# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/01.mp3" dev="mmcblk0p11" ino=1307144 scontext=u:r:media_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow media_service data_app_el1_file:file { getattr };

#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="typefind:sink" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc:  denied  { write } for  pid=475 comm="queue0:src" path="/data/service/el2/100/hmdfs/account/files/Videos/audio_09.mp4" dev="mmcblk0p11" ino=261565 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
allow media_service data_user_file:file { getattr read write };

#avc:  denied  { write } for  pid=475 comm="media_service" name="hilogInput" dev="tmpfs" ino=495 scontext=u:r:media_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=sock_file permissive=1
allow media_service dev_unix_socket:sock_file { write };

#avc:  denied  { connect } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc:  denied  { create } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc:  denied  { setopt } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc:  denied  { create } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1
allow media_service media_service:tcp_socket { connect create setopt create };

#avc:  denied  { name_connect } for  pid=475 comm="source:src" dest=8000 scontext=u:r:media_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
allow media_service port:tcp_socket { name_connect };

#avc:  denied  { use } for  pid=475 comm="qtdemux5:sink" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/64.mp4" dev="mmcblk0p11" ino=1307154 scontext=u:r:media_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1
allow media_service system_core_hap_attr:fd { use };

#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="media_service" name="H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
allow media_service data_file:file { getattr read open };

#avc:  denied  { open } for  pid=475 comm="conv_src:src" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="conv_src:src" name="boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
allow media_service proc_boot_id:file { open read };

#avc:  denied  { call } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
#avc:  denied  { transfer } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
debug_only(`
    allow media_service sh:binder { call transfer };
')

#avc:  denied  { use } for  pid=20777 comm="avmetadata_unit" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
debug_only(`
    allow media_service sh:fd { use };
')

#avc:  denied  { getattr } for  pid=499 comm="media_service" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=2096 comm="jsThread-1" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=0
allow media_service system_core_hap_data_file_attr:file { getattr read };
allow media_service media_service:udp_socket { create };
allow media_service foundation:binder { call transfer };

#avc:  denied  { call } for  pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow media_service codec_host:binder { call };

#avc:  denied  { transfer } for  pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow media_service codec_host:binder { transfer };

#avc:  denied  { get } for service=codec_hdi_omx_service pid=2247 scontext=u:r:media_service:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class permissive=0
allow media_service hdf_codec_hdi_omx_service:hdf_devmgr_class { get };

#avc:  denied  { add_name } for  pid=540 comm="media_service" name="check.config" scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
#avc:  denied  { write } for  pid=503 comm="media_service" name="log" dev="mmcblk0p11" ino=1305610 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
allow media_service data_file:dir { write add_name };

#avc:  denied  { write } for  pid=12844 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=391698 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=0
#avc:  denied  { getattr } for  pid=507 comm="media_service" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=1968 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=0
allow media_service data_test_media_file:file { write read getattr };

allow media_service system_basic_hap_attr:fd { use };

allow media_service system_basic_hap_attr:binder { transfer call };

allow media_service system_basic_hap_data_file_attr:file { getattr read write };

allow media_service normal_hap_data_file_attr:file { read getattr };

allow media_service musl_param:file { open map read };

allow media_service dnsproxy_service:sock_file { write };

allow media_service render_service:fd { use };

allow media_service data_media_log_file:file { create read open getattr write append ioctl };

allowxperm media_service data_media_log_file:file ioctl { 0x5413 };

allow media_service data_media_log_file:dir { create add_name write search };

allow media_service normal_hap_data_file:file { write };

allow media_service hilogd:unix_dgram_socket { sendto };

allow media_service sa_avsession_service:samgr_class { get };

allow media_service av_session:binder { call transfer };

allow media_service sa_foundation_bms:samgr_class { get };

#avc:  denied  { get } for service=4607 pid=624 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0
allow media_service sa_foundation_dms:samgr_class { get };

#add selinux for get sa_privacy_service
allow media_service sa_privacy_service:samgr_class { get };

#add selinux for call privacy_service
allow media_service privacy_service:binder { call transfer };