Debian: confine daemon with apparmor (ticket #1061)

This commit is contained in:
kytv
2015-02-18 22:25:24 +00:00
parent bb9cef1e40
commit 29953ea5e4
15 changed files with 323 additions and 62 deletions


@ -67,7 +67,7 @@
<echo message="The following command will install all of the dependencies for you:" />
<echo message=" " />
<echo message="apt-get install debhelper ant debconf default-jdk gettext libgmp3-dev po-debconf fakeroot build-essential \" />
<echo message=" quilt libcommons-logging-java" />
<echo message=" quilt libcommons-logging-java dh-apparmor" />
<echo message=" " />
<echo message="Once the dependencies are installed, run &quot;ant debian&quot;"/>
<echo message="to patch the source and build the packages." />

4
debian/NEWS vendored

@ -4,8 +4,8 @@ i2p (0.8.6-5) stable; urgency=low
Instead the file /etc/i2p/wrapper.config is used with the changes that used to
be in wrapper.service have been moved to the initscript. If you have changed
the amount of memory set aside for I2P, you'll need to make that change to
/etc/i2p/wrapper.config.
/etc/i2p/wrapper.config.
The I2P router is now split into four different packages: i2p, i2p-doc,
i2p-router, and libjbigi.

63
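--- a/debian/apparmor/i2p
+++ b/debian/apparmor/i2p
@@ -0,0 +1,63 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=4 sw=4
+#include <abstractions/base>
+#include <abstractions/fonts>
+#include <abstractions/nameservice>
+#include <abstractions/ssl_certs>
+#include <abstractions/user-tmp>
+network inet stream,
+network inet6 stream,
+# Needed for Java
+@{PROC} r,
+@{PROC}/[0-9]*/net/if_inet6 r,
+@{PROC}/[0-9]*/net/ipv6_route r,
+@{PROC}/[0-9]*/status r,
+/dev/random r,
+/dev/urandom r,
+/sys/devices/system/cpu/ r,
+/sys/devices/system/cpu/** r,
+/etc/ssl/certs/java/** r,
+/etc/timezone r,
+/usr/share/javazi/** r,
+/etc/java-*-openjdk/** r,
+/usr/lib/jvm/default-java/jre/bin/java rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
+# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
+# needed for I2P's graphs
+/etc/fonts/** r,
+/usr/share/java/java-atk-wrapper.jar r,
+# I2P specific
+/etc/default/i2p r,
+/usr/share/i2p/** r,
+# Used by some plugins
+/usr/share/java/eclipse-ecj-*.jar r,
+# Tanuki java wrapper
+/etc/i2p/wrapper.config r,
+/usr/sbin/wrapper rix,
+/usr/share/java/wrapper*.jar r,
+/{,var/}tmp/ rwm,
+owner /{,var/}tmp/** rwklm,
+# Prevent spamming the logs
+deny /dev/tty rw,
+deny @{PROC}/[0-9]*/fd/ r,
+deny /usr/sbin/ r,
+deny /var/cache/fontconfig/ wk,
+# Used by some versions of the Tanuki wrapper, not needed by I2P
+deny /usr/share/java/hamcrest*.jar r,
+deny /usr/share/java/junit*.jar r,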
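Review bot: `owner /{,var/}tmp/** rwklm,` combines write with `m` (executable mapping) on every daemon-owned file under /tmp and /var/tmp, so the confined JVM can write a file and then map it executable, which is exactly the combination a confinement profile should avoid granting wholesale; `abstractions/user-tmp`, already included at the top of this file, as far as I recall covers the ordinary owner read/write/lock/link needs under both directories. If some specific file genuinely needs `m` (the wrapper's native library or a JVM shared archive, presumably), narrow the rule to `owner /{,var/}tmp/** rwkl,` plus an `m` rule for that one path, and add a comment naming what required it. The `m` on the directory rule `/{,var/}tmp/ rwm,` has no use either and can be dropped at the same time. The indentation of the original file is not visible on this page, so the rebuilt lines above are shown flush left.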

15
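--- a/debian/apparmor/system_i2p
+++ b/debian/apparmor/system_i2p
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor et
+#include <tunables/global>
+profile system_i2p {
+#include <abstractions/i2p>
+owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwkl,
+owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,
+owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
+owner /{,var/}run/i2p/router.ping rw,
+# Site-specific additions and overrides. See local/README for details.
+#include <local/system_i2p>
+}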
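Review bot: `owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwkl,` matches entries below /var/lib/i2p but not the directory itself, so if the router ever lists or stats `/var/lib/i2p/` that access is denied; if that shows up in the audit log, add `owner /{,lib/live/mount/overlay/}var/lib/i2p/ r,` next to it. The profile would also benefit from a short comment above the rules stating what it does and does not protect: it limits the daemon's file and network access, but since `/var/lib/i2p/**` is writable and readable the JVM is still free to load classes from config and plugin directories, which AppArmor does not mediate. The indentation inside the `profile` block is not visible on this page, so the rebuilt lines are shown flush left.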

48
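--- a/debian/apparmor/usr.bin.i2prouter
+++ b/debian/apparmor/usr.bin.i2prouter
@@ -0,0 +1,48 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=8 sw=4
+#include <tunables/global>
+/usr/bin/i2prouter {
+#include <abstractions/i2p>
+capability sys_ptrace,
+/usr/bin/i2prouter r,
+@{PROC}/[0-9]*/stat r,
+@{PROC}/[0-9]*/cmdline r,
+@{PROC}/uptime r,
+@{PROC}/sys/kernel/pid_max r,
+/bin/{,b,d}ash rix,
+/bin/cat rix,
+/bin/grep rix,
+/bin/mkdir rix,
+/bin/ps rix,
+/bin/rm rix,
+/bin/sed rix,
+/bin/sleep rix,
+/bin/uname rix,
+/bin/which rix,
+/usr/bin/{,g,m}awk rix,
+/usr/bin/cut rix,
+/usr/bin/dirname rix,
+/usr/bin/expr rix,
+/usr/bin/id rix,
+/usr/bin/ldd rix,
+/usr/bin/tail rix,
+/usr/bin/tr rix,
+@{HOME}/.java/fonts/** r,
+owner @{HOME}/.i2p/ rw,
+owner @{HOME}/.i2p/** rwk,
+# Prevent spamming the logs
+deny owner @{HOME}/.java/ wk,
+deny @{HOME}/.fontconfig/ wk,
+deny @{HOME}/.java/fonts/** wk,
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.i2prouter>
+}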
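Review bot: `capability sys_ptrace,` is the broadest grant in this profile and is the only rule without a comment explaining why it is needed; every program listed below it runs `ix`, so the capability is inherited by the shell, `ps`, `awk` and the rest of the helpers the script spawns. Presumably it was added for the running-check that reads `@{PROC}/[0-9]*/stat` and `cmdline`, but reading those files for processes of the same user does not normally require it, so it is worth re-running the script under `aa-logprof` without the line to see whether anything actually asks for it. If it does stay, document it in place, e.g. `# sys_ptrace: required by <what triggers it> -- confirmed with aa-logprof`. The indentation inside the profile block is not visible on this page, so the rebuilt lines are shown flush left.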

83
debian/changelog vendored

@ -1,8 +1,87 @@
i2p (0.9.16-1) UNRELEASED; urgency=medium
i2p (0.9.18-1) UNRELEASED; urgency=medium
* New upstream release
* Confine with AppArmor
-- Kill Your TV <killyourtv@i2pmail.org> Thu, 30 Oct 2014 20:07:50 +0000
-- Kill Your TV <killyourtv@i2pmail.org> Sun, 22 Feb 2015 00:00:00 +0000
i2p (0.9.17-1) unstable; urgency=medium
* New Upstream Version
Changes
- Signed news
- ECDSA default for new server tunnels
- Reseeding now SSL-only by default
Bug Fixes
- Fix SSU sending corrupt ack-only packets with partial bitfields
- Fix SSU inbound connection fail from non-DSA router
- Don't select incompatible peers if we are a non-DSA router
- Fix EdDSA signature verification bug
- Set I2NP lookup type flags in all cases, not just when a reply tunnel is used
- Stop i2ptunnel server acceptor thread after close
- Fix bug preventing some plugins from stopping completely
- Fix SAM v3 bug causing failures in incoming connections
Other
- Add a warning in the console sidebar if ECDSA not supported
- Log warnings for Java 6 that we will eventually require Java 7
- Don't let proxied routers auto-floodfill
- Don't resend SSU acks that are too old
- Don't publish direct info in SSU address if introducers are required
- New default opentrackers in i2psnark
- Add support for specifiying data directory per-torrent in i2psnark
- Changes in streaming accept() error behavior
- Minor blockfile format changes
- New option for persistent random key to preserve peer ordering across restarts
- Translation updates
- Update GeoIP data
-- Kill Your TV <killyourtv@i2pmail.org> Sun, 30 Nov 2014 22:20:06 +0000
i2p (0.9.16-1) unstable; urgency=medium
* New Upstream Version
- Add support for stronger Router Info signatures
- Encrypt RI lookups and responses on faster boxes
- Require I2CP authorization for all messages when enabled (requires 0.9.11
or higher client)
- Disable TLSv3 and older ciphers for reseeding and other uses of SSL
- Use ECDSA by default for i2ptunnel IRC, SOCKS-IRC, and standard client
tunnels
- Don't prefer floodfills in some countries
- New column sorting, set-all priority buttons, and upload ratio display in
i2psnark
- Increase i2psnark tunnel default to 3 hops
- Implement bundling of multiple fragments in a single SSU message for
efficiency
- New add-to-addressbook links on netdb leaseset page
- Implement I2NP DatabaseLookupMessage search type field to improve lookup
efficiency
- CPUID fixes and updates for recent processors
- i2psnark fix magnet links with %-encoding
- Improve handling of SSU socket closing out from under us (hopefully fix
100% CPU)
- SSU bitfield handling fixes
- Fix HTTP header issues in i2psnark
- Fix rare NPE when building garlic message
- Fix console lockups (hopefully)
- Fix i2ptunnel js confirm-delete
- Move router data structures from i2p.jar to router.jar (breaks i2pcontrol
plugin)
- New router keys now stored in router.keys.dat (privKeys.dat format)
instead of router.keys
- Improve handling of unsupported encryption throughout
- More error checking of client I2CP messages by the router
- Initial work on hooks for pluggable transports
- Enforce request timestamp in tunnel build messages
- Re-enable message status in streaming, but treat no leaseset as a soft
failure for now
- Return unused DH keypairs to the pool for efficiency
- Raise failsafe tagset limit and improve deletion strategy when hit
- Change eepsite Jetty threadpool and queue configuration
- NTCP establishment refactoring in prep for NTCP2 and PT
- Jetty 8.1.16-v20140903
- Translation updates
- Update GeoIP data
i2p (0.9.15-1) unstable; urgency=medium

7
debian/control vendored

@ -1,7 +1,7 @@
Source: i2p
Maintainer: Kill Your TV <killyourtv@i2pmail.org>
Section: net
Standards-Version: 3.9.5
Standards-Version: 3.9.6
Priority: optional
Bugs: mailto:killyourtv@i2pmail.org
Homepage: https://geti2p.net
@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 7.0.50~)
,ant-optional
,debconf
,default-jdk | openjdk-7-jdk | openjdk-6-jdk
,dh-apparmor
,gettext
,libgmp3-dev
# uncomment the next line for official builds
@ -71,7 +72,7 @@ Architecture: all
Section: net
Priority: optional
Depends: ${misc:Depends}, ${java:Depends}, ${shlibs:Depends},
openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
openjdk-8-jre-headless | openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java8-runtime-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
Replaces: i2p ( << 0.8.6-5)
Breaks: i2p (<< 0.8.6-5)
Recommends: libjbigi-jni, ttf-dejavu
@ -86,7 +87,7 @@ Suggests: tor
,mail-reader
,news-reader
,polipo
,privox
,privoxy
,robert
,syndie
,www-browser
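Review bot: The new `,dh-apparmor` build dependency has no runtime counterpart: nothing in these hunks relates the i2p package to `apparmor`, yet the templates in this same commit default confinement to true. On a system without the AppArmor userspace the init script's aa-status/aa-exec checks fail and the daemon starts unconfined, so the default answer buys nothing on a default install. Unless apparmor is pulled in elsewhere outside this hunk, add it to the i2p package's Recommends line shown as context here, `Recommends: libjbigi-jni, ttf-dejavu, apparmor`.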

28
debian/i2p.config vendored

@ -1,4 +1,6 @@
#!/bin/sh -e
#!/bin/sh
set -e
# I2P package configuration script
conffile="/etc/default/i2p"
@ -7,24 +9,30 @@ conffile="/etc/default/i2p"
# Load config file if it exists
if [ -e $conffile ]; then
. $conffile
. $conffile
# wrapper.config always takes priority
MEMORYLIMIT=$(sed -e '/^wrapper\.java\.maxmemory/!d' -e 's/^wrapper\.java\.maxmemory\ *=\ *//' /etc/i2p/wrapper.config)
# wrapper.config always takes priority
MEMORYLIMIT=$(awk -F= '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config)
db_set i2p/daemon "$RUN_DAEMON"
db_set i2p/user "$I2PUSER"
db_set i2p/memory "$MEMORYLIMIT"
db_set i2p/daemon "$RUN_DAEMON"
db_set i2p/user "$I2PUSER"
db_set i2p/memory "$MEMORYLIMIT"
db_set i2p/aa "$CONFINE_WITH_APPARMOR"
fi
db_input medium i2p/daemon || true
db_go
db_get i2p/daemon || true
if [ "$RET" = "true" ]; then
db_input medium i2p/user || true
db_go
db_input medium i2p/user || true
db_go
fi
db_input medium i2p/memory || true
db_go
db_input medium i2p/aa || true
db_go
# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
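Review bot: The replacement `MEMORYLIMIT=$(awk -F= '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config)` drops the whitespace handling the old sed expression had: the sed pattern `\ *=\ *` stripped blanks on both sides of `=`, while splitting on a bare `=` leaves any leading blank in `$2`, so a config written as `wrapper.java.maxmemory = 128` now seeds debconf with ` 128`. Using a regex field separator keeps the old behaviour, `MEMORYLIMIT=$(awk -F'[[:space:]]*=[[:space:]]*' '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config)`. Separately, `db_set i2p/aa "$CONFINE_WITH_APPARMOR"` runs on upgrades where /etc/default/i2p predates this commit and has no such variable, which stores an empty string into a boolean question; if that turns out to override the template default, guard it with `[ -n "$CONFINE_WITH_APPARMOR" ] && db_set i2p/aa "$CONFINE_WITH_APPARMOR"`.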

1
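--- a/debian/i2p.dirs
+++ b/debian/i2p.dirs
@@ -0,0 +1 @@
+etc/apparmor.d/abstractions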

66
debian/i2p.init vendored

@ -32,6 +32,7 @@ WRAPPERLOG="/var/log/i2p/wrapper.log"
RUN_DAEMON="False"
NICE=0
I2PUSER="i2psvc"
USE_AA="yes"
I2P_ARGS="/etc/i2p/wrapper.config \
wrapper.java.additional.1=-DloggerFilenameOverride=/var/log/i2p/log-router-@.txt \
@ -43,32 +44,19 @@ I2P_ARGS="/etc/i2p/wrapper.config \
wrapper.java.pidfile=$JVMPIDFILE \
wrapper.daemonize=TRUE"
[ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
[ -r /lib/init/vars.sh ] && . /lib/init/vars.sh
. /lib/lsb/init-functions
. /lib/init/vars.sh
for ENV_FILE in /etc/environment /etc/default/locale; do
[ -r "$ENV_FILE" ] || continue
[ -s "$ENV_FILE" ] || continue
[ -r "$ENV_FILE" ] || continue
[ -s "$ENV_FILE" ] || continue
for var in LANG LANGUAGE LC_ALL LC_CTYPE; do
value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2`
[ -n "$value" ] && eval export $var=$value
for var in LANG LANGUAGE LC_ALL LC_CTYPE; do
value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2`
[ -n "$value" ] && eval export $var=$value
# This is commented out for Ubuntu: Ubuntu still creates
# /etc/environment in the most recent release
# (currently 'Precise').
#
# TODO Add logic to automatically handle this
#
# Commented for Ubuntu since PPA packages 0.9-1$DISTRO1.
# Packages for Debian systems will have this stanza uncommented.
#
# if [ -n "$value" ] && [ "$ENV_FILE" = /etc/environment ]; then
# log_warning_msg "/etc/environment has been deprecated for locale information; use /etc/default/locale for $var=$value instead"
# fi
done
done
done
# read config file
@ -80,10 +68,10 @@ if [ -z "$RUN_DAEMON" ]; then
fi
case "$RUN_DAEMON" in
[NnFf]*)
log_action_msg "$DESC daemon disabled in /etc/default/$NAME".
exit 0
;;
[NnFf]*)
log_action_msg "$DESC daemon disabled in /etc/default/$NAME".
exit 0
;;
esac
# We need the wrapper. If it's not found, abort.
@ -111,8 +99,29 @@ do_start()
fi
chown -Rf $I2PUSER:$I2PUSER $I2PTEMP $RUN > /dev/null 2>&1
chown -f -R $I2PUSER:i2psvc /var/log/$NAME > /dev/null 2>&1
TZ=UTC start-stop-daemon --start --quiet -c $I2PUSER --pidfile $PIDFILE --exec $DAEMON -n $NICE -- \
$I2P_ARGS || return 2
if [ "$USE_AA" = "yes" ] && \
[ -x /usr/sbin/aa-status ] && \
[ -x /usr/sbin/aa-exec ] && \
[ -e /etc/apparmor.d/system_i2p ] && \
/usr/sbin/aa-status --enabled ; then
AA="--startas /usr/sbin/aa-exec"
AA_ARGS="--profile=system_i2p -- $DAEMON"
else
AA=""
AA_ARGS=""
fi
TZ=UTC start-stop-daemon --start --quiet --chuid $I2PUSER --pidfile $PIDFILE $AA --exec $DAEMON --nicelevel $NICE -- \
$AA_ARGS $I2P_ARGS || return 2
# FIXME Temporary hack
# Files from /usr/share/i2p should have been copied, if need be, well before the 15 seconds are up.
if [ ! -f /var/lib/i2p/i2p-config/.perms ] && [ $I2PUSER = "i2psvc" ]; then
sleep 15
find /var/lib/i2p/ -type d -exec chmod 770 {} \;
find /var/lib/i2p/ -type f -exec chmod 660 {} \;
touch /var/lib/i2p/i2p-config/.perms
fi
}
do_stop()
@ -124,7 +133,8 @@ do_stop()
start-stop-daemon --stop --quiet --oknodo --retry=0/60/KILL/20 --exec $DAEMON
rm -rf "$I2PTEMP" > /dev/null 2>&1
[ -d "$RUN" ] && rmdir --ignore-fail-on-non-empty "$RUN" > /dev/null 2>&1
[ -d "$RUN" ] && rm -f "$RUN/*" > /dev/null 2>&1
[ -d "$RUN" ] && rmdir "$RUN" > /dev/null 2>&1
}
do_dump()
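Review bot: When `USE_AA` is yes but any of the aa-status, aa-exec or profile checks in do_start fails, the else branch that sets `AA=""` starts the daemon unconfined without saying so, so an administrator who asked for confinement gets none and no trace of it in the boot log; add `log_warning_msg "AppArmor confinement requested but unavailable; starting $NAME unconfined"` to that branch, using the same helper the script already calls for the disabled-daemon case. Separately, the new `rm -f "$RUN/*"` in do_stop quotes the glob, so it only ever tries to remove a file literally named `*` and the following `rmdir "$RUN"` fails on a non-empty directory; it should read `rm -f "$RUN"/*`. The hunks also hard-code `USE_AA="yes"` while i2p.config and i2p.postinst store the debconf answer as `CONFINE_WITH_APPARMOR` in /etc/default/i2p; unless the part of the script outside these hunks maps one onto the other, the question has no effect on what the init script does. do_start and do_stop both begin and continue outside the hunks shown.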

3
debian/i2p.install vendored

@ -1,3 +1,6 @@
pkg-temp/i2prouter usr/bin
pkg-temp/wrapper.config etc/i2p
pkg-temp/locale usr/share/i2p
debian/apparmor/i2p etc/apparmor.d/abstractions
debian/apparmor/usr.bin.i2prouter etc/apparmor.d
debian/apparmor/system_i2p etc/apparmor.d

35
debian/i2p.postinst vendored

@ -6,7 +6,7 @@ I2PHOME=/var/lib/i2p
I2PSYSUSER=i2psvc
conffile="/etc/default/i2p"
systemdservice="/lib/systemd/system/i2p.service"
#systemdservice="/lib/systemd/system/i2p.service"
# Source debconf library -- we have a Depends line
# to make sure it is there...
@ -25,6 +25,7 @@ case "$1" in
echo >> $conffile
echo "RUN_DAEMON=" >> $conffile
echo "I2PUSER=" >> $conffile
echo "CONFINE_WITH_APPARMOR=" >> $conffile
echo "# The next value is also wrapper.java.maxmemory in /etc/i2p/wrapper.config" >> $conffile
echo "MEMORYLIMIT=" >> $conffile
fi
@ -35,6 +36,8 @@ case "$1" in
I2PUSER="$RET"
db_get i2p/memory
MEMORYLIMIT="$RET"
db_get i2p/aa
CONFINE_WITH_APPARMOR="$RET"
cp -a -f $conffile $conffile.tmp
@ -46,6 +49,8 @@ case "$1" in
echo "I2PUSER=" >> $conffile
test -z "$MEMORYLIMIT" || grep -Eq '^ *MEMORYLIMIT=' $conffile || \
echo "MEMORYLIMIT=" >> $conffile
test -z "$CONFINE_WITH_APPARMOR" || grep -Eq '^ *CONFINE_WITH_APPARMOR=' $conffile || \
echo "CONFINE_WITH_APPARMOR=" >> $conffile
if [ -z $RUN_DAEMON ]; then
RUN_DAEMON="false"
@ -57,22 +62,23 @@ case "$1" in
sed -e "s/^ *RUN_DAEMON=.*/RUN_DAEMON=\"$RUN_DAEMON\"/" \
-e "s/^ *I2PUSER=.*/I2PUSER=\"$I2PUSER\"/" \
-e "s/^ *MEMORYLIMIT=.*/MEMORYLIMIT=\"$MEMORYLIMIT\"/" \
-e "s/^ *CONFINE_WITH_APPARMOR=.*/CONFINE_WITH_APPARMOR=\"$CONFINE_WITH_APPARMOR\"/" \
< $conffile > $conffile.tmp
mv -f $conffile.tmp $conffile
if [ -e "$systemdservice" ]; then
sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
mv -f "$systemdservice.tmp" "$systemdservice"
chmod 0644 -f "$systemdservice"
if [ -x /bin/systemctl ]; then
systemctl --system daemon-reload
if [ $RUN_DAEMON = 'true' ]; then
systemctl enable i2p.service
else
systemctl disable i2p.service
fi
fi
fi
# if [ -e "$systemdservice" ]; then
# sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
# mv -f "$systemdservice.tmp" "$systemdservice"
# chmod 0644 -f "$systemdservice"
# if grep -q 'systemd' /proc/1/comm > /dev/null 2>&1; then
# systemctl --system daemon-reload
# if [ $RUN_DAEMON = 'true' ]; then
# systemctl enable i2p.service
# else
# systemctl disable i2p.service
# fi
# fi
# fi
sed -e "s/^ *wrapper\.java\.maxmemory=.*/wrapper\.java\.maxmemory=$MEMORYLIMIT/" \
< /etc/i2p/wrapper.config > /etc/i2p/wrapper.config.tmp
@ -117,3 +123,4 @@ esac
#DEBHELPER#
exit 0
# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4


@ -33,3 +33,10 @@ _Description: Memory that can be allocated to I2P:
.
High bandwidth routers, as well as routers with a lot of active torrents / plugins, may
need to have this value increased.
Template: i2p/aa
Type: boolean
Default: true
_Description: Run I2P daemon confined with AppArmor
With this option enabled I2P will be sandboxed with AppArmor, restricting which files and
directories may be accessed by I2P.


@ -6,9 +6,9 @@
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Project-Id-Version: i2p\n"
"Report-Msgid-Bugs-To: https://trac.i2p2.de/\n"
"POT-Creation-Date: 2011-12-27 22:25+0000\n"
"POT-Creation-Date: 2015-02-18 22:14+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@ -74,3 +74,17 @@ msgid ""
"High bandwidth routers, as well as routers with a lot of active torrents / "
"plugins, may need to have this value increased."
msgstr ""
#. Type: boolean
#. Description
#: ../i2p.templates:5001
msgid "Run I2P daemon confined with AppArmor"
msgstr ""
#. Type: boolean
#. Description
#: ../i2p.templates:5001
msgid ""
"With this option enabled I2P will be sandboxed with AppArmor, restricting "
"which files and directories may be accessed by I2P."
msgstr ""

5
debian/rules vendored

@ -103,6 +103,11 @@ createcopyright:
override_dh_compress:
dh_compress -X.xsl -X.xml
override_dh_install:
dh_install --list-missing
dh_apparmor --profile-name=system_i2p -pi2p
dh_apparmor --profile-name=usr.bin.i2prouter -pi2p
override_dh_installchangelogs:
dh_installchangelogs history.txt