Debian: confine daemon with apparmor (ticket #1061)

build.xml

@@ -67,7 +67,7 @@
             <echo message="The following command will install all of the dependencies for you:" />
             <echo message=" " />
             <echo message="apt-get install debhelper ant debconf default-jdk gettext libgmp3-dev po-debconf fakeroot build-essential \" />
-            <echo message="                   quilt libcommons-logging-java" />
+            <echo message="                   quilt libcommons-logging-java dh-apparmor" />
             <echo message=" " />
             <echo message="Once the dependencies are installed, run &quot;ant debian&quot;"/>
             <echo message="to patch the source and build the packages." />

debian/apparmor/i2p

@@ -0,0 +1,63 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=4 sw=4
+
+#include <abstractions/base>
+#include <abstractions/fonts>
+#include <abstractions/nameservice>
+#include <abstractions/ssl_certs>
+#include <abstractions/user-tmp>
+
+network inet stream,
+network inet6 stream,
+
+# Needed for Java
+@{PROC}                                                 r,
+@{PROC}/[0-9]*/net/if_inet6                             r,
+@{PROC}/[0-9]*/net/ipv6_route                           r,
+@{PROC}/[0-9]*/status                                   r,
+/dev/random                                             r,
+/dev/urandom                                            r,
+/sys/devices/system/cpu/                                r,
+/sys/devices/system/cpu/**                              r,
+
+/etc/ssl/certs/java/**                                  r,
+/etc/timezone                                           r,
+/usr/share/javazi/**                                    r,
+
+/etc/java-*-openjdk/**                                  r,
+/usr/lib/jvm/default-java/jre/bin/java                  rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
+/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
+/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,
+
+# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
+/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,
+
+# needed for I2P's graphs
+/etc/fonts/**                                            r,
+/usr/share/java/java-atk-wrapper.jar                     r,
+
+# I2P specific
+/etc/default/i2p                                        r,
+/usr/share/i2p/**                                       r,
+# Used by some plugins
+/usr/share/java/eclipse-ecj-*.jar                       r,
+
+# Tanuki java wrapper
+/etc/i2p/wrapper.config                                 r,
+/usr/sbin/wrapper                                       rix,
+/usr/share/java/wrapper*.jar                            r,
+
+/{,var/}tmp/                                            rwm,
+owner /{,var/}tmp/**                                    rwklm,
+
+# Prevent spamming the logs
+deny /dev/tty                                           rw,
+deny @{PROC}/[0-9]*/fd/                                 r,
+deny /usr/sbin/                                         r,
+deny /var/cache/fontconfig/                             wk,
+
+# Used by some versions of the Tanuki wrapper, not needed by I2P
+deny /usr/share/java/hamcrest*.jar                      r,
+deny /usr/share/java/junit*.jar                         r,

debian/apparmor/system_i2p

@@ -0,0 +1,15 @@
+# vim:syntax=apparmor et
+#include <tunables/global>
+
+profile system_i2p {
+  #include <abstractions/i2p>
+
+  owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwkl,
+  owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,
+
+  owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
+  owner /{,var/}run/i2p/router.ping rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/system_i2p>
+}

debian/apparmor/usr.bin.i2prouter

@@ -0,0 +1,48 @@
+# Last Modified: Thu Jan 29 03:17:01 2015
+# vim:syntax=apparmor et ts=8 sw=4
+
+#include <tunables/global>
+
+/usr/bin/i2prouter {
+  #include <abstractions/i2p>
+  capability sys_ptrace,
+
+  /usr/bin/i2prouter                    r,
+
+  @{PROC}/[0-9]*/stat                   r,
+  @{PROC}/[0-9]*/cmdline                r,
+  @{PROC}/uptime                        r,
+  @{PROC}/sys/kernel/pid_max            r,
+
+  /bin/{,b,d}ash                        rix,
+  /bin/cat                              rix,
+  /bin/grep                             rix,
+  /bin/mkdir                            rix,
+  /bin/ps                               rix,
+  /bin/rm                               rix,
+  /bin/sed                              rix,
+  /bin/sleep                            rix,
+  /bin/uname                            rix,
+  /bin/which                            rix,
+
+  /usr/bin/{,g,m}awk                    rix,
+  /usr/bin/cut                          rix,
+  /usr/bin/dirname                      rix,
+  /usr/bin/expr                         rix,
+  /usr/bin/id                           rix,
+  /usr/bin/ldd                          rix,
+  /usr/bin/tail                         rix,
+  /usr/bin/tr                           rix,
+
+  @{HOME}/.java/fonts/**                r,
+  owner  @{HOME}/.i2p/                  rw,
+  owner  @{HOME}/.i2p/**                rwk,
+
+  # Prevent spamming the logs
+  deny owner @{HOME}/.java/             wk,
+  deny @{HOME}/.fontconfig/             wk,
+  deny @{HOME}/.java/fonts/**           wk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.i2prouter>
+}

debian/changelog

@@ -1,8 +1,87 @@
-i2p (0.9.16-1) UNRELEASED; urgency=medium
+i2p (0.9.18-1) UNRELEASED; urgency=medium
 
   * New upstream release
+  * Confine with AppArmor
 
- -- Kill Your TV <killyourtv@i2pmail.org>  Thu, 30 Oct 2014 20:07:50 +0000
+ -- Kill Your TV <killyourtv@i2pmail.org>  Sun, 22 Feb 2015 00:00:00 +0000
+
+i2p (0.9.17-1) unstable; urgency=medium
+
+  * New Upstream Version
+    Changes
+    - Signed news
+    - ECDSA default for new server tunnels
+    - Reseeding now SSL-only by default
+    Bug Fixes
+    - Fix SSU sending corrupt ack-only packets with partial bitfields
+    - Fix SSU inbound connection fail from non-DSA router
+    - Don't select incompatible peers if we are a non-DSA router
+    - Fix EdDSA signature verification bug
+    - Set I2NP lookup type flags in all cases, not just when a reply tunnel is used
+    - Stop i2ptunnel server acceptor thread after close
+    - Fix bug preventing some plugins from stopping completely
+    - Fix SAM v3 bug causing failures in incoming connections
+    Other
+    - Add a warning in the console sidebar if ECDSA not supported
+    - Log warnings for Java 6 that we will eventually require Java 7
+    - Don't let proxied routers auto-floodfill
+    - Don't resend SSU acks that are too old
+    - Don't publish direct info in SSU address if introducers are required
+    - New default opentrackers in i2psnark
+    - Add support for specifiying data directory per-torrent in i2psnark
+    - Changes in streaming accept() error behavior
+    - Minor blockfile format changes
+    - New option for persistent random key to preserve peer ordering across restarts
+    - Translation updates
+    - Update GeoIP data
+
+ -- Kill Your TV <killyourtv@i2pmail.org>  Sun, 30 Nov 2014 22:20:06 +0000
+
+i2p (0.9.16-1) unstable; urgency=medium
+
+  * New Upstream Version
+    - Add support for stronger Router Info signatures
+    - Encrypt RI lookups and responses on faster boxes
+    - Require I2CP authorization for all messages when enabled (requires 0.9.11
+      or higher client)
+    - Disable TLSv3 and older ciphers for reseeding and other uses of SSL
+    - Use ECDSA by default for i2ptunnel IRC, SOCKS-IRC, and standard client
+      tunnels
+    - Don't prefer floodfills in some countries
+    - New column sorting, set-all priority buttons, and upload ratio display in
+      i2psnark
+    - Increase i2psnark tunnel default to 3 hops
+    - Implement bundling of multiple fragments in a single SSU message for
+      efficiency
+    - New add-to-addressbook links on netdb leaseset page
+    - Implement I2NP DatabaseLookupMessage search type field to improve lookup
+      efficiency
+    - CPUID fixes and updates for recent processors
+    - i2psnark fix magnet links with %-encoding
+    - Improve handling of SSU socket closing out from under us (hopefully fix
+      100% CPU)
+    - SSU bitfield handling fixes
+    - Fix HTTP header issues in i2psnark
+    - Fix rare NPE when building garlic message
+    - Fix console lockups (hopefully)
+    - Fix i2ptunnel js confirm-delete
+    - Move router data structures from i2p.jar to router.jar (breaks i2pcontrol
+      plugin)
+    - New router keys now stored in router.keys.dat (privKeys.dat format)
+      instead of router.keys
+    - Improve handling of unsupported encryption throughout
+    - More error checking of client I2CP messages by the router
+    - Initial work on hooks for pluggable transports
+    - Enforce request timestamp in tunnel build messages
+    - Re-enable message status in streaming, but treat no leaseset as a soft
+      failure for now
+    - Return unused DH keypairs to the pool for efficiency
+    - Raise failsafe tagset limit and improve deletion strategy when hit
+    - Change eepsite Jetty threadpool and queue configuration
+    - NTCP establishment refactoring in prep for NTCP2 and PT
+    - Jetty 8.1.16-v20140903
+    - Translation updates
+    - Update GeoIP data
 
 i2p (0.9.15-1) unstable; urgency=medium
 

debian/control

@@ -1,7 +1,7 @@
 Source: i2p
 Maintainer: Kill Your TV <killyourtv@i2pmail.org>
 Section: net
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Priority: optional
 Bugs: mailto:killyourtv@i2pmail.org
 Homepage: https://geti2p.net
@@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 7.0.50~)
  ,ant-optional
  ,debconf
  ,default-jdk | openjdk-7-jdk | openjdk-6-jdk
+ ,dh-apparmor
  ,gettext
  ,libgmp3-dev
 # uncomment the next line for official builds
@@ -71,7 +72,7 @@ Architecture: all
 Section: net
 Priority: optional
 Depends: ${misc:Depends}, ${java:Depends}, ${shlibs:Depends},
- openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
+ openjdk-8-jre-headless | openjdk-7-jre-headless | openjdk-6-jre-headless | default-jre-headless | java8-runtime-headless | java7-runtime-headless | java6-runtime-headless, libecj-java
 Replaces: i2p ( << 0.8.6-5)
 Breaks: i2p (<< 0.8.6-5)
 Recommends: libjbigi-jni, ttf-dejavu
@@ -86,7 +87,7 @@ Suggests: tor
  ,mail-reader
  ,news-reader
  ,polipo
- ,privox
+ ,privoxy
  ,robert
  ,syndie
  ,www-browser

debian/i2p.config

@@ -1,4 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
+
+set -e
 # I2P package configuration script
 
 conffile="/etc/default/i2p"
@@ -10,16 +12,17 @@ if [ -e $conffile ]; then
     . $conffile
 
     # wrapper.config always takes priority
-        MEMORYLIMIT=$(sed -e '/^wrapper\.java\.maxmemory/!d' -e 's/^wrapper\.java\.maxmemory\ *=\ *//' /etc/i2p/wrapper.config)
-
+    MEMORYLIMIT=$(awk -F= '/^wrapper\.java\.maxmemory/{print $2}' /etc/i2p/wrapper.config)
 
     db_set i2p/daemon "$RUN_DAEMON"
     db_set i2p/user "$I2PUSER"
     db_set i2p/memory "$MEMORYLIMIT"
+    db_set i2p/aa "$CONFINE_WITH_APPARMOR"
 fi
 
 db_input medium i2p/daemon || true
 db_go
+
 db_get i2p/daemon || true
 if [ "$RET" = "true" ]; then
     db_input medium i2p/user || true
@@ -28,3 +31,8 @@ fi
 
 db_input medium i2p/memory || true
 db_go
+
+db_input medium i2p/aa || true
+db_go
+
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4

debian/i2p.dirs

@@ -0,0 +1 @@
+etc/apparmor.d/abstractions

debian/i2p.init

@@ -32,6 +32,7 @@ WRAPPERLOG="/var/log/i2p/wrapper.log"
 RUN_DAEMON="False"
 NICE=0
 I2PUSER="i2psvc"
+USE_AA="yes"
 
 I2P_ARGS="/etc/i2p/wrapper.config \
  wrapper.java.additional.1=-DloggerFilenameOverride=/var/log/i2p/log-router-@.txt \
@@ -43,31 +44,18 @@ I2P_ARGS="/etc/i2p/wrapper.config \
  wrapper.java.pidfile=$JVMPIDFILE \
  wrapper.daemonize=TRUE"
 
-[ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions
-[ -r /lib/init/vars.sh ] && . /lib/init/vars.sh
+. /lib/lsb/init-functions
+. /lib/init/vars.sh
 
 
 for ENV_FILE in /etc/environment /etc/default/locale; do
-[ -r "$ENV_FILE" ] || continue
-[ -s "$ENV_FILE" ] || continue
+    [ -r "$ENV_FILE" ] || continue
+    [ -s "$ENV_FILE" ] || continue
 
     for var in LANG LANGUAGE LC_ALL LC_CTYPE; do
         value=`egrep "^${var}=" "$ENV_FILE" | tail -n1 | cut -d= -f2`
         [ -n "$value" ] && eval export $var=$value
 
-# This is commented out for Ubuntu: Ubuntu still creates
-# /etc/environment in the most recent release
-# (currently 'Precise').
-#
-# TODO Add logic to automatically handle this
-#
-# Commented for Ubuntu since PPA packages 0.9-1$DISTRO1.
-# Packages for Debian systems will have this stanza uncommented.
-#
-#     if [ -n "$value" ] && [ "$ENV_FILE" = /etc/environment ]; then
-#         log_warning_msg "/etc/environment has been deprecated for locale information; use /etc/default/locale for $var=$value instead"
-#     fi
-
     done
 done
 
@@ -111,8 +99,29 @@ do_start()
     fi
     chown -Rf $I2PUSER:$I2PUSER  $I2PTEMP $RUN > /dev/null 2>&1
     chown -f -R $I2PUSER:i2psvc /var/log/$NAME > /dev/null 2>&1
-    TZ=UTC start-stop-daemon --start --quiet -c $I2PUSER --pidfile $PIDFILE --exec $DAEMON -n $NICE -- \
-        $I2P_ARGS || return 2
+    if [ "$USE_AA" = "yes" ] && \
+       [ -x /usr/sbin/aa-status ] && \
+       [ -x /usr/sbin/aa-exec ] && \
+       [ -e /etc/apparmor.d/system_i2p ] && \
+       /usr/sbin/aa-status --enabled ; then
+            AA="--startas /usr/sbin/aa-exec"
+            AA_ARGS="--profile=system_i2p -- $DAEMON"
+    else
+            AA=""
+            AA_ARGS=""
+    fi
+
+    TZ=UTC start-stop-daemon --start --quiet --chuid $I2PUSER --pidfile $PIDFILE $AA --exec $DAEMON --nicelevel $NICE -- \
+        $AA_ARGS $I2P_ARGS || return 2
+
+    # FIXME Temporary hack
+    # Files from /usr/share/i2p should have been copied, if need be, well before the 15 seconds are up.
+    if [ ! -f /var/lib/i2p/i2p-config/.perms ] && [ $I2PUSER = "i2psvc" ]; then
+        sleep 15
+        find /var/lib/i2p/ -type d -exec chmod 770 {} \;
+        find /var/lib/i2p/ -type f -exec chmod 660 {} \;
+        touch /var/lib/i2p/i2p-config/.perms
+    fi
 }
 
 do_stop()
@@ -124,7 +133,8 @@ do_stop()
     start-stop-daemon --stop --quiet --oknodo --retry=0/60/KILL/20 --exec $DAEMON
 
     rm -rf "$I2PTEMP" > /dev/null 2>&1
-    [ -d "$RUN" ] && rmdir --ignore-fail-on-non-empty "$RUN" > /dev/null 2>&1
+    [ -d "$RUN" ] && rm -f "$RUN/*" > /dev/null 2>&1
+    [ -d "$RUN" ] && rmdir "$RUN" > /dev/null 2>&1
 }
 
 do_dump()

debian/i2p.install

@@ -1,3 +1,6 @@
 pkg-temp/i2prouter usr/bin
 pkg-temp/wrapper.config etc/i2p
 pkg-temp/locale usr/share/i2p
+debian/apparmor/i2p etc/apparmor.d/abstractions
+debian/apparmor/usr.bin.i2prouter etc/apparmor.d
+debian/apparmor/system_i2p etc/apparmor.d

debian/i2p.postinst

@@ -6,7 +6,7 @@ I2PHOME=/var/lib/i2p
 I2PSYSUSER=i2psvc
 
 conffile="/etc/default/i2p"
-systemdservice="/lib/systemd/system/i2p.service"
+#systemdservice="/lib/systemd/system/i2p.service"
 
 # Source debconf library -- we have a Depends line
 # to make sure it is there...
@@ -25,6 +25,7 @@ case "$1" in
             echo >> $conffile
             echo "RUN_DAEMON=" >> $conffile
             echo "I2PUSER=" >> $conffile
+            echo "CONFINE_WITH_APPARMOR=" >> $conffile
             echo "# The next value is also wrapper.java.maxmemory in /etc/i2p/wrapper.config" >> $conffile
             echo "MEMORYLIMIT=" >> $conffile
         fi
@@ -35,6 +36,8 @@ case "$1" in
         I2PUSER="$RET"
         db_get i2p/memory
         MEMORYLIMIT="$RET"
+        db_get i2p/aa
+        CONFINE_WITH_APPARMOR="$RET"
 
         cp -a -f $conffile $conffile.tmp
 
@@ -46,6 +49,8 @@ case "$1" in
             echo "I2PUSER=" >> $conffile
         test -z "$MEMORYLIMIT" || grep -Eq '^ *MEMORYLIMIT=' $conffile || \
             echo "MEMORYLIMIT=" >> $conffile
+        test -z "$CONFINE_WITH_APPARMOR" || grep -Eq '^ *CONFINE_WITH_APPARMOR=' $conffile || \
+            echo "CONFINE_WITH_APPARMOR=" >> $conffile
 
         if [ -z $RUN_DAEMON ]; then
             RUN_DAEMON="false"
@@ -57,22 +62,23 @@ case "$1" in
         sed -e "s/^ *RUN_DAEMON=.*/RUN_DAEMON=\"$RUN_DAEMON\"/" \
             -e "s/^ *I2PUSER=.*/I2PUSER=\"$I2PUSER\"/" \
             -e "s/^ *MEMORYLIMIT=.*/MEMORYLIMIT=\"$MEMORYLIMIT\"/" \
+            -e "s/^ *CONFINE_WITH_APPARMOR=.*/CONFINE_WITH_APPARMOR=\"$CONFINE_WITH_APPARMOR\"/" \
             < $conffile > $conffile.tmp
         mv -f $conffile.tmp $conffile
 
-        if [ -e "$systemdservice" ]; then
-            sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
-            mv -f "$systemdservice.tmp" "$systemdservice"
-            chmod 0644 -f "$systemdservice"
-            if [ -x /bin/systemctl ]; then
-                    systemctl --system daemon-reload
-                    if [ $RUN_DAEMON = 'true' ]; then
-                            systemctl enable i2p.service
-                    else
-                            systemctl disable i2p.service
-                    fi
-            fi
-        fi
+#        if [ -e "$systemdservice" ]; then
+#            sed -e "s/User=.*/User=$I2PUSER/" < "$systemdservice" > "$systemdservice.tmp"
+#            mv -f "$systemdservice.tmp" "$systemdservice"
+#            chmod 0644 -f "$systemdservice"
+#            if grep -q 'systemd' /proc/1/comm > /dev/null 2>&1; then
+#                systemctl --system daemon-reload
+#                if [ $RUN_DAEMON = 'true' ]; then
+#                    systemctl enable i2p.service
+#                else
+#                    systemctl disable i2p.service
+#                fi
+#            fi
+#        fi
 
         sed -e "s/^ *wrapper\.java\.maxmemory=.*/wrapper\.java\.maxmemory=$MEMORYLIMIT/" \
             < /etc/i2p/wrapper.config > /etc/i2p/wrapper.config.tmp
@@ -117,3 +123,4 @@ esac
 #DEBHELPER#
 
 exit 0
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4

debian/i2p.templates

@@ -33,3 +33,10 @@ _Description: Memory that can be allocated to I2P:
  .
  High bandwidth routers, as well as routers with a lot of active torrents / plugins, may
  need to have this value increased.
+
+Template: i2p/aa
+Type: boolean
+Default: true
+_Description: Run I2P daemon confined with AppArmor
+ With this option enabled I2P will be sandboxed with AppArmor, restricting which files and
+ directories may be accessed by I2P.

debian/po/templates.pot

@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
+"Project-Id-Version: i2p\n"
 "Report-Msgid-Bugs-To: https://trac.i2p2.de/\n"
-"POT-Creation-Date: 2011-12-27 22:25+0000\n"
+"POT-Creation-Date: 2015-02-18 22:14+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -74,3 +74,17 @@ msgid ""
 "High bandwidth routers, as well as routers with a lot of active torrents / "
 "plugins, may need to have this value increased."
 msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../i2p.templates:5001
+msgid "Run I2P daemon confined with AppArmor"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../i2p.templates:5001
+msgid ""
+"With this option enabled I2P will be sandboxed with AppArmor, restricting "
+"which files and directories may be accessed by I2P."
+msgstr ""

debian/rules

@@ -103,6 +103,11 @@ createcopyright:
 override_dh_compress:
 	dh_compress -X.xsl -X.xml
 
+override_dh_install:
+	dh_install --list-missing
+	dh_apparmor --profile-name=system_i2p -pi2p
+	dh_apparmor --profile-name=usr.bin.i2prouter -pi2p
+
 override_dh_installchangelogs:
 	dh_installchangelogs history.txt