AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36, and its development has been supported by Canonical since 2009.
It is a great tool for hardening the security of any of your applications on Linux, including an Invisible Internet router.
We have now added an i2pd profile for AppArmor, which you can just throw into your profiles directory and it will just work.
First, make sure you have AppArmor installed and working. Run the following:
If you have AppArmor, it should output
apparmor module is loaded. and list available rules.
After you have installed and enabled AppArmor, download the profile and copy it into your profiles directory. In Debian/Ubuntu:
wget -O usr.sbin.i2pd https://raw.githubusercontent.com/PurpleI2P/i2pd/openssl/contrib/apparmor/usr.sbin.i2pd && sudo cp usr.sbin.i2pd /etc/apparmor.d/
Finally, enable it:
sudo aa-enforce /usr/sbin/i2pd
Now, any behavior that is not allowed by the profile will be restricted, and each such event will be logged to syslog. You may want to periodically inspect logged events with the following command:
Generally, it should not show anything (which is good).
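For a closer look at what the profile is blocking, the following added example (not part of the original page or the i2pd project) groups AppArmor denial records for i2pd by operation, mask and path. It assumes denials are logged as kernel audit lines whose profile="..." value ends in i2pd; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: denials appear as kernel audit lines whose
# profile="..." value ends in i2pd, as in the constructed sample below.

# Read log lines on stdin; print "count operation denied_mask path" per
# distinct denial for the i2pd profile, most frequent first.
summarize_i2pd_denials() {
    awk '
    function field(key,    s) {            # value of key="..." or "-" if absent
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    # ALLOWED (complain mode) lines and other profiles are skipped.
    /apparmor="DENIED"/ && /profile="[^"]*i2pd"/ {
        count[field("operation") " " field("denied_mask") " " field("name")]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input (not captured from a real system).
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 host kernel: audit: type=1400 audit(1700000000.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/i2pd" name="/etc/shadow" pid=812 comm="i2pd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Jan 10 12:00:05 host kernel: audit: type=1400 audit(1700000004.220:22): apparmor="DENIED" operation="open" profile="/usr/sbin/i2pd" name="/etc/shadow" pid=812 comm="i2pd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Jan 10 12:01:00 host kernel: audit: type=1400 audit(1700000060.000:23): apparmor="DENIED" operation="mknod" profile="/usr/sbin/i2pd" name="/tmp/x.log" pid=812 comm="i2pd" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
Jan 10 12:01:30 host kernel: audit: type=1400 audit(1700000090.000:24): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 12:02:00 host kernel: audit: type=1400 audit(1700000120.000:25): apparmor="ALLOWED" operation="open" profile="/usr/sbin/i2pd" name="/var/lib/i2pd/router.info" pid=812 comm="i2pd" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
EOF
}

sample_log | summarize_i2pd_denials
```

On a live system, pipe the syslog file into summarize_i2pd_denials instead of sample_log. A path that keeps reappearing is either a rule missing from the profile for your setup or behavior worth investigating.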
Our profile is designed for Debian/Ubuntu i2pd packages and was tested with basic i2pd behavior. You may want to customize it according to your specific situation.
Contributions are welcome at GitHub.