Adds support for privilege DAC_READ_SEARCH (#743)

* Adds support for privilege DAC_READ_SEARCH

* 🚑 Fixes security rating regarding privileges

hassio/addons/utils.py

@@ -7,7 +7,7 @@ import re
 from ..const import (
     SECURITY_DISABLE, SECURITY_PROFILE, PRIVILEGED_NET_ADMIN,
     PRIVILEGED_SYS_ADMIN, PRIVILEGED_SYS_RAWIO, PRIVILEGED_SYS_PTRACE,
-    ROLE_ADMIN, ROLE_MANAGER)
+    PRIVILEGED_DAC_READ_SEARCH, ROLE_ADMIN, ROLE_MANAGER)
 
 RE_SHA1 = re.compile(r"[a-f0-9]{8}")
 
@@ -29,8 +29,10 @@ def rating_security(addon):
         rating += 1
 
     # Privileged options
-    if addon.privileged in (PRIVILEGED_NET_ADMIN, PRIVILEGED_SYS_ADMIN,
-                            PRIVILEGED_SYS_RAWIO, PRIVILEGED_SYS_PTRACE):
+    if any(privilege in addon.privileged
+           for privilege in (PRIVILEGED_NET_ADMIN, PRIVILEGED_SYS_ADMIN,
+                             PRIVILEGED_SYS_RAWIO, PRIVILEGED_SYS_PTRACE,
+                             PRIVILEGED_DAC_READ_SEARCH)):
         rating += -1
 
     # API Hass.io role

hassio/addons/validate.py

@@ -23,7 +23,7 @@ from ..const import (
     ATTR_MACHINE,
     PRIVILEGED_NET_ADMIN, PRIVILEGED_SYS_ADMIN, PRIVILEGED_SYS_RAWIO,
     PRIVILEGED_IPC_LOCK, PRIVILEGED_SYS_TIME, PRIVILEGED_SYS_NICE,
-    PRIVILEGED_SYS_RESOURCE, PRIVILEGED_SYS_PTRACE,
+    PRIVILEGED_SYS_RESOURCE, PRIVILEGED_SYS_PTRACE, PRIVILEGED_DAC_READ_SEARCH,
     ROLE_DEFAULT, ROLE_HOMEASSISTANT, ROLE_MANAGER, ROLE_ADMIN)
 from ..validate import NETWORK_PORT, DOCKER_PORTS, ALSA_DEVICE, UUID_MATCH
 from ..services.validate import DISCOVERY_SERVICES
@@ -78,6 +78,7 @@ PRIVILEGED_ALL = [
     PRIVILEGED_SYS_NICE,
     PRIVILEGED_SYS_RESOURCE,
     PRIVILEGED_SYS_PTRACE,
+    PRIVILEGED_DAC_READ_SEARCH,
 ]
 
 ROLE_ALL = [

hassio/const.py

@@ -243,6 +243,7 @@ PRIVILEGED_SYS_TIME = 'SYS_TIME'
 PRIVILEGED_SYS_NICE = 'SYS_NICE'
 PRIVILEGED_SYS_RESOURCE = 'SYS_RESOURCE'
 PRIVILEGED_SYS_PTRACE = 'SYS_PTRACE'
+PRIVILEGED_DAC_READ_SEARCH = 'DAC_READ_SEARCH'
 
 FEATURES_SHUTDOWN = 'shutdown'
 FEATURES_REBOOT = 'reboot'