1# Copyright (c) 2022-2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
#avc:  denied  { add } for service=3302 pid=608 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_bluetooth_server:s0 tclass=samgr_class permissive=1
# Registration of the bluetooth system ability (id 3302) with samgr.
# Only `add` is granted here; lookups of other abilities are covered by the
# per-service `get` rules further down.
allow bluetooth_service sa_bluetooth_server:samgr_class add;
16
#avc:  denied  { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:audio_server:s0 tclass=binder permissive=1
# Outbound binder calls (and passing binder handles) to the audio server.
# This is one-directional: audio_server calling back into bluetooth_service
# needs a matching rule in audio_server's own policy.
allow bluetooth_service audio_server:binder { call transfer };
20
#avc:  denied  {search} for pid=371 comm="threaded-ml" name="data" dev="mmcblk0p7" ino=1436162 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=dir permissive=1
# Directory traversal within the bluetooth-owned data tree.
allow bluetooth_service data_bluetooth:dir { search };

# The tcontext in the first pasted denial below is garbled (a copy/paste
# splice); the two denials after it, on the same path, show the real type,
# data_bluetooth, which is what the rule grants.
#avc:  denied  { getattr } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_data_pudata_bluetoothlse_dir:s0 tclass=file permissive=1
#avc:  denied  { open } for pid=371 comm="threaded-ml" path="/data/data/.pulse_dir/state/cookie" dev="mmcblk0p7" ino=1436170 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1
#avc:  denied  { read } for pid=371 comm="threaded-ml" name="state" dev="mmcblk0p7" ino=1436167 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_bluetooth:s0 tclass=file permissive=1
# Read-only access to files under data_bluetooth (the path in the denials is
# presumably the audio client state/cookie — confirm against the audio stack).
# Write/create/unlink on the same type are granted separately further down.
allow bluetooth_service data_bluetooth:file { getattr open read };
28
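#avc:  denied  { write } for  pid=1207 comm="bluetooth_servi" name="ubsan" dev="mmcblk0p11" ino=574 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
#avc:  denied  { search } for pid=371 comm="threaded-ml" name="/" dev="mmcblk0p7" ino=2 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
# `search` on the generic data_file directory type is needed to traverse the
# root of the data partition (name="/", ino=2 in the denial) down to the
# bluetooth-specific subdirectories (data_bluetooth, data_service_el1_file, ...).
allow bluetooth_service data_file:dir { search };
# The only recorded `write` denial is for a "ubsan" directory, i.e. output of a
# sanitizer-instrumented (debug) build.  `write` on a directory type is one of
# the prerequisites (with add_name/remove_name) for creating or removing
# entries directly in the generic data_file directories, so keep it out of
# release policy and gate it the same way the sh:binder rules below are gated.
# If a release feature turns out to need it, give that path its own file type
# rather than widening this rule.
debug_only(`
    allow bluetooth_service data_file:dir { write };
')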
32
# Domain entrypoint: bluetooth_service runs inside the sa_main host process
# (cf. comm="/system/bin/sa_main" in the denials at the end of this file),
# so the domain must be allowed to enter via, execute and map that binary.
allow bluetooth_service samain_exec:file { entrypoint execute map read };
34
#avc:  denied  { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
#avc:  denied  {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:samgr:s0 tclass=binder permissive=1
# Binder transport to the system ability manager; the samgr_class `get`/`add`
# rules elsewhere in this file are checked on top of this.
allow bluetooth_service samgr:binder { call transfer };

#avc:  denied  { call } for pid=293 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
#avc:  denied  {transfer} for pid=310 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
# Binder transport to the softbus (cross-device communication) server.
allow bluetooth_service softbus_server:binder { call transfer };
42
# Symlink resolution under tmpfs-backed mounts.  No denial is recorded for
# this rule.
allow bluetooth_service tmpfs:lnk_file read;

# Loading/executing vendor-partition code (execute+map, plus the read/open/
# getattr that accompany a dlopen()-style load).  No denial recorded; confirm
# which vendor objects the service actually loads.
allow bluetooth_service vendor_file:file { read open getattr map execute };
46
# --- System-ability / HDF service lookups.  Each `get` lets the domain obtain
# a proxy for one named service; the binder call/transfer rules elsewhere in
# this file are what then permit talking to it.
#avc:  denied  { get } for service=5100 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_device_service_manager:s0 tclass=samgr_class permissive=1
allow bluetooth_service sa_device_service_manager:samgr_class { get };

#avc:  denied  { get } for service=hci_interface_service pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_hci_interface_service:s0 tclass=hdf_devmgr_class permissive=1
# HCI transport from the HDF device manager.
allow bluetooth_service hdf_hci_interface_service:hdf_devmgr_class { get };

#avc:  denied  { get } for service=4010 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_telephony_tel_core_service:s0 tclass=samgr_class permissive=1
allow bluetooth_service sa_telephony_tel_core_service:samgr_class { get };

#avc:  denied  { get } for service=4005 pid=278 scontext=u:r:bluetooth_service:s0 tcontext=u:r:sa_foundation_tel_call_manager:s0 tclass=samgr_class permissive=1
allow bluetooth_service sa_foundation_tel_call_manager:samgr_class { get };

#avc:  denied  { get } for service=4009 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_foundation_tel_state_registry:s0 tclass=samgr_class permissive=0
allow bluetooth_service sa_foundation_tel_state_registry:samgr_class { get };

# (The pasted denial below has no service= field; the rule was derived from
# the tcontext.)
#avc:  denied  { get } for pid=279 scontext=u:r:bluetooth_service:s0 tcontext=u:r:hdf_device_manager:s0 tclass=hdf_devmgr_class permissive=1
allow bluetooth_service hdf_device_manager:hdf_devmgr_class { get };

#avc:  denied  { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_foundation_cesfwk_service:s0 tclass=samgr_class permissive=0
# Common event service (id 3299).
allow bluetooth_service sa_foundation_cesfwk_service:samgr_class { get };
67
# --- Network-interface path (TUN device + interface configuration).  These are
# the most privileged rules in this file and none of them cites a denial, so
# the exact need is inferred from the permissions alone — TODO confirm against
# the bluetooth networking code before widening anything here.
allow bluetooth_service dev_tun_file:chr_file { open read write ioctl };
allow bluetooth_service bluetooth_service:udp_socket { create ioctl read write shutdown };
# Interface ioctls on the UDP socket (Linux values): 0x8927 SIOCGIFHWADDR,
# 0x8914 SIOCSIFFLAGS, 0x8924 SIOCSIFHWADDR, 0x891c SIOCSIFNETMASK,
# 0x8916 SIOCSIFADDR, 0x8915 SIOCGIFADDR.  The SIOCSIF* entries change
# interface state, which is why net_admin is needed below.  Keep this list
# minimal: it is the only thing narrowing what net_admin can be used for.
allowxperm bluetooth_service bluetooth_service:udp_socket ioctl { 0x8927 0x8914 0x8924 0x891c 0x8916 0x8915 };
allow bluetooth_service bluetooth_service:tun_socket { create ioctl read write shutdown };
# TUN ioctls (Linux values): 0x800454d2 TUNGETIFF, 0x400454ca TUNSETIFF.
# Any other ioctl on the tun node remains denied by this allowxperm.
allowxperm bluetooth_service dev_tun_file:chr_file ioctl { 0x800454d2 0x400454ca };
# NOTE(review): net_admin is far broader than "bring up one tun interface" —
# it also covers routing tables, netfilter, promiscuous mode and interface
# renaming.  Linux has no finer-grained capability, so the rule is needed for
# the SIOCSIF*/TUNSETIFF calls above, but it makes this domain a high-value
# target; everything else granted to it should stay tight.
allow bluetooth_service bluetooth_service:capability { net_admin };
allow bluetooth_service netmanager:binder { call transfer };
# module_request lets the kernel autoload a module on this domain's behalf
# (e.g. the tun driver when opening the tun node, if it is built as a module).
# It does not by itself permit init_module/finit_module; sys_module is not
# granted anywhere in this listing.
allow bluetooth_service kernel:system { module_request };
76
# /dev/uhid access (presumably the HID profile injecting input devices —
# confirm); `open` on the same node is granted a few lines below.
allow bluetooth_service dev_uhid_file:chr_file { write read };

# Housekeeping of the service's own files under data_bluetooth: removing
# directory entries, renaming and deleting files.
allow bluetooth_service data_bluetooth:dir remove_name;
allow bluetooth_service data_bluetooth:file { unlink rename };
81
# Debug builds only: allow the shell domain to exchange binder calls with this
# service (used for command-line tooling).  Never enabled in release policy.
debug_only(`
    allow bluetooth_service sh:binder { transfer call };
')
allow bluetooth_service dev_uhid_file:chr_file open;
# Callbacks into ordinary (normal-privilege) application domains.
allow bluetooth_service normal_hap_attr:binder { transfer call };
88
#avc:  denied  { call } for  pid=380 comm="1IPC_450" scontext=u:r:bluetooth_service:s0 tcontext=u:r:system_core_hap:s0 tclass=binder permissive=1
# Callbacks into system-core application domains (matched via the attribute,
# not the single domain in the denial).
allow bluetooth_service system_core_hap_attr:binder { call transfer };

# NOTE(review): read/write on /dev/console from a long-running service is
# unusual and no denial is recorded for it.  If it only serves debug output,
# gate it with debug_only() like the sh:binder rules above.
allow bluetooth_service dev_console_file:chr_file { read write };
allow bluetooth_service data_service_file:dir { search };
# NOTE(review): this grants create/rename/unlink over *every* file of type
# data_service_el1_file, not just a bluetooth subtree.  If file_contexts can
# label the bluetooth directory with its own type, prefer that — it bounds
# what a compromised service (it holds net_admin) can alter.  TODO confirm
# the labelled path.
allow bluetooth_service data_service_el1_file:dir { getattr search open read write add_name remove_name };
allow bluetooth_service data_service_el1_file:file { getattr setattr open read write rename unlink ioctl create};
96
# Log-file maintenance under data_log (stat/chmod/delete).  The remaining
# data_log permissions (create/write/rename, directory add/remove) are granted
# further down in this file.
#avc: denied { getattr } bluetooth_service data_log tclass=file
#avc: denied { setattr } bluetooth_service data_log tclass=file
#avc: denied { unlink } bluetooth_service data_log tclass=file
allow bluetooth_service data_log:file { getattr setattr unlink };

#avc: denied { read } bluetooth_service data_log tclass=dir
#avc: denied { open } bluetooth_service data_log tclass=dir
# Listing the log directory.
allow bluetooth_service data_log:dir { read open };
105
# The abbreviated denials below say read/open, but the permissions these
# classes actually check — and that are granted — are `get` (hdf_devmgr_class,
# samgr_class) and `use` (fd).
#avc: denied { read } bluetooth_service hdf_bluetooth_audio_session_service tclass=hdf_devmgr_class
#avc: denied { open } bluetooth_service a2dp_host tclass=fd
#avc: denied { open } bluetooth_service sa_powermgr_battery_service tclass=samgr_class
allow bluetooth_service hdf_bluetooth_audio_session_service:hdf_devmgr_class { get };
# No denial recorded for the audio HDI service lookup; it was added alongside
# the session service.  TODO confirm it is still exercised.
allow bluetooth_service hdf_audio_bluetooth_hdi_service:hdf_devmgr_class { get };
# Using file descriptors handed over by a2dp_host (e.g. shared audio buffers).
allow bluetooth_service a2dp_host:fd { use };
allow bluetooth_service sa_powermgr_battery_service:samgr_class { get };
113
#avc: denied { read open getattr } scontext=u:r:bluetooth_service  tcontext=u:object_r:sysfs_devices_system_cpu: tclass=file permissive=1
# Read-only access to /sys/devices/system/cpu/* (CPU topology/frequency info).
allow bluetooth_service sysfs_devices_system_cpu:file { read open getattr };

#avc: denied { getattr } scontext=u:r:bluetooth_service  tcontext=u:object_r:dev_file: tclass=dir permissive=1
# stat() of /dev itself; no listing or traversal beyond what other rules grant.
allow bluetooth_service dev_file:dir { getattr };
119
# --- Alphabetised bulk rules (no individual denials recorded).
# The many `*_param:file { map open read }` rules are read-only mmap of the
# system-parameter shared pages; they grant no ability to set parameters.
# Permission checks for access-token lookups (call only, no handle transfer).
allow bluetooth_service accesstoken_service:binder { call };
allow bluetooth_service blue_host:binder { call transfer };
allow bluetooth_service bluetooth_service:unix_dgram_socket { getopt setopt };
allow bluetooth_service bootevent_param:file { map open read };
allow bluetooth_service bootevent_samgr_param:file { map open read };
allow bluetooth_service build_version_param:file { map open read };
allow bluetooth_service const_allow_mock_param:file { map open read };
allow bluetooth_service const_allow_param:file { map open read };
allow bluetooth_service const_build_param:file { map open read };
allow bluetooth_service const_display_brightness_param:file { map open read };
allow bluetooth_service const_param:file { map open read };
allow bluetooth_service const_postinstall_fstab_param:file { map open read };
allow bluetooth_service const_postinstall_param:file { map open read };
allow bluetooth_service const_product_param:file { map open read };
# Write side of the bluetooth data tree; the read side and rename/unlink are
# granted earlier in this file.
allow bluetooth_service data_bluetooth:dir { add_name write read open };
allow bluetooth_service data_bluetooth:file { create ioctl write read };
allow bluetooth_service data_user:dir { search };
# NOTE(review): read/open on the generic data_file *file* type means any
# unlabeled-by-subtype file under the data partition is readable by this
# domain.  No denial is recorded; confirm which file needs it.
allow bluetooth_service data_file:file { read open };
# Log rotation and writing under data_log: creating/removing entries in the
# directory, and creating, writing and renaming the log files themselves.
# (getattr/setattr/unlink on the files are granted earlier in this file.)
allow bluetooth_service data_log:dir { search write add_name remove_name };
allow bluetooth_service data_log:file { create open read write rename ioctl };
allow bluetooth_service debug_param:file { map open read };
allow bluetooth_service default_param:file { map open read };
# Traversal of the unix socket directory (needed to reach the paramservice
# socket granted further down).
allow bluetooth_service dev_unix_socket:dir { search };
allow bluetooth_service distributedsche_param:file { map open read };
allow bluetooth_service foundation:binder { call transfer };
allow bluetooth_service hdf_devmgr:binder { call };
allow bluetooth_service hilog_param:file { map open read };
allow bluetooth_service hw_sc_build_os_param:file { map open read };
allow bluetooth_service hw_sc_build_param:file { map open read };
allow bluetooth_service hw_sc_param:file { map open read };
allow bluetooth_service init_param:file { map open read };
allow bluetooth_service init_svc_param:file { map open read };
allow bluetooth_service input_pointer_device_param:file { map open read };
allow bluetooth_service net_param:file { map open read };
allow bluetooth_service net_tcp_param:file { map open read };
allow bluetooth_service ohos_boot_param:file { map open read };
allow bluetooth_service ohos_param:file { map open read };
allow bluetooth_service param_watcher:binder { call transfer };
allow bluetooth_service persist_param:file { map open read };
allow bluetooth_service persist_sys_param:file { map open read };
# Macro form of the binder call/transfer rules used elsewhere in this file.
binder_call(bluetooth_service, powermgr);
allow bluetooth_service sa_accesstoken_manager_service:samgr_class { get };
allow bluetooth_service sa_param_watcher:samgr_class { get };
allow bluetooth_service security_param:file { map open read };
allow bluetooth_service startup_param:file { map open read };
allow bluetooth_service sys_param:file { map open read };
# Callbacks into system-basic application domains.
allow bluetooth_service system_basic_hap_attr:binder { call transfer };
allow bluetooth_service system_bin_file:dir { search };
allow bluetooth_service sys_usb_param:file { map open read };
allow bluetooth_service telephony_sa:binder { call transfer };
# ftrace marker writes (tracing output only; no read of trace data).
allow bluetooth_service tracefs:dir { search };
allow bluetooth_service tracefs_trace_marker_file:file { open write };
# Duplicate of the normal_hap_attr rule earlier in this file (harmless).
allow bluetooth_service normal_hap_attr:binder { call };
# 0x5413 is TIOCGWINSZ (Linux), typically issued by isatty()-style checks in
# logging code; it is meaningless on a regular file and only these ioctls are
# permitted on the two data types.
allowxperm bluetooth_service data_bluetooth:file ioctl { 0x5413 };
allowxperm bluetooth_service data_log:file ioctl { 0x5413 };
175
#avc:  denied  { call } for  pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=305 comm="bluetooth_servi" scontext=u:r:bluetooth_service:s0 tcontext=u:r:a2dp_host:s0 tclass=binder permissive=1
# Binder transport to the A2DP host (fd use from it is granted earlier).
allow bluetooth_service a2dp_host:binder { call transfer };

#avc:  denied  { get } for service=3009 pid=283 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_audio_policy_service:s0 tclass=samgr_class permissive=1
allow bluetooth_service sa_audio_policy_service:samgr_class { get };

#avc:  denied  { get } for service=3001 pid=316 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_pulseaudio_audio_service:s0 tclass=samgr_class permissive=1
allow bluetooth_service sa_pulseaudio_audio_service:samgr_class { get };

# Resource-schedule service: call only (no binder handle transfer); no denial
# recorded.
allow bluetooth_service resource_schedule_service:binder { call };
188
# NOTE(review): `persist_param` appears to be the catch-all type for persist.*
# parameters without a more specific type; `set` lets this domain write any of
# them, and they survive reboot.  No denial is recorded for this rule —
# narrow it to a bluetooth-specific parameter type if one exists.
allow bluetooth_service persist_param:parameter_service set;
190
191
#avc:  denied  { write } for  pid=2949 comm="AdapterManager" name="paramservice" dev="tmpfs" ino=85 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=0
# Path-level check for connecting to /dev/unix/socket/paramservice.
allow bluetooth_service paramservice_socket:sock_file { read write };

#avc:  denied  { connectto } for  pid=2922 comm="AdapterManager" path="/dev/unix/socket/paramservice" scontext=u:r:bluetooth_service:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=0
# NOTE(review): per the denial the listening process runs in the `kernel`
# domain, so this rule permits connectto on *any* unix stream socket a
# kernel-domain process listens on, not just paramservice; the sock_file rule
# above is the only thing scoping it to one path.  If the policy can place the
# parameter service in its own domain, this should target that domain instead.
allow bluetooth_service kernel:unix_stream_socket { connectto };
197
# Distributed-data (KV store) access and the related ability lookups.  No
# denials recorded for this group.
allow bluetooth_service distributeddata:binder { call transfer };
allow bluetooth_service distributeddata:fd { use };
allow bluetooth_service sa_dataobs_mgr_service_service:samgr_class { get };
allow bluetooth_service sa_distributeddata_service:samgr_class { get };
allow bluetooth_service sa_foundation_abilityms:samgr_class { get };
allow bluetooth_service sa_net_conn_manager:samgr_class { get };
204
# NOTE(review): full create/unlink/write over the generic data_misc type, with
# no denial recorded.  As with data_service_el1_file above, a bluetooth-specific
# subtype would limit what this domain can touch — confirm which path needs it.
allow bluetooth_service data_misc:dir { read write add_name remove_name open };
allow bluetooth_service data_misc:file { read getattr unlink create ioctl write open };
# Only TIOCGWINSZ (0x5413) is permitted as an ioctl on these files.
allowxperm bluetooth_service data_misc:file ioctl { 0x5413 };
208
# (The service id in this copied denial line is the one from the cesfwk denial
# above; the rule is based on the tcontext, which is the SMS/MMS ability.)
#avc:  denied  { get } for service=3299 pid=348 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_telephony_tel_sms_mms:s0 tclass=samgr_class permissive=0
allow bluetooth_service sa_telephony_tel_sms_mms:samgr_class { get };
# Bundle manager lookup; no denial recorded.
allow bluetooth_service sa_foundation_bms:samgr_class { get };
212
#avc: denied { call } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0
#avc: denied { transfer } for pid=1414, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:device_manager:s0 tclass=binder permissive=0
# Binder transport to the device manager.
allow bluetooth_service device_manager:binder { call transfer };

#avc:  denied  { get } for service=3505 pid=14188 scontext=u:r:bluetooth_service:s0 tcontext=u:object_r:sa_privacy_service:s0 tclass=samgr_class permissive=0
# Privacy service (id 3505) lookup, used for permission-usage reporting.
allow bluetooth_service sa_privacy_service:samgr_class { get };

#avc:  denied  { call } for pid=1612, comm="/system/bin/sa_main" scontext=u:r:bluetooth_service:s0 tcontext=u:r:privacy_service:s0 tclass=binder permissive=1
# Call only — no handle transfer was needed, so none is granted.
allow bluetooth_service privacy_service:binder { call };
222