debian/control: add Depends on pipewire-pulse | pulseaudio

[waydroid.git] / tools / helpers / lxc.py

diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index 59b1c9112465b9e45ba6a95d10f643d4929e40f5..79eac733a44f2258383868f2664efd185f3a46f6 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -2,16 +2,15 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 import subprocess
 import os
 # SPDX-License-Identifier: GPL-3.0-or-later
 import subprocess
 import os

-import re

 import logging
 import glob
 import shutil
 import logging
 import glob
 import shutil

+import time

 import platform
 import gbinder
 import tools.config
 import tools.helpers.run
 
 import platform
 import gbinder
 import tools.config
 import tools.helpers.run
 

-

 def get_lxc_version(args):
     if shutil.which("lxc-info") is not None:
         command = ["lxc-info", "--version"]
 def get_lxc_version(args):
     if shutil.which("lxc-info") is not None:
         command = ["lxc-info", "--version"]


@@ -20,30 +19,33 @@ def get_lxc_version(args):
     else:
         return 0
 
     else:
         return 0
 

+def add_node_entry(nodes, src, dist, mnt_type, options, check):
+    if check and not os.path.exists(src):
+        return False
+    entry = "lxc.mount.entry = "
+    entry += src + " "
+    if dist is None:
+        dist = src[1:]
+    entry += dist + " "
+    entry += mnt_type + " "
+    entry += options
+    nodes.append(entry)
+    return True

 
 def generate_nodes_lxc_config(args):
 
 def generate_nodes_lxc_config(args):

+    nodes = []

     def make_entry(src, dist=None, mnt_type="none", options="bind,create=file,optional 0 0", check=True):
     def make_entry(src, dist=None, mnt_type="none", options="bind,create=file,optional 0 0", check=True):

-        if check and not os.path.exists(src):
-            return False
-        entry = "lxc.mount.entry = "
-        entry += src + " "
-        if dist is None:
-            dist = src[1:]
-        entry += dist + " "
-        entry += mnt_type + " "
-        entry += options
-        nodes.append(entry)
-        return True
+        return add_node_entry(nodes, src, dist, mnt_type, options, check)

 
 

-    nodes = []

     # Necessary dev nodes
     make_entry("tmpfs", "dev", "tmpfs", "nosuid 0 0", False)
     make_entry("/dev/zero")
     make_entry("/dev/null")
     make_entry("/dev/full")
     # Necessary dev nodes
     make_entry("tmpfs", "dev", "tmpfs", "nosuid 0 0", False)
     make_entry("/dev/zero")
     make_entry("/dev/null")
     make_entry("/dev/full")

-    make_entry("/dev/ashmem", check=False)
+    make_entry("/dev/ashmem")

     make_entry("/dev/fuse")
     make_entry("/dev/ion")
     make_entry("/dev/fuse")
     make_entry("/dev/ion")

+    make_entry("/dev/tty")

     make_entry("/dev/char", options="bind,create=dir,optional 0 0")
 
     # Graphic dev nodes
     make_entry("/dev/char", options="bind,create=dir,optional 0 0")
 
     # Graphic dev nodes


@@ -52,7 +54,8 @@ def generate_nodes_lxc_config(args):
     make_entry("/dev/pvr_sync")
     make_entry("/dev/pmsg0")
     make_entry("/dev/dxg")
     make_entry("/dev/pvr_sync")
     make_entry("/dev/pmsg0")
     make_entry("/dev/dxg")

-    make_entry(tools.helpers.gpu.getDriNode(args), "dev/dri/renderD128")
+    render, _ = tools.helpers.gpu.getDriNode(args)
+    make_entry(render)

 
     for n in glob.glob("/dev/fb*"):
         make_entry(n)
 
     for n in glob.glob("/dev/fb*"):
         make_entry(n)


@@ -60,6 +63,8 @@ def generate_nodes_lxc_config(args):
         make_entry(n)
     for n in glob.glob("/dev/video*"):
         make_entry(n)
         make_entry(n)
     for n in glob.glob("/dev/video*"):
         make_entry(n)

+    for n in glob.glob("/dev/dma_heap/*"):
+        make_entry(n)

 
     # Binder dev nodes
     make_entry("/dev/" + args.BINDER_DRIVER, "dev/binder", check=False)
 
     # Binder dev nodes
     make_entry("/dev/" + args.BINDER_DRIVER, "dev/binder", check=False)


@@ -69,7 +74,7 @@ def generate_nodes_lxc_config(args):
     if args.vendor_type != "MAINLINE":
         if not make_entry("/dev/hwbinder", "dev/host_hwbinder"):
             raise OSError('Binder node "hwbinder" of host not found')
     if args.vendor_type != "MAINLINE":
         if not make_entry("/dev/hwbinder", "dev/host_hwbinder"):
             raise OSError('Binder node "hwbinder" of host not found')

-        make_entry("/vendor", "vendor_extra", options="bind,optional 0 0")
+        make_entry("/vendor", "vendor_extra", options="rbind,optional 0 0")

 
     # Necessary device nodes for adb
     make_entry("none", "dev/pts", "devpts", "defaults,mode=644,ptmxmode=666,create=dir 0 0", False)
 
     # Necessary device nodes for adb
     make_entry("none", "dev/pts", "devpts", "defaults,mode=644,ptmxmode=666,create=dir 0 0", False)


@@ -81,17 +86,10 @@ def generate_nodes_lxc_config(args):
     # Low memory killer sys node
     make_entry("/sys/module/lowmemorykiller", options="bind,create=dir,optional 0 0")
 
     # Low memory killer sys node
     make_entry("/sys/module/lowmemorykiller", options="bind,create=dir,optional 0 0")
 

-    # Mount /data
-    make_entry("tmpfs", "mnt", "tmpfs", "mode=0755,uid=0,gid=1000", False)
-    make_entry(tools.config.defaults["data"], "data", options="bind 0 0", check=False)
-

     # Mount host permissions
     make_entry(tools.config.defaults["host_perms"],
                "vendor/etc/host-permissions", options="bind,optional 0 0")
 
     # Mount host permissions
     make_entry(tools.config.defaults["host_perms"],
                "vendor/etc/host-permissions", options="bind,optional 0 0")
 

-    # Recursive mount /run to provide necessary host sockets
-    make_entry("/run", options="rbind,create=dir 0 0")
-

     # Necessary sw_sync node for HWC
     make_entry("/dev/sw_sync")
     make_entry("/sys/kernel/debug", options="rbind,create=dir,optional 0 0")
     # Necessary sw_sync node for HWC
     make_entry("/dev/sw_sync")
     make_entry("/sys/kernel/debug", options="rbind,create=dir,optional 0 0")


@@ -113,14 +111,10 @@ def generate_nodes_lxc_config(args):
     make_entry("/mnt/wslg", "mnt_extra/wslg",
                options="rbind,create=dir,optional 0 0")
 
     make_entry("/mnt/wslg", "mnt_extra/wslg",
                options="rbind,create=dir,optional 0 0")
 

-    # var
-    make_entry("tmpfs", "var", "tmpfs", "nodev 0 0", False)
-    make_entry("/var/run", options="rbind,create=dir,optional 0 0")
-
-    # tmp
+    # Make a tmpfs at every possible rootfs mountpoint

     make_entry("tmpfs", "tmp", "tmpfs", "nodev 0 0", False)
     make_entry("tmpfs", "tmp", "tmpfs", "nodev 0 0", False)

-    for n in glob.glob("/tmp/run-*"):
-        make_entry(n, options="rbind,create=dir,optional 0 0")
+    make_entry("tmpfs", "var", "tmpfs", "nodev 0 0", False)
+    make_entry("tmpfs", "run", "tmpfs", "nodev 0 0", False)

 
     # NFC config
     make_entry("/system/etc/libnfc-nci.conf", options="bind,optional 0 0")
 
     # NFC config
     make_entry("/system/etc/libnfc-nci.conf", options="bind,optional 0 0")


@@ -130,8 +124,8 @@ def generate_nodes_lxc_config(args):
 LXC_APPARMOR_PROFILE = "lxc-waydroid"
 def get_apparmor_status(args):
     enabled = False
 LXC_APPARMOR_PROFILE = "lxc-waydroid"
 def get_apparmor_status(args):
     enabled = False

-    if shutil.which("aa-status"):
-        enabled = (tools.helpers.run.user(args, ["aa-status", "--quiet"], check=False) == 0)
+    if shutil.which("aa-enabled"):
+        enabled = (tools.helpers.run.user(args, ["aa-enabled", "--quiet"], check=False) == 0)

     if not enabled and shutil.which("systemctl"):
         enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
     try:
     if not enabled and shutil.which("systemctl"):
         enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
     try:


@@ -180,6 +174,46 @@ def set_lxc_config(args):
     command = ["mv", config_nodes_tmp_path, lxc_path]
     tools.helpers.run.user(args, command)
 
     command = ["mv", config_nodes_tmp_path, lxc_path]
     tools.helpers.run.user(args, command)
 

+    # Create empty file
+    open(os.path.join(lxc_path, "config_session"), mode="w").close()
+
+def generate_session_lxc_config(args, session):
+    nodes = []
+    def make_entry(src, dist=None, mnt_type="none", options="rbind,create=file 0 0"):
+        if any(x in src for x in ["\n", "\r"]):
+            logging.warning("User-provided mount path contains illegal character: " + src)
+            return False
+        if dist is None and (not os.path.exists(src) or
+                             str(os.stat(src).st_uid) != session["user_id"]):
+            logging.warning("User-provided mount path is not owned by user: " + src)
+            return False
+        return add_node_entry(nodes, src, dist, mnt_type, options, check=False)
+
+    # Make sure XDG_RUNTIME_DIR exists
+    if not make_entry("tmpfs", tools.config.defaults["container_xdg_runtime_dir"], options="create=dir 0 0"):
+        raise OSError("Failed to create XDG_RUNTIME_DIR mount point")
+
+    wayland_host_socket = os.path.realpath(os.path.join(session["xdg_runtime_dir"], session["wayland_display"]))
+    wayland_container_socket = os.path.realpath(os.path.join(tools.config.defaults["container_xdg_runtime_dir"], tools.config.defaults["container_wayland_display"]))
+    if not make_entry(wayland_host_socket, wayland_container_socket[1:]):
+        raise OSError("Failed to bind Wayland socket")
+
+    # Make sure PULSE_RUNTIME_DIR exists
+    pulse_host_socket = os.path.join(session["pulse_runtime_path"], "native")
+    pulse_container_socket = os.path.join(tools.config.defaults["container_pulse_runtime_path"], "native")
+    make_entry(pulse_host_socket, pulse_container_socket[1:])
+
+    if not make_entry(session["waydroid_data"], "data", options="rbind 0 0"):
+        raise OSError("Failed to bind userdata")
+
+    lxc_path = tools.config.defaults["lxc"] + "/waydroid"
+    config_nodes_tmp_path = args.work + "/config_session"
+    config_nodes = open(config_nodes_tmp_path, "w")
+    for node in nodes:
+        config_nodes.write(node + "\n")
+    config_nodes.close()
+    command = ["mv", config_nodes_tmp_path, lxc_path]
+    tools.helpers.run.user(args, command)

 
 def make_base_props(args):
     def find_hal(hardware):
 
 def make_base_props(args):
     def find_hal(hardware):


@@ -213,8 +247,12 @@ def make_base_props(args):
     if not os.path.exists("/dev/ashmem"):
         props.append("sys.use_memfd=true")
 
     if not os.path.exists("/dev/ashmem"):
         props.append("sys.use_memfd=true")
 

+    # Added for security reasons
+    props.append("ro.adb.secure=1")
+    props.append("ro.debuggable=0")
+

     egl = tools.helpers.props.host_get(args, "ro.hardware.egl")
     egl = tools.helpers.props.host_get(args, "ro.hardware.egl")

-    dri = tools.helpers.gpu.getDriNode(args)
+    dri, _ = tools.helpers.gpu.getDriNode(args)

 
     gralloc = find_hal("gralloc")
     if not gralloc:
 
     gralloc = find_hal("gralloc")
     if not gralloc:


@@ -224,6 +262,7 @@ def make_base_props(args):
         if dri:
             gralloc = "gbm"
             egl = "mesa"
         if dri:
             gralloc = "gbm"
             egl = "mesa"

+            props.append("gralloc.gbm.device=" + dri)

         else:
             gralloc = "default"
             egl = "swiftshader"
         else:
             gralloc = "default"
             egl = "swiftshader"


@@ -266,7 +305,7 @@ def make_base_props(args):
 
     opengles = tools.helpers.props.host_get(args, "ro.opengles.version")
     if opengles == "":
 
     opengles = tools.helpers.props.host_get(args, "ro.opengles.version")
     if opengles == "":

-        opengles = "196609"
+        opengles = "196610"

     props.append("ro.opengles.version=" + opengles)
 
     if args.images_path not in tools.config.defaults["preinstalled_images_paths"]:
     props.append("ro.opengles.version=" + opengles)
 
     if args.images_path not in tools.config.defaults["preinstalled_images_paths"]:


@@ -341,14 +380,31 @@ def setup_host_perms(args):
 
 def status(args):
     command = ["lxc-info", "-P", tools.config.defaults["lxc"], "-n", "waydroid", "-sH"]
 
 def status(args):
     command = ["lxc-info", "-P", tools.config.defaults["lxc"], "-n", "waydroid", "-sH"]

-    out = subprocess.run(command, stdout=subprocess.PIPE).stdout.decode('utf-8').strip()
-    os.chmod(args.log, 0o666)
-    return out
+    try:
+        return tools.helpers.run.user(args, command, output_return=True).strip()
+    except:
+        logging.info("Couldn't get LXC status. Assuming STOPPED.")
+        return "STOPPED"
+
+def wait_for_running(args):
+    lxc_status = status(args)
+    timeout = 10
+    while lxc_status != "RUNNING" and timeout > 0:
+        lxc_status = status(args)
+        logging.info(
+            "waiting {} seconds for container to start...".format(timeout))
+        timeout = timeout - 1
+        time.sleep(1)
+    if lxc_status != "RUNNING":
+        raise OSError("container failed to start")

 
 def start(args):
     command = ["lxc-start", "-P", tools.config.defaults["lxc"],
                "-F", "-n", "waydroid", "--", "/init"]
     tools.helpers.run.user(args, command, output="background")
 
 def start(args):
     command = ["lxc-start", "-P", tools.config.defaults["lxc"],
                "-F", "-n", "waydroid", "--", "/init"]
     tools.helpers.run.user(args, command, output="background")

+    wait_for_running(args)
+    # Workaround lxc-start changing stdout/stderr permissions to 700
+    os.chmod(args.log, 0o666)

 
 def stop(args):
     command = ["lxc-stop", "-P",
 
 def stop(args):
     command = ["lxc-stop", "-P",


@@ -364,22 +420,95 @@ def unfreeze(args):
                tools.config.defaults["lxc"], "-n", "waydroid"]
     tools.helpers.run.user(args, command)
 
                tools.config.defaults["lxc"], "-n", "waydroid"]
     tools.helpers.run.user(args, command)
 

+ANDROID_ENV = {
+    "PATH": "/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin",
+    "ANDROID_ROOT": "/system",
+    "ANDROID_DATA": "/data",
+    "ANDROID_STORAGE": "/storage",
+    "ANDROID_ART_ROOT": "/apex/com.android.art",
+    "ANDROID_I18N_ROOT": "/apex/com.android.i18n",
+    "ANDROID_TZDATA_ROOT": "/apex/com.android.tzdata",
+    "ANDROID_RUNTIME_ROOT": "/apex/com.android.runtime",
+    "BOOTCLASSPATH": "/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/core-icu4j.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/framework-atb-backward-compatibility.jar:/apex/com.android.conscrypt/javalib/conscrypt.jar:/apex/com.android.media/javalib/updatable-media.jar:/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar:/apex/com.android.os.statsd/javalib/framework-statsd.jar:/apex/com.android.permission/javalib/framework-permission.jar:/apex/com.android.sdkext/javalib/framework-sdkextensions.jar:/apex/com.android.wifi/javalib/framework-wifi.jar:/apex/com.android.tethering/javalib/framework-tethering.jar"
+}
+
+def android_env_attach_options(args):
+    local_env = ANDROID_ENV.copy()
+    # Include CLASSPATH env that was generated by Android
+    command = ["lxc-attach", "-P", tools.config.defaults["lxc"],
+               "-n", "waydroid", "--clear-env", "--",
+               "/system/bin/cat" ,"/data/system/environ/classpath"]
+    allowed = ["CLASSPATH", "SYSTEMSERVER"]
+    try:
+        p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+        out, _ = p.communicate()
+        if p.returncode == 0:
+            for line in out.decode().splitlines():
+                _, k, v = line.split(' ', 2)
+                if any(pattern in k for pattern in allowed):
+                    local_env[k] = v
+    except:
+        pass
+    env = [k + "=" + v for k, v in local_env.items()]
+    return [x for var in env for x in ("--set-var", var)]
+

 def shell(args):
 def shell(args):

-    if status(args) != "RUNNING":
-        logging.error("WayDroid container is {}".format(status(args)))
+    state = status(args)
+    if state == "FROZEN":
+        unfreeze(args)
+    elif state != "RUNNING":
+        logging.error("WayDroid container is {}".format(state))

         return
     command = ["lxc-attach", "-P", tools.config.defaults["lxc"],
         return
     command = ["lxc-attach", "-P", tools.config.defaults["lxc"],

-               "-n", "waydroid", "--"]
+               "-n", "waydroid", "--clear-env"]
+    command.extend(android_env_attach_options(args))
+    if args.uid!=None:
+        command.append("--uid="+str(args.uid))
+    if args.gid!=None:
+        command.append("--gid="+str(args.gid))
+    elif args.uid!=None:
+        command.append("--gid="+str(args.uid))
+    if args.nolsm or args.allcaps or args.nocgroup:
+        elevatedprivs = "--elevated-privileges="
+        addpipe = False
+        if args.nolsm:
+            if addpipe:
+                elevatedprivs+="|"
+            elevatedprivs+="LSM"
+            addpipe = True
+        if args.allcaps:
+            if addpipe:
+                elevatedprivs+="|"
+            elevatedprivs+="CAP"
+            addpipe = True
+        if args.nocgroup:
+            if addpipe:
+                elevatedprivs+="|"
+            elevatedprivs+="CGROUP"
+            addpipe = True
+        command.append(elevatedprivs)
+    if args.context!=None and not args.nolsm:
+        command.append("--context="+args.context)
+    command.append("--")

     if args.COMMAND:
     if args.COMMAND:

-        command.append(args.COMMAND)
+        command.extend(args.COMMAND)

     else:
         command.append("/system/bin/sh")
     else:
         command.append("/system/bin/sh")

-    subprocess.run(command, env={"PATH": os.environ['PATH'] + ":/system/bin:/vendor/bin"})
+
+    try:
+        subprocess.run(command)
+    except KeyboardInterrupt:
+        pass
+
+    if state == "FROZEN":
+        freeze(args)

 
 def logcat(args):
 
 def logcat(args):

-    if status(args) != "RUNNING":
-        logging.error("WayDroid container is {}".format(status(args)))
-        return
-    command = ["lxc-attach", "-P", tools.config.defaults["lxc"],
-               "-n", "waydroid", "--", "/system/bin/logcat"]
-    subprocess.run(command)
+    args.COMMAND = ["/system/bin/logcat"]
+    args.uid = None
+    args.gid = None
+    args.nolsm = None
+    args.allcaps = None
+    args.nocgroup = None
+    args.context = None
+    shell(args)