Compiling Smack into the Android Kernel


First, Smack is well suited to embedded devices; see "Smack in Embedded Computing" by Casey Schaufler.
This article shows how to compile Smack into the Android kernel.
First, Smack is a security patch for Linux. If you download the Linux 2.6.38 kernel and run make menuconfig in the shell, you will find an item for Smack, the Simplified Mandatory Access Control Kernel. Select it so that Smack is configured into the Linux kernel, and then compile.
After compilation, enter cd /smack to switch to Smack's virtual file system (a pseudo file system), which contains load, cipso, ambient and other virtual files (in fact, these files exist in kernel space in the form of linked lists). Enter cd /etc/smack in the shell and you will find an accesses file. Open it with vim accesses and enter a line such as AA (subject label) BB (object label) W (access mode). The Smack code parses this line into a rule and adds a struct to the rule linked list behind /smack/load, which is stored in the kernel. This is much simpler than the complicated TE (type enforcement) of SELinux. I will cover the Smack technology in detail later.
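The rule line described above ("AA BB W") can be checked before it is loaded. The following is an added example, not code from the original article: the function names are hypothetical, the label limits are taken from the kernel's Smack documentation rather than from this page, and the sample rules are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: validate and normalize rule
# lines of the form "subject object access" before they are loaded.
LC_ALL=C; export LC_ALL

# valid_label LABEL: limits as stated in the kernel's Smack documentation for
# kernels of this era: 1-23 printable ASCII characters, none of / \ ' ",
# and no leading '-'.
valid_label() {
    case $1 in
        ''|-*|*[![:graph:]]*|*/*|*\\*|*\'*|*\"*) return 1 ;;
    esac
    [ "${#1}" -le 23 ]
}

# normalize_rule "SUBJ OBJ MODE": print "SUBJ OBJ rwxa" with '-' in place of
# each absent mode; print nothing and fail if the line is not a valid rule.
normalize_rule() (
    set -f                                  # no globbing while splitting
    set -- $1
    [ $# -eq 3 ] || exit 1
    valid_label "$1" && valid_label "$2" || exit 1
    case $3 in *[!rwxaRWXA-]*) exit 1 ;; esac
    r=- w=- x=- a=-
    case $3 in *[rR]*) r=r ;; esac
    case $3 in *[wW]*) w=w ;; esac
    case $3 in *[xX]*) x=x ;; esac
    case $3 in *[aA]*) a=a ;; esac
    printf '%s %s %s%s%s%s\n' "$1" "$2" "$r" "$w" "$x" "$a"
)

# check_rules: read rule lines on stdin, print the normalized ones, report
# the rest on stderr, and return the number of rejected lines.
check_rules() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        normalize_rule "$line" || { echo "line $n rejected: $line" >&2; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed sample rules (not from a real device).
check_rules <<'EOF' || echo "rejected lines: $?"
AA BB W
System _ rwxa
bad/label BB r
EOF
```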
Second, how can we compile Smack into the Android kernel? The Android kernel has a /security subdirectory that stores security-related modules, including LSM, SELinux, Smack and others. Google did not remove LSM from the Android kernel, which provides favorable conditions for compiling Smack.
So how do we compile Smack? Look at the files in /security/smack. Casey has written both the Kconfig and the Makefile for Smack. The Kconfig file is very important: it describes the module configuration and is used during compilation. It contains bool "Simplified ...." followed by depends on NETLABEL && SECURITY_NETWORK. So to compile Smack, the Android kernel configuration must first enable NETLABEL and SECURITY_NETWORK. How do we do that?
First, we choose the panda kernel. After unpacking it, we have panda/kernel-ics-chipsee-panda. We work in the shell:

cd panda/kernel-ics-chipsee-panda

cd arch/arm/configs/
In this directory, open the default configuration file: vim panda_chipsee_defconfig
We can see that neither NETLABEL nor SECURITY_NETWORK is configured. Set CONFIG_NETLABEL=y and CONFIG_SECURITY_NETWORK=y.
Then set CONFIG_SECURITY_SMACK=y, CONFIG_DEFAULT_SECURITY_SMACK=y and CONFIG_DEFAULT_SECURITY="smack".
With that, we have written all the configuration options Smack requires.
Return to the kernel's top-level directory, kernel-ics-chipsee-panda/, and run:

cd kernel-ics-chipsee-panda/
export PATH=/usr/local/arm-2010q1/bin:$PATH
export CROSS_COMPILE=arm-none-linux-gnueabi-
export ARCH=arm
make distclean
make panda_chipsee_defconfig

At this point, run make menuconfig in the shell, and we are pleasantly surprised by what we find.


In this way, Smack is configured in the Android kernel.


Next we compile the kernel: make uImage
After you enter this command, the build will report an error. That doesn't matter: modify the configuration file again as prompted (in the same way as above).
A successful compilation is shown in the following figure:



The newly compiled kernel is uImage.
So how do we run the kernel? I wondered about this for a long time. When I downloaded the Android 4.0.3 source code, it came with a kernel, but that kernel was already compiled, that is, a huge binary image file stored in the /prebuilt directory of the Android source code; it should be bzImage (I can't remember). We want Android to run on our compiled panda kernel, so we enter the command:
emulator -kernel /host/panda3/kernel-ics-chipsee-panda/arch/arm/boot/uImage
However, an error message is displayed:



At this point, I suspect it is a memory space problem, because the Android 4.0.3 emulator cannot run on our newly compiled kernel. In any case, we can compile Smack into the Android kernel.
We also need to note that LSM modifies some kernel objects, adding security fields that represent the security attributes of subjects and objects. Therefore, to use the features of LSM, the file system must support extended attributes on files, which can carry the files' security attributes. We can use the getfattr and setfattr commands to get and set a file's extended attributes;
see http://blog.csdn.net/ganggexiongqi/article/details/7661024
We know that Android uses the yaffs2 file system, which is suited to NAND-based embedded devices. However, it does not support extended file attributes, and this is where the problem arises: the core mechanism of Smack is the Linux LSM, which requires the Android file system to support extended attributes. The SEAndroid team modified the yaffs2 image tool, mkyaffs2image.c, adding a security context, char *secontext, to the yaffs2 file object header to represent the security attributes of subjects and objects. In fact, the problem is simple: newer versions of Android already use the ext4 file system, which supports extended file attributes.
Back in the shell, cd kernel-ics-chipsee-panda, run make menuconfig, and find the file-system configuration options. We are surprised to find that:





That is to say, the panda kernel is already configured with ext4 and supports extended attributes. That's great. The next question is how to make this kernel run on the panda development board.
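The defconfig edits from the configuration steps earlier and the ext4 extended-attribute check just described can both be scripted. This is an added example, not code from the original article: CONFIG_SECURITY and the three CONFIG_EXT4_* names are assumptions (the article does not name them), the function names are hypothetical, and the sample config is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: audit and fix the kernel
# options this procedure depends on in a defconfig or .config file.

# Options the article sets, plus CONFIG_SECURITY, which they sit under.
SMACK_OPTS='CONFIG_SECURITY=y CONFIG_NETLABEL=y CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SMACK=y CONFIG_DEFAULT_SECURITY_SMACK=y
CONFIG_DEFAULT_SECURITY="smack"'
# Assumption: ext4 xattr switches as named in kernels of this era; the
# article only says ext4 extended attributes are enabled.
XATTR_OPTS='CONFIG_EXT4_FS=y CONFIG_EXT4_FS_XATTR=y CONFIG_EXT4_FS_SECURITY=y'

# missing_opts FILE OPTS: print every NAME=value in OPTS that FILE does not
# contain as an exact line ("# NAME is not set" therefore counts as missing).
missing_opts() {
    for want in $2; do
        grep -qxF -e "$want" "$1" || printf '%s\n' "$want"
    done
}

# set_opts FILE OPTS: drop any existing "NAME=..." or "# NAME is not set"
# line for each option, then append the wanted setting.
set_opts() {
    for want in $2; do
        name=${want%%=*}
        grep -v -e "^$name=" -e "^# $name is not set\$" "$1" > "$1.tmp" || :
        printf '%s\n' "$want" >> "$1.tmp"
        mv "$1.tmp" "$1"
    done
}

# smack_ready FILE: succeed only when nothing from either list is missing.
smack_ready() {
    [ -z "$(missing_opts "$1" "$SMACK_OPTS $XATTR_OPTS")" ]
}

# Constructed sample config (not the real panda defconfig).
cfg=$(mktemp)
printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_NETLABEL is not set' \
    'CONFIG_EXT4_FS=y' 'CONFIG_EXT4_FS_XATTR=y' > "$cfg"
echo "missing before:"; missing_opts "$cfg" "$SMACK_OPTS $XATTR_OPTS"
set_opts "$cfg" "$SMACK_OPTS $XATTR_OPTS"
smack_ready "$cfg" && echo "all Smack and xattr options set"
rm -f "$cfg"
```

Run the check against the generated .config as well as the defconfig, since a defconfig may omit options that take their default value.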
