--- /dev/null
+#include <tunables/global>
+
+profile adbd flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/base>
+ /** ix,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /** r,
+ /storage** rwkl,
+ /data** rwkl,
+ /proc** rw,
+ /sys** rw,
+ /dev** rw,
+ /tmp** rw,
+ /var** rw,
+ /run** rw,
+ /mnt** rw,
+ /apex** rw,
+ mount,
+ umount,
+
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability mknod,
+ capability syslog,
+ capability chown,
+ capability sys_resource,
+ capability fowner,
+
+ ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=lxc-waydroid,
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (send) peer=adbd//&lxc-waydroid,
+ signal (receive),
+
+}
+
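Review bot: The path globs in this profile have no `/` before `**`, so they match sibling prefixes as well as the intended tree: `/sys** rw` also covers `/system/...`, and `/data** rwkl` covers any path that merely begins with `/data`. Writing each as a directory pair, for example `/sys/ rw,` plus `/sys/** rw,`, keeps a rule to the one tree it names. The same pattern appears in the lxc-waydroid profile (`/sys** rw`, `/data** rwkl`, `/system** k`) and in android_app. Separately, `/** ix` combined with unqualified `mount`/`umount`, `capability sys_admin` and rw on `/proc**` and `/dev**` restricts little beyond what unconfined allowed. A header comment saying this is a permissive baseline to be tightened, and removing the duplicated `capability wake_alarm` and `/dev** rw` lines, would make that explicit.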
--- /dev/null
+#include <tunables/global>
+
+profile android_app flags=(mediate_deleted,attach_disconnected) {
+ #include <abstractions/base>
+ /** ix,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /* r,
+ deny pivot_root,
+ deny dbus,
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ mount fstype=tmpfs -> /storage**,
+ mount options in (rw,bind) options in (rw,rbind) -> /storage**,
+ mount /dev/fuse -> /storage**,
+ mount -> /,
+ umount /storage**,
+
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,trace,readby,tracedby) peer=lxc-waydroid,
+ ptrace (read,trace,readby,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (receive) peer=adbd//&lxc-waydroid,
+ signal (send,receive) peer=lxc-waydroid,
+ signal (receive),
+
+ /acct** rwkl,
+ owner /data** rwkl,
+ /data/app** r,
+ /data/misc** r,
+ /data/lineageos_updates** r,
+ /apex** mr,
+ /data/system_ce/** rw,
+ /data/data/com.android** rw,
+ /data/misc/profiles** rw,
+ /data/user_de/** rw,
+ /storage** rwkl,
+ /data/tombstone** rw,
+ /mnt/user** rw,
+ owner /proc** rw,
+ /proc** r,
+ /proc/*/timerslack_ns w,
+ /system/bin** mr,
+ /system/lib** mr,
+ /system** r,
+ /sys** r,
+ /sys/kernel/debug/tracing** w,
+ /vendor** r,
+ /vendor_extra** r,
+
+# This seems to be important for Magisk to function
+# /system/framework** wk,
+
+
+}
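Review bot: `/data/data/com.android** rw` is neither `owner`-qualified nor terminated at a package boundary. Every process under android_app may therefore read and write the data directory of any package whose name starts with `com.android`, limited only by DAC. If only system packages are meant, an `owner` qualifier or an explicit package list would state that; otherwise a comment should explain why cross-package access is required. `mount -> /,` likewise has no fstype or options, unlike the `/storage**` mount rules next to it, and deserves the same scoping or a comment naming the component that needs it.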
lxc.init_cmd = /init
-lxc.aa_profile = unconfined
+lxc.aa_profile = lxc-waydroid
lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
lxc.network.type = veth
lxc.uts.name = waydroid
-lxc.apparmor.profile = unconfined
+lxc.apparmor.profile = lxc-waydroid
lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
lxc.no_new_privs = 1
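Review bot: Both templates now name `lxc-waydroid` unconditionally (`lxc.aa_profile` in the earlier hunk, `lxc.apparmor.profile` here), while the installer in this same change treats profile installation as best-effort and only logs a warning. What LXC does when the named profile is not loaded is not visible in this diff. It should be confirmed that such a host either refuses to start the container or is handled deliberately, and the templates should carry a comment such as `# requires the lxc-waydroid AppArmor profile to be loaded on the host`.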
--- /dev/null
+#include <tunables/global>
+
+profile lxc-waydroid flags=(mediate_deleted,attach_disconnected) {
+ #include <abstractions/base>
+ /** ix,
+ /system/bin/app_process Pix -> lxc-waydroid//&android_app,
+ /system/bin/app_process32 Pix -> lxc-waydroid//&android_app,
+ /system/bin/app_process64 Pix -> lxc-waydroid//&android_app,
+ /system/bin/adbd Pix -> lxc-waydroid//&adbd,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /** r,
+ /acct** rwkl,
+ /acct rwkl,
+ /storage** rwkl,
+ /data** rwkl,
+ /proc** rw,
+ /sys** rw,
+ /dev** rw,
+ /tmp** rw,
+ /var** rw,
+ /run** rw,
+ /mnt** rw,
+ /apex** rw,
+ /sbin** rw,
+ /system** k,
+ mount,
+ umount,
+
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability mknod,
+ capability syslog,
+ capability chown,
+ capability sys_resource,
+ capability fowner,
+ capability sys_module,
+ capability ipc_lock,
+ capability sys_chroot,
+
+ ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=lxc-waydroid,
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (send) peer=adbd//&lxc-waydroid,
+ signal (receive),
+
+}
+
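Review bot: `capability sys_module` is allowed in the container's base profile, and with `/** ix` every binary other than app_process and adbd inherits it. The container shares the host kernel, so a module loaded from inside it affects the whole host. Unless something in the Android init path is known to need it, the line should be dropped, or kept with a comment naming the consumer. Whether LXC's own capability configuration already removes it is not visible here. The `Pix -> lxc-waydroid//&android_app` and `//&adbd` transitions also fall back to inheriting this broader profile when the target profile is not loaded, so the three profiles should be documented as a set that is loaded together.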
raise OSError("LXC is not installed")
config_paths = tools.config.tools_src + "/data/configs/config_"
seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
+ apparmor_profiles = [tools.config.tools_src + "/data/configs/" + "lxc-waydroid",tools.config.tools_src + "/data/configs/" + "android_app",tools.config.tools_src + "/data/configs/" + "adbd"]
+ apparmor_profile_dir = "/etc/apparmor.d/"
config_snippets = [ config_paths + "base" ]
# lxc v1 is a bit special because some options got renamed later
command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
tools.helpers.run.user(args, command)
+ try:
+ command = ["cp", "-i", apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "lxc/lxc-waydroid"]
+ tools.helpers.run.user(args, command)
+ command = ["cp", "-i", apparmor_profiles[1], apparmor_profile_dir + "android_app"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "android_app"]
+ tools.helpers.run.user(args, command)
+ command = ["cp", "-i", apparmor_profiles[2], apparmor_profile_dir + "adbd"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "adbd"]
+ tools.helpers.run.user(args, command)
+ except:
+ logging.warning("An error has occurred while installing AppArmor profiles. If profiles are not installed, or AppArmor is disabled or not supported on your system, then the container will run without AppArmor protection.")
+
nodes = generate_nodes_lxc_config(args)
config_nodes_tmp_path = args.work + "/config_nodes"
config_nodes = open(config_nodes_tmp_path, "w")
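Review bot: The bare `except:` around all six commands also catches KeyboardInterrupt and SystemExit, discards which step failed, and stops at the first failure so the remaining profiles are never attempted. One try per profile with `except Exception as e:` and the exception text in the warning keeps the best-effort behaviour while making a failure diagnosable. `cp -i` asks before overwriting, so on a re-run an already-installed profile is either left stale or the call waits on stdin, depending on how `tools.helpers.run.user` wires stdin; the seccomp copy just above uses `-f`. The enclosing function starts outside the hunk, and the destination names below mirror the ones the hunk already uses.

```python
    # ... unchanged: seccomp profile copy ...
    destinations = ("lxc/lxc-waydroid", "android_app", "adbd")
    for src, dest in zip(apparmor_profiles, destinations):
        target = apparmor_profile_dir + dest
        try:
            tools.helpers.run.user(args, ["cp", "-f", src, target])
            tools.helpers.run.user(args, ["apparmor_parser", "-r", target])
        except Exception as e:
            # Best-effort: report the profile and the cause, then try the next one.
            logging.warning("Could not install AppArmor profile %s: %s", target, e)
    # ... unchanged: generate_nodes_lxc_config and config_nodes handling ...
```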