
Can the host machine be attacked by executing an executable program in the waydroid shell?

Open yuanyan3060 opened this issue 2 years ago • 4 comments

yuanyan3060 avatar Oct 21 '23 19:10 yuanyan3060

Possibly -- the container is privileged (which means it runs in an initial user namespace, therefore superuser in a container is the system-wide superuser), so it's not considered root-safe, but I currently haven't managed to run it in unprivileged mode. We do try to mitigate some risks (by limiting capabilities, blocking the most dangerous system calls, supplying AppArmor profiles for the container). However, protecting the system completely from the process that runs as root (even limited) doesn't seem realistic to me -- not to mention waydroid shell can circumvent Android security policies and access a lot of sensitive data. Android already does a good job preventing apps from getting root (without user approval through tools like Magisk).

ChrysoliteAzalea avatar Oct 24 '23 15:10 ChrysoliteAzalea

IMO I think that it should be a goal to offer hardening at least at some point. Not a short term goal by any means, but various containerization techs could allow us to harden waydroid much more than it is.

In waydroid's current state I would very much consider it insecure however.

Quackdoc avatar Nov 16 '23 02:11 Quackdoc

We can work in the direction of running it in an unprivileged container. We can start with the mapping 0=0 (which means UIDs and GIDs are mapped to the same UIDs and GIDs, but the container runs in a different user namespace and its capabilities are only effective inside the container), and then try using tools like shiftfs.

ChrysoliteAzalea avatar Nov 16 '23 08:11 ChrysoliteAzalea
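
The difference described in the comment above, between a privileged container (sharing the initial user namespace) and a separate user namespace with a 0=0 mapping, can be checked from the host through /proc. This is an added example, not part of the original thread or of Waydroid's code; the function names, result labels and sample values are constructed for illustration.

```python
"""Classify a container's user-namespace setup from /proc data (Linux host)."""
import os

def parse_id_map(text):
    """Parse uid_map/gid_map content into (inside_start, outside_start, count)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append(tuple(int(f) for f in fields))
    return entries

def map_to_outside(entries, inside_id):
    """Translate an ID inside the namespace to the outside ID, None if unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None

def classify(container_userns, host_userns, uid_map_text):
    """Both *_userns arguments are link targets of /proc/<pid>/ns/user."""
    if container_userns == host_userns:
        # Same namespace as the host: container root is the system-wide root.
        return "privileged"
    root_outside = map_to_outside(parse_id_map(uid_map_text), 0)
    if root_outside is None:
        return "unprivileged-root-unmapped"
    if root_outside == 0:
        # The "0=0" case: own namespace, but UID 0 inside is UID 0 outside.
        return "userns-identity-root"
    return "unprivileged-shifted"

def inspect_pid(pid):
    """Live check for a container init PID; run as root in the host namespace."""
    host = os.readlink("/proc/1/ns/user")
    target = os.readlink(f"/proc/{pid}/ns/user")
    with open(f"/proc/{pid}/uid_map") as fh:
        return classify(target, host, fh.read())

# Constructed sample values, not captured from a real Waydroid host.
HOST_NS = "user:[4026531837]"
CHILD_NS = "user:[4026532999]"
FULL_MAP = "         0          0 4294967295\n"
SHIFTED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    print(classify(HOST_NS, HOST_NS, FULL_MAP))
    print(classify(CHILD_NS, HOST_NS, FULL_MAP))
    print(classify(CHILD_NS, HOST_NS, SHIFTED_MAP))
```

The uid_map text alone cannot tell the first two cases apart, since the initial namespace and a full identity mapping both read `0 0 4294967295`; the namespace link comparison is what separates them.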

@Quackdoc @ChrysoliteAzalea Is there an existing issue to track the progress on the unprivileged container or should we create one to make it more visible for contributors? By the way, if we try to run the Waydroid privileged container in an unprivileged LXC container (instead of our host system directly), does it work?

Update: I tried installing Waydroid in an unprivileged LXC container but when executing sudo waydroid init there were errors:

Failed to load binder driver
modprobe: FATAL: Module binder_linux not found in directory /lib/modules/6.1.0-18-amd64
ERROR: Binder node "binder" for waydroid not found

I also read we cannot use modprobe in an LXC container (https://serverfault.com/questions/381658/modprobe-inside-an-lxc-container).

baptx avatar Dec 26 '23 11:12 baptx

I'd like to point out that any user can start the container via D-Bus if polkit is not running. Not sure how that could be mitigated other than not running privileged but this or at the very least the fact that Waydroid runs privileged should be mentioned.

I do not understand how difficult it would be to make it run unprivileged and I do not ask for that, but there should be a warning at the front page or in front of the installation instructions.

EDIT: actually I got confused by the .policy file, I think it can be done even with polkit enabled, which is worse (not gonna install polkit to test tho, but without it it definitely works)

xz47sv avatar Jul 06 '24 06:07 xz47sv

> We can work in the direction of running it in an unprivileged container.

For better confidence in security, microVM sounds more interesting.

Something libkrun based?

kravemir avatar Sep 13 '25 07:09 kravemir