• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2023 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14updater_only(`
15
16#avc: denied { read } for pid=240 comm="updater" name="u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
17#avc: denied { open } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
18#avc: denied { map } for pid=240 comm="updater" path="/dev/__parameters__/u:object_r:hilog_param:s0" dev="tmpfs" ino=34 scontext=u:r:updater:s0 tcontext=u:object_r:hilog_param:s0 tclass=file permissive=1
19allow updater hilog_param:file { read open map };
20
21#avc: denied { getattr } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
22#avc: denied { read write } for pid=240 comm="updater" name="hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
23#avc: denied { open } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
24#avc: denied { ioctl } for pid=240 comm="updater" path="/dev/hdf_input_host" dev="tmpfs" ino=214 ioctlcmd=0x6201 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_file:s0 tclass=chr_file permissive=1
25allow updater dev_hdf_file:chr_file { getattr read write open ioctl };
26allowxperm updater dev_hdf_file:chr_file ioctl { 0x6201 };
27
28#avc: denied { getattr } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
29#avc: denied { read write } for pid=233 comm="updater" name="hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
30#avc: denied { open } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
31#avc: denied { ioctl } for pid=233 comm="updater" path="/dev/hdf_input_event1" dev="tmpfs" ino=222 ioctlcmd=0x6203 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
32#avc: denied { ioctl } for pid=233 comm="evt_listen" path="/dev/hdf_input_event1" dev="tmpfs" ino=234 ioctlcmd=0x6202 scontext=u:r:updater:s0 tcontext=u:object_r:dev_hdf_input:s0 tclass=chr_file permissive=1
33allow updater dev_hdf_input:chr_file { getattr read write open ioctl };
34allowxperm updater dev_hdf_input:chr_file ioctl { 0x6203 0x6202 };
35
36#avc: denied { write } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
37#avc: denied { add_name } for pid=235 comm="updater" name="mainpage.png" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
38#avc: denied { read } for pid=235 comm="updater" name="/" dev="tmpfs" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
39# avc:  denied  { remove_name } for  pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
40allow updater tmpfs:dir { write add_name read remove_name };
41
42#avc: denied { create } for pid=231 comm="updater" name="updater.log" scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
43#avc: denied { open } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
44#avc: denied { getattr } for pid=231 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
45#avc: denied { setattr } for pid=229 comm="updater" name="updater_result" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
46#avc:  denied  { execute } for  pid=272 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
47#avc: denied { execute_no_trans } for pid=278 comm="updater" path="/tmp/updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
48# avc:  denied  { relabelfrom } for  pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
49# avc:  denied  { unlink } for  pid=238 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0
50allow updater tmpfs:file { unlink append ioctl create open getattr setattr execute execute_no_trans relabelfrom };
51allowxperm updater tmpfs:file ioctl { 0x5413 };
52
53#avc: denied { write } for pid=262 comm="resize.f2fs" name="mmcblk0p12" dev="tmpfs" ino=98 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
54#avc: denied { read } for pid=228 comm="updater" name="mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
55#avc: denied { open } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
56#avc: denied { getattr } for pid=228 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
57#avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
58#avc: denied  { ioctl } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
59#avc: denied  { lock } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
60allow updater dev_block_file:blk_file { write getattr read open ioctl lock };
61
62# avc: denied  { ioctl } for  pid=272 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x125e scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
63# avc: denied { ioctl } for pid=274 comm="resize.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x1268 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
64# avc: denied  { ioctl } for  pid=269 comm="mount.ntfs" path="/dev/block/mmcblk1p1" dev="tmpfs" ino=160 ioctlcmd=0x1271 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
65# avc:  denied  { ioctl } for  pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x1272 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
66# avc:  denied  { ioctl } for  pid=265 comm="updater" path="/dev/block/mmcblk0p2" dev="tmpfs" ino=132 ioctlcmd=0x127d scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
67# avc:  denied  { ioctl } for  pid=278 comm="mkfs.f2fs" path="/dev/block/mmcblk0p12" dev="tmpfs" ino=104 ioctlcmd=0x2285 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=1
68# avc: denied { ioctl } for pid=239 comm="updater" path="/dev/block/mmcblk0p14" dev="tmpfs" ino=151 ioctlcmd=0x1277 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_file:s0 tclass=blk_file permissive=0
69allowxperm updater dev_block_file:blk_file ioctl { 0x2285 0x5413 0x1268 0x125e 0x1271 0x1272 0x127d 0x1277 };
70
71#avc: denied { read } for pid=274 comm="resize.f2fs" name="version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1
72#avc: denied { open } for pid=274 comm="resize.f2fs" path="/proc/version" dev="proc" ino=4026532114 scontext=u:r:updater:s0 tcontext=u:object_r:proc_version_file:s0 tclass=file permissive=1
73allow updater proc_version_file:file { read open };
74
75#denied { getattr } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p12/partition" dev="sysfs" ino=31854 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
76#avc: denied { read } for pid=274 comm="resize.f2fs" name="zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
77#denied { open } for pid=274 comm="resize.f2fs" path="/sys/devices/platform/fe310000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/queue/zoned" dev="sysfs" ino=31912 scontext=u:r:updater:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
78allow updater sys_file:file { read getattr open };
79
80#avc: denied { getattr } for pid=231 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
81#avc: denied { search } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
82#avc: denied { read } for pid=238 comm="updater" name="updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
83#avc: denied { open } for pid=238 comm="updater" path="/data/updater" dev="mmcblk0p12" ino=118 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
84#avc: denied { write } for pid=238 comm="updater" name="log" dev="mmcblk0p12" ino=954 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
85#avc: denied { add_name } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
86#avc: denied { remove_name } for pid=227 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=5006 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
87#avc: denied { create } for pid=231 comm="updater" name="log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0
88# avc:  denied  { rmdir } for  pid=231 comm="updater" name="update_tmp" dev="mmcblk0p12" ino=3277 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=0
89# avc: denied { setattr } for pid=249 comm="updater" name="updater" dev="mmcblk0p12" ino=144 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
90allow updater data_updater_file:dir { read getattr add_name search write open remove_name create rmdir setattr };
91allow updater update_firmware_file:dir { read getattr add_name search write open remove_name create rmdir };
92
93#avc: denied { create } for pid=238 comm="updater" name="updater_log" scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
94#avc: denied { append } for pid=238 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
95#avc: denied { open } for pid=238 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
96#avc: denied { getattr } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
97#avc: denied { ioctl } for pid=228 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=1037 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
98#avc: denied { read } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
99#avc: denied { setattr } for pid=228 comm="updater" name="updater_log" dev="mmcblk0p12" ino=1037 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
100#avc: denied { unlink } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
101#avc: denied { write } for pid=235 comm="updater" path="/data/updater/update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=file permissive=1
102allow updater data_updater_file:file { create open append getattr ioctl read setattr unlink write };
103allowxperm updater data_updater_file:file ioctl { 0x5413 };
104
105allow updater update_firmware_file:file { create open append getattr ioctl read setattr unlink write };
106allowxperm updater update_firmware_file:file ioctl { 0x5413 };
107
108#avc: denied { search } for pid=228 comm="updater" name="block" dev="tmpfs" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=dir permissive=1
109allow updater dev_block_volfile:dir { search };
110
111# avc: denied { set } for process="updater" parameter=updater.hdc.configfs pid=234 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_hdc_param:s0 tclass=parameter_service permissive=1
112allow updater updater_hdc_param:parameter_service { set };
113
114#avc: denied { set } for process="unknown process" parameter=updater.data.configs pid=232 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_data_param:s0 tclass=parameter_service permissive=0
115allow updater updater_data_param:parameter_service { set };
116
117#avc: denied { read } for pid=227 comm="updater" name="bin" dev="rootfs" ino=17791 scontext=u:r:updater:s0 tcontext=u:object_r:system_bin_file:s0 tclass=lnk_file permissive=1
118allow updater system_bin_file:lnk_file { read };
119
120# avc: denied { module_request } for pid=227 comm="updater" kmod="quota_v2" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
121allow updater kernel:system { module_request };
122
123# avc: denied { read } for pid=234 comm="updater" name="usb-ffs" dev="tmpfs" ino=314 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
124# avc:  denied  { open } for  pid=235 comm="updater" path="/dev/usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
125# avc:  denied  { search } for  pid=235 comm="updater" name="usb-ffs" dev="tmpfs" ino=322 scontext=u:r:updater:s0 tcontext=u:object_r:dev_usb_ffs:s0 tclass=dir permissive=1
126allow updater dev_usb_ffs:dir { read open search };
127
128# avc: denied { read write } for pid=234 comm="updater" name="ep0" dev="functionfs" ino=27986 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
129# avc:  denied  { open } for  pid=235 comm="updater" path="/dev/usb-ffs/hdc/ep0" dev="functionfs" ino=18354 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
130allow updater functionfs:file { read write open };
131
132# avc: denied { search } for pid=234 comm="updater" name="local" dev="mmcblk0p12" ino=87 scontext=u:r:updater:s0 tcontext=u:object_r:data_local:s0 tclass=dir permissive=1
133allow updater data_local:dir { search };
134
135
136# avc: denied { dyntransition } for pid=281 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary:s0 tclass=process permissive=1
137allow updater updater_binary:process { dyntransition };
138
139# avc: denied { setcurrent } for pid=279 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=process permissive=1
140allow updater updater:process { setcurrent };
141
142# avc: denied { read write } for pid=292 comm="sh" name="tty" dev="tmpfs" ino=282 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
143allow updater tty_device:chr_file { read write };
144
145#avc: denied { read } for pid=227 comm="updater" name="u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
146#avc: denied { open } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
147#avc: denied { map } for pid=227 comm="updater" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:updater:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
148allow updater musl_param:file { read map open };
149
150# avc: denied { read } for pid=236 comm="updater" name="etc" dev="rootfs" ino=17422 scontext=u:r:updater:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
151allow updater system_etc_file:lnk_file { read };
152
153# avc: denied { chown } for pid=227 comm="updater" capability=0 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
154# avc: denied { sys_admin } for pid=228 comm="updater" capability=21 scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
155allow updater updater:capability { sys_admin chown };
156
157# avc: denied { read write } for pid=239 comm="updater" name="ptmx" dev="tmpfs" ino=232 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
158allow updater dev_ptmx:chr_file { read write };
159
160# avc: denied { search } for pid=266 comm="updater" name="/" dev="devpts" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1
161allow updater dev_pts_file:dir { search };
162
163# avc: denied { read write } for pid=266 comm="updater" name="0" dev="devpts" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
164allow updater devpts:chr_file { read write };
165
166# avc: denied { ioctl } for pid=266 comm="sh" path="/dev/tty" dev="tmpfs" ino=282 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
167allow updater tty_device:chr_file { ioctl};
168allowxperm updater tty_device:chr_file ioctl { 0x5413 };
169
170#avc: denied { read write } for pid=227 comm="updater" path="/dev/console" dev="rootfs" ino=16653 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
171#avc: denied { ioctl } for pid=229 comm="updater" path="/dev/console" dev="rootfs" ino=3976 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
172allow updater rootfs:chr_file { read write ioctl };
173allowxperm updater rootfs:chr_file ioctl { 0x5413 };
174
175#avc: denied { read write } for pid=226 comm="updater" name="card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
176#avc: denied { open } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
177#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x640c scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
178#avc: denied { map } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
179#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a0 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
180#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a7 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
181#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a6 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
182#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a1 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
183#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
184#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
185#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64a2 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
186#avc: denied { ioctl } for pid=226 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=91 ioctlcmd=0x64b3 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
187# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x6409 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
188# avc: denied { ioctl } for pid=233 comm="updater" path="/dev/dri/card0" dev="tmpfs" ino=93 ioctlcmd=0x64af scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=chr_file permissive=1
189allow updater dev_dri_file:chr_file { ioctl read write open map };
190allowxperm updater dev_dri_file:chr_file ioctl { 0x640c 0x64a0 0x64a7 0x64a6 0x64a1 0x64b2 0x64b8 0x64a2 0x64b3 0x6409 0x64af };
191
192#avc: denied { search } for pid=229 comm="updater" name="dri" dev="tmpfs" ino=89 scontext=u:r:updater:s0 tcontext=u:object_r:dev_dri_file:s0 tclass=dir permissive=1
193allow updater dev_dri_file:dir { search };
194
195#avc: denied { read } for pid=228 comm="updater" name="by-name" dev="tmpfs" ino=106 scontext=u:r:updater:s0 tcontext=u:object_r:dev_block_volfile:s0 tclass=lnk_file permissive=1
196allow updater dev_block_volfile:lnk_file { read };
197
198#avc: denied { read } for pid=228 comm="updater" name="misc" dev="tmpfs" ino=133 scontext=u:r:updater:s0 tcontext=u:object_r:dev_file:s0 tclass=lnk_file permissive=1
199allow updater dev_file:lnk_file { read };
200
201#avc: denied { search } for pid=231 comm="updater" name="socket" dev="tmpfs" ino=8 scontext=u:r:updater:s0 tcontext=u:object_r:dev_unix_socket:s0 tclass=dir permissive=1
202allow updater dev_unix_socket:dir { search };
203
204#avc: denied { write } for pid=229 comm="updater" name="paramservice" dev="tmpfs" ino=15 scontext=u:r:updater:s0 tcontext=u:object_r:paramservice_socket:s0 tclass=sock_file permissive=1
205allow updater paramservice_socket:sock_file { write };
206
207#avc: denied { connectto } for pid=229 comm="updater" path="/dev/unix/socket/paramservice" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket permissive=1
208allow updater kernel:unix_stream_socket { connectto };
209
210#avc: denied { entrypoint } for pid=226 comm="init" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
211#avc: denied { map } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
212#avc: denied { read } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
213#avc: denied { execute } for pid=226 comm="updater" path="/bin/updater" dev="rootfs" ino=17070 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
214#avc: denied { open } for pid=226 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16682 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
215#avc: denied { getattr } for pid=227 comm="updater" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=16679 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
216#avc: denied { write } for pid=221 comm="hilogd.control" path="/data/log/hilog/.persisterInfo_2.info" dev="rootfs" ino=20796 scontext=u:r:hilogd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
217# avc:  denied  { setattr } for  pid=231 comm="updater" name="updater_binary" dev="rootfs" ino=19417 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
218# avc:  denied  { execute_no_trans } for  pid=278 comm="updater" path="/bin/mkfs.f2fs" dev="rootfs" ino=17686 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
219allow updater rootfs:file { entrypoint  map read execute open getattr write setattr execute_no_trans };
220
221#avc: denied { read write } for pid=226 comm="updater" path="socket:[17326]" dev="sockfs" ino=17326 scontext=u:r:updater:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
222allow updater ueventd:netlink_kobject_uevent_socket { read write};
223
224#avc: denied { read } for pid=269 comm="updater_binary" name="u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0
225# avc:  denied  { map } for  pid=263 comm="updater_binary" path="/dev/__parameters__/u:object_r:ohos_boot_param:s0" dev="tmpfs" ino=18 scontext=u:r:updater:s0 tcontext=u:object_r:ohos_boot_param:s0 tclass=file permissive=0
226allow updater ohos_boot_param:file { read map open };
227
228#avc: denied { mount } for pid=241 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1
229#avc: denied { unmount } for pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
230allow updater labeledfs:filesystem { mount unmount };
231
232#avc: denied { set } for process="updater" parameter=startup.device.ctl pid=241 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:servicectrl_reboot_param:s0 tclass=parameter_service permissive=1
233allow updater servicectrl_reboot_param:parameter_service { set };
234
235# avc:  denied  { read write } for  pid=275 comm="processdump" path="/data/log/faultlog/temp/cppcrash-270-1502782678223" dev="mmcblk0p12" ino=3328 scontext=u:r:updater:s0 tcontext=u:object_r:faultloggerd_temp_file:s0 tclass=file permissive=0
236allow updater faultloggerd_temp_file:file { read write };
237
238# avc:  denied  { mounton } for  pid=237 comm="updater" path="/sdcard" dev="rootfs" ino=27932 scontext=u:r:updater:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
239allow updater rootfs:dir { mounton };
240
241# avc:  denied  { setgid } for  pid=270 comm="mount.ntfs" capability=6  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
242# avc:  denied  { setuid } for  pid=265 comm="mount.ntfs" capability=7  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=0
243allow updater updater:capability { setuid setgid };
244
245# avc:  denied  { getattr } for  pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
246# avc:  denied  { read write } for  pid=269 comm="mount.ntfs" name="fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
247# avc:  denied  { open } for  pid=272 comm="mount.ntfs" path="/dev/fuse" dev="tmpfs" ino=186 scontext=u:r:updater:s0 tcontext=u:object_r:dev_fuse_file:s0 tclass=chr_file permissive=0
248allow updater dev_fuse_file:chr_file { getattr read write open };
249
250# avc:  denied  { open } for  pid=272 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
251# avc:  denied  { read } for  pid=272 comm="mount.ntfs" name="filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
252# avc:  denied  { getattr } for  pid=265 comm="mount.ntfs" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:updater:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=0
253allow updater proc_filesystems_file:file { read open getattr };
254
255# avc:  denied  { read write } for  pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
256# avc:  denied  { add_name } for  pid=234 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
257# avc: denied { open } for pid=238 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
258# avc: denied { remove_name } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
259allow updater exfat:dir { read write search add_name open remove_name };
260
261# avc:  denied  { read } for  pid=240 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
262# avc:  denied  { open } for  pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
263# avc:  denied  { getattr } for  pid=235 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
264# avc:  denied  { create } for  pid=233 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
265# avc:  denied  { write } for  pid=240 comm="updater" path="/sdcard/updater/update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
266# avc:  denied  { ioctl } for  pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
267# avc: denied { unlink } for pid=238 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=1
268allow updater exfat:file { read open getattr create write ioctl unlink };
269
270# avc:  denied  { mount } for  pid=242 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=filesystem permissive=0
271allow updater exfat:filesystem { mount };
272
273# avc:  denied  { ioctl } for  pid=235 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
274allowxperm updater exfat:file ioctl { 0x5413 };
275
276# avc:  denied  { write } for  pid=272 comm="updater_binary" name="data" dev="rootfs" ino=27999 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=0
277#avc: denied { search } for pid=229 comm="updater" name="data" dev="rootfs" ino=18958 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
278#avc: denied { remove_name } for pid=235 comm="updater" name="update.bin.tmp" dev="mmcblk0p12" ino=3186 scontext=u:r:updater:s0 tcontext=u:object_r:data_updater_file:s0 tclass=dir permissive=1
279#avc: denied { getattr } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
280#avc: denied { mounton } for pid=241 comm="updater" path="/data" dev="rootfs" ino=20430 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
281allow updater data_file:dir { write search remove_name getattr mounton };
282
283# avc: denied { unlink } for pid=234 comm="updater" name="updater_binary" dev="tmpfs" ino=6 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1
284allow updater updater_binary_exec:file { unlink };
285
286# avc:  denied  { mount } for  pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=filesystem permissive=0
287allow updater vfat:filesystem { mount };
288
289# avc:  denied  { read write } for  pid=231 comm="updater" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
290# avc:  denied  { ioctl } for  pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
291# avc: denied { unlink } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
292allow updater vfat:file { create read open getattr write ioctl unlink };
293
294# avc:  denied  { ioctl } for  pid=230 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=102 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
295allowxperm updater vfat:file ioctl { 0x5413 };
296
297# avc:  denied  { open } for  pid=235 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
298# avc: denied { open } for pid=228 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=99 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
299# avc: denied { remove_name } for pid=228 comm="updater" name="update.bin.tmp" dev="mmcblk1p1" ino=101 scontext=u:r:updater:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
300allow updater vfat:dir { read write search add_name open remove_name };
301
302# avc:  denied  { read write } for  pid=235 comm="updater" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
303# avc:  denied  { search } for  pid=235 comm="updater" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
304# avc:  denied  { add_name } for  pid=232 comm="updater" name="update.bin.tmp" scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
305# avc: denied { open } for pid=237 comm="updater" path="/sdcard/updater" dev="mmcblk1p1" ino=64 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
306# avc: denied { remove_name } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
307allow updater ntfs:dir { read write search add_name open remove_name };
308
309# avc:  denied  { read } for  pid=227 comm="updater" name="updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
310# avc:  denied  { open } for  pid=229 comm="updater" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
311# avc:  denied  { ioctl } for  pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
312# avc: denied { unlink } for pid=237 comm="updater" name="build_tools.zip.tmp" dev="mmcblk1p1" ino=67 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=1
313allow updater ntfs:file { read create open getattr write ioctl unlink };
314
315# avc:  denied  { ioctl } for  pid=233 comm="updater" path="/sdcard/updater/build_tools.zip.tmp" dev="mmcblk1p1" ino=67 ioctlcmd=0x5413 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
316allowxperm updater ntfs:file ioctl { 0x5413 };
317
318# avc:  denied  { mount } for  pid=262 comm="mount.ntfs" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:updater:s0 tcontext=u:object_r:ntfs:s0 tclass=filesystem permissive=0
319allow updater ntfs:filesystem { mount };
320
321# avc:  denied  { search } for  pid=235 comm="updater" name="/" dev="functionfs" ino=18353 scontext=u:r:updater:s0 tcontext=u:object_r:functionfs:s0 tclass=dir permissive=1
322allow updater functionfs:dir { search };
323
324# avc:  denied  { set } for process="unknown process" parameter=sys.usb.ffs.ready pid=265 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:sys_param:s0 tclass=parameter_service permissive=1
325allow updater sys_param:parameter_service { set };
326
327debug_only(`
328# avc:  denied  { dac_override } for  pid=235 comm="updater" capability=1  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1
329allow updater updater:capability { dac_override };
330
331# avc:  denied  { dyntransition } for  pid=285 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
332# avc:  denied  { signal } for  pid=231 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
333# avc: denied { sigkill } for pid=241 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
334allow updater sh:process { dyntransition signal sigkill };
335')
336
337# avc:  denied  { set } for process="unknown process" parameter=updater.flashd.configfs pid=235 uid=0 gid=0 scontext=u:r:updater:s0 tcontext=u:object_r:updater_flashd_param:s0 tclass=parameter_service permissive=1
338allow updater updater_flashd_param:parameter_service { set };
339
340# avc:  denied  { map } for  pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
341# avc:  denied  { open } for  pid=233 comm="updater" path="/dev/__parameters__/u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
342# avc:  denied  { read } for  pid=233 comm="updater" name="u:object_r:debug_param:s0" dev="tmpfs" ino=38 scontext=u:r:updater:s0 tcontext=u:object_r:debug_param:s0 tclass=file permissive=1
343allow updater debug_param:file { map open read };
344
345# avc:  denied  { dac_read_search } for  pid=233 comm="updater" capability=2  scontext=u:r:updater:s0 tcontext=u:r:updater:s0 tclass=capability permissive=1
346allow updater updater:capability { dac_read_search };
347
348# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
349# avc: denied { open } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
350allow updater dev_ptmx:chr_file { ioctl open };
351
352# avc: denied { ioctl } for pid=241 comm="updater" path="/dev/ptmx" dev="tmpfs" ino=245 ioctlcmd=0x5431 scontext=u:r:updater:s0 tcontext=u:object_r:dev_ptmx:s0 tclass=chr_file permissive=1
353allowxperm updater dev_ptmx:chr_file ioctl { 0x5431 0x5430 };
354
355allow updater data_file:dir { add_name create };
356allow updater data_file:file { create getattr ioctl read write open setattr };
357allowxperm updater data_file:file ioctl { 0x5413 };
358
359# denied { map } for pid=246 comm="updater" path="/data/update/ota_package/firmware/versions/updater_diff.zip" dev="mmcblk0p12" ino=1409 scontext=u:r:updater:s0 tcontext=u:object_r:update_firmware_file:s0 tclass=file permissive=1
360allow updater update_firmware_file:file { map };
361allow updater data_updater_file:file { map };
362allow updater exfat:file { map };
363allow updater ntfs:file { map };
364allow updater vfat:file { map };
365
366# avc: denied { relabelto } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
367# avc: denied { setattr } for pid=235 comm="updater" name="updater" dev="mmcblk0p12" ino=7 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=dir permissive=1
368allow updater data_file:dir { relabelto setattr };
369
370# avc: denied { append } for pid=235 comm="updater" path="/data/updater/log/updater_log" dev="mmcblk0p12" ino=9 scontext=u:r:updater:s0 tcontext=u:object_r:data_file:s0 tclass=file permissive=1
371allow updater data_file:file { append };
372
373# avc: denied { getattr } for pid=235 comm="updater" path="/data" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
374# avc: denied { relabelfrom } for pid=235 comm="updater" name="/" dev="mmcblk0p12" ino=3 scontext=u:r:updater:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
375allow updater unlabeled:dir { getattr relabelfrom };
376allow updater devinfo_private_param:file { map open read };
377
378# avc: denied { relabelto } for pid=232 comm="updater" name="updater_binary" dev="tmpfs" ino=5 scontext=u:r:updater:s0 tcontext=u:object_r:updater_binary_exec:s0 tclass=file permissive=1
379allow updater updater_binary_exec:file { relabelto };
380
381# avc: denied { syslog_read } for pid=230 comm="updater" scontext=u:r:updater:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
382allow updater kernel:system { syslog_read };
383
384')
385