]> glassweightruler.freedombox.rocks Git - waydroid.git/blobdiff - tools/helpers/lxc.py
projects / waydroid.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Change apparmor profile at runtime
[waydroid.git] / tools / helpers / lxc.py
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index 45d5e5d0947136bf1f2b2baefb0de2a9b2284b53..e1a81e04ddb0396c41c75b002a8e9c5df58940f3 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -127,6 +127,15 @@ def generate_nodes_lxc_config(args):
 
     return nodes
 
+LXC_APPARMOR_PROFILE = "lxc-waydroid"
+def get_apparmor_status(args):
+    enabled = False
+    if shutil.which("aa-status"):
+        enabled = (tools.helpers.run.user(args, ["aa-status", "--quiet"], check=False) == 0)
+    if not enabled and shutil.which("systemctl"):
+        enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
+    enabled &= os.path.exists(os.path.join("/etc/apparmor.d/lxc", LXC_APPARMOR_PROFILE))
+    return enabled
 
 def set_lxc_config(args):
     lxc_path = tools.config.defaults["lxc"] + "/waydroid"
@@ -154,6 +163,9 @@ def set_lxc_config(args):
     tools.helpers.run.user(args, command)
     command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
     tools.helpers.run.user(args, command)
+    if get_apparmor_status(args):
+        command = ["sed", "-i", "-E", "/lxc.aa_profile|lxc.apparmor.profile/ s/unconfined/{}/g".format(LXC_APPARMOR_PROFILE), lxc_path + "/config"]
+        tools.helpers.run.user(args, command)
 
     nodes = generate_nodes_lxc_config(args)
     config_nodes_tmp_path = args.work + "/config_nodes"
https://github.com/waydroid/waydroid