1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13updater_only(`
14
15# avc: denied { read write } for pid=243 comm="hdcd" path="/dev/console" dev="rootfs" ino=3504 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
16# avc: denied { ioctl } for pid=234 comm="hdcd" path="/dev/console" dev="rootfs" ino=1979 ioctlcmd=0x5413 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
17allow hdcd rootfs:chr_file { read write ioctl };
18allowxperm hdcd rootfs:chr_file ioctl { 0x5413 };
19
20# avc: denied { entrypoint } for pid=243 comm="init" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
21# avc: denied { map } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
22# avc: denied { read } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
23# avc: denied { execute } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
24# avc: denied { open } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
25# avc: denied { getattr } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
26allow hdcd rootfs:file { entrypoint map read execute open getattr };
27
28# avc: denied { setcurrent } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:hdcd:s0 tclass=process permissive=1
29allow hdcd hdcd:process { setcurrent };
30
31debug_only(`
32# avc: denied { dyntransition } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
33allow hdcd sh:process { dyntransition };
34')
35
36#avc: denied { read write } for pid=235 comm="hdcd" path="socket:[20967]" dev="sockfs" ino=20967 scontext=u:r:hdcd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
37allow hdcd ueventd:netlink_kobject_uevent_socket { read write };
38
39# avc: denied { map } for pid=235 comm="hdcd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hdcd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
40allow hdcd musl_param:file { read open map };
41
42# avc: denied { read } for pid=235 comm="hdcd" name="etc" dev="rootfs" ino=18266 scontext=u:r:hdcd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
43allow hdcd system_etc_file:lnk_file { read };
44
45debug_only(`
46    # avc:  denied  { search } for  pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
47    # avc:  denied  { write } for  pid=236 comm="hdcd" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
48    # avc:  denied  { add_name } for  pid=235 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
49    allow hdcd ntfs:dir { search write add_name };
50
51    # avc:  denied  { search } for  pid=246 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
52    allow hdcd exfat:dir { search write add_name };
53
54    # avc:  denied  { create } for  pid=240 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
55    # avc:  denied  { write open } for  pid=235 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
56    allow hdcd ntfs:file { write open create };
57
58    # avc:  denied  { getattr } for  pid=238 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
59    allow hdcd exfat:file { create write open getattr };
60
61    # avc:  denied  { search } for  pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
62    # avc:  denied  { write } for  pid=239 comm="hdcd" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
63    # avc:  denied  { add_name } for  pid=241 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
64    allow hdcd vfat:dir { add_name write search };
65
66    # avc:  denied  { create } for  pid=234 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
67    allow hdcd vfat:file { create write open getattr };
68')
69')
70
71