docs: update abstraction page.

Alexandre Pujol 2024-10-01 23:00:37 +01:00
parent b51576139b
commit baad12a754
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 96 additions and 1 deletions

@ -43,9 +43,67 @@ A full set of rules for all chromium based browsers. It works as a *function* an
If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron) If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron)
instead. instead.
### **`app/firefox`**
Similar to `app/chromium` but for Firefox based browsers (and thunderbird). It requires the same *arguments* as `app/chromium`:
## Context helper
These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case.
### **`app/editor`**
A minimal set of rules for profiles including terminal editor. It is intended to be used in profiles or sub-profiles that need to edit file using the user editor of choice. The following editors are supported:
- neo vim
- vim
- nano
```sh
@{editor_path} rCx -> editor,
profile editor {
include <abstractions/base>
include <abstractions/app/editor>
include if exists <local/<profile_name>_editor>
}
```
### **`app/kmod`**
A minimal set of rules for profiles that need to load kernel modules. It is intended to be used in profiles or sub-profiles that need to load kernel modules for a very specific action:
```sh
@{bin}/modprobe rCx -> kmod,
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
include if exists <local/<profile_name>_kmod>
}
```
### **`app/open`**
Set of rules for `child-open-*` profiles. It should usually not be used directly in a profile.
### **`app/pgrep`** ### **`app/pgrep`**
Minimal set of rules for pgrep/pkill. It is intended to be used in profiles or sub-profiles that need to use `pgrep` or `pkill` for a very specific action:
```sh
@{bin}/pgrep rCx -> pgrep,
profile pgrep {
include <abstractions/base>
include <abstractions/app/pgrep>
include if exists <local/<profile_name>_pgrep>
}
```
### **`app/sudo`** ### **`app/sudo`**
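Review bot: The new `app/firefox` paragraph ends with "It requires the same *arguments* as `app/chromium`:" but nothing follows the colon before the `## Context helper` heading, so the reader never gets the argument list; either repeat the arguments here or end the sentence with a period and link to `app/chromium`. In the same hunk, the `app/editor` snippet transitions on `@{editor_path}` while the other snippets use `@{bin}/...`, and the text does not say where that variable is defined. Wording: "to be used for in sub profile" has a stray "for", "dependant" should be "dependent", and "neo vim" is normally written "neovim".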
@ -61,6 +119,22 @@ A minimal set of rules for profiles including internal `sudo`. Interactive sudo
} }
``` ```
### **`app/pkexec`**
A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo`, it should be used in profiles or sub-profiles that need to elevate their privileges using `pkexec` for a very specific action:
```sh
@{bin}/pkexec rCx -> pkexec,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/<profile_name>_pkexec>
}
```
### **`app/systemctl`** ### **`app/systemctl`**
An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows:
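Review bot: The `app/pkexec` description says "Like `app/sudo`" but does not say whether interactive authentication is covered, while the `app/sudo` text visible in the hunk header continues with a sentence starting "Interactive sudo"; since this abstraction is about privilege elevation, state the same point explicitly for `pkexec`. The section is also inserted after `app/sudo`, which breaks the alphabetical order of the neighbouring entries (`app/pgrep`, `app/sudo`, `app/systemctl`); placing it before `app/sudo` would keep the order.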
@ -75,6 +149,20 @@ An alternative solution for [child-systemctl](structure.md#children-profiles), w
} }
``` ```
### **`app/udevadm`**
A minimal set of rules for profiles including internal `udevadm` as read-only. It is intended to be used in profiles or sub-profiles that need to use `udevadm` for a very specific action:
```sh
@{bin}/udevadm rCx -> udevadm,
profile udevadm {
include <abstractions/base>
include <abstractions/app/udevadm>
include if exists <local/<profile_name>_udevadm>
}
```
## Common Dependencies ## Common Dependencies
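Review bot: "including internal `udevadm` as read-only" in the `app/udevadm` description does not say what is read-only; spell out which kind of `udevadm` use the abstraction is meant to allow, so a profile author can tell when it will not be enough and a dedicated sub-profile is needed.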
@ -207,6 +295,9 @@ Common rules for interactive shell using bash.
Common rules for interactive shell using zsh. Common rules for interactive shell using zsh.
### **`fish`**
Common rules for interactive shell using fish.
## System ## System
@ -222,6 +313,10 @@ Use this abstraction instead of upstream `abstractions/nameservice` as upstream
Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
### **`app-launcher-root`**
### **`app-launcher-user`**
## Devices ## Devices
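Review bot: `app-launcher-root` and `app-launcher-user` are added as bare headings with no description, unlike the other entries in this diff; add a sentence for each on what it covers and when to pick one over the other, or leave the headings out until the text is written.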

@ -28,7 +28,7 @@ For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive.
There is a trade of between security and maintenance to make: There is a trade of between security and maintenance to make:
- `aa:dbus talk` will generate less issue as it give full talk access - `aa:dbus talk` will generate less issue as it gives full talk access
- `abstractions/bus/*` will provide more restriction, and possibly more issue. - `abstractions/bus/*` will provide more restriction, and possibly more issue.
Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call. Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call.
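Review bot: The changed bullet still reads "will generate less issue"; with "give" corrected to "gives", "fewer issues" would finish the fix, and the next bullet's "possibly more issue" and the context line's "trade of" (for "trade-off") have the same problem and could be corrected in this commit.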