Азалия Смарагдова

> Manpage and shell completion missing. > > The manpage should also explain consequences like busy removable media. Done.

> > If Landlock self-restriction is enabled, experimental patched version of Bubblewrap will create and apply a ruleset which only allows access to mounted resources, preventing container escape. > >...

Force-pushed the experimental branch in order to combine and sign commits. No changes to the code itself have been made.

I've tested this a bit, and it seems to be working correctly for me. Seems to be ready for review. What has to be done: * Adding the Landlock syscall...

> Android has a lot of SELinux policy written for it. I wonder if we could take advantage of LSM namespaces, or if they are not ready yet. As far...

The problem is that SELinux labels the filesystem and AppArmor doesn't. If the Android container uses SELinux (and therefore labeled filesystem) and the rest of the system uses AppArmor and...

[There is already a pull request](https://github.com/waydroid/waydroid/pull/403).

> needs added to config_1 as well Done for all changes except for "No New Privileges" restriction (I just couldn't find how it was called on older LXC version and...

The previous config was causing **logcat read failure** on my system -- had to grant CAP_AUDIT_CONTROL to container in order to fix it. Also, removed the universal read access from...

Force-pushed the branch to merge commits into one and sign it. No files have been changed.