<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-style-type" content="text/css">
<link rel="stylesheet" href="../media/tomoyolinux.css" media="all" type="text/css">
<title>TOMOYO Linux 1.8.x : TOMOYO Linux on Android</title>
</head>

<body>

<div id="titlebar">
<a href="../index.html.en"><img src="../media/tomoyotitle.png" alt="tomoyotitle.png" width="320" height="40" border="0" align="left" title="TOMOYO Linux"></a>
</div>

<div id="navbar" class="tomoyo-documentation">
<ul id="navbarlist">
<li id="tomoyo-home"><a href="../index.html.en" title="TOMOYO Linux Home Page">Home</a></li>
<li id="tomoyo-about"><a href="../about.html.en" title="About TOMOYO Linux">About</a></li>
<li id="tomoyo-download"><a href="../download.html.en" title="Get TOMOYO Linux">Download</a></li>
<li id="tomoyo-changelogs"><a href="../changelogs.html.en" title="TOMOYO Linux ChangeLogs">ChangeLogs</a></li>
<li id="tomoyo-documentation"><a href="../documentation.html.en" title="Official Documentation">Documentation</a></li>
<li id="tomoyo-support"><a href="../support.html.en" title="Support information">Support</a></li>
<li id="tomoyo-links"><a href="../links.html.en" title="Links">Links</a></li>
</ul>
<ul id="switch-language">
<li id="tomoyo-switch-language"><a href="android-arm.html.ja" title="Go to Japanese page">Japanese page</a></li>
</ul>
</div>

<div id="content">

<div id="regular-content">

<h2>TOMOYO Linux on Android</h2>

<p>This page describes how to run TOMOYO Linux on the Android emulator for the ARM architecture. It assumes Ubuntu 10.04.3 for x86_64 as the host environment.</p>

<h3>Step 1: Install required packages.</h3>

<p>Install the packages suggested at <a href="http://source.android.com/source/download.html">http://source.android.com/source/download.html</a> .</p>

<pre class="command">
sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"
sudo add-apt-repository "deb-src http://archive.canonical.com/ubuntu lucid partner"
sudo apt-get update
sudo apt-get install sun-java6-jdk
sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev \
lib32ncurses5-dev ia32-libs x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc
</pre>

<h3>Step 2: Set environment variables.</h3>

<p>Set the environment variables shown below. Adding them to your shell's startup file (e.g. ~/.bashrc) is recommended, because every later step refers to them.</p>

<pre class="command">
export ANDROID_HOME=$HOME/mydroid/
export ANDROID_IMG=$ANDROID_HOME/image/
</pre>

<p>Create the working directories. /var/log/tomoyo is where ccs-auditd (Step 12) stores audit logs; it is handed to your own user so the tools need not run as root.</p>

<pre class="command">
mkdir -p $ANDROID_HOME
mkdir -p $ANDROID_HOME/tmp
mkdir -p $ANDROID_HOME/tmp/policy
mkdir -p $ANDROID_IMG
mkdir -p $ANDROID_IMG/tmp
sudo mkdir -p /var/log/tomoyo
sudo chown -R `id -u` /var/log/tomoyo/
</pre>

<h3>Step 3: Build the Android environment.</h3>

<p>Download the source code and build the platform, including the emulator. Besides setting up the build, "lunch" exports ANDROID_EABI_TOOLCHAIN, which the kernel build in Step 7 relies on, so run Step 7 from the same shell (or source build/envsetup.sh and run lunch again). A full build takes several hours.</p>

<pre class="command">
cd $ANDROID_HOME
wget https://dl-ssl.google.com/dl/googlesource/git-repo/repo
chmod 755 repo
./repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.1_r1
./repo sync
source build/envsetup.sh
lunch full-eng
make
</pre>

<h3>Step 4: Compile tools for the host environment.</h3>

<p>Install TOMOYO Linux's userland tools into the host environment so that the Android emulator can be managed remotely.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/
wget -O ccs-tools-1.8.3-20140601.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49693/ccs-tools-1.8.3-20140601.tar.gz'
wget -O ccs-tools-1.8.3-20140601.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49693/ccs-tools-1.8.3-20140601.tar.gz.asc'
wget http://I-love.SAKURA.ne.jp/kumaneko-key
gpg --import kumaneko-key
gpg ccs-tools-1.8.3-20140601.tar.gz.asc
tar -zxf ccs-tools-1.8.3-20140601.tar.gz
cd ccs-tools
make
sudo make install
</pre>

<p>The "gpg" line verifies the detached signature over the tarball; only unpack it if gpg reports a good signature from the key you just imported. Both the tarball and kumaneko-key are fetched over plain HTTP, so the check is only as good as that key: confirm its fingerprint through a channel you trust before relying on it.</p>

<p>Also create the default configuration so that the policy management tools have their settings files. The appended rewrite rule makes ccs-patternize replace the per-UID directory under /acct/uid/ with a pattern instead of recording each UID separately.</p>

<pre class="command">
sudo /usr/lib/ccs/init_policy
sudo chown -R `id -u` /etc/ccs/
echo 'rewrite head_pattern /acct/uid/\$/' >> /etc/ccs/tools/patternize.conf
</pre>

<h3>Step 5: Compile tools for the emulator environment.</h3>

<p>Build TOMOYO Linux's agent program for the Android emulator environment. agcc is a wrapper script that drives the ARM cross-compiler from the AOSP tree with Bionic's include and library paths; the sed adjusts its hard-coded toolchain version (4.2.1 to 4.4.3) and library path to match the android-4.0.1_r1 tree.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/
wget -O agcc http://plausible.org/andy/agcc
sed -i -e 's@4\.2\.1@4.4.3@g' -e 's@interwork/@@g' -- agcc
chmod 755 agcc
./agcc -o ccs-editpolicy-agent $ANDROID_HOME/tmp/ccs-tools/usr_lib_ccs/ccs-editpolicy-agent.c
chmod 700 ccs-editpolicy-agent
</pre>

<h3>Step 6: Create the initial policy.</h3>

<p>Create the initial policy, which will be embedded into the kernel. It is designed as follows:</p>

<ul>
<li>Use profile 1 (the "learning mode" profile) for all domains.</li>
<li>Transition automatically to the "&lt;kernel&gt; //./system-user" domain when the current process's UID or GID changes from 0 to a value between 1 and 9999.</li>
<li>Transition automatically to the "&lt;kernel&gt; //./app-user" domain when the current process's UID or GID changes from 0 to 10000 or above.</li>
<li>Grant a small set of permissions (the dynamic linker, shared libraries, /dev/urandom, getattr/ioctl, and the environment variables Android sets) from the start.</li>
<li>Do not distinguish individual Android applications.</li>
<li>Allow only /sbin/ccs-editpolicy-agent to modify policy via the /proc/ccs/ interface.</li>
</ul>

<p>A policy meeting these conditions is shown below. acl_group 0 is attached to the "&lt;kernel&gt;" domain (use_group 0) and carries the automatic domain transitions; acl_group 1 is attached to the two user domains. Note that this policy is too loose: it gives the "&lt;kernel&gt; //./app-user" domain write access to @ANY_PATHNAME, that is, everywhere. When applying it to real devices, use stricter permissions, for example by denying write access to the /system/ directory.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/policy/
cat > profile.conf << "EOF"
PROFILE_VERSION=20100903
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
EOF
cat > exception_policy.conf << "EOF"
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:[\$]
path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
acl_group 0 file getattr @ANY_PATHNAME
acl_group 0 file ioctl @ANY_PATHNAME 0-0xFFFFFFFF
acl_group 0 file read /dev/urandom
acl_group 0 file read /system/bin/linker
acl_group 0 file read /system/lib/lib\*.so
acl_group 0 misc env _
acl_group 0 misc env ANDROID_ASSETS
acl_group 0 misc env ANDROID_BOOTLOGO
acl_group 0 misc env ANDROID_DATA
acl_group 0 misc env ANDROID_DNS_MODE
acl_group 0 misc env ANDROID_PROPERTY_WORKSPACE
acl_group 0 misc env ANDROID_ROOT
acl_group 0 misc env ANDROID_SOCKET_\*
acl_group 0 misc env ASEC_MOUNTPOINT
acl_group 0 misc env BOOTCLASSPATH
acl_group 0 misc env EXTERNAL_STORAGE
acl_group 0 misc env HOME
acl_group 0 misc env LD_LIBRARY_PATH
acl_group 0 misc env LOOP_MOUNTPOINT
acl_group 0 misc env ndns
acl_group 0 misc env PATH
acl_group 0 misc env qemu
acl_group 0 misc env RANDOM
acl_group 0 misc env SHELL
acl_group 0 misc env TERM
acl_group 0 task auto_domain_transition &lt;kernel&gt; //./app-user task.gid=10000-4294967295
acl_group 0 task auto_domain_transition &lt;kernel&gt; //./app-user task.uid=10000-4294967295
acl_group 0 task auto_domain_transition &lt;kernel&gt; //./system-user task.gid=1-9999
acl_group 0 task auto_domain_transition &lt;kernel&gt; //./system-user task.uid=1-9999
acl_group 1 file getattr @ANY_PATHNAME
acl_group 1 file ioctl @ANY_PATHNAME 0-0xFFFFFFFF
acl_group 1 file read /dev/urandom
acl_group 1 file read /system/bin/linker
acl_group 1 file read /system/lib/lib\*.so
acl_group 1 misc env _
acl_group 1 misc env ANDROID_ASSETS
acl_group 1 misc env ANDROID_BOOTLOGO
acl_group 1 misc env ANDROID_DATA
acl_group 1 misc env ANDROID_PROPERTY_WORKSPACE
acl_group 1 misc env ANDROID_ROOT
acl_group 1 misc env ANDROID_SOCKET_\*
acl_group 1 misc env ASEC_MOUNTPOINT
acl_group 1 misc env BOOTCLASSPATH
acl_group 1 misc env EXTERNAL_STORAGE
acl_group 1 misc env HOME
acl_group 1 misc env HOSTNAME
acl_group 1 misc env LD_LIBRARY_PATH
acl_group 1 misc env LOOP_MOUNTPOINT
acl_group 1 misc env MKSH
acl_group 1 misc env PATH
acl_group 1 misc env PS1
acl_group 1 misc env RANDOM
acl_group 1 misc env SHELL
acl_group 1 misc env TERM
acl_group 1 misc env USER
EOF
cat > domain_policy.conf << "EOF"
&lt;kernel&gt;
use_profile 1
use_group 0

&lt;kernel&gt; //./system-user
use_profile 1
use_group 1

file read/write/unlink/rmdir/truncate/symlink @ANY_PATHNAME task.euid=1-9999 task.egid=1-9999
file create/mkdir/mkfifo/mksock/chmod @ANY_PATHNAME 0-0777 task.euid=1-9999 task.egid=1-9999
file link/rename @ANY_PATHNAME @ANY_PATHNAME task.euid=1-9999 task.egid=1-9999

&lt;kernel&gt; //./app-user
use_profile 1
use_group 1

file read/write/unlink/rmdir/truncate/symlink @ANY_PATHNAME task.euid=10000-4294967295 task.egid=10000-4294967295
file create/mkdir/mkfifo/mksock/chmod @ANY_PATHNAME 0-0777 task.euid=10000-4294967295 task.egid=10000-4294967295
file link/rename @ANY_PATHNAME @ANY_PATHNAME task.euid=10000-4294967295 task.egid=10000-4294967295
EOF
echo /sbin/ccs-editpolicy-agent > manager.conf
echo > stat.conf
</pre>
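
<p>Because this directory is compiled into the kernel, mistakes in it survive until the next kernel build. The following shell script is an added example by the editor, not code from the TOMOYO Linux project: it checks a policy directory before the files are copied into security/ccsecurity/policy/. It confirms that the five files exist, that manager.conf names only /sbin/ccs-editpolicy-agent, that every domain states a use_profile, and it lists every ACL in domain_policy.conf that grants a write-class operation on @ANY_PATHNAME, which is exactly the looseness described above. The list of "modifying" file operations is the editor's reading of the TOMOYO 1.8 file keywords, and write_sample_policy is a condensed, constructed copy of the Step 6 files for trying the checks offline.</p>

```shell
#!/bin/sh
# Added example, not part of TOMOYO Linux or ccs-tools: sanity-check a
# Step 6 policy directory before it is copied into security/ccsecurity/policy/.
# Assumptions: the five file names from Step 6, and that
# /sbin/ccs-editpolicy-agent is the only program meant to manage policy.

MANAGER=/sbin/ccs-editpolicy-agent
# "file" operations that can modify the filesystem (TOMOYO 1.8 keywords).
MODIFYING_OPS="write append create unlink mkdir rmdir mkfifo mksock truncate symlink chmod chown chgrp link rename mount unmount pivot_root chroot"

# Print "<domain><TAB><acl>" for every ACL in domain_policy.conf whose
# operation list contains a modifying operation and whose target is @ANY_PATHNAME.
find_anypath_writes() {
    awk -v list="$MODIFYING_OPS" '
        BEGIN { n = split(list, m, " "); for (i = 1; i <= n; i++) modifying[m[i]] = 1 }
        /^<kernel>/ { domain = $0; next }
        $1 == "file" && index($0, "@ANY_PATHNAME") {
            k = split($2, ops, "/")            # e.g. read/write/unlink/rmdir
            for (i = 1; i <= k; i++)
                if (ops[i] in modifying) { printf "%s\t%s\n", domain, $0; break }
        }' "$1"
}

count_anypath_writes() { find_anypath_writes "$1" | wc -l | tr -d ' '; }

# Print the domains that never state a use_profile line.
domains_without_profile() {
    awk '
        function flush() { if (domain != "" && !seen) print domain }
        /^<kernel>/ { flush(); domain = $0; seen = 0; next }
        /^use_profile / { seen = 1 }
        END { flush() }' "$1"
}

# Exit status 0 if the directory is fit to embed, 1 otherwise (reasons on stderr).
check_policy_dir() {
    dir=$1; rc=0
    for f in profile.conf exception_policy.conf domain_policy.conf manager.conf stat.conf; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    # Only the agent may rewrite policy through /proc/ccs/: nothing else in manager.conf.
    if [ "$(grep -v '^[[:space:]]*$' "$dir/manager.conf" 2>/dev/null)" != "$MANAGER" ]; then
        echo "manager.conf must list only $MANAGER" >&2; rc=1
    fi
    missing=$(domains_without_profile "$dir/domain_policy.conf" 2>/dev/null)
    if [ -n "$missing" ]; then
        echo "domains without use_profile:" >&2; echo "$missing" >&2; rc=1
    fi
    bad=$(find_anypath_writes "$dir/domain_policy.conf" 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "write-class access to @ANY_PATHNAME (too loose for a real device):" >&2
        echo "$bad" >&2; rc=1
    fi
    return $rc
}

# Constructed sample with the shape of the Step 6 files, for trying the checks
# offline; the app-user rules are the ones Step 6 calls too loose.
write_sample_policy() {
    dir=$1; mkdir -p "$dir"
    printf 'PROFILE_VERSION=20100903\n1-CONFIG={ mode=learning grant_log=no reject_log=yes }\n' > "$dir/profile.conf"
    printf 'path_group ANY_PATHNAME /\npath_group ANY_PATHNAME /\\{\\*\\}/\\*\n' > "$dir/exception_policy.conf"
    cat > "$dir/domain_policy.conf" <<'EOF'
<kernel>
use_profile 1
use_group 0

<kernel> //./system-user
use_profile 1
use_group 1

file read/write/unlink/rmdir/truncate/symlink @ANY_PATHNAME task.euid=1-9999 task.egid=1-9999
file create/mkdir/mkfifo/mksock/chmod @ANY_PATHNAME 0-0777 task.euid=1-9999 task.egid=1-9999
file link/rename @ANY_PATHNAME @ANY_PATHNAME task.euid=1-9999 task.egid=1-9999

<kernel> //./app-user
use_profile 1
use_group 1

file read/write/unlink/rmdir/truncate/symlink @ANY_PATHNAME task.euid=10000-4294967295 task.egid=10000-4294967295
file create/mkdir/mkfifo/mksock/chmod @ANY_PATHNAME 0-0777 task.euid=10000-4294967295 task.egid=10000-4294967295
file link/rename @ANY_PATHNAME @ANY_PATHNAME task.euid=10000-4294967295 task.egid=10000-4294967295
EOF
    echo "$MANAGER" > "$dir/manager.conf"
    echo > "$dir/stat.conf"
}
```

<p>Running write_sample_policy /tmp/p followed by check_policy_dir /tmp/p prints the six rules that give system-user and app-user write access everywhere and returns 1; the check returns 0 once those targets have been narrowed to a path_group that excludes /system/. Pointing check_policy_dir at $ANDROID_HOME/tmp/policy/ before Step 7 makes the same check part of the build.</p>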

<h3>Step 7: Build the Android kernel.</h3>

<p>Clone the goldfish (emulator) kernel, check out the branch matching the emulator, and generate the default configuration. ANDROID_EABI_TOOLCHAIN is exported by "lunch" in Step 3, so run these commands from that shell.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/
git clone https://android.googlesource.com/kernel/goldfish
cd goldfish/
git checkout origin/android-goldfish-2.6.29
ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s goldfish_armv7_defconfig
</pre>

<p>Apply the TOMOYO Linux patch and append its kernel options to .config. As in Step 4, check that gpg reports a good signature before unpacking. CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER=y makes the kernel use the policy compiled into it instead of running a userspace policy loader, which is why the policy files from Step 6 are copied into security/ccsecurity/policy/ before building (see the second appendix for the alternative).</p>

<pre class="command">
cd $ANDROID_HOME/tmp/goldfish/
wget -O ccs-patch-1.8.3-20141123.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49684/ccs-patch-1.8.3-20141123.tar.gz'
wget -O ccs-patch-1.8.3-20141123.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49684/ccs-patch-1.8.3-20141123.tar.gz.asc'
gpg ccs-patch-1.8.3-20141123.tar.gz.asc
tar -zxf ccs-patch-1.8.3-20141123.tar.gz
patch -p1 < patches/ccs-patch-2.6.29-android-goldfish.diff
sed -e 's/# CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER is not set/CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER=y/' -- config.ccs >> .config
mkdir -p security/ccsecurity/policy/
cp -p $ANDROID_HOME/tmp/policy/*.conf security/ccsecurity/policy/
</pre>

<p>Compile the kernel and copy the resulting zImage to where the emulator will find it.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/goldfish/
ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s
cp -p arch/arm/boot/zImage $ANDROID_IMG/kernel.img
</pre>

<h3>Step 8: Copy Android's image files.</h3>

<p>Copy the image files the Android emulator uses from the build output of Step 3.</p>

<pre class="command">
cd $ANDROID_HOME/out/target/product/generic/
cp -p system.img ramdisk.img userdata.img $ANDROID_IMG
</pre>

<h3>Step 9: Edit Android's ramdisk image.</h3>

<p>Unpack the emulator's ramdisk, copy the agent program into it, and add an init.rc service so that the agent starts automatically at boot. The agent listens on all interfaces (0.0.0.0:7000) and performs no authentication of its own: anything that can reach that port can read and rewrite the policy. That is acceptable inside the emulator, whose network is only reachable through adb, but it is not something to ship on a real device (Step 13 describes removing it). Note that re-running the echo commands appends a second copy of the service definition to init.rc; unpack a fresh ramdisk.img if you need to redo this step.</p>

<pre class="command">
cd $ANDROID_IMG/tmp/
zcat ../ramdisk.img | cpio -id
echo >> init.rc
echo 'service ccs_agent /sbin/ccs-editpolicy-agent 0.0.0.0:7000' >> init.rc
echo ' class core' >> init.rc
echo ' oneshot' >> init.rc
cp -p $ANDROID_HOME/tmp/ccs-editpolicy-agent sbin/
find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
</pre>
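
<p>The edit above is easy to get subtly wrong on a second attempt (duplicate service blocks, an agent left world-readable). As an added example by the editor, not part of TOMOYO Linux or AOSP, the script below performs the same ramdisk change in a repeatable way: it adds the ccs_agent service only if init.rc does not already define it, installs the agent with mode 0700 as Step 5 did, and refuses to repack until exactly one service definition and a correctly protected agent are present. The service name, binary path and listen address are the ones used in Step 9; the repack command is the one from Step 9 and needs cpio and gzip.</p>

```shell
#!/bin/sh
# Added example, not part of TOMOYO Linux or AOSP: make the Step 9 ramdisk
# edit repeatable and checkable.  The echo commands in Step 9 append another
# "service ccs_agent" block each time they are re-run; these helpers add the
# block only once and verify the unpacked root before repacking.
# Assumptions: the service name, agent path and listen address from Step 9.

AGENT_SERVICE=ccs_agent
AGENT_BIN=/sbin/ccs-editpolicy-agent
AGENT_LISTEN=0.0.0.0:7000

# The init.rc block that starts the agent once, in the "core" class.
agent_stanza() {
    printf '\nservice %s %s %s\n    class core\n    oneshot\n' \
        "$AGENT_SERVICE" "$AGENT_BIN" "$AGENT_LISTEN"
}

# Append the block unless init.rc already defines the service.
# Prints "added" or "present".
add_agent_service() {
    initrc=$1
    if grep -q "^service $AGENT_SERVICE " "$initrc"; then
        echo present
    else
        agent_stanza >> "$initrc"
        echo added
    fi
}

# Number of "service ccs_agent" definitions in init.rc (must be exactly 1).
count_agent_service() { grep -c "^service $AGENT_SERVICE " "$1"; }

# Copy the cross-compiled agent into the unpacked ramdisk, owner-only,
# matching the chmod 700 from Step 5.
install_agent_binary() {
    src=$1; rootdir=$2
    mkdir -p "$rootdir/sbin"
    cp -p "$src" "$rootdir/sbin/ccs-editpolicy-agent"
    chmod 700 "$rootdir/sbin/ccs-editpolicy-agent"
}

# Verify the unpacked ramdisk root before repacking: one service definition,
# and the agent present as a regular file with mode exactly 0700.
check_ramdisk_root() {
    rootdir=$1
    if [ "$(count_agent_service "$rootdir/init.rc")" != 1 ]; then
        echo "init.rc: expected exactly one $AGENT_SERVICE service" >&2; return 1
    fi
    if [ -z "$(find "$rootdir/sbin/ccs-editpolicy-agent" -type f -perm 700 2>/dev/null)" ]; then
        echo "sbin/ccs-editpolicy-agent missing or not mode 0700" >&2; return 1
    fi
    return 0
}

# Repack as Step 9 does (gzip'd newc cpio), but only after the checks pass.
repack_ramdisk() {
    rootdir=$1; out=$2
    check_ramdisk_root "$rootdir" || return 1
    ( cd "$rootdir" && find . -print0 | cpio -o0 -H newc | gzip -9 ) > "$out"
}
```

<p>With the ramdisk unpacked in $ANDROID_IMG/tmp/ as above, the Step 9 sequence becomes add_agent_service init.rc, install_agent_binary $ANDROID_HOME/tmp/ccs-editpolicy-agent . and repack_ramdisk . ../ramdisk.img, and running it twice leaves a single service block.</p>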

<h3>Step 10: Start the Android emulator.</h3>

<p>Start the Android emulator with the kernel built in Step 7 and the ramdisk built in Step 9. "-show-kernel" prints the kernel's console output, where TOMOYO Linux reports the policy it loaded.</p>

<pre class="command">
emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG \
-data $ANDROID_IMG/userdata.img -show-kernel
</pre>

<h3>Step 11: Enable TCP port forwarding.</h3>

<p>Configure port forwarding so that you can communicate with the agent program running in the emulator. The line below forwards TCP connections made to port 10000 of the host environment to port 7000 of the emulator environment. Since ccs-editpolicy-agent was configured to listen on port 7000 in Step 9, you can reach the agent by connecting to the host's port 10000. By default adb binds the host side of the forward to the loopback interface only, so the agent is reachable from local processes but not from the network.</p>

<pre class="command">
adb forward tcp:10000 tcp:7000
</pre>

<h3>Step 12: Operate via the agent.</h3>

<p>You can browse and edit the policy through the agent by starting ccs-editpolicy as shown below.</p>

<pre class="command">
/usr/sbin/ccs-editpolicy 127.0.0.1:10000
</pre>

<p>You can save audit logs by starting ccs-auditd as shown below. Keep an eye on free disk space, because learning mode generates a large volume of logs.</p>

<pre class="command">
/usr/sbin/ccs-auditd 127.0.0.1:10000
</pre>

<p>You can handle policy violations in enforcing mode interactively by starting ccs-queryd as shown below. Press Ctrl-C to terminate ccs-queryd.</p>

<pre class="command">
/usr/sbin/ccs-queryd 127.0.0.1:10000
</pre>

<p>You can turn the concrete pathnames learned so far into patterns with ccs-patternize, as shown below. The rules for making patterns are defined in /etc/ccs/tools/patternize.conf; edit that file as needed. Review domain_policy.diff before loading it, since patterns widen what each rule matches.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/policy/
/usr/sbin/ccs-savepolicy -d 127.0.0.1:10000 > domain_policy.old
/usr/sbin/ccs-patternize < domain_policy.old > domain_policy.new
/usr/sbin/ccs-diffpolicy domain_policy.old domain_policy.new > domain_policy.diff
less domain_policy.diff
/usr/sbin/ccs-loadpolicy -d 127.0.0.1:10000 < domain_policy.diff
</pre>

<h3>Step 13: Updating the policy</h3>

<p>Policy changes made after boot live only in kernel memory, so they are lost when the emulator is terminated. Be sure to save the updated policy before terminating the emulator.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/policy/
/usr/sbin/ccs-savepolicy -e 127.0.0.1:10000 > exception_policy.conf
/usr/sbin/ccs-savepolicy -d 127.0.0.1:10000 > domain_policy.conf
/usr/sbin/ccs-savepolicy -p 127.0.0.1:10000 > profile.conf
</pre>

<p>Run the command below to update the policy that will be embedded into the kernel.</p>

<pre class="command">
cp -p $ANDROID_HOME/tmp/policy/*.conf $ANDROID_HOME/tmp/goldfish/security/ccsecurity/policy/
</pre>

<p>Recompile the Android kernel.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/goldfish/
ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s
cp -p arch/arm/boot/zImage $ANDROID_IMG/kernel.img
</pre>

<p>Restart the Android emulator.</p>

<pre class="command">
emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG \
-data $ANDROID_IMG/userdata.img -show-kernel
</pre>

<p>When the policy files are final, switch the domains in the embedded domain_policy.conf to the enforcing-mode profile (use_profile 3). With an enforcing profile compiled into the kernel, access control is active from the moment /init in the initramfs is executed. Once you have verified that the emulator behaves as expected in enforcing mode, remove the /sbin/ccs-editpolicy-agent added in Step 9, drop its service from /init.rc, and remove it from the manager.conf embedded into the kernel, so that nothing on the device can rewrite the policy at run time.</p>

<h3>Appendix: Hints for allowing policy updates after boot</h3>

<p>On Android devices, users install applications that did not ship with the device. The procedure above avoids any need to update the policy when applications are added, by sorting processes into three groups based on their Linux UID.</p>

<p>However, you may want to allow policy updates when particular applications are added. In that case, split the policy into a "fixed" part, which is embedded into the kernel and applied at boot, and a "variant" part, which is not embedded into the kernel and is loaded after boot.</p>

<p>You can reduce the risk of tampering with the "fixed" part by placing the kernel on a read-only partition. The "variant" part will most likely live on a read-write partition, where the storage itself cannot protect it. In that case, sign it (for example with GPG) and append it to the kernel's policy only after you have verified that it has not been tampered with.</p>

<p>TOMOYO Linux can query an external userland program when a policy violation occurs in enforcing mode. You can write a program like ccs-queryd and run it as a daemon in place of ccs-editpolicy-agent.</p>
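
<p>The signature check suggested above, and the one Step 4 and Step 7 leave to the reader, share a pitfall: gpg exits 0 for a valid signature from any key in the keyring, so a good exit status does not prove the file came from the expected signer. The script below is an added example by the editor, not part of TOMOYO Linux: it verifies a detached signature against a dedicated keyring, reads gpg's machine-readable status output, accepts only a GOODSIG whose VALIDSIG fingerprint matches the expected key, and only then feeds the "variant" policy to the loader. The keyring path, the expected fingerprint and the use of /usr/sbin/ccs-loadpolicy over the agent connection are assumptions supplied by the caller; the status transcripts in sample_status are constructed, with made-up key ids and fingerprints, so the decision logic can be exercised without gpg.</p>

```shell
#!/bin/sh
# Added example, not part of TOMOYO Linux: accept a "variant" policy file
# only after its detached GPG signature verifies against a dedicated keyring
# AND was made by the expected key.  The same check fits the tarballs in
# Step 4 and Step 7, where the page runs gpg but never acts on the result.
# Assumptions: the keyring path, the expected signing-key fingerprint and
# /usr/sbin/ccs-loadpolicy as the loader are all supplied by the caller.

# Decide from a gpg --status-fd transcript.  gpg's exit status alone is not
# enough: a valid signature from ANY key in the keyring exits 0, so the
# fingerprint on the VALIDSIG line is compared with the one we expect.
# GOODSIG is only emitted for a signature that verified with a key that is
# neither expired nor revoked.  Returns 0 to accept, 1 to reject.
sig_status_ok() {
    status_file=$1; expected_fpr=$2
    grep -q '^\[GNUPG:\] GOODSIG ' "$status_file" || return 1
    grep -q '^\[GNUPG:\] BADSIG '  "$status_file" && return 1
    actual=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status_file")
    [ "$actual" = "$expected_fpr" ]
}

# Verify DATA against detached SIG using only KEYRING, then check the signer.
verify_detached() {
    keyring=$1; sig=$2; data=$3; expected_fpr=$4
    status=$(mktemp) || return 1
    gpg --batch --no-default-keyring --keyring "$keyring" --status-fd 3 \
        --verify "$sig" "$data" 3>"$status" >/dev/null 2>&1 || :
    sig_status_ok "$status" "$expected_fpr"; rc=$?
    rm -f "$status"
    return $rc
}

# Load POLICY (with POLICY.asc beside it) into the running kernel through the
# agent, refusing anything that does not verify.
load_variant_policy() {
    keyring=$1; policy=$2; expected_fpr=$3; agent=${4:-127.0.0.1:10000}
    if verify_detached "$keyring" "$policy.asc" "$policy" "$expected_fpr"; then
        /usr/sbin/ccs-loadpolicy -d "$agent" < "$policy"
    else
        echo "refusing to load $policy: signature check failed" >&2
        return 1
    fi
}

# Constructed gpg status transcripts for exercising sig_status_ok offline;
# the key ids and fingerprints are made up.
sample_status() {
    kind=$1; out=$2
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    other=89ABCDEF0123456789ABCDEF0123456789ABCDEF
    case $kind in
    good)
        printf '[GNUPG:] GOODSIG 0123456789ABCDEF Example <x@example.org>\n'
        printf '[GNUPG:] VALIDSIG %s 2014-11-23 1416700000 0 4 0 1 10 00 %s\n' "$fpr" "$fpr" ;;
    otherkey)
        printf '[GNUPG:] GOODSIG 89ABCDEF01234567 Other <y@example.org>\n'
        printf '[GNUPG:] VALIDSIG %s 2014-11-23 1416700000 0 4 0 1 10 00 %s\n' "$other" "$other" ;;
    expired)
        printf '[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example <x@example.org>\n'
        printf '[GNUPG:] VALIDSIG %s 2014-11-23 1416700000 0 4 0 1 10 00 %s\n' "$fpr" "$fpr" ;;
    bad)
        printf '[GNUPG:] BADSIG 0123456789ABCDEF Example <x@example.org>\n' ;;
    esac > "$out"
}
```

<p>For the Step 4 download, verify_detached keyring.gpg ccs-tools-1.8.3-20140601.tar.gz.asc ccs-tools-1.8.3-20140601.tar.gz FPR, with keyring.gpg holding only kumaneko-key and FPR its fingerprint as confirmed through a channel you trust, returns 0 only when the tarball was signed by that key. On a device, load_variant_policy would run at boot with the keyring and fingerprint baked into the read-only part of the system.</p>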

<h3>Appendix: Hints for not embedding policy into the kernel</h3>

<p>If for some reason you do not want to embed the policy files into your kernel, replace</p>

<pre class="command">
sed -e 's/# CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER is not set/CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER=y/' -- config.ccs >> .config
mkdir -p security/ccsecurity/policy/
cp -p $ANDROID_HOME/tmp/policy/*.conf security/ccsecurity/policy/
</pre>

<p>with</p>

<pre class="command">
sed -e 's:/sbin/init:/init:' -- config.ccs >> .config
</pre>

<p>in Step 7. This changes the activation trigger from /sbin/init to /init, the first program the Android ramdisk runs, so the kernel executes /sbin/ccs-init as the userspace policy loader at that point. You therefore need to copy /sbin/ccs-init into the ramdisk image, together with /system/bin/linker, /system/lib/libc.so and /system/lib/libm.so, which /sbin/ccs-init depends on. Symlinks to files on the /system/ partition cannot be used, because /system/ is not yet mounted when /sbin/ccs-init is executed. Also, modify ccs-init.c as needed (for example, embed the content of $ANDROID_HOME/tmp/policy/*.conf into ccs-init.c), because it is written to read policy files from the /etc/ccs/ directory. The example below changes ccs-init.c to read policy files from the /ccs/ directory instead, because /init.rc in the Android emulator's ramdisk creates /etc as a symlink to /system/etc/; the policy files from Step 6 then have to be placed under /ccs/ in the ramdisk as well.</p>

<pre class="command">
cd $ANDROID_HOME/tmp/
sed -e 's:etc/ccs:ccs:g' $ANDROID_HOME/tmp/ccs-tools/sbin/ccs-init.c > $ANDROID_HOME/tmp/ccs-tools/sbin/ccs-init2.c
./agcc -o ccs-init $ANDROID_HOME/tmp/ccs-tools/sbin/ccs-init2.c
cd $ANDROID_IMG/tmp/
mkdir -p sbin system/bin system/lib
cp -p $ANDROID_HOME/tmp/ccs-init sbin/
cp -p $ANDROID_HOME/out/target/product/generic/system/bin/linker system/bin/
cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libc.so system/lib/
cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libm.so system/lib/
chmod 700 sbin/ccs-init system/bin/linker system/lib/libc.so system/lib/libm.so
find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
</pre>

</div><!-- regular-content -->

</div><!-- content -->

<div id="navfooter">
<hr>
<table>
<tr>
<td class="docs-previous">
</td>
<td class="docs-index">
<a href="index.html.en">Index</a>
</td>
<td class="docs-next">
</td>
</tr>
<tr>
<td class="docs-previous-description">
</td>
<td class="docs-home">
</td>
<td class="docs-next-description">
</td>
</tr>
</table>
</div>

<div id="footer">
<p class="language">Go to <a href="android-arm.html.ja">Japanese page</a>.</p>
<p class="timestamp">Last modified: $Date$</p>
<p class="trademark">Linux® is a registered trademark of Linus Torvalds world-wide. TOMOYO® is a registered trademark of <a href="http://www.nttdata.com/global/en/">NTT DATA Corporation</a>.</p>
<p><a href="http://sourceforge.jp/"><img src="http://sourceforge.jp/sflogo.php?group_id=1973" width="96" height="31" alt="sflogo.php" title="SourceForge.jp"></a></p>
</div>

</body>
</html>