zzz/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Debian: confine daemon with apparmor (ticket #1061)

Browse Source
This commit is contained in:
kytv
2015-02-18 22:25:24 +00:00
parent bb9cef1e40
commit 29953ea5e4
15 changed files with 323 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
debian/apparmor/i2p vendored Normal file
View File

@@ -0,0 +1,63 @@
# Last Modified: Thu Jan 29 03:17:01 2015
# vim:syntax=apparmor et ts=4 sw=4
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp>
network inet stream,
network inet6 stream,
# Needed for Java
@{PROC} r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/status r,
/dev/random r,
/dev/urandom r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/etc/ssl/certs/java/** r,
/etc/timezone r,
/usr/share/javazi/** r,
/etc/java-*-openjdk/** r,
/usr/lib/jvm/default-java/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
# needed for I2P's graphs
/etc/fonts/** r,
/usr/share/java/java-atk-wrapper.jar r,
# I2P specific
/etc/default/i2p r,
/usr/share/i2p/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
# Tanuki java wrapper
/etc/i2p/wrapper.config r,
/usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,
/{,var/}tmp/ rwm,
owner /{,var/}tmp/** rwklm,
# Prevent spamming the logs
deny /dev/tty rw,
deny @{PROC}/[0-9]*/fd/ r,
deny /usr/sbin/ r,
deny /var/cache/fontconfig/ wk,
# Used by some versions of the Tanuki wrapper, not needed by I2P
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,

15
debian/apparmor/system_i2p vendored Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor et
#include <tunables/global>
profile system_i2p {
#include <abstractions/i2p>
owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwkl,
owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,
owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
owner /{,var/}run/i2p/router.ping rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/system_i2p>
}

48
debian/apparmor/usr.bin.i2prouter vendored Normal file
View File

@@ -0,0 +1,48 @@
# Last Modified: Thu Jan 29 03:17:01 2015
# vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global>
/usr/bin/i2prouter {
#include <abstractions/i2p>
capability sys_ptrace,
/usr/bin/i2prouter r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r,
/bin/{,b,d}ash rix,
/bin/cat rix,
/bin/grep rix,
/bin/mkdir rix,
/bin/ps rix,
/bin/rm rix,
/bin/sed rix,
/bin/sleep rix,
/bin/uname rix,
/bin/which rix,
/usr/bin/{,g,m}awk rix,
/usr/bin/cut rix,
/usr/bin/dirname rix,
/usr/bin/expr rix,
/usr/bin/id rix,
/usr/bin/ldd rix,
/usr/bin/tail rix,
/usr/bin/tr rix,
@{HOME}/.java/fonts/** r,
owner @{HOME}/.i2p/ rw,
owner @{HOME}/.i2p/** rwk,
# Prevent spamming the logs
deny owner @{HOME}/.java/ wk,
deny @{HOME}/.fontconfig/ wk,
deny @{HOME}/.java/fonts/** wk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.i2prouter>
}