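# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Permissions the init domain needs for the module-update flow: staging
# module packages under data_module_update / data_module_update_package,
# driving loop and device-mapper devices, and launching
# /system/bin/check_module_update_init.
#
# Rules are grouped by target type. Where the original file carried two
# rules for the same (target type, class) pair they are merged below; allow
# rules are unioned by the policy compiler, so the granted permission set
# is unchanged.

# --- module-update data staging: create, relabel and remove files/dirs ---
# { rename reparent rmdir } was a separate rule for the same dir type; merged.
allow init data_module_update:dir { add_name create getattr link open read relabelto remove_name rename reparent rmdir search setattr unlink write };
allow init data_module_update:file { getattr link open read map relabelto unlink write };
allow init data_module_update_package:dir { getattr open read relabelto remove_name rmdir search setattr write };
allow init data_module_update_package:file { getattr link open read map relabelfrom unlink write };

# --- block / loop / device-mapper control ---
# ioctl commands are restricted per device node via allowxperm
# (0x4cxx = loop ioctls, 0xfdxx = device-mapper ioctls, 0x12xx = block ioctls;
# confirm individual numbers against the kernel uapi headers).
# NOTE(review): the base `allow init dev_block_file:blk_file { ioctl ... }`
# is not in this file; the allowxperm below only takes effect if that base
# rule is granted elsewhere in the policy — confirm.
allowxperm init dev_block_file:blk_file ioctl { 0x1261 0x4c00 0x4c01 0x4c04 0x4c09 0x4c0a };
allow init dev_file:chr_file { ioctl open read write };
allowxperm init dev_file:chr_file ioctl { 0xfd03 0xfd06 0xfd07 0xfd09 };
allow init dev_mapper_control_file:chr_file { getattr ioctl open read relabelto setattr write };
allowxperm init dev_mapper_control_file:chr_file ioctl { 0xfd03 0xfd04 0xfd06 0xfd07 0xfd09 };
allow init dev_loop_control_file:chr_file { getattr ioctl open read write };
allowxperm init dev_loop_control_file:chr_file ioctl { 0x4c80 0x4c82 };
# Originally { open read write } plus a superset rule; only the superset is kept.
allow init sysfs_block_loop:file { getattr open read setattr write };

# --- service lookup, read-only system content, mount points ---
allow init module_update_file:dir { search };
allow init module_update_service:binder { call };
allow init sa_module_update_service:samgr_class { get };
allow init system_file:dir { open read };
allow init system_file:file { getattr open read };
allow init system_module_update_file:dir { getattr open read search };
allow init system_module_update_file:file { getattr open read };
allow init system_profile_file:file { getattr open read };
allow init tmpfs:dir { remove_name rmdir };
allow init tmpfs:filesystem { mount };

# --- launching the module-update check helper ---
# The rule below was derived from the permissive-mode (permissive=1) denials
# recorded here:
# avc: denied { execute } for pid=598 comm="/bin/init" path="/system/bin/check_module_update_init" dev="overlay" ino=571 scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
# avc: denied { getattr } for pid=1 comm="/bin/init" path="/system/bin/check_module_update_init" dev="overlay" ino=571 scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
# avc: denied { open } for pid=599 comm="/bin/init" path="/system/bin/check_module_update_init" dev="overlay" ino=572 scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
# avc: denied { execute_no_trans } for pid=599 comm="/bin/init" path="/system/bin/check_module_update_init" scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
# avc: denied { read } for pid=599 comm="/bin/init" path="/system/bin/check_module_update_init" dev="overlay" ino=572 scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
# avc: denied { map } for pid=unknown comm=unknown, cidx=0x0 path="/system/bin/check_module_update_init" dev="overlay" ino=157 scontext=u:r:init:s0 tcontext=u:r:system_bin_module_update_exec:s0 tclass=file permissive=1
#
# NOTE(review): execute_no_trans means check_module_update_init runs inside
# the init domain itself (u:r:init:s0) rather than transitioning to its own
# domain, so the helper inherits every permission granted to init in this
# file, including the relabel, device-mapper/loop ioctl and tmpfs mount
# permissions above. A dedicated domain reached via a type_transition on
# system_bin_module_update_exec would confine it to what the check itself
# needs; keep execute_no_trans only if that helper genuinely requires init's
# full privilege set.
allow init system_bin_module_update_exec:file { execute execute_no_trans getattr map open read };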