# Copyright (c) 2021-2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

type init, native_system_domain, domain;
type init_exec, exec_attr, file_attr, system_file_attr;
type ueventd, native_system_domain, domain;
type ueventd_exec, system_file_attr, exec_attr, file_attr;
type remount_exec, system_file_attr, exec_attr, file_attr;


debug_only(`
    allow init console:process { rlimitinh siginh transition getattr };
')
allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name };
allow init data_startup:file { create ioctl open read append relabelto rename unlink write open };
allow init proc_stat_file:file { setattr read open };
allow init proc_diskstats_file:file { read open };
allow init kernel:file { read open };
allow init kernel:dir { search };
allow bootevent_wms_param tmpfs:filesystem associate;
allow init bootevent_wms_param:file { map open read relabelto relabelfrom};
allow dhardware_dm_param tmpfs:filesystem associate;
allow init dhardware_dm_param:file { map open read relabelto relabelfrom };
allow persist_audio_param tmpfs:filesystem associate;
allow init persist_audio_param:file { map open read relabelto relabelfrom };
allow arkcompiler_param tmpfs:filesystem associate;
allow init arkcompiler_param:file { map open read relabelto relabelfrom };
allow init arkcompiler_param:parameter_service { set };
allow arkui_param tmpfs:filesystem associate;
allow init arkui_param:file { map open read relabelto relabelfrom };
allow init arkui_param:parameter_service { set };
allow hap_domain arkui_param:file { map open read };
allow init inputmethod_param:file { map open read relabelto relabelfrom };
allow init inputmethod_param:parameter_service { set };

allow pasteboard_param tmpfs:filesystem associate;
allow init pasteboard_param:file { map open read relabelto relabelfrom };
allow time_param tmpfs:filesystem associate;
allow init time_param:file { map open read relabelto relabelfrom };
allow accesstoken_perm_param tmpfs:filesystem associate;
allow init accesstoken_perm_param:file { map open read relabelto relabelfrom };

allow xts_devattest_authresult_param tmpfs:filesystem associate;
allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom };
allow init xts_devattest_authresult_param:parameter_service { set };
allow init hitrace_param:file { map open read relabelto relabelfrom };
allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom };
allow init devpts:chr_file { ioctl };

allow i18n_param tmpfs:filesystem associate;
allow init i18n_param:file { map open read relabelto relabelfrom };
allow init i18n_param:parameter_service { set };
allow { domain -limit_domain } i18n_param:file { map open read };
allow i18n_param_tz_override tmpfs:filesystem associate;
allow init i18n_param_tz_override:file { map open read relabelto relabelfrom };
allow init i18n_param_tz_override:parameter_service { set };
allow { domain } i18n_param_tz_override:file { map open read };
developer_only(`
    allow sh i18n_param_tz_override:file { map open read };
')
allow const_i18n_param tmpfs:filesystem associate;
allow init const_i18n_param:file { map open read relabelto relabelfrom };
allow { domain -limit_domain } const_i18n_param:file { map open read };

allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton };
allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map };

#for bootchart to read
allow init domain:file { open read };
allow init domain:dir { search };

# for init trace
allow init hiview:unix_dgram_socket { sendto };

# all can read
allow domain musl_param:file { map open read };

#for crash handle
allow init init_exec:file { open read getattr map };
allow init faultloggerd_temp_file:dir { add_name remove_name write open read search };
allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink };
allow init sa_device_service_manager:samgr_class{ get };

allow edm_writable_param tmpfs:filesystem associate;
allow init edm_writable_param:file { map open read relabelto };
allow init edm_writable_param:parameter_service { set };
allow { domain } edm_writable_param:file { map open read };

define(`init_relabel', `
    allow init $1:{ file dir sock_file } { relabelto setattr };
    allow init $1:dir { search };
')
init_relabel(data_service_el1_public_print_service_file);
init_relabel(data_service_el1_i18n_timezone_file);
init_relabel(data_parameters);
init_relabel(data_udev);
init_relabel(data_multimodalinput);
init_relabel(sandbox_manager_data_file);
init_relabel(account_data_file);
init_relabel(hdf_ext_devmgr_file);
init_relabel(cloudfile_data_file);
init_relabel(udevd_socket);
init_relabel(accesstoken_data_file);
init_relabel(data_service_el1_public_deviceauthService_file);
init_relabel(data_service_el1_public_huksService_file);
init_relabel(update_dupdate_engine_file);
init_relabel(update_update_service_file);
neverallow init *:process ptrace;

allow init init:netlink_kobject_uevent_socket { read write };