From: Азалия Смарагдова
Date: Tue, 11 Oct 2022 14:30:08 +0000 (+0500)
Subject: Adding AppArmor profiles for the container.
X-Git-Tag: 1.3.4~21
X-Git-Url: https://glassweightruler.freedombox.rocks/gitweb/waydroid.git/commitdiff_plain/0b73886b71273abd753184c88081127ca96c6c83?ds=sidebyside
Adding AppArmor profiles for the container.
---
diff --git a/data/configs/adbd b/data/configs/adbd
new file mode 100644
index 0000000..714e672
--- /dev/null
+++ b/data/configs/adbd
@@ -0,0 +1,58 @@
+#include
+
+profile adbd flags=(attach_disconnected,mediate_deleted) {
+ #include
+ /** ix,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /** r,
+ /storage** rwkl,
+ /data** rwkl,
+ /proc** rw,
+ /sys** rw,
+ /dev** rw,
+ /tmp** rw,
+ /var** rw,
+ /run** rw,
+ /mnt** rw,
+ /apex** rw,
+ mount,
+ umount,
+
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability mknod,
+ capability syslog,
+ capability chown,
+ capability sys_resource,
+ capability fowner,
+
+ ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=lxc-waydroid,
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (send) peer=adbd//&lxc-waydroid,
+ signal (receive),
+
+}
+
diff --git a/data/configs/android_app b/data/configs/android_app
new file mode 100644
index 0000000..4ac9883
--- /dev/null
+++ b/data/configs/android_app
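Review bot: The adbd profile grants bare `mount,` and `umount,` together with `capability sys_admin,`, so a shell obtained over adb can remount or bind-mount anything in the container's mount namespace; the android_app profile in the same commit already shows the narrower form (`mount fstype=tmpfs -> /storage**,`, `umount /storage**,`), and adbd should get the same treatment unless adbd itself demonstrably needs to mount. With `/proc** rw`, `/sys** rw` and `/** ix` on top of that, the profile denies very little for the one process that is reachable from outside the container, which is defensible as a first cut but deserves a header comment saying so, e.g. `# Deliberately loose first profile for adbd: mount/sys_admin are still unrestricted.` Minor: `capability wake_alarm,` and `/dev** rw,` are each listed twice and `owner /proc** rw,` is subsumed by `/proc** rw,`; removing the duplicates makes later tightening easier to review.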
@@ -0,0 +1,72 @@
+#include
+
+profile android_app flags=(mediate_deleted,attach_disconnected) {
+ #include
+ /** ix,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /* r,
+ deny pivot_root,
+ deny dbus,
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ mount fstype=tmpfs -> /storage**,
+ mount options in (rw,bind) options in (rw,rbind) -> /storage**,
+ mount /dev/fuse -> /storage**,
+ mount -> /,
+ umount /storage**,
+
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,trace,readby,tracedby) peer=lxc-waydroid,
+ ptrace (read,trace,readby,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (receive) peer=adbd//&lxc-waydroid,
+ signal (send,receive) peer=lxc-waydroid,
+ signal (receive),
+
+ /acct** rwkl,
+ owner /data** rwkl,
+ /data/app** r,
+ /data/misc** r,
+ /data/lineageos_updates** r,
+ /apex** mr,
+ /data/system_ce/** rw,
+ /data/data/com.android** rw,
+ /data/misc/profiles** rw,
+ /data/user_de/** rw,
+ /storage** rwkl,
+ /data/tombstone** rw,
+ /mnt/user** rw,
+ owner /proc** rw,
+ /proc** r,
+ /proc/*/timerslack_ns w,
+ /system/bin** mr,
+ /system/lib** mr,
+ /system** r,
+ /sys** r,
+ /sys/kernel/debug/tracing** w,
+ /vendor** r,
+ /vendor_extra** r,
+
+# This seems to be important for Magisk to function
+# /system/framework** wk,
+
+
+}
diff --git a/data/configs/config_1 b/data/configs/config_1
index 365cac3..52f1261 100644
--- a/data/configs/config_1
+++ b/data/configs/config_1
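Review bot: `mount -> /,` lets an app process mount any filesystem type with any options over the container root, and combined with `capability sys_admin,` it is the one rule in this profile that allows a compromised app to change what every other process sees; the neighbouring rules already show the intended shape (`mount fstype=tmpfs -> /storage**,`), so this one should be qualified with the fstype or options app_process actually needs, or moved into the lxc-waydroid profile if only init performs that mount. `/sys/kernel/debug/tracing** w` hands every app write access to the ftrace interface (the host's, if debugfs is mounted into the container) and reads like a debugging leftover that should carry a comment or be dropped. `/proc** r` without the `owner` qualifier also lets any app read other processes' `/proc` entries, which the already-present `owner /proc** rw,` would otherwise confine. The commented-out `/system/framework** wk` line with "seems to be important for Magisk" is better expressed as a comment stating when the rule is required than as dead code.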
@@ -2,7 +2,7 @@ lxc.utsname = waydroid
lxc.init_cmd = /init
-lxc.aa_profile = unconfined
+lxc.aa_profile = lxc-waydroid
lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
lxc.network.type = veth
diff --git a/data/configs/config_2 b/data/configs/config_2
index dcc6fc4..2d5498a 100644
--- a/data/configs/config_2
+++ b/data/configs/config_2
@@ -1,6 +1,6 @@
lxc.uts.name = waydroid
-lxc.apparmor.profile = unconfined
+lxc.apparmor.profile = lxc-waydroid
lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
lxc.no_new_privs = 1
diff --git a/data/configs/lxc-waydroid b/data/configs/lxc-waydroid
new file mode 100644
index 0000000..45f6d77
--- /dev/null
+++ b/data/configs/lxc-waydroid
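Review bot: Both config files now name `lxc-waydroid` unconditionally, while the installer in `tools/helpers/lxc.py` treats loading that profile as best-effort; in my experience LXC refuses to start a container whose `lxc.apparmor.profile` is not loaded in the kernel, so a host without AppArmor, or one where the copy into `/etc/apparmor.d` failed, goes from "unconfined" to "does not start" rather than to the warned-about degraded mode. Either the installer should write `unconfined` here when the profile could not be loaded, or the warning should say that the container will not start. `config_2` keeps `lxc.no_new_privs = 1`, which, as far as I know, is the reason the new profiles must use stacked transitions (`Pix -> lxc-waydroid//&android_app`) instead of plain `Px`; a comment above it, `# no_new_privs only permits stacked AppArmor transitions; keep the profile//&child form in the Pix rules`, would stop the next editor from "simplifying" them. Only part of each config file is visible in these hunks.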
@@ -0,0 +1,69 @@
+#include
+
+profile lxc-waydroid flags=(mediate_deleted,attach_disconnected) {
+ #include
+ /** ix,
+ /system/bin/app_process Pix -> lxc-waydroid//&android_app,
+ /system/bin/app_process32 Pix -> lxc-waydroid//&android_app,
+ /system/bin/app_process64 Pix -> lxc-waydroid//&android_app,
+ /system/bin/adbd Pix -> lxc-waydroid//&adbd,
+ /dev** rw,
+ network,
+ unix,
+ owner /proc** rw,
+ / r,
+ /** r,
+ /acct** rwkl,
+ /acct rwkl,
+ /storage** rwkl,
+ /data** rwkl,
+ /proc** rw,
+ /sys** rw,
+ /dev** rw,
+ /tmp** rw,
+ /var** rw,
+ /run** rw,
+ /mnt** rw,
+ /apex** rw,
+ /sbin** rw,
+ /system** k,
+ mount,
+ umount,
+
+ capability sys_nice,
+ capability wake_alarm,
+ capability setpcap,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_admin,
+ capability wake_alarm,
+ capability block_suspend,
+ capability sys_time,
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability kill,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability mknod,
+ capability syslog,
+ capability chown,
+ capability sys_resource,
+ capability fowner,
+ capability sys_module,
+ capability ipc_lock,
+ capability sys_chroot,
+
+ ptrace (read,readby,trace,tracedby) peer=lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
+ ptrace (read,readby,trace,tracedby) peer=adbd//&lxc-waydroid,
+
+ signal (send,receive) peer=lxc-waydroid,
+ signal (send,receive) peer=android_app//&lxc-waydroid,
+ signal (send) peer=adbd//&lxc-waydroid,
+ signal (receive),
+
+}
+
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index 45d5e5d..d774936 100644
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
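Review bot: `capability sys_module,` in the container init's profile permits `init_module()` against the host kernel, which turns a compromise of init (or of anything that stays in this profile through `/** ix`) into host kernel code execution; as far as I can tell the binder/ashmem modules waydroid needs are loaded by the host-side tool, so this line should go unless something inside the container demonstrably loads modules, and the seccomp filter referenced by config_* should be checked for the same syscalls. The bare `mount,`, `umount,`, `capability sys_admin,` and `capability sys_chroot,` make this profile close to unconfined for init itself, which is defensible for a first cut but deserves a header comment stating that the real confinement lives in the `Pix -> lxc-waydroid//&android_app` and `//&adbd` transitions. Minor: `capability wake_alarm,` and `/dev** rw,` are listed twice, and `/** ix` overlaps the four `Pix` rules, which is fine if apparmor_parser resolves to the more specific exec qualifier but is worth a one-line comment stating that intent.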
@@ -135,6 +135,8 @@ def set_lxc_config(args):
raise OSError("LXC is not installed")
config_paths = tools.config.tools_src + "/data/configs/config_"
seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
+ apparmor_profiles = [tools.config.tools_src + "/data/configs/" + "lxc-waydroid",tools.config.tools_src + "/data/configs/" + "android_app",tools.config.tools_src + "/data/configs/" + "adbd"]
+ apparmor_profile_dir = "/etc/apparmor.d/"
config_snippets = [ config_paths + "base" ]
# lxc v1 is a bit special because some options got renamed later
@@ -155,6 +157,22 @@ def set_lxc_config(args):
command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
tools.helpers.run.user(args, command)
+ try:
+ command = ["cp", "-i", apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "lxc/lxc-waydroid"]
+ tools.helpers.run.user(args, command)
+ command = ["cp", "-i", apparmor_profiles[1], apparmor_profile_dir + "android_app"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "android_app"]
+ tools.helpers.run.user(args, command)
+ command = ["cp", "-i", apparmor_profiles[2], apparmor_profile_dir + "adbd"]
+ tools.helpers.run.user(args, command)
+ command = ["apparmor_parser", "-r", apparmor_profile_dir + "adbd"]
+ tools.helpers.run.user(args, command)
+ except:
+ logging.warning("An error has occurred while installing AppArmor profiles. If profiles are not installed, or AppArmor is disabled or not supported on your system, then the container will run without AppArmor protection.")
+
nodes = generate_nodes_lxc_config(args)
config_nodes_tmp_path = args.work + "/config_nodes"
config_nodes = open(config_nodes_tmp_path, "w")
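Review bot: `cp -i` is the wrong flag for an installer: when a profile already exists under `/etc/apparmor.d` it prompts on stdin, and with nothing to answer GNU cp keeps the old file and, as far as I can tell, still exits 0, so `apparmor_parser -r` reloads the stale profile and upgraded profiles never take effect — use `cp -f` (or `install -m 0644`). The bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`; catch `Exception` (or whatever `tools.helpers.run.user` raises) and include it in the warning. The warning says the container will run without AppArmor, but config_1/config_2 in this same commit hard-code `lxc-waydroid`, and LXC in my experience refuses to start a container whose profile is not loaded, so the message is misleading unless the config is rewritten to `unconfined` on failure. The three copy-pasted cp/parser pairs are clearer as a loop over (src, dst) pairs; `set_lxc_config` begins before and ends after this hunk.
```python
    # (src, dst) pairs; LXC looks for its own profiles under apparmor.d/lxc/.
    apparmor_installs = [
        (apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"),
        (apparmor_profiles[1], apparmor_profile_dir + "android_app"),
        (apparmor_profiles[2], apparmor_profile_dir + "adbd"),
    ]
    try:
        for src, dst in apparmor_installs:
            # -f, not -i: -i prompts on stdin and silently keeps a stale
            # profile when nothing answers, so the reload would pick up the old file.
            tools.helpers.run.user(args, ["cp", "-f", src, dst])
            tools.helpers.run.user(args, ["apparmor_parser", "-r", dst])
    except Exception as e:
        # NOTE(review): the LXC config still names lxc-waydroid, so the container
        # may fail to start rather than run unprotected; reset it to unconfined here.
        logging.warning("Failed to install AppArmor profiles (%s). The container will run without AppArmor protection only if the LXC config is reset to 'unconfined'.", e)
    # … unchanged: nodes = generate_nodes_lxc_config(args) and the config_nodes writer …
```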