From f24bfe8ca3703d0013735e67ddb942b05f893034 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Oct 2024 03:48:06 +0000
Subject: [PATCH 1/3] ban hal_dumpstate_default from execute_no_trans

It keeps people from using my domain to do random things, which causes VTS failure like b/364989823.
Bug: 371497180
Test: build pass and adb bugreport build fail when ag/28359861 is around.
Change-Id: I438bf2b026718a46bb841ab5e656d11eec630960
---
 gear/dumpstate/sepolicy/hal_dumpstate_default.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/gear/dumpstate/sepolicy/hal_dumpstate_default.te b/gear/dumpstate/sepolicy/hal_dumpstate_default.te
index 06ebb75..e0f0b09 100644
--- a/gear/dumpstate/sepolicy/hal_dumpstate_default.te
+++ b/gear/dumpstate/sepolicy/hal_dumpstate_default.te
@@ -5,3 +5,8 @@
 allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
 allow hal_dumpstate_default shell_data_file:file getattr;
 set_prop(hal_dumpstate_default, vendor_logger_prop)
+# All dumps that are executed via hal_dumpstate_default should use their
+# own domain to request their permissions to achieve compartmentalization.
+# go/pixel-bugreport has examples on how to do that.
+neverallow hal_dumpstate_default { vendor_file_type -vendor_toolbox_exec }:file execute_no_trans;
+
From 0af034bf9f1066b190124630ca655306a2156457 Mon Sep 17 00:00:00 2001
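Review bot: The carve-out `-vendor_toolbox_exec` in the new neverallow is not explained by the comment above it, so the next reader cannot tell whether it is deliberate or an oversight; add a line such as `# vendor_toolbox_exec stays allowed so toybox utilities can still run in-domain` (adjust if the actual reason differs). The assertion only covers `vendor_file_type`, so in-domain execution of files with other labels this domain can reach, such as the `shell_data_file` it already has getattr on, is not asserted against; if the intent is no execute_no_trans at all, widening the set to `file_type` lets the policy build enforce that, provided no existing allow rule contradicts it. A neverallow is checked when the policy is compiled rather than at runtime, which matches the Test: line but means the "ban" only holds for rules compiled into the same policy.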
From: Ocean Chen
Date: Mon, 7 Oct 2024 14:48:56 +0800
Subject: [PATCH 2/3] storage: Defer blkio class configuration

Move blkio class configuration from on init to on property:sys.boot_completed=1. This improves I/O balance between foreground and background processes during boot, as many background processes compete for I/O resources at that time. Deferring the configuration ensures a smoother user experience by prioritizing foreground processes.
Bug: 364960533
Test: forrest build and test on felix
Change-Id: If15343d4d96d55032618a4611bf9fdf47105c974
---
 storage/init.storage.rc | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/storage/init.storage.rc b/storage/init.storage.rc
index 9e4acd4..77057cd 100644
--- a/storage/init.storage.rc
+++ b/storage/init.storage.rc
@@ -1,11 +1,3 @@
-on init
- # Make foreground and background I/O priority different. none-to-rt was
- # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
- # Write none-to-rt first and promote-to-rt next to support both older and
- # newer kernel versions.
- write /dev/blkio/blkio.prio.class none-to-rt
- write /dev/blkio/blkio.prio.class promote-to-rt
-
 on property:ro.build.type=userdebug
 write /dev/sys/block/bootdevice/pixel/enable_pixel_ufs_logging 1
 chown system /dev/sg3
@@ -44,6 +36,13 @@ on init
 write /dev/sys/block/bootdevice/clkgate_enable 0
 on property:sys.boot_completed=1
+ # Make foreground and background I/O priority different. none-to-rt was
+ # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
+ # Write none-to-rt first and promote-to-rt next to support both older and
+ # newer kernel versions.
+ write /dev/blkio/blkio.prio.class none-to-rt
+ write /dev/blkio/blkio.prio.class promote-to-rt
+
 # Health Storage HAL
 chown system system /dev/sys/block/bootdevice/manual_gc
From 93d8e4ada661b7563097d461ed1a5e1c3bf13491 Mon Sep 17 00:00:00 2001
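Review bot: The relocated blkio block under `on property:sys.boot_completed=1` carries only its kernel-version comment, so nothing in the file records that the deferral is intentional and a later tidy-up could move it back to `on init`; add `# Deferred from 'on init' on purpose: many background processes compete for I/O` / `# during boot, so the class is applied once boot completes (b/364960533).` above the first write. Until boot completes the device now runs with the kernel's default blkio priority class, which is the stated intent, but it is worth confirming that no boot-time consumer relied on the previous early write. The `on init` deletion in the first hunk needs no separate note.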
From: Madhav Iyengar
Date: Fri, 30 Aug 2024 16:19:51 +0000
Subject: [PATCH 3/3] [chre-hal-xport] Add file_contexts for new xport

Bug: 369883034
Flag: android.chre.flags.refactor_hal_xport_agnostic
Change-Id: I13b1a769f0f866a0b7c17d461052a6be83cc0e07
---
 aoc/sepolicy/file_contexts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/aoc/sepolicy/file_contexts b/aoc/sepolicy/file_contexts
index 73293f7..778de0c 100644
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@@ -34,6 +34,9 @@
 /dev/acd-chre_bt_offload_ctl u:object_r:aoc_device:s0
 /dev/acd-chre_bt_offload_data_tx u:object_r:aoc_device:s0
 /dev/acd-chre_bt_offload_data_rx u:object_r:aoc_device:s0
+/dev/acd-chre_ctl u:object_r:aoc_device:s0
+/dev/acd-chre_data_tx u:object_r:aoc_device:s0
+/dev/acd-chre_data_rx u:object_r:aoc_device:s0
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
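Review bot: The three new `/dev/acd-chre_*` nodes reuse `aoc_device`, the same type as the neighbouring `acd-chre_bt_offload_*` entries, so every domain already allowed to open the offload nodes can open the new CHRE transport as well; if the new transport is meant to be reachable only by the CHRE HAL, a dedicated type would keep that access separate, otherwise the shared label is consistent with its neighbours. A short comment such as `# CHRE transport-agnostic HAL xport nodes` above the added lines would record which component owns them. file_contexts entries cannot be gated by the Flag: named in the commit message, so these labels land regardless of the flag state; that is harmless because a label by itself grants nothing, but it is worth stating in the commit message.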