LXC 5.0.1, Android Q, Kernel 4.9
I have managed to start busybox lxc container on android in permissive mode. To be able to start the container in enforcing mode, I have created SE Linux policy with new domain for lxc, but the container fails to start due to neverallow rules for the domain. The issue starts with permission denied for auto mounts of proc and sys ( lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed).
8299 15:59:54.477334 mount("proc", "/proc/self/fd/21", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EACCES (Permission denied)
The following rules in the public and private domain.te block mounting of proc, sysfs and tmpfs filesystems.
public/domain.te
neverallow { domain -init } proc:{ file dir } mounton;
private/domain.te
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`userdebug_or_eng(`-fastbootd')')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
Has someone figured out a way to solve this.