From: Alessandro Astone
Date: Mon, 14 Nov 2022 22:10:08 +0000 (+0100)
Subject: Change apparmor profile at runtime
X-Git-Tag: 1.3.4~12
X-Git-Url: https://glassweightruler.freedombox.rocks/gitweb/waydroid.git/commitdiff_plain/ba10a1665073ab396f23a2624ae16214524065d1?ds=sidebyside
Change apparmor profile at runtime
---
diff --git a/Makefile b/Makefile
index a3ec1c8..c70814d 100644
--- a/Makefile
+++ b/Makefile
@@ -39,8 +39,6 @@ install_apparmor:
 	cp -f data/configs/apparmor_profiles/adbd $(INSTALL_APPARMOR_DIR)/adbd
 	cp -f data/configs/apparmor_profiles/android_app $(INSTALL_APPARMOR_DIR)/android_app
 	cp -f data/configs/apparmor_profiles/lxc-waydroid $(INSTALL_APPARMOR_DIR)/lxc/lxc-waydroid
-	sed --sandbox -i "/lxc.aa_profile/ s/unconfined/lxc-waydroid/g" $(DESTDIR)$(WAYDROID_DIR)/data/configs/config_1
-	sed --sandbox -i "/lxc.apparmor.profile/ s/unconfined/lxc-waydroid/g" $(DESTDIR)$(WAYDROID_DIR)/data/configs/config_2
 	# Load the profiles if not just packaging
 	if [ -z $(DESTDIR) ] && { aa-enabled --quiet || systemctl is-active -q apparmor; } 2>/dev/null; then \
 		apparmor_parser -r -T -W "$(INSTALL_APPARMOR_DIR)/adbd"; \
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index 45d5e5d..e1a81e0 100644
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -127,6 +127,15 @@ def generate_nodes_lxc_config(args):
     return nodes
+LXC_APPARMOR_PROFILE = "lxc-waydroid"
+def get_apparmor_status(args):
+    enabled = False
+    if shutil.which("aa-status"):
+        enabled = (tools.helpers.run.user(args, ["aa-status", "--quiet"], check=False) == 0)
+    if not enabled and shutil.which("systemctl"):
+        enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
+    enabled &= os.path.exists(os.path.join("/etc/apparmor.d/lxc", LXC_APPARMOR_PROFILE))
+    return enabled
 def set_lxc_config(args):
     lxc_path = tools.config.defaults["lxc"] + "/waydroid"
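Review bot: get_apparmor_status fails open: when `aa-status` is not on PATH, when it exits non-zero because the caller cannot read the AppArmor control files, or when the profile was installed under an `INSTALL_APPARMOR_DIR` other than `/etc/apparmor.d`, the function returns False and set_lxc_config leaves the container `unconfined` with nothing logged. The `os.path.exists` test on the profile source file also does not establish that the kernel has the profile loaded, which is what the `lxc.apparmor.profile` key needs; where securityfs is readable, the loaded-profile list at `/sys/kernel/security/apparmor/profiles` is the authoritative source and the file check only a fallback. The installer's own probe in the Makefile is `aa-enabled --quiet` while this code runs `aa-status --quiet`, whose exit status also reflects whether policy is loaded and whether the caller is privileged, so the two can disagree on the same host; aligning them, or documenting why they differ, would help. The function needs a docstring stating the contract, e.g. `"""Return True only when AppArmor is active and the lxc-waydroid profile is usable; False means the container starts unconfined."""`, and a warning on the False path (using whatever logger this module already has) so the fallback is visible to operators.
```python
LXC_APPARMOR_PROFILE = "lxc-waydroid"
# Loaded-profile list exposed by securityfs; one "name (mode)" entry per line.
APPARMOR_PROFILES_LIST = "/sys/kernel/security/apparmor/profiles"


def get_apparmor_status(args):
    """Return True only when AppArmor is active and the LXC profile is usable.

    A False result makes set_lxc_config leave the container unconfined, so
    every probe failure below is deliberately reported as "not available".
    """
    # … unchanged: aa-status / systemctl probes into `enabled` …
    if not enabled:
        return False
    # Prefer the kernel's view of loaded profiles over the presence of the
    # source file; fall back to the file check when securityfs is unreadable.
    try:
        with open(APPARMOR_PROFILES_LIST) as profiles:
            loaded = any(line.split(" (")[0] == LXC_APPARMOR_PROFILE for line in profiles)
    except OSError:
        loaded = os.path.exists(os.path.join("/etc/apparmor.d/lxc", LXC_APPARMOR_PROFILE))
    return loaded
```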
@@ -154,6 +163,9 @@ def set_lxc_config(args):
     tools.helpers.run.user(args, command)
     command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
     tools.helpers.run.user(args, command)
+    if get_apparmor_status(args):
+        command = ["sed", "-i", "-E", "/lxc.aa_profile|lxc.apparmor.profile/ s/unconfined/{}/g".format(LXC_APPARMOR_PROFILE), lxc_path + "/config"]
+        tools.helpers.run.user(args, command)
     nodes = generate_nodes_lxc_config(args)
     config_nodes_tmp_path = args.work + "/config_nodes"
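Review bot: The sed rewrite inside the new `if get_apparmor_status(args):` branch is never verified: it substitutes only a line that currently reads `unconfined`, so if the copied config ever carries a different key spelling, a commented-out line or a non-default value, the command exits 0 with no replacement and the container starts unconfined with no indication. Reading `lxc_path + "/config"` back and checking that `LXC_APPARMOR_PROFILE` appears on the `lxc.apparmor.profile`/`lxc.aa_profile` line, or doing the edit in Python and raising when neither key is found, would make that failure visible instead of silent. The removed Makefile lines ran sed with `--sandbox`, which disables the `e`/`r`/`w` commands; keeping it here costs nothing: `command = ["sed", "--sandbox", "-i", "-E", ...]`. The unescaped dots in `lxc.aa_profile|lxc.apparmor.profile` match any character under `-E`; `lxc\.aa_profile|lxc\.apparmor\.profile` is what is meant. set_lxc_config begins and ends outside this hunk.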