Android Customizing SePolicy
Revision as of 10:33, 26 December 2019
Overview
SELinux (Security-Enhanced Linux) is the mandatory access control layer Android uses to enhance system security and to control which processes may access which files and device nodes.
Please refer to https://source.android.com/security/selinux for more detailed concepts.
Bringup Stages and SELinux Permissive
Android 7.1.1 and later ship with SELinux enforcing, but during bring-up you may need to access certain device nodes or let an application control the hardware.
We recommend building a proper sepolicy by following https://source.android.com/security/selinux/build
Collecting the denials needed to write that policy requires SELinux to be set to permissive mode during bring-up.
Refer to https://source.android.com/security/selinux/validate for how to validate the policy and put the proper file contexts and sepolicy in place.
You will typically see output like the following in dmesg when the AVC (access vector cache) denies a process, most often an application, access to a file:
$ adb shell su root dmesg | grep 'avc: '
type=1400 audit: avc: denied { read write } for pid=177
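The denial lines above are the raw material for the sepolicy that the previous section recommends building. The following Python script is an added example, not part of the original page or of Variscite's code: it parses constructed dmesg lines in the format the Android audit subsystem emits, groups the denied permissions by source type, target type and object class, and renders each group as a candidate allow rule for review (the same shape audit2allow produces). It also separates entries logged with permissive=1, where the access went through and was only logged, from entries with permissive=0, which were actually blocked. The process names, PIDs and contexts in the sample are made up; the candidate rules are a starting point for review and may be rejected by the platform's neverallow rules at build time, which is the intended safeguard.

```python
import re
from collections import defaultdict

# Constructed sample dmesg lines in the format Android's audit subsystem emits.
# Not captured from a real device: PIDs, comm names and contexts are made up.
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(1577355200.123:45): avc: denied { read write } for pid=177 comm="hwmonitor" name="ttymxc1" dev="tmpfs" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
[   12.350000] type=1400 audit(1577355200.130:46): avc: denied { open } for pid=177 comm="hwmonitor" path="/dev/ttymxc1" dev="tmpfs" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
[   13.000000] type=1400 audit(1577355201.000:47): avc: denied { ioctl } for pid=177 comm="hwmonitor" path="/dev/ttymxc1" dev="tmpfs" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=1
[   14.000000] type=1400 audit(1577355202.000:48): avc: denied { read } for pid=210 comm="gpiod" name="gpiochip0" dev="tmpfs" ino=99 scontext=u:r:hal_gpio_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
[   15.000000] init: some unrelated message
"""

# One denial line: the permission set in braces, then the source/target
# contexts and object class. permissive=N is present on Android kernels.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)


def parse_denials(dmesg_text):
    """Return one dict per 'avc: denied' line; unrelated lines are skipped."""
    denials = []
    for line in dmesg_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was allowed and only logged
            "permissive": m.group("permissive") == "1",
        })
    return denials


def type_of(context):
    """u:r:untrusted_app:s0:c512,c768 -> untrusted_app (third field of an Android context)."""
    return context.split(":")[2]


def summarize(denials):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        grouped[key].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def candidate_rules(denials):
    """Render each group as a TE allow rule for human review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summarize(denials).items())
    ]


def enforced_denials(denials):
    """Denials logged with permissive=0: these accesses were actually blocked."""
    return [d for d in denials if not d["permissive"]]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_DMESG)
    print(f"{len(found)} denials, {len(enforced_denials(found))} actually blocked")
    for rule in candidate_rules(found):
        print(rule)
```

Run it against a real capture by piping the output of the adb command above into the script's input instead of SAMPLE_DMESG. Note that a rule such as the untrusted_app one above grants an application direct tty access; the right fix is usually a dedicated HAL domain with its own type for the device node, so treat the generated rules as a description of what the software tried to do, not as the policy to ship.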
SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:
$ adb shell setenforce 0
Or at the kernel command line (during early device bring-up):
androidboot.selinux=permissive
Setting the permission in Boot image
Edit U-Boot command line arguments
https://github.com/varigit/uboot-imx/blob/imx_v2017.03_4.9.11_1.0.0_ga_var01/include/configs/mx6var_som_android.h#L42
Change following macro
#define CONFIG_EXTRA_ENV_SETTINGS \
	BOOT_ENV_SETTINGS \
	HW_ENV_SETTINGS \
	VIDEO_ENV_SETTINGS \
	"splashpos=m,m\0" \
	"fdt_high=0xffffffff\0" \
	"initrd_high=0xffffffff\0" \
	"bootargs=" \
		"console=ttymxc0,115200 " \
		"init=/init " \
		"vmalloc=128M " \
		"androidboot.console=ttymxc0 " \
		"consoleblank=0 " \
		"cma=448M " \
		"firmware_class.path=/system/etc/firmware\0"
To
#define CONFIG_EXTRA_ENV_SETTINGS \
	BOOT_ENV_SETTINGS \
	HW_ENV_SETTINGS \
	VIDEO_ENV_SETTINGS \
	"splashpos=m,m\0" \
	"fdt_high=0xffffffff\0" \
	"initrd_high=0xffffffff\0" \
	"bootargs=" \
		"console=ttymxc0,115200 " \
		"init=/init " \
		"vmalloc=128M " \
		"androidboot.console=ttymxc0 " \
		"consoleblank=0 " \
		"cma=448M " \
		"firmware_class.path=/system/etc/firmware androidboot.selinux=permissive\0"
Compile U-Boot
Compile the new U-Boot following Customizing U-Boot
Update U-Boot
Flash the binaries following Burning Android binaries to flash/eMMC via SD card
The updated U-Boot should now boot Android with SELinux in permissive mode.
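Because the permissive setting lives in a C macro that is compiled into U-Boot, it is easy to forget and ship. The following Python script is an added example, not part of the original page or of Variscite's U-Boot tree: it reads a board header, joins the backslash continuations of CONFIG_EXTRA_ENV_SETTINGS, concatenates the adjacent string literals the way the C compiler does, splits the result on the literal \0 separators into U-Boot environment entries, and reports the SELinux mode requested on the kernel command line. The embedded header excerpt is a constructed copy of the "after" macro from this page; the release_check function is a hypothetical gate you could run in CI against the real mx6var_som_android.h before building a production image. Android's init treats any value other than permissive (including an absent parameter) as enforcing, which is what the default below reflects.

```python
import re

# Constructed excerpt modelled on the CONFIG_EXTRA_ENV_SETTINGS macro shown above
# in its bring-up form (permissive appended). Not a copy of a real header file.
BRINGUP_HEADER = r'''
#define CONFIG_EXTRA_ENV_SETTINGS \
	BOOT_ENV_SETTINGS \
	HW_ENV_SETTINGS \
	VIDEO_ENV_SETTINGS \
	"splashpos=m,m\0" \
	"fdt_high=0xffffffff\0" \
	"initrd_high=0xffffffff\0" \
	"bootargs=" \
		"console=ttymxc0,115200 " \
		"init=/init " \
		"vmalloc=128M " \
		"androidboot.console=ttymxc0 " \
		"consoleblank=0 " \
		"cma=448M " \
		"firmware_class.path=/system/etc/firmware androidboot.selinux=permissive\0"
'''

# The same header with the bring-up parameter removed, i.e. what should ship.
RELEASE_HEADER = BRINGUP_HEADER.replace(" androidboot.selinux=permissive", "")

# A C string literal, allowing escaped characters such as \0 inside it.
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')


def macro_body(header_text, name="CONFIG_EXTRA_ENV_SETTINGS"):
    """Return the text of '#define NAME ...' with backslash-newline continuations joined."""
    joined = re.sub(r"\\\n", " ", header_text)
    prefix = f"#define {name}"
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return line[len(prefix):]
    raise ValueError(f"{name} not found in header")


def env_entries(header_text):
    """Concatenate adjacent string literals (as the compiler does) and split on the
    literal \\0 separators into name=value U-Boot environment entries."""
    combined = "".join(STRING_LIT.findall(macro_body(header_text)))
    return [entry for entry in combined.split(r"\0") if entry]


def bootargs(header_text):
    """Kernel command line words from the bootargs environment entry."""
    for entry in env_entries(header_text):
        if entry.startswith("bootargs="):
            return entry[len("bootargs="):].split()
    return []


def selinux_mode(header_text):
    """Value of androidboot.selinux on the command line; absent means enforcing."""
    for arg in bootargs(header_text):
        if arg.startswith("androidboot.selinux="):
            return arg.split("=", 1)[1]
    return "enforcing"


def release_check(header_text):
    """Findings for a production build; an empty list means the config is clean."""
    findings = []
    if selinux_mode(header_text) == "permissive":
        findings.append("bootargs sets androidboot.selinux=permissive; remove it before release")
    return findings


if __name__ == "__main__":
    for label, header in (("bring-up", BRINGUP_HEADER), ("release", RELEASE_HEADER)):
        print(f"{label}: selinux={selinux_mode(header)} findings={release_check(header)}")
```

To check the real board header, read the file and pass its contents to release_check; a non-empty result should fail the build. The parser only follows the single-macro, string-literal layout used in the header linked above; a board that builds bootargs from nested macros would need those expanded first.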