Pekka Helenius a8ebcfceef | 4 years ago | |
---|---|---|
anbox_files | 4 years ago | |
androidOS_files | 4 years ago | |
LICENSE | 4 years ago | |
README.md | 4 years ago | |
installation-steps.md | 4 years ago |
This repository contains a recommended Anbox configuration to run the program as securely as possible.
Many users misconfigure Anbox to run in privileged mode, which permits real root access for Android system processes to a Linux system. The configuration in this repository contains proper settings to run Anbox in unprivileged mode, thus better protecting your Linux system from possibly malicious Android processes.
Additionally, this repository provides a feature-patched Android OS image file for Anbox, and several other improvements.
The PKGBUILD file is an Arch Linux specific file. Otherwise, you can use the rest of the files on any Linux distribution.
Anbox installation steps are roughly described in Installation Steps.
Many files have originally been provided by anbox-git AUR package. However, small changes have been made.
Added [Network] entry ConfigureWithoutCarrier=yes
Added IPv4 broadcast address 192.168.250.255 into [Address] section
Removed IPMasquerade=yes entry from [Address] section. Depending on your network topology, you may want to keep this option. I don't need or use it.
[Service] entry ExecStart=... from
ExecStart=/usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox
to
ExecStart=/usr/bin/anbox container-manager --daemon --data-path=/var/lib/anbox
Multiple security-related additions
Added [Unit] entries Wants=lxc.service and After=lxc.service
[Service] entry Environment=ANBOX_FORCE_SERVER_SIDE_DECORATION=true
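The following check is an added example, not part of this repository: it audits a systemd unit for the ExecStart and [Unit] changes listed above. The function names and both sample units are constructed for illustration, and the unit text is read from stdin because the unit file name is not given here.

```sh
# Added example (not from the repository): audit a systemd unit read from
# stdin for the container-manager settings this README changes.
# Returns 0 when clean, 1 when any finding is printed.
audit_anbox_unit() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continuations
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*[#;]/ { next }                      # skip comments
        line ~ /^[ \t]*\[/ { gsub(/[ \t]/, "", line); sec = line; next }
        sec == "[Service]" && line ~ /^[ \t]*ExecStart[ \t]*=/ {
            val = line; sub(/^[ \t]*ExecStart[ \t]*=[ \t]*/, "", val)
            if (val == "") { cm = 0; priv = 0; next }      # empty value resets list
            if (val ~ /container-manager/) { cm = 1; if (val ~ /(^|[ \t])--privileged([ \t]|$)/) priv = 1 }
        }
        sec == "[Unit]" && line ~ /^[ \t]*Wants[ \t]*=.*lxc\.service/ { wants = 1 }
        sec == "[Unit]" && line ~ /^[ \t]*After[ \t]*=.*lxc\.service/ { after = 1 }
        END {
            if (!cm)    { print "FAIL: no container-manager ExecStart"; bad = 1 }
            if (priv)   { print "FAIL: container-manager started with --privileged"; bad = 1 }
            if (!wants) { print "WARN: [Unit] lacks Wants=lxc.service"; bad = 1 }
            if (!after) { print "WARN: [Unit] lacks After=lxc.service"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the ExecStart line this README replaces.
sample_privileged() {
    cat <<'EOF'
[Unit]
[Service]
ExecStart=/usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox
EOF
}

# Constructed sample: the changed entries, split over two lines to exercise continuations.
sample_hardened() {
    cat <<'EOF'
[Unit]
Wants=lxc.service
After=lxc.service
[Service]
ExecStart=/usr/bin/anbox container-manager --daemon \
    --data-path=/var/lib/anbox
EOF
}

for s in sample_privileged sample_hardened; do echo "== $s"; $s | audit_anbox_unit || true; done
```

Piping in the merged unit text (for example the output of `systemctl cat` for the installed unit) lets the empty `ExecStart=` reset in a drop-in override be taken into account.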
LXC container user and group mapping files /etc/subuid and /etc/subgid for Android OS container.
Simple wrapper script to be added into desktop startup program configuration. This is a simple workaround script. If the anbox-session-manager systemd service is launched before the X11 session, launching the X11 session fails for unknown reasons. This script ensures that the X11 session is launched before the anbox-session-manager systemd service.
Place into /usr/local/bin/ folder.
patch_audio01_timing.patch & patch_audio02_pass-messenger.patch
patch_cm-helpmenu-unhidden.patch
container-manager options in Anbox executable help menu
patch_cm-privileged-warn.patch
not recommended note into --privileged parameter description
patch_remove-unknown-opt.patch
Contains Android OS image file with additional patches. Base Android version is 7.1.1_r13. The compiled image source code is purely based on Android Open Source Project codebase.
On Arch Linux, you can use anbox-image AUR package as reference to install this custom Android image. Or just simply copy the image into /var/lib/anbox/, overriding the original Android OS image file android.img.
Server-side decoration support
Audio timing fix for stream videos
Default Gallery app no longer pauses video playback when changing focus to another Android application
Avoid unnecessary Linux kernel warnings by removing unused Android-native features
Compiled Android OS image file android.img with the following patches applied:
patch_audio01_timing.patch & patch_audio02_pass-messenger.patch
patch_gallery2_no-activity-checks.patch
com.android.gallery3d as the pause functionality does not fit into Linux desktop environment when running multiple Android applications simultaneously.
Remove unnecessary cgroups and related mount points from containerized Android OS system. Remove cpusets.
dmesg output and both options fail.