felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

doc: general update.

Browse source
This commit is contained in:
Alexandre Pujol 2024-08-30 20:38:30 +01:00
parent fe32720765
commit fb29e8ba74
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
14 changed files with 350 additions and 223 deletions
Download patch file Download diff file Expand all files Collapse all files

19
docs/development/guidelines.md
View file

@ -78,7 +78,7 @@ The file block should be sorted as follows:
The dbus block should be sorted as follows:
- The system bus should be sorted *before* the session bus
- The bind rules should be sorted *after* the send & receive rules
- The bind rules should be sorted *after* send & receive rules
For DBus, try to determine peer's label when possible. E.g.:
```
@ -115,6 +115,23 @@ If there is no predictable label it can be omitted.
/var/lib/dbus/machine-id r,
```
#### :material-numeric-5-circle: Limit the use of `deny`
: The use of `deny` should be limited to the minimum:
- In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control"))
- `deny` rules are enforced even in complain mode,
- If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")).
#### :material-numeric-6-circle: Comments
: Ensure you only have useful comments. E.g.:
```
# Config files for foo
owner @{user_config_dirs}/foo/{,**} r,
```
Does not help, and if generalized it would add a lot of complexity to any profiles.
## Additional recommended documentation