Enable AppArmor for Supervisor in devcontainers (#170)

Enable AppArmor support so apps developers can develop and test
AppArmor profiles for their apps in the devcontainer environment.

- Add mount-securityfs.service to mount securityfs inside the container
  (the kernel doesn't do this automatically in containers)
- Add hassio-apparmor.service to download and load the hassio-supervisor
  profile from version.home-assistant.io on first boot
- Install apparmor package in both devcontainer images
- Switch supervisor_run from apparmor=unconfined to
  apparmor=hassio-supervisor

Both services use ConditionSecurity=apparmor to gracefully skip on
hosts without AppArmor kernel support.

Author: agners

apps/Dockerfile

@@ -10,6 +10,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN \
     apt-get update \
     && apt-get install -y --no-install-recommends \
+        apparmor \
         dbus-broker \
         network-manager \
         libpulse0 \
@@ -52,6 +53,8 @@ RUN systemd-tmpfiles --create --prefix /var/log/journal
 # Enable services which are otherwise disabled by default
 RUN systemctl enable \
     haos-agent \
+    hassio-apparmor \
+    mount-securityfs \
     systemd-journal-gatewayd
 
 STOPSIGNAL SIGRTMIN+3

apps/rootfs/usr/bin/supervisor_run

@@ -13,7 +13,7 @@ function run_supervisor() {
         --name hassio_supervisor \
         --privileged \
         --security-opt seccomp=unconfined \
-        --security-opt apparmor=unconfined \
+        --security-opt apparmor=hassio-supervisor \
         -v /run/docker.sock:/run/docker.sock:rw \
         -v /run/dbus:/run/dbus:ro \
         -v /run/supervisor:/run/os:rw \

common/rootfs_supervisor/etc/systemd/system/hassio-apparmor.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Hass.io AppArmor
+ConditionSecurity=apparmor
+Wants=hassio-supervisor.service
+Requires=mount-securityfs.service
+After=mount-securityfs.service
+Before=docker.service hassio-supervisor.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/sbin/hassio-apparmor
+
+[Install]
+WantedBy=multi-user.target

common/rootfs_supervisor/etc/systemd/system/mount-securityfs.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Mount securityfs for AppArmor
+ConditionSecurity=apparmor
+DefaultDependencies=no
+Before=apparmor.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/bin/mount -t securityfs securityfs /sys/kernel/security
+
+[Install]
+WantedBy=sysinit.target

common/rootfs_supervisor/usr/sbin/hassio-apparmor

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -e
+
+PROFILES_DIR="/mnt/supervisor/apparmor"
+CACHE_DIR="${PROFILES_DIR}/cache"
+
+mkdir -p "${PROFILES_DIR}"
+mkdir -p "${CACHE_DIR}"
+
+# Download the hassio-supervisor profile if not present
+if [ ! -f "${PROFILES_DIR}/hassio-supervisor" ]; then
+    curl -sf https://version.home-assistant.io/apparmor_stable.txt \
+        -o "${PROFILES_DIR}/hassio-supervisor"
+fi
+
+# Load existing profiles
+for profile in "${PROFILES_DIR}"/*; do
+    if [ ! -f "${profile}" ]; then
+        continue
+    fi
+
+    if ! apparmor_parser -r -W -L "${CACHE_DIR}" "${profile}"; then
+        echo "[Error]: Can't load profile ${profile}"
+    fi
+done

supervisor/Dockerfile

@@ -19,6 +19,7 @@ RUN \
 RUN \
     apt-get update \
     && apt-get install -y --no-install-recommends \
+        apparmor \
         dbus-broker \
         network-manager \
         libpulse0 \
@@ -73,6 +74,8 @@ RUN systemd-tmpfiles --create --prefix /var/log/journal
 # Enable services which are otherwise disabled by default
 RUN systemctl enable \
     haos-agent \
+    hassio-apparmor \
+    mount-securityfs \
     systemd-journal-gatewayd
 
 STOPSIGNAL SIGRTMIN+3

supervisor/rootfs/usr/bin/supervisor_run

@@ -48,7 +48,7 @@ function run_supervisor() {
         --name hassio_supervisor \
         --privileged \
         --security-opt seccomp=unconfined \
-        --security-opt apparmor=unconfined \
+        --security-opt apparmor=hassio-supervisor \
         -v /run/docker.sock:/run/docker.sock:rw \
         -v /run/dbus:/run/dbus:ro \
         -v /run/supervisor:/run/os:rw \