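# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Type-enforcement rules for the media_service domain.
# Each "#avc: denied" comment is the audit record the rule below it was
# derived from; rules are additive, so grouping and ordering carry no
# semantic weight. Rules wrapped in debug_only() are absent from the
# release policy (presumably a build-variant macro; confirm its definition).

# Bundle resources of an installed app (EL1 bundle area): stat only.
#avc: denied { getattr } for pid=475 comm="media_service" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/01.mp3" dev="mmcblk0p11" ino=1307144 scontext=u:r:media_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow media_service data_app_el1_file:file { getattr };

# User media files under hmdfs. The write permission comes from the recorder
# pipeline (queue0:src writing Videos/audio_09.mp4), not from playback.
#avc: denied { getattr } for pid=475 comm="media_service" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc: denied { read } for pid=475 comm="typefind:sink" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc: denied { write } for pid=475 comm="queue0:src" path="/data/service/el2/100/hmdfs/account/files/Videos/audio_09.mp4" dev="mmcblk0p11" ino=261565 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
allow media_service data_user_file:file { getattr read write };

# hilog input socket (tmpfs sock_file "hilogInput").
#avc: denied { write } for pid=475 comm="media_service" name="hilogInput" dev="tmpfs" ino=495 scontext=u:r:media_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=sock_file permissive=1
allow media_service dev_unix_socket:sock_file { write };

# Self-owned sockets. The udp_socket denial was logged here but its rule
# used to sit further down; it is kept next to its denial now. The
# duplicated "create" in the tcp_socket permission set has been dropped.
#avc: denied { connect } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc: denied { create } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc: denied { setopt } for pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc: denied { create } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1
allow media_service media_service:tcp_socket { connect create setopt };
allow media_service media_service:udp_socket { create };

# Outbound TCP connect. "port" is the generic port type, so this permits
# name_connect to any TCP port that carries no more specific type — the
# denial was only for dest=8000. NOTE(review): if the network source only
# needs a bounded set of ports, a dedicated port type would narrow this;
# confirm whether that is feasible.
#avc: denied { name_connect } for pid=475 comm="source:src" dest=8000 scontext=u:r:media_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
allow media_service port:tcp_socket { name_connect };

# Use fds passed in from system_core HAPs (the denial shows the
# system_core_hap domain; the rule targets its attribute).
#avc: denied { use } for pid=475 comm="qtdemux5:sink" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/64.mp4" dev="mmcblk0p11" ino=1307154 scontext=u:r:media_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1
allow media_service system_core_hap_attr:fd { use };

# Generic /data files (test media). Read-only here; writes are handled by
# the narrower data_test_media_file rule below.
#avc: denied { getattr } for pid=475 comm="media_service" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
#avc: denied { read } for pid=475 comm="media_service" name="H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
allow media_service data_file:file { getattr read open };

# /proc/sys/kernel/random/boot_id, read by the conversion source element.
#avc: denied { open } for pid=475 comm="conv_src:src" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
#avc: denied { read } for pid=475 comm="conv_src:src" name="boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
allow media_service proc_boot_id:file { open read };

# Binder and fd exchange with the shell domain: needed by the unit tests
# (avmetadata_unit) and deliberately kept out of the release policy.
#avc: denied { call } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
#avc: denied { transfer } for pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
debug_only(`
    allow media_service sh:binder { call transfer };
')

#avc: denied { use } for pid=20777 comm="avmetadata_unit" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
debug_only(`
    allow media_service sh:fd { use };
')

# Per-app data files of system_core HAPs (EL2 base area): read-only.
#avc: denied { getattr } for pid=499 comm="media_service" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1
#avc: denied { read } for pid=2096 comm="jsThread-1" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=0
allow media_service system_core_hap_data_file_attr:file { getattr read };

# Binder calls into the foundation process (no denial recorded for this rule).
allow media_service foundation:binder { call transfer };

# Binder to the codec host. The two denials were previously answered by
# two separate rules; they are merged into one permission set here.
#avc: denied { call } for pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
#avc: denied { transfer } for pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow media_service codec_host:binder { call transfer };

# Look up the OMX codec HDI service through the HDF device manager.
#avc: denied { get } for service=codec_hdi_omx_service pid=2247 scontext=u:r:media_service:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class permissive=0
allow media_service hdf_codec_hdi_omx_service:hdf_devmgr_class { get };

# Directory writes on the generic data_file type (creating "check.config"
# and writing into "log"). NOTE(review): this is broad for a media daemon;
# the "log" denial looks covered by the data_media_log_file rules below,
# so confirm whether "check.config" can be given a specific type too.
#avc: denied { add_name } for pid=540 comm="media_service" name="check.config" scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
#avc: denied { write } for pid=503 comm="media_service" name="log" dev="mmcblk0p11" ino=1305610 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
allow media_service data_file:dir { write add_name };

# Recorder test output under /data/test. The denials show the files labeled
# data_file / data_test_file, while the rule targets data_test_media_file —
# presumably the path was relabeled later; confirm against file_contexts.
#avc: denied { write } for pid=12844 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=391698 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=0
#avc: denied { getattr } for pid=507 comm="media_service" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=1
#avc: denied { read } for pid=1968 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=0
allow media_service data_test_media_file:file { write read getattr };

# Interaction with system_basic and normal HAPs (fd passing, binder, and
# their per-app data files). No denials were recorded for these rules.
allow media_service system_basic_hap_attr:fd { use };

allow media_service system_basic_hap_attr:binder { transfer call };

allow media_service system_basic_hap_data_file_attr:file { getattr read write };

allow media_service normal_hap_data_file_attr:file { read getattr };

# musl parameter file (mapped read-only).
allow media_service musl_param:file { open map read };

# DNS proxy socket, used for name resolution by the network source.
allow media_service dnsproxy_service:sock_file { write };

# Surface/buffer fds handed over by render_service.
allow media_service render_service:fd { use };

# Media log files and their directory. The extended permission 0x5413 is
# TIOCGWINSZ on Linux; presumably an isatty()-style probe by the logging
# code — confirm with the log backend before widening the ioctl set.
allow media_service data_media_log_file:file { create read open getattr write append ioctl };

allowxperm media_service data_media_log_file:file ioctl { 0x5413 };

allow media_service data_media_log_file:dir { create add_name write search };

allow media_service normal_hap_data_file:file { write };

# hilogd datagram socket.
allow media_service hilogd:unix_dgram_socket { sendto };

# System ability lookups (samgr) and the binder calls that follow them.
allow media_service sa_avsession_service:samgr_class { get };

allow media_service av_session:binder { call transfer };

allow media_service sa_foundation_bms:samgr_class { get };

#avc: denied { get } for service=4607 pid=624 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0
allow media_service sa_foundation_dms:samgr_class { get };

#add selinux for get sa_privacy_service
allow media_service sa_privacy_service:samgr_class { get };

#add selinux for call privacy_service
allow media_service privacy_service:binder { call transfer };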