Add Intelligence rc
Driven by the persist.vendor.intelligence property, the state transitions are:
# on -> mount(ok) -> on
# off -> write_zeroes -> remove -> rm(ok) -> disable
# on -> mount(fail) -> remove -> rm(ok) -> disable
For SEpolicy,
type=1400 audit(1731445557.444:32): avc: denied { read } for comm="kworker/u16:3" path="/dev/block/sda33" dev="tmpfs" ino=1050 scontext=u:r:kernel:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
type=1400 audit(1731445557.476:33): avc: denied { execute_no_trans } for comm="storage_intelli" path="/vendor/bin/toolbox" dev="dm-11" ino=368 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
type=1400 audit(1731448933.292:16): avc: denied { search } for comm="dd" name="block" dev="tmpfs" ino=12 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
type=1400 audit(1731461590.844:16): avc: denied { write } for comm="dd" name="sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
type=1400 audit(1731461590.844:17): avc: denied { open } for comm="dd" path="/dev/block/sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
Bug: 378120929
Flag: build.RELEASE_PIXEL_VENDOR_INTELLIGENCE_AID
Change-Id: If9d2f067e29b6c574d3b827ea509fec92c6d8028
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
diff --git a/storage/Android.bp b/storage/Android.bp
index 3a06113..eb806bc 100644
--- a/storage/Android.bp
+++ b/storage/Android.bp
@@ -14,8 +14,15 @@
shared_libs: [
"libbase",
"libdump",
- "liblog",
+ "liblog",
],
vendor: true,
relative_install_path: "dump",
}
+
+sh_binary {
+ name: "storage_intelligence.sh",
+ src: "storage_intelligence.sh",
+ init_rc: ["storage.intelligence.rc"],
+ vendor: true,
+}
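Review bot: The `- "liblog",` / `+ "liblog",` pair in the dump_storage module is a whitespace-only change unrelated to the new sh_binary, and it makes the hunk look as if a dependency moved; drop it or land it as a separate cleanup. The new module is otherwise fine, but note the naming split between `storage_intelligence.sh` / `storage_intelligence` (service, SELinux domain) and `storage.intelligence.rc` — picking one spelling (`storage_intelligence.rc`) makes the rc file easier to find from the service name.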
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index 0fa9564..59b739d 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -4,3 +4,5 @@
type sg_device, dev_type;
type sg_util_exec, exec_type, vendor_file_type, file_type;
+# Intelligence Service
+type intelligence_data_file, file_type, data_file_type;
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index 1ef5a67..18527fb 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -1,9 +1,13 @@
# storage
-/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
-/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
-/dev/sg[0-9] u:object_r:sg_device:s0
-/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
-/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
-/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
-/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/data/vendor/intelligence(/.*)? u:object_r:intelligence_data_file:s0
+/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
+/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
+/dev/sg[0-9] u:object_r:sg_device:s0
+
+/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
+
+/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
+/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
+/vendor/bin/storage_intelligence\.sh u:object_r:storage_intelligence_exec:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
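Review bot: The hunk deletes and re-adds every existing entry to sort them, so the two real additions (`/data/vendor/intelligence(/.*)?` and `/vendor/bin/storage_intelligence\.sh`) are hard to pick out of the churn; a pure insertion would be easier to review and bisect. Also worth a comment next to the `/data/vendor/intelligence(/.*)?` line: it labels the mount point directory itself, but once the f2fs image from `userdata_exp.ai` is mounted there the labels of the files underneath presumably come from the image's own xattrs, not from this regex, unless the rc mount passes a `context=` option — e.g. `# mount point only; mounted content is labeled by the image unless mounted with context=`.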
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index dc24247..464ca4b 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1,3 +1,4 @@
# init
allow init sysfs_scsi_devices_0000:file w_file_perms;
+dontaudit init intelligence_data_file:dir mounton;
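Review bot: `dontaudit init intelligence_data_file:dir mounton;` hides the denial but does not grant the permission, so unless the platform policy already allows init to mount on this data type, the `mount f2fs loop@... /data/vendor/intelligence ro` step in storage.intelligence.rc is refused in enforcing mode and the refusal no longer shows up in the audit log, silently driving the script into the `remove` path. If the mount is meant to succeed this should be `allow init intelligence_data_file:dir mounton;` (subject to the platform neverallows on init); if the denial is expected in some configuration, a comment should say which one and why it is suppressed rather than allowed. The loop-device and f2fs filesystem permissions for init are presumably provided by the platform policy, but that is not visible here.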
diff --git a/storage/sepolicy/kernel.te b/storage/sepolicy/kernel.te
new file mode 100644
index 0000000..55882ed
--- /dev/null
+++ b/storage/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# for intelligence service
+
+allow kernel userdata_exp_block_device:blk_file read;
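Review bot: The comment `# for intelligence service` does not explain why the kernel domain, rather than storage_intelligence, needs read on the partition; from the first denial in the commit message (comm="kworker/u16:3") it is the loop-device worker thread reading the backing block device for the `loop@` mount. Replace the comment with `# loop@ mount of userdata_exp.ai: the loop worker (kworker, kernel domain) reads the backing block device`, so the next reader does not assume user space in the kernel domain is touching the raw partition.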
diff --git a/storage/sepolicy/property.te b/storage/sepolicy/property.te
new file mode 100644
index 0000000..598c71a
--- /dev/null
+++ b/storage/sepolicy/property.te
@@ -0,0 +1,3 @@
+# for intelligence service
+
+vendor_internal_prop(vendor_intelligence_prop)
diff --git a/storage/sepolicy/property_contexts b/storage/sepolicy/property_contexts
new file mode 100644
index 0000000..b436986
--- /dev/null
+++ b/storage/sepolicy/property_contexts
@@ -0,0 +1 @@
+persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0
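Review bot: The entry has no type annotation, so it is a prefix match (`persist.vendor.intelligence*`) and the property accepts any string, although the rc and script only act on `on`, `off`, `remove` and `disable`. Pin both with `persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0 exact enum on off remove disable`, so that a typo or an unexpected value is rejected at setprop time rather than leaving the state machine stuck, assuming no other values are used elsewhere.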
diff --git a/storage/sepolicy/storage_intelligence.te b/storage/sepolicy/storage_intelligence.te
new file mode 100644
index 0000000..66d14df
--- /dev/null
+++ b/storage/sepolicy/storage_intelligence.te
@@ -0,0 +1,12 @@
+# support intelligence service
+init_daemon_domain(storage_intelligence)
+type storage_intelligence, domain;
+type storage_intelligence_exec, vendor_file_type, exec_type, file_type;
+
+set_prop(storage_intelligence, vendor_intelligence_prop);
+
+allow storage_intelligence vendor_toolbox_exec:file execute_no_trans;
+
+# for storage management
+allow storage_intelligence block_device:dir { search };
+allow storage_intelligence userdata_exp_block_device:blk_file rw_file_perms;
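Review bot: `rw_file_perms` on `userdata_exp_block_device` is wider than the script uses: storage_intelligence.sh only ever writes zeros to the partition with dd (the denials quoted in the commit message are `write` and `open`), and reading is done by the kernel's loop worker. `allow storage_intelligence userdata_exp_block_device:blk_file w_file_perms;` covers that and keeps a root-running vendor script from being able to read a raw user-data partition. A short comment on the two `# for storage management` rules saying they exist for `dd if=/dev/zero of=/dev/block/by-name/userdata_exp.ai` would also make future audits quicker.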
diff --git a/storage/sepolicy/tracking_denials/bug_map b/storage/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..a1e8298
--- /dev/null
+++ b/storage/sepolicy/tracking_denials/bug_map
@@ -0,0 +1 @@
+shell vendor_intelligence_prop file b/378120929
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index 73eb527..cbb2990 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -4,3 +4,5 @@
# dirty swappiness
allow vendor_init proc_dirty:file w_file_perms;
+# intelligence
+set_prop(vendor_init, vendor_intelligence_prop);
diff --git a/storage/storage.intelligence.rc b/storage/storage.intelligence.rc
new file mode 100644
index 0000000..85586ab
--- /dev/null
+++ b/storage/storage.intelligence.rc
@@ -0,0 +1,23 @@
+# For intelligence service
+# on -> mount(ok) -> on
+# off -> write_zeroes -> remove -> rm(ok) -> disable
+# on -> mount(fail) -> remove -> rm(ok) -> disable
+
+service storage_intelligence /vendor/bin/storage_intelligence.sh
+ user root
+ disabled
+ oneshot
+
+on boot && property:persist.vendor.intelligence=on
+ mkdir /data/vendor/intelligence 0770 vendor_intelligence vendor_intelligence
+ restorecon_recursive /data/vendor/intelligence
+ mount f2fs loop@/dev/block/by-name/userdata_exp.ai /data/vendor/intelligence ro
+ start storage_intelligence
+
+on boot && property:persist.vendor.intelligence=off
+ start storage_intelligence
+
+on property:persist.vendor.intelligence=remove
+ rm /data/userdata_exp.ai
+ rmdir /data/vendor/intelligence
+ setprop persist.vendor.intelligence disable
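Review bot: The `mount f2fs loop@... /data/vendor/intelligence ro` line mounts a filesystem image without `nosuid`, `nodev` or `noexec`, so any setuid binary or device node present in the image is honored; since the image's provenance is not established here, use `mount f2fs loop@/dev/block/by-name/userdata_exp.ai /data/vendor/intelligence ro nosuid nodev noexec`. The `remove` action also runs `rm /data/userdata_exp.ai`, a path that nothing in this commit creates (the script only defines it as an unused `backend_file` variable), so either the loop-backed file is produced elsewhere and deserves a comment, or the line is dead. Finally, the service runs as `user root`; if that is only because the raw block node is root-owned, a comment saying so would help whoever later tries to tighten it.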
diff --git a/storage/storage_intelligence.sh b/storage/storage_intelligence.sh
new file mode 100755
index 0000000..03d2ca7
--- /dev/null
+++ b/storage/storage_intelligence.sh
@@ -0,0 +1,24 @@
+#!/vendor/bin/sh
+#
+# The script belongs to the feature of UFS FFU via OTA: go/p23-ffu-ota
+# Its purpose is to copy the corresponding firmware into partition for UFS FFU.
+
+
+property="persist.vendor.intelligence"
+partition="/dev/block/by-name/userdata_exp.ai"
+mount_point="/data/vendor/intelligence"
+backend_file="/data/userdata_exp.ai"
+
+request=`getprop $property`
+
+if [ "$request" == "on" ]; then
+ mounted=`grep $mount_point /proc/mounts`
+ if [ "$mounted" ]; then
+ setprop $property on
+ else
+ setprop $property remove
+ fi
+elif [ "$request" == "off" ]; then
+ dd if=/dev/zero of=$partition bs=4k count=2
+ setprop $property remove
+fi
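Review bot: The header comment is copied from the UFS FFU script and is wrong for this file — it does not copy firmware, it checks the `/data/vendor/intelligence` mount and zeros the `userdata_exp.ai` partition header based on `persist.vendor.intelligence`; replace it with a two-line description of the on/off/remove state machine from the rc file. The `off` branch's `dd ... bs=4k count=2` only overwrites the first 8 KiB (the f2fs superblocks), which makes the image unmountable but leaves the file contents on flash; if the requirement is removal of the data rather than just disabling the mount, a full overwrite or BLKDISCARD/BLKSECDISCARD is needed, and if not, the comment should say so explicitly. The dd exit status is also ignored, so a failed wipe still advances the state to `remove`; gate it with `if dd if=/dev/zero of="$partition" bs=4k count=2; then setprop "$property" remove; fi` and leave the property at `off` on failure so it retries at next boot. `backend_file` is unused and `grep $mount_point /proc/mounts` is unquoted and unanchored.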
diff --git a/storage/tracking_denials/bug_map b/storage/tracking_denials/bug_map
new file mode 100644
index 0000000..a1e8298
--- /dev/null
+++ b/storage/tracking_denials/bug_map
@@ -0,0 +1 @@
+shell vendor_intelligence_prop file b/378120929
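Review bot: This file is byte-identical (same blob `a1e8298`) to `storage/sepolicy/tracking_denials/bug_map` added in the same commit, so one copy is presumably in the wrong directory and should be dropped before the two drift apart. The entry itself tracks `shell` reading `vendor_intelligence_prop`, which is the intended effect of declaring it `vendor_internal_prop`; if `adb shell getprop` access is wanted for debugging, the property should be exposed deliberately, otherwise the tracking entry hides a denial that is working as designed and can go.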