TOMOYO Linux on Android
This page describes how to run TOMOYO Linux on Android emulator for ARM architecture. This page assumes Ubuntu 10.04.3 for x86_64 architecture as the host environment.
Step 1: Install required packages.
Install packages as suggested at http://source.android.com/source/download.html .
| sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner" sudo add-apt-repository "deb-src http://archive.canonical.com/ubuntu lucid partner" sudo apt-get update sudo apt-get install sun-java6-jdk sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev \ lib32ncurses5-dev ia32-libs x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \ libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc |
Step 2: Set environment variables.
Set environment variables shown below. Adding to user's initrc script (e.g. ~/.bashrc ) is recommended.
| export ANDROID_HOME=$HOME/mydroid/ export ANDROID_IMG=$ANDROID_HOME/image/ |
Step 3: Build the Android environment.
Download the source code and compile the emulator.
| mkdir -p $ANDROID_HOME cd $ANDROID_HOME wget https://dl-ssl.google.com/dl/googlesource/git-repo/repo chmod 755 repo ./repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.1_r1 ./repo sync source build/envsetup.sh lunch full-eng make |
Step 4: Build the Android kernel.
Compile the kernel. The proceedure is same as usual except applying TOMOYO Linux patches.
| mkdir -p $ANDROID_HOME/tmp cd $ANDROID_HOME/tmp/ git clone https://android.googlesource.com/kernel/goldfish cd goldfish/ git checkout origin/android-goldfish-2.6.29 wget -O ccs-patch-1.7.3-20130117.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/43375/ccs-patch-1.7.3-20130117.tar.gz' wget -O ccs-patch-1.7.3-20130117.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/43375/ccs-patch-1.7.3-20130117.tar.gz.asc' gpg ccs-patch-1.7.3-20130117.tar.gz.asc tar -zxf ccs-patch-1.7.3-20130117.tar.gz patch -p1 < patches/ccs-patch-2.6.29-android-goldfish.diff sed -i -e 's:/sbin/modprobe /sbin/hotplug::' -e 's:/sbin/ccs-start:/init:' -- security/ccsecurity/Kconfig ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s goldfish_armv7_defconfig ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s mkdir -p $ANDROID_IMG/tmp cp -p arch/arm/boot/zImage $ANDROID_IMG/kernel.img |
Step 5: Copy Android's image files.
Copy image file used by Android emulator.
| cd $ANDROID_HOME/out/target/product/generic/ cp -p system.img ramdisk.img userdata.img $ANDROID_IMG |
Step 6: Compile tools for host environment.
Install TOMOYO Linux's userland tools into host environment in order to manage Android emulator remotely.
| cd $ANDROID_HOME/tmp/ wget -O ccs-tools-1.7.3-20120301.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/43376/ccs-tools-1.7.3-20120301.tar.gz' tar -zxf ccs-tools-1.7.3-20120301.tar.gz cd ccstools sudo apt-get install libreadline5-dev make sudo make install |
Step 7: Compile tools for emulator environment.
Install TOMOYO Linux's userland tools into Android emulator environment.
Since /init.rc in Android emulator's ramdisk creates /etc as a symlink to /system/etc/ directory, /sbin/ccs-init (TOMOYO Linux's policy loader which will be added at Step 12) can't reserve /etc/ccs/ directory for storing policy which is loaded upon boot. Thus, use /ccs/ directory rather than /etc/ccs/ directory.
| cd $ANDROID_HOME/tmp/ wget -O agcc http://plausible.org/andy/agcc sed -i -e 's@4\.2\.1@4.4.3@g' -e 's@interwork/@@g' -- agcc chmod 755 agcc ./agcc -o init_policy $ANDROID_HOME/tmp/ccstools/init_policy.c ./agcc -o ccs-editpolicy-agent $ANDROID_HOME/tmp/ccstools/ccs-editpolicy-agent.c sed -e 's:etc/ccs:ccs:g' $ANDROID_HOME/tmp/ccstools/ccs-init.c > $ANDROID_HOME/tmp/ccstools/ccs-init2.c ./agcc -o ccs-init $ANDROID_HOME/tmp/ccstools/ccs-init2.c chmod 700 init_policy ccs-editpolicy-agent ccs-init |
Step 8: Edit Android's ramdisk image.
Copy the agent program into Android emulator's ramdisk and configure the agent to be automatically executed upon boot.
| cd $ANDROID_IMG/tmp/ zcat ../ramdisk.img | cpio -id echo 'service ccs_agent /sbin/ccs-editpolicy-agent 0.0.0.0:7000' >> init.rc echo ' class core' >> init.rc echo ' oneshot' >> init.rc echo >> init.rc cp -p $ANDROID_HOME/tmp/init_policy $ANDROID_HOME/tmp/ccs-editpolicy-agent sbin/ find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img rm sbin/init_policy |
Step 9: Start the Android emulator.
Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 8.
| emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel |
Step 10: Initialize policy and pull.
Create initial policy used by TOMOYO Linux. Then, copy the initial policy to ramdisk's /ccs/ directory.
| mkdir -p $ANDROID_IMG/tmp/ccs/ adb shell /sbin/init_policy policy_dir=/data/ccs/ adb pull /data/ccs/ $ANDROID_IMG/tmp/ccs/ adb shell rm /data/ccs/\* adb shell rmdir /data/ccs/ adb emu kill |
Step 11: Edit initialized policy.
Add missing entries (e.g. file_pattern / allow_read ) to exception policy. Below is just an example. Domain policy is configured to use profile 1 (which is a profile for "learning mode"). Manager is configured to allow only agent program.
| cd $ANDROID_IMG/tmp/ ( echo 'initialize_domain /init' echo 'initialize_domain /system/bin/app_process' echo 'file_pattern /dev/tty\$' echo 'file_pattern /system/lib/\@.so' echo 'allow_read /system/lib/\@.so' echo 'file_pattern /system/framework/\*.jar' echo 'allow_read /system/framework/\*.jar' echo 'file_pattern /system/media/audio/\*/\*' echo 'allow_read /system/media/audio/\*/\*' echo 'file_pattern /system/fonts/\*.ttf' echo 'allow_read /system/fonts/\*.ttf' echo 'file_pattern /data/tombstones/tombstone_\$' echo 'file_pattern /data/dalvik-cache/system@framework@\*.jar@classes.dex' echo 'file_pattern /data/dalvik-cache/system@app@\*.jar@classes.dex' echo 'file_pattern /data/dalvik-cache/data@app@\*@classes.dex' echo 'file_pattern /data/local/tmp/\*.apk' echo 'file_pattern /data/local/tmp/\*.apk' echo 'file_pattern /data/app/\*.tmp' echo 'file_pattern /data/data/\*/databases/\*' echo 'file_pattern /data/data/\*/databases/' echo 'file_pattern /data/dalvik-cache/system@framework@\*.jar@classes.dex' echo 'file_pattern /data/dalvik-cache/system@app@\*.apk@classes.dex' echo 'file_pattern /data/dalvik-cache/system@app-private@\*.apk@classes.dex' echo 'file_pattern /sdcard/dcim/.thumbnails/\$.jpg' echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata\*' echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata3--\$' echo 'path_group SYSTEM_APK /system/app/\@.apk' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_min' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_def' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_max' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_min' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_def' echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_max' echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/ac/online' echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/battery/\@' #App. specific data files echo 'file_pattern /data/data/com.android.browser/cache/webviewCache/\*' echo 'file_pattern /data/data/com.android.browser/app_thumbnails/\*' ) >> ccs/exception_policy.conf ( echo '<kernel>' echo 'use_profile 1' ) > ccs/domain_policy.conf echo /sbin/ccs-editpolicy-agent > ccs/manager.conf |
Step 12: Add policy loader to Android's ramdisk image.
Add /sbin/ccs-init into ramdisk in order to enable TOMOYO Linux. Also, copy files needed by /sbin/ccs-init . On Android environment, /system/bin/loader is used for loading dynamically linked library files. But /system/ partition is not yet mounted when /sbin/ccs-init is executed. Therefore, you need to copy /bin/loader in the /system/ partition to /system/bin/ directory in the ramdisk's image. Likewise, you need to copy /lib/libc.so and /lib/libm.so in the /system/ partition to /system/lib/ directory in the ramdisk's image.
| cd $ANDROID_IMG/tmp/ mkdir -p system/bin system/lib cp -p $ANDROID_HOME/tmp/ccs-init sbin/ cp -p $ANDROID_HOME/out/target/product/generic/system/bin/linker system/bin/ cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libc.so system/lib/ cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libm.so system/lib/ chmod 755 system/bin/linker system/lib/libc.so system/lib/libm.so find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img |
Step 13: Start the Android emulator.
Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 12.
| emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel |
Step 14: Enable TCP port forwarding.
Configure port forwarding in order to communicate with the agent program running in the emulator. Below line makes TCP connection requests sent to host environment's port 10000 are forwarded to emulator environment's port 7000. As you have configures ccs-editpolicy-agent to listen at port 7000 at step 8, you can communicate with the agent program by connecting to host environment's port 10000.
| adb forward tcp:10000 tcp:7000 |
Step 15: Operate via agent.
You can browse/edit policy via agent program by starting ccs-editpolicy as shown below.
| /usr/sbin/ccs-editpolicy 127.0.0.1:10000 |
You can save current policy into ramdisk's /ccs/ directory by executing ccs-savepolicy as shown below.
| /usr/sbin/ccs-savepolicy edpm $ANDROID_IMG/tmp/ccs/ 127.0.0.1:10000 cd $ANDROID_IMG/tmp/ find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img |
You can save audit logs by starting ccs-auditd as shown below. Please be careful with disk's free space because a lot of logs are generated.
| /usr/sbin/ccs-auditd /tmp/grant_log /tmp/reject_log 127.0.0.1:10000 |
You can interactively handle policy violation in enforcing mode by starting ccs-queryd as shown below. Press Ctrl-C to terminate ccs-queryd.
| /usr/sbin/ccs-queryd 127.0.0.1:10000 |
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
