# Last Modified: Sun Dec 06 12:30:32 2015 # vim:syntax=apparmor et ts=4 sw=4 #include #include #include #include # for launching browswers #include #include #include network inet stream, network inet dgram, network inet6 stream, network inet6 dgram, # Needed by Java @{PROC} r, owner @{PROC}/[0-9]*/ r, owner @{PROC}/[0-9]*/cgroup r, owner @{PROC}/[0-9]*/mountinfo r, owner @{PROC}/[0-9]*/status r, @{PROC}/[0-9]*/net/ipv6_route r, @{PROC}/[0-9]*/net/if_inet6 r, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r, /sys/fs/cgroup/** r, /etc/ssl/certs/java/** r, /etc/timezone r, /usr/share/javazi/** r, /etc/java-*-openjdk/** r, # Allow any JRE or JDK /usr/lib/jvm/*/bin/java rix, /usr/lib/jvm/*/bin/keytool rix, /usr/lib/jvm/*/jre/bin/java rix, /usr/lib/jvm/*/jre/bin/keytool rix, # */client/classes.jsa is only found (and needed) in 32-bit JVMs. /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa m, /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa m, # needed for I2P's graphs /usr/share/java/java-atk-wrapper.jar r, # I2P specific /usr/share/i2p/** r, # Used by some plugins /usr/share/java/eclipse-ecj-*.jar r, # Tanuki java wrapper /etc/i2p/wrapper.config r, /usr/sbin/wrapper rix, /usr/share/java/wrapper*.jar r, # Dependent packages /usr/share/java/libintl.jar r, /usr/share/java/glassfish-appserv-jstl.jar r, /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r, /usr/share/java/gnu-getopt.jar r, /usr/share/java/gnu-getopt-*.jar r, /usr/share/java/jetty9-*.jar r, /usr/share/java/json-simple.jar r, /usr/share/java/json-simple-*.jar r, /usr/share/java/jsp-api-*.jar r, /usr/share/java/servlet-api-*.jar r, /usr/share/java/standard.jar r, /usr/share/java/standard-*.jar r, /usr/share/java/tomcat8-*.jar r, /usr/share/java/tomcat9-*.jar r, /usr/share/java/taglibs-standard-*.jar r, /usr/share/flags/countries/16x11/* r, # GeoIP data /usr/share/GeoIP/* r, # Other /proc @{PROC}/cpuinfo r, @{PROC}/net/if_inet6 r, # 'm' is needed by the I2P-Bote plugin /{,lib/live/mount/overlay/}tmp/ rwm, owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/ rwk, owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/** rw, owner /{,lib/live/mount/overlay/}tmp/wrapper* rwk, owner /{,lib/live/mount/overlay/}tmp/wrapper*/** rw, # Scrypt used by I2P-Bote owner /{,lib/live/mount/overlay/}tmp/scrypt* rwk, owner /{,lib/live/mount/overlay/}tmp/scrypt*/** rw, # temp dir (service) owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/ rwm, owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/** rwkm, # temp dir (non-service) owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/ rwm, owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/** rwkm, # temp dir (Jetty default) owner /{,lib/live/mount/overlay/}tmp/jetty-*/ rwm, owner /{,lib/live/mount/overlay/}tmp/jetty-*/** rwkm, # /graphs in the router console owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp rwk, # Prevent spamming the logs deny /dev/tty rw, deny /{,lib/live/mount/overlay/}var/tmp/ r, deny @{PROC}/[0-9]*/fd/ r, deny /usr/sbin/ r, deny /var/cache/fontconfig/ wk, # Some versions of the Tanuki wrapper package will try to load these jars but # they are not needed by I2P. The deny rule here will prevent the logs from # being spammed. deny /usr/share/java/hamcrest*.jar r, deny /usr/share/java/junit*.jar r,