android android-source selinux

Producing a user build of AOSP with permissive SELinux policy


I am going to build AOSP 13 for a Pixel 4a device. I have embedded a few system apps related to OTA functionality, so the system needs to be set to permissive after each boot. I know that the following rule works for userdebug and eng builds:

    BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

But I am going to deliver the device to a third-party user, and I need to produce a user build. However, the above-mentioned approach does not work for a user build. I know that I should either write a specific policy for this purpose or modify the system policies, like the allow and neverallow rules. Are there any experiences, solutions or tools that already implement this process?


Solution

  • Finally, I handled the situation by hacking two functions in selinux.cpp, located at system/core/init in the AOSP 13 source code. As the code below shows, I forced SELinux into the permissive state under all circumstances, regardless of the enforcing status that comes from the build type (such as a user build), by returning SELINUX_PERMISSIVE from StatusFromProperty() and returning false from IsEnforcing(). With these changes, SELinux is only ever set to permissive.

    EnforcingStatus StatusFromProperty() {
        // Hack: return permissive status at the very start of the function.
        // Everything below this line is unreachable and kept only for reference.
        return SELINUX_PERMISSIVE;
        EnforcingStatus status = SELINUX_PERMISSIVE;
        ImportKernelCmdline([&](const std::string& key, const std::string& value) {
            if (key == "androidboot.selinux" && value == "permissive") {
                status = SELINUX_PERMISSIVE;
            }
        });
    
        if (status == SELINUX_ENFORCING) {
            status = SELINUX_PERMISSIVE;
        }
        return SELINUX_PERMISSIVE;
    }
    
    bool IsEnforcing() {
        // Hack: always report "not enforcing", whatever the build type.
        // Everything below this line is unreachable and kept only for reference.
        return false;
        if (ALLOW_PERMISSIVE_SELINUX) {
            return StatusFromProperty() == SELINUX_PERMISSIVE;
        }
        return true;
    }
    

    I have tested the above-mentioned code for a user build on a Pixel 4a device with Android 13, and it really works!
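A check for the state the answer above produces, as an added example that is not part of the original post or of AOSP: because the patched init never consults `androidboot.selinux`, the kernel command line cannot be trusted to reveal a permissive device, so the check reads the live enforce state and the build type as well. The function names, verdict strings and sample command lines are hypothetical, and the sketch assumes `androidboot.*` parameters appear in `/proc/cmdline`.

```shell
#!/bin/sh
# Added example: classify a device's SELinux state from three inputs.
# Function names and verdict strings are hypothetical, not AOSP tooling.

# Constructed sample kernel command lines (not captured from a real device).
SAMPLE_PLAIN='console=ttyS0 androidboot.hardware=example'
SAMPLE_FLAG='console=ttyS0 androidboot.selinux=permissive androidboot.hardware=example'

# classify_selinux BUILD_TYPE ENFORCE CMDLINE
#   BUILD_TYPE  value of ro.build.type (user, userdebug, eng)
#   ENFORCE     contents of /sys/fs/selinux/enforce (1 = enforcing, 0 = permissive)
#   CMDLINE     contents of /proc/cmdline
classify_selinux() {
    build_type=$1
    enforce=$2
    cmdline=$3

    # Exact-token match, so "androidboot.selinux=permissive2" does not count.
    case " $cmdline " in
        *" androidboot.selinux=permissive "*) flag=yes ;;
        *) flag=no ;;
    esac

    if [ "$enforce" = "1" ]; then
        echo "OK enforcing"
    elif [ "$enforce" != "0" ]; then
        echo "UNKNOWN enforce-state-unreadable"
    elif [ "$build_type" = "user" ]; then
        # The cmdline flag has no effect on a stock user build, so a permissive
        # user build points at a changed init or policy, flag or no flag.
        echo "ALERT user-build-permissive"
    elif [ "$flag" = "yes" ]; then
        echo "WARN permissive-by-cmdline"
    else
        echo "WARN permissive-without-cmdline-flag"
    fi
}

# Live check, meant to be run in a shell on the device itself.
audit_device() {
    classify_selinux "$(getprop ro.build.type)" \
        "$(cat /sys/fs/selinux/enforce 2>/dev/null)" \
        "$(cat /proc/cmdline 2>/dev/null)"
}

if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Run with `--device` in a shell on the device to classify the live state; without arguments the script only defines the functions.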