# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#type accountmgr, sadomain, domain, samgr_type;

binder_call(accountmgr, foundation);
binder_call(accountmgr, useriam);
binder_call(accountmgr, pinauth);
binder_call(accountmgr, system_core_hap_attr);
binder_call(accountmgr, system_basic_hap_attr);
binder_call(accountmgr, normal_hap_attr);

allow accountmgr init:binder { call transfer };
allow accountmgr self:unix_dgram_socket{ getopt setopt };

allow accountmgr data_system:dir { getattr write add_name create read open setattr search remove_name rmdir };
allow accountmgr data_system:file { getattr write create read open setattr ioctl relabelfrom };
allow accountmgr data_service_file:dir { search };
allow accountmgr data_service_el1_file:dir { add_name create getattr open read search setattr write remove_name rmdir watch };
allow accountmgr data_service_el1_file:file { create getattr ioctl relabelfrom setattr write open read unlink map lock watch };
allowxperm accountmgr data_service_el1_file:file ioctl { 0xf50c };
allowxperm accountmgr data_service_el1_file:file ioctl { 0x5413 };
allow accountmgr data_service_el2_file:dir { search };
allow accountmgr account_data_file:file { getattr setattr open ioctl create write read relabelto unlink map };
allow accountmgr account_data_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch };
allow accountmgr vendor_lib_file:file { getattr open read map execute };
allow accountmgr vendor_lib_file:lnk_file { read };
allow accountmgr vendor_lib_file:dir { search };
allow accountmgr data_file:dir { search };
allow accountmgr sys_file:file { read open };
# avc:  denied  { lock } for  pid=4779 comm="IPC_1_4783" path="/data/service/el1/public/account/100/account_info.json" dev="mmcblk0p14" ino=7594 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1
# avc:  denied  { watch } for  pid=4779 comm="SaInit0" path="/data/service/el1/public/account/104/account_info.json" dev="mmcblk0p14" ino=14953 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1
allow accountmgr account_data_file:file { lock watch };

allow accountmgr account_data_el2_file:file { getattr setattr open create write read relabelto unlink map lock watch };
allow accountmgr account_data_el2_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch };
# avc:  denied  { ioctl } for  pid=666 comm="OS_IPC_3_955" path="/data/service/el2/100/account/app_account/database/kvdb/5b281d1d619b09bcafed523d8fe64b47c64bec36bee7fa9d64ad21e569894065/single_ver/main/gen_natural_store.db" dev="mmcblk0p15" ino=2591 ioctlcmd=0xf50c scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_el2_file:s0 tclass=file permissive=1
allow accountmgr account_data_el2_file:file { ioctl };
# avc:  denied  { ioctl } for  pid=666 comm="OS_IPC_3_955" path="/data/service/el2/100/account/app_account/database/kvdb/5b281d1d619b09bcafed523d8fe64b47c64bec36bee7fa9d64ad21e569894065/single_ver/main/gen_natural_store.db" dev="mmcblk0p15" ino=2591 ioctlcmd=0xf50c scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_el2_file:s0 tclass=file permissive=1
allowxperm accountmgr account_data_el2_file:file ioctl { 0xf50c };

allow accountmgr tracefs:dir { search };
allow accountmgr tracefs_trace_marker_file:file { write open };
allow accountmgr hilog_input_socket:sock_file { write };
allow accountmgr hisysevent_socket:sock_file { write };
allow accountmgr accesstoken_service:binder { call };
allow accountmgr dev_unix_socket:dir { search };
allow accountmgr param_watcher:binder { call };
allow accountmgr storage_manager:binder { call };
allow accountmgr storage_manager:binder { transfer };
allow accountmgr distributeddata:binder { transfer };
allow accountmgr distributeddata:binder { call };
allow accountmgr data_init_agent:dir { search };
allow accountmgr data_init_agent:file { read append ioctl open };
allow accountmgr param_watcher:binder { transfer };
allow accountmgr devinfo_private_param:file { map open read };
allow accountmgr wifi_manager_service:binder { transfer };

allow accountmgr sa_accountmgr:samgr_class { add };
allow accountmgr sa_param_watcher:samgr_class { get };
allow accountmgr sa_foundation_appms:samgr_class { get };
allow accountmgr sa_storage_manager_service:samgr_class { get };
allow accountmgr sa_foundation_cesfwk_service:samgr_class { get };
allow accountmgr sa_foundation_abilityms:samgr_class { get };
allow accountmgr sa_distributeddata_service:samgr_class { get };
allow accountmgr sa_accesstoken_manager_service:samgr_class { get };
allow accountmgr sa_foundation_bms:samgr_class { get };
allow accountmgr sa_useriam_useridm_service:samgr_class { get };
allow accountmgr sa_useriam_userauth_service:samgr_class { get };
allow accountmgr sa_useriam_pinauth_service:samgr_class { get };
allow accountmgr sa_foundation_devicemanager_service:samgr_class { get };
allow accountmgr sa_time_service:samgr_class { get };
allow accountmgr sa_huks_service:samgr_class { get };
# avc:  denied  { transfer } for  pid=4779 comm="IPC_4_4794" scontext=u:r:accountmgr:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1
allow accountmgr dlp_permission_service:binder { transfer };

# avc:  denied  { call } for  pid=4779 comm="IPC_1_4783" scontext=u:r:accountmgr:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1
allow accountmgr huks_service:binder { call transfer };

allow accountmgr accessibility:binder { transfer };
allow accountmgr bootevent_param:file { map open read };
allow accountmgr bootevent_param:parameter_service { set };
allow accountmgr bootevent_samgr_param:file { map open read };
allow accountmgr build_version_param:file { map open read };
allow accountmgr const_allow_mock_param:file { map open read };
allow accountmgr const_allow_param:file { map open read };
allow accountmgr const_build_param:file { map open read };
allow accountmgr const_display_brightness_param:file { map open read };
allow accountmgr const_param:file { map open read };
allow accountmgr const_postinstall_fstab_param:file { map open read };
allow accountmgr const_postinstall_param:file { map open read };
allow accountmgr const_product_param:file { map open read };

allow accountmgr debug_param:file { map open read };
allow accountmgr default_param:file { map open read };
allow accountmgr deviceauth_service:binder { transfer };
allow accountmgr dev_console_file:chr_file { read write };

allow accountmgr time_service:binder { call transfer };
allow accountmgr distributedfiledaemon:binder { call transfer };
allow accountmgr distributedsche_param:file { map open read };
allow accountmgr hilog_param:file { map open read };
allow accountmgr hiview:binder { transfer };
allow accountmgr hiview:unix_dgram_socket { sendto };
allow accountmgr hw_sc_build_os_param:file { map open read };
allow accountmgr hw_sc_build_param:file { map open read };
allow accountmgr hw_sc_param:file { map open read };
allow accountmgr init_param:file { map open read };
allow accountmgr init_svc_param:file { map open read };
allow accountmgr input_pointer_device_param:file { map open read };
allow accountmgr locationhub:binder { transfer };
allow accountmgr net_param:file { map open read };
allow accountmgr net_tcp_param:file { map open read };
allow accountmgr ohos_boot_param:file { map open read };
allow accountmgr ohos_param:file { map open read };
allow accountmgr paramservice_socket:sock_file { write };
allow accountmgr persist_param:file { map open read };
allow accountmgr persist_sys_param:file { map open read };
allow accountmgr security_param:file { map open read };
allow accountmgr softbus_server:binder { transfer };
allow accountmgr startup_param:file { map open read };
allow accountmgr sys_param:file { map open read };
allow accountmgr system_bin_file:dir { search };
allow accountmgr sys_usb_param:file { map open read };
allow accountmgr sysfs_devices_system_cpu:file { open read getattr };
allow accountmgr kernel:unix_stream_socket { connectto };
allow accountmgr vendor_etc_file:dir { search };
allow accountmgr vendor_etc_file:file { read getattr open };
allow accountmgr usb_service:binder { call transfer };
allow accountmgr system_etc_file:file { lock };
allow accountmgr sa_asset_service:samgr_class { get };
allow accountmgr asset_service:binder { call transfer };
allow accountmgr audio_server:binder { call transfer };
allow accountmgr media_service:binder { call transfer };
allow accountmgr i18n_service:binder { call transfer };

# avc: denied { open } for  pid=541 comm="IPC_0_735" path="/dev/ashmem" dev="tmpfs" ino=170 scontext=u:r:accountmgr:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0
allow accountmgr dev_ashmem_file:chr_file { open };

# avc:  denied  { set } for parameter=persist.account.login_name_max pid=2208 uid=3058 gid=3058 scontext=u:r:accountmgr:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=0
allow accountmgr persist_param:parameter_service { set };

allow accountmgr account_data_file:dir { ioctl };
allowxperm accountmgr account_data_file:dir ioctl { 0xf546 0xf547 };

allow accountmgr msdp_sa:binder { call transfer };

# add for test
debug_only(`
    allow accountmgr sh:binder { call };
')