large set of apparmor rules for various distros
Go to file
curiosityseeker 7b018a60bd
Update pacman (#193)
* Update pacman

`@{exec_path} mr,` is causing the following errors:

```
ALLOWED pacman exec owner /usr/bin/pacman -> pacman//null-/usr/bin/pacman comm=bash requested_mask=x denied_mask=x
ALLOWED pacman//null-/usr/bin/pacman file_inherit owner /dev/pts/4 comm=pacman requested_mask=wr denied_mask=wr
ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/bin/pacman comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman file_mmap owner /usr/lib/ld-linux-x86-64.so.2 comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.preload comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /etc/ld.so.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman open owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r
ALLOWED pacman//null-/usr/bin/pacman getattr owner /usr/lib/libalpm.so.13.0.2 comm=pacman requested_mask=r denied_mask=r

etc.
```
`@{exec_path} mrix,`  fixes it. 

Commits for new profiles for `checkrebuild` and `pkgfile`  will follow.

* Fix pacman update

* Update apparmor.d/groups/pacman/pacman

Co-authored-by: Alex <roddhjav@users.noreply.github.com>

---------

Co-authored-by: Alex <roddhjav@users.noreply.github.com>
2023-08-17 18:49:56 +00:00
.github ci(github): update deps & show more aa logs. 2023-03-03 12:13:57 +00:00
apparmor.d Update pacman (#193) 2023-08-17 18:49:56 +00:00
cmd fix: go test. 2023-08-17 19:15:21 +01:00
debian build: drop lsb-release build deps. 2023-04-19 18:57:31 +01:00
dists fix: ensure some required flags are set. 2023-08-17 18:45:41 +01:00
docs Fix xdg user dirs (#186) 2023-08-17 18:28:10 +00:00
pkg feat(aa-log): resolve all main apparmor vars in log. 2023-08-17 19:12:02 +01:00
root/usr/share feat: do not set autostart or read access to log by default 2023-07-23 16:37:09 +01:00
systemd feat(systemd): Set profile name for ibus gnome service. 2022-10-15 23:16:30 +01:00
tests feat(aa-log): show target in log, show access as owner too. 2023-07-20 23:45:14 +01:00
.gitignore chore: update gitignore. 2023-04-16 22:54:14 +01:00
.gitlab-ci.yml ci: ensure tests pkg are not run in parallel. 2023-06-18 11:40:32 +01:00
.golangci.yaml chore: fix go linter 2023-05-06 13:29:55 +01:00
go.mod feat(prebuild): make prebuild available as an external package. 2023-05-06 13:01:07 +01:00
go.sum feat(prebuild): make prebuild available as an external package. 2023-05-06 13:01:07 +01:00
LICENSE Cleanup license file. 2021-04-01 14:47:01 +01:00
Makefile ci: ensure tests pkg are not run in parallel. 2023-06-18 11:40:32 +01:00
mkdocs.yml docs: add integration initial page. 2023-04-16 22:38:20 +01:00
PKGBUILD build: ensure arch based build always works. 2023-07-08 22:59:54 +01:00
README.md feat: support for debian 12, drop support for debian 11. 2023-06-18 11:44:56 +01:00
requirements.txt docs: initial documentation website. 2023-01-29 21:18:22 +00:00

apparmor.d

Full set of AppArmor profiles

Warning

: This project is still in its early development. Help is very welcome; see the documentation website including its development section.

Description

AppArmor.d is a set of over 1400 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose

  • Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
  • Confine all Desktop environments
  • Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
  • Confine some "special" user applications: web browser, file browser...
  • Should not break a normal usage of the confined software

Goals

  • Target both desktops and servers
  • Support all distributions that support AppArmor:
    • Archlinux
    • Ubuntu 22.04
    • Debian 12
    • OpenSUSE Tumbleweed
  • Support all major desktop environments:
    • Currently only Gnome
  • Fully tested (Work in progress)

This project is originaly based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environements.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

Presentation

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).