Debian: confine daemon with apparmor (ticket #1061)

2015-02-18 22:25:24 +00:00
parent bb9cef1e40
commit 29953ea5e4
15 changed files with 323 additions and 62 deletions
--- a/debian/i2p.postinst
+++ b/debian/i2p.postinst
@@ -6,7 +6,7 @@ I2PHOME=/var/lib/i2p
 I2PSYSUSER=i2psvc

 conffile="/etc/default/i2p"
-systemdservice="/lib/systemd/system/i2p.service"
+#systemdservice="/lib/systemd/system/i2p.service"

 # Source debconf library -- we have a Depends line
 # to make sure it is there...
@@ -25,6 +25,7 @@ case "$1" in
            echo >> $conffile
            echo "RUN_DAEMON=" >> $conffile
            echo "I2PUSER=" >> $conffile
+            echo "CONFINE_WITH_APPARMOR=" >> $conffile
            echo "# The next value is also wrapper.java.maxmemory in /etc/i2p/wrapper.config" >> $conffile
            echo "MEMORYLIMIT=" >> $conffile
        fi
@@ -35,6 +36,8 @@ case "$1" in
        I2PUSER="$RET"
        db_get i2p/memory
        MEMORYLIMIT="$RET"
+        db_get i2p/aa
+        CONFINE_WITH_APPARMOR="$RET"

        cp -a -f $conffile $conffile.tmp

@@ -46,6 +49,8 @@ case "$1" in
            echo "I2PUSER=" >> $conffile
        test -z "$MEMORYLIMIT" || grep -Eq '^ *MEMORYLIMIT=' $conffile || \
            echo "MEMORYLIMIT=" >> $conffile
+        test -z "$CONFINE_WITH_APPARMOR" || grep -Eq '^ *CONFINE_WITH_APPARMOR=' $conffile || \
+            echo "CONFINE_WITH_APPARMOR=" >> $conffile

        if [ -z $RUN_DAEMON ]; then
            RUN_DAEMON="false"
@@ -57,22 +62,23 @@ case "$1" in
        sed -e "s/^ *RUN_DAEMON=.*/RUN_DAEMON=\"$RUN_DAEMON\"/" \
            -e "s/^ *I2PUSER=.*/I2PUSER=\"$I2PUSER\"/" \
            -e "s/^ *MEMORYLIMIT=.*/MEMORYLIMIT=\"$MEMORYLIMIT\"/" \
+            -e "s/^ *CONFINE_WITH_APPARMOR=.*/CONFINE_WITH_APPARMOR=\"$CONFINE_WITH_APPARMOR\"/" \
            < $conffile > $conffile.tmp
        mv -f $conffile.tmp $conffile

-        if [ -e "$systemdservice" ]; then
-            sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
-            mv -f "$systemdservice.tmp" "$systemdservice"
-            chmod 0644 -f "$systemdservice"
-            if [ -x /bin/systemctl ]; then
-                    systemctl --system daemon-reload
-                    if [ $RUN_DAEMON = 'true' ]; then
-                            systemctl enable i2p.service
-                    else
-                            systemctl disable i2p.service
-                    fi
-            fi
-        fi
+#        if [ -e "$systemdservice" ]; then
+#            sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
+#            mv -f "$systemdservice.tmp" "$systemdservice"
+#            chmod 0644 -f "$systemdservice"
+#            if grep -q 'systemd' /proc/1/comm > /dev/null 2>&1; then
+#                systemctl --system daemon-reload
+#                if [ $RUN_DAEMON = 'true' ]; then
+#                    systemctl enable i2p.service
+#                else
+#                    systemctl disable i2p.service
+#                fi
+#            fi
+#        fi

        sed -e "s/^ *wrapper\.java\.maxmemory=.*/wrapper\.java\.maxmemory=$MEMORYLIMIT/" \
            < /etc/i2p/wrapper.config > /etc/i2p/wrapper.config.tmp
@@ -117,3 +123,4 @@ esac
 #DEBHELPER#

 exit 0
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4