This blog shows how to port SELinux to the OpenMoko Neo FreeRunner, building the infrastructure for mobile platforms based on ARMv4t. The port is based on Linux kernel 2.6.24 and runs policy version 19 with support for Booleans. Most of the work is cross compilation, which requires a thorough understanding of the infrastructure (the SELinux user-space libraries and the policy management binaries).
Requirements
• Before starting the process below, first read the Openmoko wiki.
• Ubuntu 9.04 or later as the host operating system.
• The commands below are run as root. If you are not root, prefix them with sudo.
Obtaining User-Space Source code
To port SELinux to Openmoko we need its user-space source code. Download it from Google Code via SVN using the following command:
#svn checkout http://selinux-openmoko.googlecode.com/svn/trunk/ selinux-openmoko-read-only
Tool Chain
You need a tool chain to cross compile the libraries and to set up the environment for cross compilation.
The tool chain's cross-compiler builds the source code on the native machine (x86 in our case) for the target platform (ARM).
Download the tool chain from here.
Extract the archive at the root of the filesystem; the files land in /usr/local/openmoko.
Deployment of a Mandatory Access Control Mechanism on the mobile platform
USB Networking
Here is a quick way to connect the Openmoko to the PC over the USB interface (the device side of the USB link defaults to 192.168.0.202).
1. Plug the USB cable into both the Openmoko and the PC.
2. Open a terminal and type the following commands:
# ifconfig usb0 192.168.0.200 netmask 255.255.255.0 up
# ssh root@192.168.0.202
Press Enter if asked for the root password: the stock images ship with an empty root password. Set one on the device straight away with passwd, since sshd is now reachable over the USB link.
This logs you in as root on the Openmoko, and you can give commands to the Openmoko from this terminal.
Required Libraries
We need libraries and tools on the host system such as gcc, binutils, bison etc. to compile the SELinux user-space libraries. Whenever you are asked for something missing, the easiest way to find it is the Synaptic package manager provided by Ubuntu.
Acquiring Kernel and Root File System for Openmoko
• You need to acquire a kernel and a root file system, which we will flash.
• Download them from here.
• The method for flashing the kernel and root file system is given here.
Problem with Auditing
We need the device to store all syslog messages in a file rather than in the in-memory buffer. To do this, edit /etc/syslog.conf on the device and change the destination entry from buffer to file, then restart syslogd, as shown in the figure below. Without this step the SELinux denials you will want to inspect later are lost on reboot.
Compiling User-Space Libraries
Perform the following steps to cross compile the libraries.
Note: Remove the -Werror switch from the internal Makefiles, otherwise warnings from the older tool chain abort the build.
Setting the Environment
The setup-env script that comes with the tool chain sets the environment variables for cross compilation; run it from /usr/local/openmoko/arm.
Note: Make setup-env executable (set its execute bit) before running it.
Setting Environment Variables
To reach the tools provided by the tool chain, add its bin directory to PATH. The following command shows it:
#export PATH=$PATH:/usr/local/openmoko/arm/bin
Commands to Compile User Space Libraries
Go to the source code of the user-space libraries and type the following commands:
#./configure
#make
Libselinux
Information:
libselinux is the core library, used by all SELinux-aware applications.
Go to the libselinux folder in the user-space source directory and use the commands above to cross compile it. There are a few problems with paths in the Makefile: set the include and library paths in the CFLAGS portion of the Makefile. The Makefile also contains linker switches such as -z defs that produced errors; remove them to get it to link (-z defs turns unresolved symbols into link errors, so dropping it means a missing symbol only shows up when the library is loaded on the device). Copy the output files libselinux.a, libselinux.so and libselinux.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and copy the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include, so that the next libraries and busybox can link against them.
Verbose output of compiling libselinux
Libsepol
Information:
libsepol is the library that reads, manipulates and writes binary SELinux policy; it is used by checkpolicy and libsemanage, and it is what lets the Boolean settings be applied when a new policy is generated.
Go to the libsepol folder in the user-space source code and run the compilation commands. It has the same problems as libselinux. Copy the output files libsepol.a, libsepol.so and libsepol.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.
Libsemanage
Information:
libsemanage is the library behind semanage, which is used to configure SELinux policy: SELinux user mappings, port mappings, SELinux users, file contexts, network interfaces and MLS/MCS translations. It can reconfigure these elements of the policy without modifying or recompiling the policy sources.
Go to the libsemanage folder in the user-space source code directory and run the compilation commands.
It has the same problems as the libraries above, and it links against both libselinux and libsepol, so build it last. Copy the output files libsemanage.a, libsemanage.so and libsemanage.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.
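As an added worked example (our script, not code from the original post or from the selinux-openmoko project), the following automates the cross build of one library under the paths used above. The DESTDIR and PREFIX variables follow the upstream SELinux Makefiles and are an assumption about this source tree; strip_werror, elf_machine, is_arm_elf and cross_build_lib are our own helper names. Besides the -Werror removal the post describes by hand, it adds the check a practitioner wants before copying anything to the phone: that the installed .so really is an ARM ELF object and not one silently built with the host compiler.

```shell
#!/bin/sh
# Added example, not from the original post: cross-build one SELinux user-space
# library with the Openmoko tool chain, install it into the tool chain's sysroot,
# and refuse to continue if the result is not an ARM object.
# Paths match the post; DESTDIR/PREFIX usage is assumed from the upstream Makefiles.
TOOLCHAIN=/usr/local/openmoko/arm
SYSROOT=$TOOLCHAIN/arm-angstrom-linux-gnueabi
CROSS=arm-angstrom-linux-gnueabi-
export PATH=$PATH:$TOOLCHAIN/bin

# The post removes -Werror by hand; do it for every Makefile under $1
# (also strips -Werror=<warning> forms). sed -i is GNU sed, as on the Ubuntu host.
strip_werror() {
    find "$1" -name Makefile -exec sed -i 's/-Werror[^[:space:]]*[[:space:]]*//g' {} +
}

# e_machine is the 16-bit little-endian field at byte offset 18 of an ELF header
# (the Neo's ARMv4t kernel and user space are little-endian). Prints it in decimal.
elf_machine() {
    od -An -tu1 -j18 -N2 "$1" | awk '{ print $1 + 256 * $2 }'
}

# EM_ARM is 40 (0x28); EM_386 is 3. A library built by the host gcc fails this check.
is_arm_elf() {
    [ "$(elf_machine "$1")" -eq 40 ]
}

# Build library directory $1 (e.g. libselinux) and install it into the sysroot so
# the next library and busybox can link against it; abort if a .so is not ARM.
cross_build_lib() {
    lib=$1
    strip_werror "$lib"
    make -C "$lib" \
        CC="${CROSS}gcc" AR="${CROSS}ar" RANLIB="${CROSS}ranlib" LD="${CROSS}ld" \
        CFLAGS="-O2 -I$SYSROOT/usr/include" LDFLAGS="-L$SYSROOT/usr/lib" \
        DESTDIR="$SYSROOT" PREFIX=/usr all install
    for so in "$SYSROOT"/usr/lib/"$lib".so*; do
        [ -f "$so" ] && ! is_arm_elf "$so" && { echo "not an ARM object: $so" >&2; return 1; }
    done
    return 0
}

# Usage: sh cross-build.sh libselinux libsepol libsemanage  (libsemanage last,
# since it links against the other two).
for lib; do cross_build_lib "$lib"; done
```

The ELF check is deliberately done with od rather than file or readelf so that it also runs on the phone's busybox if you want to re-verify what was copied over.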
Busybox
Information:
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc.
Download the busybox source code from its website and extract it. Next we add the SELinux user-space commands and tools to it.
Go to its source code and type the following command:
#make menuconfig
Then go to the SELinux section and enable all entries; this adds the applets busybox needs to handle SELinux. Build it with the same tool chain (make CROSS_COMPILE=arm-angstrom-linux-gnueabi-): the SELinux applets link against the libselinux you just installed into the tool chain's sysroot, and a host-built busybox will not run on the phone.
Busybox provides the following applets for SELinux:
chcon, getenforce, getsebool, load_policy, matchpathcon, restorecon,
runcon, selinuxenabled, setenforce, setfiles, setsebool, sestatus
Copy the resulting busybox binary to the /usr/bin folder on the device. Leave the original busybox in place: the new copy only needs symlinks for the SELinux applets, and overwriting the running shell over ssh leaves no way back if the ARM build is broken.
Compiling the Kernel
Download the Openmoko kernel source code from the git repository by using the following commands.
#git clone git://git.openmoko.org/git/kernel.git linux-2.6
#cd linux-2.6
#git checkout -b mystable origin/andy-tracking
#mkdir GTA02
#cp arch/arm/configs/gta02-moredrivers-defconfig GTA02/.config
Add SELinux support, and ext2/ext3 extended attributes with security labels (SELinux stores file labels in the security.selinux extended attribute), to the downloaded kernel using the following command.
#make menuconfig ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi-
In Security Option menu, enable the following.
[*] NSA SELinux Support
[*] NSA SELinux boot parameter
(0) NSA SELinux boot parameter default value
[*] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[*] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
Note: Do not enable NSA SELinux maximum supported policy format version; with it set the device may hang. Two further points about the values above: a boot parameter default value of 0 means the kernel boots with SELinux disabled unless the kernel command line contains selinux=1, so either pass selinux=1 from the boot loader or set the default to 1; and checkreqprot=1 checks mmap/mprotect requests against the protection the application asked for rather than the protection the kernel actually applies, so 0 is the stricter setting. Runtime disable lets a root process switch SELinux off through /selinux/disable before the policy is loaded; turn it off once the port is stable.
The Secuity Option Screen where SELinux is enabled
Then in File System menu, enable the following.
<M> Second extended fs support
Ext2 extended attributes
Ext2 Security Labels
Ext2 execute in place support
<*> Ext3 journalling file system support
Ext3 extended attributes
Ext3 Security Labels
Cross compile the kernel for the ARM architecture with the same ARCH and CROSS_COMPILE settings (a bare make would build for the host). The command is:
#make ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi-
The downloaded source code contains a script named build. Run it to obtain the binary image file (with .bin extension) that is flashed or copied to the device:
#sh build
The result is a file called uImage.bin. Copy it to the first partition of the SD card when booting from SD, or flash it to the phone's internal memory as described under Flashing the Kernel below.
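The same configuration can be applied without walking through menuconfig, which also makes it repeatable and checkable. The script below is an added example (ours, not from the post or the Openmoko kernel tree): it writes the 2.6.24 symbol names for the options listed above into the GTA02 .config, lets oldconfig resolve dependencies, and then verifies that nothing was silently dropped before building. The helper names set_option, apply_required, check_required and build_kernel are our own. It deliberately differs from the menuconfig values in the post in two places, explained in the comments: the boot-parameter default is 1 and checkreqprot is 0. It also adds CONFIG_AUDIT, which SELinux requires in this kernel, and leaves out Ext2 execute-in-place, which has nothing to do with labelling.

```shell
#!/bin/sh
# Added example, not from the original post: set the SELinux, audit and
# ext2/ext3 labelling options in the GTA02 kernel .config without menuconfig,
# check them after oldconfig has resolved dependencies, then cross compile.
# Run from the top of the linux-2.6 tree with the tool chain on PATH.
ARCH=arm
CROSS=arm-angstrom-linux-gnueabi-

# 2.6.24 symbol names for the options the post enables. SECURITY_SELINUX depends
# on SECURITY, SECURITY_NETWORK and AUDIT, so those are listed too. Two values
# differ from the post on purpose: BOOTPARAM_VALUE=1 boots with SELinux enabled
# without selinux=1 on the command line, and CHECKREQPROT_VALUE=0 checks the
# protection the kernel applies rather than what the application requested.
# POLICYDB_VERSION_MAX is left alone, as the post advises.
REQUIRED='
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_EXT2_FS=m
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
'

# Set one CONFIG_X=value line in config file $1, replacing an existing
# "CONFIG_X=..." or "# CONFIG_X is not set" line for the same symbol.
set_option() {
    cfg=$1 line=$2
    sym=${line%%=*}
    grep -v -e "^$sym=" -e "^# $sym is not set\$" "$cfg" > "$cfg.tmp" || true
    printf '%s\n' "$line" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

apply_required() {
    for line in $REQUIRED; do set_option "$1" "$line"; done
}

# Return 0 only if every required line is present verbatim in $1; report gaps.
check_required() {
    rc=0
    for line in $REQUIRED; do
        grep -qx -- "$line" "$1" || { echo "missing: $line" >&2; rc=1; }
    done
    return $rc
}

build_kernel() {
    cp arch/arm/configs/gta02-moredrivers-defconfig .config
    apply_required .config
    # oldconfig re-evaluates dependencies; blank answers take the defaults for new prompts
    yes '' | make ARCH=$ARCH CROSS_COMPILE=$CROSS oldconfig
    # fail loudly if Kconfig dropped an option (typically an unmet dependency)
    check_required .config
    make ARCH=$ARCH CROSS_COMPILE=$CROSS
}

# Usage: sh kernel-config.sh build   (then run the tree's own build script as in the post)
if [ "${1:-}" = build ]; then build_kernel; fi
```

check_required is the important part: menuconfig will quietly leave SELinux off if, say, CONFIG_AUDIT is missing, and the symptom on the phone is only the "No selinuxfs" failure described in the troubleshooting section.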
Flashing Neo Free Runner:
You need to flash the Neo FreeRunner when you want to install a new root filesystem or kernel.
The root FS is flashed with a utility called dfu-util. Flash it using the following steps:
1. Boot the Neo Free Runner in NOR (AUX+PWR).
2. The boot menu appears.
3. Connect the device to PC via USB cable.
4. To check whether dfu-util sees your device, run the command:
#dfu-util -l
If you get error messages from dfu-util, try again; it often works on the second try.
The usage of dfu-util is as following:
#dfu-util -a <altsetting> -R -D <file_name>
Where:
-a: altsetting: Specify the altsetting of the DFU interface by name or by number
-R: Issue USB reset signalling once we're finished
-D: filename: Write firmware from file_name into device
Flashing the Kernel
Flash the kernel by copying it to the SD card as shown above, or with dfu-util. The command format is:
#dfu-util -a kernel -R -D /path/to/uImage
When flashing succeeds the following will be shown:
status(0) = No error condition is present
Done!
Flashing the Root Filesystem
Download the root FS from its website. If the file you downloaded is compressed (.gz, .bz2, .zip, .tar, .tar.gz or .tgz), uncompress it first and copy the contents to the second partition of the SD card. If the root filesystem is an image in jffs2 format, flash it using the command given below:
#dfu-util -a rootfs -R -D rootfs_filename.jffs2
The flashing process takes up to 15 minutes for a ~70MB image. It is also wise to make sure that your Neo has enough battery charge prior to flashing. When flashing succeeds the following will be shown:
status(0) = No error condition is present
Done!
Alternative Way
An alternative and easier way to flash the Neo FreeRunner is the graphical utility NEO TOOLS.
1. To use neotools, download and install it.
2. Run it from the command prompt; the following window appears.
The Main Screen of Neotools
3. Click "2 Flash your Neo". The following screen appears.
Options for What to Flash
4. Select Root-Filesystem and Kernel as shown and click OK.
5. Select your Root-Filesystem as shown.
Selecting RootFS
6. Next, select your kernel as shown.
Selecting Kernel
7. The following warning appears; click OK and the writing process starts.
Warning “Ready to flash”
Copying Compiled Libraries and other files to Device:
Copy the compiled libraries and include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr on the PC, and then copy them to /usr/lib and /usr/include on the device (scp over the USB link works).
Copy the files from /selinux-openmoko-read-only/bin to the /usr/bin folder of the device.
Make soft links of the missing tools such as setfiles, sestatus and load_policy to busybox, in /usr/bin where you copied the SELinux-enabled busybox, using the following commands:
#ln -s busybox setfiles
#ln -s busybox sestatus
#ln -s busybox load_policy
Adding SELinux FS
Edit fstab file in /etc/ folder on device to add mountable SELinux filesystem support, add the following to fstab.
none /selinux selinuxfs noauto 0 0
After that create a folder /selinux in device using the following command
#mkdir /selinux
And then mount it using following command
#mount /selinux
After that, copy the /selinux-openmoko-read-only/targeted/ folder, along with its config file, to /etc/selinux on the device.
Reloading and Building the Policy
Build and load the policy with the following commands, run in the /etc/selinux/targeted folder.
To install the Policy
#make install
To Relabel the File System
#make relabel
To Load The Policy
#make load
To check whether SELinux is running use the following command:
#sestatus
Also check /var/log/messages for SELinux entries; this is where the denials land once syslog writes to a file.
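sestatus tells you the mode, but it is worth checking the kernel's own view on the device as well, because load_policy over ssh can hang (see the troubleshooting section) and a half-finished load is easy to miss. The script below is an added example (ours, not part of the post or the policy tree): it mounts selinuxfs if the fstab entry has not been used yet, installs, relabels and loads the policy as the Makefile steps above do, and then reads the mode, the kernel's policy format version and whether the Booleans directory has been populated, which only happens once a policy has been loaded. The helpers selinuxfs_mounted, selinux_mode, kernel_policy_version, policy_loaded and deploy_policy are our own names, and the mount table file argument exists only so the checks can be exercised on a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: bring up selinuxfs on the Neo, load
# the targeted policy and confirm from selinuxfs that the kernel accepted it.
# Assumes the busybox applets and /etc/selinux/targeted from the post are in place.
SELINUXFS=${SELINUXFS:-/selinux}
POLICYDIR=${POLICYDIR:-/etc/selinux/targeted}

# 0 if a selinuxfs is mounted at $1 according to the mount table in $2 (default /proc/mounts)
selinuxfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "selinuxfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Print enforcing / permissive from the enforce node under $1, or unavailable
# when there is no selinuxfs there (not mounted, or a kernel without SELinux).
selinux_mode() {
    if [ -r "$1/enforce" ]; then
        if [ "$(cat "$1/enforce")" -eq 1 ]; then echo enforcing; else echo permissive; fi
    else
        echo unavailable
    fi
}

# Highest policy format version the kernel supports (the post targets 19); empty if unknown
kernel_policy_version() {
    cat "$1/policyvers" 2>/dev/null || echo ''
}

# The booleans directory is populated when a policy is loaded (the post's policy
# has Booleans); before the first load_policy it is empty.
policy_loaded() {
    [ -n "$(ls "$1/booleans" 2>/dev/null)" ]
}

# Mount, install, relabel and load, then return 0 only if the kernel shows a loaded policy.
deploy_policy() {
    selinuxfs_mounted "$SELINUXFS" || mount -t selinuxfs none "$SELINUXFS"
    make -C "$POLICYDIR" install relabel
    load_policy        # takes no file argument in this version; see Troubleshooting
    ver=$(kernel_policy_version "$SELINUXFS")
    echo "mode=$(selinux_mode "$SELINUXFS") kernel policy version=${ver:-none}"
    policy_loaded "$SELINUXFS"
}

# Usage (on the device's own console, not over ssh): sh deploy-policy.sh deploy
if [ "${1:-}" = deploy ]; then deploy_policy; fi
```

If deploy_policy reports a mode of unavailable, the kernel was built without SELinux or selinuxfs is not mounted; if the mode is fine but policy_loaded fails, load_policy did not complete and the denials in /var/log/messages are not yet meaningful.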
Final Snapshots:
The Following figures show SELinux enabled on Openmoko.
Result of the ls -Z command on Openmoko
Result of sestatus
Snapshot of denials by SELinux
Trouble Shooting
Auditing:
When there is no messages file in /var/log/, the messages are being kept in the in-memory buffer. Go to /etc/syslog.conf, change the destination entry from buffer to file, and restart syslogd.
Opkg not working
If opkg does not download the appropriate file:
This means that you have not configured internet access on your Openmoko. Use the graphical interface to configure wifi, or follow the Openmoko wiki to configure the wired (USB) network; you can also use the following script on the PC to share its connection with the Openmoko.
#!/bin/sh
# host side: route the Neo's USB address via usb0, masquerade the USB subnet,
# allow forwarding, and give the Neo the host's resolver configuration
/sbin/route add -host 192.168.0.202 dev usb0
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -P FORWARD ACCEPT
sysctl -w net.ipv4.ip_forward=1
scp /etc/resolv.conf root@192.168.0.202:/etc/resolv.conf
Make the changes your networking requires: the MASQUERADE source must be the USB subnet (192.168.0.0/24 with the addresses used above), and iptables -P FORWARD ACCEPT forwards for every interface, so restrict it to usb0 if the PC sits on an untrusted network.
If opkg returns a signature failure:
You can ignore this error to get going, but be aware that you are then installing packages whose integrity has not been verified; and don't forget to set up internet access on the Openmoko.
If opkg does not find the file you want in its repository, you can give opkg the exact URL and it will download, install and configure it by itself, as in the example below:
#opkg install http://downloads.openmoko.org/repository/Om2008.8/armv4t/pidgin_2.5.1-r0_armv4t.opk
Missing Core Files
When you flash a new kernel, the first problem you hit is missing core utilities such as make, m4 etc. You can download the files from here.
Another way is to download them directly on your device using opkg, which downloads, installs and configures the package automatically. The commands are:
#opkg install make
#opkg install m4
No selinuxfs
When this happens, your kernel lacks SELinux support. Add SELinux support to your kernel and recompile it; see section 3 for details.
Mls and other files missing
When you get this error, it means you have not mounted your /selinux filesystem.
Setfiles, load_policy files missing
These tools are provided by busybox; make soft links to busybox for them, in the directory holding the SELinux-enabled busybox. The following commands show how:
ln -s busybox setfiles
ln -s busybox load_policy
Busybox complains about missing applets such as setfiles
This means that you have not added SELinux support to your busybox. See section 2 for details.
Clock skew
This means that the time on the device differs from the timestamps of the files. To fix this, correct the date and time on your device.
Policy not loading
This problem occurs when you try to load the policy over ssh. Load it directly on the device instead.
tmp/load error
This means that load_policy no longer takes a policy file argument (it always loads the policy from the standard location and selects the appropriate version). Modify your Makefile to omit the policy file argument, or run load_policy by hand with no arguments. If you try this over ssh your terminal will hang up, so do it directly on the device.
This has recently been updated to kernel 2.6.32, and the IMA (Integrity Measurement Architecture) code has been used along with it.