mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-25 06:27:49 +01:00
Better goals description.
parent
356f466c53
commit
a2dc24f61d
1 changed files with 21 additions and 16 deletions
37
README.md
|
@ -1,30 +1,23 @@
|
||||||
[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]
|
[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]
|
||||||
|
|
||||||
# apparmor.d
|
# apparmor.d [![][build]][project]
|
||||||
|
|
||||||
[![][build]][project]
|
**Full set of AppArmor profiles**
|
||||||
|
|
||||||
**Full set of apparmor profiles**
|
|
||||||
|
|
||||||
> Warning: This project is still in early development.
|
> Warning: This project is still in early development.
|
||||||
|
|
||||||
|
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
A set of over 800 apparmor profiles which aims is to confine most of Linux base
|
A set of over 800 AppArmor profiles which aims is to confine most of Linux base applications and processes.
|
||||||
applications and processes.
|
|
||||||
|
|
||||||
**Goals & Purpose**
|
**Goals & Purpose**
|
||||||
- All distribution that support Apparmor (currenlty Archlinux and Debian),
|
- Support all distribution that support AppArmor (currenlty Archlinux and Debian),
|
||||||
- Target both desktop and server,
|
- Target both desktop and server,
|
||||||
- Confine all root services (bluetooth, dbus, polkit, networkmanager...),
|
- Confine all root processes (bluetooth, dbus, polkit, networkmanager, systemd...),
|
||||||
- Confine all Desktop environments (currently only Gnome),
|
- Confine all Desktop environments (currently only Gnome),
|
||||||
- Fully tested (Work in progress),
|
|
||||||
- Should not break a normal usage of the confined software.
|
- Should not break a normal usage of the confined software.
|
||||||
|
- Fully tested (Work in progress),
|
||||||
These profiles strive to be fully functional with zero audit log warnings under
|
|
||||||
proper behavior. Functionality is not ignored. If functionality is not
|
|
||||||
explicitly blocked, then it's probably a bug in the profile and should be fixed.
|
|
||||||
|
|
||||||
**Note:** This work is part of a bigger linux security project.
|
**Note:** This work is part of a bigger linux security project.
|
||||||
|
|
||||||
|
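Review bot: Removing the paragraph that begins "These profiles strive to be fully functional with zero audit log warnings under proper behavior" drops the only stated criterion for when a denial counts as a profile bug; the remaining goal "Should not break a normal usage of the confined software" says nothing about the audit log. Consider keeping one sentence of it under Goals & Purpose. In the added lines, "which aims is to confine most of Linux base applications" should read "whose aim is to confine most Linux base applications", and "Support all distribution ... (currenlty" should read "Support all distributions ... (currently". The change from "root services" to "root processes" widens the stated scope, so it is worth confirming that is intended.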
@ -32,6 +25,15 @@ explicitly blocked, then it's probably a bug in the profile and should be fixed.
|
||||||
to extend it to more Linux distributions and desktop environements.
|
to extend it to more Linux distributions and desktop environements.
|
||||||
|
|
||||||
|
|
||||||
|
## Concepts
|
||||||
|
|
||||||
|
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore a question arises: *What to confine and why?*
|
||||||
|
|
||||||
|
We take inspiration from the [Android/ChromeOS Security Model][android_model] and we apply it to the Linux world. Modern [linux security implementation][clipos] usually consider a core base image with a carefully set of selected applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap...).
|
||||||
|
|
||||||
|
This is fundamentally different from how AppArmor is used on Linux server as it is common to only confine the applications that face the internet and/or the users.
|
||||||
|
|
||||||
|
|
||||||
## Tests
|
## Tests
|
||||||
|
|
||||||
A full test suite to ensure compatibility across distributions and softwares is
|
A full test suite to ensure compatibility across distributions and softwares is
|
||||||
|
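Review bot: The last added paragraph says this approach "is fundamentally different from how AppArmor is used on Linux server", while the goals list earlier in the README still says "Target both desktop and server"; state how the core-image model applies to servers, or narrow the goal. The Concepts text also defines *core* only by example ("all systemd services, xwayland, network, bluetooth, your desktop environment..."), so a short criterion for what counts as core would make the out-of-scope rule for user applications checkable. Wording: "usually consider a core base image with a carefully set of selected applications" should read "usually considers a core base image with a carefully selected set of applications".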
@ -42,7 +44,8 @@ still a work in progress.
|
||||||
**Requirements**
|
**Requirements**
|
||||||
* An `apparmor` based linux distribution.
|
* An `apparmor` based linux distribution.
|
||||||
* A `systemd` based linux distribution.
|
* A `systemd` based linux distribution.
|
||||||
* Base profiles and abstraction shipped with apparmor are supposed to be installed.
|
* Base profiles and abstractions shipped with AppArmor are supposed to be
|
||||||
|
installed.
|
||||||
|
|
||||||
**Archlinux**
|
**Archlinux**
|
||||||
|
|
||||||
|
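Review bot: The rewritten requirement is hard-wrapped after "are supposed to be" with "installed." on its own line, while the Description and License paragraphs in this same commit are joined onto single lines; pick one wrapping style, and make sure the continuation line is indented so it stays inside the list item. If this is a hard requirement, "are supposed to be installed" would be clearer as "must be installed".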
@ -65,8 +68,7 @@ Feedbacks, contributors, pull requests, are all very welcome.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
This program is based on Mikhail Morfikov's [apparmor profiles project][upstream]
|
This program is based on Mikhail Morfikov's [apparmor profiles project][upstream] and thus has the same license (GPL2).
|
||||||
and thus has the same license (GPL2).
|
|
||||||
|
|
||||||
```
|
```
|
||||||
Copyright (C) Alexandre PUJOL & Mikhail Morfikov
|
Copyright (C) Alexandre PUJOL & Mikhail Morfikov
|
||||||
|
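Review bot: On the joined License line, "GPL2" does not say whether the terms are version 2 only or version 2 or later; since the line is being touched, spell it out, for example with the SPDX identifier GPL-2.0-only or GPL-2.0-or-later, whichever matches the notice in the code block that follows. The link text "apparmor profiles project" also keeps the lowercase spelling while the rest of this commit switches to "AppArmor".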
@ -88,3 +90,6 @@ with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
[upstream]: https://gitlab.com/morfikov/apparmemall
|
[upstream]: https://gitlab.com/morfikov/apparmemall
|
||||||
[project]: https://gitlab.com/roddhjav/apparmor.d
|
[project]: https://gitlab.com/roddhjav/apparmor.d
|
||||||
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/master/pipeline.svg?style=flat-square
|
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/master/pipeline.svg?style=flat-square
|
||||||
|
|
||||||
|
[android_model]: https://arxiv.org/pdf/1904.05572
|
||||||
|
[clipos]: https://clip-os.org/en/
|
||||||
|
|
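Review bot: The new [android_model] reference points straight at the PDF (https://arxiv.org/pdf/1904.05572); linking the abstract page, https://arxiv.org/abs/1904.05572, lets readers see the title, authors and version history before they download anything, and it stays valid if the paper is revised.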