# Copyright (c) 2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. updater_only(` # avc_audit_slow:267] avc: denied { map } for pid=793, comm="/bin/updater_binary" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="" ino=179 scontext=u:r:updater_binary:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 # avc_audit_slow:267] avc: denied { open } for pid=793, comm="/bin/updater_binary" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="" ino=179 scontext=u:r:updater_binary:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 allow updater_binary persist_param:file { map open }; #avc: denied { search } for pid=281 comm="updater" name="/" dev="rootfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 # avc: denied { read write } for pid=273 comm="updater_binary" name="updater" dev="rootfs" ino=20121 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 # avc: denied { add_name } for pid=269 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 # avc: denied { create } for pid=264 comm="updater_binary" name="update_tmp" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 # avc: denied { open } for pid=264 comm="updater_binary" path="/data/updater/update_tmp" dev="rootfs" ino=20420 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 # avc: denied { remove_name } for pid=264 comm="updater_binary" name="system" dev="rootfs" ino=20402 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 allow updater_binary rootfs:dir { search read write add_name create open remove_name }; #avc: denied { execute } for pid=279 comm="updater" name="ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { read open } for pid=279 comm="updater" path="/lib/ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { map } for pid=279 comm="updater_binary" path="/lib/ld-musl-arm.so.1" dev="rootfs" ino=596 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=279 comm="updater_binary" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=418 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 # avc: denied { execute_no_trans } for pid=277 comm="updater_binary" path="/bin/processdump" dev="rootfs" ino=17428 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 # avc: denied { create } for pid=267 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 # avc: denied { write } for pid=269 comm="updater_binary" path="/data/updater/loadScript.us" dev="rootfs" ino=27819 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=265 comm="updater_binary" path="/data/updater/Verse-script.us" dev="rootfs" ino=18908 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=264 comm="updater_binary" path="/data/updater/system" dev="rootfs" ino=20402 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 # avc: denied { rename } for pid=264 comm="updater_binary" name="system" dev="rootfs" ino=20402 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 allow updater_binary rootfs:file { execute read open map getattr execute_no_trans create write ioctl rename }; # avc: denied { ioctl } for pid=265 comm="updater_binary" path="/data/updater/Verse-script.us" dev="rootfs" ino=18908 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 allowxperm updater_binary rootfs:file ioctl { 0x5413 }; #avc: denied { ioctl } for pid=270 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17411 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 #avc: denied { write } for pid=270 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17411 scontext=u:r:updater_binary:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 allow updater_binary rootfs:chr_file { ioctl write }; allowxperm updater_binary rootfs:chr_file ioctl { 0x5413 }; #avc: denied { search } for pid=281 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 allow updater_binary tmpfs:dir { search }; #avc: denied { execute } for pid=279 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { open } for pid=279 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { execute_no_trans } for pid=279 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { read open } for pid=281 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { append } for pid=270 comm="updater_binary" name="updater.log" dev="tmpfs" ino=2 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=270 comm="updater_binary" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { ioctl } for pid=270 comm="updater_binary" path="/tmp/updater.log" dev="tmpfs" ino=2 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 allow updater_binary tmpfs:file { execute read open execute_no_trans append getattr ioctl create write}; allowxperm updater_binary tmpfs:file ioctl { 0x5413 }; # avc: denied { fork } for pid=281 comm="updater_binary" scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1 allow updater_binary updater_binary:process { fork }; # avc: denied { write } for pid=281 comm="updater_binary" path="pipe:[1664]" dev="pipefs" ino=1664 scontext=u:object_r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 # avc: denied { getattr } for pid=270 comm="updater_binary" path="pipe:[18906]" dev="pipefs" ino=18906 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 # avc: denied { ioctl } for pid=270 comm="updater_binary" path="pipe:[20191]" dev="pipefs" ino=20191 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1 allow updater_binary updater:fifo_file { write getattr ioctl }; allowxperm updater_binary updater:fifo_file ioctl { 0x5413 }; # avc: denied { use } for pid=270 comm="updater_binary" path="pipe:[20191]" dev="pipefs" ino=20191 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:r:updater:s0 tclass=fd permissive=1 allow updater_binary updater:fd { use }; #avc: denied { read } for pid=279 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 #avc: denied { open } for pid=279 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 #avc: denied { map } for pid=279 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=1 allow updater_binary ohos_boot_param:file { open map read }; # avc: denied { search } for pid=268 comm="updater_binary" name="/" dev="tmpfs" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_file:s0 tclass=dir permissive=1 allow updater_binary dev_file:dir { search }; # avc: denied { read } for pid=268 comm="updater_binary" name="misc" dev="tmpfs" ino=128 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 allow updater_binary dev_file:lnk_file { read }; # avc: denied { read } for pid=268 comm="updater_binary" name="urandom" dev="tmpfs" ino=5 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_random_file:s0 tclass=chr_file permissive=1 allow updater_binary dev_random_file:chr_file { read }; #avc: denied { search } for pid=268 comm="updater_binary" name="block" dev="tmpfs" ino=94 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 allow updater_binary dev_block_volfile:dir { search }; #avc: denied { read } for pid=268 comm="updater_binary" name="by-name" dev="tmpfs" ino=101 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 allow updater_binary dev_block_volfile:lnk_file { read }; #avc: denied { read write } for pid=268 comm="updater_binary" name="mmcblk0p2" dev="tmpfs" ino=127 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { open } for pid=270 comm="updater_binary" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 # avc: denied { map } for pid=267 comm="updater_binary" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=122 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 # avc: denied { getattr } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=128 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 # avc: denied { ioctl } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=120 ioctlcmd=0x1277 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 allow updater_binary dev_block_file:blk_file { read write open map getattr ioctl }; # avc: denied { ioctl } for pid=266 comm="updater_binary" path="/dev/block/mmcblk0p8" dev="tmpfs" ino=120 ioctlcmd=0x1277 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 allowxperm updater_binary dev_block_file:blk_file ioctl { 0x1277 }; # avc: denied { search } for pid=282 comm="updater_binary" name="__parameters__" dev="tmpfs" ino=11 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_parameters_file:s0 tclass=dir permissive=1 allow updater_binary dev_parameters_file:dir { search }; # avc: denied { read } for pid=282 comm="updater_binary" name="param_selinux" dev="tmpfs" ino=12 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_parameters_file:s0 tclass=file permissive=1 allow updater_binary dev_parameters_file:file { read }; # avc: denied { search } for pid=282 comm="updater_binary" name="/" dev="proc" ino=1 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:proc_file:s0 tclass=dir permissive=1 allow updater_binary proc_file:dir { search }; #avc: denied { search } for pid=277 comm="updater_binary" name="277" dev="proc" ino=27311 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=dir permissive=1 allow updater_binary updater_binary:dir { search }; #avc: denied { read } for pid=273 comm="updater_binary" name="by-name" dev="tmpfs" ino=105 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 allow updater_binary updater_binary:lnk_file { read }; # avc: denied { search } for pid=277 comm="updater_binary" name="system" dev="rootfs" ino=18624 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1 allow updater_binary system_file:dir { search }; # avc: denied { read } for pid=277 comm="updater_binary" name="lib" dev="rootfs" ino=18625 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1 allow updater_binary system_lib_file:lnk_file { read }; # avc: denied { search } for pid=280 comm="updater_binary" name="vendor" dev="rootfs" ino=17285 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1 allow updater_binary vendor_file:dir { search }; # avc: denied { read } for pid=280 comm="updater_binary" name="u:object_r:hook_param:s0" dev="tmpfs" ino=35 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 # avc: denied { open } for pid=273 comm="updater_binary" path="/dev/__parameters__/u:object_r:hook_param:s0" dev="tmpfs" ino=35 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hook_param:s0 tclass=file permissive=1 allow updater_binary hook_param:file { read open }; #avc: denied { read } for pid=279 comm="updater_binary" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 #avc: denied { open } for pid=270 comm="updater_binary" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 #avc: denied { map } for pid=270 comm="updater_binary" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater_binary:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 allow updater_binary musl_param:file { read open map }; # avc: denied { read } for pid=270 comm="updater_binary" name="etc" dev="rootfs" ino=17415 scontext=u:r:updater_binary:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 allow updater_binary system_etc_file:lnk_file { read }; # avc: denied { read } for pid=273 comm="updater_binary" name="u:object_r:time_param:s0" dev="tmpfs" ino=51 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:time_param:s0 tclass=file permissive=1 allow updater_binary time_param:file { read }; # avc: denied { create } for pid=273 comm="updater_binary" scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:updater_binary:s0 tclass=unix_dgram_socket permissive=1 allow updater_binary updater_binary:unix_dgram_socket { create }; # avc: denied { search } for pid=274 comm="updater_binary" name="unix" dev="tmpfs" ino=7 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:dev_unix_file:s0 tclass=dir permissive=1 allow updater_binary dev_unix_file:dir { search }; #avc: denied { search } for pid=270 comm="updater_binary" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 allow updater_binary dev_unix_socket:dir { search }; # avc: denied { write } for pid=274 comm="updater_binary" name="hilogInput" dev="tmpfs" ino=315 scontext=u:object_r:updater_binary:s0 tcontext=u:object_r:hilog_input_socket:s0 tclass=sock_file permissive=1 allow updater_binary hilog_input_socket:sock_file { write }; # avc: denied { use } for pid=274 comm="updater_binary" path="/dev/console" dev="rootfs" ino=17230 ioctlcmd=0x5413 scontext=u:object_r:updater_binary:s0 tcontext=u:r:kernel:s0 tclass=fd permissive=1 allow updater_binary kernel:fd { use }; # avc: denied { search } for pid=270 comm="updater_binary" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 # avc: denied { add_name } for pid=263 comm="updater_binary" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 # avc: denied { create } for pid=271 comm="updater_binary" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 # avc: denied { getattr } for pid=268 comm="updater_binary" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 # avc: denied { write } for pid=266 comm="updater_binary" name="data" dev="rootfs" ino=2725 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 allow updater_binary data_file:dir { search add_name create getattr write }; #avc: denied { add_name } for pid=279 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { search } for pid=270 comm="updater_binary" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { read write } for pid=270 comm="updater_binary" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { getattr } for pid=270 comm="updater_binary" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 # avc: denied { setattr } for pid=263 comm="updater_binary" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 # avc: denied { remove_name } for pid=267 comm="updater_binary" name="vendor" dev="mmcblk0p12" ino=4733 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 # avc: denied { create } for pid=268 comm="updater_binary" name="update_tmp" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 # avc: denied { open } for pid=270 comm="updater_binary" path="/data/updater/update_tmp" dev="mmcblk0p12" ino=1376 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 allow updater_binary data_updater_file:dir { open create setattr add_name search read write getattr remove_name }; allow updater_binary update_firmware_file:dir { open create setattr add_name search read write getattr remove_name }; #avc: denied { read } for pid=270 comm="updater_binary" name="updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { open } for pid=270 comm="updater_binary" path="/data/updater/updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=270 comm="updater_binary" path="/data/updater/updater.zip" dev="mmcblk0p12" ino=4136 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { write } for pid=270 comm="updater_binary" name="update.bin.tmp" dev="mmcblk0p12" ino=5916 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { create } for pid=279 comm="updater_binary" name="loadScript.us" scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #denied { ioctl } for pid=281 comm="updater_binary" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=6829 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 # avc: denied { rename } for pid=268 comm="updater_binary" name="vendor" dev="mmcblk0p12" ino=1006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 # avc: denied { setattr } for pid=268 comm="updater_binary" name="vendor_retry" dev="mmcblk0p12" ino=4748 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 # avc: denied { unlink } for pid=269 comm="updater_binary" name="deaf4cd35457797973b4e888888560b4794df92865f14d616ae99853a484605b" dev="mmcblk0p12" ino=1918 scontext=u:r:updater_binary:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=0 allow updater_binary data_updater_file:file { read open getattr write create ioctl rename setattr unlink map}; allowxperm updater_binary data_updater_file:file ioctl { 0x5413 }; allow updater_binary update_firmware_file:file { read open getattr write create ioctl rename setattr unlink map}; allowxperm updater_binary update_firmware_file:file ioctl { 0x5413 }; # avc: denied { read } for pid=279 comm="processdump" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 # avc: denied { open } for pid=278 comm="processdump" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 # avc: denied { map } for pid=278 comm="processdump" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater_binary:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=0 allow updater_binary hilog_param:file { read open map }; # avc: denied { read write } for pid=272 comm="processdump" path="/data/log/faultlog/temp/cppcrash-265-1679413199123" dev="mmcblk0p12" ino=8782 scontext=u:r:updater_binary:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0 allow updater_binary faultloggerd_temp_file:file { read write }; # avc: denied { search } for pid=279 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 # avc: denied { read write } for pid=281 comm="updater_binary" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 allow updater_binary exfat:dir { search read write }; # avc: denied { read } for pid=270 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { open } for pid=270 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { getattr } for pid=265 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { write } for pid=265 comm="updater_binary" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 allow updater_binary exfat:file { read open getattr write ioctl }; allowxperm updater_binary exfat:file ioctl { 0x5413 }; # avc: denied { read write } for pid=262 comm="updater_binary" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 # avc: denied { search } for pid=262 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 allow updater_binary vfat:dir { search read write }; # avc: denied { read } for pid=268 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 # avc: denied { open } for pid=267 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 # avc: denied { getattr } for pid=261 comm="updater_binary" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 # avc: denied { write } for pid=261 comm="updater_binary" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 allow updater_binary vfat:file { read open getattr write ioctl }; # avc: denied { ioctl } for pid=266 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 allowxperm updater_binary vfat:file ioctl { 0x5413 }; # avc: denied { search } for pid=268 comm="updater_binary" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 allow updater_binary ntfs:dir { search read write }; # avc: denied { read } for pid=276 comm="updater_binary" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=268 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 allow updater_binary ntfs:file { read open getattr write ioctl }; # avc: denied { ioctl } for pid=268 comm="updater_binary" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater_binary:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 allowxperm updater_binary ntfs:file ioctl { 0x5413 }; allow updater_binary tmpfs:dir { read write add_name }; # avc: denied { map } for pid=272 comm="updater_binary" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 # avc: denied { open } for pid=272 comm="updater_binary" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 # avc: denied { read } for pid=272 comm="updater_binary" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater_binary:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 allow updater_binary debug_param:file { map open read }; allow updater_binary data_file:file { setattr write create }; allow updater_binary exfat:file { map }; allow updater_binary ntfs:file { map }; allow updater_binary vfat:file { map }; # avc: denied { execute_no_trans } for pid=267 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater_binary:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=0 allow updater_binary updater_binary_exec:file { execute_no_trans }; # avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 allow updater_binary dev_dri_file:chr_file { ioctl }; # avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 # avc: denied { ioctl } for pid=267 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater_binary:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=0 allowxperm updater_binary dev_dri_file:chr_file ioctl { 0x6409 0x64af }; allow updater_binary updater_block_file:blk_file { read write open map getattr ioctl }; allowxperm updater_binary updater_block_file:blk_file ioctl { 0x1277 }; ') allow updater_binary self:xpm { exec_no_sign };