source: debian/apparmor/i2p @ 6ca38307

Last change on this file since 6ca38307 was 6ca38307, checked in by zzz <zzz@…>, 2 years ago

Debian: AppArmor updates (ticket #2319)

# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4
#
# AppArmor rules for the I2P router (a Java process started through the
# Tanuki wrapper). There is no `profile` header and no enclosing braces in
# this file, so it is presumably pulled into the real profile(s) via
# #include - which is also why every rule is indented. Confirm against the
# profile files that sit next to it in debian/apparmor/.
#
# Reviewer summary of what this rule set does and does not grant:
#   - Network: only inet/inet6 stream and dgram sockets. No raw/packet
#     sockets and no `capability` rules appear in this file.
#   - Execution: the JVM, keytool and the wrapper are all `ix`, so the
#     children inherit this same confinement rather than escaping it.
#   - Writes: every write permission in this file is under /tmp (or the
#     same path under the live-CD overlay root); several of those trees
#     also carry `m`, see the note at the temp-dir section below.

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # For launching browsers (from the router console).
  # NOTE(review): these abstractions are defined outside this file and, by
  # name, exist so a confined application can spawn a browser. If this rule
  # set is also loaded for the unattended service case (see the
  # /tmp/i2p-daemon rules further down) that is attack surface a daemon
  # never needs; consider keeping the browser includes in the desktop
  # profile only. Confirm which profiles include this file.
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>

  # Stream (TCP) and datagram (UDP) sockets over IPv4 and IPv6 only.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Needed by Java.
  # `@{PROC}` alone is the /proc directory listing. The per-pid entries are
  # limited with `owner` to processes running as the confined uid; the two
  # net/ files are readable for any pid (presumably because Java reaches
  # them through /proc/<pid>/net/ of its own pid - they could likely carry
  # `owner` as well; verify before tightening).
  @{PROC}                                                 r,
  owner @{PROC}/[0-9]*/                                   r,
  owner @{PROC}/[0-9]*/cgroup                             r,
  owner @{PROC}/[0-9]*/mountinfo                          r,
  owner @{PROC}/[0-9]*/status                             r,
  @{PROC}/[0-9]*/net/ipv6_route                           r,
  @{PROC}/[0-9]*/net/if_inet6                             r,
  # CPU topology and the whole cgroup tree, read-only.
  /sys/devices/system/cpu/                                r,
  /sys/devices/system/cpu/**                              r,
  /sys/fs/cgroup/**                                       r,

  # Java-specific CA store, and timezone data.
  /etc/ssl/certs/java/**                                  r,
  /etc/timezone                                           r,
  /usr/share/javazi/**                                    r,

  # OpenJDK: config is read-only; the binaries are `ix` (execute, inheriting
  # this policy). `default-java` and the versioned paths cover whichever
  # OpenJDK build is installed.
  /etc/java-*-openjdk/**                                  r,
  /usr/lib/jvm/default-java/jre/bin/java                  rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,

  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,

  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
  # `m` = the file may be mmap()ed PROT_EXEC.
  # NOTE(review): the Oracle rule below uses `java-*-oracle-*`, whereas the
  # Oracle binaries above are matched with `jdk-*-oracle-*`; one of the two
  # spellings is probably wrong and the classes.jsa rule may never match on
  # a real install. Check the actual JVM directory name and align them.
  /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
  /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,

  # needed for I2P's graphs
  /usr/share/java/java-atk-wrapper.jar                    r,

  # I2P specific: the installed router tree is read-only to the router.
  /usr/share/i2p/**                                       r,

  # Used by some plugins (the ECJ Java compiler jar).
  /usr/share/java/eclipse-ecj-*.jar                       r,

  # Tanuki java wrapper: config read-only, binary runs confined (`ix`).
  /etc/i2p/wrapper.config                                 r,
  /usr/sbin/wrapper                                       rix,
  /usr/share/java/wrapper*.jar                            r,

  # Dependent packages (all read-only jars and data files).
  /usr/share/java/libintl.jar                             r,
  /usr/share/java/glassfish-appserv-jstl.jar              r,
  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
  /usr/share/java/gnu-getopt.jar                          r,
  /usr/share/java/gnu-getopt-*.jar                        r,
  /usr/share/java/jetty9-*.jar                            r,
  /usr/share/java/json-simple.jar                         r,
  /usr/share/java/json-simple-*.jar                       r,
  /usr/share/java/jsp-api-*.jar                           r,
  /usr/share/java/servlet-api-*.jar                       r,
  /usr/share/java/standard.jar                            r,
  /usr/share/java/standard-*.jar                          r,
  /usr/share/java/tomcat8-*.jar                           r,
  /usr/share/java/tomcat9-*.jar                           r,
  /usr/share/java/taglibs-standard-*.jar                  r,
  /usr/share/flags/countries/16x11/*                      r,

  # GeoIP data
  /usr/share/GeoIP/*                                      r,

  # Other /proc (system-wide, not per-pid, hence no `owner`).
  @{PROC}/cpuinfo                                         r,
  @{PROC}/net/if_inet6                                    r,

  # Temporary files. The `{,lib/live/mount/overlay/}` alternation makes each
  # rule also cover /tmp as seen through the live-CD overlay root. `owner`
  # limits the file rules to files owned by the confined uid, which is the
  # guard against another local user pre-creating names in the
  # world-writable /tmp. The /tmp directory entry itself has no `owner`
  # (it is normally root-owned; `w` on it is what allows creating entries).
  # NOTE(review): wherever `m` is granted below, the router may write a file
  # into its temp tree and then map it executable - this policy therefore
  # does not prevent loading native code the router itself drops in /tmp.
  # The original comment attributes the need to I2P-Bote (presumably native
  # libraries extracted at run time - confirm); if the exact file names are
  # known, narrowing `m` to them would tighten this.
  # 'm' is needed by the I2P-Bote plugin
  /{,lib/live/mount/overlay/}tmp/                         rwm,
  # JVM performance-data directory and wrapper scratch files; `k` = file locking.
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/      rwk,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/**    rw,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
  # Scrypt used by I2P-Bote
  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,

  # temp dir (service) - note `m` on the whole tree, see the note above.
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
  # temp dir (non-service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/         rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/**       rwkm,
  # temp dir (Jetty default) - where Jetty unpacks web applications.
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/           rwm,
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/**         rwkm,

  # /graphs in the router console
  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,

  # Prevent spamming the logs. AppArmor `deny` rules are quiet (no audit
  # entry is written) and take precedence over any allow rule for the same
  # path, including ones coming from the included abstractions - so e.g.
  # the fontconfig cache stays read-only here even if abstractions/fonts
  # would allow writing it.
  deny /dev/tty                                           rw,
  deny /{,lib/live/mount/overlay/}var/tmp/                r,
  deny @{PROC}/[0-9]*/fd/                                 r,
  deny /usr/sbin/                                         r,
  deny /var/cache/fontconfig/                             wk,

  # Some versions of the Tanuki wrapper package will try to load these jars but
  # they are not needed by I2P. The deny rule here will prevent the logs from
  # being spammed.
  deny /usr/share/java/hamcrest*.jar                      r,
  deny /usr/share/java/junit*.jar                         r,