From 185187b608decd72450209fd3ee7b3e8b73a7ae9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 14:49:08 +0000 Subject: [PATCH] doc: rewrite full system policy section. --- docs/development/structure.md | 60 ++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 11 deletions(-) diff --git a/docs/development/structure.md b/docs/development/structure.md index 0773962a..0e1c0659 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md @@ -187,22 +187,60 @@ The possible solutions are: *Source: [AppArmor Wiki][apparmor-wiki]* -This feature is only enabled when the profiles are built with `make full`. The profiles for full system policies are maintained in the **[`_full`][full]** group. It consists of two extra main profiles: - -1. **`init`**: For systemd as PID 1 -2. **`systemd`**: For systemd as user - -All core required applications that need to be started by systemd (both as user or root) need to be present in these profiles. - -Early policy load should also be enabled. In `/etc/apparmor/parser.conf` -``` -cache-loc /etc/apparmor/earlypolicy/ -``` +### Enable !!! danger Full system policy is still under early development, do not run it outside a development VM! **You have been warned!!!** +This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load must be enabled, in `/etc/apparmor/parser.conf` ensure you have: +``` +write-cache +cache-loc /etc/apparmor/earlypolicy/ +``` + +### Structure + +The profiles for full system policies are maintained in the **[`_full`][full]** group. + +**systemd** + +In addition to systemd services (`systemd-*`) that have their own profiles, systemd itself, is confined using: + +- [x] **`systemd`**: For systemd as PID 1, designed such as: + - It allows internal systemd access, + - It allows starting all common root services. +- [ ] **`systemd-user`**: For `systemd --user`, designed such as: + - It allows internal systemd user access, + - It allows starting all common user services. + +These profiles are only intended to confine themselves. Any services started by systemd must have their corresponding profile. It means that for a given distribution, the following services must have profiles: + +- [ ] For `systemd`: +```sh +/usr/lib/systemd/system-generators/* +/usr/lib/systemd/system-environment-generators/* +/usr/lib/systemd/system/*.service +``` + +- [ ] For `systemd-user` +```sh +/usr/lib/systemd/user-environment-generators/* +/usr/lib/systemd/user-generators/* +/usr/lib/systemd/user/*.service +``` + +To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: +``` + @{lib}/foo rPx -> systemd//&foo, + ... +``` + +**Fallback** + +!!! warning "Work in Progress" + +In addition to systemd profiles, a full system policy needs to ensure that no program run in an unconfined state at any time. When full policy mode is enabled, special fallback profiles `default` and `default-user` are used to ensure this. PAM rule can be used to configure it further. [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full