# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# avc:  denied  { read write } for  pid=602 comm="sa_main" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
allow drm_service dev_console_file:chr_file { read write };

# avc:  denied  { getattr } for  pid=602 comm="drm_service" path="/dev" dev="tmpfs" ino=1 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1
allow drm_service dev_file:dir { getattr };

# avc:  denied  { get } for service=clearplay_service pid=602 scontext=u:r:drm_service:s0 tcontext=u:object_r:hdf_clearplay_service:s0 tclass=hdf_devmgr_class permissive=1
allow drm_service hdf_clearplay_service:hdf_devmgr_class { get };

# avc:  denied  { getattr } for  pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=602 comm="drm_service" name="online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow drm_service sysfs_devices_system_cpu:file { getattr open read };
#avc:  denied  { transfer } for  pid=478 comm="camera_service" scontext=u:r:camera_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0
allow drm_service dcamera:binder { transfer };

debug_only(`
    allow drm_service sh:binder { call transfer };
    allow drm_service su:binder { call transfer };
')

#avc:  denied  { get } for service=401 pid=599 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
allow drm_service sa_foundation_bms:samgr_class { get };

allow drm_service camera_service:unix_dgram_socket { getopt setopt};

allow drm_service normal_hap_attr:binder { call transfer};

allow drm_service accesstoken_service:binder { call transfer };

allow drm_service sa_memory_manager_service:samgr_class { get };
# avc:  denied  { call } for  pid=2392 comm="SaInit0" scontext=u:r:drm_service:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=1
allow drm_service memmgrservice:binder { call };

allow drm_service hdf_device_manager:hdf_devmgr_class { get };

allow drm_service privacy_service:binder { call transfer };
allow privacy_service drm_service:binder { call transfer };
allow drm_service sa_privacy_service:samgr_class { get };
# avc:  denied  { get } for service=clearplay_service pid=602 scontext=u:r:drm_service:s0 tcontext=u:object_r:hdf_clearplay_service:s0 tclass=hdf_devmgr_class permissive=1
allow drm_service hdf_clearplay_service:hdf_devmgr_class { get };
allow drm_service data_system:file { create read open getattr write ioctl };

# avc:  denied  { transfer } for  pid=608 comm="OS_IPC_2_1673" scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
allow drm_service media_service:binder { transfer };

# avc:  denied  { use } for  pid=568 comm="multiqueue4:src" path="/dev/ashmem" dev="tmpfs" ino=238 scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
allow drm_service media_service:fd { use };

#avc:  denied  { read } for  pid=4768 comm="SaInit0" name="oem_certificate_service" dev="sdd74" ino=6055 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
allow drm_service system_lib_file:dir { read };

# avc:  denied  { map } for  pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=11141 comm="SaInit0" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
allow drm_service arkcompiler_param:file { map open read };
allow drm_service ark_writeable_param:file { map open read };

# avc:  denied  { search } for  pid=11141 comm="SaInit0" name="/" dev="sdd91" ino=3 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow drm_service data_file:dir { search };

# avc:  denied  { search } for  pid=11141 comm="SaInit0" name="system" dev="sdd91" ino=29 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_system:s0 tclass=dir permissive=1
allow drm_service data_system:dir { search write add_name create read open };

# avc:  denied  { write } for  pid=11141 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
allow drm_service dev_kmsg_file:chr_file { write };

# avc:  denied  { connect } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { create } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { getattr } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { getopt } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { read } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { setopt } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { write } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
allow drm_service drm_service:tcp_socket { connect create getattr getopt read setopt write };

# avc:  denied  { bind } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { create } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { read } for  pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { write } for  pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
allow drm_service drm_service:udp_socket { bind create read write };

# avc:  denied  { call } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=1
allow drm_service netmanager:binder { call };

# avc:  denied  { connectto } for  pid=11141 comm="OS_WisePlayCert" path="/dev/unix/socket/dnsproxyd" scontext=u:r:drm_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1
allow drm_service netsysnative:unix_stream_socket { connectto };

# avc:  denied  { node_bind } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
allow drm_service node:udp_socket { node_bind };

# avc:  denied  { name_connect } for  pid=11141 comm="OS_WisePlayCert" dest=8080 scontext=u:r:drm_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
allow drm_service port:tcp_socket { name_connect };

# avc:  denied  { open } for  pid=11141 comm="SaInit0" path="/system/lib64/oem_certificate_service" dev="sdd86" ino=6224 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
allow drm_service system_lib_file:dir { open };

# avc_audit_slow:260] avc: denied { transfer } for pid=1637, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1
allow drm_service av_codec_service:binder { transfer };

# avc_audit_slow:260] avc: denied { use } for pid=1654, comm="/system/bin/sa_main"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1
allow drm_service av_codec_service:fd { use };

# avc:  denied  { use } for  pid=550 comm="OS_IPC_2_2362" path="/dev/ashmem" dev="tmpfs" ino=245 scontext=u:r:clearplay_host:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1
allow clearplay_host av_codec_service:fd { use };

#avc:  denied  { get } for service=1151 pid=5890 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1
allow drm_service sa_net_conn_manager:samgr_class { get };

# avc:  denied  { use } for  pid=1622 comm="IPC_0_1803" path="/dmabuf:" dev="dmabuf" ino=38669 scontext=u:r:drm_service:s0 tcontext=u:r:codec_host:s0 tclass=fd permissive=1
allow drm_service codec_host:fd { use };

allow drm_service tty_device:chr_file { read write };

allow drm_service hap_domain:fd { use };

# avc_audit_slow:260] avc: denied { call } for pid=1540, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
# avc_audit_slow:260] avc: denied { transfer } for pid=1540, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
allow drm_service system_basic_hap:binder { call transfer };