jeans/operating-system
jeans/operating-system
1
0
Fork 0
mirror of https://github.com/home-assistant/operating-system.git synced 2025-07-27 06:56:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use apparmor from s3

Browse Source
This commit is contained in:
Pascal Vizeli 2018-06-20 13:28:30 +00:00
parent 2abbbbd1fa
commit ed5a5033dd
11 changed files with 40 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
buildroot-external/apparmor/hassio-supervisor
View File

@ -1,78 +0,0 @@
#include <tunables/global>
profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/python>
network,
deny network raw,
signal (send) set=(kill,term),
/bin/busybox ix,
/usr/bin/python{,3,3.[0-9]} ix,
/usr/bin/git cx,
/usr/bin/socat cx,
/usr/bin/gdbus cx,
deny /proc/** wl,
deny /root/** wl,
deny /sys/** wl,
/** r,
/tmp/** rw,
/data/** rw,
/usr/lib/python{,3,3.[0-9]}/** mr,
/{,var/}run/docker.sock rw,
capability net_bind_service,
profile /usr/bin/socat flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network inet udp,
network inet tcp,
deny network raw,
deny network packet,
signal (receive) set=(kill,term),
capability net_bind_service,
/lib/* mr,
/usr/bin/socat mr,
}
profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/dbus>
unix (send, receive) type=stream,
/usr/bin/gdbus mr,
/lib/* mr,
/** r,
/{,var/}run/dbus/system_bus_socket rw,
}
profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
deny network raw,
/bin/busybox ix,
/usr/bin/git mr,
/usr/libexec/git-core/* ix,
deny /data/homeassistant rw,
deny /data/ssl rw,
/** r,
/lib/* mr,
/data/addons/** lrw,
capability dac_override,
}
}

1
buildroot-external/configs/ova_defconfig
View File

@ -75,6 +75,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/amd64-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/qemux86-64-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/amd64-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/amd64-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

1
buildroot-external/configs/rpi0_w_defconfig
View File

@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

1
buildroot-external/configs/rpi2_defconfig
View File

@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi2-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi2-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

1
buildroot-external/configs/rpi3_64_defconfig
View File

@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/aarch64-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-64-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-64-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/aarch64-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/aarch64-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

1
buildroot-external/configs/rpi3_defconfig
View File

@ -84,6 +84,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi3-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

1
buildroot-external/configs/rpi_defconfig
View File

@ -83,6 +83,7 @@ BR2_PACKAGE_HASSOS_SUPERVISOR="homeassistant/armhf-hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107" BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION="107"
BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant" BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS="-e HOMEASSISTANT_REPOSITORY=homeassistant/raspberrypi-homeassistant"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor" BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE="hassio-supervisor"
BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL="http://s3.amazonaws.com/hassio-version/apparmor.txt"
BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli" BR2_PACKAGE_HASSOS_CLI="homeassistant/armhf-hassio-cli"
BR2_PACKAGE_HASSOS_CLI_VERSION="3" BR2_PACKAGE_HASSOS_CLI_VERSION="3"
BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default" BR2_PACKAGE_HASSOS_CLI_PROFILE="docker-default"

12
buildroot-external/package/hassos/Config.in
View File

@ -28,6 +28,11 @@ config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE
help help
AppArmor profile for supervisor. AppArmor profile for supervisor.
config BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL
string "AppArmor supervisor profile URL"
help
AppArmor profile for supervisor url.
config BR2_PACKAGE_HASSOS_CLI config BR2_PACKAGE_HASSOS_CLI
string "cli docker image" string "cli docker image"
help help
@ -48,9 +53,14 @@ config BR2_PACKAGE_HASSOS_CLI_PROFILE
help help
AppArmor profile for cli. AppArmor profile for cli.
config BR2_PACKAGE_HASSOS_CLI_PROFILE_URL
string "AppArmor cli profile url"
help
AppArmor profile for cli url.
config BR2_PACKAGE_HASSOS_APPARMOR_DIR config BR2_PACKAGE_HASSOS_APPARMOR_DIR
string "AppArmor profiles folder" string "AppArmor profiles folder"
help help
AppArmor profiles folder for supervisor. AppArmor profiles folder for HassOS.
endif endif

2
buildroot-external/package/hassos/builder/Dockerfile
View File

@ -2,7 +2,7 @@ FROM alpine:3.7
# Install packages # Install packages
RUN apk add --no-cache \ RUN apk add --no-cache \
bash coreutils e2fsprogs bash coreutils e2fsprogs curl
RUN apk add --no-cache --repository http://nl.alpinelinux.org/alpine/v3.7/community \ RUN apk add --no-cache --repository http://nl.alpinelinux.org/alpine/v3.7/community \
docker docker

21
buildroot-external/package/hassos/builder/hostapp.sh
View File

@ -5,10 +5,12 @@ SUPERVISOR=""
SUPERVISOR_VERSION="" SUPERVISOR_VERSION=""
SUPERVISOR_ARGS="" SUPERVISOR_ARGS=""
SUPERVISOR_PROFILE="" SUPERVISOR_PROFILE=""
SUPERVISOR_PROFILE_URL=""
CLI="" CLI=""
CLI_VERSION="" CLI_VERSION=""
CLI_ARGS="" CLI_ARGS=""
CLI_PROFILE="" CLI_PROFILE=""
CLI_PROFILE_URL=""
APPARMOR="" APPARMOR=""
DATA_IMG="/export/data.ext4" DATA_IMG="/export/data.ext4"
@ -32,6 +34,10 @@ while [[ $# -gt 0 ]]; do
SUPERVISOR_PROFILE=$2 SUPERVISOR_PROFILE=$2
shift shift
;; ;;
--supervisor-profile-url)
SUPERVISOR_PROFILE_URL=$2
shift
;;
--cli) --cli)
CLI=$2 CLI=$2
shift shift
@ -48,6 +54,10 @@ while [[ $# -gt 0 ]]; do
CLI_PROFILE=$2 CLI_PROFILE=$2
shift shift
;; ;;
--cli-profile-url)
CLI_PROFILE_URL=$2
shift
;;
--apparmor) --apparmor)
APPARMOR=$2 APPARMOR=$2
shift shift
@ -106,7 +116,16 @@ EOF
# Setup AppArmor # Setup AppArmor
if [ ! -z "${APPARMOR}" ]; then if [ ! -z "${APPARMOR}" ]; then
mkdir -p /mnt/data/${APPARMOR} mkdir -p /mnt/data/${APPARMOR}
cp -f /apparmor/* /mnt/data/${APPARMOR}/
# Supervisor
if [ ! -z "${SUPERVISOR_PROFILE_URL}" ]; then
curl -L -o /mnt/data/${APPARMOR}/${SUPERVISOR_PROFILE} ${SUPERVISOR_PROFILE_URL}
fi
# CLI
if [ ! -z "${CLI_PROFILE_URL}" ]; then
curl -L -o /mnt/data/${APPARMOR}/${CLI_PROFILE} ${CLI_PROFILE_URL}
fi
fi fi
# Finish # Finish

3
buildroot-external/package/hassos/hassos.mk
View File

@ -17,16 +17,17 @@ endef
define HASSOS_INSTALL_TARGET_CMDS define HASSOS_INSTALL_TARGET_CMDS
docker run --rm --privileged \ docker run --rm --privileged \
-v $(BINARIES_DIR):/export \ -v $(BINARIES_DIR):/export \
-v $(BR2_EXTERNAL_HASSOS_PATH)/apparmor:/apparmor \
hassos-hostapps \ hassos-hostapps \
--supervisor $(BR2_PACKAGE_HASSOS_SUPERVISOR) \ --supervisor $(BR2_PACKAGE_HASSOS_SUPERVISOR) \
--supervisor-version $(BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION) \ --supervisor-version $(BR2_PACKAGE_HASSOS_SUPERVISOR_VERSION) \
--supervisor-args $(BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS) \ --supervisor-args $(BR2_PACKAGE_HASSOS_SUPERVISOR_ARGS) \
--supervisor-profile $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE) \ --supervisor-profile $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE) \
--supervisor-profile-url $(BR2_PACKAGE_HASSOS_SUPERVISOR_PROFILE_URL) \
--cli $(BR2_PACKAGE_HASSOS_CLI) \ --cli $(BR2_PACKAGE_HASSOS_CLI) \
--cli-version $(BR2_PACKAGE_HASSOS_CLI_VERSION) \ --cli-version $(BR2_PACKAGE_HASSOS_CLI_VERSION) \
--cli-args $(BR2_PACKAGE_HASSOS_CLI_ARGS) \ --cli-args $(BR2_PACKAGE_HASSOS_CLI_ARGS) \
--cli-profile $(BR2_PACKAGE_HASSOS_CLI_PROFILE) \ --cli-profile $(BR2_PACKAGE_HASSOS_CLI_PROFILE) \
--cli-profile-url $(BR2_PACKAGE_HASSOS_CLI_PROFILE_URL) \
--apparmor $(BR2_PACKAGE_HASSOS_APPARMOR_DIR) --apparmor $(BR2_PACKAGE_HASSOS_APPARMOR_DIR)
endef endef