# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
# for launching browsers
#include <abstractions/ubuntu-helpers>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
# Needed by Java
@{PROC} r,
owner @{PROC}/[0-9]*/ r,
owner @{PROC}/[0-9]*/cgroup r,
owner @{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/if_inet6 r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/sys/fs/cgroup/** r,
/etc/ssl/certs/java/** r,
/etc/timezone r,
/usr/share/javazi/** r,
/etc/java-*-openjdk/** r,
# Allow any JRE or JDK
/usr/lib/jvm/*/bin/java rix,
/usr/lib/jvm/*/bin/keytool rix,
/usr/lib/jvm/*/jre/bin/java rix,
/usr/lib/jvm/*/jre/bin/keytool rix,
# */client/classes.jsa is only found (and needed) in 32-bit JVMs.
/usr/lib/jvm/*/jre/lib/i386/client/classes.jsa m,
/usr/lib/jvm/*/jre/lib/i386/client/classes.jsa m,
# needed for I2P's graphs
/usr/share/java/java-atk-wrapper.jar r,
# I2P specific
/usr/share/i2p/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
# Tanuki java wrapper
/etc/i2p/wrapper.config r,
/usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,
# Dependent packages
/usr/share/java/libintl.jar r,
/usr/share/java/glassfish-appserv-jstl.jar r,
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r,
/usr/share/java/gnu-getopt.jar r,
/usr/share/java/gnu-getopt-*.jar r,
/usr/share/java/jetty9-*.jar r,
/usr/share/java/json-simple.jar r,
/usr/share/java/json-simple-*.jar r,
/usr/share/java/jsp-api-*.jar r,
/usr/share/java/servlet-api-*.jar r,
/usr/share/java/standard.jar r,
/usr/share/java/standard-*.jar r,
/usr/share/java/tomcat8-*.jar r,
/usr/share/java/tomcat9-*.jar r,
/usr/share/java/taglibs-standard-*.jar r,
/usr/share/flags/countries/16x11/* r,
# GeoIP data
/usr/share/GeoIP/* r,
# Other /proc
@{PROC}/cpuinfo r,
@{PROC}/net/if_inet6 r,
# 'm' is needed by the I2P-Bote plugin
/{,lib/live/mount/overlay/}tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/ rwk,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/** rw,
owner /{,lib/live/mount/overlay/}tmp/wrapper* rwk,
owner /{,lib/live/mount/overlay/}tmp/wrapper*/** rw,
# Scrypt used by I2P-Bote
owner /{,lib/live/mount/overlay/}tmp/scrypt* rwk,
owner /{,lib/live/mount/overlay/}tmp/scrypt*/** rw,
# temp dir (service)
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/** rwkm,
# temp dir (non-service)
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/** rwkm,
# temp dir (Jetty default)
owner /{,lib/live/mount/overlay/}tmp/jetty-*/ rwm,
owner /{,lib/live/mount/overlay/}tmp/jetty-*/** rwkm,
# /graphs in the router console
owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp rwk,
# Prevent spamming the logs
deny /dev/tty rw,
deny /{,lib/live/mount/overlay/}var/tmp/ r,
deny @{PROC}/[0-9]*/fd/ r,
deny /usr/sbin/ r,
deny /var/cache/fontconfig/ wk,
# Some versions of the Tanuki wrapper package will try to load these jars but
# they are not needed by I2P. The deny rule here will prevent the logs from
# being spammed.
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,