add first costumer apparmor definition

2025-03-16 13:39:43 +01:00
parent e8482d5dd8
commit 2ad6919644
3 changed files with 55 additions and 1 deletions
--- a/ha_addon_dev/CHANGELOG.md
+++ b/ha_addon_dev/CHANGELOG.md
@@ -8,10 +8,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]

 - add initial support for TSUN MS-3000
+- add initial apparmor support [#293](https://github.com/s-allius/tsun-gen3-proxy/issues/293)
 - add Modbus polling mode for DCU1000 [#292](https://github.com/s-allius/tsun-gen3-proxy/issues/292)
 - add Modbus scanning mode
 - allow `R47`serial numbers for GEN3 inverters
 - add watchdog for Add-ons
+- add first costumer apparmor definition
 - Respect logging.ini file, if LOG_ENV isn't set well [#288](https://github.com/s-allius/tsun-gen3-proxy/issues/288)
 - Remove trailing apostrophe in the log output [#288](https://github.com/s-allius/tsun-gen3-proxy/issues/288)
 - update AddOn base docker image to version 17.2.1
--- a/ha_addon_dev/apparmor.txt
+++ b/ha_addon_dev/apparmor.txt
@@ -0,0 +1,52 @@
+#include <tunables/global>
+
+profile tsun-proxy-dev flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  # Capabilities
+  file,
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # S6-Overlay
+  /init ix,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+
+  # Bashio
+  /usr/lib/bashio/** ix,
+  /tmp/** rwk,
+
+  # Access to options.json and other files within your addon
+  /data/** rw,
+
+  # Start new profile for service
+  /usr/bin/myprogram cx -> myprogram,
+
+  profile myprogram flags=(attach_disconnected,mediate_deleted) {
+    #include <abstractions/base>
+
+    # Receive signals from S6-Overlay
+    signal (receive) peer=*_tsun-proxy-dev,
+
+    # Access to options.json and other files within your addon
+    /data/** rw,
+
+    # Access to mapped volumes specified in config.json
+    /share/** rw,
+
+    # Access required for service functionality
+    /usr/bin/myprogram r,
+    /bin/bash rix,
+    /bin/echo ix,
+    /etc/passwd r,
+    /dev/tty rw,
+  }
+}
--- a/ha_addon_dev/config.yaml
+++ b/ha_addon_dev/config.yaml
@@ -1,6 +1,6 @@
 name: TSUN-Proxy (Dev)
 description: MQTT Proxy for TSUN Photovoltaic Inverters
-version:  0.13.0-dev-2503161200 
+version:  0.13.0-dev-2503161333 
 image: docker.io/sallius/tsun-gen3-addon
 url: https://github.com/s-allius/tsun-gen3-proxy
 slug: tsun-proxy-dev