From ed5a5033dde54b027048137ba4ae58e49bf5646d Mon Sep 17 00:00:00 2001
From: Pascal Vizeli
Date: Wed, 20 Jun 2018 13:28:30 +0000
Subject: [PATCH] Use apparmor from s3
---
 buildroot-external/apparmor/hassio-supervisor | 78 -------------------
 buildroot-external/configs/ova_defconfig | 1 +
 buildroot-external/configs/rpi0_w_defconfig | 1 +
 buildroot-external/configs/rpi2_defconfig | 1 +
 buildroot-external/configs/rpi3_64_defconfig | 1 +
 buildroot-external/configs/rpi3_defconfig | 1 +
 buildroot-external/configs/rpi_defconfig | 1 +
 buildroot-external/package/hassos/Config.in | 12 ++-
 .../package/hassos/builder/Dockerfile | 2 +-
 .../package/hassos/builder/hostapp.sh | 21 ++++-
 buildroot-external/package/hassos/hassos.mk | 3 +-
 11 files changed, 40 insertions(+), 82 deletions(-)
 delete mode 100644 buildroot-external/apparmor/hassio-supervisor
diff --git a/buildroot-external/apparmor/hassio-supervisor b/buildroot-external/apparmor/hassio-supervisor
deleted file mode 100644
index c06a9dc49..000000000
--- a/buildroot-external/apparmor/hassio-supervisor
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
- #include
- #include
-
- network,
- deny network raw,
-
- signal (send) set=(kill,term),
-
- /bin/busybox ix,
- /usr/bin/python{,3,3.[0-9]} ix,
- /usr/bin/git cx,
- /usr/bin/socat cx,
- /usr/bin/gdbus cx,
-
- deny /proc/** wl,
- deny /root/** wl,
- deny /sys/** wl,
-
- /** r,
- /tmp/** rw,
- /data/** rw,
- /usr/lib/python{,3,3.[0-9]}/** mr,
- /{,var/}run/docker.sock rw,
-
- capability net_bind_service,
-
- profile /usr/bin/socat flags=(attach_disconnected,mediate_deleted) {
- #include
-
- network inet udp,
- network inet tcp,
-
- deny network raw,
- deny network packet,
-
- signal (receive) set=(kill,term),
- capability net_bind_service,
-
- /lib/* mr,
- /usr/bin/socat mr,
- }
-
- profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
- #include
- #include
-
- unix (send, receive) type=stream,
-
- /usr/bin/gdbus mr,
- /lib/* mr,
- /** r,
-
- /{,var/}run/dbus/system_bus_socket rw,
- }
-
- profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
- #include
-
- network,
- deny network raw,
-
- /bin/busybox ix,
- /usr/bin/git mr,
- /usr/libexec/git-core/* ix,
-
- deny /data/homeassistant rw,
- deny /data/ssl rw,
-
- /** r,
- /lib/* mr,
- /data/addons/** lrw,
-
- capability dac_override,
- }
-}
diff --git a/buildroot-external/configs/ova_defconfig b/buildroot-external/configs/ova_defconfig
index c44c5fc42..55adda9fc 100644
--- a/buildroot-external/configs/ova_defconfig
+++ b/buildroot-external/configs/ova_defconfig
@@ -75,6 +75,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/amd64-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/amd64-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/configs/rpi0_w_defconfig b/buildroot-external/configs/rpi0_w_defconfig
index fae1ecff8..357b44b41 100644
--- a/buildroot-external/configs/rpi0_w_defconfig
+++ b/buildroot-external/configs/rpi0_w_defconfig
@@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/configs/rpi2_defconfig b/buildroot-external/configs/rpi2_defconfig
index a96cebdd2..6acf08a0a 100644
--- a/buildroot-external/configs/rpi2_defconfig
+++ b/buildroot-external/configs/rpi2_defconfig
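Review bot: The added `BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"` makes the build fetch the supervisor's AppArmor profile over cleartext HTTP from a mutable object, with no version or digest attached. Whoever sits on the build host's network path, or can overwrite that object, then decides which confinement policy ships in the image, and the policy is no longer reviewable in-tree the way the deleted `buildroot-external/apparmor/hassio-supervisor` was. Use the `https://` form of the URL and pin the expected content, for example with a companion SHA-256 option that the builder checks before installing the file (no such option exists in this patch). The same line is added in the rpi0_w, rpi2, rpi3_64, rpi3 and rpi defconfigs.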
@@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi2-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/configs/rpi3_64_defconfig b/buildroot-external/configs/rpi3_64_defconfig
index 88340db37..9aa4db114 100644
--- a/buildroot-external/configs/rpi3_64_defconfig
+++ b/buildroot-external/configs/rpi3_64_defconfig
@@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/aarch64-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-64-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/aarch64-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/configs/rpi3_defconfig b/buildroot-external/configs/rpi3_defconfig
index 39c1b814c..ad7e73aae 100644
--- a/buildroot-external/configs/rpi3_defconfig
+++ b/buildroot-external/configs/rpi3_defconfig
@@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/configs/rpi_defconfig b/buildroot-external/configs/rpi_defconfig
index b9a25400c..c81d34f83 100644
--- a/buildroot-external/configs/rpi_defconfig
+++ b/buildroot-external/configs/rpi_defconfig
@@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
 BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
 BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
 BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
+BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
 BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
 BR2_PACKAGE_HASSOS_CLI_VERSION="3"
 BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"
diff --git a/buildroot-external/package/hassos/Config.in b/buildroot-external/package/hassos/Config.in
index 6d5c8298d..098988066 100644
--- a/buildroot-external/package/hassos/Config.in
+++ b/buildroot-external/package/hassos/Config.in
@@ -28,6 +28,11 @@ config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE
 help
 AppArmor profile for supervisor.
+config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL
+ string "AppArmor supervisor profile URL"
+ help
+ AppArmor profile for supervisor url.
+
 config BR2_PACKAGE_HASSOS_CLI
 string "cli docker image"
 help
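Review bot: The help text added for `BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL` in Config.in ("AppArmor profile for supervisor url.") does not say when or how the URL is used. I would document that the file is downloaded while the image is built and saved in the AppArmor profiles folder under the profile name, and that an empty value skips the download, e.g. `Build-time download URL of the supervisor AppArmor profile; saved under the profile name, empty disables the download.` The same applies to `BR2_PACKAGE_HASSOS_CLI_PROFILE_URL` in the following Config.in hunk, and neither option declares a `default`.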
@@ -48,9 +53,14 @@ config BR2_PACKAGE_HASSOS_CLI_PROFILE
 help
 AppArmor profile for cli.
+config BR2_PACKAGE_HASSOS_CLI_PROFILE_URL
+ string "AppArmor cli profile url"
+ help
+ AppArmor profile for cli url.
+
 config BR2_PACKAGE_HASSOS_APPARMOR_DIR
 string "AppArmor profiles folder"
 help
- AppArmor profiles folder for supervisor.
+ AppArmor profiles folder for HassOS.
 endif
diff --git a/buildroot-external/package/hassos/builder/Dockerfile b/buildroot-external/package/hassos/builder/Dockerfile
index e2ca34998..f97a86b1d 100644
--- a/buildroot-external/package/hassos/builder/Dockerfile
+++ b/buildroot-external/package/hassos/builder/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.7
 # Install packages
 RUN apk add --no-cache \
- bash coreutils e2fsprogs
+ bash coreutils e2fsprogs curl
 RUN apk add --no-cache --repository http://nl.alpinelinux.org/alpine/v3.7/community \
 docker
diff --git a/buildroot-external/package/hassos/builder/hostapp.sh b/buildroot-external/package/hassos/builder/hostapp.sh
index f140bc989..b0c1eac3f 100755
--- a/buildroot-external/package/hassos/builder/hostapp.sh
+++ b/buildroot-external/package/hassos/builder/hostapp.sh
@@ -5,10 +5,12 @@ SUPERVISOR=""
 SUPERVISOR_VERSION=""
 SUPERVISOR_ARGS=""
 SUPERVISOR_PROFILE=""
+SUPERVISOR_PROFILE_URL=""
 CLI=""
 CLI_VERSION=""
 CLI_ARGS=""
 CLI_PROFILE=""
+CLI_PROFILE_URL=""
 APPARMOR=""
 DATA_IMG="/export/data.ext4"
@@ -32,6 +34,10 @@ while [[ $# -gt 0 ]]; do
 SUPERVISOR_PROFILE=$2
 shift
 ;;
+ --supervisor-profile-url)
+ SUPERVISOR_PROFILE_URL=$2
+ shift
+ ;;
 --cli)
 CLI=$2
 shift
@@ -48,6 +54,10 @@ while [[ $# -gt 0 ]]; do
 CLI_PROFILE=$2
 shift
 ;;
+ --cli-profile-url)
+ CLI_PROFILE_URL=$2
+ shift
+ ;;
 --apparmor)
 APPARMOR=$2
 shift
@@ -106,7 +116,16 @@ EOF
 # Setup AppArmor
 if [ ! -z "${APPARMOR}" ]; then
 mkdir -p /mnt/data/${APPARMOR}
- cp -f /apparmor/* /mnt/data/${APPARMOR}/
+
+ # Supervisor
+ if [ ! -z "${SUPERVISOR_PROFILE_URL}" ]; then
+ curl -L -o /mnt/data/${APPARMOR}/${SUPERVISOR_PROFILE} ${SUPERVISOR_PROFILE_URL}
+ fi
+
+ # CLI
+ if [ ! -z "${CLI_PROFILE_URL}" ]; then
+ curl -L -o /mnt/data/${APPARMOR}/${CLI_PROFILE} ${CLI_PROFILE_URL}
+ fi
 fi
 # Finish
diff --git a/buildroot-external/package/hassos/hassos.mk b/buildroot-external/package/hassos/hassos.mk
index dc32946a9..68f9946c6 100644
--- a/buildroot-external/package/hassos/hassos.mk
+++ b/buildroot-external/package/hassos/hassos.mk
@@ -17,16 +17,17 @@ endef
 define HASSOS_INSTALL_TARGET_CMDS
 docker run --rm --privileged \
 -v $(BINARIES_DIR):/export \
- -v $(BR2_EXTERNAL_HASSOS_PATH)/apparmor:/apparmor \
 hassos-hostapps \
 --supervisor $(BR2_PACKAGE_HASSOS_SUPERVISOR) \
 --supervisor-version $(BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION) \
 --supervisor-args $(BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS) \
 --supervisor-profile $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE) \
+ --supervisor-profile-url $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL) \
 --cli $(BR2_PACKAGE_HASSOS_CLI) \
 --cli-version $(BR2_PACKAGE_HASSOS_CLI_VERSION) \
 --cli-args $(BR2_PACKAGE_HASSOS_CLI_ARGS) \
 --cli-profile $(BR2_PACKAGE_HASSOS_CLI_PROFILE) \
+ --cli-profile-url $(BR2_PACKAGE_HASSOS_CLI_PROFILE_URL) \
 --apparmor $(BR2_PACKAGE_HASSOS_APPARMOR_DIR)
 endef
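Review bot: Both added `curl -L -o …` calls in hostapp.sh's AppArmor setup accept whatever the server returns: without `--fail` an HTTP error body is saved as the profile while curl still exits 0, and nothing verifies the downloaded content before it lands in `/mnt/data/${APPARMOR}/`. The expansions are also unquoted, and an empty `SUPERVISOR_PROFILE` or `CLI_PROFILE` combined with a non-empty URL makes the output path the profiles directory itself. I would fail the build on HTTP errors, restrict the transfer and its redirects to HTTPS (which requires changing the configured `http://` URL), quote the paths, and ideally compare the file against a pinned SHA-256 before it is used. The enclosing `if [ ! -z "${APPARMOR}" ]` block and the script header lie outside the changed lines, so whether `set -e` is active cannot be seen from this hunk.

```shell
# … unchanged: mkdir -p of the profiles folder …

  # Supervisor
  if [ ! -z "${SUPERVISOR_PROFILE_URL}" ]; then
    # --fail: an HTTP error must not be stored as a profile.
    # --proto/--proto-redir: refuse cleartext transfers and downgrading redirects.
    curl --fail --silent --show-error --location \
      --proto '=https' --proto-redir '=https' \
      --output "/mnt/data/${APPARMOR}/${SUPERVISOR_PROFILE:?}" \
      "${SUPERVISOR_PROFILE_URL}"
  fi

  # CLI
  if [ ! -z "${CLI_PROFILE_URL}" ]; then
    curl --fail --silent --show-error --location \
      --proto '=https' --proto-redir '=https' \
      --output "/mnt/data/${APPARMOR}/${CLI_PROFILE:?}" \
      "${CLI_PROFILE_URL}"
  fi
```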