Update for s6 v3 and add apparmor (#41)

* Update for s6 v3 and add apparmor * Adjust from feedback * Tweak service functionality instructions * Logging in finish script * Remove etc/s6 as not used anymore * Update example/rootfs/etc/services.d/example/finish Co-authored-by: Franck Nijhof <frenck@frenck.nl> Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch> Co-authored-by: Franck Nijhof <frenck@frenck.nl>
2022-05-13 06:03:05 -04:00
parent 9bce8fa493
commit c2d080e2b2
8 changed files with 85 additions and 11 deletions
--- a/example/CHANGELOG.md
+++ b/example/CHANGELOG.md
@@ -1,5 +1,11 @@
 <!-- https://developers.home-assistant.io/docs/add-ons/presentation#keeping-a-changelog -->

+## 1.2.0
+
+- Add an apparmor profile
+- Update to 3.15 base image with s6 v3
+- Add a sample script to run as service and constrain in aa profile
+
 ## 1.1.0

 - Updates
--- a/example/DOCS.md
+++ b/example/DOCS.md
@@ -5,3 +5,6 @@
 This add-on really does nothing. It is just an example.

 When started it will print the configured message or "Hello world" in the log.
+
+It will also print "All done!" in `/share/example_addon_output.txt` to show
+simple example of the usage of `map` in addon config.
--- a/example/apparmor.txt
+++ b/example/apparmor.txt
@@ -0,0 +1,57 @@
+#include <tunables/global>
+
+profile example flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  # Capabilities
+  file,
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # S6-Overlay
+  /init ix,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+
+  # Bashio
+  /usr/lib/bashio/** ix,
+  /tmp/** rwk,
+
+  # Access to options.json and other files within your addon
+  /data/** rw,
+
+  # Start new profile for service
+  /usr/bin/my_program cx -> my_program,
+
+  profile my_program flags=(attach_disconnected,mediate_deleted) {
+    #include <abstractions/base>
+
+    # Receive signals from S6-Overlay
+    signal (receive) peer=*_example,
+
+    # Access to options.json and other files within your addon
+    /data/** rw,
+
+    # Access to mapped volumes specified in config.json
+    /share/** rw,
+
+    # Access required for service functionality
+    # Note: List was built by doing the following:
+    # 1. Add what is obviously needed based on what is in the script
+    # 2. Add `complain` as a flag to this profile temporarily and run the addon
+    # 3. Review the audit log with `journalctl _TRANSPORT="audit" -g 'apparmor="ALLOWED"'` and add other access as needed
+    # Remember to remove the `complain` flag when you are done
+    /usr/bin/my_program r,
+    /bin/bash rix,
+    /bin/echo ix,
+    /etc/passwd r,
+    /dev/tty rw,
+  }
+}
--- a/example/build.yaml
+++ b/example/build.yaml
@@ -1,10 +1,10 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-dockerfile
 build_from:
-  aarch64: "ghcr.io/home-assistant/aarch64-base:3.14"
-  amd64: "ghcr.io/home-assistant/amd64-base:3.14"
-  armhf: "ghcr.io/home-assistant/armhf-base:3.14"
-  armv7: "ghcr.io/home-assistant/armv7-base:3.14"
-  i386: "ghcr.io/home-assistant/i386-base:3.14"
+  aarch64: "ghcr.io/home-assistant/aarch64-base:3.15"
+  amd64: "ghcr.io/home-assistant/amd64-base:3.15"
+  armhf: "ghcr.io/home-assistant/armhf-base:3.15"
+  armv7: "ghcr.io/home-assistant/armv7-base:3.15"
+  i386: "ghcr.io/home-assistant/i386-base:3.15"
 labels:
  org.opencontainers.image.title: "Home Assistant Add-on: Example add-on"
  org.opencontainers.image.description: "Example add-on to use as a blueprint for new add-ons."
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -1,6 +1,6 @@
 # https://developers.home-assistant.io/docs/add-ons/configuration#add-on-config
 name: Example add-on
-version: "1.1.0"
+version: "1.2.0"
 slug: example
 description: Example add-on
 url: "https://github.com/home-assistant/addons-example/tree/main/example"
@@ -11,6 +11,8 @@ arch:
  - amd64
  - i386
 init: false
+map:
+  - share:rw
 options:
  message: "Hello world..."
 schema:
--- a/example/rootfs/etc/services.d/example/finish
+++ b/example/rootfs/etc/services.d/example/finish
@@ -1,9 +1,12 @@
-#!/usr/bin/execlineb -S1
+#!/usr/bin/env bashio
 # ==============================================================================
 # Take down the S6 supervision tree when example fails
 # s6-overlay docs: https://github.com/just-containers/s6-overlay
 # ==============================================================================
-if { s6-test ${1} -ne 0 }
-if { s6-test ${1} -ne 256 }

-s6-svscanctl -t /var/run/s6/services
+if [[ "$1" -ne 0 ]] && [[ "$1" -ne 256 ]]; then
+  bashio::log.warning "Halt add-on"
+  /run/s6/basedir/bin/halt
+fi
+
+bashio::log.info "Service restart after closing"
--- a/example/rootfs/etc/services.d/example/run
+++ b/example/rootfs/etc/services.d/example/run
@@ -16,4 +16,4 @@ message=$(bashio::config 'message')
 bashio::log.info "${message:="Hello World..."}"

 ## Run your program
-# exec my_program --with-params
+exec /usr/bin/my_program
--- a/example/rootfs/usr/bin/my_program
+++ b/example/rootfs/usr/bin/my_program
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "All done!" > /share/example_addon_output.txt