# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules whose source type is `foundation`.
# Each `allow` grants only the listed permissions on the named target
# type and object class; review additions against least privilege,
# since every rule here widens what a compromised foundation process
# can reach.

allow foundation accessibility:binder { call };
allow foundation accesstoken_service:binder { call };
allow foundation accountmgr:binder { call };
# Access to appspawn: write to its socket file, connect to its unix
# stream socket and use file descriptors it passes.
allow foundation appspawn_socket:sock_file { write };
allow foundation appspawn:fd { use };
allow foundation appspawn:unix_stream_socket { connectto };
# foundation may set parameters labelled bootevent_param (and
# persist_param further down), not only read them.
allow foundation bootevent_param:file { map open read };
allow foundation bootevent_param:parameter_service { set };
allow foundation bgtaskmgr_service:binder { call transfer };
allow foundation configfs:dir { remove_name rmdir search write };
allow foundation data_app_el1_file:file { getattr map read };
allow foundation data_file:dir { search };
allow foundation data_service_el1_file:dir { add_name create remove_name search write };
allow foundation data_service_el1_file:file { create ioctl unlink write open };
allow foundation data_service_file:dir { search };
allow foundation data_system_ce:dir { add_name search write };
allow foundation data_system_ce:file { create getattr ioctl lock map open read write };
allow foundation device_usage_stats_service:binder { call transfer };
allow foundation dev_mali:chr_file { ioctl };
allow foundation dev_unix_socket:dir { search };
allow foundation dev_unix_socket:sock_file { write };
allow foundation distributeddata:binder { call transfer };
allow foundation distributedfiledaemon:binder { call };
allow foundation distributedfileservice:binder { call };
allow foundation edm_sa:binder { call };
allow foundation foundation:unix_dgram_socket { getopt setopt };
allow foundation hdcd:binder { transfer };
allow foundation hdf_devmgr:binder { call transfer };
allow foundation hdf_allocator_service:hdf_devmgr_class { get };
allow foundation hiview:binder { transfer };
allow foundation memmgrservice:binder { call transfer };
allow foundation multimodalinput:binder { transfer };
allow foundation multimodalinput:unix_stream_socket { read };
# foundation may send signals to, and kill, processes in the
# normal_hap_attr domain; the same pair is granted for
# system_basic_hap_attr and system_core_hap_attr below.
allow foundation normal_hap_attr:process { sigkill signal };
allow foundation normal_hap_data_file_attr:file { read };
allow foundation persist_param:parameter_service { set };
allow foundation power_host:binder { call };
allow foundation render_service:binder { call transfer };
allow foundation render_service:fd { use };
allow foundation resource_schedule_service:binder { call transfer };
# samgr_class rules: `get` on services owned by other components,
# `add` on the sa_foundation_* entries.
# NOTE(review): `add` presumably registers a system ability and `get`
# looks one up; confirm against the samgr_class definition.
allow foundation sa_accesstoken_manager_service:samgr_class { get };
allow foundation sa_accountmgr:samgr_class { get };
allow foundation sa_bgtaskmgr:samgr_class { get };
allow foundation sa_device_service_manager:samgr_class { get };
allow foundation sa_distributeddata_service:samgr_class { get };
allow foundation sa_distributeschedule:samgr_class { get };
allow foundation sa_foundation_abilityms:samgr_class { add };
allow foundation sa_foundation_ans:samgr_class { add };
allow foundation sa_foundation_appms:samgr_class { add get };
allow foundation sa_foundation_bms:samgr_class { add };
allow foundation sa_foundation_devicemanager_service:samgr_class { add get };
allow foundation sa_foundation_tel_call_manager:samgr_class { add };
allow foundation sa_foundation_wms:samgr_class { get };
allow foundation sa_powermgr_battery_service:samgr_class { get };
allow foundation sa_powermgr_batterystats_service:samgr_class { get };
allow foundation sa_powermgr_displaymgr_service:samgr_class { get };
allow foundation sa_powermgr_powermgr_service:samgr_class { get };
allow foundation sa_powermgr_thermal_service:samgr_class { get };
# Macro call rather than an explicit allow; its expansion is defined
# outside this file, so audit the macro to see what it grants.
binder_call(foundation, powermgr);
allow foundation sa_memory_manager_service:samgr_class { get };
allow foundation sa_msdp_devicestatus_service:samgr_class { get };
allow foundation sa_multimodalinput_service:samgr_class { get };
allow foundation sa_param_watcher:samgr_class { get };
allow foundation sa_softbus_service:samgr_class { get };
allow foundation sa_telephony_tel_cellular_call:samgr_class { get };
allow foundation sa_useriam_useridm_service:samgr_class { get };
allow foundation sa_useriam_userauth_service:samgr_class { get };
allow foundation screenlock_server:binder { call transfer };
allow foundation softbus_server:binder { call };
allow foundation sys_file:file { ioctl write };
allow foundation system_basic_hap_attr:binder { call transfer };
allow foundation system_basic_hap_attr:fd { use };
allow foundation system_basic_hap_attr:process { sigkill signal };
allow foundation system_basic_hap_data_file_attr:file { read };
# Write (not just read) on system_basic_hap_data_file files.
allow foundation system_basic_hap_data_file:file { write };
allow foundation system_core_hap_attr:binder { call transfer };
allow foundation system_core_hap_attr:dir { search };
allow foundation system_core_hap_attr:file { getattr open read };
allow foundation system_core_hap_attr:process { sigkill signal };
allow foundation system_core_hap_data_file_attr:file { read };
allow foundation system_lib_file:dir { getattr };
allow foundation vendor_etc_file:dir { search };
allow foundation work_scheduler_service:binder { call };
allow foundation quick_fix:binder { call transfer };
# Extended-permission rules: for each source/target/class listed, the
# `ioctl` permission granted above is narrowed to these command
# numbers only. Add a command here rather than dropping the allowxperm
# line, which would open every ioctl on that target.
# NOTE(review): 0x5413 matches TIOCGWINSZ in the generic Linux
# numbering and 0xf50c looks like an F2FS command (magic 0xf5);
# 0x8002 is driver-specific. Confirm each against the kernel headers.
allowxperm foundation data_service_el1_file:file ioctl { 0x5413 };
allowxperm foundation data_system_ce:file ioctl { 0xf50c };
allowxperm foundation dev_mali:chr_file ioctl { 0x8002 };
allowxperm foundation sys_file:file ioctl { 0x5413 };
# CAP_SYS_PTRACE on self. The capability alone does not grant the
# process:ptrace permission; the neverallow near the end of this file
# keeps it from being paired with one.
allow foundation foundation:capability { sys_ptrace };
allow foundation storage_manager:dir { search };
allow foundation storage_manager:file { open read write getattr };
allow foundation sa_storage_manager_service:samgr_class { get };
allow foundation netmanager:binder { transfer };
allow foundation faultloggerd:fifo_file { read };
# Read/write on files labelled exfat, vfat and ntfs.
# NOTE(review): presumably external or removable storage; confirm the
# labelling, since such content is outside the device's control.
allow foundation exfat:file { read write };
allow foundation vfat:file { read write };
allow foundation ntfs:file { read write };
allow foundation key_enable:key { search };
allow foundation accountmgr:fd { use };
# Build-time assertion: any rule granting foundation the ptrace
# permission on a process of any type makes policy compilation fail.
neverallow foundation *:process ptrace;

# Added for hiperf. The source type of this rule is hiperf, not
# foundation: it lets hiperf use file descriptors from multimodalinput.
allow hiperf multimodalinput:fd { use };