system group creation for android container device access needs to move out of the build scripts

Bug #1187750 reported by Oliver Grawert on 2013-06-05
Affects: livecd-rootfs (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

currently live-build/ubuntu-touch/hooks/02-add_user_to_groups.chroot has a hardcoded way of creating system groups for android device access in ubuntu-touch. since we want to build images for arches that are not necessarily using the android layer in the future this functionality needs to move into a postinst script of the lxc-android-config package instead.

in android kernel, drivers and binary userspace tools are using a hardcoded GID -> groupname mapping to manage device access
http://paste.ubuntu.com/5735451/ has the full list of group mapping to GIDs

it currently seems like we have to have at least a minimal set of these groups on the ubuntu side to have sockets and /dev entries mapped to the hardcoded GIDs the android side expects for granting access.

when discussing this migration the foundations team had massive concerns about using such a hardcoded mapping on the ubuntu side. while this bug is easily fixed by moving the script to the right package, further discussion is needed to find a conceptual solution that suits all parties and does not break device access and socket communication with android services.

Oliver Grawert (ogra) wrote :

subscribed canonical-foundations and the phone foundations teams since this requires discussion across both

Changed in livecd-rootfs (Ubuntu):
importance: Undecided → High

Colin Watson (cjwatson) wrote :

The stuff with changing the audio group's gid is particularly egregious. That will break as soon as the base-passwd package is upgraded. You must not ever change the gid of a global static group.

Colin Watson (cjwatson) wrote :

What interfaces does the Android side use to detect the calling group IDs? If there's any way to interpose some kind of shim there, that would be far preferable to a scheme requiring the group IDs to match between Android and Ubuntu; not least because the group IDs used here are all in the range reserved for use by users.

Changed in livecd-rootfs (Ubuntu):
status: New → Triaged

Stéphane Graber (stgraber) wrote :

Why was the audio group's gid changed? My understanding is that the Android kernel has hardcoded GIDs, not hardcoded names, so if we have to use those, we could certainly prefix the group names on the Ubuntu side to avoid name collision.

However, I agree with Colin that having those in the range reserved for user groups is problematic. One solution would be to move the user range to higher values (making the user/group IDs on touch devices start at 10000) which would avoid any potential clash but would lead to a difference in uids/gids between standard ubuntu and ubuntu touch.

Stéphane Graber (stgraber) wrote :

It may also be a good idea not to actually add all those groups to the system group list, but instead use something like libnss-extrausers in the nss stack to have a cleanly separate list of groups that's simply stacked on top of the system's by nss.

On Wed, Jun 05, 2013 at 12:16:05PM -0000, Colin Watson wrote:
> What interfaces does the Android side use to detect the calling group
> IDs?

My understanding is that these are not *detected* at all, but are instead
hard-coded in various kernel drivers. Hence the hard-coding also on the
userspace side.

Oliver Grawert (ogra) wrote :

http://android-dls.com/wiki/index.php?title=Android_UIDs_and_GIDs has the required mapping for the commonly used android groups

Oliver Grawert (ogra) wrote :

(that should be the most minimal list vs the full list pasted in the bug description)

Changed in livecd-rootfs (Ubuntu):
status: Triaged → In Progress
Changed in livecd-rootfs (Ubuntu):
status: In Progress → New
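
The two concerns raised in the comments above (Android GIDs falling in the range reserved for users, and a static group such as audio being renumbered) can be checked mechanically against a group file. The following is an added example, not code from this bug report or from livecd-rootfs; the GID values, the `android_` name prefix and the sample group file are assumptions constructed for illustration.

```python
"""Audit an /etc/group-style file against GIDs the Android side expects."""

# Debian Policy UID/GID classes: 1000-59999 is dynamically allocated to users.
USER_RANGE = range(1000, 60000)

# Assumed sample values: a few Android GIDs and two base-passwd static groups.
ANDROID_GIDS = {"system": 1000, "radio": 1001, "graphics": 1003, "audio": 1005, "inet": 3003}
BASE_PASSWD_STATIC = {"audio": 29, "video": 44}

# Constructed group file: audio has been renumbered to the Android GID, and
# the first regular user's private group already sits on GID 1000.
SAMPLE_GROUP = """\
root:x:0:
audio:x:1005:phablet
video:x:44:phablet
phablet:x:1000:
android_graphics:x:1003:phablet
"""

def parse_group(text):
    """Return {name: gid} from group(5) text, skipping blanks, comments and NSS compat lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"malformed group entry: {line!r}")
        groups[fields[0]] = int(fields[2])
    return groups

def audit(group_text, wanted=ANDROID_GIDS, static=BASE_PASSWD_STATIC):
    """Return a sorted list of (kind, detail) findings for the given group file."""
    groups = parse_group(group_text)
    by_gid = {}
    for name, gid in groups.items():
        by_gid.setdefault(gid, []).append(name)
    findings = []
    for name, gid in static.items():  # static groups must keep their base-passwd GID
        if name in groups and groups[name] != gid:
            findings.append(("static-gid-changed", f"{name}: {gid} -> {groups[name]}"))
    for name, gid in wanted.items():
        if gid in USER_RANGE:  # wanted GID lies in the user-allocated range
            findings.append(("in-user-range", f"{name}={gid}"))
        holders = [n for n in by_gid.get(gid, []) if n not in (name, f"android_{name}")]
        if holders:  # GID is already owned by an unrelated group
            findings.append(("gid-taken", f"{gid} held by {','.join(holders)}"))
    return sorted(findings)
```

Run against the sample, `audit(SAMPLE_GROUP)` reports the renumbered audio group, the clash on GID 1000 with the user's private group, and every wanted GID as lying in the user range.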