diff --git a/build.xml b/build.xml index cb5c34688..07388d1b2 100644 --- a/build.xml +++ b/build.xml @@ -67,7 +67,7 @@ - + diff --git a/debian/NEWS b/debian/NEWS index 38e309017..4f163c621 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -4,8 +4,8 @@ i2p (0.8.6-5) stable; urgency=low Instead the file /etc/i2p/wrapper.config is used with the changes that used to be in wrapper.service have been moved to the initscript. If you have changed the amount of memory set aside for I2P, you'll need to make that change to - /etc/i2p/wrapper.config. - + /etc/i2p/wrapper.config. + The I2P router is now split into four different packages: i2p, i2p-doc, i2p-router, and libjbigi. diff --git a/debian/apparmor/i2p b/debian/apparmor/i2p new file mode 100644 index 000000000..3c20c88f4 --- /dev/null +++ b/debian/apparmor/i2p 
@@ -0,0 +1,63 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=4 sw=4
+
+#include
+#include
+#include
+#include
+#include
+
+network inet stream,
+network inet6 stream,
+
+# Needed for Java
+@{PROC} r,
+@{PROC}/[0-9]*/net/if_inet6 r,
+@{PROC}/[0-9]*/net/ipv6_route r,
+@{PROC}/[0-9]*/status r,
+/dev/random r,
+/dev/urandom r,
+/sys/devices/system/cpu/ r,
+/sys/devices/system/cpu/** r,
+
+/etc/ssl/certs/java/** r,
+/etc/timezone r,
+/usr/share/javazi/** r,
+
+/etc/java-*-openjdk/** r,
+/usr/lib/jvm/default-java/jre/bin/java rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
+
+# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
+
+# needed for I2P's graphs
+/etc/fonts/** r,
+/usr/share/java/java-atk-wrapper.jar r,
+
+# I2P specific
+/etc/default/i2p r,
+/usr/share/i2p/** r,
+# Used by some plugins
+/usr/share/java/eclipse-ecj-*.jar r,
+
+# Tanuki java wrapper
+/etc/i2p/wrapper.config r,
+/usr/sbin/wrapper rix,
+/usr/share/java/wrapper*.jar r,
+
+/{,var/}tmp/ rwm,
+owner /{,var/}tmp/** rwklm,
+
+# Prevent spamming the logs
+deny /dev/tty rw,
+deny @{PROC}/[0-9]*/fd/ r,
+deny /usr/sbin/ r,
+deny /var/cache/fontconfig/ wk,
+
+# Used by some versions of the Tanuki wrapper, not needed by I2P
+deny /usr/share/java/hamcrest*.jar r,
+deny /usr/share/java/junit*.jar r,
diff --git a/debian/apparmor/system_i2p b/debian/apparmor/system_i2p
new file mode 100644
index 000000000..9af33b524
--- /dev/null
+++ b/debian/apparmor/system_i2p
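Review bot: `owner /{,var/}tmp/** rwklm,` in the debian/apparmor/i2p abstraction lets the confined JVM write a file anywhere under /tmp and then map it executable, which undoes much of what the profile does to keep unexpected native code from loading. If `m` is only needed for JNI libraries unpacked at startup, keep `owner /{,var/}tmp/** rwkl,` and grant `m` only on the temp directory I2P actually uses (the init script's `$I2PTEMP`; its value is not shown in this diff). The `deny` rules at the end also suppress audit records and cannot be overridden from a `local/` include, so a one-line comment such as `# deny also silences auditing and wins over any later allow` would help anyone extending the profile.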
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor et
+#include
+
+profile system_i2p {
+ #include
+
+ owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwkl,
+ owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,
+
+ owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
+ owner /{,var/}run/i2p/router.ping rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/debian/apparmor/usr.bin.i2prouter b/debian/apparmor/usr.bin.i2prouter
new file mode 100644
index 000000000..b33d79631
--- /dev/null
+++ b/debian/apparmor/usr.bin.i2prouter
@@ -0,0 +1,48 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=8 sw=4
+
+#include
+
+/usr/bin/i2prouter {
+ #include
+ capability sys_ptrace,
+
+ /usr/bin/i2prouter r,
+
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/uptime r,
+ @{PROC}/sys/kernel/pid_max r,
+
+ /bin/{,b,d}ash rix,
+ /bin/cat rix,
+ /bin/grep rix,
+ /bin/mkdir rix,
+ /bin/ps rix,
+ /bin/rm rix,
+ /bin/sed rix,
+ /bin/sleep rix,
+ /bin/uname rix,
+ /bin/which rix,
+
+ /usr/bin/{,g,m}awk rix,
+ /usr/bin/cut rix,
+ /usr/bin/dirname rix,
+ /usr/bin/expr rix,
+ /usr/bin/id rix,
+ /usr/bin/ldd rix,
+ /usr/bin/tail rix,
+ /usr/bin/tr rix,
+
+ @{HOME}/.java/fonts/** r,
+ owner @{HOME}/.i2p/ rw,
+ owner @{HOME}/.i2p/** rwk,
+
+ # Prevent spamming the logs
+ deny owner @{HOME}/.java/ wk,
+ deny @{HOME}/.fontconfig/ wk,
+ deny @{HOME}/.java/fonts/** wk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/debian/changelog b/debian/changelog
index d713f79e1..9843907ba 100644
--- a/debian/changelog
+++ b/debian/changelog
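Review bot: `capability sys_ptrace,` in the `/usr/bin/i2prouter` profile has no comment explaining why it is needed, and every helper started with `rix` (the shells, `rm`, `sed`, `ps` and the rest) inherits it. If it is there only because `/bin/ps` reads other processes' `/proc` entries, say so next to the rule, e.g. `# requested by ps when it inspects the wrapper/JVM pids`. Also check whether `deny capability sys_ptrace,` would be enough to quiet the log, in the same way the profile already denies other noisy accesses. Which command triggers the request is not visible in the hunk, so confirm before changing it.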
@@ -1,8 +1,87 @@ -i2p (0.9.16-1) UNRELEASED; urgency=medium +i2p (0.9.18-1) UNRELEASED; urgency=medium * New upstream release + * Confine with AppArmor - -- Kill Your TV Thu, 30 Oct 2014 20:07:50 +0000 + -- Kill Your TV Sun, 22 Feb 2015 00:00:00 +0000 + +i2p (0.9.17-1) unstable; urgency=medium + + * New Upstream Version + Changes + - Signed news + - ECDSA default for new server tunnels + - Reseeding now SSL-only by default + Bug Fixes + - Fix SSU sending corrupt ack-only packets with partial bitfields + - Fix SSU inbound connection fail from non-DSA router + - Don't select incompatible peers if we are a non-DSA router + - Fix EdDSA signature verification bug + - Set I2NP lookup type flags in all cases, not just when a reply tunnel is used + - Stop i2ptunnel server acceptor thread after close + - Fix bug preventing some plugins from stopping completely + - Fix SAM v3 bug causing failures in incoming connections + Other + - Add a warning in the console sidebar if ECDSA not supported + - Log warnings for Java 6 that we will eventually require Java 7 + - Don't let proxied routers auto-floodfill + - Don't resend SSU acks that are too old + - Don't publish direct info in SSU address if introducers are required + - New default opentrackers in i2psnark + - Add support for specifiying data directory per-torrent in i2psnark + - Changes in streaming accept() error behavior + - Minor blockfile format changes + - New option for persistent random key to preserve peer ordering across restarts + - Translation updates + - Update GeoIP data + + -- Kill Your TV Sun, 30 Nov 2014 22:20:06 +0000 + +i2p (0.9.16-1) unstable; urgency=medium + + * New Upstream Version + - Add support for stronger Router Info signatures + - Encrypt RI lookups and responses on faster boxes + - Require I2CP authorization for all messages when enabled (requires 0.9.11 + or higher client) + - Disable TLSv3 and older ciphers for reseeding and other uses of SSL + - Use ECDSA by default for i2ptunnel IRC, 
SOCKS-IRC, and standard client + tunnels + - Don't prefer floodfills in some countries + - New column sorting, set-all priority buttons, and upload ratio display in + i2psnark + - Increase i2psnark tunnel default to 3 hops + - Implement bundling of multiple fragments in a single SSU message for + efficiency + - New add-to-addressbook links on netdb leaseset page + - Implement I2NP DatabaseLookupMessage search type field to improve lookup + efficiency + - CPUID fixes and updates for recent processors + - i2psnark fix magnet links with %-encoding + - Improve handling of SSU socket closing out from under us (hopefully fix + 100% CPU) + - SSU bitfield handling fixes + - Fix HTTP header issues in i2psnark + - Fix rare NPE when building garlic message + - Fix console lockups (hopefully) + - Fix i2ptunnel js confirm-delete + - Move router data structures from i2p.jar to router.jar (breaks i2pcontrol + plugin) + - New router keys now stored in router.keys.dat (privKeys.dat format) + instead of router.keys + - Improve handling of unsupported encryption throughout + - More error checking of client I2CP messages by the router + - Initial work on hooks for pluggable transports + - Enforce request timestamp in tunnel build messages + - Re-enable message status in streaming, but treat no leaseset as a soft + failure for now + - Return unused DH keypairs to the pool for efficiency + - Raise failsafe tagset limit and improve deletion strategy when hit + - Change eepsite Jetty threadpool and queue configuration + - NTCP establishment refactoring in prep for NTCP2 and PT + - Jetty 8.1.16-v20140903 + - Translation updates + - Update GeoIP data i2p (0.9.15-1) unstable; urgency=medium diff --git a/debian/control b/debian/control index c11c9edb2..6e24840d0 100644 --- a/debian/control +++ b/debian/control 
@@ -1,7 +1,7 @@ Source: i2p Maintainer: Kill Your TV Section: net -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Priority: optional Bugs: mailto:killyourtv@i2pmail.org Homepage: https://geti2p.net @@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 7.0.50~) ,ant-optional ,debconf ,default-jdk | openjdk-7-jdk | openjdk-6-jdk + ,dh-apparmor ,gettext ,libgmp3-dev # uncomment the next line for official builds @@ -71,7 +72,7 @@ Architecture: all Section: net Priority: optional Depends: ${misc:Depends}, ${java:Depends}, ${shlibs:Depends}, - openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java7-runtime-headless | java6-runtime-headless, libecj-java + openjdk-8-jre-headless | openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java8-runtime-headless | java7-runtime-headless | java6-runtime-headless, libecj-java Replaces: i2p ( << 0.8.6-5) Breaks: i2p (<< 0.8.6-5) Recommends: libjbigi-jni, ttf-dejavu @@ -86,7 +87,7 @@ Suggests: tor ,mail-reader ,news-reader ,polipo - ,privox + ,privoxy ,robert ,syndie ,www-browser diff --git a/debian/i2p.config b/debian/i2p.config index dab3fe2ac..efaf7b454 100755 --- a/debian/i2p.config +++ b/debian/i2p.config @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/sh + +set -e # I2P package configuration script conffile="/etc/default/i2p" 
@@ -7,24 +9,30 @@ conffile="/etc/default/i2p" # Load config file if it exists if [ -e $conffile ]; then - . $conffile + . $conffile - # wrapper.config always takes priority - MEMORYLIMIT=$(sed -e '/^wrapper\.java\.maxmemory/!d' -e 's/^wrapper\.java\.maxmemory\ *=\ *//' /etc/i2p/wrapper.config) + # wrapper.config always takes priority + MEMORYLIMIT=$(awk -F= '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config) - - db_set i2p/daemon "$RUN_DAEMON" - db_set i2p/user "$I2PUSER" - db_set i2p/memory "$MEMORYLIMIT" + db_set i2p/daemon "$RUN_DAEMON" + db_set i2p/user "$I2PUSER" + db_set i2p/memory "$MEMORYLIMIT" + db_set i2p/aa "$CONFINE_WITH_APPARMOR" fi db_input medium i2p/daemon || true db_go + db_get i2p/daemon || true if [ "$RET" = "true" ]; then - db_input medium i2p/user || true - db_go + db_input medium i2p/user || true + db_go fi db_input medium i2p/memory || true db_go + +db_input medium i2p/aa || true +db_go + +# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4 diff --git a/debian/i2p.dirs b/debian/i2p.dirs new file mode 100644 index 000000000..f69395602 --- /dev/null +++ b/debian/i2p.dirs @@ -0,0 +1 @@ +etc/apparmor.d/abstractions diff --git a/debian/i2p.init b/debian/i2p.init index 526bec58a..eac736f70 100755 --- a/debian/i2p.init +++ b/debian/i2p.init @@ -32,6 +32,7 @@ WRAPPERLOG="/var/log/i2p/wrapper.log" RUN_DAEMON="False" NICE=0 I2PUSER="i2psvc" +USE_AA="yes" I2P_ARGS="/etc/i2p/wrapper.config \ wrapper.java.additional.1=-DloggerFilenameOverride=/var/log/i2p/log-router-@.txt \ 
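Review bot: `db_set i2p/aa "$CONFINE_WITH_APPARMOR"` in debian/i2p.config runs even when the existing /etc/default/i2p has no such variable. That is the case on any upgrade from a release before this change, so the boolean appears to be stored as an empty string instead of staying at the template default `true`. Guard the call, e.g. `if [ -n "$CONFINE_WITH_APPARMOR" ]; then db_set i2p/aa "$CONFINE_WITH_APPARMOR"; fi`. The postinst hunks add the `CONFINE_WITH_APPARMOR=` line only when the value is non-empty, so if the question is not shown the setting would stay unrecorded.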
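Review bot: `USE_AA="yes"` in debian/i2p.init is the only switch the new do_start code tests, but debconf and /etc/default/i2p record the user's choice as `CONFINE_WITH_APPARMOR` with the values `true`/`false`. Nothing in the visible hunks converts one into the other, so unless that mapping exists outside this diff, declining confinement in debconf has no effect on the init script. A short `case "$CONFINE_WITH_APPARMOR" in [NnFf]*) USE_AA="no" ;; esac` after the config file is read would connect them. The variable block this hunk touches continues outside the hunk.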
@@ -43,32 +44,19 @@ I2P_ARGS="/etc/i2p/wrapper.config \ wrapper.java.pidfile=$JVMPIDFILE \ wrapper.daemonize=TRUE" -[ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions -[ -r /lib/init/vars.sh ] && . /lib/init/vars.sh +. /lib/lsb/init-functions +. /lib/init/vars.sh for ENV_FILE in /etc/environment /etc/default/locale; do -[ -r "$ENV_FILE" ] || continue -[ -s "$ENV_FILE" ] || continue + [ -r "$ENV_FILE" ] || continue + [ -s "$ENV_FILE" ] || continue - for var in LANG LANGUAGE LC_ALL LC_CTYPE; do - value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2` - [ -n "$value" ] && eval export $var=$value + for var in LANG LANGUAGE LC_ALL LC_CTYPE; do + value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2` + [ -n "$value" ] && eval export $var=$value -# This is commented out for Ubuntu: Ubuntu still creates -# /etc/environment in the most recent release -# (currently 'Precise'). -# -# TODO Add logic to automatically handle this -# -# Commented for Ubuntu since PPA packages 0.9-1$DISTRO1. -# Packages for Debian systems will have this stanza uncommented. -# -# if [ -n "$value" ] && [ "$ENV_FILE" = /etc/environment ]; then -# log_warning_msg "/etc/environment has been deprecated for locale information; use /etc/default/locale for $var=$value instead" -# fi - - done + done done # read config file @@ -80,10 +68,10 @@ if [ -z "$RUN_DAEMON" ]; then fi case "$RUN_DAEMON" in - [NnFf]*) - log_action_msg "$DESC daemon disabled in /etc/default/$NAME". - exit 0 - ;; + [NnFf]*) + log_action_msg "$DESC daemon disabled in /etc/default/$NAME". + exit 0 + ;; esac # We need the wrapper. If it's not found, abort. 
@@ -111,8 +99,29 @@ do_start() fi chown -Rf $I2PUSER:$I2PUSER $I2PTEMP $RUN > /dev/null 2>&1 chown -f -R $I2PUSER:i2psvc /var/log/$NAME > /dev/null 2>&1 - TZ=UTC start-stop-daemon --start --quiet -c $I2PUSER --pidfile $PIDFILE --exec $DAEMON -n $NICE -- \ - $I2P_ARGS || return 2 + if [ "$USE_AA" = "yes" ] && \ + [ -x /usr/sbin/aa-status ] && \ + [ -x /usr/sbin/aa-exec ] && \ + [ -e /etc/apparmor.d/system_i2p ] && \ + /usr/sbin/aa-status --enabled ; then + AA="--startas /usr/sbin/aa-exec" + AA_ARGS="--profile=system_i2p -- $DAEMON" + else + AA="" + AA_ARGS="" + fi + + TZ=UTC start-stop-daemon --start --quiet --chuid $I2PUSER --pidfile $PIDFILE $AA --exec $DAEMON --nicelevel $NICE -- \ + $AA_ARGS $I2P_ARGS || return 2 + + # FIXME Temporary hack + # Files from /usr/share/i2p should have been copied, if need be, well before the 15 seconds are up. + if [ ! -f /var/lib/i2p/i2p-config/.perms ] && [ $I2PUSER = "i2psvc" ]; then + sleep 15 + find /var/lib/i2p/ -type d -exec chmod 770 {} \; + find /var/lib/i2p/ -type f -exec chmod 660 {} \; + touch /var/lib/i2p/i2p-config/.perms + fi } do_stop() @@ -124,7 +133,8 @@ do_stop() start-stop-daemon --stop --quiet --oknodo --retry=0/60/KILL/20 --exec $DAEMON rm -rf "$I2PTEMP" > /dev/null 2>&1 - [ -d "$RUN" ] && rmdir --ignore-fail-on-non-empty "$RUN" > /dev/null 2>&1 + [ -d "$RUN" ] && rm -f "$RUN/*" > /dev/null 2>&1 + [ -d "$RUN" ] && rmdir "$RUN" > /dev/null 2>&1 } do_dump() diff --git a/debian/i2p.install b/debian/i2p.install index 49485c28e..314c225da 100644 --- a/debian/i2p.install +++ b/debian/i2p.install @@ -1,3 +1,6 @@ pkg-temp/i2prouter usr/bin pkg-temp/wrapper.config etc/i2p pkg-temp/locale usr/share/i2p +debian/apparmor/i2p etc/apparmor.d/abstractions +debian/apparmor/usr.bin.i2prouter etc/apparmor.d +debian/apparmor/system_i2p etc/apparmor.d diff --git a/debian/i2p.postinst b/debian/i2p.postinst index 1cf9ef875..328926704 100755 --- a/debian/i2p.postinst +++ b/debian/i2p.postinst 
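Review bot: When any of the five AppArmor checks in do_start fails, the else branch starts the router unconfined without logging anything, so a missing profile or a disabled AppArmor looks the same as a confined start. Log the fallback when `$USE_AA` is `yes`, e.g. `log_warning_msg "AppArmor unavailable or profile system_i2p missing; starting $DESC unconfined"`. The `find /var/lib/i2p/ ... -exec chmod` pass that follows runs as root, after a fixed `sleep 15`, over a tree the service account can write to; doing the permission fix before the daemon starts, or as `$I2PUSER`, would avoid that. In the same test, `[ $I2PUSER = "i2psvc" ]` should quote `"$I2PUSER"`. do_start begins outside the hunk.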
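Review bot: `rm -f "$RUN/*"` in do_stop never matches anything, because the `*` is inside the quotes and reaches rm as a literal name. Any files left in `$RUN` stay there, and the following `rmdir "$RUN"` then fails on a non-empty directory. Move the glob outside the quotes: `[ -d "$RUN" ] && rm -f "$RUN"/* > /dev/null 2>&1`. With `--ignore-fail-on-non-empty` dropped and rmdir now the last command before the closing brace, a failed rmdir also becomes do_stop's exit status; add `|| true` if callers outside the hunk should not treat that as a failed stop.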
@@ -6,7 +6,7 @@ I2PHOME=/var/lib/i2p I2PSYSUSER=i2psvc conffile="/etc/default/i2p" -systemdservice="/lib/systemd/system/i2p.service" +#systemdservice="/lib/systemd/system/i2p.service" # Source debconf library -- we have a Depends line # to make sure it is there... @@ -25,6 +25,7 @@ case "$1" in echo >> $conffile echo "RUN_DAEMON=" >> $conffile echo "I2PUSER=" >> $conffile + echo "CONFINE_WITH_APPARMOR=" >> $conffile echo "# The next value is also wrapper.java.maxmemory in /etc/i2p/wrapper.config" >> $conffile echo "MEMORYLIMIT=" >> $conffile fi @@ -35,6 +36,8 @@ case "$1" in I2PUSER="$RET" db_get i2p/memory MEMORYLIMIT="$RET" + db_get i2p/aa + CONFINE_WITH_APPARMOR="$RET" cp -a -f $conffile $conffile.tmp @@ -46,6 +49,8 @@ case "$1" in echo "I2PUSER=" >> $conffile test -z "$MEMORYLIMIT" || grep -Eq '^ *MEMORYLIMIT=' $conffile || \ echo "MEMORYLIMIT=" >> $conffile + test -z "$CONFINE_WITH_APPARMOR" || grep -Eq '^ *CONFINE_WITH_APPARMOR=' $conffile || \ + echo "CONFINE_WITH_APPARMOR=" >> $conffile if [ -z $RUN_DAEMON ]; then RUN_DAEMON="false" 
@@ -57,22 +62,23 @@ case "$1" in sed -e "s/^ *RUN_DAEMON=.*/RUN_DAEMON=\"$RUN_DAEMON\"/" \ -e "s/^ *I2PUSER=.*/I2PUSER=\"$I2PUSER\"/" \ -e "s/^ *MEMORYLIMIT=.*/MEMORYLIMIT=\"$MEMORYLIMIT\"/" \ + -e "s/^ *CONFINE_WITH_APPARMOR=.*/CONFINE_WITH_APPARMOR=\"$CONFINE_WITH_APPARMOR\"/" \ < $conffile > $conffile.tmp mv -f $conffile.tmp $conffile - if [ -e "$systemdservice" ]; then - sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp" - mv -f "$systemdservice.tmp" "$systemdservice" - chmod 0644 -f "$systemdservice" - if [ -x /bin/systemctl ]; then - systemctl --system daemon-reload - if [ $RUN_DAEMON = 'true' ]; then - systemctl enable i2p.service - else - systemctl disable i2p.service - fi - fi - fi +# if [ -e "$systemdservice" ]; then +# sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp" +# mv -f "$systemdservice.tmp" "$systemdservice" +# chmod 0644 -f "$systemdservice" +# if grep -q 'systemd' /proc/1/comm > /dev/null 2>&1; then +# systemctl --system daemon-reload +# if [ $RUN_DAEMON = 'true' ]; then +# systemctl enable i2p.service +# else +# systemctl disable i2p.service +# fi +# fi +# fi sed -e "s/^ *wrapper\.java\.maxmemory=.*/wrapper\.java\.maxmemory=$MEMORYLIMIT/" \ < /etc/i2p/wrapper.config > /etc/i2p/wrapper.config.tmp @@ -117,3 +123,4 @@ esac #DEBHELPER# exit 0 +# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4 diff --git a/debian/i2p.templates b/debian/i2p.templates index 8ca20a0a9..7449c90d1 100644 --- a/debian/i2p.templates +++ b/debian/i2p.templates @@ -33,3 +33,10 @@ _Description: Memory that can be allocated to I2P: . High bandwidth routers, as well as routers with a lot of active torrents / plugins, may need to have this value increased. + +Template: i2p/aa +Type: boolean +Default: true +_Description: Run I2P daemon confined with AppArmor + With this option enabled I2P will be sandboxed with AppArmor, restricting which files and + directories may be accessed by I2P. 
diff --git a/debian/po/templates.pot b/debian/po/templates.pot index 694e80342..e2f6ea992 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot @@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: PACKAGE VERSION\n" +"Project-Id-Version: i2p\n" "Report-Msgid-Bugs-To: https://trac.i2p2.de/\n" -"POT-Creation-Date: 2011-12-27 22:25+0000\n" +"POT-Creation-Date: 2015-02-18 22:14+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -74,3 +74,17 @@ msgid "" "High bandwidth routers, as well as routers with a lot of active torrents / " "plugins, may need to have this value increased." msgstr "" + +#. Type: boolean +#. Description +#: ../i2p.templates:5001 +msgid "Run I2P daemon confined with AppArmor" +msgstr "" + +#. Type: boolean +#. Description +#: ../i2p.templates:5001 +msgid "" +"With this option enabled I2P will be sandboxed with AppArmor, restricting " +"which files and directories may be accessed by I2P." +msgstr "" diff --git a/debian/rules b/debian/rules index 447268238..537758661 100755 --- a/debian/rules +++ b/debian/rules @@ -103,6 +103,11 @@ createcopyright: override_dh_compress: dh_compress -X.xsl -X.xml +override_dh_install: + dh_install --list-missing + dh_apparmor --profile-name=system_i2p -pi2p + dh_apparmor --profile-name=usr.bin.i2prouter -pi2p + override_dh_installchangelogs: dh_installchangelogs history.txt