mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-12 07:17:13 +01:00
doc: update abstraction structure to the last changes.
This commit is contained in:
parent
0ae7b68dc8
commit
601b62e93a
2 changed files with 75 additions and 38 deletions
@ -19,28 +19,13 @@ This project and the apparmor profile official project provide a large selection
All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/<name>.d` where `<name>` is the name of one of these abstractions.
All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/<name>.d` where `<name>` is the name of one of these abstractions.
## Application helper
## Application helper
### **`bwrap`**
Abstraction that aim at including a complete set of rule for a given program. The calling profile only need to add rules dependant of its use case/program.
Minimal set of rules for sandboxed program using `bwrap`. A profile using this abstraction still needs to set:
It is mostly useful for program often used in sub profile or for forks based on the same upstream.
- The flag: `attach_disconnected`
### **`app/chromium`**
- Bwrap execution: `@{bin}/bwrap rix,`
### **`bwrap-app`**
Common rules for unknown userland UI applications sandboxed using `bwrap`.
!!! warning
This abstraction is wide on purpose. It is meant to be used by sandboxed applications that have no way to restrict access depending on the application being confined.
**Do not use it for classic profile.**
### **`chromium`**
Full set of rules for all chromium based browsers. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile:
Full set of rules for all chromium based browsers. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile:
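Review bot: the two sentences added for the application helper directory need a grammar pass before they reach the rendered docs. "Abstraction that aim at including a complete set of rule for a given program. The calling profile only need to add rules dependant of its use case/program." should read "Abstractions that aim at including a complete set of rules for a given program. The calling profile only needs to add the rules that depend on its use case.", and "It is mostly useful for program often used in sub profile or for forks based on the same upstream." should read "It is mostly useful for programs often used in sub-profiles or for forks based on the same upstream." The hunk also drops the `bwrap`, `bwrap-app` and `chromium` headings, so their old `#bwrap`, `#bwrap-app` and `#chromium` anchors should be checked for remaining references elsewhere in the docs.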
@ -55,13 +40,14 @@ Full set of rules for all chromium based browsers. It works as a *function* and
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}
```
```
If your application requires chromium to run (like electron) use [`chromium-common`](#chromium-common) instead.
If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron)
instead.
### **`chromium-common`**
Minimal set of rules for chromium based application such as electron. Handle access for internal sandbox.
### **`app/pgrep`**
### **`sudo`**
### **`app/sudo`**
Minimal set of rules for profile including internal `sudo`. Interactive sudo need more rules. It is intended to be used in profile or sub profile that need to elevate their privileges using `sudo` or `su` for a very specific action:
Minimal set of rules for profile including internal `sudo`. Interactive sudo need more rules. It is intended to be used in profile or sub profile that need to elevate their privileges using `sudo` or `su` for a very specific action:
```sh
```sh
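Review bot: the new `### **`app/pgrep`**` heading is added without any description, unlike every other entry in this section; add a one-line summary of what the abstraction grants, using the neighbouring `app/sudo` entry as the model. Two smaller points in the same hunk: the rewritten cross-reference now splits its sentence across two lines ("... or [`common/electron`](#commonelectron)" followed by "instead."), which renders fine but is easier to review on one line; and the `#commonchromium` and `#commonelectron` anchors rely on the slugifier dropping the `/` from the `common/chromium` and `common/electron` headings, so verify both links in the built site.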
@ -69,15 +55,13 @@ Minimal set of rules for profile including internal `sudo`. Interactive sudo nee
profile root {
profile root {
include <abstractions/base>
include <abstractions/base>
include <abstractions/sudo>
include <abstractions/app/sudo>
@{bin}/sudo rm,
include if exists <local/<profile_name>_root>
include if exists <local/<profile_name>_root>
}
}
```
```
### **`systemctl`**
### **`app/systemctl`**
Alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provide too much/not enough access. This abstraction should be used by a sub profile as follows:
Alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provide too much/not enough access. This abstraction should be used by a sub profile as follows:
```sh
```sh
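Review bot: the `root` example loses the `@{bin}/sudo rm,` rule together with the switch to `include <abstractions/app/sudo>`. That is only correct if `abstractions/app/sudo` itself carries the access to the sudo binary; otherwise the snippet no longer shows a working sub profile. Confirm that the abstraction does, and if so, the description above the snippet ("Minimal set of rules for profile including internal `sudo`") could state that the sudo execution rule is included, so readers do not re-add it. The `systemctl` to `app/systemctl` rename in the same hunk is consistent with the heading change.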
@ -85,13 +69,68 @@ Alternative solution for [child-systemctl](structure.md#children-profiles), when
profile systemctl {
profile systemctl {
include <abstractions/base>
include <abstractions/base>
include <abstractions/systemctl>
include <abstractions/app/systemctl>
include if exists <local/<profile_name>_systemctl>
include if exists <local/<profile_name>_systemctl>
}
}
```
```
## Common Dependencies
On the contrary of [`abstractions/app/`](#application-helper), abstractions in this directory are expected to provide a minimal set of rules to make a program using a dependency work.
### **`common/app`**
Common rules for unknown userland UI applications sandboxed using `bwrap`.
!!! warning
This abstraction is wide on purpose. It is meant to be used by sandboxed applications that have no way to restrict access depending on the application being confined.
**Do not use it for classic profile.**
### **`common/apt`**
Minimal access to apt sources, preferences and configuration.
### **`common/bwrap`**
Minimal set of rules for sandboxed program using `bwrap`. A profile using this abstraction still needs to set:
- The flag: `attach_disconnected`
- Bwrap execution: `@{bin}/bwrap rix,`
### **`common/chromium`**
Minimal set of rules for chromium based application. Handle access for internal sandbox.
### **`common/electron`**
Minimal set of rules for all electron based UI application. It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile:
!!! note ""
[apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/profile-s-z/spotify#L10-L13)
``` sh linenums="10"
@{name} = spotify
@{lib_dirs} = /opt/@{name}
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}
```
### **`common/systemd`**
Common set of rules for internal systemd suite.
!!! warning
It should **only** be used by the systemd suite.
## Audio
## Audio
### **`audio-client`**
### **`audio-client`**
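Review bot: the new `common/app` entry contradicts the intro of the section it now sits in. The intro says abstractions under `common/` "are expected to provide a minimal set of rules", while `common/app` keeps the old `bwrap-app` warning "This abstraction is wide on purpose" and "Do not use it for classic profile." Either keep it under the application helpers or qualify the intro so the exception is explicit. Smaller points in the same hunk: "On the contrary of" should be "Unlike"; "make a program using a dependency work" reads better as "make a program that uses the dependency work"; "Do not use it for classic profile" should be "Do not use it in classic profiles"; and `common/electron` says it "works as a *function*" but only the spotify snippet shows which variables (`@{name}`, `@{lib_dirs}`, `@{config_dirs}`, `@{cache_dirs}`) are required, so naming them in the prose would help. The spotify link is pinned to a specific commit, which is what keeps `linenums="10"` accurate; keep it pinned.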
@ -142,7 +181,14 @@ Permissions for querying dconf settings with write access.
!!! warning
!!! warning
This abstractions are only required when an interactive shell is started. Classic shell scripts do not need them.
These abstractions are only required when an interactive shell is started. Classic shell scripts do not need them.
Only use [`shells`](#shells), other abstractions are software dependant and should not usually be used directly.
### **`shells`**
Common rules for interactive shells.
### **`bash-strict`**
### **`bash-strict`**
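Review bot: "software dependant" in the added sentence should be "software dependent", and the comma splice "Only use [`shells`](#shells), other abstractions are ..." reads better as "Only use [`shells`](#shells); the other abstractions are software dependent and should not usually be used directly." The "This abstractions" to "These abstractions" fix in the same hunk is correct, and the new `#shells` anchor resolves to the `### **`shells`**` heading added just below it.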
@ -163,15 +209,6 @@ Many programs wish to perform nameservice like operations, such as looking up us
Use this abstraction instead of upstream `abstractions/nameservice` as upstream abstraction also provide full network access which is not needed for a lot of programs.
Use this abstraction instead of upstream `abstractions/nameservice` as upstream abstraction also provide full network access which is not needed for a lot of programs.
### **`systemd-common`**
Common set of rules for internal systemd suite.
!!! warning
It should **only** be used by the systemd suite.
### **`app-open`**
### **`app-open`**
Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
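Review bot: removing the `systemd-common` section here is the counterpart of the new `common/systemd` entry, so any remaining `#systemd-common` links in the docs will dangle after this hunk; grep for them before merging. Since the hunk already touches this part of the page, the unchanged `app-open` context paragraph is also worth a small fix: it calls the abstraction "this profile" and the sentence "Until this day, this profile will be a controlled mess." reads better as "Until then, this abstraction will be a controlled mess."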
@ -133,7 +133,7 @@ The `exec` directive is useful to allow executing transition to a profile withou
```sh
```sh
# Stacked profile: systemd-oomd
# Stacked profile: systemd-oomd
include <abstractions/bus-system>
include <abstractions/bus-system>
include <abstractions/systemd-common>
include <abstractions/common/systemd>
capability dac_override,
capability dac_override,
capability kill,
capability kill,
unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
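Review bot: the stacked-profile example in structure.md is updated to `include <abstractions/common/systemd>`, consistent with the rename documented in abstractions.md, but this commit changes only the two documentation files. The renames the docs now describe (`systemd-common` to `common/systemd`, `sudo` to `app/sudo`, `systemctl` to `app/systemctl`, `bwrap-app` to `common/app`, `chromium-common` to `common/chromium`) should be verified against the actual abstraction files and against the `include` lines in the shipped profiles; otherwise the documentation describes a layout the repository does not have yet.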