The package rpms/waydroid.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s): https://src.fedoraproject.org/cgit/rpms/waydroid.git/commit/?id=30ac6b36b647....
Change: +ExcludeArch: s390x
Thanks.
Full change: ============
commit 30ac6b36b6477e098e7c3e8addab034aa9dcf986 Author: Alessandro Astone ales.astone@gmail.com Date: Fri Dec 30 15:59:08 2022 +0100
Initial import (fedora#2120119).
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e22f4be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/waydroid-1.3.4.tar.gz
diff --git a/dev-binderfs.mount b/dev-binderfs.mount
new file mode 100644
index 0000000..5884673
--- /dev/null
+++ b/dev-binderfs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Mount binderfs partition
+
+[Mount]
+What=binder
+Where=/dev/binderfs
+Type=binder
diff --git a/mount-secontext.patch b/mount-secontext.patch
new file mode 100644
index 0000000..44429ea
--- /dev/null
+++ b/mount-secontext.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/helpers/mount.py b/tools/helpers/mount.py
+index fdf6477..de9718a 100644
+--- a/tools/helpers/mount.py
++++ b/tools/helpers/mount.py
+@@ -128,7 +128,7 @@ def mount(args, source, destination, create_folders=True, umount=False, readonly
+ destination)
+ 
+ # Actually mount the folder
+- tools.helpers.run.user(args, ["mount", source, destination])
++ tools.helpers.run.user(args, ["mount", "-o", "context="system_u:object_r:waydroid_rootfs_t:s0"", source, destination])
+ if readonly:
+ tools.helpers.run.user(args, ["mount", "-o", "remount,ro", source, destination])
+ 
diff --git a/setup-firewalld.patch b/setup-firewalld.patch
new file mode 100644
index 0000000..dde0abd
--- /dev/null
+++ b/setup-firewalld.patch
@@ -0,0 +1,17 @@
+--- waydroid-1.2.0/data/scripts/waydroid-net.sh 2021-10-19 15:50:56.000000000 +0800
++++ waydroid-1.2.0-1/data/scripts/waydroid-net.sh 2021-10-21 22:57:50.991706580 +0800
+@@ -1,4 +1,4 @@
+-#!/bin/sh -
++#!/usr/bin/sh -
+ 
+ varrun="/run/waydroid-lxc"
+ varlib="/var/lib"
+@@ -60,6 +60,8 @@ _ifup() {
+ ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
+ ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
+ ip link set dev ${LXC_BRIDGE} up
++ # Fedora specific
++ firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true
+ }
+ 
+ start_ipv6() {
diff --git a/sources b/sources
new file mode 100644
index 0000000..926c047
--- /dev/null
+++ b/sources
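Review bot: The `context=` option is added unconditionally inside the generic mount() helper, so every mount that passes through it, not only the Android rootfs image, is forced to waydroid_rootfs_t; if the same helper is also used for bind mounts of writable directories, the read-only `read_files_pattern` the policy grants on waydroid_rootfs_t would no longer fit those, so the call sites should be confirmed or the option limited to the image mounts. The literal appears as `"context="system_u:object_r:waydroid_rootfs_t:s0""`, which is only valid Python if the inner quotes are escaped in the real patch (the escapes may have been lost in the mail rendering); a comment such as `# inner quotes kept so mount(8) receives a quoted context value — confirm` would record why they are there. The mount() function starts and ends outside the hunk.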
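Review bot: `firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || true` puts the container bridge into firewalld's trusted zone, which accepts all incoming traffic from the Android side to the host, and the `|| true` discards any failure silently, so a host where firewall-cmd is missing or errors leaves no trace in the log. A comment stating why the trusted zone is required (presumably the DHCP/DNS service the container relies on, which this hunk does not show) and an error path such as `firewall-cmd --zone=trusted --add-interface=${LXC_BRIDGE} || echo "firewall-cmd failed for ${LXC_BRIDGE}" >&2` would make the trade-off visible without changing behaviour when it succeeds. The rule is runtime-only (no `--permanent`), which is consistent with `_ifup` re-adding it on every bridge start; the `_ifup` function itself begins outside the hunk.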
@@ -0,0 +1 @@
+SHA512 (waydroid-1.3.4.tar.gz) = 2c7feb8cfe2b6e2738159d07e12f378250f5ba6a0d0f47c0ff904af934eacde193ae0fcae1cb4fb67d1687a2ffcd2864c1eea4fa5e52c19685ffad5c702359a5
diff --git a/waydroid-container.service b/waydroid-container.service
new file mode 100644
index 0000000..13593c2
--- /dev/null
+++ b/waydroid-container.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Waydroid Container
+Wants=dev-binderfs.mount
+
+[Service]
+ExecStartPre=/usr/bin/ln -sf /dev/binderfs/binder /dev/binderfs/vndbinder /dev/binderfs/hwbinder /dev/
+ExecStart=/usr/bin/waydroid -w container start
+ExecStop=/usr/bin/waydroid container stop
+ExecStopPost=/usr/bin/waydroid session stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/waydroid-gbinder.conf b/waydroid-gbinder.conf
new file mode 100644
index 0000000..a95692f
--- /dev/null
+++ b/waydroid-gbinder.conf
@@ -0,0 +1,2 @@
+[General]
+ApiLevel = 29
diff --git a/waydroid.fc b/waydroid.fc
new file mode 100644
index 0000000..c66329c
--- /dev/null
+++ b/waydroid.fc
@@ -0,0 +1,5 @@
+/usr/lib/waydroid/waydroid.py gen_context(system_u:object_r:waydroid_exec_t,s0)
+/usr/lib/waydroid/data/scripts/waydroid-net.sh gen_context(system_u:object_r:waydroid_net_exec_t,s0)
+/var/lib/waydroid(.*)? gen_context(system_u:object_r:waydroid_data_t,s0)
+/var/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)
+/run/waydroid-(?!lxc).* gen_context(system_u:object_r:waydroid_var_run_t,s0)
diff --git a/waydroid.spec b/waydroid.spec
new file mode 100644
index 0000000..92dd398
--- /dev/null
+++ b/waydroid.spec
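Review bot: `Wants=dev-binderfs.mount` only pulls the mount unit in; without `After=dev-binderfs.mount` there is no ordering, so `ExecStartPre=/usr/bin/ln -sf …` can run before binderfs is mounted and `ln -sf` will happily create dangling /dev/binder, /dev/vndbinder and /dev/hwbinder symlinks, after which the daemon start presumably fails on the binder devices. Adding `After=dev-binderfs.mount` under `[Unit]` (and `Requires=` instead of `Wants=` if the container cannot run without binderfs) closes the race. The `[Service]` section carries no hardening directives; that may be unavoidable for a daemon driving LXC and binder, but a short comment saying so would spare the next reviewer the question.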
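Review bot: `/var/run/waydroid-(?!lxc).*` duplicates the `/run/waydroid-(?!lxc).*` entry below it; on Fedora the distribution policy already maps /var/run onto /run through its file_contexts substitution list, so the /var/run line is redundant (harmless, but it invites the two drifting apart). The negative lookahead `(?!lxc)` depends on PCRE semantics, which libselinux provides, but nothing records why the lxc runtime directory is carved out of the waydroid_var_run_t label; a comment such as `# /run/waydroid-lxc is labelled by the container runtime policy, not here — confirm` above these two lines would capture that.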
@@ -0,0 +1,182 @@
+%global forgeurl https://github.com/waydroid/waydroid
+%global selinuxtype targeted
+
+Version: 1.3.4
+%global tag %{version}
+
+%forgemeta
+Name: waydroid
+Release: 3%{?dist}
+Summary: Container-based approach to boot a full Android system on GNU/Linux
+License: GPL-3.0-only
+URL: %{forgeurl}
+Source: %{forgesource}
+Source1: waydroid.te
+Source2: waydroid-gbinder.conf
+Source3: waydroid-container.service
+Source4: dev-binderfs.mount
+Source6: waydroid.fc
+
+# Assign firewalld zone to the waydroid network interface
+Patch0: setup-firewalld.patch
+
+# Mount the android rootfs with a default selinux context
+Patch1: mount-secontext.patch
+
+BuildArch: noarch
+# TODO: Track bugzilla ticket
+ExcludeArch: s390x
+
+BuildRequires: make
+BuildRequires: selinux-policy-devel
+BuildRequires: container-selinux
+BuildRequires: systemd
+BuildRequires: python3-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: desktop-file-utils
+BuildRequires: libappstream-glib
+
+Requires: python3-gbinder >= 1.1.0
+Requires: python3-gobject
+Requires: lxc
+Requires: gtk3
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires: nftables
+Requires: iproute
+Requires: dnsmasq
+Recommends: python3-pyclip
+Recommends: wl-clipboard
+
+%description
+Waydroid uses Linux namespaces to run a full Android system in a container
+and provide Android applications on any GNU/Linux-based platform.
+The Android system inside the container has direct access to needed hardware
+through LXC and the binder interface.
+
+%package selinux
+Summary: SELinux policy module for waydroid
+Requires: %{name} = %{version}-%{release}
+Requires: container-selinux
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module necessary to run waydroid.
+
+%prep
+%forgeautosetup -p1
+mkdir SELinux
+cp %{S:1} SELinux/
+cp %{S:6} SELinux/
+
+%build
+# Remove link for ROM files
+sed -i -e '/"system_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+sed -i -e '/"vendor_channel":/ s/: ".*"/: ""/' tools/config/__init__.py
+# Compile sepolicy
+cd SELinux
+%{__make} NAME=%{selinuxtype} -f /usr/share/selinux/devel/Makefile
+
+%install
+%make_install LIBDIR=%{_libdir} DESTDIR=%{buildroot} USE_SYSTEMD=0 USE_NFTABLES=1
+%py_byte_compile %{python3} %{buildroot}%{_prefix}/lib/waydroid
+%{__install} -d %{buildroot}%{_unitdir}
+%{__install} -d %{buildroot}%{_datadir}/selinux/%{selinuxtype}
+%{__install} -p -m 644 %{S:3} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 %{S:4} %{buildroot}%{_unitdir}/
+%{__install} -p -m 644 SELinux/%{name}.pp %{buildroot}%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%check
+desktop-file-validate %{buildroot}/%{_datadir}/applications/Waydroid.desktop
+appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/id.waydro.waydroid.metainfo.xml
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # the daemon needs to be restarted for the custom label to be applied
+ %systemd_postun_with_restart waydroid-container.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%post
+waydroid upgrade -o > /dev/null || :
+%systemd_post waydroid-container.service
+if [ $1 -eq 1 ]; then
+ if systemctl -q is-enabled waydroid-container.service > /dev/null 2>&1 ; then
+ systemctl start waydroid-container.service > /dev/null 2>&1 || :
+ fi
+fi
+
+%preun
+%systemd_preun waydroid-container.service
+
+%postun
+%systemd_postun_with_restart waydroid-container.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_prefix}/lib/waydroid
+%{_datadir}/applications/Waydroid.desktop
+%{_datadir}/applications/waydroid.market.desktop
+%{_datadir}/metainfo/id.waydro.waydroid.metainfo.xml
+%{_bindir}/waydroid
+%{_unitdir}/waydroid-container.service
+%{_unitdir}/dev-binderfs.mount
+
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/%{selinuxtype}/%{name}.pp
+
+%changelog
+* Tue Dec 27 2022 Alessandro Astone ales.astone@gmail.com - 1.3.4-3
+- Fix description typos etc.
+- Validate desktop and metainfo files
+- Reorder post install scriptlets
+
+* Sun Dec 25 2022 Alessandro Astone ales.astone@gmail.com - 1.3.4-2
+- Add selinux label to android rootfs
+- Make package noarch
+
+* Wed Dec 14 2022 Alessandro Astone ales.astone@gmail.com - 1.3.4-1
+- Update to 1.3.4
+
+* Sat Nov 05 2022 Alessandro Astone ales.astone@gmail.com - 1.3.3-3
+- Override selinux context of the android rootfs
+- Fixes https://github.com/casualsnek/waydroid_script
+
+* Sun Oct 30 2022 Alessandro Astone ales.astone@gmail.com - 1.3.3-2
+- Add sepolicy for updating from the android app
+
+* Sun Sep 25 2022 Alessandro Astone ales.astone@gmail.com - 1.3.3-1
+- Update to 1.3.3
+
+* Fri Sep 02 2022 Alessandro Astone ales.astone@gmail.com - 1.3.1-1
+- Update to 1.3.1
+
+* Tue Aug 09 2022 Alessandro Astone ales.astone@gmail.com - 1.3.0-1
+- Update to 1.3.0
+
+* Sun Apr 17 2022 Alessandro Astone ales.astone@gmail.com - 1.2.1-1
+- Update to 1.2.1
+
+* Mon Mar 07 2022 Alessandro Astone ales.astone@gmail.com - 1.2.0-7.20220307git1.2.0
+- Recommend pyclip
+
+* Sat Feb 26 2022 Alessandro Astone ales.astone@gmail.com - 1.2.0-5.20220226git1.2.0
+- Add sepolicy for crash handler
+
+* Fri Feb 25 2022 Alessandro Astone ales.astone@gmail.com - 1.2.0-4.20220225git1.2.0
+- Respin package
+
+* Wed Aug 12 2020 Qiyu Yan yanqiyu@fedoraproject.org - 0-0.1.20200811gitc87ea48
+- initial package
diff --git a/waydroid.te b/waydroid.te
new file mode 100644
index 0000000..103c3c0
--- /dev/null
+++ b/waydroid.te
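Review bot: `# TODO: Track bugzilla ticket` above `ExcludeArch: s390x` leaves the exclusion undocumented, which is exactly what this arch-excludes notice is about; Fedora expects an ExcludeArch to carry a comment naming the tracking bug, so replace the TODO with `# s390x: <reason>, tracked in https://bugzilla.redhat.com/show_bug.cgi?id=<TRACKER-BUG-ID>` once the bug is filed. `Source2: waydroid-gbinder.conf` is declared but, as far as the visible `%install` and `%files` sections show, never installed or packaged, so it only ends up in the SRPM; either install it to the path gbinder reads or drop the Source line. In `%post`, `waydroid upgrade -o > /dev/null || :` runs the daemon's upgrade step inside the install scriptlet (presumably an offline run given `-o`); a one-line comment saying what that regenerates and why it is safe at install time would help the next maintainer.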
@@ -0,0 +1,133 @@
+
+policy_module(waydroid, 1.0)
+
+require {
+ type unconfined_t;
+ type unconfined_service_t;
+ type spc_t;
+ type init_t;
+ type binder_device_t;
+ type binderfs_t;
+ type abrt_t;
+ type bin_t;
+ type var_lib_t;
+ type proc_t;
+ type mount_exec_t;
+ type mount_t;
+ type sysctl_net_t;
+ type sysfs_t;
+ type uhid_device_t;
+ type tun_tap_device_t;
+ type tmp_t;
+ type http_cache_port_t;
+ type rpm_script_t;
+ role rpm_script_roles;
+ type iptables_t;
+}
+
+# Define domain
+type waydroid_t;
+type waydroid_exec_t;
+init_daemon_domain(waydroid_t, waydroid_exec_t)
+
+# Execute python
+allow waydroid_t bin_t:file { map execute };
+allow waydroid_t proc_t:file read_file_perms;
+gnome_search_gconf_data_dir(waydroid_t)
+auth_read_passwd(waydroid_t)
+miscfiles_read_generic_certs(waydroid_t)
+
+# Manage waydroid fifos
+type waydroid_var_run_t;
+files_pid_file(waydroid_var_run_t)
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file, "waydroid-init")
+files_pid_filetrans(waydroid_t, waydroid_var_run_t, fifo_file, "waydroid-remote_init_output")
+manage_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_fifo_files_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+manage_dirs_pattern(waydroid_t, waydroid_var_run_t, waydroid_var_run_t)
+
+# Manage /var/lib/waydroid
+type waydroid_data_t;
+files_type(waydroid_data_t)
+filetrans_pattern(waydroid_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+filetrans_pattern(unconfined_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+manage_dirs_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+manage_lnk_files_pattern(waydroid_t, waydroid_data_t, waydroid_data_t)
+
+# Execute lxc commands, domain transition
+container_runtime_domtrans(waydroid_t)
+
+# Execute misc utils
+exec_files_pattern(waydroid_t, bin_t, bin_t)
+domtrans_pattern(waydroid_t, mount_exec_t, mount_t)
+corecmd_exec_shell(waydroid_t)
+modutils_domtrans_kmod(waydroid_t)
+
+# Waydroid init from the container daemon
+dev_read_sysfs(waydroid_t)
+storage_getattr_fuse_dev(waydroid_t)
+getattr_chr_files_pattern(waydroid_t, device_t, { uhid_device_t tun_tap_device_t })
+fs_search_cgroup_dirs(waydroid_t)
+allow waydroid_t tmp_t:dir read;
+allow waydroid_t self:process setfscreate;
+allow waydroid_t self:tcp_socket create_socket_perms;
+allow waydroid_t http_cache_port_t:tcp_socket name_connect;
+sysnet_dns_name_resolve(waydroid_t)
+corenet_sendrecv_http_client_packets(waydroid_t)
+corenet_tcp_connect_http_port(waydroid_t)
+
+# waydroid-net.sh
+type waydroid_net_exec_t;
+files_type(waydroid_net_exec_t)
+domtrans_pattern(waydroid_t, waydroid_net_exec_t, container_runtime_t)
+domain_entry_file(container_runtime_t, waydroid_net_exec_t)
+manage_fifo_files_pattern(iptables_t, waydroid_t, waydroid_t)
+
+# Read android rootfs
+type waydroid_rootfs_t;
+files_type(waydroid_rootfs_t)
+read_files_pattern(waydroid_t, waydroid_rootfs_t, waydroid_rootfs_t)
+
+# Read android data
+allow waydroid_t self:capability { dac_read_search };
+
+# Upgrade from app
+read_files_pattern(waydroid_t, data_home_t, data_home_t)
+allow waydroid_t self:unix_dgram_socket create;
+
+# Use binder devices
+allow waydroid_t binderfs_t:dir search_dir_perms;
+allow waydroid_t binder_device_t:chr_file { getattr setattr ioctl map open read write };
+allow waydroid_t container_runtime_t:binder { call transfer };
+allow container_runtime_t waydroid_t:binder call;
+allow container_runtime_t self:binder { call set_context_mgr transfer };
+allow container_runtime_t self:capability2 mac_admin;
+allow container_runtime_t unconfined_service_t:binder call;
+allow container_runtime_t unconfined_t:binder { call transfer };
+allow unconfined_service_t container_runtime_t:binder { call transfer };
+allow unconfined_t container_runtime_t:binder { call transfer };
+
+# Graphics
+dev_setattr_generic_dirs(waydroid_t)
+dev_getattr_dri_dev(waydroid_t)
+dev_setattr_dri_dev(waydroid_t)
+dev_getattr_framebuffer_dev(waydroid_t)
+dev_setattr_framebuffer_dev(waydroid_t)
+allow waydroid_t self:capability fsetid;
+
+# Video
+dev_getattr_video_dev(waydroid_t)
+dev_setattr_video_dev(waydroid_t)
+
+# RPM upgrade scriptlets
+container_runtime_run(rpm_script_t, rpm_script_roles)
+filetrans_pattern(rpm_script_t, var_lib_t, waydroid_data_t, dir, "waydroid")
+
+# For when we crash
+allow abrt_t binder_device_t:chr_file { open read };
+
+# Attach to the container
+allow container_runtime_t self:process2 { nnp_transition };
+exec_files_pattern(container_runtime_t, waydroid_rootfs_t, waydroid_rootfs_t)
+domain_entry_file(container_runtime_t, waydroid_rootfs_t)
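Review bot: `allow container_runtime_t self:capability2 mac_admin;` in the `# Use binder devices` group is the most privileged rule in the module — mac_admin lets that domain set security labels the host policy does not define — yet it sits uncommented among binder rules; presumably it is needed so the Android side can apply its own contexts to files the host policy knows nothing about, and a comment such as `# mac_admin: the Android userspace sets labels unknown to the host policy — confirm` above it would record that. The `require` block lists `spc_t`, `init_t`, `sysctl_net_t` and `sysfs_t`, none of which is referenced by a rule in the file as shown, so they can be dropped to keep the required-types list honest. The bidirectional `unconfined_t`/`unconfined_service_t` ↔ `container_runtime_t` binder call/transfer rules also deserve a one-line note naming which client (the user session or the Android app) each direction serves, since together they let any unconfined process talk to the container's binder context manager.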