Use apparmor from s3

2025-07-24 13:36:31 +00:00 · 2018-06-20 13:28:30 +00:00 · 2018-06-20 13:28:30 +00:00 · ed5a5033dd
commit ed5a5033dd
parent 2abbbbd1fa
11 changed files with 40 additions and 82 deletions
--- a/buildroot-external/apparmor/hassio-supervisor
+++ b/buildroot-external/apparmor/hassio-supervisor
@ -1,78 +0,0 @@
-#include <tunables/global>
-
-profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
-  #include <abstractions/base>
-  #include <abstractions/python>
-
-  network,
-  deny network raw,
-
-  signal (send) set=(kill,term),
-
-  /bin/busybox ix,
-  /usr/bin/python{,3,3.[0-9]} ix,
-  /usr/bin/git cx,
-  /usr/bin/socat cx,
-  /usr/bin/gdbus cx,
-
-  deny /proc/** wl,
-  deny /root/** wl,
-  deny /sys/** wl,
-
-  /** r,
-  /tmp/** rw,
-  /data/** rw,
-  /usr/lib/python{,3,3.[0-9]}/** mr,
-  /{,var/}run/docker.sock rw,
-
-  capability net_bind_service,
-
-  profile /usr/bin/socat flags=(attach_disconnected,mediate_deleted) {
-    #include <abstractions/base>
-
-    network inet udp,
-    network inet tcp,
-
-    deny network raw,
-    deny network packet,
-
-    signal (receive) set=(kill,term),
-    capability net_bind_service,
-
-    /lib/* mr,
-    /usr/bin/socat mr,
-  }
-
-  profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
-    #include <abstractions/base>
-    #include <abstractions/dbus>
-
-    unix (send, receive) type=stream,
-
-    /usr/bin/gdbus mr,
-    /lib/* mr,
-    /** r,
-
-    /{,var/}run/dbus/system_bus_socket rw,
-  }
-
-  profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
-    #include <abstractions/base>
-
-    network,
-    deny network raw,
-
-    /bin/busybox ix,
-    /usr/bin/git mr,
-    /usr/libexec/git-core/* ix,
-
-    deny /data/homeassistant rw,
-    deny /data/ssl rw,
-
-    /** r,
-    /lib/* mr,
-    /data/addons/** lrw,
-
-    capability dac_override,
-  }
-}
--- a/buildroot-external/configs/ova_defconfig
+++ b/buildroot-external/configs/ova_defconfig
@ -75,6 +75,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/amd64-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/amd64-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/configs/rpi0_w_defconfig
+++ b/buildroot-external/configs/rpi0_w_defconfig
@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/configs/rpi2_defconfig
+++ b/buildroot-external/configs/rpi2_defconfig
@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi2-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/configs/rpi3_64_defconfig
+++ b/buildroot-external/configs/rpi3_64_defconfig
@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/aarch64-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-64-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/aarch64-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/configs/rpi3_defconfig
+++ b/buildroot-external/configs/rpi3_defconfig
@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/configs/rpi_defconfig
+++ b/buildroot-external/configs/rpi_defconfig
@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
--- a/buildroot-external/package/hassos/Config.in
+++ b/buildroot-external/package/hassos/Config.in
@ -28,6 +28,11 @@ config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE
 	help
 	  AppArmor profile for supervisor.

+config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL
+	string "AppArmor supervisor profile URL"
+	help
+	  AppArmor profile for supervisor url.
+
 config BR2_PACKAGE_HASSOS_CLI
 	string "cli docker image"
 	help
@ -48,9 +53,14 @@ config BR2_PACKAGE_HASSOS_CLI_PROFILE
 	help
 	  AppArmor profile for cli.

+config BR2_PACKAGE_HASSOS_CLI_PROFILE_URL
+	string "AppArmor cli profile url"
+	help
+	  AppArmor profile for cli url.
+
 config BR2_PACKAGE_HASSOS_APPARMOR_DIR
 	string "AppArmor profiles folder"
 	help
-	  AppArmor profiles folder for supervisor.
+	  AppArmor profiles folder for HassOS.

 endif
--- a/buildroot-external/package/hassos/builder/Dockerfile
+++ b/buildroot-external/package/hassos/builder/Dockerfile
@ -2,7 +2,7 @@ FROM alpine:3.7

 # Install packages
 RUN apk add --no-cache \
-    bash coreutils e2fsprogs
+    bash coreutils e2fsprogs curl
 RUN apk add --no-cache --repository http://nl.alpinelinux.org/alpine/v3.7/community \
    docker

--- a/buildroot-external/package/hassos/builder/hostapp.sh
+++ b/buildroot-external/package/hassos/builder/hostapp.sh
@ -5,10 +5,12 @@ SUPERVISOR=""
 SUPERVISOR_VERSION=""
 SUPERVISOR_ARGS=""
 SUPERVISOR_PROFILE=""
+SUPERVISOR_PROFILE_URL=""
 CLI=""
 CLI_VERSION=""
 CLI_ARGS=""
 CLI_PROFILE=""
+CLI_PROFILE_URL=""
 APPARMOR=""
 DATA_IMG="/export/data.ext4"

@ -32,6 +34,10 @@ while [[ $# -gt 0 ]]; do
            SUPERVISOR_PROFILE=$2
            shift
            ;;
+        --supervisor-profile-url)
+            SUPERVISOR_PROFILE_URL=$2
+            shift
+            ;;
        --cli)
            CLI=$2
            shift
@ -48,6 +54,10 @@ while [[ $# -gt 0 ]]; do
            CLI_PROFILE=$2
            shift
            ;;
+        --cli-profile-url)
+            CLI_PROFILE_URL=$2
+            shift
+            ;;
        --apparmor)
            APPARMOR=$2
            shift
@ -106,7 +116,16 @@ EOF
 # Setup AppArmor
 if [ ! -z "${APPARMOR}" ]; then
    mkdir -p /mnt/data/${APPARMOR}
-    cp -f /apparmor/* /mnt/data/${APPARMOR}/
+
+    # Supervisor
+    if [ ! -z "${SUPERVISOR_PROFILE_URL}" ]; then
+        curl -L -o /mnt/data/${APPARMOR}/${SUPERVISOR_PROFILE} ${SUPERVISOR_PROFILE_URL}
+    fi
+
+    # CLI
+    if [ ! -z "${CLI_PROFILE_URL}" ]; then
+        curl -L -o /mnt/data/${APPARMOR}/${CLI_PROFILE} ${CLI_PROFILE_URL}
+    fi
 fi

 # Finish
--- a/buildroot-external/package/hassos/hassos.mk
+++ b/buildroot-external/package/hassos/hassos.mk
@ -17,16 +17,17 @@ endef
 define HASSOS_INSTALL_TARGET_CMDS
 	docker run --rm --privileged \
 		-v $(BINARIES_DIR):/export \
-		-v $(BR2_EXTERNAL_HASSOS_PATH)/apparmor:/apparmor \
 		hassos-hostapps \
 		--supervisor $(BR2_PACKAGE_HASSOS_SUPERVISOR) \
 		--supervisor-version $(BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION) \
 		--supervisor-args $(BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS) \
 		--supervisor-profile $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE) \
+		--supervisor-profile-url $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL) \
 		--cli $(BR2_PACKAGE_HASSOS_CLI) \
 		--cli-version $(BR2_PACKAGE_HASSOS_CLI_VERSION) \
 		--cli-args $(BR2_PACKAGE_HASSOS_CLI_ARGS) \
 		--cli-profile $(BR2_PACKAGE_HASSOS_CLI_PROFILE) \
+		--cli-profile-url $(BR2_PACKAGE_HASSOS_CLI_PROFILE_URL) \
 		--apparmor $(BR2_PACKAGE_HASSOS_APPARMOR_DIR)
 endef