
Running Android in lxc container?

asked 2015-09-04 21:33:36 +0300


updated 2015-09-05 00:32:30 +0300

Have Jolla engineers considered running Android in an lxc container? It seems Canonical is trying something like that for their "Ubuntu Touch" OS. Information on the Internet is sparse and seems to be limited to a few smaller projects. Still interesting to take a look.

Benefits of this approach would obviously be:

  • better isolation of Sailfish and Android, as well as the ability to fine-tune and tweak the "meeting points" where the two OSes would be able to interact

  • Jolla would be able to apply AppArmor to the whole Android container;

  • Snapshotting the Android rootfs via lxc/btrfs integration (to enable rolling back after some malicious program is installed or just something random went wrong)

  • Run multiple Android versions on Sailfish

Info links: https://wiki.ubuntu.com/Touch/ContainerArchitecture

https://lists.linuxcontainers.org/pipermail/lxc-devel/2013-December/006516.html

https://www.stgraber.org/2013/12/23/lxc-1-0-some-more-advanced-container-usage/

http://condroid.github.io/about.html


Comments

Does it mean the current way we run Android apps on SailfishOS is not isolated? For example, a proprietary Android app could inject a spyware in SailfishOS?

Update: any Android app can read and create files in SailfishOS folders (https://together.jolla.com/question/120006/malware-in-third-party-android-stores/?answer=121308#post-id-121308).

You can see that when using an Android app like Firefox and typing file:///home/nemo/ in the URL bar, or by changing the download folder in about:config. To prevent this, I executed these commands: chmod -R 700 /home/nemo/ and chmod -R 700 /media/sdcard/ (if you do it as root in order to protect files owned by the root user, you will also have to do chmod 770 /home/nemo/.local/share/system/privileged/ to avoid having a black background after reboot and losing your calendar events after a firmware update, as happened to me: https://together.jolla.com/question/215126/calendar-events-missing-after-firmware-update/).

Since Android data is saved in /home/nemo/android_storage/, you also need this command to access the parent folder and make Firefox downloads work: chmod 710 /home/nemo/. After a reboot, I noticed the /home/nemo/ permissions are reset and Android apps have access to the SailfishOS data again, so unless there is a cleaner way to prevent permission changes, you will need to cd /home/nemo/ and use this command: chattr +i . Documents Downloads Pictures Videos Music Desktop .cache.

baptx ( 2019-04-11 14:51:04 +0300 )

3 Answers


answered 2015-09-05 00:30:24 +0300


Well go ahead and give it a try! Containers should run on the phone. As here: https://together.jolla.com/question/70499/request-fulfilled-enable-container-namespace-features-in-jolla-kernel/


answered 2017-04-12 08:42:22 +0300


Anbox was just released: http://anbox.io/

It's interesting, but it requires the loading of some kernel modules that makes everything more complicated for devs outside Jolla itself.


Comments

We've probably already got the modules for ashmem and binder installed and working, so it's just the container things and it should JustWorkTM.

It's fairly similar to what SFDroid is on ported devices, really.

r0kk3rz ( 2017-04-12 11:53:31 +0300 )

Any HowTo to make it work with the Jolla 1?

alexxy ( 2017-10-14 23:45:57 +0300 )

Here is the dedicated thread for Anbox: https://together.jolla.com/question/162876/anbox-on-sailfish-os/

baptx ( 2019-10-13 14:06:35 +0300 )

answered 2015-09-05 11:35:45 +0300


As @Philippe De Swert already mentioned - recent SailfishOS versions (>= 1.1.6) support containers out of the box, with systemd-nspawn (http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html) being used for container supervision (instead of lxc).

The thing that's missing is the actual Android container image(s). For now, Condroid seems to be more of an empty shell. As soon as an image becomes available though basically every Jolla owner can start integrating, then using it.


Comments

BTW has anyone tried to run a full distro on a systemd-nspawn container and have the desktop render on the screen as an app?

ApB ( 2015-09-05 12:17:36 +0300 )

systemd-nspawn cannot be used in such a way. You will not be able to see the desktop of such a guest OS.

peerchemist ( 2015-09-05 12:25:04 +0300 )

I've seen people launch compositors inside compositors (Wayland), so I thought it might be possible. And there is a section in the Arch wiki on how to launch X, but obviously this doesn't apply on the phone.

ApB ( 2015-09-05 12:39:50 +0300 )

@ApB "full distro" yes (Fedora 22 Cloud Image), but I didn't try a graphical desktop yet. A selection of Fedora ARM images is available here: https://arm.fedoraproject.org/. In theory, any ARM image of a distro running systemd should work straight away; it does not need to be a "container" image. Sailfish's systemd-nspawn will tell the image's systemd that it's containerized, which should cause the image to do the Right Things.

@peerchemist I'm not entirely sure this is true - maybe it can be fixed by granting the appropriate permissions. I'm sure though it can be worked around, e.g. by having the container serve VNC and using a native Jolla VNC client to connect to the container's desktop, for a start.

t-lo ( 2015-09-05 12:45:07 +0300 )

@t-lo If you try, could you give a heads-up? Post a how-to here or whatever. ;)

ApB ( 2015-09-05 13:19:48 +0300 )
Asked: 2015-09-04 21:33:36 +0300

Last updated: Apr 12 '17