large set of apparmor rules for various distros
Find a file
2024-10-03 11:47:58 +01:00
.github ci: reenable build on ubuntu. 2024-05-08 20:47:45 +01:00
apparmor.d feat(profile): rewrite all xdg script profiles. 2024-10-03 11:47:58 +01:00
cmd build: set default ABI to abi4. 2024-10-02 16:44:15 +01:00
debian chore: small fixes and cosmetic. 2024-06-04 20:01:05 +01:00
dists feat(profile): update all profile to abi 4.0 by default. 2024-10-02 14:04:08 +01:00
docs build: reorganise build: abi4, fallback, prebuild cli 2024-10-02 16:22:46 +01:00
pkg fix(aa-log): ensure we also split quote in log value 2024-10-02 21:06:45 +01:00
root/usr/share doc: add man page for aa-log. 2024-09-25 23:17:44 +01:00
systemd fix: do not force early load of userdbd as it can cause issues. 2024-03-21 23:22:08 +00:00
tests fix(aa-log): ensure we also split quote in log value 2024-10-02 21:06:45 +01:00
.gitignore chore: update gitignore. 2024-04-02 13:44:27 +01:00
.gitlab-ci.yml ci: set token for git-committers 2024-09-26 20:20:20 +01:00
.golangci.yaml chore: improve linter settings & better packer VM build. 2023-09-29 20:55:24 +01:00
go.mod fix: keep go 1.21. 2024-04-28 00:39:24 +01:00
go.sum chore: update go sum. 2024-04-28 00:37:07 +01:00
LICENSE Cleanup license file. 2021-04-01 14:47:01 +01:00
Makefile fix(build): fix path in make dev. 2024-10-02 21:25:01 +01:00
mkdocs.yml docs: add development workflow. 2024-10-02 01:08:06 +01:00
PKGBUILD build: ensure arch based build always works. 2023-07-08 22:59:54 +01:00
README.md doc: general update. 2024-08-30 20:38:30 +01:00
requirements.txt doc: add git-committers extension. 2024-09-25 22:33:32 +01:00

apparmor.d

Full set of AppArmor profiles

Warning

This project is still in its early development. Help is very welcome; see the documentation website including its development section.

Description

AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose

  • Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
  • Confine all Desktop environments
  • Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
  • Confine some "special" user applications: web browsers, file managers, etc
  • Should not break a normal usage of the confined software

Goals

This project is originally based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environments.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model, and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

Presentations

Building the largest set of AppArmor profiles:

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.

Development chat available on https://matrix.to/#/#apparmor.d:matrix.org

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).