From 4217b38853255a0a59f3bcdabb42c3d11f7c651a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franc=CC=A7ois=20Bonelle?= Date: Fri, 25 Aug 2023 03:48:12 +0200 Subject: [PATCH] fix --- promtail/Dockerfile | 31 +++++++++--------- promtail/apparmor.txt | 73 +++++++++++++++---------------------------- 2 files changed, 43 insertions(+), 61 deletions(-) diff --git a/promtail/Dockerfile b/promtail/Dockerfile index a368109..d75ad3f 100644 --- a/promtail/Dockerfile +++ b/promtail/Dockerfile @@ -3,6 +3,12 @@ FROM ${BUILD_FROM} # Build arguments ARG BUILD_ARCH +ARG BUILD_DATE +ARG BUILD_DESCRIPTION +ARG BUILD_NAME +ARG BUILD_REF +ARG BUILD_REPOSITORY +ARG BUILD_VERSION ARG YQ_VERSION ARG PROMTAIL_VERSION @@ -15,7 +21,6 @@ RUN set -eux; \ unzip \ ; \ update-ca-certificates; \ - \ case "${BUILD_ARCH}" in \ amd64) BINARCH='amd64' ;; \ armhf) BINARCH='arm' ;; \ @@ -37,24 +42,14 @@ RUN set -eux; \ unzip /tmp/promtail.zip -d /usr/bin; \ mv /usr/bin/promtail-linux-${BINARCH} /usr/bin/promtail; \ chmod +x /usr/bin/promtail; \ - rm /tmp/promtail.zip + rm /tmp/promtail.zip; \ + mkdir -p /data/promtail COPY rootfs / WORKDIR /data/promtail COPY s6-overlay /package/admin/s6-overlay-3.1.5.0/ -# Build arguments -ARG BUILD_ARCH -ARG BUILD_DATE -ARG BUILD_DESCRIPTION -ARG BUILD_NAME -ARG BUILD_REF -ARG BUILD_REPOSITORY -ARG BUILD_VERSION - -USER root - # Labels LABEL \ io.hass.name="${BUILD_NAME}" \ 
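Review bot: Moving `ARG BUILD_DATE`, `ARG BUILD_REF` and `ARG BUILD_VERSION` above the `RUN set -eux` layer (first hunk, with the matching deletions in the third hunk) makes that layer's cache key depend on values that presumably change on every build, so the apt install and promtail download are repeated each time even though the visible parts of the RUN reference only `BUILD_ARCH`, `YQ_VERSION` and `PROMTAIL_VERSION`. The label-only arguments can stay declared just before `LABEL`, where the removed block had them, with no loss of function. In the third hunk, `mkdir -p /data/promtail` is redundant with the `WORKDIR /data/promtail` that follows, and if `/data` is a runtime mount the directory created in the image is hidden anyway; either drop it or note why it is there, e.g. `# WORKDIR creates /data/promtail; /data is expected to be mounted at runtime`. The RUN whose tail is shown here starts outside the first hunk.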
@@ -62,4 +57,12 @@ LABEL \
 io.hass.arch="${BUILD_ARCH}" \
 io.hass.type="addon" \
 io.hass.version=${BUILD_VERSION} \
- maintainer="fbonelle"
\ No newline at end of file
+ maintainer="fbonelle" \
+ org.opencontainers.image.title="${BUILD_NAME}" \
+ org.opencontainers.image.description="${BUILD_DESCRIPTION}" \
+ org.opencontainers.image.vendor="fbonelle's addons" \
+ org.opencontainers.image.authors="fbonelle" \
+ org.opencontainers.image.licenses="MIT" \
+ org.opencontainers.image.created=${BUILD_DATE} \
+ org.opencontainers.image.revision=${BUILD_REF} \
+ org.opencontainers.image.version=${BUILD_VERSION}
\ No newline at end of file
diff --git a/promtail/apparmor.txt b/promtail/apparmor.txt
index 95ca197..327b547 100644
--- a/promtail/apparmor.txt
+++ b/promtail/apparmor.txt
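Review bot: `org.opencontainers.image.created=${BUILD_DATE}`, `org.opencontainers.image.revision=${BUILD_REF}` and `org.opencontainers.image.version=${BUILD_VERSION}` are left unquoted while the neighbouring new labels quote their values; a build argument containing a space would break the LABEL instruction, so quoting them (`org.opencontainers.image.created="${BUILD_DATE}"` and likewise for the other two) keeps the block consistent and robust. The file is also still written without a trailing newline, which the hunk could have fixed while touching the last line.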
@@ -1,59 +1,38 @@
-include
-
-# Docker overlay
-@{docker_root}=/docker/ /var/lib/docker/
-@{fs_root}=/ @{docker_root}/overlay2/*/diff/
-@{do_etc}=@{fs_root}/etc/
-@{do_opt}=@{fs_root}/opt/
-@{do_run}=@{fs_root}/{run,var/run}/
-@{do_usr}=@{fs_root}/usr/
-@{do_var}=@{fs_root}/var/
+#include
 
 # Systemd Journal location
 @{journald}=/{run,var}/log/journal/{,**}
 
 profile promtail flags=(attach_disconnected,mediate_deleted) {
- include
- include
+ #include
 
- # Send signals to child services
- signal (send) peer=@{profile_name}//*,
+ # Capabilities
+ file,
+ signal (send) set=(kill,term,int,hup,cont),
 
 # Network access
 network tcp,
 network udp,
 
 # S6-Overlay
- /init rix,
- /bin/** rix,
- /usr/bin/** rix,
- @{do_etc}/s6*/** r,
- @{do_etc}/fix-attrs.d/{,**} r,
- @{do_etc}/cont-{init,finish}.d/{,**} rwix,
- @{do_etc}/services.d/{,**} rwix,
- @{do_run}/{s6,s6-rc*,service}/** rix,
- /command/** rix,
- /package/** rix,
- @{do_run}/{,**} rwk,
- /dev/tty rw,
- @{do_usr}/lib/locale/{,**} r,
- @{do_etc}/ssl/openssl.cnf r,
- @{do_etc}/{group,hosts,passwd} r,
- @{do_etc}/{host,nsswitch,resolv}.conf r,
- /dev/null k,
-
- # https://github.com/hassio-addons/addon-debian-base/blob/main/base/rootfs/etc/cont-init.d/02-set-timezone.sh
- # Wants to link /etc/localtime but apparmor sees a random hash so * it is.
- @{do_etc}/* rw,
- @{do_usr}/share/zoneinfo/{,**} r,
+ /init ix,
+ /bin/** ix,
+ /usr/bin/** ix,
+ /run/{s6,s6-rc*,service}/** ix,
+ /package/** ix,
+ /command/** ix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /run/{,**} rwk,
+ /dev/tty rw,
 
 # Bashio
- /usr/lib/bashio/** ix,
- /tmp/** rw,
+ /usr/lib/bashio/** ix,
+ /tmp/** rwk,
 
- # Options.json & addon data
- /data r,
- /data/** rw,
+ # Access to options.json and other files within your addon
+ /data/** rw,
 
 # Files needed for setup
 @{do_etc}/promtail/{,**} rw,
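Review bot: The `@{do_etc}` variable is deleted at the top of this hunk but is still referenced by the context line `@{do_etc}/promtail/{,**} rw,` at its end (and by `@{do_etc}/ssl/certs/** r,` in the promtail_profile hunk further down); nothing visible in the new `#include` line defines it, so the parser should reject the profile for an undefined variable. Either keep `@{do_etc}=/etc/` alongside `@{journald}`, or rewrite those two lines as `/etc/promtail/{,**} rw,` and `/etc/ssl/certs/** r,` to match the literal paths the hunk now uses everywhere else. The bare `file,` rule added under `# Capabilities` grants the full set of file permissions on every path, which makes the narrower `/init ix`, `/data/** rw` and `/tmp/** rwk` rules below it redundant and leaves the `cx` transitions as the only remaining file confinement for the parent; if that breadth is intended it deserves a comment saying so, otherwise drop `file,` and rely on the explicit list. The `# Capabilities` heading is also misleading since no `capability` rule follows it, and `signal (send) set=(kill,term,int,hup,cont),` has lost the `peer=@{profile_name}//*` restriction that previously kept signals within the profile's own children. The `profile promtail` block continues past the end of this hunk.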
@@ -61,11 +40,11 @@ profile promtail flags=(attach_disconnected,mediate_deleted) {
 /{share,ssl}/{,**} r,
 @{journald} r,
 
- # Programs
- /usr/bin/promtail cx -> promtail,
- /usr/bin/yq Cx,
+ # Start new profile for service
+ /usr/bin/promtail cx -> promtail_profile,
+ /usr/bin/yq cx -> yq_profile,
 
- profile promtail flags=(attach_disconnected,mediate_deleted) {
+profile promtail_profile flags=(attach_disconnected,mediate_deleted) {
 include
 
 # Receive signals from s6
@@ -100,7 +79,7 @@ profile promtail flags=(attach_disconnected,mediate_deleted) {
 @{do_etc}/ssl/certs/** r,
 }
 
- profile /usr/bin/yq flags=(attach_disconnected,mediate_deleted) {
+ profile yq_profile flags=(attach_disconnected,mediate_deleted) {
 include
 
 # Config files
@@ -113,4 +92,4 @@ profile promtail flags=(attach_disconnected,mediate_deleted) {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 /dev/null k,
 }
-}
+}
\ No newline at end of file
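Review bot: The renamed child profile is written as `+profile promtail_profile flags=(attach_disconnected,mediate_deleted) {` at column 0 while it is still nested inside `profile promtail { ... }` (the outer brace is only closed in the last hunk), whereas the sibling `profile yq_profile` in the next hunk keeps the original indentation; indenting the `promtail_profile` line to match makes the nesting readable and stops it looking like a stray top-level profile. The rename itself is an improvement, since the old nested `profile promtail` carried the same name as the enclosing profile. The last hunk also drops the trailing newline on the final `}`, which is worth restoring. The body of `promtail_profile` continues outside this hunk.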