chore: cosmetic.
parent
c6717d2bab
commit
c9b87efebe
5 changed files with 13 additions and 26 deletions
25
README.md
|
|
@ -7,15 +7,12 @@
|
|||
**Full set of AppArmor profiles**
|
||||
|
||||
> [!WARNING]
|
||||
> This project is still in its early development. Help is very
|
||||
> welcome; see the [documentation website](https://apparmor.pujol.io/) including
|
||||
> its [development](https://apparmor.pujol.io/development) section.
|
||||
> This project is still in its early development. Help is very welcome; see the [documentation website](https://apparmor.pujol.io/) including its [development](https://apparmor.pujol.io/development) section.
|
||||
|
||||
|
||||
## Description
|
||||
|
||||
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine
|
||||
most Linux based applications and processes.
|
||||
**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
|
||||
|
||||
**Purpose**
|
||||
|
||||
|
|
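Review bot: in the rejoined Description line, "most Linux based applications" should read "Linux-based" (compound modifier); this hunk already rewrites that line, so the fix belongs here rather than in a follow-up. The unwrapped `> [!WARNING]` body reads fine on one line, but the move away from hard-wrapped lines is a convention change, so consider recording it in the development documentation so later edits do not re-wrap these paragraphs.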
@ -40,29 +37,19 @@ most Linux based applications and processes.
|
|||
- Fully tested (Work in progress)
|
||||
|
||||
|
||||
> This project is originally based on the work from [Morfikov][upstream] and aims
|
||||
> to extend it to more Linux distributions and desktop environments.
|
||||
> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
|
||||
|
||||
## Concepts
|
||||
|
||||
*One profile a day keeps the hacker away*
|
||||
|
||||
There are over 50000 Linux packages and even more applications. It is simply not
|
||||
possible to write an AppArmor profile for all of them. Therefore, a question arises:
|
||||
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:
|
||||
|
||||
**What to confine and why?**
|
||||
|
||||
We take inspiration from the [Android/ChromeOS Security Model][android_model] and
|
||||
we apply it to the Linux world. Modern [Linux security distributions][clipos] usually
|
||||
consider an immutable core base image with a carefully selected set of applications.
|
||||
Everything else should be sandboxed. Therefore, this project tries to confine all
|
||||
the *core* applications you will usually find in a Linux system: all systemd services,
|
||||
xwayland, network, bluetooth, your desktop environment... Non-core user applications
|
||||
are out of scope as they should be sandboxed using a dedicated tool (minijail,
|
||||
bubblewrap, toolbox...).
|
||||
We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).
|
||||
|
||||
This is fundamentally different from how AppArmor is usually used on Linux servers
|
||||
as it is common to only confine the applications that face the internet and/or the users.
|
||||
This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.
|
||||
|
||||
**Presentations**
|
||||
|
||||
|
|
|
|||
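Review bot: the rejoined "We take inspiration from..." paragraph is not a pure reflow: it adds a comma in "[android_model], and we apply" and changes "bluetooth" to "Bluetooth", while "xwayland" in the same list stays lowercase. Either capitalise consistently ("Xwayland") or leave the wording untouched so the diff is whitespace-only. Since the commit message says only "chore: cosmetic.", a short mention of the wording changes would help anyone later bisecting README text.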