v 1.0.4

Remove privileged access + custom app armor (+3 security points)

repository.yaml

@@ -1,3 +1,3 @@
-name: Home Assistant Khadas Tools
+name: Home Assistant Khadas Tools (dev)
 url: "https://github.com/Nicooow/homeassistant-khadas-tools"
 maintainer: nicow

vim3-fan-controller/apparmor.txt

@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+profile khadas-vim3-fan flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  capability,
+  file,
+
+  # S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /proc/self/attr/** mrwkl,
+
+  # Files required
+  /dev/i2c-0 mrwkl,
+
+  # Data access
+  /data/** rw,
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

vim3-fan-controller/config.yaml

@@ -1,6 +1,6 @@
 name: "Khadas VIM3 Fan Controller"
 description: "Control the fan of the Khadas VIM3"
-version: "1.0.3"
+version: "1.0.4"
 slug: "khadas-vim3-fan"
 init: false
 arch:
@@ -9,10 +9,8 @@ arch:
   - armhf
   - armv7
   - i386
-log_level: info
+# apparmor: true # already default to true
 startup: services
-privileged:
-  - SYS_ADMIN
 devices:
   - /dev/i2c-0
 ingress: true