Configuration
AppArmor¶
As there are a lot of rules, it is recommended to enable caching of AppArmor profiles. In /etc/apparmor/parser.conf, add write-cache and Optimize=compress-fast.
echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
Info
See Speed up AppArmor Start on the Arch Wiki for more information:
Personal directories¶
Danger
You need to ensure that all personal directories you are using are well-defined XDG directories. You may need to edit these variables to your own settings.
This project is designed so that it is easy to personalize the directories your programs have access to by defining a few variables.
The profiles heavily use the (largely extended) XDG directory variables defined in the Variables Reference page.
XDG variables overview
See the Variables Reference page for more.
Description | Name | Value |
---|---|---|
Desktop | @{XDG_DESKTOP_DIR} | Desktop |
Download | @{XDG_DOWNLOAD_DIR} | Downloads |
Templates | @{XDG_TEMPLATES_DIR} | Templates |
Public | @{XDG_PUBLICSHARE_DIR} | Public |
Documents | @{XDG_DOCUMENTS_DIR} | Documents |
Music | @{XDG_MUSIC_DIR} | Music |
Pictures | @{XDG_PICTURES_DIR} | Pictures |
Videos | @{XDG_VIDEOS_DIR} | Videos |
Books | @{XDG_BOOKS_DIR} | Books |
Projects | @{XDG_PROJECTS_DIR} | Projects |
Screenshots | @{XDG_SCREENSHOTS_DIR} | @{XDG_PICTURES_DIR}/Screenshots |
Sync | @{XDG_SYNC_DIR} | Sync |
Torrents | @{XDG_TORRENTS_DIR} | Torrents |
Vm | @{XDG_VM_DIR} | .vm |
Wallpapers | @{XDG_WALLPAPERS_DIR} | @{XDG_PICTURES_DIR}/Wallpapers |
You can personalize these values.
First create the directory /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d, then create a local addition file in it where you define your own personal directories. Example:
@{XDG_VIDEOS_DIR}+="Films"
@{XDG_MUSIC_DIR}+="Musique"
@{XDG_PICTURES_DIR}+="Images"
@{XDG_BOOKS_DIR}+="BD" "Comics"
@{XDG_PROJECTS_DIR}+="Git" "Papers"
Then restart the AppArmor service to reload the profiles in the kernel:
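The steps above (create the directory, write the local addition file, restart AppArmor) as one script. This is an added example, not part of apparmor.d: it lints the addition file before installing it, because these values are expanded inside profile path rules and a value such as "/" or "*" would open far more than one personal directory. The function names, the ROOT dry-run prefix and the rejection rules are assumptions of this example.

```sh
#!/bin/sh
# Added example, not apparmor.d's own tooling. ROOT is a hypothetical prefix
# for dry runs; leave it unset to write under the real /etc (as root).

# Succeeds only if every non-blank, non-comment line of FILE reads
#   @{XDG_<NAME>_DIR}+="value" ["value" ...]
# and no value is absolute, contains a ".." component or a glob (* ? [).
# These rejection rules are this example's conservative assumption.
check_xdg_additions() {
    awk '
        function risky(v) {
            return substr(v, 1, 1) == "/" || index("/" v "/", "/../") ||
                   index(v, "*") || index(v, "?") || index(v, "[")
        }
        /^[ \t]*(#.*)?$/ { next }
        !/^@[{]XDG_[A-Z_]+_DIR[}][+]=("[^"]+"[ \t]*)+$/ {
            printf "line %d: not an @{XDG_*_DIR}+= addition\n", NR
            bad = 1; next
        }
        {
            vals = $0; sub(/^[^=]*=/, "", vals)
            n = split(vals, q, "\"")          # even fields are the quoted values
            for (i = 2; i <= n; i += 2)
                if (risky(q[i])) {
                    printf "line %d: \"%s\" would widen access\n", NR, q[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1" >&2
}

# Lints SRC, then installs it as the "local" addition file named on this page.
install_xdg_additions() {
    dir="${ROOT:-}/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d"
    check_xdg_additions "$1" || return 1
    mkdir -p "$dir" && install -m 0644 "$1" "$dir/local"
}
# Real use, as root: install_xdg_additions ./my-dirs && systemctl restart apparmor

if [ "${1:-}" = demo ]; then    # constructed sample input, linted only
    f=$(mktemp)
    printf '%s\n' '@{XDG_VIDEOS_DIR}+="Films"' '@{XDG_PROJECTS_DIR}+="/"' > "$f"
    check_xdg_additions "$f" || echo "rejected"
    rm -f "$f"
fi
```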
Examples
- For git support, you may want to add your GO_PATH in the XDG_PROJECTS_DIR:
- If you use Keepass, personalize XDG_PASSWORD_STORE_DIR with your password directory. Eg:
- Add pacman integration with your AUR helper. Eg for yay:
Local profile extensions¶
You can extend any profile with your own rules by creating a file in the /etc/apparmor.d/local/ directory with the name of your profile. For example, to extend the foo profile, create a file /etc/apparmor.d/local/foo and add your rules in it.
Example
child-open is a profile that allows other programs to open resources (URLs, pictures, books...) with some predefined GUI applications. To allow it to open URLs with Firefox, create the file /etc/apparmor.d/local/child-open with:
Note
This is an example, no need to add Firefox into child-open, it is already there.
Info
rPx allows transition to the Firefox profile. Use rPUx to allow transition to an unconfined state if you do not have the profile for a given program.
Then, reload the AppArmor rules with sudo systemctl restart apparmor.