Opened 4 years ago
Closed 4 years ago
#1986 closed defect (fixed)
[deb] Apparmor profile for Debian needs to be updated
Reported by: | Vasyl Kaigorodov | Owned by: | zzz |
---|---|---|---|
Priority: | major | Milestone: | 0.9.31 |
Component: | package/debian | Version: | 0.9.29 |
Keywords: | | Cc: | |
Parent Tickets: | | Sensitive: | no |
Description
The latest I2P package fails to start on Apparmor-enabled systems due to the Apparmor profile.
The following files are in question:
/usr/share/java/gnu-getopt-1.0.14.jar
/usr/share/java/libintl.jar
/usr/share/java/servlet-api-3.0.jar
/usr/share/java/jetty8-continuation-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-http-8.1.16.v20140903.jar
/usr/share/java/jetty8-deploy-8.1.16.v20140903.jar
/usr/share/java/jetty8-xml-8.1.16.v20140903.jar
/usr/share/java/jetty8-io-8.1.16.v20140903.jar
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar
In addition, access to /var/lib/GeoIP{,v6}.dat should be granted. This does not affect normal I2P operation, except that country flags are not displayed in the Peers list in the console, for example.
- Does I2P need access to all the JARs listed? http://bazaar.launchpad.net/~i2p.packages/i2p/trunk/view/head:/debian/apparmor/i2p lines 78,79 suggest that some JARs from /usr/share/java/ should not be loaded.
- I can submit a patch for this; which monotone branch should I use?
Change History (7)
comment:1 Changed 4 years ago by
Description: | modified (diff) |
---|---|
comment:2 Changed 4 years ago by
Milestone: | undecided → 0.9.31 |
---|---|
Status: | new → accepted |
comment:5 Changed 4 years ago by
Status: | accepted → testing |
---|---|
In f87026014920e36649ffe2da8050a785bd772b46 to be 0.9.30-4
Please test and report results.
Patch:
# # old_revision [c291d4c7bb733551cfea7d38d91b825bdea9dc29] # # patch "debian/apparmor/i2p" # from [94c7f1390941dc5f36ea168e7654e9e5d0a53336] # to [3e14c360b29b7fc449c79a1340357f98352d17c1] # ============================================================ --- debian/apparmor/i2p 94c7f1390941dc5f36ea168e7654e9e5d0a53336 +++ debian/apparmor/i2p 3e14c360b29b7fc449c79a1340357f98352d17c1 @@ -51,6 +51,26 @@ /usr/sbin/wrapper rix, /usr/share/java/wrapper*.jar r, + # Dependent packages + /usr/share/java/libintl.jar r, + /usr/share/java/glassfish-appserv-jstl.jar r, + /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r, + /usr/share/java/gnu-getopt.jar r, + /usr/share/java/gnu-getopt-*.jar r, + /usr/share/java/jetty9-*.jar r, + /usr/share/java/jsp-api-*.jar r, + /usr/share/java/servlet-api-*.jar r, + /usr/share/java/standard.jar r, + /usr/share/java/standard-*.jar r, + /usr/share/java/tomcat8-*.jar r, + + # GeoIP data + /usr/share/GeoIP/* r, + + # Other /proc + @{PROC}/cpuinfo r, + @{PROC}/net/if_inet6 r, + # 'm' is needed by the I2P-Bote plugin /{,lib/live/mount/overlay/}tmp/ rwm, owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
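Review bot: `/usr/share/GeoIP/* r,` grants read access to every file in that directory, while the description only asks for the GeoIP{,v6}.dat databases; a path-specific rule such as `/usr/share/GeoIP/GeoIP{,v6}.dat r,` keeps the profile minimal. The description also gives the location as /var/lib/GeoIP{,v6}.dat rather than /usr/share/GeoIP, so it is worth confirming which path the package actually reads. The `# Other /proc` block adds `@{PROC}/cpuinfo r,` and `@{PROC}/net/if_inet6 r,` without saying why the router needs them; a one-line comment on each, like the existing `# 'm' is needed by the I2P-Bote plugin` note, would document that for the next person editing the profile.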
comment:6 Changed 4 years ago by
I would suggest a stricter rule for GeoIP:
/usr/share/GeoIP/GeoIP{,v6}.dat r,
Otherwise - tested, works well.
Also, out of curiosity: why allow reads to /proc/cpuinfo and /proc/net/if_inet6?
comment:7 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | testing → closed |
Thanks for the review and testing. I added the whole GeoIP directory to make it simpler, and because we might use the other files in there someday soon… we've been talking about ASN-aware peer selection for a while now. The cpuinfo is for CPU detection on ARM; the if_inet6 is to figure out which IPv6 addresses are temporary and deprecated, since there's no Java API for that. I tried hard to think of any other files we access while I was working on this… it's not easy to search the code for that. Obviously it's easy to forget to update the apparmor config when we add a file access. And it appears that the i2p-bote plugin adds another layer of complexity; I wonder if other plugins do as well.
Closing as fixed, thanks again. If you spot any other problems you can open a new ticket or reopen this one.
Not that it really matters what you base the patch on, since the apparmor files haven't been updated in a year and a half. I've never touched them, even while making a huge amount of debian packaging changes, so it's no surprise that it's broken. The move from jetty 8 to jetty 9 is just part of the problem.
In general, generating a patch from the current head of trunk (from github or monotone) is best, but from the 0.9.30 release source (from github, monotone, geti2p.net/get, debian repo or ubuntu PPA, …) works also.
thanks