From 6ca383071bf26331e0a943389cc0a33ea4e2ebd0 Mon Sep 17 00:00:00 2001
From: zzz
Date: Wed, 16 Jan 2019 20:10:36 +0000
Subject: [PATCH] Debian: AppArmor updates (ticket #2319)
---
 debian/apparmor/i2p | 18 ++++++++++++++++--
 debian/apparmor/usr.bin.i2prouter | 5 +++--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/debian/apparmor/i2p b/debian/apparmor/i2p
index cc73de43e..22ca60f17 100644
--- a/debian/apparmor/i2p
+++ b/debian/apparmor/i2p
@@ -6,6 +6,11 @@
 #include
 #include
+ # for launching browswers
+ #include
+ #include
+ #include
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
@@ -14,11 +19,14 @@
 # Needed by Java
 @{PROC} r,
 owner @{PROC}/[0-9]*/ r,
+ owner @{PROC}/[0-9]*/cgroup r,
+ owner @{PROC}/[0-9]*/mountinfo r,
 owner @{PROC}/[0-9]*/status r,
 @{PROC}/[0-9]*/net/ipv6_route r,
 @{PROC}/[0-9]*/net/if_inet6 r,
 /sys/devices/system/cpu/ r,
 /sys/devices/system/cpu/** r,
+ /sys/fs/cgroup/** r,
 /etc/ssl/certs/java/** r,
 /etc/timezone r,
@@ -58,11 +66,14 @@
 /usr/share/java/gnu-getopt.jar r,
 /usr/share/java/gnu-getopt-*.jar r,
 /usr/share/java/jetty9-*.jar r,
+ /usr/share/java/json-simple.jar r,
+ /usr/share/java/json-simple-*.jar r,
 /usr/share/java/jsp-api-*.jar r,
 /usr/share/java/servlet-api-*.jar r,
 /usr/share/java/standard.jar r,
 /usr/share/java/standard-*.jar r,
 /usr/share/java/tomcat8-*.jar r,
+ /usr/share/java/tomcat9-*.jar r,
 /usr/share/java/taglibs-standard-*.jar r,
 /usr/share/flags/countries/16x11/* r,
@@ -75,8 +86,8 @@
 # 'm' is needed by the I2P-Bote plugin
 /{,lib/live/mount/overlay/}tmp/ rwm,
- owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
- owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/** rw,
+ owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/ rwk,
+ owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/** rw,
 owner /{,lib/live/mount/overlay/}tmp/wrapper* rwk,
 owner /{,lib/live/mount/overlay/}tmp/wrapper*/** rw,
 # Scrypt used by I2P-Bote
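Review bot: The new comment `# for launching browswers` in the first hunk misspells browsers; `# for launching browsers` would do. The three `#include` lines beneath it appear on this page without their abstraction names (the angle-bracketed paths look to have been stripped in rendering), so how much the browser abstractions widen the i2p profile cannot be judged from here. A second comment naming the router feature that launches the browser would help the next reader decide whether a narrower abstraction than the usual browser set suffices.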
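Review bot: In the second hunk, `/sys/fs/cgroup/** r,` grants read access to the whole cgroup tree, while the two new `@{PROC}` rules beside it (`cgroup`, `mountinfo`) are at least scoped to the process's own entries via `owner`. The hunk does not say what reads these; if it is the JVM's container-limit detection, a comment such as `# Java reads its cgroup limits here; narrow to the controllers seen in denials once known` would record the intent and let the rule be tightened later. The grant is read-only, so the exposure is limited to disclosing the host's cgroup layout, but it is still broader than the rest of the "Needed by Java" section.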
@@ -89,6 +100,9 @@
 # temp dir (non-service)
 owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/ rwm,
 owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/** rwkm,
+ # temp dir (Jetty default)
+ owner /{,lib/live/mount/overlay/}tmp/jetty-*/ rwm,
+ owner /{,lib/live/mount/overlay/}tmp/jetty-*/** rwkm,
 # /graphs in the router console
 owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp rwk,
diff --git a/debian/apparmor/usr.bin.i2prouter b/debian/apparmor/usr.bin.i2prouter
index 9fb11d452..8b9f08da5 100644
--- a/debian/apparmor/usr.bin.i2prouter
+++ b/debian/apparmor/usr.bin.i2prouter
@@ -20,7 +20,7 @@
 /bin/cat rix,
 /bin/grep rix,
 /bin/mkdir rix,
- /bin/ps rix,
+ /bin/ps rUx,
 /bin/rm rix,
 /bin/sed rix,
 /bin/sleep rix,
@@ -34,7 +34,8 @@
 /usr/bin/dirname rix,
 /usr/bin/expr rix,
 /usr/bin/id rix,
- /usr/bin/ldd rix,
+ # should replace this in i2prouter with something safer
+ /usr/bin/ldd rUx,
 /usr/bin/tail rix,
 /usr/bin/tr rix,
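Review bot: The new `jetty-*/** rwkm` rule carries the `m` (mmap) permission into a second tree under the world-writable tmp directory, copying the mode of the `i2p-*.tmp` rules above it without saying what in the Jetty work directory needs to be mapped. The profile already documents the equivalent grant on `tmp/` itself with `# 'm' is needed by the I2P-Bote plugin`; a matching line here, e.g. `# 'm' needed for <what Jetty maps here> — TODO confirm from the audit log`, or dropping `m` if no mmap denial is observed, would keep the grant tied to a demonstrated need.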
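Review bot: `/bin/ps rUx` in the usr.bin.i2prouter hunk at old line 20 moves ps from a confined inherited execution (`ix`) to an unconfined one (`Ux`) with no comment recording why, unlike the ldd change in the following hunk, which at least carries `# should replace this in i2prouter with something safer` (that hunk runs past the end of this page). Presumably ps needs /proc reads that this profile does not grant, but that should be stated, e.g. `# unconfined exec: ps needs /proc reads not granted here (ticket #2319)`. If a dedicated ps profile may be present on the system, `rPUx` would prefer it and only fall back to unconfined, which narrows the change; otherwise the same "replace with something safer" note as for ldd belongs here too.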