1# Copyright (c) 2022-2023 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14type privacy_service, sadomain, domain; 15 16allow privacy_service accesstoken_data_file:dir { search add_name open read write remove_name }; 17allow privacy_service accesstoken_data_file:file { open read getattr ioctl lock write create unlink }; 18allow privacy_service accesstoken_service:binder { call }; 19allow privacy_service audio_server:binder { call transfer }; 20allow privacy_service bootevent_param:file { map open read }; 21allow privacy_service bootevent_samgr_param:file { map open read }; 22allow privacy_service build_version_param:file { map open read }; 23allow privacy_service const_allow_mock_param:file { map open read }; 24allow privacy_service const_allow_param:file { map open read }; 25allow privacy_service const_build_param:file { map open read }; 26allow privacy_service const_display_brightness_param:file { map open read }; 27allow privacy_service const_param:file { map open read }; 28allow privacy_service const_postinstall_fstab_param:file { map open read }; 29allow privacy_service const_postinstall_param:file { map open read }; 30allow privacy_service const_product_param:file { map open read }; 31allow privacy_service data_file:dir { search }; 32allow privacy_service data_service_el1_file:dir { add_name getattr open read remove_name search write }; 33allow privacy_service data_service_el1_file:file { create getattr ioctl lock read write open unlink relabelfrom }; 34allow privacy_service data_service_file:dir { search }; 35allow privacy_service debug_param:file { map open read }; 36allow privacy_service default_param:file { map open read }; 37allow privacy_service dev_console_file:chr_file { read write }; 38allow privacy_service dev_unix_socket:dir { search }; 39allow privacy_service devinfo_private_param:file { map open read }; 40allow privacy_service distributedsche_param:file { map open read }; 41allow privacy_service hilog_param:file { map open read }; 42allow privacy_service hw_sc_build_os_param:file { map open read }; 43allow privacy_service hw_sc_build_param:file { map open read }; 44allow privacy_service hw_sc_param:file { map open read }; 45allow privacy_service init_param:file { map open read }; 46allow privacy_service init_svc_param:file { map open read }; 47allow privacy_service input_pointer_device_param:file { map open read }; 48allow privacy_service net_param:file { map open read }; 49allow privacy_service net_tcp_param:file { map open read }; 50allow privacy_service normal_hap_attr:binder { call }; 51allow privacy_service ohos_boot_param:file { map open read }; 52allow privacy_service ohos_param:file { map open read }; 53allow privacy_service param_watcher:binder { call transfer }; 54allow privacy_service persist_param:file { map open read }; 55allow privacy_service persist_sys_param:file { map open read }; 56allow privacy_service sa_accesstoken_manager_service:samgr_class { get }; 57allow privacy_service sa_audio_policy_service:samgr_class { get }; 58# avc: denied { get } for service=3008 pid=500 scontext=u:r:privacy_service:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=0 59allow privacy_service sa_camera_service:samgr_class { get }; 60allow privacy_service sa_drm_service:samgr_class { get }; 61allow privacy_service sa_foundation_abilityms:samgr_class { get }; 62allow privacy_service sa_foundation_appms:samgr_class { get }; 63# avc: denied { get } for service=3301 pid=531 scontext=u:r:privacy_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=1 64allow privacy_service sa_powermgr_powermgr_service:samgr_class { get }; 65allow privacy_service sa_foundation_wms:samgr_class { get }; 66allow privacy_service sa_param_watcher:samgr_class { get }; 67allow privacy_service sa_privacy_service:samgr_class { add get }; 68allow privacy_service sa_pulseaudio_audio_service:samgr_class { get }; 69allow privacy_service security_param:file { map open read }; 70allow privacy_service startup_param:file { map open read }; 71allow privacy_service sys_param:file { map open read }; 72allow privacy_service sys_usb_param:file { map open read }; 73allow privacy_service system_basic_hap_attr:binder {call}; 74allow privacy_service system_bin_file:dir { search }; 75allow privacy_service system_core_hap_attr:binder {call}; 76allow privacy_service tracefs_trace_marker_file:file { open write }; 77allow privacy_service tracefs:dir { search }; 78 79allow privacy_service sa_foundation_cesfwk_service:samgr_class { get }; 80allow privacy_service sa_screenlock_service:samgr_class { get }; 81allow privacy_service sa_bgtaskmgr:samgr_class { get }; 82 83binder_call(foundation, privacy_service); 84binder_call(powermgr, privacy_service); 85binder_call(privacy_service, accesstoken_service); 86binder_call(privacy_service, foundation); 87binder_call(privacy_service, powermgr); 88binder_call(system_basic_hap_attr, privacy_service); 89binder_call(system_core_hap_attr, privacy_service); 90binder_call(privacy_service, bgtaskmgr_service); 91 92debug_only(` 93 binder_call(privacy_service, sh); 94 binder_call(privacy_service, su); 95') 96