# Copyright (c) 2023 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. updater_only(` #avc: denied { read } for pid=240 comm="updater" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 #avc: denied { open } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 #avc: denied { map } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1 allow updater hilog_param:file { read open map }; #avc: denied { getattr } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 #avc: denied { read write } for pid=240 comm="updater" name="hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 #avc: denied { open } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 ioctlcmd=0x6201 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1 allow updater dev_hdf_file:chr_file { getattr read write open ioctl }; allowxperm updater dev_hdf_file:chr_file ioctl { 0x6201 }; #avc: denied { getattr } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 #avc: denied { read write } for pid=233 comm="updater" name="hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 #avc: denied { open } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 ioctlcmd=0x6203 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=233 comm="evt_listen" path="/dev/hdf_input_event1" dev="tmpfs" ino=234 ioctlcmd=0x6202 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1 allow updater dev_hdf_input:chr_file { getattr read write open ioctl }; allowxperm updater dev_hdf_input:chr_file ioctl { 0x6203 0x6202 }; #avc: denied { write } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 #avc: denied { add_name } for pid=235 comm="updater" name="mainpage.png" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 #avc: denied { read } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 # avc: denied { remove_name } for pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0 allow updater tmpfs:dir { write add_name read remove_name }; #avc: denied { create } for pid=231 comm="updater" name="updater.log" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { open } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { setattr } for pid=229 comm="updater" name="updater_result" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1 #avc: denied { execute } for pid=272 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 #avc: denied { execute_no_trans } for pid=278 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 # avc: denied { relabelfrom } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 # avc: denied { unlink } for pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 allow updater tmpfs:file { unlink append ioctl create open getattr setattr execute execute_no_trans relabelfrom }; allowxperm updater tmpfs:file ioctl { 0x5413 }; #avc: denied { write } for pid=262 comm="resize.f2fs" name="mmcblk0p12" dev="tmpfs" ino=98 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { read } for pid=228 comm="updater" name="mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { open } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { getattr } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 #avc: denied { ioctl } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 #avc: denied { lock } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 allow updater dev_block_file:blk_file { write getattr read open ioctl lock }; # avc: denied { ioctl } for pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 # avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 # avc: denied { ioctl } for pid=269 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x1271 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 # avc: denied { ioctl } for pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x1272 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 # avc: denied { ioctl } for pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x127d scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 # avc: denied { ioctl } for pid=278 comm="mkfs.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x2285 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1 # avc: denied { ioctl } for pid=239 comm="updater" path="/dev/block/mmcblk0p14" dev="tmpfs" ino=151 ioctlcmd=0x1277 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0 allowxperm updater dev_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 }; #avc: denied { read } for pid=274 comm="resize.f2fs" name="version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 #avc: denied { open } for pid=274 comm="resize.f2fs" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1 allow updater proc_version_file:file { read open }; #denied { getattr } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p12/partition" dev="sysfs" ino=31854 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 #avc: denied { read } for pid=274 comm="resize.f2fs" name="zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 #denied { open } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/queue/zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 allow updater sys_file:file { read getattr open }; #avc: denied { getattr } for pid=231 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { search } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { read } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { open } for pid=238 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { write } for pid=238 comm="updater" name="log" dev="mmcblk0p12" ino=954 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { add_name } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { remove_name } for pid=227 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=5006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { create } for pid=231 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 # avc: denied { rmdir } for pid=231 comm="updater" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0 # avc: denied { setattr } for pid=249 comm="updater" name="updater" dev="mmcblk0p12" ino=144 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 allow updater data_updater_file:dir { read getattr add_name search write open remove_name create rmdir setattr }; allow updater update_firmware_file:dir { read getattr add_name search write open remove_name create rmdir }; #avc: denied { create } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { append } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { open } for pid=238 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { ioctl } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { read } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { setattr } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { unlink } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 #avc: denied { write } for pid=235 comm="updater" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 allow updater data_updater_file:file { create open append getattr ioctl read setattr unlink write }; allowxperm updater data_updater_file:file ioctl { 0x5413 }; allow updater update_firmware_file:file { create open append getattr ioctl read setattr unlink write }; allowxperm updater update_firmware_file:file ioctl { 0x5413 }; #avc: denied { search } for pid=228 comm="updater" name="block" dev="tmpfs" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1 allow updater dev_block_volfile:dir { search }; # avc: denied { set } for process="updater" parameter=updater.hdc.configfs pid=234 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=1 #avc: denied { set } for process="unknown process" parameter=updater.data.configs pid=232 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=0 allow updater update_updater_param:parameter_service { set }; #avc: denied { read } for pid=227 comm="updater" name="bin" dev="rootfs" ino=17791 scontext=u:r:updater:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1 allow updater system_bin_file:lnk_file { read }; # avc: denied { module_request } for pid=227 comm="updater" kmod="quota_v2" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 allow updater kernel:system { module_request }; # avc: denied { read } for pid=234 comm="updater" name="usb-ffs" dev="tmpfs" ino=314 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 # avc: denied { open } for pid=235 comm="updater" path="/dev/usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 # avc: denied { search } for pid=235 comm="updater" name="usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1 allow updater dev_usb_ffs:dir { read open search }; # avc: denied { read write } for pid=234 comm="updater" name="ep0" dev="functionfs" ino=27986 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 # avc: denied { open } for pid=235 comm="updater" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=18354 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 allow updater functionfs:file { read write open }; # avc: denied { search } for pid=234 comm="updater" name="local" dev="mmcblk0p12" ino=87 scontext=u:r:updater:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1 allow updater data_local:dir { search }; # avc: denied { dyntransition } for pid=281 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1 allow updater updater_binary:process { dyntransition }; # avc: denied { setcurrent } for pid=279 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=process permissive=1 allow updater updater:process { setcurrent }; # avc: denied { read write } for pid=292 comm="sh" name="tty" dev="tmpfs" ino=282 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 allow updater tty_device:chr_file { read write }; #avc: denied { read } for pid=227 comm="updater" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 #avc: denied { open } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 #avc: denied { map } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 allow updater musl_param:file { read map open }; # avc: denied { read } for pid=236 comm="updater" name="etc" dev="rootfs" ino=17422 scontext=u:r:updater:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 allow updater system_etc_file:lnk_file { read }; # avc: denied { chown } for pid=227 comm="updater" capability=0 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 # avc: denied { sys_admin } for pid=228 comm="updater" capability=21 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 allow updater updater:capability { sys_admin chown }; # avc: denied { read write } for pid=239 comm="updater" name="ptmx" dev="tmpfs" ino=232 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 allow updater dev_ptmx:chr_file { read write }; # avc: denied { search } for pid=266 comm="updater" name="/" dev="devpts" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1 allow updater dev_pts_file:dir { search }; # avc: denied { read write } for pid=266 comm="updater" name="0" dev="devpts" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 allow updater devpts:chr_file { read write }; # avc: denied { ioctl } for pid=266 comm="sh" path="/dev/tty" dev="tmpfs" ino=282 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1 allow updater tty_device:chr_file { ioctl}; allowxperm updater tty_device:chr_file ioctl { 0x5413 }; #avc: denied { read write } for pid=227 comm="updater" path="/dev/console" dev="rootfs" ino=16653 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=229 comm="updater" path="/dev/console" dev="rootfs" ino=3976 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 allow updater rootfs:chr_file { read write ioctl }; allowxperm updater rootfs:chr_file ioctl { 0x5413 }; #avc: denied { read write } for pid=226 comm="updater" name="card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { open } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x640c scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { map } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a0 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a7 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a6 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 #avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b3 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 # avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 # avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1 allow updater dev_dri_file:chr_file { ioctl read write open map }; allowxperm updater dev_dri_file:chr_file ioctl { 0x640c 0x64a0 0x64a7 0x64a6 0x64a1 0x64b2 0x64b8 0x64a2 0x64b3 0x6409 0x64af }; #avc: denied { search } for pid=229 comm="updater" name="dri" dev="tmpfs" ino=89 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1 allow updater dev_dri_file:dir { search }; #avc: denied { read } for pid=228 comm="updater" name="by-name" dev="tmpfs" ino=106 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1 allow updater dev_block_volfile:lnk_file { read }; #avc: denied { read } for pid=228 comm="updater" name="misc" dev="tmpfs" ino=133 scontext=u:r:updater:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1 allow updater dev_file:lnk_file { read }; #avc: denied { search } for pid=231 comm="updater" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1 allow updater dev_unix_socket:dir { search }; #avc: denied { write } for pid=229 comm="updater" name="paramservice" dev="tmpfs" ino=15 scontext=u:r:updater:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1 allow updater paramservice_socket:sock_file { write }; #avc: denied { connectto } for pid=229 comm="updater" path="/dev/unix/socket/paramservice" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1 allow updater kernel:unix_stream_socket { connectto }; #avc: denied { entrypoint } for pid=226 comm="init" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { map } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { read } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { execute } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { open } for pid=226 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16682 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { getattr } for pid=227 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16679 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 #avc: denied { write } for pid=221 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=20796 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 # avc: denied { setattr } for pid=231 comm="updater" name="updater_binary" dev="rootfs" ino=19417 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 # avc: denied { execute_no_trans } for pid=278 comm="updater" path="/bin/mkfs.f2fs" dev="rootfs" ino=17686 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 allow updater rootfs:file { entrypoint map read execute open getattr write setattr execute_no_trans }; #avc: denied { read write } for pid=226 comm="updater" path="socket:[17326]" dev="sockfs" ino=17326 scontext=u:r:updater:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 allow updater ueventd:netlink_kobject_uevent_socket { read write}; #avc: denied { read } for pid=269 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 # avc: denied { map } for pid=263 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0 allow updater ohos_boot_param:file { read map open }; #avc: denied { mount } for pid=241 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1 #avc: denied { unmount } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 allow updater labeledfs:filesystem { mount unmount }; #avc: denied { set } for process="updater" parameter=startup.device.ctl pid=241 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1 allow updater servicectrl_reboot_param:parameter_service { set }; # avc: denied { read write } for pid=275 comm="processdump" path="/data/log/faultlog/temp/cppcrash-270-1502782678223" dev="mmcblk0p12" ino=3328 scontext=u:r:updater:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0 allow updater faultloggerd_temp_file:file { read write }; # avc: denied { mounton } for pid=237 comm="updater" path="/sdcard" dev="rootfs" ino=27932 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 allow updater rootfs:dir { mounton }; # avc: denied { setgid } for pid=270 comm="mount.ntfs" capability=6 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 # avc: denied { setuid } for pid=265 comm="mount.ntfs" capability=7 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0 allow updater updater:capability { setuid setgid }; # avc: denied { getattr } for pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 # avc: denied { read write } for pid=269 comm="mount.ntfs" name="fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 # avc: denied { open } for pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0 allow updater dev_fuse_file:chr_file { getattr read write open }; # avc: denied { open } for pid=272 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 # avc: denied { read } for pid=272 comm="mount.ntfs" name="filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 # avc: denied { getattr } for pid=265 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0 allow updater proc_filesystems_file:file { read open getattr }; # avc: denied { read write } for pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 # avc: denied { add_name } for pid=234 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 # avc: denied { open } for pid=238 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1 # avc: denied { remove_name } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1 allow updater exfat:dir { read write search add_name open remove_name }; # avc: denied { read } for pid=240 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { open } for pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { getattr } for pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { create } for pid=233 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { write } for pid=240 comm="updater" path="/sdcard/updater/update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 # avc: denied { unlink } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=1 allow updater exfat:file { read open getattr create write ioctl unlink }; # avc: denied { mount } for pid=242 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0 allow updater exfat:filesystem { mount }; # avc: denied { ioctl } for pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 allowxperm updater exfat:file ioctl { 0x5413 }; # avc: denied { write } for pid=272 comm="updater_binary" name="data" dev="rootfs" ino=27999 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0 #avc: denied { search } for pid=229 comm="updater" name="data" dev="rootfs" ino=18958 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 #avc: denied { remove_name } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 #avc: denied { getattr } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 #avc: denied { mounton } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 # avc: denied { open } for pid=234 comm="updater" path="/data" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 # avc: denied { read } for pid=234 comm="updater" name="/" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 # avc: denied { relabelfrom } for pid=234 comm="updater" name="log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 allow updater data_file:dir { write search remove_name getattr mounton open read relabelfrom}; # avc: denied { unlink } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1 allow updater updater_binary_exec:file { unlink }; # avc: denied { mount } for pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=filesystem permissive=0 allow updater vfat:filesystem { mount }; # avc: denied { read write } for pid=231 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 # avc: denied { ioctl } for pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 # avc: denied { unlink } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 allow updater vfat:file { create read open getattr write ioctl unlink }; # avc: denied { ioctl } for pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 allowxperm updater vfat:file ioctl { 0x5413 }; # avc: denied { open } for pid=235 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 # avc: denied { open } for pid=228 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 # avc: denied { remove_name } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 allow updater vfat:dir { read write search add_name open remove_name }; # avc: denied { read write } for pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 # avc: denied { search } for pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 # avc: denied { add_name } for pid=232 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 # avc: denied { open } for pid=237 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1 # avc: denied { remove_name } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1 allow updater ntfs:dir { read write search add_name open remove_name }; # avc: denied { read } for pid=227 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 # avc: denied { open } for pid=229 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 # avc: denied { ioctl } for pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 # avc: denied { unlink } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=1 allow updater ntfs:file { read create open getattr write ioctl unlink }; # avc: denied { ioctl } for pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 allowxperm updater ntfs:file ioctl { 0x5413 }; # avc: denied { mount } for pid=262 comm="mount.ntfs" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=filesystem permissive=0 allow updater ntfs:filesystem { mount }; # avc: denied { search } for pid=235 comm="updater" name="/" dev="functionfs" ino=18353 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1 allow updater functionfs:dir { search }; # avc: denied { set } for process="unknown process" parameter=sys.usb.ffs.ready pid=265 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:sys_param:s0 tclass=parameter_service permissive=1 allow updater sys_param:parameter_service { set }; # avc: denied { dac_override } for pid=235 comm="updater" capability=1 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1 allow updater updater:capability { dac_override }; debug_only(` # avc: denied { dyntransition } for pid=285 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 # avc: denied { signal } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 # avc: denied { sigkill } for pid=241 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 allow updater sh:process { dyntransition signal sigkill }; # avc: denied { dyntransition } for pid=255 comm="hdcd_shellfork" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=0 allow updater su:process { dyntransition }; ') # avc: denied { set } for process="unknown process" parameter=updater.flashd.configfs pid=235 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=parameter_service permissive=1 allow updater updater_flashd_param:parameter_service { set }; # avc: denied { map } for pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 # avc: denied { open } for pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 # avc: denied { read } for pid=233 comm="updater" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1 allow updater debug_param:file { map open read }; # avc: denied { dac_read_search } for pid=233 comm="updater" capability=2 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1 allow updater updater:capability { dac_read_search }; # avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 # avc: denied { open } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 allow updater dev_ptmx:chr_file { ioctl open }; # avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1 allowxperm updater dev_ptmx:chr_file ioctl { 0x5431 0x5430 }; allow updater data_file:dir { add_name create }; allow updater data_file:file { create getattr ioctl read write open setattr }; allowxperm updater data_file:file ioctl { 0x5413 }; # denied { map } for pid=246 comm="updater" path="/data/update/ota_package/firmware/versions/updater_diff.zip" dev="mmcblk0p12" ino=1409 scontext=u:r:updater:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1 allow updater update_firmware_file:file { map }; allow updater data_updater_file:file { map }; allow updater exfat:file { map }; allow updater ntfs:file { map }; allow updater vfat:file { map }; # avc: denied { relabelto } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 # avc: denied { setattr } for pid=235 comm="updater" name="updater" dev="mmcblk0p12" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1 allow updater data_file:dir { relabelto setattr }; # avc: denied { append } for pid=235 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=9 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1 allow updater data_file:file { append }; # avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 allow updater unlabeled:dir { getattr relabelfrom }; allow updater devinfo_private_param:file { map open read }; # avc: denied { relabelto } for pid=232 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1 allow updater updater_binary_exec:file { relabelto }; # avc: denied { syslog_read } for pid=230 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 allow updater kernel:system { syslog_read }; # avc: denied { read } for pid=232 comm="updater" name="misc" dev="tmpfs" ino=161 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=1 allow updater dev_block_file:lnk_file { read }; # avc: denied { add_name } for pid=232 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { create } for pid=232 comm="updater" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { open } for pid=232 comm="updater" path="/data/updater/log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { read } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { search } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { setattr } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { write } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 # avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1 allow updater unlabeled:dir { getattr relabelfrom add_name create open read search setattr write }; # avc: denied { relabelto } for pid=246 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1 allow updater data_updater_file:dir { relabelto }; # avc: denied { append open } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { create } for pid=246 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { getattr } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { read } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { relabelfrom } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 # avc: denied { setattr } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 allow updater unlabeled:file { append open create getattr ioctl read relabelfrom setattr }; # avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1 allowxperm updater unlabeled:file ioctl { 0x5413 }; # avc: denied { relabelto } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1 allow updater data_updater_file:file { relabelto }; allow updater updater_block_file:blk_file { write getattr read open ioctl lock }; allowxperm updater updater_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 }; allow updater updater_block_file:lnk_file { read }; # avc: denied { map } for pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 # avc: denied { open } for pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 # avc: denied { read } for pid=261 comm="hdcd_shellfork" name="u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1 allow updater persist_param:file { map open read }; # avc: denied { map } for pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 # avc: denied { open } for pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 # avc: denied { read } for pid=265 comm="hdcd_shellfork" name="u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1 allow updater updater_flashd_param:file { map open read }; ')