mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00

large set of apparmor rules for various distros

apparmor apparmor-profile apparmor-profiles hardening linux mandatory-access-control security

Find a file

curiosityseeker 98e59e9336 Akonadi and plasmashell updates (#163 ) * Update plasmashell * Update akonadi_akonotes_resource * Update akonadi_archivemail_agent * Update akonadi_birthdays_resource * Update akonadi_contacts_resource * Update akonadi_control * Update akonadi_followupreminder_agent * Update akonadi_ical_resource * Update akonadi_indexing_agent * Update akonadi_maildir_resource * Update akonadi_maildispatcher_agent * Update akonadi_mailfilter_agent * Update akonadi_mailmerge_agent * Update akonadi_migration_agent * Update akonadi_newmailnotifier_agent * Update akonadi_sendlater_agent * Update akonadi_unifiedmailbox_agent * Revert change * Revert change * Revert change * Revert change * Revert change and add dri-enumerate abstraction * Revert change * Revert change and add dri-enumerate abstraction * Revert change * Revert change * Revert change * Revert change * Revert change and add dri-enumerate abstraction * Revert change * Revert change * Revert change * Revert change * Removing /usr/share/icons/{,*} again Adding the audio abstraction * Adding the consoles abstraction * plasmashell: adding back /dev/shm/ r, and /dev/ptmx rw, * akonadi_mailfilter_agent: removing the user-tmp abstraction I haven't been able to observe new related requests. --------- Co-authored-by: Alex <roddhjav@users.noreply.github.com>		2023-06-14 21:46:34 +00:00
.github	ci(github): update deps & show more aa logs.	2023-03-03 12:13:57 +00:00
apparmor.d	Akonadi and plasmashell updates (#163 )	2023-06-14 21:46:34 +00:00
cmd	test(integration): initial version of integration tests manager	2023-05-06 13:23:16 +01:00
debian	build: drop lsb-release build deps.	2023-04-19 18:57:31 +01:00
dists	fix: ensure mount has the disconnected flag.	2023-06-14 22:31:00 +01:00
docs	doc: add link to the presentation in LSS-NA.	2023-06-13 17:11:30 +01:00
pkg	chore: fix go linter	2023-05-06 13:29:55 +01:00
root	feat(aa-log): update shell completion.	2023-04-19 19:02:42 +01:00
systemd	feat(systemd): Set profile name for ibus gnome service.	2022-10-15 23:16:30 +01:00
tests	tests: simplify test makefile.	2023-04-30 16:27:34 +01:00
.gitignore	chore: update gitignore.	2023-04-16 22:54:14 +01:00
.gitlab-ci.yml	doc: ensure page creation date is correct.	2023-05-07 21:23:01 +01:00
.golangci.yaml	chore: fix go linter	2023-05-06 13:29:55 +01:00
go.mod	feat(prebuild): make prebuild available as an external package.	2023-05-06 13:01:07 +01:00
go.sum	feat(prebuild): make prebuild available as an external package.	2023-05-06 13:01:07 +01:00
LICENSE	Cleanup license file.	2021-04-01 14:47:01 +01:00
Makefile	build: do not requite git to build.	2023-04-30 20:23:08 +01:00
mkdocs.yml	docs: add integration initial page.	2023-04-16 22:38:20 +01:00
PKGBUILD	build: minor improvment.	2023-04-19 18:58:50 +01:00
README.md	doc: add link to the presentation in LSS-NA.	2023-06-13 17:11:30 +01:00
requirements.txt	docs: initial documentation website.	2023-01-29 21:18:22 +00:00

README.md

apparmor.d

Full set of AppArmor profiles

Warning

welcome; see the documentation website including its development section.

Description

AppArmor.d is a set of over 1400 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose

Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
Confine all Desktop environments
Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
Confine some "special" user applications: web browser, file browser...
Should not break a normal usage of the confined software

Goals

Target both desktops and servers
Support all distributions that support AppArmor:
- Archlinux
- Ubuntu 22.04
- Debian 11
- OpenSUSE Tumbleweed
Support all major desktop environments:
- Currently only Gnome
Fully tested (Work in progress)

This project is originaly based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environements.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

Presentation

Building the largest working set of AppArmor profiles Linux Security Summit North America (LSS-NA 2023) (Slide)

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).