android support

Author: branchseer

Cargo.lock

@@ -22,7 +22,7 @@ tokio = { workspace = true, features = ["net", "process", "io-util", "sync", "rt
 tokio-util = { workspace = true }
 which = { workspace = true, features = ["tracing"] }
 
-[target.'cfg(target_os = "linux")'.dependencies]
+[target.'cfg(any(target_os = "linux", target_os = "android"))'.dependencies]
 fspy_seccomp_unotify = { workspace = true, features = ["supervisor"] }
 nix = { workspace = true, features = ["uio"] }
 tokio = { workspace = true, features = ["bytes"] }

crates/fspy/Cargo.toml

@@ -1,9 +1,9 @@
 #![cfg_attr(target_os = "windows", feature(windows_process_extensions_main_thread_handle))]
-#![feature(once_cell_try)]
+#![cfg_attr(not(target_os = "android"), feature(once_cell_try))]
 
 pub mod error;
 
-#[cfg(not(target_env = "musl"))]
+#[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
 mod ipc;
 
 #[cfg(unix)]

crates/fspy/src/lib.rs

@@ -1,15 +1,15 @@
-#[cfg(target_os = "linux")]
+#[cfg(any(target_os = "linux", target_os = "android"))]
 mod syscall_handler;
 
 #[cfg(target_os = "macos")]
 mod macos_artifacts;
 
 use std::{io, path::Path};
 
-#[cfg(target_os = "linux")]
+#[cfg(any(target_os = "linux", target_os = "android"))]
 use fspy_seccomp_unotify::supervisor::supervise;
 use fspy_shared::ipc::PathAccess;
-#[cfg(not(target_env = "musl"))]
+#[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
 use fspy_shared::ipc::{NativeStr, channel::channel};
 #[cfg(target_os = "macos")]
 use fspy_shared_unix::payload::Artifacts;
@@ -19,12 +19,12 @@ use fspy_shared_unix::{
     spawn::handle_exec,
 };
 use futures_util::FutureExt;
-#[cfg(target_os = "linux")]
+#[cfg(any(target_os = "linux", target_os = "android"))]
 use syscall_handler::SyscallHandler;
 use tokio::task::spawn_blocking;
 use tokio_util::sync::CancellationToken;
 
-#[cfg(not(target_env = "musl"))]
+#[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
 use crate::ipc::{OwnedReceiverLockGuard, SHM_CAPACITY};
 use crate::{ChildTermination, Command, TrackedChild, arena::PathAccessArena, error::SpawnError};
 
@@ -33,7 +33,7 @@ pub struct SpyImpl {
     #[cfg(target_os = "macos")]
     artifacts: Artifacts,
 
-    #[cfg(not(target_env = "musl"))]
+    #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
     preload_path: Box<NativeStr>,
 }
 
@@ -42,8 +42,10 @@ impl SpyImpl {
     ///
     /// On musl targets, we don't build a preload library —
     /// only seccomp-based tracking is used.
-    pub fn init_in(#[cfg_attr(target_env = "musl", allow(unused))] dir: &Path) -> io::Result<Self> {
-        #[cfg(not(target_env = "musl"))]
+    pub fn init_in(
+        #[cfg_attr(any(target_os = "android", target_env = "musl"), allow(unused))] dir: &Path,
+    ) -> io::Result<Self> {
+        #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
         let preload_path = {
             use materialized_artifact::{Artifact, artifact};
 
@@ -54,7 +56,7 @@ impl SpyImpl {
         };
 
         Ok(Self {
-            #[cfg(not(target_env = "musl"))]
+            #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
             preload_path,
             #[cfg(target_os = "macos")]
             artifacts: {
@@ -74,24 +76,24 @@ impl SpyImpl {
         mut command: Command,
         cancellation_token: CancellationToken,
     ) -> Result<TrackedChild, SpawnError> {
-        #[cfg(target_os = "linux")]
+        #[cfg(any(target_os = "linux", target_os = "android"))]
         let supervisor = supervise::<SyscallHandler>().map_err(SpawnError::Supervisor)?;
 
-        #[cfg(not(target_env = "musl"))]
+        #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
         let (ipc_channel_conf, ipc_receiver) =
             channel(SHM_CAPACITY).map_err(SpawnError::ChannelCreation)?;
 
         let payload = Payload {
-            #[cfg(not(target_env = "musl"))]
+            #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
             ipc_channel_conf,
 
             #[cfg(target_os = "macos")]
             artifacts: self.artifacts.clone(),
 
-            #[cfg(not(target_env = "musl"))]
+            #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
             preload_path: self.preload_path.clone(),
 
-            #[cfg(target_os = "linux")]
+            #[cfg(any(target_os = "linux", target_os = "android"))]
             seccomp_payload: supervisor.payload().clone(),
         };
 
@@ -148,7 +150,7 @@ impl SpyImpl {
 
                 let arenas = std::iter::once(exec_resolve_accesses);
                 // Stop the supervisor and collect path accesses from it.
-                #[cfg(target_os = "linux")]
+                #[cfg(any(target_os = "linux", target_os = "android"))]
                 let arenas = arenas.chain(
                     supervisor
                         .stop()
@@ -160,12 +162,12 @@ impl SpyImpl {
 
                 // Lock the ipc channel after the child has exited.
                 // We are not interested in path accesses from descendants after the main child has exited.
-                #[cfg(not(target_env = "musl"))]
+                #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
                 let ipc_receiver_lock_guard =
                     OwnedReceiverLockGuard::lock_async(ipc_receiver).await?;
                 let path_accesses = PathAccessIterable {
                     arenas,
-                    #[cfg(not(target_env = "musl"))]
+                    #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
                     ipc_receiver_lock_guard,
                 };
 
@@ -179,7 +181,7 @@ impl SpyImpl {
 
 pub struct PathAccessIterable {
     arenas: Vec<PathAccessArena>,
-    #[cfg(not(target_env = "musl"))]
+    #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
     ipc_receiver_lock_guard: OwnedReceiverLockGuard,
 }
 
@@ -188,12 +190,12 @@ impl PathAccessIterable {
         let accesses_in_arena =
             self.arenas.iter().flat_map(|arena| arena.borrow_accesses().iter()).copied();
 
-        #[cfg(not(target_env = "musl"))]
+        #[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
         {
             let accesses_in_shm = self.ipc_receiver_lock_guard.iter_path_accesses();
             accesses_in_shm.chain(accesses_in_arena)
         }
-        #[cfg(target_env = "musl")]
+        #[cfg(any(target_os = "android", target_env = "musl"))]
         {
             accesses_in_arena
         }

crates/fspy/src/unix/mod.rs

@@ -1,13 +1,16 @@
-// Compile as an empty crate on non-unix targets and on musl (where seccomp
-// alone handles access tracking). Guarding the feature gate keeps rustc from
-// warning about unused features on those targets.
-#![cfg_attr(all(unix, not(target_env = "musl")), feature(c_variadic))]
+// Compile as an empty crate on non-unix targets, on android, and on musl
+// (where seccomp alone handles access tracking). Guarding the feature gate
+// keeps rustc from warning about unused features on those targets.
+#![cfg_attr(all(unix, not(target_os = "android"), not(target_env = "musl")), feature(c_variadic))]
 
-#[cfg(all(unix, not(target_env = "musl")))]
+#[cfg(all(unix, not(target_os = "android"), not(target_env = "musl")))]
 mod client;
-#[cfg(all(unix, not(target_env = "musl")))]
+
+#[cfg(all(unix, not(target_os = "android"), not(target_env = "musl")))]
 mod interceptions;
-#[cfg(all(unix, not(target_env = "musl")))]
+
+#[cfg(all(unix, not(target_os = "android"), not(target_env = "musl")))]
 mod libc;
-#[cfg(all(unix, not(target_env = "musl")))]
+
+#[cfg(all(unix, not(target_os = "android"), not(target_env = "musl")))]
 mod macros;

crates/fspy_preload_unix/src/lib.rs

@@ -4,7 +4,7 @@ version = "0.1.0"
 edition = "2024"
 publish = false
 
-[target.'cfg(target_os = "linux")'.dependencies]
+[target.'cfg(any(target_os = "android", target_os = "linux"))'.dependencies]
 wincode = { workspace = true, features = ["derive"] }
 libc = { workspace = true }
 nix = { workspace = true, features = ["process", "fs", "poll", "socket", "uio"] }

crates/fspy_seccomp_unotify/Cargo.toml

@@ -1,4 +1,4 @@
-#![cfg(target_os = "linux")]
+#![cfg(any(target_os = "android", target_os = "linux"))]
 
 #[cfg(any(feature = "supervisor", feature = "target"))]
 mod bindings;

crates/fspy_seccomp_unotify/src/lib.rs

@@ -7,6 +7,9 @@ use std::{
 };
 
 use libc::sock_filter;
+#[cfg(target_os = "android")]
+use libc::{PR_SET_NO_NEW_PRIVS, prctl};
+#[cfg(not(target_os = "android"))]
 use nix::sys::prctl::set_no_new_privs;
 use passfd::FdPassingExt;
 
@@ -19,7 +22,17 @@ use crate::{bindings::install_unotify_filter, payload::SeccompPayload};
 /// Returns an error if setting no-new-privs fails, the filter cannot be installed,
 /// or the IPC socket communication fails.
 pub fn install_target(payload: &SeccompPayload) -> nix::Result<()> {
+    #[cfg(not(target_os = "android"))]
     set_no_new_privs()?;
+
+    #[cfg(target_os = "android")]
+    {
+        let ret = unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) };
+        if ret != 0 {
+            return Err(nix::Error::last());
+        }
+    }
+
     let sock_filters =
         payload.filter.0.iter().copied().map(sock_filter::from).collect::<Vec<sock_filter>>();
     let notify_fd = install_unotify_filter(&sock_filters)?;

crates/fspy_seccomp_unotify/src/target.rs

@@ -11,11 +11,13 @@ bitflags = { workspace = true }
 bstr = { workspace = true }
 bytemuck = { workspace = true, features = ["must_cast", "derive"] }
 native_str = { workspace = true }
-shared_memory = { workspace = true, features = ["logging"] }
 thiserror = { workspace = true }
 tracing = { workspace = true }
 uuid = { workspace = true, features = ["v4"] }
 
+[target.'cfg(not(target_os = "android"))'.dependencies]
+shared_memory = { workspace = true, features = ["logging"] }
+
 [target.'cfg(target_os = "windows")'.dependencies]
 bytemuck = { workspace = true }
 os_str_bytes = { workspace = true }

crates/fspy_shared/Cargo.toml

@@ -1,4 +1,4 @@
-#[cfg(not(target_env = "musl"))]
+#[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
 pub mod channel;
 mod native_path;
 use std::fmt::Debug;