lxc: Fixup LXC config versioning

[waydroid.git] / tools / helpers / lxc.py

diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index d77493600b06409142e3ef052f70e6c652a4ad5e..59b1c9112465b9e45ba6a95d10f643d4929e40f5 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -127,6 +127,19 @@ def generate_nodes_lxc_config(args):
 
     return nodes
 
+LXC_APPARMOR_PROFILE = "lxc-waydroid"
+def get_apparmor_status(args):
+    enabled = False
+    if shutil.which("aa-status"):
+        enabled = (tools.helpers.run.user(args, ["aa-status", "--quiet"], check=False) == 0)
+    if not enabled and shutil.which("systemctl"):
+        enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
+    try:
+        with open("/sys/kernel/security/apparmor/profiles", "r") as f:
+            enabled &= (LXC_APPARMOR_PROFILE in f.read())
+    except:
+        enabled = False
+    return enabled
 
 def set_lxc_config(args):
     lxc_path = tools.config.defaults["lxc"] + "/waydroid"
@@ -135,15 +148,13 @@ def set_lxc_config(args):
         raise OSError("LXC is not installed")
     config_paths = tools.config.tools_src + "/data/configs/config_"
     seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
-    apparmor_profiles = [tools.config.tools_src + "/data/configs/" + "lxc-waydroid",tools.config.tools_src + "/data/configs/" + "android_app",tools.config.tools_src + "/data/configs/" + "adbd"]
-    apparmor_profile_dir = "/etc/apparmor.d/"
 
     config_snippets = [ config_paths + "base" ]
-    # lxc v1 is a bit special because some options got renamed later
-    if lxc_ver == 1:
+    # lxc v1 and v2 are bit special because some options got renamed later
+    if lxc_ver <= 2:
         config_snippets.append(config_paths + "1")
     else:
-        for ver in range(2, 5):
+        for ver in range(3, 5):
             snippet = config_paths + str(ver)
             if lxc_ver >= ver and os.path.exists(snippet):
                 config_snippets.append(snippet)
@@ -156,22 +167,9 @@ def set_lxc_config(args):
     tools.helpers.run.user(args, command)
     command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
     tools.helpers.run.user(args, command)
-
-    try:
-        command = ["cp", "-i", apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"]
-        tools.helpers.run.user(args, command)
-        command = ["apparmor_parser", "-r", apparmor_profile_dir + "lxc/lxc-waydroid"]
+    if get_apparmor_status(args):
+        command = ["sed", "-i", "-E", "/lxc.aa_profile|lxc.apparmor.profile/ s/unconfined/{}/g".format(LXC_APPARMOR_PROFILE), lxc_path + "/config"]
         tools.helpers.run.user(args, command)
-        command = ["cp", "-i", apparmor_profiles[1], apparmor_profile_dir + "android_app"]
-        tools.helpers.run.user(args, command)
-        command = ["apparmor_parser", "-r", apparmor_profile_dir + "android_app"]
-        tools.helpers.run.user(args, command)
-        command = ["cp", "-i", apparmor_profiles[2], apparmor_profile_dir + "adbd"]
-        tools.helpers.run.user(args, command)
-        command = ["apparmor_parser", "-r", apparmor_profile_dir + "adbd"]
-        tools.helpers.run.user(args, command)
-    except:
-        logging.warning("An error has occurred while installing AppArmor profiles. If profiles are not installed, or AppArmor is disabled or not supported on your system, then the container will run without AppArmor protection.")
 
     nodes = generate_nodes_lxc_config(args)
     config_nodes_tmp_path = args.work + "/config_nodes"