From b29f579865ea158a2e43c156a2d1739ce6137bb2 Mon Sep 17 00:00:00 2001 From: Mikhail Morfikov Date: Fri, 18 Sep 2020 20:13:28 +0200 Subject: [PATCH] add README file --- README | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 README diff --git a/README b/README new file mode 100644 index 00000000..4905f039 --- /dev/null +++ b/README @@ -0,0 +1,20 @@ +------------ +Introduction +------------ +This repository contains various AppArmor profiles, which aim is to confine linux applications. This +work started a few years ago, but still some of the profiles should be considered experimental, +though most of them work well, at least on my system (Xserver/Openbox setup). Whether any of the +profiles will work on your linux, it depends. Basically the software you use matters a lot, for +instance, major desktop environments (KDE/GNOME) are known to cause troubles, and additional rules +probably will be required to make an app work under such DE. Probably many profiles are also +missing some rules because I'm not able to check and test every app in its every detail -- it +simply takes a lot of time. + +The profile rules basically try to map files that a certain application wants to use. Not all the +files are required for an app to make it work, and in some cases giving access to certain files can +be dangerous for both security and privacy. I'm making the file maps just to know how an app works +(what files it tries to use), and whether (or not) it makes some suspicious actions by trying to +read or write exotic locations. With AppArmor everything is clear what apps are trying to do in the +system. When you know what files are used, you can try to deny those you think that can be blocked, +and at some point you get a more strict profiles which provide a better security and privacy, but +of course it will take time.