mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
doc: minor update.
This commit is contained in:
parent
4b23bccb47
commit
f5084ca150
@ -12,7 +12,9 @@ Default **system**, **session** and **accessibility** bus access are provided wi
|
|||||||
|
|
||||||
## Dbus Abstractions
|
## Dbus Abstractions
|
||||||
|
|
||||||
Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read only* like view of it. For more access, use the dbus directive
|
Access to common dbus interface is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed.
|
||||||
|
|
||||||
|
For more access, simply use the [`dbus: talk`](#dbus-directive) directive.
|
||||||
|
|
||||||
## Dbus Directive
|
## Dbus Directive
|
||||||
|
|
||||||
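Review bot: the rewritten abstractions paragraph keeps the grammar problems of the original: "Access to common dbus interface" should be "interfaces", "give full talk access an interface" is missing "to", and "check what method can be safely allowed" reads better as "check which methods can be safely allowed". Since the new sentence sends readers to the interface documentation before they widen access, it would also help to say plainly that the abstraction is meant to stay a read-only view and that the `dbus: talk` directive is the deliberate escalation step, so the two paragraphs contrast the minimal default and the wider grant explicitly.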
@ -20,14 +22,16 @@ We use a special directive to generate (when running `make`) more advanced dbus
|
|||||||
|
|
||||||
**Directive format**
|
**Directive format**
|
||||||
```
|
```
|
||||||
# dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE]
|
# dbus: ( own | talk ) bus=( system | session ) name=AARE [label=AARE] [interface=AARE] [path=AARE]
|
||||||
```
|
```
|
||||||
|
|
||||||
The directive format is on purpose very similar to apparmor dbus rules. However, there is some restrictions:
|
The directive format is on purpose very similar to apparmor dbus rules. However, there are some restrictions:
|
||||||
|
|
||||||
- `bus` and `name` are mandatory and will break the build if ignored.
|
- `bus` and `name` are mandatory and will break the build if ignored.
|
||||||
- For the *talk* sub directive, profile name under a `label` is also mandatory
|
- For the *talk* sub directive, profile name under a `label` is also mandatory
|
||||||
- `interface` can optionally be given when it is different to the dbus path.
|
- `interface` can optionally be given when it is different to the dbus path.
|
||||||
|
- `path` can optionally be given when it is different to the dbus name.
|
||||||
|
- It is still a comment: the rule must not end with a comma, multiline directive is not supported.
|
||||||
|
|
||||||
**Example:**
|
**Example:**
|
||||||
|
|
||||||
|
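Review bot: the new `path` bullet and the existing `interface` bullet describe each other's defaults in a circular way: `interface` is "optionally given when it is different to the dbus path" while `path` is "optionally given when it is different to the dbus name". State the default for each explicitly (what value the generated rule uses for `interface` and for `path` when they are omitted) so a reader can predict the rule that `make` emits; `name` is the only mandatory value in the format, so the doc should say how each default is derived from it. Also "different to" should be "different from" in both bullets, and the last bullet should read "multiline directives are not supported".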
@ -152,14 +152,9 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
|
|||||||
|
|
||||||
!!! note ""
|
!!! note ""
|
||||||
|
|
||||||
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/15e33a1fe6654f67a187cd5157c9968061b9511e/apparmor.d/groups/virt/libvirtd#L179-L184)
|
[apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188)
|
||||||
``` aa linenums="179"
|
``` aa linenums="179"
|
||||||
@{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254
|
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||||
@{run}/udev/data/c24[0-9]:@{int} r,
|
|
||||||
@{run}/udev/data/c25[0-4]:@{int} r,
|
|
||||||
@{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
|
|
||||||
@{run}/udev/data/c4[0-9]*:@{int} r,
|
|
||||||
@{run}/udev/data/c5[0-9]*:@{int} r,
|
|
||||||
```
|
```
|
||||||
|
|
||||||
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||||
|
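Review bot: the code fence keeps `linenums="179"` while the link above it now points at `#L188` of commit b2af7a63, so the rendered line number will not match the linked source; update it to `linenums="188"` (or whichever line holds the rule at that commit). Since the six explicit range rules were collapsed into one rule on `@{dynamic}`, the comment "For dynamic assignment range 234 to 254, 384 to 511" is now the only place a reader learns what the variable covers; a sentence naming where `@{dynamic}` is defined would let them verify the ranges instead of trusting the comment.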
@ -6,7 +6,8 @@ The default package configuration installs all profiles in *complain* mode. This
|
|||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
|
|
||||||
When reporting issue. Please ensure the profiles are in complain mode
|
- You need to test it in complain mode first and ensure your system boot!
|
||||||
|
- When reporting issue. Please ensure the profiles are in complain mode
|
||||||
|
|
||||||
|
|
||||||
#### :material-arch: Archlinux
|
#### :material-arch: Archlinux
|
||||||
|
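Review bot: the second bullet keeps the sentence fragment from the original ("When reporting issue. Please ensure the profiles are in complain mode"); write it as "When reporting an issue, please ensure the profiles are in complain mode." The first bullet should read "ensure your system boots", and since the warning is about not enabling enforce mode before testing, saying what a reader should check in complain mode (for example, that the audit log shows no denials for boot-critical services) would make the bullet actionable rather than only cautionary.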
@ -2,6 +2,13 @@
|
|||||||
title: AppArmor.d
|
title: AppArmor.d
|
||||||
---
|
---
|
||||||
|
|
||||||
|
<!-- https://youtu.be/9dqHOrM4KHo?t=146
|
||||||
|
|
||||||
|
Business Benefits of an LSM
|
||||||
|
|
||||||
|
- Increased IT productivity -> ????
|
||||||
|
- Regulatory Compliance
|
||||||
|
- Peace of mind: Protect against unknown threats and "zero-days" attacks -->
|
||||||
|
|
||||||
**Full set of AppArmor profiles**
|
**Full set of AppArmor profiles**
|
||||||
|
|
||||||
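Review bot: the added HTML comment is a draft note with an unresolved placeholder ("Increased IT productivity -> ????") and a timestamped YouTube link; it is not rendered, but it is now committed to the page source. Either finish it as a real section or move it to an issue, and if it stays, add a one-line note saying what it is for so the next editor does not delete it or publish it by accident.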
@ -10,13 +17,11 @@ title: AppArmor.d
|
|||||||
This project is still in its early development. Help is very welcome;
|
This project is still in its early development. Help is very welcome;
|
||||||
see [Development](development/index.md)
|
see [Development](development/index.md)
|
||||||
|
|
||||||
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine
|
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
|
||||||
most Linux based applications and processes.
|
|
||||||
|
|
||||||
**Purpose**
|
**Purpose**
|
||||||
|
|
||||||
- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`,
|
- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
|
||||||
`polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
|
|
||||||
- Confine all Desktop environments
|
- Confine all Desktop environments
|
||||||
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
|
- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
|
||||||
- Confine some *"special"* user applications: web browser, file browser...
|
- Confine some *"special"* user applications: web browser, file browser...
|
||||||
|
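Review bot: the reflow of the wrapped lines changes no content and is fine; while touching them, "Linux based" should be "Linux-based", "Desktop environments" should be lowercase "desktop environments" to match the other bullets, and the trailing "..." in "web browser, file browser..." is better as a full stop. The "over 1500" profile count is the kind of figure that goes stale; consider noting how it is counted so it can be refreshed.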