This project is part of protected desktop for organization infrastructure (including diskless node infrastructure), that also include IMA/EVM (with Gentoo binhost integration), IMA+AA integration and organization's network services with client's remote attestation (that are parts of another projects and not included in this one).
- Best to deploy with Secure Boot (early boot AppArmor initialization before root mount and real init are supported).
- Best to deploy with IMA/EVM (if you can make it to work), see Matthew Garrett's patch for AA+IMA integration.
- All system processes covered by security profiles (including started before AppArmor initialization, kernel's processes, etc).
- Full system coverage, unconfined processes are not allowed (only confined to confined transitions are allowed).
- Inherited processes transition (ix/Ix) not allowed for better restrictions (with several exceptions).
- Aimed to OpenRC (systemd not supported, since it much harder to isolate).
- RBAC with uid/fsuid on all processes transitions (no need to worry about 12 named transitions AA's limit, since all transitions are 'named' by uid).
- Profiles grouped by Gentoo packages names for easy manipulations (see utils folder).
- Gentoo sys-apps/dbus package should be revised in order to build with "--enable-apparmor" configuration flag.
- Project based on Ubuntu kernel AppArmor sources (vanilla kernel still don't have all features).
- Project's AA profiles required patched kernel in order to work (see patches folder) and NOT compatible with Ubuntu/Suse kernel (and vice versa).
- Documentation on Russian, may be translated to English in future (I didn't planned make it public, and don't have time for translation now).