Opened 2 years ago
Closed 2 years ago
#1986 closed defect (fixed)
[deb] Apparmor profile for Debian needs to be updated
| Reported by: | vk | Owned by: | zzz |
|---|---|---|---|
| Priority: | major | Milestone: | 0.9.31 |
| Component: | package/debian | Version: | 0.9.29 |
| Keywords: | Cc: | ||
| Parent Tickets: |
Description (last modified by vk)
Latest I2P package fails to start on Apparmor-enabled systems due to the Apparmor profile.
Following files are in question:
/usr/share/java/gnu-getopt-1.0.14.jar
/usr/share/java/libintl.jar
/usr/share/java/servlet-api-3.0.jar
/usr/share/java/jetty8-continuation-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-http-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-xml-8.1.16.v20140903.jar
/usr/share/java/jetty8-io-8.1.16.v20140903.jar
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar
In addition, access to /var/lib/GeoIP{,v6}.dat should be granted. This does not affect normal I2P operation, except that country falgs are not displayed in Peers list in the confole for example.
- Does I2P need access to all the JARs listed? http://bazaar.launchpad.net/~i2p.packages/i2p/trunk/view/head:/debian/apparmor/i2p lines 78,79 suggest that some JARs from /usr/share/java/ should not be loaded.
- I can submit a patch for this, which monotone branch I should use?
Subtickets
Change History (7)
comment:1 Changed 2 years ago by vk
- Description modified (diff)
comment:2 Changed 2 years ago by zzz
- Milestone changed from undecided to 0.9.31
- Status changed from new to accepted
comment:3 Changed 2 years ago by echelon
Just to note: the i2p monotone branch is i2p.i2p ;-)
comment:4 Changed 2 years ago by zzz
I'll do this. No patch from OP required.
comment:5 Changed 2 years ago by zzz
- Status changed from accepted to testing
In f87026014920e36649ffe2da8050a785bd772b46 to be 0.9.30-4
Please test and report results.
Patch:
#
# old_revision [c291d4c7bb733551cfea7d38d91b825bdea9dc29]
#
# patch "debian/apparmor/i2p"
# from [94c7f1390941dc5f36ea168e7654e9e5d0a53336]
# to [3e14c360b29b7fc449c79a1340357f98352d17c1]
#
============================================================
--- debian/apparmor/i2p 94c7f1390941dc5f36ea168e7654e9e5d0a53336
+++ debian/apparmor/i2p 3e14c360b29b7fc449c79a1340357f98352d17c1
@@ -51,6 +51,26 @@
/usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,
+ # Dependent packages
+ /usr/share/java/libintl.jar r,
+ /usr/share/java/glassfish-appserv-jstl.jar r,
+ /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r,
+ /usr/share/java/gnu-getopt.jar r,
+ /usr/share/java/gnu-getopt-*.jar r,
+ /usr/share/java/jetty9-*.jar r,
+ /usr/share/java/jsp-api-*.jar r,
+ /usr/share/java/servlet-api-*.jar r,
+ /usr/share/java/standard.jar r,
+ /usr/share/java/standard-*.jar r,
+ /usr/share/java/tomcat8-*.jar r,
+
+ # GeoIP data
+ /usr/share/GeoIP/* r,
+
+ # Other /proc
+ @{PROC}/cpuinfo r,
+ @{PROC}/net/if_inet6 r,
+
# 'm' is needed by the I2P-Bote plugin
/{,lib/live/mount/overlay/}tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
comment:6 Changed 2 years ago by vk
I would suggest stricter rule for GeoIP:
/usr/share/GeoIP/GeoIP{,v6}.dat r,
Otherwise - tested, works well.
Also, out of curiosity - why allow reads to /proc/cpuinfo and /proc/net/if_inet6 ?
comment:7 Changed 2 years ago by zzz
- Resolution set to fixed
- Status changed from testing to closed
Thanks for review and testing. I added the whole GeoIP directory to make it simpler, and because we might use the other files in there someday soon... we've been talking about ASN-aware peer selection for a while now. The cpuinfo is for CPU detection on ARM; the if_inet6 is to figure out which IPv6 addresses are temporary and deprecated, there's no Java API for that. I tried hard to think of any other files we access while I was working on this... it's not easy to search the code for that. Obviously it's easy to forget to update the apparmor config when we add a file access. And it appears that the i2p-bote plugin adds another layer of complexity, I wonder if other plugins do as well.
Closing as fixed, thanks again. If you spot any other problems you can open a new ticket or reopen this one.
Not that it really matters what you base the patch on, since the apparmor files haven't been updated in a year and a half. I've never touched them, even while making a huge amount of debian packaging changes, so it's no surprise that it's broken. The move from jetty 8 to jetty 9 is just part of the problem.
In general, generating a patch from the current head of trunk (from github or monotone) is best, but from the 0.9.30 release source (from github, monotone, geti2p.net/get, debian repo or ubuntu PPA, ...) works also.
thanks