Fix sphere-serial, just BBB for now. TODO: DevKit/Spheramid and dev m…

…achine
ninjasphere · Feb 9, 2015 · 3df8845 · 3df8845
1 parent ae8051d
commit 3df8845
Show file tree

Hide file tree

Showing 5 changed files with 209 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -28,4 +28,4 @@ snap: staging
 	snappy build staging-snappy
 
 remote: snap
-	snappy-remote --url=ssh://10.0.1.14 install ./ninjasphere_0.0.1_multi.snap
+	snappy-remote --url=ssh://10.0.1.14 install ./ninjasphere_0.0.2_multi.snap
diff --git a/template/bin/sphere-serial b/template/bin/sphere-serial
@@ -1,3 +1,5 @@
-#!/bin/sh
+#!/bin/bash
 
-echo -n TESTSERIAL
+[[ -f /sys/bus/i2c/devices/0-0050/eeprom ]] || { echo 24c256 0x50 > /sys/bus/i2c/devices/i2c-0/new_device; }
+
+xxd -g 2 -a -l 16 -seek 16 /sys/bus/i2c/devices/0-0050/eeprom | sed 's/^.* //' | sed -e 's/[.]//g' | tr -d '\n'
diff --git a/template/meta/ninjasphere.apparmor b/template/meta/ninjasphere.apparmor
@@ -7,7 +7,11 @@
         "@{PROC}/",
         "/etc/hosts.allow",
         "/etc/hosts.deny",
-	"/etc/passwd"
+	"/etc/passwd",
+        "/sys/bus/i2c/devices/0-0050/eeprom"
+    ],
+    "write_path": [
+        "/sys/bus/i2c/devices/i2c-0/new_device"
     ],
     "policy_groups": [
         "networking"

diff --git a/template/meta/package.yaml b/template/meta/package.yaml
@@ -1,7 +1,7 @@
 name: ninjasphere
 vendor: Theo Julienne <theo@ninjablocks.com>
 architecture: [amd64, armhf]
-version: 0.0.1
+version: 0.0.2
 icon: meta/nina.svg
 services:
  - name: mosquitto
@@ -26,7 +26,7 @@ integration:
   mqtt-bridgeify:
     apparmor: meta/ninjasphere.apparmor
   sphere-client:
-    apparmor: meta/ninjasphere.apparmor
+    apparmor-profile: meta/sphere-client.profile
   mosquitto:
     apparmor: meta/ninjasphere.apparmor
   redis-server:

diff --git a/template/meta/sphere-client.profile b/template/meta/sphere-client.profile
@@ -0,0 +1,197 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+# Specified profile variables
+@{APP_APPNAME}="sphere-client"
+@{APP_ID_DBUS}="ninjasphere_5fsphere_2dclient_5f0_2e0_2e2"
+@{APP_PKGNAME_DBUS}="ninjasphere"
+@{APP_PKGNAME}="ninjasphere"
+@{APP_VERSION}="0.0.2"
+@{CLICK_DIR}="{/apps,/custom/click,/oem,/usr/share/click/preinstalled}"
+
+profile "ninjasphere_sphere-client_0.0.2" {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/openssl>
+
+  # for python apps/services
+  #include <abstractions/python>
+  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
+
+  # for perl apps/services
+  #include <abstractions/perl>
+  /usr/bin/perl{,5*} ixr,
+
+  # for bash 'binaries' (do *not* use abstractions/bash)
+  # user-specific bash files
+  /bin/bash ixr,
+  /bin/dash ixr,
+  /etc/bash.bashrc r,
+  /usr/share/terminfo/** r,
+  /etc/inputrc r,
+  deny @{HOME}/.inputrc r,
+  # Common utilities for shell scripts
+  /{,usr/}bin/{,g,m}awk ixr,
+  /{,usr/}bin/basename ixr,
+  /{,usr/}bin/bunzip2 ixr,
+  /{,usr/}bin/bzcat ixr,
+  /{,usr/}bin/bzdiff ixr,
+  /{,usr/}bin/bzgrep ixr,
+  /{,usr/}bin/bzip2 ixr,
+  /{,usr/}bin/cat ixr,
+  /{,usr/}bin/chmod ixr,
+  /{,usr/}bin/cmp ixr,
+  /{,usr/}bin/cp ixr,
+  /{,usr/}bin/cpio ixr,
+  /{,usr/}bin/cut ixr,
+  /{,usr/}bin/date ixr,
+  /{,usr/}bin/dd ixr,
+  /{,usr/}bin/diff{,3} ixr,
+  /{,usr/}bin/dir ixr,
+  /{,usr/}bin/dirname ixr,
+  /{,usr/}bin/echo ixr,
+  /{,usr/}bin/{,e,f,r}grep ixr,
+  /{,usr/}bin/env ixr,
+  /{,usr/}bin/expr ixr,
+  /{,usr/}bin/find ixr,
+  /{,usr/}bin/fmt ixr,
+  /{,usr/}bin/getopt ixr,
+  /{,usr/}bin/false ixr,
+  /{,usr/}bin/head ixr,
+  /{,usr/}bin/id ixr,
+  /{,usr/}bin/igawk ixr,
+  /{,usr/}bin/kill ixr,
+  /{,usr/}bin/ln ixr,
+  /{,usr/}bin/line ixr,
+  /{,usr/}bin/link ixr,
+  /{,usr/}bin/ls ixr,
+  /{,usr/}bin/md5sum ixr,
+  /{,usr/}bin/mkdir ixr,
+  /{,usr/}bin/mktemp ixr,
+  /{,usr/}bin/mv ixr,
+  /{,usr/}bin/pgrep ixr,
+  /{,usr/}bin/printenv ixr,
+  /{,usr/}bin/printf ixr,
+  /{,usr/}bin/ps ixr,
+  /{,usr/}bin/pwd ixr,
+  /{,usr/}bin/readlink ixr,
+  /{,usr/}bin/realpath ixr,
+  /{,usr/}bin/rev ixr,
+  /{,usr/}bin/rm ixr,
+  /{,usr/}bin/rmdir ixr,
+  /{,usr/}bin/sed ixr,
+  /{,usr/}bin/seq ixr,
+  /{,usr/}bin/sleep ixr,
+  /{,usr/}bin/sort ixr,
+  /{,usr/}bin/stat ixr,
+  /{,usr/}bin/tac ixr,
+  /{,usr/}bin/tail ixr,
+  /{,usr/}bin/tar ixr,
+  /{,usr/}bin/tee ixr,
+  /{,usr/}bin/test ixr,
+  /{,usr/}bin/tempfile ixr,
+  /{,usr/}bin/touch ixr,
+  /{,usr/}bin/tr ixr,
+  /{,usr/}bin/true ixr,
+  /{,usr/}bin/uname ixr,
+  /{,usr/}bin/uniq ixr,
+  /{,usr/}bin/unlink ixr,
+  /{,usr/}bin/unxz ixr,
+  /{,usr/}bin/unzip ixr,
+  /{,usr/}bin/vdir ixr,
+  /{,usr/}bin/wc ixr,
+  /{,usr/}bin/which ixr,
+  /{,usr/}bin/xz ixr,
+  /{,usr/}bin/yes ixr,
+  /{,usr/}bin/zcat ixr,
+  /{,usr/}bin/z{,e,f}grep ixr,
+  /{,usr/}bin/zip ixr,
+  /{,usr/}bin/zipgrep ixr,
+
+  # uptime
+  /{,usr/}bin/uptime ixr,
+  @{PROC}/uptime r,
+  @{PROC}/loadavg r,
+  # this is an information leak
+  deny /{,var/}run/utmp r,
+
+  # Miscellaneous accesses
+  /etc/mime.types r,
+  @{PROC}/sys/kernel/hostname r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  # Read-only for the install directory
+  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
+  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
+  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,
+
+  # Read-only home area for other versions
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/                  r,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
+
+  # Writable home area for this version.
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
+
+  # Read-only system area for other versions
+  /var/lib/apps/@{APP_PKGNAME}/   r,
+  /var/lib/apps/@{APP_PKGNAME}/** mrkix,
+
+  # TODO: the write on these is needed in case they doesn't exist, but means an
+  # app could adjust inode data and affect rollbacks.
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/         w,
+  /var/lib/apps/@{APP_PKGNAME}/                  w,
+
+  # Writable system area only for this version
+  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
+  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
+
+  # Writable temp area only for this version (launcher will create this
+  # directory on our behalf so only allow readonly on parent)
+  /tmp/snapps/@{APP_PKGNAME}/                  r,
+  /tmp/snapps/@{APP_PKGNAME}/**                rk,
+  /tmp/snapps/@{APP_PKGNAME}/@{APP_VERSION}/   rw,
+  /tmp/snapps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,
+
+  # No abstractions specified
+
+  # Rules specified via policy groups
+  # Description: Can access the network
+  # Usage: common
+  #include <abstractions/nameservice>
+  #include <abstractions/ssl_certs>
+
+  @{PROC}/sys/net/core/somaxconn r,
+
+  # We want to explicitly deny access to NetworkManager because its DBus API
+  # gives away too much
+  deny dbus (receive, send)
+       bus=system
+       path=/org/freedesktop/NetworkManager,
+  deny dbus (receive, send)
+       bus=system
+       peer=(name=org.freedesktop.NetworkManager),
+
+  # Do the same for ofono (LP: #1226844)
+  deny dbus (receive, send)
+       bus=system
+       interface="org.ofono.Manager",
+
+  # Specified read permissions
+  /etc/hosts.allow rk,
+  /etc/hosts.deny rk,
+  /etc/passwd rk,
+  /sys/bus/i2c/devices/0-0050/eeprom rk,
+  /sys/devices/ocp/44e0b000.i2c/i2c-0/0-0050/eeprom rk,
+  @{PROC}/ rk,
+  @{PROC}/** rk,
+  @{PROC}/[0-9]*/stat rk,
+
+  # Specified write permissions
+  /sys/bus/i2c/devices/i2c-0/new_device rwk,
+
+  # Ninja
+  /{,usr/}bin/xxd ixr,
+}