1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14#type accountmgr, sadomain, domain, samgr_type;
15
# Binder IPC peers of accountmgr.  binder_call() is the project macro for a
# two-way binder relationship (presumably expanding to call/transfer rules in
# both directions -- check its definition in the macro file).
#
# System abilities accountmgr depends on.
binder_call(accountmgr, foundation);
binder_call(accountmgr, useriam);
binder_call(accountmgr, pinauth);
#
# Application domains, every HAP privilege level down to normal apps.
# NOTE(review): SELinux only gates the binder transport here; any per-interface
# authorization of app callers has to be done by the service itself (this
# policy does grant accountmgr a call on accesstoken_service further below).
binder_call(accountmgr, system_core_hap_attr);
binder_call(accountmgr, system_basic_hap_attr);
binder_call(accountmgr, normal_hap_attr);
#
# Rules not covered by the macro.
allow accountmgr init:binder { call transfer };
allow accountmgr self:unix_dgram_socket { getopt setopt };
25
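# Persistent account storage under /data (EL1 area).
#
# NOTE(review): the two data_system rules are broad -- they let accountmgr
# create and remove arbitrary entries in any data_system-labelled directory
# and relabel any data_system file (relabelfrom), not only its own account
# subtree.  Worth confirming the service really needs more than its own
# directory; tightening would mean a dedicated label for that path.
allow accountmgr data_system:dir { getattr write add_name create read open setattr search remove_name rmdir };
allow accountmgr data_system:file { getattr write create read open setattr ioctl relabelfrom };
allow accountmgr data_service_file:dir { search };
allow accountmgr data_service_el1_file:dir { add_name create getattr open read search setattr write remove_name rmdir watch };
allow accountmgr data_service_el1_file:file { create getattr ioctl relabelfrom setattr write open read unlink map lock watch };
# ioctl on el1 files is restricted to exactly these two commands (the two
# separate allowxperm rules for the same target were merged; the permission
# set is unchanged).  0xf50c is the same command later allowed on the el2
# store -- see the denial recorded there.  Meaning of 0x5413 is not
# documented here -- TODO confirm which caller needs it.
allowxperm accountmgr data_service_el1_file:file ioctl { 0xf50c 0x5413 };
allow accountmgr data_service_el2_file:dir { search };
# account_data_file is accountmgr's own data label: full create/read/write/
# delete, plus relabelto so that files created under the data_system /
# data_service_el1 labels above can be moved to this label.  lock and watch
# were added from the two denials below and are folded into the single rule
# for this target so the effective set is visible in one place.
# avc:  denied  { lock } for  pid=4779 comm="IPC_1_4783" path="/data/service/el1/public/account/100/account_info.json" dev="mmcblk0p14" ino=7594 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1
# avc:  denied  { watch } for  pid=4779 comm="SaInit0" path="/data/service/el1/public/account/104/account_info.json" dev="mmcblk0p14" ino=14953 scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_file:s0 tclass=file permissive=1
allow accountmgr account_data_file:file { getattr setattr open ioctl create write read relabelto unlink map lock watch };
allow accountmgr account_data_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch };
# NOTE(review): map + execute on vendor_lib_file lets accountmgr load any
# vendor shared library (presumably vendor plug-ins); the set of libraries
# actually dlopen()ed should be a fixed, reviewed list.
allow accountmgr vendor_lib_file:file { getattr open read map execute };
allow accountmgr vendor_lib_file:lnk_file { read };
allow accountmgr vendor_lib_file:dir { search };
allow accountmgr data_file:dir { search };
allow accountmgr sys_file:file { read open };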
44
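# Per-user account data under /data/service/el2/<userId>/account (EL2 --
# presumably the per-user encrypted area, only reachable after unlock).
# ioctl is granted here for the kvdb store used by app_account (see the
# denial below, which was recorded twice in the original file and is kept
# once); the permitted command is pinned by the allowxperm rule, so the
# broad ioctl permission only ever resolves to 0xf50c.
allow accountmgr account_data_el2_file:file { getattr setattr open create write read relabelto unlink map lock watch ioctl };
allow accountmgr account_data_el2_file:dir { add_name create open setattr remove_name rmdir getattr search read write watch };
# avc:  denied  { ioctl } for  pid=666 comm="OS_IPC_3_955" path="/data/service/el2/100/account/app_account/database/kvdb/5b281d1d619b09bcafed523d8fe64b47c64bec36bee7fa9d64ad21e569894065/single_ver/main/gen_natural_store.db" dev="mmcblk0p15" ino=2591 ioctlcmd=0xf50c scontext=u:r:accountmgr:s0 tcontext=u:object_r:account_data_el2_file:s0 tclass=file permissive=1
allowxperm accountmgr account_data_el2_file:file ioctl { 0xf50c };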
51
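# Tracing and logging sinks (write-only paths into hilog / hisysevent /
# ftrace marker).
allow accountmgr tracefs:dir { search };
allow accountmgr tracefs_trace_marker_file:file { write open };
allow accountmgr hilog_input_socket:sock_file { write };
allow accountmgr hisysevent_socket:sock_file { write };
allow accountmgr dev_unix_socket:dir { search };
# Binder peers.  param_watcher, storage_manager and distributeddata were each
# granted across two separate one-permission rules in the original; they are
# merged here so the effective { call transfer } set for each peer is stated
# once.  accesstoken_service (call only) and wifi_manager_service (transfer
# only) keep their narrower sets.
allow accountmgr accesstoken_service:binder { call };
allow accountmgr param_watcher:binder { call transfer };
allow accountmgr storage_manager:binder { call transfer };
allow accountmgr distributeddata:binder { call transfer };
allow accountmgr wifi_manager_service:binder { transfer };
# Startup / device-info files.  Note that data_init_agent files are
# appendable, not just readable -- TODO confirm which file accountmgr
# appends to.
allow accountmgr data_init_agent:dir { search };
allow accountmgr data_init_agent:file { read append ioctl open };
allow accountmgr devinfo_private_param:file { map open read };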
68
# System-ability registry (samgr) access.  accountmgr registers itself
# (add) and looks up (get) the abilities it calls.  The get rules are kept
# in alphabetical order; the set is identical to the original.
allow accountmgr sa_accountmgr:samgr_class { add };
allow accountmgr sa_accesstoken_manager_service:samgr_class { get };
allow accountmgr sa_distributeddata_service:samgr_class { get };
allow accountmgr sa_foundation_abilityms:samgr_class { get };
allow accountmgr sa_foundation_appms:samgr_class { get };
allow accountmgr sa_foundation_bms:samgr_class { get };
allow accountmgr sa_foundation_cesfwk_service:samgr_class { get };
allow accountmgr sa_foundation_devicemanager_service:samgr_class { get };
allow accountmgr sa_huks_service:samgr_class { get };
allow accountmgr sa_param_watcher:samgr_class { get };
allow accountmgr sa_storage_manager_service:samgr_class { get };
allow accountmgr sa_time_service:samgr_class { get };
allow accountmgr sa_useriam_pinauth_service:samgr_class { get };
allow accountmgr sa_useriam_userauth_service:samgr_class { get };
allow accountmgr sa_useriam_useridm_service:samgr_class { get };
# dlp_permission_service: transfer only (no call), as recorded by the denial.
# avc:  denied  { transfer } for  pid=4779 comm="IPC_4_4794" scontext=u:r:accountmgr:s0 tcontext=u:r:dlp_permission_service:s0 tclass=binder permissive=1
allow accountmgr dlp_permission_service:binder { transfer };
# huks_service (key store): the denial only shows call, transfer is granted
# alongside it so binder objects can be passed in the same transaction.
# avc:  denied  { call } for  pid=4779 comm="IPC_1_4783" scontext=u:r:accountmgr:s0 tcontext=u:r:huks_service:s0 tclass=binder permissive=1
allow accountmgr huks_service:binder { call transfer };
89
# Binder peers that only receive objects from accountmgr (transfer, no call).
allow accountmgr accessibility:binder { transfer };
allow accountmgr deviceauth_service:binder { transfer };
# Read-only access to the system parameter shared-memory files (map open
# read is the usual triple for mmap'ed parameter pages).
allow accountmgr bootevent_param:file { map open read };
allow accountmgr bootevent_samgr_param:file { map open read };
allow accountmgr build_version_param:file { map open read };
allow accountmgr const_allow_mock_param:file { map open read };
allow accountmgr const_allow_param:file { map open read };
allow accountmgr const_build_param:file { map open read };
allow accountmgr const_display_brightness_param:file { map open read };
allow accountmgr const_param:file { map open read };
allow accountmgr const_postinstall_fstab_param:file { map open read };
allow accountmgr const_postinstall_param:file { map open read };
allow accountmgr const_product_param:file { map open read };
allow accountmgr debug_param:file { map open read };
allow accountmgr default_param:file { map open read };
# The only parameter namespace accountmgr may write in this block:
# bootevent.* (presumably boot-phase completion signalling -- verify).
allow accountmgr bootevent_param:parameter_service { set };
# NOTE(review): read/write on the console device is normally only needed for
# early-boot debugging; confirm it is still required in a production policy.
allow accountmgr dev_console_file:chr_file { read write };
108
# Binder peers with a full { call transfer } relationship.
allow accountmgr time_service:binder { call transfer };
allow accountmgr distributedfiledaemon:binder { call transfer };
allow accountmgr usb_service:binder { call transfer };
allow accountmgr asset_service:binder { call transfer };
allow accountmgr audio_server:binder { call transfer };
allow accountmgr media_service:binder { call transfer };
allow accountmgr i18n_service:binder { call transfer };
# Binder peers that only receive objects (transfer, no call).
allow accountmgr hiview:binder { transfer };
allow accountmgr locationhub:binder { transfer };
allow accountmgr softbus_server:binder { transfer };
# samgr lookup for the asset service used above.
allow accountmgr sa_asset_service:samgr_class { get };
# Socket endpoints.
allow accountmgr hiview:unix_dgram_socket { sendto };
allow accountmgr paramservice_socket:sock_file { write };
# NOTE(review): connectto on kernel-domain unix stream sockets is unusually
# broad for an account service -- confirm which socket is actually needed
# and whether a narrower socket label exists for it.
allow accountmgr kernel:unix_stream_socket { connectto };
# Read-only (mmap'ed) system parameter pages.
allow accountmgr distributedsche_param:file { map open read };
allow accountmgr hilog_param:file { map open read };
allow accountmgr hw_sc_build_os_param:file { map open read };
allow accountmgr hw_sc_build_param:file { map open read };
allow accountmgr hw_sc_param:file { map open read };
allow accountmgr init_param:file { map open read };
allow accountmgr init_svc_param:file { map open read };
allow accountmgr input_pointer_device_param:file { map open read };
allow accountmgr net_param:file { map open read };
allow accountmgr net_tcp_param:file { map open read };
allow accountmgr ohos_boot_param:file { map open read };
allow accountmgr ohos_param:file { map open read };
allow accountmgr persist_param:file { map open read };
allow accountmgr persist_sys_param:file { map open read };
allow accountmgr security_param:file { map open read };
allow accountmgr startup_param:file { map open read };
allow accountmgr sys_param:file { map open read };
allow accountmgr sys_usb_param:file { map open read };
# Miscellaneous filesystem access (all read-only except the lock on
# system_etc_file).
allow accountmgr system_bin_file:dir { search };
allow accountmgr sysfs_devices_system_cpu:file { open read getattr };
allow accountmgr vendor_etc_file:dir { search };
allow accountmgr vendor_etc_file:file { read getattr open };
allow accountmgr system_etc_file:file { lock };
146
# Late additions, each justified by a recorded denial.
#
# Anonymous shared memory (ashmem) -- open only; the denial was taken in
# enforcing mode (permissive=0), so this was a real failure.
# avc: denied { open } for  pid=541 comm="IPC_0_735" path="/dev/ashmem" dev="tmpfs" ino=170 scontext=u:r:accountmgr:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0
allow accountmgr dev_ashmem_file:chr_file { open };
#
# Writing persist.* parameters.  NOTE(review): persist_param covers the whole
# persist.* namespace, not just persist.account.* from the denial; a dedicated
# parameter label would confine the write to the account keys.
# avc:  denied  { set } for parameter=persist.account.login_name_max pid=2208 uid=3058 gid=3058 scontext=u:r:accountmgr:s0 tcontext=u:object_r:persist_param:s0 tclass=parameter_service permissive=0
allow accountmgr persist_param:parameter_service { set };
#
# Directory ioctls on the account data tree, pinned to two commands.
allow accountmgr account_data_file:dir { ioctl };
allowxperm accountmgr account_data_file:dir ioctl { 0xf546 0xf547 };
#
# Binder peer.
allow accountmgr msdp_sa:binder { call transfer };
157
# add for test
# Test-only hook: lets the shell domain transact with accountmgr so tests can
# drive it from a shell.  Wrapped in debug_only(), which presumably expands to
# nothing in non-debug builds -- verify against the macro definition, since
# this must never reach a production policy.
debug_only(`
    allow accountmgr sh:binder { call };
')
162