| 1 | # Last Modified: Thu May 21 18:30:32 2015 |
|---|
| 2 | # vim:syntax=apparmor et ts=4 sw=4 |
|---|
| 3 | |
|---|
| 4 | #include <abstractions/base> |
|---|
| 5 | #include <abstractions/fonts> |
|---|
| 6 | #include <abstractions/nameservice> |
|---|
| 7 | #include <abstractions/ssl_certs> |
|---|
| 8 | |
|---|
| 9 | network inet stream, |
|---|
| 10 | network inet6 stream, |
|---|
| 11 | |
|---|
| 12 | # Needed by Java |
|---|
| 13 | @{PROC} r, |
|---|
| 14 | owner @{PROC}/[0-9]*/ r, |
|---|
| 15 | owner @{PROC}/[0-9]*/status r, |
|---|
| 16 | @{PROC}/[0-9]*/net/ipv6_route r, |
|---|
| 17 | @{PROC}/[0-9]*/net/if_inet6 r, |
|---|
| 18 | /sys/devices/system/cpu/ r, |
|---|
| 19 | /sys/devices/system/cpu/** r, |
|---|
| 20 | |
|---|
| 21 | /etc/ssl/certs/java/** r, |
|---|
| 22 | /etc/timezone r, |
|---|
| 23 | /usr/share/javazi/** r, |
|---|
| 24 | |
|---|
| 25 | /etc/java-*-openjdk/** r, |
|---|
| 26 | /usr/lib/jvm/default-java/jre/bin/java rix, |
|---|
| 27 | /usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix, |
|---|
| 28 | /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix, |
|---|
| 29 | |
|---|
| 30 | # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories |
|---|
| 31 | /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix, |
|---|
| 32 | /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix, |
|---|
| 33 | |
|---|
| 34 | # */client/classes.jsa is only found (and needed) in 32-bit JVMs. |
|---|
| 35 | /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m, |
|---|
| 36 | /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m, |
|---|
| 37 | |
|---|
| 38 | # needed for I2P's graphs |
|---|
| 39 | /usr/share/java/java-atk-wrapper.jar r, |
|---|
| 40 | |
|---|
| 41 | # I2P specific |
|---|
| 42 | /usr/share/i2p/** r, |
|---|
| 43 | |
|---|
| 44 | # Used by some plugins |
|---|
| 45 | /usr/share/java/eclipse-ecj-*.jar r, |
|---|
| 46 | |
|---|
| 47 | # Tanuki java wrapper |
|---|
| 48 | /etc/i2p/wrapper.config r, |
|---|
| 49 | /usr/sbin/wrapper rix, |
|---|
| 50 | /usr/share/java/wrapper*.jar r, |
|---|
| 51 | |
|---|
| 52 | # 'm' is needed by the I2P-Bote plugin |
|---|
| 53 | /{,lib/live/mount/overlay/}tmp/ rwm, |
|---|
| 54 | owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/ rwm, |
|---|
| 55 | owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/** rwklm, |
|---|
| 56 | |
|---|
| 57 | # Prevent spamming the logs |
|---|
| 58 | deny /dev/tty rw, |
|---|
| 59 | deny @{PROC}/[0-9]*/fd/ r, |
|---|
| 60 | deny /usr/sbin/ r, |
|---|
| 61 | deny /var/cache/fontconfig/ wk, |
|---|
| 62 | |
|---|
| 63 | # Some versions of the Tanuki wrapper package will try to load these jars but |
|---|
| 64 | # they are not needed by I2P. The deny rule here will prevent the logs from |
|---|
| 65 | # being spammed. |
|---|
| 66 | deny /usr/share/java/hamcrest*.jar r, |
|---|
| 67 | deny /usr/share/java/junit*.jar r, |
|---|
