ajust install package

packaging/ubuntu/bitoj-guards

@@ -0,0 +1,68 @@
+#include <tunables/global>
+
+# BitOJ guard profiles
+/usr/lib/bitoj/scripts/binary-guard {
+    #include <abstractions/bitoj>
+
+    /var/lib/bitoj/data/**/main mrix,
+    /usr/lib/bitoj/data/**/main mrix,
+}
+
+/usr/lib/bitoj/scripts/java-guard {
+    #include <abstractions/bitoj>
+    capability sys_ptrace,
+
+    /var/lib/bitoj/data/**/*.class mr,
+    /usr/lib/bitoj/data/**/*.class mr,
+    /usr/bin/java mrix,
+
+    /etc/passwd mr,
+    /etc/nsswitch.conf mr,
+    /etc/java*/* mr,
+    /proc/** mr,
+    /sys/** mr,
+    /usr/lib/jvm/**/** mr,
+    /usr/lib/jvm/java-6-sun*/jre/bin/* mrix,
+
+    /tmp/hsperfdata_ojrun*/ mrw,
+    /tmp/hsperfdata_ojrun*/* mrw,
+}
+
+/usr/lib/bitoj/scripts/mono-guard {
+    #include <abstractions/bitoj>
+
+    /var/lib/bitoj/data/**/main.exe mr,
+    /usr/lib/bitoj/data/**/main.exe mr,
+    /var/lib/bitoj/data/**/.wapi/ mrw,
+    /var/lib/bitoj/data/**/.wapi/* mrw,
+    /usr/lib/bitoj/data/**/.wapi/ mrw,
+    /usr/lib/bitoj/data/**/.wapi/* mrw,
+
+    /usr/bin/mono mrix,
+    /usr/lib/mono/2.0/* mr,
+    /usr/lib/mono/2.0/**/* mr,
+    /etc/mono/config mr,
+    /etc/nsswitch.conf mr,
+    /etc/passwd mr,
+    /proc/**/* mr,
+}
+
+/usr/lib/bitoj/scripts/python-guard {
+    #include <abstractions/bitoj>
+    #include <abstractions/python>
+
+    /var/lib/bitoj/data/**/main.py mr,
+    /usr/lib/bitoj/data/**/main.py mr,
+    /usr/bin/python2.5 mrix,
+    /usr/lib/python2.5/lib-dynload/** mr,
+}
+
+/usr/lib/bitoj/scripts/bash-guard {
+    #include <abstractions/bitoj>
+    #include <abstractions/bash>
+
+    /var/lib/bitoj/data/**/main.sh mr,
+    /usr/lib/bitoj/data/**/main.sh mr,
+    /bin/* mrix,
+    /usr/bin/* mrix,
+}

packaging/ubuntu/build-deb.sh

@@ -13,6 +13,7 @@ rm -rf "$BUILD_DIR" "$OUT_DIR"
 mkdir -p "$PKG_ROOT/DEBIAN" \
   "$PKG_ROOT/usr/lib/bitoj" \
   "$PKG_ROOT/etc/bitoj" \
+  "$PKG_ROOT/etc/apparmor.d" \
   "$PKG_ROOT/lib/systemd/system" \
   "$PKG_ROOT/var/lib/bitoj" \
   "$PKG_ROOT/var/log/bitoj"
@@ -24,6 +25,7 @@ cp "$SCRIPT_DIR/postrm" "$PKG_ROOT/DEBIAN/postrm"
 chmod 0755 "$PKG_ROOT/DEBIAN/postinst" "$PKG_ROOT/DEBIAN/prerm" "$PKG_ROOT/DEBIAN/postrm"
 
 cp "$SCRIPT_DIR/bitoj.service" "$PKG_ROOT/lib/systemd/system/bitoj.service"
+cp "$SCRIPT_DIR/bitoj-guards" "$PKG_ROOT/etc/apparmor.d/bitoj-guards"
 mkdir -p "$PKG_ROOT/usr/lib/tmpfiles.d"
 cp "$SCRIPT_DIR/tmpfiles.conf" "$PKG_ROOT/usr/lib/tmpfiles.d/bitoj.conf"
 

packaging/ubuntu/postinst

@@ -29,6 +29,17 @@ fi
 chown -R oj:oj /var/lib/bitoj || true
 chmod 755 /var/lib/bitoj /var/log/bitoj
 
+if [ -f /etc/apparmor.d/bitoj-guards ]; then
+  if command -v apparmor_parser >/dev/null 2>&1; then
+    apparmor_parser -r /etc/apparmor.d/bitoj-guards || true
+  fi
+  if command -v service >/dev/null 2>&1; then
+    service apparmor reload >/dev/null 2>&1 || true
+  elif [ -x /etc/init.d/apparmor ]; then
+    /etc/init.d/apparmor reload >/dev/null 2>&1 || true
+  fi
+fi
+
 if command -v systemctl >/dev/null 2>&1; then
   systemctl daemon-reload
   if command -v systemd-tmpfiles >/dev/null 2>&1; then

packaging/ubuntu/postrm

@@ -7,6 +7,12 @@ fi
 
 if [ "$1" = "purge" ]; then
   rm -rf /etc/bitoj
+  rm -f /etc/apparmor.d/bitoj-guards
+  if command -v service >/dev/null 2>&1; then
+    service apparmor reload >/dev/null 2>&1 || true
+  elif [ -x /etc/init.d/apparmor ]; then
+    /etc/init.d/apparmor reload >/dev/null 2>&1 || true
+  fi
 fi
 
 exit 0

scripts/run-guard.py

@@ -58,8 +58,7 @@ class RunGuard:
                 self.usepickle = True
 
         v = os.getenv('GUARD_RLIMIT_OFILE')
-        if v:
+        if v: self.ofile = int(v)
-            self.ofile = int(v)
         self.ldpreload = os.getenv('GUARD_LD_PRELOAD')
 
     def execute(self):