doc: minor update.

This commit is contained in:
Alexandre Pujol 2024-02-23 20:14:21 +00:00
parent 4b23bccb47
commit f5084ca150
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
4 changed files with 20 additions and 15 deletions

View File

@ -12,7 +12,9 @@ Default **system**, **session** and **accessibility** bus access are provided wi
## Dbus Abstractions ## Dbus Abstractions
Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read only* like view of it. For more access, use the dbus directive Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed.
For more access, simply use the [`dbus: talk`](#dbus-directive) directive.
## Dbus Directive ## Dbus Directive
@ -20,14 +22,16 @@ We use a special directive to generate (when running `make`) more advanced dbus
**Directive format** **Directive format**
``` ```
# dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE] # dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE] [path=AARE]
``` ```
The directive format is on purpose very similar to apparmor dbus rules. However, there is some restrictions: The directive format is on purpose very similar to apparmor dbus rules. However, there are some restrictions:
- `bus` and `name` are mandatory and will break the build if ignored. - `bus` and `name` are mandatory and will break the build if ignored.
- For the *talk* sub directive, profile name under a `label` is also mandatory - For the *talk* sub directive, profile name under a `label` is also mandatory
- `interface` can optionally be given when it is different to the dbus path. - `interface` can optionally be given when it is different to the dbus path.
- `path` can optionally be given when it is different to the dbus name.
- It is still a comment: the rule must not end with a comma, multiline directive is not supported.
**Example:** **Example:**

View File

@ -152,14 +152,9 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
!!! note "" !!! note ""
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184) [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188)
``` aa linenums="179" ``` aa linenums="179"
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/c24[0-9]:@{int} r,
@{run}/udev/data/c25[0-4]:@{int} r,
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
@{run}/udev/data/c4[0-9]*:@{int} r,
@{run}/udev/data/c5[0-9]*:@{int} r,
``` ```
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt

View File

@ -6,7 +6,8 @@ The default package configuration installs all profiles in *complain* mode. This
!!! warning !!! warning
When reporting issue. Please ensure the profiles are in complain mode - You need to test it in complain mode first and ensure your system boot!
- When reporting issue. Please ensure the profiles are in complain mode
#### :material-arch: Archlinux #### :material-arch: Archlinux

View File

@ -2,6 +2,13 @@
title: AppArmor.d title: AppArmor.d
--- ---
<!-- https://youtu.be/9dqHOrM4KHo?t=146
Business Benefits of an LSM
- Increased IT productivity -> ????
- Regulatory Compliance
- Peace of mind: Protect against unknown threats and "zero-days" attacks -->
**Full set of AppArmor profiles** **Full set of AppArmor profiles**
@ -10,13 +17,11 @@ title: AppArmor.d
This project is still in its early development. Help is very welcome; This project is still in its early development. Help is very welcome;
see [Development](development/index.md) see [Development](development/index.md)
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine **AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
most Linux based applications and processes.
**Purpose** **Purpose**
- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, - Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
- Confine all Desktop environments - Confine all Desktop environments
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` - Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
- Confine some *"special"* user applications: web browser, file browser... - Confine some *"special"* user applications: web browser, file browser...