[Bug]: termux-am fails to build after the enablement of AppArmor #29118

@robertkirkman

Problem description

Unfortunately, it has been discovered that the package termux-am is no longer building without errors after AppArmor and fuse-overlayfs were enabled in this PR:

The error that is occurring is this error:

Welcome to Gradle 8.10.2!

Here are the highlights of this release:
 - Support for Java 23
 - Faster configuration cache
 - Better configuration cache reports

For more details see https://docs.gradle.org/8.10.2/release-notes.html

Checking the license for package Android SDK Build-Tools 30.0.3 in /home/builder/lib/android-sdk-9123335/licenses
License for package Android SDK Build-Tools 30.0.3 accepted.
Preparing "Install Android SDK Build-Tools 30.0.3 (revision: 30.0.3)".
Warning: Failed to read or create install properties file.
Checking the license for package Android SDK Platform 33 in /home/builder/lib/android-sdk-9123335/licenses
License for package Android SDK Platform 33 accepted.
Preparing "Install Android SDK Platform 33 (revision: 3)".
Warning: Failed to read or create install properties file.

FAILURE: Build failed with an exception.

* What went wrong:
Could not determine the dependencies of task ':app:lintVitalReportRelease'.
> Failed to install the following SDK components:
      platforms;android-33 Android SDK Platform 33
      build-tools;30.0.3 Android SDK Build-Tools 30.0.3
  Install the missing components using the SDK manager in Android Studio.


* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org./

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.


For more on this, please refer to https://docs.gradle.org/8.10.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD FAILED in 24s
Error: Process completed with exit code 1.

Failed build with vanilla termux-packages at a recent commit:

https://github.com/owokitty/termux-packages/actions/runs/23630612426/job/68828936548

Successful build with this patch applied to minimally revert #28602 :

https://github.com/owokitty/termux-packages/actions/runs/23632386570/job/68834482567

--- a/scripts/build/toolchain/termux_setup_toolchain_29.sh
+++ b/scripts/build/toolchain/termux_setup_toolchain_29.sh
@@ -133,7 +133,7 @@ termux_setup_toolchain_29() {
 	[ -d "${TERMUX_STANDALONE_TOOLCHAIN}-work" ] || mkdir -p "${TERMUX_STANDALONE_TOOLCHAIN}-work"
 
 
-	if ! mountpoint -q "${TERMUX_STANDALONE_TOOLCHAIN}"; then
+	if false; then
 		fuse-overlayfs \
 			"${TERMUX_STANDALONE_TOOLCHAIN}" \
 			-o lowerdir="${NDK}/toolchains/llvm/prebuilt/linux-x86_64" \
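Review bot: `if false; then` at the top of this hunk leaves the whole `fuse-overlayfs` call below it as unreachable code and disables the overlay on every host, including those where the mount works. If the intent is a fallback rather than a revert, gate the branch on something testable, for example keep the `mountpoint -q` test and add a check that `/dev/fuse` is usable, or delete the dead block outright so the function reads as what it does.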
@@ -145,12 +146,17 @@ termux_setup_toolchain_29() {
 		return
 	fi
 
+	rm -rf "${TERMUX_STANDALONE_TOOLCHAIN}"
+
 	local _NDK_ARCHNAME=$TERMUX_ARCH
 	if [ "$TERMUX_ARCH" = "aarch64" ]; then
 		_NDK_ARCHNAME=arm64
 	elif [ "$TERMUX_ARCH" = "i686" ]; then
 		_NDK_ARCHNAME=x86
 	fi
+	cp "$NDK/toolchains/llvm/prebuilt/linux-x86_64" "${TERMUX_STANDALONE_TOOLCHAIN}" -r
+	cp "$NDK/source.properties" "${TERMUX_STANDALONE_TOOLCHAIN}"
+
 	# Remove android-support header wrapping not needed on android-21:
 	rm -Rf $TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/local
 
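Review bot: the added `rm -rf "${TERMUX_STANDALONE_TOOLCHAIN}"` runs with no check that the path is not a mountpoint, now that the `mountpoint -q` test in the previous hunk is replaced by `if false`. If an overlay from an earlier run is still mounted there, the delete and the following `cp` operate through the mount instead of on a plain directory; test `mountpoint -q` first and unmount or abort. In the two `cp` lines, put the option before the operands (`cp -r SRC DST`), since trailing options are a GNU extension.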
--- a/scripts/run-docker.sh
+++ b/scripts/run-docker.sh
@@ -92,7 +92,7 @@ if [ "$UNAME" = Darwin ]; then
 	SEC_OPT=""
 else
 	REPOROOT="$(dirname $(readlink -f $0))/../"
-	SEC_OPT=" --security-opt seccomp=$REPOROOT/scripts/profile.json --security-opt apparmor=_custom-termux-package-builder-$CONTAINER_NAME --cap-add CAP_SYS_ADMIN --device /dev/fuse"
+	SEC_OPT=" --security-opt seccomp=$REPOROOT/scripts/profile.json"
 fi
 
 if [ "${CI:-}" = "true" ]; then
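Review bot: the new `SEC_OPT` line drops three independent things at once: the custom AppArmor profile (`--security-opt apparmor=...`), `--cap-add CAP_SYS_ADMIN`, and `--device /dev/fuse`. That makes the working build uninformative about which of them causes the SDK install failure. Consider removing them one at a time, and if only the profile is at fault, fix the profile's rules rather than the option, so the container keeps its confinement. Dropping `CAP_SYS_ADMIN` and the FUSE device is consistent with the toolchain hunk no longer calling `fuse-overlayfs`.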
@@ -138,6 +138,7 @@ if [ -z "$APPARMOR_PARSER" ] || ! $SUDO aa-status --enabled; then
        echo "         Avoid executing untrusted code in the container"
        APPARMOR_PARSER=""
 fi
+APPARMOR_PARSER=""
 
 load_apparmor_profile() {
        local profile_path="$1"
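Review bot: the unconditional `APPARMOR_PARSER=""` after the `fi` overrides the detection above it on every host and skips the warning that the `if` branch prints ("Avoid executing untrusted code in the container"), so profile loading is turned off silently. Make it an explicit opt-out, for example an environment variable checked in the same `if` condition, so the warning is still shown whenever confinement is disabled.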

Demonstration of the error in termux-packages PRs GitHub Actions rather than workflow dispatch GitHub Actions:

What steps will reproduce the bug?

scripts/run-docker.sh ./build-package.sh -I -f termux-am on a system that has AppArmor enabled

What is the expected behavior?

termux-am should be possible to build in the official termux-packages GitHub Actions, and on local computers without having to manually figure out how to disable AppArmor and apply a patch like that

System information

GitHub Actions with Ubuntu and AppArmor and fuse-overlayfs

Labels: bug report (Something is not working properly), packaging (Issue related to building packages, not affecting end users directly)
