# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4
#
# AppArmor rules for the I2P router. No `profile` header or closing brace is
# present here, so this reads as a rule fragment pulled into a profile with
# #include rather than a standalone profile -- confirm against the including
# profile.
#
# Permission letters used below: r read, w write, m map with PROT_EXEC,
# k file locking, ix execute while inheriting this confinement. `owner`
# restricts a rule to files owned by the confined process's user. `deny`
# rules are explicit refusals that AppArmor does not log unless `audit` is
# added, which is why they are used below to keep the logs quiet.

#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>

# TCP and UDP over IPv4 and IPv6 only; no other socket types are granted.
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,

# Needed by Java
@{PROC} r,
owner @{PROC}/[0-9]*/ r,
owner @{PROC}/[0-9]*/status r,
# The two net/ entries are not `owner`-restricted, so they match any pid.
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/if_inet6 r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,

/etc/ssl/certs/java/** r,
/etc/timezone r,
/usr/share/javazi/** r,

# JVM binaries run with `ix`, so java and keytool stay under this confinement
# instead of transitioning to a profile of their own.
/etc/java-*-openjdk/** r,
/usr/lib/jvm/default-java/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,

# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,

# */client/classes.jsa is only found (and needed) in 32-bit JVMs.
/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
# NOTE(review): this Oracle glob (java-*-oracle-*) differs from the
# jdk-*-oracle-* glob used for the Oracle binaries above; confirm which
# install layout it is meant to match.
/usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,

# needed for I2P's graphs
/usr/share/java/java-atk-wrapper.jar r,

# I2P specific
/usr/share/i2p/** r,

# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,

# Tanuki java wrapper
/etc/i2p/wrapper.config r,
/usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,

# Dependent packages
/usr/share/java/libintl.jar r,
/usr/share/java/glassfish-appserv-jstl.jar r,
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r,
/usr/share/java/gnu-getopt.jar r,
/usr/share/java/gnu-getopt-*.jar r,
/usr/share/java/jetty9-*.jar r,
/usr/share/java/jsp-api-*.jar r,
/usr/share/java/servlet-api-*.jar r,
/usr/share/java/standard.jar r,
/usr/share/java/standard-*.jar r,
/usr/share/java/tomcat8-*.jar r,
/usr/share/java/taglibs-standard-*.jar r,
/usr/share/flags/countries/16x11/* r,

# GeoIP data
/usr/share/GeoIP/* r,

# Other /proc
@{PROC}/cpuinfo r,
@{PROC}/net/if_inet6 r,

# Temporary files. The {,lib/live/mount/overlay/} alternation makes each rule
# match both the plain path and the same path under the live-system overlay.
# 'm' is needed by the I2P-Bote plugin
# NOTE(review): the /tmp/ directory rule is the only write grant in this
# section without `owner`; every entry below it is owner-restricted. Check
# that w and m on the directory itself are still required.
/{,lib/live/mount/overlay/}tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/** rw,
owner /{,lib/live/mount/overlay/}tmp/wrapper* rwk,
owner /{,lib/live/mount/overlay/}tmp/wrapper*/** rw,
# Scrypt used by I2P-Bote
owner /{,lib/live/mount/overlay/}tmp/scrypt* rwk,
owner /{,lib/live/mount/overlay/}tmp/scrypt*/** rw,

# temp dir (service)
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/** rwkm,
# temp dir (non-service)
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/** rwkm,

# /graphs in the router console
owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp rwk,

# Prevent spamming the logs
# (these paths are probed at runtime but not needed; denying them explicitly
# keeps the refusals out of the audit log)
deny /dev/tty rw,
deny /{,lib/live/mount/overlay/}var/tmp/ r,
deny @{PROC}/[0-9]*/fd/ r,
deny /usr/sbin/ r,
deny /var/cache/fontconfig/ wk,

# Some versions of the Tanuki wrapper package will try to load these jars but
# they are not needed by I2P. The deny rules here prevent the logs from
# being spammed.
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,