[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]
# apparmor.d [![][build]][project]
**Full set of AppArmor profiles**
> Warning: This project is still in early development.
## Description
A set of over 800 AppArmor profiles whose aim is to confine most Linux base applications and processes.
**Goals & Purpose**
- Support all distributions that support AppArmor (currently Archlinux and Debian),
- Target both desktop and server,
- Confine all root processes (bluetooth, dbus, polkit, networkmanager, systemd...),
- Confine all Desktop environments (currently only Gnome),
- Should not break normal usage of the confined software,
- Fully tested (work in progress).

**Note:** This work is part of a bigger Linux security project.

> This project is based on the excellent work from [Morfikov][upstream] and aims
to extend it to more Linux distributions and desktop environments.
## Concepts
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore a question arises: *What to confine and why?*

We take inspiration from the [Android/ChromeOS Security Model][android_model] and apply it to the Linux world. Modern [Linux security implementations][clipos] usually consider a core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap...).

This is fundamentally different from how AppArmor is used on Linux servers, where it is common to confine only the applications that face the internet and/or the users.
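
One way to measure the "confine all root processes" goal on a running system, as an added example that is not part of this project's own tooling: it reads each root-owned process's AppArmor label from `/proc/<pid>/attr/` and classifies it. The function names and the `PROC_ROOT` argument are assumptions introduced here.

```sh
#!/bin/sh
# Added example: AppArmor confinement status of root-owned processes.
# The PROC_ROOT argument is a hypothetical override so the scan can also
# run against a constructed directory tree instead of the live /proc.

# classify_label LABEL -> unconfined | enforce | complain | other
classify_label() {
    case "$1" in
        unconfined)     echo unconfined ;;
        *" (enforce)")  echo enforce ;;
        *" (complain)") echo complain ;;
        *)              echo other ;;
    esac
}

# root_confinement [PROC_ROOT] -> one line per process: "PID MODE NAME LABEL"
root_confinement() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # The first number on the "Uid:" line is the real UID.
        uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        [ "$uid" = "0" ] || continue
        # Kernel threads have no address space, so no "VmSize:" line; skip them.
        grep -q '^VmSize:' "$dir/status" 2>/dev/null || continue
        name=$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        # Prefer the AppArmor-specific file; fall back to the shared one.
        label_file="$dir/attr/apparmor/current"
        [ -r "$label_file" ] || label_file="$dir/attr/current"
        label=$(cat "$label_file" 2>/dev/null) || continue
        printf '%s %s %s %s\n' "${dir##*/}" "$(classify_label "$label")" "$name" "$label"
    done
}

# count_mode MODE [PROC_ROOT] -> number of root processes in that mode
count_mode() {
    root_confinement "${2:-/proc}" | awk -v m="$1" '$2 == m {n++} END {print n+0}'
}
```

Source the file as root and run `root_confinement | sort -k2,2` to list root processes grouped by mode; `count_mode unconfined` gives the number that are still unconfined.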
## Tests
A full test suite to ensure compatibility across distributions and software is
still a work in progress.
## Installation
**Requirements**
* An `apparmor` based Linux distribution.
* A `systemd` based Linux distribution.
* Base profiles and abstractions shipped with AppArmor are expected to be
installed.
**Archlinux**
Build and install the package with:
```sh
makepkg -si
```
**Debian**
Build using standard Debian package build tools:
```sh
dpkg-buildpackage -b -d -us -ui --sign-key=<gpg-id>
```
## Contribution
Feedback, contributors, and pull requests are all very welcome.
## License
This program is based on Mikhail Morfikov's [apparmor profiles project][upstream] and thus has the same license (GPL2).
```
Copyright (C) Alexandre PUJOL & Mikhail Morfikov
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
```
[upstream]: https://gitlab.com/morfikov/apparmemall
[project]: https://gitlab.com/roddhjav/apparmor.d
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/master/pipeline.svg?style=flat-square
[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/