mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-24 14:06:47 +01:00
doc: improve doc.
This commit is contained in:
parent
a3b1597364
commit
c68cdd14a3
6 changed files with 27 additions and 12 deletions
|
@ -35,7 +35,8 @@ most Linux based applications and processes.
|
||||||
* Debian 12
|
* Debian 12
|
||||||
* OpenSUSE Tumbleweed
|
* OpenSUSE Tumbleweed
|
||||||
- Support major desktop environments:
|
- Support major desktop environments:
|
||||||
* Currently only Gnome
|
* Gnome
|
||||||
|
* KDE *(work in progress)*
|
||||||
- Fully tested (Work in progress)
|
- Fully tested (Work in progress)
|
||||||
|
|
||||||
|
|
||||||
|
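Review bot: the new `* KDE *(work in progress)*` bullet uses a different style for the status marker than the existing `- Fully tested (Work in progress)` line three lines below it in the same feature list; pick one form (`*(work in progress)*` reads better with the italics already used here) and apply it to both so the README status markers are consistent.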
@ -68,7 +69,7 @@ as it is common to only confine the applications that face the internet and/or t
|
||||||
Building large set of AppArmor profiles:
|
Building large set of AppArmor profiles:
|
||||||
|
|
||||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
|
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ There are over 50000 Linux packages and even more applications. It is simply not
|
||||||
|
|
||||||
**What to confine and why?**
|
**What to confine and why?**
|
||||||
|
|
||||||
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
|
We take inspiration from the [Android/ChromeOS Security Model](https://arxiv.org/pdf/1904.05572v2.pdf), and we apply it to the Linux world. Modern [Linux security distributions](https://clip-os.org/en/) usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
|
||||||
|
|
||||||
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
|
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
|
||||||
|
|
||||||
|
|
|
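Review bot: converting `[android_model]` and `[clipos]` from reference-style links to inline URLs leaves the old `[android_model]:` and `[clipos]:` reference definitions orphaned unless they are removed further down the file, and this hunk does not show that removal; please confirm they are dropped, or keep the reference style, which is what the other pages touched by this commit use (`[aur]`, `[repo]`, `[newissue]`, `[paste]`). Also, `https://arxiv.org/pdf/1904.05572v2.pdf` pins revision v2 of the paper; linking the abstract page for the same arXiv id would follow future revisions.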
@ -2,15 +2,12 @@
|
||||||
title: Enforce Mode
|
title: Enforce Mode
|
||||||
---
|
---
|
||||||
|
|
||||||
# Enforce Mode
|
|
||||||
|
|
||||||
The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
|
The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
|
||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
|
|
||||||
When reporting issue. Please ensure the profiles are in complain mode
|
When reporting issue. Please ensure the profiles are in complain mode
|
||||||
|
|
||||||
## Install
|
|
||||||
|
|
||||||
#### :material-arch: Archlinux
|
#### :material-arch: Archlinux
|
||||||
|
|
||||||
|
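Review bot: removing the `## Install` heading leaves `#### :material-arch: Archlinux` (and the distribution sections that follow it) as level-4 headings directly under the page title, so the heading hierarchy now skips two levels; either promote those sections to `##` or keep a level-2 parent heading. Dropping the duplicate `# Enforce Mode` heading itself is fine since the front-matter `title:` already provides it. Separately, the unchanged context line `When reporting issue. Please ensure the profiles are in complain mode` is a sentence fragment and could be fixed in the same docs pass: `When reporting an issue, please ensure the profiles are in complain mode.`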
@ -29,7 +26,15 @@ override_dh_auto_build:
|
||||||
make enforce
|
make enforce
|
||||||
```
|
```
|
||||||
|
|
||||||
#### :simple-suse: OpenSUSE & Partial install
|
#### :simple-suse: OpenSUSE
|
||||||
|
|
||||||
|
In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce`
|
||||||
|
```diff
|
||||||
|
- %make_build
|
||||||
|
+ make enforce
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Partial install
|
||||||
|
|
||||||
Use the `make enforce` command to build instead of `make`
|
Use the `make enforce` command to build instead of `make`
|
||||||
|
|
||||||
|
|
|
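Review bot: in the new OpenSUSE section, replacing `%make_build` by plain `make enforce` drops whatever build flags the RPM macro expands to (parallel-job flags in particular); `%make_build enforce` keeps the macro and just adds the target, which is the smaller edit to `dists/apparmor.d.spec` and matches how the Debian instructions above pass the same `enforce` target. The sentence under the new `#### Partial install` heading also lacks a terminating period.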
@ -34,7 +34,8 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
|
||||||
* [:material-debian: Debian 12](install.md#ubuntu-debian)
|
* [:material-debian: Debian 12](install.md#ubuntu-debian)
|
||||||
* [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse)
|
* [:simple-suse: OpenSUSE Tumbleweed](install.md#opensuse)
|
||||||
- Support all major desktop environments:
|
- Support all major desktop environments:
|
||||||
* Currently only :material-gnome: Gnome
|
- [x] :material-gnome: Gnome
|
||||||
|
- [ ] :simple-kde: KDE *(work in progress)*
|
||||||
- Fully tested (Work in progress)
|
- Fully tested (Work in progress)
|
||||||
|
|
||||||
**Presentations**
|
**Presentations**
|
||||||
|
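Review bot: this page says `- Support all major desktop environments:` while the README hunk in the same commit says `- Support major desktop environments:`; pick one wording for both files. The new `- [x]` / `- [ ]` task-list items are nested under a `*` bullet list, so please check that the docs build renders checkboxes at that nesting level (otherwise they appear as literal `[x]` / `[ ]` text), and note that `- Fully tested (Work in progress)` on the next line still styles the same status marker differently from `*(work in progress)*`.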
@ -42,7 +43,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
|
||||||
Building large set of AppArmor profiles:
|
Building large set of AppArmor profiles:
|
||||||
|
|
||||||
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
|
||||||
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
|
- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
|
||||||
|
|
||||||
**Chat**
|
**Chat**
|
||||||
|
|
||||||
|
|
|
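Review bot: this is the same Ubuntu Summit 2023 video link added to the README above, so the presentations list is now maintained verbatim in two places; either point one of them at the other or add a comment reminding contributors to update both.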
@ -106,7 +106,7 @@ sudo make profile-names...
|
||||||
|
|
||||||
- :material-arch: Archlinux `sudo pacman -R apparmor.d`
|
- :material-arch: Archlinux `sudo pacman -R apparmor.d`
|
||||||
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
|
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
|
||||||
|
- :simple-suse: OpenSUSE `sudo zypper remove apparmor.d`
|
||||||
|
|
||||||
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
|
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
|
||||||
[repo]: https://repo.pujol.io/
|
[repo]: https://repo.pujol.io/
|
||||||
|
|
|
@ -6,9 +6,17 @@ title: Report AppArmor logs
|
||||||
|
|
||||||
The **[aa-log](usage.md#apparmor-log)** tool reports all AppArmor `DENIED` and `ALLOWED`. It should be used to fix AppArmor related issues.
|
The **[aa-log](usage.md#apparmor-log)** tool reports all AppArmor `DENIED` and `ALLOWED`. It should be used to fix AppArmor related issues.
|
||||||
|
|
||||||
While testing, if something get wrong, you need to put the profile in complain mode, to that you can investigate, and it does not block your program.
|
While testing, if something get wrong, you need to put the profile in complain mode, so that you can investigate, and it does not block your program.
|
||||||
|
|
||||||
When creating [an issue on Github][newissue]. Please ensure you post a link to the [paste] of the AppArmor audit log: `/var/log/audit/audit.log`.
|
When creating [an issue on Github][newissue], please post a link to the [paste] of the audit log generated with:
|
||||||
|
```sh
|
||||||
|
aa-log -R
|
||||||
|
```
|
||||||
|
|
||||||
|
If this command produce nothing, try:
|
||||||
|
```sh
|
||||||
|
aa-log -s -R
|
||||||
|
```
|
||||||
|
|
||||||
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
|
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
|
||||||
[paste]: https://pastebin.com/
|
[paste]: https://pastebin.com/
|
||||||
|
|
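Review bot: the new sentence `If this command produce nothing, try:` should read `produces`, and the context line `While testing, if something get wrong` (where only `to that` was changed to `so that`) should read `goes wrong`. The first sentence, `reports all AppArmor `DENIED` and `ALLOWED``, is missing a noun such as `events` or `log entries`. The rewritten issue-reporting paragraph also drops the only mention of `/var/log/audit/audit.log`; since the fallback `aa-log -s -R` is offered without explanation, a short note on where `aa-log -R` reads from and what `-s` changes would tell users why the second command may return output when the first does not.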