Info: Version 1.8.x is available.
Last modified: 2024-03-31 15:45:12 +0000 (Sun, 31 Mar 2024)
This page describes how to run TOMOYO Linux on the Android emulator for the ARM architecture. It assumes Ubuntu 10.04.3 for the x86_64 architecture as the host environment.
1. Install the packages suggested at https://source.android.com/source/download.html .

    sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"
    sudo add-apt-repository "deb-src http://archive.canonical.com/ubuntu lucid partner"
    sudo apt-get update
    sudo apt-get install sun-java6-jdk
    sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev \
        lib32ncurses5-dev ia32-libs x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
        libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc
2. Set the environment variables shown below. Adding them to the user's shell startup script (e.g. ~/.bashrc) is recommended.

    export ANDROID_HOME=$HOME/mydroid/
    export ANDROID_IMG=$ANDROID_HOME/image/
3. Download the source code and compile the emulator.

    mkdir -p $ANDROID_HOME
    cd $ANDROID_HOME
    wget https://dl-ssl.google.com/dl/googlesource/git-repo/repo
    chmod 755 repo
    ./repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.1_r1
    ./repo sync
    source build/envsetup.sh
    lunch full-eng
    make
4. Compile the kernel. The procedure is the same as usual except for applying the TOMOYO Linux patches. The gpg command verifies the detached signature of the downloaded patch archive before it is extracted. $ANDROID_EABI_TOOLCHAIN is exported by the lunch command at step 3, so run this step in the same shell (or re-run source build/envsetup.sh and lunch first).

    mkdir -p $ANDROID_HOME/tmp
    cd $ANDROID_HOME/tmp/
    git clone https://android.googlesource.com/kernel/goldfish
    cd goldfish/
    git checkout origin/android-goldfish-2.6.29
    wget https://sourceforge.net/projects/tomoyo/files/ccs-patch/1.7/ccs-patch-1.7.4-20240401.tar.gz
    wget https://sourceforge.net/projects/tomoyo/files/ccs-patch/1.7/ccs-patch-1.7.4-20240401.tar.gz.asc
    gpg ccs-patch-1.7.4-20240401.tar.gz.asc
    tar -zxf ccs-patch-1.7.4-20240401.tar.gz
    patch -p1 < patches/ccs-patch-2.6.29-android-goldfish.diff
    sed -i -e 's:/sbin/modprobe /sbin/hotplug::' -e 's:/sbin/ccs-start:/init:' -- security/ccsecurity/Kconfig
    ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s goldfish_armv7_defconfig
    ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s
    mkdir -p $ANDROID_IMG/tmp
    cp -p arch/arm/boot/zImage $ANDROID_IMG/kernel.img
5. Copy the image files used by the Android emulator.

    cd $ANDROID_HOME/out/target/product/generic/
    cp -p system.img ramdisk.img userdata.img $ANDROID_IMG
6. Install TOMOYO Linux's userland tools into the host environment in order to manage the Android emulator remotely.

    cd $ANDROID_HOME/tmp/
    wget https://sourceforge.net/projects/tomoyo/files/ccs-tools/1.7/ccs-tools-1.7.3-20120301.tar.gz
    tar -zxf ccs-tools-1.7.3-20120301.tar.gz
    cd ccstools
    sudo apt-get install libreadline5-dev
    make
    sudo make install
7. Install TOMOYO Linux's userland tools into the Android emulator environment.

Since /init.rc in the Android emulator's ramdisk creates /etc as a symlink to the /system/etc/ directory, /sbin/ccs-init (TOMOYO Linux's policy loader, which is added at step 12) cannot use the /etc/ccs/ directory for storing the policy that is loaded upon boot. Thus, use the /ccs/ directory rather than /etc/ccs/. The sed command below rewrites that directory name in ccs-init.c before it is cross-compiled.

    cd $ANDROID_HOME/tmp/
    wget -O agcc https://plausible.org/andy/agcc
    sed -i -e 's@4\.2\.1@4.4.3@g' -e 's@interwork/@@g' -- agcc
    chmod 755 agcc
    ./agcc -o init_policy $ANDROID_HOME/tmp/ccstools/init_policy.c
    ./agcc -o ccs-editpolicy-agent $ANDROID_HOME/tmp/ccstools/ccs-editpolicy-agent.c
    sed -e 's:etc/ccs:ccs:g' $ANDROID_HOME/tmp/ccstools/ccs-init.c > $ANDROID_HOME/tmp/ccstools/ccs-init2.c
    ./agcc -o ccs-init $ANDROID_HOME/tmp/ccstools/ccs-init2.c
    chmod 700 init_policy ccs-editpolicy-agent ccs-init
8. Copy the agent program into the Android emulator's ramdisk and configure the agent to be executed automatically upon boot. init_policy is copied as well so that step 10 can run it; it is removed from the extracted tree right after the image is rebuilt, so it will not be part of the ramdisk rebuilt at step 12.

    cd $ANDROID_IMG/tmp/
    zcat ../ramdisk.img | cpio -id
    echo 'service ccs_agent /sbin/ccs-editpolicy-agent 0.0.0.0:7000' >> init.rc
    echo '    class core' >> init.rc
    echo '    oneshot' >> init.rc
    echo >> init.rc
    cp -p $ANDROID_HOME/tmp/init_policy $ANDROID_HOME/tmp/ccs-editpolicy-agent sbin/
    find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
    rm sbin/init_policy
9. Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 8.

    emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel
10. Create the initial policy used by TOMOYO Linux. Then copy the initial policy to the ramdisk's /ccs/ directory.

    mkdir -p $ANDROID_IMG/tmp/ccs/
    adb shell /sbin/init_policy policy_dir=/data/ccs/
    adb pull /data/ccs/ $ANDROID_IMG/tmp/ccs/
    adb shell rm /data/ccs/\*
    adb shell rmdir /data/ccs/
    adb emu kill
11. Add missing entries (e.g. file_pattern / allow_read) to the exception policy. Below is just an example. The domain policy is configured to use profile 1 (the profile for "learning mode"). The manager is configured to allow only the agent program.

    cd $ANDROID_IMG/tmp/
    (
    echo 'initialize_domain /init'
    echo 'initialize_domain /system/bin/app_process'
    echo 'file_pattern /dev/tty\$'
    echo 'file_pattern /system/lib/\@.so'
    echo 'allow_read /system/lib/\@.so'
    echo 'file_pattern /system/framework/\*.jar'
    echo 'allow_read /system/framework/\*.jar'
    echo 'file_pattern /system/media/audio/\*/\*'
    echo 'allow_read /system/media/audio/\*/\*'
    echo 'file_pattern /system/fonts/\*.ttf'
    echo 'allow_read /system/fonts/\*.ttf'
    echo 'file_pattern /data/tombstones/tombstone_\$'
    echo 'file_pattern /data/dalvik-cache/system@framework@\*.jar@classes.dex'
    echo 'file_pattern /data/dalvik-cache/system@app@\*.jar@classes.dex'
    echo 'file_pattern /data/dalvik-cache/data@app@\*@classes.dex'
    echo 'file_pattern /data/local/tmp/\*.apk'
    echo 'file_pattern /data/app/\*.tmp'
    echo 'file_pattern /data/data/\*/databases/\*'
    echo 'file_pattern /data/data/\*/databases/'
    echo 'file_pattern /data/dalvik-cache/system@app@\*.apk@classes.dex'
    echo 'file_pattern /data/dalvik-cache/system@app-private@\*.apk@classes.dex'
    echo 'file_pattern /sdcard/dcim/.thumbnails/\$.jpg'
    echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata\*'
    echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata3--\$'
    echo 'path_group SYSTEM_APK /system/app/\@.apk'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_min'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_def'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_max'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_min'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_def'
    echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_max'
    echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/ac/online'
    echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/battery/\@'
    # App. specific data files
    echo 'file_pattern /data/data/com.android.browser/cache/webviewCache/\*'
    echo 'file_pattern /data/data/com.android.browser/app_thumbnails/\*'
    ) >> ccs/exception_policy.conf
    (
    echo '<kernel>'
    echo 'use_profile 1'
    ) > ccs/domain_policy.conf
    echo /sbin/ccs-editpolicy-agent > ccs/manager.conf
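The file_pattern and allow_read entries above rely on the TOMOYO 1.7 pathname wildcards (\* for any characters other than '/', \@ for any characters other than '/' and '.', \$ for one or more decimal digits). Which pattern covers a given path decides what the learning mode records and what every domain is allowed to read, so it is worth checking the patterns before loading them. The following is an added Python example, not code from the TOMOYO project or from this page: it translates TOMOYO 1.7 path patterns into anchored regular expressions and reports which file_pattern / allow_read entries of a policy cover a path. The sample policy text and the paths are constructed for the example; the wildcard table goes a little beyond the three wildcards used above (\?, \+, \X, \x, \A, \a are also from the 1.7 syntax), and \ooo octal escapes are treated as the literal byte they encode.

```python
"""Match pathnames against TOMOYO Linux 1.7 policy patterns.

Added example (not from the TOMOYO project or the page it accompanies).
The sample exception policy and the paths below are constructed for it.
"""
import re

# TOMOYO 1.7 wildcards: a backslash followed by one of these characters.
_WILDCARDS = {
    "*": r"[^/]*",         # zero or more characters other than '/'
    "@": r"[^/.]*",        # zero or more characters other than '/' and '.'
    "?": r"[^/]",          # exactly one character other than '/'
    "$": r"[0-9]+",        # one or more decimal digits
    "+": r"[0-9]",         # exactly one decimal digit
    "X": r"[0-9A-Fa-f]+",  # one or more hexadecimal digits
    "x": r"[0-9A-Fa-f]",   # exactly one hexadecimal digit
    "A": r"[A-Za-z]+",     # one or more alphabet characters
    "a": r"[A-Za-z]",      # exactly one alphabet character
}


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a TOMOYO 1.7 path pattern into a compiled regular expression.

    The result is meant to be used with fullmatch(), so the whole path must
    be covered by the pattern; there is no implicit prefix or suffix match.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in _WILDCARDS:
                out.append(_WILDCARDS[nxt])
                i += 2
                continue
            if nxt == "\\":              # '\\' stands for one literal backslash
                out.append(re.escape("\\"))
                i += 2
                continue
            octal = pattern[i + 1:i + 4]  # '\ooo' encodes a non-printable byte
            if len(octal) == 3 and all(ch in "01234567" for ch in octal):
                out.append(re.escape(chr(int(octal, 8))))
                i += 4
                continue
        out.append(re.escape(c))          # anything else matches literally
        i += 1
    return re.compile("".join(out))


def matches(pattern: str, path: str) -> bool:
    """True if the TOMOYO pattern covers the whole pathname."""
    return pattern_to_regex(pattern).fullmatch(path) is not None


def parse_exception_policy(text: str) -> dict:
    """Group exception_policy.conf lines by directive, dropping exact duplicates.

    The kernel ignores a repeated entry, so duplicates are only noise in the
    file; removing them here keeps the reports below readable.
    """
    policy: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, operand = line.partition(" ")
        entries = policy.setdefault(directive, [])
        if operand not in entries:
            entries.append(operand)
    return policy


def file_patterns_for(policy: dict, path: str) -> list:
    """file_pattern entries that cover path, i.e. what learning mode would
    record in the domain policy instead of the exact pathname."""
    return [p for p in policy.get("file_pattern", []) if matches(p, path)]


def is_globally_readable(policy: dict, path: str) -> bool:
    """True if an allow_read entry lets every domain read path."""
    return any(matches(p, path) for p in policy.get("allow_read", []))


# Constructed sample: a subset of the entries shown on the page, with one
# deliberate duplicate to show the de-duplication.
SAMPLE_EXCEPTION_POLICY = r"""
file_pattern /dev/tty\$
file_pattern /system/lib/\@.so
allow_read /system/lib/\@.so
file_pattern /data/data/\*/databases/\*
file_pattern /data/data/\*/databases/\*
path_group SYSTEM_APK /system/app/\@.apk
"""

if __name__ == "__main__":
    policy = parse_exception_policy(SAMPLE_EXCEPTION_POLICY)
    for path in ("/dev/tty0", "/dev/tty", "/system/lib/libc.so",
                 "/system/lib/libc.so.1",
                 "/data/data/com.android.browser/databases/webview.db"):
        print(path, "->", file_patterns_for(policy, path),
              "readable by all:", is_globally_readable(policy, path))
```

Note the difference between \@ and \*: /system/lib/\@.so covers libc.so but not libc.so.1 (the \@ cannot swallow the second dot), whereas /data/data/\*/databases/\* covers com.android.browser as a directory name. Choosing the narrower wildcard keeps an allow_read entry from quietly granting read access to files you did not have in mind.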
12. Add /sbin/ccs-init into the ramdisk in order to enable TOMOYO Linux. Also copy the files needed by /sbin/ccs-init. On Android, /system/bin/linker is used for loading dynamically linked library files, but the /system/ partition is not yet mounted when /sbin/ccs-init is executed. Therefore, you need to copy /bin/linker from the /system/ partition to the /system/bin/ directory in the ramdisk image. Likewise, you need to copy /lib/libc.so and /lib/libm.so from the /system/ partition to the /system/lib/ directory in the ramdisk image.

    cd $ANDROID_IMG/tmp/
    mkdir -p system/bin system/lib
    cp -p $ANDROID_HOME/tmp/ccs-init sbin/
    cp -p $ANDROID_HOME/out/target/product/generic/system/bin/linker system/bin/
    cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libc.so system/lib/
    cp -p $ANDROID_HOME/out/target/product/generic/system/lib/libm.so system/lib/
    chmod 755 system/bin/linker system/lib/libc.so system/lib/libm.so
    find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
13. Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 12.

    emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel
14. Configure port forwarding in order to communicate with the agent program running in the emulator. The line below forwards TCP connection requests sent to the host environment's port 10000 to the emulator environment's port 7000. Since you configured ccs-editpolicy-agent to listen on port 7000 at step 8, you can communicate with the agent program by connecting to the host environment's port 10000.

    adb forward tcp:10000 tcp:7000
15. You can browse and edit the policy via the agent program by starting ccs-editpolicy as shown below.

    /usr/sbin/ccs-editpolicy 127.0.0.1:10000
16. You can save the current policy into the ramdisk's /ccs/ directory by executing ccs-savepolicy as shown below, then rebuild the ramdisk image so the saved policy is loaded on the next boot.

    /usr/sbin/ccs-savepolicy edpm $ANDROID_IMG/tmp/ccs/ 127.0.0.1:10000
    cd $ANDROID_IMG/tmp/
    find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
17. You can save audit logs by starting ccs-auditd as shown below. Be careful with the disk's free space, because a lot of logs are generated.

    /usr/sbin/ccs-auditd /tmp/grant_log /tmp/reject_log 127.0.0.1:10000
18. You can interactively handle policy violations in enforcing mode by starting ccs-queryd as shown below. Press Ctrl-C to terminate ccs-queryd.

    /usr/sbin/ccs-queryd 127.0.0.1:10000