doc: improve doc.

This commit is contained in:
Alexandre Pujol 2024-01-27 23:13:43 +00:00
parent a3b1597364
commit c68cdd14a3
Failed to generate hash of commit
6 changed files with 27 additions and 12 deletions

View file

@ -35,7 +35,8 @@ most Linux based applications and processes.
* Debian 12 * Debian 12
* OpenSUSE Tumbleweed * OpenSUSE Tumbleweed
- Support major desktop environments: - Support major desktop environments:
* Currently only Gnome * Gnome
* KDE *(work in progress)*
- Fully tested (Work in progress) - Fully tested (Work in progress)
@ -68,7 +69,7 @@ as it is common to only confine the applications that face the internet and/or t
Building large set of AppArmor profiles: Building large set of AppArmor profiles:
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
## Installation ## Installation

View file

@ -10,7 +10,7 @@ There are over 50000 Linux packages and even more applications. It is simply not
**What to confine and why?** **What to confine and why?**
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...). We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

View file

@ -2,15 +2,12 @@
title: Enforce Mode title: Enforce Mode
--- ---
# Enforce Mode
The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
!!! warning !!! warning
When reporting issue. Please ensure the profiles are in complain mode When reporting issue. Please ensure the profiles are in complain mode
## Install
#### :material-arch: Archlinux #### :material-arch: Archlinux
@ -29,7 +26,15 @@ override_dh_auto_build:
make enforce make enforce
``` ```
#### :simple-suse: OpenSUSE & Partial install #### :simple-suse: OpenSUSE
In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce`
```diff
- %make_build
+ make enforce
```
#### Partial install
Use the `make enforce` command to build instead of `make` Use the `make enforce` command to build instead of `make`

View file

@ -34,7 +34,8 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
* [:material-debian: Debian 12](install.md#ubuntu-debian) * [:material-debian: Debian 12](install.md#ubuntu-debian)
* [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse) * [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse)
- Support all major desktop environments: - Support all major desktop environments:
* Currently only :material-gnome: Gnome - [x] :material-gnome: Gnome
- [ ] :simple-kde: KDE *(work in progress)*
- Fully tested (Work in progress) - Fully tested (Work in progress)
**Presentations** **Presentations**
@ -42,7 +43,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
Building large set of AppArmor profiles: Building large set of AppArmor profiles:
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
**Chat** **Chat**

View file

@ -106,7 +106,7 @@ sudo make profile-names...
- :material-arch: Archlinux `sudo pacman -R apparmor.d` - :material-arch: Archlinux `sudo pacman -R apparmor.d`
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` - :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
- :simple-suse: OpenSUSE `sudo zypper remove apparmor.d`
[aur]: https://aur.archlinux.org/packages/apparmor.d-git [aur]: https://aur.archlinux.org/packages/apparmor.d-git
[repo]: https://repo.pujol.io/ [repo]: https://repo.pujol.io/

View file

@ -6,9 +6,17 @@ title: Report AppArmor logs
The **[aa-log](usage.md#apparmor-log)** tool reports all AppArmor `DENIED` and `ALLOWED`. It should be used to fix AppArmor related issues. The **[aa-log](usage.md#apparmor-log)** tool reports all AppArmor `DENIED` and `ALLOWED`. It should be used to fix AppArmor related issues.
While testing, if something get wrong, you need to put the profile in complain mode, to that you can investigate, and it does not block your program. While testing, if something get wrong, you need to put the profile in complain mode, so that you can investigate, and it does not block your program.
When creating [an issue on Github][newissue]. Please ensure you post a link to the [paste] of the AppArmor audit log: `/var/log/audit/audit.log`. When creating [an issue on Github][newissue], please post a link to the [paste] of the audit log generated with:
```sh
aa-log -R
```
If this command produce nothing, try:
```sh
aa-log -s -R
```
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new [newissue]: https://github.com/roddhjav/apparmor.d/issues/new
[paste]: https://pastebin.com/ [paste]: https://pastebin.com/