From a1738a5192c9fbbc0d4443ded703474c23cbd375 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Sun, 10 Jun 2018 19:12:48 +0200 Subject: [PATCH 1/4] container: correct code formatting --- src/anbox/container/lxc_container.cpp | 38 +++++++++++---------------- src/anbox/container/lxc_container.h | 2 +- 2 files changed, 17 insertions(+), 23 deletions(-) diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index efb70fa..ee5e697 100644 --- a/src/anbox/container/lxc_container.cpp +++ b/src/anbox/container/lxc_container.cpp @@ -39,7 +39,7 @@ namespace fs = boost::filesystem; namespace { -constexpr unsigned int unprivileged_user_id{100000}; +constexpr unsigned int unprivileged_uid{100000}; constexpr const char *default_container_ip_address{"192.168.250.2"}; constexpr const std::uint32_t default_container_ip_prefix_length{24}; constexpr const char *default_host_ip_address{"192.168.250.1"}; @@ -69,31 +69,25 @@ LxcContainer::~LxcContainer() { if (container_) lxc_container_put(container_); } -void LxcContainer::setup_id_maps() { - const auto base_id = unprivileged_user_id; +void LxcContainer::setup_id_map() { + const auto base_id = unprivileged_uid; const auto max_id = 65536; - set_config_item("lxc.id_map", - utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1)); - set_config_item("lxc.id_map", - utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1)); + set_config_item("lxc.id_map", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1)); + set_config_item("lxc.id_map", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1)); // We need to bind the user id for the one running the client side // process as he is the owner of various socket files we bind mount // into the container. - set_config_item("lxc.id_map", - utils::string_format("u %d %d 1", creds_.uid(), creds_.uid())); - set_config_item("lxc.id_map", - utils::string_format("g %d %d 1", creds_.gid(), creds_.gid())); + set_config_item("lxc.id_map", utils::string_format("u %d %d 1", creds_.uid(), creds_.uid())); + set_config_item("lxc.id_map", utils::string_format("g %d %d 1", creds_.gid(), creds_.gid())); - set_config_item("lxc.id_map", - utils::string_format("u %d %d %d", creds_.uid() + 1, - base_id + creds_.uid() + 1, - max_id - creds_.uid() - 1)); - set_config_item("lxc.id_map", - utils::string_format("g %d %d %d", creds_.uid() + 1, - base_id + creds_.gid() + 1, - max_id - creds_.gid() - 1)); + set_config_item("lxc.id_map", utils::string_format("u %d %d %d", creds_.uid() + 1, + base_id + creds_.uid() + 1, + max_id - creds_.uid() - 1)); + set_config_item("lxc.id_map", utils::string_format("g %d %d %d", creds_.uid() + 1, + base_id + creds_.gid() + 1, + max_id - creds_.gid() - 1)); } void LxcContainer::setup_network() { @@ -148,7 +142,7 @@ void LxcContainer::setup_network() { if (st.st_uid != 0 && st.st_gid != 0) continue; - if (::chown(path.c_str(), unprivileged_user_id, unprivileged_user_id) < 0) + if (::chown(path.c_str(), unprivileged_uid, unprivileged_uid) < 0) WARNING("Failed to set owner for path '%s'", path); } @@ -188,7 +182,7 @@ void LxcContainer::add_device(const std::string& device) { throw std::runtime_error(msg); } - auto base_uid = unprivileged_user_id; + auto base_uid = unprivileged_uid; if (privileged_) base_uid = 0; @@ -279,7 +273,7 @@ void LxcContainer::start(const Configuration &configuration) { set_config_item("lxc.aa_profile", "anbox-container"); if (!privileged_) - setup_id_maps(); + setup_id_map(); auto bind_mounts = configuration.bind_mounts; for (const auto &bind_mount : bind_mounts) { diff --git a/src/anbox/container/lxc_container.h b/src/anbox/container/lxc_container.h index 1a2c6cd..d525fea 100644 --- a/src/anbox/container/lxc_container.h +++ b/src/anbox/container/lxc_container.h @@ -38,7 +38,7 @@ class LxcContainer : public Container { private: void set_config_item(const std::string &key, const std::string &value); - void setup_id_maps(); + void setup_id_map(); void setup_network(); void add_device(const std::string& device); From 766db1fbc525887bd924ec0954edd9e462e9ff27 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Sun, 10 Jun 2018 19:15:52 +0200 Subject: [PATCH 2/4] snap: stage missing libboost-iostreams library --- snap/snapcraft.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 377455a..f0344da 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -224,6 +224,7 @@ parts: - protobuf-compiler stage-packages: - libboost-log1.58.0 + - libboost-iostreams1.58.0 - libboost-program-options1.58.0 - libboost-thread1.58.0 - libdb5.3 From d226d1763833370cdd00521765a15ef7c209d840 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Mon, 11 Jun 2018 07:00:42 +0200 Subject: [PATCH 3/4] container: always map current user to Androids system one --- src/anbox/container/lxc_container.cpp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index ee5e697..a0d5a57 100644 --- a/src/anbox/container/lxc_container.cpp +++ b/src/anbox/container/lxc_container.cpp @@ -40,6 +40,7 @@ namespace fs = boost::filesystem; namespace { constexpr unsigned int unprivileged_uid{100000}; +constexpr unsigned int android_system_uid{1000}; constexpr const char *default_container_ip_address{"192.168.250.2"}; constexpr const std::uint32_t default_container_ip_prefix_length{24}; constexpr const char *default_host_ip_address{"192.168.250.1"}; @@ -79,14 +80,14 @@ void LxcContainer::setup_id_map() { // We need to bind the user id for the one running the client side // process as he is the owner of various socket files we bind mount // into the container. - set_config_item("lxc.id_map", utils::string_format("u %d %d 1", creds_.uid(), creds_.uid())); - set_config_item("lxc.id_map", utils::string_format("g %d %d 1", creds_.gid(), creds_.gid())); + set_config_item("lxc.id_map", utils::string_format("u %d %d 1", android_system_uid, creds_.uid())); + set_config_item("lxc.id_map", utils::string_format("g %d %d 1", android_system_uid, creds_.gid())); - set_config_item("lxc.id_map", utils::string_format("u %d %d %d", creds_.uid() + 1, - base_id + creds_.uid() + 1, + set_config_item("lxc.id_map", utils::string_format("u %d %d %d", android_system_uid + 1, + base_id + android_system_uid + 1, max_id - creds_.uid() - 1)); - set_config_item("lxc.id_map", utils::string_format("g %d %d %d", creds_.uid() + 1, - base_id + creds_.gid() + 1, + set_config_item("lxc.id_map", utils::string_format("g %d %d %d", android_system_uid + 1, + base_id + android_system_uid + 1, max_id - creds_.gid() - 1)); } From 02a2601fadd959265615d35c8893b6e583fdc612 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Mon, 11 Jun 2018 07:50:54 +0200 Subject: [PATCH 4/4] scripts: don't create unneeded symlinks on container startup --- scripts/anbox-init.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/anbox-init.sh b/scripts/anbox-init.sh index ce61cce..f8ac1c6 100644 --- a/scripts/anbox-init.sh +++ b/scripts/anbox-init.sh @@ -29,9 +29,5 @@ prepare_filesystem & echo "Waiting for filesystem being prepared ..." wait $! -ln -sf /dev/sockets/qemu_pipe /dev/qemu_pipe -ln -sf /dev/sockets/qemud /dev/qemud -ln -sf /dev/sockets/anbox_bridge /dev/anbox_bridge - echo "Starting real init now ..." -/init +exec /init