From 409086f6ec589312193a9d2b81865e82384b10dc Mon Sep 17 00:00:00 2001
From: Kyle Gospodnetich
Date: Thu, 28 Dec 2023 14:09:54 -0800
Subject: [PATCH] chore: Add waydroid spec file with patch for regex issue

---
 spec_files/waydroid/README.md | 3 +
 spec_files/waydroid/dev-binderfs.mount | 7 +
 spec_files/waydroid/mount-secontext.patch | 13 ++
 spec_files/waydroid/regex.patch | 23 +++
 spec_files/waydroid/setup-firewalld.patch | 17 ++
 spec_files/waydroid/sse3.patch | 32 ++++
 spec_files/waydroid/waydroid.fc | 5 +
 spec_files/waydroid/waydroid.spec | 215 ++++++++++++++++++++++
 spec_files/waydroid/waydroid.te | 161 ++++++++++++++++
 9 files changed, 476 insertions(+)
 create mode 100644 spec_files/waydroid/README.md
 create mode 100644 spec_files/waydroid/dev-binderfs.mount
 create mode 100644 spec_files/waydroid/mount-secontext.patch
 create mode 100644 spec_files/waydroid/regex.patch
 create mode 100644 spec_files/waydroid/setup-firewalld.patch
 create mode 100644 spec_files/waydroid/sse3.patch
 create mode 100644 spec_files/waydroid/waydroid.fc
 create mode 100644 spec_files/waydroid/waydroid.spec
 create mode 100644 spec_files/waydroid/waydroid.te

diff --git a/spec_files/waydroid/README.md b/spec_files/waydroid/README.md
new file mode 100644
index 00000000..c7e3b888
--- /dev/null
+++ b/spec_files/waydroid/README.md
@@ -0,0 +1,3 @@
+# waydroid
+
+The waydroid package
diff --git a/spec_files/waydroid/dev-binderfs.mount b/spec_files/waydroid/dev-binderfs.mount
new file mode 100644
index 00000000..5884673c
--- /dev/null
+++ b/spec_files/waydroid/dev-binderfs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Mount binderfs partition
+
+[Mount]
+What=binder
+Where=/dev/binderfs
+Type=binder
diff --git a/spec_files/waydroid/mount-secontext.patch b/spec_files/waydroid/mount-secontext.patch
new file mode 100644
index 00000000..3d2727dc
--- /dev/null
+++ b/spec_files/waydroid/mount-secontext.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/helpers/mount.py b/tools/helpers/mount.py
+index a0d34be5..f507d668 100644
+--- a/tools/helpers/mount.py
++++ b/tools/helpers/mount.py
+@@ -133,7 +133,7 @@ def mount(args, source, destination, create_folders=True, umount=False,
+ destination)
+
+ extra_args = []
+- opt_args = []
++ opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""]
+ if mount_type:
+ extra_args.extend(["-t", mount_type])
+ if readonly:
diff --git a/spec_files/waydroid/regex.patch b/spec_files/waydroid/regex.patch
new file mode 100644
index 00000000..808b78d9
--- /dev/null
+++ b/spec_files/waydroid/regex.patch
@@ -0,0 +1,23 @@
+From 66c8343c4d2ea118601ba5d8ce52fa622cbcd665 Mon Sep 17 00:00:00 2001
+From: Aarron Lee
+Date: Sun, 19 Nov 2023 16:11:44 -0500
+Subject: [PATCH] update regex for deprecation warning
+
+---
+ tools/helpers/net.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/helpers/net.py b/tools/helpers/net.py
+index c20a95bc..b267357a 100644
+--- a/tools/helpers/net.py
++++ b/tools/helpers/net.py
+@@ -31,6 +31,6 @@ def get_device_ip_address():
+
+ try:
+ with open(lease_file) as f:
+- return re.search("(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
++ return re.search(r"(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
+ except:
+- pass
+\ No newline at end of file
++ pass
diff --git a/spec_files/waydroid/setup-firewalld.patch b/spec_files/waydroid/setup-firewalld.patch
new file mode 100644
index 00000000..dde0abd6
--- /dev/null
+++ b/spec_files/waydroid/setup-firewalld.patch
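Review bot: The `++ opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""]` line forces the SELinux `context=` option on every mount performed through this helper, with nothing in the hunk gating it on the source or destination; if `mount()` is also used for bind mounts of host directories or the data image, those mounts would carry (or be refused with) a label meant only for the Android rootfs — please confirm against the callers, which lie outside the hunk, as `mount()`'s body continues past it. A narrower shape keeps the upstream default and lets the rootfs caller opt in, e.g. a keyword argument on the signature and `opt_args = ["context=\"%s\"" % secontext] if secontext else []`. The escaped double quotes are presumably there because libmount expects the context value quoted; a one-line comment saying so would save the next reader a trip to mount(8).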
@@ -0,0 +1,17 @@
+--- waydroid-1.2.0/data/scripts/waydroid-net.sh 2021-10-19 15:50:56.000000000 +0800
++++ waydroid-1.2.0-1/data/scripts/waydroid-net.sh 2021-10-21 22:57:50.991706580 +0800
+@@ -1,4 +1,4 @@
+-#!/bin/sh -
++#!/usr/bin/sh -
+
+ varrun="/run/waydroid-lxc"
+ varlib="/var/lib"
+@@ -60,6 +60,8 @@ _ifup() {
+ ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
+ ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
+ ip link set dev ${LXC_BRIDGE} up
++ # Fedora specific
++ firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true
+ }
+
+ start_ipv6() {
diff --git a/spec_files/waydroid/sse3.patch b/spec_files/waydroid/sse3.patch
new file mode 100644
index 00000000..fef4b2d5
--- /dev/null
+++ b/spec_files/waydroid/sse3.patch
@@ -0,0 +1,32 @@
+From 6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd Mon Sep 17 00:00:00 2001
+From: sta-c0000 <37939220+sta-c0000@users.noreply.github.com>
+Date: Tue, 19 Dec 2023 09:49:12 -0500
+Subject: [PATCH] Add SSSE3 CPU check for arch x86/x86_64
+
+---
+ tools/helpers/arch.py | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/helpers/arch.py b/tools/helpers/arch.py
+index 735d344e..c74ef906 100644
+--- a/tools/helpers/arch.py
++++ b/tools/helpers/arch.py
+@@ -19,11 +19,14 @@ def host():
+ " architecture is not supported")
+
+ def maybe_remap(target):
+- if target == "x86_64":
++ if target.startswith("x86"):
+ with open("/proc/cpuinfo") as f:
+- if "sse4_2" not in f.read():
+- logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
+- return "x86"
++ cpuinfo = f.read()
++ if "ssse3" not in cpuinfo:
++ raise ValueError("x86/x86_64 CPU must support SSSE3!")
++ if target == "x86_64" and "sse4_2" not in cpuinfo:
++ logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
++ return "x86"
+ elif target == "arm64" and platform.architecture()[0] == "32bit":
+ return "arm"
+
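Review bot: `firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE}` puts the container bridge into firewalld's `trusted` zone, which accepts all connections from it, so every service listening on the host — not just the DHCP/DNS the bridge needs from dnsmasq — becomes reachable from inside the Android container. A dedicated zone that permits only the `dhcp` and `dns` services would bound that, and if the blanket trust is a deliberate trade-off the `# Fedora specific` comment should say so rather than leave it implicit. The `|| true` also hides any failure (firewalld absent, typo, zone missing) without a trace; `|| echo "firewall-cmd failed for ${LXC_BRIDGE}" >&2` keeps the best-effort behaviour but leaves a log line. The bridge teardown is outside the hunk, so I cannot see whether a matching `--remove-interface` exists — worth checking that the runtime zone assignment does not outlive the interface.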
diff --git a/spec_files/waydroid/waydroid.fc b/spec_files/waydroid/waydroid.fc
new file mode 100644
index 00000000..c66329cb
--- /dev/null
+++ b/spec_files/waydroid/waydroid.fc
@@ -0,0 +1,5 @@
+/usr/lib/waydroid/waydroid.py gen_context(system_u:object_r:waydroid_exec_t,s0)
+/usr/lib/waydroid/data/scripts/waydroid-net\.sh gen_context(system_u:object_r:waydroid_net_exec_t,s0)
+/var/lib/waydroid(.*)? gen_context(system_u:object_r:waydroid_data_t,s0)
+/var/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)
+/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)
diff --git a/spec_files/waydroid/waydroid.spec b/spec_files/waydroid/waydroid.spec
new file mode 100644
index 00000000..ffe8dd94
--- /dev/null
+++ b/spec_files/waydroid/waydroid.spec
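Review bot: The first entry, `/usr/lib/waydroid/waydroid.py`, leaves the dot unescaped while the very next entry writes `waydroid-net\.sh`; file-context paths are regular expressions, so the first should read `/usr/lib/waydroid/waydroid\.py gen_context(system_u:object_r:waydroid_exec_t,s0)` for consistency and precision, since this is the path that gets the entrypoint label `waydroid_exec_t`. The negative lookaheads on the `/run` and `/var/run` lines rely on the contexts being matched as PCRE, which is the case for libselinux, but a short comment above them saying they deliberately exclude the `waydroid-lxc` runtime directory would make the intent obvious.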
@@ -0,0 +1,215 @@
+%global forgeurl https://github.com/waydroid/waydroid
+%global selinuxtype targeted
+
+Version: 1.4.2
+%global tag %{version}
+
+%forgemeta
+Name: waydroid
+Release: 1%{?dist}.bazzite
+Summary: Container-based approach to boot a full Android system on GNU/Linux
+License: GPL-3.0-only
+URL: %{forgeurl}
+Source: %{forgesource}
+Source1: waydroid.te
+Source4: dev-binderfs.mount
+Source6: waydroid.fc
+
+# Assign firewalld zone to the waydroid network interface
+Patch0: setup-firewalld.patch
+
+# Mount the android rootfs with a default selinux context
+Patch1: mount-secontext.patch
+
+# https://github.com/waydroid/waydroid/commit/66c8343c4d2ea118601ba5d8ce52fa622cbcd665
+Patch2: regex.patch
+# https://github.com/waydroid/waydroid/commit/6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd
+Patch3: sse3.patch
+
+BuildArch: noarch
+
+BuildRequires: make
+BuildRequires: selinux-policy-devel
+BuildRequires: container-selinux
+BuildRequires: systemd
+BuildRequires: python3-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: desktop-file-utils
+BuildRequires: libappstream-glib
+
+Requires: python3-gbinder >= 1.1.0
+Requires: python3-gobject
+Requires: lxc
+Requires: gtk3
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires: nftables
+Requires: iproute
+Requires: dnsmasq
+Recommends: python3-pyclip
+Recommends: wl-clipboard
+
+%description
+Waydroid uses Linux namespaces to run a full Android system in a container
+and provide Android applications on any GNU/Linux-based platform.
+The Android system inside the container has direct access to needed hardware
+through LXC and the binder interface.
+
+%package selinux
+Summary: SELinux policy module for waydroid
+Requires: %{name} = %{version}-%{release}
+Requires: container-selinux
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module necessary to run waydroid.
+
+%prep
+%forgeautosetup -p1
+mkdir SELinux
+cp %{S:1} SELinux/
+cp %{S:6} SELinux/
+
+%build
+# Remove link for ROM files
+sed -i -e '/"system_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+sed -i -e '/"vendor_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+# Compile sepolicy
+cd SELinux
+%{__make} NAME=%{selinuxtype} -f /usr/share/selinux/devel/Makefile
+
+%install
+%make_install LIBDIR=%{_libdir} DESTDIR=%{buildroot} USE_SYSTEMD=1 USE_DBUS_ACTIVATION=1 USE_NFTABLES=1
+%py_byte_compile %{python3} %{buildroot}%{_prefix}/lib/waydroid
+%{__install} -d %{buildroot}%{_unitdir}
+%{__install} -d %{buildroot}%{_datadir}/selinux/%{selinuxtype}
+%{__install} -p -m 644 %{S:4} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 SELinux/%{name}.pp %{buildroot}%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+sed -i '/^\[Unit\]/a Wants=dev-binderfs.mount' %{buildroot}%{_unitdir}/waydroid-container.service
+sed -i '/^\[Service\]/a ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder /dev/binderfs/vndbinder /dev/binderfs/hwbinder /dev/' %{buildroot}%{_unitdir}/waydroid-container.service
+
+%check
+desktop-file-validate %{buildroot}/%{_datadir}/applications/Waydroid.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.market.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.app.install.desktop
+appstream-util validate --nonet %{buildroot}%{_metainfodir}/id.waydro.waydroid.metainfo.xml
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # the daemon needs to be restarted for the custom label to be applied
+ %systemd_postun_with_restart waydroid-container.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%post
+waydroid upgrade -o > /dev/null || :
+%systemd_post waydroid-container.service
+if [ $1 -eq 1 ]; then
+ if systemctl -q is-enabled waydroid-container.service > /dev/null 2>&1 ; then
+ systemctl start waydroid-container.service > /dev/null 2>&1 || :
+ fi
+fi
+
+%preun
+%systemd_preun waydroid-container.service
+
+%postun
+%systemd_postun_with_restart waydroid-container.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_prefix}/lib/waydroid
+%{_datadir}/applications/Waydroid.desktop
+%{_datadir}/applications/waydroid.market.desktop
+%{_datadir}/applications/waydroid.app.install.desktop
+%{_datadir}/metainfo/id.waydro.waydroid.metainfo.xml
+%{_datadir}/icons/hicolor/512x512/apps/waydroid.png
+%{_bindir}/waydroid
+%{_unitdir}/waydroid-container.service
+%{_unitdir}/dev-binderfs.mount
+%{_datadir}/dbus-1/system-services/id.waydro.Container.service
+%{_datadir}/dbus-1/system.d/id.waydro.Container.conf
+%{_datadir}/polkit-1/actions/id.waydro.Container.policy
+%{_datadir}/desktop-directories/waydroid.directory
+%{_sysconfdir}/xdg/menus/applications-merged/waydroid.menu
+
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%changelog
+* Tue Oct 31 2023 Alessandro Astone - 1.4.2-1
+- Update to 1.4.2
+
+* Tue Sep 26 2023 Alessandro Astone - 1.4.1-3
+- Amend SELinux to coexist with snap
+
+* Sat Jul 22 2023 Fedora Release Engineering - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Apr 25 2023 Alessandro Astone - 1.4.1-1
+- Update to 1.4.1
+
+* Wed Feb 08 2023 Alessandro Astone - 1.4.0-1
+- Update to 1.4.0
+
+* Sat Jan 21 2023 Fedora Release Engineering - 1.3.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 06 2023 Alessandro Astone - 1.3.4-4
+- Re-enable s390x build
+- Sepolicy fixes
+
+* Tue Dec 27 2022 Alessandro Astone - 1.3.4-3
+- Fix description typos etc.
+- Validate desktop and metainfo files
+- Reorder post install scriptlets
+
+* Sun Dec 25 2022 Alessandro Astone - 1.3.4-2
+- Add selinux label to android rootfs
+- Make package noarch
+
+* Wed Dec 14 2022 Alessandro Astone - 1.3.4-1
+- Update to 1.3.4
+
+* Sat Nov 05 2022 Alessandro Astone - 1.3.3-3
+- Override selinux context of the android rootfs
+- Fixes https://github.com/casualsnek/waydroid_script
+
+* Sun Oct 30 2022 Alessandro Astone - 1.3.3-2
+- Add sepolicy for updating from the android app
+
+* Sun Sep 25 2022 Alessandro Astone - 1.3.3-1
+- Update to 1.3.3
+
+* Fri Sep 02 2022 Alessandro Astone - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Aug 09 2022 Alessandro Astone - 1.3.0-1
+- Update to 1.3.0
+
+* Sun Apr 17 2022 Alessandro Astone - 1.2.1-1
+- Update to 1.2.1
+
+* Mon Mar 07 2022 Alessandro Astone - 1.2.0-7.20220307git1.2.0
+- Recommend pyclip
+
+* Sat Feb 26 2022 Alessandro Astone - 1.2.0-5.20220226git1.2.0
+- Add sepolicy for crash handler
+
+* Fri Feb 25 2022 Alessandro Astone - 1.2.0-4.20220225git1.2.0
+- Respin package
+
+* Wed Aug 12 2020 Qiyu Yan - 0-0.1.20200811gitc87ea48
+- initial package
diff --git a/spec_files/waydroid/waydroid.te b/spec_files/waydroid/waydroid.te
new file mode 100644
index 00000000..6de637d6
--- /dev/null
+++ b/spec_files/waydroid/waydroid.te
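Review bot: The `sed -i '/^\[Unit\]/a Wants=dev-binderfs.mount'` line in %install adds only a want, and `Wants=` carries no ordering, so the `ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder … /dev/` injected on the next line can run before binderfs is mounted; `ln -sf` does not check that its targets exist, so the service would then start with dangling `/dev/binder` symlinks and fail in a way that looks unrelated to the mount. Add an ordering dependency alongside, e.g. a second `sed -i '/^\[Unit\]/a After=dev-binderfs.mount' %{buildroot}%{_unitdir}/waydroid-container.service`, or replace the want with `RequiresMountsFor=/dev/binderfs`, which implies both Requires= and After= on that mount unit. Separately, `%build` blanks `system_channel` and `vendor_channel`, so `waydroid init` has no default image source after this packaging, yet the README added in the same commit is a one-line placeholder; a sentence there telling users they must supply image sources explicitly would prevent a confusing first run.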
@@ -0,0 +1,161 @@
+
+policy_module(waydroid, 1.0)
+
+require {
+ type unconfined_t;
+ type unconfined_service_t;
+ type binder_device_t;
+ type binderfs_t;
+ type abrt_t;
+ type bin_t;
+ type var_lib_t;
+ type proc_t;
+ type mount_exec_t;
+ type mount_t;
+ type uhid_device_t;
+ type tun_tap_device_t;
+ type tmp_t;
+ type http_cache_port_t;
+ type rpm_script_t;
+ role rpm_script_roles;
+ type iptables_t;
+ type systemd_systemctl_exec_t;
+}
+
+# Define domain
+type waydroid_t;
+type waydroid_exec_t;
+init_daemon_domain(waydroid_t, waydroid_exec_t)
+
+# Execute python
+allow waydroid_t bin_t:file { map execute };
+allow waydroid_t proc_t:file read_file_perms;
+gnome_search_gconf_data_dir(waydroid_t)
+auth_read_passwd(waydroid_t)
+miscfiles_read_generic_certs(waydroid_t)
+
+# Manage waydroid fifos
+type waydroid_var_run_t;
+files_pid_file(waydroid_var_run_t)
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file, "waydroid-remote_init_output")
+manage_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_fifo_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_dirs_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+
+# Manage /var/lib/waydroid
+type waydroid_data_t;
+files_type(waydroid_data_t)
+filetrans_pattern(waydroid_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+filetrans_pattern(unconfined_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+manage_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_lnk_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+
+# Execute lxc commands, domain transition
+container_runtime_domtrans(waydroid_t)
+
+# Execute misc utils
+exec_files_pattern(waydroid_t, bin_t, bin_t)
+domtrans_pattern(waydroid_t, mount_exec_t, mount_t)
+corecmd_exec_shell(waydroid_t)
+modutils_domtrans_kmod(waydroid_t)
+
+# Waydroid init from the container daemon
+dev_read_sysfs(waydroid_t)
+storage_getattr_fuse_dev(waydroid_t)
+getattr_chr_files_pattern(waydroid_t, device_t, { uhid_device_t tun_tap_device_t })
+fs_search_cgroup_dirs(waydroid_t)
+allow waydroid_t tmp_t:dir read;
+allow waydroid_t self:process setfscreate;
+allow waydroid_t self:tcp_socket create_socket_perms;
+allow waydroid_t http_cache_port_t:tcp_socket name_connect;
+sysnet_dns_name_resolve(waydroid_t)
+corenet_sendrecv_http_client_packets(waydroid_t)
+corenet_tcp_connect_http_port(waydroid_t)
+# No need to run systemctl. It is only used to determine apparmor status
+dontaudit waydroid_t systemd_systemctl_exec_t:file getattr;
+
+# waydroid-net.sh
+type waydroid_net_exec_t;
+files_type(waydroid_net_exec_t)
+domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)
+domain_entry_file(container_runtime_t, waydroid_net_exec_t)
+manage_fifo_files_pattern(iptables_t, waydroid_t, waydroid_t)
+
+# Read android rootfs
+type waydroid_rootfs_t;
+files_type(waydroid_rootfs_t)
+read_files_pattern(waydroid_t, waydroid_rootfs_t, waydroid_rootfs_t)
+
+# Read android data
+allow waydroid_t self:capability { dac_read_search };
+
+# Upgrade from app
+allow waydroid_t self:capability dac_override;
+read_files_pattern(waydroid_t, data_home_t, data_home_t)
+delete_files_pattern(waydroid_t, data_home_t, data_home_t)
+list_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_rootfs_t)
+delete_files_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+delete_dirs_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+allow waydroid_t self:unix_dgram_socket { create setopt getopt };
+
+# Use binder devices
+allow waydroid_t binderfs_t:dir search_dir_perms;
+allow waydroid_t binder_device_t:chr_file { getattr setattr ioctl map open read write };
+allow waydroid_t container_runtime_t:binder { call transfer };
+allow container_runtime_t waydroid_t:binder call;
+allow container_runtime_t self:binder { call set_context_mgr transfer };
+allow container_runtime_t self:capability2 mac_admin;
+allow container_runtime_t unconfined_service_t:binder call;
+allow container_runtime_t unconfined_t:binder { call transfer };
+allow unconfined_service_t container_runtime_t:binder { call transfer };
+allow unconfined_t container_runtime_t:binder { call transfer };
+
+# Graphics
+dev_setattr_generic_dirs(waydroid_t)
+dev_getattr_dri_dev(waydroid_t)
+dev_setattr_dri_dev(waydroid_t)
+dev_getattr_framebuffer_dev(waydroid_t)
+dev_setattr_framebuffer_dev(waydroid_t)
+allow waydroid_t self:capability fsetid;
+
+# Video
+dev_getattr_video_dev(waydroid_t)
+dev_setattr_video_dev(waydroid_t)
+
+# Search shared sockets
+userdom_search_user_tmp_dirs(waydroid_t)
+allow waydroid_t user_tmp_t:sock_file getattr;
+
+# RPM upgrade scriptlets
+container_runtime_run(rpm_script_t, rpm_script_roles)
+filetrans_pattern(rpm_script_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+
+# For when we crash
+allow abrt_t binder_device_t:chr_file { open read };
+
+# Attach to the container
+allow container_runtime_t self:process2 { nnp_transition };
+exec_files_pattern(container_runtime_t, waydroid_rootfs_t, waydroid_rootfs_t)
+domain_entry_file(container_runtime_t, waydroid_rootfs_t)
+
+# DBus
+type waydroid_tmpfs_t;
+files_tmp_file(waydroid_tmpfs_t)
+manage_files_pattern(waydroid_t, waydroid_tmpfs_t, waydroid_tmpfs_t)
+can_exec(waydroid_t, waydroid_tmpfs_t)
+fs_tmpfs_filetrans(waydroid_t, waydroid_tmpfs_t, file)
+dbus_system_bus_client(waydroid_t)
+dbus_connect_system_bus(waydroid_t)
+policykit_dbus_chat(waydroid_t)
+unconfined_dbus_chat(waydroid_t)
+unconfined_signal(waydroid_t)
+allow waydroid_t self:capability kill;
+
+# Snap
+optional_policy(`
+ require {
+ type snappy_var_lib_t;
+ }
+ dontaudit waydroid_t snappy_var_lib_t:dir search_dir_perms;
+')
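Review bot: `allow container_runtime_t self:capability2 mac_admin;`, together with the `nnp_transition`, `set_context_mgr` and `unconfined_t`/`unconfined_service_t` binder rules around it, is written on `container_runtime_t`, which is the shared engine domain that `container-selinux` provides rather than a waydroid-specific one; as far as I can tell that means any other engine running in that domain (podman, docker) also gains mac_admin, which permits setting labels the loaded policy does not even define. The policy already transitions into that domain itself via `container_runtime_domtrans(waydroid_t)` and `domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)`, so deriving a private domain for the LXC side and attaching these rules to it would keep the grant scoped to waydroid. If the shared domain is a deliberate choice, a comment above the rule stating why mac_admin is required (presumably for the binder context manager handling Android-side labels) would let the next reviewer judge it. The `# Upgrade from app` block deserves the same treatment: `dac_override` plus read and delete on `data_home_t` lets the daemon read and remove files in any user's data directory, which is a wide grant for an upgrade path and is not explained beyond the heading.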