From 3bcf1e58910c54ce4e8b27115cad71e6b8b386c6 Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Sat, 9 Nov 2024 16:23:56 -0800 Subject: [PATCH] Add Intelligence rc By persist.vendor.intelligence, # on -> mount(ok) -> on # off -> write_zeroes -> remove -> rm(ok) -> disable # on -> mount(fail) -> remove -> rm(ok) -> disable For SEpolicy, type=1400 audit(1731445557.444:32): avc: denied { read } for comm="kworker/u16:3" path="/dev/block/sda33" dev="tmpfs" ino=1050 scontext=u:r:kernel:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1 type=1400 audit(1731445557.476:33): avc: denied { execute_no_trans } for comm="storage_intelli" path="/vendor/bin/toolbox" dev="dm-11" ino=368 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1 type=1400 audit(1731448933.292:16): avc: denied { search } for comm="dd" name="block" dev="tmpfs" ino=12 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1 type=1400 audit(1731461590.844:16): avc: denied { write } for comm="dd" name="sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1 type=1400 audit(1731461590.844:17): avc: denied { open } for comm="dd" path="/dev/block/sda33" dev="tmpfs" ino=1052 scontext=u:r:storage_intelligence:s0 tcontext=u:object_r:userdata_exp_block_device:s0 tclass=blk_file permissive=1 Bug: 378120929 Flag: build.RELEASE_PIXEL_VENDOR_INTELLIGENCE_AID Change-Id: If9d2f067e29b6c574d3b827ea509fec92c6d8028 
Signed-off-by: Jaegeuk Kim
---
 storage/Android.bp | 9 ++++++++-
 storage/sepolicy/file.te | 2 ++
 storage/sepolicy/file_contexts | 18 ++++++++++-------
 storage/sepolicy/init.te | 1 +
 storage/sepolicy/kernel.te | 3 +++
 storage/sepolicy/property.te | 3 +++
 storage/sepolicy/property_contexts | 1 +
 storage/sepolicy/storage_intelligence.te | 12 ++++++++++++
 storage/sepolicy/tracking_denials/bug_map | 1 +
 storage/sepolicy/vendor_init.te | 2 ++
 storage/storage.intelligence.rc | 23 ++++++++++++++++++++++
 storage/storage_intelligence.sh | 24 +++++++++++++++++++++++
 storage/tracking_denials/bug_map | 1 +
 13 files changed, 92 insertions(+), 8 deletions(-)
 create mode 100644 storage/sepolicy/kernel.te
 create mode 100644 storage/sepolicy/property.te
 create mode 100644 storage/sepolicy/property_contexts
 create mode 100644 storage/sepolicy/storage_intelligence.te
 create mode 100644 storage/sepolicy/tracking_denials/bug_map
 create mode 100644 storage/storage.intelligence.rc
 create mode 100755 storage/storage_intelligence.sh
 create mode 100644 storage/tracking_denials/bug_map
diff --git a/storage/Android.bp b/storage/Android.bp
index 3a06113..eb806bc 100644
--- a/storage/Android.bp
+++ b/storage/Android.bp
@@ -14,8 +14,15 @@ cc_binary {
 shared_libs: [
 "libbase",
 "libdump",
- "liblog",
+ "liblog",
 ],
 vendor: true,
 relative_install_path: "dump",
 }
+
+sh_binary {
+ name: "storage_intelligence.sh",
+ src: "storage_intelligence.sh",
+ init_rc: ["storage.intelligence.rc"],
+ vendor: true,
+}
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index 0fa9564..59b739d 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -4,3 +4,5 @@ type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+# Intelligence Service
+type intelligence_data_file, file_type, data_file_type;
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index 1ef5a67..18527fb 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -1,9 +1,13 @@
 # storage
-/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
-/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
-/dev/sg[0-9] u:object_r:sg_device:s0
-/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
-/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
-/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
-/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/data/vendor/intelligence(/.*)? u:object_r:intelligence_data_file:s0
+/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
+/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
+/dev/sg[0-9] u:object_r:sg_device:s0
+
+/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
+
+/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
+/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
+/vendor/bin/storage_intelligence\.sh u:object_r:storage_intelligence_exec:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index dc24247..464ca4b 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1,3 +1,4 @@
 # init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+dontaudit init intelligence_data_file:dir mounton;
diff --git a/storage/sepolicy/kernel.te b/storage/sepolicy/kernel.te
new file mode 100644
index 0000000..55882ed
--- /dev/null
+++ b/storage/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+# for intelligence service
+
+allow kernel userdata_exp_block_device:blk_file read;
diff --git a/storage/sepolicy/property.te b/storage/sepolicy/property.te
new file mode 100644
index 0000000..598c71a
--- /dev/null
+++ b/storage/sepolicy/property.te
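Review bot: `dontaudit init intelligence_data_file:dir mounton;` only silences the denial; it grants nothing, so unless init already holds mounton on this type through a generic rule, the `mount ... /data/vendor/intelligence ro` line in storage.intelligence.rc (executed by init) fails in enforcing mode and the failure is now invisible in the audit log. If the mount is meant to succeed the rule should be `allow init intelligence_data_file:dir mounton;` (or, if a neverallow forbids that, the mount has to move into a domain that may hold it); if the denial is known to be benign, say so next to it, e.g. `# init probes the mount point before the loop mount; the denial is harmless`. Either way a one-line comment is needed, because a bare dontaudit reads as "we hid a bug" to the next reviewer.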
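Review bot: `# for intelligence service` above `allow kernel userdata_exp_block_device:blk_file read;` says who the rule is for but not why the kernel domain, rather than the service, reads the partition; the kworker denial quoted in the commit message suggests the loop device behind the `loop@` read-only mount in storage.intelligence.rc is serviced from the kernel domain. If that is confirmed, `# kworker serves the loop device behind the ro mount of userdata_exp.ai (storage.intelligence.rc)` would make the rule self-explanatory, and it documents why `read` alone (matching the `ro` mount) is the right scope.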
@@ -0,0 +1,3 @@
+# for intelligence service
+
+vendor_internal_prop(vendor_intelligence_prop)
diff --git a/storage/sepolicy/property_contexts b/storage/sepolicy/property_contexts
new file mode 100644
index 0000000..b436986
--- /dev/null
+++ b/storage/sepolicy/property_contexts
@@ -0,0 +1 @@
+persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0
diff --git a/storage/sepolicy/storage_intelligence.te b/storage/sepolicy/storage_intelligence.te
new file mode 100644
index 0000000..66d14df
--- /dev/null
+++ b/storage/sepolicy/storage_intelligence.te
@@ -0,0 +1,12 @@
+# support intelligence service
+init_daemon_domain(storage_intelligence)
+type storage_intelligence, domain;
+type storage_intelligence_exec, vendor_file_type, exec_type, file_type;
+
+set_prop(storage_intelligence, vendor_intelligence_prop);
+
+allow storage_intelligence vendor_toolbox_exec:file execute_no_trans;
+
+# for storage management
+allow storage_intelligence block_device:dir { search };
+allow storage_intelligence userdata_exp_block_device:blk_file rw_file_perms;
diff --git a/storage/sepolicy/tracking_denials/bug_map b/storage/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..a1e8298
--- /dev/null
+++ b/storage/sepolicy/tracking_denials/bug_map
@@ -0,0 +1 @@
+shell vendor_intelligence_prop file b/378120929
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index 73eb527..cbb2990 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -4,3 +4,5 @@ allow vendor_init sg_device:chr_file r_file_perms;
 # dirty swappiness
 allow vendor_init proc_dirty:file w_file_perms;
+# intelligence
+set_prop(vendor_init, vendor_intelligence_prop);
diff --git a/storage/storage.intelligence.rc b/storage/storage.intelligence.rc
new file mode 100644
index 0000000..85586ab
--- /dev/null
+++ b/storage/storage.intelligence.rc
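Review bot: `allow storage_intelligence userdata_exp_block_device:blk_file rw_file_perms;` gives the new root-run domain read and write on every partition matched by the `/dev/block/by-name/userdata_exp.*` pattern in file_contexts, while the script only ever opens `userdata_exp.ai` for writing (`dd if=/dev/zero of=$partition`; the audit lines in the commit message show only write and open). `w_file_perms`, re-checked against a permissive run, would drop the read side, and if other userdata_exp partitions exist, a dedicated type for `userdata_exp.ai` would keep a bug in this script from being able to overwrite its neighbours. A comment above the rule recording why write is needed, e.g. `# dd zeroes the first 8 KiB of userdata_exp.ai when persist.vendor.intelligence=off`, would also keep the rule reviewable later; the vendor_toolbox_exec execute_no_trans line is what dd and grep need and looks right.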
@@ -0,0 +1,23 @@
+# For intelligence service
+# on -> mount(ok) -> on
+# off -> write_zeroes -> remove -> rm(ok) -> disable
+# on -> mount(fail) -> remove -> rm(ok) -> disable
+
+service storage_intelligence /vendor/bin/storage_intelligence.sh
+ user root
+ disabled
+ oneshot
+
+on boot && property:persist.vendor.intelligence=on
+ mkdir /data/vendor/intelligence 0770 vendor_intelligence vendor_intelligence
+ restorecon_recursive /data/vendor/intelligence
+ mount f2fs loop@/dev/block/by-name/userdata_exp.ai /data/vendor/intelligence ro
+ start storage_intelligence
+
+on boot && property:persist.vendor.intelligence=off
+ start storage_intelligence
+
+on property:persist.vendor.intelligence=remove
+ rm /data/userdata_exp.ai
+ rmdir /data/vendor/intelligence
+ setprop persist.vendor.intelligence disable
diff --git a/storage/storage_intelligence.sh b/storage/storage_intelligence.sh
new file mode 100755
index 0000000..03d2ca7
--- /dev/null
+++ b/storage/storage_intelligence.sh
@@ -0,0 +1,24 @@
+#!/vendor/bin/sh
+#
+# The script belongs to the feature of UFS FFU via OTA: go/p23-ffu-ota
+# Its purpose is to copy the corresponding firmware into partition for UFS FFU.
+
+
+property="persist.vendor.intelligence"
+partition="/dev/block/by-name/userdata_exp.ai"
+mount_point="/data/vendor/intelligence"
+backend_file="/data/userdata_exp.ai"
+
+request=`getprop $property`
+
+if [ "$request" == "on" ]; then
+ mounted=`grep $mount_point /proc/mounts`
+ if [ "$mounted" ]; then
+ setprop $property on
+ else
+ setprop $property remove
+ fi
+elif [ "$request" == "off" ]; then
+ dd if=/dev/zero of=$partition bs=4k count=2
+ setprop $property remove
+fi
diff --git a/storage/tracking_denials/bug_map b/storage/tracking_denials/bug_map
new file mode 100644
index 0000000..a1e8298
--- /dev/null
+++ b/storage/tracking_denials/bug_map
@@ -0,0 +1 @@
+shell vendor_intelligence_prop file b/378120929
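Review bot: The `mount f2fs loop@/dev/block/by-name/userdata_exp.ai /data/vendor/intelligence ro` line mounts a filesystem image from a writable partition under /data with only `ro`; since nothing on the image is meant to be executed, `ro,nodev,nosuid,noexec` would stop a tampered image from supplying device nodes or setuid/executable files, and the `user root` service could then be re-examined for a less privileged user. Two smaller points: the mount source is the by-name block device but the remove action deletes `/data/userdata_exp.ai` (the script also defines `backend_file` with that path and never uses it), so a comment on the `rm` line saying what that file is would remove the ambiguity. Also, a transient mount failure in the `=on` path ends, via the script's `else` branch, in `rmdir` plus `setprop persist.vendor.intelligence disable`, which permanently turns the feature off; if that is intended the header comment should say so.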
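Review bot: The header comment of storage_intelligence.sh (`# The script belongs to the feature of UFS FFU via OTA: go/p23-ffu-ota` and the line after it) describes a firmware-copy script, not this one, and should be replaced with something like `# Reconciles persist.vendor.intelligence with the userdata_exp.ai mount: on -> confirm the mount or request removal; off -> zero the head of the partition and request removal`. The `off` branch runs `dd if=/dev/zero of=$partition bs=4k count=2` without checking that the partition is not mounted, and the `on` branch's `grep $mount_point /proc/mounts` is an unanchored substring match; `grep -q " $mount_point " /proc/mounts` in both places (as the mounted test, and as a guard that skips the dd) is a cheap correction. `backend_file` is assigned but never read and should either be dropped or be the thing the rc file's `rm` refers to.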
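Review bot: This file is byte-identical (blob a1e8298) to the one added at storage/sepolicy/tracking_denials/bug_map earlier in the patch; the build presumably picks up only one of the two locations, so the other is likely a stray copy that will drift out of sync. Keeping a single bug_map next to the .te files, or a comment in the other explaining why both are needed, would avoid that.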