I’m trying to create a file inside $ANDROID_ROOTFS/sys, but even as root, I’m unable to do so. I’ve tested this both during the execution of hooks and while the container is running (via anbox-shell), but the result is the same.
Is there a reason for this restriction? I need to create a file in that directory—what would be the correct way to achieve this?
/sys is a special filesystem in any Linux which is owned by the Linux kernel, see https://man7.org/linux/man-pages/man5/sysfs.5.html for more details. Only the kernel has the authority to create and remove files. Userspace is only allowed to read/write/list.
Which file in particular are you trying to change? There might be workarounds we can help with.
I need to run an app inside Anbox that intentionally crashes if the file /sys/fs/selinux/enforce is missing or if its content is set to 0. The problem is that since SELinux is not present on Anbox instances, the /sys/fs/selinux directory doesn’t exist, meaning the enforce file is also missing.
I am currently looking for an alternative to Frida to make the app work without hooking functions, and I thought about manually creating the /sys/fs/selinux/enforce file with 1 inside it. However, as you just explained, this is not possible due to kernel restrictions.
Would you have any suggestions for achieving this in a different way?
What you want is probably possible, but it is going to be quite tricky to implement on containers.
As Simon explained, the /sys/fs directory you see in Android is an actual mount of /sys/fs and comes with several constraints.
One thing you could do is bind-mount a directory at /sys/fs in the Android container. The directory you have bind-mounted could then contain your selinux/enforce file with the contents you want. Where this gets a bit tricky is that you also need to bind-mount everything that is under /sys/fs and that Android requires (e.g. /sys/fs/bpf, /sys/fs/cgroup, etc).
You can use an extra LXC configuration file at /var/lib/anbox/lxc-extra.conf. That file will be included by Anbox when it starts. See the LXC docs for more information on the file format.
In your case, you would mostly need to use lxc.mount.entry directives. You can take a look at the directives used by Anbox at /var/lib/anbox/containers/default/config to get a sense on how to do this.
For instance, we do something similar with /sys/module/lowmemorykiller. These are the bind-mount entries we are using:
/var/lib/anbox/state/sys_module is a regular directory that we create, and /var/lib/anbox/state/sys_module_lowmemorykiller_parameters_minfree is a regular file.
You would also need to bind-mount other directories in your case.
As tweaking these files can easily result in Android not booting, using devmode could be useful. See How to develop addons in --devmode.
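To make the bind-mount approach described above concrete, here is an added example script (not Anbox's own configuration and not taken from the thread) that prepares the host-side directory and prints the matching lxc.mount.entry directives for /var/lib/anbox/lxc-extra.conf. It assumes a state directory of /var/lib/anbox/state/sys_fs, chosen to mirror the sys_module example, and assumes that "bpf" and "cgroup" are the /sys/fs children the container needs; the real set has to be read from /var/lib/anbox/containers/default/config on your host.

```shell
#!/bin/sh
# Added example, not Anbox's own configuration: build the host-side directory
# and the lxc.mount.entry directives that replace the container's /sys/fs with
# a host directory carrying selinux/enforce, then bind-mount the kernel-managed
# children Android needs back on top of it.
#
# Assumptions (not taken from the thread):
#   - the state directory /var/lib/anbox/state/sys_fs is ours to create,
#     mirroring the sys_module example above
#   - "bpf cgroup" is the set of /sys/fs children the container needs; take
#     the real set from /var/lib/anbox/containers/default/config on your host
set -eu

# Create STATE_DIR/sys_fs with the selinux/enforce file and an empty
# mount point for every child that will be bind-mounted back from the host.
prepare_state_dir() {
    state_dir="$1"; shift
    mkdir -p "$state_dir/sys_fs/selinux"
    printf '1\n' > "$state_dir/sys_fs/selinux/enforce"   # "1" = enforcing
    chmod 0444 "$state_dir/sys_fs/selinux/enforce"
    for child in "$@"; do
        mkdir -p "$state_dir/sys_fs/$child"
    done
}

# Print the directives for lxc-extra.conf. Order matters: LXC processes
# entries top to bottom, so the replacement sys/fs comes first and the
# kernel-managed children are re-exposed on top of it afterwards. Container
# paths are given relative to the rootfs, as the LXC docs describe.
gen_mount_entries() {
    state_dir="$1"; shift
    echo "lxc.mount.entry = $state_dir/sys_fs sys/fs none bind,ro 0 0"
    for child in "$@"; do
        echo "lxc.mount.entry = /sys/fs/$child sys/fs/$child none bind 0 0"
    done
}

# Usage: sh gen-lxc-extra.sh /var/lib/anbox/state >> /var/lib/anbox/lxc-extra.conf
if [ "$#" -gt 0 ]; then
    prepare_state_dir "$1" bpf cgroup
    gen_mount_entries "$1" bpf cgroup
fi
```

Two things worth keeping in mind with this setup: the enforce file only satisfies the app's file check, it does not enable any SELinux enforcement inside the container, so nothing in the instance becomes more confined by it; and every subtree under /sys/fs that Android or the app reads has to be bind-mounted back individually, which is why the set of children should come from the default container config rather than from the two names assumed here.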
Thanks a lot for the suggestion! I’ll give it a try soon.
I have a question, though: why would I need to bind-mount all the other directories under /sys/fs/ (such as /sys/fs/bpf, /sys/fs/cgroup, etc.) if I only need to create a bind-mount for /sys/fs/selinux? Wouldn’t it be possible to just mount that specific folder without affecting the rest?
Also, I wanted to report something unrelated but possibly important. Since a recent update (I’m not sure if it was 1.25 or 1.25.1, but I suspect 1.25.1), device streaming has stopped working—even on Anbox’s official dashboard. The errors I’m seeing are:
"failed to establish a WebRTC connection via ICE" on the dashboard
"WebRTC: ICE failed, your TURN server appears to be broken, see about:webrtc for more details" in the browser console
If you mount /sys/fs, this directory will be managed by the kernel. At this point, you cannot create a directory or file anymore (as you’ve seen already). Unless I missed something, I don’t expect it to work.