xref: /base/security/selinux_adapter/sepolicy/whitelist/sh.baseline

# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

developer_only(`
(allow sh aa (process (transition siginh rlimitinh)))
(allow sh aa_exec (file (ioctl read getattr map execute open)))
(allow sh bm (process (transition siginh rlimitinh)))
(allow sh bm_exec (file (ioctl read getattr map execute open)))
(allow sh bytrace (process (transition siginh rlimitinh)))
(allow sh bytrace_exec (file (ioctl read getattr map execute open)))
(allow sh data_file (dir (getattr search)))
(allow sh data_log (dir (search)))
(allow sh data_hilogd_file (dir (ioctl read getattr lock open watch watch_reads search)))
(allow sh data_hilogd_file (file (ioctl read getattr lock map open watch watch_reads)))
(allow sh data_local (dir (ioctl read getattr lock open watch watch_reads search)))
(allow sh data_local_tmp (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow sh data_local_tmp (file (execute execute_no_trans ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow sh debug_param (file (read map open)))
(allow sh debug_param (parameter_service (set)))
(allow sh dev_console_file (chr_file (read write getattr)))
(allow sh dev_file (dir (search)))
(allow sh dev_null_file (chr_file (read write open)))
(allow sh dev_parameters_file (dir (search)))
(allow sh dev_parameters_file (file (ioctl read getattr lock map open watch watch_reads)))
(allow sh dev_unix_file (dir (search)))
(allow sh dev_unix_socket (dir (search)))
(allow sh developtools_hdc_control_param (file (read map open)))
(allow sh devpts (chr_file (ioctl read write getattr)))
(allow sh domain (dir (getattr search)))
(allow sh domain (file (read open)))
(allow sh domain (process (getattr)))
(allow sh edm (process (transition getattr siginh rlimitinh)))
(allow sh edm_exec (file (getattr read ioctl open map execute)))
(allow sh etc_file (lnk_file (read)))
(allow sh hdcd (fd (use)))
(allow sh hdcd (fifo_file (ioctl read write)))
(allow sh hdcd (unix_stream_socket (read write)))
(allow sh hidumper (process (transition siginh rlimitinh)))
(allow sh hidumper_exec (file (ioctl read getattr map execute open)))
(allow sh hilog_control_socket (sock_file (write)))
(allow sh hilog_exec (file (read getattr map execute open execute_no_trans)))
(allow sh hilog_input_socket (sock_file (write)))
(allow sh hilog_output_socket (sock_file (write)))
(allow sh hilog_param (file (read map open)))
(allow sh hilog_param (parameter_service (set)))
(allow sh hilogd (unix_dgram_socket (sendto)))
(allow sh hilogd (unix_stream_socket (connectto)))
(allow sh hiperf (process (transition siginh rlimitinh)))
(allow sh hiperf_exec (file (ioctl read getattr map execute open)))
(allow sh hiprofiler_cmd (process (transition siginh rlimitinh)))
(allow sh hiprofiler_cmd_exec (file (ioctl read getattr map execute open)))
(allow sh hisysevent (process (transition siginh rlimitinh)))
(allow sh hisysevent_exec (file (ioctl read getattr map execute open)))
(allow sh hitrace (process (transition siginh rlimitinh)))
(allow sh hitrace_exec (file (ioctl read getattr map execute open)))
(allow sh kernel (unix_stream_socket (connectto)))
(allow sh lib_file (lnk_file (read)))
(allow sh paramservice_socket (sock_file (write)))
(allow sh proc_file (dir (read getattr open search)))
(allow sh proc_file (lnk_file (read getattr)))
(allow sh proc_net (file (read open getattr)))
(allow sh processdump (process (transition sigchld share siginh rlimitinh)))
(allow sh processdump_exec (file (ioctl read getattr map execute open)))
(allow sh rootfs (dir (search)))
(allow sh rootfs (lnk_file (read)))
(allow sh self (dir (ioctl read getattr lock open watch watch_reads search)))
(allow sh self (fd (use)))
(allow sh self (fifo_file (ioctl read write getattr lock append map open watch watch_reads)))
(allow sh self (file (ioctl read write getattr lock append map open watch watch_reads)))
(allow sh self (lnk_file (ioctl read getattr lock map open watch watch_reads)))
(allow sh self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit)))
(allow sh self (unix_dgram_socket (write create connect)))
(allow sh self (unix_stream_socket (read write create connect setopt)))
(allow sh selinuxfs (filesystem (getattr)))
(allow sh servicectrl_reboot_param (parameter_service (set)))
(allow sh sh_exec (file (read getattr map execute open entrypoint)))
(allow sh sys_file (dir (search)))
(allow sh system_bin_file (dir (read getattr open search)))
(allow sh system_bin_file (file (read getattr map execute open execute_no_trans)))
(allow sh system_bin_file (lnk_file (read)))
(allow sh toybox_exec (file (read getattr map execute open execute_no_trans)))
(allow sh toybox_exec (lnk_file (read)))
(allow sh system_etc_file (dir (search)))
(allow sh system_etc_file (file (read getattr open map)))
(allow sh sysfs_net (dir (search)))
(allow sh sysfs_net (lnk_file (read)))
(allow sh proc_net_tcp_udp (file (getattr)))
(allow sh system_file (dir (search)))
(allow sh system_lib_file (file (read getattr map execute open)))
(allow sh tty_device (chr_file (ioctl read write getattr open)))
(allow sh vendor_lib_file (dir (search)))
(allow sh time_param (file (read map open)))
(allow sh vendor_file (dir (search)))
(allow sh system_lib_file (dir (search)))
(allow sh hichecker_writable_param (parameter_service (set)))
(allow sh arkui_param (parameter_service (set)))
(allow sh devinfo_public_param (file (map open read)))
(allow sh devinfo_type_param (file (map open read)))
(allow sh ark_profile (parameter_service (set)))
(allow sh ark_writeable_param (parameter_service (set)))
(allow sh SP_daemon (process (transition siginh rlimitinh)))
(allow sh SP_daemon_exec (file (ioctl read getattr map execute open)))
(allow sh atm (process (transition siginh rlimitinh)))
(allow sh atm_exec (file (ioctl read getattr map execute open)))
(allow sh uitest (process (transition siginh rlimitinh sigkill)))
(allow sh uitest_exec (file (ioctl read getattr map execute open)))
(allow sh wukong (process (transition siginh rlimitinh)))
(allow sh wukong_exec (file (ioctl read getattr map execute open)))
(allow sh snapshot_display (process (siginh transition rlimitinh getattr)))
(allow sh snapshot_display_exec (file (read map execute getattr open ioctl)))
(allow sh uinput (process (transition rlimitinh siginh getattr)))
(allow sh uinput_exec (file (open map getattr ioctl read execute)))
(allow sh lldb_server_file (dir (create setattr getattr add_name open write remove_name read search rmdir)))
(allow sh lldb_server_file (file (open unlink create write setattr read getattr append)))
(allow sh power_shell (process (transition siginh rlimitinh getattr)))
(allow sh power_shell_exec (file (open map read ioctl execute getattr)))
(allow sh power_shell (lnk_file (read)))
(allow sh tmpfs (dir (search read open getattr)))
(allow sh hmdfs (dir (search read open getattr add_name create remove_name rename reparent rmdir write)))
(allow sh hmdfs (file (write read map create rename append open getattr unlink)))
(allow sh data_user_file (dir (write read add_name create rename open getattr search remove_name reparent rmdir)))
(allow sh data_user_file (file (write read map create rename append open getattr unlink)))
(allow sh data_file (dir (search)))
(allow sh data_app_file (dir (search)))
(allow sh data_app_el1_file (dir (search)))
(allow sh data_app_el2_file (dir (search)))
(allow sh data_app_el3_file (dir (search)))
(allow sh data_app_el4_file (dir (search)))
(allow sh debug_hap_data_file (dir (search getattr read open)))
(allow sh debug_hap_data_file (file (getattr read open)))
(allow sh system_file (dir (search)))
(allow sh system_fonts_file (dir (getattr search read open)))
(allow sh system_fonts_file (file (getattr read open)))
(allow sh sh (udp_socket (connect create ioctl bind read write)))
(allow sh sh (tcp_socket (connect create setopt getattr read write)))
(allow sh sh (icmp_socket (create setopt write read bind)))
(allow sh sh (rawip_socket (create setopt write read)))
(allow sh dev_random_file (chr_file (read open)))
(allow sh dnsproxy_service (sock_file (read open write)))
(allow sh node (udp_socket (node_bind)))
(allow sh node (icmp_socket (node_bind)))
(allow sh netsysnative (unix_stream_socket (connectto)))
(allow sh proc_net (lnk_file (read)))
(allow sh port (tcp_socket (name_connect)))
(allow sh kernel (key (search)))
(allow sh mediatool (process (getattr rlimitinh transition siginh)))
(allow sh mediatool_exec (file (execute read getattr ioctl map open)))
(allow sh hnp_file (dir (search getattr read open)))
(allow sh hnp_file (file (execute execute_no_trans read getattr map open)))
(allow sh hnp_file (lnk_file (read)))
(allow sh key_enable (key (search)))
(allow sh storage_daemon (key (search)))
(allow sh cem_exec (file (execute map open getattr ioctl read)))
(allow sh cem (process (getattr rlimitinh transition siginh)))
(allow sh devicedebug (process (siginh getattr rlimitinh transition)))
(allow sh devicedebug_exec (file (execute_no_trans open read map getattr execute ioctl)))
(allow sh i18n_param_tz_override (file (map open read)))
(allow sh debug_hap (dir (read open)))
(allow sh proc_stat_file (file (read open)))
(allow sh proc_meminfo_file (file (read open)))
(allow sh sysfs_devices_system_cpu (dir (read open)))
')