Apparmor Profiles Collection

I wanted to publish the AppArmor profiles I use a long time ago, but I was afraid it would lower my own security level. Most of the profiles you find here are the default Ubuntu AppArmor profiles. Some are modified, some are based on third-party profiles, and some were written from scratch. I want this repository to become a place where people can share their own profiles and link to profiles from other sources. Most profiles need some modification for your own needs, so I want this repository to be a good starting point when you write a profile for yourself.
It is much easier when you have another profile to base yours on. Most profiles here use abstractions, which makes writing profiles even easier.
Pull requests are welcome! Let's make AppArmor profile creation easier together. It's time to take control back into your own hands!

Profiles status

Default profiles

Most profiles here are the default profiles shipped with Ubuntu. They should work without problems on most installations, but they may not be restrictive enough.

  • bin.ping
  • lightdm-guest-session
  • lxc-containers
  • sbin.dhclient
  • sbin.klogd
  • sbin.syslog-ng
  • sbin.syslogd
  • usr.bin.chromium-browser, modified for Android WebView debugging support.
  • usr.bin.i2prouter
  • usr.bin.lxc-start
  • usr.lib.dovecot.anvil
  • usr.lib.dovecot.config
  • usr.lib.dovecot.deliver
  • usr.lib.dovecot.dict
  • usr.lib.dovecot.dovecot-auth
  • usr.lib.dovecot.dovecot-lda
  • usr.lib.dovecot.imap
  • usr.lib.dovecot.imap-login
  • usr.lib.dovecot.lmtp
  • usr.lib.dovecot.managesieve
  • usr.lib.dovecot.managesieve-login
  • usr.lib.dovecot.pop3
  • usr.lib.dovecot.pop3-login
  • usr.lib.dovecot.ssl-params
  • usr.lib.libvirt.virt-aa-helper
  • usr.lib.lxd.lxd-bridge-proxy
  • usr.lib.telepathy
  • usr.sbin.avahi-daemon
  • usr.sbin.dnsmasq, modified for LXD network API support.
  • usr.sbin.dovecot
  • usr.sbin.haveged; to use this profile you need to order the haveged systemd unit after apparmor.service, so that the profile is already loaded when haveged is started (AppArmor attaches a profile at exec time, so a daemon started before its profile is loaded runs unconfined). Just like this:
After=systemd-random-seed.service apparmor.service
  • usr.sbin.identd
  • usr.sbin.libvirtd
  • usr.sbin.mdnsd
  • usr.sbin.nmbd
  • usr.sbin.nscd
  • usr.sbin.rsyslogd
  • usr.sbin.smbd
  • usr.sbin.smbldap-useradd
  • usr.sbin.tcpdump
  • usr.sbin.traceroute
  • usr.sbin.wrapper

Active profiles

Well-tested profiles that I use almost every day.

  • system_tor
  • usr.bin.firefox and usr.bin.firefox-trunk
  • usr.bin.pidgin
  • usr.bin.quasselclient
  • usr.bin.steam; you need to adjust the username and the Steam library location before using it in your own environment. This profile supports the Steam Controller. It is better to run Steam under a separate user anyway, since most games store saves in ~/Documents or in their own directories under ~, and your ~/.config and ~/.local directories fill up with data from different games. In other words, the private-files abstractions don't play well with Steam, so it is better to use a separate user with a slightly modified abstraction.
  • usr.sbin.privoxy
  • usr.bin.mupdf

Inactive profiles

Currently inactive profiles. They could probably be made to work with small fixes.

  • opt.teamviewer9.tv_bin.script.teamviewer, for TeamViewer installed from the archive into /opt/, the version bundled with Wine. The profile for the deb/rpm version includes a service started with root privileges, which I don't recommend. TeamViewer works fine when you administer a remote host, but will crash if someone tries to connect to you. Probably needs only slight modification for newer versions.
  • usr.bin.jitsi, outdated.
  • usr.bin.odeskteam-qt4, client discontinued.
  • usr.bin.skype, outdated. Most likely you also need to run it in a separate X session, for example with Xephyr or xpra.
  • usr.bin.wuala, client discontinued.
  • usr.bin.vlc, outdated. Possibly needs slight modification. Based on a profile from insanitybit.com.

Possibly broken profiles

Broken profiles that are not easy to fix.

Profile installation

Copy the profile you need to /etc/apparmor.d/, check which abstractions it includes (the #include <abstractions/...> lines) and copy any that are missing from /etc/apparmor.d/abstractions/, tweak the profile for your needs if necessary, and put it in enforce mode. If you are not sure the profile fits your installation, load it in complain mode first (aa-complain instead of aa-enforce) and watch the audit log for apparmor="ALLOWED" entries, which show what enforce mode would have denied, before switching:

aa-enforce /etc/apparmor.d/usr.bin.profilenameyourneed 
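The procedure above as a script, added here as an example and not part of the repository: it copies one profile from a checkout of this collection, pulls in any abstractions the profile includes that are missing from /etc/apparmor.d/abstractions/, syntax-checks it with apparmor_parser, and puts it in enforce (or complain) mode. It assumes the checkout mirrors the /etc/apparmor.d layout (profiles at the top level, abstractions under abstractions/) and that it runs as root.

```shell
#!/bin/sh
# Added example, not part of the repository. Install one profile from a
# checkout of this collection together with the abstractions it includes.
# Assumptions: $REPO_DIR mirrors /etc/apparmor.d (profiles at the top level,
# abstractions under abstractions/); the script runs as root.

REPO_DIR="${REPO_DIR:-.}"                   # path to the cloned collection (assumed layout)
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Print the abstraction names a profile includes, one per line, de-duplicated.
# Matches both the classic "#include <abstractions/x>" and the newer
# "include <abstractions/x>" spelling; "<tunables/...>" lines are ignored.
list_abstractions() {
    sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*<abstractions\/\([^>]*\)>.*/\1/p' "$1" | sort -u
}

# Print the abstractions referenced by profile $1 that do not exist under $2/abstractions/.
missing_abstractions() {
    profile=$1; base=$2
    list_abstractions "$profile" | while IFS= read -r a; do
        [ -f "$base/abstractions/$a" ] || printf '%s\n' "$a"
    done
}

# install_profile <profile-name> [enforce|complain]
install_profile() {
    name=$1; mode=${2:-enforce}
    case $mode in enforce|complain) ;; *) echo "mode must be enforce or complain" >&2; return 1;; esac
    src="$REPO_DIR/$name"
    [ -f "$src" ] || { echo "no such profile in $REPO_DIR: $name" >&2; return 1; }

    # Copy abstractions the target system lacks; abstraction names never contain spaces.
    for a in $(missing_abstractions "$src" "$APPARMOR_DIR"); do
        if [ -f "$REPO_DIR/abstractions/$a" ]; then
            install -m 0644 -D "$REPO_DIR/abstractions/$a" "$APPARMOR_DIR/abstractions/$a"
        else
            echo "abstraction $a is neither in $APPARMOR_DIR nor in $REPO_DIR" >&2; return 1
        fi
    done

    dest="$APPARMOR_DIR/$name"
    install -m 0644 "$src" "$dest"
    # -Q parses the profile without loading it, so a syntax error is reported
    # before anything reaches the kernel.
    apparmor_parser -Q "$dest" || return 1
    # aa-enforce / aa-complain set the mode flag in the file and (re)load the profile.
    "aa-$mode" "$dest"
}

# Usage: REPO_DIR=~/apparmor-profiles sh install-profile.sh usr.bin.mupdf [complain]
if [ -n "$1" ]; then
    install_profile "$1" "$2"
fi
```

The abstraction check is what usually goes wrong when copying a profile between machines: apparmor_parser fails with a "Could not open 'abstractions/...'" error when an include is missing, and the -Q pass catches that before the enforce step.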

Searching for more apparmor profiles

Some software in Ubuntu ships its own AppArmor profile, so it is enough to install the package and activate the profile afterwards. The apparmor-profiles package installs additional profiles (most of them in complain mode), and more are shipped under /usr/share/apparmor/extra-profiles/.

About abstractions and private-files

Abstractions let you write profiles faster and keep them readable. For example, an X11 application needs the X abstraction, and a profile for a Java application would be a real pain without the Java abstraction.
See the abstractions here.
Alongside the per-software abstractions there are the private-files abstractions: private-files denies access to the really sensitive parts of the home directory (shell rc files and history, ~/.ssh, ~/.gnupg and the like), and private-files-strict additionally denies every dotfile and dot-directory under ~, for software that is otherwise not very restricted. Keep in mind that AppArmor deny rules take precedence over allow rules regardless of order, so a program that needs its own ~/.config directory cannot be combined with private-files-strict.
You may also find the user-read and user-write abstractions very useful to grant the user's access to media, mount points and tmp in one include.
For example:
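As an added example (not one of this repository's profiles), here is a minimal profile for a hypothetical X11 PDF viewer at /usr/bin/example-viewer, built mostly from abstractions. The binary path, the config and cache directories and the read-only treatment of the home directory are assumptions for the illustration:

```apparmor
# Added example, not one of the repository's profiles. Hypothetical binary
# /usr/bin/example-viewer: an X11 PDF viewer that reads documents anywhere in
# $HOME and only writes its own config and cache.
#include <tunables/global>

/usr/bin/example-viewer {
  #include <abstractions/base>            # libc, locales, /dev/null, /proc/self basics
  #include <abstractions/X>               # X11 socket, ~/.Xauthority, xkb data
  #include <abstractions/fonts>           # fontconfig caches and font files
  #include <abstractions/freedesktop.org> # icon themes, mime database

  # Deny the really sensitive parts of $HOME (shell rc files and history,
  # ~/.ssh, ~/.gnupg, ...) even though user-read below grants broad read
  # access: deny rules win over allow rules whatever their order.
  # private-files rather than private-files-strict: the strict variant denies
  # every dot-directory in $HOME and would block the ~/.config and ~/.cache
  # rules further down.
  #include <abstractions/private-files>

  # Read access to the user's home, media, mount points and tmp in one include.
  #include <abstractions/user-read>
  # Deliberately no user-write: the viewer has no business writing user files.

  /usr/bin/example-viewer mr,

  # The program's own state; owner restricts this to files owned by the
  # invoking user, and k allows the file locks that config writers tend to use.
  owner @{HOME}/.config/example-viewer/ rw,
  owner @{HOME}/.config/example-viewer/** rwk,
  owner @{HOME}/.cache/example-viewer/ rw,
  owner @{HOME}/.cache/example-viewer/** rwk,
}
```

Start such a profile in complain mode, open a few documents from different locations, and add only the rules the log shows are actually needed; if the log shows the program trying to read ~/.ssh or ~/.bash_history, the private-files include is doing its job and nothing should be added.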

Some ideads for this repository

Import well-made profiles from upstream and other sources into this repository, most likely starting from the apparmor-profiles Bazaar branch. As always, pull requests are welcome!

Donation

Consider making a donation if you like what I'm doing. I work remotely and my income is unstable, so every little bit helps.

It would also be nice if you sent a note to admin@hda.me after donating, saying what you like and what you want to see improved, so that I can consider giving more time and support to a particular project.

I'm also open to reasonable work offers, especially if the offer is close to a field or project I work with.

E-money & Fiat

Yandex Money

Donation on Yandex Money: https://money.yandex.ru/to/410015241627045

Advanced Cash

Open https://wallet.advcash.com/pages/transfer/wallet and enter mmail@sent.com in the "Specify the recipient's wallet or e-mail" field.

PayPal

Donation with PayPal: https://paypal.me/hdadonation

Payeer

Donation with Payeer: on https://payeer.com/en/account/send/ use P2865115 in the "Account, e-mail or phone number" field.

Cryptocurrency

Bitcoin

Address is 1N5czHaoSLukFSTq2ZJujaWGjkmBxv2dT9

Musicoin

Address is 0xf449f8c17a056e9bfbefe39637c38806246cb2c9

Ethereum

Address is 0x23459a89eAc054bdAC1c13eB5cCb39F42574C26a

Other

I can also offer some relatively cheap "hardware" donation options delivered directly to my PO Box, if you prefer real gifts. Ask for details at admin@hda.me.