Thanks for your inputs. I did go through the slides of your recent presentation on a case for SELinux enhanced Android phone. You have done a great job re-engineering Android to retrofit SELinux.
I was wondering how much effort it is to actually port a subset of SELinux's userspace (e.g., loadpolicy, chcon and a few others) tools to Android? Does it entail major changes to Android's existing toolchain including modifications to its bionic libc? Also, I was wondering if you also undertook a port of coreutils as well (to enable the -Z option for utils like ps and ls)?
Thanks again,
Bhargava
On Fri, Nov 4, 2011 at 1:32 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
We have been working on enabling the use of SELinux in Android. I gaveOn Fri, 2011-11-04 at 11:16 +0100, Bhargava Shastry wrote:
> Hello,
>
> I am trying to get SELinux running on an Android phone. I did
> successfully build the kernel with SELinux enabled and mounted
> selinuxfs on init. Now, I would like to port SELinux user-space tools
> for policy loading/management. I looked at sebusybox tool-set but ran
> into problems while compiling. My hunch is that header files related
> to File System extended attributes are missing in the bionic lib
> sources that Android builds on. Having said that I have patched the
> Android YAFFS FS with an Xattr patch and also configured the kernel
> accordingly.
>
> I have sources of libselinux and libsepol checked out and am wondering
> how to go about building these libraries for Android. Any help in this
> regard would be much appreciated.
a talk on this topic at the Linux Security Summit in September; the
slides are available here:
http://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
You don't need much of the SELinux userspace on the device unless you
want to try to support modular policy on the device, which I wouldn't
recommend (at least in its current form). You can just build the policy
on your build host using the build host's checkpolicy, which should be
available to you on most Linux distributions; I build on Fedora and
others have built my code on Ubuntu, both of which have checkpolicy
available. So you don't need libsepol, checkpolicy, libsemanage, or
most of policycoreutils on the device.
The only core SELinux userspace components that you need on the device
are a subset of libselinux (primarily the wrappers for the SELinux
kernel interfaces that you want to use on the device), and a subset of
the SELinux utilities (some of which you'll want to implement as init
built-ins because init.rc is interpreted and executed in-process by
init, not by exec'ing external programs except for starting services;
others you may want as additions to the Android toolbox so that you can
invoke them from an adb shell). libselinux needs to be ported (i.e.
modified) and not just re-compiled for Android due to differences in its
libc (bionic vs glibc).
We plan to release our code once we have integrated SELinux with the
application layer access controls and can demonstrate a more complete
solution.
--
Stephen Smalley
National Security Agency
--
Bhargava Shastry
