doc: minor improvments.

docs/concepts.md

@@ -11,17 +11,9 @@ possible to write an AppArmor profile for all of them. Therefore, a question ari
 
 **What to confine and why?**
 
-We take inspiration from the [Android/ChromeOS Security Model][android_model] and
+We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment...  Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
-we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
-consider an immutable core base image with a carefully selected set of applications.
-Everything else should be sandboxed. Therefore, this project tries to confine all
-the *core* applications you will usually find in a Linux system: all systemd services,
-xwayland, network, bluetooth, your desktop environment... Non-core user applications
-are out of scope as they should be sandboxed using a dedicated tool (minijail,
-bubblewrap, toolbox...).
 
-This is fundamentally different from how AppArmor is usually used on Linux servers
+This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
-as it is common to only confine the applications that face the internet and/or the users.
 
 
 [android_model]: https://arxiv.org/pdf/1904.05572

docs/enforce.md

@@ -4,7 +4,7 @@ title: Enforce Mode
 
 # Enforce Mode
 
-The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial install. Once you have tested it and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
+The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
 
 !!! warning
 
@@ -35,7 +35,7 @@ Use the `make enforce` command to build instead of `make`
 
 ## Track profiles in complain mode
 
-The [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory tracks the profile that have been forced in complain mode. It is used for profile that are not considered stable. Files in this directory should respect the following format: `<profile> <flags>`, flags should be coma separated.
+The [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory tracks the profile that have been forced in complain mode. It is used for profile that are not considered stable. Files in this directory should respect the following format: `<profile> <flags>`, flags should be comma separated.
 
 For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line:
 ```sh

docs/index.md

@@ -23,7 +23,7 @@ most Linux based applications and processes.
 - Confine some *"special"* user applications: web browser, file browser...
 - Should not break a normal usage of the confined software
 
-See the [Concepts](concepts) page for more detail on the architecture.
+See the [Concepts](concepts)' page for more detail on the architecture.
 
 **Goals**
 

docs/install.md

@@ -19,7 +19,7 @@ The following desktop environments are supported:
   - [x] :material-gnome: Gnome
   - [ ] :simple-kde: KDE *(work in progress)*
 
-Also, please note wayland has better support than xorg.
+Also, please note Wayland has better support than Xorg.
 
 **Build dependencies**
 
@@ -33,7 +33,7 @@ Also, please note wayland has better support than xorg.
 yay -S apparmor.d-git  # or your preferred AUR install method
 ```
 
-Or without a AUR helper:
+Or without an AUR helper:
 ```sh
 git clone https://aur.archlinux.org/apparmor.d-git.git
 cd apparmor.d-git
@@ -49,7 +49,7 @@ sudo apt install apparmor-profiles build-essential config-package-dev debhelper
 git clone https://github.com/roddhjav/apparmor.d.git
 cd apparmor.d
 dpkg-buildpackage -b -d --no-sign
-sudo dpkg -i ../apparmor.d_*_all.deb
+sudo dpkg -i ../apparmor.d_*.deb
 ```
 
 !!! tip
@@ -59,9 +59,18 @@ sudo dpkg -i ../apparmor.d_*_all.deb
     make dpkg
     ```
 
+!!! note
+
+    Debian user may need golang from the backports repository to build:
+    ```sh
+    echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
+    sudo apt update
+    sudo apt install -t bookworm-backports golang-go
+    ```
 
 ## :simple-suse: OpenSUSE
 
+OpenSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS
 ```sh
 zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo
 zypper refresh

docs/issues.md

@@ -27,7 +27,7 @@ error: could not get current working directory
 
 This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory.
 
-According the Archlinux guideline, on Archlinux, packages cannot install files under `/home/`. Therefore the [`pacman`][pacman] profile purposely does not allow access of your home directory.
+According to the Archlinux guideline, on Archlinux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory.
 
 This provides a basic protection against some packages (on the AUR) that may have rogue install script.
 

docs/usage.md

@@ -12,15 +12,17 @@ sudo aa-status
 It should give something like:
 ```
 apparmor module is loaded.
-1441 profiles are loaded.
+1613 profiles are loaded.
-112 profiles are in enforce mode.
+1050 profiles are in enforce mode.
+   ...
+563 profiles are in complain mode.
    ...
 0 profiles are in kill mode.
 0 profiles are in unconfined mode.
-155 processes have profiles defined.
+170 processes have profiles defined.
-14 processes are in enforce mode.
+140 processes are in enforce mode.
    ...
-141 processes are in complain mode.
+30 processes are in complain mode.
    ...
 0 processes are unconfined but have a profile defined.
 0 processes are in mixed mode.
@@ -104,7 +106,7 @@ DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
 ### Help
 
 ```
-aa-log [-h] [--systemd] [--file file] [--rules] [profile]
+aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile]
 
     Review AppArmor generated messages in a colorful way. Supports logs from
     auditd, systemd, syslog as well as dbus session events.
@@ -119,4 +121,5 @@ Options:
     -f, --file FILE    Set a logfile or a suffix to the default log file.
     -s, --systemd      Parse systemd logs from journalctl.
     -r, --rules        Convert the log into AppArmor rules.
+    -R, --raw          Print the raw log without any formatting.
 ```