build lxc for android
apply kernel patch support
diff --git a/arch/arm64/configs/vendor/kernel_defconfig b/arch/arm64/configs/vendor/kernel_defconfig
index e665b7e8e688..d61022023599 100644
--- a/arch/arm64/configs/vendor/kernel_defconfig
+++ b/arch/arm64/configs/vendor/kernel_defconfig
@@ -837,3 +837,13 @@ CONFIG_QCOM_DLOAD_MODE=y
CONFIG_BUILD_ARM64_APPENDED_DTB_IMAGE=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
+
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_KASAN_STACK=1
+CONFIG_IPC_NS=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_SYSVIPC_COMPAT=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
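Review bot: `CONFIG_KASAN_STACK=1` looks out of place among the namespace options: it is a KASAN stack-instrumentation knob that only takes effect when CONFIG_KASAN is enabled (not visible in this hunk), and KASAN is a debugging sanitizer rather than a production hardening option, so presumably this is a stray line — confirm what `make olddefconfig` actually keeps. Separately, `CONFIG_USER_NS=y` lets any unprivileged app create user namespaces, which widens the kernel attack surface reachable from untrusted code on a vendor kernel that previously did not expose it. If containers are only ever started by a privileged runtime, consider keeping it off, or at least documenting the trade-off next to the option, e.g. `# USER_NS: required by lxc; unprivileged user namespaces are reachable by apps`, and pairing it with the `user.max_user_namespaces` sysctl where available.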
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 5e818f48a28c..98c1f611be73 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -275,7 +275,7 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
if (protocol < 0 || protocol >= IPPROTO_MAX)
return -EINVAL;
- if (!current_has_network())
+ if (net_eq(net, &init_net) && !current_has_network())
return -EACCES;
sock->state = SS_UNCONNECTED;
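Review bot: The new condition exempts every non-init network namespace from the `current_has_network()` check, not only namespaces set up for the container; together with `CONFIG_USER_NS=y` from the defconfig hunk, a process that could not create sockets before can presumably unshare a user and network namespace and then create them freely, so the paranoid-network gate is no longer enforced on that path (whether such a namespace gets connectivity depends on what is bridged into it). If the intent is to exempt only namespaces created by a privileged runtime, keeping the check for namespaces owned by a non-initial user namespace is one option: `if ((net_eq(net, &init_net) || net->user_ns != &init_user_ns) && !current_has_network())`. The identical condition appears in the net/ipv6/af_inet6.c hunk and should change with it. inet_create's body continues outside the hunk.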
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index c4594d92adf8..bf0d3071d8d1 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -136,7 +136,7 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
if (protocol < 0 || protocol >= IPPROTO_MAX)
return -EINVAL;
- if (!current_has_network())
+ if (net_eq(net, &init_net) && !current_has_network())
return -EACCES;
/* Look for the requested type/protocol pair. */
Build LXC for Android:
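# Get Pre-reqs
# apt-get install libattr1-dev git unzip make gcc automake pkg-config lsb-release
# Abort on the first failing command and on any unset variable: later steps
# copy into and delete under $root, so silently continuing after a failed
# cd/mkdir would operate on the wrong tree.
set -eu
# Reminder of the local lxc source change needed when seccomp support is
# unavailable (guard the fetch_seccomp() call). Where exactly it belongs is
# not recorded here -- check against the lxc tree before applying.
cat << 'EOF'
+#ifdef HAVE_SECCOMP
if (!fetch_seccomp(ctx->container, options))
WARN("Failed to get seccomp policy");
+#endif
EOF
root=/home/level
arch=arm64
# Single definition of the NDK location; every toolchain path below derives from it.
ndk=$root/build/android-ndk-r10e
# Get Android NDK
cd "$root"
mkdir -p build && cd build
# Fetch over HTTPS and compare the archive against the checksum published on
# the NDK download page before unpacking: the toolchain and sysroot unpacked
# here end up in every binary produced below.
# wget -c https://dl.google.com/android/repository/android-ndk-r10e-linux-x86_64.zip -O /tmp/android-ndk-r10e-linux-x86_64.zip
# unzip /tmp/android-ndk-r10e-linux-x86_64.zip -d "$root/build"
# Set paths
export PATH=$PATH:$ndk/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/:$ndk/
export SYSROOT=$ndk/platforms/android-21/arch-$arch/
export LD=aarch64-linux-android-ld
export CC="aarch64-linux-android-gcc --sysroot=$SYSROOT"
# -pie/-fPIE: Android requires position-independent executables.
export CFLAGS="-fomit-frame-pointer -DANDROID -pie -fPIE --sysroot=$SYSROOT -I$SYSROOT/usr/include/"
export LDFLAGS="-Wl,--dynamic-linker,/system/bin/linker64 -lc -ldl"
export BUILD_CC=gcc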
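# Get LXC and libcap
cd "$root"
mkdir -p lxc
# stable-4.0 is a moving branch tip; for a reproducible (and auditable) build,
# pin it to a tag or commit the same way libcap is pinned below.
cd lxc && git clone -b stable-4.0 https://github.com/lxc/lxc .
git clone https://github.com/mhiramat/libcap && cd libcap
git checkout 0ee94211e95096750ede752acd13b163aa6d5046
make CC="$CC" -j11
# Install the freshly built libcap into the NDK sysroot that CC/CFLAGS point
# at (SYSROOT is exported above), so lxc's configure and link steps find it.
cp -f libcap/libcap.so* "$SYSROOT/usr/lib/"
cp -f libcap/libcap.a "$SYSROOT/usr/lib/"
cp -f libcap/include/sys/capability.h "$SYSROOT/usr/include/sys/capability.h"
cp -f libcap/include/uapi/linux/capability.h "$SYSROOT/usr/include/linux/"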
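# Build LXC
cd "$root/lxc"
./autogen.sh && mkdir -p OUT
# Provide linux/genetlink.h (a bionic-style generated copy) in the sysroot that
# CC actually uses; presumably the NDK r10e sysroot lacks it and the lxc build
# needs it. The original wrote to a hard-coded /root/build/... path, which is
# not under $root, so the header never reached the sysroot in use.
cat << 'EOF' > "$SYSROOT/usr/include/linux/genetlink.h"
/****************************************************************************
****************************************************************************
***
*** This header was automatically generated from a Linux kernel header
*** of the same name, to make information necessary for userspace to
*** call into the kernel available to libc. It contains only constants,
*** structures, and macros generated from the original header, and thus,
*** contains no copyrightable information.
***
*** To edit the content of this header, modify the corresponding
*** source file (e.g. under external/kernel-headers/original/) then
*** run bionic/libc/kernel/tools/update_all.py
***
*** Any manual change here will be lost the next time this script will
*** be run. You've been warned!
***
****************************************************************************
****************************************************************************/
#ifndef _UAPI__LINUX_GENERIC_NETLINK_H
#define _UAPI__LINUX_GENERIC_NETLINK_H
#include <linux/types.h>
#include <linux/netlink.h>
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
#define GENL_NAMSIZ 16
#define GENL_MIN_ID NLMSG_MIN_TYPE
#define GENL_MAX_ID 1023
struct genlmsghdr {
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
__u8 cmd;
__u8 version;
__u16 reserved;
};
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
#define GENL_HDRLEN NLMSG_ALIGN(sizeof(struct genlmsghdr))
#define GENL_ADMIN_PERM 0x01
#define GENL_CMD_CAP_DO 0x02
#define GENL_CMD_CAP_DUMP 0x04
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
#define GENL_CMD_CAP_HASPOL 0x08
#define GENL_ID_GENERATE 0
#define GENL_ID_CTRL NLMSG_MIN_TYPE
#define GENL_ID_VFS_DQUOT (NLMSG_MIN_TYPE + 1)
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
#define GENL_ID_PMCRAID (NLMSG_MIN_TYPE + 2)
enum {
CTRL_CMD_UNSPEC,
CTRL_CMD_NEWFAMILY,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_CMD_DELFAMILY,
CTRL_CMD_GETFAMILY,
CTRL_CMD_NEWOPS,
CTRL_CMD_DELOPS,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_CMD_GETOPS,
CTRL_CMD_NEWMCAST_GRP,
CTRL_CMD_DELMCAST_GRP,
CTRL_CMD_GETMCAST_GRP,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
__CTRL_CMD_MAX,
};
#define CTRL_CMD_MAX (__CTRL_CMD_MAX - 1)
enum {
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_ATTR_UNSPEC,
CTRL_ATTR_FAMILY_ID,
CTRL_ATTR_FAMILY_NAME,
CTRL_ATTR_VERSION,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_ATTR_HDRSIZE,
CTRL_ATTR_MAXATTR,
CTRL_ATTR_OPS,
CTRL_ATTR_MCAST_GROUPS,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
__CTRL_ATTR_MAX,
};
#define CTRL_ATTR_MAX (__CTRL_ATTR_MAX - 1)
enum {
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_ATTR_OP_UNSPEC,
CTRL_ATTR_OP_ID,
CTRL_ATTR_OP_FLAGS,
__CTRL_ATTR_OP_MAX,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
};
#define CTRL_ATTR_OP_MAX (__CTRL_ATTR_OP_MAX - 1)
enum {
CTRL_ATTR_MCAST_GRP_UNSPEC,
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
CTRL_ATTR_MCAST_GRP_NAME,
CTRL_ATTR_MCAST_GRP_ID,
__CTRL_ATTR_MCAST_GRP_MAX,
};
/* WARNING: DO NOT EDIT, AUTO-GENERATED CODE - SEE TOP FOR INSTRUCTIONS */
#define CTRL_ATTR_MCAST_GRP_MAX (__CTRL_ATTR_MCAST_GRP_MAX - 1)
#endif
EOF
# Start build
# ./configure --host=$arch-eabi --disable-api-docs --disable-lua --disable-python --disable-examples --prefix=/data/lxc/lxc --with-runtime-path=/cache/ --bindir="/data/lxc/bin" --libdir="/data/lxc/lib" --with-config-path=/data/lxc/containers/
# NOTE(review): --host=arm-eabi names a 32-bit triple while CC is the aarch64
# cross compiler exported above; configure uses the exported CC, but confirm
# the host triple is intended (the commented line above used $arch-eabi).
./configure --host=arm-eabi --disable-api-docs --disable-lua --disable-python --disable-examples --prefix=/data/lxc/lxc --with-runtime-path=/cache/ --bindir="/data/lxc/bin" --libdir="/data/lxc/lib" --with-config-path=/data/lxc/containers/
make -j11
make install DESTDIR="$root"
# Move the staged install under OUT/. The ${root:?} guard makes the rm fail
# loudly instead of expanding to /data if root is ever unset or empty.
cp -rf "$root/data" OUT/data && rm -rf "${root:?}/data"
# Ship the libcap built earlier alongside the lxc libraries.
cp -rf "$SYSROOT"/usr/lib/libcap.* OUT/data/lxc/lib/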
# Reference only: kernel options the container host must have enabled
# (printed to stdout, not applied anywhere).
cat <<'EOF'
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_NET=y
CONFIG_POSIX_MQUEUE=y
EOF
# Reference only: a minimal container config. Networking is disabled
# (type = none); the bridge lines are kept commented for a lxcbr0 setup.
cat <<'EOF'
lxc.net.0.type = none
# lxc.net.0.link = lxcbr0
# lxc.net.0.flags = up
# lxc.net.0.hwaddr = 00:16:3e:ab:81:67
lxc.rootfs.path = dir:/data/rootfs/
lxc.uts.name = kinetic
lxc.tty.max = 10
lxc.pty.max = 36
EOF
Set up the network for the Android container
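ip link add name lxcbr0 type bridge
ip address add 192.168.1.1/24 dev lxcbr0
ip link set lxcbr0 up
ip route add 192.168.1.0/24 dev lxcbr0 table local
# Traffic entering from the bridge is resolved in the wlan0 routing table
# (per-interface tables as set up by Android's netd -- confirm the table name).
ip rule add iif lxcbr0 lookup wlan0
sysctl -w net.ipv4.ip_forward=1
# NAT only the container subnet, and forward only between the bridge and
# wlan0 (plus replies to established flows). The original unconditional
# "iptables -I FORWARD -j ACCEPT" made the device forward between every
# interface, not just for the container.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o wlan0 -j MASQUERADE
iptables -I FORWARD -i wlan0 -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i lxcbr0 -o wlan0 -j ACCEPT
# Named cgroup hierarchy, presumably for a systemd-based rootfs; -p so a
# re-run does not fail on the existing directory.
mkdir -p /sys/fs/cgroup/systemd
mount -t cgroup -o none,name=systemd - /sys/fs/cgroup/systemd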