Apparmor hassio (#10)

* Delete 0001-Autostart.patch

* Update apparmor.mk

* Update Config.in

* Create hassio-apparmor

* Update hassio-apparmor

* Update data.conf

* Delete etc-apparmor.d-containers.mount

* Delete etc-apparmor.d-containers.mount

* Delete hassio.conf

* Update hassio-apparmor

* Update Config.in

* Update Config.in

* Update hassio.mk

* Update hostapp.sh

* Update Config.in

* Update hassio.mk

* Update hassio.mk

* Create hassio-supervisor

* Update hassio-apparmor

* Update hassio-apparmor

* Update hassio-apparmor

* Update hassio-supervisor

* Update hassio-cli

* Update hassio-apparmor

* Update hassio-apparmor

* Create hassio-apparmor.service

* Update hassio-apparmor.service

* Delete apparmor.service

* Update local stuff

* Profile for CLI

* Update hassio.mk

* Update hassio.mk

* Update hassio-supervisor

* Update hassio-apparmor

buildroot-external/apparmor/hassio-supervisor

@@ -0,0 +1,59 @@
+#include <tunables/global>
+
+
+profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  network inet tcp,
+
+  deny network raw,
+  deny network packet,
+
+  /usr/bin/python3 ix,
+  /usr/bin/socat cx,
+  /usr/bin/gdbus cx,
+
+  deny /bin/** wl,
+  deny /boot/** wl,
+  deny /dev/** wl,
+  deny /etc/** wl,
+  deny /home/** wl,
+  deny /lib/** wl,
+  deny /mnt/** wl,
+  deny /proc/** wl,
+  deny /root/** wl,
+  deny /sbin/** wl,
+  deny /tmp/** wl,
+  deny /sys/** wl,
+  deny /usr/** wl,
+
+  /data/** rw,
+  /var/run/docker.sock rw,
+
+  /proc/** r,
+  /sys/** r,
+
+  profile /usr/bin/socat {
+    #include <abstractions/base>
+
+    network inet udp,
+    network inet tcp,
+
+    deny network raw,
+    deny network packet,
+
+    deny /data/** r,
+  }
+
+  profile /usr/bin/gdbus {
+    #include <abstractions/base>
+    #include <abstractions/dbus>
+
+    deny network inet,
+
+    /var/run/dbus/system_bus_socket rw,
+
+    deny /data/** r,
+  }
+}

buildroot-external/busybox.config

@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Busybox version: 1.27.2
-# Sun Apr 29 21:50:21 2018
+# Tue May  1 14:34:48 2018
 #
 CONFIG_HAVE_DOT_CONFIG=y
 
@@ -452,7 +452,7 @@ CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256
 # CONFIG_FEATURE_FIND_CONTEXT is not set
 # CONFIG_FEATURE_FIND_LINKS is not set
 CONFIG_GREP=y
-CONFIG_EGREP=y
+# CONFIG_EGREP is not set
 # CONFIG_FGREP is not set
 # CONFIG_FEATURE_GREP_CONTEXT is not set
 # CONFIG_XARGS is not set

buildroot-external/configs/ova_defconfig

@@ -68,7 +68,9 @@ BR2_PACKAGE_HASSIO=y
 BR2_PACKAGE_HASSIO_SUPERVISOR="homeassistant/amd64-hassio-supervisor"
 BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION="0.101"
 BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant"
+BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE="hassio-supervisor"
 BR2_PACKAGE_HASSIO_CLI="homeassistant/amd64-hassio-cli"
 BR2_PACKAGE_HASSIO_CLI_VERSION="0.1"
-BR2_PACKAGE_LIBAPPARMOR=y
+BR2_PACKAGE_HASSIO_CLI_PROFILE="docker-default"
+BR2_PACKAGE_HASSIO_APPARMOR_DIR="supervisor/apparmor"
 BR2_PACKAGE_APPARMOR=y

buildroot-external/package/apparmor/0001-Autostart.patch

@@ -1,25 +0,0 @@
-From 78ceb52ff4e5d4dbe003651b2193979114152763 Mon Sep 17 00:00:00 2001
-From: Pascal Vizeli <pvizeli@syshack.ch>
-Date: Mon, 30 Apr 2018 23:40:27 +0200
-Subject: [PATCH 1/1] Fix permission
-
----
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index b18cfe4..7b7b519 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -383,7 +383,7 @@ install-indep: indep
- install-systemd:
- 	install -m 755 -d $(SYSTEMD_UNIT_DIR)
- 	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
--	install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
-+	install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- 	install -m 755 -d $(DESTDIR)/sbin
- 	install -m 755 aa-teardown $(DESTDIR)/sbin
- 
--- 
-2.7.4
-

buildroot-external/package/apparmor/Config.in

@@ -1,6 +1,6 @@
 config BR2_PACKAGE_APPARMOR
 	bool "apparmor"
-	depends on BR2_PACKAGE_LIBAPPARMOR
+	select BR2_PACKAGE_LIBAPPARMOR
 	help
 	  AppArmor gives you network application security via mandatory 
 	  access control for programs, protecting against the exploitation 

buildroot-external/package/apparmor/apparmor.mk

@@ -16,8 +16,9 @@ endef
 
 define APPARMOR_INSTALL_TARGET_CMDS
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/parser DESTDIR=$(TARGET_DIR) USE_SYSTEM=1 PREFIX=/usr install
-	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/parser DESTDIR=$(TARGET_DIR) USE_SYSTEM=1 PREFIX=/usr install-systemd
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/profiles DESTDIR=$(TARGET_DIR) PREFIX=/usr install
+
+	rm -rf $(TARGET_DIR)/usr/lib/apparmor
 endef
 
 $(eval $(generic-package))

buildroot-external/package/hassio/Config.in

@@ -1,4 +1,4 @@
-config BR2_PACKAGE_HASSIO
+menuconfig BR2_PACKAGE_HASSIO
 	bool "hassio-app"
 	help
 	  This is the Application layer they build the
@@ -23,6 +23,11 @@ config BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS
 	help
 	  Extended docker arguments to run the supervisor.
 
+config BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE
+	string "AppArmor supervisor profile"
+	help
+	  AppArmor profile for supervisor.
+
 config BR2_PACKAGE_HASSIO_CLI
 	string "cli docker image"
 	help
@@ -38,4 +43,14 @@ config BR2_PACKAGE_HASSIO_CLI_ARGS
 	help
 	  Extended docker arguments to run the cli.
 
+config BR2_PACKAGE_HASSIO_CLI_PROFILE
+	string "AppArmor cli profile"
+	help
+	  AppArmor profile for cli.
+
+config BR2_PACKAGE_HASSIO_APPARMOR_DIR
+	string "AppArmor profiles folder"
+	help
+	  AppArmor profiles folder for supervisor.
+
 endif

buildroot-external/package/hassio/builder/hostapp.sh

@@ -4,9 +4,12 @@ set -e
 SUPERVISOR=""
 SUPERVISOR_VERSION=""
 SUPERVISOR_ARGS=""
+SUPERVISOR_PROFILE=""
 CLI=""
 CLI_VERSION=""
 CLI_ARGS=""
+CLI_PROFILE=""
+APPARMOR=""
 DATA_IMG="/export/data.ext4"
 
 # Parse
@@ -25,6 +28,10 @@ while [[ $# -gt 0 ]]; do
             SUPERVISOR_ARGS=$2
             shift
             ;;
+        --supervisor-profile)
+            SUPERVISOR_PROFILE=$2
+            shift
+            ;;
         --cli)
             CLI=$2
             shift
@@ -37,6 +44,14 @@ while [[ $# -gt 0 ]]; do
             CLI_ARGS=$2
             shift
             ;;
+        --cli-profile)
+            CLI_PROFILE=$2
+            shift
+            ;;
+        --apparmor)
+            APPARMOR=$2
+            shift
+            ;;
         *)
             exit 1
             ;;
@@ -49,11 +64,12 @@ dd if=/dev/zero of=${DATA_IMG} bs=1G count=1
 mkfs.ext4 -L "hassio-data" -E lazy_itable_init=0,lazy_journal_init=0 ${DATA_IMG}
 
 # Mount / init file structs
-mount -o loop ${DATA_IMG} /mnt
+mkdir -p /mnt/data/
-mkdir -p /mnt/docker
+mount -o loop ${DATA_IMG} /mnt/data
+mkdir -p /mnt/data/docker
 
 # Run dockerd
-dockerd -s overlay2 -g /mnt/docker &
+dockerd -s overlay2 -g /mnt/data/docker &
 DOCKER_PID=$!
 
 DOCKER_COUNT=0
@@ -75,14 +91,23 @@ docker pull "${CLI}:${CLI_VERSION}"
 docker tag "${CLI}:${CLI_VERSION}" "${CLI}:latest"
 
 # Write config
-cat > /mnt/hassio.json <<- EOF
+cat > /mnt/data/hassio.json <<- EOF
 {
     "supervisor": "${SUPERVISOR}",
     "supervisor_args": "${SUPERVISOR_ARGS}",
+    "supervisor_apparmor": "${SUPERVISOR_PROFILE}",
     "cli": "${CLI}",
-    "cli_args": "${CLI_ARGS}"
+    "cli_args": "${CLI_ARGS}",
+    "cli_apparmor": "${CLI_PROFILE}",
+    "apparmor": "${APPARMOR}"
 }
 EOF
 
+# Setup AppArmor
+if [ ! -z "${APPARMOR}" ]; then
+    mkdir -p /mnt/data/${APPARMOR}
+    cp -f /apparmor/* /mnt/data/${APPARMOR}/
+fi
+
 # Finish
-kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt
+kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt/data

buildroot-external/package/hassio/hassio.mk

@@ -15,13 +15,19 @@ define HASSIO_BUILD_CMDS
 endef
 
 define HASSIO_INSTALL_TARGET_CMDS
-	docker run --rm --privileged -v ${BINARIES_DIR}:/export hassio-hostapps \
+	docker run --rm --privileged \
-		--supervisor ${BR2_PACKAGE_HASSIO_SUPERVISOR} \
+		-v $(BINARIES_DIR):/export \
-		--supervisor-version ${BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION} \
+		-v $(BR2_EXTERNAL_HASSIO_PATH)/apparmor:/apparmor \
-		--supervisor-args ${BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS} \
+		hassio-hostapps \
-		--cli ${BR2_PACKAGE_HASSIO_CLI} \
+		--supervisor $(BR2_PACKAGE_HASSIO_SUPERVISOR) \
-		--cli-version ${BR2_PACKAGE_HASSIO_CLI_VERSION} \
+		--supervisor-version $(BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION) \
-		--cli-args ${BR2_PACKAGE_HASSIO_CLI_ARGS}
+		--supervisor-args $(BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS) \
+		--supervisor-profile $(BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE) \
+		--cli $(BR2_PACKAGE_HASSIO_CLI) \
+		--cli-version $(BR2_PACKAGE_HASSIO_CLI_VERSION) \
+		--cli-args $(BR2_PACKAGE_HASSIO_CLI_ARGS) \
+		--cli-profile $(BR2_PACKAGE_HASSIO_CLI_PROFILE) \
+		--apparmor $(BR2_PACKAGE_HASSIO_APPARMOR_DIR)
 endef
 
 $(eval $(generic-package))

buildroot-external/rootfs-overlay/etc/systemd/system/apparmor.service.d/hassio.conf

@@ -1,2 +0,0 @@
-[Unit]
-RequiresMountsFor=/etc/apparmor.d/containers

buildroot-external/rootfs-overlay/etc/systemd/system/hassio-bind.target.wants/etc-apparmor.d-containers.mount

@@ -1 +0,0 @@
-/usr/lib/systemd/system/etc-apparmor.d-containers.mount

buildroot-external/rootfs-overlay/etc/systemd/system/multi-user.target.wants/apparmor.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/apparmor.service

buildroot-external/rootfs-overlay/etc/systemd/system/multi-user.target.wants/hassio-apparmor.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/hassio-apparmor.service

buildroot-external/rootfs-overlay/etc/tmpfiles.d/data.conf

@@ -1,3 +1,2 @@
 d /mnt/data/supervisor
 d /mnt/data/cli
-d /mnt/data/apparmor

buildroot-external/rootfs-overlay/usr/bin/hassio-cli

@@ -5,6 +5,7 @@ CONFIG_FILE=/mnt/data/hassio.json
 
 CLI="$(jq --raw-output '.cli' ${CONFIG_FILE})"
 DOCKER_ARGS="$(jq --raw-output '.cli_args // empty' ${CONFIG_FILE})"
+APPARMOR="$(jq --raw-output '.cli_apparmor // "docker-default"' ${CONFIG_FILE})"
 CLI_DATA=/mnt/data/cli
 
 mkdir -p ${CLI_DATA}
@@ -12,6 +13,7 @@ mkdir -p ${CLI_DATA}
 # Run CLI
 docker run \
     --rm -ti --init \
+    --security-opt apparmor="${APPARMOR}" \
     -v ${CLI_DATA}:/data \
     $DOCKER_ARGS \
     ${CLI}

buildroot-external/rootfs-overlay/usr/lib/systemd/system/etc-apparmor.d-containers.mount

@@ -1,14 +0,0 @@
-[Unit]
-Description=Supervisor persistent apparmor profiles
-Requires=mnt-data.mount apparmor.service
-After=mnt-data.mount
-Before=apparmor.service
-
-[Mount]
-What=/mnt/data/apparmor
-Where=/etc/apparmor.d/containers
-Type=none
-Options=bind
-
-[Install]
-WantedBy=hassio-bind.target

buildroot-external/rootfs-overlay/usr/lib/systemd/system/hassio-apparmor.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Hass.io AppArmor
+Wants=hassio-supervisor.service
+Before=docker.service hassio-supervisor.service
+RequiresMountsFor=/mnt/data
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/sbin/hassio-apparmor
+
+[Install]
+WantedBy=multi-user.target

buildroot-external/rootfs-overlay/usr/sbin/hassio-apparmor

@@ -0,0 +1,47 @@
+#!/bin/sh
+set -e
+
+# Load configs
+CONFIG_FILE=/mnt/data/hassio.json
+
+# Read configs
+PROFILES_DIR="$(jq --raw-output '.apparmor // empty' ${CONFIG_FILE})"
+if [ -z "${PROFILES_DIR}" ]; then
+    exit 0
+fi
+
+PROFILES_DIR="/mnt/data/${PROFILES_DIR}"
+CACHE_DIR="${PROFILES_DIR}/cache"
+REMOVE_DIR="${PROFILES_DIR}/remove"
+
+# Check folder structure
+mkdir -p ${PROFILES_DIR}
+mkdir -p ${CACHE_DIR}
+mkdir -p ${REMOVE_DIR}
+
+# Load/Update exists/new profiles
+for profile in ${PROFILES_DIR}/*; do
+    if [ ! -f ${profile} ]; then
+        continue
+    fi
+
+    # Load Profile
+    if ! apparmor_parser -r -W -L ${CACHE_DIR} ${profile}; then
+        echo "[Error]: Can't load profile ${profile}"
+    fi
+done
+
+# Cleanup old profiles
+for profile in ${REMOVE_DIR}/*; do
+    if [ ! -f ${profile} ]; then
+        continue
+    fi
+
+    # Unload Profile
+    if apparmor_parser -R -W -L ${CACHE_DIR} ${profile}; then
+        if rm ${profile}; then
+            continue
+        fi
+    fi
+    echo "[Error]: Can't remove profile ${profile}"
+done

buildroot-external/rootfs-overlay/usr/sbin/hassio-supervisor

@@ -6,6 +6,7 @@ CONFIG_FILE=/mnt/data/hassio.json
 
 SUPERVISOR="$(jq --raw-output '.supervisor' ${CONFIG_FILE})"
 DOCKER_ARGS="$(jq --raw-output '.supervisor_args // empty' ${CONFIG_FILE})"
+APPARMOR="$(jq --raw-output '.supervisor_apparmor // "docker-default"' ${CONFIG_FILE})"
 
 # Init supervisor
 HASSIO_DATA=/mnt/data/supervisor
@@ -15,6 +16,7 @@ HASSIO_CONTAINER_ID=$(docker inspect --format='{{.Image}}' hassio_supervisor ||
 runSupervisor() {
     docker rm --force hassio_supervisor || true
     docker run --name hassio_supervisor \
+        --security-opt apparmor="${APPARMOR}" \
         -v /var/run/docker.sock:/var/run/docker.sock \
         -v /var/run/dbus:/var/run/dbus \
         -v ${HASSIO_DATA}:/data \