-
Notifications
You must be signed in to change notification settings - Fork 0
/
Apparmor-profile-everything.mw
60 lines (41 loc) · 3.1 KB
/
Apparmor-profile-everything.mw
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
{{Header}} __NOINDEX__
{{title|title=
apparmor-profile-everything
}}
{{#seo:
|description=Full System AppArmor Policy
|image=Mandatoryaccesscontrol.jpg
}}
[[File:Mandatoryaccesscontrol.jpg|thumb]]
{{intro|
<code>apparmor-profile-everything</code> is an AppArmor policy to confine all user space processes on the system. This allows users to enforce a strong security model and follow the principle of least privilege. An AppArmor policy for the init and systemd is loaded in the initramfs, which then applies to all other processes. Specific policies for many system services/applications are also enforced.
<u>Planned replacement:</u> [[apparmor.d|<code>apparmor.d</code>]]
}}
{{archived}}
= Deprecated =
apparmor-profile-everything is deprecated!
It might become replaced by apparmor.d, see
* https://github.com/roddhjav/apparmor.d/issues/252
* https://forums.whonix.org/t/apparmor-d-full-set-of-apparmor-profiles-1500-profiles/17389
* https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/481
= Design =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = '''Note:''' <code>apparmor-profile-everything</code> is still in development and breakage is likely. It is currently only recommended for developers.
}}
This full system AppArmor policy imitates design ideas that are already present in other operating systems such as Android and attempts to make something similar available on desktop Linux.
In addition to locking down user space, this also protects the kernel as it restricts access to kernel interfaces like <code>/proc</code> or <code>/sys</code>, thereby making kernel pointer and other leaks much less likely. However, this does not and cannot confine the kernel or initramfs.
This AppArmor policy is expected to be used in combination with other security technologies such as a hardened kernel, strong sandboxing architecture, verified boot and so on.
<code>apparmor-profile-everything</code> supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It is highly recommended to stick to the default boot mode.
It also contains a wrapper to restrict apt, as apt requires permissions that may be abused to circumvent the policy. When updating or installing applications, the rapt command must be used.
= Platform Support =
<code>apparmor-profile-everything</code> is currently broken in {{q_project_name_long}}. madaidan developed it for non-Qubes environment.
Nobody is working on {{q_project_name_short}} support at present, see: [https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581 Qubes-Whonix Security Disadvantages - Help Wanted!]
= References =
* https://github.com/roddhjav/apparmor.d
* https://forums.whonix.org/t/using-apparmor-profile-everything-on-debian-buster/8650
* https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]