docs: initial documentation website.
parent
3c3f164e91
commit
ecf82c7176
17 changed files with 1143 additions and 0 deletions
30
docs/concepts.md
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
title: Concepts
|
||||
---
|
||||
|
||||
# Concepts
|
||||
|
||||
*One profile a day keeps the hacker away*
|
||||
|
||||
There are over 50000 Linux packages and even more applications. It is simply not
|
||||
possible to write an AppArmor profile for all of them. Therefore, a question arises:
|
||||
|
||||
**What to confine and why?**
|
||||
|
||||
We take inspiration from the [Android/ChromeOS Security Model][android_model] and
|
||||
we apply it to the Linux world. Modern [Linux security distribution][clipos] usually
|
||||
consider an immutable core base image with a carefully set of selected applications.
|
||||
Everything else should be sandboxed. Therefore, this project tries to confine all
|
||||
the *core* applications you will usually find in a Linux system: all systemd services,
|
||||
xwayland, network, bluetooth, your desktop environment... Non-core user applications
|
||||
are out of scope as they should be sandboxed using a dedicated tool (minijail,
|
||||
bubblewrap, toolbox...).
|
||||
|
||||
This is fundamentally different from how AppArmor is usually used on Linux server
|
||||
as it is common to only confine the applications that face the internet and/or the users.
|
||||
|
||||
|
||||
[android_model]: https://arxiv.org/pdf/1904.05572
|
||||
[clipos]: https://clip-os.org/en/
|
||||
[write xor execute]: https://en.wikipedia.org/wiki/W%5EX
|
||||
|
||||
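Review bot: the "[write xor execute]" link reference on the last line of this hunk is defined but never used anywhere in the 30 added lines of docs/concepts.md; either drop it or add the sentence that cites it. In the paragraph starting "We take inspiration", "Modern [Linux security distribution][clipos] usually consider" needs the plural "distributions", and "a carefully set of selected applications" should read "a carefully selected set of applications"; in the next paragraph "on Linux server" should be "on Linux servers". The "over 50000 Linux packages" figure in the opening paragraph has no source, so a link or a less specific wording would make it easier to keep accurate.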