Secure way of sharing host files and directories with Waydroid

[ChrysoliteAzalea]

Hello everyone! I'd like to discuss the topic of sharing files with Waydroid. Documentation on the official site recommends bind-mounting the into ~/.local/share/waydroid/media/0/..., however, that may cause issues on Android 11 due to MediaProvider FUSE mount on the shared storage.

I propose a better, more secure way by installing a document provider, for example, Termux or RCX, and bind-mount into their directory. For Rcx, however, you need to enable Document Provider functions in the settings:

Then, add the "Local" storage to the list:

The files have to be bind-mounted to the /storage/emulated/0/Android/data/io.github.x0b.rcx/files subdirectory (on the container) or ~/.local/share/waydroid/0/data/media/0/Android/data/io.github.x0b.rcx/files subdirectory (on the host side). I should also note that, for better security, you should make sure that only the document provider (Rcx in our case) has access to the directory. You can use bindfs for this. First, you need to determine the UID the document provider runs as by running the pm list packages -U as root in the container (for example, by using waydroid shell subcommand), and then, on the host side, run a command like this (for Rcx):

bindfs --mirror-only=$UID $host_dir /home/$user/.local/share/waydroid/data/media/0/Android/data/io.github.x0b.rcx/files/from_host/

where $UID is the UID Rcx runs as, $host_dir is the directory to be bind-mounted, and $user is the name of the user on the host that runs Waydroid. By doing this, we ensure that only Rcx (and root) has access to the bind-mounted directory, so files can only be accessed using Storage Access Framework (that has to be approved by user for each app).

[ChrysoliteAzalea]

I've managed to mount the directory using bindfs in a way that only RCX can access the directory (even root cannot, except if it changes UID), so these files can accessed from Waydroid only through Storage Access Framework. However:

• The RCX's UID must be registered on the host, the privileged helper will refuse to mount if it doesn't find a record. On Debian/Ubuntu, adduser --no-create-home --disabled-login --uid $UID can be used to register the UID
• bindfs will need read access to the source directory. It can be granted through supplementary groups or by keeping CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE. For example, using the setpriv command
• The target directory must be writable "naturally" (without capabilities). It can be granted through supplementary groups, but keep in mind that bindfs has to have search permission (x) on all parent directories. The privileged helper would refuse to mount otherwise.

[ChrysoliteAzalea]

Also, as far as I noticed, the bindfs mount will only become available in the container if it has been mounted after the container has started (on my system).

[ChrysoliteAzalea]

On the host side, I use this script:

#!/usr/bin/bash
if [ "x$1" == "x-u" ]
then
umount -v /home/madoka/.local/share/waydroid/data/media/0/Android/data/io.github.x0b.rcx/files/from_host/
else
setpriv --bounding-set -all,+DAC_OVERRIDE,+SYS_ADMIN,+SETUID,+SETGID,+SETPCAP --inh-caps -all,+DAC_OVERRIDE --ambient-caps -all,+DAC_OVERRIDE --reuid 10151 --regid 10151 --apparmor-profile waydroid-bindfs --groups 0,1000,1023,1078 -- /usr/bin/bindfs --mirror-only=10151 --chown-ignore --chgrp-ignore --chmod-filter=0700 --xattr-ro --resolve-symlinks --multithreaded --no-allow-other /root/visible /home/madoka/.local/share/waydroid/data/media/0/Android/data/io.github.x0b.rcx/files/from_host/
fi

[ChrysoliteAzalea]

10151 should be replaced with UID of the document provider (it's 10151 on my system)

[ChrysoliteAzalea]

The AppArmor profile mentioned is this:

# Last Modified: Sat Oct  7 17:36:21 2023
profile waydroid-bindfs {
  include <abstractions/base>

  capability dac_override,
  capability sys_admin,

  signal receive set=rtmin+0 peer=waydroid-bindfs,
  signal send set=rtmin+0 peer=waydroid-bindfs,

  mount -> /home/madoka/.local/share/waydroid/data/media/0/Android/data/io.github.x0b.rcx**,

  /** ix,
  /dev/fuse rw,
  /etc/passwd r,
  /etc/nsswitch r,
  /etc/fuse.conf r,
  /etc/ld.so.cache r,
  /etc/ld.so.preload r,
  /home/*/.local/share/waydroid/data/media/0/Android/data/io.github.x0b.rcx/files/from_host/ r,
  /proc/*/mounts r,
  /root/visible** rw,
  /usr/lib/x86_64-linux-gnu/libfuse.so.* r,
  owner /etc/nsswitch.conf r,
  owner /etc/passwd r,
  owner /proc/*/mountinfo r,
  owner /run/mount/utab r,
  owner /run/mount/utab.lock rwk,

}

Please note that you may have to replace madoka with your own username (and the mounted directory here is /root/visible/).

[NiffirgkcaJ]

Hi! I apologize for bumping this, but do you have a guide or step-by-step on how to do this?