From beffdb9fe175a93164bd88ee0fafe1a22595ed15 Mon Sep 17 00:00:00 2001
From: r4sas <r4sas@i2pmail.org>
Date: Mon, 18 Dec 2023 10:06:49 +0000
Subject: [PATCH] [apparmor] add profile for docker container

Author: corona@mail.i2p

Signed-off-by: r4sas <r4sas@i2pmail.org>
---
 contrib/apparmor/docker-i2pd | 42 ++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 contrib/apparmor/docker-i2pd

diff --git a/contrib/apparmor/docker-i2pd b/contrib/apparmor/docker-i2pd
new file mode 100644
index 00000000..8e34298a
--- /dev/null
+++ b/contrib/apparmor/docker-i2pd
@@ -0,0 +1,42 @@
+# _________________________________________
+# /  Copy this file to the right location   \
+# | then load with:                         |
+# |                                         |
+# | apparmor_parser -r -W                   |
+# | /etc/apparmor.d/docker-i2pd             |
+# |                                         |
+# | docker run --security-opt               |
+# | "apparmor=docker-i2pd" ...              |
+# | purplei2p/i2pd                          |
+# |                                         |
+# \ And "aa-status" to verify it's loaded.  /
+#  -----------------------------------------
+#         \   ^__^
+#          \  (oo)\_______
+#             (__)\       )\/\
+#                 ||----w |
+#                 ||     ||
+
+#include <tunables/global>
+
+profile docker-i2pd flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+  #include <abstractions/nameservice>
+
+  /bin/busybox ix,
+  /usr/local/bin/i2pd ix,
+  /entrypoint.sh ixr,
+
+  /i2pd_certificates/** r,
+
+  /home/i2pd/data/** rw,
+
+  /home/i2pd/data/i2pd.pid k,
+
+  deny /home/i2pd/data/i2pd.conf w,
+  deny /home/i2pd/data/tunnels.conf w,
+  deny /home/i2pd/data/tunnels.d/** w,
+  deny /home/i2pd/data/certificates/** w,
+  deny /home/i2pd/data/i2pd.log r,
+}