1# Copyright (c) 2024 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14
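# Prohibit system component processes from accessing vendor files to achieve access isolation
#
# Layout used for every target type in this file: the first neverallow for an
# object class denies every permission NOT listed in its ~{ ... } set to all of
# system_domain (except domains carrying the matching *_violator_* attribute);
# each permission that IS in the set then gets its own neverallow with its own,
# narrower exemption list.  A domain written with a leading '-' is exempted from
# that assertion and may be granted the permission by an allow rule elsewhere.
# Every exemption widens the system/vendor boundary, so a new one should be
# justified when it is added.  The *_violator_* attributes are presumably
# tracked escape hatches for known violators (name-based inference — confirm
# against the attribute definitions).
neverallow { system_domain -vendor_file_violator_dir } vendor_file:dir ~{ search getattr relabelto read open mounton };
# NOTE(review): 'search' is excluded from the rule above but has no dedicated
# assertion below, so dir search on vendor_file is not constrained for
# system_domain at all — presumably to allow path traversal; confirm intended.
# dir getattr additionally exempts hdcd, hidumper_service, init and processdump.
neverallow { system_domain -hdcd -hidumper_service -init -processdump -vendor_file_violator_dir_getattr } vendor_file:dir { getattr };
# Only init (plus the violator attribute) may relabel vendor_file directories.
neverallow { system_domain -init -vendor_file_violator_dir_relabelto } vendor_file:dir { relabelto };
# Directory listing (read/open) is limited to init and processdump.
neverallow { system_domain -init -processdump -vendor_file_violator_dir_read } vendor_file:dir { read };
neverallow { system_domain -init -processdump -vendor_file_violator_dir_open } vendor_file:dir { open };
# No ordinary system domain may mount over a vendor_file directory.
neverallow { system_domain -vendor_file_violator_dir_mounton } vendor_file:dir { mounton };
# Regular files: everything outside the set below (write, append, create,
# unlink, rename, ...) is denied to all of system_domain except the violator
# attribute; each listed permission is asserted separately.
neverallow { system_domain -vendor_file_violator_file } vendor_file:file ~{ map open read getattr execute relabelto setattr };
# Read-style access (map/open/read/getattr) is exempted for sadomain and processdump.
neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_map } vendor_file:file { map };
neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_open } vendor_file:file { open };
neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_read } vendor_file:file { read };
neverallow { system_domain -sadomain -processdump -vendor_file_violator_file_getattr } vendor_file:file { getattr };
# Executing code labelled vendor_file from a system domain crosses the
# system/vendor boundary; the exemptions here are the only system services
# permitted to do so.
neverallow { system_domain -bluetooth_service -distributeddata -foundation -audio_server -resource_schedule_service
    -usb_service -vendor_file_violator_file_execute } vendor_file:file { execute };
# Label and attribute changes on vendor files are reserved to the violator attributes.
neverallow { system_domain -vendor_file_violator_file_relabelto } vendor_file:file { relabelto };
neverallow { system_domain -vendor_file_violator_file_setattr } vendor_file:file { setattr };
# Device nodes, pipes, symlinks and sockets labelled vendor_file: no access
# of any kind, with no exemptions.
neverallow { system_domain } vendor_file:{ blk_file chr_file fifo_file lnk_file sock_file } *;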
32
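# Prohibit system component processes from accessing vendor bin files to achieve access isolation
#
# Same layout as the vendor_file section: the ~{ ... } rule denies every
# permission not listed to all of system_domain (bar the violator attribute),
# then each listed permission is asserted on its own with its own exemptions.
# Every '-' exemption widens the boundary and should be justified when added.
neverallow { system_domain -vendor_bin_file_violator_dir } vendor_bin_file:dir ~{ search getattr open read mounton relabelto };
# Unlike vendor_file, dir search IS asserted here; the (long) exemption list
# names the system domains allowed to traverse vendor_bin_file directories.
neverallow { system_domain -accessibility -bootanimation -nfc_service -hiebpf -hiprofiler_cmd -hiprofilerd -daudio -dcamera -dhardware -dinput -dscreen -render_service
    -processdump -hidumper_service -hiview -locationhub -audio_server -av_session -resource_schedule_service -dlp_permission_service
    -security_component_service -init -module_update_service -hiprofiler_plugins -hiperf -vendor_bin_file_violator_dir_search } vendor_bin_file:dir { search };
# getattr/open/read/mounton/relabelto on the directory: violator attribute only.
neverallow { system_domain -vendor_bin_file_violator_dir_getattr } vendor_bin_file:dir { getattr };
neverallow { system_domain -vendor_bin_file_violator_dir_open } vendor_bin_file:dir { open };
neverallow { system_domain -vendor_bin_file_violator_dir_read } vendor_bin_file:dir { read };
neverallow { system_domain -vendor_bin_file_violator_dir_mounton } vendor_bin_file:dir { mounton };
neverallow { system_domain -vendor_bin_file_violator_dir_relabelto } vendor_bin_file:dir { relabelto };
# Regular files: everything outside the set below (write, create, unlink, ...)
# is denied to all of system_domain except the violator attribute.
neverallow { system_domain -vendor_bin_file_violator_file } vendor_bin_file:file ~{ entrypoint execute map read getattr open execute_no_trans relabelto setattr };
# ispserver is the only system domain exempted from the entrypoint assertion,
# i.e. the only one that may be entered via a vendor_bin_file binary; it and
# init are likewise exempted for execute.  These are direct system->vendor
# code-execution crossings and deserve scrutiny whenever the list grows.
neverallow { system_domain -ispserver -vendor_bin_file_violator_file_entrypoint } vendor_bin_file:file { entrypoint };
neverallow { system_domain -ispserver -init -vendor_bin_file_violator_file_execute } vendor_bin_file:file { execute };
# Read-style access is exempted for the profiling/diagnostic domains
# (hiebpf, hidumper_service, hiperf, hiprofiler_plugins, processdump) plus
# init; ispserver additionally for map and read.
neverallow { system_domain -ispserver -hiebpf -hidumper_service -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_map } vendor_bin_file:file { map };
neverallow { system_domain -ispserver -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_read } vendor_bin_file:file { read };
neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_getattr } vendor_bin_file:file { getattr };
neverallow { system_domain -hiebpf -hidumper_service -init -hiperf -hiprofiler_plugins -processdump -vendor_bin_file_violator_file_open } vendor_bin_file:file { open };
# execute_no_trans (running a vendor binary without a domain transition),
# relabelto and setattr: violator attributes only.
neverallow { system_domain -vendor_bin_file_violator_file_execute_no_trans } vendor_bin_file:file { execute_no_trans };
neverallow { system_domain -vendor_bin_file_violator_file_relabelto } vendor_bin_file:file { relabelto };
neverallow { system_domain -vendor_bin_file_violator_file_setattr } vendor_bin_file:file { setattr };
# Symlinks: only read is carved out, and only for its violator attribute.
neverallow { system_domain -vendor_bin_file_violator_file_lnk_file } vendor_bin_file:lnk_file ~{ read };
neverallow { system_domain -vendor_bin_file_violator_file_lnk_file_read } vendor_bin_file:lnk_file { read };
# Device nodes, pipes and sockets labelled vendor_bin_file: no access of any
# kind, with no exemptions (lnk_file is handled by the two rules above).
neverallow { system_domain } vendor_bin_file:{ blk_file chr_file fifo_file sock_file } *;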
56
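# Prohibit system component processes from accessing vendor etc files to achieve access isolation
#
# Same layout as the sections above: the ~{ ... } rule denies every permission
# not listed to all of system_domain (bar the violator attribute), then each
# listed permission is asserted on its own with its own exemptions.  Note that
# for regular files the set below contains no execute or setattr, so those
# are denied to every system domain except vendor_etc_file_violator_file.
neverallow { system_domain -vendor_etc_file_violator_dir } vendor_etc_file:dir ~{ search getattr read open mounton relabelto };
# dir search has the widest exemption list in this file, including hap_domain
# (presumably application processes) and the developer_only(`-hnp') entry,
# which — going by the macro name — is only expanded in developer builds.
# Duplicate entries (multimodalinput, resource_schedule_service, telephony_sa,
# module_update_service) were listed twice in the original set; each is kept
# once here, which does not change the resulting type set.
neverallow { system_domain -bootanimation -ispserver -media_service -misc -multimodalinput -resource_schedule_service -samgr -foundation -powermgr -accountmgr -oaid_service
    -nfc_service -wifi_hal_service -telephony_sa -dhardware -dinput -hdf_devmgr -hiview -memmgrservice -msdp_sa -audio_server -av_codec_service
    -charger -concurrent_task_service -dlp_permission_service -sensors -appspawn -init -ueventd
    -module_update_service -sys_installer_sa -updater_binary -nwebspawn -vendor_etc_file_violator_dir_search -cjappspawn
    -hap_domain -render_service developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_dir_search } vendor_etc_file:dir { search };
# Directory getattr/read/open: the spawner domains and init (plus nfc_service
# and charger for getattr) are exempted.
neverallow { system_domain -nfc_service -charger -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_getattr } vendor_etc_file:dir { getattr };
neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_read } vendor_etc_file:dir { read };
neverallow { system_domain -init -appspawn -cjappspawn -vendor_etc_file_violator_dir_open } vendor_etc_file:dir { open };
# mounton/relabelto on the directory: violator attributes only.
neverallow { system_domain -vendor_etc_file_violator_dir_mounton } vendor_etc_file:dir { mounton };
neverallow { system_domain -vendor_etc_file_violator_dir_relabelto } vendor_etc_file:dir { relabelto };
# Regular files: everything outside map/open/read/getattr/relabelto is denied
# to all of system_domain except the violator attribute.
neverallow { system_domain -vendor_etc_file_violator_file } vendor_etc_file:file ~{ map open read getattr relabelto };
neverallow { system_domain -bootanimation -media_service -memmgrservice -concurrent_task_service -resource_schedule_service
    -vendor_etc_file_violator_file_map } vendor_etc_file:file { map };
# NOTE(review): the open/read/getattr exemption lists below are not identical
# (msdp_sa appears only in read; hiview and telephony_sa are absent from
# getattr).  A domain exempted from read but not from open can only read via
# an inherited descriptor — confirm the asymmetry is intended rather than drift.
neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr
    -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service
    -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_open developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_open } vendor_etc_file:file { open };
neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -msdp_sa -foundation -powermgr
    -hdf_devmgr -hiview -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service
    -resource_schedule_service -appspawn -cjappspawn -init -telephony_sa -vendor_etc_file_violator_file_read developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_read } vendor_etc_file:file { read };
neverallow { system_domain -bootanimation -ispserver -media_service -misc -accountmgr -wifi_hal_service -dhardware -dinput -foundation -powermgr
    -hdf_devmgr -memmgrservice -audio_server -sensors -av_codec_service -multimodalinput -charger -concurrent_task_service
    -resource_schedule_service -appspawn -cjappspawn -init -vendor_etc_file_violator_file_getattr developer_only(`-hnp') -rgm_violator_ohos_vendor_etc_file_getattr } vendor_etc_file:file { getattr };
# Relabelling vendor etc files: violator attribute only.
neverallow { system_domain -vendor_etc_file_violator_file_relabelto } vendor_etc_file:file { relabelto };
# Device nodes, pipes, symlinks and sockets labelled vendor_etc_file: no access
# of any kind, with no exemptions.
neverallow { system_domain } vendor_etc_file:{ blk_file chr_file fifo_file lnk_file sock_file } *;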
83