chore: Add waydroid spec file with patch for regex issue

spec_files/waydroid/README.md

@@ -0,0 +1,3 @@
+# waydroid
+
+The waydroid package

spec_files/waydroid/dev-binderfs.mount

@@ -0,0 +1,7 @@
+[Unit]
+Description=Mount binderfs partition
+
+[Mount]
+What=binder
+Where=/dev/binderfs
+Type=binder

spec_files/waydroid/mount-secontext.patch

@@ -0,0 +1,13 @@
+diff --git a/tools/helpers/mount.py b/tools/helpers/mount.py
+index a0d34be5..f507d668 100644
+--- a/tools/helpers/mount.py
++++ b/tools/helpers/mount.py
+@@ -133,7 +133,7 @@ def mount(args, source, destination, create_folders=True, umount=False,
+                             destination)
+ 
+     extra_args = []
+-    opt_args = []
++    opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""]
+     if mount_type:
+         extra_args.extend(["-t", mount_type])
+     if readonly:

spec_files/waydroid/regex.patch

@@ -0,0 +1,23 @@
+From 66c8343c4d2ea118601ba5d8ce52fa622cbcd665 Mon Sep 17 00:00:00 2001
+From: Aarron Lee <aclee91@gmail.com>
+Date: Sun, 19 Nov 2023 16:11:44 -0500
+Subject: [PATCH] update regex for deprecation warning
+
+---
+ tools/helpers/net.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/helpers/net.py b/tools/helpers/net.py
+index c20a95bc..b267357a 100644
+--- a/tools/helpers/net.py
++++ b/tools/helpers/net.py
+@@ -31,6 +31,6 @@ def get_device_ip_address():
+ 
+     try:
+         with open(lease_file) as f:
+-            return re.search("(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
++            return re.search(r"(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
+     except:
+-        pass
+\ No newline at end of file
++        pass

spec_files/waydroid/setup-firewalld.patch

@@ -0,0 +1,17 @@
+--- waydroid-1.2.0/data/scripts/waydroid-net.sh	2021-10-19 15:50:56.000000000 +0800
++++ waydroid-1.2.0-1/data/scripts/waydroid-net.sh	2021-10-21 22:57:50.991706580 +0800
+@@ -1,4 +1,4 @@
+-#!/bin/sh -
++#!/usr/bin/sh -
+ 
+ varrun="/run/waydroid-lxc"
+ varlib="/var/lib"
+@@ -60,6 +60,8 @@ _ifup() {
+     ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
+     ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
+     ip link set dev ${LXC_BRIDGE} up
++    # Fedora specific
++    firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true
+ }
+ 
+ start_ipv6() {

spec_files/waydroid/sse3.patch

@@ -0,0 +1,32 @@
+From 6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd Mon Sep 17 00:00:00 2001
+From: sta-c0000 <37939220+sta-c0000@users.noreply.github.com>
+Date: Tue, 19 Dec 2023 09:49:12 -0500
+Subject: [PATCH] Add SSSE3 CPU check for arch x86/x86_64
+
+---
+ tools/helpers/arch.py | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/helpers/arch.py b/tools/helpers/arch.py
+index 735d344e..c74ef906 100644
+--- a/tools/helpers/arch.py
++++ b/tools/helpers/arch.py
+@@ -19,11 +19,14 @@ def host():
+                      " architecture is not supported")
+ 
+ def maybe_remap(target):
+-    if target == "x86_64":
++    if target.startswith("x86"):
+         with open("/proc/cpuinfo") as f:
+-            if "sse4_2" not in f.read():
+-                logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
+-                return "x86"
++            cpuinfo = f.read()
++        if "ssse3" not in cpuinfo:
++            raise ValueError("x86/x86_64 CPU must support SSSE3!")
++        if target == "x86_64" and "sse4_2" not in cpuinfo:
++            logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
++            return "x86"
+     elif target == "arm64" and platform.architecture()[0] == "32bit":
+         return "arm"
+ 

spec_files/waydroid/waydroid.fc

@@ -0,0 +1,5 @@
+/usr/lib/waydroid/waydroid.py                       gen_context(system_u:object_r:waydroid_exec_t,s0)
+/usr/lib/waydroid/data/scripts/waydroid-net\.sh     gen_context(system_u:object_r:waydroid_net_exec_t,s0)
+/var/lib/waydroid(.*)?                              gen_context(system_u:object_r:waydroid_data_t,s0)
+/var/run/waydroid-(?!lxc).*                         gen_context(system_u:object_r:waydroid_var_run_t,s0)
+/run/waydroid-(?!lxc).*                             gen_context(system_u:object_r:waydroid_var_run_t,s0)

spec_files/waydroid/waydroid.spec

@@ -0,0 +1,215 @@
+%global forgeurl https://github.com/waydroid/waydroid
+%global selinuxtype targeted
+
+Version:        1.4.2
+%global tag %{version}
+
+%forgemeta
+Name:           waydroid
+Release:        1%{?dist}.bazzite
+Summary:        Container-based approach to boot a full Android system on GNU/Linux
+License:        GPL-3.0-only
+URL:            %{forgeurl}
+Source:         %{forgesource}
+Source1:        waydroid.te
+Source4:        dev-binderfs.mount
+Source6:        waydroid.fc
+
+# Assign firewalld zone to the waydroid network interface
+Patch0:         setup-firewalld.patch
+
+# Mount the android rootfs with a default selinux context
+Patch1:         mount-secontext.patch
+
+# https://github.com/waydroid/waydroid/commit/66c8343c4d2ea118601ba5d8ce52fa622cbcd665
+Patch2:         regex.patch
+# https://github.com/waydroid/waydroid/commit/6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd
+Patch3:         sse3.patch
+
+BuildArch:      noarch
+
+BuildRequires:  make
+BuildRequires:  selinux-policy-devel
+BuildRequires:  container-selinux
+BuildRequires:  systemd
+BuildRequires:  python3-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  desktop-file-utils
+BuildRequires:  libappstream-glib
+
+Requires:       python3-gbinder >= 1.1.0
+Requires:       python3-gobject
+Requires:       lxc
+Requires:       gtk3
+Requires:       (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires:       nftables
+Requires:       iproute
+Requires:       dnsmasq
+Recommends:     python3-pyclip
+Recommends:     wl-clipboard
+
+%description
+Waydroid uses Linux namespaces to run a full Android system in a container
+and provide Android applications on any GNU/Linux-based platform.
+The Android system inside the container has direct access to needed hardware
+through LXC and the binder interface.
+
+%package selinux
+Summary:            SELinux policy module for waydroid
+Requires:           %{name} = %{version}-%{release}
+Requires:           container-selinux
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module necessary to run waydroid.
+
+%prep
+%forgeautosetup -p1
+mkdir SELinux
+cp %{S:1} SELinux/
+cp %{S:6} SELinux/
+
+%build
+# Remove link for ROM files
+sed -i -e '/"system_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+sed -i -e '/"vendor_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+# Compile sepolicy
+cd SELinux
+%{__make} NAME=%{selinuxtype} -f /usr/share/selinux/devel/Makefile
+
+%install
+%make_install LIBDIR=%{_libdir} DESTDIR=%{buildroot} USE_SYSTEMD=1 USE_DBUS_ACTIVATION=1 USE_NFTABLES=1
+%py_byte_compile %{python3} %{buildroot}%{_prefix}/lib/waydroid
+%{__install} -d %{buildroot}%{_unitdir}
+%{__install} -d %{buildroot}%{_datadir}/selinux/%{selinuxtype}
+%{__install} -p -m 644 %{S:4} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 SELinux/%{name}.pp %{buildroot}%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+sed -i '/^\[Unit\]/a Wants=dev-binderfs.mount' %{buildroot}%{_unitdir}/waydroid-container.service
+sed -i '/^\[Service\]/a ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder /dev/binderfs/vndbinder /dev/binderfs/hwbinder /dev/' %{buildroot}%{_unitdir}/waydroid-container.service
+
+%check
+desktop-file-validate %{buildroot}/%{_datadir}/applications/Waydroid.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.market.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.app.install.desktop
+appstream-util validate --nonet %{buildroot}%{_metainfodir}/id.waydro.waydroid.metainfo.xml
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+  # the daemon needs to be restarted for the custom label to be applied
+  %systemd_postun_with_restart waydroid-container.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+  %selinux_modules_uninstall -s %{selinuxtype} %{name}
+  %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%post
+waydroid upgrade -o > /dev/null || :
+%systemd_post waydroid-container.service
+if [ $1 -eq 1 ]; then
+  if systemctl -q is-enabled waydroid-container.service > /dev/null 2>&1 ; then
+    systemctl start waydroid-container.service > /dev/null 2>&1 || :
+  fi
+fi
+
+%preun
+%systemd_preun waydroid-container.service
+
+%postun
+%systemd_postun_with_restart waydroid-container.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_prefix}/lib/waydroid
+%{_datadir}/applications/Waydroid.desktop
+%{_datadir}/applications/waydroid.market.desktop
+%{_datadir}/applications/waydroid.app.install.desktop
+%{_datadir}/metainfo/id.waydro.waydroid.metainfo.xml
+%{_datadir}/icons/hicolor/512x512/apps/waydroid.png
+%{_bindir}/waydroid
+%{_unitdir}/waydroid-container.service
+%{_unitdir}/dev-binderfs.mount
+%{_datadir}/dbus-1/system-services/id.waydro.Container.service
+%{_datadir}/dbus-1/system.d/id.waydro.Container.conf
+%{_datadir}/polkit-1/actions/id.waydro.Container.policy
+%{_datadir}/desktop-directories/waydroid.directory
+%{_sysconfdir}/xdg/menus/applications-merged/waydroid.menu
+
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%changelog
+* Tue Oct 31 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.2-1
+- Update to 1.4.2
+
+* Tue Sep 26 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.1-3
+- Amend SELinux to coexist with snap
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Apr 25 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.1-1
+- Update to 1.4.1
+
+* Wed Feb 08 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.0-1
+- Update to 1.4.0
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 06 2023 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-4
+- Re-enable s390x build
+- Sepolicy fixes
+
+* Tue Dec 27 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-3
+- Fix description typos etc.
+- Validate desktop and metainfo files
+- Reorder post install scriptlets
+
+* Sun Dec 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-2
+- Add selinux label to android rootfs
+- Make package noarch
+
+* Wed Dec 14 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-1
+- Update to 1.3.4
+
+* Sat Nov 05 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-3
+- Override selinux context of the android rootfs
+- Fixes https://github.com/casualsnek/waydroid_script
+
+* Sun Oct 30 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-2
+- Add sepolicy for updating from the android app
+
+* Sun Sep 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-1
+- Update to 1.3.3
+
+* Fri Sep 02 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Aug 09 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.0-1
+- Update to 1.3.0
+
+* Sun Apr 17 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.1-1
+- Update to 1.2.1
+
+* Mon Mar 07 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-7.20220307git1.2.0
+- Recommend pyclip
+
+* Sat Feb 26 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-5.20220226git1.2.0
+- Add sepolicy for crash handler
+
+* Fri Feb 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-4.20220225git1.2.0
+- Respin package
+
+* Wed Aug 12 2020 Qiyu Yan <yanqiyu@fedoraproject.org> - 0-0.1.20200811gitc87ea48
+- initial package

spec_files/waydroid/waydroid.te

@@ -0,0 +1,161 @@
+
+policy_module(waydroid, 1.0)
+
+require {
+	type unconfined_t;
+	type unconfined_service_t;
+	type binder_device_t;
+	type binderfs_t;
+	type abrt_t;
+	type bin_t;
+	type var_lib_t;
+	type proc_t;
+	type mount_exec_t;
+	type mount_t;
+	type uhid_device_t;
+	type tun_tap_device_t;
+	type tmp_t;
+	type http_cache_port_t;
+	type rpm_script_t;
+	role rpm_script_roles;
+	type iptables_t;
+	type systemd_systemctl_exec_t;
+}
+
+# Define domain
+type waydroid_t;
+type waydroid_exec_t;
+init_daemon_domain(waydroid_t, waydroid_exec_t)
+
+# Execute python
+allow waydroid_t bin_t:file { map execute };
+allow waydroid_t proc_t:file read_file_perms;
+gnome_search_gconf_data_dir(waydroid_t)
+auth_read_passwd(waydroid_t)
+miscfiles_read_generic_certs(waydroid_t)
+
+# Manage waydroid fifos
+type waydroid_var_run_t;
+files_pid_file(waydroid_var_run_t)
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file, "waydroid-remote_init_output")
+manage_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_fifo_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_dirs_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+
+# Manage /var/lib/waydroid
+type waydroid_data_t;
+files_type(waydroid_data_t)
+filetrans_pattern(waydroid_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+filetrans_pattern(unconfined_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+manage_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_lnk_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+
+# Execute lxc commands, domain transition
+container_runtime_domtrans(waydroid_t)
+
+# Execute misc utils
+exec_files_pattern(waydroid_t, bin_t, bin_t)
+domtrans_pattern(waydroid_t, mount_exec_t, mount_t)
+corecmd_exec_shell(waydroid_t)
+modutils_domtrans_kmod(waydroid_t)
+
+# Waydroid init from the container daemon
+dev_read_sysfs(waydroid_t)
+storage_getattr_fuse_dev(waydroid_t)
+getattr_chr_files_pattern(waydroid_t, device_t, { uhid_device_t tun_tap_device_t })
+fs_search_cgroup_dirs(waydroid_t)
+allow waydroid_t tmp_t:dir read;
+allow waydroid_t self:process setfscreate;
+allow waydroid_t self:tcp_socket create_socket_perms;
+allow waydroid_t http_cache_port_t:tcp_socket name_connect;
+sysnet_dns_name_resolve(waydroid_t)
+corenet_sendrecv_http_client_packets(waydroid_t)
+corenet_tcp_connect_http_port(waydroid_t)
+# No need to run systemctl. It is only used to determine apparmor status
+dontaudit waydroid_t systemd_systemctl_exec_t:file getattr;
+
+# waydroid-net.sh
+type waydroid_net_exec_t;
+files_type(waydroid_net_exec_t)
+domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)
+domain_entry_file(container_runtime_t, waydroid_net_exec_t)
+manage_fifo_files_pattern(iptables_t, waydroid_t, waydroid_t)
+
+# Read android rootfs
+type waydroid_rootfs_t;
+files_type(waydroid_rootfs_t)
+read_files_pattern(waydroid_t, waydroid_rootfs_t, waydroid_rootfs_t)
+
+# Read android data
+allow waydroid_t self:capability { dac_read_search };
+
+# Upgrade from app
+allow waydroid_t self:capability dac_override;
+read_files_pattern(waydroid_t, data_home_t, data_home_t)
+delete_files_pattern(waydroid_t, data_home_t, data_home_t)
+list_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_rootfs_t)
+delete_files_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+delete_dirs_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+allow waydroid_t self:unix_dgram_socket { create setopt getopt };
+
+# Use binder devices
+allow waydroid_t binderfs_t:dir search_dir_perms;
+allow waydroid_t binder_device_t:chr_file { getattr setattr ioctl map open read write };
+allow waydroid_t container_runtime_t:binder { call transfer };
+allow container_runtime_t waydroid_t:binder call;
+allow container_runtime_t self:binder { call set_context_mgr transfer };
+allow container_runtime_t self:capability2 mac_admin;
+allow container_runtime_t unconfined_service_t:binder call;
+allow container_runtime_t unconfined_t:binder { call transfer };
+allow unconfined_service_t container_runtime_t:binder { call transfer };
+allow unconfined_t container_runtime_t:binder { call transfer };
+
+# Graphics
+dev_setattr_generic_dirs(waydroid_t)
+dev_getattr_dri_dev(waydroid_t)
+dev_setattr_dri_dev(waydroid_t)
+dev_getattr_framebuffer_dev(waydroid_t)
+dev_setattr_framebuffer_dev(waydroid_t)
+allow waydroid_t self:capability fsetid;
+
+# Video
+dev_getattr_video_dev(waydroid_t)
+dev_setattr_video_dev(waydroid_t)
+
+# Search shared sockets
+userdom_search_user_tmp_dirs(waydroid_t)
+allow waydroid_t user_tmp_t:sock_file getattr;
+
+# RPM upgrade scriptlets
+container_runtime_run(rpm_script_t, rpm_script_roles)
+filetrans_pattern(rpm_script_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+
+# For when we crash
+allow abrt_t binder_device_t:chr_file { open read };
+
+# Attach to the container
+allow container_runtime_t self:process2 { nnp_transition };
+exec_files_pattern(container_runtime_t, waydroid_rootfs_t, waydroid_rootfs_t)
+domain_entry_file(container_runtime_t, waydroid_rootfs_t)
+
+# DBus
+type waydroid_tmpfs_t;
+files_tmp_file(waydroid_tmpfs_t)
+manage_files_pattern(waydroid_t, waydroid_tmpfs_t, waydroid_tmpfs_t)
+can_exec(waydroid_t, waydroid_tmpfs_t)
+fs_tmpfs_filetrans(waydroid_t, waydroid_tmpfs_t, file)
+dbus_system_bus_client(waydroid_t)
+dbus_connect_system_bus(waydroid_t)
+policykit_dbus_chat(waydroid_t)
+unconfined_dbus_chat(waydroid_t)
+unconfined_signal(waydroid_t)
+allow waydroid_t self:capability kill;
+
+# Snap
+optional_policy(`
+	require {
+		type snappy_var_lib_t;
+	}
+	dontaudit waydroid_t snappy_var_lib_t:dir search_dir_perms;
+')