Merge pull request #755 from morphis/correct-uid-map

Map UIDs correctly into the container be independent of the UID initiating the container
2018-06-11 09:19:02 +02:00 · 2018-06-11 09:19:02 +02:00 · 0f80db195e
commit 0f80db195e
parent 2d979b8a1e 02a2601fad
4 changed files with 20 additions and 28 deletions
--- a/scripts/anbox-init.sh
+++ b/scripts/anbox-init.sh
@ -29,9 +29,5 @@ prepare_filesystem &
 echo "Waiting for filesystem being prepared ..."
 wait $!

-ln -sf /dev/sockets/qemu_pipe /dev/qemu_pipe
-ln -sf /dev/sockets/qemud /dev/qemud
-ln -sf /dev/sockets/anbox_bridge /dev/anbox_bridge
-
 echo "Starting real init now ..."
-/init
+exec /init
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@ -224,6 +224,7 @@ parts:
      - protobuf-compiler
    stage-packages:
      - libboost-log1.58.0
+      - libboost-iostreams1.58.0
      - libboost-program-options1.58.0
      - libboost-thread1.58.0
      - libdb5.3
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@ -39,7 +39,8 @@
 namespace fs = boost::filesystem;

 namespace {
-constexpr unsigned int unprivileged_user_id{100000};
+constexpr unsigned int unprivileged_uid{100000};
+constexpr unsigned int android_system_uid{1000};
 constexpr const char *default_container_ip_address{"192.168.250.2"};
 constexpr const std::uint32_t default_container_ip_prefix_length{24};
 constexpr const char *default_host_ip_address{"192.168.250.1"};
@ -69,31 +70,25 @@ LxcContainer::~LxcContainer() {
  if (container_) lxc_container_put(container_);
 }

-void LxcContainer::setup_id_maps() {
-  const auto base_id = unprivileged_user_id;
+void LxcContainer::setup_id_map() {
+  const auto base_id = unprivileged_uid;
  const auto max_id = 65536;

-  set_config_item("lxc.id_map",
-                  utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
-  set_config_item("lxc.id_map",
-                  utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));
+  set_config_item("lxc.id_map", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
+  set_config_item("lxc.id_map", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));

  // We need to bind the user id for the one running the client side
  // process as he is the owner of various socket files we bind mount
  // into the container.
-  set_config_item("lxc.id_map",
-                  utils::string_format("u %d %d 1", creds_.uid(), creds_.uid()));
-  set_config_item("lxc.id_map",
-                  utils::string_format("g %d %d 1", creds_.gid(), creds_.gid()));
+  set_config_item("lxc.id_map", utils::string_format("u %d %d 1", android_system_uid, creds_.uid()));
+  set_config_item("lxc.id_map", utils::string_format("g %d %d 1", android_system_uid, creds_.gid()));

-  set_config_item("lxc.id_map",
-                  utils::string_format("u %d %d %d", creds_.uid() + 1,
-                                       base_id + creds_.uid() + 1,
-                                       max_id - creds_.uid() - 1));
-  set_config_item("lxc.id_map",
-                  utils::string_format("g %d %d %d", creds_.uid() + 1,
-                                       base_id + creds_.gid() + 1,
-                                       max_id - creds_.gid() - 1));
+  set_config_item("lxc.id_map", utils::string_format("u %d %d %d", android_system_uid + 1,
+                                                     base_id + android_system_uid + 1,
+                                                     max_id - creds_.uid() - 1));
+  set_config_item("lxc.id_map", utils::string_format("g %d %d %d", android_system_uid + 1,
+                                                     base_id + android_system_uid + 1,
+                                                     max_id - creds_.gid() - 1));
 }

 void LxcContainer::setup_network() {
@ -148,7 +143,7 @@ void LxcContainer::setup_network() {
    if (st.st_uid != 0 && st.st_gid != 0)
      continue;

-    if (::chown(path.c_str(), unprivileged_user_id, unprivileged_user_id) < 0)
+    if (::chown(path.c_str(), unprivileged_uid, unprivileged_uid) < 0)
      WARNING("Failed to set owner for path '%s'", path);
  }

@ -188,7 +183,7 @@ void LxcContainer::add_device(const std::string& device) {
    throw std::runtime_error(msg);
  }

-  auto base_uid = unprivileged_user_id;
+  auto base_uid = unprivileged_uid;
  if (privileged_)
    base_uid = 0;

@ -279,7 +274,7 @@ void LxcContainer::start(const Configuration &configuration) {
  set_config_item("lxc.aa_profile", "anbox-container");

  if (!privileged_)
-    setup_id_maps();
+    setup_id_map();

  auto bind_mounts = configuration.bind_mounts;
  for (const auto &bind_mount : bind_mounts) {
--- a/src/anbox/container/lxc_container.h
+++ b/src/anbox/container/lxc_container.h
@ -38,7 +38,7 @@ class LxcContainer : public Container {

 private:
  void set_config_item(const std::string &key, const std::string &value);
-  void setup_id_maps();
+  void setup_id_map();
  void setup_network();
  void add_device(const std::string& device);