* SEAndroid Build for Galaxy Nexus
@ 2012-01-24 18:44 Bryan Hinton
From: Bryan Hinton @ 2012-01-24 18:44 UTC (permalink / raw)
  To: SELinux

I just completed a 4.0.3 SEAndroid build for the Galaxy Nexus.  The
build was clean and it is successfully running on the device.
A few general notes:
- I ran the following fastboot commands (in this order) after building
AOSP w/ SELinux patches and repacking the boot image: fastboot erase
cache, fastboot flash boot boot.img, fastboot flash system system.img,
fastboot flash userdata userdata.img.
- I had to mount /system rw after boot and fix the missing userland
RIL client library in order to get the CDMA/LTE radios working.
device/samsung/tuna is missing the extract script in AOSP.
- Permissive and enforced modes are functioning properly according to
dmesg output.  Phone calls and SMS are successful.  I am in the
process of relabeling some of the device nodes in the policy to allow
access to the radio.


Bryan Hinton

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: SEAndroid Build for Galaxy Nexus
@ 2012-01-25 12:40 ` Stephen Smalley
From: Stephen Smalley @ 2012-01-25 12:40 UTC (permalink / raw)
  To: Bryan Hinton; +Cc: SELinux

On Tue, 2012-01-24 at 12:44 -0600, Bryan Hinton wrote:
> I just completed a 4.0.3 SEAndroid build for the Galaxy Nexus.  The
> build was clean and it is successfully running on the device.
> A few general notes:
> -I ran the following  fastboot commands (in this order) after building
> AOSP w/ SELinux patches and repacking the boot image:   fastboot erase
> cache, fastboot flash boot boot.img, fastboot flash system system.img,
> fastboot flash userdata userdata.img.
> -I had to mount /system rw after boot and fix the missing, userland
> ril client library in order to get the cdma/lte radios working.
> device/samsung/tuna is missing the extract script in AOSP.
> -permissive and enforced modes are functioning properly according to
> dmesg output.    phone calls and sms are successful.  I am in the
> process of relabeling some of the device nodes in the policy to allow
> access to the radio.

Glad to hear that you were able to get it up and running.  I don't
presently have that device, so I'd be interested in hearing more about
your experience, changes you have to make, etc.

-- 
Stephen Smalley
National Security Agency




* Re: SEAndroid Build for Galaxy Nexus
@ 2012-01-25 15:01   ` Joshua Brindle
From: Joshua Brindle @ 2012-01-25 15:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Bryan Hinton, SELinux

Stephen Smalley wrote:
> On Tue, 2012-01-24 at 12:44 -0600, Bryan Hinton wrote:
>> I just completed a 4.0.3 SEAndroid build for the Galaxy Nexus.  The
>> build was clean and it is successfully running on the device.
>> A few general notes:
>> -I ran the following  fastboot commands (in this order) after building
>> AOSP w/ SELinux patches and repacking the boot image:   fastboot erase
>> cache, fastboot flash boot boot.img, fastboot flash system system.img,
>> fastboot flash userdata userdata.img.
>> -I had to mount /system rw after boot and fix the missing, userland
>> ril client library in order to get the cdma/lte radios working.
>> device/samsung/tuna is missing the extract script in AOSP.
>> -permissive and enforced modes are functioning properly according to
>> dmesg output.    phone calls and sms are successful.  I am in the
>> process of relabeling some of the device nodes in the policy to allow
>> access to the radio.
>
> Glad to hear that you were able to get it up and running.  I don't
> presently have that device, so I'd be interested in hearing more about
> your experience, changes you have to make, etc.
>

I also have it running on the Galaxy Nexus. One thing I had to deal with was that
/factory was unlabeled after the initial boot. The files in there are all owned by radio,
so I labeled them u:r:radio_device:s0. Since the default policy only allows
chr_file access for radio_device, I had to add regular file and directory access
to the policy. I'll send up a patch when I've gotten other issues resolved.



* Re: SEAndroid Build for Galaxy Nexus
@ 2012-01-25 20:46     ` Stephen Smalley
From: Stephen Smalley @ 2012-01-25 20:46 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Bryan Hinton, SELinux

On Wed, 2012-01-25 at 10:01 -0500, Joshua Brindle wrote:
> I also have it running on the Galaxy Nexus. One thing I had to do was /factory 
> was unlabeled after the initial boot. The files in there are all owned by radio 
> so I labeled them u:r:radio_device:s0. Since the default policy only allows 
> chr_file access for radio_device I had to add regular files and directory access 
> to the policy. I'll send up a patch when I've gotten other issues resolved.

I wouldn't overload the radio_device type in that manner.  There is
already radio_data_file if you want the radio/phone app to be able to
access it, or create a new type if you only want rild to access it.

-- 
Stephen Smalley
National Security Agency




* Re: SEAndroid Build for Galaxy Nexus
@ 2012-01-25 21:07   ` Bryan Hinton
From: Bryan Hinton @ 2012-01-25 21:07 UTC (permalink / raw)
  To: SELinux

This is a fairly minimal configuration of SEAndroid on the Galaxy
Nexus.  Here are the steps that I took.
Phone calls, SMS, and the Browser work.  The camera is disabled along
with most of the other internal peripherals.
I think that the policy config additions that I made around the
telephony provider database files could use some increased granularity
- perhaps a new type in the radio domain for radio access to the
telephony provider databases (rather than overriding radio_data_file
as you mentioned) ?

--Build Environment
Host: Mint 12

--PreBuild Stage
Pull the following drivers from the device (SCH-i515 - Galaxy Nexus) with
the most recent 4.0.2 OTA.
The extract-files.sh script in the device/samsung/toro directory does this,
but I am not using anything in this directory, so here are the three files
that I pulled manually.
host # adb pull /system/lib/libsecril-client.so
host # adb pull /system/vendor/lib/libsec-ril_lte.so
host # adb pull /system/vendor/firmware/bcm4330.hcd

--Build Stage
AOSP 4.0.3 (full_toro-userdebug) w/ SELinux patches + Kernel w/ SELinux enabled
apply patches below to external/sepolicy

--PostBuild Stage (kernel + full_toro-userdebug)
From within device/samsung/tuna
host # mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel zImage --ramdisk ramdisk.img -o seboot.img
host # adb reboot bootloader
host # fastboot erase cache
host # fastboot flash boot seboot.img
host # fastboot flash system system.img
host # fastboot flash userdata userdata.img
host # fastboot reboot

target # mount -o rw,remount -t ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/system /system
host # adb root
host # adb push libsecril-client.so /system/lib
host # adb push bcm4330.hcd /system/vendor/firmware
host # adb push libsec-ril_lte.so /system/vendor/lib
host # adb reboot
# manually set permissions on telephony provider databases if needed
target # chcon u:object_r:radio_data_file:s0 /data/data/com.android.providers.telephony/optable.db
target # chcon u:object_r:radio_data_file:s0 /data/data/com.android.providers.telephony/databases/telephony.db
target # chcon u:object_r:radio_data_file:s0 /data/data/com.android.providers.telephony/databases/telephony.db-journal

# set SE mode to enforced. Will reset to permissive on next boot. *Add to init.rc and repack seboot.img after testing is complete.
target # setenforce 1


diff --git a/file_contexts b/file_contexts
index 92c6bb0..059276c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -19,6 +19,13 @@
 /dev/block/loop[0-9]*  u:object_r:loop_device:s0
 /dev/block/ram[0-9]*   u:object_r:ram_device:s0
 /dev/block/mtdblock5   u:object_r:radio_device:s0
+/dev/cdma_ipc0 u:object_r:radio_device:s0
+/dev/cdma_rmnet5 u:object_r:radio_device:s0
+/dev/lte_ipc0 u:object_r:radio_device:s0
+/dev/lte_rmnet4 u:object_r:radio_device:s0
+/dev/lte_boot0 u:object_r:radio_device:s0
+/dev/lte_spi u:object_r:radio_device:s0
+/dev/ttyGS1 u:object_r:radio_device:s0
 /dev/cam               u:object_r:camera_device:s0
 /dev/console           u:object_r:console_device:s0
 /dev/cpuctl(/.*)?      u:object_r:cpuctl_device:s0
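Review bot: every new node is given radio_device, but /dev/ttyGS1 is a USB gadget serial port rather than a modem interface, so labeling it radio_device hands a USB-side serial channel to every domain that already has radio_device:chr_file access; if only rild needs it, a dedicated type is the safer choice, and the message should say which process opens it. Two smaller points: the new lines use a single space where the surrounding entries are column-aligned (`/dev/cam               u:object_r:camera_device:s0`), and they are dropped between the block-device entries and /dev/cam instead of alongside the other /dev/ nodes, so matching the existing layout would keep the file readable.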
diff --git a/rild.te b/rild.te
index 2857892..630bc42 100644
--- a/rild.te
+++ b/rild.te
@@ -19,3 +19,7 @@ allow rild shell_exec:file rx_file_perms;
 dontaudit rild self:capability sys_admin;
 # XXX Label sysfs files with a specific type?
 allow rild sysfs:file rw_file_perms;
+allow rild radio_data_file:file rw_file_perms;
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:chr_file r_file_perms;
+allow rild sdcard:dir r_dir_perms;
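Review bot: `allow rild radio_data_file:chr_file r_file_perms;` should not be needed: radio_data_file is the type for the radio's data files, and no file_contexts entry labels a character device with it, so the rule either grants nothing or papers over a mislabeled node; drop it, or add the node to file_contexts under radio_device like the entries in the previous hunk. `allow rild sdcard:dir r_dir_perms;` has no justification in the message; state what rild reads from the sdcard or remove it. The two rw rules on radio_data_file only take effect because the telephony provider databases were hand-labeled with chcon in the setup notes; a manual chcon is not reproduced on a fresh install or data wipe, so this hunk needs a matching labeling entry rather than a relabel step in the instructions, and, as Stephen said, a type that only rild may touch would be tighter than widening radio_data_file.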


Bryan Hinton



On Wed, Jan 25, 2012 at 6:40 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2012-01-24 at 12:44 -0600, Bryan Hinton wrote:
>> I just completed a 4.0.3 SEAndroid build for the Galaxy Nexus.  The
>> build was clean and it is successfully running on the device.
>> A few general notes:
>> -I ran the following  fastboot commands (in this order) after building
>> AOSP w/ SELinux patches and repacking the boot image:   fastboot erase
>> cache, fastboot flash boot boot.img, fastboot flash system system.img,
>> fastboot flash userdata userdata.img.
>> -I had to mount /system rw after boot and fix the missing, userland
>> ril client library in order to get the cdma/lte radios working.
>> device/samsung/tuna is missing the extract script in AOSP.
>> -permissive and enforced modes are functioning properly according to
>> dmesg output.    phone calls and sms are successful.  I am in the
>> process of relabeling some of the device nodes in the policy to allow
>> access to the radio.
>
> Glad to hear that you were able to get it up and running.  I don't
> presently have that device, so I'd be interested in hearing more about
> your experience, changes you have to make, etc.
>
> --
> Stephen Smalley
> National Security Agency
>



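The workflow the thread describes, namely run permissive, read the AVC denials in dmesg, then decide for each one between relabeling the object in file_contexts (as the patch does for the radio nodes) and adding an allow rule to rild.te, as an added example that is not part of the thread and not SEAndroid's own tooling (audit2allow does this for real). The denial lines are constructed to match the kernel's AVC format, and the names `parse_denial`, `summarize` and `RELABEL_TYPES` are mine:

```python
"""Turn SELinux AVC denials into candidate policy changes.

Added example for this thread, not code from the thread or from the
SEAndroid project.  The denial lines below are constructed to look like
what dmesg/logcat print on a permissive device; audit2allow does the real
job, this shows the decision the thread is making by hand.
"""
import re
from collections import defaultdict

# An AVC denial looks like:
#   avc: denied { read write } for pid=812 comm="rild" name="lte_ipc0"
#   dev=tmpfs ino=5121 scontext=u:r:rild:s0
#   tcontext=u:object_r:device:s0 tclass=chr_file
# Key=value pairs come in varying order, so they are parsed individually.
DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# A denial whose target carries one of these types means the object is
# mislabeled: the generic "device" type is what a /dev node gets when no
# file_contexts entry matches it, and "unlabeled" is what Joshua found on
# /factory.  The fix is a label, not an allow rule against these types.
RELABEL_TYPES = {"device", "unlabeled"}


def parse_denial(line):
    """Return the parts of one denial we need, or None for other lines."""
    m = DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
    try:
        return {
            "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm"),
            "name": fields.get("name") or fields.get("path") or "?",
            # u:r:rild:s0 -> rild ; u:object_r:device:s0 -> device
            "sdomain": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Group denials into allow rules and into objects that need relabeling."""
    allow = defaultdict(set)    # (source domain, target type, class) -> perms
    relabel = defaultdict(set)  # (source domain, class, target type) -> names
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d["ttype"] in RELABEL_TYPES:
            relabel[(d["sdomain"], d["tclass"], d["ttype"])].add(d["name"])
        else:
            allow[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(allow.items())]
    notes = ["# %s hit %s %s labeled %s: add a file_contexts entry for it "
             "rather than an allow rule on %s" % (s, c, ", ".join(sorted(n)), t, t)
             for (s, c, t), n in sorted(relabel.items())]
    return rules, notes


# Constructed sample: one mislabeled radio node, one provider database that
# already carries radio_data_file, one unlabeled directory, one non-AVC line.
SAMPLE_DMESG = [
    'type=1400 audit(1327510000.123:45): avc: denied { read write } for pid=812 '
    'comm="rild" name="lte_ipc0" dev=tmpfs ino=5121 scontext=u:r:rild:s0 '
    'tcontext=u:object_r:device:s0 tclass=chr_file',
    'type=1400 audit(1327510000.456:46): avc: denied { open } for pid=812 '
    'comm="rild" name="lte_ipc0" dev=tmpfs ino=5121 scontext=u:r:rild:s0 '
    'tcontext=u:object_r:device:s0 tclass=chr_file',
    'type=1400 audit(1327510001.001:47): avc: denied { read } for pid=812 '
    'comm="rild" name="telephony.db" dev=mmcblk0p12 ino=9942 '
    'scontext=u:r:rild:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    'type=1400 audit(1327510001.002:48): avc: denied { write } for pid=812 '
    'comm="rild" name="telephony.db" dev=mmcblk0p12 ino=9942 '
    'scontext=u:r:rild:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    'type=1400 audit(1327510002.000:49): avc: denied { read } for pid=812 '
    'comm="rild" name="factory" dev=mmcblk0p3 ino=2 scontext=u:r:rild:s0 '
    'tcontext=u:object_r:unlabeled:s0 tclass=dir',
    'init: starting service "ril-daemon"',
]

if __name__ == "__main__":
    rules, notes = summarize(SAMPLE_DMESG)
    print("\n".join(notes + rules))
```

Run against a real `dmesg` capture the denials on the generic `device` type are the ones that become file_contexts entries (the lte_ipc0 line corresponds to the `/dev/lte_ipc0 u:object_r:radio_device:s0` entry in the patch), while denials on an already specific type become allow rules; the one rule this sample emits is the coarse `{ read write }` the thread is debating replacing with a narrower type.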
