1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13updater_only(`
14
15# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init"  name="/bin/faultloggerd" dev="tmpfs" ino=727 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_exec:s0 tclass=file permissive=0
16allow init faultloggerd_exec:file { relabelto };
17# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init"  name="/bin/processdump" dev="tmpfs" ino=726 scontext=u:r:init:s0 tcontext=u:object_r:processdump_exec:s0 tclass=file permissive=0
18allow init processdump_exec:file { relabelto };
19# avc_audit_slow:267] avc: denied { relabelto } for pid=1, comm="/init"  name="/bin/updater_binary" dev="tmpfs" ino=957 scontext=u:r:init:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=0
20allow init updater_binary_exec:file { relabelto };
21
22#avc: denied { read } for pid=1 comm="init" name="ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
23#avc: denied { getattr } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
24#avc: denied { open } for pid=1 comm="init" path="/etc/selinux/targeted/contexts/file_contexts" dev="rootfs" ino=17429 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
25#avc: denied { open } for pid=1 comm="init" path="/etc/param/ohos.para.size" dev="rootfs" ino=17448 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
26#avc: denied { execute } for pid=231 comm="init" name="ueventd" dev="rootfs" ino=17717 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
27#avc: denied { execute_no_trans } for pid=233 comm="init" path="/bin/hilog" dev="rootfs" ino=797 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
28#avc: denied { map } for pid=1 comm="init" path="/lib/init/librebootmodule.z.so" dev="rootfs" ino=17620 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
29#avc: denied { map } for pid=235 comm="hilog" path="/bin/hilog" dev="rootfs" ino=17650 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
30#avc: denied { write } for pid=227 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_1.info" dev="rootfs" ino=26950 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
31allow init rootfs:file { getattr read open execute map };
32
33# avc: denied { read } for pid=1 comm="init" name="etc" dev="rootfs" ino=399 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
34# avc: denied { open } for pid=1 comm="init" path="/etc" dev="rootfs" ino=16655 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
35# avc: denied { relabelfrom } for pid=1 comm="init" name="system" dev="rootfs" ino=386 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
36# avc: denied { write } for pid=1 comm="init" name="/" dev="rootfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
37# avc: denied { add_name } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
38# avc: denied { create } for pid=1 comm="init" name="config" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
39# avc: denied { setattr } for pid=1 comm="init" name="param" dev="rootfs" ino=17987 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
40# avc:  denied  { relabelto } for  pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
41allow init rootfs:dir { read open write relabelfrom add_name create setattr relabelto };
42
43# avc: denied { create } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
44# avc: denied { setopt } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
45# avc: denied { bind } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
46allow init ueventd:netlink_kobject_uevent_socket { create setopt bind };
47
48# avc: denied { relabelto } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
49# avc: denied { read } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
50# avc: denied { open } for pid=1 comm="init" path="/system" dev="rootfs" ino=17408 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
51# avc:  denied  { getattr } for  pid=1 comm="init" path="/system" dev="rootfs" ino=17413 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
52allow init system_file:dir { read open relabelto getattr };
53
54# avc: denied { associate } for pid=1 comm="init" name="system" dev="rootfs" ino=17408 scontext=u:object_r:system_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
55allow system_file rootfs:filesystem { associate };
56
57#avc: denied { relabelfrom } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
58allow init rootfs:lnk_file { relabelfrom };
59
60#avc: denied { relabelto } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
61# avc:  denied  { getattr } for  pid=1 comm="init" path="/system/bin" dev="rootfs" ino=17417 scontext=u:r:init:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
62allow init system_bin_file:lnk_file { relabelto getattr };
63
64#avc: denied { associate } for pid=1 comm="init" name="bin" dev="rootfs" ino=2032 scontext=u:object_r:system_bin_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
65allow system_bin_file rootfs:filesystem { associate };
66
67#avc: denied { relabelto } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1
68# avc:  denied  { getattr } for  pid=1 comm="init" path="/system/lib" dev="rootfs" ino=17416 scontext=u:r:init:s0 tcontext=u:object_r:system_lib_file:s0 tclass=lnk_file permissive=1
69allow init system_lib_file:lnk_file { relabelto getattr };
70
71#avc: denied { associate } for pid=1 comm="init" name="lib" dev="rootfs" ino=2031 scontext=u:object_r:system_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
72allow system_lib_file rootfs:filesystem { associate };
73
74#avc: denied { relabelto } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
75#avc: denied { read } for pid=235 comm="hilog" name="etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
76# avc:  denied  { getattr } for  pid=1 comm="init" path="/system/etc" dev="rootfs" ino=17415 scontext=u:r:init:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
77allow init system_etc_file:lnk_file { relabelto read getattr };
78
79#avc: denied { associate } for pid=1 comm="init" name="etc" dev="rootfs" ino=2030 scontext=u:object_r:system_etc_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
80allow system_etc_file rootfs:filesystem { associate };
81
82#avc: denied { read } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
83#avc: denied { open } for pid=1 comm="init" path="/vendor" dev="rootfs" ino=16661 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
84#avc: denied { relabelto } for pid=1 comm="init" name="vendor" dev="rootfs" ino=2038 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
85# avc:  denied  { getattr } for  pid=1 comm="init" path="/vendor" dev="rootfs" ino=17423 scontext=u:r:init:s0 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=1
86allow init vendor_file:dir { relabelto read open getattr };
87
88#avc: denied { associate } for pid=1 comm="init" name="vendor" dev="rootfs" ino=16661 scontext=u:object_r:vendor_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
89allow vendor_file rootfs:filesystem { associate };
90
91
92#avc: denied { associate } for pid=1 comm="init" name="data" dev="rootfs" ino=20555 scontext=u:object_r:data_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
93allow data_file rootfs:filesystem { associate };
94
95#avc: denied { mount } for pid=1 comm="init" name="/" dev="tmpfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=1
96allow init tmpfs:filesystem { mount };
97
98#avc: denied { associate } for pid=1 comm="init" name="log" dev="rootfs" ino=20558 scontext=u:object_r:data_log:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
99allow data_log rootfs:filesystem { associate };
100
101#avc: denied { associate } for pid=1 comm="init" name="hilog" dev="rootfs" ino=20559 scontext=u:object_r:data_hilogd_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
102allow data_hilogd_file rootfs:filesystem { associate };
103
104#avc: denied { relabelto } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
105#avc: denied { read } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
106#avc: denied { open } for pid=1 comm="init" path="/config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
107#avc: denied { setattr } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:r:init:s0 tcontext=u:object_r:config_file:s0 tclass=dir permissive=1
108allow init config_file:dir { relabelto read open setattr };
109
110#avc: denied { associate } for pid=1 comm="init" name="config" dev="rootfs" ino=20592 scontext=u:object_r:config_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=1
111allow config_file rootfs:filesystem { associate };
112
113#avc: denied { getattr } for pid=1 comm="init" path="/config/usb_gadget/g1/os_desc/b.1" dev="configfs" ino=20701 scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=1
114allow init configfs:lnk_file { getattr };
115
116#avc: denied { read } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
117#avc: denied { open } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
118#avc: denied { search } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
119#avc: denied { setattr } for pid=1 comm="init" name="/" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
120#avc: denied { mounton } for pid=1 comm="init" path="/dev/usb-ffs/hdc" dev="functionfs" ino=19954 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
121allow init functionfs:dir { read open search setattr mounton };
122
123#avc: denied { getattr } for pid=1 comm="init" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=19955 scontext=u:r:init:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
124allow init functionfs:file { getattr };
125
126#avc: denied { transition } for pid=234 comm="init" path="/bin/updater" dev="rootfs" ino=17825 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
127#avc: denied { rlimitinh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
128#avc: denied { siginh } for pid=234 comm="updater" scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
129allow init updater:process { transition rlimitinh siginh };
130
131#avc: denied { open } for pid=236 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
132#avc: denied { map } for pid=235 comm="hilog" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:init:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
133allow init musl_param:file { open map };
134
135#avc: denied { write } for pid=234 comm="hilog" name="hilogControl" dev="tmpfs" ino=67 scontext=u:r:init:s0 tcontext=u:object_r:hilog_control_socket:s0 tclass=sock_file permissive=1
136allow init hilog_control_socket:sock_file { write };
137
138#avc: denied { connectto } for pid=234 comm="hilog" path="/dev/unix/socket/hilogControl" scontext=u:r:init:s0 tcontext=u:r:hilogd:s0 tclass=unix_stream_socket permissive=1
139allow init hilogd:unix_stream_socket { connectto };
140
141#avc: denied { ioctl } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 ioctlcmd=0x5413 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
142#avc: denied { write } for pid=234 comm="hilog" path="/dev/console" dev="rootfs" ino=16652 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
143allow init rootfs:chr_file { ioctl write };
144allowxperm init rootfs:chr_file ioctl { 0x5413 };
145
146# avc: denied { read } for pid=1 comm="init" name="misc" dev="tmpfs" ino=133 scontext=u:r:init:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1
147allow init dev_file:lnk_file { read };
148
149#avc: denied { relabelto } for pid=1 comm="init" name="lib64" dev="rootfs" ino=18269 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=0
150# avc:  denied  { getattr } for  pid=1 comm="init" path="/vendor/lib64" dev="rootfs" ino=17424 scontext=u:r:init:s0 tcontext=u:object_r:vendor_lib_file:s0 tclass=lnk_file permissive=1
151allow init vendor_lib_file:lnk_file { relabelto getattr };
152
153#avc: denied { associate } for pid=1 comm="init" name="lib64" dev="rootfs" ino=395 scontext=u:object_r:vendor_lib_file:s0 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
154allow vendor_lib_file rootfs:filesystem { associate };
155
156#avc: denied { mount } for pid=1 comm="init" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0
157allow init exfat:filesystem { mount };
158
159# avc: denied { mounton } for pid=1 comm="init" path="/sdcard" dev="mmcblk1p1" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
160allow init exfat:dir { mounton };
161
162#avc: denied { execute_no_trans } for pid=234 comm="init" path="/bin/hilog" dev="rootfs" ino=19711 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
163allow init rootfs:file { execute_no_trans };
164
165# avc:  denied  { getattr } for  pid=238 comm="init" path="/data/log/hilog/.persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1
166# avc:  denied  { relabelto } for  pid=238 comm="init" name=".persisterInfo_2" dev="rootfs" ino=27803 scontext=u:r:init:s0 tcontext=u:object_r:data_hilogd_file:s0 tclass=file permissive=1
167allow init data_hilogd_file:file { getattr relabelto };
168
169# avc:  denied  { getattr } for  pid=1 comm="init" path="/proc/235/status" dev="proc" ino=27295 scontext=u:r:init:s0 tcontext=u:r:updater:s0 tclass=file permissive=1
170allow init updater:file { getattr };
171
172# avc: denied { relabelfrom } for pid=237 comm="init" name=".persisterInfo_1" dev="rootfs" ino=28034 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
173allow init rootfs:file { relabelfrom };
174
175allow init updater_block_file:blk_file { getattr ioctl open read write };
176allowxperm init updater_block_file:blk_file ioctl { 0x5413 };
177')
178
179# avc:  denied  { execute } for  pid=1849 comm="init" name="write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1
180# avc:  denied  { execute_no_trans } for  pid=1849 comm="init" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1
181# avc:  denied  { map } for  pid=1849 comm="write_updater" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1
182# avc:  denied  { read open } for  pid=1849 comm="init" path="/system/bin/write_updater" dev="mmcblk0p7" ino=455 scontext=u:r:init:s0 tcontext=u:object_r:write_updater_exec:s0 tclass=file permissive=1
183#allow init write_updater_exec:file { execute execute_no_trans map read open };
184
185# avc:  denied  { open } for  pid=271 comm="init" path="/dev/asanlog" dev="tmpfs" ino=377 scontext=u:r:init:s0 tcontext=u:object_r:dev_asanlog_file:s0 tclass=dir permissive=1
186allow init dev_asanlog_file:dir { open };
187
188# avc:  denied  { getattr } for  pid=591 comm="init" path="/dev/unix/socket/faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1
189# avc:  denied  { relabelto } for  pid=591 comm="init" name="faultloggerd.crash.server" dev="tmpfs" ino=385 scontext=u:r:init:s0 tcontext=u:object_r:faultloggerd_socket_crash:s0 tclass=sock_file permissive=1
190allow init faultloggerd_socket_crash:sock_file { getattr relabelto };
191
192# avc:  denied  { setattr } for  pid=271 comm="init" name="sysrq-trigger" dev="proc" ino=4026532372 scontext=u:r:init:s0 tcontext=u:object_r:proc_sysrq_trigger_file:s0 tclass=file permissive=1
193allow init proc_sysrq_trigger_file:file { setattr };
194
195# avc:  denied  { relabelto } for  pid=1 comm="init" name="mmcblk0p2" dev="tmpfs" ino=35 scontext=u:r:init:s0 tcontext=u:object_r:updater_block_file:s0 tclass=blk_file permissive=1
196allow init updater_block_file:blk_file { relabelto };
197