Merge pull request #53 from DreamConnected/main

add lsm selinux, add seccomp backend

Author: DreamConnected

.github/workflows/code-test.yml

@@ -12,7 +12,7 @@ jobs:
     - name: Set up Android NDK
       uses: nttld/setup-ndk@v1
       with:
-        ndk-version: r27c
+        ndk-version: r28c
 
     - name: Install dependencies
       run: |
@@ -21,10 +21,30 @@ jobs:
         pipx ensurepath
         pipx install meson==0.61
         pipx install ninja
+
+    - name: Download Dependencies 
+      run: |
+        libssl=$(curl -s https://api.github.com/repos/android-dev-stub/libssl-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libssl_file=$(curl -s https://api.github.com/repos/android-dev-stub/libssl-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libssl} && sudo unzip -q -o ${libssl_file} -d / && echo 1/4 ${libssl} ${libssl_file}
+        
+        libcap=$(curl -s https://api.github.com/repos/android-dev-stub/libcap-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libcap_file=$(curl -s https://api.github.com/repos/android-dev-stub/libcap-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libcap} && sudo unzip -q -o ${libcap_file} -d / && echo 2/4 ${libcap} ${libcap_file}
+
+        libselinux=$(curl -s https://api.github.com/repos/android-dev-stub/libselinux-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libselinux_file=$(curl -s https://api.github.com/repos/android-dev-stub/libselinux-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libselinux} && sudo unzip -q -o ${libselinux_file} -d / && echo 3/4 ${libselinux} ${libselinux_file}
         
+        libminijail=$(curl -s https://api.github.com/repos/android-dev-stub/libminijail-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libminijail_file=$(curl -s https://api.github.com/repos/android-dev-stub/libminijail-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libminijail} && sudo unzip -q -o ${libminijail_file} -d / && echo 4/4 ${libminijail} ${libminijail_file}
+
     - name: Test build
       run: |
         sed -i "s|android-ndk-r27c|$ANDROID_NDK_HOME|g" aarch64-android-api30.txt
+        export PKG_CONFIG_PATH=/data/sysroot/lib/pkgconfig:$PKG_CONFIG_PATH
+        export LDFLAGS="-L/data/sysroot/lib -lcap -lselinux -lminijail -lssl"
 
         meson setup build \
             -Dprefix=/data/share \
@@ -38,11 +58,12 @@ jobs:
             --localstatedir=/data/share/var \
             -Dmemfd-rexec=true \
             --buildtype debug \
-            -Dcapabilities=false \
+            -Dcapabilities=true \
             -Dseccomp=false \
-            -Dselinux=false \
+            -Dseccomp-minijail=true \
+            -Dselinux=true \
             -Dapparmor=false \
-            -Dopenssl=false \
+            -Dopenssl=true \
             -Ddbus=false \
             -Dandroid-log=true \
             -Dandroid-audio=true \
@@ -59,8 +80,3 @@ jobs:
         name: android-aarch64-lxc-shared-api30
         path: /data/share/*
 
-    - name: Upload artifacts lxc-module
-      uses: actions/upload-artifact@v4.3.1
-      with:
-        name: android-lxc-module
-        path: lxc-module.zip

.github/workflows/main.yml

@@ -5,7 +5,7 @@ on:
       ndk_version:
         description: 'Android NDK version'
         required: false
-        default: 'r27c'
+        default: 'r29c'
 
 jobs:
   build:
@@ -30,30 +30,27 @@ jobs:
 
     - name: Download Dependencies 
       run: |
-        libssl=$(curl -s https://api.github.com/repos/DreamConnected/libopenssl-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
-        libssl_file=$(curl -s https://api.github.com/repos/DreamConnected/libopenssl-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
-        wget -q ${libssl} && sudo unzip -q -o ${libssl_file} -d / && echo 1/5 ${libssl} ${libssl_file}
+        libssl=$(curl -s https://api.github.com/repos/android-dev-stub/libssl-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libssl_file=$(curl -s https://api.github.com/repos/android-dev-stub/libssl-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libssl} && sudo unzip -q -o ${libssl_file} -d / && echo 1/4 ${libssl} ${libssl_file}
         
-        libcap=$(curl -s https://api.github.com/repos/DreamConnected/AndroidLibcapBuild/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
-        libcap_file=$(curl -s https://api.github.com/repos/DreamConnected/AndroidLibcapBuild/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
-        wget -q ${libcap} && sudo unzip -q -o ${libcap_file} -d / && echo 2/5 ${libcap} ${libcap_file}
+        libcap=$(curl -s https://api.github.com/repos/android-dev-stub/libcap-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libcap_file=$(curl -s https://api.github.com/repos/android-dev-stub/libcap-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libcap} && sudo unzip -q -o ${libcap_file} -d / && echo 2/4 ${libcap} ${libcap_file}
 
-        libapparmor=$(curl -s https://api.github.com/repos/DreamConnected/libapparmor-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
-        libapparmor_file=$(curl -s https://api.github.com/repos/DreamConnected/libapparmor-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
-        wget -q ${libapparmor} && sudo unzip -q -o ${libapparmor_file} -d / && echo 3/5 ${libapparmor} ${libapparmor_file}
-
-        libselinux=$(curl -s https://api.github.com/repos/DreamConnected/libselinux-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
-        libselinux_file=$(curl -s https://api.github.com/repos/DreamConnected/libselinux-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
-        wget -q ${libselinux} && sudo unzip -q -o ${libselinux_file} -d / && echo 4/5 ${libselinux} ${libselinux_file}
-
-        libseccomp=$(curl -s https://api.github.com/repos/DreamConnected/libseccomp-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
-        libseccomp_file=$(curl -s https://api.github.com/repos/DreamConnected/libseccomp-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
-        wget -q ${libseccomp} && sudo unzip -q -o ${libseccomp_file} -d / && echo 5/5 ${libseccomp} ${libseccomp_file}
+        libselinux=$(curl -s https://api.github.com/repos/android-dev-stub/libselinux-android-stub-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libselinux_file=$(curl -s https://api.github.com/repos/android-dev-stub/libselinux-android-stub-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libselinux} && sudo unzip -q -o ${libselinux_file} -d / && echo 3/4 ${libselinux} ${libselinux_file}
         
+        libminijail=$(curl -s https://api.github.com/repos/android-dev-stub/libminijail-dev/releases/latest | grep browser_download_url | cut -d'"' -f4 |grep -E 'zip$')
+        libminijail_file=$(curl -s https://api.github.com/repos/android-dev-stub/libminijail-dev/releases/latest | grep name | cut -d'"' -f4 |grep -E 'zip$')
+        wget -q ${libminijail} && sudo unzip -q -o ${libminijail_file} -d / && echo 4/4 ${libminijail} ${libminijail_file}
+
     - name: Build lxc
       run: |
         sed -i "s|android-ndk-r27c|$ANDROID_NDK_HOME|g" aarch64-android-api30.txt
-        export PKG_CONFIG_PATH=/data/sysroot/lib/pkgconfig:/data/sysroot/lib64/pkgconfig:$PKG_CONFIG_PATH
+        export PKG_CONFIG_PATH=/data/sysroot/lib/pkgconfig:$PKG_CONFIG_PATH
+        export LDFLAGS="-L/data/sysroot/lib -lcap -lselinux -lminijail -lssl"
 
         meson setup build \
             -Dprefix=/data/share \
@@ -68,12 +65,15 @@ jobs:
             -Dmemfd-rexec=false \
             --buildtype release \
             -Dcapabilities=true \
-            -Dseccomp=true \
+            -Dseccomp=false \
+            -Dseccomp-minijail=true \
             -Dselinux=true \
-            -Dapparmor=true \
+            -Dapparmor=false \
             -Dopenssl=true \
             -Ddbus=false \
             -Dandroid-log=true \
+            -Dandroid-audio=false \
+            -Dandroid-network=false \
             -Dlandlock-monitor=false \
             -Dinstall-state-dirs=true \
             --cross-file aarch64-android-api30.txt
@@ -82,16 +82,10 @@ jobs:
         sudo /usr/local/bin/ninja -C build install
         echo "RELEASE_TAG=$(meson introspect meson.build --projectinfo | jq -r '.version')-$(git log -1 --format=%h)" >> $GITHUB_ENV
 
-    - name: Upload artifacts sysroot
-      uses: actions/upload-artifact@v4.3.1
-      with:
-        name: android-${{ github.event.inputs.target_arch || 'aarch64' }}-deps
-        path: /data/sysroot/*
-
     - name: Upload artifacts lxc
       uses: actions/upload-artifact@v4.3.1
       with:
-        name: android-${{ github.event.inputs.target_arch || 'aarch64' }}-lxc
+        name: android-aarch64-lxc
         path: /data/share/*
 
     - name: Upload artifacts lxc-module
@@ -102,8 +96,7 @@ jobs:
 
     - name: Create a TAR file for artifact
       run: |
-        tar -czvf android-${{ github.event.inputs.target_arch || 'aarch64' }}-api30-lxc.tar.gz -C /data/share .
-        tar -czvf android-${{ github.event.inputs.target_arch || 'aarch64' }}-api30-sysroot.tar.gz -C /data/sysroot .
+        tar -czvf android-aarch64-api30-lxc.tar.gz -C /data/share .
     
     - name: Create Release and Upload Release Asset
       uses: softprops/action-gh-release@v1
@@ -114,6 +107,5 @@ jobs:
         draft: false
         prerelease: false
         files: |
-            android-${{ github.event.inputs.target_arch || 'aarch64' }}-api30-lxc.tar.gz
-            android-${{ github.event.inputs.target_arch || 'aarch64' }}-api30-sysroot.tar.gz
+            android-aarch64-api30-lxc.tar.gz
             lxc-module.zip