1 # Copyright (c) 2023 Huawei Device Co., Ltd. 2 # Licensed under the Apache License, Version 2.0 (the "License"); 3 # you may not use this file except in compliance with the License. 4 # You may obtain a copy of the License at 5 # 6 # http://www.apache.org/licenses/LICENSE-2.0 7 # 8 # Unless required by applicable law or agreed to in writing, software 9 # distributed under the License is distributed on an "AS IS" BASIS, 10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 # See the License for the specific language governing permissions and 12 # limitations under the License. 13 updater_only(` 14 15 # avc: denied { read write } for pid=243 comm="hdcd" path="/dev/console" dev="rootfs" ino=3504 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 16 # avc: denied { ioctl } for pid=234 comm="hdcd" path="/dev/console" dev="rootfs" ino=1979 ioctlcmd=0x5413 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1 17 allow hdcd rootfs:chr_file { read write ioctl }; 18 allowxperm hdcd rootfs:chr_file ioctl { 0x5413 }; 19 20 # avc: denied { entrypoint } for pid=243 comm="init" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 21 # avc: denied { map } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 22 # avc: denied { read } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 23 # avc: denied { execute } for pid=243 comm="hdcd" path="/bin/hdcd" dev="rootfs" ino=3945 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 24 # avc: denied { open } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 25 # avc: denied { getattr } for pid=235 comm="hdcd" path="/etc/ld-musl-namespace-arm.ini" dev="rootfs" ino=18288 scontext=u:r:hdcd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 26 allow hdcd rootfs:file { entrypoint map read execute open getattr }; 27 28 # avc: denied { setcurrent } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:hdcd:s0 tclass=process permissive=1 29 allow hdcd hdcd:process { setcurrent }; 30 31 debug_only(` 32 # avc: denied { dyntransition } for pid=270 comm="hdcd" scontext=u:r:hdcd:s0 tcontext=u:r:sh:s0 tclass=process permissive=1 33 allow hdcd sh:process { dyntransition }; 34 ') 35 36 #avc: denied { read write } for pid=235 comm="hdcd" path="socket:[20967]" dev="sockfs" ino=20967 scontext=u:r:hdcd:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1 37 allow hdcd ueventd:netlink_kobject_uevent_socket { read write }; 38 39 # avc: denied { map } for pid=235 comm="hdcd" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:hdcd:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1 40 allow hdcd musl_param:file { read open map }; 41 42 # avc: denied { read } for pid=235 comm="hdcd" name="etc" dev="rootfs" ino=18266 scontext=u:r:hdcd:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1 43 allow hdcd system_etc_file:lnk_file { read }; 44 45 debug_only(` 46 # avc: denied { getattr } for pid=270 comm="hdcd" path="/sys/devices/virtual/tty/console/active" dev="sysfs" ino=14700 scontext=u:r:sh:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 47 # avc: denied { read } for pid=270 comm="hdcd" name="active" dev="sysfs" ino=14700 scontext=u:r:sh:s0 tcontext=u:object_r:sys_file:s0 tclass=file permissive=1 48 allow sh sys_file:file { read getattr }; 49 50 # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 51 # avc: denied { write } for pid=236 comm="hdcd" name="updater" dev="mmcblk1p1" ino=64 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 52 # avc: denied { add_name } for pid=235 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=0 53 allow hdcd ntfs:dir { search write add_name }; 54 55 # avc: denied { search } for pid=246 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=0 56 allow hdcd exfat:dir { search write add_name }; 57 58 # avc: denied { create } for pid=240 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 59 # avc: denied { write open } for pid=235 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=65 scontext=u:r:hdcd:s0 tcontext=u:object_r:ntfs:s0 tclass=file permissive=0 60 allow hdcd ntfs:file { write open create }; 61 62 # avc: denied { getattr } for pid=238 comm="hdcd" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:hdcd:s0 tcontext=u:object_r:exfat:s0 tclass=file permissive=0 63 allow hdcd exfat:file { create write open getattr }; 64 65 # avc: denied { search } for pid=235 comm="hdcd" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 66 # avc: denied { write } for pid=239 comm="hdcd" name="updater" dev="mmcblk1p1" ino=99 scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 67 # avc: denied { add_name } for pid=241 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 68 allow hdcd vfat:dir { add_name write search }; 69 70 # avc: denied { create } for pid=234 comm="hdcd" name="updater.zip" scontext=u:r:hdcd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 71 allow hdcd vfat:file { create write open getattr }; 72 ') 73 ') 74 75