mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00

large set of apparmor rules for various distros

apparmor apparmor-profile apparmor-profiles hardening linux mandatory-access-control security

Go to file

Alexandre Pujol 89abbae6bd Merge branch 'feat/aa' Improve go apparmor lib. * aa: (62 commits) feat(aa): handle appending value to defined variables. chore(aa): cosmetic. fix: userspace prebuild test. chore: cleanup unit test. feat(aa): improve log conversion. feat(aa): move conversion function to its own file & add unit tests. fix: go linter issue & not defined variables. tests(aa): improve aa unit tests. tests(aa): improve rules unit tests. feat(aa): ensure the prebuild jobs are working. feat(aa): add more unit tests. chore(aa): cleanup. feat(aa): Move sort, merge and format methods to the rules interface. feat(aa): add the hat template. feat(aa): add the Kind struct to manage aa rules. feat(aa): cleanup rules methods. feat(aa): add function to resolve include preamble. feat(aa): updaqte mount flags order. feat(aa): update default tunable selection. feat(aa): parse apparmor preamble files. ...		2024-05-30 19:29:34 +01:00
.github	ci: reenable build on ubuntu.	2024-05-08 20:47:45 +01:00
apparmor.d	Merge branch 'feat/aa'	2024-05-30 19:29:34 +01:00
cmd	chore: update go mod deps.	2024-04-28 00:04:42 +01:00
debian	Remove temp	2024-04-28 16:19:01 +02:00
dists	feat(profile): update steam profiles.	2024-05-18 15:02:20 +01:00
docs	doc: update supported DE.	2024-04-28 17:47:07 +01:00
pkg	Merge branch 'feat/aa'	2024-05-30 19:29:34 +01:00
root/usr/share	chore(aa-log): update shell completion.	2023-10-10 20:44:50 +01:00
systemd	fix: do not force early load of userdbd as it can cause issues.	2024-03-21 23:22:08 +00:00
tests	Merge branch 'feat/aa'	2024-05-30 19:29:34 +01:00
.gitignore	chore: update gitignore.	2024-04-02 13:44:27 +01:00
.gitlab-ci.yml	ci: reenable build on ubuntu.	2024-05-08 20:47:45 +01:00
.golangci.yaml	chore: improve linter settings & better packer VM build.	2023-09-29 20:55:24 +01:00
go.mod	fix: keep go 1.21.	2024-04-28 00:39:24 +01:00
go.sum	chore: update go sum.	2024-04-28 00:37:07 +01:00
LICENSE	Cleanup license file.	2021-04-01 14:47:01 +01:00
Makefile	tests: fix pkg outpout directory.	2024-03-17 23:20:05 +00:00
mkdocs.yml	doc: add the abstactions page.	2024-03-24 15:21:31 +00:00
PKGBUILD	build: ensure arch based build always works.	2023-07-08 22:59:54 +01:00
README.md	doc: update supported DE.	2024-04-28 17:47:07 +01:00
requirements.txt	doc: minify the doc website.	2023-10-09 22:07:45 +01:00

README.md

apparmor.d

Full set of AppArmor profiles

Warning

This project is still in its early development. Help is very welcome; see the documentation website including its development section.

Description

AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose

Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
Confine all Desktop environments
Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
Confine some "special" user applications: web browser, file browser...
Should not break a normal usage of the confined software

Goals

Target both desktops and servers
Support all distributions that support AppArmor:
- Archlinux
- Ubuntu 22.04
- Debian 12
- OpenSUSE Tumbleweed
Support major desktop environments:
- Gnome
- KDE
- XFCE (work in progress)
Fully tested (Work in progress)

This project is originally based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environments.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model, and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

Presentations

Building large set of AppArmor profiles:

Linux Security Summit North America (LSS-NA 2023) (Slide, Video)
Ubuntu Summit 2023 (Slide, Video)

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.

Development chat available on https://matrix.to/#/#apparmor.d:matrix.org

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).