Merge branch 'master' into explicit-search-path-for-boost

945e6f1f · Simon Fels · GitHub · e0d50867 · 9a95b53d · 945e6f1f
14 changed file
--- a/external/backtrace-cpp/CMakeLists.txt
+++ b/external/backtrace-cpp/CMakeLists.txt
@@ -38,7 +38,7 @@ if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang" OR CMAKE_COMPILER_IS_GNUCXX)
 endif()

 # ANBOX: allow old-style casts
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-error=old-style-cast -Wno-error=switch-default -Wno-error=implicit-fallthrough")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-error=old-style-cast -Wno-error=switch-default")

 ###############################################################################
 # BACKWARD OBJECT

--- a/external/backtrace-cpp/backward.hpp
+++ b/external/backtrace-cpp/backward.hpp
@@ -1391,6 +1391,7 @@ private:
 					if (die_has_pc(die, pc)) {
 						return result;
 					}
+					/* fall through */
 				default:
 					bool declaration = false;
 					Dwarf_Attribute attr_mem;

--- a/scripts/container-manager.sh
+++ b/scripts/container-manager.sh
@@ -10,6 +10,11 @@ DATA_PATH=$SNAP_COMMON/
 ROOTFS_PATH=$DATA_PATH/rootfs
 ANDROID_IMG=$SNAP/android.img

+if [ "$(id -u)" != 0 ]; then
+	echo "ERROR: You need to run the container manager as root"
+	exit 1
+fi
+
 if [ ! -e $ANDROID_IMG ]; then
 	echo "ERROR: android image does not exist"
 	exit 1
@@ -60,7 +65,19 @@ start() {
 		export ANBOX_LOG_LEVEL=debug
 	fi

+	EXTRA_ARGS=
+	enable_rootfs_overlay="$(snapctl get rootfs-overlay.enable)"
+	if [ "$enable_rootfs_overlay" = true ]; then
+		EXTRA_ARGS="$EXTRA_ARGS --use-rootfs-overlay"
+	fi
+
+	privileged_container="$(snapctl get container.privileged)"
+	if [ "$privileged_container" = true ]; then
+		EXTRA_ARGS="$EXTRA_ARGS --privileged"
+	fi
+
 	exec $AA_EXEC $SNAP/bin/anbox-wrapper.sh container-manager \
+		"$EXTRA_ARGS" \
 		--data-path=$DATA_PATH \
 		--android-image=$ANDROID_IMG \
 		--daemon

--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -62,175 +62,288 @@ target_link_libraries(anbox-protobuf
    ${PROTOBUF_LITE_LIBRARIES})

 set(SOURCES
-    anbox/logger.cpp
-    anbox/utils.cpp
-    anbox/cli.cpp
-    anbox/runtime.cpp
-    anbox/daemon.cpp
-    anbox/system_configuration.cpp
-    anbox/not_reachable.cpp
+    anbox/android/intent.cpp
+    anbox/android/intent.h
+    anbox/android/ip_config_builder.cpp
+    anbox/android/ip_config_builder.h
+
+    anbox/application/database.cpp
+    anbox/application/database.h
+    anbox/application/launcher_storage.cpp
+    anbox/application/launcher_storage.h
+    anbox/application/manager.h
+
+    anbox/audio/client_info.h
+    anbox/audio/server.cpp
+    anbox/audio/server.h
+    anbox/audio/sink.h
+    anbox/audio/source.h
+
+    anbox/bridge/android_api_stub.cpp
+    anbox/bridge/android_api_stub.h
+    anbox/bridge/platform_api_skeleton.cpp
+    anbox/bridge/platform_api_skeleton.h
+    anbox/bridge/platform_message_processor.cpp
+    anbox/bridge/platform_message_processor.h

+    anbox/build/config.h
    anbox/build/config.h.in

-    anbox/android/intent.cpp
-    anbox/android/ip_config_builder.cpp
+    anbox/cmds/container_manager.cpp
+    anbox/cmds/container_manager.h
+    anbox/cmds/launch.cpp
+    anbox/cmds/launch.h
+    anbox/cmds/session_manager.cpp
+    anbox/cmds/session_manager.h
+    anbox/cmds/system_info.cpp
+    anbox/cmds/system_info.h
+    anbox/cmds/version.cpp
+    anbox/cmds/version.h
+    anbox/cmds/wait_ready.cpp
+    anbox/cmds/wait_ready.h

+    anbox/common/binary_writer.cpp
+    anbox/common/binary_writer.h
+    anbox/common/dispatcher.cpp
+    anbox/common/dispatcher.h
    anbox/common/fd.cpp
+    anbox/common/fd.h
    anbox/common/fd_sets.h
-    anbox/common/variable_length_array.h
-    anbox/common/wait_handle.cpp
-    anbox/common/dispatcher.cpp
-    anbox/common/small_vector.h
-    anbox/common/type_traits.h
-    anbox/common/message_channel.cpp
-    anbox/common/scope_ptr.h
-    anbox/common/loop_device.cpp
    anbox/common/loop_device_allocator.cpp
+    anbox/common/loop_device_allocator.h
+    anbox/common/loop_device.cpp
+    anbox/common/loop_device.h
+    anbox/common/message_channel.cpp
+    anbox/common/message_channel.h
    anbox/common/mount_entry.cpp
-    anbox/common/binary_writer.cpp
-
-    anbox/testing/gtest_utils.h
+    anbox/common/mount_entry.h
+    anbox/common/scope_ptr.h
+    anbox/common/small_vector.h
+    anbox/common/type_traits.h
+    anbox/common/variable_length_array.h
+    anbox/common/wait_handle.cpp
+    anbox/common/wait_handle.h

-    anbox/container/service.cpp
    anbox/container/client.cpp
+    anbox/container/client.h
    anbox/container/configuration.h
    anbox/container/container.cpp
+    anbox/container/container.h
    anbox/container/lxc_container.cpp
-    anbox/container/management_api_stub.cpp
-    anbox/container/management_api_skeleton.cpp
+    anbox/container/lxc_container.h
    anbox/container/management_api_message_processor.cpp
+    anbox/container/management_api_message_processor.h
+    anbox/container/management_api_skeleton.cpp
+    anbox/container/management_api_skeleton.h
+    anbox/container/management_api_stub.cpp
+    anbox/container/management_api_stub.h
+    anbox/container/service.cpp
+    anbox/container/service.h

-    anbox/network/credentials.cpp
-    anbox/network/message_sender.h
-    anbox/network/message_receiver.h
-    anbox/network/message_processor.h
-    anbox/network/connector.h
-    anbox/network/connection_creator.h
-    anbox/network/published_socket_connector.cpp
-    anbox/network/connections.h
-    anbox/network/socket_connection.cpp
-    anbox/network/socket_messenger.cpp
-    anbox/network/delegate_message_processor.cpp
-    anbox/network/delegate_connection_creator.h
-    anbox/network/base_socket_messenger.cpp
-    anbox/network/local_socket_messenger.cpp
-    anbox/network/tcp_socket_messenger.cpp
-    anbox/network/socket_helper.cpp
-    anbox/network/tcp_socket_connector.cpp
-
-    anbox/rpc/channel.cpp
-    anbox/rpc/pending_call_cache.cpp
-    anbox/rpc/constants.h
-    anbox/rpc/connection_creator.cpp
-    anbox/rpc/message_processor.cpp
-    anbox/rpc/template_message_processor.h
-    anbox/rpc/make_protobuf_object.h
+    anbox/dbus/bus.cpp
+    anbox/dbus/bus.h
+    anbox/dbus/codecs.h
+    anbox/dbus/interface.h
+    anbox/dbus/sd_bus_helpers.h
+    anbox/dbus/skeleton/application_manager.cpp
+    anbox/dbus/skeleton/application_manager.h
+    anbox/dbus/skeleton/service.cpp
+    anbox/dbus/skeleton/service.h
+    anbox/dbus/stub/application_manager.cpp
+    anbox/dbus/stub/application_manager.h

-    anbox/graphics/opengles_message_processor.cpp
-    anbox/graphics/buffer_queue.cpp
    anbox/graphics/buffered_io_stream.cpp
-    anbox/graphics/gl_renderer_server.cpp
+    anbox/graphics/buffered_io_stream.h
+    anbox/graphics/buffer_queue.cpp
+    anbox/graphics/buffer_queue.h
    anbox/graphics/density.cpp
    anbox/graphics/density.h
-    anbox/graphics/rect.cpp
+    anbox/graphics/gl_extensions.h
+    anbox/graphics/gl_renderer_server.cpp
+    anbox/graphics/gl_renderer_server.h
    anbox/graphics/layer_composer.cpp
+    anbox/graphics/layer_composer.h
    anbox/graphics/multi_window_composer_strategy.cpp
-    anbox/graphics/single_window_composer_strategy.cpp
-    anbox/graphics/program_family.cpp
+    anbox/graphics/multi_window_composer_strategy.h
+    anbox/graphics/opengles_message_processor.cpp
+    anbox/graphics/opengles_message_processor.h
    anbox/graphics/primitives.h
+    anbox/graphics/program_family.cpp
+    anbox/graphics/program_family.h
+    anbox/graphics/rect.cpp
+    anbox/graphics/rect.h
    anbox/graphics/renderer.h
-    anbox/graphics/gl_extensions.h
+    anbox/graphics/single_window_composer_strategy.cpp
+    anbox/graphics/single_window_composer_strategy.h

    anbox/graphics/emugl/ColorBuffer.cpp
+    anbox/graphics/emugl/ColorBuffer.h
+    anbox/graphics/emugl/DispatchTables.h
    anbox/graphics/emugl/DisplayManager.cpp
-    anbox/graphics/emugl/RendererConfig.cpp
-    anbox/graphics/emugl/Renderable.cpp
-    anbox/graphics/emugl/Renderer.cpp
+    anbox/graphics/emugl/DisplayManager.h
    anbox/graphics/emugl/ReadBuffer.cpp
+    anbox/graphics/emugl/ReadBuffer.h
+    anbox/graphics/emugl/Renderable.cpp
+    anbox/graphics/emugl/Renderable.h
    anbox/graphics/emugl/RenderApi.cpp
+    anbox/graphics/emugl/RenderApi.h
    anbox/graphics/emugl/RenderContext.cpp
+    anbox/graphics/emugl/RenderContext.h
    anbox/graphics/emugl/RenderControl.cpp
+    anbox/graphics/emugl/RenderControl.h
+    anbox/graphics/emugl/RendererConfig.cpp
+    anbox/graphics/emugl/RendererConfig.h
+    anbox/graphics/emugl/Renderer.cpp
+    anbox/graphics/emugl/Renderer.h
    anbox/graphics/emugl/RenderThread.cpp
+    anbox/graphics/emugl/RenderThread.h
    anbox/graphics/emugl/RenderThreadInfo.cpp
+    anbox/graphics/emugl/RenderThreadInfo.h
    anbox/graphics/emugl/TextureDraw.cpp
+    anbox/graphics/emugl/TextureDraw.h
    anbox/graphics/emugl/TextureResize.cpp
+    anbox/graphics/emugl/TextureResize.h
    anbox/graphics/emugl/TimeUtils.cpp
+    anbox/graphics/emugl/TimeUtils.h
    anbox/graphics/emugl/WindowSurface.cpp
+    anbox/graphics/emugl/WindowSurface.h

-    anbox/audio/server.cpp
-    anbox/audio/client_info.h
-    anbox/audio/source.h
-    anbox/audio/sink.h
+    anbox/input/device.cpp
+    anbox/input/device.h
+    anbox/input/manager.cpp
+    anbox/input/manager.h

-    anbox/wm/display.cpp
-    anbox/wm/task.cpp
-    anbox/wm/stack.cpp
-    anbox/wm/manager.cpp
-    anbox/wm/single_window_manager.cpp
-    anbox/wm/multi_window_manager.cpp
-    anbox/wm/window_state.cpp
-    anbox/wm/window.cpp
+    anbox/network/base_socket_messenger.cpp
+    anbox/network/base_socket_messenger.h
+    anbox/network/connection_context.cpp
+    anbox/network/connection_context.h
+    anbox/network/connection_creator.cpp
+    anbox/network/connection_creator.h
+    anbox/network/connections.h
+    anbox/network/connector.h
+    anbox/network/credentials.cpp
+    anbox/network/credentials.h
+    anbox/network/delegate_connection_creator.h
+    anbox/network/delegate_message_processor.cpp
+    anbox/network/delegate_message_processor.h
+    anbox/network/fd_socket_transmission.cpp
+    anbox/network/fd_socket_transmission.h
+    anbox/network/local_socket_messenger.cpp
+    anbox/network/local_socket_messenger.h
+    anbox/network/message_processor.h
+    anbox/network/message_receiver.h
+    anbox/network/message_sender.h
+    anbox/network/published_socket_connector.cpp
+    anbox/network/published_socket_connector.h
+    anbox/network/socket_connection.cpp
+    anbox/network/socket_connection.h
+    anbox/network/socket_helper.cpp
+    anbox/network/socket_helper.h
+    anbox/network/socket_messenger.cpp
+    anbox/network/socket_messenger.h
+    anbox/network/tcp_socket_connector.cpp
+    anbox/network/tcp_socket_connector.h
+    anbox/network/tcp_socket_messenger.cpp
+    anbox/network/tcp_socket_messenger.h

    anbox/platform/base_platform.cpp
-
+    anbox/platform/base_platform.h
    anbox/platform/null/platform.cpp
-
-    anbox/platform/sdl/sdl_wrapper.h
-    anbox/platform/sdl/window.cpp
+    anbox/platform/null/platform.h
+    anbox/platform/sdl/audio_sink.cpp
+    anbox/platform/sdl/audio_sink.h
    anbox/platform/sdl/keycode_converter.cpp
+    anbox/platform/sdl/keycode_converter.h
    anbox/platform/sdl/platform.cpp
-    anbox/platform/sdl/audio_sink.cpp
+    anbox/platform/sdl/platform.h
+    anbox/platform/sdl/sdl_wrapper.h
+    anbox/platform/sdl/window.cpp
+    anbox/platform/sdl/window.h

-    anbox/input/manager.cpp
-    anbox/input/device.cpp
+    anbox/protobuf/anbox_bridge.proto
+    anbox/protobuf/anbox_container.proto
+    anbox/protobuf/anbox_rpc.proto
+    anbox/protobuf/google_protobuf_guard.cpp

-    anbox/qemu/pipe_connection_creator.cpp
-    anbox/qemu/null_message_processor.cpp
-    anbox/qemu/qemud_message_processor.cpp
+    anbox/qemu/adb_message_processor.cpp
+    anbox/qemu/adb_message_processor.h
+    anbox/qemu/at_parser.cpp
+    anbox/qemu/at_parser.h
+    anbox/qemu/bootanimation_message_processor.cpp
+    anbox/qemu/bootanimation_message_processor.h
    anbox/qemu/boot_properties_message_processor.cpp
-    anbox/qemu/hwcontrol_message_processor.cpp
-    anbox/qemu/sensors_message_processor.cpp
+    anbox/qemu/boot_properties_message_processor.h
    anbox/qemu/camera_message_processor.cpp
+    anbox/qemu/camera_message_processor.h
    anbox/qemu/fingerprint_message_processor.cpp
+    anbox/qemu/fingerprint_message_processor.h
    anbox/qemu/gsm_message_processor.cpp
-    anbox/qemu/at_parser.cpp
-    anbox/qemu/bootanimation_message_processor.cpp
-    anbox/qemu/adb_message_processor.cpp
-
-    anbox/bridge/platform_message_processor.cpp
-    anbox/bridge/platform_api_skeleton.cpp
-    anbox/bridge/android_api_stub.cpp
+    anbox/qemu/gsm_message_processor.h
+    anbox/qemu/hwcontrol_message_processor.cpp
+    anbox/qemu/hwcontrol_message_processor.h
+    anbox/qemu/null_message_processor.cpp
+    anbox/qemu/null_message_processor.h
+    anbox/qemu/pipe_connection_creator.cpp
+    anbox/qemu/pipe_connection_creator.h
+    anbox/qemu/qemud_message_processor.cpp
+    anbox/qemu/qemud_message_processor.h
+    anbox/qemu/sensors_message_processor.cpp
+    anbox/qemu/sensors_message_processor.h

-    anbox/dbus/bus.cpp
-    anbox/dbus/bus.h
-    anbox/dbus/sd_bus_helpers.h
-    anbox/dbus/interface.h
-    anbox/dbus/skeleton/service.cpp
-    anbox/dbus/skeleton/service.h
-    anbox/dbus/skeleton/application_manager.cpp
-    anbox/dbus/skeleton/application_manager.h
-    anbox/dbus/stub/application_manager.cpp
-    anbox/dbus/stub/application_manager.h
+    anbox/rpc/channel.cpp
+    anbox/rpc/channel.h
+    anbox/rpc/connection_creator.cpp
+    anbox/rpc/connection_creator.h
+    anbox/rpc/constants.h
+    anbox/rpc/make_protobuf_object.h
+    anbox/rpc/message_processor.cpp
+    anbox/rpc/message_processor.h
+    anbox/rpc/pending_call_cache.cpp
+    anbox/rpc/pending_call_cache.h
+    anbox/rpc/template_message_processor.h

-    anbox/application/launcher_storage.cpp
-    anbox/application/database.cpp
-    anbox/application/manager.h
+    anbox/testing/gtest_utils.h

-    anbox/cmds/version.cpp
-    anbox/cmds/session_manager.cpp
-    anbox/cmds/container_manager.cpp
-    anbox/cmds/launch.cpp
-    anbox/cmds/system_info.cpp
-    anbox/cmds/wait_ready.cpp
-    anbox/cmds/wait_ready.h
+    anbox/ui/splash_screen.cpp
+    anbox/ui/splash_screen.h

    anbox/utils/environment_file.cpp
+    anbox/utils/environment_file.h

-    anbox/ui/splash_screen.cpp
+    anbox/wm/display.cpp
+    anbox/wm/display.h
+    anbox/wm/manager.cpp
+    anbox/wm/manager.h
+    anbox/wm/multi_window_manager.cpp
+    anbox/wm/multi_window_manager.h
+    anbox/wm/single_window_manager.cpp
+    anbox/wm/single_window_manager.h
+    anbox/wm/stack.cpp
+    anbox/wm/stack.h
+    anbox/wm/task.cpp
+    anbox/wm/task.h
+    anbox/wm/window.cpp
+    anbox/wm/window.h
+    anbox/wm/window_state.cpp
+    anbox/wm/window_state.h

+    anbox/cli.cpp
+    anbox/cli.h
+    anbox/daemon.cpp
+    anbox/daemon.h
+    anbox/defer_action.h
    anbox/do_not_copy_or_move.h
+    anbox/logger.cpp
+    anbox/logger.h
+    anbox/not_reachable.cpp
+    anbox/not_reachable.h
    anbox/optional.h
-    anbox/defer_action.h)
+    anbox/utils.cpp
+    anbox/utils.h
+    anbox/runtime.cpp
+    anbox/runtime.h
+    anbox/system_configuration.cpp
+    anbox/system_configuration.h)

 add_library(anbox-core STATIC ${SOURCES})
 target_link_libraries(anbox-core

--- a/src/anbox/cli.h
+++ b/src/anbox/cli.h
@@ -71,7 +71,7 @@ std::ostream& operator<<(std::ostream& out,
 }

 // We are imposing size constraints to ensure a consistent CLI layout.
-typedef SizeConstrainedString<20> Name;
+typedef SizeConstrainedString<30> Name;
 typedef SizeConstrainedString<60> Usage;
 typedef SizeConstrainedString<100> Description;


--- a/src/anbox/cmds/container_manager.cpp
+++ b/src/anbox/cmds/container_manager.cpp
@@ -52,6 +52,9 @@ anbox::cmds::ContainerManager::ContainerManager()
  flag(cli::make_flag(cli::Name{"daemon"},
                      cli::Description{"Mark service as being started as systemd daemon"},
                      daemon_));
+  flag(cli::make_flag(cli::Name{"use-rootfs-overlay"},
+                      cli::Description{"Use an overlay for the Android rootfs"},
+                      enable_rootfs_overlay_));

  action([&](const cli::Command::Context&) {
    try {
@@ -87,7 +90,10 @@ anbox::cmds::ContainerManager::ContainerManager()
        return EXIT_FAILURE;

      auto rt = Runtime::create();
-      auto service = container::Service::create(rt, privileged_);
+      container::Service::Configuration config;
+      config.privileged = privileged_;
+      config.rootfs_overlay = enable_rootfs_overlay_;
+      auto service = container::Service::create(rt, config);

      rt->start();
      trap->run();
@@ -183,8 +189,17 @@ bool anbox::cmds::ContainerManager::setup_mounts() {
    return false;
  }

+  auto final_android_rootfs_dir = android_rootfs_dir;
+  if (enable_rootfs_overlay_) {
+    if (!setup_rootfs_overlay())
+      return false;
+
+    final_android_rootfs_dir = SystemConfiguration::instance().combined_rootfs_dir();
+  }
+
+
  for (const auto &dir_name : std::vector<std::string>{"cache", "data"}) {
-    auto target_dir_path = fs::path(android_rootfs_dir) / dir_name;
+    auto target_dir_path = fs::path(final_android_rootfs_dir) / dir_name;
    auto src_dir_path = SystemConfiguration::instance().data_dir() / dir_name;

    if (!fs::exists(src_dir_path)) {
@@ -214,3 +229,26 @@ bool anbox::cmds::ContainerManager::setup_mounts() {

  return true;
 }
+
+bool anbox::cmds::ContainerManager::setup_rootfs_overlay() {
+  const auto combined_rootfs_path = SystemConfiguration::instance().combined_rootfs_dir();
+  if (!fs::exists(combined_rootfs_path))
+    fs::create_directories(combined_rootfs_path);
+
+  const auto overlay_path = SystemConfiguration::instance().overlay_dir();
+  if (!fs::exists(overlay_path))
+    fs::create_directories(overlay_path);
+
+  const auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
+  const auto overlay_config = utils::string_format("lowerdir=%s:%s", rootfs_path, overlay_path);
+  auto m = common::MountEntry::create("overlay", combined_rootfs_path, "overlay", MS_RDONLY, overlay_config.c_str());
+  if (!m) {
+    ERROR("Failed to setup rootfs overlay");
+    mounts_.clear();
+    return false;
+  }
+  mounts_.push_back(m);
+
+  DEBUG("Successfully setup rootfs overlay");
+  return true;
+}
--- a/src/anbox/cmds/container_manager.h
+++ b/src/anbox/cmds/container_manager.h
@@ -36,6 +36,7 @@ class ContainerManager : public cli::CommandWithFlagsAndAction {

 private:
  bool setup_mounts();
+  bool setup_rootfs_overlay();

  std::string android_img_path_;
  std::string data_path_;
@@ -43,6 +44,7 @@ class ContainerManager : public cli::CommandWithFlagsAndAction {
  std::vector<std::shared_ptr<common::MountEntry>> mounts_;
  bool privileged_ = false;
  bool daemon_ = false;
+  bool enable_rootfs_overlay_ = false;
 };
 }  // namespace cmds
 }  // namespace anbox

--- a/src/anbox/common/mount_entry.cpp
+++ b/src/anbox/common/mount_entry.cpp
@@ -33,8 +33,12 @@ std::shared_ptr<MountEntry> MountEntry::create(const boost::filesystem::path &sr
  if (!data.empty())
    mount_data = reinterpret_cast<const void*>(data.c_str());

-  if (::mount(src.c_str(), target.c_str(), !fs_type.empty() ? fs_type.c_str() : nullptr, flags, mount_data) != 0)
+  DEBUG("Mounting %s on %s ...", src, target);
+
+  if (::mount(src.c_str(), target.c_str(), !fs_type.empty() ? fs_type.c_str() : nullptr, flags, mount_data) < 0) {
+    ERROR("Failed to mount %s: %s", target, strerror(errno));
    return nullptr;
+  }

  entry->active_ = true;


--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@@ -58,8 +58,12 @@ constexpr int device_minor(__dev_t dev) {

 namespace anbox {
 namespace container {
-LxcContainer::LxcContainer(bool privileged, const network::Credentials &creds)
-    : state_(State::inactive), container_(nullptr),  privileged_(privileged), creds_(creds) {
+LxcContainer::LxcContainer(bool privileged, bool rootfs_overlay, const network::Credentials &creds)
+    : state_(State::inactive),
+      container_(nullptr),
+      privileged_(privileged),
+      rootfs_overlay_(rootfs_overlay),
+      creds_(creds) {
  utils::ensure_paths({
      SystemConfiguration::instance().container_config_dir(),
      SystemConfiguration::instance().log_dir(),
@@ -68,7 +72,8 @@ LxcContainer::LxcContainer(bool privileged, const network::Credentials &creds)

 LxcContainer::~LxcContainer() {
  stop();
-  if (container_) lxc_container_put(container_);
+  if (container_)
+    lxc_container_put(container_);
 }

 void LxcContainer::setup_id_map() {
@@ -261,7 +266,10 @@ void LxcContainer::start(const Configuration &configuration) {

  set_config_item("lxc.init.cmd", "/anbox-init.sh");

-  const auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
+  auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
+  if (rootfs_overlay_)
+    rootfs_path = SystemConfiguration::instance().combined_rootfs_dir();
+
  DEBUG("Using rootfs path %s", rootfs_path);
  set_config_item("lxc.rootfs.path", rootfs_path);


--- a/src/anbox/container/lxc_container.h
+++ b/src/anbox/container/lxc_container.h
@@ -29,7 +29,7 @@ namespace anbox {
 namespace container {
 class LxcContainer : public Container {
 public:
-  LxcContainer(bool privileged, const network::Credentials &creds);
+  LxcContainer(bool privileged, bool rootfs_overlay, const network::Credentials &creds);
  ~LxcContainer();

  void start(const Configuration &configuration) override;
@@ -45,6 +45,7 @@ class LxcContainer : public Container {
  State state_;
  lxc_container *container_;
  bool privileged_;
+  bool rootfs_overlay_;
  network::Credentials creds_;
 };
 }  // namespace container

--- a/src/anbox/container/service.cpp
+++ b/src/anbox/container/service.cpp
@@ -34,8 +34,8 @@ namespace fs = boost::filesystem;

 namespace anbox {
 namespace container {
-std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt, bool privileged) {
-  auto sp = std::shared_ptr<Service>(new Service(rt, privileged));
+std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt, const Configuration &config) {
+  auto sp = std::shared_ptr<Service>(new Service(rt, config));

  auto wp = std::weak_ptr<Service>(sp);
  auto delegate_connector = std::make_shared<network::DelegateConnectionCreator<boost::asio::local::stream_protocol>>(
@@ -59,11 +59,11 @@ std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt, boo
  return sp;
 }

-Service::Service(const std::shared_ptr<Runtime> &rt, bool privileged)
+Service::Service(const std::shared_ptr<Runtime> &rt, const Configuration &config)
    : dispatcher_(anbox::common::create_dispatcher_for_runtime(rt)),
      next_connection_id_(0),
      connections_(std::make_shared<network::Connections<network::SocketConnection>>()),
-      privileged_(privileged) {
+      config_(config) {
 }

 Service::~Service() {
@@ -86,7 +86,7 @@ void Service::new_client(std::shared_ptr<boost::asio::local::stream_protocol::so
  auto pending_calls = std::make_shared<rpc::PendingCallCache>();
  auto rpc_channel = std::make_shared<rpc::Channel>(pending_calls, messenger);
  auto server = std::make_shared<container::ManagementApiSkeleton>(
-      pending_calls, std::make_shared<LxcContainer>(privileged_, messenger->creds()));
+      pending_calls, std::make_shared<LxcContainer>(config_.privileged, config_.rootfs_overlay, messenger->creds()));
  auto processor = std::make_shared<container::ManagementApiMessageProcessor>(
      messenger, pending_calls, server);


--- a/src/anbox/container/service.h
+++ b/src/anbox/container/service.h
@@ -30,12 +30,18 @@ namespace anbox {
 namespace container {
 class Service : public std::enable_shared_from_this<Service> {
 public:
-  static std::shared_ptr<Service> create(const std::shared_ptr<Runtime> &rt, bool privileged);
+  struct Configuration {
+    bool privileged = false;
+    bool rootfs_overlay = true;
+  };
+
+  static std::shared_ptr<Service> create(const std::shared_ptr<Runtime> &rt,
+                                         const Configuration &config);

  ~Service();

 private:
-  Service(const std::shared_ptr<Runtime> &rt, bool privileged);
+  Service(const std::shared_ptr<Runtime> &rt, const Configuration &config);

  int next_id();
  void new_client(std::shared_ptr<
@@ -46,7 +52,7 @@ class Service : public std::enable_shared_from_this<Service> {
  std::atomic<int> next_connection_id_;
  std::shared_ptr<network::Connections<network::SocketConnection>> connections_;
  std::shared_ptr<Container> backend_;
-  bool privileged_;
+  Configuration config_;
 };
 }  // namespace container
 }  // namespace anbox

--- a/src/anbox/system_configuration.cpp
+++ b/src/anbox/system_configuration.cpp
@@ -55,6 +55,14 @@ std::string anbox::SystemConfiguration::rootfs_dir() const {
  return (data_path / "rootfs").string();
 }

+std::string anbox::SystemConfiguration::overlay_dir() const {
+  return (data_path / "rootfs-overlay").string();
+}
+
+std::string anbox::SystemConfiguration::combined_rootfs_dir() const {
+  return (data_path / "combined-rootfs").string();
+}
+
 std::string anbox::SystemConfiguration::log_dir() const {
  return (data_path / "logs").string();
 }

--- a/src/anbox/system_configuration.h
+++ b/src/anbox/system_configuration.h
@@ -34,6 +34,8 @@ class SystemConfiguration {

  boost::filesystem::path data_dir() const;
  std::string rootfs_dir() const;
+  std::string overlay_dir() const;
+  std::string combined_rootfs_dir() const;
  std::string log_dir() const;
  std::string socket_dir() const;
  std::string container_config_dir() const;