Add-On Security Calculation

Hi,
I wanted to know how Add-On Security Rating worked. Documentation is sparse on the topic, so here are the current values.

All Add-ons start with a base security rating of 5. You can increase or decrease this number via methods listed below.

add +2 to security rating
ingress: true (overrides auth_api rating below)

add +1 to security rating
auth_api: true
apparmor.txt present in addon

add -1 to security rating
apparmor: false (overrides apparmor.txt presence)
privilege: contains one or more of [NET_ADMIN, SYS_ADMIN, SYS_RAWIO, SYS_PTRACE, SYS_MODULE, or DAC_READ_SEARCH] (applies only once)
hassio_role: manager (overrides admin below)
host_network:true

add -2 to security rating
hassio_role: admin
host_pid: true
full_access:true

Automatic rating of 1
docker_api: true

Finally, the score is limited to a range of +1 to +6. If you’ve managed to go lower than 0 or higher than 6 your score will be constrained to a value between 1 and 6.

Source: https://github.com/home-assistant/supervisor/blob/8d8587ca29bd32594af0ec2649486d205ef0dfab/supervisor/addons/utils.py#L28

1 Like

How to arbitrarily add security:

  1. Declare ingress:true in the config.json and add this line into your run.sh:
fun() {  while true; do nc -l -p 8099 -e  echo -e 'HTTP/1.1 200 OK\r\nServer: DeskPiPro\r\nDate:$(date)\r\nContent-Type: text/html; charset=UTF8\r\nCache-Control: no-store, no cache, must-revalidate\r\n\r\n<!DOCTYPE html><html><body><p>For some reason this improves security rating for Home Assistant, so I am using it.</body></html>\r\n\n\n'; done }; fun&

This is what you will see on the web interface: [image]

  2. Create an apparmor.txt file by declaring “/path/to/resource.ext rwix,” or “/path/to/folder** rwix”

Theoretically, one could request full_access:true, apply these items above, and still attain a rating of 6.
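
The rules from the first post as a small calculator, covering the full_access case raised in the last post. This is an added example written from the list above, not the Supervisor's own code; `rate_addon` and `has_apparmor_txt` are hypothetical names, and the capability list is read from the add-on config key `privileged` (written `privilege` in the post). It returns the options that cost points alongside the score, so a reviewer can see what a high rating is hiding.

```python
# Added example: built from the rules listed in the post, not Supervisor code.
RISKY_CAPS = {"NET_ADMIN", "SYS_ADMIN", "SYS_RAWIO", "SYS_PTRACE",
              "SYS_MODULE", "DAC_READ_SEARCH"}


def rate_addon(config, has_apparmor_txt=False):
    """Return (rating, penalties) for an add-on config dict (hypothetical helper)."""
    rating = 5
    penalties = []  # options that lowered the score, kept for review

    def penalise(option, delta):
        nonlocal rating
        rating += delta
        penalties.append((option, delta))

    # An explicit `apparmor: false` overrides the presence of apparmor.txt.
    if config.get("apparmor", True) is False:
        penalise("apparmor: false", -1)
    elif has_apparmor_txt:
        rating += 1

    # ingress overrides the auth_api bonus.
    if config.get("ingress"):
        rating += 2
    elif config.get("auth_api"):
        rating += 1

    # Applied once, however many of the listed capabilities are requested.
    caps = RISKY_CAPS & set(config.get("privileged", []))
    if caps:
        penalise("privileged: " + ",".join(sorted(caps)), -1)

    role = config.get("hassio_role")
    if role == "manager":
        penalise("hassio_role: manager", -1)
    elif role == "admin":
        penalise("hassio_role: admin", -2)

    for option, delta in (("host_network", -1), ("host_pid", -2), ("full_access", -2)):
        if config.get(option):
            penalise(option + ": true", delta)

    if config.get("docker_api"):
        return 1, penalties + [("docker_api: true", None)]  # automatic rating of 1
    return max(1, min(6, rating)), penalties


# Constructed sample: the combination described in the last post.
if __name__ == "__main__":
    print(rate_addon({"full_access": True, "ingress": True}, has_apparmor_txt=True))
```

When reviewing an add-on, read the penalty list rather than the clamped number: the sample scores 6 while still listing `full_access: true`.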