From 955657fd8760cac1d966be37978d5c9f0e71ee59 Mon Sep 17 00:00:00 2001 From: Stefan Allius <122395479+s-allius@users.noreply.github.com> Date: Sun, 16 Mar 2025 13:11:03 +0100 Subject: [PATCH] add first costumer apparmor definition (#296) * add first costumer apparmor definition * add initial apparmor support --- CHANGELOG.md | 2 ++ ha_addons/Makefile | 13 +++++++- ha_addons/templates/apparmor.jinja | 52 ++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 ha_addons/templates/apparmor.jinja diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c5f8c2..29d8d32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,10 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] +- add initial apparmor support [#293](https://github.com/s-allius/tsun-gen3-proxy/issues/293) - add Modbus polling mode for DCU1000 [#292](https://github.com/s-allius/tsun-gen3-proxy/issues/292) - add Modbus scanning mode - allow `R47`serial numbers for GEN3 inverters - add watchdog for Add-ons +- add first costumer apparmor definition - Respect logging.ini file, if LOG_ENV isn't set well [#288](https://github.com/s-allius/tsun-gen3-proxy/issues/288) - Remove trailing apostrophe in the log output [#288](https://github.com/s-allius/tsun-gen3-proxy/issues/288) - update AddOn base docker image to version 17.2.1 diff --git a/ha_addons/Makefile b/ha_addons/Makefile index 44e5b78..34dbb85 100644 --- a/ha_addons/Makefile +++ b/ha_addons/Makefile @@ -66,7 +66,7 @@ clean: # Build the local add-on with a rootfs and config.yaml # The rootfs is needed to build the add-on Docker container # -local_add_on: rootfs $(ADDON_PATH)/config.yaml +local_add_on: rootfs $(ADDON_PATH)/config.yaml $(ADDON_PATH)/apparmor.txt # collect source files SRC_FILES := $(wildcard $(SRC_PROXY)/*.py)\ 
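Review bot: The comment above `local_add_on` still reads "with a rootfs and config.yaml" although the rule now also requires `$(ADDON_PATH)/apparmor.txt`; suggest `# Build the local add-on with a rootfs, config.yaml and apparmor.txt`. The `clean` target sits above this hunk and outside the diff; if it removes the generated `config.yaml` it presumably needs `$(ADDON_PATH)/apparmor.txt` added as well, otherwise a profile rendered from an older template survives `make clean` and is shipped unchanged.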
@@ -100,6 +100,9 @@ $(DST)/requirements.txt : $(SRC)/requirements.txt
 $(ADDON_PATH)/%.yaml: $(TEMPL)/%.jinja $(TEMPL)/.data.json
 	$(JINJA) --strict -D AppVersion=$(VERSION) -D BuildID=$(BUILD_ID) --format=json $^ -o $@
 
+$(ADDON_PATH)/%.txt: $(TEMPL)/%.jinja $(TEMPL)/.data.json
+	$(JINJA) --strict --format=json $^ -o $@
+
 # build a common data.json file from STAGE depending source files
 # don't touch the destination if the checksum of src and dst is equal
 $(TEMPL)/.data.json: FORCE
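Review bot: The new `$(ADDON_PATH)/%.txt` pattern rule matches every `.txt` requested under `$(ADDON_PATH)` although only `apparmor.txt` is meant, so any other `.txt` with a same-named `.jinja` would be silently rendered from the template set; an explicit rule `$(ADDON_PATH)/apparmor.txt: $(TEMPL)/apparmor.jinja $(TEMPL)/.data.json` with the same recipe states the intent and fails loudly otherwise. The recipe also differs from the matching `$(repro_all_apparmor)` rule in the `@@ -149,6 +158,8 @@` hunk, which omits `--format=json`; both render the same template from a `.json` data file and should pass the same flags (if `$(JINJA)` infers the format from the `.json` suffix this is a consistency rather than a correctness point).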
@@ -115,31 +118,37 @@ FORCE : ; repro_files = DOCS.md icon.png logo.png translations/de.yaml translations/en.yaml rootfs/run.sh repro_root = CHANGELOG.md LICENSE.md repro_templates = config.yaml +repro_apparmor = apparmor.txt repro_subdirs = translations rootfs repro_vers = debug dev rc rel repro_all_files := $(foreach dir,$(repro_vers), $(foreach file,$(repro_files),$(INST_BASE)/ha_addon_$(dir)/$(file))) repro_root_files := $(foreach dir,$(repro_vers), $(foreach file,$(repro_root),$(INST_BASE)/ha_addon_$(dir)/$(file))) repro_all_templates := $(foreach dir,$(repro_vers), $(foreach file,$(repro_templates),$(INST_BASE)/ha_addon_$(dir)/$(file))) +repro_all_apparmor := $(foreach dir,$(repro_vers), $(foreach file,$(repro_apparmor),$(INST_BASE)/ha_addon_$(dir)/$(file))) repro_all_subdirs := $(foreach dir,$(repro_vers), $(foreach file,$(repro_subdirs),$(INST_BASE)/ha_addon_$(dir)/$(file))) debug: $(foreach file,$(repro_subdirs),$(INST_BASE)/ha_addon_debug/$(file)) \ $(foreach file,$(repro_templates),$(INST_BASE)/ha_addon_debug/$(file)) \ + $(foreach file,$(repro_apparmor),$(INST_BASE)/ha_addon_debug/$(file)) \ $(foreach file,$(repro_files),$(INST_BASE)/ha_addon_debug/$(file)) \ $(foreach file,$(repro_root),$(INST_BASE)/ha_addon_debug/$(file)) dev: $(foreach file,$(repro_subdirs),$(INST_BASE)/ha_addon_dev/$(file)) \ $(foreach file,$(repro_templates),$(INST_BASE)/ha_addon_dev/$(file)) \ + $(foreach file,$(repro_apparmor),$(INST_BASE)/ha_addon_dev/$(file)) \ $(foreach file,$(repro_files),$(INST_BASE)/ha_addon_dev/$(file)) \ $(foreach file,$(repro_root),$(INST_BASE)/ha_addon_dev/$(file)) rc: $(foreach file,$(repro_subdirs),$(INST_BASE)/ha_addon_rc/$(file)) \ $(foreach file,$(repro_templates),$(INST_BASE)/ha_addon_rc/$(file)) \ + $(foreach file,$(repro_apparmor),$(INST_BASE)/ha_addon_rc/$(file)) \ $(foreach file,$(repro_files),$(INST_BASE)/ha_addon_rc/$(file)) \ $(foreach file,$(repro_root),$(INST_BASE)/ha_addon_rc/$(file)) rel: $(foreach 
file,$(repro_subdirs),$(INST_BASE)/ha_addon_rel/$(file)) \ $(foreach file,$(repro_templates),$(INST_BASE)/ha_addon_rel/$(file)) \ + $(foreach file,$(repro_apparmor),$(INST_BASE)/ha_addon_rel/$(file)) \ $(foreach file,$(repro_files),$(INST_BASE)/ha_addon_rel/$(file)) \ $(foreach file,$(repro_root),$(INST_BASE)/ha_addon_rel/$(file)) @@ -149,6 +158,8 @@ $(repro_all_subdirs) : $(repro_all_templates) : $(INST_BASE)/ha_addon_%/config.yaml: $(TEMPL)/config.jinja $(TEMPL)/%_data.json $(SRC)/.version FORCE $(JINJA) --strict -D AppVersion=$(VERSION)-$* -D BuildID=$(BUILD_ID) $< $(filter %.json,$^) -o $@ +$(repro_all_apparmor) : $(INST_BASE)/ha_addon_%/apparmor.txt: $(TEMPL)/apparmor.jinja $(TEMPL)/%_data.json + $(JINJA) --strict $< $(filter %.json,$^) -o $@ $(filter $(INST_BASE)/ha_addon_debug/%,$(repro_root_files)) : $(INST_BASE)/ha_addon_debug/% : ../% cp $< $@ diff --git a/ha_addons/templates/apparmor.jinja b/ha_addons/templates/apparmor.jinja new file mode 100644 index 0000000..25ac8e0 --- /dev/null +++ b/ha_addons/templates/apparmor.jinja 
@@ -0,0 +1,52 @@
+#include
+
+profile {{slug}} flags=(attach_disconnected,mediate_deleted) {
+  #include
+
+  # Capabilities
+  file,
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # S6-Overlay
+  /init ix,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+
+  # Bashio
+  /usr/lib/bashio/** ix,
+  /tmp/** rwk,
+
+  # Access to options.json and other files within your addon
+  /data/** rw,
+
+  # Start new profile for service
+  /usr/bin/myprogram cx -> myprogram,
+
+  profile myprogram flags=(attach_disconnected,mediate_deleted) {
+    #include
+
+    # Receive signals from S6-Overlay
+    signal (receive) peer=*_{{slug}},
+
+    # Access to options.json and other files within your addon
+    /data/** rw,
+
+    # Access to mapped volumes specified in config.json
+    /share/** rw,
+
+    # Access required for service functionality
+    /usr/bin/myprogram r,
+    /bin/bash rix,
+    /bin/echo ix,
+    /etc/passwd r,
+    /dev/tty rw,
+  }
+}
\ No newline at end of file
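Review bot: The `/usr/bin/myprogram cx -> myprogram` transition and the `myprogram` child profile are the placeholder from the Home Assistant add-on example; nothing in this change introduces a `/usr/bin/myprogram`, so the tighter child profile is presumably never entered and the proxy runs under the outer profile, whose `file,` rule grants unrestricted file access — the definition then confines little more than the base abstraction and the signal rules do. Point the `cx` transition at the add-on's real service entrypoint (e.g. `/usr/bin/<real-service-binary> cx -> tsun_proxy,`, placeholder path) and give that child profile only the paths the service actually reads and writes. There is no `network` rule anywhere in the profile; if the host kernel mediates sockets, the proxy's listening and outbound connections would be denied, so the rendered profile should be exercised in the add-on's runtime test before release. On this page both `#include` lines show no argument — presumably `<tunables/global>` and `<abstractions/base>` were lost in rendering; a bare `#include` does not parse, so verify the committed file carries them.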