Add Intelligence rc
Controlled by persist.vendor.intelligence:
# on -> mount(ok) -> on
# off -> write_zeroes -> remove -> rm(ok) -> disable
# on -> mount(fail) -> remove -> rm(ok) -> disable
For SEpolicy,
type=1400 audit(1731445557.444:32): avc: denied { read } for comm="kworker/u16:3" path="/dev/block/sda33" dev="tmpfs" ino=1050 scontext=u:r:kernel:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
type=1400 audit(1731445557.476:33): avc: denied { execute_no_trans } for comm="storage_intelli" path="/vendor/bin/toolbox" dev="dm-11" ino=368 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
type=1400 audit(1731448933.292:16): avc: denied { search } for comm="dd" name="block" dev="tmpfs" ino=12 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
type=1400 audit(1731461590.844:16): avc: denied { write } for comm="dd" name="sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
type=1400 audit(1731461590.844:17): avc: denied { open } for comm="dd" path="/dev/block/sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1
Bug: 378120929
Flag: build.RELEASE_PIXEL_VENDOR_INTELLIGENCE_AID
Change-Id: If9d2f067e29b6c574d3b827ea509fec92c6d8028
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index 0fa9564..59b739d 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -4,3 +4,5 @@
type sg_device, dev_type;
type sg_util_exec, exec_type, vendor_file_type, file_type;
+# Intelligence Service
+type intelligence_data_file, file_type, data_file_type;
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index 1ef5a67..18527fb 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -1,9 +1,13 @@
# storage
-/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
-/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
-/dev/sg[0-9] u:object_r:sg_device:s0
-/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
-/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
-/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
-/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/data/vendor/intelligence(/.*)? u:object_r:intelligence_data_file:s0
+/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
+/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
+/dev/sg[0-9] u:object_r:sg_device:s0
+
+/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
+
+/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
+/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
+/vendor/bin/storage_intelligence\.sh u:object_r:storage_intelligence_exec:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index dc24247..464ca4b 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1,3 +1,4 @@
# init
allow init sysfs_scsi_devices_0000:file w_file_perms;
+dontaudit init intelligence_data_file:dir mounton;
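Review bot: The new rule on the last line of this hunk silences the denial instead of granting it — `dontaudit` only suppresses the audit record, so if init is the domain that mounts on /data/vendor/intelligence (the "on -> mount(ok)" path in the description), that mount still fails on an enforcing build, now without any log to explain why. If the mount is meant to succeed, this should be `allow init intelligence_data_file:dir mounton;`; if the mounton attempt is a known-benign probe that should stay denied, a comment saying so would stop the next reader from treating the dontaudit as a bug. Which domain actually performs the mount is not visible in this diff.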
diff --git a/storage/sepolicy/kernel.te b/storage/sepolicy/kernel.te
new file mode 100644
index 0000000..55882ed
--- /dev/null
+++ b/storage/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# for intelligence service
+
+allow kernel userdata_exp_block_device:blk_file read;
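Review bot: The comment above the rule does not record why the kernel domain needs read on userdata_exp_block_device; the first denial in the commit description (a kworker thread reading /dev/block/sda33) is the actual justification, and a later audit of kernel block-device access will want it next to the rule. Suggest replacing `# for intelligence service` with `# kworker reads the userdata_exp block device during the intelligence mount path (see kworker denial in the commit message)`. Whether `read` alone is sufficient once the filesystem is mounted and used is not visible here; the captured denials were taken with permissive=1, so the rule set should be confirmed on an enforcing build.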
diff --git a/storage/sepolicy/property.te b/storage/sepolicy/property.te
new file mode 100644
index 0000000..598c71a
--- /dev/null
+++ b/storage/sepolicy/property.te
@@ -0,0 +1,3 @@
+# for intelligence service
+
+vendor_internal_prop(vendor_intelligence_prop)
diff --git a/storage/sepolicy/property_contexts b/storage/sepolicy/property_contexts
new file mode 100644
index 0000000..b436986
--- /dev/null
+++ b/storage/sepolicy/property_contexts
@@ -0,0 +1 @@
+persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0
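Review bot: The entry on this line is a prefix match, since no `exact` qualifier is given, so it labels every property whose name starts with `persist.vendor.intelligence` (for example `persist.vendor.intelligence.foo` or `persist.vendor.intelligencex`) as vendor_intelligence_prop, and the set_prop rules for storage_intelligence and vendor_init then cover all of them. The description treats this as a single on/off switch, so the narrower form is `persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0 exact bool`, which restricts the label to that one name and lets init reject malformed values; if the rc literally uses the values `on`/`off` rather than true/false, `exact enum on off` is the matching form instead. If sub-properties under this prefix are intended, keep the prefix form but say so in a comment.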
diff --git a/storage/sepolicy/storage_intelligence.te b/storage/sepolicy/storage_intelligence.te
new file mode 100644
index 0000000..66d14df
--- /dev/null
+++ b/storage/sepolicy/storage_intelligence.te
@@ -0,0 +1,12 @@
+# support intelligence service
+init_daemon_domain(storage_intelligence)
+type storage_intelligence, domain;
+type storage_intelligence_exec, vendor_file_type, exec_type, file_type;
+
+set_prop(storage_intelligence, vendor_intelligence_prop);
+
+allow storage_intelligence vendor_toolbox_exec:file execute_no_trans;
+
+# for storage management
+allow storage_intelligence block_device:dir { search };
+allow storage_intelligence userdata_exp_block_device:blk_file rw_file_perms;
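Review bot: The last line of this hunk grants `rw_file_perms` on userdata_exp_block_device, which is wider than the `{ open write }` the description's dd denials show: the macro also carries ioctl, lock, map and getattr, so the daemon gets unrestricted ioctl on the raw userdata block device. If the wipe is done purely by dd writes as the denials suggest, `allow storage_intelligence userdata_exp_block_device:blk_file { open read write getattr };` is enough; if an ioctl is required for the write_zeroes step, add `ioctl` explicitly and pair it with an `allowxperm ... ioctl` allowlist rather than the blanket macro. Two points of style: `type storage_intelligence, domain;` conventionally precedes `init_daemon_domain(storage_intelligence)` in AOSP .te files, and `{ search }` needs no braces for a single permission.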
diff --git a/storage/sepolicy/tracking_denials/bug_map b/storage/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..a1e8298
--- /dev/null
+++ b/storage/sepolicy/tracking_denials/bug_map
@@ -0,0 +1 @@
+shell vendor_intelligence_prop file b/378120929
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index 73eb527..cbb2990 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -4,3 +4,5 @@
# dirty swappiness
allow vendor_init proc_dirty:file w_file_perms;
+# intelligence
+set_prop(vendor_init, vendor_intelligence_prop);