echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add example apparmor profile (ticket #1092)

Browse Source
This commit is contained in:
kytv
2015-02-18 21:38:25 +00:00
parent ece2f1484c
commit bb9cef1e40
4 changed files with 113 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
apps/apparmor/home.i2p.i2prouter Normal file
View File

@ -0,0 +1,108 @@
# Last Modified: Mon, 16 Feb 2015
# vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global>
$INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
capability sys_ptrace,
network inet stream,
network inet6 stream,
$INSTALL_PATH/ r,
$INSTALL_PATH/{i2psvc,wrapper} rmix,
owner $INSTALL_PATH/** rwklm,
# Needed for Java
@{PROC} r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/1/comm r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/dev/random r,
/dev/urandom r,
/etc/ssl/certs/java/** r,
/etc/timezone r,
/usr/share/javazi/** r,
# Debian
/etc/java-{6,7,8}-openjdk/** r,
/usr/lib/jvm/default-java/jre/bin/java rix,
# Debian, Ubuntu, openSUSE
/usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/java rix,
/usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/keytool rix,
# Raspbian
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
# Fonts are needed for I2P's graphs
/etc/fonts/** r,
/usr/share/fontconfig/ r,
/usr/share/fontconfig/** r,
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/fonts/truetype/ r,
/usr/share/fonts/truetype/** r,
/usr/share/java/java-atk-wrapper.jar r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
/{,var/}tmp/ rwm,
owner /{,var/}tmp/** rwklm,
/{,usr/}bin/{,b,d}ash rix,
/{,usr/}bin/cat rix,
/{,usr/}bin/cut rix,
/{,usr/}bin/dirname rix,
/{,usr/}bin/expr rix,
/{,usr/}bin/{,g,m}awk rix,
/{,usr/}bin/grep rix,
/{,usr/}bin/id rix,
/{,usr/}bin/ldd rix,
/{,usr/}bin/ls rix,
/{,usr/}bin/mkdir rix,
/{,usr/}bin/nohup rix,
/{,usr/}bin/ps rix,
/{,usr/}bin/rm rix,
/{,usr/}bin/sed rix,
/{,usr/}bin/sleep rix,
/{,usr/}bin/tail rix,
/{,usr/}bin/tr rix,
/{,usr/}bin/uname rix,
/{,usr/}bin/which rix,
@{HOME}/.java/fonts/** r,
owner @{HOME}/.i2p/ rw,
owner @{HOME}/.i2p/** rwk,
# Prevent spamming the logs
deny owner @{HOME}/.java/ wk,
deny @{HOME}/.fontconfig/ wk,
deny @{HOME}/.java/fonts/** w,
deny /dev/tty rw,
deny /dev/pts/[0-9]* rw,
deny @{PROC}/[0-9]*/fd/ r,
deny /usr/local/share/fonts/ r,
deny /var/cache/fontconfig/ wk,
# Used by some versions of the Tanuki wrapper but never used by I2P
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,
}

1
build.xml
View File

@ -1135,6 +1135,7 @@
<copy file="history.txt" todir="pkg-temp/" overwrite="true" />
<mkdir dir="pkg-temp/scripts" />
<copy file="apps/proxyscript/i2pProxy.pac" todir="pkg-temp/scripts/" />
<copy file="apps/apparmor/home.i2p.i2prouter" todir="pkg-temp/scripts/" />
<copy file="installer/resources/startconsole.html" todir="pkg-temp/docs/" />
<copy file="installer/resources/start.ico" todir="pkg-temp/docs/" />
<copy file="installer/resources/console.ico" todir="pkg-temp/docs/" />

1
installer/install.xml
View File

@ -129,6 +129,7 @@
and the izpack docs for some guidance.
-->
<parsable targetfile="$INSTALL_PATH/wrapper.config" type="plain" />
<parsable targetfile="$INSTALL_PATH/scripts/home.i2p.i2prouter" type="plain"> <os family="unix" /> </parsable>
<parsable targetfile="$INSTALL_PATH/i2prouter" type="shell"> <os family="unix" /> </parsable>
<parsable targetfile="$INSTALL_PATH/eepget" type="shell"> <os family="unix" /> </parsable>
<parsable targetfile="$INSTALL_PATH/eepget.bat" type="shell" os="windows" />

5
installer/resources/postinstall.sh
View File

@ -111,10 +111,11 @@ if [ ! `echo $HOST_OS |grep osx` ]; then
rm -f *i2p_service_osx.command
rm -f net.i2p.router.plist.template
#rm -f I2P\ Router\ Console.webloc
else
# The example apparmor profile is useless on OSX
rm -f ./scripts/home.i2p.i2prouter
fi
# no, let's not start the router from the install script any more
# ./i2prouter start
rm -f ./osid
rm -f ./postinstall.sh
exit 0