[ 5.762658] init: SELinux: Could not load policy: Invalid argument
[ 5.768144] init: failed to load policy: Invalid argument
[ 5.773426] init: Security failure; rebooting into recovery mode...
Here is the list of backported upstream SELinux patches needed to run Android N for kernel versions 3.10, 3.14, and 3.18. Similar patches may be found or easily cherry-picked to Android 3.4 and 4.1 kernels.
$ make -j32 :)
3.10
Required:
Revert "SELinux: ss: Fix policy write for ioctl operations"
https://android-review.googlesource.com/162273
Revert "SELinux: use deletion-safe iterator to free list"
https://android-review.googlesource.com/162274
Revert "SELinux: per-command whitelisting of ioctls"
https://android-review.googlesource.com/162275
Revert "security: lsm_audit: add ioctl specific auditing"
https://android-review.googlesource.com/162276
selinux: remove unnecessary pointer reassignment
https://android-review.googlesource.com/162277
security: add ioctl specific auditing to lsm_audit
https://android-review.googlesource.com/162278
selinux: extended permissions for ioctls
https://android-review.googlesource.com/162279
Optional for backwards compatibility:
selinux: Android kernel compatibility with M userspace
https://android-review.googlesource.com/#/c/179155
Other SELinux bug fixes
selinux: do not check open perm on ftruncate call
https://android-review.googlesource.com/#/c/173321
mm: reorder can_do_mlock to fix audit denial
https://android-review.googlesource.com/140751
3.14
Required:
Revert "SELinux: ss: Fix policy write for ioctl operations"
https://android-review.googlesource.com/162282
Revert "SELinux: use deletion-safe iterator to free list"
https://android-review.googlesource.com/162283
Revert "SELinux: per-command whitelisting of ioctls"
https://android-review.googlesource.com/162284
Revert "security: lsm_audit: add ioctl specific auditing"
https://android-review.googlesource.com/162285
selinux: remove unnecessary pointer reassignment
https://android-review.googlesource.com/162286
security: add ioctl specific auditing to lsm_audit
https://android-review.googlesource.com/162287
selinux: extended permissions for ioctls
https://android-review.googlesource.com/162288
Optional for backwards compatibility:
selinux: Android kernel compatibility with M userspace
https://android-review.googlesource.com/#/c/179245
Other SELinux bug fixes
selinux: do not check open perm on ftruncate call
https://android-review.googlesource.com/173225
mm: reorder can_do_mlock to fix audit denial
https://android-review.googlesource.com/180251
3.18
Required:
Revert "SELinux: ss: Fix policy write for ioctl operations"
https://android-review.googlesource.com/162310
Revert "SELinux: use deletion-safe iterator to free list"
https://android-review.googlesource.com/162311
Revert "SELinux: per-command whitelisting of ioctls"
https://android-review.googlesource.com/162312
Revert "security: lsm_audit: add ioctl specific auditing"
https://android-review.googlesource.com/162313
selinux: remove unnecessary pointer reassignment
https://android-review.googlesource.com/162314
security: add ioctl specific auditing to lsm_audit
https://android-review.googlesource.com/162315
selinux: extended permissions for ioctls
https://android-review.googlesource.com/162316
UPSTREAM: selinux: fix bug in conditional rules handling
https://android-review.googlesource.com/#/c/197120/
Optional for backwards compatibility:
selinux: Android kernel compatibility with M userspace
https://android-review.googlesource.com/#/c/178861
Other SELinux bug fixes
selinux: do not check open perm on ftruncate call
https://android-review.googlesource.com/#/c/173332/
mm: reorder can_do_mlock to fix audit denial
Hi
I'm porting Android M on my Huawei P8 Lite based on Kirin 620, since its kernel is released for Android 5.0 that boot without problem, doesn't have the necessary patches needed to boot Android M, I also try to google but without result, can you share them if it is not a problem?
Thanks in advance.
You need:
security: lsm_audit: add ioctl specific auditing
https://android-review.googlesource.com/#/c/132454/
SELinux: per-command whitelisting of ioctls
https://android-review.googlesource.com/#/c/146898/
SELinux: use deletion-safe iterator to free list
https://android-review.googlesource.com/#/c/147685/
SELinux: ss: Fix policy write for ioctl operations
https://android-review.googlesource.com/#/c/148733/
Cheers!
https://yadi.sk/i/-vCSVHuB3KbnCn
These took from mm (os 6) for not loading at all, not adb is not butanimation
e:\new_boot_\ramdisk\sbin\healthd
e:\new_boot_\ramdisk\init
thanks a lot :)
Hey Jeffrey
I applied those patches on my 3.10.x kernel to boot MM but still doesn't boot, what do I miss?
Knowing that I have both stock MM and Stock lp
Thanks in advance
security: lsm_audit: add ioctl specific auditing
https://android-review.googlesource.com/#/c/132454/
SELinux: per-command whitelisting of ioctls
https://android-review.googlesource.com/#/c/146898/
SELinux: use deletion-safe iterator to free list
https://android-review.googlesource.com/#/c/147685/
SELinux: ss: Fix policy write for ioctl operations
https://android-review.googlesource.com/#/c/148733/
Hi, I want to boot android N on my lp kernel. Which patches are needed??
The patches above should be adequate from an selinux standpoint.
Hello! I applied the patches to the kernel 3.10.22 (then silent to raise the subversion) I load 5 and 6 android. But I can not download 7 and leange os 6. What could be the reason? Logcat on adb also does not work (there is not even a bootanimation)
Do you have the serial console output from the kernel? You're likely missing other patches and it's difficult to say which without some kind of debug output.
Alas, all is lamentable that even there are no kmsg and logcat. He starts on another ramdisk and there is a logcat, but also has many critical errors. (Ramdisk from 6 os of the same apparatus)
thanks for the info
Thanks a lot Jeffrey, I successfully update my kernel to Nougat. Cheers!
Please help, how to apply the patch?
Is there any patches 3.4 kernel.....
https://android-review.googlesource.com/#/q/status:merged+project:kernel/common+branch:android-3.4+topic:selinux_xperms
Hey Jeffrey! I wanna boot Android M from my 3.10.x lollipop kernel. Which patches are exactly needed?
You'll need the following patches for the selinux LSM.
https://android-review.googlesource.com/#/c/132454/
https://android-review.googlesource.com/#/c/132455/
https://android-review.googlesource.com/#/c/147587/
https://android-review.googlesource.com/#/c/148733/
I have no idea if you'll need patches for other subsystems.
this patches not seemed to me to use for 3.10.y kernel
Lol. You are albe, right?
sir Jeffrey Vander Stoep, any way to patch the android source instead of patching the kernel and boot nougat on stock 3.18 MM kernel???
Hi Jeff,
Do you have such a list composed for N to O? Would like to see it if you have one as I am planning to prepare my device for upgrade before the public source drop
No patches are needed for N -> O for the selinux subsystem.
There are some binder related patches..
Newbie Dev struggling with kernel. One question,
I don't understand what kind of methods are modified when making kernel bootable for next android version. I mean.. I know this article is only for making compatible with new SELinux, but this will not be all for bootable option.
I heard that all of the modules(?) should be backported in order to make my phone bootable. I'm curious about how to know the lists of those and patch manually for each of them. I'm very confused about the way of upgrading android kernel version. Any help or mentions would be greatly appreciated. Thanks in advance.
That greatly depends on the kmsg errors you are getting when you are booting it with stock kernel sources.. U can get some ideas by searching about those errors on google... Or one other thing you can do is that to refer to a kernel sources with bootable LineageOS of phones which is similar specs as your phone have(mostly refer to chipset no.)
How to apply this patch to kernel source?
Cherry-pick them...lol
Thanks jeff
Any patches that can be applied to 3.4.67 to boot Lollipop?
I think there are patches for both SELinux and Binder, but I don't know where to start
Is there any patch needed for upgrading nougat to oreo?
What about oreo patches? I heard we need several binder patches
I don't know. This was intended to only cover the SELinux subsystem for M->N
my nougat rom booting with marshmallow kernel but with ported boot.img but when I try to compile it it didn't boot, going to recovery mode, in last_kmsg there is error in avtab invalid class
Plz help bros
you must downgrade sepolicy in romsource/system/sepolicy to support on a non nougat kernel.
this patch > https://github.com/TestMT6572/android_system_sepolicy/commit/71e44168d42fd4e6958f21852433f24aea03d897
Nougat will not boot with a Marshmallow kernel, that's the point of this post. You need to include the patches listed above and rebuild your kernel/bootimage.
Sir, these patches are for supporting the nougat sepolicy(v30) on a marshmallow kernel.. am I right?
The patches are required for kernels on Android N. If you want your N-kernel to be compatible with an M-userspace, you can apply the patch mentioned above "selinux: Android kernel compatibility with M userspace"
Got it, sir. Thanks for your awesome work.
I wanna boot Android n from my 3.10.x kitkat kernel. Which patches are exactly needed?
Is there any Specific guide on how to upgrade kernel for specific device (let's say Mido) from 3.18.x to 4.4.x?
Thanks for your help, but I'm still confused which patches should I pick when facing a newer Android version, are there any rules or tips?