# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

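# SELinux type enforcement rules for the drm_service domain.
# Most allow rules are preceded by the avc denial they were derived from; the
# audit line is kept as the record of why the permission was added. A rule with
# no denial above it carries no such record in this file.
# Two rules that appeared twice in earlier revisions (hdf_clearplay_service get,
# system_lib_file dir access) are now stated once each.

# avc:  denied  { read write } for  pid=602 comm="sa_main" path="/dev/console" dev="tmpfs" ino=39 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
# NOTE(review): read/write on /dev/console is a broad grant for a system
# service; confirm it is still needed rather than a leftover from bring-up.
allow drm_service dev_console_file:chr_file { read write };

# avc:  denied  { getattr } for  pid=602 comm="drm_service" path="/dev" dev="tmpfs" ino=1 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1
allow drm_service dev_file:dir { getattr };

# avc:  denied  { get } for service=clearplay_service pid=602 scontext=u:r:drm_service:s0 tcontext=u:object_r:hdf_clearplay_service:s0 tclass=hdf_devmgr_class permissive=1
# (this denial and rule were recorded twice in the file; kept once here.)
allow drm_service hdf_clearplay_service:hdf_devmgr_class { get };

# avc:  denied  { getattr } for  pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=602 comm="drm_service" path="/sys/devices/system/cpu/online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=602 comm="drm_service" name="online" dev="sysfs" ino=4917 scontext=u:r:drm_service:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow drm_service sysfs_devices_system_cpu:file { getattr open read };

#avc:  denied  { transfer } for  pid=478 comm="camera_service" scontext=u:r:camera_service:s0 tcontext=u:r:dcamera:s0 tclass=binder permissive=0
# NOTE(review): the denial above has scontext camera_service, not drm_service,
# so it does not justify this rule; confirm drm_service itself needs binder
# transfer towards dcamera, or drop the rule.
allow drm_service dcamera:binder { transfer };

# Rules wrapped in debug_only are meant for debug builds only (per the macro
# name): binder call/transfer towards the sh and su domains.
debug_only(`
    allow drm_service sh:binder { call transfer };
    allow drm_service su:binder { call transfer };
')

#avc:  denied  { get } for service=401 pid=599 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=1
allow drm_service sa_foundation_bms:samgr_class { get };

# No denial is recorded for the camera_service socket option access.
allow drm_service camera_service:unix_dgram_socket { getopt setopt };

# NOTE(review): normal_hap_attr here and hap_domain further down look like
# attributes spanning many application domains, so these grants are wide;
# confirm they cannot be narrowed to the specific domains drm_service serves.
allow drm_service normal_hap_attr:binder { call transfer };

allow drm_service accesstoken_service:binder { call transfer };

allow drm_service sa_memory_manager_service:samgr_class { get };
# avc:  denied  { call } for  pid=2392 comm="SaInit0" scontext=u:r:drm_service:s0 tcontext=u:r:memmgrservice:s0 tclass=binder permissive=1
allow drm_service memmgrservice:binder { call };

allow drm_service hdf_device_manager:hdf_devmgr_class { get };

# Binder traffic in both directions with privacy_service, plus the samgr lookup.
allow drm_service privacy_service:binder { call transfer };
allow privacy_service drm_service:binder { call transfer };
allow drm_service sa_privacy_service:samgr_class { get };

# NOTE(review): create/write on the generic data_system label (the dir denial
# further down shows it is the /data/system tree) covers every file sharing
# that label, not only the ones drm_service owns; a service-specific file type
# would narrow this if the build provides one - confirm.
allow drm_service data_system:file { create read open getattr write ioctl };

# avc:  denied  { transfer } for  pid=608 comm="OS_IPC_2_1673" scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
allow drm_service media_service:binder { transfer };

# avc:  denied  { use } for  pid=568 comm="multiqueue4:src" path="/dev/ashmem" dev="tmpfs" ino=238 scontext=u:r:drm_service:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
allow drm_service media_service:fd { use };

#avc:  denied  { read } for  pid=4768 comm="SaInit0" name="oem_certificate_service" dev="sdd74" ino=6055 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
# avc:  denied  { open } for  pid=11141 comm="SaInit0" path="/system/lib64/oem_certificate_service" dev="sdd86" ino=6224 scontext=u:r:drm_service:s0 tcontext=u:object_r:system_lib_file:s0 tclass=dir permissive=1
# (read and open were previously granted by two separate rules; merged here.)
allow drm_service system_lib_file:dir { open read };

# avc:  denied  { map } for  pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
# avc:  denied  { open } for  pid=11141 comm="SaInit0" path="/dev/__parameters__/u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
# avc:  denied  { read } for  pid=11141 comm="SaInit0" name="u:object_r:arkcompiler_param:s0" dev="tmpfs" ino=161 scontext=u:r:drm_service:s0 tcontext=u:object_r:arkcompiler_param:s0 tclass=file permissive=1
allow drm_service arkcompiler_param:file { map open read };
# No denial is recorded for ark_writeable_param; same access as above.
allow drm_service ark_writeable_param:file { map open read };

# avc:  denied  { search } for  pid=11141 comm="SaInit0" name="/" dev="sdd91" ino=3 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow drm_service data_file:dir { search };

# avc:  denied  { search } for  pid=11141 comm="SaInit0" name="system" dev="sdd91" ino=29 scontext=u:r:drm_service:s0 tcontext=u:object_r:data_system:s0 tclass=dir permissive=1
# NOTE(review): only search was denied; write/add_name/create on the shared
# data_system directory label go well beyond that - confirm each is needed.
allow drm_service data_system:dir { search write add_name create read open };

# avc:  denied  { write } for  pid=11141 comm="sa_main" path="/dev/kmsg" dev="tmpfs" ino=116 scontext=u:r:drm_service:s0 tcontext=u:object_r:dev_kmsg_file:s0 tclass=chr_file permissive=1
# NOTE(review): writing to /dev/kmsg puts messages into the kernel log; confirm
# the service must log there rather than through the normal log path.
allow drm_service dev_kmsg_file:chr_file { write };

# Network access used by the OS_WisePlayCert thread: TCP/UDP sockets owned by
# the domain itself, DNS via netsysnative and port/node binding.
# avc:  denied  { connect } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { create } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { getattr } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { getopt } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { read } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { setopt } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
# avc:  denied  { write } for  pid=11141 comm="OS_WisePlayCert" laddr=192.168.50.172 lport=52352 faddr=139.9.117.106 fport=8080 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=tcp_socket permissive=1
allow drm_service drm_service:tcp_socket { connect create getattr getopt read setopt write };

# avc:  denied  { bind } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { create } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { read } for  pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
# avc:  denied  { write } for  pid=11141 comm="OS_WisePlayCert" lport=50730 scontext=u:r:drm_service:s0 tcontext=u:r:drm_service:s0 tclass=udp_socket permissive=1
allow drm_service drm_service:udp_socket { bind create read write };

# avc:  denied  { call } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:r:netmanager:s0 tclass=binder permissive=1
allow drm_service netmanager:binder { call };

# avc:  denied  { connectto } for  pid=11141 comm="OS_WisePlayCert" path="/dev/unix/socket/dnsproxyd" scontext=u:r:drm_service:s0 tcontext=u:r:netsysnative:s0 tclass=unix_stream_socket permissive=1
allow drm_service netsysnative:unix_stream_socket { connectto };

# avc:  denied  { node_bind } for  pid=11141 comm="OS_WisePlayCert" scontext=u:r:drm_service:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
allow drm_service node:udp_socket { node_bind };

# avc:  denied  { name_connect } for  pid=11141 comm="OS_WisePlayCert" dest=8080 scontext=u:r:drm_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
# NOTE(review): port appears to be the generic port label (the denial only
# shows dest=8080), so this allows connecting to any port carrying it; if the
# policy labels individual ports, a narrower type would limit the reach.
allow drm_service port:tcp_socket { name_connect };

# avc_audit_slow:260] avc: denied { transfer } for pid=1637, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=binder permissive=1
allow drm_service av_codec_service:binder { transfer };

# avc_audit_slow:260] avc: denied { use } for pid=1654, comm="/system/bin/sa_main"  path="/dev/ashmem" dev="" ino=1 scontext=u:r:drm_service:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1
allow drm_service av_codec_service:fd { use };

# avc:  denied  { use } for  pid=550 comm="OS_IPC_2_2362" path="/dev/ashmem" dev="tmpfs" ino=245 scontext=u:r:clearplay_host:s0 tcontext=u:r:av_codec_service:s0 tclass=fd permissive=1
# (subject is clearplay_host, not drm_service; kept in this file as found.)
allow clearplay_host av_codec_service:fd { use };

#avc:  denied  { get } for service=1151 pid=5890 scontext=u:r:drm_service:s0 tcontext=u:object_r:sa_net_conn_manager:s0 tclass=samgr_class permissive=1
allow drm_service sa_net_conn_manager:samgr_class { get };

# avc:  denied  { use } for  pid=1622 comm="IPC_0_1803" path="/dmabuf:" dev="dmabuf" ino=38669 scontext=u:r:drm_service:s0 tcontext=u:r:codec_host:s0 tclass=fd permissive=1
allow drm_service codec_host:fd { use };

# NOTE(review): no denial is recorded for tty_device read/write; together with
# the dev_console_file rule above this gives the service terminal access that
# a headless service rarely needs - confirm before keeping.
allow drm_service tty_device:chr_file { read write };

# No denial is recorded; see the attribute note on normal_hap_attr above.
allow drm_service hap_domain:fd { use };

# avc_audit_slow:260] avc: denied { call } for pid=1540, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
# avc_audit_slow:260] avc: denied { transfer } for pid=1540, comm="/system/bin/sa_main"  scontext=u:r:drm_service:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
allow drm_service system_basic_hap:binder { call transfer };
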