Opened 3 years ago

Closed 3 years ago

#1986 closed defect (fixed)

[deb] Apparmor profile for Debian needs to be updated

Reported by: Vasyl Kaigorodov Owned by: zzz
Priority: major Milestone: 0.9.31
Component: package/debian Version: 0.9.29
Keywords: Cc:
Parent Tickets: Sensitive: no

Description (last modified by Vasyl Kaigorodov)

Latest I2P package fails to start on Apparmor-enabled systems due to the Apparmor profile.
Following files are in question:

/usr/share/java/gnu-getopt-1.0.14.jar
/usr/share/java/libintl.jar
/usr/share/java/servlet-api-3.0.jar
/usr/share/java/jetty8-continuation-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-http-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-xml-8.1.16.v20140903.jar
/usr/share/java/jetty8-io-8.1.16.v20140903.jar
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar

In addition, access to /var/lib/GeoIP{,v6}.dat should be granted. This does not affect normal I2P operation, except that country falgs are not displayed in Peers list in the confole for example.

  1. Does I2P need access to all the JARs listed? http://bazaar.launchpad.net/~i2p.packages/i2p/trunk/view/head:/debian/apparmor/i2p lines 78,79 suggest that some JARs from /usr/share/java/ should not be loaded.
  2. I can submit a patch for this, which monotone branch I should use?

Subtickets

Change History (7)

comment:1 Changed 3 years ago by Vasyl Kaigorodov

Description: modified (diff)

comment:2 Changed 3 years ago by zzz

Milestone: undecided0.9.31
Status: newaccepted

Not that it really matters what you base the patch on, since the apparmor files haven't been updated in a year and a half. I've never touched them, even while making a huge amount of debian packaging changes, so it's no surprise that it's broken. The move from jetty 8 to jetty 9 is just part of the problem.

In general, generating a patch from the current head of trunk (from github or monotone) is best, but from the 0.9.30 release source (from github, monotone, geti2p.net/get, debian repo or ubuntu PPA, …) works also.

thanks

comment:3 Changed 3 years ago by Eche|on

Just to note: the i2p monotone branch is i2p.i2p ;-)

comment:4 Changed 3 years ago by zzz

I'll do this. No patch from OP required.

comment:5 Changed 3 years ago by zzz

Status: acceptedtesting

In f87026014920e36649ffe2da8050a785bd772b46 to be 0.9.30-4

Please test and report results.

Patch:

#
# old_revision [c291d4c7bb733551cfea7d38d91b825bdea9dc29]
#
# patch "debian/apparmor/i2p"
#  from [94c7f1390941dc5f36ea168e7654e9e5d0a53336]
#    to [3e14c360b29b7fc449c79a1340357f98352d17c1]
#
============================================================
--- debian/apparmor/i2p	94c7f1390941dc5f36ea168e7654e9e5d0a53336
+++ debian/apparmor/i2p	3e14c360b29b7fc449c79a1340357f98352d17c1
@@ -51,6 +51,26 @@
   /usr/sbin/wrapper                                       rix,
   /usr/share/java/wrapper*.jar                            r,
 
+  # Dependent packages
+  /usr/share/java/libintl.jar                             r,
+  /usr/share/java/glassfish-appserv-jstl.jar              r,
+  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
+  /usr/share/java/gnu-getopt.jar                          r,
+  /usr/share/java/gnu-getopt-*.jar                        r,
+  /usr/share/java/jetty9-*.jar                            r,
+  /usr/share/java/jsp-api-*.jar                           r,
+  /usr/share/java/servlet-api-*.jar                       r,
+  /usr/share/java/standard.jar                            r,
+  /usr/share/java/standard-*.jar                          r,
+  /usr/share/java/tomcat8-*.jar                           r,
+
+  # GeoIP data
+  /usr/share/GeoIP/*                                      r,
+
+  # Other /proc
+  @{PROC}/cpuinfo                                         r,
+  @{PROC}/net/if_inet6                                    r,
+
   # 'm' is needed by the I2P-Bote plugin
   /{,lib/live/mount/overlay/}tmp/                         rwm,
   owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,

comment:6 Changed 3 years ago by Vasyl Kaigorodov

I would suggest stricter rule for GeoIP:

/usr/share/GeoIP/GeoIP{,v6}.dat r,

Otherwise - tested, works well.
Also, out of curiosity - why allow reads to /proc/cpuinfo and /proc/net/if_inet6 ?

comment:7 Changed 3 years ago by zzz

Resolution: fixed
Status: testingclosed

Thanks for review and testing. I added the whole GeoIP directory to make it simpler, and because we might use the other files in there someday soon… we've been talking about ASN-aware peer selection for a while now. The cpuinfo is for CPU detection on ARM; the if_inet6 is to figure out which IPv6 addresses are temporary and deprecated, there's no Java API for that. I tried hard to think of any other files we access while I was working on this… it's not easy to search the code for that. Obviously it's easy to forget to update the apparmor config when we add a file access. And it appears that the i2p-bote plugin adds another layer of complexity, I wonder if other plugins do as well.

Closing as fixed, thanks again. If you spot any other problems you can open a new ticket or reopen this one.

Note: See TracTickets for help on using tickets.