
Improve AppArmor profile

- give it a name
- import needed abstractions
- allow local additions
- cleanup
pull/1535/head
Anton Nesterov 5 years ago
parent
commit
0f309377ec
  1. 28
      contrib/apparmor/usr.sbin.i2pd

28
contrib/apparmor/usr.sbin.i2pd

@ -4,34 +4,22 @@
# #
#include <tunables/global> #include <tunables/global>
/usr/sbin/i2pd { profile i2pd /{usr/,}sbin/i2pd {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/openssl>
network inet dgram, #include <abstractions/nameservice>
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
/etc/gai.conf r,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/resolv.conf r,
/run/resolvconf/resolv.conf r,
/run/systemd/resolve/resolv.conf r,
/run/systemd/resolve/stub-resolv.conf r,
# path specific (feel free to modify if you have another paths) # path specific (feel free to modify if you have another paths)
/etc/i2pd/** r, /etc/i2pd/** r,
/run/i2pd/i2pd.pid rwk,
/var/lib/i2pd/** rw, /var/lib/i2pd/** rw,
/var/log/i2pd/i2pd.log w, /var/log/i2pd/i2pd.log w,
/var/run/i2pd/i2pd.pid rwk, /{var/,}run/i2pd/i2pd.pid rwk,
/usr/sbin/i2pd mr, /{usr/,}sbin/i2pd mr,
/usr/share/i2pd/** r, @{system_share_dirs}/i2pd/** r,
# user homedir (if started not by init.d or systemd) # user homedir (if started not by init.d or systemd)
owner @{HOME}/.i2pd/ rw, owner @{HOME}/.i2pd/ rw,
owner @{HOME}/.i2pd/** rwk, owner @{HOME}/.i2pd/** rwk,
#include if exists <local/usr.sbin.i2pd>
} }
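Review bot: The new profile drops every explicit `network inet/inet6 dgram/stream` rule, so the daemon's transport sockets are now permitted only as a side effect of `#include <abstractions/nameservice>`, which (as far as I can tell) grants those families for resolver access rather than for an application's own listeners and peers. If that abstraction is ever tightened downstream, i2pd's NTCP2/SSU traffic is denied with nothing in this file explaining why, so I would keep the daemon's own needs explicit next to the includes: `network inet stream,` / `network inet dgram,` and the matching `inet6` pair (and `network netlink raw,` only if auditing shows it is still needed). Separately, `@{system_share_dirs}` and `#include if exists <local/usr.sbin.i2pd>` both depend on a sufficiently recent AppArmor parser; on older distributions the unknown variable or the `if exists` syntax makes the whole profile fail to load, which is a silent loss of confinement rather than a visible error for the service, so a one-line comment stating the minimum AppArmor version this file assumes would help packagers.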
