1# Copyright (c) 2021-2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14type init, native_system_domain, domain;
15type init_exec, exec_attr, file_attr, system_file_attr;
16type ueventd, native_system_domain, domain;
17type ueventd_exec, system_file_attr, exec_attr, file_attr;
18type remount_exec, system_file_attr, exec_attr, file_attr;
19
20
21debug_only(`
22    allow init console:process { rlimitinh siginh transition getattr };
23')
24allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name };
25allow init data_startup:file { create ioctl open read append relabelto rename unlink write open };
26allow init proc_stat_file:file { setattr read open };
27allow init proc_diskstats_file:file { read open };
28allow init kernel:file { read open };
29allow init kernel:dir { search };
30allow bootevent_wms_param tmpfs:filesystem associate;
31allow init bootevent_wms_param:file { map open read relabelto relabelfrom};
32allow dhardware_dm_param tmpfs:filesystem associate;
33allow init dhardware_dm_param:file { map open read relabelto relabelfrom };
34allow persist_audio_param tmpfs:filesystem associate;
35allow init persist_audio_param:file { map open read relabelto relabelfrom };
36allow arkcompiler_param tmpfs:filesystem associate;
37allow init arkcompiler_param:file { map open read relabelto relabelfrom };
38allow init arkcompiler_param:parameter_service { set };
39allow arkui_param tmpfs:filesystem associate;
40allow init arkui_param:file { map open read relabelto relabelfrom };
41allow init arkui_param:parameter_service { set };
42allow hap_domain arkui_param:file { map open read };
43allow init inputmethod_param:file { map open read relabelto relabelfrom };
44allow init inputmethod_param:parameter_service { set };
45
46allow pasteboard_param tmpfs:filesystem associate;
47allow init pasteboard_param:file { map open read relabelto relabelfrom };
48allow time_param tmpfs:filesystem associate;
49allow init time_param:file { map open read relabelto relabelfrom };
50allow accesstoken_perm_param tmpfs:filesystem associate;
51allow init accesstoken_perm_param:file { map open read relabelto relabelfrom };
52
53allow xts_devattest_authresult_param tmpfs:filesystem associate;
54allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom };
55allow init xts_devattest_authresult_param:parameter_service { set };
56allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom };
57allow init devpts:chr_file { ioctl };
58
59allow i18n_param tmpfs:filesystem associate;
60allow init i18n_param:file { map open read relabelto relabelfrom };
61allow init i18n_param:parameter_service { set };
62allow { domain -limit_domain } i18n_param:file { map open read };
63allow const_i18n_param tmpfs:filesystem associate;
64allow init const_i18n_param:file { map open read relabelto relabelfrom };
65allow i18n_param_tz_override tmpfs:filesystem associate;
66allow init i18n_param_tz_override:file { map open read relabelto relabelfrom };
67allow init i18n_param_tz_override:parameter_service { set };
68allow { domain } i18n_param_tz_override:file { map open read };
69developer_only(`
70    allow sh i18n_param_tz_override:file { map open read };
71')
72allow { domain -limit_domain } const_i18n_param:file { map open read };
73
74allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton };
75allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map };
76developer_only(`
77    allow sh data_service_el1_i18n_timezone_file:dir { search };
78    allow sh data_service_el1_i18n_timezone_file:file { open read getattr map };
79')
80
81#for bootchart to read
82allow init domain:file { open read };
83allow init domain:dir { search };
84
85# for init trace
86allow init hiview:unix_dgram_socket { sendto };
87
88# all can read
89allow domain musl_param:file { map open read };
90
91#for crash handle
92allow init init_exec:file { open read getattr map };
93allow init faultloggerd_temp_file:dir { add_name remove_name write open read search };
94allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink };
95allow init sa_device_service_manager:samgr_class{ get };
96
97allow edm_writable_param tmpfs:filesystem associate;
98allow init edm_writable_param:file { map open read relabelto };
99allow init edm_writable_param:parameter_service { set };
100allow { domain } edm_writable_param:file { map open read };
101
102define(`init_relabel', `
103    allow init $1:{ file dir sock_file } { relabelto setattr };
104    allow init $1:dir { search };
105')
106init_relabel(data_service_el1_public_print_service_file);
107init_relabel(data_service_el1_i18n_timezone_file);
108init_relabel(data_parameters);
109init_relabel(data_udev);
110init_relabel(data_multimodalinput);
111init_relabel(sandbox_manager_data_file);
112init_relabel(account_data_file);
113init_relabel(hdf_ext_devmgr_file);
114init_relabel(cloudfile_data_file);
115init_relabel(udevd_socket);
116init_relabel(accesstoken_data_file);
117init_relabel(data_service_el1_public_deviceauthService_file);
118init_relabel(data_service_el1_public_huksService_file);
119init_relabel(update_dupdate_engine_file);
120init_relabel(update_update_service_file);
121neverallow init *:process ptrace;
122