# Copyright (c) 2022-2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. #avc: denied { add } for service=3302 pid=608 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_bluetooth_server:samgr_class { add }; #avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 #avc: denied { transfer } for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1 allow bluetooth_service audio_server:binder { call transfer }; #avc: denied {search} for pid=371 comm="threaded-ml" name="data" dev="mmcblk0p7" ino=1436162 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=dir permissive=1 allow bluetooth_service data_bluetooth:dir { search }; #avc: denied { getattr } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_data_pudata_bluetoothlse_dir:s0 tclass=file permissive=1 #avc: denied { open } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1 #avc: denied { read } for pid=371 comm="threaded-ml" name="state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1 allow bluetooth_service data_bluetooth:file { getattr open read }; #avc: denied { write } for pid=1207 comm="bluetooth_servi" name="ubsan" dev="mmcblk0p11" ino=574 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 #avc: denied { search } for pid=371 comm="threaded-ml" name="/" dev="mmcblk0p7" ino=2 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 allow bluetooth_service data_file:dir { search write }; allow bluetooth_service samain_exec:file { entrypoint execute map read }; #avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 #avc: denied {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1 allow bluetooth_service samgr:binder { call transfer }; #avc: denied { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 #avc: denied {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1 allow bluetooth_service softbus_server:binder { call transfer }; allow bluetooth_service tmpfs:lnk_file { read }; allow bluetooth_service vendor_file:file { execute getattr map open read }; #avc: denied { get } for service=5100 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_device_service_manager:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_device_service_manager:samgr_class { get }; #avc: denied { get } for service=hci_interface_service pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_hci_interface_service:s0 tclass=hdf_devmgr_class permissive=1 allow bluetooth_service hdf_hci_interface_service:hdf_devmgr_class { get }; #avc: denied { get } for service=4010 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_telephony_tel_core_service:samgr_class { get }; #avc: denied { get } for service=4005 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_foundation_tel_call_manager:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_foundation_tel_call_manager:samgr_class { get }; #avc: denied { get } for service=4009 pid=348 scotext=u:bluetooth_service:s0 tcontext:u:object_r:sa_foundation_tel_state_registry:s0 tclass=samgr_class permissive=0 allow bluetooth_service sa_foundation_tel_state_registry:samgr_class { get }; #avc: denied { get } for pid=279 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1 allow bluetooth_service hdf_device_manager:hdf_devmgr_class { get }; #avc: denied { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0 allow bluetooth_service sa_foundation_cesfwk_service:samgr_class { get }; allow bluetooth_service dev_tun_file:chr_file { open read write ioctl }; allow bluetooth_service bluetooth_service:udp_socket { create ioctl read write shutdown }; allowxperm bluetooth_service bluetooth_service:udp_socket ioctl { 0x8927 0x8914 0x8924 0x891c 0x8916 0x8915 }; allow bluetooth_service bluetooth_service:tun_socket { create ioctl read write shutdown }; allowxperm bluetooth_service dev_tun_file:chr_file ioctl { 0x800454d2 0x400454ca }; allow bluetooth_service bluetooth_service:capability { net_admin }; allow bluetooth_service netmanager:binder { call transfer }; allow bluetooth_service kernel:system { module_request }; allow bluetooth_service dev_uhid_file:chr_file { read write }; allow bluetooth_service data_bluetooth:dir { remove_name }; allow bluetooth_service data_bluetooth:file { rename }; allow bluetooth_service data_bluetooth:file { unlink }; debug_only(` allow bluetooth_service sh:binder { transfer }; allow bluetooth_service sh:binder { call }; ') allow bluetooth_service dev_uhid_file:chr_file { open }; allow bluetooth_service normal_hap_attr:binder { call transfer }; #avc: denied { call } for pid=380 comm="1IPC_450" scontext=u:r:bluetooth_service:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1 allow bluetooth_service system_core_hap_attr:binder { call transfer }; allow bluetooth_service dev_console_file:chr_file { read write }; allow bluetooth_service data_service_file:dir { search }; allow bluetooth_service data_service_el1_file:dir { getattr search open read write add_name remove_name }; allow bluetooth_service data_service_el1_file:file { getattr setattr open read write rename unlink ioctl create}; #avc: denied { getattr } bluetooth_service data_log tclass=file #avc: denied { setattr } bluetooth_service data_log tclass=file #avc: denied { unlink } bluetooth_service data_log tclass=file allow bluetooth_service data_log:file { getattr setattr unlink }; #avc: denied { read } bluetooth_service data_log tclass=dir #avc: denied { open } bluetooth_service data_log tclass=dir allow bluetooth_service data_log:dir { read open }; #avc: denied { read } bluetooth_service hdf_bluetooth_audio_session_service tclass=hdf_devmgr_class #avc: denied { open } bluetooth_service a2dp_host tclass=fd #avc: denied { open } bluetooth_service sa_powermgr_battery_service tclass=samgr_class allow bluetooth_service hdf_bluetooth_audio_session_service:hdf_devmgr_class { get }; allow bluetooth_service hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { get }; allow bluetooth_service a2dp_host:fd { use }; allow bluetooth_service sa_powermgr_battery_service:samgr_class { get }; #avc: denied { read open getattr } scontext=u:r:bluetooth_service tcontext=u:object_r:sysfs_devices_system_cpu: tclass=file permissive=1 allow bluetooth_service sysfs_devices_system_cpu:file { read open getattr }; #avc: denied { getattr } scontext=u:r:bluetooth_service tcontext=u:object_r:dev_file: tclass=dir permissive=1 allow bluetooth_service dev_file:dir { getattr }; allow bluetooth_service accesstoken_service:binder { call }; allow bluetooth_service blue_host:binder { call transfer }; allow bluetooth_service bluetooth_service:unix_dgram_socket { getopt setopt }; allow bluetooth_service bootevent_param:file { map open read }; allow bluetooth_service bootevent_samgr_param:file { map open read }; allow bluetooth_service build_version_param:file { map open read }; allow bluetooth_service const_allow_mock_param:file { map open read }; allow bluetooth_service const_allow_param:file { map open read }; allow bluetooth_service const_build_param:file { map open read }; allow bluetooth_service const_display_brightness_param:file { map open read }; allow bluetooth_service const_param:file { map open read }; allow bluetooth_service const_postinstall_fstab_param:file { map open read }; allow bluetooth_service const_postinstall_param:file { map open read }; allow bluetooth_service const_product_param:file { map open read }; allow bluetooth_service data_bluetooth:dir { add_name write read open }; allow bluetooth_service data_bluetooth:file { create ioctl write read }; allow bluetooth_service data_user:dir { search }; allow bluetooth_service data_file:file { read open }; allow bluetooth_service data_log:dir { add_name remove_name search write }; allow bluetooth_service data_log:file { create ioctl open read rename write write open }; allow bluetooth_service debug_param:file { map open read }; allow bluetooth_service default_param:file { map open read }; allow bluetooth_service dev_unix_socket:dir { search }; allow bluetooth_service distributedsche_param:file { map open read }; allow bluetooth_service foundation:binder { call transfer }; allow bluetooth_service hdf_devmgr:binder { call }; allow bluetooth_service hilog_param:file { map open read }; allow bluetooth_service hw_sc_build_os_param:file { map open read }; allow bluetooth_service hw_sc_build_param:file { map open read }; allow bluetooth_service hw_sc_param:file { map open read }; allow bluetooth_service init_param:file { map open read }; allow bluetooth_service init_svc_param:file { map open read }; allow bluetooth_service input_pointer_device_param:file { map open read }; allow bluetooth_service net_param:file { map open read }; allow bluetooth_service net_tcp_param:file { map open read }; allow bluetooth_service ohos_boot_param:file { map open read }; allow bluetooth_service ohos_param:file { map open read }; allow bluetooth_service param_watcher:binder { call transfer }; allow bluetooth_service persist_param:file { map open read }; allow bluetooth_service persist_sys_param:file { map open read }; binder_call(bluetooth_service, powermgr); allow bluetooth_service sa_accesstoken_manager_service:samgr_class { get }; allow bluetooth_service sa_param_watcher:samgr_class { get }; allow bluetooth_service security_param:file { map open read }; allow bluetooth_service startup_param:file { map open read }; allow bluetooth_service sys_param:file { map open read }; allow bluetooth_service system_basic_hap_attr:binder { call transfer }; allow bluetooth_service system_bin_file:dir { search }; allow bluetooth_service sys_usb_param:file { map open read }; allow bluetooth_service telephony_sa:binder { call transfer }; allow bluetooth_service tracefs:dir { search }; allow bluetooth_service tracefs_trace_marker_file:file { open write }; allow bluetooth_service normal_hap_attr:binder { call }; allowxperm bluetooth_service data_bluetooth:file ioctl { 0x5413 }; allowxperm bluetooth_service data_log:file ioctl { 0x5413 }; #avc: denied { call } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1 #avc: denied { transfer } for pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1 allow bluetooth_service a2dp_host:binder { call transfer }; #avc: denied { get } for service=3009 pid=283 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_audio_policy_service:samgr_class { get }; #avc: denied { get } for service=3001 pid=316 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=1 allow bluetooth_service sa_pulseaudio_audio_service:samgr_class { get }; #bluetooth_service allow bluetooth_service resource_schedule_service:binder { call }; allow bluetooth_service persist_param:parameter_service set; #avc: denied { write } for pid=2949 comm="AdapterManager" name="paramservice" dev="tmpfs" ino=85 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0 allow bluetooth_service paramservice_socket:sock_file { read write }; #avc: denied { connectto } for pid=2922 comm="AdapterManager" path="/dev/unix/socket/paramservice" scontext=u:r:bluetooth_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0 allow bluetooth_service kernel:unix_stream_socket { connectto }; allow bluetooth_service distributeddata:binder { call transfer }; allow bluetooth_service distributeddata:fd { use }; allow bluetooth_service sa_dataobs_mgr_service_service:samgr_class { get }; allow bluetooth_service sa_distributeddata_service:samgr_class { get }; allow bluetooth_service sa_foundation_abilityms:samgr_class { get }; allow bluetooth_service sa_net_conn_manager:samgr_class { get }; allow bluetooth_service data_misc:dir { read write add_name remove_name open }; allow bluetooth_service data_misc:file { read getattr unlink create ioctl write open }; allowxperm bluetooth_service data_misc:file ioctl { 0x5413 }; #avc: denied { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_telephony_tel_sms_mms:s0 tclass=samgr_class permissive=0 allow bluetooth_service sa_telephony_tel_sms_mms:samgr_class { get }; allow bluetooth_service sa_foundation_bms:samgr_class { get }; #avc: denied { call } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 #avc: denied { transfer } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0 allow bluetooth_service device_manager:binder { call transfer }; #avc: denied { get } for service=3505 pid=14188 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0 allow bluetooth_service sa_privacy_service:samgr_class { get }; #avc: denied { call } for pid=1612, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=1 allow bluetooth_service privacy_service:binder { call };