# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
13
# samgr lookups: dscreen may get the three service types named in the denial
# records below. One record per target type is kept as evidence; all three were
# logged with permissive=1, i.e. the access was observed, not blocked.
#avc:  denied  { get } for service=3002 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_media_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { get } for service=4700 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_softbus_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { get } for service=3901 pid=2063 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_param_watcher:s0 tclass=samgr_class permissive=1
allow dscreen { sa_media_service sa_softbus_service sa_param_watcher }:samgr_class get;
22
# Binder, passed-fd and TCP socket access between dscreen and softbus_server.

#avc:  denied  { call } for  pid=2025 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
allow dscreen softbus_server:binder call;

#avc:  denied  { call } for  pid=686 comm="THREAD_POOL" scontext=u:r:softbus_server:s0 tcontext=u:r:dscreen:s0 tclass=binder permissive=1
# NOTE(review): the record above has softbus_server as source and dscreen as
# target, while the rule below lets dscreen call itself. The rule does not cover
# the logged access; confirm whether the self rule is needed and where the
# softbus_server to dscreen call is granted.
allow dscreen dscreen:binder call;

# File descriptor handed over by softbus_server (a socket in the record).
#avc:  denied  { use } for  pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=fd permissive=1
allow dscreen softbus_server:fd use;

# The read/write and setopt rules on the same socket class are written as one rule.
#avc:  denied  { read write } for  pid=686 comm="THREAD_POOL" path="socket:[32801]" dev="sockfs" ino=32801 scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
#avc:  denied  { setopt } for  pid=2025 comm="dscreen"  scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket { read write setopt };
37
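# Directory traversal, foundation IPC, sink-service registration and trace
# marker access. The dev_unix_socket search rule was written twice in this run;
# it is kept once and both denial records are retained as evidence.

#avc:  denied  { search } for  pid=2117 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
#avc:  denied  { search } for  pid=1925 comm="dscreen" name="socket" dev="tmpfs" ino=40 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
allow dscreen dev_unix_socket:dir search;

#avc:  denied  { call } for  pid=2117 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:foundation:s0 tclass=binder permissive=1
allow dscreen foundation:binder { call transfer };

#avc:  denied  { get_remote } for service=4808 pid=2117 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { add } for service=4808 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_sink_service:s0 tclass=samgr_class permissive=1
# NOTE(review): get is granted as well, although no get denial is recorded here.
allow dscreen sa_dscreen_sink_service:samgr_class { get_remote add get };

#avc:  denied  { search } for  pid=1925 comm="dscreen" name="/" dev="tracefs" ino=1 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs:s0 tclass=dir permissive=1
allow dscreen tracefs:dir search;

# Write-only access to the trace marker; no read permission is granted.
#avc:  denied  { write } for  pid=1925 comm="dscreen" name="trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=1925 comm="dscreen" path="/sys/kernel/debug/tracing/trace_marker" dev="tracefs" ino=13902 scontext=u:r:dscreen:s0 tcontext=u:object_r:tracefs_trace_marker_file:s0 tclass=file permissive=1
allow dscreen tracefs_trace_marker_file:file { write open };

#avc:  denied  { search } for  pid=1925 comm="dscreen" name="/" dev="mmcblk0p11" ino=2 scontext=u:r:dscreen:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
# NOTE(review): the record is for the root of a partition (name="/"); data_file
# looks like a generic label, so this permits traversal of every directory that
# carries it. Only search is granted, no read or write.
allow dscreen data_file:dir search;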
61
# media_service IPC, the UDP data socket owned by dscreen, and source-service
# registration.

#avc:  denied  { call } for  pid=1925 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2381 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=binder permissive=1
allow dscreen media_service:binder { call transfer };

# File descriptor received from media_service (/dev/ashmem in the record).
#avc:  denied  { use } for  pid=674 comm="media_service" path="/dev/ashmem" dev="tmpfs" ino=179 scontext=u:r:dscreen:s0 tcontext=u:r:media_service:s0 tclass=fd permissive=1
allow dscreen media_service:fd use;

# Source and target are both dscreen: I/O on its own UDP sockets.
#avc:  denied  { read } for  pid=1978 comm="Fillp_core_31"  scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { write } for  pid=1978 comm="Fillp_core_31" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen dscreen:udp_socket { read write };

#avc:  denied  { add } for service=4807 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { get_remote } for service=4807 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dscreen_source_service:s0 tclass=samgr_class permissive=1
# NOTE(review): get is granted as well, although no get denial is recorded here.
allow dscreen sa_dscreen_source_service:samgr_class { add get_remote get };

#avc:  denied  { get } for service=4607 pid=2067 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_dms:s0 tclass=samgr_class permissive=1
allow dscreen sa_foundation_dms:samgr_class get;
79
# Read-only access to files labelled system_usr_file (locale and ICU data in the
# records), plus binder object transfer to softbus_server.

#avc:  denied  { search } for  pid=2127 comm="dscreen" name="usr" dev="mmcblk0p6" ino=2492 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=dir permissive=1
allow dscreen system_usr_file:dir search;

# No write permission is included; map is needed for the ICU data file below.
#avc:  denied  { getattr } for  pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=2127 comm="dscreen" name="supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2127 comm="dscreen" path="/system/usr/ohos_locale_config/supported_regions.xml" dev="mmcblk0p6" ino=2499 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=2127 comm="dscreen" path="/system/usr/ohos_icu/icudt67l.dat" dev="mmcblk0p6" ino=2494 scontext=u:r:dscreen:s0 tcontext=u:object_r:system_usr_file:s0 tclass=file permissive=1
allow dscreen system_usr_file:file { getattr read open map };

#avc:  denied  { transfer } for  pid=2127 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=binder permissive=1
allow dscreen softbus_server:binder transfer;
91
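# Network sockets owned by dscreen, render_service IPC, and shutdown of the
# softbus_server TCP socket. The shutdown rule was written twice in this run; it
# is kept once with both denial records. Spacing in the udp_socket rule is
# normalised.

#avc:  denied  { create } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { setopt } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { bind } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
#avc:  denied  { getattr } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen dscreen:udp_socket { create setopt bind getattr };

#avc:  denied  { node_bind } for  pid=2315 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
# NOTE(review): the target is the node type itself, so the rule is not tied to a
# particular local address; the record does not show which address was bound.
allow dscreen node:udp_socket node_bind;

# Routing netlink socket owned by dscreen: create and send requests.
#avc:  denied  { create } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
#avc:  denied  { write } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
allow dscreen dscreen:netlink_route_socket { create write };

#avc:  denied  { shutdown } for  pid=2315 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
#avc:  denied  { shutdown } for  pid=2325 comm="THREAD_POOL" scontext=u:r:dscreen:s0 tcontext=u:r:softbus_server:s0 tclass=tcp_socket permissive=1
allow dscreen softbus_server:tcp_socket shutdown;

#avc:  denied  { call } for  pid=2325 comm="dscreen"     scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
#avc:  denied  { transfer } for  pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=binder permissive=1
allow dscreen render_service:binder { call transfer };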
114
# Lookups of the render, window-manager and multimodal-input service types,
# multimodalinput IPC, and further permissions on sockets owned by dscreen.

#avc:  denied  { get } for service=10 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_render_service:s0 tclass=samgr_class permissive=1
#avc:  denied  { get } for service=4606 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_wms:s0 tclass=samgr_class permissive=1
#avc:  denied  { get } for service=3101 pid=2325 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_multimodalinput_service:s0 tclass=samgr_class permissive=1
allow dscreen { sa_render_service sa_foundation_wms sa_multimodalinput_service }:samgr_class get;

#avc:  denied  { call } for  pid=2444 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=binder permissive=1
allow dscreen multimodalinput:binder call;

# File descriptor received from multimodalinput (a socket in the record).
#avc:  denied  { use } for  pid=251 comm="multimodalinput" path="socket:[32377]" dev="sockfs" ino=32377 scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=fd permissive=1
allow dscreen multimodalinput:fd use;

#avc:  denied  { read write } for  pid=253 comm="multimodalinput" scontext=u:r:dscreen:s0 tcontext=u:r:multimodalinput:s0 tclass=unix_stream_socket permissive=1
allow dscreen multimodalinput:unix_stream_socket { read write };

#avc:  denied  { nlmsg_read } for  pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
#avc:  denied  { read } for  pid=2417 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=netlink_route_socket permissive=1
# NOTE(review): nlmsg_readpriv is granted although only nlmsg_read and read were
# logged; confirm the privileged read is required before keeping it.
allow dscreen dscreen:netlink_route_socket { nlmsg_read nlmsg_readpriv read };

#avc:  denied  { connect } for  pid=2417 comm="Fillp_core_0" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=udp_socket permissive=1
allow dscreen dscreen:udp_socket connect;

#avc:  denied  { getopt } for  pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1
#avc:  denied  { setopt } for  pid=2404 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=unix_dgram_socket permissive=1
allow dscreen dscreen:unix_dgram_socket { getopt setopt };
143
# The binder rule towards sh is wrapped in the debug-only macro block, so it is
# presumably left out of non-debug policy builds - confirm against the macro
# definition. The record shows call only; transfer is granted in addition.
debug_only(`
    #avc:  denied  { call } for  pid=2552 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:sh:s0 tclass=binder permissive=1
    allow dscreen sh:binder { call transfer };
')

# NOTE(review): no denial record accompanies this rule; binder calls into init
# deserve a stated reason - confirm which interface dscreen uses.
allow dscreen init:binder { call transfer };

# Descriptors and the stream socket shared with render_service.
#avc:  denied  { use } for   scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=fd permissive=0
allow dscreen render_service:fd use;

#avc:  denied  { read write } for   scontext=u:r:dscreen:s0 tcontext=u:r:render_service:s0 tclass=unix_stream_socket permissive=1
allow dscreen render_service:unix_stream_socket { read write };

#avc:  denied  { get } for service=4801 pid=2892 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_dhardware_service:s0 tclass=samgr_class permissive=0
allow dscreen sa_dhardware_service:samgr_class get;

# Parameter files: read-side permissions only.
#avc:  denied  { read } for  pid=2824 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2839 scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1
#avc:  denied  { map } for  pid=2839  scontext=u:r:dscreen:s0 tcontext=u:object_r:accessibility_param:s0 tclass=file permissive=1
allow dscreen accessibility_param:file { read open map };

#avc:  denied  { read } for  pid=2021  scontext=u:r:dscreen:s0 tcontext=u:object_r:ohos_dev_param:s0 tclass=file permissive=0
allow dscreen ohos_dev_param:file read;

#avc:  denied  { read } for  pid=2692    ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2381    ino=55 scontext=u:r:dscreen:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=0
allow dscreen musl_param:file { read open };

#avc:  denied  { read write } for  pid=2573 scontext=u:r:dscreen:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=0
# NOTE(review): read and write on the console device; the record gives no path
# or comm, so the caller cannot be identified from this file.
allow dscreen dev_console_file:chr_file { read write };

#avc:  denied  { search } for  pid=3351  scontext=u:r:dscreen:s0 tcontext=u:object_r:vendor_bin_file:s0 tclass=dir permissive=0
allow dscreen vendor_bin_file:dir search;

#avc:  denied  { get } for  service=allocator_service pid=3162  scontext=u:r:dscreen:s0 tcontext=u:object_r:hdf_allocator_service:s0 tclass=hdf_devmgr_class permissive=1
allow dscreen hdf_allocator_service:hdf_devmgr_class get;
180
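# TCP listener owned by dscreen, buffer-allocator and device-manager IPC, and
# CPU topology reads. The proc_cpuinfo_file rule was written twice in this run;
# it is kept once with both sets of denial records.

# Server-side socket permissions; the records show 127.0.0.1 port 7000.
#avc:  denied  { create } for  pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { bind } for  pid=2893 comm="dscreen" scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { read } for  pid=2893 comm="dscreen" laddr=127.0.0.1 lport=7000 faddr=127.0.0.1 fport=44306 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { listen } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { setopt } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
#avc:  denied  { accept } for  pid=2876 comm="IPC_1_2884" laddr=127.0.0.1 lport=7000 scontext=u:r:dscreen:s0 tcontext=u:r:dscreen:s0 tclass=tcp_socket permissive=1
allow dscreen dscreen:tcp_socket { create bind read listen setopt accept };

#avc:  denied  { name_bind } for  pid=2893 comm="dscreen" src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket permissive=1
# NOTE(review): the record is for port 7000 only, but the rule is keyed on the
# port type, which looks like the generic port label. It therefore covers every
# TCP port carrying that label. If only this listener is needed, a dedicated
# port type would narrow the grant - confirm with the policy owners.
allow dscreen port:tcp_socket name_bind;

#avc:  denied  { node_bind } for  pid=2876 comm="IPC_1_2884" saddr=127.0.0.1 src=7000 scontext=u:r:dscreen:s0 tcontext=u:object_r:node:s0 tclass=tcp_socket permissive=1
# NOTE(review): the record shows loopback, but the rule targets the node type
# and is not limited to that address. Policy alone does not keep this listener
# on 127.0.0.1; that depends on the address the service binds.
allow dscreen node:tcp_socket node_bind;

# Buffer descriptors from allocator_host (a dmabuf in the record).
#avc:  denied  { use } for  pid=2893 comm="IPC_1_2900" path="/dmabuf:" dev="dmabuf" info=39534 ioctlcmd=0x6200 scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=fd permissive=1
allow dscreen allocator_host:fd use;

#avc:  denied  { call } for  pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:allocator_host:s0 tclass=binder permissive=1
allow dscreen allocator_host:binder call;

#avc:  denied  { get } for  scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_device_service_manager:s0 tclass=samgr_class permissive=0
allow dscreen sa_device_service_manager:samgr_class get;

#avc:  denied  { call } for  pid=2914 comm="IPC_1_2921" scontext=u:r:dscreen:s0 tcontext=u:r:hdf_devmgr:s0 tclass=binder permissive=1
allow dscreen hdf_devmgr:binder call;

# Read-only access to /proc/cpuinfo, logged from two threads.
#avc:  denied  { read } for  pid=3041 comm="dscreen" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=3041 comm="dscreen" path="/proc/cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { read } for  pid=2914 comm="IPC_1_2921" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { open } for  pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=2914 comm="IPC_1_2921" path="/proc/cpuinfo" dev="proc" name="cpuinfo" dev="proc" ino=4026532324 scontext=u:r:dscreen:s0 tcontext=u:object_r:proc_cpuinfo_file:s0 tclass=file permissive=1
allow dscreen proc_cpuinfo_file:file { read open getattr };

# Read-only access to /sys/devices/system/cpu/online.
#avc:  denied  { read } for  pid=2876 comm="sa_main" name="online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
#avc:  denied  { open } for  pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
#avc:  denied  { getattr } for  pid=2910 comm="sa_main" path="/sys/devices/system/cpu/online" dev="sysfs" ino=33621 scontext=u:r:dscreen:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
allow dscreen sysfs_devices_system_cpu:file { read open getattr };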
221
# Remaining grants, regrouped by kind. Only the two samgr lookups below carry a
# denial record; every other rule in this run has no recorded justification, so
# each one should be traced to a concrete need before it is kept.

# --- samgr and HDF service lookups ---
#avc:  denied  { get } for service=401 pid=1478 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_foundation_bms:s0 tclass=samgr_class permissive=0
allow dscreen sa_foundation_bms:samgr_class get;

#avc:  denied  { get } for service=3503 pid=1519 scontext=u:r:dscreen:s0 tcontext=u:object_r:sa_accesstoken_manager_service:s0 tclass=samgr_class permissive=0
allow dscreen sa_accesstoken_manager_service:samgr_class get;

allow dscreen sa_av_codec_service:samgr_class get;
allow dscreen hdf_codec_hdi_omx_service:hdf_devmgr_class get;

# --- binder peers and descriptors received from them ---
allow dscreen accesstoken_service:binder call;
allow dscreen dhardware:binder transfer;
allow dscreen codec_host:binder { call transfer };
allow dscreen codec_host:fd use;
allow dscreen av_codec_service:binder { call transfer };
allow dscreen av_codec_service:fd use;

# --- directories and parameter files (no write permission) ---
allow dscreen system_lib_file:dir { open read };
allow dscreen chip_prod_file:dir search;
allow dscreen sys_prod_file:dir search;
allow dscreen arkcompiler_param:file { map open read };
# Subset of the { read open getattr } rule on the same type earlier in this file.
allow dscreen sysfs_devices_system_cpu:file { read getattr };

# --- device nodes ---
allow dscreen dev_ashmem_file:chr_file open;

allow dscreen dev_dri_file:dir search;
allow dscreen dev_dri_file:chr_file { open read write };
# Limits ioctl commands on dev_dri_file to 0x641f.
# NOTE(review): the allow rule above does not include the ioctl permission, and
# an allowxperm rule has no effect without it - confirm ioctl is granted
# elsewhere or add it here.
allowxperm dscreen dev_dri_file:chr_file ioctl { 0x641f };

# NOTE(review): write access to the kernel log device lets this domain inject
# kernel log lines - confirm it is needed. The second rule uses class file on the
# same type, which looks odd next to the chr_file rule - verify the class.
allow dscreen dev_kmsg_file:chr_file write;
allow dscreen dev_kmsg_file:file read;

# NOTE(review): read and write on tty devices with no recorded denial - confirm
# this is required outside debugging.
allow dscreen tty_device:chr_file { read write };
250