I am going to build an AOSP 13 for a Pixel 4a device. I have embedded a few system apps related to OTA functionalities. So, the system needs to be set permissive after each boot operation. I know that the following rule works for userdebug and eng builds.
BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
But I am going to deliver the device to a third-party user, and I need to produce a user build. However, the above-mentioned approach does not work for a user build. I know that I should either write a specific policy for this purpose or modify the system policies like allow and neverallow rules. Is there any experience, solution or tools that have already implemented this process?
Finally, I could handle the situation by hacking two functions of selinux.cpp placed at system/core/init in AOSP 13 source code. According to the code demonstrated below, I just enforced selinux to set permissive state under any circumstances, regardless of enforcing status coming from build types like user build by returning SELINUX_PERMISSIVE value for function StatusFromProperty(), and returning false for function IsEnforcing(). In these situations, selinux only sets to be permissive.
EnforcingStatus StatusFromProperty() {
return SELINUX_PERMISSIVE; //in early stage, the function returns permissive status
EnforcingStatus status = SELINUX_PERMISSIVE;
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
if (key == "androidboot.selinux" && value == "permissive") {
status = SELINUX_PERMISSIVE;
}
});
if (status == SELINUX_ENFORCING) {
status = SELINUX_PERMISSIVE;
}
return SELINUX_PERMISSIVE;
}
bool IsEnforcing() {
return false; //selinux returns false under any enforcing circumstances.
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromProperty() == SELINUX_PERMISSIVE;
}
return true;
}
I have tested the above-mentioned code for a user build on a Pixel 4a device with Android 13, and it really works!