Merge pull request #286 from morphis/f/correct-permissions-for-ip-conf

Correct permissions for Android IP configuration directory to prevent failing container start

src/anbox/cmds/container_manager.cpp

@@ -79,6 +79,9 @@ anbox::cmds::ContainerManager::ContainerManager()
       if (!data_path_.empty())
         SystemConfiguration::instance().set_data_path(data_path_);
 
+      if (!fs::exists(data_path_))
+        fs::create_directories(data_path_);
+
       if (!setup_mounts())
         return EXIT_FAILURE;
 

src/anbox/cmds/launch.cpp

@@ -130,7 +130,11 @@ anbox::cmds::Launch::Launch()
         }
 
         try {
-          const auto flags = core::posix::StandardStream::stdout | core::posix::StandardStream::stderr;
+          auto flags = core::posix::StandardStream::stdout | core::posix::StandardStream::stderr;
+          // If we have logging enable in debug mode then we allow the child process
+          // to print to stdout/stderr too.
+          if (Log().GetSeverity() == Logger::Severity::kDebug)
+            flags = core::posix::StandardStream::empty;
           auto child = core::posix::fork([&]() {
             auto grandchild = core::posix::exec(exe_path, args, env, flags);
             grandchild.dont_kill_on_cleanup();

src/anbox/container/lxc_container.cpp

@@ -36,6 +36,7 @@
 namespace fs = boost::filesystem;
 
 namespace {
+constexpr unsigned int unprivileged_user_id{100000};
 constexpr const char *default_container_ip_address{"192.168.250.2"};
 constexpr const std::uint32_t default_container_ip_prefix_length{24};
 constexpr const char *default_host_ip_address{"192.168.250.1"};
@@ -58,8 +59,7 @@ LxcContainer::~LxcContainer() {
 }
 
 void LxcContainer::setup_id_maps() {
-  // FIXME make these id sets configurable
-  const auto base_id = 100000;
+  const auto base_id = unprivileged_user_id;
   const auto max_id = 65536;
 
   set_config_item("lxc.id_map",
@@ -112,10 +112,22 @@ void LxcContainer::setup_network() {
   common::BinaryWriter writer(buffer.begin(), buffer.end());
   const auto size = ip_conf.write(writer);
 
-  const auto ip_conf_dir = SystemConfiguration::instance().data_dir() / "data" / "misc" / "ethernet";
-  if (!fs::exists(ip_conf_dir))
+  const auto data_ethernet_path = fs::path("data") / "misc" / "ethernet";
+  const auto ip_conf_dir = SystemConfiguration::instance().data_dir() / data_ethernet_path;
+  if (!fs::exists(ip_conf_dir)) {
     fs::create_directories(ip_conf_dir);
 
+    // We have to walk through the created directory hierachy now and
+    // ensure the permissions are set correctly. Otherwise the Android
+    // system will fail to boot as it isn't allowed to write anything
+    // into these directories.
+    for (auto iter = data_ethernet_path.begin(); iter != data_ethernet_path.end(); iter++) {
+      const auto path = SystemConfiguration::instance().data_dir() / *iter;
+      if (::chown(path.c_str(), unprivileged_user_id, unprivileged_user_id) < 0)
+        WARNING("Failed to set owner for path '%s'", path);
+    }
+  }
+
   const auto ip_conf_path = ip_conf_dir / "ipconfig.txt";
   if (fs::exists(ip_conf_path))
     fs::remove(ip_conf_path);

src/anbox/logger.cpp

@@ -64,6 +64,10 @@ struct BoostLogLogger : public anbox::Logger {
     severity_ = severity;
   }
 
+  Severity GetSeverity() override {
+    return severity_;
+  }
+
   void Log(Severity severity, const std::string& message, const boost::optional<Location>& loc) override {
     if (!initialized_) Init();
 

src/anbox/logger.h

@@ -51,6 +51,7 @@ class Logger : public DoNotCopyOrMove {
 
   bool SetSeverityFromString(const std::string &severity);
   virtual void SetSeverity(const Severity& severity) = 0;
+  virtual Severity GetSeverity() = 0;
 
   virtual void Log(Severity severity, const std::string& message,
                    const boost::optional<Location>& location) = 0;