I2P is not confined by AppArmor anymore
On Tails/Jessie, I2P is managed by a native systemd unit that tries to
confine I2P with AppArmor using AppArmorProfile=system_i2p. This is
correct, except that AppArmor support was enabled in Debian’s systemd
218-4, so on Jessie this is a no-op, and as a result I2P is not confined
at all.
For Tor, we’re affected as well and we do
config/chroot_local-patches/apparmor-adjust-tor-profile.diff. Given
the use of /usr/sbin/wrapper I don’t think this is applicable as-is
for I2P, so I think that on Jessie, we need ExecStart to run a shell
wrapper that uses aa-exec.
Feature Branch: bugfix/10925-I2P-AppArmor
Parent Task: #7724
Original created by @intrigeri on 10925 (Redmine)
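
A check for the failure this ticket describes, where a unit declares AppArmorProfile= but the running process stays unconfined. It is an added example, not part of the original ticket or of Tails; the function names, the proc-root parameter and the unit file and labels built in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the profile a unit requests with the label the
# kernel actually applies to the running process.

# Print the profile named by AppArmorProfile= in a unit file (empty if none).
# A leading "-" tells systemd to ignore a profile that is not loaded; strip it.
unit_profile() {
    sed -n 's/^[[:space:]]*AppArmorProfile=-\{0,1\}//p' "$1" | tail -n 1
}

# Print the AppArmor label of a PID: "unconfined", or the profile name with
# its " (enforce)" / " (complain)" mode suffix removed.
# $2 is the proc root; it is a parameter only so the check can be tested.
proc_profile() {
    sed 's/ (.*)$//' "${2:-/proc}/$1/attr/current"
}

# check_confinement UNIT_FILE PID [PROC_ROOT]
# Returns 0 if the PID runs under the requested profile, 1 if it does not,
# 2 if the unit requests no profile at all.
check_confinement() {
    want=$(unit_profile "$1")
    [ -n "$want" ] || { echo "no AppArmorProfile= in $1"; return 2; }
    have=$(proc_profile "$2" "$3") || { echo "cannot read label of PID $2"; return 1; }
    if [ "$have" = "$want" ]; then
        echo "OK: PID $2 is confined by $want"
    else
        echo "MISMATCH: unit requests $want, PID $2 runs as $have"
        return 1
    fi
}

# Constructed fixtures: a unit requesting system_i2p, and a fake proc tree in
# which PID 100 is unconfined (the no-op case) and PID 200 is confined.
demo() {
    d=$(mktemp -d)
    printf '[Service]\nAppArmorProfile=system_i2p\n' > "$d/i2p.service"
    mkdir -p "$d/proc/100/attr" "$d/proc/200/attr"
    printf 'unconfined\n' > "$d/proc/100/attr/current"
    printf 'system_i2p (enforce)\n' > "$d/proc/200/attr/current"
    check_confinement "$d/i2p.service" 100 "$d/proc" || true
    check_confinement "$d/i2p.service" 200 "$d/proc"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live system, call check_confinement with the unit file path and the service's main PID and omit the third argument so that /proc is read.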