Installation
Warning
To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the Enforce Mode page.
After installation, you must regularly check AppArmor log with aa-log
. You can also configure a desktop notification on denied actions.
Danger
Do not expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature.
Requirements¶
AppArmor
An AppArmor
supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.
Desktop environment
The following desktop environments are supported:
- Gnome
- KDE
- XFCE (work in progress)
Build dependency
- Go >= 1.18
Arch Linux¶
apparmor.d-git
is available in the Arch User Repository:
Or without an AUR helper:
Ubuntu & Debian¶
Build the package from sources:
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb
Note
Debian user may need golang from the backports repository to build:
Warning
Beware: do not install a .deb
made for Debian on Ubuntu, the packages are different.
If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting DISTRIBUTION=debian
if is Debian based, or DISTRIBUTION=ubuntu
if it is Ubuntu based.
openSUSE¶
openSUSE users need to add cboltz repo on OBS
zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo
zypper refresh
zypper install apparmor.d
Partial install¶
For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.
Warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (rPx
-> rPUx
). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see #77)
For instance, sudo make pass
gives:
Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip rPx,
@{bin}/python3.@{int} rPx -> pass-import, # pass-import
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
wl-copy
, xclip
, pass-import
, and child-pager
if desired. Uninstall¶
- Arch Linux
sudo pacman -R apparmor.d
- Ubuntu & Debian
sudo apt purge apparmor.d
- openSUSE
sudo zypper remove apparmor.d