diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index 2506fed6..e672b245 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -33,21 +33,21 @@ follow the guidelines presented here. The rules in the profile should be sorted in the rule ***block*** as follows: -- `include` -- `set rlimit` -- `capability` -- `network` -- `mount` -- `remount` -- `umount` -- `pivot_root` -- `change_profile` -- `signal` -- `ptrace` -- `unix` -- `dbus` -- `file` -- local include +1. `include` +1. `set rlimit` +1. `capability` +1. `network` +1. `mount` +1. `remount` +1. `umount` +1. `pivot_root` +1. `change_profile` +1. `signal` +1. `ptrace` +1. `unix` +1. `dbus` +1. `file` +1. local include This rule order is taken from AppArmor with minor changes as we tend to: 
@@ -58,20 +58,20 @@ This rule order is taken from AppArmor with minor changes as we tend to: The file block should be sorted as follow: -- `@{exec_path} mr`, the entry point of the profile -- The binaries and library required: +1. `@{exec_path} mr`, the entry point of the profile +1. The binaries and library required: - `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... - It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. -- The shared resources: `/usr/share`... -- The system configuration: `/etc`... -- The system data: `/var`... -- The user data: `owner @{HOME}/`... -- The user configuration, cache and in general all dotfiles -- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`... -- Sys files: `@{sys}/`... -- Proc files: `@{PROC}/`... -- Dev files: `/dev/`... -- Deny rules: `deny`... +1. The shared resources: `/usr/share`... +1. The system configuration: `/etc`... +1. The system data: `/var`... +1. The user data: `owner @{HOME}/`... +1. The user configuration, cache and in general all dotfiles +1. Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`... +1. Sys files: `@{sys}/`... +1. Proc files: `@{PROC}/`... +1. Dev files: `/dev/`... +1. Deny rules: `deny`... ### The dbus block diff --git a/docs/development/index.md b/docs/development/index.md index a7b0f523..fec826be 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -95,6 +95,6 @@ profile foo @{exec_path} { [git]: https://help.github.com/articles/set-up-git/ [project]: https://github.com/roddhjav/apparmor.d -[flags]: https://github.com/roddhjav/apparmor.d/blob/master/dists/flags/main.flags -[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/profiles-a-f -[groups]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups +[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags +[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f +[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups diff --git a/docs/development/structure.md b/docs/development/structure.md index f0b0991b..90650828 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md @@ -42,7 +42,25 @@ our profile: [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) ``` aa linenums="123" - profile diff { + profile diff { + include + include + + /{usr/,}bin/ r, + /{usr/,}bin/pager mr, + /{usr/,}bin/less mr, + /{usr/,}bin/more mr, + /{usr/,}bin/diff mr, + + owner @{HOME}/.lesshs* rw, + + # Diff changed config files + /etc/** r, + + # For shell pwd + /root/ r, + + } ``` * In `pass`, as it is a dependency of pass. Here `diff` inherits pass' profile @@ -102,7 +120,7 @@ the following note: intended to be used only via `"Px -> child-open"` exec transitions from other profiles. -[children]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/children +[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children Here is an overview of the current children profile: 
@@ -170,4 +188,4 @@ or root) need to be present in these profiles. [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy -[_full]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/_full +[_full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full diff --git a/docs/enforce.md b/docs/enforce.md index 76b31fa6..c332f5a6 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -14,4 +14,4 @@ the `--complain` option to the configure script. Then build the package as usual ``` Do not worry, the profiles that are not considered stable are kept in complain mode. -They can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/master/dists/flags) directory. +They can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. diff --git a/docs/issues.md b/docs/issues.md index 76143ca5..c283c714 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -30,7 +30,7 @@ allow access of your home directory. This provides a basic protection against some packages (on the AUR) that may have rogue install script. -[pacman]: https://github.com/roddhjav/apparmor.d/blob/master/apparmor.d/groups/pacman/pacman +[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman ### Gnome can be very slow to start. diff --git a/docs/usage.md b/docs/usage.md index c0ae423a..fbabb38c 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -91,8 +91,7 @@ To read the AppArmor log from `/var/log/audit/audit.log`: aa-log ``` -To optionally filter a given profile name: `aa-log ` (zsh will -autocomplete the profile name): +To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): ``` aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
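Review bot: in the guidelines.md hunk at @@ -58, the nested bullets under `1. The binaries and library required:` (`- /{usr/,}bin/ ...` and `- It is the only place where you can have ...`) are unchanged context lines; now that the parent switches from `-` to `1.`, they must be indented to the content column of the ordered item (at least three spaces, four for the Python-Markdown renderer MkDocs uses) or the renderer will close the ordered list and start a plain bullet list, restarting the numbering at the next `1.`. While these lines are being rewritten, fix the two grammar nits too: `The binaries and library required:` should read `The binaries and libraries required:`, and the context line `The file block should be sorted as follow:` should read `sorted as follows:`.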
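Review bot: the index.md hunk at @@ -95 (and the matching one-line hunks in structure.md, enforce.md and issues.md) only rewrite link definitions from `blob/master` / `tree/master` to `.../main`. Since this is a repository-wide default-branch rename, grep the whole docs tree (and any README or script that embeds raw GitHub URLs) for remaining `/master/` references before merging; any that are missed will break as soon as the old branch name stops resolving. The structure.md link pinned to commit `accf5538...` is correctly left untouched.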
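Review bot: in the structure.md hunk at @@ -42, the two added `include` lines carry no target (`+ include` with nothing after it), so a reader copying the quoted `profile diff` block gets a profile that does not parse; the abstraction names should be present, and if they were swallowed by the Markdown pipeline because of the angle brackets they are safe inside the fenced `aa` block and should be restored. Expanding the block from the `profile diff {` stub to the full body is otherwise an improvement, and `linenums="123"` together with the link pinned to commit `accf5538...` keeps the quoted lines and the line reference consistent even after the upstream file changes.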
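Review bot: in the usage.md hunk at @@ -91, the rewritten sentence still reads `` `aa-log ` `` with a trailing space and no placeholder for the profile name, so the reader has to infer the argument from the `aa-log dnsmasq` example below; add an explicit placeholder such as `aa-log PROFILE` so the intent survives rendering. Widening `zsh` to `your shell` also promises completion for every shell; either confirm that completion scripts ship for bash and fish as well, or qualify it as `if shell completion is installed`.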