
Commit 21312e5

authored
Enable AppArmor for Supervisor in devcontainers (#170)
Enable AppArmor support so apps developers can develop and test AppArmor profiles for their apps in the devcontainer environment. - Add mount-securityfs.service to mount securityfs inside the container (the kernel doesn't do this automatically in containers) - Add hassio-apparmor.service to download and load the hassio-supervisor profile from version.home-assistant.io on first boot - Install apparmor package in both devcontainer images - Switch supervisor_run from apparmor=unconfined to apparmor=hassio-supervisor Both services use ConditionSecurity=apparmor to gracefully skip on hosts without AppArmor kernel support.
1 parent 76651b0 commit 21312e5


7 files changed

+61
-2
lines changed


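--- a/apps/Dockerfile
+++ b/apps/Dockerfile
@@ -10,6 +10,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN \
 apt-get update \
 && apt-get install -y --no-install-recommends \
+apparmor \
 dbus-broker \
 network-manager \
 libpulse0 \
@@ -52,6 +53,8 @@ RUN systemd-tmpfiles --create --prefix /var/log/journal
 # Enable services which are otherwise disabled by default
 RUN systemctl enable \
 haos-agent \
+hassio-apparmor \
+mount-securityfs \
 systemd-journal-gatewayd
 
 STOPSIGNAL SIGRTMIN+3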

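--- a/apps/rootfs/usr/bin/supervisor_run
+++ b/apps/rootfs/usr/bin/supervisor_run
@@ -13,7 +13,7 @@ function run_supervisor() {
 --name hassio_supervisor \
 --privileged \
 --security-opt seccomp=unconfined \
---security-opt apparmor=unconfined \
+--security-opt apparmor=hassio-supervisor \
 -v /run/docker.sock:/run/docker.sock:rw \
 -v /run/dbus:/run/dbus:ro \
 -v /run/supervisor:/run/os:rw \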
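Review bot: The `--security-opt apparmor=hassio-supervisor` line makes this `docker run` depend on a profile that exists only if hassio-apparmor.service managed to download and load it, and nothing in the visible hunk checks for it. If the profile is missing (first boot without network, a parse failure), the container start will most likely fail with an AppArmor error that is hard to trace back to its cause. A comment above the option such as `# Profile is loaded by hassio-apparmor.service; the container cannot start if it is missing` would document the dependency, and a pre-check against `/sys/kernel/security/apparmor/profiles` with a clear message would make the failure readable. Since `--privileged` and `seccomp=unconfined` stay, the AppArmor profile is the only confinement left on this container. The same change is made in supervisor/rootfs/usr/bin/supervisor_run; run_supervisor's body starts and ends outside both hunks.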
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
[Unit]
2+
Description=Hass.io AppArmor
3+
ConditionSecurity=apparmor
4+
Wants=hassio-supervisor.service
5+
Requires=mount-securityfs.service
6+
After=mount-securityfs.service
7+
Before=docker.service hassio-supervisor.service
8+
9+
[Service]
10+
Type=oneshot
11+
RemainAfterExit=true
12+
ExecStart=/usr/sbin/hassio-apparmor
13+
14+
[Install]
15+
WantedBy=multi-user.target
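Review bot: This unit runs a script that fetches the profile with curl on first boot, yet `[Unit]` orders it only after mount-securityfs.service and before docker.service, with nothing tying it to the network being up. If the network is not ready at that point (not visible from this page), the download fails and the script exits under `set -e`; because the supervisor is attached with `Wants=` plus `Before=`, it still starts afterwards, now without the profile it is told to use. Adding `Wants=network-online.target` and `After=network-online.target` to `[Unit]` would close that gap, provided a wait-online service is enabled in the image. Whether the supervisor unit should hard-require this one is worth deciding explicitly and recording in a comment.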
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
[Unit]
2+
Description=Mount securityfs for AppArmor
3+
ConditionSecurity=apparmor
4+
DefaultDependencies=no
5+
Before=apparmor.service
6+
7+
[Service]
8+
Type=oneshot
9+
RemainAfterExit=true
10+
ExecStart=/bin/mount -t securityfs securityfs /sys/kernel/security
11+
12+
[Install]
13+
WantedBy=sysinit.target
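Review bot: `ExecStart=/bin/mount -t securityfs securityfs /sys/kernel/security` has no guard for the case where that path is already a mount point, where the mount would most likely fail; since hassio-apparmor.service declares `Requires=` on this unit, that failure would also block profile loading. Adding `ConditionPathIsMountPoint=!/sys/kernel/security` to `[Unit]` turns that case into a skip instead of a failure. A short comment on `DefaultDependencies=no` would help as well, for example `# Runs before sysinit.target, so the implicit dependency on it has to be dropped`.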
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
#!/usr/bin/env bash
2+
set -e
3+
4+
PROFILES_DIR="/mnt/supervisor/apparmor"
5+
CACHE_DIR="${PROFILES_DIR}/cache"
6+
7+
mkdir -p "${PROFILES_DIR}"
8+
mkdir -p "${CACHE_DIR}"
9+
10+
# Download the hassio-supervisor profile if not present
11+
if [ ! -f "${PROFILES_DIR}/hassio-supervisor" ]; then
12+
curl -sf https://version.home-assistant.io/apparmor_stable.txt \
13+
-o "${PROFILES_DIR}/hassio-supervisor"
14+
fi
15+
16+
# Load existing profiles
17+
for profile in "${PROFILES_DIR}"/*; do
18+
if [ ! -f "${profile}" ]; then
19+
continue
20+
fi
21+
22+
if ! apparmor_parser -r -W -L "${CACHE_DIR}" "${profile}"; then
23+
echo "[Error]: Can't load profile ${profile}"
24+
fi
25+
done
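Review bot: The curl call writes straight to `${PROFILES_DIR}/hassio-supervisor`, so an interrupted transfer can leave a truncated file that the `[ ! -f … ]` test accepts on every later boot, and the profile is never fetched again. Under `set -e` a failed download also ends the script before the loading loop, so profiles already on disk are not loaded either. Downloading to a temporary file and renaming it only on success, with a bounded retry and timeout, avoids both; the load error in the loop should also go to stderr. The file is loaded into the kernel as security policy with HTTPS as its only integrity check, so pinning a checksum in the image is worth considering.

```shell
# Download the hassio-supervisor profile if not present
if [ ! -f "${PROFILES_DIR}/hassio-supervisor" ]; then
    # Dotfile name keeps a leftover temp file out of the "${PROFILES_DIR}"/* loop
    tmp_profile="$(mktemp "${PROFILES_DIR}/.hassio-supervisor.XXXXXX")"
    if curl -sf --retry 3 --max-time 30 \
        https://version.home-assistant.io/apparmor_stable.txt \
        -o "${tmp_profile}"; then
        mv -f -- "${tmp_profile}" "${PROFILES_DIR}/hassio-supervisor"
    else
        rm -f -- "${tmp_profile}"
        echo "[Error]: Can't download hassio-supervisor profile" >&2
    fi
fi

# … unchanged: "Load existing profiles" loop …
```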

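--- a/supervisor/Dockerfile
+++ b/supervisor/Dockerfile
@@ -19,6 +19,7 @@ RUN \
 RUN \
 apt-get update \
 && apt-get install -y --no-install-recommends \
+apparmor \
 dbus-broker \
 network-manager \
 libpulse0 \
@@ -73,6 +74,8 @@ RUN systemd-tmpfiles --create --prefix /var/log/journal
 # Enable services which are otherwise disabled by default
 RUN systemctl enable \
 haos-agent \
+hassio-apparmor \
+mount-securityfs \
 systemd-journal-gatewayd
 
 STOPSIGNAL SIGRTMIN+3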

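--- a/supervisor/rootfs/usr/bin/supervisor_run
+++ b/supervisor/rootfs/usr/bin/supervisor_run
@@ -48,7 +48,7 @@ function run_supervisor() {
 --name hassio_supervisor \
 --privileged \
 --security-opt seccomp=unconfined \
---security-opt apparmor=unconfined \
+--security-opt apparmor=hassio-supervisor \
 -v /run/docker.sock:/run/docker.sock:rw \
 -v /run/dbus:/run/dbus:ro \
 -v /run/supervisor:/run/os:rw \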
