Changeset 29953ea


Timestamp:
Feb 18, 2015 10:25:24 PM (5 years ago)
Author:
kytv <kytv@…>
Branches:
master
Children:
6d58f9a
Parents:
bb9cef1
Message:

Debian: confine daemon with apparmor (ticket #1061)

Files:
4 added
11 edited

  • build.xml

    rbb9cef1 r29953ea  
    6868            <echo message=" " />
    6969            <echo message="apt-get install debhelper ant debconf default-jdk gettext libgmp3-dev po-debconf fakeroot build-essential \" />
    70             <echo message="                   quilt libcommons-logging-java" />
     70            <echo message="                   quilt libcommons-logging-java dh-apparmor" />
    7171            <echo message=" " />
    7272            <echo message="Once the dependencies are installed, run &quot;ant debian&quot;"/>
  • debian/NEWS

    rbb9cef1 r29953ea  
    55  be in wrapper.service have been moved to the initscript. If you have changed
    66  the amount of memory set aside for I2P, you'll need to make that change to
    7   /etc/i2p/wrapper.config. 
    8  
     7  /etc/i2p/wrapper.config.
     8
    99  The I2P router is now split into four different packages: i2p, i2p-doc,
    1010  i2p-router, and libjbigi.
  • debian/changelog

    rbb9cef1 r29953ea  
    1 i2p (0.9.16-1) UNRELEASED; urgency=medium
     1i2p (0.9.18-1) UNRELEASED; urgency=medium
    22
    33  * New upstream release
    4 
    5  -- Kill Your TV <killyourtv@i2pmail.org>  Thu, 30 Oct 2014 20:07:50 +0000
     4  * Confine with AppArmor
     5
     6 -- Kill Your TV <killyourtv@i2pmail.org>  Sun, 22 Feb 2015 00:00:00 +0000
     7
     8i2p (0.9.17-1) unstable; urgency=medium
     9
     10  * New Upstream Version
     11    Changes
     12    - Signed news
     13    - ECDSA default for new server tunnels
     14    - Reseeding now SSL-only by default
     15    Bug Fixes
     16    - Fix SSU sending corrupt ack-only packets with partial bitfields
     17    - Fix SSU inbound connection fail from non-DSA router
     18    - Don't select incompatible peers if we are a non-DSA router
     19    - Fix EdDSA signature verification bug
     20    - Set I2NP lookup type flags in all cases, not just when a reply tunnel is used
     21    - Stop i2ptunnel server acceptor thread after close
     22    - Fix bug preventing some plugins from stopping completely
     23    - Fix SAM v3 bug causing failures in incoming connections
     24    Other
     25    - Add a warning in the console sidebar if ECDSA not supported
     26    - Log warnings for Java 6 that we will eventually require Java 7
     27    - Don't let proxied routers auto-floodfill
     28    - Don't resend SSU acks that are too old
     29    - Don't publish direct info in SSU address if introducers are required
     30    - New default opentrackers in i2psnark
     31    - Add support for specifiying data directory per-torrent in i2psnark
     32    - Changes in streaming accept() error behavior
     33    - Minor blockfile format changes
     34    - New option for persistent random key to preserve peer ordering across restarts
     35    - Translation updates
     36    - Update GeoIP data
     37
     38 -- Kill Your TV <killyourtv@i2pmail.org>  Sun, 30 Nov 2014 22:20:06 +0000
     39
     40i2p (0.9.16-1) unstable; urgency=medium
     41
     42  * New Upstream Version
     43    - Add support for stronger Router Info signatures
     44    - Encrypt RI lookups and responses on faster boxes
     45    - Require I2CP authorization for all messages when enabled (requires 0.9.11
     46      or higher client)
     47    - Disable TLSv3 and older ciphers for reseeding and other uses of SSL
     48    - Use ECDSA by default for i2ptunnel IRC, SOCKS-IRC, and standard client
     49      tunnels
     50    - Don't prefer floodfills in some countries
     51    - New column sorting, set-all priority buttons, and upload ratio display in
     52      i2psnark
     53    - Increase i2psnark tunnel default to 3 hops
     54    - Implement bundling of multiple fragments in a single SSU message for
     55      efficiency
     56    - New add-to-addressbook links on netdb leaseset page
     57    - Implement I2NP DatabaseLookupMessage search type field to improve lookup
     58      efficiency
     59    - CPUID fixes and updates for recent processors
     60    - i2psnark fix magnet links with %-encoding
     61    - Improve handling of SSU socket closing out from under us (hopefully fix
     62      100% CPU)
     63    - SSU bitfield handling fixes
     64    - Fix HTTP header issues in i2psnark
     65    - Fix rare NPE when building garlic message
     66    - Fix console lockups (hopefully)
     67    - Fix i2ptunnel js confirm-delete
     68    - Move router data structures from i2p.jar to router.jar (breaks i2pcontrol
     69      plugin)
     70    - New router keys now stored in router.keys.dat (privKeys.dat format)
     71      instead of router.keys
     72    - Improve handling of unsupported encryption throughout
     73    - More error checking of client I2CP messages by the router
     74    - Initial work on hooks for pluggable transports
     75    - Enforce request timestamp in tunnel build messages
     76    - Re-enable message status in streaming, but treat no leaseset as a soft
     77      failure for now
     78    - Return unused DH keypairs to the pool for efficiency
     79    - Raise failsafe tagset limit and improve deletion strategy when hit
     80    - Change eepsite Jetty threadpool and queue configuration
     81    - NTCP establishment refactoring in prep for NTCP2 and PT
     82    - Jetty 8.1.16-v20140903
     83    - Translation updates
     84    - Update GeoIP data
    685
    786i2p (0.9.15-1) unstable; urgency=medium
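Review bot: in the 0.9.16-1 entry (new line 47), "Disable TLSv3 and older ciphers" names a protocol version that does not exist; given "and older" this presumably means SSLv3, so check it against the upstream release notes. "specifiying" at new line 31 should read "specifying". The 0.9.17 and 0.9.16 entries are also unrelated to the AppArmor change named in the commit message and would be easier to review as a separate commit.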
  • debian/control

    rbb9cef1 r29953ea  
    22Maintainer: Kill Your TV <killyourtv@i2pmail.org>
    33Section: net
    4 Standards-Version: 3.9.5
     4Standards-Version: 3.9.6
    55Priority: optional
    66Bugs: mailto:killyourtv@i2pmail.org
     
    1111 ,debconf
    1212 ,default-jdk | openjdk-7-jdk | openjdk-6-jdk
     13 ,dh-apparmor
    1314 ,gettext
    1415 ,libgmp3-dev
     
    7273Priority: optional
    7374Depends: ${misc:Depends}, ${java:Depends}, ${shlibs:Depends},
    74  openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
     75 openjdk-8-jre-headless | openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java8-runtime-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
    7576Replaces: i2p ( << 0.8.6-5)
    7677Breaks: i2p (<< 0.8.6-5)
     
    8788 ,news-reader
    8889 ,polipo
    89  ,privox
     90 ,privoxy
    9091 ,robert
    9192 ,syndie
  • debian/i2p.config

    rbb9cef1 r29953ea  
    1 #!/bin/sh -e
     1#!/bin/sh
     2
     3set -e
    24# I2P package configuration script
    35
     
    810# Load config file if it exists
    911if [ -e $conffile ]; then
    10         . $conffile
     12    . $conffile
    1113
    12         # wrapper.config always takes priority
    13         MEMORYLIMIT=$(sed -e '/^wrapper\.java\.maxmemory/!d' -e 's/^wrapper\.java\.maxmemory\ *=\ *//' /etc/i2p/wrapper.config)
     14    # wrapper.config always takes priority
     15    MEMORYLIMIT=$(awk -F= '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config)
    1416
    15 
    16         db_set i2p/daemon "$RUN_DAEMON"
    17         db_set i2p/user "$I2PUSER"
    18         db_set i2p/memory "$MEMORYLIMIT"
     17    db_set i2p/daemon "$RUN_DAEMON"
     18    db_set i2p/user "$I2PUSER"
     19    db_set i2p/memory "$MEMORYLIMIT"
     20    db_set i2p/aa "$CONFINE_WITH_APPARMOR"
    1921fi
    2022
    2123db_input medium i2p/daemon || true
    2224db_go
     25
    2326db_get i2p/daemon || true
    2427if [ "$RET" = "true" ]; then
    25         db_input medium i2p/user || true
    26         db_go
     28    db_input medium i2p/user || true
     29    db_go
    2730fi
    2831
    2932db_input medium i2p/memory || true
    3033db_go
     34
     35db_input medium i2p/aa || true
     36db_go
     37
     38# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
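Review bot: db_set i2p/aa "$CONFINE_WITH_APPARMOR" (new line 20) runs whenever $conffile exists, but a conffile written before this change has no CONFINE_WITH_APPARMOR line, so on upgrade the boolean question is set to an empty string instead of keeping the template's Default: true. Guard the call with a [ -n "$CONFINE_WITH_APPARMOR" ] test. Also, the awk replacement at new line 15 no longer strips spaces around "=" as the sed expression did, and prints one line per match, so a "wrapper.java.maxmemory = 128" entry or a duplicated key now yields a MEMORYLIMIT with whitespace or several lines in it.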
  • debian/i2p.init

    rbb9cef1 r29953ea  
    3333NICE=0
    3434I2PUSER="i2psvc"
     35USE_AA="yes"
    3536
    3637I2P_ARGS="/etc/i2p/wrapper.config \
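Review bot: USE_AA="yes" (new line 35) does not line up with what the rest of this changeset stores: debian/i2p.postinst writes CONFINE_WITH_APPARMOR to /etc/default/i2p, and its value comes from a debconf boolean, i.e. true or false, while the start function tests [ "$USE_AA" = "yes" ]. None of the visible hunks maps CONFINE_WITH_APPARMOR onto USE_AA; unless that mapping sits in the unchanged part of the script, the debconf answer has no effect and the daemon is always started as if confinement were requested. Either read CONFINE_WITH_APPARMOR directly here or add the translation and a comment next to this default.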
     
    4445 wrapper.daemonize=TRUE"
    4546
    46 [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
    47 [ -r /lib/init/vars.sh ] && . /lib/init/vars.sh
     47. /lib/lsb/init-functions
     48. /lib/init/vars.sh
    4849
    4950
    5051for ENV_FILE in /etc/environment /etc/default/locale; do
    51 [ -r "$ENV_FILE" ] || continue
    52 [ -s "$ENV_FILE" ] || continue
    53 
    54  for var in LANG LANGUAGE LC_ALL LC_CTYPE; do
    55      value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2`
    56      [ -n "$value" ] && eval export $var=$value
    57 
    58 # This is commented out for Ubuntu: Ubuntu still creates
    59 # /etc/environment in the most recent release
    60 # (currently 'Precise').
    61 #
    62 # TODO Add logic to automatically handle this
    63 #
    64 # Commented for Ubuntu since PPA packages 0.9-1$DISTRO1.
    65 # Packages for Debian systems will have this stanza uncommented.
    66 #
    67 #     if [ -n "$value" ] && [ "$ENV_FILE" = /etc/environment ]; then
    68 #         log_warning_msg "/etc/environment has been deprecated for locale information; use /etc/default/locale for $var=$value instead"
    69 #     fi
    70 
    71  done
     52    [ -r "$ENV_FILE" ] || continue
     53    [ -s "$ENV_FILE" ] || continue
     54
     55    for var in LANG LANGUAGE LC_ALL LC_CTYPE; do
     56        value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2`
     57        [ -n "$value" ] && eval export $var=$value
     58
     59    done
    7260done
    7361
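Review bot: the re-indented line [ -n "$value" ] && eval export $var=$value (new line 57) still passes text read from /etc/environment and /etc/default/locale through eval in a script that runs as root, so any shell metacharacters in those values are executed. Since the line is being touched anyway, strip the optional surrounding quotes from $value explicitly and use export "$var=$value" without eval. The removal of the [ -r ... ] guards on the two sourced files at new lines 47-48 also means a missing /lib/init/vars.sh now aborts the script; say in the commit message that this is intended.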
     
    8169
    8270case "$RUN_DAEMON" in
    83         [NnFf]*)
    84                 log_action_msg "$DESC daemon disabled in /etc/default/$NAME".
    85                 exit 0
    86                 ;;
     71    [NnFf]*)
     72        log_action_msg "$DESC daemon disabled in /etc/default/$NAME".
     73        exit 0
     74        ;;
    8775esac
    8876
     
    112100    chown -Rf $I2PUSER:$I2PUSER  $I2PTEMP $RUN > /dev/null 2>&1
    113101    chown -f -R $I2PUSER:i2psvc /var/log/$NAME > /dev/null 2>&1
    114     TZ=UTC start-stop-daemon --start --quiet -c $I2PUSER --pidfile $PIDFILE --exec $DAEMON -n $NICE -- \
    115         $I2P_ARGS || return 2
     102    if [ "$USE_AA" = "yes" ] && \
     103       [ -x /usr/sbin/aa-status ] && \
     104       [ -x /usr/sbin/aa-exec ] && \
     105       [ -e /etc/apparmor.d/system_i2p ] && \
     106       /usr/sbin/aa-status --enabled ; then
     107            AA="--startas /usr/sbin/aa-exec"
     108            AA_ARGS="--profile=system_i2p -- $DAEMON"
     109    else
     110            AA=""
     111            AA_ARGS=""
     112    fi
     113
     114    TZ=UTC start-stop-daemon --start --quiet --chuid $I2PUSER --pidfile $PIDFILE $AA --exec $DAEMON --nicelevel $NICE -- \
     115        $AA_ARGS $I2P_ARGS || return 2
     116
     117    # FIXME Temporary hack
     118    # Files from /usr/share/i2p should have been copied, if need be, well before the 15 seconds are up.
     119    if [ ! -f /var/lib/i2p/i2p-config/.perms ] && [ $I2PUSER = "i2psvc" ]; then
     120        sleep 15
     121        find /var/lib/i2p/ -type d -exec chmod 770 {} \;
     122        find /var/lib/i2p/ -type f -exec chmod 660 {} \;
     123        touch /var/lib/i2p/i2p-config/.perms
     124    fi
    116125}
    117126
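Review bot: the else branch at new lines 109-112 starts the daemon unconfined without saying so. If USE_AA is yes but aa-status, aa-exec or /etc/apparmor.d/system_i2p is missing, or aa-status --enabled fails, AA and AA_ARGS are emptied and start-stop-daemon runs $DAEMON directly, and with --quiet set an administrator who opted into confinement gets no indication that it was skipped. Emit a log_warning_msg in that branch when USE_AA is yes. Separately, [ $I2PUSER = "i2psvc" ] at new line 119 should quote $I2PUSER, and the fixed sleep 15 before the chmod pass delays every first start and is still a race if the copy takes longer.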
     
    125134
    126135    rm -rf "$I2PTEMP" > /dev/null 2>&1
    127     [ -d "$RUN" ] && rmdir --ignore-fail-on-non-empty "$RUN" > /dev/null 2>&1
     136    [ -d "$RUN" ] && rm -f "$RUN/*" > /dev/null 2>&1
     137    [ -d "$RUN" ] && rmdir "$RUN" > /dev/null 2>&1
    128138}
    129139
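Review bot: in rm -f "$RUN/*" (new line 136) the glob sits inside the double quotes, so it is never expanded and the command only tries to remove a file literally named "*". Nothing in $RUN is deleted, and because the following rmdir no longer has --ignore-fail-on-non-empty it fails on a non-empty directory with the error hidden by the redirect. Write rm -f "$RUN"/* so the shell expands the pattern.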
  • debian/i2p.install

    rbb9cef1 r29953ea  
    22pkg-temp/wrapper.config etc/i2p
    33pkg-temp/locale usr/share/i2p
     4debian/apparmor/i2p etc/apparmor.d/abstractions
     5debian/apparmor/usr.bin.i2prouter etc/apparmor.d
     6debian/apparmor/system_i2p etc/apparmor.d
  • debian/i2p.postinst

    rbb9cef1 r29953ea  
    77
    88conffile="/etc/default/i2p"
    9 systemdservice="/lib/systemd/system/i2p.service"
     9#systemdservice="/lib/systemd/system/i2p.service"
    1010
    1111# Source debconf library -- we have a Depends line
     
    2626            echo "RUN_DAEMON=" >> $conffile
    2727            echo "I2PUSER=" >> $conffile
     28            echo "CONFINE_WITH_APPARMOR=" >> $conffile
    2829            echo "# The next value is also wrapper.java.maxmemory in /etc/i2p/wrapper.config" >> $conffile
    2930            echo "MEMORYLIMIT=" >> $conffile
     
    3637        db_get i2p/memory
    3738        MEMORYLIMIT="$RET"
     39        db_get i2p/aa
     40        CONFINE_WITH_APPARMOR="$RET"
    3841
    3942        cp -a -f $conffile $conffile.tmp
     
    4750        test -z "$MEMORYLIMIT" || grep -Eq '^ *MEMORYLIMIT=' $conffile || \
    4851            echo "MEMORYLIMIT=" >> $conffile
     52        test -z "$CONFINE_WITH_APPARMOR" || grep -Eq '^ *CONFINE_WITH_APPARMOR=' $conffile || \
     53            echo "CONFINE_WITH_APPARMOR=" >> $conffile
    4954
    5055        if [ -z $RUN_DAEMON ]; then
     
    5863            -e "s/^ *I2PUSER=.*/I2PUSER=\"$I2PUSER\"/" \
    5964            -e "s/^ *MEMORYLIMIT=.*/MEMORYLIMIT=\"$MEMORYLIMIT\"/" \
     65            -e "s/^ *CONFINE_WITH_APPARMOR=.*/CONFINE_WITH_APPARMOR=\"$CONFINE_WITH_APPARMOR\"/" \
    6066            < $conffile > $conffile.tmp
    6167        mv -f $conffile.tmp $conffile
    6268
    63         if [ -e "$systemdservice" ]; then
    64             sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
    65             mv -f "$systemdservice.tmp" "$systemdservice"
    66             chmod 0644 -f "$systemdservice"
    67             if [ -x /bin/systemctl ]; then
    68                     systemctl --system daemon-reload
    69                     if [ $RUN_DAEMON = 'true' ]; then
    70                             systemctl enable i2p.service
    71                     else
    72                             systemctl disable i2p.service
    73                     fi
    74             fi
    75         fi
     69#        if [ -e "$systemdservice" ]; then
     70#            sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
     71#            mv -f "$systemdservice.tmp" "$systemdservice"
     72#            chmod 0644 -f "$systemdservice"
     73#            if grep -q 'systemd' /proc/1/comm > /dev/null 2>&1; then
     74#                systemctl --system daemon-reload
     75#                if [ $RUN_DAEMON = 'true' ]; then
     76#                    systemctl enable i2p.service
     77#                else
     78#                    systemctl disable i2p.service
     79#                fi
     80#            fi
     81#        fi
    7682
    7783        sed -e "s/^ *wrapper\.java\.maxmemory=.*/wrapper\.java\.maxmemory=$MEMORYLIMIT/" \
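Review bot: the systemd handling (new lines 69-81) and the systemdservice variable at new line 9 are commented out rather than removed, with no comment explaining why. The effect is that User= in i2p.service is no longer rewritten to $I2PUSER and the unit is no longer enabled or disabled according to RUN_DAEMON, which changes behaviour on systemd hosts beyond what the commit message describes. Either delete the block and record the reason in debian/changelog, or add a comment above it stating when it is expected to return.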
     
    118124
    119125exit 0
     126# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
  • debian/i2p.templates

    rbb9cef1 r29953ea  
    3434 High bandwidth routers, as well as routers with a lot of active torrents / plugins, may
    3535 need to have this value increased.
     36
     37Template: i2p/aa
     38Type: boolean
     39Default: true
     40_Description: Run I2P daemon confined with AppArmor
     41 With this option enabled I2P will be sandboxed with AppArmor, restricting which files and
     42 directories may be accessed by I2P.
  • debian/po/templates.pot

    rbb9cef1 r29953ea  
    77msgid ""
    88msgstr ""
    9 "Project-Id-Version: PACKAGE VERSION\n"
     9"Project-Id-Version: i2p\n"
    1010"Report-Msgid-Bugs-To: https://trac.i2p2.de/\n"
    11 "POT-Creation-Date: 2011-12-27 22:25+0000\n"
     11"POT-Creation-Date: 2015-02-18 22:14+0000\n"
    1212"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
    1313"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
     
    7575"plugins, may need to have this value increased."
    7676msgstr ""
     77
     78#. Type: boolean
     79#. Description
     80#: ../i2p.templates:5001
     81msgid "Run I2P daemon confined with AppArmor"
     82msgstr ""
     83
     84#. Type: boolean
     85#. Description
     86#: ../i2p.templates:5001
     87msgid ""
     88"With this option enabled I2P will be sandboxed with AppArmor, restricting "
     89"which files and directories may be accessed by I2P."
     90msgstr ""
  • debian/rules

    rbb9cef1 r29953ea  
    104104        dh_compress -X.xsl -X.xml
    105105
     106override_dh_install:
     107        dh_install --list-missing
     108        dh_apparmor --profile-name=system_i2p -pi2p
     109        dh_apparmor --profile-name=usr.bin.i2prouter -pi2p
     110
    106111override_dh_installchangelogs:
    107112        dh_installchangelogs history.txt