mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-23 21:46:44 +01:00
chore: cosmetic.
This commit is contained in:
parent
c6717d2bab
commit
c9b87efebe
5 changed files with 13 additions and 26 deletions
25
README.md
@ -7,15 +7,12 @@
**Full set of AppArmor profiles**
> [!WARNING]
> This project is still in its early development. Help is very
> welcome; see the [documentation website](https://apparmor.pujol.io/) including
> its [development](https://apparmor.pujol.io/development) section.
> This project is still in its early development. Help is very welcome; see the [documentation website](https://apparmor.pujol.io/) including its [development](https://apparmor.pujol.io/development) section.
## Description
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine
most Linux based applications and processes.
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
**Purpose**
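Review bot: the rewrap of the warning blockquote and the Description paragraph is content-neutral, but it trades hard-wrapped lines for single long lines, so later wording edits will show up as whole-paragraph diffs; if that is the intended house style, state it in the development docs and convert the rest of the README the same way rather than leaving the two forms mixed.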
@ -40,29 +37,19 @@ most Linux based applications and processes.
- Fully tested (Work in progress)
> This project is originally based on the work from [Morfikov][upstream] and aims
> to extend it to more Linux distributions and desktop environments.
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
## Concepts
*One profile a day keeps the hacker away*
There are over 50000 Linux packages and even more applications. It is simply not
possible to write an AppArmor profile for all of them. Therefore, a question arises:
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:
**What to confine and why?**
We take inspiration from the [Android/ChromeOS Security Model][android_model] and
we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
consider an immutable core base image with a carefully selected set of applications.
Everything else should be sandboxed. Therefore, this project tries to confine all
the *core* applications you will usually find in a Linux system: all systemd services,
xwayland, network, bluetooth, your desktop environment... Non-core user applications
are out of scope as they should be sandboxed using a dedicated tool (minijail,
bubblewrap, toolbox...).
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
This is fundamentally different from how AppArmor is usually used on Linux servers
as it is common to only confine the applications that face the internet and/or the users.
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
**Presentations**
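Review bot: besides the rewrap, this hunk changes wording that the commit message `chore: cosmetic.` does not mention: a comma is added after `[android_model]` and `bluetooth` becomes `Bluetooth`. The capitalisation is correct for the trademark, but it now sits beside the lowercase `xwayland` and `network` in the same list; either keep the whole list lowercase as informal component names or mention the wording change in the commit message so it reads as deliberate.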
@ -47,7 +47,6 @@
@{open_path} = @{bin}/exo-open @{bin}/xdg-open
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
# Experimental - May be modified/removed without notice
# Coreutils programs that should not have dedicated profile
@{coreutils} = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand
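Review bot: the comment `# Coreutils programs that should not have dedicated profile` is missing an article (`a dedicated profile`), and the first entry `{,m}awk` is not a coreutils program (awk is shipped by gawk or mawk), so the variable is wider than its name and comment suggest. Since everything listed in `@{coreutils}` is deliberately left without a dedicated profile, a one-line note that the variable also covers a few non-coreutils tools would spare readers the surprise.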
@ -55,7 +55,7 @@ This rule order is taken from AppArmor with minor changes as we tend to:
### The file block
The file block should be sorted as follow:
The file block should be sorted as follows:
| Order | Description | Example | Link |
|:-----:|:-----------:|:-------:|:------:|
@ -75,7 +75,7 @@ The file block should be sorted as follow:
### The dbus block
The dbus block should be sorted as follow:
The dbus block should be sorted as follows:
- The system bus should be sorted *before* the session bus
- The bind rules should be sorted *after* the send & receive rules
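Review bot: `as follow` is corrected to `as follows` here and in the file-block hunk above; the context line of the next hunk, `For DBus, try to determine peer's label when possible.`, has the same kind of slip (`the peer's label`) and could be folded into this cosmetic pass.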
@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
peer=(name=org.freedesktop.DBus, label=dbus-session),
```
If there is no predictable label it can be omitted.
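Review bot: switching the example's peer label from `dbus-daemon` to `dbus-session` is more than cosmetic for anyone who copies the snippet: `label=` must equal the name of the profile that confines the bus daemon, and a rule whose label matches no loaded profile never matches, so the `RequestName`/`ReleaseName` calls would be denied rather than allowed. The commit should confirm that the session bus daemon is confined under a profile named `dbus-session` in this repository, and the line `If there is no predictable label it can be omitted.` could add that a wrong label is worse than none.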
@ -106,7 +106,7 @@ If there is no predictable label it can be omitted.
`Sub profile`
: Sub profile should comes at the end of a profile.
: Sub profile should come at the end of a profile.
`Similar purpose`
@ -121,6 +121,7 @@ If there is no predictable label it can be omitted.
* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference)
* [The OpenSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html)
* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html
* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5)
* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/)
* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules)
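Review bot: the added entry is a bare URL while every neighbour is a titled markdown link; give it a title in the same style (for example `[The SUSE AppArmor introduction](https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html)`) and consider whether the SLES 12-SP5 edition of that chapter is the one to point at, given that the list already links the openSUSE Leap documentation.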
@ -105,7 +105,7 @@ func TestAppArmorProfile_String(t *testing.T) {
},
&File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: "rm"},
&File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: "rw"},
&File{Path: "@{sys}/devices/pci[0-9]*/**/class", Access: "r"},
&File{Path: "@{sys}/devices/@{pci}/class", Access: "r"},
includeLocal1,
},
},
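Review bot: replacing the literal `@{sys}/devices/pci[0-9]*/**/class` with `@{sys}/devices/@{pci}/class` in the expected AST only checks that the rule renders as written; it does not verify that `@{pci}` is defined in the tunables or that it expands to the same path set as the old glob, so the test stays green even if the variable is missing. A line in the commit message saying where `@{pci}` is defined would help, since no tunables change for it is part of this diff.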
@ -36,7 +36,7 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach
/opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/@{pci}/class r,
include if exists <local/foo>
}
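Review bot: this fixture is the rendered form of the `&File{...}` entries in the Go test above and must stay in lockstep with it, which the hunk does. One observation on the context line `/opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,`: the `*.so./*` pattern (a literal dot immediately before the slash) looks like a typo for `*.so.*` or `*.so*` that has been carried into both the test and the fixture, and a cosmetic pass is a good moment to check it.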