Skip to content

nobody43/apparmor-profiles

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits

abstractions/3rd

abstractions/3rd

 
 

local

local

 
 

systemd/system

systemd/system

 
 

tunables/3rd

tunables/3rd

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

murmurd

murmurd

 
 

usr.bin.curl

usr.bin.curl

 
 

usr.bin.ristretto

usr.bin.ristretto

 
 

usr.lib.systemd.systemd-timesyncd

usr.lib.systemd.systemd-timesyncd

 
 

usr.local.bin.gallery-dl

usr.local.bin.gallery-dl

 
 

usr.local.bin.linux_czkawka

usr.local.bin.linux_czkawka

 
 

usr.local.bin.youtube-dl

usr.local.bin.youtube-dl

 
 

usr.local.bin.youtubedl-gui

usr.local.bin.youtubedl-gui

 
 

usr.sbin.openvpn

usr.sbin.openvpn

 
 

usr.sbin.yadifad

usr.sbin.yadifad

 
 

Repository files navigation

apparmor-profiles

This repository is an experimental downstream of apparmor.d project.

Prerequisites

# apt install apparmor-utils

Testing

# mv usr.bin.curl /etc/apparmor.d/
# aa-complain /etc/apparmor.d/usr.bin.curl

Error log is /var/log/syslog by default.

Installation

# aa-enforce /etc/apparmor.d/usr.bin.curl

Profiles

curl

WARNING: custom applications might fail without adjustment!

Dependencies

  • abstractions/3rd/nameservice-strict

Compatibility

  • Pi-hole (commented out by default)

Tested on

  • Debian 10
  • Armbian Buster
  • Xubuntu 21.04 (commented out by default)

czkawka

Snap releases are not supported.

Dependencies

  • abstractions/3rd/file-chooser
  • abstractions/3rd/nameservice-strict
  • local/usr.lib.libreoffice.program.soffice.bin
  • usr.bin.ristretto

Options

  • write access on home
  • interactive file-chooser dialog
  • opening files with xdg-open
  • various sanitized_helper transitions
  • disabled dbus-overwrite

Tested on

  • Xubuntu 21.04
  • Ubuntu 21.04

ristretto

Options

  • file deletion by write access
  • editing with dash transition
  • disabled interactive file-chooser dialog

Tested on

  • Debian 10
  • Xubuntu 21.04-21.10

openvpn

Without NetworkManager. Without interactive credentials supplying, so be sure to provide them in config with auth-user-pass.

Dependencies

  • abstractions/3rd/nameservice-strict

Tested on

  • Debian 10-11

yadifad

Without transfers.

Tested on

  • Debian 10-11

youtube-dl

No auto-update and debug. No access to browser cookies ATM.

Dependencies

  • abstractions/3rd/nameservice-strict

Options

  • disabled --exec
  • disabled .netrc auth

Compatibility

  • yt-dlp

Tested on

  • Debian 10
  • Xubuntu 21.04-21.10
  • Ubuntu 21.04

youtubedl-gui

Flatpack releases are not supported.

Dependencies

  • abstractions/3rd/nameservice-strict
  • usr.local.bin.youtube-dl

Options

  • disabled interactive file-chooser dialog
  • disabled dbus-overwrite
  • disabled qt5-settings-write
  • disabled network access

Tested on

  • Debian 10
  • Xubuntu 21.04-21.10
  • Ubuntu 21.04

gallery-dl

pip version only.

Tested on

  • Debian 10
  • Xubuntu 21.10

systemd-timesyncd

Tested on

  • Debian 10-11
  • Xubuntu 21.10

murmurd

No DBus or ICE.

Tested on

  • Debian 11

Links

About

Improve your system's security.

Topics

linux security openvpn curl youtube-dl hardening apparmor ristretto mandatory-access-control murmurd systemd-timesyncd yadifa apparmor-profiles gallery-dl czkawka

Resources

Readme

License

GPL-2.0 license
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published