chore: cosmetic.

This commit is contained in:
Alexandre Pujol 2024-03-16 19:27:45 +00:00
parent c6717d2bab
commit c9b87efebe
Failed to generate hash of commit
5 changed files with 13 additions and 26 deletions

View file

@ -7,15 +7,12 @@
**Full set of AppArmor profiles**
> [!WARNING]
> This project is still in its early development. Help is very
> welcome; see the [documentation website](https://apparmor.pujol.io/) including
> its [development](https://apparmor.pujol.io/development) section.
> This project is still in its early development. Help is very welcome; see the [documentation website](https://apparmor.pujol.io/) including its [development](https://apparmor.pujol.io/development) section.
## Description
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine
most Linux based applications and processes.
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
**Purpose**
@ -40,29 +37,19 @@ most Linux based applications and processes.
- Fully tested (Work in progress)
> This project is originally based on the work from [Morfikov][upstream] and aims
> to extend it to more Linux distributions and desktop environments.
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
## Concepts
*One profile a day keeps the hacker away*
There are over 50000 Linux packages and even more applications. It is simply not
possible to write an AppArmor profile for all of them. Therefore, a question arises:
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:
**What to confine and why?**
We take inspiration from the [Android/ChromeOS Security Model][android_model] and
we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
consider an immutable core base image with a carefully selected set of applications.
Everything else should be sandboxed. Therefore, this project tries to confine all
the *core* applications you will usually find in a Linux system: all systemd services,
xwayland, network, bluetooth, your desktop environment... Non-core user applications
are out of scope as they should be sandboxed using a dedicated tool (minijail,
bubblewrap, toolbox...).
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
This is fundamentally different from how AppArmor is usually used on Linux servers
as it is common to only confine the applications that face the internet and/or the users.
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
**Presentations**

View file

@ -47,7 +47,6 @@
@{open_path} = @{bin}/exo-open @{bin}/xdg-open
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
# Experimental - May be modified/removed without notice
# Coreutils programs that should not have dedicated profile
@{coreutils} = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand

View file

@ -55,7 +55,7 @@ This rule order is taken from AppArmor with minor changes as we tend to:
### The file block
The file block should be sorted as follow:
The file block should be sorted as follows:
| Order | Description | Example | Link |
|:-----:|:-----------:|:-------:|:------:|
@ -75,7 +75,7 @@ The file block should be sorted as follow:
### The dbus block
The dbus block should be sorted as follow:
The dbus block should be sorted as follows:
- The system bus should be sorted *before* the session bus
- The bind rules should be sorted *after* the send & receive rules
@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
peer=(name=org.freedesktop.DBus, label=dbus-session),
```
If there is no predictable label it can be omitted.
@ -106,7 +106,7 @@ If there is no predictable label it can be omitted.
`Sub profile`
: Sub profile should comes at the end of a profile.
: Sub profile should come at the end of a profile.
`Similar purpose`
@ -121,6 +121,7 @@ If there is no predictable label it can be omitted.
* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference)
* [The OpenSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html)
* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html
* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5)
* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/)
* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules)

View file

@ -105,7 +105,7 @@ func TestAppArmorProfile_String(t *testing.T) {
},
&File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: "rm"},
&File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: "rw"},
&File{Path: "@{sys}/devices/pci[0-9]*/**/class", Access: "r"},
&File{Path: "@{sys}/devices/@{pci}/class", Access: "r"},
includeLocal1,
},
},

View file

@ -36,7 +36,7 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach
/opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{sys}/devices/pci[0-9]*/**/class r,
@{sys}/devices/@{pci}/class r,
include if exists <local/foo>
}