apparmor.d/README.md

[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]

# apparmor.d

[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard]

**Full set of AppArmor profiles**

> **Warning**: This project is still in its early development. Help is very 
> welcome; see the [documentation website](https://apparmor.pujol.io/) including
> its [development](https://apparmor.pujol.io/development) section.


## Description 

**AppArmor.d** is a set of over 1400 AppArmor profiles whose aim is to confine
most Linux based applications and processes.

**Purpose**

- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`,
  `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
- Confine all Desktop environments
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
- Confine some *"special"* user applications: web browser, file browser...
- Should not break a normal usage of the confined software

**Goals**

- Target both desktops and servers
- Support all distributions that support AppArmor:
    * Archlinux
    * Ubuntu 22.04
    * Debian 11
    * OpenSUSE Tumbleweed
- Support all major desktop environments:
    * Currently only Gnome
- Fully tested (Work in progress)


> This project is originaly based on the work from [Morfikov][upstream] and aims
> to extend it to more Linux distributions and desktop environements.

## Concepts

*One profile a day keeps the hacker away*

There are over 50000 Linux packages and even more applications. It is simply not
possible to write an AppArmor profile for all of them. Therefore, a question arises:

**What to confine and why?**

We take inspiration from the [Android/ChromeOS Security Model][android_model] and
we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
consider an immutable core base image with a carefully selected set of applications.
Everything else should be sandboxed. Therefore, this project tries to confine all
the *core* applications you will usually find in a Linux system: all systemd services,
xwayland, network, bluetooth, your desktop environment... Non-core user applications
are out of scope as they should be sandboxed using a dedicated tool (minijail,
bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers
as it is common to only confine the applications that face the internet and/or the users.

**Presentation**

- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))

## Installation

Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)

## Configuration

Please see [apparmor.pujol.io/configuration](https://apparmor.pujol.io/configuration)

## Usage

Please see [apparmor.pujol.io/usage](https://apparmor.pujol.io/usage)

## Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read
[apparmor.pujol.io/development](https://apparmor.pujol.io/development) 
for more details on the contribution process.


## License

This Project was initially based on Mikhail Morfikov's [apparmor profiles project][upstream]
and thus has the same license (GPL2).

[upstream]: https://gitlab.com/morfikov/apparmemall
[project]: https://gitlab.com/roddhjav/apparmor.d
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/main/pipeline.svg?style=flat-square
[workflow]: https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Froddhjav%2Fapparmor.d%2Fbadge%3Fref%3Dmain&style=flat-square
[action]: https://actions-badge.atrox.dev/roddhjav/apparmor.d/goto?ref=main
[quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d

[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX
New Readme. 2021-04-02 19:13:03 +02:00			`[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]`

Use web based goreport to linter check. 2021-11-30 19:36:04 +01:00			`# apparmor.d`

doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard]`
New Readme. 2021-04-02 19:13:03 +02:00
Better goals description. 2021-05-09 16:08:26 +02:00			`Full set of AppArmor profiles`
New Readme. 2021-04-02 19:13:03 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`> Warning: This project is still in its early development. Help is very`
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`> welcome; see the [documentation website](https://apparmor.pujol.io/) including`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`> its [development](https://apparmor.pujol.io/development) section.`
Update Readme. 2021-05-09 01:50:07 +02:00

doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`## Description`
Better goals description. 2021-05-09 16:08:26 +02:00
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`AppArmor.d is a set of over 1400 AppArmor profiles whose aim is to confine`
			`most Linux based applications and processes.`
Better goals description. 2021-05-09 16:08:26 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Purpose`
Better goals description. 2021-05-09 16:08:26 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`,
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`- Confine all Desktop environments`
			- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
			`- Confine some "special" user applications: web browser, file browser...`
			`- Should not break a normal usage of the confined software`
Better goals description. 2021-05-09 16:08:26 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Goals`
Update Readme. 2021-05-09 01:50:07 +02:00
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`- Target both desktops and servers`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`- Support all distributions that support AppArmor:`
docs: add support for OpenSUSE. 2023-02-05 01:22:21 +01:00			`* Archlinux`
			`* Ubuntu 22.04`
			`* Debian 11`
			`* OpenSUSE Tumbleweed`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`- Support all major desktop environments:`
			`* Currently only Gnome`
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`- Fully tested (Work in progress)`
New Readme. 2021-04-02 19:13:03 +02:00
build: default to complain mode. 2022-09-13 19:14:58 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`> This project is originaly based on the work from [Morfikov][upstream] and aims`
			`> to extend it to more Linux distributions and desktop environements.`
New Readme. 2021-04-02 19:13:03 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`## Concepts`
New Readme. 2021-04-02 19:13:03 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`One profile a day keeps the hacker away`
New Readme. 2021-04-02 19:13:03 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`There are over 50000 Linux packages and even more applications. It is simply not`
			`possible to write an AppArmor profile for all of them. Therefore, a question arises:`
doc: recommand using the AUR to install on Archlinux. 2022-09-13 19:28:27 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`What to confine and why?`
Add the troubleshooting section. 2022-02-08 22:13:31 +01:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`We take inspiration from the [Android/ChromeOS Security Model][android_model] and`
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`we apply it to the Linux world. Modern [Linux security distributions][clipos] usually`
			`consider an immutable core base image with a carefully selected set of applications.`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Everything else should be sandboxed. Therefore, this project tries to confine all`
			`the core applications you will usually find in a Linux system: all systemd services,`
			`xwayland, network, bluetooth, your desktop environment... Non-core user applications`
			`are out of scope as they should be sandboxed using a dedicated tool (minijail,`
			`bubblewrap, toolbox...).`
New Readme. 2021-04-02 19:13:03 +02:00
docs: multiple english corrections. Co-authored-by: Thomas LAURENT <thomas.laurent@ucdconnect.ie> 2023-01-31 22:13:35 +01:00			`This is fundamentally different from how AppArmor is usually used on Linux servers`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`as it is common to only confine the applications that face the internet and/or the users.`
New Readme. 2021-04-02 19:13:03 +02:00
doc: add link to the presentation in LSS-NA. 2023-06-13 18:11:30 +02:00			`Presentation`

			`- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))`
Add 'pick', a tooll to install some AppArmor profiles. 2021-12-05 20:17:53 +01:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`## Installation`
Explain single profile installation (#85) * Explain single profile installation * Update README.md 2022-10-17 23:43:36 +02:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)`
feat: rewrite the local installation method. 2023-01-28 23:29:33 +01:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`## Configuration`
Add 'pick', a tooll to install some AppArmor profiles. 2021-12-05 20:17:53 +01:00
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Please see [apparmor.pujol.io/configuration](https://apparmor.pujol.io/configuration)`
Add 'pick', a tooll to install some AppArmor profiles. 2021-12-05 20:17:53 +01:00
Add usage section. 2021-08-02 12:54:58 +02:00			`## Usage`

doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`Please see [apparmor.pujol.io/usage](https://apparmor.pujol.io/usage)`
Add usage section. 2021-08-02 12:54:58 +02:00
Update Readme. 2021-05-09 01:50:07 +02:00			`## Contribution`

chore: remove former contributing file. 2023-01-29 23:36:16 +01:00			`Feedbacks, contributors, pull requests are all very welcome. Please read`
			`[apparmor.pujol.io/development](https://apparmor.pujol.io/development)`
			`for more details on the contribution process.`
Update Readme. 2021-05-09 01:50:07 +02:00

			`## License`

doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`This Project was initially based on Mikhail Morfikov's [apparmor profiles project][upstream]`
			`and thus has the same license (GPL2).`
Update Readme. 2021-05-09 01:50:07 +02:00
			`[upstream]: https://gitlab.com/morfikov/apparmemall`
			`[project]: https://gitlab.com/roddhjav/apparmor.d`
doc: most of the readme content have moved. 2023-01-29 23:13:58 +01:00			`[build]: https://gitlab.com/roddhjav/apparmor.d/badges/main/pipeline.svg?style=flat-square`
chore: remove former contributing file. 2023-01-29 23:36:16 +01:00			`[workflow]: https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Froddhjav%2Fapparmor.d%2Fbadge%3Fref%3Dmain&style=flat-square`
			`[action]: https://actions-badge.atrox.dev/roddhjav/apparmor.d/goto?ref=main`
Use web based goreport to linter check. 2021-11-30 19:36:04 +01:00			`[quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square`
			`[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d`
Better goals description. 2021-05-09 16:08:26 +02:00
			`[android_model]: https://arxiv.org/pdf/1904.05572`
			`[clipos]: https://clip-os.org/en/`
doc: improve current doc. 2022-07-03 19:55:21 +02:00			`[write xor execute]: https://en.wikipedia.org/wiki/W%5EX`