No description

Find a file

Alexandre Pujol f183ae709f chore: fix linter issue.		2025-07-18 11:37:26 -06:00
.github	ci: use fsp instead of full command.	2025-07-07 00:52:29 +02:00
apparmor.d	chore: fix linter issue.	2025-07-18 11:37:26 -06:00
cmd	build: default target to apparmor 4.1	2025-04-13 12:12:45 +02:00
debian	build(debian): cleanup depends.	2025-04-04 21:53:13 +02:00
dists	chore(profile): rename netplan.script to netplan.	2025-06-17 00:22:34 +02:00
docs	chore: replace make full by make fsp.	2025-07-07 00:09:34 +02:00
pkg	chore: cleanup linter issue.	2025-06-16 23:42:30 +02:00
share	doc: update aa-log man page.	2025-04-27 14:35:46 +02:00
systemd	feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile.	2025-05-29 23:52:40 +02:00
tests	tests: add test file for whois.	2025-07-18 11:37:26 -06:00
.gitignore	chore: update gitignore.	2024-04-02 13:44:27 +01:00
.gitlab-ci.yml	ci: use fsp instead of full command.	2025-07-07 00:52:29 +02:00
.golangci.yaml	fix: linter fix.	2025-04-05 00:01:27 +02:00
go.mod	chore: update to go 1.23 as a minimum.	2025-04-04 22:11:11 +02:00
go.sum	chore: all external go module have been removed.	2024-10-19 22:58:47 +01:00
Justfile	build: add just command for local and dev install.	2025-07-18 11:37:26 -06:00
LICENSE	Cleanup license file.	2021-04-01 14:47:01 +01:00
Makefile	chore: replace make full by make fsp.	2025-07-07 00:09:34 +02:00
mkdocs.yml	doc: hide the date of revision on the front page.	2025-05-17 18:44:59 +02:00
PKGBUILD	build: improve `just install`	2025-05-18 19:33:58 +02:00
README.md	doc: add link to the play machine.	2025-04-16 00:11:15 +02:00
requirements.txt	doc: add git-committers extension.	2024-09-25 22:33:32 +01:00

README.md

apparmor.d

Full set of AppArmor profiles

Warning

This project is still in its early development. Help is very welcome; see the documentation website including its development section.

Description

AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose

Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
Confine all Desktop environments
Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
Confine some "special" user applications: web browsers, file managers, etc
Should not break a normal usage of the confined software

Goals

Target both desktops and servers
Support all distributions that support AppArmor:
Support for all major desktop environments:
- Gnome (GDM)
- KDE (SDDM)
- XFCE (Lightdm) (work in progress)
Fully tested

Demo

You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/

This project is originally based on the work from Morfikov and aims to extend it to more Linux distributions and desktop environments.

Concepts

One profile a day keeps the hacker away

There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises:

What to confine and why?

We take inspiration from the Android/ChromeOS Security Model, and we apply it to the Linux world. Modern Linux security distributions usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the core applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...).

This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users.

Presentations

Building the largest set of AppArmor profiles:

Linux Security Summit North America (LSS-NA 2023) (Slide, Video)
Ubuntu Summit 2023 (Slide, Video)

Installation

Please see apparmor.pujol.io/install

Configuration

Please see apparmor.pujol.io/configuration

Usage

Please see apparmor.pujol.io/usage

Contribution

Feedbacks, contributors, pull requests are all very welcome. Please read apparmor.pujol.io/development for more details on the contribution process.

Development chat available on https://matrix.to/#/#apparmor.d:matrix.org

License

This Project was initially based on Mikhail Morfikov's apparmor profiles project and thus has the same license (GPL2).