doc: minor update.

2024-11-14 23:43:56 +01:00 · 2023-02-11 19:00:14 +00:00 · 2023-02-11 19:00:14 +00:00 · 2242c2185a
commit 2242c2185a
parent f40a2ef457
6 changed files with 54 additions and 37 deletions
--- a/docs/development/guidelines.md
+++ b/docs/development/guidelines.md
@ -33,21 +33,21 @@ follow the guidelines presented here.

 The rules in the profile should be sorted in the rule ***block*** as follows:

- `include`
- `set rlimit`
- `capability`
- `network`
- `mount`
- `remount`
- `umount`
- `pivot_root`
- `change_profile`
- `signal`
- `ptrace`
- `unix`
- `dbus`
- `file`
- local include
+1. `include`
+1. `set rlimit`
+1. `capability`
+1. `network`
+1. `mount`
+1. `remount`
+1. `umount`
+1. `pivot_root`
+1. `change_profile`
+1. `signal`
+1. `ptrace`
+1. `unix`
+1. `dbus`
+1. `file`
+1. local include

 This rule order is taken from AppArmor with minor changes as we tend to:

@ -58,20 +58,20 @@ This rule order is taken from AppArmor with minor changes as we tend to:

 The file block should be sorted as follow:

- `@{exec_path} mr`, the entry point of the profile
- The binaries and library required:
+1. `@{exec_path} mr`, the entry point of the profile
+1. The binaries and library required:
    - `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
    - It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules.
- The shared resources: `/usr/share`...
- The system configuration: `/etc`...
- The system data: `/var`...
- The user data: `owner @{HOME}/`...
- The user configuration, cache and in general all dotfiles
- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`...
- Sys files: `@{sys}/`...
- Proc files: `@{PROC}/`... 
- Dev files: `/dev/`...
- Deny rules: `deny`...
+1. The shared resources: `/usr/share`...
+1. The system configuration: `/etc`...
+1. The system data: `/var`...
+1. The user data: `owner @{HOME}/`...
+1. The user configuration, cache and in general all dotfiles
+1. Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`...
+1. Sys files: `@{sys}/`...
+1. Proc files: `@{PROC}/`... 
+1. Dev files: `/dev/`...
+1. Deny rules: `deny`...

 ### The dbus block

--- a/docs/development/index.md
+++ b/docs/development/index.md
@ -95,6 +95,6 @@ profile foo @{exec_path} {
 [git]: https://help.github.com/articles/set-up-git/
 [project]: https://github.com/roddhjav/apparmor.d

-[flags]: https://github.com/roddhjav/apparmor.d/blob/master/dists/flags/main.flags
-[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/profiles-a-f
-[groups]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups
+[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags
+[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f
+[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups
--- a/docs/development/structure.md
+++ b/docs/development/structure.md
@ -42,7 +42,25 @@ our profile:

    [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123)
    ``` aa linenums="123"
-    profile diff { 
+    profile diff {
+      include <abstractions/base>
+      include <abstractions/consoles>
+
+      /{usr/,}bin/       r,
+      /{usr/,}bin/pager mr,
+      /{usr/,}bin/less  mr,
+      /{usr/,}bin/more  mr,
+      /{usr/,}bin/diff  mr,
+
+      owner @{HOME}/.lesshs* rw,
+
+      # Diff changed config files
+      /etc/** r,
+
+      # For shell pwd
+      /root/ r,
+
+    }
    ```

 * In `pass`, as it is a dependency of pass. Here `diff` inherits pass' profile 
@ -102,7 +120,7 @@ the following note:
    intended to be used only via `"Px -> child-open"` exec transitions
    from other profiles. 

-[children]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/children
+[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children

 Here is an overview of the current children profile:

@ -170,4 +188,4 @@ or root) need to be present in these profiles.


 [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
-[_full]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/_full
+[_full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full
--- a/docs/enforce.md
+++ b/docs/enforce.md
@ -14,4 +14,4 @@ the `--complain` option to the configure script. Then build the package as usual
 ```

 Do not worry, the profiles that are not considered stable are kept in complain mode.
-They can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/master/dists/flags) directory.
+They can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
--- a/docs/issues.md
+++ b/docs/issues.md
@ -30,7 +30,7 @@ allow access of your home directory.
 This provides a basic protection against some packages (on the AUR) that may have
 rogue install script.

-[pacman]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/pacman/pacman
+[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman


 ### Gnome can be very slow to start.
--- a/docs/usage.md
+++ b/docs/usage.md
@ -91,8 +91,7 @@ To read the AppArmor log from `/var/log/audit/audit.log`:
 aa-log
 ```

-To optionally filter a given profile name: `aa-log <profile-name>` (zsh will
-autocomplete the profile name):
+To optionally filter a given profile name: `aa-log <profile-name>` (your shell will autocomplete the profile name):
 ```
 aa-log dnsmasq
 DENIED  dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r