Apparmor profiles collection
Apparmor Profiles Collection

I wanted to publish the AppArmor profiles I use a long time ago, but I was afraid that doing so would lower my own security level. Most profiles you can find here are the default Ubuntu AppArmor profiles. Some are modified profiles, some are based on third-party profiles, and some were created from scratch. I want this repository to become a place where people can share their own profiles and link profiles from other sources too. Most profiles need some modification for your own needs, so I want this repository to be a good place to start when you create a profile for yourself.
It is much easier when you have another profile to base yours on. Most profiles here use abstractions, which makes writing profiles even easier.
Pull requests are welcome here! Let's make AppArmor profile creation easier together. It's time to take control of things back into your own hands!

Profiles status

Default profiles

Most profiles here are the default profiles from Ubuntu. They should work without problems in most installations, but they may not be restrictive enough.

  • bin.ping
  • lightdm-guest-session
  • lxc-containers
  • sbin.dhclient
  • sbin.klogd
  • sbin.syslog-ng
  • sbin.syslogd
  • usr.bin.chromium-browser, modified for Android WebView debugging support.
  • usr.bin.i2prouter
  • usr.bin.lxc-start
  • usr.lib.dovecot.anvil
  • usr.lib.dovecot.config
  • usr.lib.dovecot.deliver
  • usr.lib.dovecot.dict
  • usr.lib.dovecot.dovecot-auth
  • usr.lib.dovecot.dovecot-lda
  • usr.lib.dovecot.imap
  • usr.lib.dovecot.imap-login
  • usr.lib.dovecot.lmtp
  • usr.lib.dovecot.managesieve
  • usr.lib.dovecot.managesieve-login
  • usr.lib.dovecot.pop3
  • usr.lib.dovecot.pop3-login
  • usr.lib.dovecot.ssl-params
  • usr.lib.libvirt.virt-aa-helper
  • usr.lib.lxd.lxd-bridge-proxy
  • usr.lib.telepathy
  • usr.sbin.avahi-daemon
  • usr.sbin.dnsmasq, modified for LXD network API support.
  • usr.sbin.dovecot
  • usr.sbin.haveged, to use this profile you need to add apparmor.service to the After= line of the haveged systemd unit, like this:
After=systemd-random-seed.service apparmor.service
  • usr.sbin.identd
  • usr.sbin.libvirtd
  • usr.sbin.mdnsd
  • usr.sbin.nmbd
  • usr.sbin.nscd
  • usr.sbin.rsyslogd
  • usr.sbin.smbd
  • usr.sbin.smbldap-useradd
  • usr.sbin.tcpdump
  • usr.sbin.traceroute
  • usr.sbin.wrapper

Active profiles

Well-tested profiles that I use almost every day.

  • system_tor
  • usr.bin.firefox and usr.bin.firefox-trunk
  • usr.bin.pidgin
  • usr.bin.quasselclient
  • usr.bin.steam, you need to adjust the username and the Steam library location before using it in your own environment. This profile supports the Steam Controller. It is better to run Steam under a separate user anyway, since most games like to store saves in ~/Documents or in their own folders under ~, and your ~/.config and ~/.local folders will fill up with data from different games. In other words, the private-files abstractions don't play well with Steam, so it is better to use a separate user with a slightly modified abstraction.
  • usr.sbin.privoxy
  • usr.bin.mupdf

Inactive profiles

Currently inactive profiles. They could be fixed with slight changes.

  • opt.teamviewer9.tv_bin.script.teamviewer, for TeamViewer installed from the archive into /opt/, the version bundled with Wine. The profile for the deb/rpm version includes a service started with root rights, and I don't recommend it. TeamViewer works fine when you administer a remote host, but will crash if someone tries to connect to you. Probably needs only slight modification for new versions.
  • usr.bin.jitsi, outdated
  • usr.bin.odeskteam-qt4, client dropped
  • usr.bin.skype, outdated. You most likely also need to run it in a separate X session, for example with Xephyr or xpra.
  • usr.bin.wuala, client dropped
  • usr.bin.vlc, outdated. Probably needs slight modification. Based on a profile from insanitybit.com.

Possibly broken profiles

Broken profiles that are not easy to fix.

Profile installation

Copy the profile you want to use to /etc/apparmor.d/, check it for abstractions and copy those too if needed, tweak the profile slightly for your needs, and you are good to go:

aa-enforce /etc/apparmor.d/usr.bin.profilenameyourneed 

Searching for more apparmor profiles

Some software packages in Ubuntu ship their own AppArmor profiles; installing the package is enough, and you activate the profile afterwards.

About abstractions and private-files

Abstractions let you write profiles faster and more clearly. For example, an Xorg application needs the X abstraction, and a profile for a Java application could be a real pain without the java abstraction.
Check the abstractions here.
Alongside the software abstractions there are the private-files abstractions, which deny not-quite-restricted software access to the really sensitive parts of your home directory.
You may also find the user write/read abstractions very useful to easily grant a user access to media, mount points and tmp.
For example:
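As an added example (not part of this repository), here is a constructed profile skeleton built from abstractions, combined with the pre-installation check described in the installation section above: every abstraction a profile includes must exist under /etc/apparmor.d/abstractions, otherwise apparmor_parser rejects the whole profile and the program stays unconfined. The program /usr/bin/example, the stub abstraction files and the temporary directory standing in for /etc/apparmor.d are assumptions so the script runs offline; the abstraction names (base, X, fonts, user-write, private-files-strict) are the ones shipped with Ubuntu's apparmor package.

```shell
#!/bin/sh
# Added example, not code from this repository. Abstraction names are the ones
# shipped with Ubuntu's apparmor package; /usr/bin/example is a placeholder.

# list_abstractions PROFILE: print the name of every <abstractions/NAME>
# pulled in by an "include" or "#include" line (also "include if exists").
list_abstractions() {
    awk '/^[[:space:]]*#?include[[:space:]]/ {
        if (match($0, /<abstractions\/[^>]+>/)) {
            # strip the leading "<abstractions/" (14 chars) and the trailing ">"
            print substr($0, RSTART + 14, RLENGTH - 15)
        }
    }' "$1"
}

# missing_abstractions PROFILE APPARMOR_DIR: print each included abstraction
# that has no file under APPARMOR_DIR/abstractions; status 0 means none missing.
missing_abstractions() {
    status=0
    for name in $(list_abstractions "$1"); do
        if [ ! -f "$2/abstractions/$name" ]; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

# install_profile PROFILE APPARMOR_DIR: refuse to install while abstractions are
# missing (the parser would fail and the program would stay unconfined);
# otherwise copy the profile in and enforce it when aa-enforce is available.
install_profile() {
    if ! missing_abstractions "$1" "$2" >/dev/null; then
        echo "$1: copy the missing abstractions to $2/abstractions first" >&2
        return 1
    fi
    cp "$1" "$2/" || return 1
    if command -v aa-enforce >/dev/null 2>&1; then
        aa-enforce "$2/$(basename "$1")"
    fi
}

# build_fixture DIR: constructed stand-in for /etc/apparmor.d so this runs offline.
# private-files-strict is deliberately left out to exercise the missing-abstraction path.
build_fixture() {
    mkdir -p "$1/apparmor.d/abstractions"
    for a in base X fonts user-write; do
        echo "# constructed stub for abstractions/$a" > "$1/apparmor.d/abstractions/$a"
    done
    cat > "$1/usr.bin.example" <<'EOF'
# constructed profile; /usr/bin/example is a placeholder program
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>
  #include <abstractions/X>
  #include <abstractions/fonts>
  # deny the sensitive dotfiles, allow writes to the user's media, mounts and tmp
  #include <abstractions/private-files-strict>
  #include <abstractions/user-write>

  /usr/bin/example mr,
  owner @{HOME}/.config/example/ rw,
  owner @{HOME}/.config/example/** rwk,
}
EOF
}

demo=$(mktemp -d "${TMPDIR:-/tmp}/aa-demo.XXXXXX")
build_fixture "$demo"
if missing=$(missing_abstractions "$demo/usr.bin.example" "$demo/apparmor.d"); then
    echo "all abstractions present, safe to install"
else
    echo "missing abstractions: $missing"
fi
```

On a real system you would call install_profile with the profile path and /etc/apparmor.d; the check is worth keeping because a profile that fails to parse is silently not loaded, which is worse than a profile that is merely too permissive.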

Near future plans for this repository

Import well-made profiles from upstream and other sources into this repository, most likely from the apparmor-profiles bazaar branch first. As always, pull requests are welcome here!