# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux type-enforcement rules for the camera_service domain (u:r:camera_service:s0).
# Most rules are preceded by the AVC denial that motivated them; the AVC line is the
# audit trail for why the permission exists.  Rules WITHOUT an AVC line, or whose
# permission set is wider than the logged denial, are marked with NOTE(review) below
# so the next maintainer can re-justify or narrow them.  Policy statements are
# additive and order-independent; nothing here has been rearranged.

#avc: denied { transfer } for pid=478 comm="camera_service" scontext=u:r:camera_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0
allow camera_service dcamera:binder { transfer };

# Binder access from the debug shell only; debug_only() compiles this out of user builds,
# so it must never be promoted to an unconditional rule.
debug_only(`
    allow camera_service sh:binder { call transfer };
')

#avc: denied { get } for service=401 pid=599 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
allow camera_service sa_foundation_bms:samgr_class { get };

# Socket-option access on the service's own datagram sockets (self-target only).
allow camera_service camera_service:unix_dgram_socket { getopt setopt};

# Callbacks into application processes: normal_hap_attr covers every ordinary HAP domain,
# so this is intentionally broad; camera clients are apps.
allow camera_service normal_hap_attr:binder { call transfer};

# Permission checks go through the access-token service.
allow camera_service accesstoken_service:binder { call transfer };

# Bidirectional binder with privacy_service (camera-in-use indicator / privacy callbacks).
allow camera_service privacy_service:binder { call transfer };
allow privacy_service camera_service:binder { call transfer };
allow camera_service sa_privacy_service:samgr_class { get };
# NOTE(review): `add` on sa_sensor_service lets camera_service REGISTER a system ability
# under the sensor-service id, not merely look it up.  If camera_service only consumes
# sensor data, `get` alone is sufficient and `add` should be dropped -- confirm with the
# owner before narrowing.
allow camera_service sa_sensor_service:samgr_class { get add};
allow camera_service sensors:binder { call transfer };
#avc: denied { get } for service=camera_image_process_service pid=1392 scontext=u:r:camera_service:s0 tcontext=u:object_r:hdf_camera_image_process_service:s0 tclass=hdf_devmgr_class permissive=1
allow camera_service hdf_camera_image_process_service:hdf_devmgr_class { get };
#avc: denied { use } for pid=3966 comm="OS_FFRT_2_1" path="/dev/ashmem" dev="tmpfs" ino=630 scontext=u:r:camera_service:s0 tcontext=u:r:cameradaemon:s0 tclass=fd permissive=1
#avc: denied { use } for pid=3966 comm="OS_FFRT_2_1" path="/dmabuf:" dev="dmabuf" ino=35644 scontext=u:r:camera_service:s0 tcontext=u:r:cameradaemon:s0 tclass=fd permissive=1
# Deliberately left disabled: the two denials above were observed but the fd-use grant
# toward cameradaemon is not enabled.  Keep it commented unless the denial is reproduced
# on a user build (permissive=1 above means these came from a permissive domain).
#allow camera_service cameradaemon:fd { use };
allow camera_service foundation:binder { transfer };
# binder_call() expands to call/transfer in both directions for the power manager.
binder_call(camera_service, powermgr);
#avc: denied { get } for service=3303 pid=1767 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_thermal_service:s0 tclass=samgr_class permissive=0
allow camera_service sa_powermgr_thermal_service:samgr_class { get };
#avc: denied { get } for service=3299 pid=1767 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
allow camera_service sa_foundation_cesfwk_service:samgr_class { get };

#avc: denied { get } for service=allocator_service pid=8082 scontext=u:r:camera_service:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=0
allow camera_service hdf_allocator_service:hdf_devmgr_class { get };
#avc: denied { call } for pid=1478, comm="/system/bin/sa_main" scontext=u:r:camera_service:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=0
allow camera_service allocator_host:binder { call };
#avc: denied { use } for pid=1386, comm="/vendor/bin/hdf_devhost" path="anon_inode:dmabuf" dev="" ino=0 scontext=u:r:camera_service:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=0
# dmabuf descriptors handed over by the allocator host (graphics buffers for frames).
allow camera_service allocator_host:fd { use };
#avc: denied { get } for service=3009 pid=1472 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=0
allow camera_service sa_audio_policy_service:samgr_class { get };
#avc: denied { call } for pid=1478, comm="/system/bin/sa_main" scontext=u:r:camera_service:s0 tcontext=u:r:audio_policy:s0 tclass=binder permissive=0
# NOTE(review): the denial above is against tcontext u:r:audio_policy, but the rule
# targets audio_server and also adds `transfer`.  Presumably audio_policy was folded
# into (or aliased to) audio_server -- verify the domain name, otherwise this rule does
# not fix the logged denial.
allow camera_service audio_server:binder { call transfer };
allow camera_service sa_pulseaudio_audio_service:samgr_class { get };
allow camera_service sa_av_codec_service:samgr_class { get };
allow camera_service av_codec_service:binder { call transfer };
allow camera_service codec_host:fd { use };
#avc: denied { read } for pid=1474, comm="/system/bin/sa_main" path="/system/lib64/media/media_plugins" dev="/dev/block/platform/fa500000.ufs/by-name/system" ino=5362 scontext=u:r:camera_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=0
# Directory listing of the media plugin directory (read-only; no file execute granted here).
allow camera_service system_lib_file:dir { open read };
#avc: denied { open } for pid=1469, comm="/system/bin/sa_main" path="/dev/ashmem" dev="" ino=1 scontext=u:r:camera_service:s0 tcontext=u:object_r:dev_ashmem_file:s0 tclass=chr_file permissive=0
allow camera_service dev_ashmem_file:chr_file { open };
#avc: denied { search } for pid=1469, comm="/system/bin/sa_main" name="/data" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=3615 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=0
# NOTE(review): only `search` was logged, but the two rules below grant directory write
# (write add_name) and file create/open/read/write on data_data_file.  That is a much
# wider grant than the denial supports; if camera_service must create files under this
# label, the path should be labeled with a camera-specific type instead.  Confirm what
# is actually written here before keeping the write permissions.
allow camera_service data_data_file:dir { search write add_name };
allow camera_service data_data_file:file { create open read write };
# ioctl on hmdfs files is restricted to the single request 0xf207 by the allowxperm rule;
# do not widen the xperm set without recording the ioctl that needs it.
allow camera_service hmdfs:file { read write ioctl };
allowxperm camera_service hmdfs:file ioctl { 0xf207 };
#avc: denied { use } for pid=5703, comm="/system/bin/appspawn" path="/storage/cloud/files/Photo/1/IMG_27156725_001.mp4" dev="/data/service/el2/100/hmdfs/account" ino=11529215046068485401 scontext=u:r:camera_service:s0 tcontext=u:r:medialibrary_hap:s0 tclass=fd permissive=0
# Media files are received as descriptors opened by the media library app, so
# camera_service does not need its own open on the Photo directory.
allow camera_service medialibrary_hap:fd { use };
#avc: denied { get } for service=180 pid=1480 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_abilityms:s0 tclass=samgr_class permissive=0
allow camera_service sa_foundation_abilityms:samgr_class { get };
#avc: denied { get } for service=501 pid=1448 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_appms:s0 tclass=samgr_class permissive=0
allow camera_service sa_foundation_appms:samgr_class {get};
allow camera_service distributeddata:binder { call };
# NOTE(review): no AVC denial recorded for the next two rules.  Writing to /dev/kmsg
# and read/write on tty devices are unusual for a camera service; if they exist only for
# developer logging they should be wrapped in debug_only(), and if they are needed on
# user builds the denial that motivated them should be recorded here.
allow camera_service dev_kmsg_file:chr_file { write };
allow camera_service tty_device:chr_file { read write };
allow camera_service chip_prod_file:dir { search };
allow camera_service normal_hap:fd { use };
allow camera_service sa_distributeddata_service:samgr_class { get };
allow camera_service distributeddata:fd { use };
allow camera_service sa_media_monitor:samgr_class { get };
# NOTE(review): ioctl on the AT device node is limited to request 0x4104.  No denial is
# recorded; document which camera feature issues this ioctl (likely a vendor hook) so
# the grant is not silently widened later.
allow camera_service dev_at_file:chr_file ioctl;
allowxperm camera_service dev_at_file:chr_file ioctl { 0x4104 };
#avc: denied { get } for service=4802 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_foundation_devicemanager_service:s0 tclass=samgr_class permissive=1
allow camera_service sa_foundation_devicemanager_service:samgr_class { get };
allow camera_service device_manager:binder { call transfer };
allow camera_service av_codec_service:fd { use };

allow camera_service resource_schedule_service:binder { call };
# NOTE(review): no denial recorded; create/open/read/write on data_user_file is a broad
# grant over user data.  Record the path being written and consider a dedicated label.
allow camera_service data_user_file:file { create open read write };
#avc: denied { get } for service=3301 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_powermgr_service:s0 tclass=samgr_class permissive=0
allow camera_service sa_powermgr_powermgr_service:samgr_class { get };
#avc: denied { search } for pid=1591, comm="/system/bin/sa_main" name="/service/el1" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=62 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
#avc: denied { write remove_name search } for pid=20408, comm="/bin/rm" name="/service/el1/public/camera_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=1473 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
#avc: denied { getattr } for pid=20061, comm="/bin/ls" path="/data/service/el1/public/camera_service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=1473 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=dir permissive=1
# NOTE(review): of the three denials above only the first is from camera_service (and it
# asked for `search` only).  The `/bin/rm` and `/bin/ls` denials are from the root shell
# (scontext=u:r:su) and do not justify granting camera_service `read getattr remove_name`
# -- denials from a developer's shell must not be converted into service permissions.
# Keep only what camera_service itself was denied, unless the service really removes
# entries (e.g. its own temp files), in which case capture that denial under
# scontext=u:r:camera_service.
allow camera_service data_service_el1_file:dir { search write add_name read getattr remove_name };
#avc: denied { read } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/VID_9003970_001.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25402 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
#avc: denied { open } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/VID_9003970_001.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25402 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
#avc: denied { create } for pid=1591, comm="/system/bin/sa_main" name="/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=26635 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
#avc: denied { read write } for pid=1591, comm="/system/bin/sa_main" path="/data/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=26635 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
#avc: denied { unlink } for pid=20408, comm="/bin/rm" name="/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25420 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
#avc: denied { getattr } for pid=20061, comm="/bin/ls" path="/data/service/el1/public/camera_service/temp.mp4" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=25420 scontext=u:r:su:s0 tcontext=u:object_r:data_service_el1_file:s0 tclass=file permissive=1
# NOTE(review): camera_service itself was denied read/open/create/write only.  `unlink`
# and `getattr` come from the su-shell denials above, and `map rename setattr` have no
# denial at all; each of those should be re-justified with a camera_service denial or
# removed.  Also note the logged paths show recorded video (VID_*.mp4, temp.mp4) being
# kept under /data/service/el1/.  Presumably EL1 is device-level rather than
# user-credential-bound storage -- confirm that user media is meant to live there, and
# that these files are moved or deleted once handed to the media library.
allow camera_service data_service_el1_file:file { read open create write unlink getattr map rename setattr };
#avc: denied { search } for pid=1540, comm="/system/bin/sa_main" name="/service" dev="/dev/block/platform/fa500000.ufs/by-name/userdata" ino=58 scontext=u:r:camera_service:s0 tcontext=u:object_r:data_service_file:s0 tclass=dir permissive=0
allow camera_service data_service_file:dir { search };
allow camera_service hdf_camera_video_process_service:hdf_devmgr_class { get };
#avc: denied { getattr } for pid=9729, comm="/system/bin/sa_main" path="/storage/cloud/files/Photo/11/VID_9441076_011.mp4" dev="/data/service/el2/100/hmdfs/account" ino=11529215046068499858 scontext=u:r:camera_service:s0 tcontext=u:object_r:hmdfs:s0 tclass=file permissive=0
allow camera_service hmdfs:file { getattr };
#avc: denied { get } for service=3302 sid=u:r:camera_service:s0 scontext=u:r:camera_service:s0 tcontext=u:object_r:sa_powermgr_battery_service:s0 tclass=samgr_class permissive=0
allow camera_service sa_powermgr_battery_service:samgr_class { get };