# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#avc:  denied  { get } for service=3002 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_media_service:samgr_class { get };

#avc:  denied  { get } for service=4700 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_softbus_service:samgr_class { get };

#avc:  denied  { get } for service=3901 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
allow dscreen sa_param_watcher:samgr_class { get };

#avc:  denied  { call } for  pid=2025 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
allow dscreen softbus_server:binder { call };

#avc:  denied  { call } for  pid=686 comm="THREAD_POOL" scontext=u:r:softbus_server:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=1
allow dscreen dscreen:binder { call };

#avc:  denied  { use } for  pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1
allow dscreen softbus_server:fd { use };

#avc:  denied  { read write } for  pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket { read write };

#avc:  denied  { setopt } for  pid=2025 comm="dscreen"  scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket { setopt };

#avc:  denied  { search } for  pid=2117 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow dscreen dev_unix_socket:dir { search };

#avc:  denied  { call } for  pid=2117 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow dscreen foundation:binder { call transfer };

#avc:  denied  { get_remote } for service=4808 pid=2117 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { add } for service=4808 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_dscreen_sink_service:samgr_class { get_remote add get };

#avc:  denied  { search } for  pid=1925 comm="dscreen" name="/" dev="tracefs" ino=1 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
allow dscreen tracefs:dir { search };

#avc:  denied  { write } for  pid=1925 comm="dscreen" name="trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=1925 comm="dscreen" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow dscreen tracefs_trace_marker_file:file { write open };

#avc:  denied  { search } for  pid=1925 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow dscreen dev_unix_socket:dir { search };

#avc:  denied  { search } for  pid=1925 comm="dscreen" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dscreen:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
allow dscreen data_file:dir { search };

#avc:  denied  { call } for  pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2381 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
allow dscreen media_service:binder { call transfer };

#avc:  denied  { use } for  pid=674 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=179 scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
allow dscreen media_service:fd { use };

#avc:  denied  { read } for  pid=1978 comm="Fillp_core_31"  scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { write } for  pid=1978 comm="Fillp_core_31" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen dscreen:udp_socket { read write };

#avc:  denied  { add } for service=4807 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { get_remote } for service=4807 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_dscreen_source_service:samgr_class { add get_remote get };

#avc:  denied  { get } for service=4607 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1
allow dscreen sa_foundation_dms:samgr_class { get };

#avc:  denied  { search } for  pid=2127 comm="dscreen" name="usr" dev="mmcblk0p6" ino=2492 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1
allow dscreen system_usr_file:dir { search };

#avc:  denied  { getattr } for  pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=2127 comm="dscreen" name="supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=2127 comm="dscreen" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2494 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
allow dscreen system_usr_file:file { getattr read open map };

#avc:  denied  { transfer } for  pid=2127 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
allow dscreen softbus_server:binder { transfer };

#avc:  denied  { create } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { setopt } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { bind } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { getattr } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen  dscreen:udp_socket { create setopt bind getattr};

#avc:  denied  { node_bind } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
allow dscreen node:udp_socket { node_bind };

#avc:  denied  { create } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
#avc:  denied  { write } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
allow dscreen dscreen:netlink_route_socket { create write };

#avc:  denied  { shutdown } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket { shutdown };

#avc:  denied  { call } for  pid=2325 comm="dscreen"     scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
allow dscreen render_service:binder { call transfer };

#avc:  denied  { shutdown } for  pid=2325 comm="THREAD_POOL" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket { shutdown };

#avc:  denied  { get } for service=10 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_render_service:samgr_class { get };

#avc:  denied  { get } for service=4606 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1
allow dscreen sa_foundation_wms:samgr_class { get };

#avc:  denied  { get } for service=3101 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
allow dscreen sa_multimodalinput_service:samgr_class { get };

#avc:  denied  { call } for  pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1
allow dscreen multimodalinput:binder { call };

#avc:  denied  { use } for  pid=251 comm="multimodalinput" path="socket:[32377]" dev="sockfs" ino=32377 scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1
allow dscreen multimodalinput:fd { use };

#avc:  denied  { nlmsg_read } for  pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
#avc:  denied  { read } for  pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
allow dscreen dscreen:netlink_route_socket { nlmsg_read nlmsg_readpriv read };

#avc:  denied  { connect } for  pid=2417 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen dscreen:udp_socket { connect };

#avc:  denied  { read write } for  pid=253 comm="multimodalinput" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
allow dscreen multimodalinput:unix_stream_socket { read write };

#avc:  denied  { getopt } for  pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1
#avc:  denied  { setopt } for  pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1
allow dscreen dscreen:unix_dgram_socket { getopt setopt };

debug_only(`
    #avc:  denied  { call } for  pid=2552 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
    allow dscreen sh:binder { call transfer };
')

allow dscreen init:binder { call transfer };

#avc:  denied  { use } for   scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=0
allow dscreen render_service:fd { use };

#avc:  denied  { read write } for   scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1
allow dscreen render_service:unix_stream_socket { read write };

#avc:  denied  { get } for service=4801 pid=2892 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=0
allow dscreen sa_dhardware_service:samgr_class { get };

#avc:  denied  { read } for  pid=2824 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2839 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=2839  scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1
allow dscreen accessibility_param:file { read open map };

#avc:  denied  { read } for  pid=2021  scontext=u:r:dscreen:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0
allow dscreen ohos_dev_param:file { read };

#avc:  denied  { read write } for  pid=2573 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
allow dscreen dev_console_file:chr_file { read write };

#avc:  denied  { read } for  pid=2692    ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2381    ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow dscreen musl_param:file { read open };

#avc:  denied  { search } for  pid=3351  scontext=u:r:dscreen:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=0
allow dscreen vendor_bin_file:dir { search };

#avc:  denied  { get } for  service=allocator_service pid=3162  scontext=u:r:dscreen:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
allow dscreen hdf_allocator_service:hdf_devmgr_class { get };

#avc:  denied  { create } for  pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { bind } for  pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { read } for  pid=2893 comm="dscreen" laddr=127.0.0.1 lport=7000 faddr=127.0.0.1 fport=44306 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { listen } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { setopt } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { accept } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
allow dscreen dscreen:tcp_socket { create bind read listen setopt accept };

#avc:  denied  { name_bind } for  pid=2893 comm="dscreen" src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
allow dscreen port:tcp_socket { name_bind };

#avc:  denied  { use } for  pid=2893 comm="IPC_1_2900" path="/dmabuf:" dev="dmabuf" info=39534 ioctlcmd=0x6200 scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1
allow dscreen allocator_host:fd { use };

#avc:  denied  { read } for  pid=3041 comm="dscreen" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
allow dscreen proc_cpuinfo_file:file { read open getattr };

#avc:  denied  { get } for  scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=0
allow dscreen sa_device_service_manager:samgr_class { get };

#avc:  denied  { call } for  pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow dscreen hdf_devmgr:binder { call };

#avc:  denied  { call } for  pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1
allow dscreen allocator_host:binder { call };

#avc:  denied  { read } for  pid=2914 comm="IPC_1_2921" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
allow dscreen proc_cpuinfo_file:file { read open getattr };

#avc:  denied  { read } for  pid=2876 comm="sa_main" name="online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow dscreen sysfs_devices_system_cpu:file { read open getattr };

#avc:  denied  { node_bind } for  pid=2876 comm="IPC_1_2884" saddr=127.0.0.1 src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=tcp_socket permissive=1
allow dscreen node:tcp_socket { node_bind };

allow dscreen system_lib_file:dir { open read };
allow dscreen dev_ashmem_file:chr_file { open };
allow dscreen dhardware:binder { transfer };
allow dscreen hdf_codec_hdi_omx_service:hdf_devmgr_class { get };
allow dscreen codec_host:binder { call transfer };

#avc:  denied  { get } for service=401 pid=1478 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0
allow dscreen sa_foundation_bms:samgr_class { get };

#avc:  denied  { get } for service=3503 pid=1519 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=0
allow dscreen sa_accesstoken_manager_service:samgr_class { get };

allow dscreen accesstoken_service:binder { call };

allow dscreen arkcompiler_param:file { map open read };
allow dscreen av_codec_service:binder { call transfer };
allow dscreen av_codec_service:fd { use };
allow dscreen chip_prod_file:dir { search };
allow dscreen codec_host:fd { use };
allow dscreen dev_dri_file:chr_file { open read write };
allowxperm dscreen dev_dri_file:chr_file ioctl { 0x641f };
allow dscreen dev_dri_file:dir { search };
allow dscreen dev_kmsg_file:chr_file { write };
allow dscreen dev_kmsg_file:file { read };
allow dscreen sa_av_codec_service:samgr_class { get };
allow dscreen sys_prod_file:dir { search };
allow dscreen sysfs_devices_system_cpu:file { read getattr };
allow dscreen tty_device:chr_file { read write };