apparmor.d/README.md

102 lines
3.8 KiB
Markdown
Raw Normal View History

2021-04-02 19:13:03 +02:00
[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]
# apparmor.d
[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard]
2021-04-02 19:13:03 +02:00
2021-05-09 16:08:26 +02:00
**Full set of AppArmor profiles**
2021-04-02 19:13:03 +02:00
> **Warning**: This project is still in its early development. Help is very
> welcome see the [documentation website](https://apparmor.pujol.io/) including
> its [development](https://apparmor.pujol.io/development) section.
2021-05-09 01:50:07 +02:00
## Description
2021-05-09 16:08:26 +02:00
**AppArmor.d** is a set of over 1400 AppArmor profiles which aims is to confine
most of Linux base applications and processes.
2021-05-09 16:08:26 +02:00
**Purpose**
2021-05-09 16:08:26 +02:00
- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`,
`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`.
- Confine all Desktop environments
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
- Confine some *"special"* user applications: web browser, file browser...
- Should not break a normal usage of the confined software
- Fully tested (Work in progress)
2021-05-09 16:08:26 +02:00
**Goals**
2021-05-09 01:50:07 +02:00
- Target both desktop and server
- Support all distributions that support AppArmor:
* Currently:
- Archlinux
- Ubuntu 22.04
- Debian 11
* Not (yet) tested on openSUSE
- Support all major desktop environments:
* Currently only Gnome
2021-04-02 19:13:03 +02:00
2022-09-13 19:14:58 +02:00
> This project is originaly based on the work from [Morfikov][upstream] and aims
> to extend it to more Linux distributions and desktop environements.
2021-04-02 19:13:03 +02:00
## Concepts
2021-04-02 19:13:03 +02:00
*One profile a day keeps the hacker away*
2021-04-02 19:13:03 +02:00
There are over 50000 Linux packages and even more applications. It is simply not
possible to write an AppArmor profile for all of them. Therefore, a question arises:
**What to confine and why?**
2022-02-08 22:13:31 +01:00
We take inspiration from the [Android/ChromeOS Security Model][android_model] and
we apply it to the Linux world. Modern [Linux security distribution][clipos] usually
consider an immutable core base image with a carefully set of selected applications.
Everything else should be sandboxed. Therefore, this project tries to confine all
the *core* applications you will usually find in a Linux system: all systemd services,
xwayland, network, bluetooth, your desktop environment... Non-core user applications
are out of scope as they should be sandboxed using a dedicated tool (minijail,
bubblewrap, toolbox...).
2021-04-02 19:13:03 +02:00
This is fundamentally different from how AppArmor is usually used on Linux server
as it is common to only confine the applications that face the internet and/or the users.
2021-04-02 19:13:03 +02:00
## Installation
Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
## Configuration
Please see [apparmor.pujol.io/configuration](https://apparmor.pujol.io/configuration)
2021-08-02 12:54:58 +02:00
## Usage
Please see [apparmor.pujol.io/usage](https://apparmor.pujol.io/usage)
2021-08-02 12:54:58 +02:00
2021-05-09 01:50:07 +02:00
## Contribution
Feedbacks, contributors, pull requests are all very welcome. Please read
[apparmor.pujol.io/development](https://apparmor.pujol.io/development)
for more details on the contribution process.
2021-05-09 01:50:07 +02:00
## License
This Project was initially based on Mikhail Morfikov's [apparmor profiles project][upstream]
and thus has the same license (GPL2).
2021-05-09 01:50:07 +02:00
[upstream]: https://gitlab.com/morfikov/apparmemall
[project]: https://gitlab.com/roddhjav/apparmor.d
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/main/pipeline.svg?style=flat-square
[workflow]: https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Froddhjav%2Fapparmor.d%2Fbadge%3Fref%3Dmain&style=flat-square
[action]: https://actions-badge.atrox.dev/roddhjav/apparmor.d/goto?ref=main
[quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
2021-05-09 16:08:26 +02:00
[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/
2022-07-03 19:55:21 +02:00
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX