source: debian/apparmor/i2p @ b340f4a

Last change on this file since b340f4a was 93cb2a0, checked in by zzz <zzz@…>, 3 years ago

Debian: Fix apparmor profile (ticket #1986)

  • Property mode set to 100644
File size: 4.3 KB
1# Last Modified: Sun Dec 06 12:30:32 2015
2# vim:syntax=apparmor et ts=4 sw=4
3
4  #include <abstractions/base>
5  #include <abstractions/fonts>
6  #include <abstractions/nameservice>
7  #include <abstractions/ssl_certs>
8
9  network inet stream,
10  network inet dgram,
11  network inet6 stream,
12  network inet6 dgram,
13
14  # Needed by Java
15  @{PROC}                                                 r,
16  owner @{PROC}/[0-9]*/                                   r,
17  owner @{PROC}/[0-9]*/status                             r,
18  @{PROC}/[0-9]*/net/ipv6_route                           r,
19  @{PROC}/[0-9]*/net/if_inet6                             r,
20  /sys/devices/system/cpu/                                r,
21  /sys/devices/system/cpu/**                              r,
22
23  /etc/ssl/certs/java/**                                  r,
24  /etc/timezone                                           r,
25  /usr/share/javazi/**                                    r,
26
27  /etc/java-*-openjdk/**                                  r,
28  /usr/lib/jvm/default-java/jre/bin/java                  rix,
29  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
30  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,
31
32  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
33  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
34  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,
35
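36  # */client/classes.jsa is only found (and needed) in 32-bit JVMs. NOTE(review): the Oracle rule below matches java-*-oracle-*, while the Oracle java/keytool rules above match jdk-*-oracle-*; confirm which directory prefix the packages actually install.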
37  /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
38  /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,
39
40  # needed for I2P's graphs
41  /usr/share/java/java-atk-wrapper.jar                    r,
42
43  # I2P specific
44  /usr/share/i2p/**                                       r,
45
46  # Used by some plugins
47  /usr/share/java/eclipse-ecj-*.jar                       r,
48
49  # Tanuki java wrapper
50  /etc/i2p/wrapper.config                                 r,
51  /usr/sbin/wrapper                                       rix,
52  /usr/share/java/wrapper*.jar                            r,
53
54  # Dependent packages
55  /usr/share/java/libintl.jar                             r,
56  /usr/share/java/glassfish-appserv-jstl.jar              r,
57  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
58  /usr/share/java/gnu-getopt.jar                          r,
59  /usr/share/java/gnu-getopt-*.jar                        r,
60  /usr/share/java/jetty9-*.jar                            r,
61  /usr/share/java/jsp-api-*.jar                           r,
62  /usr/share/java/servlet-api-*.jar                       r,
63  /usr/share/java/standard.jar                            r,
64  /usr/share/java/standard-*.jar                          r,
65  /usr/share/java/tomcat8-*.jar                           r,
66
67  # GeoIP data
68  /usr/share/GeoIP/*                                      r,
69
70  # Other /proc
71  @{PROC}/cpuinfo                                         r,
72  @{PROC}/net/if_inet6                                    r,
73
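74  # 'm' (executable mmap) is needed by the I2P-Bote plugin. Where it is combined with 'w' below (tmp/i2p-daemon/**), the confined process can map files it wrote there as executable, so keep 'm' limited to the paths that need it.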
75  /{,lib/live/mount/overlay/}tmp/                         rwm,
76  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
77  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/** rw,
78  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
79  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
80  # Scrypt used by I2P-Bote
81  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
82  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,
83  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
84  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
85  # /graphs in the router console
86  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,
87
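88  # Prevent spamming the logs: these accesses are not needed, and an explicit deny rule refuses them without logging each denial.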
89  deny /dev/tty                                           rw,
90  deny /{,lib/live/mount/overlay/}var/tmp/                r,
91  deny @{PROC}/[0-9]*/fd/                                 r,
92  deny /usr/sbin/                                         r,
93  deny /var/cache/fontconfig/                             wk,
94
95  # Some versions of the Tanuki wrapper package will try to load these jars, but
96  # they are not needed by I2P. The deny rules here keep the resulting denials
97  # from spamming the logs.
98  deny /usr/share/java/hamcrest*.jar                      r,
99  deny /usr/share/java/junit*.jar                         r,