Android M port AM438x


Mantesh Eksambe

Aug 29, 2017, 1:45:03 PM
to android-porting


I have added a device in Android M for AM438x and I'm using the 4.4 kernel.
I have used the attached create-sdcard.sh script to create the rootfs, and have also attached screenshots of the boot and rootfs partitions.

uEnv.txt file:

    kloadaddr=0x81000010
    dtbaddr=0x87000010
    load_kernel=fatload mmc 0 ${kloadaddr} zImage
    load_dtb=fatload mmc 0 ${dtbaddr} am43x-epos-evm.dtb
    set_bootargs=setenv bootargs console=ttyO0,115200n8 androidboot.console=ttyO0 mem=256M root=/dev/mmcblk0p2 rw rootwait ro enforcing=0 androidboot.selinux=permissive

But I'm facing an issue related to SELinux.
I think SELinux is not allowing the init process to read "mmcblk0p2" and "file_contexts". It shows the files are "unlabele0".
Please, someone help me solve this issue.

[    1.869693] Creating 10 MTD partitions on "8000000.nand":
[    1.875398] 0x000000000000-0x000000040000 : "NAND.SPL"
[    1.888116] 0x000000040000-0x000000080000 : "NAND.SPL.backup1"
[    1.898361] 0x000000080000-0x0000000c0000 : "NAND.SPL.backup2"
[    1.909208] 0x0000000c0000-0x000000100000 : "NAND.SPL.backup3"
[    1.920761] 0x000000100000-0x000000180000 : "NAND.u-boot-spl-os"
[    1.930615] mmc0: host does not support reading read-only switch, assuming write-enable
[    1.940006] 0x000000180000-0x000000280000 : "NAND.u-boot"
[    1.947788] mmc0: new high speed SDHC card at address 0007
[    1.957652] 0x000000280000-0x0000002c0000 : "NAND.u-boot-env"
[    1.966909] mmcblk0: mmc0:0007 SS08G 7.21 GiB
[    1.975629] 0x0000002c0000-0x000000300000 : "NAND.u-boot-env.backup1"
[    1.986038]  mmcblk0: p1 p2
[    1.996293] 0x000000300000-0x000000a00000 : "NAND.kernel"
[    2.006651] 0x000000a00000-0x000020000000 : "NAND.file-system"
[    2.119007] omap_i2c 44e0b000.i2c: bus 0 rev0.12 at 100 kHz
[    2.128429] omap_i2c 4819c000.i2c: bus 2 rev0.12 at 100 kHz
[    2.136651] hctosys: unable to open rtc device (rtc0)
[    2.142093] sr_init: No PMIC hook to init smartreflex
[    2.147676] sr_init: platform driver register failed for SR
[    2.178213] vbat: disabling
[    2.181427] v1_0bat: disabling
[    2.185679] v1_8bat: disabling
[    2.235844] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[    2.244745] VFS: Mounted root (ext4 filesystem) on device 179:2.
[    2.255998] devtmpfs: mounted
[    2.260344] Freeing unused kernel memory: 480K (c096a000 - c09e2000)
[    2.267039] This architecture does not have kernel memory protection.
[    2.327045] init: init started!
[    2.359565] SELinux:  Android master kernel running Android M policy in compatibility mode.
[    2.460124] audit: type=1403 audit(2.450:2): policy loaded auid=4294967295 ses=4294967295
[    2.470869] audit: type=1404 audit(2.460:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[    2.482958] init: (Initializing SELinux enforcing took 0.15s.)
[    2.489408] audit: type=1400 audit(2.470:4): avc:  denied  { read } for  pid=1 comm="init" name="selinux_version" dev="mmcblk0p2" ino=27 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabele0
[    2.514619] audit: type=1400 audit(2.500:5): avc:  denied  { read } for  pid=1 comm="init" name="file_contexts" dev="mmcblk0p2" ino=1475 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabele0
[    2.535412] init: selinux_android_file_context_handle: Error getting file context handle (Permission denied)
[    2.546252] audit: type=1400 audit(2.530:6): avc:  denied  { execute } for  pid=1 comm="init" name="init" dev="mmcblk0p2" ino=15 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tcl0
[    2.566012] init: execv("/init") failed: Permission denied
[    2.571955] init: Security failure; rebooting into recovery mode...
[    4.285521] sysrq: SysRq : Emergency Remount R/O
[    4.301170] reboot: Restarting system with command 'recovery'


Thanks,
Mantesh
 


rootfs.png
boot_part.png
create-sdcard.sh

Sooraj Sizon

Aug 29, 2017, 5:13:35 PM
to android-porting
Since this is a bring-up, I think you should try with SELinux permissive at this stage; you can add policies for the denials at a later stage.
In the target's BoardConfig makefile, find the kernel command line and add to the end:
androidboot.selinux=permissive

Mantesh Eksambe

Aug 30, 2017, 2:35:34 PM
to android-porting
Thanks Sooraj.

I have added "androidboot.selinux=permissive" in the target's BoardConfig makefile.
When I parsed the AVC denial log messages using the audit2allow tool it gives unlabeled permissions; still, I have added the parsed permissions into the device/AM438/sepolicy/*.te files.
But unfortunately some unlabeled permissions are neverallow in the external/sepolicy/kernel.te and demen.te files.
So I think modifying the generic *.te files in external/sepolicy/ is not a proper way; please correct me if I am wrong.

#device/AM438/sepolicy/init.te
#============= kernel ==============
allow kernel unlabeled:file { relabelfrom execute read open getattr execute_no_trans };  # but actually execute_no_trans permission is neverallow from external/sepolicy/kernel.te
allow kernel unlabeled:lnk_file { read execute };

#device/AM438/sepolicy/kernel.te
#============= init ==============
allow init unlabeled:dir mounton;
allow init unlabeled:file execute;
allow init storage_file:dir mounton;
allow init unlabeled:file execute_no_trans;
allow init logd_socket:sock_file write;
allow init self:capability sys_nice;
allow init self:netlink_audit_socket create;
allow init self:netlink_kobject_uevent_socket create;
allow init self:rawip_socket create;
allow init storage_file:dir mounton;
allow init unlabeled:file execute_no_trans;

After doing this whole process I got the following logs.
I don't understand why it gives me unlabeled permissions when I parsed the AVC denial logs.

[    4.741588] init: init started!
[    4.779383] SELinux:  Android master kernel running Android M policy in compatibility mode.
[    4.797773] SELinux:  Permission module_load in class system not defined in policy.
[    4.806367] SELinux:  Class netlink_iscsi_socket not defined in policy.
[    4.813431] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
[    4.820868] SELinux:  Class netlink_connector_socket not defined in policy.
[    4.828241] SELinux:  Class netlink_netfilter_socket not defined in policy.
[    4.835614] SELinux:  Class netlink_generic_socket not defined in policy.
[    4.842786] SELinux:  Class netlink_scsitransport_socket not defined in policy.
[    4.850493] SELinux:  Class netlink_rdma_socket not defined in policy.
[    4.857390] SELinux:  Class netlink_crypto_socket not defined in policy.
[    4.864786] SELinux:  Permission audit_read in class capability2 not defined in policy.
[    4.873314] SELinux: the above unknown classes and permissions will be denied
[    5.008416] audit: type=1403 audit(5.000:2): policy loaded auid=4294967295 ses=4294967295
[    5.018893] audit: type=1404 audit(5.010:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[    5.053062] init: (Initializing SELinux enforcing took 0.31s.)
[    5.083123] init: init second stage started!
[    5.155902] init: waitpid failed: No child processes
[    5.167600] init: (Loading properties from /default.prop took 0.01s.)
[    5.190003] init: (Parsing /init.environ.rc took 0.00s.)
[    5.201329] init: (Parsing /init.usb.rc took 0.01s.)
[    5.207105] init: could not import file '/init.unknown.rc' from '/init.rc'
[    5.219968] init: (Parsing /init.zygote32.rc took 0.01s.)
[    5.231446] init: (Parsing /init.trace.rc took 0.01s.)
[    5.237207] init: (Parsing /init.rc took 0.06s.)
[    8.208686] init: Starting service 'zygote'...
[    8.408365] healthd: No charger supplies found
[    8.415518] healthd: No battery devices found
[   10.667422] init: Service 'zygote' (pid 145) killed by signal 6
[   10.674246] init: Service 'zygote' (pid 145) killing any children in process group
[   10.683851] init: write_file: Unable to open '/sys/android_power/request_state': No such file or directory
[   10.696174] init: write_file: Unable to write to '/sys/power/state': Invalid argument
[   10.706458] init: Warning!  Service media needs a SELinux domain defined; please fix!
[   10.715459] init: Starting service 'media'...
[   10.724635] init: Warning!  Service netd needs a SELinux domain defined; please fix!
[   10.735428] init: Starting service 'netd'...
[   12.752365] init: Warning!  Service surfaceflinger needs a SELinux domain defined; please fix!
[   12.761482] init: Starting service 'surfaceflinger'...
[   13.092734] init: Service 'surfaceflinger' (pid 177) killed by signal 6
[   13.099774] init: Service 'surfaceflinger' (pid 177) killing any children in process group
[   13.126197] init: Warning!  Service zygote needs a SELinux domain defined; please fix!
[   13.152597] init: Starting service 'zygote'...
shell@sitara:/ $
shell@sitara:/ $
shell@sitara:/ $ su
su: setgid failed: Operation not permitted
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $
1|shell@sitara:/ $ su
su: setgid failed: Operation not permitted
1|shell@sitara:/ $ [   16.240644] init: Service 'zygote' (pid 185) killed by signal 6
[   16.252381] init: Service 'zygote' (pid 185) killing any children in process group
[   16.260774] init: write_file: Unable to open '/sys/android_power/request_state': No such file or directory
[   16.304716] init: write_file: Unable to write to '/sys/power/state': Invalid argument
[   16.316857] init: Service 'media' is being killed...
[   16.340089] init: Service 'netd' is being killed...
[   16.356396] init: Service 'media' (pid 147) killed by signal 9

Thanks,
Mantesh

Sooraj Sizon

Aug 30, 2017, 6:41:59 PM
to android-porting
Take a look at how they handle unlabeled policies:

https://review.lineageos.org/#/c/19527/
https://review.lineageos.org/#/c/158864/
To be honest, there shouldn't be any unlabeled files at all.


On Tuesday, August 29, 2017 at 11:15:03 PM UTC+5:30, Mantesh Eksambe wrote:
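
Added example, not part of any post in this thread: a small Python triage of kernel AVC denials that separates targets of type `unlabeled` (files carrying no SELinux label on disk, so a labeling problem rather than a missing allow rule) from ordinary policy denials, and counts lines the console cut short. The sample log lines are constructed, modelled on the logs above; `triage`, `sel_type`, `_field` and `SAMPLE_LOG` are names chosen for this example.

```python
import re

# Field layout of a kernel AVC denial. tclass is optional because a serial
# console can cut long audit lines short.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'(?:\s+tclass=(?P<tclass>\w+))?')
NAME_RE = re.compile(r'\bname="([^"]*)"')
DEV_RE = re.compile(r'\bdev="([^"]*)"')

# Constructed sample lines, modelled on the logs posted in this thread.
SAMPLE_LOG = '''\
[    2.327045] init: init started!
[    2.489408] audit: type=1400 audit(2.470:4): avc:  denied  { read } for  pid=1 comm="init" name="selinux_version" dev="mmcblk0p2" ino=27 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabele0
[    2.514619] audit: type=1400 audit(2.500:5): avc:  denied  { read } for  pid=1 comm="init" name="file_contexts" dev="mmcblk0p2" ino=1475 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
[    2.546252] audit: type=1400 audit(2.530:6): avc:  denied  { execute } for  pid=1 comm="init" name="init" dev="mmcblk0p2" ino=15 scontext=u:r:kernel:s0 tcontext=u:object_r:unlabeled:s0 tcl0
[    9.100000] audit: type=1400 audit(9.090:7): avc:  denied  { write } for  pid=1 comm="init" name="logd" dev="tmpfs" ino=100 scontext=u:r:init:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file permissive=0
'''

def sel_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def _field(regex, line):
    m = regex.search(line)
    return m.group(1) if m else "?"

def triage(log_text):
    """Sort denials into labeling problems, policy gaps and truncated lines."""
    result = {"labeling": set(), "policy": set(), "truncated": 0}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        if sel_type(m["tcon"]) == "unlabeled":
            # Target has no label on disk: record which file on which device.
            result["labeling"].add((_field(DEV_RE, line), _field(NAME_RE, line)))
        elif m["tclass"] is None:
            result["truncated"] += 1  # context or class cut off; re-capture the log
        else:
            perms = tuple(sorted(m["perms"].split()))
            result["policy"].add((sel_type(m["scon"]), sel_type(m["tcon"]), m["tclass"], perms))
    return result

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_LOG).items():
        print(bucket, value)
```
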

Mantesh Eksambe

Sep 4, 2017, 2:34:43 PM
to android-porting
Thanks Sooraj.

Now I face a problem in surfaceflinger.
I think it needs a vendor-specific OpenGL library, but I don't know anything about OpenGL and display-related configuration.
Could you help me build the OpenGL libs and with the EGL configuration of AM438x?


