Installation
Setup¶
Danger
Do not expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a feature.
Due to the development stage of this project, the default package configuration installs all profiles in complain mode. The recommended installation workflow is as-follow:
- Configure AppArmor AppArmor for apparmor.d.
- Install apparmor.d in the (default) complain mode.
- Configure your personal directories.
- Reboot your system.
- You must check for any AppArmor logs with
aa-log. - Report any raised logs.
- Use the profiles in complain mode for a while (a week), regularly check for new AppArmor logs.
- Only if there are no logs raised for your daily usage, install it in enforce mode.
Requirements¶
AppArmor
An AppArmor supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.
Desktop environment
The following desktop environments are supported:
- Gnome (GDM)
- KDE (SDDM)
- XFCE (Lightdm) (work in progress)
Build dependency
- Go >= 1.21
Configure AppArmor¶
As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In /etc/apparmor/parser.conf, add write-cache and Optimize=compress-fast:
echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
Installation¶
apparmor.d-git is available in the Arch User Repository:
Or without an AUR helper:
Build the package from sources:
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb
Warning
Beware: do not install a .deb made for Debian on Ubuntu, the packages are different.
If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting DISTRIBUTION=ubuntu.
Build the package from sources:
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb
Note
You may need golang from the backports repository to build:
Warning
Beware: do not install a .deb made for Ubuntu on Debian, the packages are different.
If your distribution is based on Debian, you may want to manually set the target distribution by exporting DISTRIBUTION=debian.
openSUSE users need to add cboltz repo on OBS:
For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.
Warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (rPx -> rPUx). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see #77)
For instance, sudo make pass gives:
Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip rPx,
@{bin}/python3.@{int} rPx -> pass-import, # pass-import
@{pager_path} rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
wl-copy, xclip, pass-import, and child-pager if desired. Next: Configure your personal directories