Merge pull request #14 from home-assistant/dev

Beta Release build 0.2

.github/move.yml

@@ -0,0 +1,13 @@
+# Configuration for move-issues - https://github.com/dessant/move-issues
+
+# Delete the command comment. Ignored when the comment also contains other content
+deleteCommand: true
+# Close the source issue after moving
+closeSourceIssue: true
+# Lock the source issue after moving
+lockSourceIssue: false
+# Set custom aliases for targets
+# aliases:
+#   r: repo
+#   or: owner/repo
+

README.md

@@ -1,22 +1,25 @@
 # WORK IN PROGRESS!
 
 # Hass.io OS
-Hass.io OS based on buildroot. It's a hypervisor for docker and support many kind of IoT hardware. It is also available as Virtual Appliance. It's optimazed for embedded system and high security. You can update the system simple with OTA updates or offline Updates.
+Hass.io OS based on [buildroot](https://buildroot.org/). It's a hypervisor for Docker and supports various kind of IoT hardware. It is also available as virtual appliance. The whole system is optimized for embedded system and  security. You can update the system simple with OTA updates or offline updates.
 
 ## Focus
+
 - Linux kernel 4.15
 - Barebox as bootloader
 - RAUC for OTA updates
-- SquashFS LZ4 for filesystem
+- SquashFS LZ4 as filesystem
 - Docker 17.12.1
+- AppArmor protected
 - ZRAM LZ4 for /tmp, /var, swap
 - Run every supervisor
 
 ## Schemas
 ![](misc/hassio-os-partition.png?raw=true)
 
-## Config
+## Configuration
-Create a USB stick with a partition "hassio-config". This partition can include follow files:
+
+Create a USB stick with a partition named "hassio-config". This partition can include follow files:
 
 - network-* (NetworkManager keyfiles)
 - known_hosts (SSH)
@@ -26,7 +29,8 @@ Create a USB stick with a partition "hassio-config". This partition can include
 
 ## Supervisor/Cli
 
-Provide a `hassio.json` on your data partition they can/need follow struct:
+Provide a file with the name `hassio.json` in your data partition and the following structure:
+
 ```json
 {
   "supervisor": "repo/image",
@@ -37,10 +41,10 @@ Provide a `hassio.json` on your data partition they can/need follow struct:
 ```
 
 # Building
-Running sudo `./enter.sh` will get you into the build docker container.   
+Running `sudo ./enter.sh` will get you into the build Docker container.   
 `make -C /build/buildroot BR2_EXTERNAL=/build/buildroot-external xy_defconfig`
 
-From outside the docker container, while it is still running you can use `./getimage.sh` to get the output image.
+From outside the Docker container, while it is still running you can use `./getimage.sh` to get the output image.
 
 ## Helpers
 

buildroot-external/Config.in

@@ -1,2 +1,4 @@
 source "$BR2_EXTERNAL_HASSIO_PATH/package/mingetty/Config.in"
 source "$BR2_EXTERNAL_HASSIO_PATH/package/hassio/Config.in"
+source "$BR2_EXTERNAL_HASSIO_PATH/package/libapparmor/Config.in"
+source "$BR2_EXTERNAL_HASSIO_PATH/package/apparmor/Config.in"

buildroot-external/apparmor/hassio-supervisor

@@ -0,0 +1,75 @@
+#include <tunables/global>
+
+profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  network,
+  deny network raw,
+
+  signal (send) set=(kill,term),
+
+  /bin/busybox ix,
+  /usr/bin/python{,3,3.[0-9]} ix,
+  /usr/bin/git cx,
+  /usr/bin/socat cx,
+  /usr/bin/gdbus cx,
+
+  deny /proc/** wl,
+  deny /root/** wl,
+  deny /sys/** wl,
+
+  /** r,
+  /tmp/** rw,
+  /data/** rw,
+  /{,var/}run/docker.sock rw,
+
+  capability net_bind_service,
+
+  profile /usr/bin/socat flags=(attach_disconnected,mediate_deleted) {
+    #include <abstractions/base>
+
+    network inet udp,
+    network inet tcp,
+
+    deny network raw,
+    deny network packet,
+
+    signal (receive) set=(kill,term),
+    capability net_bind_service,
+
+    /lib/* mr,
+    /usr/bin/socat mr,
+  }
+
+  profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
+    #include <abstractions/base>
+    #include <abstractions/dbus>
+
+    unix (send, receive) type=stream,
+
+    /usr/bin/gdbus mr,
+    /lib/* mr,
+    /{,var/}run/dbus/system_bus_socket rw,
+  }
+
+  profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
+    #include <abstractions/base>
+
+    network,
+    deny network raw,
+
+    /bin/busybox ix,
+    /usr/bin/git mr,
+    /usr/libexec/git-core/* ix,
+
+    deny /data/homeassistant rw,
+    deny /data/ssl rw,
+
+    /** r,
+    /lib/* mr,
+    /data/addons/** lrw,
+
+    capability dac_override,
+  }
+}

buildroot-external/barebox-env/bin/init

@@ -2,19 +2,10 @@
 
 export PATH=/env/bin
 
-global autoboot_timeout
-global boot.default
 global linux.bootargs.base
-global linux.bootargs.console
-#linux.bootargs.dyn.* will be cleared at the beginning of boot
 global linux.bootargs.dyn.root
-global editcmd
-
-[ -z "${global.autoboot_timeout}" ] && global.autoboot_timeout=3
-magicvar -a global.autoboot_timeout "timeout in seconds before automatic booting"
-[ -z "${global.boot.default}" ] && global.boot.default="system0"
-[ -z "${global.editcmd}" ] && global.editcmd=sedit
 
+# Init board specific stuff
 [ -e /env/config-board ] && /env/config-board
 
 # Autostart
@@ -22,11 +13,12 @@ for i in /env/init/*; do
 	. $i
 done
 
-echo -e -n "\nHit any key to stop autoboot: "
+echo "- Hit m for menu or wait for autoboot -"
-timeout -a $global.autoboot_timeout
+timeout -a 1 -s -v key
-autoboot="$?"
 
-if [ "$autoboot" = 0 ]; then
+# Run menu
+if [ "${key}" != "m" ]; then
     boot
 fi
 
+menutree

buildroot-external/barebox-env/menu/00-boot-auto/action

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+boot

buildroot-external/barebox-env/menu/00-boot-auto/title

@@ -0,0 +1 @@
+Autoboot

buildroot-external/barebox-env/menu/10-boot-system0/action

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+boot system0

buildroot-external/barebox-env/menu/10-boot-system0/title

@@ -0,0 +1 @@
+Boot System 0

buildroot-external/barebox-env/menu/20-boot-system1/action

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+boot system1

buildroot-external/barebox-env/menu/20-boot-system1/title

@@ -0,0 +1 @@
+Boot System 1

buildroot-external/barebox-env/menu/30-shell/action

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "Enter 'exit' to get back to the menu"
+
+sh

buildroot-external/barebox-env/menu/30-shell/title

@@ -0,0 +1 @@
+Shell

buildroot-external/barebox-env/menu/title

@@ -0,0 +1 @@
+Hass.io OS boot Menu:

buildroot-external/barebox-env/nv/autoboot_timeout

@@ -1 +0,0 @@
-2

buildroot-external/barebox-env/nv/editcmd

@@ -0,0 +1 @@
+sedit

buildroot-external/board/ova/barebox-env/boot/system0

@@ -1,5 +1,5 @@
 #!/bin/sh
 
 global bootm.image="/mnt/disk1/boot/bzImage"
-global linux.bootargs.dyn.root="root=/dev/sda2 rootfstype=squashfs ro"
+global linux.bootargs.dyn.root="root=PARTUUID=8d3d53e3-6d49-4c38-8349-aff6859e82fd rootfstype=squashfs ro"
 

buildroot-external/board/ova/barebox-env/boot/system1

@@ -1,4 +1,4 @@
 #!/bin/sh
 
 global bootm.image="/mnt/disk2/boot/bzImage"
-global linux.bootargs.dyn.root="root=/dev/sda3 rootfstype=squashfs ro"
+global linux.bootargs.dyn.root="root=PARTUUID=a3ec664e-32ce-4665-95ea-7ae90ce9aa20 rootfstype=squashfs ro"

buildroot-external/board/ova/barebox-state.dts

@@ -12,8 +12,7 @@
                 compatible = "barebox,state";
                 backend = <&backend_state>;
                 backend-type = "raw";
-                backend-stridesize = <1024>;
+                backend-stridesize = <4048>;
-		backend-storage-type = "direct";
 
 		bootstate {
 			#address-cells = <1>;
@@ -39,7 +38,7 @@
 				remaining_attempts@8 {
 					reg = <0x8 0x4>;
 					type = "uint32";
-					default = <3>;
+					default = <0>;
 				};
 				priority@c {
 					reg = <0xc 0x4>;

buildroot-external/board/ova/barebox.config

@@ -3,12 +3,11 @@ CONFIG_MMU=y
 CONFIG_MALLOC_SIZE=0x0
 CONFIG_MALLOC_TLSF=y
 CONFIG_PROMPT="hassio-os:"
-CONFIG_GLOB=y
-CONFIG_GLOB_SORT=y
 CONFIG_CMDLINE_EDITING=y
 CONFIG_AUTO_COMPLETE=y
+CONFIG_MENU=y
+# CONFIG_TIMESTAMP is not set
 CONFIG_BOOTM_SHOW_TYPE=y
-CONFIG_BOOTM_OFTREE=y
 CONFIG_FLEXIBLE_BOOTARGS=y
 # CONFIG_PARTITION_DISK_DOS is not set
 CONFIG_PARTITION_DISK_EFI=y
@@ -17,17 +16,18 @@ CONFIG_PARTITION_DISK_EFI=y
 CONFIG_DEFAULT_ENVIRONMENT_PATH="/build/buildroot-external/board/ova/barebox-env /build/buildroot-external/barebox-env"
 CONFIG_STATE=y
 CONFIG_BOOTCHOOSER=y
+# CONFIG_CMD_VERSION is not set
 CONFIG_CMD_BOOT=y
 CONFIG_CMD_UIMAGE=y
 CONFIG_CMD_AUTOMOUNT=y
 CONFIG_CMD_NV=y
 CONFIG_CMD_EXPORT=y
 CONFIG_CMD_GLOBAL=y
-CONFIG_CMD_MAGICVAR=y
 CONFIG_CMD_BASENAME=y
 CONFIG_CMD_DIRNAME=y
 CONFIG_CMD_READLINK=y
 CONFIG_CMD_GETOPT=y
+CONFIG_CMD_MENUTREE=y
 CONFIG_CMD_TIMEOUT=y
 CONFIG_CMD_DETECT=y
 CONFIG_CMD_STATE=y

buildroot-external/board/ova/info

@@ -0,0 +1,3 @@
+BOARD_ID=ova
+BOARD_NAME="Open Virtual Appliance"
+CHASSIS=vm

buildroot-external/board/ova/patches/dt-utils/0001-get-devicetree-from-file.patch

@@ -0,0 +1,123 @@
+From 405590bdb7ae434798010458e810c415e4e99db4 Mon Sep 17 00:00:00 2001
+From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Date: Fri, 30 Jun 2017 16:53:34 +0200
+Subject: barebox-state: get devicetree from file
+
+Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+
+diff --git a/src/barebox-state.c b/src/barebox-state.c
+index e68b8cb..3622e76 100644
+--- a/src/barebox-state.c
++++ b/src/barebox-state.c
+@@ -308,7 +308,7 @@ static int state_set_var(struct state *state, const char *var, const char *val)
+ }
+ 
+ 
+-struct state *state_get(const char *name, bool readonly, bool auth)
++struct state *state_get(const char *name, const char *filename, bool readonly, bool auth)
+ {
+ 	struct device_node *root, *node, *partition_node;
+ 	char *path;
+@@ -320,11 +320,19 @@ struct state *state_get(const char *name, bool readonly, bool auth)
+ 	off_t offset;
+ 	size_t size;
+ 
+-	root = of_read_proc_devicetree();
+-	if (IS_ERR(root)) {
+-		pr_err("Unable to read devicetree. %s\n",
+-				strerror(-PTR_ERR(root)));
+-		return ERR_CAST(root);
++	if (filename) {
++		void *fdt;
++
++		fdt = read_file(filename, NULL);
++		if (fdt)
++			root = of_unflatten_dtb(fdt);
++	} else {
++		root = of_read_proc_devicetree();
++		if (IS_ERR(root)) {
++			pr_err("Unable to read devicetree. %s\n",
++			       strerror(-PTR_ERR(root)));
++			return ERR_CAST(root);
++		}
+ 	}
+ 
+ 	of_set_root_node(root);
+@@ -387,6 +395,7 @@ static struct option long_options[] = {
+ 	{"get",		required_argument,	0,	'g' },
+ 	{"set",		required_argument,	0,	's' },
+ 	{"name",	required_argument,	0,	'n' },
++	{"input",	required_argument,	0,	'i' },
+ 	{"dump",	no_argument,		0,	'd' },
+ 	{"dump-shell",	no_argument,		0,	OPT_DUMP_SHELL },
+ 	{"verbose",	no_argument,		0,	'v' },
+@@ -402,6 +411,7 @@ static void usage(char *name)
+ "-g, --get <variable>                      get the value of a variable\n"
+ "-s, --set <variable>=<value>              set the value of a variable\n"
+ "-n, --name <name>                         specify the state to use (default=\"state\"). Multiple states are allowed.\n"
++"-i, --input <name>                        load the devicetree from a file instead of using the system devicetree.\n"
+ "-d, --dump                                dump the state\n"
+ "--dump-shell                              dump the state suitable for shell sourcing\n"
+ "-v, --verbose                             increase verbosity\n"
+@@ -439,12 +449,13 @@ int main(int argc, char *argv[])
+ 	bool readonly = true;
+ 	int pr_level = 5;
+ 	int auth = 1;
++	const char *dtb = NULL;
+ 
+ 	INIT_LIST_HEAD(&sg_list);
+ 	INIT_LIST_HEAD(&state_list.list);
+ 
+ 	while (1) {
+-		c = getopt_long(argc, argv, "hg:s:dvn:qf", long_options, &option_index);
++		c = getopt_long(argc, argv, "hg:s:i:dvn:qf", long_options, &option_index);
+ 		if (c < 0)
+ 			break;
+ 		switch (c) {
+@@ -490,6 +501,9 @@ int main(int argc, char *argv[])
+ 			++nr_states;
+ 			break;
+ 		}
++		case 'i':
++			dtb = strdup(optarg);
++			break;
+ 		case ':':
+ 		case '?':
+ 		default:
+@@ -530,7 +544,7 @@ int main(int argc, char *argv[])
+ 	}
+ 
+ 	list_for_each_entry(state, &state_list.list, list) {
+-		state->state = state_get(state->name, readonly, auth);
++		state->state = state_get(state->name, dtb, readonly, auth);
+ 		if (!IS_ERR(state->state) && !state->name)
+ 			state->name = state->state->name;
+ 		if (IS_ERR(state->state)) {
+diff --git a/src/barebox-state.h b/src/barebox-state.h
+index bd89cf4..a0f49a5 100644
+--- a/src/barebox-state.h
++++ b/src/barebox-state.h
+@@ -1,7 +1,7 @@
+ #ifndef __BAREBOX_STATE__
+ #define __BAREBOX_STATE__
+ 
+-struct state *state_get(const char *name, bool readonly, bool auth);
++struct state *state_get(const char *name, const char *file, bool readonly, bool auth);
+ char *state_get_var(struct state *state, const char *var);
+ 
+ #endif /* __BAREBOX_STATE__ */
+diff --git a/src/keystore-blob.c b/src/keystore-blob.c
+index 028dd8b..4572431 100644
+--- a/src/keystore-blob.c
++++ b/src/keystore-blob.c
+@@ -30,7 +30,7 @@ int keystore_get_secret(const char *name, const unsigned char **key, int *key_le
+ 	if (!state) {
+ 		struct state *tmp;
+ 
+-		tmp = state_get(keystore_state_name, true, false);
++		tmp = state_get(keystore_state_name, NULL, true, false);
+ 		if (IS_ERR(tmp))
+ 			return  PTR_ERR(tmp);
+ 		state = tmp;
+-- 
+cgit v0.10.2

buildroot-external/board/ova/patches/dt-utils/0002-support-finding-devices-by-partuuid.patch

@@ -0,0 +1,33 @@
+From 26148417fab419a0c7f301fb8f2be015324d5374 Mon Sep 17 00:00:00 2001
+From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Date: Fri, 30 Jun 2017 16:53:17 +0200
+Subject: libdt: support finding devices by partuuid
+
+Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+
+diff --git a/src/libdt.c b/src/libdt.c
+index 3adeed2..2bc6cc1 100644
+--- a/src/libdt.c
++++ b/src/libdt.c
+@@ -2393,6 +2393,18 @@ int of_get_devicepath(struct device_node *partition_node, char **devpath, off_t
+ 	 */
+ 	node = partition_node->parent;
+ 
++	if (of_device_is_compatible(node, "fixed-partitions")) {
++		const char *uuid;
++
++		/* when partuuid is specified short-circuit the search for the cdev */
++		ret = of_property_read_string(partition_node, "partuuid", &uuid);
++		if (!ret) {
++			*devpath = basprintf("/dev/disk/by-partuuid/%s", uuid);
++
++			return 0;
++		}
++	}
++
+ 	/*
+ 	 * Respect flash "partitions" subnode. Use parent of parent in this
+ 	 * case.
+-- 
+cgit v0.10.2
+

buildroot-external/board/ova/patches/rauc/0001-add-i-argument-to.patch

@@ -0,0 +1,36 @@
+From c9d56ea8fccf72e1c5d1f224f965e1a8e84d1b7f Mon Sep 17 00:00:00 2001
+From: Pascal Vizeli <pvizeli@syshack.ch>
+Date: Wed, 9 May 2018 21:54:58 +0200
+Subject: [PATCH 1/1] add -i argument to  barebox-state call
+
+---
+ src/bootchooser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bootchooser.c b/src/bootchooser.c
+index d5efc0c..c57c2f7 100644
+--- a/src/bootchooser.c
++++ b/src/bootchooser.c
+@@ -77,6 +77,9 @@ static gboolean barebox_state_get(const gchar* bootname, BareboxSlotState *bb_st
+ 	g_ptr_array_add(args, g_strdup_printf(BOOTSTATE_PREFIX ".%s.priority", bootname));
+ 	g_ptr_array_add(args, g_strdup("-g"));
+ 	g_ptr_array_add(args, g_strdup_printf(BOOTSTATE_PREFIX ".%s.remaining_attempts", bootname));
++
++	g_ptr_array_add(args, g_strdup("-i"));
++	g_ptr_array_add(args, g_strdup("/mnt/boot/EFI/barebox/state.dtb"));
+ 	g_ptr_array_add(args, NULL);
+ 
+ 	sub = g_subprocess_newv((const gchar * const *)args->pdata,
+@@ -170,6 +173,9 @@ static gboolean barebox_state_set(GPtrArray *pairs, GError **error)
+ 		g_ptr_array_add(args, g_strdup("-s"));
+ 		g_ptr_array_add(args, g_strdup(pairs->pdata[i]));
+ 	}
++
++	g_ptr_array_add(args, g_strdup("-i"));
++	g_ptr_array_add(args, g_strdup("/mnt/boot/EFI/barebox/state.dtb"));
+ 	g_ptr_array_add(args, NULL);
+ 
+ 	sub = g_subprocess_newv((const gchar * const *)args->pdata,
+-- 
+2.7.4
+

buildroot-external/board/ova/post-build.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-set -e
-
-SCRIPT_DIR=${BR2_EXTERNAL_HASSIO_PATH}/scripts
-BOARD_DIR="$(dirname $0)"
-
-. ${SCRIPT_DIR}/rootfs_layer.sh
-
-# HassioOS tasks
-fix_rootfs
-install_hassio_cli
-
-cp ${BOARD_DIR}/rauc.conf ${TARGET_DIR}/etc/rauc/system.conf

buildroot-external/board/ova/post-image.sh

@@ -2,10 +2,15 @@
 set -e
 
 SCRIPT_DIR=${BR2_EXTERNAL_HASSIO_PATH}/scripts
-BOARD_DIR="$(dirname $0)"
+BOARD_DIR=${2}
 BOOT_DATA=${BINARIES_DIR}/boot
 
 . ${SCRIPT_DIR}/hdd_image.sh
+. ${BR2_EXTERNAL_HASSIO_PATH}/info
+. ${BOARD_DIR}/info
+
+# Filename
+IMAGE_FILE=hassio-${BOARD_ID}_${VERSION_MAJOR}.${VERSION_BUILD}.vmdk
 
 # Init boot data
 rm -rf ${BOOT_DATA}
@@ -21,4 +26,4 @@ hassio_overlay_image ${BINARIES_DIR}
 
 hassio_hdd_image ${BINARIES_DIR} ${BINARIES_DIR}/harddisk.img 6
 
-qemu-img convert -O vmdk ${BINARIES_DIR}/harddisk.img ${BINARIES_DIR}/hassio-os.vmdk
+qemu-img convert -O vmdk ${BINARIES_DIR}/harddisk.img ${BINARIES_DIR}/${IMAGE_FILE}

buildroot-external/board/ova/rootfs-overlay/etc/rauc.conf

@@ -1,5 +1,5 @@
 [system]
-compatible=Hass.io OS OVA
+compatible=Hass.io-OS ova
 bootloader=barebox
 
 [keyring]

buildroot-external/busybox.config

@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Busybox version: 1.27.2
-# Tue Apr 17 18:57:21 2018
+# Tue May  1 14:34:48 2018
 #
 CONFIG_HAVE_DOT_CONFIG=y
 
@@ -606,13 +606,13 @@ CONFIG_GETOPT=y
 CONFIG_FEATURE_GETOPT_LONG=y
 CONFIG_HEXDUMP=y
 CONFIG_FEATURE_HEXDUMP_REVERSE=y
-CONFIG_HD=y
+# CONFIG_HD is not set
-CONFIG_XXD=y
+# CONFIG_XXD is not set
-CONFIG_HWCLOCK=y
+# CONFIG_HWCLOCK is not set
-CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS=y
+# CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS is not set
 # CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS is not set
 CONFIG_IONICE=y
-CONFIG_IPCRM=y
+# CONFIG_IPCRM is not set
 CONFIG_IPCS=y
 # CONFIG_LAST is not set
 # CONFIG_FEATURE_LAST_FANCY is not set
@@ -648,9 +648,9 @@ CONFIG_FEATURE_MOUNT_FLAGS=y
 # CONFIG_FEATURE_MOUNT_FSTAB is not set
 # CONFIG_FEATURE_MOUNT_OTHERTAB is not set
 # CONFIG_MOUNTPOINT is not set
-CONFIG_NSENTER=y
+# CONFIG_NSENTER is not set
-CONFIG_FEATURE_NSENTER_LONG_OPTS=y
+# CONFIG_FEATURE_NSENTER_LONG_OPTS is not set
-CONFIG_PIVOT_ROOT=y
+# CONFIG_PIVOT_ROOT is not set
 CONFIG_RDATE=y
 CONFIG_RDEV=y
 CONFIG_READPROFILE=y
@@ -674,14 +674,14 @@ CONFIG_FEATURE_TASKSET_FANCY=y
 CONFIG_UEVENT=y
 CONFIG_UMOUNT=y
 CONFIG_FEATURE_UMOUNT_ALL=y
-CONFIG_UNSHARE=y
+# CONFIG_UNSHARE is not set
 # CONFIG_WALL is not set
 
 #
 # Common options for mount/umount
 #
 CONFIG_FEATURE_MOUNT_LOOP=y
-CONFIG_FEATURE_MOUNT_LOOP_CREATE=y
+# CONFIG_FEATURE_MOUNT_LOOP_CREATE is not set
 # CONFIG_FEATURE_MTAB_SUPPORT is not set
 CONFIG_VOLUMEID=y
 
@@ -750,10 +750,10 @@ CONFIG_FEATURE_CROND_DIR=""
 # CONFIG_FLASHCP is not set
 CONFIG_HDPARM=y
 CONFIG_FEATURE_HDPARM_GET_IDENTITY=y
-CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF=y
+# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set
-CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF=y
+# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set
-CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET=y
+# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
-CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF=y
+# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
 CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA=y
 # CONFIG_I2CGET is not set
 # CONFIG_I2CSET is not set
@@ -780,7 +780,7 @@ CONFIG_FEATURE_LESS_MAXLINES=0
 # CONFIG_MT is not set
 CONFIG_NANDWRITE=y
 CONFIG_NANDDUMP=y
-CONFIG_PARTPROBE=y
+# CONFIG_PARTPROBE is not set
 # CONFIG_RAIDAUTORUN is not set
 # CONFIG_READAHEAD is not set
 # CONFIG_RFKILL is not set
@@ -1069,7 +1069,7 @@ CONFIG_ASH_TEST=y
 CONFIG_ASH_HELP=y
 CONFIG_ASH_GETOPTS=y
 CONFIG_ASH_CMDCMD=y
-CONFIG_CTTYHACK=y
+# CONFIG_CTTYHACK is not set
 # CONFIG_HUSH is not set
 # CONFIG_HUSH_BASH_COMPAT is not set
 # CONFIG_HUSH_BRACE_EXPANSION is not set

buildroot-external/configs/ova_defconfig

@@ -1,18 +1,19 @@
 BR2_x86_64=y
 BR2_CCACHE=y
 BR2_CCACHE_DIR="$(TOPDIR)/ccache"
-BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_HASSIO_PATH)/patches"
+BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_HASSIO_PATH)/patches $(BR2_EXTERNAL_HASSIO_PATH)/board/ova/patches"
 BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
 BR2_GCC_VERSION_7_X=y
 BR2_TOOLCHAIN_BUILDROOT_CXX=y
-BR2_TARGET_GENERIC_HOSTNAME="hassio.local"
+BR2_TARGET_GENERIC_HOSTNAME="hassio"
 BR2_TARGET_GENERIC_ISSUE="Welcome to Hass.io"
 BR2_INIT_SYSTEMD=y
 BR2_TARGET_GENERIC_GETTY_PORT="tty1"
 # BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW is not set
-BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_HASSIO_PATH)/rootfs-overlay/"
+BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_HASSIO_PATH)/rootfs-overlay $(BR2_EXTERNAL_HASSIO_PATH)/board/ova/rootfs-overlay"
-BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_HASSIO_PATH)/board/ova/post-build.sh"
+BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_HASSIO_PATH)/scripts/post-build.sh"
 BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_HASSIO_PATH)/board/ova/post-image.sh"
+BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_EXTERNAL_HASSIO_PATH)/board/ova"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_HASSIO_PATH)/board/ova/kernel.config"
@@ -22,8 +23,6 @@ BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
 BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
 BR2_PACKAGE_BUSYBOX_CONFIG="$(BR2_EXTERNAL_HASSIO_PATH)/busybox.config"
 BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
-BR2_PACKAGE_ALSA_UTILS=y
-BR2_PACKAGE_LZ4=y
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_DOSFSTOOLS=y
 BR2_PACKAGE_E2FSPROGS=y
@@ -67,7 +66,11 @@ BR2_PACKAGE_HOST_RAUC=y
 BR2_PACKAGE_MINGETTY=y
 BR2_PACKAGE_HASSIO=y
 BR2_PACKAGE_HASSIO_SUPERVISOR="homeassistant/amd64-hassio-supervisor"
-BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION="0.101"
+BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION="103.3"
 BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant"
+BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE="hassio-supervisor"
 BR2_PACKAGE_HASSIO_CLI="homeassistant/amd64-hassio-cli"
-BR2_PACKAGE_HASSIO_CLI_VERSION="0.1"
+BR2_PACKAGE_HASSIO_CLI_VERSION="3"
+BR2_PACKAGE_HASSIO_CLI_PROFILE="docker-default"
+BR2_PACKAGE_HASSIO_APPARMOR_DIR="supervisor/apparmor"
+BR2_PACKAGE_APPARMOR=y

buildroot-external/info

@@ -0,0 +1,6 @@
+VERSION_MAJOR=0
+VERSION_BUILD=2
+
+HASSIO_NAME="Hass.io-OS"
+
+DEPLOYMENT=development

buildroot-external/package/apparmor/Config.in

@@ -0,0 +1,9 @@
+config BR2_PACKAGE_APPARMOR
+	bool "apparmor"
+	select BR2_PACKAGE_LIBAPPARMOR
+	help
+	  AppArmor gives you network application security via mandatory 
+	  access control for programs, protecting against the exploitation 
+	  of software flaws and compromised systems.
+
+	  http://apparmor.net

buildroot-external/package/apparmor/apparmor.mk

@@ -0,0 +1,24 @@
+#############################################################
+#
+# apparmor
+#
+#############################################################
+APPARMOR_VERSION = v2.13
+APPARMOR_SITE = git://git.launchpad.net/apparmor
+APPARMOR_LICENSE = GPL-2
+APPARMOR_LICENSE_FILES = LICENSE
+APPARMOR_DEPENDENCIES = libapparmor
+
+define APPARMOR_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) PATH=$(BR_PATH) $(MAKE) -C $(@D)/parser USE_SYSTEM=1 YACC=bison LEX=flex 
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/profiles
+endef
+
+define APPARMOR_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/parser DESTDIR=$(TARGET_DIR) USE_SYSTEM=1 PREFIX=/usr install
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/profiles DESTDIR=$(TARGET_DIR) PREFIX=/usr install
+
+	rm -rf $(TARGET_DIR)/usr/lib/apparmor
+endef
+
+$(eval $(generic-package))

buildroot-external/package/hassio/Config.in

@@ -1,4 +1,4 @@
-config BR2_PACKAGE_HASSIO
+menuconfig BR2_PACKAGE_HASSIO
 	bool "hassio-app"
 	help
 	  This is the Application layer they build the
@@ -23,6 +23,11 @@ config BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS
 	help
 	  Extended docker arguments to run the supervisor.
 
+config BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE
+	string "AppArmor supervisor profile"
+	help
+	  AppArmor profile for supervisor.
+
 config BR2_PACKAGE_HASSIO_CLI
 	string "cli docker image"
 	help
@@ -38,4 +43,14 @@ config BR2_PACKAGE_HASSIO_CLI_ARGS
 	help
 	  Extended docker arguments to run the cli.
 
+config BR2_PACKAGE_HASSIO_CLI_PROFILE
+	string "AppArmor cli profile"
+	help
+	  AppArmor profile for cli.
+
+config BR2_PACKAGE_HASSIO_APPARMOR_DIR
+	string "AppArmor profiles folder"
+	help
+	  AppArmor profiles folder for supervisor.
+
 endif

buildroot-external/package/hassio/builder/hostapp.sh

@@ -4,9 +4,12 @@ set -e
 SUPERVISOR=""
 SUPERVISOR_VERSION=""
 SUPERVISOR_ARGS=""
+SUPERVISOR_PROFILE=""
 CLI=""
 CLI_VERSION=""
 CLI_ARGS=""
+CLI_PROFILE=""
+APPARMOR=""
 DATA_IMG="/export/data.ext4"
 
 # Parse
@@ -25,6 +28,10 @@ while [[ $# -gt 0 ]]; do
             SUPERVISOR_ARGS=$2
             shift
             ;;
+        --supervisor-profile)
+            SUPERVISOR_PROFILE=$2
+            shift
+            ;;
         --cli)
             CLI=$2
             shift
@@ -37,6 +44,14 @@ while [[ $# -gt 0 ]]; do
             CLI_ARGS=$2
             shift
             ;;
+        --cli-profile)
+            CLI_PROFILE=$2
+            shift
+            ;;
+        --apparmor)
+            APPARMOR=$2
+            shift
+            ;;
         *)
             exit 1
             ;;
@@ -49,17 +64,16 @@ dd if=/dev/zero of=${DATA_IMG} bs=1G count=1
 mkfs.ext4 -L "hassio-data" -E lazy_itable_init=0,lazy_journal_init=0 ${DATA_IMG}
 
 # Mount / init file structs
-mount -o loop ${DATA_IMG} /mnt
+mkdir -p /mnt/data/
-mkdir -p /mnt/docker
+mount -o loop ${DATA_IMG} /mnt/data
-mkdir -p /mnt/supervisor
+mkdir -p /mnt/data/docker
-mkdir -p /mnt/cli
 
 # Run dockerd
-dockerd -s overlay2 -g /mnt/docker 2> /dev/null &
+dockerd -s overlay2 -g /mnt/data/docker &
 DOCKER_PID=$!
 
-until docker info >/dev/null 2>&1; do
 DOCKER_COUNT=0
+until docker info >/dev/null 2>&1; do
     if [ ${DOCKER_COUNT} -gt 30 ]; then
         exit 1
     fi
@@ -77,14 +91,23 @@ docker pull "${CLI}:${CLI_VERSION}"
 docker tag "${CLI}:${CLI_VERSION}" "${CLI}:latest"
 
 # Write config
-cat > /mnt/hassio.json <<- EOF
+cat > /mnt/data/hassio.json <<- EOF
 {
     "supervisor": "${SUPERVISOR}",
     "supervisor_args": "${SUPERVISOR_ARGS}",
+    "supervisor_apparmor": "${SUPERVISOR_PROFILE}",
     "cli": "${CLI}",
-    "cli_args": "${CLI_ARGS}"
+    "cli_args": "${CLI_ARGS}",
+    "cli_apparmor": "${CLI_PROFILE}",
+    "apparmor": "${APPARMOR}"
 }
 EOF
 
+# Setup AppArmor
+if [ ! -z "${APPARMOR}" ]; then
+    mkdir -p /mnt/data/${APPARMOR}
+    cp -f /apparmor/* /mnt/data/${APPARMOR}/
+fi
+
 # Finish
-kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt
+kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt/data

buildroot-external/package/hassio/hassio.mk

@@ -15,13 +15,19 @@ define HASSIO_BUILD_CMDS
 endef
 
 define HASSIO_INSTALL_TARGET_CMDS
-	docker run --rm --privileged -v ${BINARIES_DIR}:/export hassio-hostapps \
+	docker run --rm --privileged \
-		--supervisor ${BR2_PACKAGE_HASSIO_SUPERVISOR} \
+		-v $(BINARIES_DIR):/export \
-		--supervisor-version ${BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION} \
+		-v $(BR2_EXTERNAL_HASSIO_PATH)/apparmor:/apparmor \
-		--supervisor-args ${BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS} \
+		hassio-hostapps \
-		--cli ${BR2_PACKAGE_HASSIO_CLI} \
+		--supervisor $(BR2_PACKAGE_HASSIO_SUPERVISOR) \
-		--cli-version ${BR2_PACKAGE_HASSIO_CLI_VERSION} \
+		--supervisor-version $(BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION) \
-		--cli-args ${BR2_PACKAGE_HASSIO_CLI_ARGS}
+		--supervisor-args $(BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS) \
+		--supervisor-profile $(BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE) \
+		--cli $(BR2_PACKAGE_HASSIO_CLI) \
+		--cli-version $(BR2_PACKAGE_HASSIO_CLI_VERSION) \
+		--cli-args $(BR2_PACKAGE_HASSIO_CLI_ARGS) \
+		--cli-profile $(BR2_PACKAGE_HASSIO_CLI_PROFILE) \
+		--apparmor $(BR2_PACKAGE_HASSIO_APPARMOR_DIR)
 endef
 
 $(eval $(generic-package))

buildroot-external/package/libapparmor/Config.in

@@ -0,0 +1,8 @@
+config BR2_PACKAGE_LIBAPPARMOR
+	bool "libapparmor"
+	help
+	  AppArmor gives you network application security via mandatory 
+	  access control for programs, protecting against the exploitation 
+	  of software flaws and compromised systems.
+
+	  http://apparmor.net

buildroot-external/package/libapparmor/libapparmor.mk

@@ -0,0 +1,18 @@
+#############################################################
+#
+# libapparmor
+#
+#############################################################
+LIBAPPARMOR_VERSION = v2.13
+LIBAPPARMOR_SITE = git://git.launchpad.net/apparmor
+LIBAPPARMOR_LICENSE = GPL-2
+LIBAPPARMOR_LICENSE_FILES = LICENSE
+LIBAPPARMOR_INSTALL_STAGING = YES
+LIBAPPARMOR_INSTALL_TARGET = NO
+LIBAPPARMOR_DEPENDENCIES = host-flex
+LIBAPPARMOR_SUBDIR = libraries/libapparmor
+LIBAPPARMOR_CONF_ENV = ac_cv_func_reallocarray=no
+LIBAPPARMOR_AUTORECONF = YES
+LIBAPPARMOR_CONF_OPTS = --enable-static
+
+$(eval $(autotools-package))

buildroot-external/patches/systemd/0001-Allow-hostname-on-ro.patch

@@ -0,0 +1,41 @@
+From 525b60af3320de3cc1f1145fe31a2de07b61faf6 Mon Sep 17 00:00:00 2001
+From: Pascal Vizeli <pvizeli@syshack.ch>
+Date: Sat, 28 Apr 2018 00:20:08 +0200
+Subject: [PATCH 1/1] Allow hostname on ro
+
+---
+ src/hostname/hostnamed.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index d9ad2fb..87fae35 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -289,6 +289,7 @@ static int context_update_kernel_hostname(Context *c) {
+ static int context_write_data_static_hostname(Context *c) {
+ 
+         assert(c);
++        FILE *f = NULL;
+ 
+         if (isempty(c->data[PROP_STATIC_HOSTNAME])) {
+ 
+@@ -297,7 +298,15 @@ static int context_write_data_static_hostname(Context *c) {
+ 
+                 return 0;
+         }
+-        return write_string_file_atomic_label("/etc/hostname", c->data[PROP_STATIC_HOSTNAME]);
++
++        f = fopen("/etc/hostname", "w");
++        if (f == NULL)
++                return -ENOENT;
++
++        fputs(c->data[PROP_STATIC_HOSTNAME], f);
++        fclose(f);
++
++	return 0;
+ }
+ 
+ static int context_write_data_machine_info(Context *c) {
+-- 
+2.7.4
+

buildroot-external/rootfs-overlay/etc/apparmor.d/containers/.empty

@@ -0,0 +1 @@
+

buildroot-external/rootfs-overlay/etc/systemd/system/hassio-bind.target.wants/etc-hostname.mount

@@ -0,0 +1 @@
+/usr/lib/systemd/system/etc-hostname.mount

buildroot-external/rootfs-overlay/etc/systemd/system/hassio-bind.target.wants/etc-hosts.mount

@@ -0,0 +1 @@
+/usr/lib/systemd/system/etc-hosts.mount

buildroot-external/rootfs-overlay/etc/systemd/system/hassio-supervisor.service.d/rauc.conf

@@ -0,0 +1,2 @@
+[Unit]
+OnFailure=rauc-bad.service

buildroot-external/rootfs-overlay/etc/systemd/system/multi-user.target.wants/hassio-apparmor.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/hassio-apparmor.service

buildroot-external/rootfs-overlay/etc/systemd/system/multi-user.target.wants/rauc.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/rauc.service

buildroot-external/rootfs-overlay/etc/systemd/system/timers.target.wants/rauc-good.timer

@@ -0,0 +1 @@
+/usr/lib/systemd/system/rauc-good.timer

buildroot-external/rootfs-overlay/etc/tmpfiles.d/data.conf

@@ -0,0 +1,2 @@
+d /mnt/data/supervisor
+d /mnt/data/cli

buildroot-external/rootfs-overlay/etc/tmpfiles.d/hostname.conf

@@ -0,0 +1,2 @@
+C /mnt/overlay/etc/hostname - - - - /etc/hostname
+C /mnt/overlay/etc/hosts - - - - /etc/hosts

buildroot-external/rootfs-overlay/usr/lib/systemd/system/etc-hostname.mount

@@ -0,0 +1,14 @@
+[Unit]
+Description=Hostname persistent configuration
+Requires=mnt-overlay.mount
+After=mnt-overlay.mount systemd-tmpfiles-setup.service
+Before=network.target
+
+[Mount]
+What=/mnt/overlay/etc/hostname
+Where=/etc/hostname
+Type=none
+Options=bind
+
+[Install]
+WantedBy=hassio-bind.target

buildroot-external/rootfs-overlay/usr/lib/systemd/system/etc-hosts.mount

@@ -0,0 +1,14 @@
+[Unit]
+Description=Hosts persistent configuration
+Requires=mnt-overlay.mount
+After=mnt-overlay.mount systemd-tmpfiles-setup.service
+Before=network.target
+
+[Mount]
+What=/mnt/overlay/etc/hosts
+Where=/etc/hosts
+Type=none
+Options=bind
+
+[Install]
+WantedBy=hassio-bind.target

buildroot-external/rootfs-overlay/usr/lib/systemd/system/hassio-apparmor.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Hass.io AppArmor
+Wants=hassio-supervisor.service
+Before=docker.service hassio-supervisor.service
+RequiresMountsFor=/mnt/data
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/sbin/hassio-apparmor
+
+[Install]
+WantedBy=multi-user.target

buildroot-external/rootfs-overlay/usr/lib/systemd/system/hassio-expand.service

@@ -5,7 +5,7 @@ Before=mnt-data.mount
 
 [Service]
 Type=oneshot
-ExecStart=-/sbin/hassio-expand
+ExecStart=/sbin/hassio-expand
 RemainAfterExit=true
 
 [Install]

buildroot-external/rootfs-overlay/usr/lib/systemd/system/hassio-supervisor.service

@@ -1,8 +1,10 @@
 [Unit]
 Description=Hass.io supervisor
 Requires=docker.service
-After=docker.service
+After=docker.service dbus.socket
 RequiresMountsFor=/mnt/data
+StartLimitIntervalSec=60
+StartLimitBurst=5
 
 [Service]
 Type=simple

buildroot-external/rootfs-overlay/usr/lib/systemd/system/mnt-data.mount

@@ -1,9 +1,9 @@
 [Unit]
 Description=Hassio data partition
-Requires=hassio-expand.service
+Wants=hassio-expand.service
 DefaultDependencies=no
 After=hassio-expand.service
-Before=umount.target
+Before=umount.target systemd-tmpfiles-setup.service
 Conflicts=umount.target
 
 [Mount]

buildroot-external/rootfs-overlay/usr/lib/systemd/system/mnt-overlay.mount

@@ -1,7 +1,7 @@
 [Unit]
 Description=Hassio overlay partition
 DefaultDependencies=no
-Before=umount.target
+Before=umount.target systemd-tmpfiles-setup.service
 Conflicts=umount.target
 
 [Mount]

buildroot-external/rootfs-overlay/usr/lib/systemd/system/rauc-bad.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Rauc mark bad
+Requires=rauc.service
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rauc status mark-bad
+ExecStartPost=/usr/bin/systemctl reboot

buildroot-external/rootfs-overlay/usr/lib/systemd/system/rauc-good.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Hassio rauc good 
+Requires=hassio-supervisor.service rauc.service
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rauc status mark-good

buildroot-external/rootfs-overlay/usr/lib/systemd/system/rauc-good.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Rauc mark boot partition as good
+
+[Timer]
+OnBootSec=1min
+
+[Install]
+WantedBy=timers.target

buildroot-external/rootfs-overlay/usr/sbin/hassio-apparmor

@@ -0,0 +1,47 @@
+#!/bin/sh
+set -e
+
+# Load configs
+CONFIG_FILE=/mnt/data/hassio.json
+
+# Read configs
+PROFILES_DIR="$(jq --raw-output '.apparmor // empty' ${CONFIG_FILE})"
+if [ -z "${PROFILES_DIR}" ]; then
+    exit 0
+fi
+
+PROFILES_DIR="/mnt/data/${PROFILES_DIR}"
+CACHE_DIR="${PROFILES_DIR}/cache"
+REMOVE_DIR="${PROFILES_DIR}/remove"
+
+# Check folder structure
+mkdir -p ${PROFILES_DIR}
+mkdir -p ${CACHE_DIR}
+mkdir -p ${REMOVE_DIR}
+
+# Load/Update exists/new profiles
+for profile in ${PROFILES_DIR}/*; do
+    if [ ! -f ${profile} ]; then
+        continue
+    fi
+
+    # Load Profile
+    if ! apparmor_parser -r -W -L ${CACHE_DIR} ${profile}; then
+        echo "[Error]: Can't load profile ${profile}"
+    fi
+done
+
+# Cleanup old profiles
+for profile in ${REMOVE_DIR}/*; do
+    if [ ! -f ${profile} ]; then
+        continue
+    fi
+
+    # Unload Profile
+    if apparmor_parser -R -W -L ${CACHE_DIR} ${profile}; then
+        if rm ${profile}; then
+            continue
+        fi
+    fi
+    echo "[Error]: Can't remove profile ${profile}"
+done

buildroot-external/rootfs-overlay/usr/sbin/hassio-cli

@@ -5,6 +5,7 @@ CONFIG_FILE=/mnt/data/hassio.json
 
 CLI="$(jq --raw-output '.cli' ${CONFIG_FILE})"
 DOCKER_ARGS="$(jq --raw-output '.cli_args // empty' ${CONFIG_FILE})"
+APPARMOR="$(jq --raw-output '.cli_apparmor // "docker-default"' ${CONFIG_FILE})"
 CLI_DATA=/mnt/data/cli
 
 mkdir -p ${CLI_DATA}
@@ -12,6 +13,7 @@ mkdir -p ${CLI_DATA}
 # Run CLI
 docker run \
     --rm -ti --init \
+    --security-opt apparmor="${APPARMOR}" \
     -v ${CLI_DATA}:/data \
     $DOCKER_ARGS \
     ${CLI}

buildroot-external/rootfs-overlay/usr/sbin/hassio-supervisor

@@ -6,15 +6,22 @@ CONFIG_FILE=/mnt/data/hassio.json
 
 SUPERVISOR="$(jq --raw-output '.supervisor' ${CONFIG_FILE})"
 DOCKER_ARGS="$(jq --raw-output '.supervisor_args // empty' ${CONFIG_FILE})"
+APPARMOR="$(jq --raw-output '.supervisor_apparmor // "docker-default"' ${CONFIG_FILE})"
 
 # Init supervisor
 HASSIO_DATA=/mnt/data/supervisor
 HASSIO_IMAGE_ID=$(docker inspect --format='{{.Id}}' ${SUPERVISOR})
 HASSIO_CONTAINER_ID=$(docker inspect --format='{{.Image}}' hassio_supervisor || echo "")
 
+# Fix wrong AppArmor profiles
+if ! grep ${APPARMOR} /sys/kernel/security/apparmor/profiles > /dev/null; then
+    APPARMOR=docker-default
+fi
+
 runSupervisor() {
     docker rm --force hassio_supervisor || true
     docker run --name hassio_supervisor \
+        --security-opt apparmor="${APPARMOR}" \
         -v /var/run/docker.sock:/var/run/docker.sock \
         -v /var/run/dbus:/var/run/dbus \
         -v ${HASSIO_DATA}:/data \

buildroot-external/scripts/hdd_image.sh

@@ -1,7 +1,13 @@
 #!/bin/bash
 
-BOOT_SIZE=32M
+BOOT_UUID="b3dd0952-733c-4c88-8cba-cab9b8b4377f"
 BOOTSTATE_UUID="33236519-7F32-4DFF-8002-3390B62C309D"
+SYSTEM0_UUID="8d3d53e3-6d49-4c38-8349-aff6859e82fd"
+SYSTEM1_UUID="a3ec664e-32ce-4665-95ea-7ae90ce9aa20"
+OVERLAY_UUID="f1326040-5236-40eb-b683-aaa100a9afcf"
+DATA_UUID="a52a4597-fa3a-4851-aefd-2fbe9f849079"
+
+BOOT_SIZE=32M
 BOOTSTATE_SIZE=8M
 SYSTEM_SIZE=256M
 OVERLAY_SIZE=64M
@@ -44,15 +50,15 @@ function hassio_hdd_image() {
 
     # Partition layout
     boot_offset="$(sgdisk -F ${hdd_img})"
-    sgdisk -n 1:0:+${BOOT_SIZE} -c 1:"hassio-boot" -t 1:"C12A7328-F81F-11D2-BA4B-00A0C93EC93B" ${hdd_img}
+    sgdisk -n 1:0:+${BOOT_SIZE} -c 1:"hassio-boot" -t 1:"C12A7328-F81F-11D2-BA4B-00A0C93EC93B" -u 1:${BOOT_UUID} ${hdd_img}
     rootfs_offset="$(sgdisk -F ${hdd_img})"
-    sgdisk -n 2:0:+${SYSTEM_SIZE} -c 2:"hassio-system0" -t 2:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" ${hdd_img}
+    sgdisk -n 2:0:+${SYSTEM_SIZE} -c 2:"hassio-system0" -t 2:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" -u 2:${SYSTEM0_UUID} ${hdd_img}
-    sgdisk -n 3:0:+${SYSTEM_SIZE} -c 3:"hassio-system1" -t 3:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" ${hdd_img}
+    sgdisk -n 3:0:+${SYSTEM_SIZE} -c 3:"hassio-system1" -t 3:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" -u 3:${SYSTEM1_UUID} ${hdd_img}
     sgdisk -n 4:0:+${BOOTSTATE_SIZE} -c 4:"hassio-bootstate" -u 4:${BOOTSTATE_UUID} ${hdd_img}
     overlay_offset="$(sgdisk -F ${hdd_img})"
-    sgdisk -n 5:0:+${OVERLAY_SIZE} -c 5:"hassio-overlay" -t 5:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" ${hdd_img}
+    sgdisk -n 5:0:+${OVERLAY_SIZE} -c 5:"hassio-overlay" -t 5:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" -u 5:${OVERLAY_UUID} ${hdd_img}
     data_offset="$(sgdisk -F ${hdd_img})"
-    sgdisk -n 6:0:+${DATA_SIZE} -c 6:"hassio-data" -t 6:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" ${hdd_img}
+    sgdisk -n 6:0:+${DATA_SIZE} -c 6:"hassio-data" -t 6:"0FC63DAF-8483-4772-8E79-3D69D8477DE4" -u 6:${DATA_UUID} ${hdd_img}
     sgdisk -v
 
     # Write Images

buildroot-external/scripts/post-build.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR=${BR2_EXTERNAL_HASSIO_PATH}/scripts
+BOARD_DIR=${2}
+
+. ${SCRIPT_DIR}/rootfs_layer.sh
+. ${BR2_EXTERNAL_HASSIO_PATH}/info
+. ${BOARD_DIR}/info
+
+# Hass.io OS tasks
+fix_rootfs
+install_hassio_cli
+
+# Write os-release
+(
+    echo "NAME=Hass.io"
+    echo "VERSION=\"${VERSION_MAJOR}.${VERSION_BUILD} (${BOARD_NAME})\""
+    echo "ID=hassio-os"
+    echo "VERSION_ID=${VERSION_MAJOR}.${VERSION_BUILD}"
+    echo "PRETTY_NAME=\"${HASSIO_NAME} ${VERSION_MAJOR}.${VERSION_BUILD}\""
+    echo "CPE_NAME=cpe:2.3:o:home_assistant:hassio:${VERSION_MAJOR}.${VERSION_BUILD}:*:${DEPLOYMENT}:*:*:*:${BOARD_ID}:*"
+    echo "HOME_URL=https://hass.io/"
+    echo "VARIANT=\"Hass.io ${BOARD_NAME}\""
+    echo "VARIANT_ID=${BOARD_ID}"
+) > ${TARGET_DIR}/usr/lib/os-release
+
+# Write machine-info
+(
+    echo "CHASSIS=${CHASSIS}"
+    echo "DEPLOYMENT=${DEPLOYMENT}"
+) > ${TARGET_DIR}/etc/machine-info

buildroot-external/scripts/rootfs_layer.sh

@@ -5,10 +5,25 @@ function fix_rootfs() {
     # Cleanup DHCP service, we don't need this with NetworkManager
     rm -rf ${TARGET_DIR}/etc/systemd/system/multi-user.target.wants/dhcpcd.service
     rm -rf ${TARGET_DIR}/usr/lib/systemd/system/dhcpcd.service
+
+    # Cleanup etc
+    rm -rf ${TARGET_DIR}/etc/init.d
+    rm -rf ${TARGET_DIR}/etc/modules-load.d
+    rm -rf ${TARGET_DIR}/etc/network
+    rm -rf ${TARGET_DIR}/etc/X11
+    rm -rf ${TARGET_DIR}/etc/xdg
+
+    # Cleanup root
+    rm -rf ${TARGET_DIR}/media
+    rm -rf ${TARGET_DIR}/srv
+    rm -rf ${TARGET_DIR}/opt
+
+    # Fix tempfs
+    sed -i "/srv/d" ${TARGET_DIR}/usr/lib/tmpfiles.d/home.conf
 }
 
 
 function install_hassio_cli() {
 
-    sed -i "s|\(root.*\)/bin/sh|\1/usr/bin/hassio-cli|" ${TARGET_DIR}/etc/passwd
+    sed -i "s|\(root.*\)/bin/sh|\1/usr/sbin/hassio-cli|" ${TARGET_DIR}/etc/passwd
 }

buildroot-patches/0013-Add-apparmor-support-to-docker.patch

@@ -0,0 +1,60 @@
+From a5d50577d81efeccb4904e6b56793f84b7e3e89f Mon Sep 17 00:00:00 2001
+From: Pascal Vizeli <pvizeli@syshack.ch>
+Date: Tue, 1 May 2018 23:35:05 +0200
+Subject: [PATCH 1/1] Add apparmor support to docker
+
+---
+ package/docker-containerd/docker-containerd.mk | 1 +
+ package/docker-engine/docker-engine.mk         | 2 +-
+ package/runc/runc.mk                           | 3 +--
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/package/docker-containerd/docker-containerd.mk b/package/docker-containerd/docker-containerd.mk
+index 230307d..9be658d 100644
+--- a/package/docker-containerd/docker-containerd.mk
++++ b/package/docker-containerd/docker-containerd.mk
+@@ -18,6 +18,7 @@ DOCKER_CONTAINERD_MAKE_ENV = $(HOST_GO_TARGET_ENV) \
+ 	GOBIN="$(@D)/bin" \
+ 	GOPATH="$(DOCKER_CONTAINERD_GOPATH)"
+ 
++DOCKER_CONTAINERD_BUILD_TAGS = apparmor
+ DOCKER_CONTAINERD_GLDFLAGS = \
+ 	-X github.com/containerd/containerd.GitCommit=$(DOCKER_CONTAINERD_COMMIT)
+ 
+diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
+index e3dde03..d500e71 100644
+--- a/package/docker-engine/docker-engine.mk
++++ b/package/docker-engine/docker-engine.mk
+@@ -27,7 +27,7 @@ DOCKER_ENGINE_GLDFLAGS = \
+ 	-X github.com/docker/cli/cli.GitCommit=$(DOCKER_ENGINE_VERSION) \
+ 	-X github.com/docker/cli/cli.Version=$(DOCKER_ENGINE_VERSION)
+ 
+-DOCKER_ENGINE_BUILD_TAGS = cgo exclude_graphdriver_zfs autogen
++DOCKER_ENGINE_BUILD_TAGS = cgo exclude_graphdriver_zfs autogen apparmor
+ DOCKER_ENGINE_BUILD_TARGETS = cli:docker
+ DOCKER_ENGINE_BUILD_TARGET_PARSE = \
+ 		export targetpkg=$$(echo $(target) | cut -d: -f1); \
+diff --git a/package/runc/runc.mk b/package/runc/runc.mk
+index f19fc5f..1ab0b70 100644
+--- a/package/runc/runc.mk
++++ b/package/runc/runc.mk
+@@ -18,6 +18,7 @@ RUNC_MAKE_ENV = $(HOST_GO_TARGET_ENV) \
+ 	GOPATH="$(RUNC_GOPATH)" \
+ 	PATH=$(BR_PATH)
+ 
++RUNC_GOTAGS = cgo apparmor
+ RUNC_GLDFLAGS = \
+ 	-X main.gitCommit=$(RUNC_VERSION)
+ 
+@@ -26,8 +27,6 @@ RUNC_GLDFLAGS += -extldflags '-static'
+ RUNC_GOTAGS += static_build
+ endif
+ 
+-RUNC_GOTAGS = cgo
+-
+ ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
+ RUNC_GOTAGS += seccomp
+ RUNC_DEPENDENCIES += libseccomp host-pkgconf
+-- 
+2.7.4
+

buildroot-patches/0014-package-rauc-Version-bump-to-0.4.patch

@@ -0,0 +1,34 @@
+Version 0.4 supports bootloader updates to eMMC boot partitions.
+
+Signed-off-by: Jim Brennan <jbrennan at impinj.com>
+---
+ package/rauc/rauc.hash | 4 ++--
+ package/rauc/rauc.mk   | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/package/rauc/rauc.hash b/package/rauc/rauc.hash
+index 91d7c1d62e..a16340f185 100644
+--- a/package/rauc/rauc.hash
++++ b/package/rauc/rauc.hash
+@@ -1,3 +1,3 @@
+ # Locally calculated, after verifying against
+-# https://github.com/rauc/rauc/releases/download/v0.3/rauc-0.3.tar.xz.asc
+-sha256 dc01bfb08b1830376782f9a51cfec290171519267ab97cc909435da9ac6d6d98 rauc-0.3.tar.xz
++# https://github.com/rauc/rauc/releases/download/v0.4/rauc-0.4.tar.xz.asc
++sha256 89656b6330ac1f31293d450f5179896397c588ab52e77ec229382a6abd125d35 rauc-0.4.tar.xz
+diff --git a/package/rauc/rauc.mk b/package/rauc/rauc.mk
+index 63fbc53022..f1705a8c33 100644
+--- a/package/rauc/rauc.mk
++++ b/package/rauc/rauc.mk
+@@ -4,7 +4,7 @@
+ #
+ ################################################################################
+ 
+-RAUC_VERSION = 0.3
++RAUC_VERSION = 0.4
+ RAUC_SITE = https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)
+ RAUC_SOURCE = rauc-$(RAUC_VERSION).tar.xz
+ RAUC_LICENSE = LGPL-2.1
+-- 
+2.11.0
+

buildroot/package/docker-containerd/docker-containerd.mk

@@ -18,6 +18,7 @@ DOCKER_CONTAINERD_MAKE_ENV = $(HOST_GO_TARGET_ENV) \
 	GOBIN="$(@D)/bin" \
 	GOPATH="$(DOCKER_CONTAINERD_GOPATH)"
 
+DOCKER_CONTAINERD_BUILD_TAGS = apparmor
 DOCKER_CONTAINERD_GLDFLAGS = \
 	-X github.com/containerd/containerd.GitCommit=$(DOCKER_CONTAINERD_COMMIT)
 

buildroot/package/docker-engine/docker-engine.mk

@@ -27,7 +27,7 @@ DOCKER_ENGINE_GLDFLAGS = \
 	-X github.com/docker/cli/cli.GitCommit=$(DOCKER_ENGINE_VERSION) \
 	-X github.com/docker/cli/cli.Version=$(DOCKER_ENGINE_VERSION)
 
-DOCKER_ENGINE_BUILD_TAGS = cgo exclude_graphdriver_zfs autogen
+DOCKER_ENGINE_BUILD_TAGS = cgo exclude_graphdriver_zfs autogen apparmor
 DOCKER_ENGINE_BUILD_TARGETS = cli:docker
 DOCKER_ENGINE_BUILD_TARGET_PARSE = \
 		export targetpkg=$$(echo $(target) | cut -d: -f1); \

buildroot/package/rauc/rauc.hash

@@ -1,3 +1,3 @@
 # Locally calculated, after verifying against
-# https://github.com/rauc/rauc/releases/download/v0.3/rauc-0.3.tar.xz.asc
+# https://github.com/rauc/rauc/releases/download/v0.4/rauc-0.4.tar.xz.asc
-sha256 dc01bfb08b1830376782f9a51cfec290171519267ab97cc909435da9ac6d6d98 rauc-0.3.tar.xz
+sha256 89656b6330ac1f31293d450f5179896397c588ab52e77ec229382a6abd125d35 rauc-0.4.tar.xz

buildroot/package/rauc/rauc.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RAUC_VERSION = 0.3
+RAUC_VERSION = 0.4
 RAUC_SITE = https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)
 RAUC_SOURCE = rauc-$(RAUC_VERSION).tar.xz
 RAUC_LICENSE = LGPL-2.1

buildroot/package/runc/runc.mk

@@ -18,6 +18,7 @@ RUNC_MAKE_ENV = $(HOST_GO_TARGET_ENV) \
 	GOPATH="$(RUNC_GOPATH)" \
 	PATH=$(BR_PATH)
 
+RUNC_GOTAGS = cgo apparmor
 RUNC_GLDFLAGS = \
 	-X main.gitCommit=$(RUNC_VERSION)
 
@@ -26,8 +27,6 @@ RUNC_GLDFLAGS += -extldflags '-static'
 RUNC_GOTAGS += static_build
 endif
 
-RUNC_GOTAGS = cgo
-
 ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
 RUNC_GOTAGS += seccomp
 RUNC_DEPENDENCIES += libseccomp host-pkgconf

scripts/enter.sh

@@ -1,3 +1,4 @@
 #!/bin/bash
+modprobe overlayfs
 docker build -t hassbuildroot .
 docker run -it --rm --privileged -v "$(pwd):/build" hassbuildroot bash

scripts/ovf-create.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+VboxManage createvm --name Hass.io --ostype Linux_64 --register
+VBoxManage modifyvm Hass.io --cpus 2 --memory 1048 --firmware efi
+VBoxManage modifyvm Hass.io --nic1 bridged
+VBoxManage storageattach Hass.io --storagectl "SATA Controller" --device 0 --port 0 --type vmdk --medium $1
+
+VBoxManage export Hass.io --ovf20 --vendor "Home Assistant" --vendorurl "http://hass.io" --output $2

scripts/update-dtb.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+dtc -O dtb -o buildroot-external/board/ova/barebox-state.dtb buildroot-external/board/ova/barebox-state.dts