mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 16:03:51 +01:00
132 lines
7.0 KiB
Markdown
132 lines
7.0 KiB
Markdown
---
|
|
title: Guidelines
|
|
---
|
|
|
|
## Common structure
|
|
|
|
AppArmor profiles can be written without any specific guidelines. However,
|
|
when you work with over 1400 profiles, you need a common structure among all the
|
|
profiles.
|
|
|
|
The logic behind it is that if a rule is present in a profile, it should only be
|
|
in one place, making profile review easier.
|
|
|
|
For example, if a program needs to run executables binary. The rules allowing it
|
|
can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It
|
|
is therefore easy to ensure some profile features such as:
|
|
|
|
* A profile has access to a given resource
|
|
* A profile enforces a strict [write xor execute] (W^X) policy.
|
|
|
|
It also improves compatibilities and makes personalization easier thanks to the
|
|
use of more variables.
|
|
|
|
## Guidelines
|
|
|
|
!!! note
|
|
|
|
This profile guideline is still evolving, feel free to propose improvements
|
|
as long as they do not vary too much from the existing rules.
|
|
|
|
In order to ensure a common structure across the profiles, all new profile **must**
|
|
follow the guidelines presented here.
|
|
|
|
The rules in the profile should be sorted in the rule ***block*** as follows:
|
|
|
|
| Order | Name | Example |
|
|
|:-----:|:----:|:-------:|
|
|
| **1** | [`include`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#include-statements) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+include+%3Cabstractions%2F&type=code) |
|
|
| **2** | [`set rlimit`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#rlimit-rules) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+set+rlimit&type=code) |
|
|
| **3** | [`capability`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#capability-rules) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+capability&type=code) |
|
|
| **4** | [`network`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#network-rules) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22network+%22&type=code) |
|
|
| **5** | [`mount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#mount-rules-apparmor-28-and-later) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22++mount+%22&type=code) |
|
|
| **6** | [`remount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#remount) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+remount&type=code) |
|
|
| **7** | [`umount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#umount)| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22umount+%22&type=code) |
|
|
| **8** | [`pivot_root`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#pivot_root)| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+pivot_root&type=code) |
|
|
| **9** | [`change_profile`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#change_profile)| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+change_profile+&type=code) |
|
|
| **10** | [`signal`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#signals)| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22signal+%22&type=code) |
|
|
| **11** | `ptrace`| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22ptrace+%22&type=code) |
|
|
| **12** | `unix`| [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+%22unix+%22&type=code) |
|
|
| **13** | [`dbus`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#dbus-rules) | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+dbus&type=code) |
|
|
| **14** | [`file`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-access-rules) | [:octicons-link-external-24:]() |
|
|
| **15** | local include | [:octicons-link-external-24:](https://github.com/search?q=repo%3Aroddhjav%2Fapparmor.d+NOT+path%3A*.md+include+if+exists+%3Clocal&type=code) |
|
|
|
|
|
|
This rule order is taken from AppArmor with minor changes as we tend to:
|
|
|
|
- Divide the file block in multiple subcategories
|
|
- Put the block with the longer rules (`files`, `dbus`) after the other blocks
|
|
|
|
### The file block
|
|
|
|
The file block should be sorted as follow:
|
|
|
|
| Order | Description | Example |
|
|
|:-----:|:-----------:|:-------:|
|
|
| **1** | The entry point of the profile | `@{exec_path} mr,` |
|
|
| **2** | The binaries and library required | `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`. It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. |
|
|
| **3** | The shared resources | `/usr/share` |
|
|
| **4** | The system configuration | `/etc` |
|
|
| **5** | The system data | `/`, `/var`, `/boot` |
|
|
| **6** | The user data | `owner @{HOME}/` |
|
|
| **7** | The user configuration, cache and dotfiles | `@{user_cache_dirs}`, `@{user_config_dirs}`, `@{user_share_dirs}` |
|
|
| **8** | Temporary and runtime data | `/tmp/`, `@{run}/`, `/dev/shm/` |
|
|
| **9** | Sys files | `@{sys}/` |
|
|
| **10** | Proc files | `@{PROC}/` |
|
|
| **11** | Dev files | `/dev/` |
|
|
| **12** | Deny rules | `deny` |
|
|
|
|
### The dbus block
|
|
|
|
|
|
The dbus block should be sorted as follow:
|
|
|
|
- The system bus should be sorted *before* the session bus
|
|
- The bind rules should be sorted *after* the send & receive rules
|
|
|
|
For DBus, try to determine peer's label when possible. E.g.:
|
|
```
|
|
dbus send bus=session path=/org/freedesktop/DBus
|
|
interface=org.freedesktop.DBus
|
|
member={RequestName,ReleaseName}
|
|
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
|
```
|
|
If there is no predictable label it can be omitted.
|
|
|
|
### Profile rules
|
|
|
|
`bin, sbin & lib`
|
|
|
|
: - Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`
|
|
- Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`.
|
|
|
|
`Variables`
|
|
|
|
: Always use the apparmor variables.
|
|
|
|
`Sort`
|
|
|
|
: In a rule block, the rules must be alphabetically sorted.
|
|
|
|
`Sub profile`
|
|
|
|
: Sub profile should comes at the end of a profile.
|
|
|
|
`Similar purpose`
|
|
|
|
: When some rules share similar purpose, they may be sorted together. Eg:
|
|
```
|
|
/etc/machine-id r,
|
|
/var/lib/dbus/machine-id r,
|
|
```
|
|
|
|
|
|
## Additional recommended documentation
|
|
|
|
* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference)
|
|
* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5)
|
|
* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/)
|
|
* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules)
|
|
|
|
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX
|