doc: general update.

Alexandre Pujol 2024-08-30 20:38:30 +01:00
parent fe32720765
commit fb29e8ba74
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
14 changed files with 350 additions and 223 deletions


@ -27,15 +27,15 @@
- Target both desktops and servers
- Support all distributions that support AppArmor:
* Arch Linux
* Ubuntu 22.04
* Debian 12
* OpenSUSE Tumbleweed
* [Arch Linux](https://apparmor.pujol.io/install#archlinux)
* [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu)
* [Debian 12](https://apparmor.pujol.io/install#debian)
* [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse)
- Support for all major desktop environments:
* Gnome
* KDE
* XFCE *(work in progress)*
- Fully tested (Work in progress)
* Gnome (GDM)
* KDE (SDDM)
* XFCE (Lightdm) *(work in progress)*
- Fully tested *(work in progress)*
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
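Review bot: the XFCE entry spells the display manager `Lightdm` where the upstream name is LightDM, and the distribution entry reads `OpenSUSE Tumbleweed` while the docs index changed in this same commit writes `openSUSE Tumbleweed`; align both spellings. The new `install#archlinux`, `#ubuntu`, `#debian` and `#opensuse` fragments only resolve if the install page exposes anchors with exactly those lower-case names, so check them against the built site before merging.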


@ -26,6 +26,14 @@ Access to common dbus interfaces is done using the abstractions under **[`abstra
For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive.
There is a trade of between security and maintenance to make:
- `aa:dbus talk` will generate less issue as it give full talk access
- `abstractions/bus/*` will provide more restriction, and possibly more issue.
Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call.
## Dbus Directive
We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule.
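Review bot: typos in the added trade-off paragraph: `trade of` should be `trade-off`, and `will generate less issue as it give full talk access` should read `will generate fewer issues as it gives full talk access`. Because this paragraph is what steers contributors between the two options, it would also help to say in the first bullet that full talk access is the less restrictive choice, so the cost of the convenience is stated next to it.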


@ -78,7 +78,7 @@ The file block should be sorted as follows:
The dbus block should be sorted as follows:
- The system bus should be sorted *before* the session bus
- The bind rules should be sorted *after* the send & receive rules
- The bind rules should be sorted *after* send & receive rules
For DBus, try to determine peer's label when possible. E.g.:
```
@ -115,6 +115,23 @@ If there is no predictable label it can be omitted.
/var/lib/dbus/machine-id r,
```
#### :material-numeric-5-circle: Limit the use of `deny`
: The use of `deny` should be limited to the minimum:
- In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control"))
- `deny` rules are enforced even in complain mode,
- If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")).
#### :material-numeric-6-circle: Comments
: Ensure you only have useful comments. E.g.:
```
# Config files for foo
owner @{user_config_dirs}/foo/{,**} r,
```
Does not help, and if generalized it would add a lot of complexity to any profiles.
## Additional recommended documentation
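Review bot: in the new Comments rule, the snippet introduced by `E.g.:` reads as a model to copy until the trailing `Does not help, and if generalized ...` reverses it; introduce it as a counter-example (for instance "Avoid comments such as:") and make that closing line a full sentence. In the `deny` rule, the second bullet ends with a comma while its neighbours do not, and the third bullet (`If it works on your machine does not mean it will work on others`) needs rewording, e.g. "A rule that works on your machine may not work on others".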


@ -70,7 +70,7 @@ If you're looking to contribute to `apparmor.d` you can get started by going to
Here is the bare minimum for the program `foo`:
``` sh
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 You <your@email>
# Copyright (C) 2024 You <your@email>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,


@ -11,29 +11,40 @@ title: Installation
See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`.
**:material-docker: Docker**
=== ":material-arch: Archlinux"
For any system with docker installed you can simply build the package with:
```sh
make package dist=<distribution>
```
Then you can install the package with `dpkg`, `pacman` or `rpm`.
**:material-arch: Arch Linux**
```sh
make pkg
```
**:material-ubuntu: Ubuntu & :material-debian: Debian**
=== ":material-ubuntu: Ubuntu"
```sh
make dpkg
```
**:simple-suse: openSUSE**
=== ":material-debian: Debian"
```sh
make dpkg
```
=== ":simple-suse: openSUSE"
```sh
make rpm
```
=== ":material-docker: Docker"
For any system with docker installed you can simply build the package with:
```sh
make package dist=<distribution>
```
Then you can install the package with `dpkg`, `pacman` or `rpm`.
## Profile flags


@ -9,7 +9,7 @@ Description of common structure found across various AppArmor profiles
Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why.
These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theater.
These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre.
It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule:
```sh
@ -76,20 +76,17 @@ You do not protect these programs. *Protect the usage you have of these programs
[Toolbox]: https://containertoolbx.org/
## Open Resources
## Abstractions
The standard way to allow opening resource in this project is to use one of the
child-open profile. Eg: `@{open_path} rPx -> child-open,`
This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used.
They are available in the [`children`][children] group.
For instance, to allow download directory access, instead of writing:
```sh
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
```
You should write:
```sh
include <abstractions/user-download-strict>
```
* **`child-open`**: Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
* **`child-open-browsers`**: This version of child-open only allow to open browsers.
* **`child-open-help`**: This version of child-open only allow to open browsers and help programs.
* **`child-open-strict`**: This version of child-open only allow to open browsers & folders.
## Children profiles
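Review bot: the Abstractions example presents `include <abstractions/user-download-strict>` as the replacement for `owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,` without saying what the abstraction grants, so a reader cannot tell whether the two are equivalent or whether the `-strict` variant is narrower. Add one sentence on the access it gives, and turn `They should be used.` into a pointer to where the available abstractions are listed.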
@ -104,31 +101,11 @@ Usually, a child profile is in the [`children`][children] group. They have the f
Here is an overview of the current children profile:
1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk.
3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you.
## Browsers
Chromium based browsers share a similar structure. Therefore, they share the same abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content.
This abstraction requires the following variables defined in the profile header:
```sh
@{name} = chromium
@{domain} = org.chromium.Chromium
@{lib_dirs} = @{lib}/chromium
@{config_dirs} = @{user_config_dirs}/chromium
@{cache_dirs} = @{user_cache_dirs}/chromium
```
If your application requires chromium to run (like electron) use [`abstractions/chromium-common`][chromium-common] instead.
[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium
[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common
## Udev rules
See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`.


@ -4,21 +4,25 @@ title: Enforce Mode
The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory.
!!! warning
!!! danger
- Please test in complain mode first and ensure your system boots!
- When reporting an issue, please ensure the affected profiles are in complain mode.
- You **must** test in complain mode first and ensure your system works as expected.
- You **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log) and [report](report.md) issues first.
- When reporting an issue, you **must** ensure the affected profiles are in complain mode.
#### :material-arch: Arch Linux
=== ":material-arch: Archlinux"
In the `PKGBUILD`, replace `make` by `make enforce`:
In `PKGBUILD`, replace `make` by `make enforce`:
```diff
- make DISTRIBUTION=arch
+ make enforce DISTRIBUTION=arch
```
#### :material-ubuntu: Ubuntu & :material-debian: Debian
Then, build the package with: `make pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
@ -27,14 +31,32 @@ override_dh_auto_build:
make enforce
```
#### :simple-suse: openSUSE
Then, build the package with: `make dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
```make
override_dh_auto_build:
make enforce
```
Then, build the package with: `make dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce`
In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce`
```diff
- %make_build
+ %make_build enforce
```
#### Partial install
Then, build the package with: `make rpm`
=== ":material-home: Partial Install"
Use the `make enforce` command to build instead of `make`
[aur]: https://aur.archlinux.org/packages/apparmor.d-git


@ -31,7 +31,7 @@ Particularly:
- In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected.
## Install
## Installation
This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes.
@ -43,15 +43,18 @@ cache-loc /etc/apparmor/earlypolicy/
Optimize=compress-fast
```
**:material-arch: Arch Linux**
=== ":material-arch: Archlinux"
In `PKGBUILD`, replace `make` by `make full`:
```diff
- make
+ make full
```
**:material-ubuntu: Ubuntu & :material-debian: Debian**
Then, build the package with: `make pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
@ -60,20 +63,35 @@ override_dh_auto_build:
make full
```
**:simple-suse: openSUSE**
Then, build the package with: `make dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
```make
override_dh_auto_build:
make full
```
Then, build the package with: `make dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full`
In `dists/apparmor.d.spec`, replace `%make_build` by `make full`
```diff
- %make_build
+ %make_build full
```
**Partial install**
Then, build the package with: `make rpm`
=== ":material-home: Partial Install"
Use the `make full` command to build instead of `make`
## Structure
The profiles dedicated for full system policies are maintained in the **[`_full`][full]** group.
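Review bot: the openSUSE sentence here reads "replace `%make_build` by `make full`" while the snippet below it keeps `+ %make_build full`, the same sentence-versus-snippet mismatch as in the enforce page. Pick one form and use it in both places.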
@ -113,7 +131,7 @@ To work as intended, userland services started by `systemd --user` **should** ha
!!! info
To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`:
To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/structure.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`:
```
@{lib}/foo rPx -> systemd//&foo,
```


@ -2,13 +2,7 @@
title: AppArmor.d
---
<!-- https://youtu.be/9dqHOrM4KHo?t=146
Business Benefits of an LSM
- Increased IT productivity -> ????
- Regulatory Compliance
- Peace of mind: Protect against unknown threats and "zero-days" attacks -->
<style>.md-typeset .md-content__button { display: none; }</style>
**Full set of AppArmor profiles**
@ -34,13 +28,14 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
- Target both desktops and servers
- Support for all distributions that support AppArmor:
* [:material-arch: Arch Linux](install.md#archlinux)
* [:material-ubuntu: Ubuntu 22.04](install.md#ubuntu-debian)
* [:material-debian: Debian 12](install.md#ubuntu-debian)
* [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu)
* [:material-debian: Debian 12](install.md#debian)
* [:simple-suse: openSUSE Tumbleweed](install.md#opensuse)
- Support for all major desktop environments:
- [x] :material-gnome: Gnome
- [ ] :simple-kde: KDE *(work in progress)*
- Fully tested (Work in progress)
- [x] :material-gnome: Gnome (GDM)
- [x] :simple-kde: KDE (SDDM)
- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)*
- Fully tested *(work in progress)*
**Presentations**


@ -2,15 +2,23 @@
title: Installation
---
!!! warning
To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page.
After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).
## Setup
!!! danger
Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature.
Do **not** expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a **feature**.
Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow:
1. [Install](#installation) *apparmor.d* in the (default) complain mode.
1. Configure [apparmor settings](configuration.md#apparmor) as well as your [personal directories](configuration.md#personal-directories).
1. Ensure you have reloaded the profiles in the kernel: `sudo systemctl restart apparmor.service`.
1. Reboot your system.
1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log).
1. [Report](https://apparmor.pujol.io/report/) any raised logs.
1. Use the profiles in complain mode for a while (a week), regularly check for new AppArmor logs.
1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md).
## Requirements
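Review bot: step 6 of the new workflow links to the absolute URL `https://apparmor.pujol.io/report/` while every other step uses a relative page link (`configuration.md#apparmor`, `usage.md#apparmor-log`, `enforce.md`), and the enforce page in this commit already uses `[report](report.md)`. Use `report.md` here too so the link is validated at build time and works in local previews. Also, `as-follow:` in the sentence introducing the list should be `as follows:`.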
@ -22,32 +30,37 @@ An `AppArmor` supported Linux distribution is required. The default profiles and
The following desktop environments are supported:
- [x] :material-gnome: Gnome
- [x] :simple-kde: KDE
- [ ] :simple-xfce: XFCE *(work in progress)*
- [x] :material-gnome: Gnome (GDM)
- [x] :simple-kde: KDE (SDDM)
- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)*
**Build dependency**
* Go >= 1.18
* Go >= 1.21
## :material-arch: Arch Linux
## Installation
=== ":material-arch: Archlinux"
`apparmor.d-git` is available in the [Arch User Repository][aur]:
```
```sh
yay -S apparmor.d-git # or your preferred AUR install method
```
Or without an AUR helper:
```sh
git clone https://aur.archlinux.org/apparmor.d-git.git
cd apparmor.d-git
makepkg -si
```
## :material-ubuntu: Ubuntu & :material-debian: Debian
=== ":material-ubuntu: Ubuntu"
Build the package from sources:
```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
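Review bot: the build dependency is raised to `Go >= 1.21`, yet the Ubuntu instructions still install `golang-go` straight from `apt` and the supported list includes Ubuntu 22.04; only the Debian tab carries a note about taking golang from backports. If the Go packaged for 22.04 is older than 1.21, the Ubuntu tab needs an equivalent note, otherwise the documented build fails at the first step.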
@ -59,13 +72,41 @@ sudo dpkg -i ../apparmor.d_*.deb
!!! tip
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
```
!!! warning
**Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different.
If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`.
=== ":material-debian: Debian"
Build the package from sources:
```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb
```
!!! tip
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
```
!!! note
Debian user may need golang from the backports repository to build:
You may need golang from the backports repository to build:
```sh
echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
sudo apt update
@ -76,19 +117,19 @@ sudo dpkg -i ../apparmor.d_*.deb
**Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different.
If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based.
If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`.
## :simple-suse: openSUSE
=== ":simple-suse: openSUSE"
openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS:
openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS
```sh
zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo
zypper refresh
zypper install apparmor.d
```
## Partial install
=== ":material-home: Partial"
For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.
@ -115,12 +156,30 @@ sudo make profile-names...
So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired.
## Uninstall
## Uninstallation
- :material-arch: Arch Linux `sudo pacman -R apparmor.d`
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
- :simple-suse: openSUSE `sudo zypper remove apparmor.d`
=== ":material-arch: Archlinux"
```sh
sudo pacman -R apparmor.d
```
=== ":material-ubuntu: Ubuntu"
```sh
sudo apt purge apparmor.d
```
=== ":material-debian: Debian"
```sh
sudo apt purge apparmor.d
```
=== ":simple-suse: openSUSE"
```sh
sudo zypper remove apparmor.d
```
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
[repo]: https://repo.pujol.io/
[keys]: https://repo.pujol.io/gpgkey


@ -11,25 +11,39 @@ When creating [an issue on Github][newissue], please post a link to the [paste]
aa-log -R
```
If this command produce nothing, try:
```sh
aa-log -s -R
```
??? question "No logs with `aa-log`?"
If the log file is empty, check that Auditd is running:
```sh
sudo systemctl status auditd.service
```
If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command:
If Auditd is disabled aa-log will not have new results, you can enable Auditd with:
```sh
sudo systemctl enable auditd.service --now
```
You can get more logs with:
If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them):
```sh
aa-log -s -R
```
1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them)
2. `aa-log -R -f <nb>` where `<nb>` is `1`, `2`, `3` and `4` (the rotated audit log file)
??? question "No logs with `aa-log -s`?"
On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled:
```sh
sudo systemctl enable systemd-journald-audit.socket
```
You can get older logs with:
```sh
aa-log -R -f <nb>
```
Where `<nb>` is `1`, `2`, `3` and `4` (the rotated audit log file).
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
[paste]: https://pastebin.com/
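Review bot: the new "No logs with `aa-log -s`?" block enables the socket with `sudo systemctl enable systemd-journald-audit.socket` and no `--now`, unlike the `enable auditd.service --now` line a few lines above, so nothing changes until the unit is started or the machine reboots. Add `--now` or say that a reboot is needed. In the last sentence, "`<nb>` is `1`, `2`, `3` and `4`" should use "or", since `-f` takes one value.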


@ -76,9 +76,9 @@ ps (complain) user ps auxZ
## AppArmor Log
Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way.
Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way.
Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected.
Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).
### Basic use


@ -26,9 +26,10 @@ title: Variables References
| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` |
| Sync | `@{XDG_SYNC_DIR}` | `Sync` |
| Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` |
| Vm | `@{XDG_VM_DIR}` | `.vm`
| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares`
| Vm | `@{XDG_VM_DIR}` | `.vm` |
| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` |
| Disk images | `@{XDG_IMG_DIR}` | `images` |
| Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` |
### Dotfiles
@ -56,7 +57,7 @@ title: Variables References
| Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` |
| Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` |
| State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` |
| Build | `@{user_build_dirs}` | `/tmp/` |
| Build | `@{user_build_dirs}` | `/tmp//build/` |
| Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` |
| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` |
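Review bot: the new Build value reads `/tmp//build/` with a doubled slash, which looks like a dropped path component or a typo rather than an intended path. Confirm it against the tunable that defines `@{user_build_dirs}` and write the documented value exactly as defined there, since readers copy these into their own rules.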
@ -80,9 +81,9 @@ title: Variables References
| Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` |
| Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` |
| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` |
| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
## System variables


@ -43,8 +43,10 @@ theme:
- content.action.edit
- content.code.annotate
- content.code.copy
- content.tabs.link
- content.tooltips
- navigation.indexes
- navigation.instant
- navigation.sections
- navigation.tabs
- navigation.top
@ -118,6 +120,9 @@ markdown_extensions:
format: !!python/name:pymdownx.superfences.fence_code_format
- pymdownx.tabbed:
alternate_style: true
slugify: !!python/object/apply:pymdownx.slugs.slugify
kwds:
case: lower
- pymdownx.tasklist:
custom_checkbox: true
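Review bot: missing documentation on the new `slugify` block under `pymdownx.tabbed`: with lower-case slugs, tab labels such as `Archlinux` and `openSUSE` become URL fragments, and the README changed in this commit links to `install#archlinux` and `install#opensuse`. A YAML comment here stating that tab labels are now link targets would keep a later relabel from silently breaking those links.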
@ -130,13 +135,13 @@ nav:
- install.md
- configuration.md
- usage.md
- report.md
- Advanced:
- variables.md
- enforce.md
- full-system-policy.md
- Troubleshooting:
- issues.md
- report.md
- recovery.md
- Development:
- development/index.md