Info: Version 1.8.x is available.

Japanese Page

Last modified: $Date: 2017-11-11 20:51:02 +0900 (Sat, 11 Nov 2017) $

TOMOYO Linux on Android

This page describes how to run TOMOYO Linux on Android emulator for ARM architecture. This page assumes Ubuntu 10.04.3 for x86_64 architecture as the host environment.

Step 1: Install required packages.

Install packages as suggested at .

sudo add-apt-repository "deb lucid partner"
sudo add-apt-repository "deb-src lucid partner"
sudo apt-get update
sudo apt-get install sun-java6-jdk
sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev \
lib32ncurses5-dev ia32-libs x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc

Step 2: Set environment variables.

Set environment variables shown below. Adding to user's initrc script (e.g. ~/.bashrc ) is recommended.

export ANDROID_HOME=$HOME/mydroid/

Step 3: Build the Android environment.

Download the source code and compile the emulator.

mkdir -p $ANDROID_HOME
chmod 755 repo
./repo init -u -b android-4.0.1_r1
./repo sync
source build/
lunch full-eng

Step 4: Build the Android kernel.

Compile the kernel. The proceedure is same as usual except applying TOMOYO Linux patches.

mkdir -p $ANDROID_HOME/tmp
git clone
cd goldfish/
git checkout origin/android-goldfish-2.6.29
wget -O ccs-patch-1.7.3-20171111.tar.gz ''
wget -O ccs-patch-1.7.3-20171111.tar.gz.asc ''
gpg ccs-patch-1.7.3-20171111.tar.gz.asc
tar -zxf ccs-patch-1.7.3-20171111.tar.gz
patch -p1 < patches/ccs-patch-2.6.29-android-goldfish.diff
sed -i -e 's:/sbin/modprobe /sbin/hotplug::' -e 's:/sbin/ccs-start:/init:' -- security/ccsecurity/Kconfig
ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s goldfish_armv7_defconfig
ARCH=arm CROSS_COMPILE=$ANDROID_EABI_TOOLCHAIN/arm-linux-androideabi- make -s
mkdir -p $ANDROID_IMG/tmp
cp -p arch/arm/boot/zImage $ANDROID_IMG/kernel.img

Step 5: Copy Android's image files.

Copy image file used by Android emulator.

cd $ANDROID_HOME/out/target/product/generic/
cp -p system.img ramdisk.img userdata.img $ANDROID_IMG

Step 6: Compile tools for host environment.

Install TOMOYO Linux's userland tools into host environment in order to manage Android emulator remotely.

wget -O ccs-tools-1.7.3-20120301.tar.gz ''
tar -zxf ccs-tools-1.7.3-20120301.tar.gz
cd ccstools
sudo apt-get install libreadline5-dev
sudo make install

Step 7: Compile tools for emulator environment.

Install TOMOYO Linux's userland tools into Android emulator environment.

Since /init.rc in Android emulator's ramdisk creates /etc as a symlink to /system/etc/ directory, /sbin/ccs-init (TOMOYO Linux's policy loader which will be added at Step 12) can't reserve /etc/ccs/ directory for storing policy which is loaded upon boot. Thus, use /ccs/ directory rather than /etc/ccs/ directory.

wget -O agcc
sed -i -e 's@4\.2\.1@4.4.3@g' -e 's@interwork/@@g' -- agcc
chmod 755 agcc
./agcc -o init_policy $ANDROID_HOME/tmp/ccstools/init_policy.c
./agcc -o ccs-editpolicy-agent $ANDROID_HOME/tmp/ccstools/ccs-editpolicy-agent.c
sed -e 's:etc/ccs:ccs:g' $ANDROID_HOME/tmp/ccstools/ccs-init.c > $ANDROID_HOME/tmp/ccstools/ccs-init2.c
./agcc -o ccs-init $ANDROID_HOME/tmp/ccstools/ccs-init2.c
chmod 700 init_policy ccs-editpolicy-agent ccs-init

Step 8: Edit Android's ramdisk image.

Copy the agent program into Android emulator's ramdisk and configure the agent to be automatically executed upon boot.

cd $ANDROID_IMG/tmp/
zcat ../ramdisk.img | cpio -id
echo 'service ccs_agent /sbin/ccs-editpolicy-agent' >> init.rc
echo '    class core' >> init.rc
echo '    oneshot' >> init.rc
echo >> init.rc
cp -p $ANDROID_HOME/tmp/init_policy $ANDROID_HOME/tmp/ccs-editpolicy-agent sbin/
find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img
rm sbin/init_policy

Step 9: Start the Android emulator.

Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 8.

emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel

Step 10: Initialize policy and pull.

Create initial policy used by TOMOYO Linux. Then, copy the initial policy to ramdisk's /ccs/ directory.

mkdir -p $ANDROID_IMG/tmp/ccs/
adb shell /sbin/init_policy policy_dir=/data/ccs/
adb pull /data/ccs/ $ANDROID_IMG/tmp/ccs/
adb shell rm /data/ccs/\*
adb shell rmdir /data/ccs/
adb emu kill

Step 11: Edit initialized policy.

Add missing entries (e.g. file_pattern / allow_read ) to exception policy. Below is just an example. Domain policy is configured to use profile 1 (which is a profile for "learning mode"). Manager is configured to allow only agent program.

cd $ANDROID_IMG/tmp/
echo 'initialize_domain /init'
echo 'initialize_domain /system/bin/app_process'

echo 'file_pattern /dev/tty\$'

echo 'file_pattern /system/lib/\'
echo 'allow_read /system/lib/\'
echo 'file_pattern /system/framework/\*.jar'
echo 'allow_read /system/framework/\*.jar'
echo 'file_pattern /system/media/audio/\*/\*'
echo 'allow_read /system/media/audio/\*/\*'
echo 'file_pattern /system/fonts/\*.ttf'
echo 'allow_read /system/fonts/\*.ttf'
echo 'file_pattern /data/tombstones/tombstone_\$'

echo 'file_pattern /data/dalvik-cache/system@framework@\*.jar@classes.dex'
echo 'file_pattern /data/dalvik-cache/system@app@\*.jar@classes.dex'
echo 'file_pattern /data/dalvik-cache/data@app@\*@classes.dex'

echo 'file_pattern /data/local/tmp/\*.apk'
echo 'file_pattern /data/local/tmp/\*.apk'

echo 'file_pattern /data/app/\*.tmp'
echo 'file_pattern /data/data/\*/databases/\*'
echo 'file_pattern /data/data/\*/databases/'

echo 'file_pattern /data/dalvik-cache/system@framework@\*.jar@classes.dex'
echo 'file_pattern /data/dalvik-cache/system@app@\*.apk@classes.dex'
echo 'file_pattern /data/dalvik-cache/system@app-private@\*.apk@classes.dex'

echo 'file_pattern /sdcard/dcim/.thumbnails/\$.jpg'
echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata\*'
echo 'file_pattern /sdcard/dcim/.thumbnails/.thumbdata3--\$'

echo 'path_group SYSTEM_APK /system/app/\@.apk'

echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_min'
echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_def'
echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_wmem_max'
echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_min'
echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_def'
echo 'path_group SYS_FILES /sys/kernel/ipv4/tcp_rmem_max'

echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/ac/online'
echo 'allow_read /sys/devices/platform/\*battery\*/power_supply/battery/\@'

#App. specific data files
echo 'file_pattern /data/data/\*'
echo 'file_pattern /data/data/\*'
) >> ccs/exception_policy.conf
echo '<kernel>'
echo 'use_profile 1'
) > ccs/domain_policy.conf
echo /sbin/ccs-editpolicy-agent > ccs/manager.conf

Step 12: Add policy loader to Android's ramdisk image.

Add /sbin/ccs-init into ramdisk in order to enable TOMOYO Linux. Also, copy files needed by /sbin/ccs-init . On Android environment, /system/bin/loader is used for loading dynamically linked library files. But /system/ partition is not yet mounted when /sbin/ccs-init is executed. Therefore, you need to copy /bin/loader in the /system/ partition to /system/bin/ directory in the ramdisk's image. Likewise, you need to copy /lib/ and /lib/ in the /system/ partition to /system/lib/ directory in the ramdisk's image.

cd $ANDROID_IMG/tmp/
mkdir -p system/bin system/lib
cp -p $ANDROID_HOME/tmp/ccs-init sbin/
cp -p $ANDROID_HOME/out/target/product/generic/system/bin/linker system/bin/
cp -p $ANDROID_HOME/out/target/product/generic/system/lib/ system/lib/
cp -p $ANDROID_HOME/out/target/product/generic/system/lib/ system/lib/
chmod 755 system/bin/linker system/lib/ system/lib/
find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img

Step 13: Start the Android emulator.

Start the Android emulator. Specify the kernel made at step 4 and the ramdisk made at step 12.

emulator -kernel $ANDROID_IMG/kernel.img -ramdisk $ANDROID_IMG/ramdisk.img -sysdir $ANDROID_IMG -data $ANDROID_IMG/userdata.img -show-kernel

Step 14: Enable TCP port forwarding.

Configure port forwarding in order to communicate with the agent program running in the emulator. Below line makes TCP connection requests sent to host environment's port 10000 are forwarded to emulator environment's port 7000. As you have configures ccs-editpolicy-agent to listen at port 7000 at step 8, you can communicate with the agent program by connecting to host environment's port 10000.

adb forward tcp:10000 tcp:7000

Step 15: Operate via agent.

You can browse/edit policy via agent program by starting ccs-editpolicy as shown below.


You can save current policy into ramdisk's /ccs/ directory by executing ccs-savepolicy as shown below.

/usr/sbin/ccs-savepolicy edpm $ANDROID_IMG/tmp/ccs/
cd $ANDROID_IMG/tmp/
find . -print0 | cpio -o0 -H newc | gzip -9 > ../ramdisk.img

You can save audit logs by starting ccs-auditd as shown below. Please be careful with disk's free space because a lot of logs are generated.

/usr/sbin/ccs-auditd /tmp/grant_log /tmp/reject_log

You can interactively handle policy violation in enforcing mode by starting ccs-queryd as shown below. Press Ctrl-C to terminate ccs-queryd.


Return to index page.