diff --git a/sepolicy/base/public/attributes b/sepolicy/base/public/attributes index fc1b828acb5fb93a2b2854919ddec4d3f9cd7e7e..fac7154ea2b6b9434fa6982b75c84333409fe17e 100644 --- a/sepolicy/base/public/attributes +++ b/sepolicy/base/public/attributes @@ -74,6 +74,14 @@ attribute hdf_devmgr_type; attribute hapdomain; # Type of all native processes. -# i.e. foundation, +# i.e. appspawn, # media attribute nativedomain; + +# Type of hdf processes. +# i.e. hdv_devmgr, +attribute hdfdomain; + +# Type of all native processes. +# i.e. at, +attribute sadomain; diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te index de228fa1e8e32194b675549d8f2d11fccc3d2aac..26c80d1cdbfdc58e77acc5dc93b0814cf7bb2466 100644 --- a/sepolicy/base/public/domain.te +++ b/sepolicy/base/public/domain.te @@ -92,42 +92,73 @@ allow domain init:process sigchld; #type samgr, domain; -type multimodalinput, domain; -type accesstoken_service, domain; -type face_service, domain; -type huks_service, domain; -type socperf_service, domain; -type distributedsche, domain; -type pulseaudio, domain; -type storage_manager, domain; -type bluetooth_service, domain; -type accountmgr, domain; -type dslm_service, domain; -type ui_service, domain; -type d_bms, domain; -type wifi_manager_service, domain; -type softbus_server, domain; -type distributeddata, domain; -type usb_service, domain; -type medialibrary_service, domain; +type multimodalinput, sadomain, domain; +type accesstoken_service, sadomain, domain; +type face_service, sadomain, domain; +type huks_service, sadomain, domain; +type socperf_service, sadomain, domain; +type distributedsche, sadomain, domain; +type pulseaudio, sadomain, domain; +type storage_manager, sadomain, domain; +type bluetooth_service, sadomain, domain; +type accountmgr, sadomain, domain; +type dslm_service, sadomain, domain; +type ui_service, sadomain, domain; +type d_bms, sadomain, domain; +type wifi_manager_service, sadomain, domain; +type softbus_server, sadomain, domain; +type distributeddata, sadomain, domain; +type usb_service, sadomain, domain; +type medialibrary_service, sadomain, domain; type netdnative, domain; -type netmanager, domain; -type sensors, domain; -type telephony, domain; -type updater_sa, domain; -type time_service, domain; -type bgtaskmgr_service, domain; -type camera_service, domain; -type media_service, domain; -type work_scheduler_service, domain; -type param_watcher, domain; -type useriam, domain; -type inputmethod_service, domain; -type pinauth_service, domain; +type netmanager, sadomain, domain; +type sensors, sadomain, domain; +type telephony_sa, sadomain, domain; +type updater_sa, sadomain, domain; +type time_service, sadomain, domain; +type bgtaskmgr_service, sadomain, domain; +type camera_service, sadomain, domain; +type media_service, sadomain, domain; +type work_scheduler_service, sadomain, domain; +type param_watcher, sadomain, domain; +type useriam, sadomain, domain; +type inputmethod_service, sadomain, domain; +type pinauth_service, sadomain, domain; #type foundation, domain; -type battery_stats, domain; -type audio_policy, domain; - +type battery_stats, sadomain, domain; +type audio_policy, sadomain, domain; +type token_sync_service, sadomain, domain; +type memmgrservice, sadomain, domain; +type resource_schedule_service, sadomain, domain; +type accessibility, sadomain, domain; +type distributedsched, sadomain, domain; +type distributedfile, sadomain, domain; +type fms_service, sadomain, domain; +type thermal_sa, sadomain, domain; +type device_usage_statistics_service, sadomain, domain; +type deviceinfoservice, sadomain, domain; +type distributedhardware_fwk, sadomain, domain; +type nwebspawn, sadomain, domain; +type upms, sadomain, domain; + + +type blue_host, hdfdomain, domain; +type sample_host, hdfdomain, domain; +type usb_host, hdfdomain, domain; +type usbfnMaster_host, hdfdomain, domain; +type power_host, hdfdomain, domain; +type wifi_host, hdfdomain, domain; +type audio_hdi_server_host, hdfdomain, domain; +type camera_host, hdfdomain, domain; +type input_user_host, hdfdomain, domain; +type display_gralloc_host, hdfdomain, domain; +type codec_host, hdfdomain, domain; +type riladapter_host, hdfdomain, domain; +type sensor_dal_host, hdfdomain, domain; +type vibrator_dal_host, hdfdomain, domain; +type light_dal_host, hdfdomain, domain; +type wifi_c_host, hdfdomain, domain; +type disp_gralloc_host, hdfdomain, domain; type watchdog_service, domain; type watchdog_service_exec, exec_type, file_type, system_file_type; @@ -141,10 +172,6 @@ type lmks, domain; type lmks_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, lmks_exec, lmks); -#type hdf_devmgr, domain; -#type hdf_devmgr_exec, exec_type, file_type, system_file_type; -#domain_auto_transition_pattern(init, hdf_devmgr_exec, hdf_devmgr); - type wifi_hal_service, domain; type wifi_hal_service_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, wifi_hal_service_exec, wifi_hal_service); @@ -157,7 +184,6 @@ type faultloggerd, domain; type faultloggerd_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, faultloggerd_exec, faultloggerd); -#type hiview, domain; type hiview_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, hiview_exec, hiview); @@ -169,6 +195,10 @@ type storage_daemon, domain; type storage_daemon_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, storage_daemon_exec, storage_daemon); +type thermal_protector, domain; +type thermal_protector_exec, exec_type, file_type, system_file_type; +domain_auto_transition_pattern(init, thermal_protector_exec, thermal_protector); + type sh, domain; type sh_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, sh_exec, sh); diff --git a/sepolicy/base/rk3568/accessibility.te b/sepolicy/base/rk3568/accessibility.te new file mode 100644 index 0000000000000000000000000000000000000000..ca8945fb2ac7c0455a597bab7ac84bc0f1d75130 --- /dev/null +++ b/sepolicy/base/rk3568/accessibility.te @@ -0,0 +1,62 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accessibility accessibility:dir { search }; +allow accessibility accessibility:lnk_file { read }; +allow accessibility accessibility:process { fork getsched }; +allow accessibility accessibility:unix_dgram_socket { connect create write }; +allow accessibility data_file:dir { search }; +allow accessibility data_service_el1_file:dir { getattr search }; +allow accessibility data_service_el1_file:file { getattr open read }; +allow accessibility data_service_file:dir { search }; +allow accessibility debugfs:dir { search }; +allow accessibility dev_at_file:chr_file { ioctl open read write }; +allow accessibility dev_binder_file:chr_file { ioctl map open read write }; +allow accessibility dev_file:dir { search }; +allow accessibility dev_null_file:chr_file { ioctl read write }; +allow accessibility dev_parameters_file:dir { search }; +allow accessibility dev_parameters_file:file { map open read }; +allow accessibility dev_random_file:chr_file { open read }; +allow accessibility dev_unix_file:dir { search }; +allow accessibility dev_unix_socket_file:dir { search }; +allow accessibility dev_unix_socket_file:sock_file { write }; +allow accessibility etc_file:lnk_file { read }; +allow accessibility foundation:binder { call transfer }; +allow accessibility init:fd { use }; +allow accessibility init:netlink_kobject_uevent_socket { read write }; +allow accessibility init:unix_dgram_socket { sendto }; +allow accessibility init:unix_stream_socket { read write }; +allow accessibility kernel:fd { use }; +allow accessibility normal_hap_domain:binder { call }; +allow accessibility platform_hap_domain:binder { call }; +allow accessibility priv_hap_domain:binder { call }; +allow accessibility proc_file:dir { search }; +allow accessibility proc_file:lnk_file { read }; +allow accessibility rootfs:dir { search }; +allow accessibility samain_exec:file { entrypoint execute map read }; +allow accessibility samgr:binder { call transfer }; +allow accessibility system_etc_file:dir { getattr open read search }; +allow accessibility system_etc_file:file { open read }; +allow accessibility system_file:dir { search }; +allow accessibility system_lib_file:dir { search }; +allow accessibility system_lib_file:file { execute getattr map open read }; +allow accessibility system_profile_file:dir { search }; +allow accessibility system_profile_file:file { getattr open read }; +allow accessibility system_usr_file:dir { search }; +allow accessibility system_usr_file:file { getattr map open read }; +allow accessibility vendor_file:dir { search }; +allow accessibility vendor_file:file { execute getattr map open read }; +allow accessibility vendor_file:lnk_file { read }; +allowxperm accessibility dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm accessibility dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm accessibility dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/accesstoken_service.te b/sepolicy/base/rk3568/accesstoken_service.te new file mode 100644 index 0000000000000000000000000000000000000000..285b8b7a229d7f7eb4686a10c3834aa7d7c722f7 --- /dev/null +++ b/sepolicy/base/rk3568/accesstoken_service.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accesstoken_service accesstoken_service:dir { search }; +allow accesstoken_service accesstoken_service:lnk_file { read }; +allow accesstoken_service accesstoken_service:process { fork getsched }; +allow accesstoken_service accesstoken_service:unix_dgram_socket { connect create write }; +allow accesstoken_service data_file:dir { search }; +allow accesstoken_service data_service_el0_file:dir { search }; +allow accesstoken_service data_service_el0_file:file { getattr open read }; +allow accesstoken_service data_service_file:dir { search }; +allow accesstoken_service data_system:dir { add_name open read remove_name search write }; +allow accesstoken_service data_system:file { create getattr ioctl lock open read write unlink }; +allow accesstoken_service debugfs:dir { search }; +allow accesstoken_service dev_at_file:chr_file { ioctl open read write }; +allow accesstoken_service dev_binder_file:chr_file { ioctl map open read write }; +allow accesstoken_service dev_file:dir { search }; +allow accesstoken_service dev_null_file:chr_file { read write }; +allow accesstoken_service dev_parameters_file:dir { search }; +allow accesstoken_service dev_parameters_file:file { map open read }; +allow accesstoken_service dev_random_file:chr_file { open read }; +allow accesstoken_service dev_unix_file:dir { search }; +allow accesstoken_service dev_unix_socket_file:dir { search }; +allow accesstoken_service dev_unix_socket_file:sock_file { write }; +allow accesstoken_service etc_file:lnk_file { read }; +allow accesstoken_service init:fd { use }; +allow accesstoken_service init:netlink_kobject_uevent_socket { read write }; +allow accesstoken_service init:unix_dgram_socket { sendto }; +allow accesstoken_service init:unix_stream_socket { read write }; +allow accesstoken_service kernel:fd { use }; +allow accesstoken_service proc_file:dir { search }; +allow accesstoken_service proc_file:lnk_file { read }; +allow accesstoken_service rootfs:dir { search }; +allow accesstoken_service samain_exec:file { entrypoint execute map read }; +allow accesstoken_service samgr:binder { call transfer }; +allow accesstoken_service system_etc_file:dir { search }; +allow accesstoken_service system_etc_file:file { open read }; +allow accesstoken_service system_file:dir { search }; +allow accesstoken_service system_lib_file:dir { search }; +allow accesstoken_service system_lib_file:file { execute getattr map open read }; +allow accesstoken_service system_profile_file:dir { search }; +allow accesstoken_service system_profile_file:file { getattr open read }; +allowxperm accesstoken_service data_system:file ioctl { 0xf50c }; +allowxperm accesstoken_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm accesstoken_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/accountmgr.te b/sepolicy/base/rk3568/accountmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..1c43c6eb0d9dc6e57581332f15674903930ece8c --- /dev/null +++ b/sepolicy/base/rk3568/accountmgr.te @@ -0,0 +1,85 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow accountmgr accesstoken_service:binder { call }; +allow accountmgr accountmgr:dir { getattr open read search }; +allow accountmgr accountmgr:fifo_file { read write }; +allow accountmgr accountmgr:file { getattr open read }; +allow accountmgr accountmgr:lnk_file { read }; +allow accountmgr accountmgr:lockdown { confidentiality }; +allow accountmgr accountmgr:process { fork getcap getsched ptrace setcap }; +allow accountmgr accountmgr:unix_dgram_socket { connect create write }; +allow accountmgr accountmgr:unix_stream_socket { connect create read setopt write }; +allow accountmgr bgtaskmgr_service:binder { transfer }; +allow accountmgr data_file:dir { search }; +allow accountmgr data_init_agent:dir { search }; +allow accountmgr data_log:file { read write }; +allow accountmgr data_system:dir { add_name getattr search write }; +allow accountmgr data_system:file { create getattr ioctl open read write }; +allow accountmgr debugfs:dir { search }; +allow accountmgr dev_at_file:chr_file { ioctl open read write }; +allow accountmgr dev_binder_file:chr_file { ioctl map open read write }; +allow accountmgr dev_file:dir { search }; +allow accountmgr device_usage_statistics_service:binder { transfer }; +allow accountmgr dev_null_file:chr_file { open read write }; +allow accountmgr dev_parameters_file:dir { search }; +allow accountmgr dev_parameters_file:file { map open read }; +allow accountmgr dev_random_file:chr_file { open read }; +allow accountmgr dev_unix_file:dir { search }; +allow accountmgr dev_unix_socket_file:dir { search }; +allow accountmgr dev_unix_socket_file:sock_file { write }; +allow accountmgr distributeddata:binder { call transfer }; +allow accountmgr distributedfile:binder { call transfer }; +allow accountmgr etc_file:lnk_file { read }; +allow accountmgr faultloggerd:fd { use }; +allow accountmgr faultloggerd:unix_stream_socket { connectto }; +allow accountmgr foundation:binder { call transfer }; +allow accountmgr init:fd { use }; +allow accountmgr init:netlink_kobject_uevent_socket { read write }; +allow accountmgr init:unix_dgram_socket { sendto }; +allow accountmgr init:unix_stream_socket { read write }; +allow accountmgr kernel:fd { use }; +allow accountmgr lib_file:lnk_file { read }; +allow accountmgr memmgrservice:binder { call transfer }; +allow accountmgr normal_hap_domain:binder { transfer }; +allow accountmgr param_watcher:binder { call transfer }; +allow accountmgr priv_hap_domain:binder { call transfer }; +allow accountmgr proc_file:dir { search }; +allow accountmgr proc_file:lnk_file { read }; +allow accountmgr rootfs:dir { getattr search }; +allow accountmgr samain_exec:file { entrypoint execute getattr map open read }; +allow accountmgr samgr:binder { call transfer }; +allow accountmgr storage_manager:binder { call }; +allow accountmgr sys_file:dir { search }; +allow accountmgr sys_file:file { open read }; +allow accountmgr sys_file:lnk_file { read }; +allow accountmgr sysfs_block_file:dir { search }; +allow accountmgr system_bin_file:dir { search }; +allow accountmgr system_bin_file:file { execute execute_no_trans map read open }; +allow accountmgr system_etc_file:dir { getattr open read search }; +allow accountmgr system_etc_file:file { getattr open read }; +allow accountmgr system_file:dir { search }; +allow accountmgr system_lib_file:dir { search }; +allow accountmgr system_lib_file:file { execute getattr map open read }; +allow accountmgr system_profile_file:dir { search }; +allow accountmgr system_profile_file:file { getattr open read }; +allow accountmgr system_usr_file:dir { search }; +allow accountmgr system_usr_file:file { getattr map open read }; +allow accountmgr tracefs:dir { search }; +allow accountmgr tracefs:file { open write }; +allow accountmgr vendor_file:dir { search }; +allow accountmgr vendor_file:file { execute getattr map open read }; +allow accountmgr vendor_file:lnk_file { read }; +allowxperm accountmgr data_system:file ioctl { 0x5413 }; +allowxperm accountmgr dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm accountmgr dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/appspawn.te b/sepolicy/base/rk3568/appspawn.te new file mode 100644 index 0000000000000000000000000000000000000000..58e42d15f31c67aa23d9d15be4d89ab71e822de2 --- /dev/null +++ b/sepolicy/base/rk3568/appspawn.te @@ -0,0 +1,77 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow appspawn appspawn:capability { chown dac_override dac_read_search fsetid }; +allow appspawn appspawn:dir { getattr open read search }; +allow appspawn appspawn_exec:file { entrypoint execute getattr map open read }; +allow appspawn appspawn:fifo_file { read write }; +allow appspawn appspawn:file { getattr open read write }; +allow appspawn appspawn:lnk_file { read }; +allow appspawn appspawn:process { fork getcap getsched ptrace setcap setcurrent sigkill }; +allow appspawn appspawn:unix_dgram_socket { connect create write }; +allow appspawn appspawn:unix_stream_socket { accept bind connect create listen read setopt write }; +allow appspawn data_file:dir { search }; +allow appspawn data_init_agent:dir { add_name search write }; +allow appspawn data_init_agent:file { create ioctl open read append }; +allow appspawn data_log:file { read write }; +allow appspawn debugfs:dir { search }; +allow appspawn dev_at_file:chr_file { ioctl open read write }; +allow appspawn dev_binder_file:chr_file { ioctl map open read write }; +allow appspawn dev_file:dir { search }; +allow appspawn dev_null_file:chr_file { open read write }; +allow appspawn dev_parameters_file:dir { search }; +allow appspawn dev_parameters_file:file { map open read }; +allow appspawn dev_random_file:chr_file { open read }; +allow appspawn dev_unix_file:dir { search }; +allow appspawn dev_unix_socket_file:dir { add_name remove_name search write }; +allow appspawn dev_unix_socket_file:sock_file { create setattr unlink write }; +allow appspawn etc_file:lnk_file { read }; +allow appspawn faultloggerd:fd { use }; +allow appspawn faultloggerd:unix_stream_socket { connectto }; +allow appspawn hiview:binder { call }; +allow appspawn init:fd { use }; +allow appspawn init:netlink_kobject_uevent_socket { read write }; +allow appspawn init:unix_dgram_socket { sendto }; +allow appspawn init:unix_stream_socket { read write }; +allow appspawn kernel:fd { use }; +allow appspawn kernel:unix_stream_socket { connectto }; +allow appspawn lib_file:lnk_file { read }; +allow appspawn normal_hap_domain:process { dyntransition }; +allow appspawn platform_hap_domain:process { dyntransition }; +allow appspawn priv_hap_domain:process { dyntransition }; +allow appspawn proc_file:dir { search }; +allow appspawn proc_file:lnk_file { read }; +allow appspawn rootfs:dir { getattr search }; +allow appspawn samgr:binder { call }; +allow appspawn security:security { check_context }; +allow appspawn selinuxfs:dir { search }; +allow appspawn selinuxfs:file { open read write }; +allow appspawn selinuxfs:filesystem { getattr }; +allow appspawn sys_file:dir { search }; +allow appspawn system_bin_file:dir { search }; +allow appspawn system_bin_file:file { execute execute_no_trans map read open }; +allow appspawn system_etc_file:dir { getattr open read search }; +allow appspawn system_etc_file:file { open read }; +allow appspawn system_file:dir { search }; +allow appspawn system_fonts_file:dir { open read search }; +allow appspawn system_fonts_file:file { getattr map open read }; +allow appspawn system_lib_file:dir { search }; +allow appspawn system_lib_file:file { execute getattr map open read }; +allow appspawn system_usr_file:dir { search }; +allow appspawn system_usr_file:file { getattr map open read }; +allow appspawn vendor_file:dir { search }; +allow appspawn vendor_file:file { execute getattr map open read }; +allow appspawn vendor_file:lnk_file { read }; +allowxperm appspawn data_init_agent:file ioctl { 0x5413 }; +allowxperm appspawn dev_at_file:chr_file ioctl { 0x4101 0x4102 }; +allowxperm appspawn dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e }; diff --git a/sepolicy/base/rk3568/audio_hdi_server_host.te b/sepolicy/base/rk3568/audio_hdi_server_host.te new file mode 100644 index 0000000000000000000000000000000000000000..4e18fcaba54925f5da6a2cea43c3b88db2e347db --- /dev/null +++ b/sepolicy/base/rk3568/audio_hdi_server_host.te @@ -0,0 +1,56 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_hdi_server_host audio_hdi_server_host:dir { search }; +allow audio_hdi_server_host audio_hdi_server_host:lnk_file { read }; +allow audio_hdi_server_host audio_hdi_server_host:process { fork }; +allow audio_hdi_server_host audio_hdi_server_host:unix_dgram_socket { connect create write }; +allow audio_hdi_server_host data_file:dir { add_name search write }; +allow audio_hdi_server_host data_file:file { create ioctl open read append }; +allow audio_hdi_server_host debugfs:dir { search }; +allow audio_hdi_server_host dev_at_file:chr_file { ioctl open read write }; +allow audio_hdi_server_host dev_binder_file:chr_file { ioctl map open read write }; +allow audio_hdi_server_host dev_file:chr_file { getattr ioctl open read write }; +allow audio_hdi_server_host dev_file:dir { search }; +allow audio_hdi_server_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow audio_hdi_server_host dev_null_file:chr_file { read write }; +allow audio_hdi_server_host dev_parameters_file:dir { search }; +allow audio_hdi_server_host dev_parameters_file:file { map open read }; +allow audio_hdi_server_host dev_unix_file:dir { search }; +allow audio_hdi_server_host dev_unix_socket_file:dir { search }; +allow audio_hdi_server_host dev_unix_socket_file:sock_file { write }; +allow audio_hdi_server_host etc_file:lnk_file { read }; +allow audio_hdi_server_host hdf_devmgr:binder { call transfer }; +allow audio_hdi_server_host init:fd { use }; +allow audio_hdi_server_host init:netlink_kobject_uevent_socket { read write }; +allow audio_hdi_server_host init:unix_dgram_socket { sendto }; +allow audio_hdi_server_host init:unix_stream_socket { read write }; +allow audio_hdi_server_host kernel:fd { use }; +allow audio_hdi_server_host proc_file:dir { search }; +allow audio_hdi_server_host proc_file:lnk_file { read }; +allow audio_hdi_server_host rootfs:dir { search }; +allow audio_hdi_server_host samgr:binder { call }; +allow audio_hdi_server_host system_etc_file:dir { search }; +allow audio_hdi_server_host system_etc_file:file { open read }; +allow audio_hdi_server_host system_file:dir { search }; +allow audio_hdi_server_host system_lib_file:dir { search }; +allow audio_hdi_server_host system_lib_file:file { execute getattr map open read }; +allow audio_hdi_server_host vendor_etc_file:dir { search }; +allow audio_hdi_server_host vendor_etc_file:file { getattr open read }; +allow audio_hdi_server_host vendor_file:dir { search }; +allow audio_hdi_server_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm audio_hdi_server_host data_file:file ioctl { 0x5413 }; +allowxperm audio_hdi_server_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm audio_hdi_server_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm audio_hdi_server_host dev_file:chr_file ioctl { 0x6201 }; +allowxperm audio_hdi_server_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/audio_policy.te b/sepolicy/base/rk3568/audio_policy.te new file mode 100644 index 0000000000000000000000000000000000000000..73fd0aef2c9213d137d60f88b76133c040d6ab06 --- /dev/null +++ b/sepolicy/base/rk3568/audio_policy.te @@ -0,0 +1,73 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow audio_policy audio_policy:dir { open read search }; +allow audio_policy audio_policy:fifo_file { read write }; +allow audio_policy audio_policy:file { open read }; +allow audio_policy audio_policy:lnk_file { read }; +allow audio_policy audio_policy:lockdown { confidentiality }; +allow audio_policy audio_policy:process { fork getsched }; +allow audio_policy audio_policy:unix_dgram_socket { connect create write }; +allow audio_policy audio_policy:unix_stream_socket { connect create getattr getopt read setopt write }; +allow audio_policy data_data_file:dir { getattr open read remove_name search write }; +allow audio_policy data_data_file:fifo_file { unlink }; +allow audio_policy data_data_file:file { lock open read write }; +allow audio_policy data_data_file:sock_file { write }; +allow audio_policy data_file:dir { search }; +allow audio_policy data_init_agent:dir { search }; +allow audio_policy debugfs:dir { search }; +allow audio_policy dev_at_file:chr_file { ioctl open read write }; +allow audio_policy dev_binder_file:chr_file { ioctl map open read write }; +allow audio_policy dev_file:dir { search }; +allow audio_policy dev_null_file:chr_file { read write }; +allow audio_policy dev_parameters_file:dir { search }; +allow audio_policy dev_parameters_file:file { map open read }; +allow audio_policy dev_random_file:chr_file { open read }; +allow audio_policy dev_unix_file:dir { search }; +allow audio_policy dev_unix_socket_file:dir { search }; +allow audio_policy dev_unix_socket_file:sock_file { write }; +allow audio_policy distributeddata:binder { call transfer }; +allow audio_policy etc_file:lnk_file { read }; +allow audio_policy hdf_devmgr:binder { call transfer }; +allow audio_policy init:fd { use }; +allow audio_policy init:netlink_kobject_uevent_socket { read write }; +allow audio_policy init:unix_dgram_socket { sendto }; +allow audio_policy init:unix_stream_socket { read write }; +allow audio_policy kernel:fd { use }; +allow audio_policy media_service:binder { call }; +allow audio_policy multimodalinput:binder { call }; +allow audio_policy multimodalinput:fd { use }; +allow audio_policy multimodalinput:unix_stream_socket { read write }; +allow audio_policy param_watcher:binder { call transfer }; +allow audio_policy priv_hap_domain:binder { call }; +allow audio_policy proc_file:dir { search }; +allow audio_policy proc_file:lnk_file { read }; +allow audio_policy pulseaudio:binder { call }; +allow audio_policy pulseaudio:unix_stream_socket { connectto }; +allow audio_policy rootfs:dir { search }; +allow audio_policy samain_exec:file { entrypoint execute map read }; +allow audio_policy samgr:binder { call transfer }; +allow audio_policy sys_file:dir { search }; +allow audio_policy system_etc_file:dir { search }; +allow audio_policy system_etc_file:file { getattr open read }; +allow audio_policy system_file:dir { search }; +allow audio_policy system_lib_file:dir { search }; +allow audio_policy system_lib_file:file { execute getattr map open read }; +allow audio_policy system_profile_file:dir { search }; +allow audio_policy system_profile_file:file { getattr open read }; +allow audio_policy tracefs:dir { search }; +allow audio_policy tracefs:file { open write }; +allow audio_policy vendor_file:dir { search }; +allow audio_policy vendor_file:file { execute getattr map open read }; +allowxperm audio_policy dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm audio_policy dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/battery_stats.te b/sepolicy/base/rk3568/battery_stats.te new file mode 100644 index 0000000000000000000000000000000000000000..20f7fcd406ae3f1dfdab51a6b10be66fcb4469d7 --- /dev/null +++ b/sepolicy/base/rk3568/battery_stats.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow battery_stats battery_stats:dir { search }; +allow battery_stats battery_stats:lnk_file { read }; +allow battery_stats battery_stats:process { fork getsched }; +allow battery_stats battery_stats:unix_dgram_socket { connect create write }; +allow battery_stats data_file:dir { search }; +allow battery_stats data_system:dir { search }; +allow battery_stats debugfs:dir { search }; +allow battery_stats dev_at_file:chr_file { ioctl open read write }; +allow battery_stats dev_binder_file:chr_file { ioctl map open read write }; +allow battery_stats dev_file:dir { search }; +allow battery_stats dev_null_file:chr_file { read write }; +allow battery_stats dev_parameters_file:dir { search }; +allow battery_stats dev_parameters_file:file { map open read }; +allow battery_stats dev_random_file:chr_file { open read }; +allow battery_stats dev_unix_file:dir { search }; +allow battery_stats dev_unix_socket_file:dir { search }; +allow battery_stats dev_unix_socket_file:sock_file { write }; +allow battery_stats etc_file:lnk_file { read }; +allow battery_stats foundation:binder { call transfer }; +allow battery_stats hiview:binder { call transfer }; +allow battery_stats init:fd { use }; +allow battery_stats init:netlink_kobject_uevent_socket { read write }; +allow battery_stats init:unix_dgram_socket { sendto }; +allow battery_stats init:unix_stream_socket { read write }; +allow battery_stats kernel:fd { use }; +allow battery_stats proc_file:dir { search }; +allow battery_stats proc_file:lnk_file { read }; +allow battery_stats rootfs:dir { search }; +allow battery_stats samain_exec:file { entrypoint execute map read }; +allow battery_stats samgr:binder { call transfer }; +allow battery_stats system_etc_file:dir { getattr open read search }; +allow battery_stats system_etc_file:file { open read }; +allow battery_stats system_file:dir { search }; +allow battery_stats system_lib_file:dir { search }; +allow battery_stats system_lib_file:file { execute getattr map open read }; +allow battery_stats system_profile_file:dir { search }; +allow battery_stats system_profile_file:file { getattr open read }; +allow battery_stats system_usr_file:dir { search }; +allow battery_stats system_usr_file:file { getattr map open read }; +allow battery_stats vendor_file:dir { search }; +allow battery_stats vendor_file:file { execute getattr map open read }; +allow battery_stats vendor_file:lnk_file { read }; +allowxperm battery_stats dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm battery_stats dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/bgtaskmgr_service.te b/sepolicy/base/rk3568/bgtaskmgr_service.te new file mode 100644 index 0000000000000000000000000000000000000000..531dafa29d438a91409e854bf5842592cb74d37f --- /dev/null +++ b/sepolicy/base/rk3568/bgtaskmgr_service.te @@ -0,0 +1,80 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bgtaskmgr_service accountmgr:binder { call }; +allow bgtaskmgr_service bgtaskmgr_service:dir { getattr open read search }; +allow bgtaskmgr_service bgtaskmgr_service:fifo_file { read write }; +allow bgtaskmgr_service bgtaskmgr_service:file { getattr open read }; +allow bgtaskmgr_service bgtaskmgr_service:lnk_file { read }; +allow bgtaskmgr_service bgtaskmgr_service:lockdown { confidentiality }; +allow bgtaskmgr_service bgtaskmgr_service:process { fork getcap getsched ptrace setcap sigkill }; +allow bgtaskmgr_service bgtaskmgr_service:unix_dgram_socket { connect create write }; +allow bgtaskmgr_service bgtaskmgr_service:unix_stream_socket { connect create read setopt write }; +allow bgtaskmgr_service data_app_el1_file:dir { search }; +allow bgtaskmgr_service data_app_el1_file:file { getattr open read }; +allow bgtaskmgr_service data_app_file:dir { search }; +allow bgtaskmgr_service data_file:dir { search }; +allow bgtaskmgr_service data_init_agent:dir { search }; +allow bgtaskmgr_service data_log:file { read write }; +allow bgtaskmgr_service debugfs:dir { search }; +allow bgtaskmgr_service dev_at_file:chr_file { ioctl open read write }; +allow bgtaskmgr_service dev_binder_file:chr_file { ioctl map open read write }; +allow bgtaskmgr_service dev_file:dir { search }; +allow bgtaskmgr_service device_usage_statistics_service:binder { call }; +allow bgtaskmgr_service dev_null_file:chr_file { open read write }; +allow bgtaskmgr_service dev_parameters_file:dir { search }; +allow bgtaskmgr_service dev_parameters_file:file { map open read }; +allow bgtaskmgr_service dev_random_file:chr_file { open read }; +allow bgtaskmgr_service dev_unix_file:dir { search }; +allow bgtaskmgr_service dev_unix_socket_file:dir { search }; +allow bgtaskmgr_service dev_unix_socket_file:sock_file { write }; +allow bgtaskmgr_service etc_file:lnk_file { read }; +allow bgtaskmgr_service faultloggerd:fd { use }; +allow bgtaskmgr_service faultloggerd:unix_stream_socket { connectto }; +allow bgtaskmgr_service foundation:binder { call transfer }; +allow bgtaskmgr_service hiview:binder { call }; +allow bgtaskmgr_service init:fd { use }; +allow bgtaskmgr_service init:netlink_kobject_uevent_socket { read write }; +allow bgtaskmgr_service init:unix_dgram_socket { sendto }; +allow bgtaskmgr_service init:unix_stream_socket { read write }; +allow bgtaskmgr_service kernel:fd { use }; +allow bgtaskmgr_service lib_file:lnk_file { read }; +allow bgtaskmgr_service memmgrservice:binder { call }; +allow bgtaskmgr_service param_watcher:binder { call transfer }; +allow bgtaskmgr_service proc_file:dir { search }; +allow bgtaskmgr_service proc_file:lnk_file { read }; +allow bgtaskmgr_service resource_schedule_service:binder { call }; +allow bgtaskmgr_service rootfs:dir { getattr search }; +allow bgtaskmgr_service samain_exec:file { entrypoint execute getattr map open read }; +allow bgtaskmgr_service samgr:binder { call transfer }; +allow bgtaskmgr_service sys_file:dir { open read search }; +allow bgtaskmgr_service sys_file:file { open read }; +allow bgtaskmgr_service sys_file:lnk_file { read }; +allow bgtaskmgr_service system_bin_file:dir { search }; +allow bgtaskmgr_service system_bin_file:file { execute execute_no_trans map read open }; +allow bgtaskmgr_service system_etc_file:dir { getattr open read search }; +allow bgtaskmgr_service system_etc_file:file { open read }; +allow bgtaskmgr_service system_file:dir { search }; +allow bgtaskmgr_service system_lib_file:dir { search }; +allow bgtaskmgr_service system_lib_file:file { execute getattr map open read }; +allow bgtaskmgr_service system_profile_file:dir { search }; +allow bgtaskmgr_service system_profile_file:file { getattr open read }; +allow bgtaskmgr_service system_usr_file:dir { search }; +allow bgtaskmgr_service system_usr_file:file { getattr map open read }; +allow bgtaskmgr_service tracefs:dir { search }; +allow bgtaskmgr_service tracefs:file { open write }; +allow bgtaskmgr_service vendor_file:dir { search }; +allow bgtaskmgr_service vendor_file:file { execute getattr map open read }; +allow bgtaskmgr_service vendor_file:lnk_file { read }; +allowxperm bgtaskmgr_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm bgtaskmgr_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/blue_host.te b/sepolicy/base/rk3568/blue_host.te new file mode 100644 index 0000000000000000000000000000000000000000..5a0489cb1f7f353fdac4d340077838cc3dbc2150 --- /dev/null +++ b/sepolicy/base/rk3568/blue_host.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow blue_host blue_host:dir { search }; +allow blue_host blue_host:lnk_file { read }; +allow blue_host blue_host:process { fork }; +allow blue_host blue_host:unix_dgram_socket { connect create write }; +allow blue_host debugfs:dir { search }; +allow blue_host dev_at_file:chr_file { ioctl open read write }; +allow blue_host dev_binder_file:chr_file { ioctl map open read write }; +allow blue_host dev_file:dir { search }; +allow blue_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow blue_host dev_null_file:chr_file { read write }; +allow blue_host dev_parameters_file:dir { search }; +allow blue_host dev_parameters_file:file { map open read }; +allow blue_host dev_unix_file:dir { search }; +allow blue_host dev_unix_socket_file:dir { search }; +allow blue_host dev_unix_socket_file:sock_file { write }; +allow blue_host etc_file:lnk_file { read }; +allow blue_host hdf_devmgr:binder { call transfer }; +allow blue_host init:fd { use }; +allow blue_host init:netlink_kobject_uevent_socket { read write }; +allow blue_host init:unix_dgram_socket { sendto }; +allow blue_host init:unix_stream_socket { read write }; +allow blue_host kernel:fd { use }; +allow blue_host proc_file:dir { search }; +allow blue_host proc_file:lnk_file { read }; +allow blue_host rootfs:dir { search }; +allow blue_host samgr:binder { call }; +allow blue_host system_etc_file:dir { search }; +allow blue_host system_etc_file:file { open read }; +allow blue_host system_file:dir { search }; +allow blue_host system_lib_file:dir { search }; +allow blue_host system_lib_file:file { execute getattr map open read }; +allow blue_host vendor_etc_file:dir { search }; +allow blue_host vendor_etc_file:file { getattr open read }; +allow blue_host vendor_file:dir { search }; +allow blue_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm blue_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm blue_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm blue_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/bluetooth_service.te b/sepolicy/base/rk3568/bluetooth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d7f388fadab925a467ca3823f62c0748e4cd89da --- /dev/null +++ b/sepolicy/base/rk3568/bluetooth_service.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow bluetooth_service bluetooth_service:dir { search }; +allow bluetooth_service bluetooth_service:lnk_file { read }; +allow bluetooth_service bluetooth_service:process { fork getsched }; +allow bluetooth_service bluetooth_service:unix_dgram_socket { connect create write }; +allow bluetooth_service data_bluetooth:dir { search }; +allow bluetooth_service data_bluetooth:file { getattr open read }; +allow bluetooth_service data_file:dir { search }; +allow bluetooth_service debugfs:dir { search }; +allow bluetooth_service dev_at_file:chr_file { ioctl open read write }; +allow bluetooth_service dev_binder_file:chr_file { ioctl map open read write }; +allow bluetooth_service dev_file:dir { search }; +allow bluetooth_service dev_null_file:chr_file { read write }; +allow bluetooth_service dev_parameters_file:dir { search }; +allow bluetooth_service dev_parameters_file:file { map open read }; +allow bluetooth_service dev_random_file:chr_file { open read }; +allow bluetooth_service dev_unix_file:dir { search }; +allow bluetooth_service dev_unix_socket_file:dir { search }; +allow bluetooth_service dev_unix_socket_file:sock_file { write }; +allow bluetooth_service etc_file:lnk_file { read }; +allow bluetooth_service init:fd { use }; +allow bluetooth_service init:netlink_kobject_uevent_socket { read write }; +allow bluetooth_service init:unix_dgram_socket { sendto }; +allow bluetooth_service init:unix_stream_socket { read write }; +allow bluetooth_service kernel:fd { use }; +allow bluetooth_service priv_hap_domain:binder { call transfer }; +allow bluetooth_service proc_file:dir { search }; +allow bluetooth_service proc_file:lnk_file { read }; +allow bluetooth_service rootfs:dir { search }; +allow bluetooth_service samain_exec:file { entrypoint execute map read }; +allow bluetooth_service samgr:binder { call transfer }; +allow bluetooth_service system_etc_file:dir { search }; +allow bluetooth_service system_etc_file:file { open read }; +allow bluetooth_service system_file:dir { search }; +allow bluetooth_service system_lib_file:dir { search }; +allow bluetooth_service system_lib_file:file { execute getattr map open read }; +allow bluetooth_service system_profile_file:dir { search }; +allow bluetooth_service system_profile_file:file { getattr open read }; +allow bluetooth_service vendor_file:dir { search }; +allow bluetooth_service vendor_file:file { execute getattr map open read }; +allowxperm bluetooth_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm bluetooth_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/camera_host.te b/sepolicy/base/rk3568/camera_host.te new file mode 100644 index 0000000000000000000000000000000000000000..112bb40e963b678dab170e8238db3a227651fcfa --- /dev/null +++ b/sepolicy/base/rk3568/camera_host.te @@ -0,0 +1,56 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow camera_host camera_host:dir { search }; +allow camera_host camera_host:lnk_file { read }; +allow camera_host camera_host:netlink_kobject_uevent_socket { bind create read }; +allow camera_host camera_host:process { fork }; +allow camera_host camera_host:unix_dgram_socket { connect create write }; +allow camera_host camera_service:binder { call }; +allow camera_host debugfs:dir { search }; +allow camera_host dev_at_file:chr_file { ioctl open read write }; +allow camera_host dev_binder_file:chr_file { ioctl map open read write }; +allow camera_host dev_file:dir { search }; +allow camera_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow camera_host dev_null_file:chr_file { read write }; +allow camera_host dev_parameters_file:dir { search }; +allow camera_host dev_parameters_file:file { map open read }; +allow camera_host dev_unix_file:dir { search }; +allow camera_host dev_unix_socket_file:dir { search }; +allow camera_host dev_unix_socket_file:sock_file { write }; +allow camera_host dev_video_file:chr_file { getattr ioctl open read write }; +allow camera_host etc_file:lnk_file { read }; +allow camera_host hdf_devmgr:binder { call transfer }; +allow camera_host init:fd { use }; +allow camera_host init:netlink_kobject_uevent_socket { read write }; +allow camera_host init:unix_dgram_socket { sendto }; +allow camera_host init:unix_stream_socket { read write }; +allow camera_host kernel:fd { use }; +allow camera_host proc_file:dir { search }; +allow camera_host proc_file:lnk_file { read }; +allow camera_host rootfs:dir { search }; +allow camera_host samgr:binder { call }; +allow camera_host system_etc_file:dir { search }; +allow camera_host system_etc_file:file { open read }; +allow camera_host system_file:dir { search }; +allow camera_host system_lib_file:dir { search }; +allow camera_host system_lib_file:file { execute getattr map open read }; +allow camera_host vendor_etc_file:dir { search }; +allow camera_host vendor_etc_file:file { getattr open read }; +allow camera_host vendor_file:dir { search }; +allow camera_host vendor_file:file { entrypoint execute getattr map open read }; +allow camera_host vendor_file:lnk_file { read }; +allowxperm camera_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm camera_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm camera_host dev_mgr_file:chr_file ioctl { 0x6201 }; +allowxperm camera_host dev_video_file:chr_file ioctl { 0x5600 }; diff --git a/sepolicy/base/rk3568/camera_service.te b/sepolicy/base/rk3568/camera_service.te new file mode 100644 index 0000000000000000000000000000000000000000..3f4097db60246c1e936a464b27675388d165590f --- /dev/null +++ b/sepolicy/base/rk3568/camera_service.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow camera_service camera_host:binder { call transfer }; +allow camera_service camera_service:dir { search }; +allow camera_service camera_service:lnk_file { read }; +allow camera_service camera_service:process { fork getsched }; +allow camera_service camera_service:unix_dgram_socket { connect create write }; +allow camera_service debugfs:dir { search }; +allow camera_service dev_at_file:chr_file { ioctl open read write }; +allow camera_service dev_binder_file:chr_file { ioctl map open read write }; +allow camera_service dev_file:dir { search }; +allow camera_service dev_null_file:chr_file { read write }; +allow camera_service dev_parameters_file:dir { search }; +allow camera_service dev_parameters_file:file { map open read }; +allow camera_service dev_random_file:chr_file { open read }; +allow camera_service dev_unix_file:dir { search }; +allow camera_service dev_unix_socket_file:dir { search }; +allow camera_service dev_unix_socket_file:sock_file { write }; +allow camera_service etc_file:lnk_file { read }; +allow camera_service hdf_devmgr:binder { call transfer }; +allow camera_service init:fd { use }; +allow camera_service init:netlink_kobject_uevent_socket { read write }; +allow camera_service init:unix_dgram_socket { sendto }; +allow camera_service init:unix_stream_socket { read write }; +allow camera_service kernel:fd { use }; +allow camera_service normal_hap_domain:binder { call transfer }; +allow camera_service proc_file:dir { search }; +allow camera_service proc_file:lnk_file { read }; +allow camera_service rootfs:dir { search }; +allow camera_service samain_exec:file { entrypoint execute map read }; +allow camera_service samgr:binder { call transfer }; +allow camera_service system_etc_file:dir { search }; +allow camera_service system_etc_file:file { open read }; +allow camera_service system_file:dir { search }; +allow camera_service system_lib_file:dir { search }; +allow camera_service system_lib_file:file { execute getattr map open read }; +allow camera_service system_profile_file:dir { search }; +allow camera_service system_profile_file:file { getattr open read }; +allow camera_service vendor_file:dir { search }; +allow camera_service vendor_file:file { execute getattr map open read }; +allow camera_service vendor_file:lnk_file { read }; +allowxperm camera_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm camera_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/device_usage_statistics_service.te b/sepolicy/base/rk3568/device_usage_statistics_service.te new file mode 100644 index 0000000000000000000000000000000000000000..945c5c60b9f3ea26efa09a6c0ffed4266b2c0953 --- /dev/null +++ b/sepolicy/base/rk3568/device_usage_statistics_service.te @@ -0,0 +1,72 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow device_usage_statistics_service accountmgr:binder { call }; +allow device_usage_statistics_service bgtaskmgr_service:binder { call transfer }; +allow device_usage_statistics_service data_file:dir { search }; +allow device_usage_statistics_service data_init_agent:dir { search }; +allow device_usage_statistics_service data_init_agent:file { ioctl open read append }; +allow device_usage_statistics_service data_system_ce:dir { add_name open read search write }; +allow device_usage_statistics_service data_system_ce:file { create getattr ioctl lock map open read read write setattr write }; +allow device_usage_statistics_service debugfs:dir { search }; +allow device_usage_statistics_service dev_at_file:chr_file { ioctl open read write }; +allow device_usage_statistics_service dev_binder_file:chr_file { ioctl map open read write }; +allow device_usage_statistics_service dev_file:dir { search }; +allow device_usage_statistics_service device_usage_statistics_service:capability { dac_read_search }; +allow device_usage_statistics_service device_usage_statistics_service:dir { search }; +allow device_usage_statistics_service device_usage_statistics_service:lnk_file { read }; +allow device_usage_statistics_service device_usage_statistics_service:lockdown { confidentiality }; +allow device_usage_statistics_service device_usage_statistics_service:process { fork getsched }; +allow device_usage_statistics_service device_usage_statistics_service:unix_dgram_socket { connect create write }; +allow device_usage_statistics_service dev_null_file:chr_file { read write }; +allow device_usage_statistics_service dev_parameters_file:dir { search }; +allow device_usage_statistics_service dev_parameters_file:file { map open read }; +allow device_usage_statistics_service dev_random_file:chr_file { open read }; +allow device_usage_statistics_service dev_unix_file:dir { search }; +allow device_usage_statistics_service dev_unix_socket_file:dir { search }; +allow device_usage_statistics_service dev_unix_socket_file:sock_file { write }; +allow device_usage_statistics_service etc_file:lnk_file { read }; +allow device_usage_statistics_service foundation:binder { call transfer }; +allow device_usage_statistics_service init:fd { use }; +allow device_usage_statistics_service init:netlink_kobject_uevent_socket { read write }; +allow device_usage_statistics_service init:unix_dgram_socket { sendto }; +allow device_usage_statistics_service init:unix_stream_socket { read write }; +allow device_usage_statistics_service kernel:fd { use }; +allow device_usage_statistics_service param_watcher:binder { call transfer }; +allow device_usage_statistics_service proc_file:dir { search }; +allow device_usage_statistics_service proc_file:lnk_file { read }; +allow device_usage_statistics_service rootfs:dir { search }; +allow device_usage_statistics_service samain_exec:file { entrypoint execute map read }; +allow device_usage_statistics_service samgr:binder { call transfer }; +allow device_usage_statistics_service sys_file:dir { open read search }; +allow device_usage_statistics_service sys_file:file { open read }; +allow device_usage_statistics_service sys_file:lnk_file { read }; +allow device_usage_statistics_service system_etc_file:dir { getattr open read search }; +allow device_usage_statistics_service system_etc_file:file { open read }; +allow device_usage_statistics_service system_file:dir { search }; +allow device_usage_statistics_service system_lib_file:dir { search }; +allow device_usage_statistics_service system_lib_file:file { execute getattr map open read }; +allow device_usage_statistics_service system_profile_file:dir { search }; +allow device_usage_statistics_service system_profile_file:file { getattr open read }; +allow device_usage_statistics_service system_usr_file:dir { search }; +allow device_usage_statistics_service system_usr_file:file { getattr map open read }; +allow device_usage_statistics_service time_service:binder { call }; +allow device_usage_statistics_service tracefs:dir { search }; +allow device_usage_statistics_service tracefs:file { open write }; +allow device_usage_statistics_service vendor_file:dir { search }; +allow device_usage_statistics_service vendor_file:file { execute getattr map open read }; +allow device_usage_statistics_service vendor_file:lnk_file { read }; +allowxperm device_usage_statistics_service data_init_agent:file ioctl { 0x5413 }; +allowxperm device_usage_statistics_service data_system_ce:file ioctl { 0x5413 0xf50c }; +allowxperm device_usage_statistics_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm device_usage_statistics_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/deviceauth_service.te b/sepolicy/base/rk3568/deviceauth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..39b09e65c48d194cebd83dab5f53ee55f07c1a29 --- /dev/null +++ b/sepolicy/base/rk3568/deviceauth_service.te @@ -0,0 +1,47 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow deviceauth_service data_data_file:dir { search }; +allow deviceauth_service data_file:dir { search }; +allow deviceauth_service debugfs:dir { search }; +allow deviceauth_service dev_at_file:chr_file { ioctl open read write }; +allow deviceauth_service dev_binder_file:chr_file { ioctl map open read write }; +allow deviceauth_service dev_file:dir { search }; +allow deviceauth_service deviceauth_service_exec:file { entrypoint execute map read }; +allow deviceauth_service deviceauth_service:process { fork }; +allow deviceauth_service deviceauth_service:unix_dgram_socket { connect create write }; +allow deviceauth_service dev_null_file:chr_file { read write }; +allow deviceauth_service dev_parameters_file:dir { search }; +allow deviceauth_service dev_parameters_file:file { map open read }; +allow deviceauth_service dev_random_file:chr_file { open read }; +allow deviceauth_service dev_unix_file:dir { search }; +allow deviceauth_service dev_unix_socket_file:dir { search }; +allow deviceauth_service dev_unix_socket_file:sock_file { write }; +allow deviceauth_service etc_file:lnk_file { read }; +allow deviceauth_service foundation:binder { call }; +allow deviceauth_service huks_service:binder { call }; +allow deviceauth_service init:fd { use }; +allow deviceauth_service init:netlink_kobject_uevent_socket { read write }; +allow deviceauth_service init:unix_dgram_socket { sendto }; +allow deviceauth_service init:unix_stream_socket { read write }; +allow deviceauth_service kernel:fd { use }; +allow deviceauth_service rootfs:dir { search }; +allow deviceauth_service samgr:binder { call transfer }; +allow deviceauth_service softbus_server:binder { call transfer }; +allow deviceauth_service system_etc_file:dir { search }; +allow deviceauth_service system_etc_file:file { open read }; +allow deviceauth_service system_file:dir { search }; +allow deviceauth_service system_lib_file:dir { search }; +allow deviceauth_service system_lib_file:file { execute getattr map open read }; +allowxperm deviceauth_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm deviceauth_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/deviceinfoservice.te b/sepolicy/base/rk3568/deviceinfoservice.te new file mode 100644 index 0000000000000000000000000000000000000000..14d29d9ac530098c27f9cd522b0306904df727f0 --- /dev/null +++ b/sepolicy/base/rk3568/deviceinfoservice.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow deviceinfoservice data_file:dir { search }; +allow deviceinfoservice data_init_agent:dir { search }; +allow deviceinfoservice data_init_agent:file { ioctl open read append }; +allow deviceinfoservice debugfs:dir { search }; +allow deviceinfoservice dev_at_file:chr_file { ioctl open read write }; +allow deviceinfoservice dev_binder_file:chr_file { ioctl map open read write }; +allow deviceinfoservice dev_file:dir { search }; +allow deviceinfoservice deviceinfoservice:dir { search }; +allow deviceinfoservice deviceinfoservice:lnk_file { read }; +allow deviceinfoservice deviceinfoservice:process { fork getsched }; +allow deviceinfoservice deviceinfoservice:unix_dgram_socket { connect create write }; +allow deviceinfoservice dev_null_file:chr_file { read write }; +allow deviceinfoservice dev_parameters_file:dir { search }; +allow deviceinfoservice dev_parameters_file:file { map open read }; +allow deviceinfoservice dev_random_file:chr_file { open read }; +allow deviceinfoservice dev_unix_file:dir { search }; +allow deviceinfoservice dev_unix_socket_file:dir { search }; +allow deviceinfoservice dev_unix_socket_file:sock_file { write }; +allow deviceinfoservice etc_file:lnk_file { read }; +allow deviceinfoservice init:fd { use }; +allow deviceinfoservice init:netlink_kobject_uevent_socket { read write }; +allow deviceinfoservice init:unix_dgram_socket { sendto }; +allow deviceinfoservice init:unix_stream_socket { read write }; +allow deviceinfoservice kernel:fd { use }; +allow deviceinfoservice proc_file:dir { search }; +allow deviceinfoservice proc_file:lnk_file { read }; +allow deviceinfoservice rootfs:dir { search }; +allow deviceinfoservice samain_exec:file { entrypoint execute map read }; +allow deviceinfoservice samgr:binder { call transfer }; +allow deviceinfoservice system_etc_file:dir { search }; +allow deviceinfoservice system_etc_file:file { open read }; +allow deviceinfoservice system_file:dir { search }; +allow deviceinfoservice system_lib_file:dir { search }; +allow deviceinfoservice system_lib_file:file { execute getattr map open read }; +allow deviceinfoservice system_profile_file:dir { search }; +allow deviceinfoservice system_profile_file:file { getattr open read }; +allowxperm deviceinfoservice data_init_agent:file ioctl { 0x5413 }; +allowxperm deviceinfoservice dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm deviceinfoservice dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/display_gralloc_host.te b/sepolicy/base/rk3568/display_gralloc_host.te new file mode 100644 index 0000000000000000000000000000000000000000..909821539160c0fbbf2b0cd4d35d05cfa5bf5cee --- /dev/null +++ b/sepolicy/base/rk3568/display_gralloc_host.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow display_gralloc_host debugfs:dir { search }; +allow display_gralloc_host dev_at_file:chr_file { ioctl open read write }; +allow display_gralloc_host dev_binder_file:chr_file { ioctl map open read write }; +allow display_gralloc_host dev_dri_file:chr_file { getattr ioctl open read write }; +allow display_gralloc_host dev_dri_file:dir { search }; +allow display_gralloc_host dev_file:dir { search }; +allow display_gralloc_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow display_gralloc_host dev_null_file:chr_file { read write }; +allow display_gralloc_host dev_parameters_file:dir { search }; +allow display_gralloc_host dev_parameters_file:file { map open read }; +allow display_gralloc_host dev_unix_file:dir { search }; +allow display_gralloc_host dev_unix_socket_file:dir { search }; +allow display_gralloc_host dev_unix_socket_file:sock_file { write }; +allow display_gralloc_host display_gralloc_host:capability { sys_admin }; +allow display_gralloc_host display_gralloc_host:dir { search }; +allow display_gralloc_host display_gralloc_host:lnk_file { read }; +allow display_gralloc_host display_gralloc_host:process { fork }; +allow display_gralloc_host display_gralloc_host:unix_dgram_socket { connect create write }; +allow display_gralloc_host etc_file:lnk_file { read }; +allow display_gralloc_host hdf_devmgr:binder { call transfer }; +allow display_gralloc_host init:fd { use }; +allow display_gralloc_host init:netlink_kobject_uevent_socket { read write }; +allow display_gralloc_host init:unix_dgram_socket { sendto }; +allow display_gralloc_host init:unix_stream_socket { read write }; +allow display_gralloc_host kernel:fd { use }; +allow display_gralloc_host proc_file:dir { search }; +allow display_gralloc_host proc_file:lnk_file { read }; +allow display_gralloc_host rootfs:dir { search }; +allow display_gralloc_host samgr:binder { call }; +allow display_gralloc_host system_etc_file:dir { search }; +allow display_gralloc_host system_etc_file:file { open read }; +allow display_gralloc_host system_file:dir { search }; +allow display_gralloc_host system_lib_file:dir { search }; +allow display_gralloc_host system_lib_file:file { execute getattr map open read }; +allow display_gralloc_host vendor_etc_file:dir { search }; +allow display_gralloc_host vendor_etc_file:file { getattr open read }; +allow display_gralloc_host vendor_file:dir { search }; +allow display_gralloc_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm display_gralloc_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm display_gralloc_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm display_gralloc_host dev_dri_file:chr_file ioctl { 0x641f 0x642d 0x64b2 0x64b4 }; +allowxperm display_gralloc_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/distributeddata.te b/sepolicy/base/rk3568/distributeddata.te new file mode 100644 index 0000000000000000000000000000000000000000..0527dc770c3f880fe75154c574f84815e657d652 --- /dev/null +++ b/sepolicy/base/rk3568/distributeddata.te @@ -0,0 +1,81 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributeddata accountmgr:binder { call transfer }; +allow distributeddata audio_policy:binder { call transfer }; +allow distributeddata data_file:dir { open read search }; +allow distributeddata data_file:file { getattr ioctl lock map open read write }; +allow distributeddata data_init_agent:dir { search }; +allow distributeddata data_misc_ce:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow distributeddata data_misc_ce:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_misc_de:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow distributeddata data_misc_de:file { create getattr ioctl lock map open read rename setattr unlink write }; +allow distributeddata data_service_el1_file:dir { add_name getattr open read search write }; +allow distributeddata data_service_el1_file:file { create getattr ioctl lock map open read write }; +allow distributeddata data_service_file:dir { search }; +allow distributeddata debugfs:dir { search }; +allow distributeddata dev_at_file:chr_file { ioctl open read write }; +allow distributeddata dev_binder_file:chr_file { ioctl map open read write }; +allow distributeddata dev_file:dir { search }; +allow distributeddata deviceauth_service:binder { call }; +allow distributeddata dev_null_file:chr_file { read write }; +allow distributeddata dev_parameters_file:dir { search }; +allow distributeddata dev_parameters_file:file { map open read }; +allow distributeddata dev_random_file:chr_file { open read }; +allow distributeddata dev_unix_file:dir { search }; +allow distributeddata dev_unix_socket_file:dir { search }; +allow distributeddata dev_unix_socket_file:sock_file { write }; +allow distributeddata distributeddata:dir { search }; +allow distributeddata distributeddata:lnk_file { read }; +allow distributeddata distributeddata:lockdown { confidentiality }; +allow distributeddata distributeddata:process { fork getsched }; +allow distributeddata distributeddata:unix_dgram_socket { connect create write }; +allow distributeddata distributedsched:binder { call transfer }; +allow distributeddata etc_file:lnk_file { read }; +allow distributeddata foundation:binder { call transfer }; +allow distributeddata huks_service:binder { call }; +allow distributeddata init:fd { use }; +allow distributeddata init:netlink_kobject_uevent_socket { read write }; +allow distributeddata init:unix_dgram_socket { sendto }; +allow distributeddata init:unix_stream_socket { read write }; +allow distributeddata kernel:fd { use }; +allow distributeddata lib_file:lnk_file { read }; +allow distributeddata normal_hap_domain:binder { call transfer }; +allow distributeddata param_watcher:binder { call transfer }; +allow distributeddata proc_file:dir { search }; +allow distributeddata proc_file:lnk_file { read }; +allow distributeddata rootfs:dir { search }; +allow distributeddata samain_exec:file { entrypoint execute map read }; +allow distributeddata samgr:binder { call transfer }; +allow distributeddata softbus_server:binder { call transfer }; +allow distributeddata sys_file:dir { search }; +allow distributeddata system_etc_file:dir { getattr open read search }; +allow distributeddata system_etc_file:file { open read }; +allow distributeddata system_file:dir { search }; +allow distributeddata system_lib_file:dir { search }; +allow distributeddata system_lib_file:file { execute getattr map open read }; +allow distributeddata system_profile_file:dir { search }; +allow distributeddata system_profile_file:file { getattr open read }; +allow distributeddata system_usr_file:dir { search }; +allow distributeddata system_usr_file:file { getattr map open read }; +allow distributeddata tracefs:dir { search }; +allow distributeddata tracefs:file { open write }; +allow distributeddata vendor_file:dir { search }; +allow distributeddata vendor_file:file { execute getattr map open read }; +allow distributeddata vendor_file:lnk_file { read }; +allowxperm distributeddata data_file:file ioctl { 0xf50c }; +allowxperm distributeddata data_misc_ce:file ioctl { 0x5413 0xf50c }; +allowxperm distributeddata data_misc_de:file ioctl { 0x5413 0xf50c }; +allowxperm distributeddata data_service_el1_file:file ioctl { 0xf50c }; +allowxperm distributeddata dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm distributeddata dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/distributedfile.te b/sepolicy/base/rk3568/distributedfile.te new file mode 100644 index 0000000000000000000000000000000000000000..425485c9cbf2142c3827828ff51039217d00e59f --- /dev/null +++ b/sepolicy/base/rk3568/distributedfile.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedfile accountmgr:binder { call transfer }; +allow distributedfile debugfs:dir { search }; +allow distributedfile dev_at_file:chr_file { ioctl open read write }; +allow distributedfile dev_binder_file:chr_file { ioctl map open read write }; +allow distributedfile dev_file:dir { search }; +allow distributedfile dev_null_file:chr_file { read write }; +allow distributedfile dev_parameters_file:dir { search }; +allow distributedfile dev_parameters_file:file { map open read }; +allow distributedfile dev_random_file:chr_file { open read }; +allow distributedfile dev_unix_file:dir { search }; +allow distributedfile dev_unix_socket_file:dir { search }; +allow distributedfile dev_unix_socket_file:sock_file { write }; +allow distributedfile distributedfile:dir { search }; +allow distributedfile distributedfile:lnk_file { read }; +allow distributedfile distributedfile:process { fork getsched }; +allow distributedfile distributedfile:unix_dgram_socket { connect create write }; +allow distributedfile etc_file:lnk_file { read }; +allow distributedfile foundation:binder { call transfer }; +allow distributedfile huks_service:binder { call }; +allow distributedfile init:fd { use }; +allow distributedfile init:netlink_kobject_uevent_socket { read write }; +allow distributedfile init:unix_dgram_socket { sendto }; +allow distributedfile init:unix_stream_socket { read write }; +allow distributedfile kernel:fd { use }; +allow distributedfile proc_file:dir { search }; +allow distributedfile proc_file:lnk_file { read }; +allow distributedfile rootfs:dir { search }; +allow distributedfile samain_exec:file { entrypoint execute map read }; +allow distributedfile samgr:binder { call transfer }; +allow distributedfile softbus_server:binder { call transfer }; +allow distributedfile sys_file:dir { search }; +allow distributedfile system_etc_file:dir { getattr open read search }; +allow distributedfile system_etc_file:file { open read }; +allow distributedfile system_file:dir { search }; +allow distributedfile system_lib_file:dir { search }; +allow distributedfile system_lib_file:file { execute getattr map open read }; +allow distributedfile system_profile_file:dir { search }; +allow distributedfile system_profile_file:file { getattr open read }; +allow distributedfile system_usr_file:dir { search }; +allow distributedfile system_usr_file:file { getattr map open read }; +allow distributedfile vendor_file:dir { search }; +allow distributedfile vendor_file:file { execute getattr map open read }; +allow distributedfile vendor_file:lnk_file { read }; +allowxperm distributedfile dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm distributedfile dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/distributedhardware_fwk.te b/sepolicy/base/rk3568/distributedhardware_fwk.te new file mode 100644 index 0000000000000000000000000000000000000000..5ee52d921a2ca81542a0c3b7267a0f008283698d --- /dev/null +++ b/sepolicy/base/rk3568/distributedhardware_fwk.te @@ -0,0 +1,49 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedhardware_fwk debugfs:dir { search }; +allow distributedhardware_fwk dev_at_file:chr_file { ioctl open read write }; +allow distributedhardware_fwk dev_binder_file:chr_file { ioctl map open read write }; +allow distributedhardware_fwk dev_file:dir { search }; +allow distributedhardware_fwk dev_null_file:chr_file { read write }; +allow distributedhardware_fwk dev_parameters_file:dir { search }; +allow distributedhardware_fwk dev_parameters_file:file { map open read }; +allow distributedhardware_fwk dev_random_file:chr_file { open read }; +allow distributedhardware_fwk dev_unix_file:dir { search }; +allow distributedhardware_fwk dev_unix_socket_file:dir { search }; +allow distributedhardware_fwk dev_unix_socket_file:sock_file { write }; +allow distributedhardware_fwk distributedhardware_fwk:dir { search }; +allow distributedhardware_fwk distributedhardware_fwk:lnk_file { read }; +allow distributedhardware_fwk distributedhardware_fwk:process { fork getsched }; +allow distributedhardware_fwk distributedhardware_fwk:unix_dgram_socket { connect create write }; +allow distributedhardware_fwk etc_file:lnk_file { read }; +allow distributedhardware_fwk foundation:binder { call transfer }; +allow distributedhardware_fwk init:fd { use }; +allow distributedhardware_fwk init:netlink_kobject_uevent_socket { read write }; +allow distributedhardware_fwk init:unix_dgram_socket { sendto }; +allow distributedhardware_fwk init:unix_stream_socket { read write }; +allow distributedhardware_fwk kernel:fd { use }; +allow distributedhardware_fwk proc_file:dir { search }; +allow distributedhardware_fwk proc_file:lnk_file { read }; +allow distributedhardware_fwk rootfs:dir { search }; +allow distributedhardware_fwk samain_exec:file { entrypoint execute map read }; +allow distributedhardware_fwk samgr:binder { call transfer }; +allow distributedhardware_fwk system_etc_file:dir { search }; +allow distributedhardware_fwk system_etc_file:file { open read }; +allow distributedhardware_fwk system_file:dir { search }; +allow distributedhardware_fwk system_lib_file:dir { search }; +allow distributedhardware_fwk system_lib_file:file { execute getattr map open read }; +allow distributedhardware_fwk system_profile_file:dir { search }; +allow distributedhardware_fwk system_profile_file:file { getattr open read }; +allowxperm distributedhardware_fwk dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm distributedhardware_fwk dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/distributedsched.te b/sepolicy/base/rk3568/distributedsched.te new file mode 100644 index 0000000000000000000000000000000000000000..1fa4b29585569afb33238fd18393aa3c3dd20dc4 --- /dev/null +++ b/sepolicy/base/rk3568/distributedsched.te @@ -0,0 +1,66 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow distributedsched data_file:dir { search }; +allow distributedsched data_init_agent:dir { search }; +allow distributedsched debugfs:dir { search }; +allow distributedsched dev_at_file:chr_file { ioctl open read write }; +allow distributedsched dev_binder_file:chr_file { ioctl map open read write }; +allow distributedsched dev_file:dir { search }; +allow distributedsched dev_null_file:chr_file { read write }; +allow distributedsched dev_parameters_file:dir { search }; +allow distributedsched dev_parameters_file:file { map open read }; +allow distributedsched dev_random_file:chr_file { open read }; +allow distributedsched dev_unix_file:dir { search }; +allow distributedsched dev_unix_socket_file:dir { search }; +allow distributedsched dev_unix_socket_file:sock_file { write }; +allow distributedsched distributeddata:binder { call transfer }; +allow distributedsched distributedsched:dir { search }; +allow distributedsched distributedsched:lnk_file { read }; +allow distributedsched distributedsched:lockdown { confidentiality }; +allow distributedsched distributedsched:process { fork getsched }; +allow distributedsched distributedsched:unix_dgram_socket { connect create write }; +allow distributedsched etc_file:lnk_file { read }; +allow distributedsched huks_service:binder { call }; +allow distributedsched init:fd { use }; +allow distributedsched init:netlink_kobject_uevent_socket { read write }; +allow distributedsched init:unix_dgram_socket { sendto }; +allow distributedsched init:unix_stream_socket { read write }; +allow distributedsched kernel:fd { use }; +allow distributedsched param_watcher:binder { call transfer }; +allow distributedsched proc_file:dir { search }; +allow distributedsched proc_file:lnk_file { read }; +allow distributedsched rootfs:dir { search }; +allow distributedsched samain_exec:file { entrypoint execute map read }; +allow distributedsched samgr:binder { call transfer }; +allow distributedsched softbus_server:binder { call transfer }; +allow distributedsched sys_file:dir { search }; +allow distributedsched sys_file:file { open read }; +allow distributedsched sys_file:lnk_file { read }; +allow distributedsched sysfs_block_file:dir { search }; +allow distributedsched system_etc_file:dir { getattr open read search }; +allow distributedsched system_etc_file:file { open read }; +allow distributedsched system_file:dir { search }; +allow distributedsched system_lib_file:dir { search }; +allow distributedsched system_lib_file:file { execute getattr map open read }; +allow distributedsched system_profile_file:dir { search }; +allow distributedsched system_profile_file:file { getattr open read }; +allow distributedsched system_usr_file:dir { search }; +allow distributedsched system_usr_file:file { getattr map open read }; +allow distributedsched tracefs:dir { search }; +allow distributedsched tracefs:file { open write }; +allow distributedsched vendor_file:dir { search }; +allow distributedsched vendor_file:file { execute getattr map open read }; +allow distributedsched vendor_file:lnk_file { read }; +allowxperm distributedsched dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm distributedsched dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/dslm_service.te b/sepolicy/base/rk3568/dslm_service.te new file mode 100644 index 0000000000000000000000000000000000000000..f77b552a24d392c0a539ce9fe6a7a5378f942818 --- /dev/null +++ b/sepolicy/base/rk3568/dslm_service.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow dslm_service debugfs:dir { search }; +allow dslm_service dev_at_file:chr_file { ioctl open read write }; +allow dslm_service dev_binder_file:chr_file { ioctl map open read write }; +allow dslm_service dev_file:dir { search }; +allow dslm_service dev_null_file:chr_file { read write }; +allow dslm_service dev_parameters_file:dir { search }; +allow dslm_service dev_parameters_file:file { map open read }; +allow dslm_service dev_random_file:chr_file { open read }; +allow dslm_service dev_unix_file:dir { search }; +allow dslm_service dev_unix_socket_file:dir { search }; +allow dslm_service dev_unix_socket_file:sock_file { write }; +allow dslm_service dslm_service:dir { search }; +allow dslm_service dslm_service:lnk_file { read }; +allow dslm_service dslm_service:process { fork getsched }; +allow dslm_service dslm_service:unix_dgram_socket { connect create write }; +allow dslm_service etc_file:lnk_file { read }; +allow dslm_service huks_service:binder { call }; +allow dslm_service init:fd { use }; +allow dslm_service init:netlink_kobject_uevent_socket { read write }; +allow dslm_service init:unix_dgram_socket { sendto }; +allow dslm_service init:unix_stream_socket { read write }; +allow dslm_service kernel:fd { use }; +allow dslm_service proc_file:dir { search }; +allow dslm_service proc_file:lnk_file { read }; +allow dslm_service rootfs:dir { search }; +allow dslm_service samain_exec:file { entrypoint execute map read }; +allow dslm_service samgr:binder { call transfer }; +allow dslm_service softbus_server:binder { call transfer }; +allow dslm_service system_etc_file:dir { search }; +allow dslm_service system_etc_file:file { open read }; +allow dslm_service system_file:dir { search }; +allow dslm_service system_lib_file:dir { search }; +allow dslm_service system_lib_file:file { execute getattr map open read }; +allow dslm_service system_profile_file:dir { search }; +allow dslm_service system_profile_file:file { getattr open read }; +allowxperm dslm_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm dslm_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/face_service.te b/sepolicy/base/rk3568/face_service.te new file mode 100644 index 0000000000000000000000000000000000000000..e075b4e6137e9538feb20db8e09323ec9b21a91f --- /dev/null +++ b/sepolicy/base/rk3568/face_service.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow face_service data_file:dir { search }; +allow face_service data_init_agent:dir { search }; +allow face_service debugfs:dir { search }; +allow face_service dev_at_file:chr_file { ioctl open read write }; +allow face_service dev_binder_file:chr_file { ioctl map open read write }; +allow face_service dev_file:dir { search }; +allow face_service dev_null_file:chr_file { read write }; +allow face_service dev_parameters_file:dir { search }; +allow face_service dev_parameters_file:file { map open read }; +allow face_service dev_random_file:chr_file { open read }; +allow face_service dev_unix_file:dir { search }; +allow face_service dev_unix_socket_file:dir { search }; +allow face_service dev_unix_socket_file:sock_file { write }; +allow face_service etc_file:lnk_file { read }; +allow face_service face_service:dir { search }; +allow face_service face_service:lnk_file { read }; +allow face_service face_service:process { fork getsched }; +allow face_service face_service:unix_dgram_socket { connect create write }; +allow face_service init:fd { use }; +allow face_service init:netlink_kobject_uevent_socket { read write }; +allow face_service init:unix_dgram_socket { sendto }; +allow face_service init:unix_stream_socket { read write }; +allow face_service kernel:fd { use }; +allow face_service param_watcher:binder { call transfer }; +allow face_service proc_file:dir { search }; +allow face_service proc_file:lnk_file { read }; +allow face_service rootfs:dir { search }; +allow face_service samain_exec:file { entrypoint execute map read }; +allow face_service samgr:binder { call transfer }; +allow face_service system_etc_file:dir { search }; +allow face_service system_etc_file:file { open read }; +allow face_service system_file:dir { search }; +allow face_service system_lib_file:dir { search }; +allow face_service system_lib_file:file { execute getattr map open read }; +allow face_service system_profile_file:dir { search }; +allow face_service system_profile_file:file { getattr open read }; +allow face_service useriam:binder { call transfer }; +allow face_service vendor_file:dir { search }; +allow face_service vendor_file:file { execute getattr map open read }; +allow face_service vendor_file:lnk_file { read }; +allowxperm face_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm face_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/faultloggerd.te b/sepolicy/base/rk3568/faultloggerd.te new file mode 100644 index 0000000000000000000000000000000000000000..5ebe7a86b054984c80487bbf650c14342007e4e0 --- /dev/null +++ b/sepolicy/base/rk3568/faultloggerd.te @@ -0,0 +1,44 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow faultloggerd accountmgr:process { signal }; +allow faultloggerd data_file:dir { search }; +allow faultloggerd data_log:dir { add_name open read remove_name search setattr write }; +allow faultloggerd data_log:file { create read write open setattr unlink }; +allow faultloggerd dev_file:dir { search }; +allow faultloggerd dev_null_file:chr_file { read write }; +allow faultloggerd dev_parameters_file:dir { search }; +allow faultloggerd dev_parameters_file:file { map open read }; +allow faultloggerd dev_unix_file:dir { search }; +allow faultloggerd dev_unix_socket_file:dir { add_name search write }; +allow faultloggerd dev_unix_socket_file:sock_file { create setattr write }; +allow faultloggerd etc_file:lnk_file { read }; +allow faultloggerd faultloggerd:capability { fowner kill }; +allow faultloggerd faultloggerd_exec:file { entrypoint execute map read }; +allow faultloggerd faultloggerd:process { fork }; +allow faultloggerd faultloggerd:unix_dgram_socket { connect create write }; +allow faultloggerd faultloggerd:unix_stream_socket { accept bind create listen read setopt write }; +allow faultloggerd foundation:process { signal }; +allow faultloggerd init:fd { use }; +allow faultloggerd init:netlink_kobject_uevent_socket { read write }; +allow faultloggerd init:unix_dgram_socket { sendto }; +allow faultloggerd init:unix_stream_socket { read write }; +allow faultloggerd kernel:fd { use }; +allow faultloggerd normal_hap_domain:process { signal }; +allow faultloggerd priv_hap_domain:process { signal }; +allow faultloggerd rootfs:dir { search }; +allow faultloggerd system_etc_file:dir { search }; +allow faultloggerd system_etc_file:file { open read }; +allow faultloggerd system_file:dir { search }; +allow faultloggerd system_lib_file:dir { search }; +allow faultloggerd system_lib_file:file { execute getattr map open read }; diff --git a/sepolicy/base/rk3568/filesystem.te b/sepolicy/base/rk3568/filesystem.te new file mode 100644 index 0000000000000000000000000000000000000000..5ab795320a74628b72a066d54a81482216a41d06 --- /dev/null +++ b/sepolicy/base/rk3568/filesystem.te @@ -0,0 +1,75 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow cgroup cgroup:filesystem { associate }; +allow config_file config_file:filesystem { associate }; +allow data_app_el1_file labeledfs:filesystem { associate }; +allow data_data_file labeledfs:filesystem { associate }; +allow data_file labeledfs:filesystem { associate }; +allow data_init_agent labeledfs:filesystem { associate }; +allow data_local labeledfs:filesystem { associate }; +allow data_log labeledfs:filesystem { associate }; +allow data_media labeledfs:filesystem { associate }; +allow data_misc_ce labeledfs:filesystem { associate }; +allow data_misc_de labeledfs:filesystem { associate }; +allow data_misc labeledfs:filesystem { associate }; +allow data_service_el1_file labeledfs:filesystem { associate }; +allow data_system_ce labeledfs:filesystem { associate }; +allow data_system labeledfs:filesystem { associate }; +allow dev_ashmem_file tmpfs:filesystem { associate }; +allow dev_at_file tmpfs:filesystem { associate }; +allow dev_binder_file tmpfs:filesystem { associate }; +allow dev_block_file tmpfs:filesystem { associate }; +allow dev_bus_usb_file tmpfs:filesystem { associate }; +allow dev_console_file tmpfs:filesystem { associate }; +allow dev_cpu_dma_latency_file tmpfs:filesystem { associate }; +allow dev_dma_heap_file tmpfs:filesystem { associate }; +allow dev_dri_file tmpfs:filesystem { associate }; +allow dev_file tmpfs:filesystem { associate }; +allow dev_fscklogs_file tmpfs:filesystem { associate }; +allow dev_fuse_file tmpfs:filesystem { associate }; +allow dev_graphics_file tmpfs:filesystem { associate }; +allow dev_hdf_file tmpfs:filesystem { associate }; +allow dev_hwbinder_file tmpfs:filesystem { associate }; +allow device device:filesystem { associate }; +allow dev_iio_file tmpfs:filesystem { associate }; +allow dev_input_file tmpfs:filesystem { associate }; +allow dev_kmsg_file tmpfs:filesystem { associate }; +allow dev_loop_control_file tmpfs:filesystem { associate }; +allow dev_media_file tmpfs:filesystem { associate }; +allow dev_mgr_file tmpfs:filesystem { associate }; +allow dev_null_file tmpfs:filesystem { associate }; +allow dev_parameters_file tmpfs:filesystem { associate }; +allow dev_pts_file devpts:filesystem { associate }; +allow dev_random_file tmpfs:filesystem { associate }; +allow dev_rpmb_file tmpfs:filesystem { associate }; +allow dev_rtc_file tmpfs:filesystem { associate }; +allow dev_svc_mgr_file tmpfs:filesystem { associate }; +allow dev_tee_file tmpfs:filesystem { associate }; +allow dev_ubi_file tmpfs:filesystem { associate }; +allow dev_uhid_file tmpfs:filesystem { associate }; +allow dev_unix_file tmpfs:filesystem { associate }; +allow dev_unix_socket_file tmpfs:filesystem { associate }; +allow dev_vcs_file tmpfs:filesystem { associate }; +allow dev_v_file tmpfs:filesystem { associate }; +allow dev_vhci_file tmpfs:filesystem { associate }; +allow dev_video_file tmpfs:filesystem { associate }; +allow dev_vndbinder_file tmpfs:filesystem { associate }; +allow dev_watchdog_file tmpfs:filesystem { associate }; +allow dev_zero_file tmpfs:filesystem { associate }; +allow normal_hap_data_file labeledfs:filesystem { associate }; +allow platform_hap_data_file labeledfs:filesystem { associate }; +allow priv_hap_data_file labeledfs:filesystem { associate }; +allow sys_file sys_file:filesystem { associate }; +allow tmpfs tmpfs:filesystem { associate }; +allow tty_device tmpfs:filesystem { associate }; diff --git a/sepolicy/base/rk3568/fms_service.te b/sepolicy/base/rk3568/fms_service.te new file mode 100644 index 0000000000000000000000000000000000000000..111d28563bff7e86e1a411821d25ada70815bb82 --- /dev/null +++ b/sepolicy/base/rk3568/fms_service.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow fms_service debugfs:dir { search }; +allow fms_service dev_at_file:chr_file { ioctl open read write }; +allow fms_service dev_binder_file:chr_file { ioctl map open read write }; +allow fms_service dev_file:dir { search }; +allow fms_service dev_null_file:chr_file { read write }; +allow fms_service dev_parameters_file:dir { search }; +allow fms_service dev_parameters_file:file { map open read }; +allow fms_service dev_random_file:chr_file { open read }; +allow fms_service dev_unix_file:dir { search }; +allow fms_service dev_unix_socket_file:dir { search }; +allow fms_service dev_unix_socket_file:sock_file { write }; +allow fms_service etc_file:lnk_file { read }; +allow fms_service fms_service:dir { search }; +allow fms_service fms_service:lnk_file { read }; +allow fms_service fms_service:process { fork getsched }; +allow fms_service fms_service:unix_dgram_socket { connect create write }; +allow fms_service foundation:binder { call transfer }; +allow fms_service init:fd { use }; +allow fms_service init:netlink_kobject_uevent_socket { read write }; +allow fms_service init:unix_dgram_socket { sendto }; +allow fms_service init:unix_stream_socket { read write }; +allow fms_service kernel:fd { use }; +allow fms_service proc_file:dir { search }; +allow fms_service proc_file:lnk_file { read }; +allow fms_service rootfs:dir { search }; +allow fms_service samain_exec:file { entrypoint execute map read }; +allow fms_service samgr:binder { call transfer }; +allow fms_service system_etc_file:dir { getattr open read search }; +allow fms_service system_etc_file:file { open read }; +allow fms_service system_file:dir { search }; +allow fms_service system_lib_file:dir { search }; +allow fms_service system_lib_file:file { execute getattr map open read }; +allow fms_service system_profile_file:dir { search }; +allow fms_service system_profile_file:file { getattr open read }; +allow fms_service system_usr_file:dir { search }; +allow fms_service system_usr_file:file { getattr map open read }; +allow fms_service vendor_file:dir { search }; +allow fms_service vendor_file:file { execute getattr map open read }; +allow fms_service vendor_file:lnk_file { read }; +allowxperm fms_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm fms_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/foundation.te b/sepolicy/base/rk3568/foundation.te new file mode 100644 index 0000000000000000000000000000000000000000..82e57983284b8fe48ca3ba276d0d4ffcc24421a0 --- /dev/null +++ b/sepolicy/base/rk3568/foundation.te @@ -0,0 +1,127 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow foundation accessibility:binder { call }; +allow foundation accesstoken_service:binder { call }; +allow foundation accountmgr:binder { call transfer }; +allow foundation appspawn:unix_stream_socket { connectto }; +allow foundation battery_stats:binder { call }; +allow foundation bgtaskmgr_service:binder { call transfer }; +allow foundation config_file:dir { add_name create getattr search write }; +allow foundation config_file:file { open write }; +allow foundation data_file:dir { search }; +allow foundation data_file:file { getattr }; +allow foundation data_init_agent:dir { search }; +allow foundation data_log:file { read write }; +allow foundation data_service_el1_file:dir { add_name open read remove_name search write }; +allow foundation data_service_el1_file:file { create getattr ioctl open read unlink write write open }; +allow foundation data_service_file:dir { search }; +allow foundation data_system_ce:dir { add_name search write }; +allow foundation data_system_ce:file { create getattr ioctl lock map open read write }; +allow foundation data_system:dir { add_name open read remove_name search write }; +allow foundation data_system:file { create getattr ioctl lock open read write read write open unlink }; +allow foundation debugfs:dir { search }; +allow foundation dev_ashmem_file:chr_file { getattr ioctl map open read write }; +allow foundation dev_at_file:chr_file { ioctl open read write }; +allow foundation dev_binder_file:chr_file { ioctl map open read write }; +allow foundation dev_file:dir { search }; +allow foundation deviceauth_service:binder { call transfer }; +allow foundation device_usage_statistics_service:binder { call transfer }; +allow foundation dev_null_file:chr_file { open read write }; +allow foundation dev_parameters_file:dir { search }; +allow foundation dev_parameters_file:file { map open read }; +allow foundation dev_random_file:chr_file { open read }; +allow foundation dev_unix_file:dir { search }; +allow foundation dev_unix_socket_file:dir { search }; +allow foundation dev_unix_socket_file:sock_file { write }; +allow foundation distributeddata:binder { call transfer }; +allow foundation distributedfile:binder { call }; +allow foundation distributedhardware_fwk:binder { call }; +allow foundation etc_file:lnk_file { read }; +allow foundation faultloggerd:fd { use }; +allow foundation faultloggerd:unix_stream_socket { connectto }; +allow foundation fms_service:binder { call }; +allow foundation foundation:dir { getattr open read search }; +allow foundation foundation:fifo_file { read write }; +allow foundation foundation:file { getattr open read }; +allow foundation foundation:lnk_file { read }; +allow foundation foundation:lockdown { confidentiality }; +allow foundation foundation:process { fork getcap getsched ptrace setcap setsched }; +allow foundation foundation:unix_dgram_socket { connect create getopt setopt write }; +allow foundation foundation:unix_stream_socket { connect create read setopt write }; +allow foundation hdf_devmgr:binder { call }; +allow foundation huks_service:binder { call }; +allow foundation init:binder { call }; +allow foundation init:fd { use }; +allow foundation init:netlink_kobject_uevent_socket { read write }; +allow foundation init:unix_dgram_socket { sendto }; +allow foundation init:unix_stream_socket { read write }; +allow foundation inputmethod_service:binder { call }; +allow foundation kernel:fd { use }; +allow foundation kernel:unix_stream_socket { connectto }; +allow foundation lib_file:lnk_file { read }; +allow foundation memmgrservice:binder { call transfer }; +allow foundation multimodalinput:binder { call }; +allow foundation multimodalinput:fd { use }; +allow foundation multimodalinput:unix_stream_socket { read write write }; +allow foundation normal_hap_domain:binder { call transfer }; +allow foundation param_watcher:binder { call transfer }; +allow foundation platform_hap_domain:binder { call transfer }; +allow foundation power_host:binder { call transfer }; +allow foundation priv_hap_domain:binder { call transfer }; +allow foundation proc_file:dir { search }; +allow foundation proc_file:file { open read }; +allow foundation proc_file:lnk_file { read }; +allow foundation render_service:binder { call transfer }; +allow foundation render_service:fd { use }; +allow foundation resource_schedule_service:binder { call transfer }; +allow foundation rootfs:dir { getattr search }; +allow foundation samain_exec:file { entrypoint execute getattr map open read }; +allow foundation samgr:binder { call transfer }; +allow foundation sensors:binder { call }; +allow foundation softbus_server:binder { call transfer }; +allow foundation storage_manager:binder { call }; +allow foundation sys_file:dir { open read search }; +allow foundation sys_file:file { ioctl open read write }; +allow foundation sys_file:lnk_file { read }; +allow foundation system_bin_file:dir { search }; +allow foundation system_bin_file:file { execute execute_no_trans map read open }; +allow foundation system_etc_file:dir { getattr open read search }; +allow foundation system_etc_file:file { getattr open read }; +allow foundation system_file:dir { open read search }; +allow foundation system_file:file { getattr open read }; +allow foundation system_lib_file:dir { search }; +allow foundation system_lib_file:file { execute getattr map read open }; +allow foundation system_profile_file:dir { search }; +allow foundation system_profile_file:file { getattr open read }; +allow foundation system_usr_file:dir { search }; +allow foundation system_usr_file:file { getattr map open read }; +allow foundation telephony_sa:binder { call transfer }; +allow foundation thermal_sa:binder { call }; +allow foundation time_service:binder { call }; +allow foundation token_sync_service:binder { call }; +allow foundation tracefs:dir { search }; +allow foundation tracefs:file { open write }; +allow foundation upms:binder { call }; +allow foundation vendor_etc_file:dir { search }; +allow foundation vendor_file:dir { search }; +allow foundation vendor_file:file { execute getattr map open read }; +allow foundation vendor_file:lnk_file { read }; +allow foundation work_scheduler_service:binder { call }; +allowxperm foundation data_service_el1_file:file ioctl { 0x5413 }; +allowxperm foundation data_system_ce:file ioctl { 0xf50c }; +allowxperm foundation data_system:file ioctl { 0xf50c }; +allowxperm foundation dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7705 0x7706 }; +allowxperm foundation dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm foundation dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm foundation sys_file:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/hdcd.te b/sepolicy/base/rk3568/hdcd.te new file mode 100644 index 0000000000000000000000000000000000000000..7a2c6e8c25c643c3be016a7946db688c88257e27 --- /dev/null +++ b/sepolicy/base/rk3568/hdcd.te @@ -0,0 +1,686 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdcd accessibility:dir { getattr open read search }; +allow hdcd accessibility:file { getattr open read }; +allow hdcd accessibility:lnk_file { getattr read }; +allow hdcd accessibility:process { getattr }; +allow hdcd accessibility:unix_dgram_socket { getattr }; +allow hdcd accesstoken_service:dir { getattr open read search }; +allow hdcd accesstoken_service:file { getattr open read }; +allow hdcd accesstoken_service:lnk_file { getattr read }; +allow hdcd accesstoken_service:process { getattr }; +allow hdcd accesstoken_service:unix_dgram_socket { getattr }; +allow hdcd accountmgr:dir { getattr open read search }; +allow hdcd accountmgr:file { getattr open read }; +allow hdcd accountmgr:lnk_file { getattr read }; +allow hdcd accountmgr:process { getattr }; +allow hdcd accountmgr:unix_dgram_socket { getattr }; +allow hdcd appspawn:dir { getattr open read search }; +allow hdcd appspawn_exec:file { getattr }; +allow hdcd appspawn:file { getattr open read }; +allow hdcd appspawn:lnk_file { getattr read }; +allow hdcd appspawn:process { getattr }; +allow hdcd appspawn:unix_dgram_socket { getattr }; +allow hdcd appspawn:unix_stream_socket { getattr }; +allow hdcd audio_hdi_server_host:dir { getattr open read search }; +allow hdcd audio_hdi_server_host:file { getattr open read }; +allow hdcd audio_hdi_server_host:lnk_file { getattr read }; +allow hdcd audio_hdi_server_host:process { getattr }; +allow hdcd audio_hdi_server_host:unix_dgram_socket { getattr }; +allow hdcd audio_policy:dir { getattr open read search }; +allow hdcd audio_policy:fifo_file { getattr }; +allow hdcd audio_policy:file { getattr open read }; +allow hdcd audio_policy:lnk_file { getattr read }; +allow hdcd audio_policy:process { getattr }; +allow hdcd audio_policy:unix_dgram_socket { getattr }; +allow hdcd audio_policy:unix_stream_socket { getattr }; +allow hdcd battery_stats:dir { getattr open read search }; +allow hdcd battery_stats:file { getattr open read }; +allow hdcd battery_stats:lnk_file { getattr read }; +allow hdcd battery_stats:process { getattr }; +allow hdcd battery_stats:unix_dgram_socket { getattr }; +allow hdcd bgtaskmgr_service:dir { getattr open read search }; +allow hdcd bgtaskmgr_service:file { getattr open read }; +allow hdcd bgtaskmgr_service:lnk_file { getattr read }; +allow hdcd bgtaskmgr_service:process { getattr }; +allow hdcd bgtaskmgr_service:unix_dgram_socket { getattr }; +allow hdcd blue_host:dir { getattr open read search }; +allow hdcd blue_host:file { getattr open read }; +allow hdcd blue_host:lnk_file { getattr read }; +allow hdcd blue_host:process { getattr }; +allow hdcd blue_host:unix_dgram_socket { getattr }; +allow hdcd bluetooth_service:dir { getattr open read search }; +allow hdcd bluetooth_service:file { getattr open read }; +allow hdcd bluetooth_service:lnk_file { getattr read }; +allow hdcd bluetooth_service:process { getattr }; +allow hdcd bluetooth_service:unix_dgram_socket { getattr }; +allow hdcd camera_host:dir { getattr open read search }; +allow hdcd camera_host:file { getattr open read }; +allow hdcd camera_host:lnk_file { getattr read }; +allow hdcd camera_host:netlink_kobject_uevent_socket { getattr }; +allow hdcd camera_host:process { getattr }; +allow hdcd camera_host:unix_dgram_socket { getattr }; +allow hdcd camera_service:dir { getattr open read search }; +allow hdcd camera_service:file { getattr open read }; +allow hdcd camera_service:lnk_file { getattr read }; +allow hdcd camera_service:process { getattr }; +allow hdcd camera_service:unix_dgram_socket { getattr }; +allow hdcd cgroup:dir { getattr open read search }; +allow hdcd cgroup:file { getattr }; +allow hdcd cgroup:filesystem { getattr }; +allow hdcd config_file:dir { getattr open read search }; +allow hdcd config_file:file { getattr }; +allow hdcd config_file:filesystem { getattr }; +allow hdcd config_file:lnk_file { getattr read }; +allow hdcd data_appasec:dir { getattr open read search }; +allow hdcd data_app_el1_file:dir { getattr open read search }; +allow hdcd data_app_el1_file:file { getattr }; +allow hdcd data_app_el2_file:dir { getattr open read search }; +allow hdcd data_app_el3_file:dir { getattr open read search }; +allow hdcd data_app_el4_file:dir { getattr open read search }; +allow hdcd data_appephemeral:dir { getattr open read search }; +allow hdcd data_app_file:dir { getattr open read search }; +allow hdcd data_applib:dir { getattr open read search }; +allow hdcd data_appprivate:dir { getattr open read search }; +allow hdcd data_appstaging:dir { getattr open read search }; +allow hdcd data_backup:dir { getattr open read search }; +allow hdcd data_bluetooth:dir { getattr open read search }; +allow hdcd data_bluetooth:file { getattr }; +allow hdcd data_bootchart:dir { getattr open read search }; +allow hdcd data_cache:dir { getattr open read search }; +allow hdcd data_chipset_el1_file:dir { getattr open read search }; +allow hdcd data_chipset_el2_file:dir { getattr open read search }; +allow hdcd data_chipset_file:dir { getattr open read search }; +allow hdcd data_data_file:dir { getattr open read search }; +allow hdcd data_data_file:file { getattr }; +allow hdcd data_dhcp:dir { getattr open read search }; +allow hdcd data_drm:dir { getattr open read search }; +allow hdcd data_file:dir { add_name getattr open read search write }; +allow hdcd data_file:file { create getattr open read write }; +allow hdcd data_file:sock_file { getattr }; +allow hdcd data_init_agent:dir { getattr open read search }; +allow hdcd data_init_agent:file { getattr ioctl open read append }; +allow hdcd data_local:dir { getattr open read search }; +allow hdcd data_local:file { append getattr ioctl open }; +allow hdcd data_log:dir { getattr open read search }; +allow hdcd data_log:file { getattr }; +allow hdcd data_media:dir { getattr open read search }; +allow hdcd data_mediadrm:dir { getattr open read search }; +allow hdcd data_misc_ce:dir { getattr open read search }; +allow hdcd data_misc_ce:file { getattr }; +allow hdcd data_misc_de:dir { getattr open read search }; +allow hdcd data_misc_de:file { getattr }; +allow hdcd data_misc:dir { getattr open read search }; +allow hdcd data_misc:file { getattr }; +allow hdcd data_misc:sock_file { getattr }; +allow hdcd data_nfc:dir { getattr open read search }; +allow hdcd data_ota:dir { getattr open read search }; +allow hdcd data_ota_package:dir { getattr open read search }; +allow hdcd data_preloads:dir { getattr open read search }; +allow hdcd data_resourcecache:dir { getattr open read search }; +allow hdcd data_sadata_de:dir { getattr open read search }; +allow hdcd data_service_el0_file:dir { getattr open read search }; +allow hdcd data_service_el0_file:file { getattr }; +allow hdcd data_service_el1_file:dir { getattr open read search }; +allow hdcd data_service_el1_file:file { getattr }; +allow hdcd data_service_el2_file:dir { getattr open read search }; +allow hdcd data_service_file:dir { getattr open read search }; +allow hdcd data_ss:dir { getattr open read search }; +allow hdcd data_system_ce:dir { getattr open read search }; +allow hdcd data_system_ce:file { getattr }; +allow hdcd data_system_de:dir { getattr open read search }; +allow hdcd data_system:dir { getattr open read search }; +allow hdcd data_system:file { getattr }; +allow hdcd data_user_de:dir { getattr open read search }; +allow hdcd data_user:dir { getattr open read search }; +allow hdcd data_user:lnk_file { getattr read }; +allow hdcd data_vendor_ce:dir { getattr open read search }; +allow hdcd data_vendor_de:dir { getattr open read search }; +allow hdcd data_vendor:dir { getattr open read search }; +allow hdcd debugfs:dir { getattr open read search }; +allow hdcd debugfs:file { getattr }; +allow hdcd debugfs:filesystem { getattr }; +allow hdcd debugfs:lnk_file { getattr read }; +allow hdcd dev_ashmem_file:chr_file { getattr }; +allow hdcd dev_at_file:chr_file { getattr }; +allow hdcd dev_binder_file:chr_file { getattr }; +allow hdcd dev_block_file:blk_file { getattr }; +allow hdcd dev_block_file:dir { getattr open read search }; +allow hdcd dev_block_file:lnk_file { getattr read }; +allow hdcd dev_bus_usb_file:chr_file { getattr }; +allow hdcd dev_bus_usb_file:dir { getattr open read search }; +allow hdcd dev_console_file:chr_file { getattr }; +allow hdcd dev_cpu_dma_latency_file:chr_file { getattr }; +allow hdcd dev_dma_heap_file:chr_file { getattr }; +allow hdcd dev_dma_heap_file:dir { getattr open read search }; +allow hdcd dev_dri_file:chr_file { getattr }; +allow hdcd dev_dri_file:dir { getattr open read search }; +allow hdcd dev_dri_file:lnk_file { getattr read }; +allow hdcd dev_file:chr_file { getattr ioctl open read write }; +allow hdcd dev_file:dir { getattr open read search }; +allow hdcd dev_file:file { getattr }; +allow hdcd dev_file:lnk_file { getattr read }; +allow hdcd dev_fscklogs_file:dir { getattr open read search }; +allow hdcd dev_fuse_file:chr_file { getattr }; +allow hdcd dev_graphics_file:chr_file { getattr }; +allow hdcd dev_graphics_file:dir { getattr open read search }; +allow hdcd dev_hdf_file:chr_file { getattr }; +allow hdcd dev_hwbinder_file:chr_file { getattr }; +allow hdcd deviceauth_service:dir { getattr open read search }; +allow hdcd deviceauth_service_exec:file { getattr }; +allow hdcd deviceauth_service:file { getattr open read }; +allow hdcd deviceauth_service:lnk_file { getattr read }; +allow hdcd deviceauth_service:process { getattr }; +allow hdcd deviceauth_service:unix_dgram_socket { getattr }; +allow hdcd device:dir { getattr }; +allow hdcd deviceinfoservice:dir { getattr open read search }; +allow hdcd deviceinfoservice:file { getattr open read }; +allow hdcd deviceinfoservice:lnk_file { getattr read }; +allow hdcd deviceinfoservice:process { getattr }; +allow hdcd deviceinfoservice:unix_dgram_socket { getattr }; +allow hdcd device_usage_statistics_service:dir { getattr open read search }; +allow hdcd device_usage_statistics_service:file { getattr open read }; +allow hdcd device_usage_statistics_service:lnk_file { getattr read }; +allow hdcd device_usage_statistics_service:process { getattr }; +allow hdcd device_usage_statistics_service:unix_dgram_socket { getattr }; +allow hdcd dev_iio_file:chr_file { getattr }; +allow hdcd dev_input_file:chr_file { getattr }; +allow hdcd dev_input_file:dir { getattr open read search }; +allow hdcd dev_input_file:lnk_file { getattr read }; +allow hdcd dev_kmsg_file:chr_file { getattr }; +allow hdcd dev_loop_control_file:chr_file { getattr }; +allow hdcd dev_media_file:chr_file { getattr }; +allow hdcd dev_mgr_file:chr_file { getattr }; +allow hdcd dev_null_file:chr_file { getattr ioctl open read write }; +allow hdcd dev_parameters_file:dir { getattr open read search }; +allow hdcd dev_parameters_file:file { getattr map open read }; +allow hdcd devpts:chr_file { getattr ioctl open read write }; +allow hdcd dev_pts_file:chr_file { getattr }; +allow hdcd dev_pts_file:dir { getattr open read search }; +allow hdcd devpts:filesystem { getattr }; +allow hdcd dev_random_file:chr_file { getattr }; +allow hdcd dev_rpmb_file:chr_file { getattr }; +allow hdcd dev_rtc_file:chr_file { getattr }; +allow hdcd dev_svc_mgr_file:chr_file { getattr }; +allow hdcd dev_tee_file:chr_file { getattr }; +allow hdcd dev_ubi_file:chr_file { getattr }; +allow hdcd dev_uhid_file:chr_file { getattr }; +allow hdcd dev_unix_file:dir { getattr open read search }; +allow hdcd dev_unix_socket_file:dir { getattr open read search }; +allow hdcd dev_unix_socket_file:sock_file { getattr write }; +allow hdcd dev_vcs_file:chr_file { getattr }; +allow hdcd dev_v_file:chr_file { getattr }; +allow hdcd dev_vhci_file:chr_file { getattr }; +allow hdcd dev_video_file:chr_file { getattr }; +allow hdcd dev_vndbinder_file:chr_file { getattr }; +allow hdcd dev_watchdog_file:chr_file { getattr }; +allow hdcd dev_zero_file:chr_file { getattr }; +allow hdcd display_gralloc_host:dir { getattr open read search }; +allow hdcd display_gralloc_host:file { getattr open read }; +allow hdcd display_gralloc_host:lnk_file { getattr read }; +allow hdcd display_gralloc_host:process { getattr }; +allow hdcd display_gralloc_host:unix_dgram_socket { getattr }; +allow hdcd distributeddata:dir { getattr open read search }; +allow hdcd distributeddata:file { getattr open read }; +allow hdcd distributeddata:lnk_file { getattr read }; +allow hdcd distributeddata:process { getattr }; +allow hdcd distributeddata:unix_dgram_socket { getattr }; +allow hdcd distributedfile:dir { getattr open read search }; +allow hdcd distributedfile:file { getattr open read }; +allow hdcd distributedfile:lnk_file { getattr read }; +allow hdcd distributedfile:process { getattr }; +allow hdcd distributedfile:unix_dgram_socket { getattr }; +allow hdcd distributedhardware_fwk:dir { getattr open read search }; +allow hdcd distributedhardware_fwk:file { getattr open read }; +allow hdcd distributedhardware_fwk:lnk_file { getattr read }; +allow hdcd distributedhardware_fwk:process { getattr }; +allow hdcd distributedhardware_fwk:unix_dgram_socket { getattr }; +allow hdcd distributedsched:dir { getattr open read search }; +allow hdcd distributedsched:file { getattr open read }; +allow hdcd distributedsched:lnk_file { getattr read }; +allow hdcd distributedsched:process { getattr }; +allow hdcd distributedsched:unix_dgram_socket { getattr }; +allow hdcd dslm_service:dir { getattr open read search }; +allow hdcd dslm_service:file { getattr open read }; +allow hdcd dslm_service:lnk_file { getattr read }; +allow hdcd dslm_service:process { getattr }; +allow hdcd dslm_service:unix_dgram_socket { getattr }; +allow hdcd etc_file:lnk_file { getattr read }; +allow hdcd face_service:dir { getattr open read search }; +allow hdcd face_service:file { getattr open read }; +allow hdcd face_service:lnk_file { getattr read }; +allow hdcd face_service:process { getattr }; +allow hdcd face_service:unix_dgram_socket { getattr }; +allow hdcd faultloggerd:dir { getattr open read search }; +allow hdcd faultloggerd_exec:file { getattr }; +allow hdcd faultloggerd:file { getattr open read }; +allow hdcd faultloggerd:lnk_file { getattr read }; +allow hdcd faultloggerd:process { getattr }; +allow hdcd faultloggerd:unix_dgram_socket { getattr }; +allow hdcd faultloggerd:unix_stream_socket { getattr }; +allow hdcd fms_service:dir { getattr open read search }; +allow hdcd fms_service:file { getattr open read }; +allow hdcd fms_service:lnk_file { getattr read }; +allow hdcd fms_service:process { getattr }; +allow hdcd fms_service:unix_dgram_socket { getattr }; +allow hdcd foundation:dir { getattr open read search }; +allow hdcd foundation:file { getattr open read }; +allow hdcd foundation:lnk_file { getattr read }; +allow hdcd foundation:process { getattr }; +allow hdcd foundation:unix_dgram_socket { getattr }; +allow hdcd foundation:unix_stream_socket { getattr }; +allow hdcd functionfs:dir { getattr open read search }; +allow hdcd functionfs:file { getattr open read write }; +allow hdcd functionfs:filesystem { getattr }; +allow hdcd hdcd:capability2 { checkpoint_restore }; +allow hdcd hdcd:capability { dac_override dac_read_search sys_admin sys_ptrace }; +allow hdcd hdcd:dir { getattr open read search }; +allow hdcd hdcd_exec:file { entrypoint execute getattr map read }; +allow hdcd hdcd:fifo_file { getattr write }; +allow hdcd hdcd:file { getattr open read write }; +allow hdcd hdcd:lnk_file { getattr read }; +allow hdcd hdcd:process { fork getattr setpgid }; +allow hdcd hdcd:unix_dgram_socket { connect create write }; +allow hdcd hdcd:unix_stream_socket { accept bind connect create getattr ioctl listen read setopt write }; +allow hdcd hdf_devmgr:dir { getattr open read search }; +allow hdcd hdf_devmgr:file { getattr open read }; +allow hdcd hdf_devmgr:lnk_file { getattr read }; +allow hdcd hdf_devmgr:process { getattr }; +allow hdcd hdf_devmgr:unix_dgram_socket { getattr }; +allow hdcd hdf_devmgr:unix_stream_socket { getattr }; +allow hdcd hilogd:dir { getattr open read search }; +allow hdcd hilogd_exec:file { getattr }; +allow hdcd hilogd:file { getattr open read }; +allow hdcd hilogd:lnk_file { getattr read }; +allow hdcd hilogd:process { getattr }; +allow hdcd hiview:dir { getattr open read search }; +allow hdcd hiview_exec:file { getattr }; +allow hdcd hiview:file { getattr open read }; +allow hdcd hiview:lnk_file { getattr read }; +allow hdcd hiview:process { getattr }; +allow hdcd hiview:unix_dgram_socket { getattr }; +allow hdcd hmdfs:dir { getattr open read search }; +allow hdcd hmdfs:filesystem { getattr }; +allow hdcd huks_service:dir { getattr open read search }; +allow hdcd huks_service:file { getattr open read }; +allow hdcd huks_service:lnk_file { getattr read }; +allow hdcd huks_service:process { getattr }; +allow hdcd huks_service:unix_dgram_socket { getattr }; +allow hdcd init:dir { getattr open read search }; +allow hdcd init:fd { use }; +allow hdcd init:file { getattr open read }; +allow hdcd init:lnk_file { getattr read }; +allow hdcd init:netlink_kobject_uevent_socket { getattr read write }; +allow hdcd init:process { getattr }; +allow hdcd init:unix_dgram_socket { getattr sendto }; +allow hdcd init:unix_stream_socket { getattr read write }; +allow hdcd inputmethod_service:dir { getattr open read search }; +allow hdcd inputmethod_service:file { getattr open read }; +allow hdcd inputmethod_service:lnk_file { getattr read }; +allow hdcd inputmethod_service:process { getattr }; +allow hdcd inputmethod_service:unix_dgram_socket { getattr }; +allow hdcd input_user_host:dir { getattr open read search }; +allow hdcd input_user_host:file { getattr open read }; +allow hdcd input_user_host:lnk_file { getattr read }; +allow hdcd input_user_host:process { getattr }; +allow hdcd input_user_host:unix_dgram_socket { getattr }; +allow hdcd installs:dir { getattr open read search }; +allow hdcd installs_exec:file { getattr }; +allow hdcd installs:file { getattr open read }; +allow hdcd installs:lnk_file { getattr read }; +allow hdcd installs:process { getattr }; +allow hdcd installs:unix_dgram_socket { getattr }; +allow hdcd kernel:dir { getattr open read search }; +allow hdcd kernel:fd { use }; +allow hdcd kernel:file { getattr open read }; +allow hdcd kernel:lnk_file { getattr read }; +allow hdcd kernel:process { getattr }; +allow hdcd kernel:unix_dgram_socket { getattr }; +allow hdcd kernel:unix_stream_socket { connectto getattr }; +allow hdcd labeledfs:filesystem { getattr remount }; +allow hdcd lib_file:lnk_file { getattr read }; +allow hdcd light_dal_host:dir { getattr open read search }; +allow hdcd light_dal_host:file { getattr open read }; +allow hdcd light_dal_host:lnk_file { getattr read }; +allow hdcd light_dal_host:process { getattr }; +allow hdcd light_dal_host:unix_dgram_socket { getattr }; +allow hdcd medialibrary_service:dir { getattr open read search }; +allow hdcd medialibrary_service:file { getattr open read }; +allow hdcd medialibrary_service:lnk_file { getattr read }; +allow hdcd medialibrary_service:process { getattr }; +allow hdcd medialibrary_service:unix_dgram_socket { getattr }; +allow hdcd media_service:dir { getattr open read search }; +allow hdcd media_service:file { getattr open read }; +allow hdcd media_service:lnk_file { getattr read }; +allow hdcd media_service:process { getattr }; +allow hdcd media_service:unix_dgram_socket { getattr }; +allow hdcd memmgrservice:dir { getattr open read search }; +allow hdcd memmgrservice:file { getattr open read }; +allow hdcd memmgrservice:lnk_file { getattr read }; +allow hdcd memmgrservice:process { getattr }; +allow hdcd memmgrservice:unix_dgram_socket { getattr }; +allow hdcd multimodalinput:dir { getattr open read search }; +allow hdcd multimodalinput:file { getattr open read }; +allow hdcd multimodalinput:lnk_file { getattr read }; +allow hdcd multimodalinput:netlink_kobject_uevent_socket { getattr }; +allow hdcd multimodalinput:process { getattr }; +allow hdcd multimodalinput:unix_dgram_socket { getattr }; +allow hdcd multimodalinput:unix_stream_socket { getattr }; +allow hdcd netmanager:dir { getattr open read search }; +allow hdcd netmanager:file { getattr open read }; +allow hdcd netmanager:lnk_file { getattr read }; +allow hdcd netmanager:netlink_route_socket { getattr }; +allow hdcd netmanager:process { getattr }; +allow hdcd netmanager:unix_dgram_socket { getattr }; +allow hdcd normal_hap_data_file:dir { getattr open read search }; +allow hdcd normal_hap_data_file:file { getattr }; +allow hdcd normal_hap_domain:dir { getattr open read search }; +allow hdcd normal_hap_domain:fifo_file { getattr }; +allow hdcd normal_hap_domain:file { getattr open read }; +allow hdcd normal_hap_domain:lnk_file { getattr read }; +allow hdcd normal_hap_domain:process { getattr }; +allow hdcd param_watcher:dir { getattr open read search }; +allow hdcd param_watcher:file { getattr open read }; +allow hdcd param_watcher:lnk_file { getattr read }; +allow hdcd param_watcher:process { getattr }; +allow hdcd param_watcher:unix_dgram_socket { getattr }; +allow hdcd param_watcher:unix_stream_socket { getattr }; +allow hdcd pinauth_service:dir { getattr open read search }; +allow hdcd pinauth_service:file { getattr open read }; +allow hdcd pinauth_service:lnk_file { getattr read }; +allow hdcd pinauth_service:process { getattr }; +allow hdcd pinauth_service:unix_dgram_socket { getattr }; +allow hdcd platform_hap_data_file:dir { getattr open read search }; +allow hdcd platform_hap_data_file:file { getattr }; +allow hdcd power_host:dir { getattr open read search }; +allow hdcd power_host:file { getattr open read }; +allow hdcd power_host:lnk_file { getattr read }; +allow hdcd power_host:netlink_kobject_uevent_socket { getattr }; +allow hdcd power_host:process { getattr }; +allow hdcd power_host:unix_dgram_socket { getattr }; +allow hdcd priv_hap_data_file:dir { getattr open read search }; +allow hdcd priv_hap_data_file:file { getattr }; +allow hdcd priv_hap_domain:dir { getattr open read search }; +allow hdcd priv_hap_domain:fifo_file { getattr }; +allow hdcd priv_hap_domain:file { getattr open read }; +allow hdcd priv_hap_domain:lnk_file { getattr read }; +allow hdcd priv_hap_domain:process { getattr }; +allow hdcd proc_bluetooth_file:dir { getattr open read search }; +allow hdcd proc_bluetooth_file:file { getattr }; +allow hdcd proc_buddyinfo_file:file { getattr }; +allow hdcd proc_bus_file:dir { getattr open read search }; +allow hdcd proc_bus_file:file { getattr }; +allow hdcd proc_cgroups_file:file { getattr }; +allow hdcd proc_cmdline_file:file { getattr }; +allow hdcd proc_config_gz_file:file { getattr }; +allow hdcd proc_cpuinfo_file:file { getattr }; +allow hdcd proc_diskstats_file:file { getattr }; +allow hdcd proc_dynamic_debug_file:dir { getattr open read search }; +allow hdcd proc_dynamic_debug_file:file { getattr }; +allow hdcd proc_file:dir { getattr open read search }; +allow hdcd proc_file:file { getattr open read }; +allow hdcd proc_file:filesystem { getattr }; +allow hdcd proc_file:lnk_file { getattr read }; +allow hdcd proc_filesystems_file:file { getattr }; +allow hdcd proc_fs_file:dir { getattr open read search }; +allow hdcd proc_fs_file:file { getattr }; +allow hdcd proc_interrupts_file:file { getattr }; +allow hdcd proc_iomem_file:file { getattr }; +allow hdcd proc_keys_file:file { getattr }; +allow hdcd proc_kmsg_file:file { getattr }; +allow hdcd proc_loadavg_file:file { getattr }; +allow hdcd proc_meminfo_file:file { getattr }; +allow hdcd proc_misc_file:file { getattr }; +allow hdcd proc_modules_file:file { getattr }; +allow hdcd proc_mpp_service_file:dir { getattr open read search }; +allow hdcd proc_mpp_service_file:file { getattr }; +allow hdcd proc_net:dir { getattr open read search }; +allow hdcd proc_net:file { getattr }; +allow hdcd proc_net_tcp_udp:file { getattr }; +allow hdcd proc_pagetypeinfo_file:file { getattr }; +allow hdcd proc_partitions_file:file { getattr }; +allow hdcd proc_rkisp_vir0_file:file { getattr }; +allow hdcd proc_slabinfo_file:file { getattr }; +allow hdcd proc_softirqs_file:file { getattr }; +allow hdcd proc_stat_file:file { getattr }; +allow hdcd proc_swaps_file:file { getattr }; +allow hdcd proc_sysrq_trigger_file:file { getattr }; +allow hdcd proc_timer_list_file:file { getattr }; +allow hdcd proc_uptime_file:file { getattr }; +allow hdcd proc_version_file:file { getattr }; +allow hdcd proc_vmallocinfo_file:file { getattr }; +allow hdcd proc_vmstat_file:file { getattr }; +allow hdcd proc_zoneinfo_file:file { getattr }; +allow hdcd pulseaudio:dir { getattr open read search }; +allow hdcd pulseaudio:fifo_file { getattr }; +allow hdcd pulseaudio:file { getattr open read }; +allow hdcd pulseaudio:lnk_file { getattr read }; +allow hdcd pulseaudio:process { getattr }; +allow hdcd pulseaudio:unix_dgram_socket { getattr }; +allow hdcd pulseaudio:unix_stream_socket { getattr }; +allow hdcd render_service:dir { getattr open read search }; +allow hdcd render_service_exec:file { getattr }; +allow hdcd render_service:file { getattr open read }; +allow hdcd render_service:lnk_file { getattr read }; +allow hdcd render_service:netlink_kobject_uevent_socket { getattr }; +allow hdcd render_service:process { getattr }; +allow hdcd render_service:unix_dgram_socket { getattr }; +allow hdcd render_service:unix_stream_socket { getattr }; +allow hdcd resource_schedule_service:dir { getattr open read search }; +allow hdcd resource_schedule_service:file { getattr open read }; +allow hdcd resource_schedule_service:lnk_file { getattr read }; +allow hdcd resource_schedule_service:process { getattr }; +allow hdcd resource_schedule_service:unix_dgram_socket { getattr }; +allow hdcd rootfs:dir { getattr open read search }; +allow hdcd rootfs:lnk_file { getattr read }; +allow hdcd samain_exec:file { getattr }; +allow hdcd samgr:dir { getattr open read search }; +allow hdcd samgr:file { getattr open read }; +allow hdcd samgr:lnk_file { getattr read }; +allow hdcd samgr:process { getattr }; +allow hdcd samgr:unix_dgram_socket { getattr }; +allow hdcd security:security { setenforce }; +allow hdcd selinuxfs:dir { getattr open read search }; +allow hdcd selinuxfs:file { getattr open read read write }; +allow hdcd selinuxfs:filesystem { getattr }; +allow hdcd sensor_dal_host:dir { getattr open read search }; +allow hdcd sensor_dal_host:file { getattr open read }; +allow hdcd sensor_dal_host:lnk_file { getattr read }; +allow hdcd sensor_dal_host:process { getattr }; +allow hdcd sensor_dal_host:unix_dgram_socket { getattr }; +allow hdcd sensors:dir { getattr open read search }; +allow hdcd sensors:file { getattr open read }; +allow hdcd sensors:lnk_file { getattr read }; +allow hdcd sensors:process { getattr }; +allow hdcd sensors:unix_dgram_socket { getattr }; +allow hdcd sh:dir { getattr open read search }; +allow hdcd sh_exec:file { execute execute_no_trans getattr map read open }; +allow hdcd sh:file { getattr open read }; +allow hdcd sh:lnk_file { getattr read }; +allow hdcd sh:process { getattr }; +allow hdcd socperf_service:dir { getattr open read search }; +allow hdcd socperf_service:file { getattr open read }; +allow hdcd socperf_service:lnk_file { getattr read }; +allow hdcd socperf_service:process { getattr }; +allow hdcd socperf_service:unix_dgram_socket { getattr }; +allow hdcd softbus_server:dir { getattr open read search }; +allow hdcd softbus_server:fifo_file { getattr }; +allow hdcd softbus_server:file { getattr open read }; +allow hdcd softbus_server:lnk_file { getattr read }; +allow hdcd softbus_server:netlink_route_socket { getattr }; +allow hdcd softbus_server:process { getattr }; +allow hdcd softbus_server:unix_dgram_socket { getattr }; +allow hdcd storage_daemon:dir { getattr open read search }; +allow hdcd storage_daemon_exec:file { getattr }; +allow hdcd storage_daemon:fifo_file { getattr }; +allow hdcd storage_daemon:file { getattr open read }; +allow hdcd storage_daemon:lnk_file { getattr read }; +allow hdcd storage_daemon:netlink_kobject_uevent_socket { getattr }; +allow hdcd storage_daemon:process { getattr }; +allow hdcd storage_daemon:unix_dgram_socket { getattr }; +allow hdcd storage_manager:dir { getattr open read search }; +allow hdcd storage_manager:file { getattr open read }; +allow hdcd storage_manager:lnk_file { getattr read }; +allow hdcd storage_manager:process { getattr }; +allow hdcd storage_manager:unix_dgram_socket { getattr }; +allow hdcd sys_file:dir { getattr open read search }; +allow hdcd sys_file:file { getattr }; +allow hdcd sys_file:filesystem { getattr }; +allow hdcd sys_file:lnk_file { getattr read }; +allow hdcd sysfs_block_file:dir { getattr open read search }; +allow hdcd system_bin_file:dir { getattr open read search }; +allow hdcd system_bin_file:file { execute execute_no_trans getattr map read open }; +allow hdcd system_bin_file:lnk_file { getattr read }; +allow hdcd system_etc_file:dir { getattr open read search }; +allow hdcd system_etc_file:file { getattr open read write }; +allow hdcd system_file:dir { getattr open read search }; +allow hdcd system_file:file { getattr }; +allow hdcd system_fonts_file:dir { getattr open read search }; +allow hdcd system_fonts_file:file { getattr }; +allow hdcd system_lib_file:dir { getattr open read search }; +allow hdcd system_lib_file:file { execute getattr map open read }; +allow hdcd system_lib_file:lnk_file { getattr read }; +allow hdcd system_profile_file:dir { getattr open read search }; +allow hdcd system_profile_file:file { getattr }; +allow hdcd system_usr_file:dir { getattr open read search }; +allow hdcd system_usr_file:file { getattr }; +allow hdcd telephony_sa:dir { getattr open read search }; +allow hdcd telephony_sa:file { getattr open read }; +allow hdcd telephony_sa:lnk_file { getattr read }; +allow hdcd telephony_sa:process { getattr }; +allow hdcd telephony_sa:unix_dgram_socket { getattr }; +allow hdcd thermal_sa:dir { getattr open read search }; +allow hdcd thermal_sa:file { getattr open read }; +allow hdcd thermal_sa:lnk_file { getattr read }; +allow hdcd thermal_sa:process { getattr }; +allow hdcd thermal_sa:unix_dgram_socket { getattr }; +allow hdcd time_service:dir { getattr open read search }; +allow hdcd time_service:file { getattr open read }; +allow hdcd time_service:lnk_file { getattr read }; +allow hdcd time_service:process { getattr }; +allow hdcd time_service:unix_dgram_socket { getattr }; +allow hdcd tmpfs:dir { getattr open read search }; +allow hdcd tmpfs:file { getattr }; +allow hdcd tmpfs:filesystem { getattr }; +allow hdcd tmpfs:lnk_file { getattr read }; +allow hdcd token_sync_service:dir { getattr open read search }; +allow hdcd token_sync_service:file { getattr open read }; +allow hdcd token_sync_service:lnk_file { getattr read }; +allow hdcd token_sync_service:process { getattr }; +allow hdcd token_sync_service:unix_dgram_socket { getattr }; +allow hdcd tracefs:dir { getattr open read search }; +allow hdcd tracefs:file { getattr }; +allow hdcd tracefs:filesystem { getattr }; +allow hdcd tty_device:chr_file { getattr ioctl open read write }; +allow hdcd udevadm_exec:file { getattr }; +allow hdcd udevd:dir { getattr open read search }; +allow hdcd udevd_exec:file { getattr }; +allow hdcd udevd:file { getattr open read }; +allow hdcd udevd:lnk_file { getattr read }; +allow hdcd udevd:netlink_kobject_uevent_socket { getattr }; +allow hdcd udevd:process { getattr }; +allow hdcd udevd:unix_dgram_socket { getattr }; +allow hdcd udevd:unix_stream_socket { getattr }; +allow hdcd ueventd_exec:file { getattr }; +allow hdcd uinput_inject:dir { getattr open read search }; +allow hdcd uinput_inject_exec:file { getattr }; +allow hdcd uinput_inject:file { getattr open read }; +allow hdcd uinput_inject:lnk_file { getattr read }; +allow hdcd uinput_inject:process { getattr }; +allow hdcd uinput_inject:unix_dgram_socket { getattr }; +allow hdcd ui_service:dir { getattr open read search }; +allow hdcd ui_service:file { getattr open read }; +allow hdcd ui_service:lnk_file { getattr read }; +allow hdcd ui_service:process { getattr }; +allow hdcd ui_service:unix_dgram_socket { getattr }; +allow hdcd unlabeled:dir { getattr open read search }; +allow hdcd unlabeled:file { getattr }; +allow hdcd unlabeled:filesystem { getattr }; +allow hdcd updater_file:dir { getattr open read search }; +allow hdcd updater_sa:dir { getattr open read search }; +allow hdcd updater_sa:file { getattr open read }; +allow hdcd updater_sa:lnk_file { getattr read }; +allow hdcd updater_sa:process { getattr }; +allow hdcd updater_sa:unix_dgram_socket { getattr }; +allow hdcd upms:dir { getattr open read search }; +allow hdcd upms:file { getattr open read }; +allow hdcd upms:lnk_file { getattr read }; +allow hdcd upms:process { getattr }; +allow hdcd upms:unix_dgram_socket { getattr }; +allow hdcd usbfnMaster_host:dir { getattr open read search }; +allow hdcd usbfnMaster_host:file { getattr open read }; +allow hdcd usbfnMaster_host:lnk_file { getattr read }; +allow hdcd usbfnMaster_host:process { getattr }; +allow hdcd usbfnMaster_host:unix_dgram_socket { getattr }; +allow hdcd usb_host:dir { getattr open read search }; +allow hdcd usb_host:file { getattr open read }; +allow hdcd usb_host:lnk_file { getattr read }; +allow hdcd usb_host:process { getattr }; +allow hdcd usb_host:unix_dgram_socket { getattr }; +allow hdcd usb_service:dir { getattr open read search }; +allow hdcd usb_service:file { getattr open read }; +allow hdcd usb_service:lnk_file { getattr read }; +allow hdcd usb_service:process { getattr }; +allow hdcd usb_service:unix_dgram_socket { getattr }; +allow hdcd useriam:dir { getattr open read search }; +allow hdcd useriam:file { getattr open read }; +allow hdcd useriam:lnk_file { getattr read }; +allow hdcd useriam:process { getattr }; +allow hdcd useriam:unix_dgram_socket { getattr }; +allow hdcd useriam:unix_stream_socket { getattr }; +allow hdcd vendor_etc_file:dir { getattr open read search }; +allow hdcd vendor_etc_file:file { getattr }; +allow hdcd vendor_file:dir { getattr open read search }; +allow hdcd vendor_file:file { getattr }; +allow hdcd vendor_file:lnk_file { getattr read }; +allow hdcd vibrator_dal_host:dir { getattr open read search }; +allow hdcd vibrator_dal_host:file { getattr open read }; +allow hdcd vibrator_dal_host:lnk_file { getattr read }; +allow hdcd vibrator_dal_host:process { getattr }; +allow hdcd vibrator_dal_host:unix_dgram_socket { getattr }; +allow hdcd watchdog_service:dir { getattr open read search }; +allow hdcd watchdog_service_exec:file { getattr }; +allow hdcd watchdog_service:file { getattr open read }; +allow hdcd watchdog_service:lnk_file { getattr read }; +allow hdcd watchdog_service:process { getattr }; +allow hdcd wifi_hal_service:dir { getattr open read search }; +allow hdcd wifi_hal_service_exec:file { getattr }; +allow hdcd wifi_hal_service:file { getattr open read }; +allow hdcd wifi_hal_service:lnk_file { getattr read }; +allow hdcd wifi_hal_service:process { getattr }; +allow hdcd wifi_hal_service:unix_dgram_socket { getattr }; +allow hdcd wifi_hal_service:unix_stream_socket { getattr }; +allow hdcd wifi_host:dir { getattr open read search }; +allow hdcd wifi_host:file { getattr open read }; +allow hdcd wifi_host:lnk_file { getattr read }; +allow hdcd wifi_host:process { getattr }; +allow hdcd wifi_host:unix_dgram_socket { getattr }; +allow hdcd wifi_manager_service:dir { getattr open read search }; +allow hdcd wifi_manager_service:file { getattr open read }; +allow hdcd wifi_manager_service:lnk_file { getattr read }; +allow hdcd wifi_manager_service:process { getattr }; +allow hdcd wifi_manager_service:unix_dgram_socket { getattr }; +allow hdcd wifi_manager_service:unix_stream_socket { getattr }; +allow hdcd work_scheduler_service:dir { getattr open read search }; +allow hdcd work_scheduler_service:file { getattr open read }; +allow hdcd work_scheduler_service:lnk_file { getattr read }; +allow hdcd work_scheduler_service:process { getattr }; +allow hdcd work_scheduler_service:unix_dgram_socket { getattr }; +allowxperm hdcd data_init_agent:file ioctl { 0x5413 }; +allowxperm hdcd data_local:file ioctl { 0x5413 }; +allowxperm hdcd dev_file:chr_file ioctl { 0x5430 0x5431 }; +allowxperm hdcd dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm hdcd devpts:chr_file ioctl { 0x5413 }; +allowxperm hdcd hdcd:unix_stream_socket ioctl { 0x5451 }; +allowxperm hdcd tty_device:chr_file ioctl { 0x5401 0x5403 0x540f 0x5410 0x5413 }; diff --git a/sepolicy/base/rk3568/hdf_devmgr.te b/sepolicy/base/rk3568/hdf_devmgr.te new file mode 100644 index 0000000000000000000000000000000000000000..fd84f35d77b92941452dd89b8cc46096f1f0859a --- /dev/null +++ b/sepolicy/base/rk3568/hdf_devmgr.te @@ -0,0 +1,79 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hdf_devmgr audio_hdi_server_host:binder { call transfer }; +allow hdf_devmgr audio_policy:binder { call }; +allow hdf_devmgr blue_host:binder { call transfer }; +allow hdf_devmgr camera_host:binder { call transfer }; +allow hdf_devmgr camera_service:binder { call transfer }; +allow hdf_devmgr data_file:dir { search }; +allow hdf_devmgr data_init_agent:dir { search }; +allow hdf_devmgr data_init_agent:file { ioctl open read append }; +allow hdf_devmgr debugfs:dir { search }; +allow hdf_devmgr dev_at_file:chr_file { ioctl open read write }; +allow hdf_devmgr dev_binder_file:chr_file { ioctl map open read write }; +allow hdf_devmgr dev_file:dir { search }; +allow hdf_devmgr dev_mgr_file:chr_file { getattr ioctl open read write }; +allow hdf_devmgr dev_null_file:chr_file { read write }; +allow hdf_devmgr dev_parameters_file:dir { search }; +allow hdf_devmgr dev_parameters_file:file { map open read }; +allow hdf_devmgr dev_unix_file:dir { search }; +allow hdf_devmgr dev_unix_socket_file:dir { search }; +allow hdf_devmgr dev_unix_socket_file:sock_file { write }; +allow hdf_devmgr display_gralloc_host:binder { call transfer }; +allow hdf_devmgr etc_file:lnk_file { read }; +allow hdf_devmgr foundation:binder { transfer }; +allow hdf_devmgr hdf_devmgr:dir { search }; +allow hdf_devmgr hdf_devmgr:lnk_file { read }; +allow hdf_devmgr hdf_devmgr:process { fork }; +allow hdf_devmgr hdf_devmgr:unix_dgram_socket { connect create write }; +allow hdf_devmgr hdf_devmgr:unix_stream_socket { connect create read setopt write }; +allow hdf_devmgr init:fd { use }; +allow hdf_devmgr init:netlink_kobject_uevent_socket { read write }; +allow hdf_devmgr init:unix_dgram_socket { sendto }; +allow hdf_devmgr init:unix_stream_socket { read write }; +allow hdf_devmgr input_user_host:binder { call transfer }; +allow hdf_devmgr kernel:fd { use }; +allow hdf_devmgr kernel:unix_stream_socket { connectto }; +allow hdf_devmgr light_dal_host:binder { call transfer }; +allow hdf_devmgr normal_hap_domain:binder { transfer }; +allow hdf_devmgr platform_hap_domain:binder { transfer }; +allow hdf_devmgr power_host:binder { call transfer }; +allow hdf_devmgr priv_hap_domain:binder { transfer }; +allow hdf_devmgr proc_file:dir { search }; +allow hdf_devmgr proc_file:lnk_file { read }; +allow hdf_devmgr pulseaudio:binder { transfer }; +allow hdf_devmgr render_service:binder { transfer }; +allow hdf_devmgr rootfs:dir { search }; +allow hdf_devmgr samgr:binder { call transfer }; +allow hdf_devmgr sensor_dal_host:binder { call transfer }; +allow hdf_devmgr sensors:binder { transfer }; +allow hdf_devmgr system_etc_file:dir { search }; +allow hdf_devmgr system_etc_file:file { open read }; +allow hdf_devmgr system_file:dir { search }; +allow hdf_devmgr system_lib_file:dir { search }; +allow hdf_devmgr system_lib_file:file { execute getattr map open read }; +allow hdf_devmgr thermal_sa:binder { transfer }; +allow hdf_devmgr usbfnMaster_host:binder { call transfer }; +allow hdf_devmgr usb_host:binder { call transfer }; +allow hdf_devmgr usb_service:binder { transfer }; +allow hdf_devmgr vendor_etc_file:dir { search }; +allow hdf_devmgr vendor_etc_file:file { getattr open read }; +allow hdf_devmgr vendor_file:dir { search }; +allow hdf_devmgr vendor_file:file { entrypoint execute getattr map open read }; +allow hdf_devmgr vibrator_dal_host:binder { call transfer }; +allow hdf_devmgr wifi_host:binder { call transfer }; +allowxperm hdf_devmgr data_init_agent:file ioctl { 0x5413 }; +allowxperm hdf_devmgr dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm hdf_devmgr dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm hdf_devmgr dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/hilogd.te b/sepolicy/base/rk3568/hilogd.te new file mode 100644 index 0000000000000000000000000000000000000000..81b9e7de6d67f7ef8cca1dd2806764d2e11d4fee --- /dev/null +++ b/sepolicy/base/rk3568/hilogd.te @@ -0,0 +1,42 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hilogd cgroup:dir { search }; +allow hilogd data_file:dir { search }; +allow hilogd data_init_agent:dir { add_name search write }; +allow hilogd data_init_agent:file { create ioctl open read append }; +allow hilogd data_log:dir { getattr open read search }; +allow hilogd dev_file:dir { search }; +allow hilogd dev_kmsg_file:chr_file { read }; +allow hilogd dev_null_file:chr_file { ioctl read write }; +allow hilogd dev_parameters_file:dir { search }; +allow hilogd dev_parameters_file:file { map open read }; +allow hilogd dev_unix_file:dir { search }; +allow hilogd dev_unix_socket_file:dir { search }; +allow hilogd dev_unix_socket_file:sock_file { setattr }; +allow hilogd etc_file:lnk_file { read }; +allow hilogd hilogd_exec:file { entrypoint execute map read }; +allow hilogd hilogd:process { fork }; +allow hilogd init:fd { use }; +allow hilogd init:netlink_kobject_uevent_socket { read write }; +allow hilogd init:unix_dgram_socket { getattr getopt read write }; +allow hilogd init:unix_stream_socket { getattr getopt listen read write }; +allow hilogd kernel:fd { use }; +allow hilogd rootfs:dir { search }; +allow hilogd system_etc_file:dir { search }; +allow hilogd system_etc_file:file { open read }; +allow hilogd system_file:dir { search }; +allow hilogd system_lib_file:dir { search }; +allow hilogd system_lib_file:file { execute getattr map open read }; +allowxperm hilogd data_init_agent:file ioctl { 0x5413 }; +allowxperm hilogd dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/hiview.te b/sepolicy/base/rk3568/hiview.te new file mode 100644 index 0000000000000000000000000000000000000000..0c04b638e0d67ec4392047f54694530485205cea --- /dev/null +++ b/sepolicy/base/rk3568/hiview.te @@ -0,0 +1,72 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow hiview accountmgr:dir { search }; +allow hiview accountmgr:file { open read }; +allow hiview battery_stats:binder { call }; +allow hiview data_file:dir { search }; +allow hiview data_init_agent:dir { search }; +allow hiview data_init_agent:file { ioctl open read append }; +allow hiview data_log:dir { add_name open read remove_name search watch write }; +allow hiview data_log:file { create getattr lock map open read unlink write open }; +allow hiview debugfs:dir { open read search }; +allow hiview debugfs:file { getattr open read }; +allow hiview dev_at_file:chr_file { ioctl open read write }; +allow hiview dev_binder_file:chr_file { ioctl map open read write }; +allow hiview dev_file:chr_file { open read }; +allow hiview dev_file:dir { search }; +allow hiview dev_null_file:chr_file { read write }; +allow hiview dev_parameters_file:dir { search }; +allow hiview dev_parameters_file:file { map open read }; +allow hiview dev_random_file:chr_file { open read }; +allow hiview dev_unix_file:dir { search }; +allow hiview dev_unix_socket_file:dir { search }; +allow hiview dev_unix_socket_file:sock_file { write }; +allow hiview etc_file:lnk_file { read }; +allow hiview faultloggerd:unix_stream_socket { connectto }; +allow hiview foundation:binder { call }; +allow hiview foundation:dir { search }; +allow hiview foundation:file { open read }; +allow hiview hiview:capability { dac_read_search sys_ptrace }; +allow hiview hiview:dir { search }; +allow hiview hiview_exec:file { entrypoint execute map read }; +allow hiview hiview:file { open read }; +allow hiview hiview:lnk_file { read }; +allow hiview hiview:process { fork }; +allow hiview hiview:unix_dgram_socket { connect create write }; +allow hiview hiview:unix_stream_socket { connect create read write }; +allow hiview init:fd { use }; +allow hiview init:netlink_kobject_uevent_socket { read write }; +allow hiview init:unix_dgram_socket { getattr getopt read sendto setopt write }; +allow hiview init:unix_stream_socket { read write }; +allow hiview kernel:fd { use }; +allow hiview normal_hap_domain:dir { search }; +allow hiview normal_hap_domain:file { open read }; +allow hiview priv_hap_domain:dir { search }; +allow hiview priv_hap_domain:file { open read }; +allow hiview proc_file:dir { search }; +allow hiview proc_file:lnk_file { read }; +allow hiview rootfs:dir { search }; +allow hiview samgr:binder { call transfer }; +allow hiview sys_file:dir { search }; +allow hiview system_bin_file:dir { search }; +allow hiview system_bin_file:file { execute }; +allow hiview system_bin_file:lnk_file { read }; +allow hiview system_etc_file:dir { open read search }; +allow hiview system_etc_file:file { getattr open read }; +allow hiview system_file:dir { search }; +allow hiview system_lib_file:dir { search }; +allow hiview system_lib_file:file { execute getattr map open read }; +allowxperm hiview data_init_agent:file ioctl { 0x5413 }; +allowxperm hiview dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm hiview dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/huks_service.te b/sepolicy/base/rk3568/huks_service.te new file mode 100644 index 0000000000000000000000000000000000000000..6e3912641fe28a78a35a8261b0a010320aa12c1e --- /dev/null +++ b/sepolicy/base/rk3568/huks_service.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow huks_service data_data_file:dir { search }; +allow huks_service data_data_file:file { getattr open read }; +allow huks_service data_file:dir { search }; +allow huks_service debugfs:dir { search }; +allow huks_service dev_at_file:chr_file { ioctl open read write }; +allow huks_service dev_binder_file:chr_file { ioctl map open read write }; +allow huks_service dev_file:dir { search }; +allow huks_service dev_null_file:chr_file { read write }; +allow huks_service dev_parameters_file:dir { search }; +allow huks_service dev_parameters_file:file { map open read }; +allow huks_service dev_random_file:chr_file { open read }; +allow huks_service dev_unix_file:dir { search }; +allow huks_service dev_unix_socket_file:dir { search }; +allow huks_service dev_unix_socket_file:sock_file { write }; +allow huks_service etc_file:lnk_file { read }; +allow huks_service foundation:binder { call transfer }; +allow huks_service huks_service:dir { search }; +allow huks_service huks_service:lnk_file { read }; +allow huks_service huks_service:process { fork getsched }; +allow huks_service huks_service:unix_dgram_socket { connect create write }; +allow huks_service init:fd { use }; +allow huks_service init:netlink_kobject_uevent_socket { read write }; +allow huks_service init:unix_dgram_socket { sendto }; +allow huks_service init:unix_stream_socket { read write }; +allow huks_service kernel:fd { use }; +allow huks_service proc_file:dir { search }; +allow huks_service proc_file:lnk_file { read }; +allow huks_service rootfs:dir { search }; +allow huks_service samain_exec:file { entrypoint execute map read }; +allow huks_service samgr:binder { call transfer }; +allow huks_service system_etc_file:dir { search }; +allow huks_service system_etc_file:file { open read }; +allow huks_service system_file:dir { search }; +allow huks_service system_lib_file:dir { search }; +allow huks_service system_lib_file:file { execute getattr map open read }; +allow huks_service system_profile_file:dir { search }; +allow huks_service system_profile_file:file { getattr open read }; +allowxperm huks_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm huks_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/init.te b/sepolicy/base/rk3568/init.te new file mode 100644 index 0000000000000000000000000000000000000000..f1e9673b02e54da56e236502e1dc022efaac07af --- /dev/null +++ b/sepolicy/base/rk3568/init.te @@ -0,0 +1,256 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow init accessibility:process { noatsecure rlimitinh siginh transition }; +allow init accesstoken_service:process { noatsecure rlimitinh siginh transition }; +allow init accountmgr:process { noatsecure rlimitinh siginh transition }; +allow init audio_hdi_server_host:process { noatsecure rlimitinh siginh transition }; +allow init audio_policy:process { noatsecure rlimitinh siginh transition }; +allow init battery_stats:process { noatsecure rlimitinh siginh transition }; +allow init bgtaskmgr_service:process { noatsecure rlimitinh siginh transition }; +allow init blue_host:process { noatsecure rlimitinh siginh transition }; +allow init bluetooth_service:process { noatsecure rlimitinh siginh transition }; +allow init camera_host:process { noatsecure rlimitinh siginh transition }; +allow init camera_service:process { noatsecure rlimitinh siginh transition }; +allow init cgroup:dir { add_name create getattr open read search setattr write }; +allow init cgroup:file { getattr open setattr }; +allow init cgroup:filesystem { getattr mount }; +allow init cgroup:file { write }; +allow init config_file:dir { add_name create getattr mounton open read search setattr write }; +allow init config_file:file { create getattr open }; +allow init config_file:filesystem { getattr mount }; +allow init config_file:file { write }; +allow init config_file:lnk_file { create }; +allow init data_appasec:dir { getattr setattr }; +allow init data_app_el1_file:dir { getattr search setattr }; +allow init data_app_el2_file:dir { getattr search setattr }; +allow init data_app_el3_file:dir { getattr search setattr }; +allow init data_app_el4_file:dir { getattr search setattr }; +allow init data_appephemeral:dir { getattr setattr }; +allow init data_app_file:dir { getattr search setattr }; +allow init data_applib:dir { getattr setattr }; +allow init data_appprivate:dir { getattr setattr }; +allow init data_appstaging:dir { getattr setattr }; +allow init data_backup:dir { getattr setattr }; +allow init data_bluetooth:dir { getattr }; +allow init data_bootchart:dir { getattr setattr }; +allow init data_cache:dir { getattr search setattr }; +allow init data_chipset_el1_file:dir { getattr search setattr }; +allow init data_chipset_el2_file:dir { getattr search setattr }; +allow init data_chipset_file:dir { getattr search setattr }; +allow init data_data_file:dir { getattr remove_name search setattr write }; +allow init data_data_file:file { unlink }; +allow init data_dhcp:dir { getattr }; +allow init data_drm:dir { getattr setattr }; +allow init data_file:dir { add_name getattr mounton open read remove_name search setattr write }; +allow init data_file:file { create ioctl open read rename unlink write write open }; +allow init data_init_agent:dir { getattr search setattr }; +allow init data_init_agent:file { ioctl open read append setattr }; +allow init data_local:dir { getattr search setattr }; +allow init data_log:dir { getattr search setattr }; +allow init data_log:file { read write }; +allow init data_media:dir { add_name create getattr open read remove_name rmdir search setattr write }; +allow init data_mediadrm:dir { getattr setattr }; +allow init data_misc_ce:dir { getattr setattr }; +allow init data_misc_de:dir { getattr setattr }; +allow init data_misc:dir { getattr search setattr }; +allow init data_nfc:dir { getattr search setattr }; +allow init data_ota:dir { getattr setattr }; +allow init data_ota_package:dir { getattr setattr }; +allow init data_preloads:dir { getattr setattr }; +allow init data_resourcecache:dir { getattr setattr }; +allow init data_sadata_de:dir { getattr search setattr }; +allow init data_service_el0_file:dir { getattr search setattr }; +allow init data_service_el0_file:file { getattr open read }; +allow init data_service_el1_file:dir { getattr search setattr }; +allow init data_service_el2_file:dir { getattr search setattr }; +allow init data_service_file:dir { getattr search setattr }; +allow init data_ss:dir { getattr setattr }; +allow init data_system_ce:dir { getattr setattr }; +allow init data_system_de:dir { getattr setattr }; +allow init data_system:dir { getattr search setattr }; +allow init data_user_de:dir { getattr setattr }; +allow init data_user:dir { getattr search setattr }; +allow init data_vendor_ce:dir { getattr setattr }; +allow init data_vendor_de:dir { getattr setattr }; +allow init data_vendor:dir { getattr search setattr }; +allow init debugfs:dir { search }; +allow init debugfs:filesystem { mount }; +allow init dev_at_file:chr_file { ioctl open read write setattr }; +allow init dev_binder_file:chr_file { ioctl map open read write }; +allow init dev_block_file:blk_file { getattr ioctl open read relabelto write }; +allow init dev_block_file:dir { open read relabelto search }; +allow init dev_block_file:lnk_file { read relabelto }; +allow init dev_console_file:chr_file { getattr ioctl open read write }; +allow init dev_file:chr_file { getattr ioctl map open read write setattr }; +allow init dev_file:dir { add_name create getattr mounton open read relabelfrom relabelto remove_name rmdir search setattr write }; +allow init dev_file:lnk_file { create }; +allow init dev_fscklogs_file:dir { open read relabelto search setattr }; +allow init dev_graphics_file:chr_file { setattr }; +allow init dev_graphics_file:dir { search }; +allow init dev_hdf_file:chr_file { setattr }; +allow init deviceinfoservice:process { noatsecure rlimitinh siginh transition }; +allow init device_usage_statistics_service:process { noatsecure rlimitinh siginh transition }; +allow init dev_kmsg_file:chr_file { getattr open read relabelto setattr write }; +allow init dev_media_file:chr_file { ioctl open read write }; +allow init dev_mgr_file:chr_file { setattr }; +allow init dev_null_file:chr_file { ioctl open read relabelto write }; +allow init dev_parameters_file:dir { open read relabelto search }; +allow init dev_parameters_file:file { map open read relabelto }; +allow init devpts:chr_file { getattr relabelfrom }; +allow init devpts:dir { getattr relabelfrom }; +allow init dev_pts_file:chr_file { relabelto }; +allow init dev_pts_file:dir { open read relabelto search }; +allow init devpts:filesystem { getattr }; +allow init dev_random_file:chr_file { getattr open read relabelto write }; +allow init dev_unix_file:dir { open read relabelto search }; +allow init dev_unix_socket_file:dir { add_name open read relabelto search write }; +allow init dev_unix_socket_file:sock_file { create getattr relabelto setattr write }; +allow init dev_v_file:chr_file { getattr }; +allow init dev_video_file:chr_file { getattr ioctl open read write }; +allow init display_gralloc_host:process { noatsecure rlimitinh siginh transition }; +allow init distributeddata:process { noatsecure rlimitinh siginh transition }; +allow init distributedfile:process { noatsecure rlimitinh siginh transition }; +allow init distributedhardware_fwk:process { noatsecure rlimitinh siginh transition }; +allow init distributedsched:process { noatsecure rlimitinh siginh transition }; +allow init dslm_service:process { noatsecure rlimitinh siginh transition }; +allow init etc_file:lnk_file { read }; +allow init face_service:process { noatsecure rlimitinh siginh transition }; +allow init faultloggerd:fd { use }; +allow init faultloggerd:unix_stream_socket { connectto }; +allow init fms_service:process { noatsecure rlimitinh siginh transition }; +allow init foundation:binder { call transfer }; +allow init foundation:process { noatsecure rlimitinh siginh transition }; +allow init functionfs:filesystem { mount }; +allow init hiview:binder { call }; +allow init huks_service:process { noatsecure rlimitinh siginh transition }; +allow init init:capability { chown dac_override dac_read_search fowner fsetid net_admin setgid setuid sys_admin sys_boot sys_rawio sys_resource }; +allow init init:dir { getattr open read search }; +allow init init:fifo_file { read write }; +allow init init:file { getattr open read read write write }; +allow init init:lnk_file { read }; +allow init init:lockdown { confidentiality }; +allow init init:netlink_kobject_uevent_socket { bind create setopt }; +allow init init:netlink_route_socket { bind create read }; +allow init init:process { fork getcap getsched ptrace setcap setexec setrlimit setsched sigkill }; +allow init init:udp_socket { create ioctl }; +allow init init:unix_dgram_socket { bind connect create ioctl sendto setopt write }; +allow init init:unix_stream_socket { bind connect create listen read setopt write }; +allow init inputmethod_service:process { noatsecure rlimitinh siginh transition }; +allow init input_user_host:process { noatsecure rlimitinh siginh transition }; +allow init kernel:fd { use }; +allow init kernel:process { setsched }; +allow init kernel:system { syslog_read }; +allow init kernel:unix_stream_socket { write }; +allow init labeledfs:filesystem { getattr mount remount }; +allow init lib_file:lnk_file { read }; +allow init light_dal_host:process { noatsecure rlimitinh siginh transition }; +allow init medialibrary_service:process { noatsecure rlimitinh siginh transition }; +allow init media_service:binder { call transfer }; +allow init media_service:process { noatsecure rlimitinh siginh transition }; +allow init memmgrservice:process { noatsecure rlimitinh siginh transition }; +allow init multimodalinput:binder { call }; +allow init multimodalinput:fd { use }; +allow init multimodalinput:process { noatsecure rlimitinh siginh transition }; +allow init multimodalinput:unix_stream_socket { read write }; +allow init netmanager:process { noatsecure rlimitinh siginh transition }; +allow init param_watcher:binder { call transfer }; +allow init param_watcher:process { noatsecure rlimitinh siginh transition }; +allow init pinauth_service:process { noatsecure rlimitinh siginh transition }; +allow init power_host:process { noatsecure rlimitinh siginh transition }; +allow init proc_cmdline_file:file { getattr open read setattr }; +allow init proc_file:dir { search }; +allow init proc_file:file { getattr open setattr write }; +allow init proc_file:lnk_file { read }; +allow init proc_interrupts_file:file { setattr }; +allow init proc_kmsg_file:file { setattr }; +allow init proc_net:file { setattr }; +allow init proc_slabinfo_file:file { setattr }; +allow init proc_stat_file:file { setattr }; +allow init proc_vmallocinfo_file:file { setattr }; +allow init pulseaudio:process { noatsecure rlimitinh siginh transition }; +allow init render_service:binder { call transfer }; +allow init render_service:fd { use }; +allow init render_service:unix_stream_socket { read read write }; +allow init resource_schedule_service:process { noatsecure rlimitinh siginh transition }; +allow init rootfs:dir { getattr search }; +allow init rootfs:lnk_file { read }; +allow init samain_exec:file { execute execute_no_trans getattr map read open }; +allow init samgr:binder { call transfer }; +allow init selinuxfs:dir { search }; +allow init selinuxfs:file { setattr }; +allow init sensor_dal_host:process { noatsecure rlimitinh siginh transition }; +allow init sensors:process { noatsecure rlimitinh siginh transition }; +allow init socperf_service:process { noatsecure rlimitinh siginh transition }; +allow init softbus_server:process { noatsecure rlimitinh siginh transition }; +allow init storage_manager:process { noatsecure rlimitinh siginh transition }; +allow init sys_file:dir { add_name mounton open read search write }; +allow init sys_file:file { create getattr open read setattr }; +allow init sys_file:filesystem { getattr }; +allow init sys_file:lnk_file { read }; +allow init sysfs_block_file:dir { search }; +allow init system_bin_file:dir { search }; +allow init system_bin_file:file { execute execute_no_trans getattr map read read open }; +allow init system_bin_file:lnk_file { read }; +allow init system_etc_file:dir { getattr open read search }; +allow init system_etc_file:file { getattr map open read }; +allow init system_file:dir { search }; +allow init system_lib_file:dir { search }; +allow init system_lib_file:file { execute getattr map open read read open }; +allow init system_profile_file:dir { search }; +allow init system_profile_file:file { getattr open read }; +allow init system_usr_file:dir { search }; +allow init system_usr_file:file { getattr map open read }; +allow init telephony_sa:process { noatsecure rlimitinh siginh transition }; +allow init thermal_sa:process { noatsecure rlimitinh siginh transition }; +allow init time_service:process { noatsecure rlimitinh siginh transition }; +allow init tmpfs:blk_file { getattr relabelfrom }; +allow init tmpfs:chr_file { getattr relabelfrom }; +allow init tmpfs:dir { add_name create getattr mounton open read relabelfrom search setattr write }; +allow init tmpfs:file { getattr relabelfrom }; +allow init tmpfs:filesystem { getattr mount }; +allow init tmpfs:lnk_file { getattr relabelfrom }; +allow init tmpfs:sock_file { getattr relabelfrom }; +allow init token_sync_service:process { noatsecure rlimitinh siginh transition }; +allow init tracefs:dir { search setattr }; +allow init tracefs:file { getattr open setattr write }; +allow init ui_service:process { noatsecure rlimitinh siginh transition }; +allow init unlabeled:dir { setattr }; +allow init unlabeled:filesystem { mount }; +allow init updater_sa:process { noatsecure rlimitinh siginh transition }; +allow init upms:process { noatsecure rlimitinh siginh transition }; +allow init usbfnMaster_host:process { noatsecure rlimitinh siginh transition }; +allow init usb_host:process { noatsecure rlimitinh siginh transition }; +allow init usb_service:process { noatsecure rlimitinh siginh transition }; +allow init useriam:process { noatsecure rlimitinh siginh transition }; +allow init vendor_etc_file:dir { open read search }; +allow init vendor_etc_file:file { getattr open read }; +allow init vendor_file:dir { search }; +allow init vendor_file:file { execute execute_no_trans getattr map open read read open }; +allow init vendor_file:lnk_file { read }; +allow init vibrator_dal_host:process { noatsecure rlimitinh siginh transition }; +allow init wifi_host:process { noatsecure rlimitinh siginh transition }; +allow init wifi_manager_service:process { noatsecure rlimitinh siginh transition }; +allow init work_scheduler_service:process { noatsecure rlimitinh siginh transition }; +allowxperm init data_file:file ioctl { 0x5413 }; +allowxperm init data_init_agent:file ioctl { 0x5413 }; +allowxperm init dev_at_file:chr_file ioctl { 0x4101 0x4102 }; +allowxperm init dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm init dev_block_file:blk_file ioctl { 0x125e 0x1272 0x127c }; +allowxperm init dev_console_file:chr_file ioctl { 0x540e }; +allowxperm init dev_file:chr_file ioctl { 0x8000 0x8001 0x8003 0x8004 0x8005 0x8007 0x800e 0x800f 0x8011 0x8018 0x8026 }; +allowxperm init dev_media_file:chr_file ioctl { 0x7c00 0x7c01 0x7c02 }; +allowxperm init dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm init dev_video_file:chr_file ioctl { 0x5600 0x5604 }; +allowxperm init init:udp_socket ioctl { 0x8913 0x8914 }; +allowxperm init init:unix_dgram_socket ioctl { 0x8933 }; diff --git a/sepolicy/base/rk3568/input_user_host.te b/sepolicy/base/rk3568/input_user_host.te new file mode 100644 index 0000000000000000000000000000000000000000..72ae248e3be4b75110eafae4feb9bc2ee92c091b --- /dev/null +++ b/sepolicy/base/rk3568/input_user_host.te @@ -0,0 +1,53 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow input_user_host debugfs:dir { search }; +allow input_user_host dev_at_file:chr_file { ioctl open read write }; +allow input_user_host dev_binder_file:chr_file { ioctl map open read write }; +allow input_user_host dev_file:dir { search }; +allow input_user_host dev_hdf_file:chr_file { getattr ioctl open read write }; +allow input_user_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow input_user_host dev_null_file:chr_file { read write }; +allow input_user_host dev_parameters_file:dir { search }; +allow input_user_host dev_parameters_file:file { map open read }; +allow input_user_host dev_unix_file:dir { search }; +allow input_user_host dev_unix_socket_file:dir { search }; +allow input_user_host dev_unix_socket_file:sock_file { write }; +allow input_user_host etc_file:lnk_file { read }; +allow input_user_host hdf_devmgr:binder { call transfer }; +allow input_user_host init:fd { use }; +allow input_user_host init:netlink_kobject_uevent_socket { read write }; +allow input_user_host init:unix_dgram_socket { sendto }; +allow input_user_host init:unix_stream_socket { read write }; +allow input_user_host input_user_host:dir { search }; +allow input_user_host input_user_host:lnk_file { read }; +allow input_user_host input_user_host:process { fork }; +allow input_user_host input_user_host:unix_dgram_socket { connect create write }; +allow input_user_host kernel:fd { use }; +allow input_user_host proc_file:dir { search }; +allow input_user_host proc_file:lnk_file { read }; +allow input_user_host rootfs:dir { search }; +allow input_user_host samgr:binder { call }; +allow input_user_host system_etc_file:dir { search }; +allow input_user_host system_etc_file:file { open read }; +allow input_user_host system_file:dir { search }; +allow input_user_host system_lib_file:dir { search }; +allow input_user_host system_lib_file:file { execute getattr map open read }; +allow input_user_host vendor_etc_file:dir { search }; +allow input_user_host vendor_etc_file:file { getattr open read }; +allow input_user_host vendor_file:dir { search }; +allow input_user_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm input_user_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm input_user_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm input_user_host dev_hdf_file:chr_file ioctl { 0x6203 }; +allowxperm input_user_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/inputmethod_service.te b/sepolicy/base/rk3568/inputmethod_service.te new file mode 100644 index 0000000000000000000000000000000000000000..ea13b98ed4286f37ca47cc58450d10866dcf8d76 --- /dev/null +++ b/sepolicy/base/rk3568/inputmethod_service.te @@ -0,0 +1,67 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow inputmethod_service data_log:file { read write }; +allow inputmethod_service debugfs:dir { search }; +allow inputmethod_service dev_at_file:chr_file { ioctl open read write }; +allow inputmethod_service dev_binder_file:chr_file { ioctl map open read write }; +allow inputmethod_service dev_file:dir { search }; +allow inputmethod_service dev_null_file:chr_file { open read write }; +allow inputmethod_service dev_parameters_file:dir { search }; +allow inputmethod_service dev_parameters_file:file { map open read }; +allow inputmethod_service dev_random_file:chr_file { open read }; +allow inputmethod_service dev_unix_file:dir { search }; +allow inputmethod_service dev_unix_socket_file:dir { search }; +allow inputmethod_service dev_unix_socket_file:sock_file { write }; +allow inputmethod_service etc_file:lnk_file { read }; +allow inputmethod_service faultloggerd:fd { use }; +allow inputmethod_service faultloggerd:unix_stream_socket { connectto }; +allow inputmethod_service foundation:binder { call transfer }; +allow inputmethod_service hiview:binder { call }; +allow inputmethod_service init:fd { use }; +allow inputmethod_service init:netlink_kobject_uevent_socket { read write }; +allow inputmethod_service init:unix_dgram_socket { sendto }; +allow inputmethod_service init:unix_stream_socket { read write }; +allow inputmethod_service inputmethod_service:dir { getattr open read search }; +allow inputmethod_service inputmethod_service:fifo_file { read write }; +allow inputmethod_service inputmethod_service:file { getattr open read }; +allow inputmethod_service inputmethod_service:lnk_file { read }; +allow inputmethod_service inputmethod_service:process { fork getcap getsched ptrace setcap sigkill }; +allow inputmethod_service inputmethod_service:unix_dgram_socket { connect create write }; +allow inputmethod_service inputmethod_service:unix_stream_socket { connect create read setopt write }; +allow inputmethod_service kernel:fd { use }; +allow inputmethod_service lib_file:lnk_file { read }; +allow inputmethod_service normal_hap_domain:binder { call transfer }; +allow inputmethod_service platform_hap_domain:binder { call transfer }; +allow inputmethod_service priv_hap_domain:binder { call transfer }; +allow inputmethod_service proc_file:dir { search }; +allow inputmethod_service proc_file:lnk_file { read }; +allow inputmethod_service rootfs:dir { getattr search }; +allow inputmethod_service samain_exec:file { entrypoint execute getattr map open read }; +allow inputmethod_service samgr:binder { call transfer }; +allow inputmethod_service system_bin_file:dir { search }; +allow inputmethod_service system_bin_file:file { execute execute_no_trans map read open }; +allow inputmethod_service system_etc_file:dir { getattr open read search }; +allow inputmethod_service system_etc_file:file { open read }; +allow inputmethod_service system_file:dir { search }; +allow inputmethod_service system_lib_file:dir { search }; +allow inputmethod_service system_lib_file:file { execute getattr map open read }; +allow inputmethod_service system_profile_file:dir { search }; +allow inputmethod_service system_profile_file:file { getattr open read }; +allow inputmethod_service system_usr_file:dir { search }; +allow inputmethod_service system_usr_file:file { getattr map open read }; +allow inputmethod_service vendor_file:dir { search }; +allow inputmethod_service vendor_file:file { execute getattr map open read }; +allow inputmethod_service vendor_file:lnk_file { read }; +allowxperm inputmethod_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm inputmethod_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/installs.te b/sepolicy/base/rk3568/installs.te new file mode 100644 index 0000000000000000000000000000000000000000..fef01fcfc73d10530e2d4d177fbbd3a313aa7852 --- /dev/null +++ b/sepolicy/base/rk3568/installs.te @@ -0,0 +1,45 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow installs data_file:dir { getattr search }; +allow installs debugfs:dir { search }; +allow installs dev_at_file:chr_file { ioctl open read write }; +allow installs dev_binder_file:chr_file { ioctl map open read write }; +allow installs dev_file:dir { search }; +allow installs dev_null_file:chr_file { read write }; +allow installs dev_parameters_file:dir { search }; +allow installs dev_parameters_file:file { map open read }; +allow installs dev_random_file:chr_file { open read }; +allow installs dev_unix_file:dir { search }; +allow installs dev_unix_socket_file:dir { search }; +allow installs dev_unix_socket_file:sock_file { write }; +allow installs etc_file:lnk_file { read }; +allow installs init:fd { use }; +allow installs init:netlink_kobject_uevent_socket { read write }; +allow installs init:unix_dgram_socket { sendto }; +allow installs init:unix_stream_socket { read write }; +allow installs installs_exec:file { entrypoint execute map read }; +allow installs installs:process { fork }; +allow installs installs:unix_dgram_socket { connect create write }; +allow installs kernel:fd { use }; +allow installs rootfs:dir { search }; +allow installs samgr:binder { call transfer }; +allow installs selinuxfs:filesystem { getattr }; +allow installs sys_file:dir { search }; +allow installs system_etc_file:dir { search }; +allow installs system_etc_file:file { open read }; +allow installs system_file:dir { search }; +allow installs system_lib_file:dir { search }; +allow installs system_lib_file:file { execute getattr map open read }; +allowxperm installs dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm installs dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/kernel.te b/sepolicy/base/rk3568/kernel.te new file mode 100644 index 0000000000000000000000000000000000000000..1847ae0fdde8dc21feda13440815d86eeafa99d3 --- /dev/null +++ b/sepolicy/base/rk3568/kernel.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow kernel data_file:dir { search }; +allow kernel data_log:dir { add_name create search setattr write }; +allow kernel data_log:file { append create read write open setattr }; +allow kernel dev_file:chr_file { open write }; +allow kernel dev_file:dir { search }; +allow kernel device:chr_file { create getattr setattr unlink }; +allow kernel device:dir { add_name remove_name rmdir search write }; +allow kernel init:process { dyntransition }; +allow kernel kernel:capability { chown dac_override dac_read_search mknod }; +allow kernel kernel:dir { search }; +allow kernel kernel:file { open read write }; +allow kernel kernel:process { fork setcurrent }; +allow kernel proc_file:dir { search }; +allow kernel proc_file:lnk_file { read }; +allow kernel rootfs:dir { search }; +allow kernel sys_file:dir { open read search }; +allow kernel tmpfs:chr_file { write }; +allow kernel unlabeled:dir { open read remove_name search write }; +allow kernel unlabeled:file { open read unlink }; diff --git a/sepolicy/base/rk3568/light_dal_host.te b/sepolicy/base/rk3568/light_dal_host.te new file mode 100644 index 0000000000000000000000000000000000000000..d5f5177135a8606b4362b23151235cf29e9d3c7b --- /dev/null +++ b/sepolicy/base/rk3568/light_dal_host.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow light_dal_host debugfs:dir { search }; +allow light_dal_host dev_at_file:chr_file { ioctl open read write }; +allow light_dal_host dev_binder_file:chr_file { ioctl map open read write }; +allow light_dal_host dev_file:dir { search }; +allow light_dal_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow light_dal_host dev_null_file:chr_file { read write }; +allow light_dal_host dev_parameters_file:dir { search }; +allow light_dal_host dev_parameters_file:file { map open read }; +allow light_dal_host dev_unix_file:dir { search }; +allow light_dal_host dev_unix_socket_file:dir { search }; +allow light_dal_host dev_unix_socket_file:sock_file { write }; +allow light_dal_host etc_file:lnk_file { read }; +allow light_dal_host hdf_devmgr:binder { call transfer }; +allow light_dal_host init:fd { use }; +allow light_dal_host init:netlink_kobject_uevent_socket { read write }; +allow light_dal_host init:unix_dgram_socket { sendto }; +allow light_dal_host init:unix_stream_socket { read write }; +allow light_dal_host kernel:fd { use }; +allow light_dal_host light_dal_host:dir { search }; +allow light_dal_host light_dal_host:lnk_file { read }; +allow light_dal_host light_dal_host:process { fork }; +allow light_dal_host light_dal_host:unix_dgram_socket { connect create write }; +allow light_dal_host proc_file:dir { search }; +allow light_dal_host proc_file:lnk_file { read }; +allow light_dal_host rootfs:dir { search }; +allow light_dal_host samgr:binder { call }; +allow light_dal_host system_etc_file:dir { search }; +allow light_dal_host system_etc_file:file { open read }; +allow light_dal_host system_file:dir { search }; +allow light_dal_host system_lib_file:dir { search }; +allow light_dal_host system_lib_file:file { execute getattr map open read }; +allow light_dal_host vendor_etc_file:dir { search }; +allow light_dal_host vendor_etc_file:file { getattr open read }; +allow light_dal_host vendor_file:dir { search }; +allow light_dal_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm light_dal_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm light_dal_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm light_dal_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/media_service.te b/sepolicy/base/rk3568/media_service.te new file mode 100644 index 0000000000000000000000000000000000000000..fbe6974c737e5d3eacc5cf7ee15c97a2f218612c --- /dev/null +++ b/sepolicy/base/rk3568/media_service.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow media_service audio_policy:binder { call transfer }; +allow media_service data_data_file:dir { getattr open read search setattr }; +allow media_service data_data_file:file { lock open read write }; +allow media_service data_data_file:sock_file { write }; +allow media_service data_file:dir { search }; +allow media_service debugfs:dir { search }; +allow media_service dev_at_file:chr_file { ioctl open read write }; +allow media_service dev_binder_file:chr_file { ioctl map open read write }; +allow media_service dev_file:dir { search }; +allow media_service dev_null_file:chr_file { ioctl read write }; +allow media_service dev_parameters_file:dir { search }; +allow media_service dev_parameters_file:file { map open read }; +allow media_service dev_random_file:chr_file { open read }; +allow media_service dev_unix_file:dir { search }; +allow media_service dev_unix_socket_file:dir { search }; +allow media_service dev_unix_socket_file:sock_file { write }; +allow media_service etc_file:lnk_file { read }; +allow media_service init:binder { call transfer }; +allow media_service init:fd { use }; +allow media_service init:netlink_kobject_uevent_socket { read write }; +allow media_service init:unix_dgram_socket { sendto }; +allow media_service init:unix_stream_socket { read write }; +allow media_service kernel:fd { use }; +allow media_service lib_file:lnk_file { read }; +allow media_service media_service:dir { search }; +allow media_service media_service:fifo_file { read write }; +allow media_service media_service:lnk_file { read }; +allow media_service media_service:process { fork getsched }; +allow media_service media_service:unix_dgram_socket { connect create write }; +allow media_service media_service:unix_stream_socket { connect create getattr getopt read setopt write }; +allow media_service normal_hap_domain:binder { call transfer }; +allow media_service priv_hap_domain:binder { call transfer }; +allow media_service proc_file:dir { search }; +allow media_service proc_file:lnk_file { read }; +allow media_service pulseaudio:binder { call }; +allow media_service pulseaudio:unix_stream_socket { connectto }; +allow media_service rootfs:dir { search }; +allow media_service samain_exec:file { entrypoint execute map read }; +allow media_service samgr:binder { call transfer }; +allow media_service system_etc_file:dir { search }; +allow media_service system_etc_file:file { getattr open read }; +allow media_service system_file:dir { search }; +allow media_service system_lib_file:dir { open read search }; +allow media_service system_lib_file:file { execute getattr map open read }; +allow media_service system_profile_file:dir { search }; +allow media_service system_profile_file:file { getattr open read }; +allow media_service vendor_file:dir { search }; +allow media_service vendor_file:file { execute getattr map open read }; +allow media_service vendor_file:lnk_file { read }; +allowxperm media_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm media_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm media_service dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/medialibrary_service.te b/sepolicy/base/rk3568/medialibrary_service.te new file mode 100644 index 0000000000000000000000000000000000000000..d8fc818c8bd66d528bbfccad4f3b3023cc4eef9b --- /dev/null +++ b/sepolicy/base/rk3568/medialibrary_service.te @@ -0,0 +1,49 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow medialibrary_service debugfs:dir { search }; +allow medialibrary_service dev_at_file:chr_file { ioctl open read write }; +allow medialibrary_service dev_binder_file:chr_file { ioctl map open read write }; +allow medialibrary_service dev_file:dir { search }; +allow medialibrary_service dev_null_file:chr_file { read write }; +allow medialibrary_service dev_parameters_file:dir { search }; +allow medialibrary_service dev_parameters_file:file { map open read }; +allow medialibrary_service dev_random_file:chr_file { open read }; +allow medialibrary_service dev_unix_file:dir { search }; +allow medialibrary_service dev_unix_socket_file:dir { search }; +allow medialibrary_service dev_unix_socket_file:sock_file { write }; +allow medialibrary_service etc_file:lnk_file { read }; +allow medialibrary_service init:fd { use }; +allow medialibrary_service init:netlink_kobject_uevent_socket { read write }; +allow medialibrary_service init:unix_dgram_socket { sendto }; +allow medialibrary_service init:unix_stream_socket { read write }; +allow medialibrary_service kernel:fd { use }; +allow medialibrary_service medialibrary_service:dir { search }; +allow medialibrary_service medialibrary_service:lnk_file { read }; +allow medialibrary_service medialibrary_service:process { fork getsched }; +allow medialibrary_service medialibrary_service:unix_dgram_socket { connect create write }; +allow medialibrary_service proc_file:dir { search }; +allow medialibrary_service proc_file:lnk_file { read }; +allow medialibrary_service rootfs:dir { search }; +allow medialibrary_service samain_exec:file { entrypoint execute map read }; +allow medialibrary_service samgr:binder { call transfer }; +allow medialibrary_service system_etc_file:dir { search }; +allow medialibrary_service system_etc_file:file { open read }; +allow medialibrary_service system_file:dir { search }; +allow medialibrary_service system_lib_file:dir { search }; +allow medialibrary_service system_lib_file:file { execute getattr map open read }; +allow medialibrary_service system_profile_file:dir { search }; +allow medialibrary_service system_profile_file:file { getattr open read }; +allow medialibrary_service tmpfs:dir { search }; +allowxperm medialibrary_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm medialibrary_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/memmgrservice.te b/sepolicy/base/rk3568/memmgrservice.te new file mode 100644 index 0000000000000000000000000000000000000000..36cad2630640cbacfac7aff32e7920920a167782 --- /dev/null +++ b/sepolicy/base/rk3568/memmgrservice.te @@ -0,0 +1,66 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow memmgrservice accountmgr:binder { call transfer }; +allow memmgrservice bgtaskmgr_service:binder { call transfer }; +allow memmgrservice cgroup:dir { add_name create search write }; +allow memmgrservice cgroup:file { append create ioctl open read write }; +allow memmgrservice debugfs:dir { search }; +allow memmgrservice dev_at_file:chr_file { ioctl open read write }; +allow memmgrservice dev_binder_file:chr_file { ioctl map open read write }; +allow memmgrservice dev_file:dir { search }; +allow memmgrservice dev_null_file:chr_file { read write }; +allow memmgrservice dev_parameters_file:dir { search }; +allow memmgrservice dev_parameters_file:file { map open read }; +allow memmgrservice dev_random_file:chr_file { open read }; +allow memmgrservice dev_unix_file:dir { search }; +allow memmgrservice dev_unix_socket_file:dir { search }; +allow memmgrservice dev_unix_socket_file:sock_file { write }; +allow memmgrservice etc_file:lnk_file { read }; +allow memmgrservice foundation:binder { call transfer }; +allow memmgrservice init:fd { use }; +allow memmgrservice init:netlink_kobject_uevent_socket { read write }; +allow memmgrservice init:unix_dgram_socket { sendto }; +allow memmgrservice init:unix_stream_socket { read write }; +allow memmgrservice kernel:fd { use }; +allow memmgrservice memmgrservice:capability { dac_override sys_resource }; +allow memmgrservice memmgrservice:dir { search }; +allow memmgrservice memmgrservice:lnk_file { read }; +allow memmgrservice memmgrservice:process { fork getsched }; +allow memmgrservice memmgrservice:unix_dgram_socket { connect create write }; +allow memmgrservice normal_hap_domain:dir { search }; +allow memmgrservice normal_hap_domain:file { open read write }; +allow memmgrservice platform_hap_domain:dir { search }; +allow memmgrservice platform_hap_domain:file { open read write }; +allow memmgrservice priv_hap_domain:dir { search }; +allow memmgrservice priv_hap_domain:file { open read write }; +allow memmgrservice proc_file:dir { search }; +allow memmgrservice proc_file:file { open write }; +allow memmgrservice proc_file:lnk_file { read }; +allow memmgrservice proc_meminfo_file:file { open read }; +allow memmgrservice rootfs:dir { search }; +allow memmgrservice samain_exec:file { entrypoint execute map read }; +allow memmgrservice samgr:binder { call transfer }; +allow memmgrservice system_etc_file:dir { getattr open read search }; +allow memmgrservice system_etc_file:file { open read }; +allow memmgrservice system_file:dir { search }; +allow memmgrservice system_lib_file:dir { search }; +allow memmgrservice system_lib_file:file { execute getattr map open read }; +allow memmgrservice system_profile_file:dir { search }; +allow memmgrservice system_profile_file:file { getattr open read }; +allow memmgrservice vendor_file:dir { search }; +allow memmgrservice vendor_file:file { execute getattr map open read }; +allow memmgrservice vendor_file:lnk_file { read }; +allowxperm memmgrservice cgroup:file ioctl { 0x5413 }; +allowxperm memmgrservice dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm memmgrservice dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/multimodalinput.te b/sepolicy/base/rk3568/multimodalinput.te new file mode 100644 index 0000000000000000000000000000000000000000..e766e7e01f4f23f38efd8e0e2ee80c5405168983 --- /dev/null +++ b/sepolicy/base/rk3568/multimodalinput.te @@ -0,0 +1,73 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow multimodalinput data_file:dir { add_name search write }; +allow multimodalinput data_file:file { create ioctl open read write }; +allow multimodalinput data_init_agent:dir { search }; +allow multimodalinput data_init_agent:file { ioctl open read append }; +allow multimodalinput debugfs:dir { search }; +allow multimodalinput dev_at_file:chr_file { ioctl open read write }; +allow multimodalinput dev_binder_file:chr_file { ioctl map open read write }; +allow multimodalinput dev_file:dir { search }; +allow multimodalinput dev_input_file:chr_file { getattr ioctl open read write }; +allow multimodalinput dev_input_file:dir { search }; +allow multimodalinput dev_kmsg_file:chr_file { open write }; +allow multimodalinput dev_null_file:chr_file { ioctl read write write }; +allow multimodalinput dev_parameters_file:dir { search }; +allow multimodalinput dev_parameters_file:file { map open read }; +allow multimodalinput dev_random_file:chr_file { open read }; +allow multimodalinput dev_unix_file:dir { search }; +allow multimodalinput dev_unix_socket_file:dir { search }; +allow multimodalinput dev_unix_socket_file:sock_file { write }; +allow multimodalinput etc_file:lnk_file { read }; +allow multimodalinput init:fd { use }; +allow multimodalinput init:netlink_kobject_uevent_socket { read write }; +allow multimodalinput init:unix_dgram_socket { sendto }; +allow multimodalinput init:unix_stream_socket { read write }; +allow multimodalinput kernel:fd { use }; +allow multimodalinput multimodalinput:dir { search }; +allow multimodalinput multimodalinput:lnk_file { read }; +allow multimodalinput multimodalinput:lockdown { confidentiality }; +allow multimodalinput multimodalinput:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow multimodalinput multimodalinput:process { fork getsched }; +allow multimodalinput multimodalinput:unix_dgram_socket { connect create write }; +allow multimodalinput multimodalinput:unix_stream_socket { create read setopt write }; +allow multimodalinput param_watcher:binder { call transfer }; +allow multimodalinput proc_file:dir { search }; +allow multimodalinput proc_file:lnk_file { read }; +allow multimodalinput rootfs:dir { search }; +allow multimodalinput samain_exec:file { entrypoint execute map read }; +allow multimodalinput samgr:binder { call transfer }; +allow multimodalinput sys_file:dir { open read search }; +allow multimodalinput sys_file:file { getattr open read }; +allow multimodalinput sys_file:lnk_file { read }; +allow multimodalinput system_etc_file:dir { getattr open read search }; +allow multimodalinput system_etc_file:file { open read }; +allow multimodalinput system_file:dir { search }; +allow multimodalinput system_lib_file:dir { search }; +allow multimodalinput system_lib_file:file { execute getattr map open read }; +allow multimodalinput system_profile_file:dir { search }; +allow multimodalinput system_profile_file:file { getattr open read }; +allow multimodalinput system_usr_file:dir { search }; +allow multimodalinput system_usr_file:file { getattr map open read }; +allow multimodalinput tracefs:dir { search }; +allow multimodalinput tracefs:file { open write }; +allow multimodalinput vendor_file:dir { search }; +allow multimodalinput vendor_file:file { execute getattr map open read }; +allow multimodalinput vendor_file:lnk_file { read }; +allowxperm multimodalinput data_file:file ioctl { 0x5413 }; +allowxperm multimodalinput data_init_agent:file ioctl { 0x5413 }; +allowxperm multimodalinput dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm multimodalinput dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm multimodalinput dev_input_file:chr_file ioctl { 0x4501 0x4502 0x4506 0x4507 0x4508 0x4509 0x4518 0x4519 0x451b 0x4520 0x4521 0x4522 0x4523 0x4524 0x4525 0x4531 0x4532 0x4535 0x4540 0x4541 0x4558 0x4570 0x4571 0x4574 0x4575 0x4576 0x4578 0x4579 0x457a 0x45a0 }; +allowxperm multimodalinput dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/netmanager.te b/sepolicy/base/rk3568/netmanager.te new file mode 100644 index 0000000000000000000000000000000000000000..8a68a735bb0b386fe76e69040fda1bacee106dc7 --- /dev/null +++ b/sepolicy/base/rk3568/netmanager.te @@ -0,0 +1,64 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow netmanager data_data_file:dir { add_name search write }; +allow netmanager data_data_file:file { append create ioctl open read write }; +allow netmanager data_file:dir { open read search }; +allow netmanager data_system:dir { search }; +allow netmanager data_system:file { getattr open read }; +allow netmanager debugfs:dir { search }; +allow netmanager dev_at_file:chr_file { ioctl open read write }; +allow netmanager dev_binder_file:chr_file { ioctl map open read write }; +allow netmanager dev_file:dir { search }; +allow netmanager dev_null_file:chr_file { read write }; +allow netmanager dev_parameters_file:dir { search }; +allow netmanager dev_parameters_file:file { map open read }; +allow netmanager dev_random_file:chr_file { open read }; +allow netmanager dev_unix_file:dir { search }; +allow netmanager dev_unix_socket_file:dir { search }; +allow netmanager dev_unix_socket_file:sock_file { write }; +allow netmanager etc_file:lnk_file { read }; +allow netmanager foundation:binder { call }; +allow netmanager init:fd { use }; +allow netmanager init:netlink_kobject_uevent_socket { read write }; +allow netmanager init:unix_dgram_socket { sendto }; +allow netmanager init:unix_stream_socket { read write }; +allow netmanager kernel:fd { use }; +allow netmanager lib_file:lnk_file { read }; +allow netmanager netmanager:dir { search }; +allow netmanager netmanager:lnk_file { read }; +allow netmanager netmanager:netlink_route_socket { bind create getattr nlmsg_read read setopt write }; +allow netmanager netmanager:process { fork getsched }; +allow netmanager netmanager:udp_socket { create ioctl }; +allow netmanager netmanager:unix_dgram_socket { connect create write }; +allow netmanager proc_file:dir { search }; +allow netmanager proc_file:lnk_file { read }; +allow netmanager rootfs:dir { search }; +allow netmanager samain_exec:file { entrypoint execute map read }; +allow netmanager samgr:binder { call transfer }; +allow netmanager sys_file:dir { open read search }; +allow netmanager sys_file:file { open read }; +allow netmanager sys_file:lnk_file { read }; +allow netmanager system_etc_file:dir { search }; +allow netmanager system_etc_file:file { open read }; +allow netmanager system_file:dir { search }; +allow netmanager system_lib_file:dir { search }; +allow netmanager system_lib_file:file { execute getattr map open read }; +allow netmanager system_profile_file:dir { search }; +allow netmanager system_profile_file:file { getattr open read }; +allow netmanager vendor_file:dir { search }; +allow netmanager wifi_manager_service:binder { call }; +allowxperm netmanager data_data_file:file ioctl { 0x5413 }; +allowxperm netmanager dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm netmanager dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm netmanager netmanager:udp_socket ioctl { 0x8927 }; diff --git a/sepolicy/base/rk3568/normal_hap_domain.te b/sepolicy/base/rk3568/normal_hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..36ba358d97fb3a6ec024623161a3109770b861de --- /dev/null +++ b/sepolicy/base/rk3568/normal_hap_domain.te @@ -0,0 +1,115 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow normal_hap_domain accessibility:binder { call transfer }; +allow normal_hap_domain accountmgr:binder { call }; +allow normal_hap_domain appspawn_exec:file { getattr map open read }; +allow normal_hap_domain appspawn:fd { use }; +allow normal_hap_domain appspawn:fifo_file { write }; +allow normal_hap_domain appspawn:unix_dgram_socket { connect write }; +allow normal_hap_domain camera_service:binder { call transfer }; +allow normal_hap_domain config_file:dir { mounton }; +allow normal_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; +allow normal_hap_domain data_app_el1_file:file { execute getattr map open read }; +allow normal_hap_domain data_app_el2_file:dir { search }; +allow normal_hap_domain data_app_file:dir { search }; +allow normal_hap_domain data_file:dir { add_name getattr mounton search write }; +allow normal_hap_domain data_file:file { create getattr ioctl lock map open read write }; +allow normal_hap_domain data_log:file { read write }; +allow normal_hap_domain data_service_el2_file:dir { getattr read open search }; +allow normal_hap_domain data_service_file:dir { search }; +allow normal_hap_domain debugfs:dir { search }; +allow normal_hap_domain dev_ashmem_file:chr_file { getattr ioctl map open read write }; +allow normal_hap_domain dev_at_file:chr_file { ioctl open read write }; +allow normal_hap_domain dev_binder_file:chr_file { ioctl map open read write }; +allow normal_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; +allow normal_hap_domain dev_dri_file:dir { search }; +allow normal_hap_domain dev_file:chr_file { getattr ioctl map open read write }; +allow normal_hap_domain dev_file:dir { mounton search }; +allow normal_hap_domain dev_null_file:chr_file { ioctl open read write }; +allow normal_hap_domain dev_parameters_file:dir { search }; +allow normal_hap_domain dev_parameters_file:file { map open read }; +allow normal_hap_domain dev_random_file:chr_file { open read }; +allow normal_hap_domain dev_unix_file:dir { search }; +allow normal_hap_domain dev_unix_socket_file:dir { search }; +allow normal_hap_domain dev_unix_socket_file:sock_file { write }; +allow normal_hap_domain display_gralloc_host:binder { call }; +allow normal_hap_domain display_gralloc_host:fd { use }; +allow normal_hap_domain distributeddata:binder { call transfer }; +allow normal_hap_domain faultloggerd:fd { use }; +allow normal_hap_domain faultloggerd:unix_stream_socket { connectto }; +allow normal_hap_domain foundation:binder { call transfer }; +allow normal_hap_domain foundation:fd { use }; +allow normal_hap_domain hdcd:unix_stream_socket { connectto }; +allow normal_hap_domain hdf_devmgr:binder { call }; +allow normal_hap_domain hiview:binder { call }; +allow normal_hap_domain hmdfs:dir { getattr mounton open read search }; +allow normal_hap_domain init:unix_dgram_socket { sendto }; +allow normal_hap_domain inputmethod_service:binder { call transfer }; +allow normal_hap_domain labeledfs:filesystem { unmount }; +allow normal_hap_domain medialibrary_service:binder { call }; +allow normal_hap_domain media_service:binder { call transfer }; +allow normal_hap_domain multimodalinput:binder { call }; +allow normal_hap_domain multimodalinput:fd { use }; +allow normal_hap_domain multimodalinput:unix_stream_socket { read read write write }; +allow normal_hap_domain normal_hap_data_file:dir { add_name create getattr mounton open read remove_name search write }; +allow normal_hap_domain normal_hap_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write write open }; +allow normal_hap_domain normal_hap_domain:binder { call transfer }; +allow normal_hap_domain normal_hap_domain:capability { setgid setuid sys_admin }; +allow normal_hap_domain normal_hap_domain:dir { getattr open read search }; +allow normal_hap_domain normal_hap_domain:fifo_file { read write }; +allow normal_hap_domain normal_hap_domain:file { getattr open read write }; +allow normal_hap_domain normal_hap_domain:lnk_file { read }; +allow normal_hap_domain normal_hap_domain:lockdown { confidentiality }; +allow normal_hap_domain normal_hap_domain:process { execmem fork getcap getsched ptrace setcap setsched sigkill }; +allow normal_hap_domain normal_hap_domain:unix_dgram_socket { connect create getopt setopt write }; +allow normal_hap_domain normal_hap_domain:unix_stream_socket { accept bind connect create getopt listen read setopt write }; +allow normal_hap_domain param_watcher:binder { call transfer }; +allow normal_hap_domain priv_hap_domain:binder { call transfer }; +allow normal_hap_domain priv_hap_domain:fd { use }; +allow normal_hap_domain proc_file:dir { mounton search }; +allow normal_hap_domain proc_file:file { open read }; +allow normal_hap_domain proc_file:lnk_file { read }; +allow normal_hap_domain render_service:binder { call transfer }; +allow normal_hap_domain render_service:fd { use }; +allow normal_hap_domain render_service:unix_stream_socket { read read write write }; +allow normal_hap_domain resource_schedule_service:binder { call }; +allow normal_hap_domain rootfs:dir { mounton search }; +allow normal_hap_domain samgr:binder { call }; +allow normal_hap_domain sys_file:dir { mounton open read search }; +allow normal_hap_domain sys_file:file { open read }; +allow normal_hap_domain sys_file:lnk_file { read }; +allow normal_hap_domain system_bin_file:dir { search }; +allow normal_hap_domain system_bin_file:file { execute execute_no_trans map read open }; +allow normal_hap_domain system_etc_file:dir { search }; +allow normal_hap_domain system_etc_file:file { getattr map open read }; +allow normal_hap_domain system_file:dir { mounton search }; +allow normal_hap_domain system_fonts_file:dir { search }; +allow normal_hap_domain system_fonts_file:file { getattr map open read }; +allow normal_hap_domain system_lib_file:dir { search }; +allow normal_hap_domain system_lib_file:file { execute getattr map open read }; +allow normal_hap_domain system_usr_file:dir { search }; +allow normal_hap_domain telephony_sa:binder { call }; +allow normal_hap_domain tmpfs:dir { add_name create getattr mounton search write }; +allow normal_hap_domain tmpfs:lnk_file { create read }; +allow normal_hap_domain tracefs:dir { search }; +allow normal_hap_domain tracefs:file { open write }; +allow normal_hap_domain upms:binder { call }; +allowxperm normal_hap_domain data_file:file ioctl { 0xf50c }; +allowxperm normal_hap_domain dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 }; +allowxperm normal_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm normal_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm normal_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm normal_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; +allowxperm normal_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm normal_hap_domain normal_hap_data_file:file ioctl { 0x5413 0xf50c }; diff --git a/sepolicy/base/rk3568/param_watcher.te b/sepolicy/base/rk3568/param_watcher.te new file mode 100644 index 0000000000000000000000000000000000000000..cee6d0d1bee130cb5eabfed18ab95aa0db4ae3f2 --- /dev/null +++ b/sepolicy/base/rk3568/param_watcher.te @@ -0,0 +1,69 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow param_watcher accountmgr:binder { call }; +allow param_watcher audio_policy:binder { call }; +allow param_watcher bgtaskmgr_service:binder { call }; +allow param_watcher data_file:dir { search }; +allow param_watcher data_init_agent:dir { add_name search write }; +allow param_watcher data_init_agent:file { create }; +allow param_watcher debugfs:dir { search }; +allow param_watcher dev_at_file:chr_file { ioctl open read write }; +allow param_watcher dev_binder_file:chr_file { ioctl map open read write }; +allow param_watcher dev_file:dir { search }; +allow param_watcher device_usage_statistics_service:binder { call }; +allow param_watcher dev_null_file:chr_file { read write }; +allow param_watcher dev_parameters_file:dir { search }; +allow param_watcher dev_parameters_file:file { map open read }; +allow param_watcher dev_random_file:chr_file { open read }; +allow param_watcher dev_unix_file:dir { search }; +allow param_watcher dev_unix_socket_file:dir { search }; +allow param_watcher dev_unix_socket_file:sock_file { write }; +allow param_watcher distributeddata:binder { call }; +allow param_watcher distributedsched:binder { call }; +allow param_watcher etc_file:lnk_file { read }; +allow param_watcher face_service:binder { call }; +allow param_watcher foundation:binder { call }; +allow param_watcher init:binder { call }; +allow param_watcher init:fd { use }; +allow param_watcher init:netlink_kobject_uevent_socket { read write }; +allow param_watcher init:unix_dgram_socket { sendto }; +allow param_watcher init:unix_stream_socket { read write }; +allow param_watcher kernel:fd { use }; +allow param_watcher kernel:unix_stream_socket { connectto }; +allow param_watcher multimodalinput:binder { call }; +allow param_watcher normal_hap_domain:binder { call }; +allow param_watcher param_watcher:dir { search }; +allow param_watcher param_watcher:lnk_file { read }; +allow param_watcher param_watcher:process { fork getsched }; +allow param_watcher param_watcher:unix_dgram_socket { connect create write }; +allow param_watcher param_watcher:unix_stream_socket { connect create read write }; +allow param_watcher pinauth_service:binder { call }; +allow param_watcher platform_hap_domain:binder { call }; +allow param_watcher priv_hap_domain:binder { call }; +allow param_watcher proc_file:dir { search }; +allow param_watcher proc_file:lnk_file { read }; +allow param_watcher render_service:binder { call }; +allow param_watcher resource_schedule_service:binder { call }; +allow param_watcher rootfs:dir { search }; +allow param_watcher samain_exec:file { entrypoint execute map read }; +allow param_watcher samgr:binder { call transfer }; +allow param_watcher system_etc_file:dir { search }; +allow param_watcher system_etc_file:file { open read }; +allow param_watcher system_file:dir { search }; +allow param_watcher system_lib_file:dir { search }; +allow param_watcher system_lib_file:file { execute getattr map open read }; +allow param_watcher system_profile_file:dir { search }; +allow param_watcher system_profile_file:file { getattr open read }; +allowxperm param_watcher dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm param_watcher dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/pinauth_service.te b/sepolicy/base/rk3568/pinauth_service.te new file mode 100644 index 0000000000000000000000000000000000000000..0d03d6a0bc6ea639cfc07af5e1ea288b3477859c --- /dev/null +++ b/sepolicy/base/rk3568/pinauth_service.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pinauth_service data_file:dir { search }; +allow pinauth_service data_init_agent:dir { search }; +allow pinauth_service debugfs:dir { search }; +allow pinauth_service dev_at_file:chr_file { ioctl open read write }; +allow pinauth_service dev_binder_file:chr_file { ioctl map open read write }; +allow pinauth_service dev_file:dir { search }; +allow pinauth_service dev_null_file:chr_file { read write }; +allow pinauth_service dev_parameters_file:dir { search }; +allow pinauth_service dev_parameters_file:file { map open read }; +allow pinauth_service dev_random_file:chr_file { open read }; +allow pinauth_service dev_unix_file:dir { search }; +allow pinauth_service dev_unix_socket_file:dir { search }; +allow pinauth_service dev_unix_socket_file:sock_file { write }; +allow pinauth_service etc_file:lnk_file { read }; +allow pinauth_service init:fd { use }; +allow pinauth_service init:netlink_kobject_uevent_socket { read write }; +allow pinauth_service init:unix_dgram_socket { sendto }; +allow pinauth_service init:unix_stream_socket { read write }; +allow pinauth_service kernel:fd { use }; +allow pinauth_service param_watcher:binder { call transfer }; +allow pinauth_service pinauth_service:dir { search }; +allow pinauth_service pinauth_service:lnk_file { read }; +allow pinauth_service pinauth_service:process { fork getsched }; +allow pinauth_service pinauth_service:unix_dgram_socket { connect create write }; +allow pinauth_service proc_file:dir { search }; +allow pinauth_service proc_file:lnk_file { read }; +allow pinauth_service rootfs:dir { search }; +allow pinauth_service samain_exec:file { entrypoint execute map read }; +allow pinauth_service samgr:binder { call transfer }; +allow pinauth_service system_etc_file:dir { search }; +allow pinauth_service system_etc_file:file { open read }; +allow pinauth_service system_file:dir { search }; +allow pinauth_service system_lib_file:dir { search }; +allow pinauth_service system_lib_file:file { execute getattr map open read }; +allow pinauth_service system_profile_file:dir { search }; +allow pinauth_service system_profile_file:file { getattr open read }; +allow pinauth_service useriam:binder { call transfer }; +allowxperm pinauth_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm pinauth_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/platform_hap_domain.te b/sepolicy/base/rk3568/platform_hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..6f4f73b78f40be91e62e30e860e5ab0feabdc9c4 --- /dev/null +++ b/sepolicy/base/rk3568/platform_hap_domain.te @@ -0,0 +1,87 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow platform_hap_domain accessibility:binder { call transfer }; +allow platform_hap_domain accesstoken_service:binder { call }; +allow platform_hap_domain appspawn:fd { use }; +allow platform_hap_domain appspawn:fifo_file { write }; +allow platform_hap_domain appspawn:unix_dgram_socket { connect write }; +allow platform_hap_domain config_file:dir { mounton }; +allow platform_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; +allow platform_hap_domain data_app_el1_file:file { getattr map open read }; +allow platform_hap_domain data_app_el2_file:dir { search }; +allow platform_hap_domain data_app_file:dir { search }; +allow platform_hap_domain data_file:dir { mounton search }; +allow platform_hap_domain data_service_el2_file:dir { search }; +allow platform_hap_domain debugfs:dir { search }; +allow platform_hap_domain dev_at_file:chr_file { ioctl open read write }; +allow platform_hap_domain dev_binder_file:chr_file { ioctl map open read write }; +allow platform_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; +allow platform_hap_domain dev_dri_file:dir { search }; +allow platform_hap_domain dev_file:chr_file { getattr ioctl map open read write }; +allow platform_hap_domain dev_file:dir { mounton search }; +allow platform_hap_domain dev_null_file:chr_file { ioctl open read write }; +allow platform_hap_domain dev_random_file:chr_file { open read }; +allow platform_hap_domain dev_unix_file:dir { search }; +allow platform_hap_domain dev_unix_socket_file:dir { search }; +allow platform_hap_domain dev_unix_socket_file:sock_file { write }; +allow platform_hap_domain display_gralloc_host:binder { call }; +allow platform_hap_domain display_gralloc_host:fd { use }; +allow platform_hap_domain foundation:binder { call transfer }; +allow platform_hap_domain hdf_devmgr:binder { call }; +allow platform_hap_domain hmdfs:dir { mounton search }; +allow platform_hap_domain init:unix_dgram_socket { sendto }; +allow platform_hap_domain inputmethod_service:binder { call transfer }; +allow platform_hap_domain labeledfs:filesystem { unmount }; +allow platform_hap_domain multimodalinput:binder { call }; +allow platform_hap_domain multimodalinput:fd { use }; +allow platform_hap_domain multimodalinput:unix_stream_socket { read write }; +allow platform_hap_domain param_watcher:binder { call transfer }; +allow platform_hap_domain platform_hap_data_file:dir { add_name create mounton open read search write }; +allow platform_hap_domain platform_hap_data_file:file { create getattr ioctl map read write open }; +allow platform_hap_domain platform_hap_domain:capability { setgid setuid sys_admin }; +allow platform_hap_domain platform_hap_domain:dir { search }; +allow platform_hap_domain platform_hap_domain:fifo_file { write }; +allow platform_hap_domain platform_hap_domain:file { open read }; +allow platform_hap_domain platform_hap_domain:lnk_file { read }; +allow platform_hap_domain platform_hap_domain:lockdown { confidentiality }; +allow platform_hap_domain platform_hap_domain:process { fork getsched setcap setsched }; +allow platform_hap_domain platform_hap_domain:unix_dgram_socket { create getopt setopt write }; +allow platform_hap_domain priv_hap_domain:binder { call }; +allow platform_hap_domain proc_file:dir { mounton search }; +allow platform_hap_domain proc_file:lnk_file { read }; +allow platform_hap_domain render_service:binder { call transfer }; +allow platform_hap_domain render_service:fd { use }; +allow platform_hap_domain render_service:unix_stream_socket { read write }; +allow platform_hap_domain resource_schedule_service:binder { call }; +allow platform_hap_domain rootfs:dir { mounton search }; +allow platform_hap_domain samgr:binder { call }; +allow platform_hap_domain sys_file:dir { mounton search }; +allow platform_hap_domain system_etc_file:dir { search }; +allow platform_hap_domain system_file:dir { mounton search }; +allow platform_hap_domain system_fonts_file:dir { search }; +allow platform_hap_domain system_fonts_file:file { getattr map open read }; +allow platform_hap_domain system_lib_file:dir { search }; +allow platform_hap_domain system_lib_file:file { execute getattr map open read }; +allow platform_hap_domain system_usr_file:dir { search }; +allow platform_hap_domain tmpfs:dir { add_name create mounton search write }; +allow platform_hap_domain tmpfs:lnk_file { create read }; +allow platform_hap_domain tracefs:dir { search }; +allow platform_hap_domain tracefs:file { open write }; +allow platform_hap_domain upms:binder { call }; +allowxperm platform_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm platform_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm platform_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm platform_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; +allowxperm platform_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm platform_hap_domain platform_hap_data_file:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/power_host.te b/sepolicy/base/rk3568/power_host.te new file mode 100644 index 0000000000000000000000000000000000000000..b5fe352e8827c7f313fd73583183c216f51beaf4 --- /dev/null +++ b/sepolicy/base/rk3568/power_host.te @@ -0,0 +1,64 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow power_host data_file:dir { search }; +allow power_host data_file:file { open read write }; +allow power_host data_local:dir { add_name open read search write }; +allow power_host data_local:file { create ioctl open read write }; +allow power_host debugfs:dir { search }; +allow power_host dev_at_file:chr_file { ioctl open read write }; +allow power_host dev_binder_file:chr_file { ioctl map open read write }; +allow power_host dev_file:dir { search }; +allow power_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow power_host dev_null_file:chr_file { read write }; +allow power_host dev_parameters_file:dir { search }; +allow power_host dev_parameters_file:file { map open read }; +allow power_host dev_unix_file:dir { search }; +allow power_host dev_unix_socket_file:dir { search }; +allow power_host dev_unix_socket_file:sock_file { write }; +allow power_host etc_file:lnk_file { read }; +allow power_host foundation:binder { call }; +allow power_host hdf_devmgr:binder { call transfer }; +allow power_host init:fd { use }; +allow power_host init:netlink_kobject_uevent_socket { read write }; +allow power_host init:unix_dgram_socket { sendto }; +allow power_host init:unix_stream_socket { read write }; +allow power_host kernel:fd { use }; +allow power_host power_host:capability2 { block_suspend }; +allow power_host power_host:capability { dac_read_search net_admin }; +allow power_host power_host:dir { search }; +allow power_host power_host:lnk_file { read }; +allow power_host power_host:netlink_kobject_uevent_socket { bind create read setopt }; +allow power_host power_host:process { fork }; +allow power_host power_host:unix_dgram_socket { connect create write }; +allow power_host proc_file:dir { search }; +allow power_host proc_file:lnk_file { read }; +allow power_host rootfs:dir { search }; +allow power_host samgr:binder { call }; +allow power_host sys_file:dir { open read search }; +allow power_host sys_file:file { open read write }; +allow power_host sys_file:lnk_file { read }; +allow power_host system_etc_file:dir { search }; +allow power_host system_etc_file:file { open read }; +allow power_host system_file:dir { search }; +allow power_host system_lib_file:dir { search }; +allow power_host system_lib_file:file { execute getattr map open read }; +allow power_host thermal_sa:binder { call }; +allow power_host vendor_etc_file:dir { search }; +allow power_host vendor_etc_file:file { getattr open read }; +allow power_host vendor_file:dir { search }; +allow power_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm power_host data_local:file ioctl { 0x5413 }; +allowxperm power_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm power_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm power_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/priv_hap_domain.te b/sepolicy/base/rk3568/priv_hap_domain.te new file mode 100644 index 0000000000000000000000000000000000000000..2a6c97facdd9411575918e98bca8fffd9a5a0841 --- /dev/null +++ b/sepolicy/base/rk3568/priv_hap_domain.te @@ -0,0 +1,116 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow priv_hap_domain accessibility:binder { call transfer }; +allow priv_hap_domain accountmgr:binder { call transfer }; +allow priv_hap_domain appspawn_exec:file { getattr map open read }; +allow priv_hap_domain appspawn:fd { use }; +allow priv_hap_domain appspawn:fifo_file { write }; +allow priv_hap_domain appspawn:unix_dgram_socket { connect write }; +allow priv_hap_domain audio_policy:binder { call transfer }; +allow priv_hap_domain bluetooth_service:binder { call transfer }; +allow priv_hap_domain config_file:dir { mounton }; +allow priv_hap_domain data_app_el1_file:dir { add_name create mounton open read search setattr write }; +allow priv_hap_domain data_app_el1_file:file { getattr map open read }; +allow priv_hap_domain data_app_el2_file:dir { search }; +allow priv_hap_domain data_app_file:dir { search }; +allow priv_hap_domain data_file:dir { add_name getattr mounton open read remove_name search write }; +allow priv_hap_domain data_file:file { create getattr ioctl lock map open read read write rename setattr unlink write open }; +allow priv_hap_domain data_log:file { read read write write }; +allow priv_hap_domain data_service_el2_file:dir { search }; +allow priv_hap_domain debugfs:dir { search }; +allow priv_hap_domain dev_ashmem_file:chr_file { getattr ioctl map open read write }; +allow priv_hap_domain dev_at_file:chr_file { ioctl open read write }; +allow priv_hap_domain dev_binder_file:chr_file { ioctl map open read write }; +allow priv_hap_domain dev_dri_file:chr_file { getattr ioctl open read write }; +allow priv_hap_domain dev_dri_file:dir { search }; +allow priv_hap_domain dev_file:chr_file { getattr ioctl map open read write }; +allow priv_hap_domain dev_file:dir { mounton search }; +allow priv_hap_domain dev_null_file:chr_file { ioctl open read write }; +allow priv_hap_domain dev_parameters_file:dir { search }; +allow priv_hap_domain dev_parameters_file:file { map open read }; +allow priv_hap_domain dev_random_file:chr_file { open read }; +allow priv_hap_domain dev_unix_file:dir { search }; +allow priv_hap_domain dev_unix_socket_file:dir { search }; +allow priv_hap_domain dev_unix_socket_file:sock_file { write }; +allow priv_hap_domain display_gralloc_host:binder { call }; +allow priv_hap_domain display_gralloc_host:fd { use }; +allow priv_hap_domain faultloggerd:fd { use }; +allow priv_hap_domain faultloggerd:unix_stream_socket { connectto }; +allow priv_hap_domain foundation:binder { call transfer }; +allow priv_hap_domain hdf_devmgr:binder { call }; +allow priv_hap_domain hiview:binder { call }; +allow priv_hap_domain hmdfs:dir { mounton search }; +allow priv_hap_domain init:unix_dgram_socket { sendto }; +allow priv_hap_domain inputmethod_service:binder { call transfer }; +allow priv_hap_domain kernel:unix_stream_socket { connectto }; +allow priv_hap_domain labeledfs:filesystem { unmount }; +allow priv_hap_domain media_service:binder { call transfer }; +allow priv_hap_domain multimodalinput:binder { call }; +allow priv_hap_domain multimodalinput:fd { use }; +allow priv_hap_domain multimodalinput:unix_stream_socket { read read write write }; +allow priv_hap_domain normal_hap_domain:binder { call transfer }; +allow priv_hap_domain param_watcher:binder { call transfer }; +allow priv_hap_domain priv_hap_data_file:dir { add_name create mounton open read search write }; +allow priv_hap_domain priv_hap_data_file:file { create getattr ioctl map read write open }; +allow priv_hap_domain priv_hap_domain:binder { call transfer }; +allow priv_hap_domain priv_hap_domain:capability { setgid setuid sys_admin }; +allow priv_hap_domain priv_hap_domain:dir { getattr open read search }; +allow priv_hap_domain priv_hap_domain:fifo_file { read write }; +allow priv_hap_domain priv_hap_domain:file { getattr open read write }; +allow priv_hap_domain priv_hap_domain:lnk_file { read }; +allow priv_hap_domain priv_hap_domain:lockdown { confidentiality }; +allow priv_hap_domain priv_hap_domain:process { execmem fork getcap getsched ptrace setcap setsched sigkill }; +allow priv_hap_domain priv_hap_domain:unix_dgram_socket { connect create getopt setopt write }; +allow priv_hap_domain priv_hap_domain:unix_stream_socket { connect create read setopt write }; +allow priv_hap_domain proc_file:dir { mounton search }; +allow priv_hap_domain proc_file:file { open read }; +allow priv_hap_domain proc_file:lnk_file { read }; +allow priv_hap_domain pulseaudio:binder { call }; +allow priv_hap_domain render_service:binder { call transfer }; +allow priv_hap_domain render_service:fd { use }; +allow priv_hap_domain render_service:unix_stream_socket { read read write write }; +allow priv_hap_domain resource_schedule_service:binder { call }; +allow priv_hap_domain rootfs:dir { mounton search }; +allow priv_hap_domain samgr:binder { call }; +allow priv_hap_domain sys_file:dir { mounton open read search }; +allow priv_hap_domain sys_file:file { open read }; +allow priv_hap_domain sys_file:lnk_file { read }; +allow priv_hap_domain system_bin_file:dir { search }; +allow priv_hap_domain system_bin_file:file { execute execute_no_trans map read open }; +allow priv_hap_domain system_etc_file:dir { search }; +allow priv_hap_domain system_etc_file:file { getattr map open read }; +allow priv_hap_domain system_file:dir { mounton search }; +allow priv_hap_domain system_fonts_file:dir { search }; +allow priv_hap_domain system_fonts_file:file { getattr map open read }; +allow priv_hap_domain system_lib_file:dir { search }; +allow priv_hap_domain system_lib_file:file { execute getattr map open read }; +allow priv_hap_domain system_usr_file:dir { search }; +allow priv_hap_domain telephony_sa:binder { call }; +allow priv_hap_domain tmpfs:dir { add_name create getattr mounton search write }; +allow priv_hap_domain tmpfs:filesystem { getattr }; +allow priv_hap_domain tmpfs:lnk_file { create read }; +allow priv_hap_domain tracefs:dir { search }; +allow priv_hap_domain tracefs:file { open write }; +allow priv_hap_domain upms:binder { call }; +allow priv_hap_domain usb_service:binder { call }; +allow priv_hap_domain useriam:binder { call transfer }; +allow priv_hap_domain wifi_manager_service:binder { call transfer }; +allowxperm priv_hap_domain data_file:file ioctl { 0x5413 0xf50c }; +allowxperm priv_hap_domain dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7704 0x7706 }; +allowxperm priv_hap_domain dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm priv_hap_domain dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm priv_hap_domain dev_dri_file:chr_file ioctl { 0x641f }; +allowxperm priv_hap_domain dev_file:chr_file ioctl { 0x8000 0x8001 0x8002 0x8003 0x8005 0x8006 0x8007 0x800e 0x800f 0x8011 0x8016 0x8018 0x801d 0x801e 0x8026 0xab02 0xab05 0xab06 0xab09 0xab0c 0xab0d }; +allowxperm priv_hap_domain dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm priv_hap_domain priv_hap_data_file:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/pulseaudio.te b/sepolicy/base/rk3568/pulseaudio.te new file mode 100644 index 0000000000000000000000000000000000000000..ec076d0ab2050e3add0a8306efbfb7302aab2da0 --- /dev/null +++ b/sepolicy/base/rk3568/pulseaudio.te @@ -0,0 +1,63 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow pulseaudio audio_hdi_server_host:binder { call }; +allow pulseaudio data_data_file:dir { add_name getattr open read remove_name search setattr write }; +allow pulseaudio data_data_file:fifo_file { create getattr open read write setattr }; +allow pulseaudio data_data_file:file { create getattr lock read write open setattr }; +allow pulseaudio data_data_file:sock_file { create setattr unlink write }; +allow pulseaudio data_file:dir { search }; +allow pulseaudio debugfs:dir { search }; +allow pulseaudio dev_at_file:chr_file { ioctl open read write }; +allow pulseaudio dev_binder_file:chr_file { ioctl map open read read write }; +allow pulseaudio dev_file:dir { search }; +allow pulseaudio dev_null_file:chr_file { ioctl read write }; +allow pulseaudio dev_parameters_file:dir { search }; +allow pulseaudio dev_parameters_file:file { map open read }; +allow pulseaudio dev_random_file:chr_file { open read }; +allow pulseaudio dev_unix_file:dir { search }; +allow pulseaudio dev_unix_socket_file:dir { search }; +allow pulseaudio dev_unix_socket_file:sock_file { write }; +allow pulseaudio etc_file:lnk_file { read }; +allow pulseaudio hdf_devmgr:binder { call }; +allow pulseaudio init:fd { use }; +allow pulseaudio init:netlink_kobject_uevent_socket { read write }; +allow pulseaudio init:unix_dgram_socket { sendto }; +allow pulseaudio init:unix_stream_socket { read write }; +allow pulseaudio kernel:fd { use }; +allow pulseaudio proc_file:dir { search }; +allow pulseaudio proc_file:lnk_file { read }; +allow pulseaudio pulseaudio:dir { search }; +allow pulseaudio pulseaudio:fifo_file { read write }; +allow pulseaudio pulseaudio:lnk_file { read }; +allow pulseaudio pulseaudio:process { fork getsched setrlimit setsched signal }; +allow pulseaudio pulseaudio:unix_dgram_socket { connect create write }; +allow pulseaudio pulseaudio:unix_stream_socket { accept bind connect create getattr listen read setopt write }; +allow pulseaudio rootfs:dir { search }; +allow pulseaudio samain_exec:file { entrypoint execute map read }; +allow pulseaudio samgr:binder { call transfer }; +allow pulseaudio system_bin_file:dir { getattr }; +allow pulseaudio system_etc_file:dir { search }; +allow pulseaudio system_etc_file:file { open read }; +allow pulseaudio system_file:dir { search }; +allow pulseaudio system_lib_file:dir { search }; +allow pulseaudio system_lib_file:file { execute getattr map open read }; +allow pulseaudio system_profile_file:dir { search }; +allow pulseaudio system_profile_file:file { getattr open read }; +allow pulseaudio vendor_etc_file:dir { search }; +allow pulseaudio vendor_etc_file:file { getattr open read }; +allow pulseaudio vendor_file:dir { search }; +allow pulseaudio vendor_file:file { execute getattr map open read }; +allowxperm pulseaudio dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm pulseaudio dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm pulseaudio dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/render_service.te b/sepolicy/base/rk3568/render_service.te new file mode 100644 index 0000000000000000000000000000000000000000..292f5f8f1bb605ba3d8ec0cba4907acbf9a01f77 --- /dev/null +++ b/sepolicy/base/rk3568/render_service.te @@ -0,0 +1,84 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow render_service data_file:dir { search }; +allow render_service data_init_agent:dir { search }; +allow render_service data_init_agent:file { ioctl open read append }; +allow render_service debugfs:dir { search }; +allow render_service dev_ashmem_file:chr_file { getattr ioctl map open read write }; +allow render_service dev_at_file:chr_file { ioctl open read write }; +allow render_service dev_binder_file:chr_file { ioctl map open read write }; +allow render_service dev_dri_file:chr_file { getattr ioctl open read write }; +allow render_service dev_dri_file:dir { search }; +allow render_service dev_file:chr_file { ioctl open read write }; +allow render_service dev_file:dir { search }; +allow render_service dev_graphics_file:chr_file { ioctl open read write }; +allow render_service dev_graphics_file:dir { search }; +allow render_service dev_null_file:chr_file { ioctl read write }; +allow render_service dev_parameters_file:dir { search }; +allow render_service dev_parameters_file:file { map open read }; +allow render_service dev_random_file:chr_file { open read }; +allow render_service dev_unix_file:dir { search }; +allow render_service dev_unix_socket_file:dir { search }; +allow render_service dev_unix_socket_file:sock_file { write }; +allow render_service display_gralloc_host:binder { call }; +allow render_service display_gralloc_host:fd { use }; +allow render_service etc_file:lnk_file { read }; +allow render_service foundation:binder { call transfer }; +allow render_service hdf_devmgr:binder { call }; +allow render_service init:binder { call transfer }; +allow render_service init:fd { use }; +allow render_service init:netlink_kobject_uevent_socket { read write }; +allow render_service init:unix_dgram_socket { sendto }; +allow render_service init:unix_stream_socket { read write }; +allow render_service kernel:fd { use }; +allow render_service lib_file:lnk_file { read }; +allow render_service normal_hap_domain:binder { call transfer }; +allow render_service param_watcher:binder { call transfer }; +allow render_service platform_hap_domain:binder { call transfer }; +allow render_service priv_hap_domain:binder { call transfer }; +allow render_service proc_file:dir { search }; +allow render_service proc_file:file { open read }; +allow render_service proc_file:lnk_file { read }; +allow render_service render_service:capability { dac_override sys_admin sys_nice }; +allow render_service render_service:dir { search }; +allow render_service render_service_exec:file { entrypoint execute map read }; +allow render_service render_service:lnk_file { read }; +allow render_service render_service:lockdown { confidentiality }; +allow render_service render_service:netlink_kobject_uevent_socket { bind create read setopt }; +allow render_service render_service:process { fork setsched }; +allow render_service render_service:unix_dgram_socket { connect create write }; +allow render_service render_service:unix_stream_socket { create read setopt write }; +allow render_service rootfs:dir { search }; +allow render_service samgr:binder { call transfer }; +allow render_service sys_file:dir { search }; +allow render_service sys_file:file { open read write }; +allow render_service sys_file:lnk_file { read }; +allow render_service system_etc_file:dir { getattr open read search }; +allow render_service system_etc_file:file { open read }; +allow render_service system_file:dir { search }; +allow render_service system_lib_file:dir { search }; +allow render_service system_lib_file:file { execute getattr map open read }; +allow render_service tracefs:dir { search }; +allow render_service tracefs:file { open write }; +allow render_service vendor_file:dir { search }; +allow render_service vendor_file:file { execute getattr map open read }; +allow render_service vendor_file:lnk_file { read }; +allowxperm render_service data_init_agent:file ioctl { 0x5413 }; +allowxperm render_service dev_ashmem_file:chr_file ioctl { 0x7701 0x7703 0x7705 }; +allowxperm render_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm render_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm render_service dev_dri_file:chr_file ioctl { 0x6409 0x640d 0x6411 0x641e 0x641f 0x642d 0x642e 0x643a 0x64a0 0x64a1 0x64a6 0x64a7 0x64aa 0x64af 0x64b2 0x64b4 0x64b5 0x64b6 0x64b8 0x64b9 0x64bc 0x64bd 0x64be }; +allowxperm render_service dev_file:chr_file ioctl { 0x5017 0x601b }; +allowxperm render_service dev_graphics_file:chr_file ioctl { 0x4611 }; +allowxperm render_service dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/resource_schedule_service.te b/sepolicy/base/rk3568/resource_schedule_service.te new file mode 100644 index 0000000000000000000000000000000000000000..1ebf61e13923d4c856676b82005f9362157620fc --- /dev/null +++ b/sepolicy/base/rk3568/resource_schedule_service.te @@ -0,0 +1,70 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow resource_schedule_service bgtaskmgr_service:binder { call transfer }; +allow resource_schedule_service cgroup:dir { search }; +allow resource_schedule_service cgroup:file { getattr open write }; +allow resource_schedule_service data_file:dir { search }; +allow resource_schedule_service data_init_agent:dir { search }; +allow resource_schedule_service data_init_agent:file { ioctl open read append }; +allow resource_schedule_service debugfs:dir { search }; +allow resource_schedule_service dev_at_file:chr_file { ioctl open read write }; +allow resource_schedule_service dev_binder_file:chr_file { ioctl map open read write }; +allow resource_schedule_service dev_file:chr_file { ioctl open read write }; +allow resource_schedule_service dev_file:dir { search }; +allow resource_schedule_service dev_null_file:chr_file { read write }; +allow resource_schedule_service dev_parameters_file:dir { search }; +allow resource_schedule_service dev_parameters_file:file { map open read }; +allow resource_schedule_service dev_random_file:chr_file { open read }; +allow resource_schedule_service dev_unix_file:dir { search }; +allow resource_schedule_service dev_unix_socket_file:dir { search }; +allow resource_schedule_service dev_unix_socket_file:sock_file { write }; +allow resource_schedule_service etc_file:lnk_file { read }; +allow resource_schedule_service foundation:binder { call transfer }; +allow resource_schedule_service init:fd { use }; +allow resource_schedule_service init:netlink_kobject_uevent_socket { read write }; +allow resource_schedule_service init:unix_dgram_socket { sendto }; +allow resource_schedule_service init:unix_stream_socket { read write }; +allow resource_schedule_service kernel:fd { use }; +allow resource_schedule_service param_watcher:binder { call transfer }; +allow resource_schedule_service proc_file:dir { search }; +allow resource_schedule_service proc_file:lnk_file { read }; +allow resource_schedule_service resource_schedule_service:capability { dac_override dac_read_search }; +allow resource_schedule_service resource_schedule_service:dir { search }; +allow resource_schedule_service resource_schedule_service:lnk_file { read }; +allow resource_schedule_service resource_schedule_service:lockdown { confidentiality }; +allow resource_schedule_service resource_schedule_service:process { fork getsched }; +allow resource_schedule_service resource_schedule_service:unix_dgram_socket { connect create write }; +allow resource_schedule_service rootfs:dir { search }; +allow resource_schedule_service samain_exec:file { entrypoint execute map read }; +allow resource_schedule_service samgr:binder { call transfer }; +allow resource_schedule_service socperf_service:binder { call }; +allow resource_schedule_service sys_file:dir { search }; +allow resource_schedule_service system_etc_file:dir { getattr open read search }; +allow resource_schedule_service system_etc_file:file { getattr open read }; +allow resource_schedule_service system_file:dir { search }; +allow resource_schedule_service system_lib_file:dir { search }; +allow resource_schedule_service system_lib_file:file { execute getattr map open read }; +allow resource_schedule_service system_profile_file:dir { search }; +allow resource_schedule_service system_profile_file:file { getattr open read }; +allow resource_schedule_service system_usr_file:dir { search }; +allow resource_schedule_service system_usr_file:file { getattr map open read }; +allow resource_schedule_service tracefs:dir { search }; +allow resource_schedule_service tracefs:file { open write }; +allow resource_schedule_service vendor_file:dir { search }; +allow resource_schedule_service vendor_file:file { execute getattr map open read }; +allow resource_schedule_service vendor_file:lnk_file { read }; +allowxperm resource_schedule_service data_init_agent:file ioctl { 0x5413 }; +allowxperm resource_schedule_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm resource_schedule_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm resource_schedule_service dev_file:chr_file ioctl { 0xab01 0xab02 }; diff --git a/sepolicy/base/rk3568/samgr.te b/sepolicy/base/rk3568/samgr.te new file mode 100644 index 0000000000000000000000000000000000000000..5c9f389b0f678393c8e247083e94db84240c7e0e --- /dev/null +++ b/sepolicy/base/rk3568/samgr.te @@ -0,0 +1,115 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow samgr accessibility:binder { call transfer }; +allow samgr accesstoken_service:binder { call }; +allow samgr accountmgr:binder { call transfer }; +allow samgr appspawn:binder { transfer }; +allow samgr audio_hdi_server_host:binder { transfer }; +allow samgr audio_policy:binder { call transfer }; +allow samgr battery_stats:binder { call transfer }; +allow samgr bgtaskmgr_service:binder { call transfer }; +allow samgr blue_host:binder { transfer }; +allow samgr bluetooth_service:binder { call }; +allow samgr camera_host:binder { transfer }; +allow samgr camera_service:binder { call transfer }; +allow samgr debugfs:dir { search }; +allow samgr dev_at_file:chr_file { ioctl open read write }; +allow samgr dev_binder_file:chr_file { ioctl map open read write }; +allow samgr dev_file:dir { search }; +allow samgr deviceauth_service:binder { call transfer }; +allow samgr deviceinfoservice:binder { call }; +allow samgr device_usage_statistics_service:binder { call transfer }; +allow samgr dev_null_file:chr_file { read write }; +allow samgr dev_parameters_file:dir { search }; +allow samgr dev_parameters_file:file { map open read }; +allow samgr dev_random_file:chr_file { open read }; +allow samgr dev_unix_file:dir { search }; +allow samgr dev_unix_socket_file:dir { search }; +allow samgr dev_unix_socket_file:sock_file { write }; +allow samgr display_gralloc_host:binder { transfer }; +allow samgr distributeddata:binder { call transfer }; +allow samgr distributedfile:binder { call transfer }; +allow samgr distributedhardware_fwk:binder { call transfer }; +allow samgr distributedsched:binder { call transfer }; +allow samgr dslm_service:binder { call transfer }; +allow samgr etc_file:lnk_file { read }; +allow samgr face_service:binder { call transfer }; +allow samgr fms_service:binder { call transfer }; +allow samgr foundation:binder { call transfer }; +allow samgr hdf_devmgr:binder { call }; +allow samgr hiview:binder { call transfer }; +allow samgr huks_service:binder { call transfer }; +allow samgr init:binder { call transfer }; +allow samgr init:fd { use }; +allow samgr init:netlink_kobject_uevent_socket { read write }; +allow samgr init:unix_dgram_socket { sendto }; +allow samgr init:unix_stream_socket { read write }; +allow samgr inputmethod_service:binder { call transfer }; +allow samgr input_user_host:binder { transfer }; +allow samgr installs:binder { call }; +allow samgr kernel:fd { use }; +allow samgr light_dal_host:binder { transfer }; +allow samgr medialibrary_service:binder { call }; +allow samgr media_service:binder { call transfer }; +allow samgr memmgrservice:binder { call transfer }; +allow samgr multimodalinput:binder { call transfer }; +allow samgr netmanager:binder { call transfer }; +allow samgr normal_hap_domain:binder { transfer }; +allow samgr param_watcher:binder { call }; +allow samgr pinauth_service:binder { call transfer }; +allow samgr platform_hap_domain:binder { transfer }; +allow samgr power_host:binder { transfer }; +allow samgr priv_hap_domain:binder { transfer }; +allow samgr proc_file:dir { search }; +allow samgr proc_file:lnk_file { read }; +allow samgr pulseaudio:binder { call transfer }; +allow samgr render_service:binder { call transfer }; +allow samgr resource_schedule_service:binder { call transfer }; +allow samgr rootfs:dir { search }; +allow samgr samain_exec:file { entrypoint execute map read }; +allow samgr samgr:binder { set_context_mgr }; +allow samgr samgr:dir { search }; +allow samgr samgr:lnk_file { read }; +allow samgr samgr:process { fork }; +allow samgr samgr:unix_dgram_socket { connect create write }; +allow samgr sensor_dal_host:binder { transfer }; +allow samgr sensors:binder { call transfer }; +allow samgr socperf_service:binder { call }; +allow samgr softbus_server:binder { call transfer }; +allow samgr storage_daemon:binder { call }; +allow samgr storage_manager:binder { call transfer }; +allow samgr system_etc_file:dir { search }; +allow samgr system_etc_file:file { open read }; +allow samgr system_file:dir { search }; +allow samgr system_lib_file:dir { search }; +allow samgr system_lib_file:file { execute getattr map open read }; +allow samgr system_profile_file:dir { open read search }; +allow samgr system_profile_file:file { getattr open read }; +allow samgr telephony_sa:binder { call transfer }; +allow samgr thermal_sa:binder { call transfer }; +allow samgr time_service:binder { call transfer }; +allow samgr token_sync_service:binder { call transfer }; +allow samgr ui_service:binder { call }; +allow samgr updater_sa:binder { call }; +allow samgr upms:binder { call }; +allow samgr usbfnMaster_host:binder { transfer }; +allow samgr usb_host:binder { transfer }; +allow samgr usb_service:binder { call transfer }; +allow samgr useriam:binder { call transfer }; +allow samgr vibrator_dal_host:binder { transfer }; +allow samgr wifi_host:binder { transfer }; +allow samgr wifi_manager_service:binder { call transfer }; +allow samgr work_scheduler_service:binder { call transfer }; +allowxperm samgr dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm samgr dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6207 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/sensor_dal_host.te b/sepolicy/base/rk3568/sensor_dal_host.te new file mode 100644 index 0000000000000000000000000000000000000000..78eda7cfb0ddea6938e6f83c9a8be10aa2608ba7 --- /dev/null +++ b/sepolicy/base/rk3568/sensor_dal_host.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sensor_dal_host debugfs:dir { search }; +allow sensor_dal_host dev_at_file:chr_file { ioctl open read write }; +allow sensor_dal_host dev_binder_file:chr_file { ioctl map open read write }; +allow sensor_dal_host dev_file:chr_file { getattr ioctl open read write }; +allow sensor_dal_host dev_file:dir { search }; +allow sensor_dal_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow sensor_dal_host dev_null_file:chr_file { read write }; +allow sensor_dal_host dev_parameters_file:dir { search }; +allow sensor_dal_host dev_parameters_file:file { map open read }; +allow sensor_dal_host dev_unix_file:dir { search }; +allow sensor_dal_host dev_unix_socket_file:dir { search }; +allow sensor_dal_host dev_unix_socket_file:sock_file { write }; +allow sensor_dal_host etc_file:lnk_file { read }; +allow sensor_dal_host hdf_devmgr:binder { call transfer }; +allow sensor_dal_host init:fd { use }; +allow sensor_dal_host init:netlink_kobject_uevent_socket { read write }; +allow sensor_dal_host init:unix_dgram_socket { sendto }; +allow sensor_dal_host init:unix_stream_socket { read write }; +allow sensor_dal_host kernel:fd { use }; +allow sensor_dal_host proc_file:dir { search }; +allow sensor_dal_host proc_file:lnk_file { read }; +allow sensor_dal_host rootfs:dir { search }; +allow sensor_dal_host samgr:binder { call }; +allow sensor_dal_host sensor_dal_host:dir { search }; +allow sensor_dal_host sensor_dal_host:lnk_file { read }; +allow sensor_dal_host sensor_dal_host:process { fork }; +allow sensor_dal_host sensor_dal_host:unix_dgram_socket { connect create write }; +allow sensor_dal_host sensors:binder { call }; +allow sensor_dal_host system_etc_file:dir { search }; +allow sensor_dal_host system_etc_file:file { open read }; +allow sensor_dal_host system_file:dir { search }; +allow sensor_dal_host system_lib_file:dir { search }; +allow sensor_dal_host system_lib_file:file { execute getattr map open read }; +allow sensor_dal_host vendor_etc_file:dir { search }; +allow sensor_dal_host vendor_etc_file:file { getattr open read }; +allow sensor_dal_host vendor_file:dir { search }; +allow sensor_dal_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm sensor_dal_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm sensor_dal_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm sensor_dal_host dev_file:chr_file ioctl { 0x6201 0x6203 }; +allowxperm sensor_dal_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/sensors.te b/sepolicy/base/rk3568/sensors.te new file mode 100644 index 0000000000000000000000000000000000000000..dfbdf74ae4546b092afeff8a803cae5bc6c66f4c --- /dev/null +++ b/sepolicy/base/rk3568/sensors.te @@ -0,0 +1,53 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sensors debugfs:dir { search }; +allow sensors dev_at_file:chr_file { ioctl open read write }; +allow sensors dev_binder_file:chr_file { ioctl map open read write }; +allow sensors dev_file:dir { search }; +allow sensors dev_null_file:chr_file { read write }; +allow sensors dev_parameters_file:dir { search }; +allow sensors dev_parameters_file:file { map open read }; +allow sensors dev_random_file:chr_file { open read }; +allow sensors dev_unix_file:dir { search }; +allow sensors dev_unix_socket_file:dir { search }; +allow sensors dev_unix_socket_file:sock_file { write }; +allow sensors etc_file:lnk_file { read }; +allow sensors hdf_devmgr:binder { call }; +allow sensors init:fd { use }; +allow sensors init:netlink_kobject_uevent_socket { read write }; +allow sensors init:unix_dgram_socket { sendto }; +allow sensors init:unix_stream_socket { read write }; +allow sensors kernel:fd { use }; +allow sensors proc_file:dir { search }; +allow sensors proc_file:lnk_file { read }; +allow sensors rootfs:dir { search }; +allow sensors samain_exec:file { entrypoint execute map read }; +allow sensors samgr:binder { call transfer }; +allow sensors sensor_dal_host:binder { call transfer }; +allow sensors sensors:dir { search }; +allow sensors sensors:lnk_file { read }; +allow sensors sensors:process { fork getsched }; +allow sensors sensors:unix_dgram_socket { connect create write }; +allow sensors system_etc_file:dir { search }; +allow sensors system_etc_file:file { open read }; +allow sensors system_file:dir { search }; +allow sensors system_lib_file:dir { search }; +allow sensors system_lib_file:file { execute getattr map open read }; +allow sensors system_profile_file:dir { search }; +allow sensors system_profile_file:file { getattr open read }; +allow sensors vendor_file:dir { search }; +allow sensors vendor_file:file { execute getattr map open read }; +allow sensors vibrator_dal_host:binder { call }; +allowxperm sensors dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm sensors dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/sh.te b/sepolicy/base/rk3568/sh.te new file mode 100644 index 0000000000000000000000000000000000000000..c137daed81159e03b9ec2dd5b12af24df976a2fc --- /dev/null +++ b/sepolicy/base/rk3568/sh.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow sh dev_console_file:chr_file { getattr ioctl read write }; +allow sh dev_file:dir { search }; +allow sh dev_parameters_file:dir { search }; +allow sh dev_parameters_file:file { map open read }; +allow sh etc_file:lnk_file { read }; +allow sh init:fd { use }; +allow sh init:netlink_kobject_uevent_socket { read write }; +allow sh init:unix_stream_socket { read write }; +allow sh kernel:fd { use }; +allow sh rootfs:dir { search }; +allow sh sh_exec:file { entrypoint execute map read }; +allow sh system_etc_file:dir { search }; +allow sh system_etc_file:file { open read }; +allow sh system_file:dir { search }; +allow sh system_lib_file:dir { search }; +allow sh system_lib_file:file { execute getattr map open read }; +allow sh tty_device:chr_file { ioctl open read write }; +allowxperm sh dev_console_file:chr_file ioctl { 0x5413 }; +allowxperm sh tty_device:chr_file ioctl { 0x5401 0x5403 0x540f 0x5413 }; diff --git a/sepolicy/base/rk3568/socperf_service.te b/sepolicy/base/rk3568/socperf_service.te new file mode 100644 index 0000000000000000000000000000000000000000..be71565c862f917ba943ed8d813597952a08b7b0 --- /dev/null +++ b/sepolicy/base/rk3568/socperf_service.te @@ -0,0 +1,52 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow socperf_service debugfs:dir { search }; +allow socperf_service dev_at_file:chr_file { ioctl open read write }; +allow socperf_service dev_binder_file:chr_file { ioctl map open read write }; +allow socperf_service dev_file:dir { search }; +allow socperf_service dev_null_file:chr_file { read write }; +allow socperf_service dev_parameters_file:dir { search }; +allow socperf_service dev_parameters_file:file { map open read }; +allow socperf_service dev_random_file:chr_file { open read }; +allow socperf_service dev_unix_file:dir { search }; +allow socperf_service dev_unix_socket_file:dir { search }; +allow socperf_service dev_unix_socket_file:sock_file { write }; +allow socperf_service etc_file:lnk_file { read }; +allow socperf_service init:fd { use }; +allow socperf_service init:netlink_kobject_uevent_socket { read write }; +allow socperf_service init:unix_dgram_socket { sendto }; +allow socperf_service init:unix_stream_socket { read write }; +allow socperf_service kernel:fd { use }; +allow socperf_service proc_file:dir { search }; +allow socperf_service proc_file:lnk_file { read }; +allow socperf_service rootfs:dir { search }; +allow socperf_service samain_exec:file { entrypoint execute map read }; +allow socperf_service samgr:binder { call transfer }; +allow socperf_service socperf_service:capability { dac_override }; +allow socperf_service socperf_service:dir { search }; +allow socperf_service socperf_service:lnk_file { read }; +allow socperf_service socperf_service:process { fork getsched }; +allow socperf_service socperf_service:unix_dgram_socket { connect create write }; +allow socperf_service sys_file:dir { search }; +allow socperf_service sys_file:file { getattr ioctl open write }; +allow socperf_service system_etc_file:dir { search }; +allow socperf_service system_etc_file:file { getattr open read }; +allow socperf_service system_file:dir { search }; +allow socperf_service system_lib_file:dir { search }; +allow socperf_service system_lib_file:file { execute getattr map open read }; +allow socperf_service system_profile_file:dir { search }; +allow socperf_service system_profile_file:file { getattr open read }; +allowxperm socperf_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm socperf_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm socperf_service sys_file:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/softbus_server.te b/sepolicy/base/rk3568/softbus_server.te new file mode 100644 index 0000000000000000000000000000000000000000..3d54ec440060c1b3bde3f09d53156bcaa7c37fe8 --- /dev/null +++ b/sepolicy/base/rk3568/softbus_server.te @@ -0,0 +1,70 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow softbus_server data_data_file:dir { search }; +allow softbus_server data_data_file:file { open read }; +allow softbus_server data_file:dir { search }; +allow softbus_server debugfs:dir { search }; +allow softbus_server dev_at_file:chr_file { ioctl open read write }; +allow softbus_server dev_binder_file:chr_file { ioctl map open read write }; +allow softbus_server dev_file:dir { search }; +allow softbus_server deviceauth_service:binder { call transfer }; +allow softbus_server dev_null_file:chr_file { ioctl read write }; +allow softbus_server dev_parameters_file:dir { search }; +allow softbus_server dev_parameters_file:file { map open read }; +allow softbus_server dev_random_file:chr_file { open read }; +allow softbus_server dev_unix_file:dir { search }; +allow softbus_server dev_unix_socket_file:dir { search }; +allow softbus_server dev_unix_socket_file:sock_file { write }; +allow softbus_server distributeddata:binder { call }; +allow softbus_server distributedfile:binder { call }; +allow softbus_server distributedsched:binder { call }; +allow softbus_server dslm_service:binder { call }; +allow softbus_server etc_file:lnk_file { read }; +allow softbus_server foundation:binder { call }; +allow softbus_server huks_service:binder { call }; +allow softbus_server init:fd { use }; +allow softbus_server init:netlink_kobject_uevent_socket { read write }; +allow softbus_server init:unix_dgram_socket { sendto }; +allow softbus_server init:unix_stream_socket { read write }; +allow softbus_server kernel:fd { use }; +allow softbus_server proc_file:dir { search }; +allow softbus_server proc_file:lnk_file { read }; +allow softbus_server rootfs:dir { search }; +allow softbus_server samain_exec:file { entrypoint execute map read }; +allow softbus_server samgr:binder { call transfer }; +allow softbus_server softbus_server:capability { net_admin }; +allow softbus_server softbus_server:dir { search }; +allow softbus_server softbus_server:fifo_file { read write }; +allow softbus_server softbus_server:lnk_file { read }; +allow softbus_server softbus_server:netlink_route_socket { bind create read setopt }; +allow softbus_server softbus_server:process { fork getsched }; +allow softbus_server softbus_server:udp_socket { create ioctl }; +allow softbus_server softbus_server:unix_dgram_socket { connect create write }; +allow softbus_server sys_file:dir { search }; +allow softbus_server sys_file:file { open read }; +allow softbus_server sys_file:lnk_file { read }; +allow softbus_server sysfs_block_file:dir { search }; +allow softbus_server system_etc_file:dir { search }; +allow softbus_server system_etc_file:file { open read }; +allow softbus_server system_file:dir { search }; +allow softbus_server system_lib_file:dir { search }; +allow softbus_server system_lib_file:file { execute getattr map open read }; +allow softbus_server system_profile_file:dir { search }; +allow softbus_server system_profile_file:file { getattr open read }; +allow softbus_server token_sync_service:binder { call }; +allow softbus_server wifi_manager_service:binder { call }; +allowxperm softbus_server dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm softbus_server dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm softbus_server dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm softbus_server softbus_server:udp_socket ioctl { 0x8913 0x8915 }; diff --git a/sepolicy/base/rk3568/storage_daemon.te b/sepolicy/base/rk3568/storage_daemon.te new file mode 100644 index 0000000000000000000000000000000000000000..a9690e0e367dcf6c07ed65f5b4be6673da37a062 --- /dev/null +++ b/sepolicy/base/rk3568/storage_daemon.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_daemon data_file:dir { search }; +allow storage_daemon data_service_el2_file:dir { read open search }; +allow storage_daemon data_service_file:dir { search }; +allow storage_daemon debugfs:dir { search }; +allow storage_daemon dev_at_file:chr_file { ioctl open read write }; +allow storage_daemon dev_binder_file:chr_file { ioctl map open read write }; +allow storage_daemon dev_file:dir { search }; +allow storage_daemon dev_null_file:chr_file { read write }; +allow storage_daemon dev_parameters_file:dir { search }; +allow storage_daemon dev_parameters_file:file { map open read }; +allow storage_daemon dev_random_file:chr_file { open read }; +allow storage_daemon dev_unix_file:dir { search }; +allow storage_daemon dev_unix_socket_file:dir { search }; +allow storage_daemon dev_unix_socket_file:sock_file { write }; +allow storage_daemon etc_file:lnk_file { read }; +allow storage_daemon hmdfs:dir { read open search }; +allow storage_daemon hmdfs:filesystem { mount }; +allow storage_daemon init:fd { use }; +allow storage_daemon init:netlink_kobject_uevent_socket { read write }; +allow storage_daemon init:unix_dgram_socket { sendto }; +allow storage_daemon init:unix_stream_socket { read write }; +allow storage_daemon kernel:fd { use }; +allow storage_daemon rootfs:dir { search }; +allow storage_daemon samgr:binder { call transfer }; +allow storage_daemon storage_daemon:capability { chown dac_override net_admin sys_admin }; +allow storage_daemon storage_daemon_exec:file { entrypoint execute map read }; +allow storage_daemon storage_daemon:netlink_kobject_uevent_socket { bind create read setopt }; +allow storage_daemon storage_daemon:process { fork }; +allow storage_daemon storage_daemon:unix_dgram_socket { connect create write }; +allow storage_daemon sys_file:dir { open read search }; +allow storage_daemon sys_file:file { open write }; +allow storage_daemon sys_file:lnk_file { read }; +allow storage_daemon sysfs_block_file:dir { open read search }; +allow storage_daemon system_etc_file:dir { search }; +allow storage_daemon system_etc_file:file { open read }; +allow storage_daemon system_file:dir { search }; +allow storage_daemon system_lib_file:dir { search }; +allow storage_daemon system_lib_file:file { execute getattr map open read }; +allow storage_daemon tmpfs:dir { add_name create mounton search setattr write }; +allowxperm storage_daemon dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm storage_daemon dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/storage_manager.te b/sepolicy/base/rk3568/storage_manager.te new file mode 100644 index 0000000000000000000000000000000000000000..c6b2f1084eca079e3f4bd798d0d34a21b44f1906 --- /dev/null +++ b/sepolicy/base/rk3568/storage_manager.te @@ -0,0 +1,59 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow storage_manager debugfs:dir { search }; +allow storage_manager dev_at_file:chr_file { ioctl open read write }; +allow storage_manager dev_binder_file:chr_file { ioctl map open read write }; +allow storage_manager dev_file:dir { search }; +allow storage_manager dev_null_file:chr_file { ioctl read write }; +allow storage_manager dev_parameters_file:dir { search }; +allow storage_manager dev_parameters_file:file { map open read }; +allow storage_manager dev_random_file:chr_file { open read }; +allow storage_manager dev_unix_file:dir { search }; +allow storage_manager dev_unix_socket_file:dir { search }; +allow storage_manager dev_unix_socket_file:sock_file { write }; +allow storage_manager etc_file:lnk_file { read }; +allow storage_manager foundation:binder { call transfer }; +allow storage_manager init:fd { use }; +allow storage_manager init:netlink_kobject_uevent_socket { read write }; +allow storage_manager init:unix_dgram_socket { sendto }; +allow storage_manager init:unix_stream_socket { read write }; +allow storage_manager kernel:fd { use }; +allow storage_manager lib_file:lnk_file { read }; +allow storage_manager proc_file:dir { search }; +allow storage_manager proc_file:lnk_file { read }; +allow storage_manager rootfs:dir { search }; +allow storage_manager samain_exec:file { entrypoint execute map read }; +allow storage_manager samgr:binder { call transfer }; +allow storage_manager storage_daemon:binder { call }; +allow storage_manager storage_manager:dir { search }; +allow storage_manager storage_manager:lnk_file { read }; +allow storage_manager storage_manager:process { fork getsched }; +allow storage_manager storage_manager:unix_dgram_socket { connect create write }; +allow storage_manager system_bin_file:dir { search }; +allow storage_manager system_bin_file:file { execute execute_no_trans map read open }; +allow storage_manager system_etc_file:dir { getattr open read search }; +allow storage_manager system_etc_file:file { open read }; +allow storage_manager system_file:dir { search }; +allow storage_manager system_lib_file:dir { search }; +allow storage_manager system_lib_file:file { execute getattr map read open }; +allow storage_manager system_profile_file:dir { search }; +allow storage_manager system_profile_file:file { getattr open read }; +allow storage_manager system_usr_file:dir { search }; +allow storage_manager system_usr_file:file { getattr map open read }; +allow storage_manager vendor_file:dir { search }; +allow storage_manager vendor_file:file { execute getattr map open read }; +allow storage_manager vendor_file:lnk_file { read }; +allowxperm storage_manager dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm storage_manager dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm storage_manager dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/telephony_sa.te b/sepolicy/base/rk3568/telephony_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..fad38892ea75992a0aa284703be998156ac4304a --- /dev/null +++ b/sepolicy/base/rk3568/telephony_sa.te @@ -0,0 +1,58 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow telephony_sa debugfs:dir { search }; +allow telephony_sa dev_at_file:chr_file { ioctl open read write }; +allow telephony_sa dev_binder_file:chr_file { ioctl map open read write }; +allow telephony_sa dev_file:dir { search }; +allow telephony_sa dev_null_file:chr_file { read write }; +allow telephony_sa dev_parameters_file:dir { search }; +allow telephony_sa dev_parameters_file:file { map open read }; +allow telephony_sa dev_random_file:chr_file { open read }; +allow telephony_sa dev_unix_file:dir { search }; +allow telephony_sa dev_unix_socket_file:dir { search }; +allow telephony_sa dev_unix_socket_file:sock_file { write }; +allow telephony_sa etc_file:lnk_file { read }; +allow telephony_sa foundation:binder { call }; +allow telephony_sa hdf_devmgr:binder { call }; +allow telephony_sa init:fd { use }; +allow telephony_sa init:netlink_kobject_uevent_socket { read write }; +allow telephony_sa init:unix_dgram_socket { sendto }; +allow telephony_sa init:unix_stream_socket { read write }; +allow telephony_sa kernel:fd { use }; +allow telephony_sa proc_file:dir { search }; +allow telephony_sa proc_file:lnk_file { read }; +allow telephony_sa rootfs:dir { search }; +allow telephony_sa samain_exec:file { entrypoint execute map read }; +allow telephony_sa samgr:binder { call transfer }; +allow telephony_sa sys_file:dir { open read search }; +allow telephony_sa sys_file:file { open read }; +allow telephony_sa sys_file:lnk_file { read }; +allow telephony_sa system_etc_file:dir { getattr open read search }; +allow telephony_sa system_etc_file:file { open read }; +allow telephony_sa system_file:dir { search }; +allow telephony_sa system_lib_file:dir { search }; +allow telephony_sa system_lib_file:file { execute getattr map open read }; +allow telephony_sa system_profile_file:dir { search }; +allow telephony_sa system_profile_file:file { getattr open read }; +allow telephony_sa system_usr_file:dir { search }; +allow telephony_sa system_usr_file:file { getattr map open read }; +allow telephony_sa telephony_sa:dir { search }; +allow telephony_sa telephony_sa:lnk_file { read }; +allow telephony_sa telephony_sa:process { fork getsched }; +allow telephony_sa telephony_sa:unix_dgram_socket { connect create write }; +allow telephony_sa vendor_file:dir { search }; +allow telephony_sa vendor_file:file { execute getattr map open read }; +allow telephony_sa vendor_file:lnk_file { read }; +allowxperm telephony_sa dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm telephony_sa dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/thermal_protector.te b/sepolicy/base/rk3568/thermal_protector.te new file mode 100644 index 0000000000000000000000000000000000000000..0182570ee1f59385bf9d039df541e5d1cc5762d9 --- /dev/null +++ b/sepolicy/base/rk3568/thermal_protector.te @@ -0,0 +1,59 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow thermal_protector data_file:dir { search }; +allow thermal_protector data_service_el2_file:dir { read open search }; +allow thermal_protector data_service_file:dir { search }; +allow thermal_protector debugfs:dir { search }; +allow thermal_protector dev_at_file:chr_file { ioctl open read write }; +allow thermal_protector dev_binder_file:chr_file { ioctl map open read write }; +allow thermal_protector dev_file:dir { search }; +allow thermal_protector dev_null_file:chr_file { read write }; +allow thermal_protector dev_parameters_file:dir { search }; +allow thermal_protector dev_parameters_file:file { map open read }; +allow thermal_protector dev_random_file:chr_file { open read }; +allow thermal_protector dev_unix_file:dir { search }; +allow thermal_protector dev_unix_socket_file:dir { search }; +allow thermal_protector dev_unix_socket_file:sock_file { write }; +allow thermal_protector etc_file:lnk_file { read }; +allow thermal_protector init:fd { use }; +allow thermal_protector init:netlink_kobject_uevent_socket { read write }; +allow thermal_protector init:unix_dgram_socket { sendto }; +allow thermal_protector init:unix_stream_socket { read write }; +allow thermal_protector kernel:fd { use }; +allow thermal_protector rootfs:dir { search }; +allow thermal_protector samgr:binder { call transfer }; +allow thermal_protector thermal_protector:capability { chown dac_override net_admin sys_admin }; +allow thermal_protector thermal_protector_exec:file { entrypoint execute map read }; +allow thermal_protector thermal_protector:netlink_kobject_uevent_socket { bind create read setopt }; +allow thermal_protector thermal_protector:process { fork }; +allow thermal_protector thermal_protector:unix_dgram_socket { connect create write }; +allow thermal_protector sys_file:dir { open read search }; +allow thermal_protector sys_file:file { open write }; +allow thermal_protector sys_file:lnk_file { read }; +allow thermal_protector sysfs_block_file:dir { open read search }; +allow thermal_protector system_etc_file:dir { getattr open read search }; +allow thermal_protector system_etc_file:file { getattr open read }; +allow thermal_protector system_file:dir { search }; +allow thermal_protector system_lib_file:dir { search }; +allow thermal_protector system_lib_file:file { execute getattr map open read }; +allow thermal_protector system_profile_file:dir { search }; +allow thermal_protector system_profile_file:file { getattr open read }; +allow thermal_protector system_usr_file:dir { search }; +allow thermal_protector system_usr_file:file { getattr map open read }; +allow thermal_protector vendor_file:dir { search }; +allow thermal_protector vendor_file:file { execute getattr map open read }; +allow thermal_protector vendor_file:lnk_file { read }; +allow thermal_protector tmpfs:dir { add_name create mounton search setattr write }; +allowxperm thermal_protector dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm thermal_protector dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; \ No newline at end of file diff --git a/sepolicy/base/rk3568/thermal_sa.te b/sepolicy/base/rk3568/thermal_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..86eb1fb0d86580d6cb3726613e172578997a1933 --- /dev/null +++ b/sepolicy/base/rk3568/thermal_sa.te @@ -0,0 +1,62 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow thermal_sa data_file:dir { search }; +allow thermal_sa data_file:file { ioctl open read write }; +allow thermal_sa debugfs:dir { search }; +allow thermal_sa dev_at_file:chr_file { ioctl open read write }; +allow thermal_sa dev_binder_file:chr_file { ioctl map open read write }; +allow thermal_sa dev_file:dir { search }; +allow thermal_sa dev_null_file:chr_file { read write }; +allow thermal_sa dev_parameters_file:dir { search }; +allow thermal_sa dev_parameters_file:file { map open read }; +allow thermal_sa dev_random_file:chr_file { open read }; +allow thermal_sa dev_unix_file:dir { search }; +allow thermal_sa dev_unix_socket_file:dir { search }; +allow thermal_sa dev_unix_socket_file:sock_file { write }; +allow thermal_sa etc_file:lnk_file { read }; +allow thermal_sa foundation:binder { call transfer }; +allow thermal_sa hdf_devmgr:binder { call }; +allow thermal_sa init:fd { use }; +allow thermal_sa init:netlink_kobject_uevent_socket { read write }; +allow thermal_sa init:unix_dgram_socket { sendto }; +allow thermal_sa init:unix_stream_socket { read write }; +allow thermal_sa kernel:fd { use }; +allow thermal_sa power_host:binder { call transfer }; +allow thermal_sa proc_file:dir { search }; +allow thermal_sa proc_file:lnk_file { read }; +allow thermal_sa rootfs:dir { search }; +allow thermal_sa samain_exec:file { entrypoint execute map read }; +allow thermal_sa samgr:binder { call transfer }; +allow thermal_sa sys_file:dir { open read search }; +allow thermal_sa sys_file:file { open read }; +allow thermal_sa sys_file:lnk_file { read }; +allow thermal_sa system_etc_file:dir { getattr open read search }; +allow thermal_sa system_etc_file:file { getattr open read }; +allow thermal_sa system_file:dir { search }; +allow thermal_sa system_lib_file:dir { search }; +allow thermal_sa system_lib_file:file { execute getattr map open read }; +allow thermal_sa system_profile_file:dir { search }; +allow thermal_sa system_profile_file:file { getattr open read }; +allow thermal_sa system_usr_file:dir { search }; +allow thermal_sa system_usr_file:file { getattr map open read }; +allow thermal_sa thermal_sa:dir { search }; +allow thermal_sa thermal_sa:lnk_file { read }; +allow thermal_sa thermal_sa:process { fork getsched }; +allow thermal_sa thermal_sa:unix_dgram_socket { connect create write }; +allow thermal_sa vendor_file:dir { search }; +allow thermal_sa vendor_file:file { execute getattr map open read }; +allow thermal_sa vendor_file:lnk_file { read }; +allowxperm thermal_sa data_file:file ioctl { 0x5413 }; +allowxperm thermal_sa dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm thermal_sa dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/time_service.te b/sepolicy/base/rk3568/time_service.te new file mode 100644 index 0000000000000000000000000000000000000000..cc1b8324d22abee19787b7d01e510febe4b70490 --- /dev/null +++ b/sepolicy/base/rk3568/time_service.te @@ -0,0 +1,61 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow time_service data_file:dir { search }; +allow time_service data_misc:dir { getattr search }; +allow time_service data_misc:file { open read }; +allow time_service debugfs:dir { search }; +allow time_service dev_at_file:chr_file { ioctl open read write }; +allow time_service dev_binder_file:chr_file { ioctl map open read write }; +allow time_service dev_file:dir { search }; +allow time_service dev_null_file:chr_file { read write }; +allow time_service dev_parameters_file:dir { search }; +allow time_service dev_parameters_file:file { map open read }; +allow time_service dev_random_file:chr_file { open read }; +allow time_service dev_unix_file:dir { search }; +allow time_service dev_unix_socket_file:dir { search }; +allow time_service dev_unix_socket_file:sock_file { write }; +allow time_service etc_file:lnk_file { read }; +allow time_service foundation:binder { call transfer }; +allow time_service init:fd { use }; +allow time_service init:netlink_kobject_uevent_socket { read write }; +allow time_service init:unix_dgram_socket { sendto }; +allow time_service init:unix_stream_socket { read write }; +allow time_service kernel:fd { use }; +allow time_service proc_file:dir { search }; +allow time_service proc_file:lnk_file { read }; +allow time_service rootfs:dir { search }; +allow time_service samain_exec:file { entrypoint execute map read }; +allow time_service samgr:binder { call transfer }; +allow time_service sys_file:dir { open read search }; +allow time_service sys_file:file { open read }; +allow time_service sys_file:lnk_file { read }; +allow time_service system_etc_file:dir { getattr open read search }; +allow time_service system_etc_file:file { open read }; +allow time_service system_file:dir { search }; +allow time_service system_lib_file:dir { search }; +allow time_service system_lib_file:file { execute getattr map open read }; +allow time_service system_profile_file:dir { search }; +allow time_service system_profile_file:file { getattr open read }; +allow time_service system_usr_file:dir { search }; +allow time_service system_usr_file:file { getattr map open read }; +allow time_service time_service:capability2 { wake_alarm }; +allow time_service time_service:dir { search }; +allow time_service time_service:lnk_file { read }; +allow time_service time_service:process { fork getsched }; +allow time_service time_service:unix_dgram_socket { connect create write }; +allow time_service vendor_file:dir { search }; +allow time_service vendor_file:file { execute getattr map open read }; +allow time_service vendor_file:lnk_file { read }; +allowxperm time_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm time_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/token_sync_service.te b/sepolicy/base/rk3568/token_sync_service.te new file mode 100644 index 0000000000000000000000000000000000000000..44cfe75a9e5f54f986dce9976cced10de8ebdd99 --- /dev/null +++ b/sepolicy/base/rk3568/token_sync_service.te @@ -0,0 +1,50 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow token_sync_service debugfs:dir { search }; +allow token_sync_service dev_at_file:chr_file { ioctl open read write }; +allow token_sync_service dev_binder_file:chr_file { ioctl map open read write }; +allow token_sync_service dev_file:dir { search }; +allow token_sync_service dev_null_file:chr_file { read write }; +allow token_sync_service dev_parameters_file:dir { search }; +allow token_sync_service dev_parameters_file:file { map open read }; +allow token_sync_service dev_random_file:chr_file { open read }; +allow token_sync_service dev_unix_file:dir { search }; +allow token_sync_service dev_unix_socket_file:dir { search }; +allow token_sync_service dev_unix_socket_file:sock_file { write }; +allow token_sync_service etc_file:lnk_file { read }; +allow token_sync_service foundation:binder { call transfer }; +allow token_sync_service init:fd { use }; +allow token_sync_service init:netlink_kobject_uevent_socket { read write }; +allow token_sync_service init:unix_dgram_socket { sendto }; +allow token_sync_service init:unix_stream_socket { read write }; +allow token_sync_service kernel:fd { use }; +allow token_sync_service proc_file:dir { search }; +allow token_sync_service proc_file:lnk_file { read }; +allow token_sync_service rootfs:dir { search }; +allow token_sync_service samain_exec:file { entrypoint execute map read }; +allow token_sync_service samgr:binder { call transfer }; +allow token_sync_service softbus_server:binder { call transfer }; +allow token_sync_service system_etc_file:dir { search }; +allow token_sync_service system_etc_file:file { open read }; +allow token_sync_service system_file:dir { search }; +allow token_sync_service system_lib_file:dir { search }; +allow token_sync_service system_lib_file:file { execute getattr map open read }; +allow token_sync_service system_profile_file:dir { search }; +allow token_sync_service system_profile_file:file { getattr open read }; +allow token_sync_service token_sync_service:dir { search }; +allow token_sync_service token_sync_service:lnk_file { read }; +allow token_sync_service token_sync_service:process { fork getsched }; +allow token_sync_service token_sync_service:unix_dgram_socket { connect create write }; +allowxperm token_sync_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm token_sync_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/udevadm.te b/sepolicy/base/rk3568/udevadm.te new file mode 100644 index 0000000000000000000000000000000000000000..f030ae650df499e0b91a2254c43c0ff1c12d8a6a --- /dev/null +++ b/sepolicy/base/rk3568/udevadm.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevadm dev_file:dir { search }; +allow udevadm dev_null_file:chr_file { read write }; +allow udevadm dev_parameters_file:dir { search }; +allow udevadm dev_parameters_file:file { map open read }; +allow udevadm etc_file:lnk_file { read }; +allow udevadm init:fd { use }; +allow udevadm init:netlink_kobject_uevent_socket { read write }; +allow udevadm init:unix_stream_socket { read write }; +allow udevadm kernel:fd { use }; +allow udevadm rootfs:dir { search }; +allow udevadm sys_file:dir { open read search }; +allow udevadm sys_file:file { getattr open write }; +allow udevadm sys_file:lnk_file { read }; +allow udevadm system_etc_file:dir { search }; +allow udevadm system_etc_file:file { open read }; +allow udevadm system_file:dir { search }; +allow udevadm system_lib_file:dir { search }; +allow udevadm system_lib_file:file { execute getattr map open read }; +allow udevadm udevadm_exec:file { entrypoint execute map read }; diff --git a/sepolicy/base/rk3568/udevd.te b/sepolicy/base/rk3568/udevd.te new file mode 100644 index 0000000000000000000000000000000000000000..c274f278aa9c92366a4c360496756688ee1de347 --- /dev/null +++ b/sepolicy/base/rk3568/udevd.te @@ -0,0 +1,98 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow udevd data_file:dir { add_name getattr open read remove_name search watch write }; +allow udevd data_file:file { create ioctl open read rename unlink write write open }; +allow udevd data_file:sock_file { create unlink }; +allow udevd dev_ashmem_file:chr_file { getattr write }; +allow udevd dev_at_file:chr_file { getattr write }; +allow udevd dev_binder_file:chr_file { getattr write }; +allow udevd dev_bus_usb_file:chr_file { getattr write }; +allow udevd dev_bus_usb_file:dir { search }; +allow udevd dev_console_file:chr_file { getattr write }; +allow udevd dev_cpu_dma_latency_file:chr_file { getattr write }; +allow udevd dev_dma_heap_file:chr_file { getattr write }; +allow udevd dev_dma_heap_file:dir { search }; +allow udevd dev_dri_file:chr_file { getattr write }; +allow udevd dev_dri_file:dir { add_name create getattr search write }; +allow udevd dev_dri_file:lnk_file { create }; +allow udevd dev_file:chr_file { getattr write }; +allow udevd dev_file:dir { add_name create getattr search write }; +allow udevd dev_file:lnk_file { create getattr read write }; +allow udevd dev_fuse_file:chr_file { getattr setattr write }; +allow udevd dev_hwbinder_file:chr_file { getattr write }; +allow udevd dev_iio_file:chr_file { getattr write }; +allow udevd dev_input_file:chr_file { getattr ioctl open read setattr write }; +allow udevd dev_input_file:dir { add_name create getattr search write }; +allow udevd dev_input_file:lnk_file { create }; +allow udevd dev_kmsg_file:chr_file { getattr ioctl open write }; +allow udevd dev_loop_control_file:chr_file { getattr write }; +allow udevd dev_media_file:chr_file { getattr write }; +allow udevd dev_null_file:chr_file { getattr ioctl open read write }; +allow udevd dev_parameters_file:dir { search }; +allow udevd dev_parameters_file:file { map open read }; +allow udevd dev_random_file:chr_file { getattr open read write }; +allow udevd dev_rpmb_file:chr_file { getattr write }; +allow udevd dev_rtc_file:chr_file { getattr write }; +allow udevd dev_tee_file:chr_file { getattr write }; +allow udevd dev_ubi_file:chr_file { getattr write }; +allow udevd dev_uhid_file:chr_file { getattr write }; +allow udevd dev_unix_file:dir { search }; +allow udevd dev_unix_socket_file:dir { search }; +allow udevd dev_unix_socket_file:sock_file { write }; +allow udevd dev_vcs_file:chr_file { getattr write }; +allow udevd dev_v_file:chr_file { getattr write }; +allow udevd dev_vhci_file:chr_file { getattr write }; +allow udevd dev_video_file:chr_file { getattr write }; +allow udevd dev_vndbinder_file:chr_file { getattr write }; +allow udevd dev_watchdog_file:chr_file { getattr write }; +allow udevd dev_zero_file:chr_file { getattr write }; +allow udevd etc_file:lnk_file { read }; +allow udevd init:fd { use }; +allow udevd init:netlink_kobject_uevent_socket { read write }; +allow udevd init:unix_dgram_socket { sendto }; +allow udevd init:unix_stream_socket { read write }; +allow udevd kernel:fd { use }; +allow udevd lib_file:lnk_file { read }; +allow udevd proc_cmdline_file:file { open read }; +allow udevd proc_file:dir { search }; +allow udevd proc_file:lnk_file { read }; +allow udevd rootfs:dir { search }; +allow udevd rootfs:lnk_file { read }; +allow udevd sh_exec:file { execute execute_no_trans map read open }; +allow udevd sys_file:dir { search }; +allow udevd sys_file:file { getattr open read }; +allow udevd sys_file:lnk_file { read }; +allow udevd system_bin_file:dir { search }; +allow udevd system_etc_file:dir { getattr open read search watch }; +allow udevd system_etc_file:file { getattr open read }; +allow udevd system_file:dir { search }; +allow udevd system_lib_file:dir { search }; +allow udevd system_lib_file:file { execute getattr map open read }; +allow udevd tty_device:chr_file { getattr open read write }; +allow udevd udevd:capability { dac_override fowner fsetid net_admin }; +allow udevd udevd:dir { search }; +allow udevd udevd_exec:file { entrypoint execute map read }; +allow udevd udevd:fifo_file { ioctl read write }; +allow udevd udevd:file { ioctl open write }; +allow udevd udevd:lnk_file { read }; +allow udevd udevd:netlink_kobject_uevent_socket { bind create getattr read setopt write }; +allow udevd udevd:process { fork getsched }; +allow udevd udevd:unix_dgram_socket { connect create read sendto setopt write }; +allow udevd udevd:unix_stream_socket { bind connect create listen setopt }; +allowxperm udevd data_file:file ioctl { 0x5413 }; +allowxperm udevd dev_input_file:chr_file ioctl { 0x4540 0x4541 }; +allowxperm udevd dev_kmsg_file:chr_file ioctl { 0x5413 }; +allowxperm udevd dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm udevd udevd:fifo_file ioctl { 0x5413 }; +allowxperm udevd udevd:file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/ueventd.te b/sepolicy/base/rk3568/ueventd.te new file mode 100644 index 0000000000000000000000000000000000000000..0c585e1a9628e8564941ab46cc29bb94ffb68b7a --- /dev/null +++ b/sepolicy/base/rk3568/ueventd.te @@ -0,0 +1,89 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ueventd dev_ashmem_file:chr_file { relabelto }; +allow ueventd dev_at_file:chr_file { relabelto }; +allow ueventd dev_binder_file:chr_file { relabelto }; +allow ueventd dev_block_file:blk_file { create getattr setattr }; +allow ueventd dev_block_file:dir { add_name getattr open read search write }; +allow ueventd dev_block_file:lnk_file { create getattr }; +allow ueventd dev_bus_usb_file:chr_file { getattr relabelto }; +allow ueventd dev_bus_usb_file:dir { getattr open read relabelto search }; +allow ueventd dev_console_file:chr_file { relabelto }; +allow ueventd dev_cpu_dma_latency_file:chr_file { relabelto }; +allow ueventd dev_dma_heap_file:chr_file { create getattr relabelto setattr }; +allow ueventd dev_dma_heap_file:dir { add_name getattr open read relabelto search write }; +allow ueventd dev_dri_file:chr_file { create getattr relabelto setattr }; +allow ueventd dev_dri_file:dir { add_name getattr open read relabelto search write }; +allow ueventd dev_file:chr_file { create getattr relabelfrom setattr }; +allow ueventd dev_file:dir { add_name create getattr relabelfrom search write }; +allow ueventd dev_file:file { create read write open }; +allow ueventd dev_fuse_file:chr_file { relabelto }; +allow ueventd dev_graphics_file:chr_file { getattr relabelto }; +allow ueventd dev_graphics_file:dir { getattr open read relabelto search }; +allow ueventd dev_hdf_file:chr_file { relabelto }; +allow ueventd dev_hwbinder_file:chr_file { relabelto }; +allow ueventd dev_iio_file:chr_file { relabelto }; +allow ueventd dev_input_file:chr_file { create getattr relabelto setattr }; +allow ueventd dev_input_file:dir { add_name getattr open read relabelto search write }; +allow ueventd dev_kmsg_file:chr_file { getattr open setattr write }; +allow ueventd dev_loop_control_file:chr_file { relabelto }; +allow ueventd dev_media_file:chr_file { relabelto }; +allow ueventd dev_mgr_file:chr_file { relabelto }; +allow ueventd dev_null_file:chr_file { getattr read write setattr }; +allow ueventd dev_parameters_file:dir { search }; +allow ueventd dev_parameters_file:file { map open read }; +allow ueventd devpts:filesystem { getattr }; +allow ueventd dev_random_file:chr_file { getattr setattr }; +allow ueventd dev_rpmb_file:chr_file { relabelto }; +allow ueventd dev_rtc_file:chr_file { relabelto }; +allow ueventd dev_svc_mgr_file:chr_file { relabelto }; +allow ueventd dev_tee_file:chr_file { relabelto }; +allow ueventd dev_ubi_file:chr_file { relabelto }; +allow ueventd dev_uhid_file:chr_file { relabelto }; +allow ueventd dev_vcs_file:chr_file { relabelto }; +allow ueventd dev_v_file:chr_file { relabelto }; +allow ueventd dev_vhci_file:chr_file { relabelto }; +allow ueventd dev_video_file:chr_file { relabelto }; +allow ueventd dev_vndbinder_file:chr_file { relabelto }; +allow ueventd dev_watchdog_file:chr_file { relabelto }; +allow ueventd dev_zero_file:chr_file { relabelto }; +allow ueventd etc_file:lnk_file { read }; +allow ueventd init:fd { use }; +allow ueventd init:netlink_kobject_uevent_socket { getopt read read write }; +allow ueventd init:unix_stream_socket { read write }; +allow ueventd kernel:fd { use }; +allow ueventd labeledfs:filesystem { getattr }; +allow ueventd proc_cmdline_file:file { open read }; +allow ueventd proc_file:dir { search }; +allow ueventd proc_file:lnk_file { read }; +allow ueventd rootfs:dir { search }; +allow ueventd selinuxfs:filesystem { getattr }; +allow ueventd sys_file:dir { getattr open read search }; +allow ueventd sys_file:file { open }; +allow ueventd sys_file:filesystem { getattr }; +allow ueventd sys_file:file { write }; +allow ueventd sys_file:lnk_file { read }; +allow ueventd sysfs_block_file:dir { open read }; +allow ueventd system_etc_file:dir { search }; +allow ueventd system_etc_file:file { getattr map open read }; +allow ueventd system_file:dir { search }; +allow ueventd system_lib_file:dir { search }; +allow ueventd system_lib_file:file { execute getattr map open read }; +allow ueventd tmpfs:filesystem { getattr }; +allow ueventd tty_device:chr_file { relabelto }; +allow ueventd ueventd:capability { chown fowner fsetid mknod setgid }; +allow ueventd ueventd:dir { search }; +allow ueventd ueventd_exec:file { entrypoint execute map read }; +allow ueventd ueventd:file { open read }; +allow ueventd ueventd:lnk_file { read }; diff --git a/sepolicy/base/rk3568/ui_service.te b/sepolicy/base/rk3568/ui_service.te new file mode 100644 index 0000000000000000000000000000000000000000..34fbded73b03fbc90ad96c419b45b6c45f941575 --- /dev/null +++ b/sepolicy/base/rk3568/ui_service.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow ui_service debugfs:dir { search }; +allow ui_service dev_at_file:chr_file { ioctl open read write }; +allow ui_service dev_binder_file:chr_file { ioctl map open read write }; +allow ui_service dev_file:dir { search }; +allow ui_service dev_null_file:chr_file { read write }; +allow ui_service dev_parameters_file:dir { search }; +allow ui_service dev_parameters_file:file { map open read }; +allow ui_service dev_random_file:chr_file { open read }; +allow ui_service dev_unix_file:dir { search }; +allow ui_service dev_unix_socket_file:dir { search }; +allow ui_service dev_unix_socket_file:sock_file { write }; +allow ui_service etc_file:lnk_file { read }; +allow ui_service init:fd { use }; +allow ui_service init:netlink_kobject_uevent_socket { read write }; +allow ui_service init:unix_dgram_socket { sendto }; +allow ui_service init:unix_stream_socket { read write }; +allow ui_service kernel:fd { use }; +allow ui_service proc_file:dir { search }; +allow ui_service proc_file:lnk_file { read }; +allow ui_service rootfs:dir { search }; +allow ui_service samain_exec:file { entrypoint execute map read }; +allow ui_service samgr:binder { call transfer }; +allow ui_service system_etc_file:dir { getattr open read search }; +allow ui_service system_etc_file:file { open read }; +allow ui_service system_file:dir { search }; +allow ui_service system_fonts_file:dir { open read search }; +allow ui_service system_fonts_file:file { getattr map open read }; +allow ui_service system_lib_file:dir { search }; +allow ui_service system_lib_file:file { execute getattr map open read }; +allow ui_service system_profile_file:dir { search }; +allow ui_service system_profile_file:file { getattr open read }; +allow ui_service system_usr_file:dir { search }; +allow ui_service system_usr_file:file { getattr map open read }; +allow ui_service ui_service:dir { search }; +allow ui_service ui_service:lnk_file { read }; +allow ui_service ui_service:process { fork getsched }; +allow ui_service ui_service:unix_dgram_socket { connect create write }; +allow ui_service vendor_file:dir { search }; +allow ui_service vendor_file:file { execute getattr map open read }; +allow ui_service vendor_file:lnk_file { read }; +allowxperm ui_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm ui_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/uinput_inject.te b/sepolicy/base/rk3568/uinput_inject.te new file mode 100644 index 0000000000000000000000000000000000000000..9d476d4c42cd0811f0f0ff19d0cc9ff81fb1ab04 --- /dev/null +++ b/sepolicy/base/rk3568/uinput_inject.te @@ -0,0 +1,45 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow uinput_inject dev_file:chr_file { ioctl open write }; +allow uinput_inject dev_file:dir { search }; +allow uinput_inject dev_hdf_file:chr_file { getattr ioctl open read write }; +allow uinput_inject dev_null_file:chr_file { read write }; +allow uinput_inject dev_parameters_file:dir { search }; +allow uinput_inject dev_parameters_file:file { map open read }; +allow uinput_inject dev_unix_file:dir { search }; +allow uinput_inject dev_unix_socket_file:dir { search }; +allow uinput_inject dev_unix_socket_file:sock_file { write }; +allow uinput_inject etc_file:lnk_file { read }; +allow uinput_inject init:fd { use }; +allow uinput_inject init:netlink_kobject_uevent_socket { read write }; +allow uinput_inject init:unix_dgram_socket { sendto }; +allow uinput_inject init:unix_stream_socket { read write }; +allow uinput_inject kernel:fd { use }; +allow uinput_inject proc_file:dir { search }; +allow uinput_inject proc_file:lnk_file { read }; +allow uinput_inject rootfs:dir { search }; +allow uinput_inject system_etc_file:dir { search }; +allow uinput_inject system_etc_file:file { open read }; +allow uinput_inject system_file:dir { search }; +allow uinput_inject system_lib_file:dir { search }; +allow uinput_inject system_lib_file:file { execute getattr map open read }; +allow uinput_inject uinput_inject:dir { search }; +allow uinput_inject uinput_inject_exec:file { entrypoint execute map read }; +allow uinput_inject uinput_inject:lnk_file { read }; +allow uinput_inject uinput_inject:process { fork }; +allow uinput_inject uinput_inject:unix_dgram_socket { connect create write }; +allow uinput_inject vendor_file:dir { search }; +allow uinput_inject vendor_file:file { execute getattr map open read }; +allowxperm uinput_inject dev_file:chr_file ioctl { 0x5501 0x5564 0x5565 0x5567 0x556e }; +allowxperm uinput_inject dev_hdf_file:chr_file ioctl { 0x6201 0x6202 0x6203 }; diff --git a/sepolicy/base/rk3568/updater_sa.te b/sepolicy/base/rk3568/updater_sa.te new file mode 100644 index 0000000000000000000000000000000000000000..1b46ed5e571b240227ae875a3cf61b45f1ab4348 --- /dev/null +++ b/sepolicy/base/rk3568/updater_sa.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow updater_sa data_file:dir { add_name search write }; +allow updater_sa data_file:file { append create ioctl open }; +allow updater_sa data_init_agent:dir { search }; +allow updater_sa data_init_agent:file { ioctl open read append }; +allow updater_sa debugfs:dir { search }; +allow updater_sa dev_at_file:chr_file { ioctl open read write }; +allow updater_sa dev_binder_file:chr_file { ioctl map open read write }; +allow updater_sa dev_file:dir { search }; +allow updater_sa dev_null_file:chr_file { ioctl read write }; +allow updater_sa dev_parameters_file:dir { search }; +allow updater_sa dev_parameters_file:file { map open read }; +allow updater_sa dev_random_file:chr_file { open read }; +allow updater_sa dev_unix_file:dir { search }; +allow updater_sa dev_unix_socket_file:dir { search }; +allow updater_sa dev_unix_socket_file:sock_file { write }; +allow updater_sa etc_file:lnk_file { read }; +allow updater_sa init:fd { use }; +allow updater_sa init:netlink_kobject_uevent_socket { read write }; +allow updater_sa init:unix_dgram_socket { sendto }; +allow updater_sa init:unix_stream_socket { read write }; +allow updater_sa kernel:fd { use }; +allow updater_sa proc_file:dir { search }; +allow updater_sa proc_file:lnk_file { read }; +allow updater_sa rootfs:dir { search }; +allow updater_sa samain_exec:file { entrypoint execute map read }; +allow updater_sa samgr:binder { call transfer }; +allow updater_sa system_etc_file:dir { search }; +allow updater_sa system_etc_file:file { open read }; +allow updater_sa system_file:dir { search }; +allow updater_sa system_lib_file:dir { search }; +allow updater_sa system_lib_file:file { execute getattr map open read }; +allow updater_sa system_profile_file:dir { search }; +allow updater_sa system_profile_file:file { getattr open read }; +allow updater_sa updater_sa:dir { search }; +allow updater_sa updater_sa:lnk_file { read }; +allow updater_sa updater_sa:process { fork getsched }; +allow updater_sa updater_sa:unix_dgram_socket { connect create write }; +allowxperm updater_sa data_file:file ioctl { 0x5413 }; +allowxperm updater_sa data_init_agent:file ioctl { 0x5413 }; +allowxperm updater_sa dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm updater_sa dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm updater_sa dev_null_file:chr_file ioctl { 0x5413 }; diff --git a/sepolicy/base/rk3568/upms.te b/sepolicy/base/rk3568/upms.te new file mode 100644 index 0000000000000000000000000000000000000000..2f203211cc85eba823ed8390d40fef58fac413a7 --- /dev/null +++ b/sepolicy/base/rk3568/upms.te @@ -0,0 +1,48 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow upms debugfs:dir { search }; +allow upms dev_at_file:chr_file { ioctl open read write }; +allow upms dev_binder_file:chr_file { ioctl map open read write }; +allow upms dev_file:dir { search }; +allow upms dev_null_file:chr_file { read write }; +allow upms dev_parameters_file:dir { search }; +allow upms dev_parameters_file:file { map open read }; +allow upms dev_random_file:chr_file { open read }; +allow upms dev_unix_file:dir { search }; +allow upms dev_unix_socket_file:dir { search }; +allow upms dev_unix_socket_file:sock_file { write }; +allow upms etc_file:lnk_file { read }; +allow upms init:fd { use }; +allow upms init:netlink_kobject_uevent_socket { read write }; +allow upms init:unix_dgram_socket { sendto }; +allow upms init:unix_stream_socket { read write }; +allow upms kernel:fd { use }; +allow upms proc_file:dir { search }; +allow upms proc_file:lnk_file { read }; +allow upms rootfs:dir { search }; +allow upms samain_exec:file { entrypoint execute map read }; +allow upms samgr:binder { call transfer }; +allow upms system_etc_file:dir { search }; +allow upms system_etc_file:file { open read }; +allow upms system_file:dir { search }; +allow upms system_lib_file:dir { search }; +allow upms system_lib_file:file { execute getattr map open read }; +allow upms system_profile_file:dir { search }; +allow upms system_profile_file:file { getattr open read }; +allow upms upms:dir { search }; +allow upms upms:lnk_file { read }; +allow upms upms:process { fork getsched }; +allow upms upms:unix_dgram_socket { connect create write }; +allowxperm upms dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm upms dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/usb_host.te b/sepolicy/base/rk3568/usb_host.te new file mode 100644 index 0000000000000000000000000000000000000000..bddb93d80cb6ec3465c92ac54d8b02a952338921 --- /dev/null +++ b/sepolicy/base/rk3568/usb_host.te @@ -0,0 +1,54 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usb_host debugfs:dir { search }; +allow usb_host dev_at_file:chr_file { ioctl open read write }; +allow usb_host dev_binder_file:chr_file { ioctl map open read write }; +allow usb_host dev_file:dir { search }; +allow usb_host dev_hdf_file:chr_file { getattr ioctl open read write }; +allow usb_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow usb_host dev_null_file:chr_file { read write }; +allow usb_host dev_parameters_file:dir { search }; +allow usb_host dev_parameters_file:file { map open read }; +allow usb_host dev_unix_file:dir { search }; +allow usb_host dev_unix_socket_file:dir { search }; +allow usb_host dev_unix_socket_file:sock_file { write }; +allow usb_host etc_file:lnk_file { read }; +allow usb_host hdf_devmgr:binder { call transfer }; +allow usb_host init:fd { use }; +allow usb_host init:netlink_kobject_uevent_socket { read write }; +allow usb_host init:unix_dgram_socket { sendto }; +allow usb_host init:unix_stream_socket { read write }; +allow usb_host kernel:fd { use }; +allow usb_host proc_file:dir { search }; +allow usb_host proc_file:lnk_file { read }; +allow usb_host rootfs:dir { search }; +allow usb_host samgr:binder { call }; +allow usb_host system_etc_file:dir { search }; +allow usb_host system_etc_file:file { open read }; +allow usb_host system_file:dir { search }; +allow usb_host system_lib_file:dir { search }; +allow usb_host system_lib_file:file { execute getattr map open read }; +allow usb_host usb_host:dir { search }; +allow usb_host usb_host:lnk_file { read }; +allow usb_host usb_host:process { fork }; +allow usb_host usb_host:unix_dgram_socket { connect create write }; +allow usb_host usb_service:binder { call }; +allow usb_host vendor_etc_file:dir { search }; +allow usb_host vendor_etc_file:file { getattr open read }; +allow usb_host vendor_file:dir { search }; +allow usb_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm usb_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm usb_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm usb_host dev_hdf_file:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm usb_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/usb_service.te b/sepolicy/base/rk3568/usb_service.te new file mode 100644 index 0000000000000000000000000000000000000000..93feda462958fe2f786ad95235b56a423eb8ec98 --- /dev/null +++ b/sepolicy/base/rk3568/usb_service.te @@ -0,0 +1,56 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usb_service debugfs:dir { search }; +allow usb_service dev_at_file:chr_file { ioctl open read write }; +allow usb_service dev_binder_file:chr_file { ioctl map open read write }; +allow usb_service dev_file:dir { search }; +allow usb_service dev_null_file:chr_file { read write }; +allow usb_service dev_parameters_file:dir { search }; +allow usb_service dev_parameters_file:file { map open read }; +allow usb_service dev_random_file:chr_file { open read }; +allow usb_service dev_unix_file:dir { search }; +allow usb_service dev_unix_socket_file:dir { search }; +allow usb_service dev_unix_socket_file:sock_file { write }; +allow usb_service etc_file:lnk_file { read }; +allow usb_service foundation:binder { call }; +allow usb_service hdf_devmgr:binder { call }; +allow usb_service init:fd { use }; +allow usb_service init:netlink_kobject_uevent_socket { read write }; +allow usb_service init:unix_dgram_socket { sendto }; +allow usb_service init:unix_stream_socket { read write }; +allow usb_service kernel:fd { use }; +allow usb_service proc_file:dir { search }; +allow usb_service proc_file:lnk_file { read }; +allow usb_service rootfs:dir { search }; +allow usb_service samain_exec:file { entrypoint execute map read }; +allow usb_service samgr:binder { call transfer }; +allow usb_service system_etc_file:dir { getattr open read search }; +allow usb_service system_etc_file:file { open read }; +allow usb_service system_file:dir { search }; +allow usb_service system_lib_file:dir { search }; +allow usb_service system_lib_file:file { execute getattr map open read }; +allow usb_service system_profile_file:dir { search }; +allow usb_service system_profile_file:file { getattr open read }; +allow usb_service system_usr_file:dir { search }; +allow usb_service system_usr_file:file { getattr map open read }; +allow usb_service usb_host:binder { call transfer }; +allow usb_service usb_service:dir { search }; +allow usb_service usb_service:lnk_file { read }; +allow usb_service usb_service:process { fork getsched }; +allow usb_service usb_service:unix_dgram_socket { connect create write }; +allow usb_service vendor_file:dir { search }; +allow usb_service vendor_file:file { execute getattr map open read }; +allow usb_service vendor_file:lnk_file { read }; +allowxperm usb_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm usb_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/usbfnMaster_host.te b/sepolicy/base/rk3568/usbfnMaster_host.te new file mode 100644 index 0000000000000000000000000000000000000000..18c13949ebe13eee3dbf71a3861d74a386825890 --- /dev/null +++ b/sepolicy/base/rk3568/usbfnMaster_host.te @@ -0,0 +1,53 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow usbfnMaster_host debugfs:dir { search }; +allow usbfnMaster_host dev_at_file:chr_file { ioctl open read write }; +allow usbfnMaster_host dev_binder_file:chr_file { ioctl map open read write }; +allow usbfnMaster_host dev_file:dir { search }; +allow usbfnMaster_host dev_hdf_file:chr_file { getattr ioctl open read write }; +allow usbfnMaster_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow usbfnMaster_host dev_null_file:chr_file { read write }; +allow usbfnMaster_host dev_parameters_file:dir { search }; +allow usbfnMaster_host dev_parameters_file:file { map open read }; +allow usbfnMaster_host dev_unix_file:dir { search }; +allow usbfnMaster_host dev_unix_socket_file:dir { search }; +allow usbfnMaster_host dev_unix_socket_file:sock_file { write }; +allow usbfnMaster_host etc_file:lnk_file { read }; +allow usbfnMaster_host hdf_devmgr:binder { call transfer }; +allow usbfnMaster_host init:fd { use }; +allow usbfnMaster_host init:netlink_kobject_uevent_socket { read write }; +allow usbfnMaster_host init:unix_dgram_socket { sendto }; +allow usbfnMaster_host init:unix_stream_socket { read write }; +allow usbfnMaster_host kernel:fd { use }; +allow usbfnMaster_host proc_file:dir { search }; +allow usbfnMaster_host proc_file:lnk_file { read }; +allow usbfnMaster_host rootfs:dir { search }; +allow usbfnMaster_host samgr:binder { call }; +allow usbfnMaster_host system_etc_file:dir { search }; +allow usbfnMaster_host system_etc_file:file { open read }; +allow usbfnMaster_host system_file:dir { search }; +allow usbfnMaster_host system_lib_file:dir { search }; +allow usbfnMaster_host system_lib_file:file { execute getattr map open read }; +allow usbfnMaster_host usbfnMaster_host:dir { search }; +allow usbfnMaster_host usbfnMaster_host:lnk_file { read }; +allow usbfnMaster_host usbfnMaster_host:process { fork }; +allow usbfnMaster_host usbfnMaster_host:unix_dgram_socket { connect create write }; +allow usbfnMaster_host vendor_etc_file:dir { search }; +allow usbfnMaster_host vendor_etc_file:file { getattr open read }; +allow usbfnMaster_host vendor_file:dir { search }; +allow usbfnMaster_host vendor_file:file { entrypoint execute getattr map open read }; +allowxperm usbfnMaster_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm usbfnMaster_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm usbfnMaster_host dev_hdf_file:chr_file ioctl { 0x6201 0x6202 0x6203 }; +allowxperm usbfnMaster_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/useriam.te b/sepolicy/base/rk3568/useriam.te new file mode 100644 index 0000000000000000000000000000000000000000..10b1dc12b1f5d40193123fe7209304a0b948082f --- /dev/null +++ b/sepolicy/base/rk3568/useriam.te @@ -0,0 +1,55 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow useriam accesstoken_service:binder { call }; +allow useriam data_file:dir { search }; +allow useriam debugfs:dir { search }; +allow useriam dev_at_file:chr_file { ioctl open read write }; +allow useriam dev_binder_file:chr_file { ioctl map open read write }; +allow useriam dev_file:dir { search }; +allow useriam dev_null_file:chr_file { read write }; +allow useriam dev_parameters_file:dir { search }; +allow useriam dev_parameters_file:file { map open read }; +allow useriam dev_random_file:chr_file { open read }; +allow useriam dev_unix_file:dir { search }; +allow useriam dev_unix_socket_file:dir { search }; +allow useriam dev_unix_socket_file:sock_file { write }; +allow useriam etc_file:lnk_file { read }; +allow useriam face_service:binder { call transfer }; +allow useriam init:fd { use }; +allow useriam init:netlink_kobject_uevent_socket { read write }; +allow useriam init:unix_dgram_socket { sendto }; +allow useriam init:unix_stream_socket { read write }; +allow useriam kernel:fd { use }; +allow useriam kernel:unix_stream_socket { connectto }; +allow useriam pinauth_service:binder { call transfer }; +allow useriam priv_hap_domain:binder { call }; +allow useriam proc_file:dir { search }; +allow useriam proc_file:lnk_file { read }; +allow useriam rootfs:dir { search }; +allow useriam samain_exec:file { entrypoint execute map read }; +allow useriam samgr:binder { call transfer }; +allow useriam system_etc_file:dir { search }; +allow useriam system_etc_file:file { open read }; +allow useriam system_file:dir { search }; +allow useriam system_lib_file:dir { search }; +allow useriam system_lib_file:file { execute getattr map open read }; +allow useriam system_profile_file:dir { search }; +allow useriam system_profile_file:file { getattr open read }; +allow useriam useriam:dir { search }; +allow useriam useriam:lnk_file { read }; +allow useriam useriam:process { fork getsched }; +allow useriam useriam:unix_dgram_socket { connect create write }; +allow useriam useriam:unix_stream_socket { connect create read setopt write }; +allowxperm useriam dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm useriam dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/rk3568/vibrator_dal_host.te b/sepolicy/base/rk3568/vibrator_dal_host.te new file mode 100644 index 0000000000000000000000000000000000000000..1b1b24d31e652d5bdf0195ff1b9e50a4765cddd4 --- /dev/null +++ b/sepolicy/base/rk3568/vibrator_dal_host.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow vibrator_dal_host debugfs:dir { search }; +allow vibrator_dal_host dev_at_file:chr_file { ioctl open read write }; +allow vibrator_dal_host dev_binder_file:chr_file { ioctl map open read write }; +allow vibrator_dal_host dev_file:dir { search }; +allow vibrator_dal_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow vibrator_dal_host dev_null_file:chr_file { read write }; +allow vibrator_dal_host dev_parameters_file:dir { search }; +allow vibrator_dal_host dev_parameters_file:file { map open read }; +allow vibrator_dal_host dev_unix_file:dir { search }; +allow vibrator_dal_host dev_unix_socket_file:dir { search }; +allow vibrator_dal_host dev_unix_socket_file:sock_file { write }; +allow vibrator_dal_host etc_file:lnk_file { read }; +allow vibrator_dal_host hdf_devmgr:binder { call transfer }; +allow vibrator_dal_host init:fd { use }; +allow vibrator_dal_host init:netlink_kobject_uevent_socket { read write }; +allow vibrator_dal_host init:unix_dgram_socket { sendto }; +allow vibrator_dal_host init:unix_stream_socket { read write }; +allow vibrator_dal_host kernel:fd { use }; +allow vibrator_dal_host proc_file:dir { search }; +allow vibrator_dal_host proc_file:lnk_file { read }; +allow vibrator_dal_host rootfs:dir { search }; +allow vibrator_dal_host samgr:binder { call }; +allow vibrator_dal_host system_etc_file:dir { search }; +allow vibrator_dal_host system_etc_file:file { open read }; +allow vibrator_dal_host system_file:dir { search }; +allow vibrator_dal_host system_lib_file:dir { search }; +allow vibrator_dal_host system_lib_file:file { execute getattr map open read }; +allow vibrator_dal_host vendor_etc_file:dir { search }; +allow vibrator_dal_host vendor_etc_file:file { getattr open read }; +allow vibrator_dal_host vendor_file:dir { search }; +allow vibrator_dal_host vendor_file:file { entrypoint execute getattr map open read }; +allow vibrator_dal_host vibrator_dal_host:dir { search }; +allow vibrator_dal_host vibrator_dal_host:lnk_file { read }; +allow vibrator_dal_host vibrator_dal_host:process { fork }; +allow vibrator_dal_host vibrator_dal_host:unix_dgram_socket { connect create write }; +allowxperm vibrator_dal_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm vibrator_dal_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm vibrator_dal_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/watchdog_service.te b/sepolicy/base/rk3568/watchdog_service.te new file mode 100644 index 0000000000000000000000000000000000000000..120ccf5bd7724ac29aa79a02b1afdeace269b6af --- /dev/null +++ b/sepolicy/base/rk3568/watchdog_service.te @@ -0,0 +1,32 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow watchdog_service dev_file:dir { search }; +allow watchdog_service dev_kmsg_file:chr_file { open write }; +allow watchdog_service dev_null_file:chr_file { read write }; +allow watchdog_service dev_parameters_file:dir { search }; +allow watchdog_service dev_parameters_file:file { map open read }; +allow watchdog_service dev_watchdog_file:chr_file { getattr ioctl open read write }; +allow watchdog_service etc_file:lnk_file { read }; +allow watchdog_service init:fd { use }; +allow watchdog_service init:netlink_kobject_uevent_socket { read write }; +allow watchdog_service init:unix_stream_socket { read write }; +allow watchdog_service kernel:fd { use }; +allow watchdog_service rootfs:dir { search }; +allow watchdog_service system_etc_file:dir { search }; +allow watchdog_service system_etc_file:file { open read }; +allow watchdog_service system_file:dir { search }; +allow watchdog_service system_lib_file:dir { search }; +allow watchdog_service system_lib_file:file { execute getattr map open read }; +allow watchdog_service watchdog_service_exec:file { entrypoint execute map read }; +allowxperm watchdog_service dev_watchdog_file:chr_file ioctl { 0x5705 0x5706 0x5707 }; diff --git a/sepolicy/base/rk3568/wifi_hal_service.te b/sepolicy/base/rk3568/wifi_hal_service.te new file mode 100644 index 0000000000000000000000000000000000000000..9571691c423f98e5baa5dc7908f2a018a1c5a316 --- /dev/null +++ b/sepolicy/base/rk3568/wifi_hal_service.te @@ -0,0 +1,72 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_hal_service data_file:dir { search }; +allow wifi_hal_service data_misc:dir { add_name getattr remove_name search write }; +allow wifi_hal_service data_misc:file { create read write open }; +allow wifi_hal_service data_misc:sock_file { create unlink }; +allow wifi_hal_service dev_file:chr_file { open read }; +allow wifi_hal_service dev_file:dir { search }; +allow wifi_hal_service dev_null_file:chr_file { getattr ioctl open read write }; +allow wifi_hal_service dev_parameters_file:dir { search }; +allow wifi_hal_service dev_parameters_file:file { map open read }; +allow wifi_hal_service dev_unix_file:dir { search }; +allow wifi_hal_service dev_unix_socket_file:dir { search }; +allow wifi_hal_service dev_unix_socket_file:sock_file { write }; +allow wifi_hal_service etc_file:lnk_file { read }; +allow wifi_hal_service init:fd { use }; +allow wifi_hal_service init:netlink_kobject_uevent_socket { read write }; +allow wifi_hal_service init:unix_dgram_socket { sendto }; +allow wifi_hal_service init:unix_stream_socket { read write }; +allow wifi_hal_service kernel:fd { use }; +allow wifi_hal_service kernel:system { module_request }; +allow wifi_hal_service lib_file:lnk_file { read }; +allow wifi_hal_service node:udp_socket { node_bind }; +allow wifi_hal_service port:udp_socket { name_bind }; +allow wifi_hal_service proc_file:dir { search }; +allow wifi_hal_service proc_file:lnk_file { read }; +allow wifi_hal_service rootfs:dir { search }; +allow wifi_hal_service rootfs:lnk_file { read }; +allow wifi_hal_service selinuxfs:filesystem { getattr }; +allow wifi_hal_service sh_exec:file { execute execute_no_trans map read open }; +allow wifi_hal_service sys_file:dir { getattr search }; +allow wifi_hal_service sys_file:lnk_file { read }; +allow wifi_hal_service system_bin_file:dir { search }; +allow wifi_hal_service system_bin_file:file { execute execute_no_trans getattr map read open }; +allow wifi_hal_service system_bin_file:lnk_file { read }; +allow wifi_hal_service system_etc_file:dir { search }; +allow wifi_hal_service system_etc_file:file { getattr open read }; +allow wifi_hal_service system_file:dir { search }; +allow wifi_hal_service system_lib_file:dir { search }; +allow wifi_hal_service system_lib_file:file { execute getattr map open read }; +allow wifi_hal_service tty_device:chr_file { open read write }; +allow wifi_hal_service vendor_etc_file:dir { search }; +allow wifi_hal_service vendor_etc_file:file { open read }; +allow wifi_hal_service vendor_file:dir { search }; +allow wifi_hal_service vendor_file:file { execute getattr map open read }; +allow wifi_hal_service wifi_hal_service:capability { dac_override dac_read_search net_admin net_raw sys_module }; +allow wifi_hal_service wifi_hal_service:dir { search }; +allow wifi_hal_service wifi_hal_service_exec:file { entrypoint execute map read }; +allow wifi_hal_service wifi_hal_service:fifo_file { read }; +allow wifi_hal_service wifi_hal_service:lnk_file { read }; +allow wifi_hal_service wifi_hal_service:netlink_generic_socket { bind create getattr read setopt write }; +allow wifi_hal_service wifi_hal_service:netlink_route_socket { bind create nlmsg_write read write }; +allow wifi_hal_service wifi_hal_service:packet_socket { bind create ioctl setopt }; +allow wifi_hal_service wifi_hal_service:process { fork }; +allow wifi_hal_service wifi_hal_service:udp_socket { bind connect create ioctl read write }; +allow wifi_hal_service wifi_hal_service:unix_dgram_socket { connect create ioctl write }; +allow wifi_hal_service wifi_hal_service:unix_stream_socket { accept bind create listen read setopt write }; +allowxperm wifi_hal_service dev_null_file:chr_file ioctl { 0x5413 }; +allowxperm wifi_hal_service wifi_hal_service:packet_socket ioctl { 0x8933 }; +allowxperm wifi_hal_service wifi_hal_service:udp_socket ioctl { 0x8913 }; +allowxperm wifi_hal_service wifi_hal_service:unix_dgram_socket ioctl { 0x8933 }; diff --git a/sepolicy/base/rk3568/wifi_host.te b/sepolicy/base/rk3568/wifi_host.te new file mode 100644 index 0000000000000000000000000000000000000000..bcdf6872daec840928223e3b192ee628c11c8c15 --- /dev/null +++ b/sepolicy/base/rk3568/wifi_host.te @@ -0,0 +1,51 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_host debugfs:dir { search }; +allow wifi_host dev_at_file:chr_file { ioctl open read write }; +allow wifi_host dev_binder_file:chr_file { ioctl map open read write }; +allow wifi_host dev_file:dir { search }; +allow wifi_host dev_mgr_file:chr_file { getattr ioctl open read write }; +allow wifi_host dev_null_file:chr_file { read write }; +allow wifi_host dev_parameters_file:dir { search }; +allow wifi_host dev_parameters_file:file { map open read }; +allow wifi_host dev_unix_file:dir { search }; +allow wifi_host dev_unix_socket_file:dir { search }; +allow wifi_host dev_unix_socket_file:sock_file { write }; +allow wifi_host etc_file:lnk_file { read }; +allow wifi_host hdf_devmgr:binder { call transfer }; +allow wifi_host init:fd { use }; +allow wifi_host init:netlink_kobject_uevent_socket { read write }; +allow wifi_host init:unix_dgram_socket { sendto }; +allow wifi_host init:unix_stream_socket { read write }; +allow wifi_host kernel:fd { use }; +allow wifi_host proc_file:dir { search }; +allow wifi_host proc_file:lnk_file { read }; +allow wifi_host rootfs:dir { search }; +allow wifi_host samgr:binder { call }; +allow wifi_host system_etc_file:dir { search }; +allow wifi_host system_etc_file:file { open read }; +allow wifi_host system_file:dir { search }; +allow wifi_host system_lib_file:dir { search }; +allow wifi_host system_lib_file:file { execute getattr map open read }; +allow wifi_host vendor_etc_file:dir { search }; +allow wifi_host vendor_etc_file:file { getattr open read }; +allow wifi_host vendor_file:dir { search }; +allow wifi_host vendor_file:file { entrypoint execute getattr map open read }; +allow wifi_host wifi_host:dir { search }; +allow wifi_host wifi_host:lnk_file { read }; +allow wifi_host wifi_host:process { fork }; +allow wifi_host wifi_host:unix_dgram_socket { connect create write }; +allowxperm wifi_host dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm wifi_host dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6209 0x621e 0x621f }; +allowxperm wifi_host dev_mgr_file:chr_file ioctl { 0x6201 }; diff --git a/sepolicy/base/rk3568/wifi_manager_service.te b/sepolicy/base/rk3568/wifi_manager_service.te new file mode 100644 index 0000000000000000000000000000000000000000..108fde127392b41582874bd78fba94c21493b532 --- /dev/null +++ b/sepolicy/base/rk3568/wifi_manager_service.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow wifi_manager_service data_dhcp:dir { search }; +allow wifi_manager_service data_file:dir { search }; +allow wifi_manager_service data_misc:dir { add_name search write }; +allow wifi_manager_service data_misc:file { create ioctl open read write }; +allow wifi_manager_service data_misc:sock_file { write }; +allow wifi_manager_service debugfs:dir { search }; +allow wifi_manager_service dev_at_file:chr_file { ioctl open read write }; +allow wifi_manager_service dev_binder_file:chr_file { ioctl map open read write }; +allow wifi_manager_service dev_file:dir { search }; +allow wifi_manager_service dev_null_file:chr_file { read write }; +allow wifi_manager_service dev_parameters_file:dir { search }; +allow wifi_manager_service dev_parameters_file:file { map open read }; +allow wifi_manager_service dev_random_file:chr_file { open read }; +allow wifi_manager_service dev_unix_file:dir { search }; +allow wifi_manager_service dev_unix_socket_file:dir { search }; +allow wifi_manager_service dev_unix_socket_file:sock_file { write }; +allow wifi_manager_service etc_file:lnk_file { read }; +allow wifi_manager_service foundation:binder { call }; +allow wifi_manager_service init:fd { use }; +allow wifi_manager_service init:netlink_kobject_uevent_socket { read write }; +allow wifi_manager_service init:unix_dgram_socket { sendto }; +allow wifi_manager_service init:unix_stream_socket { read write }; +allow wifi_manager_service kernel:fd { use }; +allow wifi_manager_service lib_file:lnk_file { read }; +allow wifi_manager_service netmanager:binder { call transfer }; +allow wifi_manager_service priv_hap_domain:binder { call }; +allow wifi_manager_service proc_file:dir { search }; +allow wifi_manager_service proc_file:lnk_file { read }; +allow wifi_manager_service rootfs:dir { search }; +allow wifi_manager_service samain_exec:file { entrypoint execute map read }; +allow wifi_manager_service samgr:binder { call transfer }; +allow wifi_manager_service system_bin_file:dir { search }; +allow wifi_manager_service system_bin_file:file { execute execute_no_trans map read open }; +allow wifi_manager_service system_etc_file:dir { search }; +allow wifi_manager_service system_etc_file:file { open read }; +allow wifi_manager_service system_file:dir { search }; +allow wifi_manager_service system_lib_file:dir { search }; +allow wifi_manager_service system_lib_file:file { execute getattr map open read }; +allow wifi_manager_service system_profile_file:dir { search }; +allow wifi_manager_service system_profile_file:file { getattr open read }; +allow wifi_manager_service wifi_hal_service:unix_stream_socket { connectto }; +allow wifi_manager_service wifi_manager_service:capability { dac_override dac_read_search net_admin }; +allow wifi_manager_service wifi_manager_service:dir { search }; +allow wifi_manager_service wifi_manager_service:lnk_file { read }; +allow wifi_manager_service wifi_manager_service:process { fork getsched }; +allow wifi_manager_service wifi_manager_service:udp_socket { create ioctl }; +allow wifi_manager_service wifi_manager_service:unix_dgram_socket { connect create write }; +allow wifi_manager_service wifi_manager_service:unix_stream_socket { connect create read write }; +allowxperm wifi_manager_service data_misc:file ioctl { 0x5413 }; +allowxperm wifi_manager_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm wifi_manager_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; +allowxperm wifi_manager_service wifi_manager_service:udp_socket ioctl { 0x8916 }; diff --git a/sepolicy/base/rk3568/work_scheduler_service.te b/sepolicy/base/rk3568/work_scheduler_service.te new file mode 100644 index 0000000000000000000000000000000000000000..2e788b1f264b1468f45277d31cdebb72232b0c54 --- /dev/null +++ b/sepolicy/base/rk3568/work_scheduler_service.te @@ -0,0 +1,57 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +allow work_scheduler_service data_file:dir { search }; +allow work_scheduler_service data_service_el1_file:dir { search }; +allow work_scheduler_service data_service_file:dir { search }; +allow work_scheduler_service debugfs:dir { search }; +allow work_scheduler_service dev_at_file:chr_file { ioctl open read write }; +allow work_scheduler_service dev_binder_file:chr_file { ioctl map open read write }; +allow work_scheduler_service dev_file:dir { search }; +allow work_scheduler_service dev_null_file:chr_file { read write }; +allow work_scheduler_service dev_parameters_file:dir { search }; +allow work_scheduler_service dev_parameters_file:file { map open read }; +allow work_scheduler_service dev_random_file:chr_file { open read }; +allow work_scheduler_service dev_unix_file:dir { search }; +allow work_scheduler_service dev_unix_socket_file:dir { search }; +allow work_scheduler_service dev_unix_socket_file:sock_file { write }; +allow work_scheduler_service etc_file:lnk_file { read }; +allow work_scheduler_service foundation:binder { call transfer }; +allow work_scheduler_service init:fd { use }; +allow work_scheduler_service init:netlink_kobject_uevent_socket { read write }; +allow work_scheduler_service init:unix_dgram_socket { sendto }; +allow work_scheduler_service init:unix_stream_socket { read write }; +allow work_scheduler_service kernel:fd { use }; +allow work_scheduler_service proc_file:dir { search }; +allow work_scheduler_service proc_file:lnk_file { read }; +allow work_scheduler_service rootfs:dir { search }; +allow work_scheduler_service samain_exec:file { entrypoint execute map read }; +allow work_scheduler_service samgr:binder { call transfer }; +allow work_scheduler_service system_etc_file:dir { getattr open read search }; +allow work_scheduler_service system_etc_file:file { open read }; +allow work_scheduler_service system_file:dir { search }; +allow work_scheduler_service system_lib_file:dir { search }; +allow work_scheduler_service system_lib_file:file { execute getattr map open read }; +allow work_scheduler_service system_profile_file:dir { search }; +allow work_scheduler_service system_profile_file:file { getattr open read }; +allow work_scheduler_service system_usr_file:dir { search }; +allow work_scheduler_service system_usr_file:file { getattr map open read }; +allow work_scheduler_service vendor_file:dir { search }; +allow work_scheduler_service vendor_file:file { execute getattr map open read }; +allow work_scheduler_service vendor_file:lnk_file { read }; +allow work_scheduler_service work_scheduler_service:dir { search }; +allow work_scheduler_service work_scheduler_service:lnk_file { read }; +allow work_scheduler_service work_scheduler_service:process { fork getsched }; +allow work_scheduler_service work_scheduler_service:unix_dgram_socket { connect create write }; +allowxperm work_scheduler_service dev_at_file:chr_file ioctl { 0x4101 }; +allowxperm work_scheduler_service dev_binder_file:chr_file ioctl { 0x6201 0x6205 0x6208 0x6209 0x621e 0x621f }; diff --git a/sepolicy/base/system/access_vectors b/sepolicy/base/system/access_vectors index 80529df0d8624f79f8320679498336090ff91d5a..1ca2d91753c2cc9ec1967c9574c9b7ad00c42204 100644 --- a/sepolicy/base/system/access_vectors +++ b/sepolicy/base/system/access_vectors @@ -118,6 +118,7 @@ common cap2 wake_alarm block_suspend audit_read + checkpoint_restore } class filesystem { @@ -507,4 +508,10 @@ class hdf_devmgr_class add get list -} \ No newline at end of file +} + +class lockdown +{ + integrity + confidentiality +} diff --git a/sepolicy/base/system/file.te b/sepolicy/base/system/file.te index f4a302d83a921398c39664b93bbc33ea3aa577f7..f48082a44cbee2885c2e30cd830cc57022d7cfcb 100644 --- a/sepolicy/base/system/file.te +++ b/sepolicy/base/system/file.te @@ -208,4 +208,5 @@ type dev_zero_file, dev_type; type tty_device, dev_type; -type tracefs, fs_type; \ No newline at end of file +type tracefs, fs_type; +type hmdfs, fs_type; diff --git a/sepolicy/base/system/file_contexts b/sepolicy/base/system/file_contexts index 6da27ef9278c3b33b3311f25fd4685defdeba0d2..a703a5fe36dc9d5c70ec6d6964a9389b5cb2a2f6 100644 --- a/sepolicy/base/system/file_contexts +++ b/sepolicy/base/system/file_contexts @@ -174,7 +174,7 @@ /system/bin/lmks u:object_r:lmks_exec:s0 -/system/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0 +/vendor/bin/hdf_devmgr u:object_r:hdf_devmgr_exec:s0 /system/bin/wifi_hal_service u:object_r:wifi_hal_service_exec:s0 @@ -188,6 +188,8 @@ /system/bin/storage_daemon u:object_r:storage_daemon_exec:s0 +/system/bin/thermal_protector u:object_r:thermal_protector_exec:s0 + /system/bin/sh u:object_r:sh_exec:s0 /system/bin/hdcd u:object_r:hdcd_exec:s0 diff --git a/sepolicy/base/system/security_classes b/sepolicy/base/system/security_classes index a61af086f53de85d6c777b9929c591a4705f5cf8..fe535e3772fd86d54b44e2d33efee4536cb8d1d5 100644 --- a/sepolicy/base/system/security_classes +++ b/sepolicy/base/system/security_classes @@ -106,3 +106,4 @@ class xdp_socket class parameter_service class samgr_class class hdf_devmgr_class +class lockdown diff --git a/sepolicy/base/system/virtfs_contexts b/sepolicy/base/system/virtfs_contexts index 72ef5e565fa0028769080d119f425cc0565d9388..d010f59c268287f452043ec88cf8b69df57c56ad 100644 --- a/sepolicy/base/system/virtfs_contexts +++ b/sepolicy/base/system/virtfs_contexts @@ -72,4 +72,6 @@ genfscon debugfs / u:object_r:debugfs:s0 genfscon cgroup / u:object_r:cgroup:s0 genfscon functionfs / u:object_r:functionfs:s0 -genfscon tracefs / u:object_r:tracefs:s0 \ No newline at end of file +genfscon tracefs / u:object_r:tracefs:s0 + +genfscon hmdfs / u:object_r:hmdfs:s0 \ No newline at end of file diff --git a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te index d3f4f113b3b4b92e28ee525120bafe1b5be200b1..4a5ab907c6c2d740890f8fd754d9381f53b221fe 100644 --- a/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te +++ b/sepolicy/ohos_policy/appexecfwk/appexecfwk/system/foundation.te @@ -16,23 +16,23 @@ type foundation, domain, nativedomain; #domain_auto_transition_pattern(init, samain_exec, foundation); #allow init samain_exec:file execute_no_trans; -binder_call(foundation, appspawn); -binder_call(foundation, installs); -binder_call(foundation, deviceauth_service); -binder_call(foundation, samgr); -binder_call(foundation, render_service); +#binder_call(foundation, appspawn); +#binder_call(foundation, installs); +#binder_call(foundation, deviceauth_service); +#binder_call(foundation, samgr); +#binder_call(foundation, render_service); -allow foundation hdf_devmgr:binder call; -allow appspawn foundation:binder call; -allow deviceauth_service foundation:binder call; +#allow foundation hdf_devmgr:binder call; +#allow appspawn foundation:binder call; +#allow deviceauth_service foundation:binder call; -allow foundation appspawn:unix_stream_socket connectto; +#allow foundation appspawn:unix_stream_socket connectto; -allow foundation vendor_file:dir read_dir_perms; +#allow foundation vendor_file:dir read_dir_perms; -allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read }; +#allow foundation foundation:{ udp_socket netlink_route_socket } { create ioctl setopt bind read }; -allow foundation init:unix_stream_socket connectto; +#allow foundation init:unix_stream_socket connectto; # "/system/profile/foundation.xml", O_RDONLY -allow foundation system_file:file read_file_perms; +#allow foundation system_file:file read_file_perms; diff --git a/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te index 4dd1f5a84eb5467f89cd578809b4cca0af69e705..5a46709f6fd0ee47a6da8babac81e55087231b39 100644 --- a/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te +++ b/sepolicy/ohos_policy/distributedschedule/samgr/system/samgr.te @@ -16,16 +16,16 @@ type samgr_exec, exec_type, file_type, system_file_type; init_daemon_domain(samgr); -binder_call(samgr, appspawn); -binder_call(samgr, foundation); -binder_call(samgr, deviceauth_service); -binder_call(samgr, hdf_devmgr); -binder_call(samgr, render_service); -binder_call(render_service, hdf_devmgr); +#binder_call(samgr, appspawn); +#binder_call(samgr, foundation); +#binder_call(samgr, deviceauth_service); +#binder_call(samgr, hdf_devmgr); +#binder_call(samgr, render_service); +#binder_call(render_service, hdf_devmgr); -allow samgr kernel:fd use; -allow samgr tmpfs:chr_file { open read write getattr ioctl map }; +#allow samgr kernel:fd use; +#allow samgr tmpfs:chr_file { open read write getattr ioctl map }; -allow samgr samgr:binder set_context_mgr; +#allow samgr samgr:binder set_context_mgr; -allow samgr socket_device:sock_file write; +#allow samgr socket_device:sock_file write; diff --git a/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te b/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te index 8856be8015f58ce11cad717e2d4b8a6ada9c5573..a411fc7d0da85d0383decd0f9531bf2426107bf4 100644 --- a/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te +++ b/sepolicy/ohos_policy/drivers/adapter/system/hdf_devmgr.te @@ -16,16 +16,16 @@ type hdf_devmgr_exec, exec_type, file_type, system_file_type; init_daemon_domain(hdf_devmgr); -binder_call(hdf_devmgr, samgr); -binder_call(hdf_devmgr, render_service); -binder_call(hdf_devmgr, foundation); +#binder_call(hdf_devmgr, samgr); +#binder_call(hdf_devmgr, render_service); +#binder_call(hdf_devmgr, foundation); -allow hdf_devmgr device:sock_file { write }; +#allow hdf_devmgr device:sock_file { write }; -allow hdf_devmgr system_file:file execute_no_trans; +#allow hdf_devmgr system_file:file execute_no_trans; -allow hdf_devmgr hdf_devmgr:netlink_kobject_uevent_socket { create_socket_perms }; +#allow hdf_devmgr hdf_devmgr:netlink_kobject_uevent_socket { create_socket_perms }; -allow hdf_devmgr dev_type:chr_file read_file_perms; +#allow hdf_devmgr dev_type:chr_file read_file_perms; -allow hdf_devmgr sysfs_type:file rw_file_perms; +#allow hdf_devmgr sysfs_type:file rw_file_perms; diff --git a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te index 2857b822dd1aafcb1fdd72cc2a7f4338b0f3d215..11e271e49ee8ca9e5b8e1cc456f27d633911654f 100644 --- a/sepolicy/ohos_policy/graphic/graphic/system/graphic.te +++ b/sepolicy/ohos_policy/graphic/graphic/system/graphic.te @@ -16,6 +16,6 @@ type render_service_exec, exec_type, file_type, system_file_type; init_daemon_domain(render_service); -binder_call(render_service, samgr); -binder_call(render_service, appspawn); +#binder_call(render_service, samgr); +#binder_call(render_service, appspawn); diff --git a/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te b/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te index 49fe2fc23dfb8729a236d7acf118436d5609967a..f2d0c68e4a1005d70c760f52043507549bdac24b 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te +++ b/sepolicy/ohos_policy/hiviewdfx/hiview/system/hiview.te @@ -16,8 +16,8 @@ type hiview, domain; domain_auto_transition_pattern(init, logserver_exec, hiview); -allow hiview shell:fd { use }; -allow hiview shell:fifo_file { write }; +#allow hiview shell:fd { use }; +#allow hiview shell:fifo_file { write }; -binder_call(samgr, hiview); -allow hiview samgr:binder { call transfer }; +#binder_call(samgr, hiview); +#allow hiview samgr:binder { call transfer }; diff --git a/sepolicy/ohos_policy/kernel/linux/system/kernel.te b/sepolicy/ohos_policy/kernel/linux/system/kernel.te index d96e8fa9859b74861df5463c99054e2dd9f7ac3c..d5b09b588ae9f8b730d2483bca92ec7b938d733a 100644 --- a/sepolicy/ohos_policy/kernel/linux/system/kernel.te +++ b/sepolicy/ohos_policy/kernel/linux/system/kernel.te @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -domain_auto_transition_pattern(kernel, init_exec, init) +#domain_auto_transition_pattern(kernel, init_exec, init) -allow kernel tmpfs:chr_file read_file_perms; -allow kernel kernel:process setsched; +#allow kernel tmpfs:chr_file read_file_perms; +#allow kernel kernel:process setsched; diff --git a/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te b/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te index b35eae26cee56f48d4ab6b03d1b8a5863af20c35..c8fd3e56c2f9b62d0999d330adb1d41419818232 100644 --- a/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te +++ b/sepolicy/ohos_policy/multimodalinput/input/system/udevadm.te @@ -16,5 +16,5 @@ type udevadm_exec, exec_type, file_type, system_file_type; domain_auto_transition_pattern(init, udevadm_exec, udevadm); -allow udevadm udevd_socket:sock_file write; -allow udevadm udevd:unix_stream_socket { connectto }; +#allow udevadm udevd_socket:sock_file write; +#allow udevadm udevd:unix_stream_socket { connectto }; diff --git a/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te b/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te index 43e8e0e6f738c762083844f2d738a54328520f55..690c52b491b23f8970e26c4347c14eae3f6b24ec 100644 --- a/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te +++ b/sepolicy/ohos_policy/security/deviceauth/system/deviceauth.te @@ -16,4 +16,4 @@ type deviceauth_service_exec, exec_type, file_type, system_file_type; init_daemon_domain(deviceauth_service); -binder_call(deviceauth_service, samgr); +#binder_call(deviceauth_service, samgr); diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te index 20f8cae4942500554132cff0a6f7abcdf234b7f4..965dcc08c4303d0b5f5f6a35b69b6161fa38b55a 100644 --- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te +++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te @@ -16,49 +16,49 @@ type appspawn_exec, system_file_type, exec_type, file_type; init_daemon_domain(appspawn); -binder_call(appspawn, render_service); -binder_call(appspawn, hdf_devmgr); +#binder_call(appspawn, render_service); +#binder_call(appspawn, hdf_devmgr); -allow appspawn appspawn:process { execmem }; +#allow appspawn appspawn:process { execmem }; # "/dev/null", O_RDWR -allow appspawn dev_null_file:chr_file rw_file_perms; +#allow appspawn dev_null_file:chr_file rw_file_perms; # "/", -allow appspawn rootfs:dir search; +#allow appspawn rootfs:dir search; # "proc", -allow appspawn appspawn:lnk_file read; +#allow appspawn appspawn:lnk_file read; # "/system/lib/*.so", O_RDONLY -allow appspawn system_lib_file:file { read_file_perms map }; -allow appspawn system_lib_file:dir read_dir_perms; +#allow appspawn system_lib_file:file { read_file_perms map }; +#allow appspawn system_lib_file:dir read_dir_perms; # "/dev/cpu_variant:arm", O_RDONLY -allow appspawn dev_cpu_variant:file read_file_perms; +#allow appspawn dev_cpu_variant:file read_file_perms; # "/system/etc/fontconfig.json", O_RDONLY -allow appspawn fontconfig_file:file read_file_perms; +#allow appspawn fontconfig_file:file read_file_perms; # "/system/fonts/*", O_RDONLY -allow appspawn fonts_file:file read_file_perms; +#allow appspawn fonts_file:file read_file_perms; # avc: denied {read} for pid = 486 comm="appspawn" path = "pipe:[26660]" dev= "pipefs" ino=26660 scontext=u:r:appspawn:s0 tcontext=u:r:appspawn:s0 tclass=fifo_file permissive = 1 -allow appspawn self:fifo_file read; +#allow appspawn self:fifo_file read; -allow appspawn self:unix_stream_socket { write accept connectto }; +#allow appspawn self:unix_stream_socket { write accept connectto }; -allow appspawn system_file:dir search; +#allow appspawn system_file:dir search; -allow appspawn self:unix_dgram_socket { write sendto }; +#allow appspawn self:unix_dgram_socket { write sendto }; -allow appspawn init_tmpfs:file { read open map }; +#allow appspawn init_tmpfs:file { read open map }; -allow appspawn tmpfs:dir { write add_name }; +#allow appspawn tmpfs:dir { write add_name }; -allow appspawn tmpfs:sock_file { create setattr }; +#allow appspawn tmpfs:sock_file { create setattr }; -allow appspawn samgr:binder call; +#allow appspawn samgr:binder call; -allow appspawn foundation:unix_stream_socket rw_socket_perms; +#allow appspawn foundation:unix_stream_socket rw_socket_perms; diff --git a/sepolicy/ohos_policy/startup/init/public/init.te b/sepolicy/ohos_policy/startup/init/public/init.te index 0a7aa144da66cc8880a514e3c001069d9fc94d4c..4bc6132c9fcdc5429a084b33ed17a858e2a81ecf 100644 --- a/sepolicy/ohos_policy/startup/init/public/init.te +++ b/sepolicy/ohos_policy/startup/init/public/init.te @@ -13,3 +13,5 @@ type init, domain; type init_exec, exec_type, file_type; +type init2, domain; + diff --git a/sepolicy/ohos_policy/startup/init/system/init.te b/sepolicy/ohos_policy/startup/init/system/init.te index 9bd90a858306407d03ac39ebfdd227b821afc952..52eb9f71aa3da640e08d4b087939fa7ca1017877 100644 --- a/sepolicy/ohos_policy/startup/init/system/init.te +++ b/sepolicy/ohos_policy/startup/init/system/init.te @@ -15,43 +15,43 @@ type init_tmpfs, file_type; type trigger_device, dev_type; type trigger_trigger, dev_type; -allow init su:process transition; +#allow init su:process transition; -allow init { proc_panic }:file getattr; +#allow init { proc_panic }:file getattr; -domain_auto_transition_pattern(init, shell_exec, shell); +#domain_auto_transition_pattern(init, shell_exec, shell); -allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; -allow init tmpfs:blk_file { create setattr unlink rw_file_perms }; -allow init tmpfs:file { relabelfrom }; +#allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; +#allow init tmpfs:blk_file { create setattr unlink rw_file_perms }; +#allow init tmpfs:file { relabelfrom }; -allow init device: { file lnk_file chr_file blk_file sock_file } relabelto; -allow init dev_type: { file lnk_file chr_file blk_file } relabelto; +#allow init device: { file lnk_file chr_file blk_file sock_file } relabelto; +#allow init dev_type: { file lnk_file chr_file blk_file } relabelto; -allow init dev_type:dir relabelto; +#allow init dev_type:dir relabelto; -allow init trigger_device:file rw_file_perms; -allow init trigger_trigger:file { relabelto rw_file_perms }; -allow init param_device:file rw_file_perms; +#allow init trigger_device:file rw_file_perms; +#allow init trigger_trigger:file { relabelto rw_file_perms }; +#allow init param_device:file rw_file_perms; -allow init devpts:dir relabelfrom; -allow init devpts:chr_file { getattr relabelfrom }; +#allow init devpts:dir relabelfrom; +#allow init devpts:chr_file { getattr relabelfrom }; # Create sockets for the services. -allow init domain:unix_stream_socket { create bind setopt }; -allow init domain:unix_dgram_socket { create bind setopt }; +#allow init domain:unix_stream_socket { create bind setopt }; +#allow init domain:unix_dgram_socket { create bind setopt }; -allow init tmpfs:sock_file { create setattr getattr relabelfrom }; +#allow init tmpfs:sock_file { create setattr getattr relabelfrom }; -allow init system_file:file execute_no_trans; +#allow init system_file:file execute_no_trans; -allow init device:sock_file { create setattr }; +#allow init device:sock_file { create setattr }; -allow init sys_file:file setattr; +#allow init sys_file:file setattr; -allow init shell_exec:file { execute_no_trans }; -allow init logserver_exec:file { execute_no_trans }; +#allow init shell_exec:file { execute_no_trans }; +#allow init logserver_exec:file { execute_no_trans }; # avc: denied { read } for pid = 1 comm="init" path="pipe:[]" dev="devpts" ino=12016 scontext=u:object_r:device:s0 tcontext=u:object_r:devpts:s0 tclass=filesystem permissive=1 -allow init kernel:fifo_file { read write }; +#allow init kernel:fifo_file { read write }; diff --git a/sepolicy/ohos_policy/startup/init/system/ueventd.te b/sepolicy/ohos_policy/startup/init/system/ueventd.te index 8d840e604afcd227b8b2da401813759f5cd73923..8ce4e04bcd8a600d426d0a0e522125cb1b318bce 100644 --- a/sepolicy/ohos_policy/startup/init/system/ueventd.te +++ b/sepolicy/ohos_policy/startup/init/system/ueventd.te @@ -16,15 +16,15 @@ type ueventd_exec, system_file_type, exec_type, file_type; init_daemon_domain(ueventd); -allow ueventd kernel:fd use; +#allow ueventd kernel:fd use; -allow ueventd sys_file:file write_file_perms; -allow ueventd tmpfs:chr_file { create setattr unlink rw_file_perms }; -allow ueventd tmpfs:dir create_dir_perms; -allow ueventd tmpfs:blk_file { create setattr unlink rw_file_perms }; -allow ueventd tmpfs:lnk_file { create setattr unlink rw_file_perms }; +#allow ueventd sys_file:file write_file_perms; +#allow ueventd tmpfs:chr_file { create setattr unlink rw_file_perms }; +#allow ueventd tmpfs:dir create_dir_perms; +#allow ueventd tmpfs:blk_file { create setattr unlink rw_file_perms }; +#allow ueventd tmpfs:lnk_file { create setattr unlink rw_file_perms }; -allow ueventd sysfs_rtc:dir read_dir_perms; -allow ueventd sysfs_rtc: { file lnk_file } read_file_perms; +#allow ueventd sysfs_rtc:dir read_dir_perms; +#allow ueventd sysfs_rtc: { file lnk_file } read_file_perms; -allow ueventd self:netlink_kobject_uevent_socket { read create setopt bind write }; +#allow ueventd self:netlink_kobject_uevent_socket { read create setopt bind write }; diff --git a/test/unittest/src/selinux_unit_test.cpp b/test/unittest/src/selinux_unit_test.cpp index d5844b657ee3b135c0b932eda5e4ee6d9bfbff79..32fa4d25448e9d279814312bac7d917ecfcff0db 100644 --- a/test/unittest/src/selinux_unit_test.cpp +++ b/test/unittest/src/selinux_unit_test.cpp @@ -14,16 +14,17 @@ */ #include "selinux_unit_test.h" -#include -#include +#include #include +#include +#include #include "selinux_error.h" #include "selinux_parameter.h" using namespace testing::ext; using namespace OHOS::Security::Selinux; using namespace Selinux; -const static int SLEEP_SECOND = 10; +const static int SLEEP_SECOND = 2; const static std::string BASE_PATH = "/data/app/el1/0/base/"; const static std::string TEST_PATH = BASE_PATH + "com.ohos.selftest/"; @@ -149,9 +150,67 @@ static bool CreateFile(const std::string &path) return access(path.c_str(), F_OK) == 0; } -static void RunSysCmd(const std::string &cmd) +static bool CopyFile(const std::string &src, const std::string &des) +{ + std::ifstream fin(src, std::ifstream::in || std::ifstream::binary); + if (!fin) { + return false; + } + std::ofstream fout(des, std::ofstream::out || std::ofstream::binary); + if (!fout) { + fin.close(); + return false; + } + fout << fin.rdbuf(); + if (!fout) { + fin.close(); + fout.close(); + return false; + } + fin.close(); + fout.close(); + return true; +} + +static bool WriteFile(const std::string &file, std::vector &info) +{ + std::ofstream fout(file, std::ofstream::out || std::ofstream::app); + if (!fout) { + return false; + } + for (auto i : info) { + fout << i << std::endl; + } + if (!fout) { + fout.close(); + return false; + } + fout.close(); + return true; +} + +static int RenameFile(const std::string &src, const std::string &des) +{ + return rename(src.c_str(), des.c_str()); +} + +static void GenerateTestFile() +{ + ASSERT_EQ(true, CopyFile(SEHAP_CONTEXTS_FILE, SEHAP_CONTEXTS_FILE + "_bk")); + std::vector sehapInfo = { + "apl=system_core name=com.ohos.test domain= type=", + "apl=system_core name=com.hap.selftest domain=selftest type=selftest_hap_data_file"}; + ASSERT_EQ(true, WriteFile(SEHAP_CONTEXTS_FILE, sehapInfo)); + + ASSERT_EQ(true, CopyFile(PARAM_CONTEXTS_FILE, PARAM_CONTEXTS_FILE + "_bk")); + std::vector paramInfo = {"test.para u:object_r:testpara:s0"}; + ASSERT_EQ(true, WriteFile(PARAM_CONTEXTS_FILE, paramInfo)); +} + +static void RemoveTestFile() { - system(cmd.c_str()); + ASSERT_EQ(0, RenameFile(SEHAP_CONTEXTS_FILE + "_bk", SEHAP_CONTEXTS_FILE)); + ASSERT_EQ(0, RenameFile(PARAM_CONTEXTS_FILE + "_bk", PARAM_CONTEXTS_FILE)); } static std::string RunCommand(const std::string &command) @@ -170,35 +229,22 @@ static std::string RunCommand(const std::string &command) return result; } -static void GenerateTestFile() -{ - RunSysCmd("cp " + SEHAP_CONTEXTS_FILE + " " + SEHAP_CONTEXTS_FILE + "_bk"); - RunSysCmd("echo 'apl=system_core name=com.ohos.test domain= type=' >> " + SEHAP_CONTEXTS_FILE); - RunSysCmd("echo 'apl=system_core name=com.hap.selftest domain=selftest type=selftest_hap_data_file' >> " + - SEHAP_CONTEXTS_FILE); - RunSysCmd("cp " + PARAM_CONTEXTS_FILE + " " + PARAM_CONTEXTS_FILE + "_bk"); - RunSysCmd("echo 'test.para u:object_r:testpara:s0' >> " + PARAM_CONTEXTS_FILE); -} - void SelinuxUnitTest::SetUpTestCase() { // make test case clean -} - -void SelinuxUnitTest::TearDownTestCase() {} - -void SelinuxUnitTest::SetUp() -{ GenerateTestFile(); SetSelinuxLogCallback(); } -void SelinuxUnitTest::TearDown() +void SelinuxUnitTest::TearDownTestCase() { - RunSysCmd("mv " + SEHAP_CONTEXTS_FILE + "_bk " + SEHAP_CONTEXTS_FILE); - RunSysCmd("mv " + PARAM_CONTEXTS_FILE + "_bk " + PARAM_CONTEXTS_FILE); + RemoveTestFile(); } +void SelinuxUnitTest::SetUp() {} + +void SelinuxUnitTest::TearDown() {} + void SelinuxUnitTest::CreateDataFile() const {} /**