Android Customizing SePolicy: Difference between revisions

From Variscite Wiki
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 13: Line 13:
Refer to https://source.android.com/security/selinux/validate  how to validate and  remove the proper filecontext and Sepolicy in place.<br>
Refer to https://source.android.com/security/selinux/validate  how to validate and  remove the proper filecontext and Sepolicy in place.<br>
You will mostly see below output when avc daemon blocks access to certain files especially applications. <br>
You will mostly see below output when avc daemon blocks access to certain files especially applications. <br>
  $adb shell su root dmesg | grep 'avc: '
  $ adb shell su root dmesg | grep 'avc: '
  type=1400 audit: avc:  denied  { read write } for  pid=177
  type=1400 audit: avc:  denied  { read write } for  pid=177


SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:
SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:


  $adb shell setenforce 0
  $ adb shell setenforce 0


Or at the kernel command line (during early device bring-up):
Or at the kernel command line (during early device bring-up):
Line 40: Line 40:


===Compile U-Boot===
===Compile U-Boot===
Compile the new U-Boot  
Compile the new U-Boot
$ cd {{#var:BUILD_FOLDER}}/{{#var:BUILD_FOLDER_ANDROID}}
$ source build/envsetup.sh
$ lunch {{#var:ANDROID_MACHINE_NAME}}-userdebug
{{#switch: {{#var:ANDROID_NAME}}
  | Android 10 = $ ./imx-make.sh bootloader -j4 2>&1 {{!}} tee build1-1.log
  | Android 11 = $ ./imx-make.sh bootloader -j4 2>&1 {{!}} tee build1-1.log
  | $ make -j4 bootloader 2>&1 {{!}} tee build1-1.log
}}


===Update U-Boot===
There are two methods from which you can update bootloader,
Flash the binaries following {{Varlink|Android_Recovery_SD_card|{{#var:RELEASE_LINK}}|Android Recovery SD card}} and replacing your binaries in /opt/images/Android/
Flash the binaries following {{Varlink|Android_Recovery_SD_card|{{#var:RELEASE_LINK}}|Android Recovery SD card}} and replacing your binaries in /opt/images/Android/ <br>
 
Boot from Yocto, and run install_android.sh.
The updated U-Boot should have the SeLinux in permissive mode.
* Note: This erases everything and installs everything <br>
or <br>
If you wish to just update u-boot, and your platform already has the bootloader and adb running use below commands to flash directly to eMMC.  
$ cd {{#var:BUILD_FOLDER}}/{{#var:BUILD_FOLDER_ANDROID}}
$ adb root;sleep 3;
$ adb push out/target/product/{{#var:ANDROID_MACHINE_NAME}}/{{#var:U-BOOT_SD_IMAGE_NAME}} /data/
$ adb shell 'dd if=/data/{{#var:U-BOOT_SD_IMAGE_NAME}} of=/dev/block/{{#var:EMMC_ROOTFS_DEV}} bs=1k seek={{#var:U-BOOT_OFFSET}} conv=notrunc'
$ adb shell sync
$ adb reboot

Latest revision as of 00:59, 27 June 2023

Android - Customizing SELinux Policy

Overview

SELinux is the Security Enhanced Linux concept to enhance the Android Security and have the controlled access to the files.
Please refer to https://source.android.com/security/selinux for more detailed concepts.

Bringup Stages and SELinux Permissive

Despite SELinux enforcement from Android 7.1.1 and onwards, you may want to access certain device nodes / have the application to be able to control the hardware.
We recommend building the proper sepolicy by following https://source.android.com/security/selinux/build
This requires SELinux to be set to permissive mode.
Refer to https://source.android.com/security/selinux/validate how to validate and remove the proper filecontext and Sepolicy in place.
You will mostly see below output when avc daemon blocks access to certain files especially applications.

$ adb shell su root dmesg | grep 'avc: '
type=1400 audit: avc:  denied  { read write } for  pid=177

SELinux enforcement can be disabled via ADB on userdebug or eng builds. To do so, first switch ADB to root by running adb root. Then, to disable SELinux enforcement, run:

$ adb shell setenforce 0

Or at the kernel command line (during early device bring-up):

androidboot.selinux=permissive

Setting the permission in Boot image

Edit U-Boot command line arguments

https://github.com/varigit/uboot-imx/blob/n7.1.1_1.0.0_ga_var01/ Change following macro

#define CONFIG_EXTRA_ENV_SETTINGS \
	"bootargs=" \
	.......
       ....\0" 

And append "androidboot.selinux=permissive\0" to the kernel

#define CONFIG_EXTRA_ENV_SETTINGS \
	"bootargs=" \
	.......
       androidboot.selinux=permissive\0"

Compile U-Boot

Compile the new U-Boot

$ cd ~/var_n_711_100/n_711_100_build
$ source build/envsetup.sh
$ lunch -userdebug
$ make -j4 bootloader 2>&1 | tee build1-1.log

There are two methods from which you can update bootloader, Flash the binaries following Android Recovery SD card and replacing your binaries in /opt/images/Android/
Boot from Yocto, and run install_android.sh.

  • Note: This erases everything and installs everything

or
If you wish to just update u-boot, and your platform already has the bootloader and adb running use below commands to flash directly to eMMC.

$ cd ~/var_n_711_100/n_711_100_build
$ adb root;sleep 3;
$ adb push out/target/product//u-boot.img-sd /data/
$ adb shell 'dd if=/data/u-boot.img-sd of=/dev/block/mmcblk0 bs=1k seek= conv=notrunc'
$ adb shell sync
$ adb reboot