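# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Type-enforcement rules for the sh domain in the updater image. Each allow
# rule is preceded by the avc denial (permissive=1 log line) that motivated
# it, so every grant can be traced back to an observed access; keep that
# pairing when adding rules. The block further down is wrapped in
# updater_only()/debug_only(); judging by the macro names it is emitted only
# for updater debug images (confirm against the macro definitions). Note that
# several denials below carry comm="hdcd" or comm="updater" with
# scontext=u:r:sh:s0, i.e. those processes run in the sh domain here.
#
# Deliberately kept outside debug_only: hdcd does not work without console
# access, so this single grant applies to every updater build.
#avc: denied { read write } for pid=230 comm="sh" path="/dev/console" dev="tmpfs" ino=246 scontext=u:r:sh:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
allow sh dev_console_file:chr_file { read write };

updater_only(`
    debug_only(`
    #avc: denied { search } for pid=267 comm="hdcd" name="/" dev="devpts" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:dev_pts_file:s0 tclass=dir permissive=1
    allow sh dev_pts_file:dir { search };

    #avc: denied { open } for pid=267 comm="hdcd" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:sh:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
    allow sh devpts:chr_file { open };

    # Observed on two rootfs builds (ino=16991 and ino=17509); a single rule
    # covers both, so the former duplicate rootfs:file rule was folded in here.
    # execute_no_trans on every rootfs-labelled file is broad: sh may run any
    # such binary without a domain transition. Acceptable only because this
    # whole block is debug-only.
    #avc: denied { entrypoint } for pid=230 comm="init" path="/bin/sh" dev="rootfs" ino=16991 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { map } for pid=230 comm="sh" path="/bin/sh" dev="rootfs" ino=16991 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { read } for pid=230 comm="sh" path="/bin/sh" dev="rootfs" ino=16991 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { execute } for pid=230 comm="sh" path="/bin/sh" dev="rootfs" ino=16991 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { execute_no_trans } for pid=262 comm="hdcd" path="/bin/sh" dev="rootfs" ino=16991 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { map } for pid=237 comm="sh" path="/bin/sh" dev="rootfs" ino=17509 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { read } for pid=237 comm="sh" path="/bin/sh" dev="rootfs" ino=17509 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { execute } for pid=237 comm="sh" path="/bin/sh" dev="rootfs" ino=17509 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    #avc: denied { execute_no_trans } for pid=269 comm="hdcd" path="/bin/sh" dev="rootfs" ino=17509 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
    allow sh rootfs:file { entrypoint map read execute execute_no_trans };

    # The target is the ueventd process domain and the path is an anonymous
    # socket, so this is presumably an fd inherited from the parent rather
    # than a socket sh creates itself; confirm with the spawning path.
    #avc: denied { read write } for pid=230 comm="sh" path="socket:[28383]" dev="sockfs" ino=28383 scontext=u:r:sh:s0 tcontext=u:r:ueventd:s0 tclass=netlink_kobject_uevent_socket permissive=1
    allow sh ueventd:netlink_kobject_uevent_socket { read write };

    # NOTE(review): the logged denial is for open only; map is granted in
    # addition, presumably for a later mmap of the parameter file - confirm.
    #avc: denied { open } for pid=230 comm="sh" path="/dev/__parameters__/u:object_r:musl_param:s0" dev="tmpfs" ino=40 scontext=u:r:sh:s0 tcontext=u:object_r:musl_param:s0 tclass=file permissive=1
    allow sh musl_param:file { open map };

    # Every ioctl grant in this file is pinned with allowxperm to 0x5413
    # (TIOCGWINSZ on asm-generic), the only command the denials show. Do not
    # widen to a bare ioctl allow: without an allowxperm line the allow would
    # permit every ioctl on that class.
    #avc: denied { ioctl } for pid=269 comm="sh" path="/dev/console" dev="rootfs" ino=17175 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=chr_file permissive=1
    allow sh rootfs:chr_file { ioctl };
    allowxperm sh rootfs:chr_file ioctl { 0x5413 };

    #avc: denied { read } for pid=270 comm="hilog" name="etc" dev="rootfs" ino=17179 scontext=u:r:sh:s0 tcontext=u:object_r:system_etc_file:s0 tclass=lnk_file permissive=1
    allow sh system_etc_file:lnk_file { read };

    #avc: denied { ioctl } for pid=224 comm="sh" path="/dev/console" dev="tmpfs" ino=246 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:dev_console_file:s0 tclass=chr_file permissive=1
    allow sh dev_console_file:chr_file { ioctl };
    allowxperm sh dev_console_file:chr_file ioctl { 0x5413 };

    # avc:  denied  { getattr } for  pid=261 comm="mount" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:sh:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=1
    # avc:  denied  { open } for  pid=261 comm="mount" path="/proc/filesystems" dev="proc" ino=4026532202 scontext=u:r:sh:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=1
    # avc:  denied  { read } for  pid=261 comm="mount" name="filesystems" dev="proc" ino=4026532202 scontext=u:r:sh:s0 tcontext=u:object_r:proc_filesystems_file:s0 tclass=file permissive=1
    allow sh proc_filesystems_file:file { getattr open read };

    # mount onto /sdcard while it is still a plain rootfs directory ...
    # avc:  denied  { mounton } for  pid=261 comm="mount" path="/sdcard" dev="rootfs" ino=20781 scontext=u:r:sh:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1
    allow sh rootfs:dir { mounton };

    # ... and again onto the already-mounted vfat volume.
    # avc:  denied  { mounton } for  pid=265 comm="mount" path="/sdcard" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
    # avc: denied { open } for pid=331 comm="sh" path="/sdcard" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
    # avc: denied { read } for pid=331 comm="sh" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
    # avc: denied { search } for pid=331 comm="sh" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
    allow sh vfat:dir { open read search mounton };

    # dmesg output is written into a pipe owned by the updater domain.
    # avc:  denied  { use } for  pid=292 comm="dmesg" path="pipe:[20457]" dev="pipefs" ino=20457 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:r:updater:s0 tclass=fd permissive=1
    allow sh updater:fd { use };

    # avc:  denied  { ioctl } for  pid=292 comm="dmesg" path="pipe:[20457]" dev="pipefs" ino=20457 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1
    # avc:  denied  { write } for  pid=292 comm="dmesg" path="pipe:[20457]" dev="pipefs" ino=20457 scontext=u:r:sh:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1
    allow sh updater:fifo_file { ioctl write };

    # avc:  denied  { ioctl } for  pid=292 comm="dmesg" path="pipe:[20457]" dev="pipefs" ino=20457 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:r:updater:s0 tclass=fifo_file permissive=1
    allowxperm sh updater:fifo_file ioctl { 0x5413 };

    # avc: denied { getattr } for pid=352 comm="ls" path="/sdcard/updater/updater.zip" dev="mmcblk1p1" ino=100 scontext=u:r:sh:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
    allow sh vfat:file { getattr };

    # mkdir of /sdcard/updater on ntfs and exfat media. NOTE(review): vfat
    # above gets mounton but no write, while ntfs/exfat get write but no
    # mounton; confirm that asymmetry is intended rather than untested paths.
    # avc: denied { add_name } for pid=309 comm="mkdir" name="updater" scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    # avc: denied { create } for pid=309 comm="mkdir" name="updater" scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    # avc: denied { open } for pid=284 comm="sh" path="/sdcard" dev="mmcblk1p1" ino=5 scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    # avc: denied { read } for pid=284 comm="sh" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    # avc: denied { search } for pid=284 comm="sh" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    # avc: denied { write } for pid=309 comm="mkdir" name="/" dev="mmcblk1p1" ino=5 scontext=u:r:sh:s0 tcontext=u:object_r:ntfs:s0 tclass=dir permissive=1
    allow sh ntfs:dir { add_name create open read search write };

    # avc: denied { add_name } for pid=300 comm="mkdir" name="updater" scontext=u:r:sh:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
    # avc: denied { create } for pid=300 comm="mkdir" name="updater" scontext=u:r:sh:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
    # avc: denied { search } for pid=300 comm="mkdir" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
    # avc: denied { write } for pid=300 comm="mkdir" name="/" dev="mmcblk1p1" ino=1 scontext=u:r:sh:s0 tcontext=u:object_r:exfat:s0 tclass=dir permissive=1
    allow sh exfat:dir { add_name create search write };

    # comm="updater" running in the sh domain appends to /tmp/updater.log.
    #avc: denied { append } for pid=267 comm="updater" name="updater.log" dev="tmpfs" ino=2 scontext=u:r:sh:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
    #avc: denied { ioctl } for pid=267 comm="updater" path="/tmp/updater.log" dev="tmpfs" ino=2 ioctlcmd=0x5413 scontext=u:r:sh:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=1
    allow sh tmpfs:file { append ioctl };
    # Pin the ioctl for sh to the logged command, matching every other ioctl
    # grant in this file; previously only the updater domain was pinned, which
    # left the allow above permitting any ioctl on tmpfs files for sh.
    allowxperm sh tmpfs:file ioctl { 0x5413 };
    # NOTE(review): the denials above are for scontext=u:r:sh:s0, not the
    # updater domain. This pre-existing updater line is kept unchanged since
    # dropping it could widen the ioctl set of updater elsewhere, but it looks
    # like it was meant for sh; confirm against the updater policy.
    allowxperm updater tmpfs:file ioctl { 0x5413 };
    ')
')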