1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14#avc:  denied  { call } for  pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1
15#avc:  denied  { transfer } for  pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:camera_service:s0 tclass=binder permissive=1
16allow dcamera camera_service:binder { call transfer };
17
18#avc:  denied  { search } for  pid=2040 comm="dcamera" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dcamera:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
19allow dcamera data_file:dir { search };
20
21#avc:  denied  { bind } for  pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
22#avc:  denied  { connect } for  pid=2344 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
23#avc:  denied  { create } for  pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
24#avc:  denied  { getattr } for  pid=2344 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
25#avc:  denied  { read } for  pid=2040 comm="Fillp_core_94" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
26#avc:  denied  { setopt } for  pid=3250 comm="Fillp_core_0" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
27#avc:  denied  { write } for  pid=2040 comm="Fillp_core_94" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=udp_socket permissive=1
28allow dcamera dcamera:udp_socket { bind connect create getattr read setopt write };
29
30#avc:  denied  { getopt } for  pid=2051 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=unix_dgram_socket permissive=1
31#avc:  denied  { setopt } for  pid=2051 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=unix_dgram_socket permissive=1
32allow dcamera dcamera:unix_dgram_socket { getopt setopt };
33
34#avc:  denied  { call } for  pid=2178 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera_host:s0 tclass=binder permissive=1
35#avc:  denied  { transfer } for  pid=2429 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera_host:s0 tclass=binder permissive=1
36allow dcamera dcamera_host:binder { call transfer };
37
38#avc:  denied  { create } for  pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1
39#avc:  denied  { write } for  pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1
40#avc:  denied  { nlmsg_read } for  pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1
41#avc:  denied  { read } for  pid=2166 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dcamera:s0 tclass=netlink_route_socket permissive=1
42allow dcamera dcamera:netlink_route_socket { create nlmsg_read nlmsg_readpriv read write };
43
44#avc:  denied  { search } for  pid=2047 comm="dcamera" name="socket" dev="tmpfs" ino=38 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
45allow dcamera dev_unix_socket:dir { search };
46
47#avc:  denied  { read write } for  pid=2520 comm="sa_main" path="/dev/console" dev="tmpfs" ino=19 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
48allow dcamera dev_console_file:chr_file { read write };
49
50#avc:  denied  { getattr } for  pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
51#avc:  denied  { read write } for  pid=2396 comm="dcamera" name="renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
52#avc:  denied  { open } for  pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
53#avc:  denied  { ioctl } for  pid=2396 comm="dcamera" path="/dev/dri/renderD128" dev="tmpfs" ino=94 ioctlcmd=0x641f scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
54allow dcamera dev_dri_file:chr_file { getattr ioctl open read write };
55
56#avc:  denied  { search } for  pid=2396 comm="dcamera" name="dri" dev="tmpfs" ino=93 scontext=u:r:dcamera:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1
57allow dcamera dev_dri_file:dir { search };
58
59#avc:  denied  { call } for  pid=2464 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1
60allow dcamera dhardware:binder { call };
61
62
63
64#avc:  denied  { call } for  pid=2061 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1
65allow dcamera allocator_host:binder { call };
66
67#avc:  denied  { use } for  pid=2033 comm="dcamera" path="/dmabuf:" dev="dmabuf" ino=29931 ioctlcmd=0x6200 scontext=u:r:dcamera:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1
68allow dcamera allocator_host:fd { use };
69
70#avc:  denied  { call } for  pid=2483 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
71allow dcamera foundation:binder { call };
72
73#avc:  denied  { get } for service=hdf_device_manager pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1
74allow dcamera hdf_device_manager:hdf_devmgr_class { get };
75
76#avc:  denied  { get } for service=distributed_camera_provider_service pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:hdf_distributed_camera_provider_service:s0 tclass=hdf_devmgr_class permissive=1
77allow dcamera hdf_distributed_camera_provider_service:hdf_devmgr_class { get };
78
79
80allow dcamera hdf_allocator_service:hdf_devmgr_class { get };
81
82#avc:  denied  { call } for  pid=2040 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
83#avc:  denied  { transfer } for  pid=2464 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
84allow dcamera hdf_devmgr:binder { call transfer };
85
86#avc:  denied  { call } for  pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
87#avc:  denied  { transfer } for  pid=2061 comm="ohos.dhardware." scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
88allow dcamera media_service:binder { call transfer };
89
90#avc:  denied  { read } for  pid=3521 comm="sa_main" name="u:object_r:accessibility_param:s0" dev="tmpfs" ino=53 scontext=u:r:dcamera:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0
91allow dcamera accessibility_param:file { read open map };
92
93#avc:  denied  { use } for  pid=514 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=181 scontext=u:r:dcamera:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
94allow dcamera media_service:fd { use };
95
96#avc:  denied  { get } for service=3002 pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1
97allow dcamera sa_media_service:samgr_class { get };
98
99#avc:  denied  { get } for service=3901 pid=2042 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
100allow dcamera sa_param_watcher:samgr_class { get };
101
102#avc: denied  { get } for service=4700 pid=2053 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1
103allow dcamera sa_softbus_service:samgr_class { get };
104
105#avc:  denied  { add } for service=4803 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_source_service:s0 tclass=samgr_class permissive=1
106allow dcamera sa_dcamera_source_service:samgr_class { add get_remote };
107
108#avc:  denied  { get_remote } for service=4804 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=1
109#avc:  denied  { add } for service=4804 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=1
110allow dcamera sa_dcamera_sink_service:samgr_class { add get_remote };
111
112#avc:  denied  { get } for service=5100 pid=2068 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
113allow dcamera sa_device_service_manager:samgr_class { get };
114
115#avc:  denied  { get } for service=3008 pid=2475 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_camera_service:s0 tclass=samgr_class permissive=1
116allow dcamera sa_camera_service:samgr_class { get };
117
118#avc:  denied  { get } for service=401 pid=2490 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
119allow dcamera sa_foundation_bms:samgr_class { get };
120
121#avc:  denied  { get } for service=4607 pid=1562 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1
122allow dcamera sa_foundation_dms:samgr_class { get };
123
124#avc:  denied  { get } for service=4606 pid=3551 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1
125allow dcamera sa_foundation_wms:samgr_class { get };
126
127#avc:  denied  { read } for  pid=2433 comm="THREAD_POOL" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
128#avc:  denied  { setopt } for  pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
129#avc:  denied  { shutdown } for  pid=2061 comm="THREAD_POOL" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
130#avc:  denied  { write } for  pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
131allow dcamera softbus_server:tcp_socket { read setopt write shutdown };
132
133#avc:  denied  { call } for  pid=2047 comm="DHEventbusHandl" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
134#avc:  denied  { transfer } for  pid=2061 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
135allow dcamera softbus_server:binder { call transfer };
136
137#avc:  denied  { use } for  pid=586 comm="THREAD_POOL"  scontext=u:r:dcamera:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1
138allow dcamera softbus_server:fd { use };
139
140#avc:  denied  { read } for  pid=4773 comm="dcamera" name="online" dev="sysfs" ino=29986 scontext=u:r:dcamera:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
141#avc:  denied  { open } for  pid=4773 comm="dcamera" path"sys/devices/system/cpu/" name="online" dev="sysfs" ino=29986 scontext=u:r:dcamera:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
142allow dcamera sysfs_devices_system_cpu:file { read open };
143
144#avc:  denied  { read } for  pid=2020 comm="sa_main" name="u:object_r:ohos_dev_param:s0" dev="tmpfs" ino=30 scontext=u:r:dcamera:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0
145allow dcamera ohos_dev_param:file { read };
146
147#avc:  denied  { get } for service=3503 pid=2648 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1
148allow dcamera sa_accesstoken_manager_service:samgr_class { get };
149
150#avc:  denied  { node_bind } for  pid=2166 comm="Fillp_core_210" scontext=u:r:dcamera:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
151allow dcamera node:udp_socket { node_bind };
152allow dcamera init:binder { call transfer };
153debug_only(`
154    allow dcamera sh:binder { call transfer };
155')
156
157#avc:  denied  { get } for service=4803 pid=560 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dcamera_source_service:s0 tclass=samgr_class permissive=0
158# avc:  denied  { get } for service=4804 pid=560 scontext=u:r:hidumper_service:s0 tcontext=u:object_r:sa_dcamera_sink_service:s0 tclass=samgr_class permissive=0
159allow hidumper_service sa_dcamera_source_service:samgr_class { get };
160allow hidumper_service sa_dcamera_sink_service:samgr_class { get };
161
162#avc:  denied  { get } for service=4801 pid=2892 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=0
163allow dcamera sa_dhardware_service:samgr_class { get };
164
165#avc:  denied  { search } for  pid=3030 comm="sa_main" name="bin" dev="sdd72" ino=12 scontext=u:r:dcamera:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=1
166allow dcamera vendor_bin_file:dir { search };
167
168#avc:  denied  { call } for  pid=571 comm="msdp" scontext=u:r:dcamera:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
169allow dcamera accesstoken_service:binder { call };
170
171#avc:  denied  { get } for service=4802 pid=3227 scontext=u:r:dcamera:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1
172allow dcamera sa_foundation_devicemanager_service:samgr_class { get };
173
174#avc:  denied  { call } for  pid=2169 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0
175#avc:  denied  { transfer } for  pid=2712 comm="IPC_1_2732" scontext=u:r:dcamera:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=1
176allow dcamera device_manager:binder { call transfer };
177
178#avc:  denied  { get } for pid=1380 comm="dcamera" scontext=u:r:dcamera:s0 tcontext=u:r:sa_av_codec_service:s0 tclass=samgr_class permissive=1
179allow dcamera sa_av_codec_service:samgr_class { get };
180
181#avc:  denied  { call } for pid=6252 comm="SrcDevHandler" scontext=u:r:dcamera:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0
182#avc:  denied  { transfer } for pid=4125 comm="ohos.dharfware." scontext=u:r:dcamera:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=0
183allow dcamera av_codec_service:binder { call transfer };
184
185#avc:  denied  { call } for pid=1544 comm="IPC_3_2014" scontext=u:r:foundation:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0
186#avc:  denied  { call } for pid=1453 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0
187allow foundation dcamera:binder { call transfer };
188
189#avc:  denied  { call } for pid=1380 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1
190#avc:  denied  { transfer } for pid=1380 comm="av_codec_servic" scontext=u:r:av_codec_service:s0 tcontext=u:r:dhardware:s0 tclass=binder permissive=1
191allow av_codec_service dhardware:binder { call transfer };
192allow av_codec_service dcamera:binder { call transfer };
193
194allow dcamera sysfs_devices_system_cpu:file { read getattr };
195allow dcamera arkcompiler_param:file { map open read };
196allow dcamera ark_writeable_param:file { map open read };
197
198allow dcamera av_codec_service:fd { use };
199allow dcamera_host chip_prod_file:dir { search };
200
201#avc: denied  { call transfer } for pid=4202 comm="DRPC_4_6734" scontext=u:r:dcamera:s0 tcontext=u:r:dslm_service:s0 tclass=binder permissive=1;
202#avc: denied  { call transfer } for pid=3591 comm="dslm_service" scontext=u:r:dslm_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=1;
203#avc: denied  { call transfer } for pid=4202 comm="IPC_2_2923" scontext=u:r:camera_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1;
204allow dcamera dslm_service:binder { call transfer };
205allow dslm_service dcamera:binder { call transfer };
206allow camera_service av_codec_service:binder { call transfer };
207
208#avc: denied  { write } for pid=5006 comm="sa_main" path="/dev/kmsg" dev = "tmpfs" ino=116 scontext=u:r:dcamera:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1;
209#avc: denied  { write } for pid=4861 comm="hdf_devhost" path="/dev/kmsg" dev = "tmpfs" ino=116 scontext=u:r:dcamera_host:s0 tcontext=u:r:dev_kmsg_file:s0 tclass=chr_file permissive=1;
210#avc: denied  { write } for pid=4861 comm="IPC_1_4881" name= dev = "tmpfs" ino=116 scontext=u:r:dcamera_host:s0 tcontext=u:r:chip_prod_file:s0 tclass=file permissive=1;
211#avc: denied  { get } for service=3511 pid=4213 scontext=u:r:dcamera:s0 tcontext=u:r:sa_device_security_level_manager_service:s0 tclass=samgr_class permissive=0;
212allow  dcamera dev_kmsg_file:chr_file { open write };
213allow  dcamera_host dev_kmsg_file:chr_file { open write };
214allow  dcamera_host chip_prod_file:file { open getattr write read };
215allow  dcamera sa_device_security_level_manager_service:samgr_class{ get };
216allow accessibility sa_powermgr_powermgr_service:samgr_class { get };
217
218allow dcamera dev_ashmem_file:chr_file { read open map };
219allow normal_hap sa_dhardware_service:samgr_class { get };
220allow normal_hap dhardware:binder { call };
221
222
223allow dcamera bootevent_param:file { map open read };
224allow dcamera bootevent_samgr_param:file { map open read };
225allow dcamera build_version_param:file { map open read };
226allow dcamera const_allow_mock_param:file { map open read };
227allow dcamera const_allow_param:file { map open read };
228allow dcamera const_build_param:file { map open read };
229allow dcamera const_display_brightness_param:file { map open read };
230allow dcamera const_param:file { map open read };
231allow dcamera const_postinstall_fstab_param:file { map open read };
232allow dcamera const_postinstall_param:file { map open read };
233allow dcamera const_product_param:file { map open read };
234allow dcamera dcamera_host:binder { transfer };
235allow dcamera debug_param:file { map open read };
236allow dcamera default_param:file { map open read };
237allow dcamera distributedsche_param:file { map open read };
238allow dcamera hilog_param:file { map open read };
239allow dcamera hw_sc_build_os_param:file { map open read };
240allow dcamera hw_sc_build_param:file { map open read };
241allow dcamera hw_sc_param:file { map open read };
242allow dcamera init_param:file { map open read };
243allow dcamera init_svc_param:file { map open read };
244allow dcamera input_pointer_device_param:file { map open read };
245allow dcamera net_param:file { map open read };
246allow dcamera net_tcp_param:file { map open read };
247allow dcamera ohos_boot_param:file { map open read };
248allow dcamera ohos_param:file { map open read };
249allow dcamera param_watcher:binder { call transfer };
250allow dcamera persist_param:file { map open read };
251allow dcamera persist_sys_param:file { map open read };
252allow dcamera security_param:file { map open read };
253allow dcamera startup_param:file { map open read };
254allow dcamera sys_param:file { map open read };
255allow dcamera system_bin_file:dir { search };
256allow dcamera sys_usb_param:file { map open read };
257allow dcamera tracefs:dir { search };
258allow dcamera tracefs_trace_marker_file:file { open write };
259allow dcamera sys_prod_file:dir { search };
260allow dcamera chip_prod_file:dir { search };
261allow dcamera data_data_file:dir { search write add_name search };
262allow dcamera data_data_file:file { create append open ioctl getattr };
263allow camera_service hdf_distributed_camera_provider_service:hdf_devmgr_class { get };
264allow dcamera_host render_service:binder { transfer };
265allow dcamera_host normal_hap_attr:binder { transfer };
266allow dcamera_host av_codec_service:binder { call transfer };
267allowxperm dcamera data_data_file:file ioctl { 0x5413 };
268