mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
large set of apparmor rules for various distros
972 Commits 7 Branches 0 Tags 14 MiB
Go 81.3%
Shell 9.7%
Jinja 4%
HCL 2.6%
Makefile 1.9%
Other 0.5%
14ff96a88a
Go to file
Alexandre Pujol 14ff96a88a
doc: most of the readme content have moved.
2023-01-29 22:13:58 +00:00
.github ci: set dev version number in github action. 2023-01-28 19:21:18 +00:00
apparmor.d minor syntax fix (#112) 2023-01-29 10:53:41 +00:00
cmd/aa-log feat(aa-log): better error formating. 2022-10-16 12:11:07 +01:00
debian build(debian): ensure some profile from upstream are not enabled. 2023-01-27 22:25:28 +00:00
dists complain 2023-01-28 15:25:01 +00:00
docs docs: initial documentation website. 2023-01-29 21:18:22 +00:00
root feat(aa-log): update shell completion. 2022-10-15 17:29:49 +01:00
systemd feat(systemd): Set profile name for ibus gnome service. 2022-10-15 23:16:30 +01:00
tests test(aa-log): cleanup dummy journalctl. 2022-10-16 12:47:00 +01:00
.gitignore chore: update gitignore. 2022-10-19 13:29:06 +01:00
.gitlab-ci.yml docs: initial documentation website. 2023-01-29 21:18:22 +00:00
.golangci.yaml ci: ignore SA1019 to support compatibility with Debian. 2022-08-20 14:35:28 +01:00
configure fix: I am stupid. 2023-01-28 19:11:50 +00:00
CONTRIBUTING.md docs: update profile guidelines. 2022-11-05 17:29:07 +00:00
go.mod Move go code to a more common directory. 2021-11-23 20:20:06 +00:00
LICENSE Cleanup license file. 2021-04-01 14:47:01 +01:00
Makefile feat: rewrite the local installation method. 2023-01-28 22:29:33 +00:00
mkdocs.yml doc: most of the readme content have moved. 2023-01-29 22:13:58 +00:00
PKGBUILD build: move build logic in the Makefile. 2022-10-15 23:11:31 +01:00
README.md doc: most of the readme content have moved. 2023-01-29 22:13:58 +00:00
requirements.txt docs: initial documentation website. 2023-01-29 21:18:22 +00:00

README.md

apparmor.d

Full set of AppArmor profiles

Warning

: This project is still in its early development. Help is very welcome see the documentation website including its development section.

Description

AppArmor.d is a set of over 1400 AppArmor profiles which aims is to confine most of Linux base applications and processes.

Purpose

  • Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord.
  • Confine all Desktop environments
  • Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
  • Confine some "special" user applications: web browser, file browser...
  • Should not break a normal usage of the confined software
  • Fully tested (Work in progress)

Goals

  • Target both desktop and server
  • Support all distributions that support AppArmor:
    • Currently:
      • Archlinux
      • Ubuntu 22.04
      • Debian 11
    • Not (yet) tested on openSUSE
  • Support all major desktop environments:
    • Currently only Gnome

This project is originaly based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environements.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model and we apply it to the Linux world. Modern Linux security distribution usually consider an immutable core base image with a carefully set of selected applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux server as it is common to only confine the applications that face the internet and/or the users.

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read the https://apparmor.pujol.io/development for more details on the contribution process.

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).