From e2219f5a603f8ab291ecfb98300d949949f56f65 Mon Sep 17 00:00:00 2001
From: Theo Julienne
Date: Sun, 8 Feb 2015 22:31:19 -0800
Subject: [PATCH] Add sphere-serial support for Sphere/DevKit and fallback for dev machines.

---
 Makefile                             |   2 +-
 template/bin/sphere-serial           |  17 ++-
 template/meta/mqtt-bridgeify.profile | 198 +++++++++++++++++++++++++++
 template/meta/package.yaml           |   4 +-
 template/meta/sphere-client.profile  |   7 +-
 5 files changed, 220 insertions(+), 8 deletions(-)
 create mode 100644 template/meta/mqtt-bridgeify.profile

diff --git a/Makefile b/Makefile
index 739a465..928af3d 100644
--- a/Makefile
+++ b/Makefile
@@ -28,4 +28,4 @@ snap: staging
 	snappy build staging-snappy
 
 remote: snap
-	snappy-remote --url=ssh://10.0.1.14 install ./ninjasphere_0.0.2_multi.snap
+	snappy-remote --url=ssh://10.0.1.14 install ./ninjasphere_0.0.5_multi.snap
diff --git a/template/bin/sphere-serial b/template/bin/sphere-serial
index 6325eed..877b3cf 100755
--- a/template/bin/sphere-serial
+++ b/template/bin/sphere-serial
@@ -1,5 +1,18 @@
 #!/bin/bash
 
-[[ -f /sys/bus/i2c/devices/0-0050/eeprom ]] || { echo 24c256 0x50 > /sys/bus/i2c/devices/i2c-0/new_device; }
+if grep -q hwserial /proc/cmdline; then
+  # sphere
+  python -c 'import sys, base64; sys.stdout.write(base64.b32encode(open("/proc/cmdline","rb").read().split("hwserial=")[1].split(" ")[0][:16].decode("hex")).strip("="))'
+  exit 0
+fi
+
+if [[ -f /sys/bus/i2c/devices/i2c-0/new_device ]]; then # BeagleBone, not a great test
+  [[ -f /sys/bus/i2c/devices/0-0050/eeprom ]] || { echo 24c256 0x50 > /sys/bus/i2c/devices/i2c-0/new_device; }
+
+  xxd -g 2 -a -l 16 -seek 16 /sys/bus/i2c/devices/0-0050/eeprom | sed 's/^.* //' | sed -e 's/[.]//g' | tr -d '\n'
+  exit 0
+fi
+
+# fall back on using the default route's interface's MAC address
+echo -n DEVBOX; cat /sys/class/net/$(ip route get "8.8.8.8" | grep -Po '(?<=(dev )).*(?= src)' | tr -d '\n\t ')/address | tr -d ':'
 
-xxd -g 2 -a -l 16 -seek 16 /sys/bus/i2c/devices/0-0050/eeprom | sed 's/^.* //' | sed -e 's/[.]//g' | tr -d '\n'
diff --git a/template/meta/mqtt-bridgeify.profile b/template/meta/mqtt-bridgeify.profile
new file mode 100644
index 0000000..5abbfc1
--- /dev/null
+++ b/template/meta/mqtt-bridgeify.profile
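Review bot: Each branch ends in an unconditional `exit 0`, so when the python one-liner or the xxd pipeline fails the script still reports success with an empty serial, and the caller cannot tell that apart from a real identity. Propagating the status instead — `set -o pipefail` after the shebang and a bare `exit` in place of each `exit 0` — lets the consuming service refuse to start on a missing serial rather than run with a blank or colliding one. The `decode("hex")` call is Python 2 only and raises on Python 3, which is exactly the failure the current `exit 0` would hide. In the fallback branch, `ip route get 8.8.8.8` yields nothing when there is no default route, so the identity degrades to the bare string `DEVBOX`, and it changes whenever the routing interface changes; a comment such as `# dev-only: identity follows the default-route interface and is not stable` would warn operators.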
@@ -0,0 +1,198 @@
+# vim:syntax=apparmor
+
+#include
+
+# Specified profile variables
+@{APP_APPNAME}="mqtt-bridgeify"
+@{APP_ID_DBUS}="ninjasphere_5fmqtt_2dbridgeify_5f0_2e0_2e5"
+@{APP_PKGNAME_DBUS}="ninjasphere"
+@{APP_PKGNAME}="ninjasphere"
+@{APP_VERSION}="0.0.5"
+@{CLICK_DIR}="{/apps,/custom/click,/oem,/usr/share/click/preinstalled}"
+
+profile "ninjasphere_mqtt-bridgeify_0.0.5" {
+  #include
+  #include
+  #include
+
+  # for python apps/services
+  #include
+  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
+
+  # for perl apps/services
+  #include
+  /usr/bin/perl{,5*} ixr,
+
+  # for bash 'binaries' (do *not* use abstractions/bash)
+  # user-specific bash files
+  /bin/bash ixr,
+  /bin/dash ixr,
+  /etc/bash.bashrc r,
+  /usr/share/terminfo/** r,
+  /etc/inputrc r,
+  deny @{HOME}/.inputrc r,
+  # Common utilities for shell scripts
+  /{,usr/}bin/{,g,m}awk ixr,
+  /{,usr/}bin/basename ixr,
+  /{,usr/}bin/bunzip2 ixr,
+  /{,usr/}bin/bzcat ixr,
+  /{,usr/}bin/bzdiff ixr,
+  /{,usr/}bin/bzgrep ixr,
+  /{,usr/}bin/bzip2 ixr,
+  /{,usr/}bin/cat ixr,
+  /{,usr/}bin/chmod ixr,
+  /{,usr/}bin/cmp ixr,
+  /{,usr/}bin/cp ixr,
+  /{,usr/}bin/cpio ixr,
+  /{,usr/}bin/cut ixr,
+  /{,usr/}bin/date ixr,
+  /{,usr/}bin/dd ixr,
+  /{,usr/}bin/diff{,3} ixr,
+  /{,usr/}bin/dir ixr,
+  /{,usr/}bin/dirname ixr,
+  /{,usr/}bin/echo ixr,
+  /{,usr/}bin/{,e,f,r}grep ixr,
+  /{,usr/}bin/env ixr,
+  /{,usr/}bin/expr ixr,
+  /{,usr/}bin/find ixr,
+  /{,usr/}bin/fmt ixr,
+  /{,usr/}bin/getopt ixr,
+  /{,usr/}bin/false ixr,
+  /{,usr/}bin/head ixr,
+  /{,usr/}bin/id ixr,
+  /{,usr/}bin/igawk ixr,
+  /{,usr/}bin/kill ixr,
+  /{,usr/}bin/ln ixr,
+  /{,usr/}bin/line ixr,
+  /{,usr/}bin/link ixr,
+  /{,usr/}bin/ls ixr,
+  /{,usr/}bin/md5sum ixr,
+  /{,usr/}bin/mkdir ixr,
+  /{,usr/}bin/mktemp ixr,
+  /{,usr/}bin/mv ixr,
+  /{,usr/}bin/pgrep ixr,
+  /{,usr/}bin/printenv ixr,
+  /{,usr/}bin/printf ixr,
+  /{,usr/}bin/ps ixr,
+  /{,usr/}bin/pwd ixr,
+  /{,usr/}bin/readlink ixr,
+  /{,usr/}bin/realpath ixr,
+  /{,usr/}bin/rev ixr,
+  /{,usr/}bin/rm ixr,
+  /{,usr/}bin/rmdir ixr,
+  /{,usr/}bin/sed ixr,
+  /{,usr/}bin/seq ixr,
+  /{,usr/}bin/sleep ixr,
+  /{,usr/}bin/sort ixr,
+  /{,usr/}bin/stat ixr,
+  /{,usr/}bin/tac ixr,
+  /{,usr/}bin/tail ixr,
+  /{,usr/}bin/tar ixr,
+  /{,usr/}bin/tee ixr,
+  /{,usr/}bin/test ixr,
+  /{,usr/}bin/tempfile ixr,
+  /{,usr/}bin/touch ixr,
+  /{,usr/}bin/tr ixr,
+  /{,usr/}bin/true ixr,
+  /{,usr/}bin/uname ixr,
+  /{,usr/}bin/uniq ixr,
+  /{,usr/}bin/unlink ixr,
+  /{,usr/}bin/unxz ixr,
+  /{,usr/}bin/unzip ixr,
+  /{,usr/}bin/vdir ixr,
+  /{,usr/}bin/wc ixr,
+  /{,usr/}bin/which ixr,
+  /{,usr/}bin/xz ixr,
+  /{,usr/}bin/yes ixr,
+  /{,usr/}bin/zcat ixr,
+  /{,usr/}bin/z{,e,f}grep ixr,
+  /{,usr/}bin/zip ixr,
+  /{,usr/}bin/zipgrep ixr,
+
+  # uptime
+  /{,usr/}bin/uptime ixr,
+  @{PROC}/uptime r,
+  @{PROC}/loadavg r,
+  # this is an information leak
+  deny /{,var/}run/utmp r,
+
+  # Miscellaneous accesses
+  /etc/mime.types r,
+  @{PROC}/sys/kernel/hostname r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  # Read-only for the install directory
+  @{CLICK_DIR}/@{APP_PKGNAME}/ r,
+  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
+  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
+
+  # Read-only home area for other versions
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/ r,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/ r,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
+
+  # Writable home area for this version.
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
+
+  # Read-only system area for other versions
+  /var/lib/apps/@{APP_PKGNAME}/ r,
+  /var/lib/apps/@{APP_PKGNAME}/** mrkix,
+
+  # TODO: the write on these is needed in case they doesn't exist, but means an
+  # app could adjust inode data and affect rollbacks.
+  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/ w,
+  /var/lib/apps/@{APP_PKGNAME}/ w,
+
+  # Writable system area only for this version
+  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
+  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
+
+  # Writable temp area only for this version (launcher will create this
+  # directory on our behalf so only allow readonly on parent)
+  /tmp/snapps/@{APP_PKGNAME}/ r,
+  /tmp/snapps/@{APP_PKGNAME}/** rk,
+  /tmp/snapps/@{APP_PKGNAME}/@{APP_VERSION}/ rw,
+  /tmp/snapps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,
+
+  # No abstractions specified
+
+  # Rules specified via policy groups
+  # Description: Can access the network
+  # Usage: common
+  #include
+  #include
+
+  @{PROC}/sys/net/core/somaxconn r,
+
+  # We want to explicitly deny access to NetworkManager because its DBus API
+  # gives away too much
+  deny dbus (receive, send)
+       bus=system
+       path=/org/freedesktop/NetworkManager,
+  deny dbus (receive, send)
+       bus=system
+       peer=(name=org.freedesktop.NetworkManager),
+
+  # Do the same for ofono (LP: #1226844)
+  deny dbus (receive, send)
+       bus=system
+       interface="org.ofono.Manager",
+
+  # Specified read permissions
+  /etc/hosts.allow rk,
+  /etc/hosts.deny rk,
+  /etc/passwd rk,
+  /proc/cmdline rk,
+  /sys/bus/i2c/devices/0-0050/eeprom rk,
+  /sys/devices/ocp/44e0b000.i2c/i2c-0/0-0050/eeprom rk,
+  @{PROC}/ rk,
+  @{PROC}/** rk,
+  @{PROC}/[0-9]*/stat rk,
+
+  # Specified write permissions
+  /sys/bus/i2c/devices/i2c-0/new_device rwk,
+
+  # Ninja
+  /{,usr/}bin/xxd ixr,
+}
diff --git a/template/meta/package.yaml b/template/meta/package.yaml
index 4ea0156..9675c17 100644
--- a/template/meta/package.yaml
+++ b/template/meta/package.yaml
@@ -1,7 +1,7 @@
 name: ninjasphere
 vendor: Theo Julienne
 architecture: [amd64, armhf]
-version: 0.0.2
+version: 0.0.5
 icon: meta/nina.svg
 services:
   - name: mosquitto
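Review bot: `@{PROC}/ rk,` and `@{PROC}/** rk,` under "Specified read permissions" grant read on the whole of procfs, which makes the adjacent `/proc/cmdline rk,` and `@{PROC}/[0-9]*/stat rk,` redundant and goes well beyond what a serial lookup needs; the profile's own `deny /{,var/}run/utmp r,` with its "information leak" comment suggests the intended scope was narrower. Listing only the proc paths the bridge actually reads (`/proc/cmdline` plus whatever the service itself needs) would keep the profile consistent with that intent. `/sys/bus/i2c/devices/i2c-0/new_device rwk,` is the write the sphere-serial script uses to instantiate the EEPROM driver; a comment naming that reason, e.g. `# sphere-serial registers the 24c256 EEPROM via new_device`, would stop the rule being pruned or widened later. The `#include` lines in this rendering carry no `<…>` argument, which looks like an extraction artifact rather than a profile error, but is worth confirming against the committed file.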
@@ -24,7 +24,7 @@ ports:
   required: 8000,1883,6379
 integration:
   mqtt-bridgeify:
-    apparmor: meta/ninjasphere.apparmor
+    apparmor-profile: meta/mqtt-bridgeify.profile
   sphere-client:
     apparmor-profile: meta/sphere-client.profile
   mosquitto:
diff --git a/template/meta/sphere-client.profile b/template/meta/sphere-client.profile
index c645e46..9f6f119 100644
--- a/template/meta/sphere-client.profile
+++ b/template/meta/sphere-client.profile
@@ -4,13 +4,13 @@
 
 # Specified profile variables
 @{APP_APPNAME}="sphere-client"
-@{APP_ID_DBUS}="ninjasphere_5fsphere_2dclient_5f0_2e0_2e2"
+@{APP_ID_DBUS}="ninjasphere_5fsphere_2dclient_5f0_2e0_2e5"
 @{APP_PKGNAME_DBUS}="ninjasphere"
 @{APP_PKGNAME}="ninjasphere"
-@{APP_VERSION}="0.0.2"
+@{APP_VERSION}="0.0.5"
 @{CLICK_DIR}="{/apps,/custom/click,/oem,/usr/share/click/preinstalled}"
 
-profile "ninjasphere_sphere-client_0.0.2" {
+profile "ninjasphere_sphere-client_0.0.5" {
   #include
   #include
   #include
@@ -183,6 +183,7 @@ profile "ninjasphere_sphere-client_0.0.2" {
   /etc/hosts.allow rk,
   /etc/hosts.deny rk,
   /etc/passwd rk,
+  /proc/cmdline rk,
   /sys/bus/i2c/devices/0-0050/eeprom rk,
   /sys/devices/ocp/44e0b000.i2c/i2c-0/0-0050/eeprom rk,
   @{PROC}/ rk,