From bb9cef1e40102ddd3859d12f9ed67b26217a7a1b Mon Sep 17 00:00:00 2001
From: kytv <kytv@mail.i2p>
Date: Wed, 18 Feb 2015 21:38:25 +0000
Subject: [PATCH] Add example apparmor profile (ticket #1092)

---
 apps/apparmor/home.i2p.i2prouter   | 108 +++++++++++++++++++++++++++++
 build.xml                          |   1 +
 installer/install.xml              |   1 +
 installer/resources/postinstall.sh |   5 +-
 4 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 apps/apparmor/home.i2p.i2prouter

diff --git a/apps/apparmor/home.i2p.i2prouter b/apps/apparmor/home.i2p.i2prouter
new file mode 100644
index 000000000..561709d7f
--- /dev/null
+++ b/apps/apparmor/home.i2p.i2prouter
@@ -0,0 +1,108 @@
+# Last Modified: Mon, 16 Feb 2015
+# vim:syntax=apparmor et ts=8 sw=4
+
+#include <tunables/global>
+
+$INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/nameservice>
+  #include <abstractions/ssl_certs>
+
+  capability sys_ptrace,
+  network inet stream,
+  network inet6 stream,
+
+  $INSTALL_PATH/                                          r,
+  $INSTALL_PATH/{i2psvc,wrapper}                          rmix,
+  owner $INSTALL_PATH/**                                  rwklm,
+
+  # Needed for Java
+  @{PROC}                                                 r,
+  @{PROC}/[0-9]*/net/if_inet6                             r,
+  @{PROC}/[0-9]*/net/ipv6_route                           r,
+  @{PROC}/[0-9]*/status                                   r,
+  @{PROC}/[0-9]*/stat                                     r,
+  @{PROC}/[0-9]*/cmdline                                  r,
+  @{PROC}/1/comm                                          r,
+  @{PROC}/uptime                                          r,
+  @{PROC}/sys/kernel/pid_max                              r,
+  /sys/devices/system/cpu/                                r,
+  /sys/devices/system/cpu/**                              r,
+  /dev/random                                             r,
+  /dev/urandom                                            r,
+
+
+  /etc/ssl/certs/java/**                                  r,
+  /etc/timezone                                           r,
+  /usr/share/javazi/**                                    r,
+
+  # Debian
+  /etc/java-{6,7,8}-openjdk/**                            r,
+  /usr/lib/jvm/default-java/jre/bin/java                  rix,
+
+  # Debian, Ubuntu, openSUSE
+  /usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/java      rix,
+  /usr/lib{,32,64}/jvm/java-*-openjdk-*/jre/bin/keytool   rix,
+
+  # Raspbian
+  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
+  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,
+
+
+  # Fonts are needed for I2P's graphs
+  /etc/fonts/**                                           r,
+  /usr/share/fontconfig/                                  r,
+  /usr/share/fontconfig/**                                r,
+  /usr/share/fonts/                                       r,
+  /usr/share/fonts/**                                     r,
+  /usr/share/fonts/truetype/                              r,
+  /usr/share/fonts/truetype/**                            r,
+  /usr/share/java/java-atk-wrapper.jar                    r,
+  /var/cache/fontconfig/                                  r,
+  /var/cache/fontconfig/**                                r,
+
+  # Used by some plugins
+  /usr/share/java/eclipse-ecj-*.jar                       r,
+
+  /{,var/}tmp/                                            rwm,
+  owner /{,var/}tmp/**                                    rwklm,
+
+  /{,usr/}bin/{,b,d}ash                                   rix,
+  /{,usr/}bin/cat                                         rix,
+  /{,usr/}bin/cut                                         rix,
+  /{,usr/}bin/dirname                                     rix,
+  /{,usr/}bin/expr                                        rix,
+  /{,usr/}bin/{,g,m}awk                                   rix,
+  /{,usr/}bin/grep                                        rix,
+  /{,usr/}bin/id                                          rix,
+  /{,usr/}bin/ldd                                         rix,
+  /{,usr/}bin/ls                                          rix,
+  /{,usr/}bin/mkdir                                       rix,
+  /{,usr/}bin/nohup                                       rix,
+  /{,usr/}bin/ps                                          rix,
+  /{,usr/}bin/rm                                          rix,
+  /{,usr/}bin/sed                                         rix,
+  /{,usr/}bin/sleep                                       rix,
+  /{,usr/}bin/tail                                        rix,
+  /{,usr/}bin/tr                                          rix,
+  /{,usr/}bin/uname                                       rix,
+  /{,usr/}bin/which                                       rix,
+
+  @{HOME}/.java/fonts/**                                  r,
+  owner  @{HOME}/.i2p/                                    rw,
+  owner  @{HOME}/.i2p/**                                  rwk,
+
+  # Prevent spamming the logs
+  deny owner @{HOME}/.java/                               wk,
+  deny @{HOME}/.fontconfig/                               wk,
+  deny @{HOME}/.java/fonts/**                             w,
+  deny /dev/tty                                           rw,
+  deny /dev/pts/[0-9]*                                    rw,
+  deny @{PROC}/[0-9]*/fd/                                 r,
+  deny /usr/local/share/fonts/                            r,
+  deny /var/cache/fontconfig/                             wk,
+  # Used by some versions of the Tanuki wrapper but never used by I2P
+  deny /usr/share/java/hamcrest*.jar                      r,
+  deny /usr/share/java/junit*.jar                         r,
+}
diff --git a/build.xml b/build.xml
index c26e1ee48..cb5c34688 100644
--- a/build.xml
+++ b/build.xml
@@ -1135,6 +1135,7 @@
         <copy file="history.txt" todir="pkg-temp/" overwrite="true" />
         <mkdir dir="pkg-temp/scripts" />
         <copy file="apps/proxyscript/i2pProxy.pac" todir="pkg-temp/scripts/" />
+        <copy file="apps/apparmor/home.i2p.i2prouter" todir="pkg-temp/scripts/" />
         <copy file="installer/resources/startconsole.html" todir="pkg-temp/docs/" />
         <copy file="installer/resources/start.ico" todir="pkg-temp/docs/" />
         <copy file="installer/resources/console.ico" todir="pkg-temp/docs/" />
diff --git a/installer/install.xml b/installer/install.xml
index 0f5629d49..addf70fc5 100644
--- a/installer/install.xml
+++ b/installer/install.xml
@@ -129,6 +129,7 @@
               and the izpack docs for some guidance.
              -->
             <parsable targetfile="$INSTALL_PATH/wrapper.config" type="plain" />
+            <parsable targetfile="$INSTALL_PATH/scripts/home.i2p.i2prouter" type="plain"> <os family="unix" /> </parsable>
             <parsable targetfile="$INSTALL_PATH/i2prouter" type="shell"> <os family="unix" /> </parsable>
             <parsable targetfile="$INSTALL_PATH/eepget" type="shell"> <os family="unix" /> </parsable>
             <parsable targetfile="$INSTALL_PATH/eepget.bat" type="shell" os="windows" />
diff --git a/installer/resources/postinstall.sh b/installer/resources/postinstall.sh
index a58a19223..21a23d686 100644
--- a/installer/resources/postinstall.sh
+++ b/installer/resources/postinstall.sh
@@ -111,10 +111,11 @@ if [ ! `echo $HOST_OS  |grep osx` ]; then
     rm -f *i2p_service_osx.command
     rm -f net.i2p.router.plist.template
     #rm -f I2P\ Router\ Console.webloc
+else
+    # The example apparmor profile is useless on OSX
+    rm -f ./scripts/home.i2p.i2prouter
 fi
 
-# no, let's not start the router from the install script any more
-# ./i2prouter start
 rm -f ./osid
 rm -f ./postinstall.sh
 exit 0