I2P Address: [http://git.idk.i2p]

Skip to content
Snippets Groups Projects
Commit 11c32301 authored by kytv's avatar kytv
Browse files

updates to apparmor profiles 

- hardening (restrict access to proc to owner)
- removing files covered by abstractions
- indentation per apparmor profile style
parent dd99978b
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
apps/apparmor/home.i2p.i2prouter
+ 8
17
View file @ 11c32301
# Last Modified: Mon, 16 Feb 2015 # Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=8 sw=4 # vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global> #include <tunables/global>
...@@ -18,20 +18,20 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) { ...@@ -18,20 +18,20 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
owner $INSTALL_PATH/** rwklm, owner $INSTALL_PATH/** rwklm,
# Needed for Java # Needed for Java
@{PROC} r, owner @{PROC} r,
@{PROC}/[0-9]*/net/if_inet6 r, owner @{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/net/ipv6_route r, owner @{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/1/comm r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
/sys/devices/system/cpu/ r, /sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r, /sys/devices/system/cpu/** r,
/dev/random r, /dev/random r,
/dev/urandom r, /dev/urandom r,
@{PROC}/1/comm r,
/etc/ssl/certs/java/** r, /etc/ssl/certs/java/** r,
/etc/timezone r, /etc/timezone r,
...@@ -51,16 +51,7 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) { ...@@ -51,16 +51,7 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
# Fonts are needed for I2P's graphs # Fonts are needed for I2P's graphs
/etc/fonts/** r,
/usr/share/fontconfig/ r,
/usr/share/fontconfig/** r,
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/fonts/truetype/ r,
/usr/share/fonts/truetype/** r,
/usr/share/java/java-atk-wrapper.jar r, /usr/share/java/java-atk-wrapper.jar r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** r,
# Used by some plugins # Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r, /usr/share/java/eclipse-ecj-*.jar r,
......
debian/apparmor/i2p
+ 54
52
View file @ 11c32301
# Last Modified: Thu Jan 29 03:17:01 2015 # Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=4 sw=4 # vim:syntax=apparmor et ts=4 sw=4
#include <abstractions/base> #include <abstractions/base>
...@@ -10,54 +10,56 @@ ...@@ -10,54 +10,56 @@
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
# Needed for Java # Needed by Java
@{PROC} r, owner @{PROC} r,
@{PROC}/[0-9]*/net/if_inet6 r, owner @{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/net/ipv6_route r, owner @{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/status r, /dev/random r,
/dev/random r, /dev/urandom r,
/dev/urandom r, /sys/devices/system/cpu/ r,
/sys/devices/system/cpu/ r, /sys/devices/system/cpu/** r,
/sys/devices/system/cpu/** r,
/etc/ssl/certs/java/** r,
/etc/ssl/certs/java/** r, /etc/timezone r,
/etc/timezone r, /usr/share/javazi/** r,
/usr/share/javazi/** r,
/etc/java-*-openjdk/** r,
/etc/java-*-openjdk/** r, /usr/lib/jvm/default-java/jre/bin/java rix,
/usr/lib/jvm/default-java/jre/bin/java rix, /usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix, /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix, # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix, # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
# needed for I2P's graphs /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,
/etc/fonts/** r,
/usr/share/java/java-atk-wrapper.jar r, # needed for I2P's graphs
/usr/share/java/java-atk-wrapper.jar r,
# I2P specific
/etc/default/i2p r, # I2P specific
/usr/share/i2p/** r, /usr/share/i2p/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r, # Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
# Tanuki java wrapper
/etc/i2p/wrapper.config r, # Tanuki java wrapper
/usr/sbin/wrapper rix, /etc/i2p/wrapper.config r,
/usr/share/java/wrapper*.jar r, /usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,
/{,var/}tmp/ rwm,
owner /{,var/}tmp/** rwklm, # 'm' is needed by the I2P-Bote plugin
/{,var/}tmp/ rwm,
# Prevent spamming the logs owner /{,var/}tmp/** rwklm,
deny /dev/tty rw,
deny @{PROC}/[0-9]*/fd/ r, # Prevent spamming the logs
deny /usr/sbin/ r, deny /dev/tty rw,
deny /var/cache/fontconfig/ wk, deny @{PROC}/[0-9]*/fd/ r,
deny /usr/sbin/ r,
# Used by some versions of the Tanuki wrapper, not needed by I2P deny /var/cache/fontconfig/ wk,
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r, # Used by some versions of the Tanuki wrapper, not needed by I2P
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,
debian/apparmor/usr.bin.i2prouter
+ 5
3
View file @ 11c32301
# Last Modified: Thu Jan 29 03:17:01 2015 # Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=8 sw=4 # vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global> #include <tunables/global>
...@@ -9,8 +9,10 @@ ...@@ -9,8 +9,10 @@
/usr/bin/i2prouter r, /usr/bin/i2prouter r,
@{PROC}/[0-9]*/stat r, @{PROC}/1/comm r,
@{PROC}/[0-9]*/cmdline r, owner @{PROC}/[0-9]*/ r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/cmdline r,
@{PROC}/uptime r, @{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Base32 Address: [http://7qeve4v2chmjdqlwpa3vl7aojf3nodbku7vepnjwrsxljzqipz6a.b32.i2p] Onion Address: [http://47ggr2fa3vnwfyhvgskzdmr3i32eijwymxohtxsls45dulmriwxszjad.onion]