#Last Modified: Sun Dec 06 12:30:32 2015 # vim:syntax=apparmor et ts=8 sw=4 #include $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) { #include #include #include #include capability sys_ptrace, network inet stream, network inet6 stream, $INSTALL_PATH/ r, $INSTALL_PATH/{i2psvc,wrapper} rmix, owner $INSTALL_PATH/** rwkm, # Needed for Java owner @{PROC} r, owner @{PROC}/[0-9]*/ r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/cmdline r, @{PROC}/uptime r, @{PROC}/sys/kernel/pid_max r, /sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r, /dev/random r, /dev/urandom r, @{PROC}/1/comm r, /etc/ssl/certs/java/** r, /etc/timezone r, /usr/share/javazi/** r, # Debian /etc/java-{6,7,8}-openjdk/** r, /usr/lib/jvm/default-java/jre/bin/java rix, # Debian, Ubuntu, openSUSE /usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/java rix, /usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/keytool rix, # Raspbian /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix, /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix, # Fonts are needed for I2P's graphs /usr/share/java/java-atk-wrapper.jar r, # Used by some plugins /usr/share/java/eclipse-ecj-*.jar r, /{,var/}tmp/ rwm, owner /{,var/}tmp/** rwkm, /{,usr/}bin/{,b,d}ash rix, /{,usr/}bin/cat rix, /{,usr/}bin/cut rix, /{,usr/}bin/dirname rix, /{,usr/}bin/expr rix, /{,usr/}bin/{,g,m}awk rix, /{,usr/}bin/grep rix, /{,usr/}bin/id rix, /{,usr/}bin/ldd rix, /{,usr/}bin/ls rix, /{,usr/}bin/mkdir rix, /{,usr/}bin/nohup rix, /{,usr/}bin/ps rix, /{,usr/}bin/rm rix, /{,usr/}bin/sed rix, /{,usr/}bin/sleep rix, /{,usr/}bin/tail rix, /{,usr/}bin/tr rix, /{,usr/}bin/uname rix, /{,usr/}bin/which rix, @{HOME}/.java/fonts/** r, owner @{HOME}/.i2p/ rw, owner @{HOME}/.i2p/** rwk, # Prevent spamming the logs deny owner @{HOME}/.java/ wk, deny @{HOME}/.fontconfig/ wk, deny @{HOME}/.java/fonts/** w, deny /dev/tty rw, deny /dev/pts/[0-9]* rw, deny @{PROC}/[0-9]*/fd/ r, deny /usr/local/share/fonts/ r, deny /var/cache/fontconfig/ wk, # Used by some versions of the Tanuki wrapper but never used by I2P deny /usr/share/java/hamcrest*.jar r, deny /usr/share/java/junit*.jar r, }