1# Copyright (c) 2021-2024 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14type init, native_system_domain, domain; 15type init_exec, exec_attr, file_attr, system_file_attr; 16type ueventd, native_system_domain, domain; 17type ueventd_exec, system_file_attr, exec_attr, file_attr; 18type remount_exec, system_file_attr, exec_attr, file_attr; 19 20 21debug_only(` 22 allow init console:process { rlimitinh siginh transition getattr }; 23') 24allow init data_startup:dir { create getattr open read relabelfrom relabelto remove_name search setattr write add_name }; 25allow init data_startup:file { create ioctl open read append relabelto rename unlink write open }; 26allow init proc_stat_file:file { setattr read open }; 27allow init proc_diskstats_file:file { read open }; 28allow init kernel:file { read open }; 29allow init kernel:dir { search }; 30allow bootevent_wms_param tmpfs:filesystem associate; 31allow init bootevent_wms_param:file { map open read relabelto relabelfrom}; 32allow dhardware_dm_param tmpfs:filesystem associate; 33allow init dhardware_dm_param:file { map open read relabelto relabelfrom }; 34allow persist_audio_param tmpfs:filesystem associate; 35allow init persist_audio_param:file { map open read relabelto relabelfrom }; 36allow arkcompiler_param tmpfs:filesystem associate; 37allow init arkcompiler_param:file { map open read relabelto relabelfrom }; 38allow init arkcompiler_param:parameter_service { set }; 39allow arkui_param tmpfs:filesystem associate; 40allow init arkui_param:file { map open read relabelto relabelfrom }; 41allow init arkui_param:parameter_service { set }; 42allow hap_domain arkui_param:file { map open read }; 43allow init inputmethod_param:file { map open read relabelto relabelfrom }; 44allow init inputmethod_param:parameter_service { set }; 45 46allow pasteboard_param tmpfs:filesystem associate; 47allow init pasteboard_param:file { map open read relabelto relabelfrom }; 48allow time_param tmpfs:filesystem associate; 49allow init time_param:file { map open read relabelto relabelfrom }; 50allow accesstoken_perm_param tmpfs:filesystem associate; 51allow init accesstoken_perm_param:file { map open read relabelto relabelfrom }; 52 53allow xts_devattest_authresult_param tmpfs:filesystem associate; 54allow init xts_devattest_authresult_param:file { map open read relabelto relabelfrom }; 55allow init xts_devattest_authresult_param:parameter_service { set }; 56allow init hitrace_param:file { map open read relabelto relabelfrom }; 57allow init hiviewdfx_profiler_param:file { map open read relabelto relabelfrom }; 58allow init devpts:chr_file { ioctl }; 59 60allow i18n_param tmpfs:filesystem associate; 61allow init i18n_param:file { map open read relabelto relabelfrom }; 62allow init i18n_param:parameter_service { set }; 63allow { domain -limit_domain } i18n_param:file { map open read }; 64allow i18n_param_tz_override tmpfs:filesystem associate; 65allow init i18n_param_tz_override:file { map open read relabelto relabelfrom }; 66allow init i18n_param_tz_override:parameter_service { set }; 67allow { domain } i18n_param_tz_override:file { map open read }; 68developer_only(` 69 allow sh i18n_param_tz_override:file { map open read }; 70') 71allow const_i18n_param tmpfs:filesystem associate; 72allow init const_i18n_param:file { map open read relabelto relabelfrom }; 73allow { domain -limit_domain } const_i18n_param:file { map open read }; 74 75allow { domain } data_service_el1_i18n_timezone_file:dir { search open read getattr mounton }; 76allow { domain } data_service_el1_i18n_timezone_file:file { open read getattr map }; 77 78#for bootchart to read 79allow init domain:file { open read }; 80allow init domain:dir { search }; 81 82# for init trace 83allow init hiview:unix_dgram_socket { sendto }; 84 85# all can read 86allow domain musl_param:file { map open read }; 87 88#for crash handle 89allow init init_exec:file { open read getattr map }; 90allow init faultloggerd_temp_file:dir { add_name remove_name write open read search }; 91allow init faultloggerd_temp_file:file { create getattr setattr write open read unlink }; 92allow init sa_device_service_manager:samgr_class{ get }; 93 94allow edm_writable_param tmpfs:filesystem associate; 95allow init edm_writable_param:file { map open read relabelto }; 96allow init edm_writable_param:parameter_service { set }; 97allow { domain } edm_writable_param:file { map open read }; 98 99define(`init_relabel', ` 100 allow init $1:{ file dir sock_file } { relabelto setattr }; 101 allow init $1:dir { search }; 102') 103init_relabel(data_service_el1_public_print_service_file); 104init_relabel(data_service_el1_i18n_timezone_file); 105init_relabel(data_parameters); 106init_relabel(data_udev); 107init_relabel(data_multimodalinput); 108init_relabel(sandbox_manager_data_file); 109init_relabel(account_data_file); 110init_relabel(hdf_ext_devmgr_file); 111init_relabel(cloudfile_data_file); 112init_relabel(udevd_socket); 113init_relabel(accesstoken_data_file); 114init_relabel(data_service_el1_public_deviceauthService_file); 115init_relabel(data_service_el1_public_huksService_file); 116init_relabel(update_dupdate_engine_file); 117init_relabel(update_update_service_file); 118neverallow init *:process ptrace; 119 120allow init init:netlink_kobject_uevent_socket { read write }; 121