Update for s6 v3 and add apparmor (#41)

* Update for s6 v3 and add apparmor * Adjust from feedback * Tweak service functionality instructions * Logging in finish script * Remove etc/s6 as not used anymore * Update example/rootfs/etc/services.d/example/finish Co-authored-by: Franck Nijhof <frenck@frenck.nl> Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch> Co-authored-by: Franck Nijhof <frenck@frenck.nl>
2022-05-13 06:03:05 -04:00
parent 9bce8fa493
commit c2d080e2b2
8 changed files with 85 additions and 11 deletions
--- a/example/CHANGELOG.md
+++ b/example/CHANGELOG.md
@@ -1,5 +1,11 @@
 <!-- https://developers.home-assistant.io/docs/add-ons/presentation#keeping-a-changelog -->
 ## 1.2.0
 - Add an apparmor profile
 - Update to 3.15 base image with s6 v3
 - Add a sample script to run as service and constrain in aa profile
 ## 1.1.0
 - Updates
--- a/example/DOCS.md
+++ b/example/DOCS.md
@@ -5,3 +5,6 @@
 This add-on really does nothing. It is just an example.
 When started it will print the configured message or "Hello world" in the log.
 It will also print "All done!" in `/share/example_addon_output.txt` to show
 simple example of the usage of `map` in addon config.
--- a/example/apparmor.txt
+++ b/example/apparmor.txt
@@ -0,0 +1,57 @@
 #include <tunables/global>
 profile example flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  # Capabilities
  file,
  signal (send) set=(kill,term,int,hup,cont),
  # S6-Overlay
  /init ix,
  /bin/** ix,
  /usr/bin/** ix,
  /run/{s6,s6-rc*,service}/** ix,
  /package/** ix,
  /command/** ix,
  /etc/services.d/** rwix,
  /etc/cont-init.d/** rwix,
  /etc/cont-finish.d/** rwix,
  /run/{,**} rwk,
  /dev/tty rw,
  # Bashio
  /usr/lib/bashio/** ix,
  /tmp/** rwk,
  # Access to options.json and other files within your addon
  /data/** rw,
  # Start new profile for service
  /usr/bin/my_program cx -> my_program,
  profile my_program flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>
    # Receive signals from S6-Overlay
    signal (receive) peer=*_example,
    # Access to options.json and other files within your addon
    /data/** rw,
    # Access to mapped volumes specified in config.json
    /share/** rw,
    # Access required for service functionality
    # Note: List was built by doing the following:
    # 1. Add what is obviously needed based on what is in the script
    # 2. Add `complain` as a flag to this profile temporarily and run the addon
    # 3. Review the audit log with `journalctl _TRANSPORT="audit" -g 'apparmor="ALLOWED"'` and add other access as needed
    # Remember to remove the `complain` flag when you are done
    /usr/bin/my_program r,
    /bin/bash rix,
    /bin/echo ix,
    /etc/passwd r,
    /dev/tty rw,
  }
 }
--- a/example/build.yaml
+++ b/example/build.yaml
@@ -1,10 +1,10 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-dockerfile
 build_from:
-  aarch64: "ghcr.io/home-assistant/aarch64-base:3.14"
+  aarch64: "ghcr.io/home-assistant/aarch64-base:3.15"
-  amd64: "ghcr.io/home-assistant/amd64-base:3.14"
+  amd64: "ghcr.io/home-assistant/amd64-base:3.15"
-  armhf: "ghcr.io/home-assistant/armhf-base:3.14"
+  armhf: "ghcr.io/home-assistant/armhf-base:3.15"
-  armv7: "ghcr.io/home-assistant/armv7-base:3.14"
+  armv7: "ghcr.io/home-assistant/armv7-base:3.15"
-  i386: "ghcr.io/home-assistant/i386-base:3.14"
+  i386: "ghcr.io/home-assistant/i386-base:3.15"
 labels:
  org.opencontainers.image.title: "Home Assistant Add-on: Example add-on"
  org.opencontainers.image.description: "Example add-on to use as a blueprint for new add-ons."
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -1,6 +1,6 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-config
 name: Example add-on
-version: "1.1.0"
+version: "1.2.0"
 slug: example
 description: Example add-on
 url: "https://github.com/home-assistant/addons-example/tree/main/example"
@@ -11,6 +11,8 @@ arch:
  - amd64
  - i386
 init: false
 map:
  - share:rw
 options:
  message: "Hello world..."
 schema:
--- a/example/rootfs/etc/services.d/example/finish
+++ b/example/rootfs/etc/services.d/example/finish
@@ -1,9 +1,12 @@
-#!/usr/bin/execlineb -S1
+#!/usr/bin/env bashio
 # ==============================================================================
 # Take down the S6 supervision tree when example fails
 # s6-overlay docs: https://github.com/just-containers/s6-overlay
 # ==============================================================================
 if { s6-test ${1} -ne 0 }
 if { s6-test ${1} -ne 256 }
-s6-svscanctl -t /var/run/s6/services
+if [[ "$1" -ne 0 ]] && [[ "$1" -ne 256 ]]; then
  bashio::log.warning "Halt add-on"
  /run/s6/basedir/bin/halt
 fi
 bashio::log.info "Service restart after closing"
--- a/example/rootfs/etc/services.d/example/run
+++ b/example/rootfs/etc/services.d/example/run
@@ -16,4 +16,4 @@ message=$(bashio::config 'message')
 bashio::log.info "${message:="Hello World..."}"
 ## Run your program
-# exec my_program --with-params
+exec /usr/bin/my_program
--- a/example/rootfs/usr/bin/my_program
+++ b/example/rootfs/usr/bin/my_program
@@ -0,0 +1,3 @@
 #!/bin/bash
 echo "All done!" > /share/example_addon_output.txt
		`@@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`echo "All done!" > /share/example_addon_output.txt`