3721d12a5d
* Create abstraction for lxqt desktop group
first file for the LXQT 2.0 desktop group
* Update lxqt
* xdg-desktop abstraction added
* removing tabs
* Create startlxqt
starter file for LXQT Desktop
* Create startlxqt
* fixing startlxqt
I use sddm as display manager
I cant remove the other file - only use graphical env., sorry
After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop
* Delete apparmor.d/profiles-s-z/startlxqt
* indented by 2 spaces (like other entries)
* Update sddm
Enable sddm to start an lxqt desktop session
* Create lxqt-session
lxqt-session to be started by startlxqt. Display manager: sddm
* Update lxqt-session
* Update lxqt-session
* removed trailing whitespace
* Update kscreen_backend_launcher to support lxqt desktop
is needed for several complaints:
DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r
DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r
DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r
DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r
* Update lxqt-session
* Create lxqt-panel
* Update lxqt-panel
* Update lxqt-panel
* Update lxqt-panel
* fix conflicting x
* Update lxqt-panel
add child-open
* remove include <abstractions/app-launcher-user>
you think its too permissive to have app-launcher-user here, right?
* Update lxqt-panel
add needed programs
* Update lxqt-panel
turning back to layout of corresponding xfce file.
* Create lxqt-globalkeysd
* Create lxqt-about
* Create lxqt-leave
* Create lxqt-runner
* Update lxqt-leave
* Update lxqt-runner
* Update lxqt-globalkeysd
* remove video in lxqt-about
* Update lxqt-about
* Update lxqt-runner
* remove abstr. in lxqt-globalkeysd
* remove abstr. in lxqt-runner
* remove abstr. in lxqt-leave
* Create lxqt-config-notificationd
* Create lxqt-config-locale
* Create lxqt-config-printer
* Create lxqt-config-file-associations
* Create lxqt-config-powermanagement
* enable wayland-session for lxqt 2.1
startlxqtwayland for starting the session, support for labwc and kwin_wayland
* Update lxqt-config-printer
* Update lxqt-config-powermanagement
* Update sddm
* Update sddm
* adapt pci-rules
ok, havent seen this profile yet. I will change that in lxqt-powermanagement as well and check the other profiles
* Update lxqt-config-powermanagement
* Update lxqt-config-powermanagement
* Update lxqt-config-powermanagement
* Update lxqt-config-powermanagement
|
||
|---|---|---|
| .github | ||
| apparmor.d | ||
| cmd | ||
| debian | ||
| dists | ||
| docs | ||
| pkg | ||
| share | ||
| systemd | ||
| tests | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .golangci.yaml | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| Makefile | ||
| mkdocs.yml | ||
| PKGBUILD | ||
| README.md | ||
| requirements.txt | ||
apparmor.d
Full set of AppArmor profiles
Warning
This project is still in its early development. Help is very welcome; see the documentation website including its development section.
Description
AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
Purpose
- Confine all root processes such as all
systemdtools,bluetooth,dbus,polkit,NetworkManager,OpenVPN,GDM,rtkit,colord - Confine all Desktop environments
- Confine all user services such as
Pipewire,Gvfsd,dbus,xdg,xwayland - Confine some "special" user applications: web browsers, file managers, etc
- Should not break a normal usage of the confined software
Goals
- Target both desktops and servers
- Support all distributions that support AppArmor:
- Support for all major desktop environments:
- Gnome (GDM)
- KDE (SDDM)
- XFCE (Lightdm) (work in progress)
- Fully tested (work in progress)
This project is originally based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environments.
Concepts
One profile a day keeps the hacker away
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:
What to confine and why?
We take inspiration from the Android/ChromeOS Security Model, and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
Presentations
Building the largest set of AppArmor profiles:
Installation
Please see apparmor.pujol.io/install
Configuration
Please see apparmor.pujol.io/configuration
Usage
Please see apparmor.pujol.io/usage
Contribution
Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.
Development chat available on https://matrix.to/#/#apparmor.d:matrix.org
License
This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).