This repository contains recommended Anbox configuration to run the program as securely as possible.
Many users misconfigure Anbox to run in privileged mode which permits real root access for Android system processes to a Linux system. Configuration in this repository contains proper settings to run Anbox in _unprivileged mode_, thus better protecting your Linux system from possibly malicious Android processes.
Additionally, this repository provides feature-patched Android OS image file patches for Anbox, and several other improvements. **See and get available Android images on [https://fjordtek.com/public/applications/anbox/images/](https://fjordtek.com/public/applications/anbox/images/).**
`PKGBUILD` file is Arch Linux specific file. Otherwise, you can use rest of the files on any Linux distribution.
Anbox configuration security in mind.
## Anbox installation
Anbox installation steps are roughly described in [Installation Steps](installation-steps.md).
## Anbox files
Subdirectory [anbox_files](anbox_files). Many files have originally been provided by [anbox-git AUR package](https://aur.archlinux.org/packages/anbox-git/). However, small changes have been made.
- Removed `IPMasquerade=yes` entry from `[Address]` section. Depending on your network topology, you may want to keep this option. I don't need or use it.
#### # [anbox-container-manager.service](anbox_files/anbox-container-manager.service) (Systemd service file)
- **Purpose**. If `anbox-session-manager` Systemd service is launched _before_ X11 session, launching the X11 session fails. This script ensures that X11 session is launched _before_`anbox-session-manager` Systemd service, fixing the issue.
- Place into `/usr/local/bin/` folder and set as executable (`chmod +x <file/path>`).
`PKGBUILD` file is for Arch Linux. Rest of the files work on any Linux distribution.
LXC container user and group mapping files `/etc/subuid` and `/etc/subgid` for Android OS container.
## Android OS image files
#### # anbox-session-manager (shell script)
Get pre-built, patched images from [https://fjordtek.com/public/applications/anbox/images/](https://fjordtek.com/public/applications/anbox/images/). All images are based on [Android Open Source Project codebase](https://android.googlesource.com/).
Simple wrapper script to be added into desktop startup program configuration. This is a simple work around script. If `anbox-session-manager` Systemd service is launched _before_ X11 session, launching the X11 session fails for unknown reasons. This script ensures that X11 session is launched _before_`anbox-session-manager` Systemd service.
Patch files in [androidOS_files](androidOS_files) are for developers willing to build their own Android OS image file. See [buildscript.sh](androidOS_files/buildscript.sh) for rough step-by-step details. Patch file descriptions below.
Place into `/usr/local/bin/` folder and set as executable (`chmod +x <file/path>`).
Android OS image file target location for Anbox: `/var/lib/anbox/android.img`
@ -78,20 +47,12 @@ Place into `/usr/local/bin/` folder and set as executable (`chmod +x <file/path>
| [patch_window-restored.patch](anbox_files/patch_window-restored.patch) | Some Android applications such as [NewPipe](https://github.com/TeamNewPipe/NewPipe) require `SDL_WINDOWEVENT_RESTORED` handling so that application window contents are correctly rendered after minimize/maximize operations. |
| [patch_window-icons.patch](anbox_files/patch_window-icons.patch) | Set SDL window icon property for each application window by using application specific PNG icons. Adds value for `_NET_WM_ICON` property in X11 environment (`xprop` command). |
## Android OS files
Subdirectory [androidOS_files](androidOS_files). Contains Android OS image file build instructions and additional patches. You find patched Android image along with additional information and possible other images on [https://fjordtek.com/public/applications/anbox/images/](https://fjordtek.com/public/applications/anbox/images/).
Compiled Android image source code is purely based on [Android Open Source Project codebase](https://android.googlesource.com/).
On Arch Linux, you can use [anbox-image AUR package](https://aur.archlinux.org/packages/anbox-image/). If you want to use the patched image, use either provided [anbox-image-custom PKGBUILD](androidOS_files/anbox-image-custom/PKGBUILD) or simply directly copy the patched Android image file into `/var/lib/anbox/` as `android.img`.
### Patch files
## Android OS image - Patch files
Provided patch files are applied to the patched Android OS image file `android_7.1.1_r13_patched.img` ([direct link](https://fjordtek.com/public/applications/anbox/images/android_7.1.1_r13_patched.img)). The patch files are as follows:
Applied to the patched Android OS image file `android_7.1.1_r13_patched.img` ([direct link](https://fjordtek.com/public/applications/anbox/images/android_7.1.1_r13_patched.img)):
| [patch_audio01_timing.patch](androidOS_files/patch_audio01_timing.patch), [patch_audio02_pass-messenger.patch](androidOS_files/patch_audio02_pass-messenger.patch) | As above |
| [patch_audio01_timing.patch](androidOS_files/patch_audio01_timing.patch), [patch_audio02_pass-messenger.patch](androidOS_files/patch_audio02_pass-messenger.patch) | As for Anbox (above) |
| [patch_gallery2_no-activity-checks.patch](androidOS_files/patch_gallery2_no-activity-checks.patch) | Remove video & audio pause functionality from default Android OS system application `com.android.gallery3d` as the pause functionality does not fit into Linux desktop environment when running multiple Android applications simultaneously. |
| [patch_initcgroups.patch](androidOS_files/patch_initcgroups.patch) | Remove unnecessary cgroups and related mount points from containerized Android OS system. Remove cpusets. Both options generate unnecessary Linux main system kernel `dmesg` output and both options fail. |
