1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14updater_only(`
15
16#avc: denied { read } for pid=240 comm="updater" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
17#avc: denied { open } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
18#avc: denied { map } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
# hilog parameter area: the denials above show updater reading, opening and
# mapping /dev/__parameters__/u:object_r:hilog_param:s0. No write is granted.
19allow updater hilog_param:file { read open map };
20
21#avc: denied { getattr } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
22#avc: denied { read write } for pid=240 comm="updater" name="hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
23#avc: denied { open } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
24#avc: denied { ioctl } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 ioctlcmd=0x6201 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
# HDF input host node (/dev/hdf_input_host in the denials above).
# The allowxperm line restricts the ioctl grant to the one command seen in the
# audit log (0x6201) instead of every ioctl on dev_hdf_file.
25allow updater dev_hdf_file:chr_file { getattr read write open ioctl };
26allowxperm updater dev_hdf_file:chr_file ioctl { 0x6201 };
27
28#avc: denied { getattr } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
29#avc: denied { read write } for pid=233 comm="updater" name="hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
30#avc: denied { open } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
31#avc: denied { ioctl } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 ioctlcmd=0x6203 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
32#avc: denied { ioctl } for pid=233 comm="evt_listen" path="/dev/hdf_input_event1" dev="tmpfs" ino=234 ioctlcmd=0x6202 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
# HDF input event node (/dev/hdf_input_event1 in the denials above). ioctl is
# restricted to the two logged commands; 0x6202 was logged from comm="evt_listen",
# which carries the updater context according to its scontext.
33allow updater dev_hdf_input:chr_file { getattr read write open ioctl };
34allowxperm updater dev_hdf_input:chr_file ioctl { 0x6203 0x6202 };
35
36#avc: denied { write } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
37#avc: denied { add_name } for pid=235 comm="updater" name="mainpage.png" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
38#avc: denied { read } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
39# avc:  denied  { remove_name } for  pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
# Directory operations on tmpfs: the denials show updater creating mainpage.png in
# a tmpfs root and removing the updater_binary entry.
# NOTE(review): tmpfs is a generic type, so this rule presumably reaches every
# tmpfs directory that has no more specific label - confirm whether a dedicated
# type for the updater scratch directory is practical.
40allow updater tmpfs:dir { write add_name read remove_name };
41
42#avc: denied { create } for pid=231 comm="updater" name="updater.log" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
43#avc: denied { open } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
44#avc: denied { getattr } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
45#avc: denied { setattr } for pid=229 comm="updater" name="updater_result" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
46#avc:  denied  { execute } for  pid=272 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
47#avc: denied { execute_no_trans } for pid=278 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
48# avc:  denied  { relabelfrom } for  pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
49# avc:  denied  { unlink } for  pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
# Scratch files on tmpfs (/tmp/updater.log, updater_result and /tmp/updater_binary
# in the denials above).
# NOTE(review): execute + execute_no_trans on the generic tmpfs type lets the
# domain run a tmpfs-labelled file in its own context, with no domain transition.
# The same rule grants create and append, so the domain may both produce and run
# such a file. The denials show the intent is /tmp/updater_binary only; a dedicated
# file type for it (compare updater_binary_exec used near the end of this file)
# would confine the execute grant to that one object.
# NOTE(review): relabelfrom is granted here; the matching relabelto is not visible
# in this part of the policy. append and ioctl have no denial in the log above;
# ioctl is limited to 0x5413 by the allowxperm line.
50allow updater tmpfs:file { unlink append ioctl create open getattr setattr execute execute_no_trans relabelfrom };
51allowxperm updater tmpfs:file ioctl { 0x5413 };
52
53#avc: denied { write } for pid=262 comm="resize.f2fs" name="mmcblk0p12" dev="tmpfs" ino=98 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
54#avc: denied { read } for pid=228 comm="updater" name="mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
55#avc: denied { open } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
56#avc: denied { getattr } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
57#avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
58#avc: denied  { ioctl } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
59#avc: denied  { lock } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
# Raw access to block devices labelled dev_block_file. The denials come from
# updater and from helpers that keep the updater context (resize.f2fs, mount.ntfs),
# so every program executed without a domain transition shares this write access.
# NOTE(review): the label is not partition-specific in the log (mmcblk0p2,
# mmcblk0p12 and mmcblk1p1 all carry it), so the rule cannot tell an update target
# from any other partition; narrowing it would need per-partition types.
60allow updater dev_block_file:blk_file { write getattr read open ioctl lock };
61
62# avc: denied  { ioctl } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
63# avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
64# avc: denied  { ioctl } for  pid=269 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x1271 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
65# avc:  denied  { ioctl } for  pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x1272 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
66# avc:  denied  { ioctl } for  pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x127d scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
67# avc:  denied  { ioctl } for  pid=278 comm="mkfs.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x2285 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
68# avc: denied { ioctl } for pid=239 comm="updater" path="/dev/block/mmcblk0p14" dev="tmpfs" ino=151 ioctlcmd=0x1277 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
# ioctl allowlist for block devices. Going by the Linux UAPI headers the logged
# command numbers correspond to: 0x125e BLKROGET, 0x1268 BLKSSZGET, 0x1271 BLKBSZSET,
# 0x1272 BLKGETSIZE64, 0x1277 BLKDISCARD, 0x127d BLKSECDISCARD, 0x2285 SG_IO
# (verify against the headers of the kernel in use).
# NOTE(review): 0x2285 (logged from mkfs.f2fs) is a command pass-through interface
# and is much broader than the size and discard queries; confirm the tool fails
# without it before keeping it on the list.
# NOTE(review): 0x5413 (TIOCGWINSZ on Linux) has no blk_file denial in the log
# above - confirm it is needed for this class.
69allowxperm updater dev_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 };
70
71#avc: denied { read } for pid=274 comm="resize.f2fs" name="version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1
72#avc: denied { open } for pid=274 comm="resize.f2fs" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1
# Read-only access to /proc/version; the denials were raised by resize.f2fs running
# in the updater context.
73allow updater proc_version_file:file { read open };
74
75#denied { getattr } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p12/partition" dev="sysfs" ino=31854 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
76#avc: denied { read } for pid=274 comm="resize.f2fs" name="zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
77#denied { open } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/queue/zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
# Read-only sysfs attributes; the denials show resize.f2fs querying the partition
# and queue/zoned entries of the mmcblk0 device.
# NOTE(review): sys_file looks like the generic sysfs type, so the grant presumably
# covers more than these two attributes - confirm.
78allow updater sys_file:file { read getattr open };
79
80#avc: denied { getattr } for pid=231 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
81#avc: denied { search } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
82#avc: denied { read } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
83#avc: denied { open } for pid=238 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
84#avc: denied { write } for pid=238 comm="updater" name="log" dev="mmcblk0p12" ino=954 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
85#avc: denied { add_name } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
86#avc: denied { remove_name } for pid=227 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=5006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
87#avc: denied { create } for pid=231 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0
88# avc:  denied  { rmdir } for  pid=231 comm="updater" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0
89# avc: denied { setattr } for pid=249 comm="updater" name="updater" dev="mmcblk0p12" ino=144 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
# Directory management under /data/updater (data_updater_file): list, create,
# remove and change attributes, each backed by a denial above.
# NOTE(review): the update_firmware_file rule has no denial of its own in this
# file; it repeats the data_updater_file set minus setattr. Confirm that each
# permission is actually exercised for that type.
90allow updater data_updater_file:dir { read getattr add_name search write open remove_name create rmdir setattr };
91allow updater update_firmware_file:dir { read getattr add_name search write open remove_name create rmdir };
92
93#avc: denied { create } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
94#avc: denied { append } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
95#avc: denied { open } for pid=238 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
96#avc: denied { getattr } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
97#avc: denied { ioctl } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
98#avc: denied { read } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
99#avc: denied { setattr } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
100#avc: denied { unlink } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
101#avc: denied { write } for pid=235 comm="updater" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
# Regular files under /data/updater (updater_log and update.bin.tmp in the denials
# above). ioctl is limited to 0x5413, the only command logged for this type.
102allow updater data_updater_file:file { create open append getattr ioctl read setattr unlink write };
103allowxperm updater data_updater_file:file ioctl { 0x5413 };
104
# Same permission set as the data_updater_file:file rule, applied to
# update_firmware_file.
# NOTE(review): no denial for this type is recorded in this file; confirm the set
# was derived from observed access and not only copied from the rule above.
105allow updater update_firmware_file:file { create open append getattr ioctl read setattr unlink write };
106allowxperm updater update_firmware_file:file ioctl { 0x5413 };
107
108#avc: denied { search } for pid=228 comm="updater" name="block" dev="tmpfs" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
# Traverse the dev_block_volfile directory; the denial names it "block" on tmpfs.
109allow updater dev_block_volfile:dir { search };
110
111# avc: denied { set } for process="updater" parameter=updater.hdc.configfs pid=234 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=1
112#avc: denied { set } for process="unknown process" parameter=updater.data.configs pid=232 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:update_updater_param:s0 tclass=parameter_service permissive=0
# Lets updater set parameters labelled update_updater_param; the log shows
# updater.hdc.configfs and updater.data.configs being set.
113allow updater update_updater_param:parameter_service { set };
114
115#avc: denied { read } for pid=227 comm="updater" name="bin" dev="rootfs" ino=17791 scontext=u:r:updater:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
# Resolve the symlink named "bin" on rootfs, which is labelled system_bin_file.
116allow updater system_bin_file:lnk_file { read };
117
118# avc: denied { module_request } for pid=227 comm="updater" kmod="quota_v2" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
# The kernel tried to autoload "quota_v2" on behalf of updater (denial above).
# NOTE(review): module_request is not tied to a module name, so the grant covers
# any autoload request this domain triggers. If the updater image neither ships
# nor needs quota_v2, a dontaudit rule would quiet the log without granting it.
119allow updater kernel:system { module_request };
120
121# avc: denied { read } for pid=234 comm="updater" name="usb-ffs" dev="tmpfs" ino=314 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
122# avc:  denied  { open } for  pid=235 comm="updater" path="/dev/usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
123# avc:  denied  { search } for  pid=235 comm="updater" name="usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
# List and traverse /dev/usb-ffs (see the denials above).
124allow updater dev_usb_ffs:dir { read open search };
125
126# avc: denied { read write } for pid=234 comm="updater" name="ep0" dev="functionfs" ino=27986 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
127# avc:  denied  { open } for  pid=235 comm="updater" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=18354 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
# Read and write the FunctionFS endpoint /dev/usb-ffs/hdc/ep0.
# NOTE(review): this suggests the updater process itself drives the hdc USB
# function; confirm that is intended for production images and not only for
# debug builds.
128allow updater functionfs:file { read write open };
129
130# avc: denied { search } for pid=234 comm="updater" name="local" dev="mmcblk0p12" ino=87 scontext=u:r:updater:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1
# Traverse the directory named "local" (data_local) on the data partition.
131allow updater data_local:dir { search };
132
133
134# avc: denied { dyntransition } for pid=281 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1
# Dynamic transition: lets a process in the updater domain switch its own context
# to updater_binary at run time, without an exec.
# NOTE(review): a dynamic transition keeps the memory and open descriptors of the
# old context, so the new type does not start from a clean state. An exec-based
# transition is the stricter option where the code layout allows it.
135allow updater updater_binary:process { dyntransition };
136
137# avc: denied { setcurrent } for pid=279 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
# setcurrent is the source-side permission for changing the current context of
# the process; it pairs with the dyntransition rule on updater_binary.
138allow updater updater:process { setcurrent };
139
140# avc: denied { read write } for pid=292 comm="sh" name="tty" dev="tmpfs" ino=282 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
# Read/write on tty_device. The denial was raised by comm="sh" on the node named
# "tty", i.e. a shell running with the updater context.
141allow updater tty_device:chr_file { read write };
142
143#avc: denied { read } for pid=227 comm="updater" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
144#avc: denied { open } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
145#avc: denied { map } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
# musl parameter area: read, open and map of
# /dev/__parameters__/u:object_r:musl_param:s0. No write is granted.
146allow updater musl_param:file { read map open };
147
148# avc: denied { read } for pid=236 comm="updater" name="etc" dev="rootfs" ino=17422 scontext=u:r:updater:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
# Resolve the symlink named "etc" on rootfs, which is labelled system_etc_file.
149allow updater system_etc_file:lnk_file { read };
150
151# avc: denied { chown } for pid=227 comm="updater" capability=0 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
152# avc: denied { sys_admin } for pid=228 comm="updater" capability=21 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
# Capabilities denied to comm="updater" in the log above.
# NOTE(review): sys_admin is a very broad capability. The mount rules further down
# suggest why it is needed, but the denial does not say which operation triggered
# it - confirm, and keep in mind that every helper run in this domain holds it too.
153allow updater updater:capability { sys_admin chown };
154
155# avc: denied { read write } for pid=239 comm="updater" name="ptmx" dev="tmpfs" ino=232 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# Pseudo-terminal multiplexer node (name="ptmx" in the denial above).
156allow updater dev_ptmx:chr_file { read write };
157
158# avc: denied { search } for pid=266 comm="updater" name="/" dev="devpts" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1
# Traverse the root of the devpts filesystem.
159allow updater dev_pts_file:dir { search };
160
161# avc: denied { read write } for pid=266 comm="updater" name="0" dev="devpts" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
# Read/write on a devpts entry (name="0" in the denial above).
162allow updater devpts:chr_file { read write };
163
164# avc: denied { ioctl } for pid=266 comm="sh" path="/dev/tty" dev="tmpfs" ino=282 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
# ioctl on /dev/tty, raised by comm="sh"; restricted to 0x5413 (TIOCGWINSZ on
# Linux). This adds to the read/write rule for the same type and class earlier in
# the file; the two could be written as one rule.
165allow updater tty_device:chr_file { ioctl};
166allowxperm updater tty_device:chr_file ioctl { 0x5413 };
167
168#avc: denied { read write } for pid=227 comm="updater" path="/dev/console" dev="rootfs" ino=16653 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
169#avc: denied { ioctl } for pid=229 comm="updater" path="/dev/console" dev="rootfs" ino=3976 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
# /dev/console carries the generic rootfs label in the denials above. ioctl is
# restricted to 0x5413, the only command logged.
# NOTE(review): the rule applies to every character device labelled rootfs, not
# only the console; a dedicated console type would narrow it.
170allow updater rootfs:chr_file { read write ioctl };
171allowxperm updater rootfs:chr_file ioctl { 0x5413 };
172
173#avc: denied { read write } for pid=226 comm="updater" name="card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
174#avc: denied { open } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
175#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x640c scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
176#avc: denied { map } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
177#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a0 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
178#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a7 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
179#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a6 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
180#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
181#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
182#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
183#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
184#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b3 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
185# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
186# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
# Display node /dev/dri/card0: read, write, open and map, plus ioctl restricted to
# the eleven commands that appear in the denials above.
187allow updater dev_dri_file:chr_file { ioctl read write open map };
188allowxperm updater dev_dri_file:chr_file ioctl { 0x640c 0x64a0 0x64a7 0x64a6 0x64a1 0x64b2 0x64b8 0x64a2 0x64b3 0x6409 0x64af };
189
190#avc: denied { search } for pid=229 comm="updater" name="dri" dev="tmpfs" ino=89 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1
# Traverse the directory named "dri" that holds the display node.
191allow updater dev_dri_file:dir { search };
192
193#avc: denied { read } for pid=228 comm="updater" name="by-name" dev="tmpfs" ino=106 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1
# Resolve the "by-name" symlink (dev_block_volfile) on the /dev tmpfs.
194allow updater dev_block_volfile:lnk_file { read };
195
196#avc: denied { read } for pid=228 comm="updater" name="misc" dev="tmpfs" ino=133 scontext=u:r:updater:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1
# Resolve the symlink named "misc", which carries the generic dev_file label.
197allow updater dev_file:lnk_file { read };
198
199#avc: denied { search } for pid=231 comm="updater" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
# Traverse the directory named "socket" (dev_unix_socket) to reach socket files.
200allow updater dev_unix_socket:dir { search };
201
202#avc: denied { write } for pid=229 comm="updater" name="paramservice" dev="tmpfs" ino=15 scontext=u:r:updater:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
# Write to the "paramservice" socket file, which is how the domain reaches the
# parameter service (see the connectto denial that follows in this file).
203allow updater paramservice_socket:sock_file { write };
204
205#avc: denied { connectto } for pid=229 comm="updater" path="/dev/unix/socket/paramservice" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
# Connect to /dev/unix/socket/paramservice. In the denial the peer context is
# u:r:kernel:s0.
# NOTE(review): the rule is keyed on the peer domain, so it permits connecting to
# any stream socket whose listener runs as kernel, not only paramservice. A
# dedicated domain for the parameter service would make this grant specific.
206allow updater kernel:unix_stream_socket { connectto };
207
208#avc: denied { entrypoint } for pid=226 comm="init" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
209#avc: denied { map } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
210#avc: denied { read } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
211#avc: denied { execute } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
212#avc: denied { open } for pid=226 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16682 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
213#avc: denied { getattr } for pid=227 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16679 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
214#avc: denied { write } for pid=221 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=20796 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
215# avc:  denied  { setattr } for  pid=231 comm="updater" name="updater_binary" dev="rootfs" ino=19417 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
216# avc:  denied  { execute_no_trans } for  pid=278 comm="updater" path="/bin/mkfs.f2fs" dev="rootfs" ino=17686 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
# Files that carry the generic rootfs label: /bin/updater (entrypoint, map, read,
# execute), /etc/ld-musl-namespace-arm.ini (open, getattr), updater_binary
# (setattr) and /bin/mkfs.f2fs (execute_no_trans), per the denials above.
# NOTE(review): the only write denial quoted above has scontext=u:r:hilogd:s0, not
# updater, so nothing in this file shows that updater needs write on rootfs files.
# Confirm with an updater denial or drop write from this rule.
# NOTE(review): with write, setattr, execute and execute_no_trans on one type the
# domain may modify and then run rootfs-labelled files in its own context;
# separate types for the executables would keep those permissions apart.
217allow updater rootfs:file { entrypoint  map read execute open getattr write setattr execute_no_trans };
218
219#avc: denied { read write } for pid=226 comm="updater" path="socket:[17326]" dev="sockfs" ino=17326 scontext=u:r:updater:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
# Read/write on a netlink uevent socket labelled with the ueventd domain; the
# denial shows it as path="socket:[17326]" accessed by comm="updater".
# presumably a descriptor created by ueventd and passed on - TODO confirm origin.
220allow updater ueventd:netlink_kobject_uevent_socket { read write};
221
222#avc: denied { read } for pid=269 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0
223# avc:  denied  { map } for  pid=263 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0
# Boot parameter area, read and mapped by comm="updater_binary" running in the
# updater context. open is granted alongside, without a denial of its own above.
224allow updater ohos_boot_param:file { read map open };
225
226#avc: denied { mount } for pid=241 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1
227#avc: denied { unmount } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
# Mount and unmount filesystems of type labeledfs; the mount denial names the
# mmcblk0p12 partition.
228allow updater labeledfs:filesystem { mount unmount };
229
230#avc: denied { set } for process="updater" parameter=startup.device.ctl pid=241 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1
# Lets updater set startup.device.ctl (labelled servicectrl_reboot_param).
# presumably used to request the reboot after an update - confirm.
231allow updater servicectrl_reboot_param:parameter_service { set };
232
233# avc:  denied  { read write } for  pid=275 comm="processdump" path="/data/log/faultlog/temp/cppcrash-270-1502782678223" dev="mmcblk0p12" ino=3328 scontext=u:r:updater:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0
# Crash dump file under /data/log/faultlog/temp, accessed by comm="processdump"
# while it runs with the updater context.
234allow updater faultloggerd_temp_file:file { read write };
235
236# avc:  denied  { mounton } for  pid=237 comm="updater" path="/sdcard" dev="rootfs" ino=27932 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
# Use a rootfs-labelled directory as a mount point; the denial shows /sdcard.
# NOTE(review): the grant applies to any directory labelled rootfs, not only
# /sdcard.
237allow updater rootfs:dir { mounton };
238
239# avc:  denied  { setgid } for  pid=270 comm="mount.ntfs" capability=6  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
240# avc:  denied  { setuid } for  pid=265 comm="mount.ntfs" capability=7  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
# setuid/setgid were denied to comm="mount.ntfs", which runs in the updater
# context.
# NOTE(review): the capabilities go to the whole domain, on top of sys_admin and
# chown granted earlier. A separate domain for mount.ntfs would keep them away from
# the main updater process.
241allow updater updater:capability { setuid setgid };
242
243# avc:  denied  { getattr } for  pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
244# avc:  denied  { read write } for  pid=269 comm="mount.ntfs" name="fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
245# avc:  denied  { open } for  pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
# /dev/fuse, opened read/write by mount.ntfs in the updater context.
246allow updater dev_fuse_file:chr_file { getattr read write open };
247
248# avc:  denied  { open } for  pid=272 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
249# avc:  denied  { read } for  pid=272 comm="mount.ntfs" name="filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
250# avc:  denied  { getattr } for  pid=265 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
# Read-only access to /proc/filesystems, requested by mount.ntfs.
251allow updater proc_filesystems_file:file { read open getattr };
252
253# avc:  denied  { read write } for  pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
254# avc:  denied  { add_name } for  pid=234 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
255# avc: denied { open } for pid=238 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
256# avc: denied { remove_name } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
# Directories on the exfat-labelled card (mmcblk1p1, mounted at /sdcard in the
# denials): list, create and remove entries such as update.bin.tmp.
# search is granted alongside without a denial of its own above.
257allow updater exfat:dir { read write search add_name open remove_name };
258
259# avc:  denied  { read } for  pid=240 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
260# avc:  denied  { open } for  pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
261# avc:  denied  { getattr } for  pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
262# avc:  denied  { create } for  pid=233 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
263# avc:  denied  { write } for  pid=240 comm="updater" path="/sdcard/updater/update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
264# avc:  denied  { ioctl } for  pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
265# avc: denied { unlink } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=1
# Files on the exfat-labelled card: the denials show updater reading
# /sdcard/updater/updater.zip and creating, writing and unlinking temporary files.
# NOTE(review): this policy cannot constrain what the card contains; the integrity
# of updater.zip has to come from package verification inside updater - confirm it
# completes before any content from the card is used.
266allow updater exfat:file { read open getattr create write ioctl unlink };
267
268# avc:  denied  { mount } for  pid=242 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0
# Mount the exfat-labelled filesystem on mmcblk1p1.
# NOTE(review): unmount is not granted here, unlike the labeledfs rule earlier in
# this file - confirm the card is never unmounted from this domain.
269allow updater exfat:filesystem { mount };
270
271# avc:  denied  { ioctl } for  pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
# 0x5413 is TIOCGWINSZ on Linux. On a regular file this is normally a terminal probe
# (an isatty-style check, presumably) rather than a real device operation.
# Because an allowxperm rule exists for this source, target and class, every other
# ioctl command on exfat files stays denied.
272allowxperm updater exfat:file ioctl { 0x5413 };
273
274# avc:  denied  { write } for  pid=272 comm="updater_binary" name="data" dev="rootfs" ino=27999 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
275#avc: denied { search } for pid=229 comm="updater" name="data" dev="rootfs" ino=18958 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
276#avc: denied { remove_name } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
277#avc: denied { getattr } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
278#avc: denied { mounton } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
279# avc: denied { open } for pid=234 comm="updater" path="/data" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
280# avc: denied { read } for pid=234 comm="updater" name="/" dev="mmcblk0p18" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
281# avc: denied { relabelfrom } for pid=234 comm="updater" name="log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
# Directory permissions on the generic data_file type. mounton lets updater mount a
# filesystem over /data (denial path="/data" on rootfs); relabelfrom lets it move a
# directory out of data_file (the "log" directory in the last denial above).
# NOTE(review): the remove_name denial quoted above has tcontext data_updater_file,
# not data_file, so it does not justify remove_name in this rule; confirm it is needed.
# NOTE(review): data_file is a broad label, and later rules in this file add more
# data_file:dir permissions (add_name create, relabelto setattr). The effective grant
# is the union of all of them.
282allow updater data_file:dir { write search remove_name getattr mounton open read relabelfrom};
283
284# avc: denied { unlink } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1
285allow updater updater_binary_exec:file { unlink };
286
287# avc:  denied  { mount } for  pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=filesystem permissive=0
288allow updater vfat:filesystem { mount };
289
290# avc:  denied  { read write } for  pid=231 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
291# avc:  denied  { ioctl } for  pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
292# avc: denied { unlink } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
293allow updater vfat:file { create read open getattr write ioctl unlink };
294
295# avc:  denied  { ioctl } for  pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
296allowxperm updater vfat:file ioctl { 0x5413 };
297
298# avc:  denied  { open } for  pid=235 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
299# avc: denied { open } for pid=228 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
300# avc: denied { remove_name } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
301allow updater vfat:dir { read write search add_name open remove_name };
302
303# avc:  denied  { read write } for  pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
304# avc:  denied  { search } for  pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
305# avc:  denied  { add_name } for  pid=232 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
306# avc: denied { open } for pid=237 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
307# avc: denied { remove_name } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
308allow updater ntfs:dir { read write search add_name open remove_name };
309
310# avc:  denied  { read } for  pid=227 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
311# avc:  denied  { open } for  pid=229 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
312# avc:  denied  { ioctl } for  pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
313# avc: denied { unlink } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=1
314allow updater ntfs:file { read create open getattr write ioctl unlink };
315
316# avc:  denied  { ioctl } for  pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
317allowxperm updater ntfs:file ioctl { 0x5413 };
318
319# avc:  denied  { mount } for  pid=262 comm="mount.ntfs" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=filesystem permissive=0
# The comm in the denial is "mount.ntfs" with scontext updater: the mount helper runs
# inside the updater domain, so it holds every permission granted in this file while
# it parses the volume.
# NOTE(review): if the helper can be given its own domain, the parser for external
# media would no longer share the block-device and capability grants of updater.
320allow updater ntfs:filesystem { mount };
321
322# avc:  denied  { search } for  pid=235 comm="updater" name="/" dev="functionfs" ino=18353 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
323allow updater functionfs:dir { search };
324
325# avc:  denied  { set } for process="unknown process" parameter=sys.usb.ffs.ready pid=265 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:sys_param:s0 tclass=parameter_service permissive=1
# NOTE(review): the recorded denial is for a single parameter (sys.usb.ffs.ready),
# but this rule allows set on everything labelled sys_param. A dedicated label for
# that parameter, as is done with updater_flashd_param further down, would keep the
# grant to what was actually observed.
326allow updater sys_param:parameter_service { set };
327
328# avc:  denied  { dac_override } for  pid=235 comm="updater" capability=1  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1
# dac_override (capability=1 in the denial) bypasses owner/mode checks for read,
# write and execute. SELinux rules still apply, but inside the types allowed in this
# file, file modes no longer restrict updater.
# NOTE(review): the denial does not name the object that triggered it. Confirm which
# path needed this; fixing ownership or mode on that path is narrower than the
# capability.
329allow updater updater:capability { dac_override };
330
# The rules below are wrapped in debug_only. The macro is defined elsewhere, so the
# build condition that enables it cannot be read from this file.
# NOTE(review): confirm that release images are built with this block disabled; it
# gives the updater domain a route into the sh and su domains.
331debug_only(`
# dyntransition lets a process running as updater switch its own context to sh
# without an exec. signal and sigkill let updater signal processes in the sh domain.
332# avc:  denied  { dyntransition } for  pid=285 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
333# avc:  denied  { signal } for  pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
334# avc: denied { sigkill } for pid=241 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
335allow updater sh:process { dyntransition signal sigkill };
336
# The comm in this denial is hdcd_shellfork running with scontext updater; the rule
# lets it switch its own context from updater to su.
337# avc:  denied  { dyntransition } for  pid=255 comm="hdcd_shellfork" scontext=u:r:updater:s0 tcontext=u:r:su:s0 tclass=process permissive=0
338allow updater su:process { dyntransition };
339')
340
341# avc:  denied  { set } for process="unknown process" parameter=updater.flashd.configfs pid=235 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=parameter_service permissive=1
342allow updater updater_flashd_param:parameter_service { set };
343
344# avc:  denied  { map } for  pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
345# avc:  denied  { open } for  pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
346# avc:  denied  { read } for  pid=233 comm="updater" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
347allow updater debug_param:file { map open read };
348
349# avc:  denied  { dac_read_search } for  pid=233 comm="updater" capability=2  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1
# dac_read_search (capability=2 in the denial) bypasses owner/mode checks for reading
# files and for reading or searching directories.
# NOTE(review): the denial does not identify the object. dac_override is granted by a
# separate rule earlier in this file; confirm both are still required once the
# triggering paths are known.
350allow updater updater:capability { dac_read_search };
351
352# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
353# avc: denied { open } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
354allow updater dev_ptmx:chr_file { ioctl open };
355
356# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
# 0x5431 is TIOCSPTLCK and 0x5430 is TIOCGPTN on Linux: the pair used to unlock a
# newly opened pseudo-terminal and read its number. Only 0x5431 appears in the quoted
# denial.
# NOTE(review): this rule sits outside debug_only, so pty allocation is allowed in
# every build of the updater domain; confirm that is intended.
357allowxperm updater dev_ptmx:chr_file ioctl { 0x5431 0x5430 };
358
# NOTE(review): no denial is quoted for these three rules, so the path that needs
# them is not documented here. They extend the generic data_file grants: updater may
# create directories, and create, read, write and change attributes of files, on
# anything labelled data_file.
359allow updater data_file:dir { add_name create };
360allow updater data_file:file { create getattr ioctl read write open setattr };
# 0x5413 is TIOCGWINSZ on Linux; this keeps the ioctl grant above to that one command.
361allowxperm updater data_file:file ioctl { 0x5413 };
362
363# denied { map } for pid=246 comm="updater" path="/data/update/ota_package/firmware/versions/updater_diff.zip" dev="mmcblk0p12" ino=1409 scontext=u:r:updater:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1
# map is the permission checked when a file is mmapped. Only the update_firmware_file
# case is backed by the denial quoted above; the other four types have no recorded
# denial in this file.
364allow updater update_firmware_file:file { map };
365allow updater data_updater_file:file { map };
# NOTE(review): exfat, ntfs and vfat files sit on external media; anything mapped
# from them is untrusted input until package verification has passed.
366allow updater exfat:file { map };
367allow updater ntfs:file { map };
368allow updater vfat:file { map };
369
370# avc: denied { relabelto } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
371# avc: denied { setattr } for pid=235 comm="updater" name="updater" dev="mmcblk0p12" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
372allow updater data_file:dir { relabelto setattr };
373
374# avc: denied { append } for pid=235 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=9 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
375allow updater data_file:file { append };
376
377# avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
378# avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
# NOTE(review): this rule is a subset of the larger unlabeled:dir rule further down,
# which also lists getattr and relabelfrom, so it is redundant and could be dropped.
379allow updater unlabeled:dir { getattr relabelfrom };
# NOTE(review): no denial is quoted for devinfo_private_param. The grant is the
# read-only parameter access set (map open read) used for other parameter types here.
380allow updater devinfo_private_param:file { map open read };
381
382# avc: denied { relabelto } for pid=232 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1
# relabelto lets updater assign the updater_binary_exec label to a file; the denial
# shows a tmpfs file named updater_binary.
# NOTE(review): presumably this label is what marks the file as the trusted
# updater_binary executable, so the file should already be verified before it is
# relabelled. The rules that use this type for execution are not in this part of
# the file; confirm against them.
383allow updater updater_binary_exec:file { relabelto };
384
385# avc: denied { syslog_read } for pid=230 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
# syslog_read permits reading the kernel log buffer.
# NOTE(review): kernel messages can contain addresses and device details; check where
# updater stores what it reads and which domains can read that location.
386allow updater kernel:system { syslog_read };
387
388# avc: denied { read } for pid=232 comm="updater" name="misc" dev="tmpfs" ino=161 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=lnk_file permissive=1
389allow updater dev_block_file:lnk_file { read };
390
391# avc: denied { add_name } for pid=232 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
392# avc: denied { create } for pid=232 comm="updater" name="updater" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
393# avc: denied { open } for pid=232 comm="updater" path="/data/updater/log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
394# avc: denied { read } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
395# avc: denied { search } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
396# avc: denied { setattr } for pid=232 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
397# avc: denied { write } for pid=232 comm="updater" name="updater" dev="mmcblk0p18" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
398# avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
399# avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
# unlabeled is the type given to objects whose stored context is missing or invalid.
# The denials above show /data and /data/updater/log in that state; relabelfrom here
# pairs with the relabelto rules for data_file and data_updater_file in this file.
# NOTE(review): the rule applies to every unlabeled directory updater can reach, not
# only to /data/updater. Create and write on unlabeled objects is a broad grant;
# confirm it cannot be narrowed by labelling the partition before updater touches it.
400allow updater unlabeled:dir { getattr relabelfrom add_name create open read search setattr write };
401
402# avc: denied { relabelto } for pid=246 comm="updater" name="log" dev="mmcblk0p18" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
403allow updater data_updater_file:dir { relabelto };
404
405# avc: denied { append open } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
406# avc: denied { create } for pid=246 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
407# avc: denied { getattr } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
408# avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
409# avc: denied { read } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
410# avc: denied { relabelfrom } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
411# avc: denied { setattr } for pid=246 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
# File counterpart of the unlabeled:dir rule: the denials above all refer to
# /data/updater/log/updater_log while it still carries the unlabeled type.
# relabelfrom lets updater move the file out of unlabeled; the matching relabelto on
# data_updater_file is granted further down.
# NOTE(review): as with directories, this covers any unlabeled file, not just the log.
412allow updater unlabeled:file { append open create getattr ioctl read relabelfrom setattr };
413
414# avc: denied { ioctl } for pid=246 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p18" ino=8 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=1
415allowxperm updater unlabeled:file ioctl { 0x5413 };
416
417# avc: denied { relabelto } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p18" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
418allow updater data_updater_file:file { relabelto };
419
# Raw access to block devices labelled updater_block_file. No denial is quoted for
# these rules.
420allow updater updater_block_file:blk_file { write getattr read open ioctl lock };
# ioctl numbers as defined on Linux: 0x2285 SG_IO, 0x5413 TIOCGWINSZ, 0x1268 BLKSSZGET,
# 0x125e BLKROGET, 0x1271 BLKBSZSET, 0x1272 BLKGETSIZE64, 0x127d BLKSECDISCARD,
# 0x1277 BLKDISCARD.
# NOTE(review): SG_IO passes raw SCSI commands to the device and the two discard
# commands erase data, so together with write this is among the highest-impact
# grants here. Confirm that updater_block_file covers only the partitions the
# updater has to flash, and whether SG_IO is still required.
421allowxperm updater updater_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 };
422allow updater updater_block_file:lnk_file { read };
423
424# avc:  denied  { map } for  pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
425# avc:  denied  { open } for  pid=261 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
426# avc:  denied  { read } for  pid=261 comm="hdcd_shellfork" name="u:object_r:persist_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:persist_param:s0 tclass=file permissive=1
# Read-only access to the persist_param parameter area (map open read).
# The quoted denials come from comm hdcd_shellfork with scontext updater: that helper
# runs in the updater domain, so this rule and every other rule in the file apply to
# it as well.
427allow updater persist_param:file { map open read };
428
429# avc:  denied  { map } for  pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1
430# avc:  denied  { open } for  pid=265 comm="hdcd_shellfork" path="/dev/__parameters__/u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1
431# avc:  denied  { read } for  pid=265 comm="hdcd_shellfork" name="u:object_r:updater_flashd_param:s0" dev="tmpfs" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=file permissive=1
432allow updater updater_flashd_param:file { map open read };
433
434')
435