From 1223b7046772e32ecb4e57c1f8ffc66d5dec99ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 24 Apr 2023 12:18:57 +0100 Subject: [PATCH] docs: some clarrification. --- docs/development/structure.md | 9 ++++++--- docs/enforce.md | 16 ++++++++++++++++ docs/install.md | 6 ++++++ 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/docs/development/structure.md b/docs/development/structure.md index 47986346..df61301d 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md @@ -191,9 +191,7 @@ dynamically by the kernel. Therefore, the full range must be allowed: *Source: [AppArmor Wiki][apparmor-wiki]* -This feature is only enabled when the `--full` option is passed to -the `configure` script. The profiles for full system policies are maintained in -the **[`_full`][_full]** group. It consists of two extra main profiles: +This feature is only enabled when the profiles are built with `make full`. The profiles for full system policies are maintained in the **[`_full`][_full]** group. It consists of two extra main profiles: 1. **`init`**: For systemd as PID 1 2. **`systemd`**: For systemd as user @@ -201,6 +199,11 @@ the **[`_full`][_full]** group. It consists of two extra main profiles: All core required applications that need to be started by systemd (both as user or root) need to be present in these profiles. +Early policy load should also be enabled. In `/etc/apparmor/parser.conf` +``` +cache-loc /etc/apparmor/earlypolicy/ +``` + !!! danger Full system policy is still under early development, do not run it outside a diff --git a/docs/enforce.md b/docs/enforce.md index cf99a2e5..20987bc9 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -10,6 +10,8 @@ The default package configuration installs all profiles in *complain* mode. This When reporting issue. Please ensure the profiles are in complain mode +## Install + #### :material-arch: Archlinux In `PKGBUILD`, replace `make` by `make enforce`: 
@@ -30,3 +32,17 @@ override_dh_auto_build: #### :simple-suse: OpenSUSE & Partial install Use the `make enforce` command to build instead of `make` + +## Track profiles in complain mode + +The [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory tracks the profile that have been forced in complain mode. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be coma separated. + +For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: +```sh +adb complain +``` + +Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: +```sh +gnome-shell attach_disconnected,mediate_deleted,complain +``` diff --git a/docs/install.md b/docs/install.md index 55f13bac..9e99a519 100644 --- a/docs/install.md +++ b/docs/install.md @@ -20,6 +20,7 @@ abstractions shipped with AppArmor must be installed. The following desktop environments are supported: - [x] :material-gnome: Gnome + - [ ] :simple-kde: KDE *(work in progress)* Also, please note wayland has better support than xorg. @@ -31,6 +32,11 @@ Also, please note wayland has better support than xorg. ## :material-arch: Archlinux `apparmor.d-git` is available in the [Arch User Repository][aur]: +``` +yay -S apparmor.d-git # or your preferred AUR install method +``` + +Or without a AUR helper: ```sh git clone https://aur.archlinux.org/apparmor.d-git.git cd apparmor.d-git
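Review bot: In the `docs/development/structure.md` hunk at `@@ -201,6 +199,11 @@`, the added sentence "Early policy load should also be enabled. In `/etc/apparmor/parser.conf`" stops without a colon or a verb, and the fence that follows it carries no language tag while the other fences in this patch use ```` ```sh ````. Consider "Early policy load should also be enabled by setting the cache location in `/etc/apparmor/parser.conf`:" and tagging the fence. The setting shown, `cache-loc /etc/apparmor/earlypolicy/`, only tells the parser where the cache lives; a sentence on what populates that directory and what consumes it at boot would keep readers from assuming this one line is the whole setup.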
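Review bot: In the `docs/enforce.md` hunk at `@@ -10,6 +10,8 @@`, the new `## Install` heading is immediately followed by the existing `#### :material-arch: Archlinux` heading, so the document jumps from h2 to h4. Either demote the distribution headings to `###` or add the new heading at `###` so the outline stays consistent; the same applies to the `#### :simple-suse: OpenSUSE & Partial install` heading visible in the next hunk's context.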
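Review bot: In the `docs/enforce.md` hunk at `@@ -30,3 +32,17 @@`, the code span meant to describe the line format ("should respect the following format: ` `") is empty, so a reader cannot see what fields a `dists/flags` line has; spell out the form that the `adb complain` example implies (profile name, whitespace, flags). Minor wording in the same paragraph: "tracks the profile that have been forced" and "used for profile that are not considered stable" should both be "profiles", and "coma separated" should be "comma-separated". The "Beware" sentence is the important one and deserves emphasis: because an entry replaces the profile's own flags rather than adding to them, omitting a flag such as `attach_disconnected` or `mediate_deleted` silently changes how that profile is mediated, as the `gnome-shell` example shows.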
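Review bot: In the `docs/install.md` hunk at `@@ -31,6 +32,11 @@`, the new `yay -S apparmor.d-git` block is in an untagged fence while the existing `git clone` block right after it uses ```` ```sh ````; tag it for consistent rendering. Also "Or without a AUR helper:" should read "Or without an AUR helper:".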