# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Policy for the hdcd domain (the HDC daemon) in the updater image.
# The whole file is wrapped in updater_only(...), so none of these rules
# apply outside the updater build; the debug_only(...) sub-blocks further
# restrict their contents to debug builds.
#
# Every rule below was derived from the avc denial quoted above it. Where a
# rule grants more than the quoted denial asked for, the comment says so.
updater_only(`

    # /dev/console carries the generic rootfs label (tcontext=u:object_r:rootfs:s0),
    # so this rule covers every rootfs-labelled character device, not only the
    # console. Narrowing it would need a dedicated label for the console node,
    # which is outside the scope of this file.
    # avc: denied { read write } for pid=243 comm="hdcd" path="/dev/console" dev="rootfs" ino=3504 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
    # avc: denied { ioctl } for pid=234 comm="hdcd" path="/dev/console" dev="rootfs" ino=1979 ioctlcmd=0x5413 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
    allow hdcd rootfs:chr_file { ioctl read write };
    # Only the single logged ioctl, 0x5413 (TIOCGWINSZ on Linux), is whitelisted.
    allowxperm hdcd rootfs:chr_file ioctl { 0x5413 };

    # The daemon binary /bin/hdcd is itself rootfs-labelled, so entrypoint and
    # execute apply to any rootfs-labelled file. The open/getattr denials are for
    # the musl namespace config read at startup.
    # avc: denied { entrypoint } for pid=243 comm="init" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    # avc: denied { map } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    # avc: denied { read } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    # avc: denied { execute } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    # avc: denied { open } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    # avc: denied { getattr } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    allow hdcd rootfs:file { entrypoint execute getattr map open read };

    # setcurrent lets hdcd request a dynamic domain change. On its own it does
    # not move the process anywhere: a matching dyntransition rule to the target
    # domain is also required, and that is granted only in debug builds below.
    # avc: denied { setcurrent } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:hdcd:s0 tclass=process permissive=1
    allow hdcd hdcd:process { setcurrent };

    debug_only(`
        # Debug builds only: hdcd may switch into the sh domain.
        # avc: denied { dyntransition } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:sh:s0 tclass=process permissive=1
        allow hdcd sh:process { dyntransition };
    ')

    # The socket is owned by the ueventd domain (tcontext=u:r:ueventd:s0);
    # presumably a descriptor inherited across exec - confirm with the caller.
    # avc: denied { read write } for pid=235 comm="hdcd" path="socket:[20967]" dev="sockfs" ino=20967 scontext=u:r:hdcd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
    allow hdcd ueventd:netlink_kobject_uevent_socket { read write };

    # Only map was logged; open and read are included because the parameter
    # file has to be opened before it can be mapped.
    # avc: denied { map } for pid=235 comm="hdcd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hdcd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
    allow hdcd musl_param:file { map open read };

    # /etc is a symlink in this image; reading the link target is all that is granted.
    # avc: denied { read } for pid=235 comm="hdcd" name="etc" dev="rootfs" ino=18266 scontext=u:r:hdcd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
    allow hdcd system_etc_file:lnk_file { read };

    debug_only(`
        # Note the scontext is sh, not hdcd: this rule applies to the shell that
        # hdcd transitioned into (see dyntransition above), and presumably lives
        # here rather than in the sh policy because hdcd is what spawns it.
        # avc: denied { getattr } for pid=270 comm="hdcd" path="/sys/devices/virtual/tty/console/active" dev="sysfs" ino=14700 scontext=u:r:sh:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
        # avc: denied { read } for pid=270 comm="hdcd" name="active" dev="sysfs" ino=14700 scontext=u:r:sh:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1
        allow sh sys_file:file { getattr read };

        # Debug builds only: hdcd may create and write files on removable media
        # (the logs show /sdcard/updater/updater.zip on mmcblk1p1) for the
        # ntfs, exfat and vfat labels. The ntfs rules match the logged denials;
        # the exfat and vfat rules were filled in by analogy, as only search,
        # getattr and create denials were captured for those labels. These
        # denials were collected with permissive=0, i.e. in enforcing mode.
        # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
        # avc: denied { write } for pid=236 comm="hdcd" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
        # avc: denied { add_name } for pid=235 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0
        allow hdcd ntfs:dir { add_name search write };

        # avc: denied { search } for pid=246 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0
        allow hdcd exfat:dir { add_name search write };

        # avc: denied { create } for pid=240 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
        # avc: denied { write open } for pid=235 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0
        allow hdcd ntfs:file { create open write };

        # avc: denied { getattr } for pid=238 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0
        allow hdcd exfat:file { create getattr open write };

        # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
        # avc: denied { write } for pid=239 comm="hdcd" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
        # avc: denied { add_name } for pid=241 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
        allow hdcd vfat:dir { add_name search write };

        # avc: denied { create } for pid=234 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
        allow hdcd vfat:file { create getattr open write };
    ')
')
