Apparmor Profiles Collection
I wanted to publish the AppArmor profiles I use a long time ago, but was afraid it would lower my own security level.
Most profiles you can find here are default Ubuntu AppArmor profiles. Some are modified profiles, some are based on third-party profiles, and some were created from scratch.
I want this repository to become a place where people can share their own profiles and link profiles from other sources.
Most profiles will need some modification for your own needs. I want this repository to be a good starting point when you create a profile for yourself.
It is much easier when you have another profile to base yours on. Most profiles here use abstractions, which makes writing profiles even easier.
Pull requests are welcome! Let's make AppArmor profile creation easier together. It's time to take control back into your own hands!
Most profiles here are default profiles from Ubuntu. They should work without problems in most installations, but may not be restrictive enough.
- usr.bin.chromium-browser, modified for Android WebView debugging support.
- usr.sbin.dnsmasq, modified to support the LXD network API.
- usr.sbin.haveged, you need to add a dependency on apparmor.service to the haveged systemd unit to use this profile. Just like that:
Well-tested profiles that I use almost every day.
- usr.bin.firefox and usr.bin.firefox-trunk
- usr.bin.steam, you need to tweak the username and the Steam library location before using it in your own environment. This profile supports the Steam controller. It is better to run Steam under a separate user anyway, since most games like to store saves in ~/Documents or in their own separate folders in ~/.local, and those folders get reused for different games' data. What I mean is that the private-files abstractions don't play well with Steam, so it is better to use a separate user with a slightly modified abstraction.
Currently inactive profiles. Could be fixed with slight changes.
- opt.teamviewer9.tv_bin.script.teamviewer, for TeamViewer installed from the archive into /opt/, the version bundled with wine. The profiles for the deb/rpm version include a service started with root rights, which I don't recommend. TeamViewer works fine when you administer a remote host, but will crash if someone tries to connect to you. Possibly needs only slight modification for new versions.
- usr.bin.jitsi, outdated.
- usr.bin.odeskteam-qt4, the client was dropped.
- usr.bin.skype, outdated. You most likely need to run it in a separate X session as well, for example with Xephyr or xpra.
- usr.bin.wuala, the client was dropped.
- usr.bin.vlc, outdated. Possibly needs slight modification. Based on a profile from insanitybit.com.
Possibly broken profiles
Broken profiles that are not easy to fix.
- usr.bin.FoxitReader, should work fine with version 1.1 on old distros (for example Ubuntu 14.04.x and 12.04.x). Broken with newer FoxitReader versions and on newer distros.
- usr.bin.SpiderOak, outdated; needs modification or rewriting.
- usr.bin.VirtualBox, works fine, but you need to disable it when updating VirtualBox or when installing extensions. Will possibly be outdated soon, since I no longer use VirtualBox. Based on a profile from insanitybit.com.
- usr.bin.wine, totally broken.
- usr.bin.obfsproxy, broken. Currently inside the tor abstraction.
- usr.bin.zuluCrypt-gui, broken. Not interested in fixing it.
- usr.share.smartgit.bin.smartgit.sh, broken, much like plain git. But I think it could be fixed with some modification.
You need to copy the profile you want to use to /etc/apparmor.d/, check it for abstractions and copy those abstractions if you need them, possibly tweak the profile slightly for your needs, and you are good to go.
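The install procedure above (copy the profile, check which abstractions it includes, copy those, then load it), as an added shell example that is not part of this repository: it assumes the standard `#include <abstractions/NAME>` / `include <abstractions/NAME>` syntax, uses /etc/apparmor.d unless another directory is given, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of this repository): list the abstractions a profile
# includes, report the ones missing from the abstractions directory, and only
# then copy and load the profile with apparmor_parser.
# Assumes "#include <abstractions/NAME>" or "include <abstractions/NAME>" lines;
# "include if exists" lines are deliberately not treated as required.

# Print the abstraction names a profile file includes, one per line.
list_abstractions() {
    # $1: path to the profile
    sed -n 's|^[[:space:]]*#\{0,1\}include[[:space:]]*<abstractions/\([^>]*\)>.*|\1|p' "$1" | sort -u
}

# Print the included abstractions that do not exist under $2/abstractions.
missing_abstractions() {
    # $1: profile path, $2: apparmor.d directory (default /etc/apparmor.d)
    dir="${2:-/etc/apparmor.d}"
    list_abstractions "$1" | while IFS= read -r name; do
        [ -e "$dir/abstractions/$name" ] || printf '%s\n' "$name"
    done
}

# Copy the profile into apparmor.d and load it in replace mode. Refuse if any
# abstraction is missing: apparmor_parser would fail on the unresolved include,
# and a profile that never loads leaves the program unconfined.
install_profile() {
    # $1: profile path, $2: apparmor.d directory (default /etc/apparmor.d)
    dir="${2:-/etc/apparmor.d}"
    missing="$(missing_abstractions "$1" "$dir")"
    if [ -n "$missing" ]; then
        printf 'missing abstractions for %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    cp "$1" "$dir/" && apparmor_parser -r "$dir/$(basename "$1")"
}
```

Run `install_profile usr.sbin.haveged` as root after copying any abstractions it reports as missing.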
Searching for more AppArmor profiles
Some software in Ubuntu includes AppArmor profiles, and it is enough to just install the package and activate the profile afterwards.
- Ubuntu apparmor-profiles bazaar branch
- insanitybit.com was a popular resource for AppArmor profiles back in the day
- [Falcon-peregrinus/apparmor-profiles](https://github.com/Falcon-peregrinus/apparmor-profiles)
- [mk-fg/apparmor-profiles](https://github.com/mk-fg/apparmor-profiles)
- And more profiles on GitHub
About abstractions and private-files
With the help of abstractions you can make profiles faster and cleaner. For example, for an Xorg application you need the X abstraction, and a profile for a Java application could be a real pain without the java abstraction.
Check the abstractions here.
Alongside the software abstractions there are the private-files abstractions, which block access to private files for software that is not very restricted, and block the really sensitive parts.
You may also find the user read/write abstractions very useful for easily specifying access to media, mount points and tmp for the user.
Near-future plans for this repository
Import well-made profiles from upstream and other sources into this repository, most likely from the apparmor-profiles bazaar branch first. As always, pull requests are welcome!