audio/system/audio_policy.te

# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

init_daemon_domain(audio_policy);

#avc:  denied  { call } for  pid=334 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1
allow audio_policy accesstoken_service:binder { call };

#avc:  denied  { getopt } for  pid=476 comm="threaded-ml" scontext=u:r:audio_policy:s0 tcontext=u:r:audio_policy:s0 tclass=unix_dgram_socket permissive=1
#avc:  denied  { setopt } for  pid=476 comm="threaded-ml" scontext=u:r:audio_policy:s0 tcontext=u:r:audio_policy:s0 tclass=unix_dgram_socket permissive=1
allow audio_policy audio_policy:unix_dgram_socket { getopt setopt };

#avc:  denied  { call } for  pid=353 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=351 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:bluetooth_service:s0 tclass=binder permissive=1
allow audio_policy bluetooth_service:binder { call transfer };

#avc:  denied  { search } for  pid=371 comm="threaded-ml" name="data" dev="mmcblk0p7" ino=1436162 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_file:s0 tclass=dir permissive=1
allow audio_policy data_data_file:dir { search };

#avc:  denied  { getattr } for  pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p7" ino=1436167 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1
#avc:  denied  { open } for  pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=371 comm="threaded-ml" name="state" dev="mmcblk0p7" ino=1436167 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1
#avc:  denied  { remove_name } for  pid=360 comm="audio_policy" name="pipe_sink.pcm" dev="mmcblk0p7" ino=1436174 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1
#avc:  denied  { search } for  pid=371 comm="threaded-ml" name=".pulse_dir" dev="mmcblk0p7" ino=1436165 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1
#avc:  denied  { write } for  pid=338 comm="audio_policy" name=".pulse_dir" dev="mmcblk0p7" ino=1436165 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=dir permissive=1
allow audio_policy data_data_pulse_dir:dir { getattr open read remove_name search write };

#avc:  denied  { unlink } for  pid=360 comm="audio_policy" name="pipe_sink.pcm" dev="mmcblk0p7" ino=1436174 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=fifo_file permissive=1
allow audio_policy data_data_pulse_dir:fifo_file { unlink };

#avc:  denied  { lock } for  pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1
#myavc:  denied  { read write } for  pid=371 comm="threaded-ml" name="cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_data_pulse_dir:s0 tclass=file permissive=1
allow audio_policy data_data_pulse_dir:file { lock open read write };

#avc:  denied  { search } for  pid=371 comm="threaded-ml" name="/" dev="mmcblk0p7" ino=2 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow audio_policy data_file:dir { search };

#avc:  denied  { search } for  pid=348 comm="audio_policy" name="init_agent" dev="mmcblk0p7" ino=8166 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_init_agent:s0 tclass=dir permissive=1
allow audio_policy data_init_agent:dir { search };

#avc:  denied  { ioctl } for  pid=334 comm="audio_policy" path="/data/init_agent/begetctl.log" dev="mmcblk0p7" ino=75 ioctlcmd=0x5413 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=334 comm="audio_policy" path="/data/init_agent/begetctl.log" dev="mmcblk0p7" ino=75 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
#avc:  denied  { read append } for  pid=334 comm="audio_policy" name="begetctl.log" dev="mmcblk0p7" ino=75 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
allow audio_policy data_init_agent:file { ioctl open read append };

#avc:  denied  { search } for  pid=382 comm="audio_policy" name="socket" dev="tmpfs" ino=38 scontext=u:r:audio_policy:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow audio_policy dev_unix_socket:dir { search };

#avc:  denied  { write } for  pid=382 comm="audio_policy" name="hilogInput" dev="tmpfs" ino=281 scontext=u:r:audio_policy:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=sock_file permissive=1
allow audio_policy dev_unix_socket:sock_file { write };

#avc:  denied  { call } for  pid=371 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=361 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:distributeddata:s0 tclass=binder permissive=1
allow audio_policy distributeddata:binder { call transfer };

#avc:  denied  { call } for  pid=334 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:hdcd:s0 tclass=binder permissive=1
allow audio_policy hdcd:binder { call };

#avc:  denied  { call } for  pid=355 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=355 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow audio_policy hdf_devmgr:binder { call transfer };

#avc:  denied  { use } for  pid=407 comm="hidumper_servic" path="pipe:[37893]" dev="pipefs" ino=37893 scontext=u:r:audio_policy:s0 tcontext=u:r:hidumper_service:s0 tclass=fd permissive=1
allow audio_policy hidumper_service:fd { use };

#avc:  denied  { write } for  pid=407 comm="hidumper_servic" path="pipe:[31279]" dev="pipefs" ino=31279 scontext=u:r:audio_policy:s0 tcontext=u:r:hidumper_service:s0 tclass=fifo_file permissive=1
allow audio_policy hidumper_service:fifo_file { write };

#avc:  denied  { transfer } for  pid=360 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:init:s0 tclass=binder permissive=1
#allow audio_policy init:binder { transfer };

#avc:  denied  { connectto } for  pid=355 comm="audio_policy" path="/dev/unix/socket/native" scontext=u:r:audio_policy:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
allow audio_policy init:unix_stream_socket { connectto };

#avc:  denied  { call } for  pid=352 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
allow audio_policy media_service:binder { call };

#avc:  denied  { call } for  pid=348 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1
allow audio_policy multimodalinput:binder { call };

#avc:  denied  { use } for  pid=244 comm="multimodalinput" path="socket:[25817]" dev="sockfs" ino=25817 scontext=u:r:audio_policy:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1
allow audio_policy multimodalinput:fd { use };

#avc:  denied  { read write } for  pid=244 comm="multimodalinput" path="socket:[25817]" dev="sockfs" ino=25817 scontext=u:r:audio_policy:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
allow audio_policy multimodalinput:unix_stream_socket { read write };

#avc:  denied  { write } for  pid=338 comm="audio_policy" name="native" dev="tmpfs" ino=293 scontext=u:r:audio_policy:s0 tcontext=u:object_r:native_socket:s0 tclass=sock_file permissive=1
allow audio_policy native_socket:sock_file { write };

#avc:  denied  { call } for  pid=348 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=348 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:param_watcher:s0 tclass=binder permissive=1
allow audio_policy param_watcher:binder { call transfer };

#avc:  denied  { call } for  pid=342 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:pulseaudio:s0 tclass=binder permissive=1
allow audio_policy pulseaudio:binder { call };

#avc:  denied  { read write } for  pid=525 comm="sa_main" path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=15759 scontext=u:r:audio_policy:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
allow audio_policy rootfs:chr_file { read write };

#avc:  denied  { get } for service=3503 pid=341 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=1
allow audio_policy sa_accesstoken_manager_service:samgr_class { get };

#avc:  denied  { add } for service=3009 pid=385 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1
allow audio_policy sa_audio_policy_service:samgr_class { add };

#avc:  denied  { get } for service=5100 pid=341 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
allow audio_policy sa_device_service_manager:samgr_class { get };

#avc:  denied  { get } for service=1301 pid=341 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_distributeddata_service:s0 tclass=samgr_class permissive=1
allow audio_policy sa_distributeddata_service:samgr_class { get };

#avc:  denied  { get } for service=3101 pid=341 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
allow audio_policy sa_multimodalinput_service:samgr_class { get };

#avc:  denied  { get } for service=3901 pid=341 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
allow audio_policy sa_param_watcher:samgr_class { get };

#avc:  denied  { get } for service=3001 pid=385 scontext=u:r:audio_policy:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=1
allow audio_policy sa_pulseaudio_audio_service:samgr_class { get };

#avc:  denied  { call } for  pid=368 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:system_basic_hap:s0 tclass=binder permissive=1
allow audio_policy system_basic_hap:binder { call };

#avc:  denied  { search } for  pid=377 comm="sa_main" name="bin" dev="mmcblk0p6" ino=103 scontext=u:r:audio_policy:s0 tcontext=u:object_r:system_bin_file:s0 tclass=dir permissive=1
allow audio_policy system_bin_file:dir { search };

#avc:  denied  { call } for  pid=371 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1
allow audio_policy system_core_hap:binder { call };

#avc:  denied  { search } for  pid=338 comm="audio_policy" name="/" dev="tracefs" ino=1 scontext=u:r:audio_policy:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
allow audio_policy tracefs:dir { search };

#avc:  denied  { open } for  pid=338 comm="audio_policy" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13989 scontext=u:r:audio_policy:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
#avc:  denied  { write } for  pid=338 comm="audio_policy" name="trace_marker" dev="tracefs" ino=13989 scontext=u:r:audio_policy:s0 tcontext=u:object_r:tracefs:s0 tclass=file permissive=1
allow audio_policy tracefs:file { open write };

#avc:  denied  { open } for  pid=335 comm="audio_policy" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13989 scontext=u:r:audio_policy:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
#avc:  denied  { write } for  pid=385 comm="audio_policy" name="trace_marker" dev="tracefs" ino=15019 scontext=u:r:audio_policy:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow audio_policy tracefs_trace_marker_file:file { open write };

#avc:  denied  { search } for  pid=374 comm="audio_policy" name="etc" dev="mmcblk0p7" ino=19 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=dir permissive=1
allow audio_policy vendor_etc_file:dir { search };

#avc:  denied  { getattr } for  pid=374 comm="audio_policy" path="/vendor/etc/audio/audio_policy_config.xml" dev="mmcblk0p7" ino=22 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=378 comm="audio_policy" path="/vendor/etc/audio/audio_policy_config.xml" dev="mmcblk0p7" ino=22 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=374 comm="audio_policy" name="audio_policy_config.xml" dev="mmcblk0p7" ino=22 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_etc_file:s0 tclass=file p
allow audio_policy vendor_etc_file:file { getattr open read };

#avc:  denied  { getattr } for  pid=490 comm="audio_policy" path="/vendor/lib64/libhdi.z.so" dev="mmcblk0p7" ino=98 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=490 comm="audio_policy" path="/vendor/lib64/libhdi.z.so" dev="mmcblk0p7" ino=98 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=521 comm="audio_policy" path="/vendor/lib64/libhdi_display_gralloc_client.z.so" dev="mmcblk0p7" ino=108 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1
allow audio_policy vendor_file:file { getattr open read };

#avc:  denied  { search } for  pid=359 comm="audio_policy" name="lib" dev="mmcblk0p6" ino=44 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=dir permissive=1
allow audio_policy vendor_lib_file:dir { search };

#avc:  denied  { read } for  pid=359 comm="audio_policy" name="libhdi.z.so" dev="mmcblk0p6" ino=87 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=359 comm="audio_policy" path="/vendor/lib/libhdi.z.so" dev="mmcblk0p6" ino=87 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=359 comm="audio_policy" path="/vendor/lib/libhdi.z.so" dev="mmcblk0p6" ino=87 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=359 comm="audio_policy" path="/vendor/lib/libhdi.z.so" dev="mmcblk0p6" ino=87 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=file permissive=1
#avc:  denied  { execute } for  pid=359 comm="audio_policy" path="/vendor/lib/libhdi.z.so" dev="mmcblk0p6" ino=87 scontext=u:r:audio_policy:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=file permissive=1
allow audio_policy vendor_lib_file:file { read open getattr map execute };

#avc:  denied  { ioctl } for  pid=334 comm="audio_policy" path="/data/init_agent/begetctl.log" dev="mmcblk0p7" ino=75 ioctlcmd=0x5413 scontext=u:r:audio_policy:s0 tcontext=u:object_r:data_init_agent:s0 tclass=file permissive=1
allowxperm audio_policy data_init_agent:file ioctl { 0x5413 };

#avc:  denied  { call } for  pid=456 comm="audio_policy" scontext=u:r:audio_policy:s0 tcontext=u:r:normal_hap:s0 tclass=binder permissive=1
allow audio_policy normal_hap:binder { call };

allow audio_policy data_service_file:dir { search };
allow audio_policy data_service_el1_file:dir { add_name create getattr open read remove_name rmdir search setattr write };
allow audio_policy data_service_el1_file:file { create getattr ioctl lock map open read rename setattr unlink write };

allow audio_policy accesstoken_service:binder { call transfer };
allow accesstoken_service audio_policy:binder { call transfer };

allow audio_policy accessibility:binder { call transfer };
allow audio_policy accessibility_param:file { map open read };
allow audio_policy sa_accessibleabilityms:samgr_class { get };

allow audio_policy privacy_service:binder { call transfer };
allow audio_policy sa_privacy_service:samgr_class { get };

allow audio_policy persist_audio_param:parameter_service { set };
allow { domain -limit_domain } persist_audio_param:file { map open read };

allow audio_policy paramservice_socket:sock_file { write };
allow audio_policy kernel:unix_stream_socket { connectto };

allow audio_policy persist_param:parameter_service { set };

allow audio_policy vendor_bin_file:dir { search };