From 622e99e04cd6f886a943ea43dfe7722f909cd164 Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Mon, 17 Sep 2018 21:02:28 +0200
Subject: [PATCH] Adds host PID mode support for add-ons (#700)

* :sparkles: Adds host PID mode support for add-ons.
* :lock: Disables host PID mode when in protected mode
* :vertical_traffic_light: Adds more negative rating weight to host PID mode
---
 API.md | 1 +
 hassio/addons/addon.py | 7 ++++++-
 hassio/addons/utils.py | 4 ++++
 hassio/addons/validate.py | 3 ++-
 hassio/api/addons.py | 3 ++-
 hassio/const.py | 1 +
 hassio/docker/addon.py | 8 ++++++++
 7 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/API.md b/API.md
index 1b69a9c8f..d8deb5cfc 100644
--- a/API.md
+++ b/API.md
@@ -472,6 +472,7 @@ Get all available addons.
 "options": "{}",
 "network": "{}|null",
 "host_network": "bool",
+ "host_pid": "bool",
 "host_ipc": "bool",
 "host_dbus": "bool",
 "privileged": ["NET_ADMIN", "SYS_ADMIN"],
diff --git a/hassio/addons/addon.py b/hassio/addons/addon.py
index 7e207ff94..62962db12 100644
--- a/hassio/addons/addon.py
+++ b/hassio/addons/addon.py
@@ -26,7 +26,7 @@ from ..const import (
 ATTR_GPIO, ATTR_HOMEASSISTANT_API, ATTR_STDIN, ATTR_LEGACY, ATTR_HOST_IPC, ATTR_HOST_DBUS, ATTR_AUTO_UART, ATTR_DISCOVERY, ATTR_SERVICES, ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API, ATTR_FULL_ACCESS,
- ATTR_PROTECTED, ATTR_ACCESS_TOKEN,
+ ATTR_PROTECTED, ATTR_ACCESS_TOKEN, ATTR_HOST_PID,
 SECURITY_PROFILE, SECURITY_DISABLE, SECURITY_DEFAULT)
 from ..coresys import CoreSysAttributes
 from ..docker.addon import DockerAddon
@@ -307,6 +307,11 @@ class Addon(CoreSysAttributes):
 """Return True if addon run on host network."""
 return self._mesh[ATTR_HOST_NETWORK]
+ @property
+ def host_pid(self):
+ """Return True if addon run on host PID namespace."""
+ return self._mesh[ATTR_HOST_PID]
+
 @property
 def host_ipc(self):
 """Return True if addon run on host IPC namespace."""
diff --git a/hassio/addons/utils.py b/hassio/addons/utils.py
index b9f1a9437..7c2e4ba31 100644
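Review bot: `host_pid` reads `self._mesh[ATTR_HOST_PID]` with a plain subscript, so an add-on record persisted before this key existed raises KeyError on access unless the store re-validates it against the updated schema (which supplies `default=False`) when it is loaded; the hunk does not show whether that happens. If it does not, `return self._mesh.get(ATTR_HOST_PID, False)` keeps older records readable while matching the schema default. The Addon class continues outside the hunk.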
--- a/hassio/addons/utils.py
+++ b/hassio/addons/utils.py
@@ -40,6 +40,10 @@ def rating_security(addon):
 if addon.host_network:
 rating += -1
+ # Insecure PID namespace
+ if addon.host_pid:
+ rating += -2
+
 # Full Access
 if addon.with_full_access:
 rating += -2
diff --git a/hassio/addons/validate.py b/hassio/addons/validate.py
index 4ff3d8cfa..43ee5c3cf 100644
--- a/hassio/addons/validate.py
+++ b/hassio/addons/validate.py
@@ -19,7 +19,7 @@ from ..const import (
 ATTR_ARGS, ATTR_GPIO, ATTR_HOMEASSISTANT_API, ATTR_STDIN, ATTR_LEGACY, ATTR_HOST_DBUS, ATTR_AUTO_UART, ATTR_SERVICES, ATTR_DISCOVERY, ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API, ATTR_PROTECTED,
- ATTR_FULL_ACCESS, ATTR_ACCESS_TOKEN,
+ ATTR_FULL_ACCESS, ATTR_ACCESS_TOKEN, ATTR_HOST_PID,
 PRIVILEGED_NET_ADMIN, PRIVILEGED_SYS_ADMIN, PRIVILEGED_SYS_RAWIO, PRIVILEGED_IPC_LOCK, PRIVILEGED_SYS_TIME, PRIVILEGED_SYS_NICE, PRIVILEGED_SYS_RESOURCE, PRIVILEGED_SYS_PTRACE)
@@ -105,6 +105,7 @@ SCHEMA_ADDON_CONFIG = vol.Schema({
 vol.Optional(ATTR_WEBUI):
 vol.Match(r"^(?:https?|\[PROTO:\w+\]):\/\/\[HOST\]:\[PORT:\d+\].*$"),
 vol.Optional(ATTR_HOST_NETWORK, default=False): vol.Boolean(),
+ vol.Optional(ATTR_HOST_PID, default=False): vol.Boolean(),
 vol.Optional(ATTR_HOST_IPC, default=False): vol.Boolean(),
 vol.Optional(ATTR_HOST_DBUS, default=False): vol.Boolean(),
 vol.Optional(ATTR_DEVICES): [vol.Match(r"^(.*):(.*):([rwm]{1,3})$")],
diff --git a/hassio/api/addons.py b/hassio/api/addons.py
index 0e630c0bb..af3a3b515 100644
--- a/hassio/api/addons.py
+++ b/hassio/api/addons.py
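Review bot: The comment `# Insecure PID namespace` above the new deduction says that the option is bad but not what it is, which is the information a reader of the rating table needs; `# Host PID namespace: the container shares the host's process table` names the setting being penalised. It is also worth stating in that comment that the deduction is taken from the manifest value, so it still applies when protected mode keeps the container in its own PID namespace (see the hassio/docker/addon.py hunk of this commit). rating_security continues beyond the hunk.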
@@ -19,7 +19,7 @@ from ..const import (
 ATTR_CPU_PERCENT, ATTR_MEMORY_LIMIT, ATTR_MEMORY_USAGE, ATTR_NETWORK_TX, ATTR_NETWORK_RX, ATTR_BLK_READ, ATTR_BLK_WRITE, ATTR_ICON, ATTR_SERVICES, ATTR_DISCOVERY, ATTR_APPARMOR, ATTR_DEVICETREE, ATTR_DOCKER_API,
- ATTR_FULL_ACCESS, ATTR_PROTECTED, ATTR_RATING,
+ ATTR_FULL_ACCESS, ATTR_PROTECTED, ATTR_RATING, ATTR_HOST_PID,
 CONTENT_TYPE_PNG, CONTENT_TYPE_BINARY, CONTENT_TYPE_TEXT, REQUEST_FROM)
 from ..coresys import CoreSysAttributes
@@ -140,6 +140,7 @@ class APIAddons(CoreSysAttributes):
 ATTR_BUILD: addon.need_build,
 ATTR_NETWORK: addon.ports,
 ATTR_HOST_NETWORK: addon.host_network,
+ ATTR_HOST_PID: addon.host_pid,
 ATTR_HOST_IPC: addon.host_ipc,
 ATTR_HOST_DBUS: addon.host_dbus,
 ATTR_PRIVILEGED: addon.privileged,
diff --git a/hassio/const.py b/hassio/const.py
index da4e15542..664798d27 100644
--- a/hassio/const.py
+++ b/hassio/const.py
@@ -114,6 +114,7 @@ ATTR_BUILD = 'build'
 ATTR_DEVICES = 'devices'
 ATTR_ENVIRONMENT = 'environment'
 ATTR_HOST_NETWORK = 'host_network'
+ATTR_HOST_PID = 'host_pid'
 ATTR_HOST_IPC = 'host_ipc'
 ATTR_HOST_DBUS = 'host_dbus'
 ATTR_NETWORK = 'network'
diff --git a/hassio/docker/addon.py b/hassio/docker/addon.py
index 232721b72..53aa9e96a 100644
--- a/hassio/docker/addon.py
+++ b/hassio/docker/addon.py
@@ -165,6 +165,13 @@ class DockerAddon(DockerInterface):
 return 'host'
 return None
+ @property
+ def pid_mode(self):
+ """Return PID mode for addon."""
+ if not self.addon.protected and self.addon.host_pid:
+ return 'host'
+ return None
+
 @property
 def volumes(self):
 """Generate volumes for mappings."""
@@ -277,6 +284,7 @@ class DockerAddon(DockerInterface):
 ipc_mode=self.ipc,
 stdin_open=self.addon.with_stdin,
 network_mode=self.network_mode,
+ pid_mode=self.pid_mode,
 ports=self.ports,
 extra_hosts=self.network_mapping,
 devices=self.devices,
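Review bot: `pid_mode` silently returns None when a protected add-on requests host PID, and the API response built in the hassio/api/addons.py hunk of this commit reports the manifest's `host_pid`, not the effective mode, so an operator sees `host_pid: true` for a container that is actually running in its own PID namespace. A log line at the denial point makes the mismatch visible, e.g. `if self.addon.host_pid and self.addon.protected: _LOGGER.warning("Host PID mode of %s blocked by protected mode", self.addon.slug)`, assuming the module already has a `_LOGGER` and the add-on exposes `slug` — neither is visible in the hunk. The docstring should also state the gate rather than just "Return PID mode for addon": `"""Return 'host' when the add-on requests host PID and is not protected, else None."""`. The DockerAddon class continues outside the hunk.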