large set of apparmor rules for various distros
Go to file
2021-06-29 20:04:51 +01:00
apparmor.d Add the systemd-tty-ask-password-agent profile. 2021-06-29 20:04:51 +01:00
debian Dev temporary version scheme. 2021-05-09 00:39:00 +01:00
root Better aa-log completion. 2021-04-29 20:58:03 +01:00
systemd Ensure some systemd services do not start before apparmor rules are loaded. 2021-04-02 10:34:59 +01:00
.gitignore Better install params. 2021-05-01 14:27:14 +01:00
.gitlab-ci.yml Fix CI build. 2021-04-03 23:51:57 +01:00
configure Rewrite the configure process. 2021-05-16 21:15:34 +01:00
LICENSE Cleanup license file. 2021-04-01 14:47:01 +01:00
PKGBUILD Dev temporary version scheme. 2021-05-09 00:39:00 +01:00
profiles.flags Rewrite the configure process. 2021-05-16 21:15:34 +01:00
profiles.ignore Ignore apps profile. As they purposelly are out of scope. 2021-05-16 21:26:33 +01:00
README.md Better goals description. 2021-05-09 15:08:26 +01:00

apparmor.d

Full set of AppArmor profiles

Warning: This project is still in early development.

Description

A set of over 800 AppArmor profiles which aims is to confine most of Linux base applications and processes.

Goals & Purpose

  • Support all distribution that support AppArmor (currenlty Archlinux and Debian),
  • Target both desktop and server,
  • Confine all root processes (bluetooth, dbus, polkit, networkmanager, systemd...),
  • Confine all Desktop environments (currently only Gnome),
  • Should not break a normal usage of the confined software.
  • Fully tested (Work in progress),

Note: This work is part of a bigger linux security project.

This project is based on the excellent work from Morfikov and aims to extend it to more Linux distributions and desktop environements.

Concepts

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore a question arises: What to confine and why?

We take inspiration from the Android/ChromeOS Security Model and we apply it to the Linux world. Modern linux security implementation usually consider a core base image with a carefully set of selected applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap...).

This is fundamentally different from how AppArmor is used on Linux server as it is common to only confine the applications that face the internet and/or the users.

Tests

A full test suite to ensure compatibility across distributions and softwares is still a work in progress.

Installation

Requirements

  • An apparmor based linux distribution.
  • A systemd based linux distribution.
  • Base profiles and abstractions shipped with AppArmor are supposed to be installed.

Archlinux

Build and install the package with:

makepkg -si

Debian

Build using standard Debian package build tools:

dpkg-buildpackage -b -d -us -ui --sign-key=<gpg-id>

Contribution

Feedbacks, contributors, pull requests, are all very welcome.

License

This program is based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).

Copyright (C)  Alexandre PUJOL & Mikhail Morfikov

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.