Allow privileged containers for systems without user namespace support

src/anbox/cmds/container_manager.cpp

@@ -45,6 +45,9 @@ anbox::cmds::ContainerManager::ContainerManager()
   flag(cli::make_flag(cli::Name{"data-path"},
                       cli::Description{"Path where the container and its data is stored"},
                       data_path_));
+  flag(cli::make_flag(cli::Name{"privileged"},
+                      cli::Description{"Run Android container in privileged mode"},
+                      privileged_));
 
   action([&](const cli::Command::Context&) {
     try {
@@ -62,7 +65,7 @@ anbox::cmds::ContainerManager::ContainerManager()
         return EXIT_FAILURE;
 
       auto rt = Runtime::create();
-      auto service = container::Service::create(rt);
+      auto service = container::Service::create(rt, privileged_);
 
       rt->start();
       trap->run();

src/anbox/cmds/container_manager.h

@@ -41,6 +41,7 @@ class ContainerManager : public cli::CommandWithFlagsAndAction {
   std::string data_path_;
   std::shared_ptr<common::LoopDevice> android_img_loop_dev_;
   std::vector<std::shared_ptr<common::MountEntry>> mounts_;
+  bool privileged_ = false;
 };
 }  // namespace cmds
 }  // namespace anbox

src/anbox/container/lxc_container.cpp

@@ -35,8 +35,8 @@ namespace fs = boost::filesystem;
 
 namespace anbox {
 namespace container {
-LxcContainer::LxcContainer(const network::Credentials &creds)
-    : state_(State::inactive), container_(nullptr), creds_(creds) {
+LxcContainer::LxcContainer(bool privileged, const network::Credentials &creds)
+    : state_(State::inactive), container_(nullptr),  privileged_(privileged), creds_(creds) {
   utils::ensure_paths({
       SystemConfiguration::instance().container_config_dir(),
       SystemConfiguration::instance().log_dir(),
@@ -44,16 +44,15 @@ LxcContainer::LxcContainer(const network::Credentials &creds)
 }
 
 LxcContainer::~LxcContainer() {
-  DEBUG("");
-
   stop();
-
   if (container_) lxc_container_put(container_);
 }
 
 void LxcContainer::setup_id_maps() {
+  // FIXME make these id sets configurable
   const auto base_id = 100000;
   const auto max_id = 65536;
+
   set_config_item("lxc.id_map",
                   utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
   set_config_item("lxc.id_map",
@@ -150,7 +149,8 @@ void LxcContainer::start(const Configuration &configuration) {
   set_config_item("lxc.aa_profile", "unconfined");
 #endif
 
-  setup_id_maps();
+  if (!privileged_)
+    setup_id_maps();
 
   auto bind_mounts = configuration.bind_mounts;
 

src/anbox/container/lxc_container.h

@@ -29,7 +29,7 @@ namespace anbox {
 namespace container {
 class LxcContainer : public Container {
  public:
-  LxcContainer(const network::Credentials &creds);
+  LxcContainer(bool privileged, const network::Credentials &creds);
   ~LxcContainer();
 
   void start(const Configuration &configuration) override;
@@ -42,6 +42,7 @@ class LxcContainer : public Container {
 
   State state_;
   lxc_container *container_;
+  bool privileged_;
   network::Credentials creds_;
 };
 }  // namespace container

src/anbox/container/service.cpp

@@ -30,8 +30,8 @@
 
 namespace anbox {
 namespace container {
-std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt) {
-  auto sp = std::make_shared<Service>(rt);
+std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt, bool privileged) {
+  auto sp = std::shared_ptr<Service>(new Service(rt, privileged));
 
   auto delegate_connector = std::make_shared<
       network::DelegateConnectionCreator<boost::asio::local::stream_protocol>>(
@@ -49,34 +49,32 @@ std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt) {
   return sp;
 }
 
-Service::Service(const std::shared_ptr<Runtime> &rt)
+Service::Service(const std::shared_ptr<Runtime> &rt, bool privileged)
     : dispatcher_(anbox::common::create_dispatcher_for_runtime(rt)),
       next_connection_id_(0),
-      connections_(
-          std::make_shared<network::Connections<network::SocketConnection>>()) {
+      connections_(std::make_shared<network::Connections<network::SocketConnection>>()),
+      privileged_(privileged) {
 }
 
 Service::~Service() {}
 
 int Service::next_id() { return next_connection_id_++; }
 
-void Service::new_client(
-    std::shared_ptr<boost::asio::local::stream_protocol::socket> const
+void Service::new_client(std::shared_ptr<boost::asio::local::stream_protocol::socket> const
         &socket) {
   if (connections_->size() >= 1) {
     socket->close();
     return;
   }
 
-  auto const messenger =
-      std::make_shared<network::LocalSocketMessenger>(socket);
+  auto const messenger = std::make_shared<network::LocalSocketMessenger>(socket);
 
   DEBUG("Got connection from pid %d", messenger->creds().pid());
 
   auto pending_calls = std::make_shared<rpc::PendingCallCache>();
   auto rpc_channel = std::make_shared<rpc::Channel>(pending_calls, messenger);
   auto server = std::make_shared<container::ManagementApiSkeleton>(
-      pending_calls, std::make_shared<LxcContainer>(messenger->creds()));
+      pending_calls, std::make_shared<LxcContainer>(privileged_, messenger->creds()));
   auto processor = std::make_shared<container::ManagementApiMessageProcessor>(
       messenger, pending_calls, server);
 

src/anbox/container/service.h

@@ -30,12 +30,13 @@ namespace anbox {
 namespace container {
 class Service : public std::enable_shared_from_this<Service> {
  public:
-  static std::shared_ptr<Service> create(const std::shared_ptr<Runtime> &rt);
+  static std::shared_ptr<Service> create(const std::shared_ptr<Runtime> &rt, bool privileged);
 
-  Service(const std::shared_ptr<Runtime> &rt);
   ~Service();
 
  private:
+  Service(const std::shared_ptr<Runtime> &rt, bool privileged);
+
   int next_id();
   void new_client(std::shared_ptr<
                   boost::asio::local::stream_protocol::socket> const &socket);
@@ -45,6 +46,7 @@ class Service : public std::enable_shared_from_this<Service> {
   std::atomic<int> next_connection_id_;
   std::shared_ptr<network::Connections<network::SocketConnection>> connections_;
   std::shared_ptr<Container> backend_;
+  bool privileged_;
 };
 }  // namespace container
 }  // namespace anbox