#1986 closed defect (fixed)

[deb] Apparmor profile for Debian needs to be updated

Reported by: vk Owned by: zzz
Priority: major Milestone: 0.9.31
Component: package/debian Version: 0.9.29
Keywords: Cc:
Parent Tickets:

Description (last modified by vk)

Latest I2P package fails to start on Apparmor-enabled systems due to the Apparmor profile.
Following files are in question:


In addition, access to /var/lib/GeoIP{,v6}.dat should be granted. This does not affect normal I2P operation, except that country falgs are not displayed in Peers list in the confole for example.

  1. Does I2P need access to all the JARs listed? http://bazaar.launchpad.net/~i2p.packages/i2p/trunk/view/head:/debian/apparmor/i2p lines 78,79 suggest that some JARs from /usr/share/java/ should not be loaded.
  2. I can submit a patch for this, which monotone branch I should use?


Change History (7)

comment:1 Changed 23 months ago by vk

  • Description modified (diff)

comment:2 Changed 23 months ago by zzz

  • Milestone changed from undecided to 0.9.31
  • Status changed from new to accepted

Not that it really matters what you base the patch on, since the apparmor files haven't been updated in a year and a half. I've never touched them, even while making a huge amount of debian packaging changes, so it's no surprise that it's broken. The move from jetty 8 to jetty 9 is just part of the problem.

In general, generating a patch from the current head of trunk (from github or monotone) is best, but from the 0.9.30 release source (from github, monotone, geti2p.net/get, debian repo or ubuntu PPA, ...) works also.


comment:3 Changed 23 months ago by echelon

Just to note: the i2p monotone branch is i2p.i2p ;-)

comment:4 Changed 23 months ago by zzz

I'll do this. No patch from OP required.

comment:5 Changed 23 months ago by zzz

  • Status changed from accepted to testing

In f87026014920e36649ffe2da8050a785bd772b46 to be 0.9.30-4

Please test and report results.


# old_revision [c291d4c7bb733551cfea7d38d91b825bdea9dc29]
# patch "debian/apparmor/i2p"
#  from [94c7f1390941dc5f36ea168e7654e9e5d0a53336]
#    to [3e14c360b29b7fc449c79a1340357f98352d17c1]
--- debian/apparmor/i2p	94c7f1390941dc5f36ea168e7654e9e5d0a53336
+++ debian/apparmor/i2p	3e14c360b29b7fc449c79a1340357f98352d17c1
@@ -51,6 +51,26 @@
   /usr/sbin/wrapper                                       rix,
   /usr/share/java/wrapper*.jar                            r,
+  # Dependent packages
+  /usr/share/java/libintl.jar                             r,
+  /usr/share/java/glassfish-appserv-jstl.jar              r,
+  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
+  /usr/share/java/gnu-getopt.jar                          r,
+  /usr/share/java/gnu-getopt-*.jar                        r,
+  /usr/share/java/jetty9-*.jar                            r,
+  /usr/share/java/jsp-api-*.jar                           r,
+  /usr/share/java/servlet-api-*.jar                       r,
+  /usr/share/java/standard.jar                            r,
+  /usr/share/java/standard-*.jar                          r,
+  /usr/share/java/tomcat8-*.jar                           r,
+  # GeoIP data
+  /usr/share/GeoIP/*                                      r,
+  # Other /proc
+  @{PROC}/cpuinfo                                         r,
+  @{PROC}/net/if_inet6                                    r,
   # 'm' is needed by the I2P-Bote plugin
   /{,lib/live/mount/overlay/}tmp/                         rwm,
   owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,

comment:6 Changed 23 months ago by vk

I would suggest stricter rule for GeoIP:

/usr/share/GeoIP/GeoIP{,v6}.dat r,

Otherwise - tested, works well.
Also, out of curiosity - why allow reads to /proc/cpuinfo and /proc/net/if_inet6 ?

comment:7 Changed 23 months ago by zzz

  • Resolution set to fixed
  • Status changed from testing to closed

Thanks for review and testing. I added the whole GeoIP directory to make it simpler, and because we might use the other files in there someday soon... we've been talking about ASN-aware peer selection for a while now. The cpuinfo is for CPU detection on ARM; the if_inet6 is to figure out which IPv6 addresses are temporary and deprecated, there's no Java API for that. I tried hard to think of any other files we access while I was working on this... it's not easy to search the code for that. Obviously it's easy to forget to update the apparmor config when we add a file access. And it appears that the i2p-bote plugin adds another layer of complexity, I wonder if other plugins do as well.

Closing as fixed, thanks again. If you spot any other problems you can open a new ticket or reopen this one.

Note: See TracTickets for help on using tickets.