I2P is not confined by AppArmor anymore

On Tails/Jessie, I2P is managed by a native systemd unit that tries to confine I2P with AppArmor using AppArmorProfile=system_i2p. This is correct, except that AppArmor support was only enabled in Debian’s systemd starting with 218-4, so on Jessie this setting is a no-op, and as a result I2P is not confined at all.

For Tor, we’re affected as well, and we apply config/chroot_local-patches/apparmor-adjust-tor-profile.diff. Given the use of /usr/sbin/wrapper I don’t think this is applicable as-is for I2P, so I think that on Jessie, we need ExecStart to run a shell wrapper that uses aa-exec.
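As an added example (not code from the Tails repository or from this issue), a POSIX sh wrapper of the kind proposed above: it reads /proc/<pid>/attr/current to tell whether systemd already confined the process, and if not, execs the daemon through aa-exec under the system_i2p profile. The daemon command and the helper names are assumptions; the profile name comes from the issue.

```shell
#!/bin/sh
# Added example, not the Tails/I2P project's own wrapper.
# Assumes the system_i2p profile is loaded and aa-exec is installed.

# Classify an AppArmor label as read from /proc/<pid>/attr/current.
# Prints "unconfined" or "confined:<profile>:<mode>".
classify_label() {
    label=$1
    case "$label" in
        unconfined|"")
            echo "unconfined" ;;
        *)
            # Label looks like "system_i2p (enforce)" or "system_i2p (complain)"
            profile=${label%% (*}
            mode=${label##*(}
            mode=${mode%)}
            # No "(mode)" suffix at all: report the mode as unknown
            [ "$mode" = "$label" ] && mode=unknown
            echo "confined:$profile:$mode" ;;
    esac
}

# Report the confinement of a running process by PID (the check a
# practitioner would run to confirm that AppArmorProfile= took effect).
confinement_of() {
    pid=$1
    if [ -r "/proc/$pid/attr/current" ]; then
        classify_label "$(cat "/proc/$pid/attr/current" 2>/dev/null)"
    else
        echo "unknown"
    fi
}

# Exec the daemon under the profile regardless of systemd's AppArmor support:
# if systemd already confined this shell, keep that; otherwise aa-exec does it.
run_confined() {
    profile=$1; shift
    case "$(confinement_of $$)" in
        confined:*) exec "$@" ;;
        *)          exec aa-exec -p "$profile" -- "$@" ;;
    esac
}

# When used as ExecStart, pass the real daemon command line as arguments, e.g.
#   ExecStart=/usr/local/sbin/i2p-confined /usr/sbin/wrapper <args>  (hypothetical)
if [ "$#" -gt 0 ]; then
    run_confined system_i2p "$@"
fi
```

Running `confinement_of <pid of the I2P java process>` after boot is the direct check for this bug: on Jessie's systemd it prints "unconfined" despite the unit's AppArmorProfile= line.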

Feature Branch: bugfix/10925-I2P-AppArmor

Parent Task: #7724

Original created by @intrigeri on 10925 (Redmine)