From ad285f35a95ae744a8ff40be2d1f79874b7865fe Mon Sep 17 00:00:00 2001
From: =?utf8?q?=D0=90=D0=B7=D0=B0=D0=BB=D0=B8=D1=8F=20=D0=A1=D0=BC=D0=B0?= =?utf8?q?=D1=80=D0=B0=D0=B3=D0=B4=D0=BE=D0=B2=D0=B0?=
Date: Sun, 13 Nov 2022 00:07:46 +0500
Subject: [PATCH] AppArmor policy setup has been moved to the Makefile
---
 Makefile | 11 +++++++++++
 data/configs/config_1 | 2 +-
 data/configs/config_2 | 2 +-
 tools/helpers/lxc.py | 18 ------------------
 4 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/Makefile b/Makefile
index 810902e..4652ea5 100644
--- a/Makefile
+++ b/Makefile
@@ -31,3 +31,14 @@ install:
 if [ $(USE_NFTABLES) = 1 ]; then \
 sed '/LXC_USE_NFT=/ s/false/true/' -i $(INSTALL_WAYDROID_DIR)/data/scripts/waydroid-net.sh; \
 fi
+
+apparmor:
+ cp -f data/configs/adbd /etc/apparmor.d/adbd
+ apparmor_parser -r /etc/apparmor.d/adbd
+ cp -f data/configs/android_app /etc/apparmor.d/android_app
+ apparmor_parser -r /etc/apparmor.d/android_app
+ cp -f data/configs/lxc-waydroid /etc/apparmor.d/lxc/lxc-waydroid
+ apparmor_parser -r /etc/apparmor.d/lxc/lxc-waydroid
+ sed --sandbox -i "s/lxc.aa_profile = unconfined/lxc.aa_profile = lxc-waydroid/g;" /var/lib/waydroid/lxc/waydroid/config
+ sed --sandbox -i "s/lxc.apparmor.profile = unconfined/lxc.apparmor.profile = lxc-waydroid/g;" /var/lib/waydroid/lxc/waydroid/config
+
diff --git a/data/configs/config_1 b/data/configs/config_1
index 52f1261..365cac3 100644
--- a/data/configs/config_1
+++ b/data/configs/config_1
@@ -2,7 +2,7 @@ lxc.utsname = waydroid
 lxc.init_cmd = /init
-lxc.aa_profile = lxc-waydroid
+lxc.aa_profile = unconfined
 lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 lxc.network.type = veth
diff --git a/data/configs/config_2 b/data/configs/config_2
index 2d5498a..dcc6fc4 100644
--- a/data/configs/config_2
+++ b/data/configs/config_2
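Review bot: The two `sed --sandbox -i` lines that close the new `apparmor` target patch `/var/lib/waydroid/lxc/waydroid/config`, which looks like a generated file: `set_lxc_config` in tools/helpers/lxc.py appears to build the container config from the `data/configs/config_*` templates, and this commit sets those templates to `unconfined`. If that is right, any later regeneration of the config silently puts the container back to unconfined, and running the target before the config exists makes `sed` fail only after the profiles have already been copied and loaded. I would put an existence check first in the recipe, e.g. `test -f /var/lib/waydroid/lxc/waydroid/config || { echo "container config not found" >&2; exit 1; }`, and add a comment above the target saying it must be re-run whenever the container config is regenerated. Note also that `cp -f` replaces the `cp -i` used by the removed Python code, so a locally edited profile under `/etc/apparmor.d` is now overwritten without a prompt.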
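Review bot: With `lxc.aa_profile = unconfined` as the shipped default, AppArmor confinement becomes opt-in: a host where `make apparmor` is never run, or where it fails, starts the container with no profile, and the warning that tools/helpers/lxc.py used to log when profile installation failed is deleted by this same commit. The same applies to `lxc.apparmor.profile = unconfined` in data/configs/config_2. A safer arrangement would be for `set_lxc_config` to choose the profile when it writes the config, using `lxc-waydroid` if `/etc/apparmor.d/lxc/lxc-waydroid` is installed and otherwise falling back to `unconfined` with a logged warning, so the unconfined state is always visible to the operator.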
@@ -1,6 +1,6 @@
 lxc.uts.name = waydroid
-lxc.apparmor.profile = lxc-waydroid
+lxc.apparmor.profile = unconfined
 lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
 lxc.no_new_privs = 1
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index d774936..45d5e5d 100644
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -135,8 +135,6 @@ def set_lxc_config(args):
 raise OSError("LXC is not installed")
 config_paths = tools.config.tools_src + "/data/configs/config_"
 seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
- apparmor_profiles = [tools.config.tools_src + "/data/configs/" + "lxc-waydroid",tools.config.tools_src + "/data/configs/" + "android_app",tools.config.tools_src + "/data/configs/" + "adbd"]
- apparmor_profile_dir = "/etc/apparmor.d/"
 config_snippets = [ config_paths + "base" ]
 # lxc v1 is a bit special because some options got renamed later
@@ -157,22 +155,6 @@ def set_lxc_config(args):
 command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
 tools.helpers.run.user(args, command)
- try:
- command = ["cp", "-i", apparmor_profiles[0], apparmor_profile_dir + "lxc/lxc-waydroid"]
- tools.helpers.run.user(args, command)
- command = ["apparmor_parser", "-r", apparmor_profile_dir + "lxc/lxc-waydroid"]
- tools.helpers.run.user(args, command)
- command = ["cp", "-i", apparmor_profiles[1], apparmor_profile_dir + "android_app"]
- tools.helpers.run.user(args, command)
- command = ["apparmor_parser", "-r", apparmor_profile_dir + "android_app"]
- tools.helpers.run.user(args, command)
- command = ["cp", "-i", apparmor_profiles[2], apparmor_profile_dir + "adbd"]
- tools.helpers.run.user(args, command)
- command = ["apparmor_parser", "-r", apparmor_profile_dir + "adbd"]
- tools.helpers.run.user(args, command)
- except:
- logging.warning("An error has occurred while installing AppArmor profiles. If profiles are not installed, or AppArmor is disabled or not supported on your system, then the container will run without AppArmor protection.")
-
 nodes = generate_nodes_lxc_config(args)
 config_nodes_tmp_path = args.work + "/config_nodes"
 config_nodes = open(config_nodes_tmp_path, "w")
--
2.47.3