i2p.i2p/debian/apparmor/i2p

# Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=4 sw=4

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>

  network inet stream,
  network inet6 stream,

  # Needed by Java
  @{PROC}                                                 r,
  owner @{PROC}/[0-9]*/                                   r,
  owner @{PROC}/[0-9]*/status                             r,
  @{PROC}/[0-9]*/net/ipv6_route                           r,
  @{PROC}/[0-9]*/net/if_inet6                             r,
  /sys/devices/system/cpu/                                r,
  /sys/devices/system/cpu/**                              r,

  /etc/ssl/certs/java/**                                  r,
  /etc/timezone                                           r,
  /usr/share/javazi/**                                    r,

  /etc/java-*-openjdk/**                                  r,
  /usr/lib/jvm/default-java/jre/bin/java                  rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,

  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,

  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
  /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
  /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,

  # needed for I2P's graphs
  /usr/share/java/java-atk-wrapper.jar                    r,

  # I2P specific
  /usr/share/i2p/**                                       r,

  # Used by some plugins
  /usr/share/java/eclipse-ecj-*.jar                       r,

  # Tanuki java wrapper
  /etc/i2p/wrapper.config                                 r,
  /usr/sbin/wrapper                                       rix,
  /usr/share/java/wrapper*.jar                            r,

  # 'm' is needed by the I2P-Bote plugin
  /{,var/}tmp/                                            rwm,
  owner /{,var/}tmp/**                                    rwklm,

  # Prevent spamming the logs
  deny /dev/tty                                           rw,
  deny @{PROC}/[0-9]*/fd/                                 r,
  deny /usr/sbin/                                         r,
  deny /var/cache/fontconfig/                             wk,

  # Used by some versions of the Tanuki wrapper, not needed by I2P
  deny /usr/share/java/hamcrest*.jar                      r,
  deny /usr/share/java/junit*.jar                         r,
updates to apparmor profiles - hardening (restrict access to proc to owner) - removing files covered by abstractions - indentation per apparmor profile style 2015-04-14 01:00:10 +00:00			`# Last Modified: Sun Apr 12 22:08:32 2015`
Debian: confine daemon with apparmor (ticket #1061) 2015-02-18 22:25:24 +00:00			`# vim:syntax=apparmor et ts=4 sw=4`

fix indentation of i2p abstraction 2015-05-21 16:44:00 +00:00			`#include <abstractions/base>`
			`#include <abstractions/fonts>`
			`#include <abstractions/nameservice>`
			`#include <abstractions/ssl_certs>`
			`#include <abstractions/user-tmp>`
Debian: confine daemon with apparmor (ticket #1061) 2015-02-18 22:25:24 +00:00
fix indentation of i2p abstraction 2015-05-21 16:44:00 +00:00			`network inet stream,`
			`network inet6 stream,`
Debian: confine daemon with apparmor (ticket #1061) 2015-02-18 22:25:24 +00:00
updates to apparmor profiles - hardening (restrict access to proc to owner) - removing files covered by abstractions - indentation per apparmor profile style 2015-04-14 01:00:10 +00:00			`# Needed by Java`
fixes to apparmor profile for `i2prouter` 2015-04-14 18:50:45 +00:00			`@{PROC} r,`
updates to apparmor profiles - hardening (restrict access to proc to owner) - removing files covered by abstractions - indentation per apparmor profile style 2015-04-14 01:00:10 +00:00			`owner @{PROC}/[0-9]*/ r,`
			`owner @{PROC}/[0-9]*/status r,`
tweak to debian apparmor rules 2015-04-17 14:15:05 +00:00			`@{PROC}/[0-9]*/net/ipv6_route r,`
			`@{PROC}/[0-9]*/net/if_inet6 r,`
updates to apparmor profiles - hardening (restrict access to proc to owner) - removing files covered by abstractions - indentation per apparmor profile style 2015-04-14 01:00:10 +00:00			`/sys/devices/system/cpu/ r,`
			`/sys/devices/system/cpu/** r,`

			`/etc/ssl/certs/java/** r,`
			`/etc/timezone r,`
			`/usr/share/javazi/** r,`

			`/etc/java--openjdk/* r,`
			`/usr/lib/jvm/default-java/jre/bin/java rix,`
			`/usr/lib/jvm/java--openjdk-/jre/bin/java rix,`
			`/usr/lib/jvm/java--openjdk-/jre/bin/keytool rix,`

			`# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories`
			`/usr/lib/jvm/jdk--oracle-/jre/bin/java rix,`
			`/usr/lib/jvm/jdk--oracle-/jre/bin/keytool rix,`

			`# */client/classes.jsa is only found (and needed) in 32-bit JVMs.`
			`/usr/lib/jvm/java--openjdk-/jre/lib/i386/client/classes.jsa m,`
			`/usr/lib/jvm/java--oracle-/jre/lib/i386/client/classes.jsa m,`

			`# needed for I2P's graphs`
			`/usr/share/java/java-atk-wrapper.jar r,`

			`# I2P specific`
			`/usr/share/i2p/** r,`

			`# Used by some plugins`
			`/usr/share/java/eclipse-ecj-*.jar r,`

			`# Tanuki java wrapper`
			`/etc/i2p/wrapper.config r,`
			`/usr/sbin/wrapper rix,`
			`/usr/share/java/wrapper*.jar r,`

			`# 'm' is needed by the I2P-Bote plugin`
			`/{,var/}tmp/ rwm,`
			`owner /{,var/}tmp/** rwklm,`

			`# Prevent spamming the logs`
			`deny /dev/tty rw,`
			`deny @{PROC}/[0-9]*/fd/ r,`
			`deny /usr/sbin/ r,`
			`deny /var/cache/fontconfig/ wk,`

			`# Used by some versions of the Tanuki wrapper, not needed by I2P`
			`deny /usr/share/java/hamcrest*.jar r,`
			`deny /usr/share/java/junit*.jar r,`