# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # for launching browswers
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Needed by Java
  @{PROC}                                                 r,
  owner @{PROC}/[0-9]*/                                   r,
  owner @{PROC}/[0-9]*/cgroup                             r,
  owner @{PROC}/[0-9]*/mountinfo                          r,
  owner @{PROC}/[0-9]*/status                             r,
  @{PROC}/[0-9]*/net/ipv6_route                           r,
  @{PROC}/[0-9]*/net/if_inet6                             r,
  /sys/devices/system/cpu/                                r,
  /sys/devices/system/cpu/**                              r,
  /sys/fs/cgroup/**                                       r,

  /etc/ssl/certs/java/**                                  r,
  /etc/timezone                                           r,
  /usr/share/javazi/**                                    r,

  /etc/java-*-openjdk/**                                  r,
  # Allow any JRE or JDK
  /usr/lib/jvm/*/bin/java                                 rix,
  /usr/lib/jvm/*/bin/keytool                              rix,
  /usr/lib/jvm/*/jre/bin/java                             rix,
  /usr/lib/jvm/*/jre/bin/keytool                          rix,

  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
  /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa          m,
  /usr/lib/jvm/*/jre/lib/i386/client/classes.jsa          m,

  # needed for I2P's graphs
  /usr/share/java/java-atk-wrapper.jar                    r,

  # I2P specific
  /usr/share/i2p/**                                       r,

  # Used by some plugins
  /usr/share/java/eclipse-ecj-*.jar                       r,

  # Tanuki java wrapper
  /etc/i2p/wrapper.config                                 r,
  /usr/sbin/wrapper                                       rix,
  /usr/share/java/wrapper*.jar                            r,

  # Dependent packages
  /usr/share/java/libintl.jar                             r,
  /usr/share/java/glassfish-appserv-jstl.jar              r,
  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
  /usr/share/java/gnu-getopt.jar                          r,
  /usr/share/java/gnu-getopt-*.jar                        r,
  /usr/share/java/jetty9-*.jar                            r,
  /usr/share/java/json-simple.jar                         r,
  /usr/share/java/json-simple-*.jar                       r,
  /usr/share/java/jsp-api-*.jar                           r,
  /usr/share/java/servlet-api-*.jar                       r,
  /usr/share/java/standard.jar                            r,
  /usr/share/java/standard-*.jar                          r,
  /usr/share/java/tomcat8-*.jar                           r,
  /usr/share/java/tomcat9-*.jar                           r,
  /usr/share/java/taglibs-standard-*.jar                  r,
  /usr/share/flags/countries/16x11/*                      r,

  # GeoIP data
  /usr/share/GeoIP/*                                      r,

  # Other /proc
  @{PROC}/cpuinfo                                         r,
  @{PROC}/net/if_inet6                                    r,

  # 'm' is needed by the I2P-Bote plugin
  /{,lib/live/mount/overlay/}tmp/                         rwm,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/      rwk,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/**    rw,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
  # Scrypt used by I2P-Bote
  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,

  # temp dir (service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
  # temp dir (non-service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/         rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/**       rwkm,
  # temp dir (Jetty default)
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/           rwm,
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/**         rwkm,

  # /graphs in the router console
  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,

  # Prevent spamming the logs
  deny /dev/tty                                           rw,
  deny /{,lib/live/mount/overlay/}var/tmp/                r,
  deny @{PROC}/[0-9]*/fd/                                 r,
  deny /usr/sbin/                                         r,
  deny /var/cache/fontconfig/                             wk,

  # Some versions of the Tanuki wrapper package will try to load these jars but
  # they are  not needed by I2P. The deny rule here will prevent the logs from
  # being spammed.
  deny /usr/share/java/hamcrest*.jar                      r,
  deny /usr/share/java/junit*.jar                         r,
