Apparmor hassio (#10)

* Delete 0001-Autostart.patch * Update apparmor.mk * Update Config.in * Create hassio-apparmor * Update hassio-apparmor * Update data.conf * Delete etc-apparmor.d-containers.mount * Delete etc-apparmor.d-containers.mount * Delete hassio.conf * Update hassio-apparmor * Update Config.in * Update Config.in * Update hassio.mk * Update hostapp.sh * Update Config.in * Update hassio.mk * Update hassio.mk * Create hassio-supervisor * Update hassio-apparmor * Update hassio-apparmor * Update hassio-apparmor * Update hassio-supervisor * Update hassio-cli * Update hassio-apparmor * Update hassio-apparmor * Create hassio-apparmor.service * Update hassio-apparmor.service * Delete apparmor.service * Update local stuff * Profile for CLI * Update hassio.mk * Update hassio.mk * Update hassio-supervisor * Update hassio-apparmor
2018-05-01 22:39:30 +02:00
parent 862bc04173
commit b0212beec3
19 changed files with 192 additions and 63 deletions
--- a/buildroot-external/package/apparmor/0001-Autostart.patch
+++ b/buildroot-external/package/apparmor/0001-Autostart.patch
@@ -1,25 +0,0 @@
-From 78ceb52ff4e5d4dbe003651b2193979114152763 Mon Sep 17 00:00:00 2001
-From: Pascal Vizeli <pvizeli@syshack.ch>
-Date: Mon, 30 Apr 2018 23:40:27 +0200
-Subject: [PATCH 1/1] Fix permission
-
---
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index b18cfe4..7b7b519 100644
--- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -383,7 +383,7 @@ install-indep: indep
- install-systemd:
- 	install -m 755 -d $(SYSTEMD_UNIT_DIR)
- 	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
-	install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
-+	install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- 	install -m 755 -d $(DESTDIR)/sbin
- 	install -m 755 aa-teardown $(DESTDIR)/sbin
- 
-- 
-2.7.4
-
--- a/buildroot-external/package/apparmor/Config.in
+++ b/buildroot-external/package/apparmor/Config.in
@@ -1,6 +1,6 @@
 config BR2_PACKAGE_APPARMOR
 	bool "apparmor"
-	depends on BR2_PACKAGE_LIBAPPARMOR
+	select BR2_PACKAGE_LIBAPPARMOR
 	help
 	  AppArmor gives you network application security via mandatory 
 	  access control for programs, protecting against the exploitation 
--- a/buildroot-external/package/apparmor/apparmor.mk
+++ b/buildroot-external/package/apparmor/apparmor.mk
@@ -16,8 +16,9 @@ endef

 define APPARMOR_INSTALL_TARGET_CMDS
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/parser DESTDIR=$(TARGET_DIR) USE_SYSTEM=1 PREFIX=/usr install
-	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/parser DESTDIR=$(TARGET_DIR) USE_SYSTEM=1 PREFIX=/usr install-systemd
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D)/profiles DESTDIR=$(TARGET_DIR) PREFIX=/usr install
+
+	rm -rf $(TARGET_DIR)/usr/lib/apparmor
 endef

 $(eval $(generic-package))
--- a/buildroot-external/package/hassio/Config.in
+++ b/buildroot-external/package/hassio/Config.in
@@ -1,4 +1,4 @@
-config BR2_PACKAGE_HASSIO
+menuconfig BR2_PACKAGE_HASSIO
 	bool "hassio-app"
 	help
 	  This is the Application layer they build the
@@ -23,6 +23,11 @@ config BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS
 	help
 	  Extended docker arguments to run the supervisor.

+config BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE
+	string "AppArmor supervisor profile"
+	help
+	  AppArmor profile for supervisor.
+
 config BR2_PACKAGE_HASSIO_CLI
 	string "cli docker image"
 	help
@@ -38,4 +43,14 @@ config BR2_PACKAGE_HASSIO_CLI_ARGS
 	help
 	  Extended docker arguments to run the cli.

+config BR2_PACKAGE_HASSIO_CLI_PROFILE
+	string "AppArmor cli profile"
+	help
+	  AppArmor profile for cli.
+
+config BR2_PACKAGE_HASSIO_APPARMOR_DIR
+	string "AppArmor profiles folder"
+	help
+	  AppArmor profiles folder for supervisor.
+
 endif
--- a/buildroot-external/package/hassio/builder/hostapp.sh
+++ b/buildroot-external/package/hassio/builder/hostapp.sh
@@ -4,9 +4,12 @@ set -e
 SUPERVISOR=""
 SUPERVISOR_VERSION=""
 SUPERVISOR_ARGS=""
+SUPERVISOR_PROFILE=""
 CLI=""
 CLI_VERSION=""
 CLI_ARGS=""
+CLI_PROFILE=""
+APPARMOR=""
 DATA_IMG="/export/data.ext4"

 # Parse
@@ -25,6 +28,10 @@ while [[ $# -gt 0 ]]; do
            SUPERVISOR_ARGS=$2
            shift
            ;;
+        --supervisor-profile)
+            SUPERVISOR_PROFILE=$2
+            shift
+            ;;
        --cli)
            CLI=$2
            shift
@@ -37,6 +44,14 @@ while [[ $# -gt 0 ]]; do
            CLI_ARGS=$2
            shift
            ;;
+        --cli-profile)
+            CLI_PROFILE=$2
+            shift
+            ;;
+        --apparmor)
+            APPARMOR=$2
+            shift
+            ;;
        *)
            exit 1
            ;;
@@ -49,11 +64,12 @@ dd if=/dev/zero of=${DATA_IMG} bs=1G count=1
 mkfs.ext4 -L "hassio-data" -E lazy_itable_init=0,lazy_journal_init=0 ${DATA_IMG}

 # Mount / init file structs
-mount -o loop ${DATA_IMG} /mnt
-mkdir -p /mnt/docker
+mkdir -p /mnt/data/
+mount -o loop ${DATA_IMG} /mnt/data
+mkdir -p /mnt/data/docker

 # Run dockerd
-dockerd -s overlay2 -g /mnt/docker &
+dockerd -s overlay2 -g /mnt/data/docker &
 DOCKER_PID=$!

 DOCKER_COUNT=0
@@ -75,14 +91,23 @@ docker pull "${CLI}:${CLI_VERSION}"
 docker tag "${CLI}:${CLI_VERSION}" "${CLI}:latest"

 # Write config
-cat > /mnt/hassio.json <<- EOF
+cat > /mnt/data/hassio.json <<- EOF
 {
    "supervisor": "${SUPERVISOR}",
    "supervisor_args": "${SUPERVISOR_ARGS}",
+    "supervisor_apparmor": "${SUPERVISOR_PROFILE}",
    "cli": "${CLI}",
-    "cli_args": "${CLI_ARGS}"
+    "cli_args": "${CLI_ARGS}",
+    "cli_apparmor": "${CLI_PROFILE}",
+    "apparmor": "${APPARMOR}"
 }
 EOF

+# Setup AppArmor
+if [ ! -z "${APPARMOR}" ]; then
+    mkdir -p /mnt/data/${APPARMOR}
+    cp -f /apparmor/* /mnt/data/${APPARMOR}/
+fi
+
 # Finish
-kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt
+kill -TERM $DOCKER_PID && wait $DOCKER_PID && umount /mnt/data
--- a/buildroot-external/package/hassio/hassio.mk
+++ b/buildroot-external/package/hassio/hassio.mk
@@ -15,13 +15,19 @@ define HASSIO_BUILD_CMDS
 endef

 define HASSIO_INSTALL_TARGET_CMDS
-	docker run --rm --privileged -v ${BINARIES_DIR}:/export hassio-hostapps \
-		--supervisor ${BR2_PACKAGE_HASSIO_SUPERVISOR} \
-		--supervisor-version ${BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION} \
-		--supervisor-args ${BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS} \
-		--cli ${BR2_PACKAGE_HASSIO_CLI} \
-		--cli-version ${BR2_PACKAGE_HASSIO_CLI_VERSION} \
-		--cli-args ${BR2_PACKAGE_HASSIO_CLI_ARGS}
+	docker run --rm --privileged \
+		-v $(BINARIES_DIR):/export \
+		-v $(BR2_EXTERNAL_HASSIO_PATH)/apparmor:/apparmor \
+		hassio-hostapps \
+		--supervisor $(BR2_PACKAGE_HASSIO_SUPERVISOR) \
+		--supervisor-version $(BR2_PACKAGE_HASSIO_SUPERVISOR_VERSION) \
+		--supervisor-args $(BR2_PACKAGE_HASSIO_SUPERVISOR_ARGS) \
+		--supervisor-profile $(BR2_PACKAGE_HASSIO_SUPERVISOR_PROFILE) \
+		--cli $(BR2_PACKAGE_HASSIO_CLI) \
+		--cli-version $(BR2_PACKAGE_HASSIO_CLI_VERSION) \
+		--cli-args $(BR2_PACKAGE_HASSIO_CLI_ARGS) \
+		--cli-profile $(BR2_PACKAGE_HASSIO_CLI_PROFILE) \
+		--apparmor $(BR2_PACKAGE_HASSIO_APPARMOR_DIR)
 endef

 $(eval $(generic-package))