From 033354314f0e98b9f9e00ce240a634b42d731b9c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:54:02 +0200 Subject: [PATCH] doc: minor documentation update. --- docs/configuration.md | 2 +- docs/development/roadmap.md | 8 ++++---- docs/development/vm.md | 31 +++++++++++++++++++++++-------- docs/full-system-policy.md | 10 ++++++++++ 4 files changed, 38 insertions(+), 13 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index fd8a5d38c..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 75cbcdd10..b42467e3d 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [ ] The apt/dpkg profiles needs to be reworked + - [x] The apt/dpkg profiles needs to be reworked - [ ] Build system - [ ] Continuous release on the main branch, ~2 releases per week - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - - [ ] Add a `just` target to install the profiles in the right place + - [x] Add a `just` target to install the profiles in the right place - [ ] Fully drop the Makefile in favor of `just` ## Next features @@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - [ ] Add a prompt listener to handle the user data access. -- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** +- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [ ] Remove the `default` profile + - [x] Remove the `default` profile ## Done diff --git a/docs/development/vm.md b/docs/development/vm.md index 66630022e..1edddba76 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -14,22 +14,42 @@ $ just ``` Available recipes: help # Show this help message + clean # Remove all build artifacts + + [build] build # Build the go programs enforce # Prebuild the profiles in enforced mode complain # Prebuild the profiles in complain mode fsp # Prebuild the profiles in FSP mode - install # Install the profiles + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] pkg # Build & install apparmor.d on Arch based systems dpkg # Build & install apparmor.d on Debian based systems rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] tests # Run the unit tests + init dist flavor # Install dependencies for the bats integration tests + integration dist flavor # Run the integration tests on the machine + + [linter] lint # Run the linters check # Run style checks on the profiles + + [docs] man # Generate the man pages docs # Build the documentation serve # Serve the documentation - clean # Remove all build artifacts - package dist # Build the package in a clean OCI container + + [vm] img dist flavor # Build the VM image create dist flavor # Create the machine up dist flavor # Start a machine @@ -40,13 +60,8 @@ Available recipes: list # List the machines images # List the VM images available # List the VM images that can be created - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine - get_ip dist flavor - get_osinfo dist See https://apparmor.pujol.io/development/ for more information. - ``` ## Requirements diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 016ed8ada..b523a1c38 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: