# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the License);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# --- Application and user media files, hilog socket ---

# Bundle resources of an application (el1 storage): attribute query only.
# The recorded denial was logged with permissive=1 and its path lies inside the
# ohos.acts.multimedia.audio.audioplayer bundle. Neither read nor open is granted by this rule.
#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/01.mp3" dev="mmcblk0p11" ino=1307144 scontext=u:r:media_service:s0 tcontext=u:object_r:data_app_el1_file:s0 tclass=file permissive=1
allow media_service data_app_el1_file:file getattr;

# Per-user files under the hmdfs account tree (Audios and Videos in the records below).
# open is not granted, so access presumably happens through descriptors that the
# caller has already opened - TODO confirm.
# NOTE(review): the rule applies to every file labelled data_user_file, not only to the
# Audios and Videos paths that appear in the denials; write is the permission to watch here.
#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="typefind:sink" path="/data/service/el2/100/hmdfs/account/files/Audios/audioEncode_function_callback_00.aac" dev="mmcblk0p11" ino=261492 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
#avc:  denied  { write } for  pid=475 comm="queue0:src" path="/data/service/el2/100/hmdfs/account/files/Videos/audio_09.mp4" dev="mmcblk0p11" ino=261565 scontext=u:r:media_service:s0 tcontext=u:object_r:data_user_file:s0 tclass=file permissive=1
allow media_service data_user_file:file { read write getattr };

# Writing to the hilogInput socket node.
# NOTE(review): dev_unix_socket is the label in the denial; any other socket node that
# carries the same label becomes writable as well.
#avc:  denied  { write } for  pid=475 comm="media_service" name="hilogInput" dev="tmpfs" ino=495 scontext=u:r:media_service:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=sock_file permissive=1
allow media_service dev_unix_socket:sock_file write;

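# --- Network sockets owned by media_service ---

# TCP sockets created and used by media_service itself (source and target are both media_service).
#avc:  denied  { connect } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc:  denied  { create } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
#avc:  denied  { setopt } for  pid=475 comm="task542" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=tcp_socket permissive=1
# The next record is for tclass=udp_socket, not tcp_socket. It does not belong in the
# tcp_socket permission set; the udp_socket create permission is granted by the separate
# media_service:udp_socket rule further down in this file.
#avc:  denied  { create } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:media_service:s0 tclass=udp_socket permissive=1
# The permission set used to list create twice (once for the udp record above); the
# duplicate is removed, the effective tcp_socket permissions are unchanged.
allow media_service media_service:tcp_socket { connect create setopt };

# Outbound TCP connection to a port (dest=8000 in the recorded denial).
# NOTE(review): port is the label shown in the denial, so name_connect is granted for every
# port that carries that label, not only for port 8000. Confirm this breadth is intended or
# give the required ports a narrower label.
#avc:  denied  { name_connect } for  pid=475 comm="source:src" dest=8000 scontext=u:r:media_service:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
allow media_service port:tcp_socket { name_connect };
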
# --- Descriptors from HAPs, generic data files, boot id ---

# Use of file descriptors handed over by system_core HAP processes.
# NOTE(review): the denial names the type system_core_hap, while the rule targets
# system_core_hap_attr, which by its name is an attribute and may cover more domains
# than the one logged - confirm the member list.
#avc:  denied  { use } for  pid=475 comm="qtdemux5:sink" path="/data/storage/el1/bundle/ohos.acts.multimedia.audio.audioplayer/assets/entry/resources/rawfile/64.mp4" dev="mmcblk0p11" ino=1307154 scontext=u:r:media_service:s0 tcontext=u:r:system_core_hap:s0 tclass=fd permissive=1
allow media_service system_core_hap_attr:fd use;

# Reading files labelled data_file.
# NOTE(review): both records point at /data/test/H264_AAC.mp4, yet the rule is not limited
# to debug builds and covers every file labelled data_file. open is granted although no
# open denial is recorded here. Consider a narrower type for the test media.
#avc:  denied  { getattr } for  pid=475 comm="media_service" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="media_service" name="H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
allow media_service data_file:file { read open getattr };

# Read-only access to /proc/sys/kernel/random/boot_id.
#avc:  denied  { open } for  pid=475 comm="conv_src:src" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=475 comm="conv_src:src" name="boot_id" dev="proc" ino=150834 scontext=u:r:media_service:s0 tcontext=u:object_r:proc_boot_id:s0 tclass=file permissive=1
allow media_service proc_boot_id:file { read open };

# --- Interaction with the sh domain ---

# Binder traffic to sh and use of descriptors opened by sh. The fd record comes from
# comm="avmetadata_unit" working on /data/test, so this looks like test tooling started
# from a shell - TODO confirm.
# Both rules sit inside debug_only, so they are presumably left out of non-debug policy
# builds - verify against the macro definition. Keep them there: a production policy
# should not let media_service call into the shell domain.
#avc:  denied  { call } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=0
#avc:  denied  { transfer } for  pid=475 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
#avc:  denied  { use } for  pid=20777 comm="avmetadata_unit" path="/data/test/H264_AAC.mp4" dev="mmcblk0p11" ino=1044486 scontext=u:r:media_service:s0 tcontext=u:r:sh:s0 tclass=fd permissive=1
debug_only(`
    allow media_service sh:binder { transfer call };
    allow media_service sh:fd use;
')

# --- HAP private data, UDP socket, foundation binder ---

# Reading media stored in the private data directory of a system_core HAP.
# NOTE(review): the denials name the type system_core_hap_data_file; the rule targets
# system_core_hap_data_file_attr, which by its name is an attribute and may be wider.
#avc:  denied  { getattr } for  pid=499 comm="media_service" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=2096 comm="jsThread-1" path="/data/storage/el2/base/haps/entry/files/H264_AAC.mp4" dev="mmcblk0p11" ino=1307219 scontext=u:r:media_service:s0 tcontext=u:object_r:system_core_hap_data_file:s0 tclass=file permissive=0
allow media_service system_core_hap_data_file_attr:file { read getattr };

# UDP socket creation by media_service itself. The matching udp_socket create denial is
# recorded earlier in this file, next to the tcp_socket records.
allow media_service media_service:udp_socket create;

# Binder calls into the foundation domain. No denial record accompanies this rule.
allow media_service foundation:binder { transfer call };
# --- Codec host ---

# Binder call and transfer towards codec_host. The two permissions were denied in
# separate records and are granted together here.
#avc:  denied  { call } for  pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2003 comm="media_service" scontext=u:r:media_service:s0 tcontext=u:r:codec_host:s0 tclass=binder permissive=1
allow media_service codec_host:binder { call transfer };

# Obtaining codec_hdi_omx_service (hdf_devmgr_class get).
#avc:  denied  { get } for service=codec_hdi_omx_service pid=2247 scontext=u:r:media_service:s0 tcontext=u:object_r:hdf_codec_hdi_omx_service:s0 tclass=hdf_devmgr_class permissive=0
allow media_service hdf_codec_hdi_omx_service:hdf_devmgr_class get;

# --- Generic data directories and test media ---

# Adding entries to directories labelled data_file (check.config and log in the records).
# NOTE(review): this lets media_service add names in every directory labelled data_file,
# not only the two seen in the denials. A dedicated type for those directories would keep
# the grant narrow.
#avc:  denied  { add_name } for  pid=540 comm="media_service" name="check.config" scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
#avc:  denied  { write } for  pid=503 comm="media_service" name="log" dev="mmcblk0p11" ino=1305610 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
allow media_service data_file:dir { add_name write };

# Recorder test output under /data/test.
# NOTE(review): the records show tcontext data_file and data_test_file, while the rule
# grants access to data_test_media_file. Presumably the test media was given its own
# label after these denials were captured - confirm the file contexts match.
#avc:  denied  { write } for  pid=12844 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=391698 scontext=u:r:media_service:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=0
#avc:  denied  { getattr } for  pid=507 comm="media_service" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=1968 comm="recorder_unit_t" path="/data/test/recorder_video_yuv_mpeg4.mp4" dev="mmcblk0p11" ino=1175048 scontext=u:r:media_service:s0 tcontext=u:object_r:data_test_file:s0 tclass=file permissive=0
allow media_service data_test_media_file:file { read write getattr };

# --- HAP descriptors, binder and data files; libc parameters; DNS; render service ---
# None of the rules in this group carries an audit record, so the reason for each grant
# has to be checked against the callers.

# Descriptors passed in by system_basic HAPs, and binder replies to them.
allow media_service system_basic_hap_attr:fd use;
allow media_service system_basic_hap_attr:binder { call transfer };

# Media kept in HAP data directories. system_basic HAP data is writable, normal HAP data
# is read-only through this attribute rule. open is not granted in either case.
allow media_service system_basic_hap_data_file_attr:file { read write getattr };
allow media_service normal_hap_data_file_attr:file { getattr read };

# Read-only mapping of files labelled musl_param.
allow media_service musl_param:file { read open map };

# Writing to the dnsproxy_service socket node.
allow media_service dnsproxy_service:sock_file write;

# Descriptors received from render_service.
allow media_service render_service:fd use;

# --- Media log files, HAP file write, hilogd ---

# media_service creates and appends to its own log files.
allow media_service data_media_log_file:file { read write append create open getattr ioctl };

# ioctl on log files is limited to a single request number instead of the whole ioctl
# space. 0x5413 is TIOCGWINSZ on Linux; on a regular file it presumably comes from a libc
# terminal check - TODO confirm.
allowxperm media_service data_media_log_file:file ioctl { 0x5413 };

# Creating and searching the log directory and adding entries to it.
allow media_service data_media_log_file:dir { search write add_name create };

# NOTE(review): write on the type normal_hap_data_file, in addition to the read and
# getattr granted on normal_hap_data_file_attr elsewhere in this file. No audit record is
# given for it - confirm which caller needs media_service to write into HAP data files.
allow media_service normal_hap_data_file:file write;

# Datagram messages to hilogd.
allow media_service hilogd:unix_dgram_socket sendto;

# --- System ability lookups (samgr_class get) and the binder calls that follow ---

# AV session: lookup of sa_avsession_service, then binder to the av_session domain.
allow media_service sa_avsession_service:samgr_class get;
allow media_service av_session:binder { transfer call };

# Lookup of sa_foundation_bms. No binder rule for it appears next to this line; the
# foundation:binder rule elsewhere in this file presumably covers the call - confirm.
allow media_service sa_foundation_bms:samgr_class get;

# Lookup of sa_foundation_dms (service=4607 in the record).
#avc:  denied  { get } for service=4607 pid=624 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=0
allow media_service sa_foundation_dms:samgr_class get;

# Privacy service: lookup of sa_privacy_service, then binder to the privacy_service domain.
allow media_service sa_privacy_service:samgr_class get;
allow media_service privacy_service:binder { transfer call };