LINUX.ORG.RU

i2p and AppArmor: constant posting to the log

I have i2p on Ubuntu 18.04, and /var/log/syslog is receiving a huge number (tens per second) of messages roughly like the following:

Jan 19 17:50:48 ubuntu-server kernel: [ 1657.064671] audit: type=1400 audit(1547909448.973:204220): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1503 comm="java" lport=12621 family="inet6" sock_type="dgram" protocol=17 requested_mask="receive" denied_mask="receive"
Jan 19 17:50:48 ubuntu-server kernel: [ 1657.065256] audit: type=1400 audit(1547909448.973:204221): apparmor="ALLOWED" operation="sendmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1503 comm="java" lport=12621 family="inet6" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"
The AppArmor profiles for i2p:

stetzen@ubuntu-server:/etc/apparmor.d$ cat system_i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et
#include <tunables/global>

profile system_i2p flags=(complain) {
  #include <abstractions/i2p>

  network,

  owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwk,
  owner /{,lib/live/mount/overlay/}var/lib/i2p/i2p-config/eepsite/cgi-bin rix,
  owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,

  owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
  owner /{,var/}run/i2p/router.ping rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_i2p>
}
stetzen@stetzen-ubunru-server:/etc/apparmor.d$ cat abstractions/i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # Needed by Java
  @{PROC}                                                 r,
  owner @{PROC}/[0-9]*/                                   r,
  owner @{PROC}/[0-9]*/status                             r,
  @{PROC}/[0-9]*/net/ipv6_route                           r,
  @{PROC}/[0-9]*/net/if_inet6                             r,
  /sys/devices/system/cpu/                                r,
  /sys/devices/system/cpu/**                              r,

  /etc/ssl/certs/java/**                                  r,
  /etc/timezone                                           r,
  /usr/share/javazi/**                                    r,

  /etc/java-*-openjdk/**                                  r,
  /usr/lib/jvm/default-java/jre/bin/java                  rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,

  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,

  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
  /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
  /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,

  # needed for I2P's graphs
  /usr/share/java/java-atk-wrapper.jar                    r,

  # I2P specific
  /usr/share/i2p/**                                       r,

  # Used by some plugins
  /usr/share/java/eclipse-ecj-*.jar                       r,

  # Tanuki java wrapper
  /etc/i2p/wrapper.config                                 r,
  /usr/sbin/wrapper                                       rix,
  /usr/share/java/wrapper*.jar                            r,

  # Dependent packages
  /usr/share/java/libintl.jar                             r,
  /usr/share/java/glassfish-appserv-jstl.jar              r,
  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
  /usr/share/java/gnu-getopt.jar                          r,
  /usr/share/java/gnu-getopt-*.jar                        r,
  /usr/share/java/jetty9-*.jar                            r,
  /usr/share/java/jsp-api-*.jar                           r,
  /usr/share/java/servlet-api-*.jar                       r,
  /usr/share/java/standard.jar                            r,
  /usr/share/java/standard-*.jar                          r,
  /usr/share/java/tomcat8-*.jar                           r,
  /usr/share/java/taglibs-standard-*.jar                  r,
  /usr/share/flags/countries/16x11/*                      r,

  # GeoIP data
  /usr/share/GeoIP/*                                      r,

  # Other /proc
  @{PROC}/cpuinfo                                         r,
  @{PROC}/net/if_inet6                                    r,

  # 'm' is needed by the I2P-Bote plugin
  /{,lib/live/mount/overlay/}tmp/                         rwm,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/ rwk,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_i2psvc/** rw,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
  # Scrypt used by I2P-Bote
  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,

  # temp dir (service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
  # temp dir (non-service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/         rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/**       rwkm,

  # /graphs in the router console
  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,

  # Prevent spamming the logs
  deny /dev/tty                                           rw,
  deny /{,lib/live/mount/overlay/}var/tmp/                r,
  deny @{PROC}/[0-9]*/fd/                                 r,
  deny /usr/sbin/                                         r,
  deny /var/cache/fontconfig/                             wk,

  network inet,
  network inet6,


  # Some versions of the Tanuki wrapper package will try to load these jars but
  # they are  not needed by I2P. The deny rule here will prevent the logs from
  # being spammed.
  deny /usr/share/java/hamcrest*.jar                      r,
  deny /usr/share/java/junit*.jar                         r,

As far as I understood from the documentation (quite possibly incorrectly), the lines

  network inet,
  network inet6,
should explicitly allow network operations, but for some reason I don't understand this is not happening, and network operations are being handled as denied operations in complain mode. Where should I dig to get rid of this?
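An added triage example (not part of the post and not i2p's or AppArmor's own code) for reading the log lines above. Note the profile field in them: `system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java`. A `//null-<path>` entry is the empty learning child profile that AppArmor creates in complain mode when a confined process executes a binary that no exec rule (`ix`/`px`/`cx`/`ux`) in the profile covers, so the `network inet6` rules of `system_i2p` are not what these events are evaluated against. The script parses the `key="value"` audit fields, counts events per profile and operation, extracts the executed path from any `//null-` child profile, and checks that path against the `rix` java rules copied from `abstractions/i2p`, using a simplified translation of AppArmor path globbing (`*` does not cross `/`, `**` does, `{a,b}` alternation, `[...]` classes). The third sample line and the glob translator are constructed for this example.

```python
import re
from collections import Counter

# Two lines quoted from the syslog excerpt in the post, plus one constructed
# file-access event attributed to the parent profile itself, for contrast.
SAMPLE_LOG = [
    'Jan 19 17:50:48 ubuntu-server kernel: [ 1657.064671] audit: type=1400 audit(1547909448.973:204220): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1503 comm="java" lport=12621 family="inet6" sock_type="dgram" protocol=17 requested_mask="receive" denied_mask="receive"',
    'Jan 19 17:50:48 ubuntu-server kernel: [ 1657.065256] audit: type=1400 audit(1547909448.973:204221): apparmor="ALLOWED" operation="sendmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1503 comm="java" lport=12621 family="inet6" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"',
    # constructed sample line (not from the post)
    'Jan 19 17:50:49 ubuntu-server kernel: [ 1657.070000] audit: type=1400 audit(1547909449.001:204222): apparmor="ALLOWED" operation="open" profile="system_i2p" name="/usr/local/share/i2p-extra.jar" pid=1503 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Exec rules for the JVM, copied from the abstractions/i2p listing in the post.
JAVA_EXEC_RULES = [
    '/usr/lib/jvm/default-java/jre/bin/java',
    '/usr/lib/jvm/java-*-openjdk-*/jre/bin/java',
    '/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java',
]

# key=value pairs: quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return a dict of the audit fields of one AppArmor log line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def summarize(lines):
    """Count events per (profile, operation, apparmor status) triple."""
    counts = Counter()
    for line in lines:
        event = parse_audit_line(line)
        if event:
            counts[(event['profile'], event['operation'], event['apparmor'])] += 1
    return counts


def null_child_profiles(lines):
    """Map each '//null-' learning profile seen to the binary path it was created for."""
    found = {}
    for line in lines:
        event = parse_audit_line(line)
        if event and '//null-' in event['profile']:
            found[event['profile']] = event['profile'].split('//null-', 1)[1]
    return found


def apparmor_glob_to_regex(pattern):
    """Translate the subset of AppArmor path globbing used in the profile into a regex.

    Simplified for this example: '**' matches anything including '/', '*' anything
    except '/', '{a,b}' is alternation, '[...]' is passed through as a character class.
    """
    parts, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            parts.append('.*')
            i += 2
            continue
        ch = pattern[i]
        if ch == '*':
            parts.append('[^/]*')
        elif ch == '{':
            parts.append('(?:')
            depth += 1
        elif ch == '}':
            parts.append(')')
            depth -= 1
        elif ch == ',' and depth > 0:
            parts.append('|')
        elif ch == '[':
            end = pattern.index(']', i)
            parts.append(pattern[i:end + 1])
            i = end
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile('^' + ''.join(parts) + '$')


def matching_exec_rules(path, rules=JAVA_EXEC_RULES):
    """Return the exec rules whose glob covers the given binary path."""
    return [rule for rule in rules if apparmor_glob_to_regex(rule).match(path)]


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    for child, binary in null_child_profiles(SAMPLE_LOG).items():
        print(child, '->', 'covered by', matching_exec_rules(binary) or 'no exec rule')
```

Run against the real syslog (`grep 'apparmor=' /var/log/syslog`), the output tells you whether the noise comes from the parent profile or from a `//null-` child, and which exec rule, if any, covers the binary that child was created for; an empty list for the child's path is the condition under which the parent's `network` rules never apply to those events.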