Adding AppArmor profiles for the container.

diff --git a/data/configs/adbd b/data/configs/adbd
new file mode 100644 (file)
index 0000000..714e672
--- /dev/null
+++ b/data/configs/adbd
@@ -0,0 +1,58 @@
+#include <tunables/global>
+
+profile adbd flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  /** ix,
+  /dev** rw,
+  network,
+  unix,
+  owner /proc** rw,
+  / r,
+  /** r,
+  /storage** rwkl,
+  /data** rwkl,
+  /proc** rw,
+  /sys** rw,
+  /dev** rw,
+  /tmp** rw,
+  /var** rw,
+  /run** rw,
+  /mnt** rw,
+  /apex** rw,
+  mount,
+  umount,
+
+  capability sys_nice,
+  capability wake_alarm,
+  capability setpcap,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+  capability sys_admin,
+  capability wake_alarm,
+  capability block_suspend,
+  capability sys_time,
+  capability net_admin,
+  capability net_raw,
+  capability net_bind_service,
+  capability kill,
+  capability dac_override,
+  capability dac_read_search,
+  capability fsetid,
+  capability mknod,
+  capability syslog,
+  capability chown,
+  capability sys_resource,
+  capability fowner,
+
+  ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+  ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+  ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+  signal (send,receive) peer=lxc-waydroid,
+  signal (send,receive) peer=android_app//&lxc-waydroid,
+  signal (send) peer=adbd//&lxc-waydroid,
+  signal (receive),
+  
+}
+

diff --git a/data/configs/android_app b/data/configs/android_app
new file mode 100644 (file)
index 0000000..4ac9883
--- /dev/null
+++ b/data/configs/android_app
@@ -0,0 +1,72 @@
+#include <tunables/global>
+
+profile android_app flags=(mediate_deleted,attach_disconnected) {
+  #include <abstractions/base>
+  /** ix,
+  /dev** rw,
+  network,
+  unix,
+  owner /proc** rw,
+  / r,
+  /* r,
+  deny pivot_root,
+  deny dbus,
+  capability sys_nice,
+  capability wake_alarm,
+  capability setpcap,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+  capability sys_admin,
+  capability wake_alarm,
+  capability block_suspend,
+  capability sys_time,
+  capability net_admin,
+  capability net_raw,
+  capability net_bind_service,
+  capability kill,
+  capability dac_override,
+  mount fstype=tmpfs -> /storage**,
+  mount options in (rw,bind) options in (rw,rbind) -> /storage**,
+  mount /dev/fuse -> /storage**,
+  mount -> /,
+  umount /storage**,
+
+  ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+  ptrace (read,trace,readby,tracedby) peer=lxc-waydroid,
+  ptrace (read,trace,readby,tracedby) peer=adbd//&lxc-waydroid,
+
+  signal (send,receive) peer=android_app//&lxc-waydroid,
+  signal (receive) peer=adbd//&lxc-waydroid,
+  signal (send,receive) peer=lxc-waydroid,
+  signal (receive),
+
+  /acct** rwkl,
+  owner /data** rwkl,
+  /data/app** r,
+  /data/misc** r,
+  /data/lineageos_updates** r,
+  /apex** mr,
+  /data/system_ce/** rw,
+  /data/data/com.android** rw,
+  /data/misc/profiles** rw,
+  /data/user_de/** rw,
+  /storage** rwkl,
+  /data/tombstone** rw,
+  /mnt/user** rw,
+  owner /proc** rw,
+  /proc** r,
+  /proc/*/timerslack_ns w,
+  /system/bin** mr,
+  /system/lib** mr,
+  /system** r,
+  /sys** r,
+  /sys/kernel/debug/tracing** w,
+  /vendor** r,
+  /vendor_extra** r,
+
+# This seems to be important for Magisk to function
+#  /system/framework** wk,
+
+  
+}

diff --git a/data/configs/config_1 b/data/configs/config_1
index 365cac307b34b88c046f93a5afbdfbd2ceb1440c..52f1261a7d6df5911a28cf2d4c668baf2bc6e458 100644 (file)
--- a/data/configs/config_1
+++ b/data/configs/config_1
@@ -2,7 +2,7 @@ lxc.utsname = waydroid
 
 lxc.init_cmd = /init
 
 
 lxc.init_cmd = /init
 

-lxc.aa_profile = unconfined
+lxc.aa_profile = lxc-waydroid

 lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 
 lxc.network.type = veth
 lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 
 lxc.network.type = veth

diff --git a/data/configs/config_2 b/data/configs/config_2
index dcc6fc4de25b6cb784a4283d9ba7999cdb423652..2d5498aaeebfcf07bfcd81f5653ed1852f46a800 100644 (file)
--- a/data/configs/config_2
+++ b/data/configs/config_2
@@ -1,6 +1,6 @@
 lxc.uts.name = waydroid
 
 lxc.uts.name = waydroid
 

-lxc.apparmor.profile = unconfined
+lxc.apparmor.profile = lxc-waydroid

 lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 
 lxc.no_new_privs = 1
 lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 
 lxc.no_new_privs = 1

diff --git a/data/configs/lxc-waydroid b/data/configs/lxc-waydroid
new file mode 100644 (file)
index 0000000..45f6d77
--- /dev/null
+++ b/data/configs/lxc-waydroid
@@ -0,0 +1,69 @@
+#include <tunables/global>
+
+profile lxc-waydroid flags=(mediate_deleted,attach_disconnected) {
+  #include <abstractions/base>
+  /** ix,
+  /system/bin/app_process Pix -> lxc-waydroid//&android_app,
+  /system/bin/app_process32 Pix -> lxc-waydroid//&android_app,
+  /system/bin/app_process64 Pix -> lxc-waydroid//&android_app,
+  /system/bin/adbd Pix -> lxc-waydroid//&adbd,
+  /dev** rw,
+  network,
+  unix,
+  owner /proc** rw,
+  / r,
+  /** r,
+  /acct** rwkl,
+  /acct rwkl,
+  /storage** rwkl,
+  /data** rwkl,
+  /proc** rw,
+  /sys** rw,
+  /dev** rw,
+  /tmp** rw,
+  /var** rw,
+  /run** rw,
+  /mnt** rw,
+  /apex** rw,
+  /sbin** rw,
+  /system** k,
+  mount,
+  umount,
+
+  capability sys_nice,
+  capability wake_alarm,
+  capability setpcap,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+  capability sys_admin,
+  capability wake_alarm,
+  capability block_suspend,
+  capability sys_time,
+  capability net_admin,
+  capability net_raw,
+  capability net_bind_service,
+  capability kill,
+  capability dac_override,
+  capability dac_read_search,
+  capability fsetid,
+  capability mknod,
+  capability syslog,
+  capability chown,
+  capability sys_resource,
+  capability fowner,
+  capability sys_module,
+  capability ipc_lock,
+  capability sys_chroot,
+
+  ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+  ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+  ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+  signal (send,receive) peer=lxc-waydroid,
+  signal (send,receive) peer=android_app//&lxc-waydroid,
+  signal (send) peer=adbd//&lxc-waydroid,
+  signal (receive),
+  
+}
+

diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index 45d5e5d0947136bf1f2b2baefb0de2a9b2284b53..d77493600b06409142e3ef052f70e6c652a4ad5e 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -135,6 +135,8 @@ def set_lxc_config(args):
         raise OSError("LXC is not installed")
     config_paths = tools.config.tools_src + "/data/configs/config_"
     seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
         raise OSError("LXC is not installed")
     config_paths = tools.config.tools_src + "/data/configs/config_"
     seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"

+    apparmor_profiles = [tools.config.tools_src + "/data/configs/" + "lxc-waydroid",tools.config.tools_src + "/data/configs/" + "android_app",tools.config.tools_src + "/data/configs/" + "adbd"]
+    apparmor_profile_dir = "/etc/apparmor.d/"

 
     config_snippets = [ config_paths + "base" ]
     # lxc v1 is a bit special because some options got renamed later
 
     config_snippets = [ config_paths + "base" ]
     # lxc v1 is a bit special because some options got renamed later


@@ -155,6 +157,22 @@ def set_lxc_config(args):
     command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
     tools.helpers.run.user(args, command)
 
     command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
     tools.helpers.run.user(args, command)
 

+    try:
+        command = ["cp", "-i", apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"]
+        tools.helpers.run.user(args, command)
+        command = ["apparmor_parser", "-r", apparmor_profile_dir + "lxc/lxc-waydroid"]
+        tools.helpers.run.user(args, command)
+        command = ["cp", "-i", apparmor_profiles[1], apparmor_profile_dir + "android_app"]
+        tools.helpers.run.user(args, command)
+        command = ["apparmor_parser", "-r", apparmor_profile_dir + "android_app"]
+        tools.helpers.run.user(args, command)
+        command = ["cp", "-i", apparmor_profiles[2], apparmor_profile_dir + "adbd"]
+        tools.helpers.run.user(args, command)
+        command = ["apparmor_parser", "-r", apparmor_profile_dir + "adbd"]
+        tools.helpers.run.user(args, command)
+    except:
+        logging.warning("An error has occurred while installing AppArmor profiles. If profiles are not installed, or AppArmor is disabled or not supported on your system, then the container will run without AppArmor protection.")
+

     nodes = generate_nodes_lxc_config(args)
     config_nodes_tmp_path = args.work + "/config_nodes"
     config_nodes = open(config_nodes_tmp_path, "w")
     nodes = generate_nodes_lxc_config(args)
     config_nodes_tmp_path = args.work + "/config_nodes"
     config_nodes = open(config_nodes_tmp_path, "w")