mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-24 10:55:37 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

doc: add roadmap and prebuilt pages.

Browse source
This commit is contained in:
Alexandre Pujol 2025-02-23 20:10:21 +01:00
parent 2f5637bd65
commit b10f2df5ec
Failed to generate hash of commit
3 changed files with 215 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
docs/development/build.md Normal file
View file

@ -0,0 +1,152 @@
---
title: Building the profiles
---
The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers.
The build system is fully configurable, general usage can be seen with:
```sh
go run ./cmd/prebuild -h
```
```
aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4]
Prebuild apparmor.d profiles for a given distribution and apply
internal built-in directives.
Options:
-h, --help Show this help message and exit.
-c, --complain Set complain flag on all profiles.
-e, --enforce Set enforce flag on all profiles.
-a, --abi ABI Target apparmor ABI.
-f, --full Set AppArmor for full system policy.
-F, --file Only prebuild a given file.
Prepare tasks:
configure - Set distribution specificities
setflags - Set flags on some profiles
fsp - Configure AppArmor for full system policy
merge - Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory
overwrite - Overwrite dummy upstream profiles
synchronise - Initialize a new clean apparmor.d build directory
ignore - Ignore profiles and files from:
systemd-default - Configure systemd unit drop in files to a profile for some units
systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor
Build tasks:
abi3 - Convert all profiles from abi 4.0 to abi 3.0
attach - Re-attach disconnected path
complain - Set complain flag on all profiles
enforce - All profiles have been enforced
fsp - Prevent unconfined transitions in profile rules
hotfix - Temporary fix for #74, #80 & #235
userspace - Resolve variable in profile attachments
Directive:
#aa:dbus own bus=<bus> name=<name> [interface=AARE] [path=AARE]
#aa:dbus talk bus=<bus> name=<name> label=<profile> [interface=AARE] [path=AARE]
#aa:exec [P|U|p|u|PU|pu|] profiles...
#aa:only filters...
#aa:exclude filters...
#aa:stack [X] profiles...
```
## Prepare Tasks
### **`synchronise`**
Initialize a new clean `apparmor.d` build directory in `.build/`.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`ignore`**
Ignore profiles and files as defined in the `dist/ignore` directory. See [workflow](workflow.md#ignore-profiles).
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`merge`**
Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`configure`**
Set distribution specificities as defined in [`pkg/prebuild/prepare/configure.go`](https://github.com/roddhjav/apparmor.d/blob/main/pkg/prebuild/prepare/configure.go)
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`setflags`**
Set flags on profiles as defined in the [flags manifest](workflow.md#profile-flags).
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`overwrite`**
Overwrite (dummy) upstream profiles as defined in `dist/overwrite`.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`systemd-default`**
Install systemd unit drop in files from `systemd/default`. They configure the various dbus daemon to use specific profiles.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`systemd-early`**
Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more.
*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`*
### **`fsp`**
Configure AppArmor for full system policy.
*Enable with the `--full` option in the prebuild command.*
## Build Tasks
### **`abi3`**
This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not supported by `abi/3.0` are commented in the build profiles.
*Enable with the `--abi 3` option in the prebuild command.*
### **`complain | enforce`**
Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as CTF or (very) high security VM.
*Enable with the `--complain` or `--enforce` option in the prebuild command.*
### **`userspace`**
Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that does not support identical variable in the profiles attachments.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`attach`**
This task reattaches disconnected paths. See [#559](https://github.com/roddhjav/apparmor.d/issues/559):
- Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag
- Add the attached/base abstraction in the profile
- For compatibility, non-disconnected profile will have the `@{att}` variable set to `/`
*Enabled when abi >= 4.0*
### **`hotfix`**
Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server.
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`fsp`**
Prevent unconfined transitions in profile rules.
*Enable with the `--full` option in the prebuild command.*

60
docs/development/roadmap.md Normal file
View file

@ -0,0 +1,60 @@
---
title: Roadmap
---
## Toward a stable release
This is the current list of features that must be implemented to get to a stable release
- [ ] **Play machine**
- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)**
- [x] Move most profiles into groups such that
- [ ] New simplified build system to generate the packages with profile dependencies check
- [ ] **Tests**
- [x] Tests VM for all supported targets (see [tests/vm](vm.md))
- [ ] Small integration tests for all core profiles (see [tests/integration](integration.md))
- [ ] **Documentation**
- [ ] Initial draft of the security model and goal
- [ ] General documentation improvements
- [ ] **General improvements**
- [ ] Provide a proper fix for #74, #80 & #235
- [ ] The apt/dpkg profiles needs to be reworked
## Next features
- [ ] **Conditions**
- [ ] Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: `Gnome | KDE`, `X11 | Wayland`, etc.
- [ ] Create a new `aa-config` tool, similar to seboolean, to manage various settings, based on conditions.
- [ ] **User Data**
- [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone.
- [ ] Add a prompt listener to handle the user data access.
- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)**
- [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing
- [ ] Remove the `default` profile
## Done
**Abstractions**
- [x] New `audio-client` and `audio-server` abstractions
- [x] New desktop agnostic `desktop` abstraction for all common access for any GUI app.
- [x] New `graphics` abstraction, hardware-agnostic. Fully replace and restrict the old `opencl` abstractions
- [x] All new abstractions are documented in the [abstractions](abstractions.md) page
**Dbus**
- [x] New `dbus-{system,session,accessibility}` profiles. Works regardless of the dbus implementation in use.
- [x] New talk directive: Allow the application to talk to session services. (send to)
- [x] New own directive: Allow the application to own session services under the given name. (receive, send, bind)
- [x] New `bus-{system,session,accessibility}` abstraction to be used in the profiles
**Directives**
- [x] Add directive. See the [directive](directives.md) page

3
mkdocs.yml
View file

@ -152,6 +152,7 @@ nav:
- recovery.md - recovery.md
- Development: - Development:
- development/index.md - development/index.md
- development/roadmap.md
- Profiles: - Profiles:
- development/workflow.md - development/workflow.md
- development/guidelines.md - development/guidelines.md
@ -160,6 +161,8 @@ nav:
- development/directives.md - development/directives.md
- development/dbus.md - development/dbus.md
- development/recommendations.md - development/recommendations.md
- Packages:
- development/build.md
- Tests: - Tests:
- development/tests.md - development/tests.md
- development/integration.md - development/integration.md