未验证
提交
baedea8d
编写于
7月 19, 2018
作者:
S
Simon Fels
提交者:
GitHub
7月 19, 2018
Merge pull request #827 from morphis/snap-confinement-phase1
Initial support for full snap confinement
上级
bc2cf304
2b83d922
变更
4
Showing
4 changed file
with
85 addition
and
18 deletion
+85
-18
CMakeLists.txt
CMakeLists.txt
+6
-0
scripts/container-manager.sh
scripts/container-manager.sh
+0
-5
snap/snapcraft.yaml
snap/snapcraft.yaml
+67
-8
src/anbox/container/lxc_container.cpp
src/anbox/container/lxc_container.cpp
+12
-5
CMakeLists.txt
...
...
@@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "")
message
(
STATUS
"Host C compiler:
${
HOST_CMAKE_CXX_COMPILER
}
"
)
endif
()
option
(
SNAP_CONFINEMENT
"Enable snap confinement support"
OFF
)
if
(
SNAP_CONFINEMENT
)
message
(
STATUS
"Building with support for snap confinement"
)
set
(
CMAKE_CXX_FLAGS
"
${
CMAKE_CXX_FLAGS
}
-DENABLE_SNAP_CONFINEMENT"
)
endif
()
install
(
FILES data/ui/loading-screen.png DESTINATION
${
ANBOX_RESOURCE_DIR
}
/ui
)
# uninstall target
...
...
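Review bot: The new block appends `-DENABLE_SNAP_CONFINEMENT` to `CMAKE_CXX_FLAGS` by string concatenation, which reaches only C++ translation units and bypasses CMake's own definition tracking; `add_definitions(-DENABLE_SNAP_CONFINEMENT)` inside the same `if(SNAP_CONFINEMENT)` branch (or `target_compile_definitions` on the affected targets, if they are declared after this point) is the idiomatic form. Since the option defaults to OFF, the macro is simply absent in a plain build, so a one-line comment on the `option()` such as `# OFF builds the non-confined code paths guarded by #if ENABLE_SNAP_CONFINEMENT` would help anyone reading the source-side checks.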
scripts/container-manager.sh
...
...
@@ -53,11 +53,6 @@ start() {
# lib directory as explicit search target here.
export
LD_LIBRARY_PATH
=
"
$LD_LIBRARY_PATH
:
$SNAP
/usr/lib/
$ARCH
"
if
[
-d
/sys/kernel/security/apparmor
]
;
then
# Load the profile for our Android container
"
$SNAP
"
/sbin/apparmor_parser
-r
"
$SNAP
"
/apparmor/anbox-container.aa
fi
enable_debug
=
"
$(
snapctl get debug.enable
)
"
if
[
"
$enable_debug
"
=
true
]
;
then
export
ANBOX_LOG_LEVEL
=
debug
...
...
snap/snapcraft.yaml
...
...
@@ -16,25 +16,44 @@ grade: devel
architectures
:
[
amd64
]
slots
:
# Depending on in which environment we're running we either need
# to use the system or session DBus so we also need to have one
# slot for each.
dbus-session
:
dbus-session-slot
:
interface
:
dbus
bus
:
s
ystem
bus
:
s
ession
name
:
org.anbox
dbus-system
:
plugs
:
dbus-session-plug
:
interface
:
dbus
bus
:
s
ystem
bus
:
s
ession
name
:
org.anbox
apps
:
anbox
:
command
:
desktop-launch $SNAP/bin/anbox-wrapper.sh
slots
:
-
dbus-session-slot
plugs
:
-
x11
-
unity7
-
network
-
opengl
-
wayland
-
pulseaudio
-
home
-
process-control
-
desktop
container-manager
:
command
:
bin/container-manager.sh start
stop-command
:
bin/container-manager.sh stop
daemon
:
simple
plugs
:
-
firewall-control
-
kernel-module-control
-
mount-observe
-
network-control
-
network-bind
collect-bug-info
:
command
:
bin/collect-bug-info.sh
shell
:
...
...
@@ -42,9 +61,36 @@ apps:
android-settings
:
command
:
desktop-launch $SNAP/bin/app-android-settings.sh
desktop
:
desktop/android-settings.desktop
slots
:
-
dbus-session-slot
plugs
:
-
dbus-session-plug
-
x11
-
unity7
-
network
-
opengl
-
wayland
-
pulseaudio
-
home
-
process-control
-
desktop
appmgr
:
command
:
desktop-launch $SNAP/bin/app-appmgr.sh
desktop
:
desktop/appmgr.desktop
slots
:
-
dbus-session-slot
plugs
:
-
dbus-session-plug
-
x11
-
unity7
-
network
-
opengl
-
wayland
-
pulseaudio
-
home
-
process-control
-
desktop
parts
:
android
:
...
...
@@ -102,7 +148,7 @@ parts:
lxc
:
source
:
https://github.com/lxc/lxc
source-type
:
git
source-tag
:
lxc-3.0.
0
source-tag
:
lxc-3.0.
1
build-packages
:
-
libapparmor-dev
-
libcap-dev
...
...
@@ -125,6 +171,16 @@ parts:
-
--enable-capabilities
-
--with-rootfs-path=/var/snap/anbox/common/lxc/
-
--libexecdir=/snap/anbox/current/libexec/
override-build
:
|
set -ex
git config user.email "buildbot@anbox.io"
git config user.name "Anbox Buildbot"
git remote add anbox https://github.com/anbox/lxc
git fetch anbox
# apparmor: don't require a transition for Anbox child profiles
git cherry-pick 2f81fb7c91560b32e506bb874f8cd63e37985906
set +ex
snapcraftctl build
organize
:
snap/anbox/current/libexec
:
libexec
prime
:
...
...
@@ -195,6 +251,9 @@ parts:
# that is fixed we can avoid using a prefix here.
-
-DCMAKE_INSTALL_PREFIX:PATH=/usr
-
-DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION
# FIXME: Once we have everything in place for full snap confinement we
# can securely enable this.
# - -DSNAP_CONFINEMENT=ON
build-packages
:
-
build-essential
-
cmake
...
...
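Review bot: The `container-manager` app now declares `firewall-control`, `kernel-module-control`, `mount-observe`, `network-control` and `network-bind` with no note of which operation needs each of them; these are among the most privileged snapd interfaces, so a one-line comment per plug (e.g. `# kernel-module-control: <operation that needs it>`) would let a reviewer check the set against least privilege and drop entries later once they are unnecessary. The lxc part is pinned by `source-tag: lxc-3.0.1`, and a git tag can be moved upstream; adding `source-commit` with that tag's commit hash would make the build reproducible in the way the `git cherry-pick 2f81fb7c…` of the anbox/lxc fork already is. The `-DSNAP_CONFINEMENT=ON` line is left commented out, so as merged the snap still builds the non-confined branch of lxc_container.cpp; the FIXME says so, but naming the remaining blockers there would make that state easier to track.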
src/anbox/container/lxc_container.cpp
...
...
@@ -266,6 +266,13 @@ void LxcContainer::start(const Configuration &configuration) {
set_config_item
(
"lxc.init.cmd"
,
"/anbox-init.sh"
);
#if ENABLE_SNAP_CONFINEMENT
// If we're running inside the snap environment snap-confine already created a
// cgroup for us we need to use as otherwise presevering a namespace wont help.
if
(
utils
::
is_env_set
(
"SNAP"
))
set_config_item
(
"lxc.namespace.keep"
,
"cgroup"
);
#endif
auto
rootfs_path
=
SystemConfiguration
::
instance
().
rootfs_dir
();
if
(
rootfs_overlay_
)
rootfs_path
=
SystemConfiguration
::
instance
().
combined_rootfs_dir
();
...
...
@@ -283,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) {
setup_network
();
#if
0
set_config_item("lxc.apparmor.profile", "anbox-container");
const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
set_config_item("lxc.
seccomp.profile", seccomp_profile_path.string().c_str()
);
#if
ENABLE_SNAP_CONFINEMENT
// We take the AppArmor profile snapd has defined for us as part of the
// anbox-support interface. The container manager itself runs within a
// child profile snap.anbox.container-manager//lxc too.
set_config_item
(
"lxc.
apparmor.profile"
,
"snap.anbox.container-manager//container"
);
#else
set_config_item
(
"lxc.apparmor.profile"
,
"unconfined"
);
#endif
...
...
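Review bot: In the second hunk the `#else` branch sets `lxc.apparmor.profile` to `"unconfined"` explicitly, and since the companion snapcraft.yaml change leaves `-DSNAP_CONFINEMENT=ON` commented out, this is the branch the snap and any default in-tree build ship with; presumably LXC would otherwise apply its own default profile, so if running without confinement is intended a comment above that line should say why (and that the `anbox-container.aa` profile load removed from container-manager.sh in the same commit is no longer relied on), otherwise leaving the item unset is the safer choice. The `lxc.seccomp.profile` line from the removed `#if 0` block is not carried into either branch; if that is deliberate, a comment saying so would prevent it being re-added blindly. In the first hunk the new comment reads `presevering a namespace wont help`; it should read `preserving a namespace won't help`. `LxcContainer::start` begins and ends outside both hunks.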