Security Model

Waydroid uses several standard Linux security mechanisms to confine the Android container and protect the host system.

AppArmor

Waydroid provides AppArmor profiles to enforce Mandatory Access Control (MAC) on the container and the applications running within it. These profiles restrict which system resources and files can be accessed.

The installation provides three main profiles, located in data/configs/apparmor_profiles/:

  1. lxc-waydroid: This is the primary profile applied to the LXC container itself. It defines a broad set of permissions required for the Android system to boot and function, including access to necessary device nodes (/dev/**), network capabilities, and mount operations.

    # Example from lxc-waydroid profile
    profile lxc-waydroid flags=(attach_disconnected, complain, mediate_deleted) {
      # Transition to other profiles for specific processes
      /system/bin/app_process Pix -> lxc-waydroid//&android_app,
      /system/bin/adbd Pix -> lxc-waydroid//&adbd,
    
      # General permissions
      network,
      unix,
      mount,
      capability sys_admin,
      ...
    }

  2. android_app: This profile is applied to general Android applications (those started by app_process). It is more restrictive than the main LXC profile, denying actions like pivot_root and access to D-Bus, while allowing access to typical Android data directories (/data/**, /storage/**).

  3. adbd: A specific profile for the Android Debug Bridge Daemon (adbd), granting it the permissions it needs to function, such as ptrace capabilities for debugging.

Administrators can amend these policies locally. The profiles include stubs such as #include <local/lxc-waydroid>, which allow system administrators to extend the rules without modifying the upstream files.
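As an added example (not Waydroid's own code), the following Python script reads a profile in the form shown above and reports its declared mode, local include stubs, exec transitions and unqualified rules. A profile whose flags include complain, as the excerpt's do, logs policy violations instead of blocking them. The sample input is constructed from the excerpt on this page plus the local include stub, and the name audit_profile is hypothetical.

```python
import re

# Constructed input: the lxc-waydroid excerpt from this page with the elided
# "..." dropped and the local include stub mentioned in the text added.
SAMPLE_PROFILE = """\
profile lxc-waydroid flags=(attach_disconnected, complain, mediate_deleted) {
  #include <local/lxc-waydroid>
  /system/bin/app_process Pix -> lxc-waydroid//&android_app,
  /system/bin/adbd Pix -> lxc-waydroid//&adbd,

  network,
  unix,
  mount,
  capability sys_admin,
}
"""

HEADER = re.compile(r"profile\s+(\S+)(?:\s+flags=\(([^)]*)\))?\s*\{")
TRANSITION = re.compile(r"(/\S+)\s+\S+\s+->\s+(\S+),")
# Rules that grant a whole access class when written without qualifiers.
BROAD = re.compile(r"(network|unix|mount|capability\s+sys_admin)\s*,")


def audit_profile(text):
    """Summarise one profile: declared mode, includes, transitions, broad rules."""
    report = {"name": None, "flags": [], "mode": None,
              "includes": [], "transitions": {}, "broad": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#include"):
            report["includes"].append(line[len("#include"):].strip())
        elif not line or line.startswith("#"):
            continue
        elif m := HEADER.fullmatch(line):
            report["name"] = m.group(1)
            report["flags"] = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            # Without the complain flag a profile loads in enforce mode.
            report["mode"] = "complain" if "complain" in report["flags"] else "enforce"
        elif m := TRANSITION.fullmatch(line):
            report["transitions"][m.group(1)] = m.group(2)
        elif m := BROAD.fullmatch(line):
            report["broad"].append(" ".join(m.group(1).split()))
    return report


if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

The script only reads the mode declared in the profile text; on a running host, aa-status reports the mode each loaded profile is actually in.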

Seccomp

Waydroid applies a seccomp (secure computing mode) filter to the container to restrict the system calls (syscalls) that processes within the container are allowed to make. This reduces the kernel attack surface reachable from inside the container.

The seccomp profile is defined in data/configs/waydroid.seccomp and primarily operates on a blacklist model: it blocks the listed dangerous or unnecessary syscalls and leaves all others allowed.

    # Example from waydroid.seccomp
    2
    blacklist
    init_module
    finit_module
    delete_module
    _sysctl
    kexec_file_load
    kexec_load
    reboot
    open_by_handle_at errno 38
    ...

This prevents containerized processes from performing highly privileged operations like loading kernel modules or rebooting the system.

PolicyKit

For privileged actions initiated by a user, Waydroid integrates with PolicyKit (polkit). This allows unprivileged users to perform specific administrative actions (like initializing Waydroid with custom OTA channels) after authenticating, without needing full sudo access for the entire command.

The policy is defined in dbus/id.waydro.Container.policy.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">

    <policyconfig>
      <action id="id.waydro.Initializer.Init">
        <description>Waydroid Initialization</description>
        <message>Initialize Waydroid with user-provided OTA channels. Do you trust the source?</message>
        <defaults>
          <allow_any>auth_admin</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>auth_admin_keep</allow_active>
        </defaults>
      </action>
    </policyconfig>

This configuration ensures that potentially risky operations require explicit administrator authentication, following the principle of least privilege.