doc: minor documentation update.

Alexandre Pujol 2025-07-19 17:54:02 +02:00
parent f183ae709f
commit 033354314f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 38 additions and 13 deletions

@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a
**Example**
By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`:
By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`:
1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it:
```sh
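Review bot: The rewritten sentence in this hunk still reads "Thus, your cannot browse system files", so the spelling pass changed "behaviour" to "behavior" but left "your" for "you" on the same line. Suggest "Thus, you cannot browse system files such as `/etc/`, `/srv/`, `/var/`."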

@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable
- [ ] **General improvements**
- [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235)
- [ ] The apt/dpkg profiles needs to be reworked
- [x] The apt/dpkg profiles needs to be reworked
- [ ] Build system
- [ ] Continuous release on the main branch, ~2 releases per week
- [ ] Provide packages repo for ubuntu/debian
- [ ] Provide complain/enforced packages version
- [ ] Add a `just` target to install the profiles in the right place
- [x] Add a `just` target to install the profiles in the right place
- [ ] Fully drop the Makefile in favor of `just`
## Next features
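Review bot: The two entries ticked here ("The apt/dpkg profiles needs to be reworked" and "Add a `just` target to install the profiles in the right place") stay in the list introduced as features that "must be implemented", while the same file has a separate `## Done` section further down. Either move completed entries there or say that ticked items remain listed until the release is cut. The first entry also has a subject-verb mismatch: "profiles needs" should be "profiles need".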
@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable
- [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone.
- [ ] Add a prompt listener to handle the user data access.
- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)**
- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)**
- [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing
- [ ] Remove the `default` profile
- [x] Remove the `default` profile
## Done
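Review bot: "Full System Policy" is now marked `[x]` while "Debug tool to show the profiles transition tree, and ensure no profile is missing", directly below it, stays `[ ]`. If that entry is a sub-task of the FSP item, the parent should stay open until it lands, since the tool is what confirms that no profile is missing; if it is independent, separate it visually so the ticked parent does not read as covering it.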

@ -14,22 +14,42 @@ $ just
```
Available recipes:
help # Show this help message
clean # Remove all build artifacts
[build]
build # Build the go programs
enforce # Prebuild the profiles in enforced mode
complain # Prebuild the profiles in complain mode
fsp # Prebuild the profiles in FSP mode
install # Install the profiles
fsp-complain # Prebuild the profiles in FSP mode (complain)
fsp-debug # Prebuild the profiles in FSP mode (debug)
[install]
install # Install prebuild profiles
local +names # Locally install prebuild profiles
dev name # Prebuild, install, and load a dev profile
[packages]
pkg # Build & install apparmor.d on Arch based systems
dpkg # Build & install apparmor.d on Debian based systems
rpm # Build & install apparmor.d on OpenSUSE based systems
package dist # Build the package in a clean OCI container
[tests]
tests # Run the unit tests
init dist flavor # Install dependencies for the bats integration tests
integration dist flavor # Run the integration tests on the machine
[linter]
lint # Run the linters
check # Run style checks on the profiles
[docs]
man # Generate the man pages
docs # Build the documentation
serve # Serve the documentation
clean # Remove all build artifacts
package dist # Build the package in a clean OCI container
[vm]
img dist flavor # Build the VM image
create dist flavor # Create the machine
up dist flavor # Start a machine
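Review bot: The new `[install]` entries read "Install prebuild profiles" and "Locally install prebuild profiles"; as an adjective this should be "prebuilt", and "OpenSUSE" in the `rpm` line is normally written "openSUSE". Because this block is pasted `just` output, the wording should be corrected in the recipe comments and the listing regenerated from them, rather than edited here by hand where it will drift again.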
@ -40,13 +60,8 @@ Available recipes:
list # List the machines
images # List the VM images
available # List the VM images that can be created
init dist flavor # Install dependencies for the bats integration tests
integration dist flavor # Run the integration tests on the machine
get_ip dist flavor
get_osinfo dist
See https://apparmor.pujol.io/development/ for more information.
```
## Requirements
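Review bot: `get_ip dist flavor` and `get_osinfo dist` are the only entries in this listing without a `#` description. If they are meant to be public recipes, give them a doc comment like the others; if they are internal helpers, mark them private so they do not appear in the `just` listing or in this pasted copy.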

@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha
@{lib}/foo rPx -> systemd//&foo,
```
### Role Based Access Control (RBAC)
In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are:
- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files.
- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory.
- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory.
### Fallback
In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles:
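Review bot: The `admin` and `system` role descriptions in the new RBAC section end with the same sentence ("It has access to the system files and directories, but not to the user home directory"), so a reader cannot tell which role to assign to an account. State what separates the two, and say how a user is mapped to a role through pam_apparmor, since "The role needs to be defined" gives no pointer to where or how. The `user` entry's "other sensitive files" is too vague for a confinement document; name the classes of files meant. Grammar in the intro paragraph: "interactive shell from the user" reads better as "interactive shells started by the user", "to well-defined role" needs an article, and "This project ship" should be "ships".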