apparmor.d - Full set of AppArmor profiles (~ 1500 profiles)

Patrick · October 24, 2023, 12:04pm

roddhjav · October 24, 2023, 7:19pm

Author of apparmor.d here. Supporting whonix in apparmor.d is planned, but in pause due to time constraint (and a few technical issues). See: Full system policy profile - Question · roddhjav/apparmor.d · Discussion #233 · GitHub

Patrick · October 25, 2023, 5:54pm

Wow, that’s awesome!

Patrick · November 15, 2023, 11:49am

github.com/roddhjav/apparmor.d

porting upstream profiles to apparmor.d?

opened 11:40AM - 15 Nov 23 UTC

adrelanos

@monsieuremre commented on [58b5773](https://github.com/roddhjav/apparmor.d/comm…it/58b577385e68f9aeeba5fafc8a87c30b90cc8e17) [yesterday](https://github.com/roddhjav/apparmor.d/commit/58b577385e68f9aeeba5fafc8a87c30b90cc8e17#commitcomment-132491733) > [...] Maybe stuff like [sdwdate](https://github.com/Kicksecure/sdwdate). Most whonix utils have their profiles. I think @roddhjav would be open to having those profiles ported into here, if you are into that kind of thing. If not, it might be necessary to add these profiles as install dependencies for the `.deb` target produced for whonix/kicksecure.

Patrick · November 16, 2023, 2:00am

github.com/roddhjav/apparmor.d

review apparmor profiles by Kicksecure / Whonix

opened 01:45AM - 16 Nov 23 UTC

adrelanos

As mentioned in https://github.com/roddhjav/apparmor.d/issues/250 Not sure ho…w useful it is to create such a list. Links might change over the years (do to file name changes, removed profiles, added profiles). Might be more useful within derivative-maker source code folder to run something like this: find . -type f -not -iwholename '*.git*' | grep apparmor.d Here is the list: https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/whonix-firewall https://github.com/Whonix/whonix-firewall/tree/master/etc/apparmor.d/abstractions/whonix-firewall https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/system_tor.anondist https://github.com/Whonix/anon-gw-anonymizer-config/tree/master/etc/apparmor.d/local/usr.bin.obfsproxy.anondist https://github.com/Whonix/onion-grater/tree/master/etc/apparmor.d/usr.lib.onion-grater https://github.com/Whonix/kloak/tree/master/etc/apparmor.d/usr.sbin.kloak https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.sdwdate https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/usr.bin.url_to_unixtime https://github.com/Kicksecure/sdwdate/tree/master/etc/apparmor.d/abstractions/url_to_unixtime https://github.com/Kicksecure/bootclockrandomization/tree/master/etc/apparmor.d/bootclockrandomization https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/usr.bin.tor-circuit-established-check https://github.com/Kicksecure/helper-scripts/tree/master/etc/apparmor.d/abstractions/tor-circuit-established-check https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/anondist https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/live-mode https://github.com/Kicksecure/apparmor-profile-dist/tree/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist https://github.com/Kicksecure/apparmor-profile-dist/blob/master/etc/apparmor.d/abstractions/base.d/kicksecure https://github.com/Kicksecure/security-misc/tree/master/etc/apparmor.d/tunables/home.d/security-misc https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.libexec.systemcheck.canary https://github.com/Kicksecure/systemcheck/tree/master/etc/apparmor.d/usr.bin.systemcheck https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/usr.bin.timesanitycheck https://github.com/Kicksecure/timesanitycheck/tree/master/etc/apparmor.d/abstractions/timesanitycheck https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/sandbox-app-launcher https://github.com/Kicksecure/sandbox-app-launcher/tree/master/etc/apparmor.d/abstractions/sandbox-app-launcher https://github.com/Kicksecure/apparmor-profile-thunderbird/tree/master/etc/apparmor.d/local/usr.bin.thunderbird https://github.com/Kicksecure/apparmor-profile-torbrowser/tree/master/etc/apparmor.d/home.tor-browser.firefox https://github.com/Kicksecure/apparmor-profile-hexchat/tree/master/etc/apparmor.d/usr.bin.hexchat

Patrick · March 6, 2024, 12:04pm

Patrick · March 6, 2024, 12:19pm

github.com/roddhjav/apparmor.d

build process should not require a network connection

opened 12:19PM - 06 Mar 24 UTC

adrelanos

dpkg-buildpackage -b -d --no-sign ``` go: downloading golang.org/x/exp v0.0.…0-20240222234643-814bf88cf225 go: downloading github.com/arduino/go-paths-helper v1.12.0 go: downloading github.com/pkg/errors v0.9.1 ``` This is probably a blocker for `apparmor.d` be eligible to be added to `packages.debian.org`. Quote https://wiki.debian.org/buildd > no network -- most buildds will have no network access available. Your package build+test process must not attempt to use the network or assume that any network interface is available. More references: * https://lists.debian.org/debian-devel/2016/09/msg00082.html * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568 * https://www.debian.org/doc/debian-policy/policy.pdf * > For packages in the main archive, required targets must not attempt network access, except, via the loopback interface, to services on the build host that have been started by the build. Ubuntu might inherit the same policy. Fedora has a similar policy. Quote https://docs.fedoraproject.org/en-US/packaging-guidelines/#_build_time_network_access > Packages in the Fedora buildsystem are built in a mock chroot with no access to the internet. Packages must not depend or or use any network resources that they don’t themselves create (i.e., for tests). In no cases should source code be downloaded from any external sources, only from the lookaside cache and/or the Fedora git repository. It can be assumed that many other distributions have similar policies. Embedded code copies are also not permissible in Debian as per: https://wiki.debian.org/EmbeddedCopies So what is the right way to package this? I don't know. For Debian, most likely, all build and runtime dependencies would need to be packages and uploaded to `packages.debian.org` separately. Ideally, apparmor.d would not require any dependencies unavailable from official distribution package repositories. For Kicksecure, Whonix, the same policies have been inherited.

Patrick · March 6, 2024, 1:14pm

Debian request for packaging:
RFP: apparmor.d - Full set of AppArmor profiles (~ 1500 profiles)

Patrick · March 7, 2024, 12:28pm