From a8be57a1db3a91b4a35052c83907ba2f5532fd7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Oct 2023 00:13:30 +0100 Subject: [PATCH] doc: minor improvments. --- docs/concepts.md | 12 ++---------- docs/enforce.md | 4 ++-- docs/index.md | 2 +- docs/install.md | 15 ++++++++++++--- docs/issues.md | 2 +- docs/usage.md | 15 +++++++++------ 6 files changed, 27 insertions(+), 23 deletions(-) diff --git a/docs/concepts.md b/docs/concepts.md index 1a6320db..da239730 100644 --- a/docs/concepts.md +++ b/docs/concepts.md 
@@ -11,17 +11,9 @@ possible to write an AppArmor profile for all of them. Therefore, a question ari **What to confine and why?** -We take inspiration from the [Android/ChromeOS Security Model][android_model] and -we apply it to the Linux world. Modern [Linux security distributions][clipos] usually -consider an immutable core base image with a carefully selected set of applications. -Everything else should be sandboxed. Therefore, this project tries to confine all -the *core* applications you will usually find in a Linux system: all systemd services, -xwayland, network, bluetooth, your desktop environment... Non-core user applications -are out of scope as they should be sandboxed using a dedicated tool (minijail, -bubblewrap, toolbox...). +We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...). -This is fundamentally different from how AppArmor is usually used on Linux servers -as it is common to only confine the applications that face the internet and/or the users. +This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. [android_model]: https://arxiv.org/pdf/1904.05572 diff --git a/docs/enforce.md b/docs/enforce.md index 20987bc9..730e5ddc 100644 --- a/docs/enforce.md +++ b/docs/enforce.md 
@@ -4,7 +4,7 @@ title: Enforce Mode # Enforce Mode -The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial install. Once you have tested it and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. +The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. !!! warning @@ -35,7 +35,7 @@ Use the `make enforce` command to build instead of `make` ## Track profiles in complain mode -The [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory tracks the profile that have been forced in complain mode. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be coma separated. +The [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory tracks the profile that have been forced in complain mode. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: ```sh diff --git a/docs/index.md b/docs/index.md index 7d50ff99..91bd45e0 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -23,7 +23,7 @@ most Linux based applications and processes. - Confine some *"special"* user applications: web browser, file browser... - Should not break a normal usage of the confined software -See the [Concepts](concepts) page for more detail on the architecture. +See the [Concepts](concepts)' page for more detail on the architecture. **Goals** diff --git a/docs/install.md b/docs/install.md index 22e13692..92df2784 100644 --- a/docs/install.md +++ b/docs/install.md @@ -19,7 +19,7 @@ The following desktop environments are supported: - [x] :material-gnome: Gnome - [ ] :simple-kde: KDE *(work in progress)* -Also, please note wayland has better support than xorg. +Also, please note Wayland has better support than Xorg. **Build dependencies** @@ -33,7 +33,7 @@ Also, please note wayland has better support than xorg. yay -S apparmor.d-git # or your preferred AUR install method ``` -Or without a AUR helper: +Or without an AUR helper: ```sh git clone https://aur.archlinux.org/apparmor.d-git.git cd apparmor.d-git @@ -49,7 +49,7 @@ sudo apt install apparmor-profiles build-essential config-package-dev debhelper git clone https://github.com/roddhjav/apparmor.d.git cd apparmor.d dpkg-buildpackage -b -d --no-sign -sudo dpkg -i ../apparmor.d_*_all.deb +sudo dpkg -i ../apparmor.d_*.deb ``` !!! tip @@ -59,9 +59,18 @@ sudo dpkg -i ../apparmor.d_*_all.deb make dpkg ``` +!!! note + + Debian user may need golang from the backports repository to build: + ```sh + echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list + sudo apt update + sudo apt install -t bookworm-backports golang-go + ``` ## :simple-suse: OpenSUSE +OpenSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS ```sh zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo zypper refresh diff --git a/docs/issues.md b/docs/issues.md index c21e0d34..f9424e29 100644 --- a/docs/issues.md 
+++ b/docs/issues.md @@ -27,7 +27,7 @@ error: could not get current working directory This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. -According the Archlinux guideline, on Archlinux, packages cannot install files under `/home/`. Therefore the [`pacman`][pacman] profile purposely does not allow access of your home directory. +According to the Archlinux guideline, on Archlinux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. This provides a basic protection against some packages (on the AUR) that may have rogue install script. diff --git a/docs/usage.md b/docs/usage.md index a9b52b86..e20714b1 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -12,15 +12,17 @@ sudo aa-status It should give something like: ``` apparmor module is loaded. -1441 profiles are loaded. -112 profiles are in enforce mode. +1613 profiles are loaded. +1050 profiles are in enforce mode. + ... +563 profiles are in complain mode. ... 0 profiles are in kill mode. 0 profiles are in unconfined mode. -155 processes have profiles defined. -14 processes are in enforce mode. +170 processes have profiles defined. +140 processes are in enforce mode. ... -141 processes are in complain mode. +30 processes are in complain mode. ... 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. @@ -104,7 +106,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] Review AppArmor generated messages in a colorful way. Supports logs from auditd, systemd, syslog as well as dbus session events. 
@@ -119,4 +121,5 @@ Options: -f, --file FILE Set a logfile or a suffix to the default log file. -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. + -R, --raw Print the raw log without any formatting. ```
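Review bot: the docs/concepts.md hunk rewraps two paragraphs into single long lines, so every line shows as changed and the only wording change (the comma added after `[android_model]`) is hidden; the rendered Markdown is identical either way. Either mention the rewrap in the commit message or keep it as a separate commit so the textual edit can be reviewed on its own.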
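Review bot: in the first docs/enforce.md hunk, the comma added in "Once you have tested it, and it works fine" splits one compound condition and reads worse than the original; drop it. The second hunk fixes "coma" but leaves "tracks the profile that have been forced" and "used for profile that are not considered stable" in the same sentences, both of which should read "profiles".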
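Review bot: the docs/index.md hunk introduces an error rather than fixing one: `See the [Concepts](concepts)' page` renders as "the Concepts' page" with a stray possessive apostrophe. The original `See the [Concepts](concepts) page` was correct; revert this hunk.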
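Review bot: the docs/install.md hunk that changes `sudo dpkg -i ../apparmor.d_*_all.deb` to `sudo dpkg -i ../apparmor.d_*.deb` gives no reason for loosening the glob; if the package is no longer architecture-independent (for example because it is now built with Go), say so in the commit message, since readers of the old instructions will otherwise not understand why the file name changed.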
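Review bot: in the docs/install.md note for Debian, `echo '...' | sudo tee -a /etc/apt/sources.list` appends a new line each time it is run, so a reader who retries the steps ends up with duplicate `deb` entries and apt warnings; write the entry to its own file instead, for example `sudo tee /etc/apt/sources.list.d/backports.list`. The entry also enables `contrib non-free` although `golang-go` is in `main`; enabling only `main` keeps the added package source as narrow as the build needs. `bookworm` is hardcoded, which should be stated as an assumption, and "Debian user may need" should read "Debian users may need". In the same hunk, the new OpenSUSE sentence lacks an article and a colon before the code block; suggest "OpenSUSE users need to add the [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS:". The `zypper addrepo` and `zypper refresh` context lines below it also lack `sudo` while the other distribution sections use it, which trips up readers who paste the block as is.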
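Review bot: the docs/issues.md hunk fixes "According to" but the same sentence keeps "does not allow access of your home directory", which should be "access to", and the following context line "may have rogue install script" should be plural ("scripts"). Both fit the scope of this doc-fix pass.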
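Review bot: the new sample `aa-status` output in docs/usage.md is internally consistent (1050 enforce + 563 complain = 1613 profiles loaded; 140 + 30 = 170 processes with profiles), so it is fine as is. Because these counts change with every profile added to the repository, a short sentence saying that the exact figures will differ on the reader's system would keep the page from looking out of date.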
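Review bot: the synopsis hunk in docs/usage.md marks `--rules` and `--raw` as mutually exclusive (`[--rules | --raw]`), but the new option line `-R, --raw  Print the raw log without any formatting.` does not say so; add "cannot be combined with --rules" to one of the two descriptions. Also check that this help text matches what `aa-log --help` actually prints so the documented options do not drift from the tool.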