chore: Add waydroid spec file with patch for regex issue
This commit is contained in:
parent
19db7fbafd
commit
409086f6ec
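--- /dev/null
+++ b/spec_files/waydroid/README.md
@@ -0,0 +1,3 @@
+# waydroid
+
+The waydroid package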
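--- /dev/null
+++ b/spec_files/waydroid/dev-binderfs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Mount binderfs partition
+
+[Mount]
+What=binder
+Where=/dev/binderfs
+Type=binder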
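--- /dev/null
+++ b/spec_files/waydroid/mount-secontext.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/helpers/mount.py b/tools/helpers/mount.py
+index a0d34be5..f507d668 100644
+--- a/tools/helpers/mount.py
++++ b/tools/helpers/mount.py
+@@ -133,7 +133,7 @@ def mount(args, source, destination, create_folders=True, umount=False,
+destination)
+
+extra_args = []
+- opt_args = []
++ opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""]
+if mount_type:
+extra_args.extend(["-t", mount_type])
+if readonly: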
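Review bot: The `context=` option introduced by `+ opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""]` is applied to every mount that goes through this helper, not only to the Android rootfs image, and on a host whose loaded policy does not define `waydroid_rootfs_t` — the spec only pulls in the `-selinux` subpackage when `selinux-policy-targeted` is installed — mount(8) will most likely reject the option and the container will fail to start. A guard such as `opt_args = ["context=\"system_u:object_r:waydroid_rootfs_t:s0\""] if os.path.exists("/sys/fs/selinux/enforce") else []` keeps the patch from breaking hosts without SELinux; I cannot see from the hunk whether `mount.py` already imports `os` or has an equivalent check elsewhere, so adapt accordingly. The enclosing `mount()` function starts and ends outside the hunk.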
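--- /dev/null
+++ b/spec_files/waydroid/regex.patch
@@ -0,0 +1,23 @@
+From 66c8343c4d2ea118601ba5d8ce52fa622cbcd665 Mon Sep 17 00:00:00 2001
+From: Aarron Lee <aclee91@gmail.com>
+Date: Sun, 19 Nov 2023 16:11:44 -0500
+Subject: [PATCH] update regex for deprecation warning
+
+---
+tools/helpers/net.py | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/helpers/net.py b/tools/helpers/net.py
+index c20a95bc..b267357a 100644
+--- a/tools/helpers/net.py
++++ b/tools/helpers/net.py
+@@ -31,6 +31,6 @@ def get_device_ip_address():
+
+try:
+with open(lease_file) as f:
+- return re.search("(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
++ return re.search(r"(\d{1,3}\.){3}\d{1,3}\s", f.read()).group().strip()
+except:
+- pass
+\ No newline at end of file
++ pass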
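--- /dev/null
+++ b/spec_files/waydroid/setup-firewalld.patch
@@ -0,0 +1,17 @@
+--- waydroid-1.2.0/data/scripts/waydroid-net.sh 2021-10-19 15:50:56.000000000 +0800
++++ waydroid-1.2.0-1/data/scripts/waydroid-net.sh 2021-10-21 22:57:50.991706580 +0800
+@@ -1,4 +1,4 @@
+-#!/bin/sh -
++#!/usr/bin/sh -
+
+varrun="/run/waydroid-lxc"
+varlib="/var/lib"
+@@ -60,6 +60,8 @@ _ifup() {
+ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
+ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
+ip link set dev ${LXC_BRIDGE} up
++ # Fedora specific
++ firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true
+}
+
+start_ipv6() {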
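Review bot: `firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE}` puts the container bridge into firewalld's trusted zone, so every host service listening on any address becomes reachable from inside the Android guest; that is a deliberate trust decision and the `# Fedora specific` comment should say so, e.g. `# Fedora specific: trusted zone means the Android container can reach any host service; use a dedicated zone with an explicit service list to restrict it`. The `|| true` also discards the exit status, so a firewalld that is running but rejects the change leaves the bridge in the default zone with nothing reported; `firewall-cmd --state >/dev/null 2>&1 && firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE}` makes the "firewalld absent" case explicit without hiding a real failure. The change is runtime-only (no `--permanent`), which is appropriate for a bridge created on the fly, but I cannot see from the hunk whether `_ifdown` removes the interface from the zone again.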
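--- /dev/null
+++ b/spec_files/waydroid/sse3.patch
@@ -0,0 +1,32 @@
+From 6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd Mon Sep 17 00:00:00 2001
+From: sta-c0000 <37939220+sta-c0000@users.noreply.github.com>
+Date: Tue, 19 Dec 2023 09:49:12 -0500
+Subject: [PATCH] Add SSSE3 CPU check for arch x86/x86_64
+
+---
+tools/helpers/arch.py | 11 +++++++----
+1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/helpers/arch.py b/tools/helpers/arch.py
+index 735d344e..c74ef906 100644
+--- a/tools/helpers/arch.py
++++ b/tools/helpers/arch.py
+@@ -19,11 +19,14 @@ def host():
+" architecture is not supported")
+
+def maybe_remap(target):
+- if target == "x86_64":
++ if target.startswith("x86"):
+with open("/proc/cpuinfo") as f:
+- if "sse4_2" not in f.read():
+- logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
+- return "x86"
++ cpuinfo = f.read()
++ if "ssse3" not in cpuinfo:
++ raise ValueError("x86/x86_64 CPU must support SSSE3!")
++ if target == "x86_64" and "sse4_2" not in cpuinfo:
++ logging.info("x86_64 CPU does not support SSE4.2, falling back to x86...")
++ return "x86"
+elif target == "arm64" and platform.architecture()[0] == "32bit":
+return "arm"
+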
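--- /dev/null
+++ b/spec_files/waydroid/waydroid.fc
@@ -0,0 +1,5 @@
+/usr/lib/waydroid/waydroid.py gen_context(system_u:object_r:waydroid_exec_t,s0)
+/usr/lib/waydroid/data/scripts/waydroid-net\.sh gen_context(system_u:object_r:waydroid_net_exec_t,s0)
+/var/lib/waydroid(.*)? gen_context(system_u:object_r:waydroid_data_t,s0)
+/var/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)
+/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)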
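Review bot: `/var/lib/waydroid(.*)?` matches any path that merely begins with that prefix, such as `/var/lib/waydroid-backup`, rather than only the directory and its contents; the conventional spec is `/var/lib/waydroid(/.*)? gen_context(system_u:object_r:waydroid_data_t,s0)`. The first entry likewise leaves the `.` in `waydroid.py` unescaped, unlike the escaped `waydroid-net\.sh` on the next line, so `/usr/lib/waydroid/waydroid\.py` is what is intended. The `(?!lxc)` negative lookaheads in the last two entries rely on the PCRE matcher libselinux uses and work, but a short comment saying why `waydroid-lxc` is excluded (presumably because the container policy labels it) would help the next maintainer.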
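--- /dev/null
+++ b/spec_files/waydroid/waydroid.spec
@@ -0,0 +1,215 @@
+%global forgeurl https://github.com/waydroid/waydroid
+%global selinuxtype targeted
+
+Version: 1.4.2
+%global tag %{version}
+
+%forgemeta
+Name: waydroid
+Release: 1%{?dist}.bazzite
+Summary: Container-based approach to boot a full Android system on GNU/Linux
+License: GPL-3.0-only
+URL: %{forgeurl}
+Source: %{forgesource}
+Source1: waydroid.te
+Source4: dev-binderfs.mount
+Source6: waydroid.fc
+
+# Assign firewalld zone to the waydroid network interface
+Patch0: setup-firewalld.patch
+
+# Mount the android rootfs with a default selinux context
+Patch1: mount-secontext.patch
+
+# https://github.com/waydroid/waydroid/commit/66c8343c4d2ea118601ba5d8ce52fa622cbcd665
+Patch2: regex.patch
+# https://github.com/waydroid/waydroid/commit/6eea5cf63f4a724e66a2857b8f67ee2bbc82f0bd
+Patch3: sse3.patch
+
+BuildArch: noarch
+
+BuildRequires: make
+BuildRequires: selinux-policy-devel
+BuildRequires: container-selinux
+BuildRequires: systemd
+BuildRequires: python3-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: desktop-file-utils
+BuildRequires: libappstream-glib
+
+Requires: python3-gbinder >= 1.1.0
+Requires: python3-gobject
+Requires: lxc
+Requires: gtk3
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires: nftables
+Requires: iproute
+Requires: dnsmasq
+Recommends: python3-pyclip
+Recommends: wl-clipboard
+
+%description
+Waydroid uses Linux namespaces to run a full Android system in a container
+and provide Android applications on any GNU/Linux-based platform.
+The Android system inside the container has direct access to needed hardware
+through LXC and the binder interface.
+
+%package selinux
+Summary: SELinux policy module for waydroid
+Requires: %{name} = %{version}-%{release}
+Requires: container-selinux
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module necessary to run waydroid.
+
+%prep
+%forgeautosetup -p1
+mkdir SELinux
+cp %{S:1} SELinux/
+cp %{S:6} SELinux/
+
+%build
+# Remove link for ROM files
+sed -i -e '/"system_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+sed -i -e '/"vendor_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+# Compile sepolicy
+cd SELinux
+%{__make} NAME=%{selinuxtype} -f /usr/share/selinux/devel/Makefile
+
+%install
+%make_install LIBDIR=%{_libdir} DESTDIR=%{buildroot} USE_SYSTEMD=1 USE_DBUS_ACTIVATION=1 USE_NFTABLES=1
+%py_byte_compile %{python3} %{buildroot}%{_prefix}/lib/waydroid
+%{__install} -d %{buildroot}%{_unitdir}
+%{__install} -d %{buildroot}%{_datadir}/selinux/%{selinuxtype}
+%{__install} -p -m 644 %{S:4} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 SELinux/%{name}.pp %{buildroot}%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+sed -i '/^\[Unit\]/a Wants=dev-binderfs.mount' %{buildroot}%{_unitdir}/waydroid-container.service
+sed -i '/^\[Service\]/a ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder /dev/binderfs/vndbinder /dev/binderfs/hwbinder /dev/' %{buildroot}%{_unitdir}/waydroid-container.service
+
+%check
+desktop-file-validate %{buildroot}/%{_datadir}/applications/Waydroid.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.market.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/waydroid.app.install.desktop
+appstream-util validate --nonet %{buildroot}%{_metainfodir}/id.waydro.waydroid.metainfo.xml
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+# the daemon needs to be restarted for the custom label to be applied
+%systemd_postun_with_restart waydroid-container.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+%selinux_modules_uninstall -s %{selinuxtype} %{name}
+%selinux_relabel_post -s %{selinuxtype}
+fi
+
+%post
+waydroid upgrade -o > /dev/null || :
+%systemd_post waydroid-container.service
+if [ $1 -eq 1 ]; then
+if systemctl -q is-enabled waydroid-container.service > /dev/null 2>&1 ; then
+systemctl start waydroid-container.service > /dev/null 2>&1 || :
+fi
+fi
+
+%preun
+%systemd_preun waydroid-container.service
+
+%postun
+%systemd_postun_with_restart waydroid-container.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_prefix}/lib/waydroid
+%{_datadir}/applications/Waydroid.desktop
+%{_datadir}/applications/waydroid.market.desktop
+%{_datadir}/applications/waydroid.app.install.desktop
+%{_datadir}/metainfo/id.waydro.waydroid.metainfo.xml
+%{_datadir}/icons/hicolor/512x512/apps/waydroid.png
+%{_bindir}/waydroid
+%{_unitdir}/waydroid-container.service
+%{_unitdir}/dev-binderfs.mount
+%{_datadir}/dbus-1/system-services/id.waydro.Container.service
+%{_datadir}/dbus-1/system.d/id.waydro.Container.conf
+%{_datadir}/polkit-1/actions/id.waydro.Container.policy
+%{_datadir}/desktop-directories/waydroid.directory
+%{_sysconfdir}/xdg/menus/applications-merged/waydroid.menu
+
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%changelog
+* Tue Oct 31 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.2-1
+- Update to 1.4.2
+
+* Tue Sep 26 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.1-3
+- Amend SELinux to coexist with snap
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Apr 25 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.1-1
+- Update to 1.4.1
+
+* Wed Feb 08 2023 Alessandro Astone <ales.astone@gmail.com> - 1.4.0-1
+- Update to 1.4.0
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 06 2023 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-4
+- Re-enable s390x build
+- Sepolicy fixes
+
+* Tue Dec 27 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-3
+- Fix description typos etc.
+- Validate desktop and metainfo files
+- Reorder post install scriptlets
+
+* Sun Dec 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-2
+- Add selinux label to android rootfs
+- Make package noarch
+
+* Wed Dec 14 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.4-1
+- Update to 1.3.4
+
+* Sat Nov 05 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-3
+- Override selinux context of the android rootfs
+- Fixes https://github.com/casualsnek/waydroid_script
+
+* Sun Oct 30 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-2
+- Add sepolicy for updating from the android app
+
+* Sun Sep 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.3-1
+- Update to 1.3.3
+
+* Fri Sep 02 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Aug 09 2022 Alessandro Astone <ales.astone@gmail.com> - 1.3.0-1
+- Update to 1.3.0
+
+* Sun Apr 17 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.1-1
+- Update to 1.2.1
+
+* Mon Mar 07 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-7.20220307git1.2.0
+- Recommend pyclip
+
+* Sat Feb 26 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-5.20220226git1.2.0
+- Add sepolicy for crash handler
+
+* Fri Feb 25 2022 Alessandro Astone <ales.astone@gmail.com> - 1.2.0-4.20220225git1.2.0
+- Respin package
+
+* Wed Aug 12 2020 Qiyu Yan <yanqiyu@fedoraproject.org> - 0-0.1.20200811gitc87ea48
+- initial package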
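Review bot: The `sed -i '/^\[Unit\]/a Wants=dev-binderfs.mount'` edit in %install pulls the mount unit in but adds no ordering, so the `ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder ... /dev/` step and the container start itself may run before binderfs is mounted, leaving the `/dev/*binder` symlinks pointing at nothing while the guest boots without binder; replacing the inserted line with `RequiresMountsFor=/dev/binderfs` (or adding `After=dev-binderfs.mount` next to the `Wants=`) provides both the dependency and the ordering. Separately, `%post` runs `waydroid upgrade -o` as root inside the rpm transaction; it is offline and its failure is ignored, but a comment stating why the package must populate `/var/lib/waydroid` at install time would help the next maintainer judge whether it is still needed. The upstream `waydroid-container.service` is not part of this commit, so I cannot confirm that it does not already carry an `After=` for the mount.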
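--- /dev/null
+++ b/spec_files/waydroid/waydroid.te
@@ -0,0 +1,161 @@
+
+policy_module(waydroid, 1.0)
+
+require {
+type unconfined_t;
+type unconfined_service_t;
+type binder_device_t;
+type binderfs_t;
+type abrt_t;
+type bin_t;
+type var_lib_t;
+type proc_t;
+type mount_exec_t;
+type mount_t;
+type uhid_device_t;
+type tun_tap_device_t;
+type tmp_t;
+type http_cache_port_t;
+type rpm_script_t;
+role rpm_script_roles;
+type iptables_t;
+type systemd_systemctl_exec_t;
+}
+
+# Define domain
+type waydroid_t;
+type waydroid_exec_t;
+init_daemon_domain(waydroid_t, waydroid_exec_t)
+
+# Execute python
+allow waydroid_t bin_t:file { map execute };
+allow waydroid_t proc_t:file read_file_perms;
+gnome_search_gconf_data_dir(waydroid_t)
+auth_read_passwd(waydroid_t)
+miscfiles_read_generic_certs(waydroid_t)
+
+# Manage waydroid fifos
+type waydroid_var_run_t;
+files_pid_file(waydroid_var_run_t)
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file, "waydroid-remote_init_output")
+manage_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_fifo_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_dirs_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+
+# Manage /var/lib/waydroid
+type waydroid_data_t;
+files_type(waydroid_data_t)
+filetrans_pattern(waydroid_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+filetrans_pattern(unconfined_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+manage_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_lnk_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+
+# Execute lxc commands, domain transition
+container_runtime_domtrans(waydroid_t)
+
+# Execute misc utils
+exec_files_pattern(waydroid_t, bin_t, bin_t)
+domtrans_pattern(waydroid_t, mount_exec_t, mount_t)
+corecmd_exec_shell(waydroid_t)
+modutils_domtrans_kmod(waydroid_t)
+
+# Waydroid init from the container daemon
+dev_read_sysfs(waydroid_t)
+storage_getattr_fuse_dev(waydroid_t)
+getattr_chr_files_pattern(waydroid_t, device_t, { uhid_device_t tun_tap_device_t })
+fs_search_cgroup_dirs(waydroid_t)
+allow waydroid_t tmp_t:dir read;
+allow waydroid_t self:process setfscreate;
+allow waydroid_t self:tcp_socket create_socket_perms;
+allow waydroid_t http_cache_port_t:tcp_socket name_connect;
+sysnet_dns_name_resolve(waydroid_t)
+corenet_sendrecv_http_client_packets(waydroid_t)
+corenet_tcp_connect_http_port(waydroid_t)
+# No need to run systemctl. It is only used to determine apparmor status
+dontaudit waydroid_t systemd_systemctl_exec_t:file getattr;
+
+# waydroid-net.sh
+type waydroid_net_exec_t;
+files_type(waydroid_net_exec_t)
+domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)
+domain_entry_file(container_runtime_t, waydroid_net_exec_t)
+manage_fifo_files_pattern(iptables_t, waydroid_t, waydroid_t)
+
+# Read android rootfs
+type waydroid_rootfs_t;
+files_type(waydroid_rootfs_t)
+read_files_pattern(waydroid_t, waydroid_rootfs_t, waydroid_rootfs_t)
+
+# Read android data
+allow waydroid_t self:capability { dac_read_search };
+
+# Upgrade from app
+allow waydroid_t self:capability dac_override;
+read_files_pattern(waydroid_t, data_home_t, data_home_t)
+delete_files_pattern(waydroid_t, data_home_t, data_home_t)
+list_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_rootfs_t)
+delete_files_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+delete_dirs_pattern(waydroid_t, { waydroid_data_t waydroid_rootfs_t }, { waydroid_data_t waydroid_rootfs_t })
+allow waydroid_t self:unix_dgram_socket { create setopt getopt };
+
+# Use binder devices
+allow waydroid_t binderfs_t:dir search_dir_perms;
+allow waydroid_t binder_device_t:chr_file { getattr setattr ioctl map open read write };
+allow waydroid_t container_runtime_t:binder { call transfer };
+allow container_runtime_t waydroid_t:binder call;
+allow container_runtime_t self:binder { call set_context_mgr transfer };
+allow container_runtime_t self:capability2 mac_admin;
+allow container_runtime_t unconfined_service_t:binder call;
+allow container_runtime_t unconfined_t:binder { call transfer };
+allow unconfined_service_t container_runtime_t:binder { call transfer };
+allow unconfined_t container_runtime_t:binder { call transfer };
+
+# Graphics
+dev_setattr_generic_dirs(waydroid_t)
+dev_getattr_dri_dev(waydroid_t)
+dev_setattr_dri_dev(waydroid_t)
+dev_getattr_framebuffer_dev(waydroid_t)
+dev_setattr_framebuffer_dev(waydroid_t)
+allow waydroid_t self:capability fsetid;
+
+# Video
+dev_getattr_video_dev(waydroid_t)
+dev_setattr_video_dev(waydroid_t)
+
+# Search shared sockets
+userdom_search_user_tmp_dirs(waydroid_t)
+allow waydroid_t user_tmp_t:sock_file getattr;
+
+# RPM upgrade scriptlets
+container_runtime_run(rpm_script_t, rpm_script_roles)
+filetrans_pattern(rpm_script_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+
+# For when we crash
+allow abrt_t binder_device_t:chr_file { open read };
+
+# Attach to the container
+allow container_runtime_t self:process2 { nnp_transition };
+exec_files_pattern(container_runtime_t, waydroid_rootfs_t, waydroid_rootfs_t)
+domain_entry_file(container_runtime_t, waydroid_rootfs_t)
+
+# DBus
+type waydroid_tmpfs_t;
+files_tmp_file(waydroid_tmpfs_t)
+manage_files_pattern(waydroid_t, waydroid_tmpfs_t, waydroid_tmpfs_t)
+can_exec(waydroid_t, waydroid_tmpfs_t)
+fs_tmpfs_filetrans(waydroid_t, waydroid_tmpfs_t, file)
+dbus_system_bus_client(waydroid_t)
+dbus_connect_system_bus(waydroid_t)
+policykit_dbus_chat(waydroid_t)
+unconfined_dbus_chat(waydroid_t)
+unconfined_signal(waydroid_t)
+allow waydroid_t self:capability kill;
+
+# Snap
+optional_policy(`
+require {
+type snappy_var_lib_t;
+}
+dontaudit waydroid_t snappy_var_lib_t:dir search_dir_perms;
+')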
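Review bot: `allow container_runtime_t self:capability2 mac_admin;` under `# Use binder devices` lets the LXC runtime set security contexts the host policy does not define, which disables label validation for that whole domain and therefore for every container run by container_runtime_t, not only Waydroid; the rule carries no justification, and a note such as `# Android labels its guest filesystem with types unknown to the host policy; mac_admin lets lxc apply them` would record it so the grant is revisited when it stops being needed (I am inferring the reason from the neighbouring binder rules, so please confirm). The same applies to `allow waydroid_t self:capability dac_override;` and the `read_files_pattern`/`delete_files_pattern` on `data_home_t` under `# Upgrade from app`, which together let the daemon read and delete files anywhere in a user's `~/.local/share`; a comment naming the concrete paths the upgrade code touches would let a later reviewer narrow this to a dedicated type. `data_home_t`, `user_tmp_t`, `device_t` and `container_runtime_t` are used without being listed in the top `require` block; if the build relies on the invoked interfaces pulling them in that works, but listing them explicitly makes the module self-describing.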