Installation
Setup
Danger
Do not expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a feature.
Due to the development stage of this project, the default package configuration installs all profiles in complain mode. The recommended installation workflow is as follows:
- Configure AppArmor for apparmor.d.
- Install apparmor.d in the (default) complain mode.
- Configure your personal directories.
- Reboot your system.
- You must check for any AppArmor logs with aa-log.
- Report any raised logs.
- Use the profiles in complain mode for a while (a week), and regularly check for new AppArmor logs.
- Only if there are no logs raised for your daily usage, install it in enforce mode.
Requirements
AppArmor
An AppArmor supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.
Desktop environment
The following desktop environments are supported:
- Gnome (GDM)
- KDE (SDDM)
- XFCE (Lightdm) (work in progress)
Build dependency
- Go >= 1.23
- just >= 1.40.0
Configure AppArmor
As there are a lot of rules (~100k lines), it is recommended to enable fast caching compression of AppArmor profiles. Early policy load must also be enabled.
In /etc/apparmor/parser.conf ensure you have:
write-cache
cache-loc /etc/apparmor/earlypolicy/
Optimize=compress-fast
Or run:
echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'cache-loc /etc/apparmor/earlypolicy/' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
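The `tee -a` commands above append unconditionally, so running them twice duplicates lines. As an added example (not part of apparmor.d), this POSIX shell function appends only the settings that are missing and leaves the file untouched when it already sets a different cache-loc; the function name `ensure_parser_conf` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of apparmor.d: apply the parser.conf settings above
# idempotently. Only settings that are not already active get appended.
CACHE_LOC='cache-loc /etc/apparmor/earlypolicy/'

# ensure_parser_conf FILE  (hypothetical helper name)
# Returns 0 when all three settings are active afterwards, 1 if FILE is missing,
# 2 if FILE already has another active cache-loc line (left for manual review).
ensure_parser_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Active settings only: drop comments and surrounding whitespace.
    active=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")

    # Any active cache-loc line other than the expected one is a conflict.
    other=$(printf '%s\n' "$active" | grep '^cache-loc' | grep -vxF -- "$CACHE_LOC" || true)
    if [ -n "$other" ]; then
        echo "conflict in $conf: $other" >&2
        return 2
    fi

    # Do not glue an appended setting onto an unterminated last line.
    if [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi

    for want in 'write-cache' "$CACHE_LOC" 'Optimize=compress-fast'; do
        if ! printf '%s\n' "$active" | grep -qxF -- "$want"; then
            printf '%s\n' "$want" >> "$conf"
            echo "added: $want"
        fi
    done
}

# Usage as a script; root is needed for the real file.
if [ "$#" -gt 0 ]; then
    ensure_parser_conf "$1"
fi
```

Run it as root with /etc/apparmor/parser.conf as the argument; a commented-out setting such as `#Optimize=compress-fast` is treated as absent.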
Installation
apparmor.d is available in the Arch User Repository:
apparmor.d is available under the pkg.pujol.io Debian repository. The repository is signed with my GPG key. Configure it as follows:
sudo apt-get install wget gnupg
wget -qO - https://pkg.pujol.io/debian/gpgkey \
| gpg --dearmor \
| sudo tee /usr/share/keyrings/roddhjav.gpg >/dev/null
cat <<-EOF | sudo tee /etc/apt/sources.list.d/roddhjav.sources
Types: deb
URIs: https://pkg.pujol.io/debian/repo
Suites: $(lsb_release -cs)
Components: main
Signed-By: /usr/share/keyrings/roddhjav.gpg
EOF
sudo apt-get update
Install the package:
Warning
Only Ubuntu 24.04, 25.10, and 26.04 are currently supported.
apparmor.d is available under the pkg.pujol.io Debian repository. The repository is signed with my GPG key. Configure it as follows:
sudo apt-get install wget gnupg
wget -qO - https://pkg.pujol.io/debian/gpgkey \
| gpg --dearmor \
| sudo tee /usr/share/keyrings/roddhjav.gpg >/dev/null
cat <<-EOF | sudo tee /etc/apt/sources.list.d/roddhjav.sources
Types: deb
URIs: https://pkg.pujol.io/debian/repo
Suites: $(lsb_release -cs)
Components: main
Signed-By: /usr/share/keyrings/roddhjav.gpg
EOF
sudo apt-get update
Install the package:
Warning
Only trixie is currently supported.
openSUSE users need to add the cboltz repo on OBS:
For test purposes, you can install specific profiles with the following commands. Abstractions, tunables, and most of the OS-dependent post-processing are managed.
Warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (rPx -> rPUx). The installation process warns about the missing profiles so that you can easily install them if desired. (PRs are welcome, see #77)
For instance, sudo just local pass gives:
Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip rPx,
@{python_path} rPx -> pass-import, # pass-import
@{pager_path} rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
wl-copy, xclip, pass-import, and child-pager if desired.