diff --git a/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te b/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
index 1f2b133f0542728df42eb702bd9ee6c78d8ed243..941eedd6585f8a27591ec7f385bb2bc7cdcb70f8 100644
--- a/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
+++ b/sepolicy/ohos_policy/multimedia/audio/system/audio_server.te
@@ -298,3 +298,9 @@ allow audio_server sa_foundation_dms:samgr_class { get };
 #denied { get } for service=200 pid=341 scontext=u:r:audio_server:s0 tcontext=u:object_r:sa_accountmgr:s0 tclass=samgr_class permissive=0
 allow audio_server sa_accountmgr:samgr_class { get };
 allow audio_server accountmgr:binder { call transfer };
+
+#avc: denied { get } for service=3013 pid=356 scontext=u:r:audio_server:s0 tcontext=u:object_r:sa_media_monitor:s0 tclass=samgr_class permissive=0
+allow audio_server sa_media_monitor:samgr_class { get };
+
+#avc: denied { call } for pid=367 comm="audio_server" scontext=u:r:audio_server:s0 tcontext=u:r:media_monitor:s0 tclass=binder permissive=0
+allow audio_server media_monitor:binder { call };
diff --git a/sepolicy/ohos_policy/multimedia/media_monitor/system/init.te b/sepolicy/ohos_policy/multimedia/media_monitor/system/init.te
new file mode 100644
index 0000000000000000000000000000000000000000..86687482a1b2ef861edb51634c9de4537ee473bf
--- /dev/null
+++ b/sepolicy/ohos_policy/multimedia/media_monitor/system/init.te
@@ -0,0 +1,14 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow init media_monitor:process { rlimitinh siginh transition };
diff --git a/sepolicy/ohos_policy/multimedia/media_monitor/system/media_monitor.te b/sepolicy/ohos_policy/multimedia/media_monitor/system/media_monitor.te
new file mode 100644
index 0000000000000000000000000000000000000000..b7042243f82ad79d3e929daf1346c7015b7a7289
--- /dev/null
+++ b/sepolicy/ohos_policy/multimedia/media_monitor/system/media_monitor.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type media_monitor, sadomain, domain;
+type sa_media_monitor, sa_service_attr;
+
+allow media_monitor sa_media_monitor:samgr_class { add get_remote };
+
+allow media_monitor audio_server:binder { call transfer };
+allow media_monitor dev_unix_socket:dir { search };
+allow media_monitor distributeddata:binder { call transfer };
+allow media_monitor multimodalinput:binder { call };
+allow media_monitor multimodalinput:fd { use };
+allow media_monitor multimodalinput:unix_stream_socket { read write };
+allow media_monitor param_watcher:binder { call transfer };
+allow media_monitor sa_accesstoken_manager_service:samgr_class { get };
+allow media_monitor sa_distributeddata_service:samgr_class { get };
+allow media_monitor sa_multimodalinput_service:samgr_class { get };
+allow media_monitor sa_param_watcher:samgr_class { get };
+allow media_monitor tracefs:dir { search };
+allow media_monitor tracefs:file { open write };
+allow media_monitor tracefs_trace_marker_file:file { write open };
+allow media_monitor data_service_file:dir { search };
+allow media_monitor accesstoken_service:binder { call transfer };
+allow media_monitor sa_foundation_devicemanager_service:samgr_class { get };
+allow media_monitor device_manager:binder { call transfer };
+allow media_monitor sa_foundation_bms:samgr_class { get };
+allow media_monitor sa_foundation_abilityms:samgr_class { get };
+allow media_monitor normal_hap_attr:binder { transfer call };
+allow media_monitor system_core_hap_attr:binder { call transfer };
+allow media_monitor system_bin_file:dir { getattr search };
+allow media_monitor sa_audio_policy_service:samgr_class { add get };
+allow media_monitor dev_console_file:chr_file { read write };
+allow media_monitor debug_param:file { map open read };
+allow media_monitor dev_kmsg_file:chr_file { open write };
+allow media_monitor sysfs_devices_system_cpu:file { getattr open read };
+allow media_monitor media_monitor:unix_dgram_socket { getopt setopt };
diff --git a/sepolicy/ohos_policy/multimedia/media_monitor/system/service_contexts b/sepolicy/ohos_policy/multimedia/media_monitor/system/service_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..5fe6e9979be9c9324e6150dd29b3c4f6e19e580a
--- /dev/null
+++ b/sepolicy/ohos_policy/multimedia/media_monitor/system/service_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+66160 u:object_r:sa_media_monitor:s0
diff --git a/sepolicy/ohos_policy/multimedia/media_monitor/system/system_core_hap.te b/sepolicy/ohos_policy/multimedia/media_monitor/system/system_core_hap.te
new file mode 100644
index 0000000000000000000000000000000000000000..d036136f7e2452602ec6a6dbcfbbd1fabf3aef6b
--- /dev/null
+++ b/sepolicy/ohos_policy/multimedia/media_monitor/system/system_core_hap.te
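Review bot: `allow media_monitor sa_audio_policy_service:samgr_class { add get };` gives media_monitor the right to register the audio policy system ability, not only to look it up. `add` on another service's SA label is normally held by the domain that hosts that ability, so a fault or compromise in media_monitor could register a service under the audio policy label. Unless media_monitor really hosts that ability, reduce the rule to `allow media_monitor sa_audio_policy_service:samgr_class { get };`. This file also has no avc denial comments, unlike the audio_server.te and media_service.te hunks, so grants such as `normal_hap_attr:binder { transfer call }`, `dev_kmsg_file:chr_file { open write }` and `tracefs:file { open write }` cannot be traced to an observed need; a denial or rationale comment per group would make them auditable.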
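Review bot: The id in `66160 u:object_r:sa_media_monitor:s0` does not match the denials quoted in the audio_server.te and media_service.te hunks of this commit, which show `service=3013` already resolving to `sa_media_monitor`. Either 3013 is labelled in a file not shown here and 66160 is a second ability, or one of the two numbers is stale. Please confirm both against the media_monitor SA profile and add a `#` comment above the entry naming the ability it refers to. If the id is wrong, the real service would presumably keep a default label and the new `sa_media_monitor` rules would not apply to it.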
@@ -0,0 +1,16 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow system_core_hap sa_media_monitor:samgr_class { get };
+
+allow system_core_hap media_monitor:binder { call };
diff --git a/sepolicy/ohos_policy/multimedia/player/system/media_service.te b/sepolicy/ohos_policy/multimedia/player/system/media_service.te
index 87d3a0dfca3cacfd186f896e751026d781152de5..35c86b0b2e207d3b44feb269876de503b9eca1a3 100644
--- a/sepolicy/ohos_policy/multimedia/player/system/media_service.te
+++ b/sepolicy/ohos_policy/multimedia/player/system/media_service.te
@@ -154,3 +154,9 @@ allow media_service resource_schedule_service:binder { call }; allow media_service sa_accountmgr:samgr_class { get }; allow media_service accountmgr:binder { call transfer }; + +#avc: denied { get } for service=3013 pid=522 scontext=u:r:media_service:s0 tcontext=u:object_r:sa_media_monitor:s0 tclass=samgr_class permissive=1 +allow media_service sa_media_monitor:samgr_class { get }; + +#avc: denied { call } for pid=608 comm="PlayerEngine" scontext=u:r:media_service:s0 tcontext=u:r:media_monitor:s0 tclass=binder permissive=0 +allow media_service media_monitor:binder { call };
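Review bot: Both rules here name the type `system_core_hap`, while media_monitor.te in this commit grants the reverse direction to the attributes `system_core_hap_attr` and `normal_hap_attr`. If those attributes cover more domains than this one type (to be confirmed against the hap type declarations), media_monitor may call into app domains that have no rule letting them look up or call it. That means either the reverse grant is wider than needed or this forward grant is incomplete. Align the two sides, and add the observed denial as a comment above each rule as the audio_server.te hunk does, e.g. `#avc: denied { call } for ... scontext=u:r:system_core_hap:s0 tcontext=u:r:media_monitor:s0 tclass=binder` (constructed sample, replace with the logged line).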