chore: cosmetic.

README.md

@@ -7,15 +7,12 @@
 **Full set of AppArmor profiles**
 
 > [!WARNING]
-> This project is still in its early development. Help is very 
+> This project is still in its early development. Help is very welcome; see the [documentation website](https://apparmor.pujol.io/) including its [development](https://apparmor.pujol.io/development) section.
-> welcome; see the [documentation website](https://apparmor.pujol.io/) including
-> its [development](https://apparmor.pujol.io/development) section.
 
 
 ## Description 
 
-**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine
+**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
-most Linux based applications and processes.
 
 **Purpose**
 
@@ -40,29 +37,19 @@ most Linux based applications and processes.
 - Fully tested (Work in progress)
 
 
-> This project is originally based on the work from [Morfikov][upstream] and aims
+> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
-> to extend it to more Linux distributions and desktop environments.
 
 ## Concepts
 
 *One profile a day keeps the hacker away*
 
-There are over 50000 Linux packages and even more applications. It is simply not
+There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:
-possible to write an AppArmor profile for all of them. Therefore, a question arises:
 
 **What to confine and why?**
 
-We take inspiration from the [Android/ChromeOS Security Model][android_model] and
+We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
-we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
-consider an immutable core base image with a carefully selected set of applications.
-Everything else should be sandboxed. Therefore, this project tries to confine all
-the *core* applications you will usually find in a Linux system: all systemd services,
-xwayland, network, bluetooth, your desktop environment... Non-core user applications
-are out of scope as they should be sandboxed using a dedicated tool (minijail,
-bubblewrap, toolbox...).
 
-This is fundamentally different from how AppArmor is usually used on Linux servers
+This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
-as it is common to only confine the applications that face the internet and/or the users.
 
 **Presentations**
 

apparmor.d/tunables/multiarch.d/paths

@@ -47,7 +47,6 @@
 @{open_path}  = @{bin}/exo-open @{bin}/xdg-open
 @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 
-# Experimental - May be modified/removed without notice
 # Coreutils programs that should not have dedicated profile
 @{coreutils}  = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
 @{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand

docs/development/guidelines.md

@@ -55,7 +55,7 @@ This rule order is taken from AppArmor with minor changes as we tend to:
 
 ### The file block
 
-The file block should be sorted as follow:
+The file block should be sorted as follows:
 
 | Order | Description | Example | Link |
 |:-----:|:-----------:|:-------:|:------:|
@@ -75,7 +75,7 @@ The file block should be sorted as follow:
 ### The dbus block
 
 
-The dbus block should be sorted as follow:
+The dbus block should be sorted as follows:
 
 - The system bus should be sorted *before* the session bus
 - The bind rules should be sorted *after* the send & receive rules
@@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.:
 dbus send bus=session path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus
      member={RequestName,ReleaseName}
-     peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+     peer=(name=org.freedesktop.DBus, label=dbus-session),
 ```
 If there is no predictable label it can be omitted.
 
@@ -106,7 +106,7 @@ If there is no predictable label it can be omitted.
 
 `Sub profile`
 
-:   Sub profile should comes at the end of a profile.
+:   Sub profile should come at the end of a profile.
 
 `Similar purpose`
 
@@ -121,6 +121,7 @@ If there is no predictable label it can be omitted.
 
 * [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference)
 * [The OpenSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html)
+* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html
 * [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5)
 * [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/)
 * [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules)

pkg/aa/profile_test.go

@@ -105,7 +105,7 @@ func TestAppArmorProfile_String(t *testing.T) {
 						},
 						&File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: "rm"},
 						&File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: "rw"},
-						&File{Path: "@{sys}/devices/pci[0-9]*/**/class", Access: "r"},
+						&File{Path: "@{sys}/devices/@{pci}/class", Access: "r"},
 						includeLocal1,
 					},
 				},

tests/string.aa

@@ -36,7 +36,7 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach
 
   /opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,
   @{PROC}/@{pid}/task/@{tid}/comm rw,
-  @{sys}/devices/pci[0-9]*/**/class r,
+  @{sys}/devices/@{pci}/class r,
 
   include if exists <local/foo>
 }