_faultloggerd_file', `
 allow $1 faultloggerd_temp_file:dir { getattr setattr open read search watch };
 allow $1 faultloggerd_temp_file:file { getattr open read write };
 allow $1 faultloggerd:fifo_file read;
')

# use_faultloggerd_crash(domains): client access to the crash socket, which
# the neverallow rule below restricts to processdump.
define(`use_faultloggerd_crash', `
 allow $1 faultloggerd:fd use;
 allow $1 faultloggerd:unix_stream_socket connectto;
 allow $1 faultloggerd_socket_crash:sock_file { getattr write };
')

# use_faultloggerd_sdkdump(domains): client access to the sdkdump socket,
# restricted by the second neverallow rule below.
define(`use_faultloggerd_sdkdump', `
 allow $1 faultloggerd:fd use;
 allow $1 faultloggerd:unix_stream_socket connectto;
 allow $1 faultloggerd_socket_sdkdump:sock_file { getattr write };
')

##########################################
## Read/Use/Control faultloggerd rules: ##
##########################################
# Every domain may reach the general request socket; the crash and sdkdump
# sockets and the temp files are limited to the explicit sets given here.
use_faultloggerd(domain)
use_faultloggerd_crash({ processdump })
use_faultloggerd_file({ hiview hidumper })
use_faultloggerd_sdkdump({ hiview hidumper foundation })

# Build-time invariants (checkpolicy rejects a policy that violates them):
# only processdump may write, read or ioctl the crash socket file, and the
# sdkdump socket file is closed to every domain outside the exempted set.
# dumpcatcher and appspawn are exempted but receive no sdkdump grant in this
# file, so any allow rules for them are presumably defined elsewhere.
neverallow { domain -processdump } faultloggerd_socket_crash:sock_file { write read ioctl };
neverallow { domain -processdump -foundation -hidumper -hiview -dumpcatcher -appspawn }
faultloggerd_socket_sdkdump:sock_file { write read ioctl };
#########################
## faultloggerd rules: ##
#########################
# Server side: the listening sockets carry the init label, so they are
# presumably created by init and inherited by faultloggerd, which only
# accepts on them (no create or bind appears in this file).
allow faultloggerd init:unix_stream_socket { accept getattr getopt listen setopt };

# Inspect and signal processes of any domain for fault collection. This file
# grants read-only access to their files and directories plus signal; it
# grants no ptrace and no write on other domains.
allow faultloggerd domain:file { open read };
allow faultloggerd domain:dir { getattr search };
allow faultloggerd domain:process signal;

# Directory traversal needed to reach the data, socket and log paths below.
allow faultloggerd data_file:dir search;
allow faultloggerd data_init_agent:dir search;
allow faultloggerd dev_unix_socket:dir search;
allow faultloggerd data_log:dir search;

# Console device access.
allow faultloggerd tty_device:chr_file { open read write };
# Runs helpers from system/bin and toybox. execute_no_trans means there is no
# domain transition: the helper keeps running with faultloggerd privileges.
allow faultloggerd system_bin_file:file { execute execute_no_trans getattr map open read };
allow faultloggerd system_bin_file:lnk_file read;
allow faultloggerd toybox_exec:file { execute execute_no_trans getattr map open read };
allow faultloggerd toybox_exec:lnk_file read;

# Append-only access to the init agent file; unlink (but not create) of the
# socket files, consistent with the sockets being set up by init above.
allow faultloggerd data_init_agent:file { append ioctl open read };
allow faultloggerd dev_unix_socket:sock_file unlink;
allow faultloggerd faultloggerd_socket:sock_file unlink;
allow faultloggerd faultloggerd_socket_crash:sock_file unlink;
allow faultloggerd faultloggerd_socket_sdkdump:sock_file unlink;
# Owner access to the temp directory: create, write and remove files in it.
allow faultloggerd faultloggerd_temp_file:dir { add_name remove_name write open read search };
allow faultloggerd faultloggerd_temp_file:file { create getattr setattr write open read unlink };

# Lets files of type faultloggerd_temp_file live on a labeled filesystem.
allow faultloggerd_temp_file labeledfs:filesystem { associate };

# allow hap apply pipe fd for mix stack
# Any application domain may write to a faultloggerd fifo; the matching read
# side is granted to hiview and hidumper through use_faultloggerd_file above.
allow hap_domain faultloggerd:fifo_file write;