source: debian/apparmor/i2p

Last change on this file was 428fb26, checked in by zzz <zzz@…>, 18 months ago

Debian: AppArmor fix for Oracle JVM (ticket #2319)
Allow any JRE or JDK to work

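# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # For launching browsers (the router console is opened in one).
  # NOTE(review): ubuntu-helpers defines the sanitized_helper child profile and
  # the two browser abstractions transition browsers into it.  That profile is
  # deliberately lenient (close to unconfined), so these three includes are the
  # widest exec grant in this file.  They only make sense for a desktop install
  # where a browser is launched from the router; for the system service they
  # look unnecessary -- confirm against the daemon's behaviour before removing.
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>

  # TCP and UDP over IPv4 and IPv6.  No raw or netlink sockets are granted.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
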
19  # Needed by Java
20  @{PROC}                                                 r,
21  owner @{PROC}/[0-9]*/                                   r,
22  owner @{PROC}/[0-9]*/cgroup                             r,
23  owner @{PROC}/[0-9]*/mountinfo                          r,
24  owner @{PROC}/[0-9]*/status                             r,
25  @{PROC}/[0-9]*/net/ipv6_route                           r,
26  @{PROC}/[0-9]*/net/if_inet6                             r,
27  /sys/devices/system/cpu/                                r,
28  /sys/devices/system/cpu/**                              r,
29  /sys/fs/cgroup/**                                       r,
30
31  /etc/ssl/certs/java/**                                  r,
32  /etc/timezone                                           r,
33  /usr/share/javazi/**                                    r,
34
35  /etc/java-*-openjdk/**                                  r,
36  # Allow any JRE or JDK
37  /usr/lib/jvm/*/jre/bin/java                             rix,
38  /usr/lib/jvm/*/jre/bin/keytool                          rix,
39
40  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
41  /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa          m,
42  /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa          m,
43
44  # needed for I2P's graphs
45  /usr/share/java/java-atk-wrapper.jar                    r,
46
47  # I2P specific
48  /usr/share/i2p/**                                       r,
49
50  # Used by some plugins
51  /usr/share/java/eclipse-ecj-*.jar                       r,
52
53  # Tanuki java wrapper
54  /etc/i2p/wrapper.config                                 r,
55  /usr/sbin/wrapper                                       rix,
56  /usr/share/java/wrapper*.jar                            r,
57
58  # Dependent packages
59  /usr/share/java/libintl.jar                             r,
60  /usr/share/java/glassfish-appserv-jstl.jar              r,
61  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
62  /usr/share/java/gnu-getopt.jar                          r,
63  /usr/share/java/gnu-getopt-*.jar                        r,
64  /usr/share/java/jetty9-*.jar                            r,
65  /usr/share/java/json-simple.jar                         r,
66  /usr/share/java/json-simple-*.jar                       r,
67  /usr/share/java/jsp-api-*.jar                           r,
68  /usr/share/java/servlet-api-*.jar                       r,
69  /usr/share/java/standard.jar                            r,
70  /usr/share/java/standard-*.jar                          r,
71  /usr/share/java/tomcat8-*.jar                           r,
72  /usr/share/java/tomcat9-*.jar                           r,
73  /usr/share/java/taglibs-standard-*.jar                  r,
74  /usr/share/flags/countries/16x11/*                      r,
75
76  # GeoIP data
77  /usr/share/GeoIP/*                                      r,
78
79  # Other /proc
80  @{PROC}/cpuinfo                                         r,
81  @{PROC}/net/if_inet6                                    r,
82
83  # 'm' is needed by the I2P-Bote plugin
84  /{,lib/live/mount/overlay/}tmp/                         rwm,
85  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/      rwk,
86  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/**    rw,
87  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
88  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
89  # Scrypt used by I2P-Bote
90  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
91  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,
92
93  # temp dir (service)
94  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
95  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
96  # temp dir (non-service)
97  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/         rwm,
98  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/**       rwkm,
99  # temp dir (Jetty default)
100  owner /{,lib/live/mount/overlay/}tmp/jetty-*/           rwm,
101  owner /{,lib/live/mount/overlay/}tmp/jetty-*/**         rwkm,
102
103  # /graphs in the router console
104  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,
105
106  # Prevent spamming the logs
107  deny /dev/tty                                           rw,
108  deny /{,lib/live/mount/overlay/}var/tmp/                r,
109  deny @{PROC}/[0-9]*/fd/                                 r,
110  deny /usr/sbin/                                         r,
111  deny /var/cache/fontconfig/                             wk,
112
113  # Some versions of the Tanuki wrapper package will try to load these jars but
114  # they are  not needed by I2P. The deny rule here will prevent the logs from
115  # being spammed.
116  deny /usr/share/java/hamcrest*.jar                      r,
117  deny /usr/share/java/junit*.jar                         r,