The package rpms/waydroid.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/waydroid.git/commit/?id=30ac6b36b....
Change:
+ExcludeArch: s390x
Thanks.
Full change:
============
commit 30ac6b36b6477e098e7c3e8addab034aa9dcf986
Author: Alessandro Astone <ales.astone(a)gmail.com>
Date: Fri Dec 30 15:59:08 2022 +0100
Initial import (fedora#2120119).
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e22f4be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/waydroid-1.3.4.tar.gz
diff --git a/dev-binderfs.mount b/dev-binderfs.mount
new file mode 100644
index 0000000..5884673
--- /dev/null
+++ b/dev-binderfs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Mount binderfs partition
+
+[Mount]
+What=binder
+Where=/dev/binderfs
+Type=binder
diff --git a/mount-secontext.patch b/mount-secontext.patch
new file mode 100644
index 0000000..44429ea
--- /dev/null
+++ b/mount-secontext.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/helpers/mount.py b/tools/helpers/mount.py
+index fdf6477..de9718a 100644
+--- a/tools/helpers/mount.py
++++ b/tools/helpers/mount.py
+@@ -128,7 +128,7 @@ def mount(args, source, destination, create_folders=True,
umount=False, readonly
+ destination)
+
+ # Actually mount the folder
+- tools.helpers.run.user(args, ["mount", source, destination])
++ tools.helpers.run.user(args, ["mount", "-o",
"context=\"system_u:object_r:waydroid_rootfs_t:s0\"", source,
destination])
+ if readonly:
+ tools.helpers.run.user(args, ["mount", "-o",
"remount,ro", source, destination])
+
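Review bot: The patched `mount` call passes `context=...waydroid_rootfs_t...` unconditionally, while the spec only requires `waydroid-selinux` when `selinux-policy-targeted` is installed. On a host where SELinux is enabled but the `waydroid_rootfs_t` type is not loaded, the mount would presumably be rejected as an invalid context, so the option is safer added only when the policy module is present, or the failure should be reported clearly. The escaped `\"` around the context value reaches `mount` literally if `tools.helpers.run.user` runs the list without a shell, which this hunk does not show; a one-line comment saying whether those quotes are intentional would help the next maintainer. The body of `mount()` starts and ends outside the hunk.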
diff --git a/setup-firewalld.patch b/setup-firewalld.patch
new file mode 100644
index 0000000..dde0abd
--- /dev/null
+++ b/setup-firewalld.patch
@@ -0,0 +1,17 @@
+--- waydroid-1.2.0/data/scripts/waydroid-net.sh 2021-10-19 15:50:56.000000000 +0800
++++ waydroid-1.2.0-1/data/scripts/waydroid-net.sh 2021-10-21 22:57:50.991706580 +0800
+@@ -1,4 +1,4 @@
+-#!/bin/sh -
++#!/usr/bin/sh -
+
+ varrun="/run/waydroid-lxc"
+ varlib="/var/lib"
+@@ -60,6 +60,8 @@ _ifup() {
+ ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
+ ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
+ ip link set dev ${LXC_BRIDGE} up
++ # Fedora specific
++ firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true
+ }
+
+ start_ipv6() {
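Review bot: Putting `${LXC_BRIDGE}` into the `trusted` zone in `_ifup` makes firewalld accept every connection that arrives on the bridge, so the Android guest gets access to all host services rather than only the DHCP and DNS the bridge needs. A dedicated zone limited to those services and to forwarding would follow least privilege, and the `# Fedora specific` comment should at least state this trade-off. The `|| true` also hides a failed call with no trace in the log; consider `firewall-cmd --zone=trusted --add-interface="${LXC_BRIDGE}" || echo "waydroid-net: could not assign firewalld zone" >&2`, which also quotes the variable. No matching `--remove-interface` is visible for teardown, which lies outside this hunk.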
diff --git a/sources b/sources
new file mode 100644
index 0000000..926c047
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (waydroid-1.3.4.tar.gz) =
2c7feb8cfe2b6e2738159d07e12f378250f5ba6a0d0f47c0ff904af934eacde193ae0fcae1cb4fb67d1687a2ffcd2864c1eea4fa5e52c19685ffad5c702359a5
diff --git a/waydroid-container.service b/waydroid-container.service
new file mode 100644
index 0000000..13593c2
--- /dev/null
+++ b/waydroid-container.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Waydroid Container
+Wants=dev-binderfs.mount
+
+[Service]
+ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder /dev/binderfs/vndbinder
/dev/binderfs/hwbinder /dev/
+ExecStart=/usr/bin/waydroid -w container start
+ExecStop=/usr/bin/waydroid container stop
+ExecStopPost=/usr/bin/waydroid session stop
+
+[Install]
+WantedBy=multi-user.target
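Review bot: `Wants=dev-binderfs.mount` pulls the mount in, but it neither orders the service after the mount nor stops the service when the mount fails. When the unit is started outside of boot, as the spec's `%post` does, `ExecStartPre` can therefore run `ln -sf` before `/dev/binderfs` is populated and leave dangling links in `/dev`. If binderfs is mandatory, use `Requires=dev-binderfs.mount` together with `After=dev-binderfs.mount`. If the soft dependency is deliberate (for hosts that expose binder devices another way), keep `Wants=`, add the `After=` line, and note the reason in a comment.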
diff --git a/waydroid-gbinder.conf b/waydroid-gbinder.conf
new file mode 100644
index 0000000..a95692f
--- /dev/null
+++ b/waydroid-gbinder.conf
@@ -0,0 +1,2 @@
+[General]
+ApiLevel = 29
diff --git a/waydroid.fc b/waydroid.fc
new file mode 100644
index 0000000..c66329c
--- /dev/null
+++ b/waydroid.fc
@@ -0,0 +1,5 @@
+/usr/lib/waydroid/waydroid.py
gen_context(system_u:object_r:waydroid_exec_t,s0)
+/usr/lib/waydroid/data/scripts/waydroid-net\.sh
gen_context(system_u:object_r:waydroid_net_exec_t,s0)
+/var/lib/waydroid(.*)?
gen_context(system_u:object_r:waydroid_data_t,s0)
+/var/run/waydroid-(?!lxc).*
gen_context(system_u:object_r:waydroid_var_run_t,s0)
+/run/waydroid-(?!lxc).*
gen_context(system_u:object_r:waydroid_var_run_t,s0)
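Review bot: The first entry leaves the dot in `waydroid.py` unescaped, while the next line escapes it as `waydroid-net\.sh`. In a file-context regex the bare dot matches any character, so the `waydroid_exec_t` label would apply to more paths than intended. Write it as `/usr/lib/waydroid/waydroid\.py`, and consider adding the `--` file-type field to the two executable entries so only regular files receive the exec types. A short comment on the `(?!lxc)` lookahead explaining why the `waydroid-lxc` runtime directory is excluded would also help.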
diff --git a/waydroid.spec b/waydroid.spec
new file mode 100644
index 0000000..92dd398
--- /dev/null
+++ b/waydroid.spec
@@ -0,0 +1,182 @@
+%global forgeurl
https://github.com/waydroid/waydroid
+%global selinuxtype targeted
+
+Version: 1.3.4
+%global tag %{version}
+
+%forgemeta
+Name: waydroid
+Release: 3%{?dist}
+Summary: Container-based approach to boot a full Android system on GNU/Linux
+License: GPL-3.0-only
+URL: %{forgeurl}
+Source: %{forgesource}
+Source1: waydroid.te
+Source2: waydroid-gbinder.conf
+Source3: waydroid-container.service
+Source4: dev-binderfs.mount
+Source6: waydroid.fc
+
+# Assign firewalld zone to the waydroid network interface
+Patch0: setup-firewalld.patch
+
+# Mount the android rootfs with a default selinux context
+Patch1: mount-secontext.patch
+
+BuildArch: noarch
+# TODO: Track bugzilla ticket
+ExcludeArch: s390x
+
+BuildRequires: make
+BuildRequires: selinux-policy-devel
+BuildRequires: container-selinux
+BuildRequires: systemd
+BuildRequires: python3-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: desktop-file-utils
+BuildRequires: libappstream-glib
+
+Requires: python3-gbinder >= 1.1.0
+Requires: python3-gobject
+Requires: lxc
+Requires: gtk3
+Requires: (%{name}-selinux = %{version}-%{release} if
selinux-policy-%{selinuxtype})
+Requires: nftables
+Requires: iproute
+Requires: dnsmasq
+Recommends: python3-pyclip
+Recommends: wl-clipboard
+
+%description
+Waydroid uses Linux namespaces to run a full Android system in a container
+and provide Android applications on any GNU/Linux-based platform.
+The Android system inside the container has direct access to needed hardware
+through LXC and the binder interface.
+
+%package selinux
+Summary: SELinux policy module for waydroid
+Requires: %{name} = %{version}-%{release}
+Requires: container-selinux
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module necessary to run waydroid.
+
+%prep
+%forgeautosetup -p1
+mkdir SELinux
+cp %{S:1} SELinux/
+cp %{S:6} SELinux/
+
+%build
+# Remove link for ROM files
+sed -i -e '/"system_channel":/ s/: ".*"/: ""/'
tools/config/__init__.py
+sed -i -e '/"vendor_channel":/ s/: ".*"/: ""/'
tools/config/__init__.py
+# Compile sepolicy
+cd SELinux
+%{__make} NAME=%{selinuxtype} -f /usr/share/selinux/devel/Makefile
+
+%install
+%make_install LIBDIR=%{_libdir} DESTDIR=%{buildroot} USE_SYSTEMD=0 USE_NFTABLES=1
+%py_byte_compile %{python3} %{buildroot}%{_prefix}/lib/waydroid
+%{__install} -d %{buildroot}%{_unitdir}
+%{__install} -d %{buildroot}%{_datadir}/selinux/%{selinuxtype}
+%{__install} -p -m 644 %{S:3} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 %{S:4} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 SELinux/%{name}.pp
%{buildroot}%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%check
+desktop-file-validate %{buildroot}/%{_datadir}/applications/Waydroid.desktop
+appstream-util validate-relax --nonet
%{buildroot}%{_metainfodir}/id.waydro.waydroid.metainfo.xml
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # the daemon needs to be restarted for the custom label to be applied
+ %systemd_postun_with_restart waydroid-container.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%post
+waydroid upgrade -o > /dev/null || :
+%systemd_post waydroid-container.service
+if [ $1 -eq 1 ]; then
+ if systemctl -q is-enabled waydroid-container.service > /dev/null 2>&1 ;
then
+ systemctl start waydroid-container.service > /dev/null 2>&1 || :
+ fi
+fi
+
+%preun
+%systemd_preun waydroid-container.service
+
+%postun
+%systemd_postun_with_restart waydroid-container.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_prefix}/lib/waydroid
+%{_datadir}/applications/Waydroid.desktop
+%{_datadir}/applications/waydroid.market.desktop
+%{_datadir}/metainfo/id.waydro.waydroid.metainfo.xml
+%{_bindir}/waydroid
+%{_unitdir}/waydroid-container.service
+%{_unitdir}/dev-binderfs.mount
+
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%changelog
+* Tue Dec 27 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.4-3
+- Fix description typos etc.
+- Validate desktop and metainfo files
+- Reorder post install scriptlets
+
+* Sun Dec 25 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.4-2
+- Add selinux label to android rootfs
+- Make package noarch
+
+* Wed Dec 14 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.4-1
+- Update to 1.3.4
+
+* Sat Nov 05 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.3-3
+- Override selinux context of the android rootfs
+- Fixes
https://github.com/casualsnek/waydroid_script
+
+* Sun Oct 30 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.3-2
+- Add sepolicy for updating from the android app
+
+* Sun Sep 25 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.3-1
+- Update to 1.3.3
+
+* Fri Sep 02 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Aug 09 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.3.0-1
+- Update to 1.3.0
+
+* Sun Apr 17 2022 Alessandro Astone <ales.astone(a)gmail.com> - 1.2.1-1
+- Update to 1.2.1
+
+* Mon Mar 07 2022 Alessandro Astone <ales.astone(a)gmail.com> -
1.2.0-7.20220307git1.2.0
+- Recommend pyclip
+
+* Sat Feb 26 2022 Alessandro Astone <ales.astone(a)gmail.com> -
1.2.0-5.20220226git1.2.0
+- Add sepolicy for crash handler
+
+* Fri Feb 25 2022 Alessandro Astone <ales.astone(a)gmail.com> -
1.2.0-4.20220225git1.2.0
+- Respin package
+
+* Wed Aug 12 2020 Qiyu Yan <yanqiyu(a)fedoraproject.org> - 0-0.1.20200811gitc87ea48
+- initial package
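Review bot: In `%post selinux` the restart is done with `%systemd_postun_with_restart`, a macro written for `%postun`; it only fires here because its internal `$1` test happens to be true on first install. That is fragile against changes in systemd-rpm-macros, and if it silently stops working the daemon keeps running without the new label. An explicit `systemctl try-restart waydroid-container.service >/dev/null 2>&1 || :` inside the existing `if` states the intent directly. Separately, `# TODO: Track bugzilla ticket` above `ExcludeArch: s390x` gives neither the reason nor a ticket; replace it with something like `# <reason s390x is unsupported>, tracked in <bugzilla URL>`.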
diff --git a/waydroid.te b/waydroid.te
new file mode 100644
index 0000000..103c3c0
--- /dev/null
+++ b/waydroid.te
@@ -0,0 +1,133 @@
+
+policy_module(waydroid, 1.0)
+
+require {
+ type unconfined_t;
+ type unconfined_service_t;
+ type spc_t;
+ type init_t;
+ type binder_device_t;
+ type binderfs_t;
+ type abrt_t;
+ type bin_t;
+ type var_lib_t;
+ type proc_t;
+ type mount_exec_t;
+ type mount_t;
+ type sysctl_net_t;
+ type sysfs_t;
+ type uhid_device_t;
+ type tun_tap_device_t;
+ type tmp_t;
+ type http_cache_port_t;
+ type rpm_script_t;
+ role rpm_script_roles;
+ type iptables_t;
+}
+
+# Define domain
+type waydroid_t;
+type waydroid_exec_t;
+init_daemon_domain(waydroid_t, waydroid_exec_t)
+
+# Execute python
+allow waydroid_t bin_t:file { map execute };
+allow waydroid_t proc_t:file read_file_perms;
+gnome_search_gconf_data_dir(waydroid_t)
+auth_read_passwd(waydroid_t)
+miscfiles_read_generic_certs(waydroid_t)
+
+# Manage waydroid fifos
+type waydroid_var_run_t;
+files_pid_file(waydroid_var_run_t)
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file,
"waydroid-init")
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file,
"waydroid-remote_init_output")
+manage_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_fifo_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_dirs_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+
+# Manage /var/lib/waydroid
+type waydroid_data_t;
+files_type(waydroid_data_t)
+filetrans_pattern(waydroid_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+filetrans_pattern(unconfined_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+manage_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_lnk_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+
+# Execute lxc commands, domain transition
+container_runtime_domtrans(waydroid_t)
+
+# Execute misc utils
+exec_files_pattern(waydroid_t, bin_t, bin_t)
+domtrans_pattern(waydroid_t, mount_exec_t, mount_t)
+corecmd_exec_shell(waydroid_t)
+modutils_domtrans_kmod(waydroid_t)
+
+# Waydroid init from the container daemon
+dev_read_sysfs(waydroid_t)
+storage_getattr_fuse_dev(waydroid_t)
+getattr_chr_files_pattern(waydroid_t, device_t, { uhid_device_t tun_tap_device_t })
+fs_search_cgroup_dirs(waydroid_t)
+allow waydroid_t tmp_t:dir read;
+allow waydroid_t self:process setfscreate;
+allow waydroid_t self:tcp_socket create_socket_perms;
+allow waydroid_t http_cache_port_t:tcp_socket name_connect;
+sysnet_dns_name_resolve(waydroid_t)
+corenet_sendrecv_http_client_packets(waydroid_t)
+corenet_tcp_connect_http_port(waydroid_t)
+
+# waydroid-net.sh
+type waydroid_net_exec_t;
+files_type(waydroid_net_exec_t)
+domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)
+domain_entry_file(container_runtime_t, waydroid_net_exec_t)
+manage_fifo_files_pattern(iptables_t, waydroid_t, waydroid_t)
+
+# Read android rootfs
+type waydroid_rootfs_t;
+files_type(waydroid_rootfs_t)
+read_files_pattern(waydroid_t, waydroid_rootfs_t, waydroid_rootfs_t)
+
+# Read android data
+allow waydroid_t self:capability { dac_read_search };
+
+# Upgrade from app
+read_files_pattern(waydroid_t, data_home_t, data_home_t)
+allow waydroid_t self:unix_dgram_socket create;
+
+# Use binder devices
+allow waydroid_t binderfs_t:dir search_dir_perms;
+allow waydroid_t binder_device_t:chr_file { getattr setattr ioctl map open read write };
+allow waydroid_t container_runtime_t:binder { call transfer };
+allow container_runtime_t waydroid_t:binder call;
+allow container_runtime_t self:binder { call set_context_mgr transfer };
+allow container_runtime_t self:capability2 mac_admin;
+allow container_runtime_t unconfined_service_t:binder call;
+allow container_runtime_t unconfined_t:binder { call transfer };
+allow unconfined_service_t container_runtime_t:binder { call transfer };
+allow unconfined_t container_runtime_t:binder { call transfer };
+
+# Graphics
+dev_setattr_generic_dirs(waydroid_t)
+dev_getattr_dri_dev(waydroid_t)
+dev_setattr_dri_dev(waydroid_t)
+dev_getattr_framebuffer_dev(waydroid_t)
+dev_setattr_framebuffer_dev(waydroid_t)
+allow waydroid_t self:capability fsetid;
+
+# Video
+dev_getattr_video_dev(waydroid_t)
+dev_setattr_video_dev(waydroid_t)
+
+# RPM upgrade scriptlets
+container_runtime_run(rpm_script_t, rpm_script_roles)
+filetrans_pattern(rpm_script_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+
+# For when we crash
+allow abrt_t binder_device_t:chr_file { open read };
+
+# Attach to the container
+allow container_runtime_t self:process2 { nnp_transition };
+exec_files_pattern(container_runtime_t, waydroid_rootfs_t, waydroid_rootfs_t)
+domain_entry_file(container_runtime_t, waydroid_rootfs_t)
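Review bot: Several rules extend `container_runtime_t` itself rather than a waydroid-owned domain: `self:capability2 mac_admin`, `self:process2 nnp_transition`, the binder rules towards `unconfined_t`, and `domain_entry_file(container_runtime_t, waydroid_rootfs_t)`. As far as container-selinux defines it, that domain is shared by other container runtimes on the host, so installing this module widens their permissions too; `mac_admin` in particular lets the domain set labels the loaded policy does not know. A dedicated type for the waydroid container would confine the grant. Failing that, each of these lines needs a comment stating why it is required, for example `# mac_admin: <reason>; applies to every process in container_runtime_t`. `read_files_pattern(waydroid_t, data_home_t, data_home_t)` combined with `dac_read_search` is similarly broad and deserves the same justification.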