Android Customizing SePolicy: Difference between revisions
No edit summary |
|||
(6 intermediate revisions by 3 users not shown) | |||
Line 4: | Line 4: | ||
--> {{PageHeader|Android - Customizing SELinux Policy}} {{DocImage|category1=Android|category2={{#var:HARDWARE_NAME}}}} __toc__ | --> {{PageHeader|Android - Customizing SELinux Policy}} {{DocImage|category1=Android|category2={{#var:HARDWARE_NAME}}}} __toc__ | ||
=Overview= | =Overview= | ||
SELinux is the Security Enhanced Linux concept to enhance the Android Security and have the controlled access to the files.<br> | |||
Please refer to https://source.android.com/security/selinux for more detailed concepts. | Please refer to https://source.android.com/security/selinux for more detailed concepts. | ||
Line 13: | Line 13: | ||
Refer to https://source.android.com/security/selinux/validate how to validate and remove the proper filecontext and Sepolicy in place.<br> | Refer to https://source.android.com/security/selinux/validate how to validate and remove the proper filecontext and Sepolicy in place.<br> | ||
You will mostly see below output when avc daemon blocks access to certain files especially applications. <br> | You will mostly see below output when avc daemon blocks access to certain files especially applications. <br> | ||
$adb shell su root dmesg | grep 'avc: ' | $ adb shell su root dmesg | grep 'avc: ' | ||
type=1400 audit: avc: denied { read write } for pid=177 | type=1400 audit: avc: denied { read write } for pid=177 | ||
SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run: | SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run: | ||
$adb shell setenforce 0 | $ adb shell setenforce 0 | ||
Or at the kernel command line (during early device bring-up): | Or at the kernel command line (during early device bring-up): | ||
Line 40: | Line 40: | ||
===Compile U-Boot=== | ===Compile U-Boot=== | ||
Compile the new U-Boot | Compile the new U-Boot | ||
$ cd {{#var:BUILD_FOLDER}}/{{#var:BUILD_FOLDER_ANDROID}} | |||
$ source build/envsetup.sh | |||
$ lunch {{#var:ANDROID_MACHINE_NAME}}-userdebug | |||
{{#switch: {{#var:ANDROID_NAME}} | |||
| Android 10 = $ ./imx-make.sh bootloader -j4 2>&1 {{!}} tee build1-1.log | |||
| Android 11 = $ ./imx-make.sh bootloader -j4 2>&1 {{!}} tee build1-1.log | |||
| $ make -j4 bootloader 2>&1 {{!}} tee build1-1.log | |||
}} | |||
There are two methods from which you can update bootloader, | |||
Flash the binaries following {{Varlink|Android_Recovery_SD_card|{{#var:RELEASE_LINK}}|Android Recovery SD card}} and replacing your binaries in /opt/images/Android/ | Flash the binaries following {{Varlink|Android_Recovery_SD_card|{{#var:RELEASE_LINK}}|Android Recovery SD card}} and replacing your binaries in /opt/images/Android/ <br> | ||
Boot from Yocto, and run install_android.sh. | |||
* Note: This erases everything and installs everything <br> | |||
or <br> | |||
If you wish to just update u-boot, and your platform already has the bootloader and adb running use below commands to flash directly to eMMC. | |||
$ cd {{#var:BUILD_FOLDER}}/{{#var:BUILD_FOLDER_ANDROID}} | |||
$ adb root;sleep 3; | |||
$ adb push out/target/product/{{#var:ANDROID_MACHINE_NAME}}/{{#var:U-BOOT_SD_IMAGE_NAME}} /data/ | |||
$ adb shell 'dd if=/data/{{#var:U-BOOT_SD_IMAGE_NAME}} of=/dev/block/{{#var:EMMC_ROOTFS_DEV}} bs=1k seek={{#var:U-BOOT_OFFSET}} conv=notrunc' | |||
$ adb shell sync | |||
$ adb reboot |
Latest revision as of 00:59, 27 June 2023
Overview
SELinux is the Security Enhanced Linux concept to enhance the Android Security and have the controlled access to the files.
Please refer to https://source.android.com/security/selinux for more detailed concepts.
Bringup Stages and SELinux Permissive
Despite SELinux enforcement from Android 7.1.1 and onwards, you may want to access certain device nodes / have the application to be able to control the hardware.
We recommend building the proper sepolicy by following https://source.android.com/security/selinux/build
This requires SELinux to be set to permissive mode.
Refer to https://source.android.com/security/selinux/validate how to validate and remove the proper filecontext and Sepolicy in place.
You will mostly see below output when avc daemon blocks access to certain files especially applications.
$ adb shell su root dmesg | grep 'avc: ' type=1400 audit: avc: denied { read write } for pid=177
SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:
$ adb shell setenforce 0
Or at the kernel command line (during early device bring-up):
androidboot.selinux=permissive
Setting the permission in Boot image
Edit U-Boot command line arguments
https://github.com/varigit/uboot-imx/blob/n7.1.1_1.0.0_ga_var01/
Change following macro
#define CONFIG_EXTRA_ENV_SETTINGS \ "bootargs=" \ ....... ....\0"
And append "androidboot.selinux=permissive\0" to the kernel
#define CONFIG_EXTRA_ENV_SETTINGS \ "bootargs=" \ ....... androidboot.selinux=permissive\0"
Compile U-Boot
Compile the new U-Boot
$ cd ~/var_n_711_100/n_711_100_build $ source build/envsetup.sh $ lunch -userdebug $ make -j4 bootloader 2>&1 | tee build1-1.log
There are two methods from which you can update bootloader,
Flash the binaries following Android Recovery SD card and replacing your binaries in /opt/images/Android/
Boot from Yocto, and run install_android.sh.
- Note: This erases everything and installs everything
or
If you wish to just update u-boot, and your platform already has the bootloader and adb running use below commands to flash directly to eMMC.
$ cd ~/var_n_711_100/n_711_100_build $ adb root;sleep 3; $ adb push out/target/product//u-boot.img-sd /data/ $ adb shell 'dd if=/data/u-boot.img-sd of=/dev/block/mmcblk0 bs=1k seek= conv=notrunc' $ adb shell sync $ adb reboot