From c2d080e2b288adffa696dc5dede3fbc47c537720 Mon Sep 17 00:00:00 2001
From: Mike Degatano
Date: Fri, 13 May 2022 06:03:05 -0400
Subject: [PATCH] Update for s6 v3 and add apparmor (#41)
* Update for s6 v3 and add apparmor
* Adjust from feedback
* Tweak service functionality instructions
* Logging in finish script
* Remove etc/s6 as not used anymore
* Update example/rootfs/etc/services.d/example/finish
Co-authored-by: Franck Nijhof
Co-authored-by: Pascal Vizeli
Co-authored-by: Franck Nijhof
---
 example/CHANGELOG.md | 6 +++
 example/DOCS.md | 3 ++
 example/apparmor.txt | 57 ++++++++++++++++++++
 example/build.yaml | 10 ++--
 example/config.yaml | 4 +-
 example/rootfs/etc/services.d/example/finish | 11 ++--
 example/rootfs/etc/services.d/example/run | 2 +-
 example/rootfs/usr/bin/my_program | 3 ++
 8 files changed, 85 insertions(+), 11 deletions(-)
 create mode 100644 example/apparmor.txt
 mode change 100644 => 100755 example/rootfs/etc/services.d/example/finish
 mode change 100644 => 100755 example/rootfs/etc/services.d/example/run
 create mode 100755 example/rootfs/usr/bin/my_program
diff --git a/example/CHANGELOG.md b/example/CHANGELOG.md
index 6e3f281..beaf414 100644
--- a/example/CHANGELOG.md
+++ b/example/CHANGELOG.md
@@ -1,5 +1,11 @@
+## 1.2.0
+
+- Add an apparmor profile
+- Update to 3.15 base image with s6 v3
+- Add a sample script to run as service and constrain in aa profile
+
 ## 1.1.0
 - Updates
diff --git a/example/DOCS.md b/example/DOCS.md
index e73650e..b8432c3 100644
--- a/example/DOCS.md
+++ b/example/DOCS.md
@@ -5,3 +5,6 @@ This add-on really does nothing. It is just an example.
 When started it will print the configured message or "Hello world" in the log.
+
+It will also print "All done!" in `/share/example_addon_output.txt` to show
+simple example of the usage of `map` in addon config.
diff --git a/example/apparmor.txt b/example/apparmor.txt
new file mode 100644
index 0000000..e788a6c
--- /dev/null
+++ b/example/apparmor.txt
@@ -0,0 +1,57 @@
+#include
+
+profile example flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # Capabilities
+ file,
+ signal (send) set=(kill,term,int,hup,cont),
+
+ # S6-Overlay
+ /init ix,
+ /bin/** ix,
+ /usr/bin/** ix,
+ /run/{s6,s6-rc*,service}/** ix,
+ /package/** ix,
+ /command/** ix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /run/{,**} rwk,
+ /dev/tty rw,
+
+ # Bashio
+ /usr/lib/bashio/** ix,
+ /tmp/** rwk,
+
+ # Access to options.json and other files within your addon
+ /data/** rw,
+
+ # Start new profile for service
+ /usr/bin/my_program cx -> my_program,
+
+ profile my_program flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # Receive signals from S6-Overlay
+ signal (receive) peer=*_example,
+
+ # Access to options.json and other files within your addon
+ /data/** rw,
+
+ # Access to mapped volumes specified in config.json
+ /share/** rw,
+
+ # Access required for service functionality
+ # Note: List was built by doing the following:
+ # 1. Add what is obviously needed based on what is in the script
+ # 2. Add `complain` as a flag to this profile temporarily and run the addon
+ # 3. Review the audit log with `journalctl _TRANSPORT="audit" -g 'apparmor="ALLOWED"'` and add other access as needed
+ # Remember to remove the `complain` flag when you are done
+ /usr/bin/my_program r,
+ /bin/bash rix,
+ /bin/echo ix,
+ /etc/passwd r,
+ /dev/tty rw,
+ }
+}
\ No newline at end of file
diff --git a/example/build.yaml b/example/build.yaml
index 8d23b29..cdca316 100644
--- a/example/build.yaml
+++ b/example/build.yaml
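Review bot: The `# Capabilities` heading in the outer `example` profile sits above `file,` and a `signal (send)` rule, neither of which is a capability rule, and the bare `file,` rule grants that parent profile broad file access, so as far as I can tell the path rules under `# S6-Overlay`, `# Bashio` and `/data/** rw` matter only for their execution modes (`ix`, and the `cx -> my_program` hand-off) rather than as a restriction. A comment stating this would stop the next maintainer from tightening that list and expecting it to confine anything, e.g. `# File access: 'file,' leaves this parent profile broadly permitted; the paths below set exec modes. The confined part of the add-on is the my_program child profile.` Two smaller documentation points in the child profile: `# Access to mapped volumes specified in config.json` should say `config.yaml`, which is the file this commit changes, and `signal (receive) peer=*_example,` deserves a comment on why the sender is matched by a wildcard prefix (presumably the profile is renamed when it is loaded — verify). The `#include` directives also appear here with no path; if that is not a rendering artifact of this page, they are incomplete.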
@@ -1,10 +1,10 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-dockerfile
 build_from:
- aarch64: "ghcr.io/home-assistant/aarch64-base:3.14"
- amd64: "ghcr.io/home-assistant/amd64-base:3.14"
- armhf: "ghcr.io/home-assistant/armhf-base:3.14"
- armv7: "ghcr.io/home-assistant/armv7-base:3.14"
- i386: "ghcr.io/home-assistant/i386-base:3.14"
+ aarch64: "ghcr.io/home-assistant/aarch64-base:3.15"
+ amd64: "ghcr.io/home-assistant/amd64-base:3.15"
+ armhf: "ghcr.io/home-assistant/armhf-base:3.15"
+ armv7: "ghcr.io/home-assistant/armv7-base:3.15"
+ i386: "ghcr.io/home-assistant/i386-base:3.15"
 labels:
 org.opencontainers.image.title: "Home Assistant Add-on: Example add-on"
 org.opencontainers.image.description: "Example add-on to use as a blueprint for new add-ons."
diff --git a/example/config.yaml b/example/config.yaml
index 7dfbf1a..b034b08 100644
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -1,6 +1,6 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-config
 name: Example add-on
-version: "1.1.0"
+version: "1.2.0"
 slug: example
 description: Example add-on
 url: "https://github.com/home-assistant/addons-example/tree/main/example"
@@ -11,6 +11,8 @@ arch:
 - amd64
 - i386
 init: false
+map:
+ - share:rw
 options:
 message: "Hello world..."
 schema:
diff --git a/example/rootfs/etc/services.d/example/finish b/example/rootfs/etc/services.d/example/finish
old mode 100644
new mode 100755
index 3400ad7..d63c017
--- a/example/rootfs/etc/services.d/example/finish
+++ b/example/rootfs/etc/services.d/example/finish
@@ -1,9 +1,12 @@
-#!/usr/bin/execlineb -S1
+#!/usr/bin/env bashio
 # ==============================================================================
 # Take down the S6 supervision tree when example fails
 # s6-overlay docs: https://github.com/just-containers/s6-overlay
 # ==============================================================================
-if { s6-test ${1} -ne 0 }
-if { s6-test ${1} -ne 256 }
-s6-svscanctl -t /var/run/s6/services
+if [[ "$1" -ne 0 ]] && [[ "$1" -ne 256 ]]; then
+ bashio::log.warning "Halt add-on"
+ /run/s6/basedir/bin/halt
+fi
+
+bashio::log.info "Service restart after closing"
diff --git a/example/rootfs/etc/services.d/example/run b/example/rootfs/etc/services.d/example/run
old mode 100644
new mode 100755
index 5e6460a..6c329bd
--- a/example/rootfs/etc/services.d/example/run
+++ b/example/rootfs/etc/services.d/example/run
@@ -16,4 +16,4 @@ message=$(bashio::config 'message')
 bashio::log.info "${message:="Hello World..."}"
 ## Run your program
-# exec my_program --with-params
+exec /usr/bin/my_program
diff --git a/example/rootfs/usr/bin/my_program b/example/rootfs/usr/bin/my_program
new file mode 100755
index 0000000..a287b13
--- /dev/null
+++ b/example/rootfs/usr/bin/my_program
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "All done!" > /share/example_addon_output.txt
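Review bot: `bashio::log.info "Service restart after closing"` at the end of the new finish script runs on both paths of the `if`, so on the halt path the log reports `Halt add-on` followed by a restart that is not going to happen; moving it into an else branch (`else`, `  bashio::log.info "Service restart after closing"`, `fi`) keeps the two messages truthful. The `[[ "$1" -ne 256 ]]` test also deserves a comment, since the meaning of 256 is not obvious from the script; something like `# $1 is the exit code, or 256 when the service was killed by a signal (see the s6-overlay docs)` — confirm that convention still holds for the s6 v3 this commit targets.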
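Review bot: `my_program` exits as soon as `echo` returns, and since `run` now `exec`s it as an s6 longrun service while `finish` halts only on a non-zero status, the supervisor will, if I read s6's longrun semantics correctly, keep restarting it and rewriting `/share/example_addon_output.txt` on every cycle. If a one-shot write is the intended demonstration, say so in the script (`# Exits immediately; s6 restarts the service each time, see services.d/example/finish`) or keep the process alive after the write, e.g. `exec sleep infinity`; if the loop is intended, DOCS.md should say so. Note also that a failed redirection (for example `/share` not writable) is the only way this script returns non-zero, and `finish` then turns that into a halt of the whole add-on, which is worth a one-line comment next to the `echo`.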