Adds host PID mode support for add-ons (#700)

* ✨ Adds host PID mode support for add-ons. * 🔒 Disables host PID mode when in protected mode * 🚦 Adds more negative rating weight to host PID mode
2025-07-08 17:56:33 +00:00 · 2018-09-17 21:02:28 +02:00 · 2018-09-17 21:02:28 +02:00 · 622e99e04c
commit 622e99e04c
parent 061420f279
7 changed files with 24 additions and 3 deletions
--- a/API.md
+++ b/API.md
@ -472,6 +472,7 @@ Get all available addons.
    "options": "{}",
    "network": "{}|null",
    "host_network": "bool",
+    "host_pid": "bool",
    "host_ipc": "bool",
    "host_dbus": "bool",
    "privileged": ["NET_ADMIN", "SYS_ADMIN"],
--- a/hassio/addons/addon.py
+++ b/hassio/addons/addon.py
@ -26,7 +26,7 @@ from ..const import (
    ATTR_GPIO, ATTR_HOMEASSISTANT_API, ATTR_STDIN, ATTR_LEGACY, ATTR_HOST_IPC,
    ATTR_HOST_DBUS, ATTR_AUTO_UART, ATTR_DISCOVERY, ATTR_SERVICES,
    ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API, ATTR_FULL_ACCESS,
-    ATTR_PROTECTED, ATTR_ACCESS_TOKEN,
+    ATTR_PROTECTED, ATTR_ACCESS_TOKEN, ATTR_HOST_PID,
    SECURITY_PROFILE, SECURITY_DISABLE, SECURITY_DEFAULT)
 from ..coresys import CoreSysAttributes
 from ..docker.addon import DockerAddon
@ -307,6 +307,11 @@ class Addon(CoreSysAttributes):
        """Return True if addon run on host network."""
        return self._mesh[ATTR_HOST_NETWORK]

+    @property
+    def host_pid(self):
+        """Return True if addon run on host PID namespace."""
+        return self._mesh[ATTR_HOST_PID]
+
    @property
    def host_ipc(self):
        """Return True if addon run on host IPC namespace."""
--- a/hassio/addons/utils.py
+++ b/hassio/addons/utils.py
@ -40,6 +40,10 @@ def rating_security(addon):
    if addon.host_network:
        rating += -1

+    # Insecure PID namespace
+    if addon.host_pid:
+        rating += -2
+
    # Full Access
    if addon.with_full_access:
        rating += -2
--- a/hassio/addons/validate.py
+++ b/hassio/addons/validate.py
@ -19,7 +19,7 @@ from ..const import (
    ATTR_ARGS, ATTR_GPIO, ATTR_HOMEASSISTANT_API, ATTR_STDIN, ATTR_LEGACY,
    ATTR_HOST_DBUS, ATTR_AUTO_UART, ATTR_SERVICES, ATTR_DISCOVERY,
    ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API, ATTR_PROTECTED,
-    ATTR_FULL_ACCESS, ATTR_ACCESS_TOKEN,
+    ATTR_FULL_ACCESS, ATTR_ACCESS_TOKEN, ATTR_HOST_PID,
    PRIVILEGED_NET_ADMIN, PRIVILEGED_SYS_ADMIN, PRIVILEGED_SYS_RAWIO,
    PRIVILEGED_IPC_LOCK, PRIVILEGED_SYS_TIME, PRIVILEGED_SYS_NICE,
    PRIVILEGED_SYS_RESOURCE, PRIVILEGED_SYS_PTRACE)
@ -105,6 +105,7 @@ SCHEMA_ADDON_CONFIG = vol.Schema({
    vol.Optional(ATTR_WEBUI):
        vol.Match(r"^(?:https?|\[PROTO:\w+\]):\/\/\[HOST\]:\[PORT:\d+\].*$"),
    vol.Optional(ATTR_HOST_NETWORK, default=False): vol.Boolean(),
+    vol.Optional(ATTR_HOST_PID, default=False): vol.Boolean(),
    vol.Optional(ATTR_HOST_IPC, default=False): vol.Boolean(),
    vol.Optional(ATTR_HOST_DBUS, default=False): vol.Boolean(),
    vol.Optional(ATTR_DEVICES): [vol.Match(r"^(.*):(.*):([rwm]{1,3})$")],
--- a/hassio/api/addons.py
+++ b/hassio/api/addons.py
@ -19,7 +19,7 @@ from ..const import (
    ATTR_CPU_PERCENT, ATTR_MEMORY_LIMIT, ATTR_MEMORY_USAGE, ATTR_NETWORK_TX,
    ATTR_NETWORK_RX, ATTR_BLK_READ, ATTR_BLK_WRITE, ATTR_ICON, ATTR_SERVICES,
    ATTR_DISCOVERY, ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API,
-    ATTR_FULL_ACCESS, ATTR_PROTECTED, ATTR_RATING,
+    ATTR_FULL_ACCESS, ATTR_PROTECTED, ATTR_RATING, ATTR_HOST_PID,
    CONTENT_TYPE_PNG, CONTENT_TYPE_BINARY, CONTENT_TYPE_TEXT,
    REQUEST_FROM)
 from ..coresys import CoreSysAttributes
@ -140,6 +140,7 @@ class APIAddons(CoreSysAttributes):
            ATTR_BUILD: addon.need_build,
            ATTR_NETWORK: addon.ports,
            ATTR_HOST_NETWORK: addon.host_network,
+            ATTR_HOST_PID: addon.host_pid,
            ATTR_HOST_IPC: addon.host_ipc,
            ATTR_HOST_DBUS: addon.host_dbus,
            ATTR_PRIVILEGED: addon.privileged,
--- a/hassio/const.py
+++ b/hassio/const.py
@ -114,6 +114,7 @@ ATTR_BUILD = 'build'
 ATTR_DEVICES = 'devices'
 ATTR_ENVIRONMENT = 'environment'
 ATTR_HOST_NETWORK = 'host_network'
+ATTR_HOST_PID = 'host_pid'
 ATTR_HOST_IPC = 'host_ipc'
 ATTR_HOST_DBUS = 'host_dbus'
 ATTR_NETWORK = 'network'
--- a/hassio/docker/addon.py
+++ b/hassio/docker/addon.py
@ -165,6 +165,13 @@ class DockerAddon(DockerInterface):
            return 'host'
        return None

+    @property
+    def pid_mode(self):
+        """Return PID mode for addon."""
+        if not self.addon.protected and self.addon.host_pid:
+            return 'host'
+        return None
+
    @property
    def volumes(self):
        """Generate volumes for mappings."""
@ -277,6 +284,7 @@ class DockerAddon(DockerInterface):
            ipc_mode=self.ipc,
            stdin_open=self.addon.with_stdin,
            network_mode=self.network_mode,
+            pid_mode=self.pid_mode,
            ports=self.ports,
            extra_hosts=self.network_mapping,
            devices=self.devices,