From: Alessandro Astone
Date: Thu, 22 Sep 2022 09:49:35 +0000 (+0200)
Subject: lxc: Finer-grained config control
X-Git-Tag: 1.3.3~3
X-Git-Url: https://glassweightruler.freedombox.rocks/gitweb/waydroid.git/commitdiff_plain/45ff58a6494a411788e6b4bbc6d1ca9735c5e018?ds=sidebyside
lxc: Finer-grained config control
Split config files into snippets isolating new LXC features by version. Move `seccomp.allow_nesting` to version 4 or higher. NOTE: this currently assumes that new LXC versions will keep compatibility with old config options. The only exception to this was LXC 1.x -> 2.x
---
diff --git a/data/configs/config_1 b/data/configs/config_1
index 33671c4..365cac3 100644
--- a/data/configs/config_1
+++ b/data/configs/config_1
@@ -1,18 +1,9 @@
-# Waydroid LXC Config
-
-lxc.rootfs.path = /var/lib/waydroid/rootfs
 lxc.utsname = waydroid
-lxc.arch = LXCARCH
-lxc.autodev = 0
-# lxc.autodev.tmpfs.size = 25000000
-lxc.aa_profile = unconfined
-lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
-
-lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot
 lxc.init_cmd = /init
-lxc.mount.auto = cgroup:ro sys:ro proc
+lxc.aa_profile = unconfined
+lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 lxc.network.type = veth
 lxc.network.flags = up
@@ -21,9 +12,3 @@ lxc.network.name = eth0
 lxc.network.hwaddr = 00:16:3e:f9:d3:03
 lxc.network.mtu = 1500
-lxc.console.path = none
-lxc.pty.max = 10
-
-lxc.include = /var/lib/waydroid/lxc/waydroid/config_nodes
-
-lxc.hook.post-stop = /dev/null
diff --git a/data/configs/config_2 b/data/configs/config_2
index 34537ec..dcc6fc4 100644
--- a/data/configs/config_2
+++ b/data/configs/config_2
@@ -1,21 +1,12 @@
-# Waydroid LXC Config
-
-lxc.rootfs.path = /var/lib/waydroid/rootfs
 lxc.uts.name = waydroid
-lxc.arch = LXCARCH
-lxc.autodev = 0
-# lxc.autodev.tmpfs.size = 25000000
+
 lxc.apparmor.profile = unconfined
 lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
-lxc.seccomp.allow_nesting = 1
-lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot
 lxc.no_new_privs = 1
 lxc.init.cmd = /init
-lxc.mount.auto = cgroup:ro sys:ro proc
-
 lxc.net.0.type = veth
 lxc.net.0.flags = up
 lxc.net.0.link = waydroid0
@@ -23,9 +14,3 @@ lxc.net.0.name = eth0
 lxc.net.0.hwaddr = 00:16:3e:f9:d3:03
 lxc.net.0.mtu = 1500
-lxc.console.path = none
-lxc.pty.max = 10
-
-lxc.include = /var/lib/waydroid/lxc/waydroid/config_nodes
-
-lxc.hook.post-stop = /dev/null
diff --git a/data/configs/config_4 b/data/configs/config_4
new file mode 100644
index 0000000..adecdad
--- /dev/null
+++ b/data/configs/config_4
@@ -0,0 +1,2 @@
+lxc.seccomp.allow_nesting = 1
+
diff --git a/data/configs/config_base b/data/configs/config_base
new file mode 100644
index 0000000..8bcff5c
--- /dev/null
+++ b/data/configs/config_base
@@ -0,0 +1,18 @@
+# Waydroid LXC Config
+
+lxc.rootfs.path = /var/lib/waydroid/rootfs
+lxc.arch = LXCARCH
+lxc.autodev = 0
+# lxc.autodev.tmpfs.size = 25000000
+
+lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot
+
+lxc.mount.auto = cgroup:ro sys:ro proc
+
+lxc.console.path = none
+lxc.pty.max = 10
+
+lxc.include = /var/lib/waydroid/lxc/waydroid/config_nodes
+
+lxc.hook.post-stop = /dev/null
+
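Review bot: `wake_alarm` is listed twice in the `lxc.cap.keep` line that config_base now carries; that line is the container's retained-capability allow-list, so it should stay deduplicated to remain easy to audit — drop the second `wake_alarm`. While the list is being relocated it is also worth checking whether `sys_module` (kernel module loading from inside the container) is really needed by the guest init; if not, removing it narrows what a compromised container can reach, but I cannot tell from this diff. Note too that config_base is now included for LXC 1 as well, and `lxc.rootfs.path`, `lxc.pty.max` and `lxc.console.path` are, as far as I recall, the 2.1+ spellings (1.x used `lxc.rootfs`, `lxc.pts`, `lxc.console`); these keys were already present in config_1 before this change, so this only matters if 1.x hosts are still a target.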
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index a13f838..ee84c61 100644
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -130,18 +130,25 @@ def generate_nodes_lxc_config(args):
 def set_lxc_config(args):
 lxc_path = tools.config.defaults["lxc"] + "/waydroid"
- config_file = "config_2"
 lxc_ver = get_lxc_version(args)
 if lxc_ver == 0:
 raise OSError("LXC is not installed")
- elif lxc_ver <= 2:
- config_file = "config_1"
- config_path = tools.config.tools_src + "/data/configs/" + config_file
+ config_paths = tools.config.tools_src + "/data/configs/config_"
 seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
+ config_snippets = [ config_paths + "base" ]
+ # lxc v1 is a bit special because some options got renamed later
+ if lxc_ver == 1:
+ config_snippets.append(config_paths + "1")
+ else:
+ for ver in range(2, 5):
+ snippet = config_paths + str(ver)
+ if lxc_ver >= ver and os.path.exists(snippet):
+ config_snippets.append(snippet)
+
 command = ["mkdir", "-p", lxc_path]
 tools.helpers.run.user(args, command)
- command = ["cp", "-fpr", config_path, lxc_path + "/config"]
+ command = ["sh", "-c", "cat {} > \"{}\"".format(' '.join('"{0}"'.format(w) for w in config_snippets), lxc_path + "/config")]
 tools.helpers.run.user(args, command)
 command = ["sed", "-i", "s/LXCARCH/{}/".format(platform.machine()), lxc_path + "/config"]
 tools.helpers.run.user(args, command)
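Review bot: The new `cat` command hands a shell string to `sh -c` and protects each path only by wrapping it in literal double quotes, so a `"`, `$`, backtick or `\` in `tools.config.tools_src` or `lxc_path` still reaches the shell even though `tools.helpers.run.user` already takes an argv list. Quote with `shlex.quote` instead: `"cat {} > {}".format(" ".join(shlex.quote(w) for w in config_snippets), shlex.quote(lxc_path + "/config"))`, adding `import shlex` to the file's import block, which is outside this hunk. A smaller issue is `for ver in range(2, 5)`: it caps the snippet search at `config_4`, so a future `config_5` would be silently ignored even though `lxc_ver >= ver` is already the real guard; `for ver in range(2, lxc_ver + 1):` behaves the same today and picks up new snippets. The old code used `config_1` for `lxc_ver <= 2` whereas the new `if lxc_ver == 1` routes LXC 2.x to `config_2`, whose `lxc.net.0.*` and `lxc.uts.name` keys I believe only arrived in 2.1, so this is worth confirming if 2.0 hosts are still supported. `set_lxc_config` continues past the end of the hunk.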