Linux default security (LSM) on Droidian

Hello,

This is my first post in the forum. Thanks a lot for making it!

I would like to talk about the appropriate default Linux kernel security configuration for Droidian. I think it is not well enough defined, and I hope this post, with your feedback, might be useful to clarify the topic.

I did some investigation about it, and I think the results make sense.
I want to share my conclusions, currently applied and working on the Xiaomi Poco X3 Pro (vayu, LTS 4.14 port).
I look forward to receiving criticism and feedback; this will help to optimize, fix or redefine this initial work.

Initial considerations (as I understand them!)

  1. Droidian is not using AppArmor. The apparmor service is intentionally disabled.

  2. Droidian requires SELinux to be set to permissive (if it is enabled in the kernel). On some devices, setting SELinux to permissive without fully disabling it (selinux=0) causes random black-screen boots.

  3. Many Droidian ports have AppArmor patches from UBPorts applied to their kernels (like legacy patches). The Droidian porting guide recommends reverting them, or not applying them. But having them is not a problem, because the apparmor service is disabled.

Initial conclusion

  • There is no default LSM defined for Droidian.

Common configuration

The common configuration for most (or at least a few) devices running Droidian is probably:

  • AppArmor: kernel with UBPorts patches, set as the default LSM, systemd service disabled.
  • SELinux: enabled in the kernel, permissive/disabled on the cmdline, not the default LSM.
  • Probably some other LSM additionally enabled in the kernel.

Assuming this scenario, and looking at the dmesg and journal logs, some errors from the Android keystore service appear.
The reason looks like “Missing selinux context”.
So this shows that some services in the Android LXC container might be failing because of SELinux dependencies.

At this point, I decided to investigate setting SELinux as the default LSM.

Final conclusions

  1. Setting SELinux as the default LSM fixes the keystore service, but:
  • a. If SELinux is not the only enabled LSM in the kernel, the SELinux context does not load successfully and the keystore service still crashes.
  • b. When SELinux is the default LSM, and the only LSM enabled, then the keystore service starts successfully. The cmdline should set SELinux as permissive, and enabled (selinux=1).
  • c. It seems that scenario 1a causes LSM conflicts (on kernel 4.14).
  2. But a problem might still remain: with this configuration, the system might randomly boot to a black screen:
  • a. The problem seems to be some extra SELinux mechanisms which are not bypassed even when using SELinux in permissive mode.
  • b. For the tested device (Xiaomi vayu) the problem was some authentication problems in the DRM driver.
  • c. This problem was solved by patching the driver to bypass the problematic authentication mechanism.

Implementation sample

This configuration starts with a minimal security configuration in the kernel.
Only one LSM is enabled (SELinux). There are three components in the implementation:

  1. Kernel security configuration, SELinux based
## CONFIG_SECURITY
## AppArmor is not used by Droidian.
## SELinux must be disabled or set to permissive to allow booting Droidian.
# Default security: SELinux is the only LSM and the default one
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set

## Enabled LSMs
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_SELINUX=y
## Security boot config
# BOOTPARAM_VALUE=0: SELinux stays off at boot unless the cmdline passes selinux=1
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# Allow disabling SELinux at runtime through /sys/fs/selinux/disable
CONFIG_SECURITY_SELINUX_DISABLE=y
# DEVELOP is what provides permissive mode and the enforcing=0 boot parameter
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
## Smack security
# CONFIG_SECURITY_SMACK is not set
## Tomoyo security
# CONFIG_SECURITY_TOMOYO is not set
## Yama: required!
CONFIG_SECURITY_YAMA=y
  2. cmdline
androidboot.selinux=permissive enforcing=0 selinux=1
  3. DRM driver: fix black screen when SELinux is enabled
    halium: drm/msm: Disable SUI MISR
    halium: drm: Remove DRM_MASTER from atomic ioctl
    halium: drm: Auto-authenticate DRM for single client

What do you think?
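A small check script, added here as an example and not part of the post or of Droidian, that audits a kernel .config fragment and a cmdline against the combination the post settles on: SELinux built in as the only and default LSM, enabled with selinux=1, booted permissive with enforcing=0 and androidboot.selinux=permissive. The sample .config it writes is constructed to match the fragment above; the Kconfig symbol names are the 4.14 ones, and the /sys paths are the kernel's standard securityfs and selinuxfs files.

```shell
#!/bin/sh
# Added example (not from the original post): audit a .config fragment and a
# kernel cmdline for "SELinux only, default, enabled, permissive".

# Returns 0 when the .config in $1 matches the post's LSM layout, 1 otherwise.
# Findings go to stderr so the exit status can be used from scripts.
lsm_config_ok() {
    cfg="$1"
    rc=0
    # Everything the post enables. SELINUX_DEVELOP is what makes the
    # enforcing=0 boot parameter exist; without it "permissive on the cmdline"
    # silently does nothing. YAMA is marked as required in the post.
    for sym in CONFIG_SECURITY CONFIG_SECURITY_SELINUX \
               CONFIG_DEFAULT_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_DEVELOP \
               CONFIG_SECURITY_YAMA; do
        if ! grep -q "^${sym}=y\$" "$cfg"; then
            echo "missing: ${sym}=y" >&2
            rc=1
        fi
    done
    # Scenario 1a from the post: a second major LSM built in and the keystore
    # context no longer loads, so treat these as hard failures.
    for sym in CONFIG_SECURITY_APPARMOR CONFIG_SECURITY_SMACK CONFIG_SECURITY_TOMOYO; do
        if grep -q "^${sym}=y\$" "$cfg"; then
            echo "conflicting LSM enabled: ${sym}" >&2
            rc=1
        fi
    done
    # With BOOTPARAM_VALUE=0 SELinux stays off unless the cmdline says selinux=1.
    if grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$' "$cfg"; then
        echo "note: BOOTPARAM_VALUE=0, the cmdline must carry selinux=1" >&2
    fi
    return $rc
}

# Returns 0 when the cmdline string in $1 enables SELinux but boots permissive.
cmdline_ok() {
    line=" $1 "
    rc=0
    case "$line" in
        *" selinux=0 "*) echo "selinux=0 disables SELinux; keystore will have no context" >&2; return 1 ;;
    esac
    case "$line" in *" selinux=1 "*) ;; *) echo "missing selinux=1" >&2; rc=1 ;; esac
    # enforcing=0 is consumed by the kernel (needs SELINUX_DEVELOP);
    # androidboot.selinux=permissive is consumed by Android init in the container.
    case "$line" in *" enforcing=0 "*) ;; *) echo "missing enforcing=0" >&2; rc=1 ;; esac
    case "$line" in *" androidboot.selinux=permissive "*) ;; *) echo "missing androidboot.selinux=permissive" >&2; rc=1 ;; esac
    return $rc
}

# On a booted device: show which LSMs are actually active and whether SELinux
# is enforcing, then validate the live cmdline.
running_state() {
    rc=0
    if [ -r /sys/kernel/security/lsm ]; then echo "active LSMs: $(cat /sys/kernel/security/lsm)"; fi
    if [ -r /sys/fs/selinux/enforce ]; then echo "selinux enforce: $(cat /sys/fs/selinux/enforce)"; fi
    if [ -r /proc/cmdline ]; then cmdline_ok "$(cat /proc/cmdline)" || rc=1; fi
    return $rc
}

# Constructed sample fragment (not a real device's .config) matching the post.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_YAMA=y
EOF
}

# Usage: sh lsm_check.sh live                          (on the device)
#        sh lsm_check.sh check out/.config "$(cat cmdline)"
case "${1:-}" in
    live)  running_state ;;
    check) lsm_config_ok "$2" && cmdline_ok "$3" ;;
esac
```

Running it with `live` on the device is the quickest way to confirm that /sys/kernel/security/lsm lists only selinux (plus yama) and that the enforce file reads 0; if the keystore errors from the post are still there while both checks pass, the remaining cause is in the container side, not the kernel LSM setup.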