mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
doc: improve doc.
This commit is contained in:
Alexandre Pujol
parent
a3b1597364
commit
c68cdd14a3
@ -35,7 +35,8 @@ most Linux based applications and processes.
|
||||
* Debian 12
|
||||
* OpenSUSE Tumbleweed
|
||||
- Support major desktop environments:
|
||||
* Currently only Gnome
|
||||
* Gnome
|
||||
* KDE *(work in progress)*
|
||||
- Fully tested (Work in progress)
|
||||
|
||||
|
||||
@ -68,7 +69,7 @@ as it is common to only confine the applications that face the internet and/or t
|
||||
Building large set of AppArmor profiles:
|
||||
|
||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
|
||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||
|
||||
## Installation
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ There are over 50000 Linux packages and even more applications. It is simply not
|
||||
|
||||
**What to confine and why?**
|
||||
|
||||
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
|
||||
We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
|
||||
|
||||
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
|
||||
|
||||
|
||||
@ -2,15 +2,12 @@
|
||||
title: Enforce Mode
|
||||
---
|
||||
|
||||
# Enforce Mode
|
||||
|
||||
The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
|
||||
|
||||
!!! warning
|
||||
|
||||
When reporting issue. Please ensure the profiles are in complain mode
|
||||
|
||||
## Install
|
||||
|
||||
#### :material-arch: Archlinux
|
||||
|
||||
@ -29,7 +26,15 @@ override_dh_auto_build:
|
||||
make enforce
|
||||
```
|
||||
|
||||
#### :simple-suse: OpenSUSE & Partial install
|
||||
#### :simple-suse: OpenSUSE
|
||||
|
||||
In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce`
|
||||
```diff
|
||||
- %make_build
|
||||
+ make enforce
|
||||
```
|
||||
|
||||
#### Partial install
|
||||
|
||||
Use the `make enforce` command to build instead of `make`
|
||||
|
||||
|
||||
@ -34,7 +34,8 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
|
||||
* [:material-debian: Debian 12](install.md#ubuntu-debian)
|
||||
* [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse)
|
||||
- Support all major desktop environments:
|
||||
* Currently only :material-gnome: Gnome
|
||||
- [x] :material-gnome: Gnome
|
||||
- [ ] :simple-kde: KDE *(work in progress)*
|
||||
- Fully tested (Work in progress)
|
||||
|
||||
**Presentations**
|
||||
@ -42,7 +43,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
|
||||
Building large set of AppArmor profiles:
|
||||
|
||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
|
||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||
|
||||
**Chat**
|
||||
|
||||
|
||||
@ -106,7 +106,7 @@ sudo make profile-names...
|
||||
|
||||
- :material-arch: Archlinux `sudo pacman -R apparmor.d`
|
||||
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
|
||||
|
||||
- :simple-suse: OpenSUSE `sudo zypper remove apparmor.d`
|
||||
|
||||
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
|
||||
[repo]: https://repo.pujol.io/
|
||||
|
||||
@ -6,9 +6,17 @@ title: Report AppArmor logs
|
||||
|
||||
The **[aa-log](usage.md#apparmor-log)** tool reports all AppArmor `DENIED` and `ALLOWED`. It should be used to fix AppArmor related issues.
|
||||
|
||||
While testing, if something get wrong, you need to put the profile in complain mode, to that you can investigate, and it does not block your program.
|
||||
While testing, if something get wrong, you need to put the profile in complain mode, so that you can investigate, and it does not block your program.
|
||||
|
||||
When creating [an issue on Github][newissue]. Please ensure you post a link to the [paste] of the AppArmor audit log: `/var/log/audit/audit.log`.
|
||||
When creating [an issue on Github][newissue], please post a link to the [paste] of the audit log generated with:
|
||||
```sh
|
||||
aa-log -R
|
||||
```
|
||||
|
||||
If this command produce nothing, try:
|
||||
```sh
|
||||
aa-log -s -R
|
||||
```
|
||||
|
||||
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
|
||||
[paste]: https://pastebin.com/
|
||||
|
||||
Loading…
Reference in New Issue
Block a user