From 11c323015056181b3862b496f7f9cfbcccdc7c61 Mon Sep 17 00:00:00 2001
From: kytv <kytv@mail.i2p>
Date: Tue, 14 Apr 2015 01:00:10 +0000
Subject: [PATCH] updates to apparmor profiles
- hardening (restrict access to proc to owner)
- removing files covered by abstractions
- indentation per apparmor profile style
---
apps/apparmor/home.i2p.i2prouter | 25 +++----
debian/apparmor/i2p | 106 +++++++++++++++---------------
debian/apparmor/usr.bin.i2prouter | 8 ++-
3 files changed, 67 insertions(+), 72 deletions(-)
diff --git a/apps/apparmor/home.i2p.i2prouter b/apps/apparmor/home.i2p.i2prouter
index 561709d7f1..b31f3adbaa 100644
--- a/apps/apparmor/home.i2p.i2prouter
+++ b/apps/apparmor/home.i2p.i2prouter
@@ -1,4 +1,4 @@
-# Last Modified: Mon, 16 Feb 2015
+# Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global>
@@ -18,20 +18,20 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
owner $INSTALL_PATH/** rwklm,
# Needed for Java
- @{PROC} r,
- @{PROC}/[0-9]*/net/if_inet6 r,
- @{PROC}/[0-9]*/net/ipv6_route r,
- @{PROC}/[0-9]*/status r,
- @{PROC}/[0-9]*/stat r,
- @{PROC}/[0-9]*/cmdline r,
- @{PROC}/1/comm r,
+ owner @{PROC} r,
+ owner @{PROC}/[0-9]*/ r,
+ owner @{PROC}/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/cmdline r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
+
/dev/random r,
/dev/urandom r,
+ @{PROC}/1/comm r,
/etc/ssl/certs/java/** r,
/etc/timezone r,
@@ -51,16 +51,7 @@ $INSTALL_PATH/{i2prouter,runplain.sh} flags=(complain) {
# Fonts are needed for I2P's graphs
- /etc/fonts/** r,
- /usr/share/fontconfig/ r,
- /usr/share/fontconfig/** r,
- /usr/share/fonts/ r,
- /usr/share/fonts/** r,
- /usr/share/fonts/truetype/ r,
- /usr/share/fonts/truetype/** r,
/usr/share/java/java-atk-wrapper.jar r,
- /var/cache/fontconfig/ r,
- /var/cache/fontconfig/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
diff --git a/debian/apparmor/i2p b/debian/apparmor/i2p
index 3c20c88f4d..c0a9edec9b 100644
--- a/debian/apparmor/i2p
+++ b/debian/apparmor/i2p
@@ -1,4 +1,4 @@
-# Last Modified: Thu Jan 29 03:17:01 2015
+# Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=4 sw=4
#include <abstractions/base>
@@ -10,54 +10,56 @@
network inet stream,
network inet6 stream,
-# Needed for Java
-@{PROC} r,
-@{PROC}/[0-9]*/net/if_inet6 r,
-@{PROC}/[0-9]*/net/ipv6_route r,
-@{PROC}/[0-9]*/status r,
-/dev/random r,
-/dev/urandom r,
-/sys/devices/system/cpu/ r,
-/sys/devices/system/cpu/** r,
-
-/etc/ssl/certs/java/** r,
-/etc/timezone r,
-/usr/share/javazi/** r,
-
-/etc/java-*-openjdk/** r,
-/usr/lib/jvm/default-java/jre/bin/java rix,
-/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
-/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
-/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
-
-# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
-/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
-/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
-
-# needed for I2P's graphs
-/etc/fonts/** r,
-/usr/share/java/java-atk-wrapper.jar r,
-
-# I2P specific
-/etc/default/i2p r,
-/usr/share/i2p/** r,
-# Used by some plugins
-/usr/share/java/eclipse-ecj-*.jar r,
-
-# Tanuki java wrapper
-/etc/i2p/wrapper.config r,
-/usr/sbin/wrapper rix,
-/usr/share/java/wrapper*.jar r,
-
-/{,var/}tmp/ rwm,
-owner /{,var/}tmp/** rwklm,
-
-# Prevent spamming the logs
-deny /dev/tty rw,
-deny @{PROC}/[0-9]*/fd/ r,
-deny /usr/sbin/ r,
-deny /var/cache/fontconfig/ wk,
-
-# Used by some versions of the Tanuki wrapper, not needed by I2P
-deny /usr/share/java/hamcrest*.jar r,
-deny /usr/share/java/junit*.jar r,
+ # Needed by Java
+ owner @{PROC} r,
+ owner @{PROC}/[0-9]*/ r,
+ owner @{PROC}/[0-9]*/status r,
+ /dev/random r,
+ /dev/urandom r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+
+ /etc/ssl/certs/java/** r,
+ /etc/timezone r,
+ /usr/share/javazi/** r,
+
+ /etc/java-*-openjdk/** r,
+ /usr/lib/jvm/default-java/jre/bin/java rix,
+ /usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
+ /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
+
+ # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
+ /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
+ /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
+
+ # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
+ /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,
+
+ # needed for I2P's graphs
+ /usr/share/java/java-atk-wrapper.jar r,
+
+ # I2P specific
+ /usr/share/i2p/** r,
+
+ # Used by some plugins
+ /usr/share/java/eclipse-ecj-*.jar r,
+
+ # Tanuki java wrapper
+ /etc/i2p/wrapper.config r,
+ /usr/sbin/wrapper rix,
+ /usr/share/java/wrapper*.jar r,
+
+ # 'm' is needed by the I2P-Bote plugin
+ /{,var/}tmp/ rwm,
+ owner /{,var/}tmp/** rwklm,
+
+ # Prevent spamming the logs
+ deny /dev/tty rw,
+ deny @{PROC}/[0-9]*/fd/ r,
+ deny /usr/sbin/ r,
+ deny /var/cache/fontconfig/ wk,
+
+ # Used by some versions of the Tanuki wrapper, not needed by I2P
+ deny /usr/share/java/hamcrest*.jar r,
+ deny /usr/share/java/junit*.jar r,
diff --git a/debian/apparmor/usr.bin.i2prouter b/debian/apparmor/usr.bin.i2prouter
index b33d796316..ae1b1e2bbe 100644
--- a/debian/apparmor/usr.bin.i2prouter
+++ b/debian/apparmor/usr.bin.i2prouter
@@ -1,4 +1,4 @@
-# Last Modified: Thu Jan 29 03:17:01 2015
+# Last Modified: Sun Apr 12 22:08:32 2015
# vim:syntax=apparmor et ts=8 sw=4
#include <tunables/global>
@@ -9,8 +9,10 @@
/usr/bin/i2prouter r,
- @{PROC}/[0-9]*/stat r,
- @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/1/comm r,
+ owner @{PROC}/[0-9]*/ r,
+ owner @{PROC}/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/cmdline r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/pid_max r,
--
GitLab