{"id":13585714,"url":"https://github.com/mk-fg/apparmor-profiles","last_synced_at":"2025-04-23T23:31:36.829Z","repository":{"id":2391893,"uuid":"3358040","full_name":"mk-fg/apparmor-profiles","owner":"mk-fg","description":"My local AppArmor profiles for apps that can use those","archived":false,"fork":false,"pushed_at":"2024-02-03T15:51:05.000Z","size":232,"stargazers_count":66,"open_issues_count":0,"forks_count":17,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-02-14T21:14:52.985Z","etag":null,"topics":["apparmor-profile","desktop","linux","lsm","sandboxing","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mk-fg.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-02-05T07:00:16.000Z","updated_at":"2024-06-27T23:27:08.680Z","dependencies_parsed_at":"2023-10-14T18:45:55.869Z","dependency_job_id":"6de3ae0b-9a34-4185-845d-36bd4b356e81","html_url":"https://github.com/mk-fg/apparmor-profiles","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fapparmor-profiles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fapparmor-profiles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fapparmor-profiles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fapparmor-profiles/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/mk-fg","download_url":"https://codeload.github.com/mk-fg/apparmor-profiles/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250532051,"owners_count":21446107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor-profile","desktop","linux","lsm","sandboxing","security"],"created_at":"2024-08-01T15:05:06.163Z","updated_at":"2025-04-23T23:31:36.793Z","avatar_url":"https://github.com/mk-fg.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"apparmor-profiles\n=================\n\nAppArmor profiles I use for binary or potentially complex/dangerous/exposed apps\nlike browsers, random electron and wine stuff, proprietary things, etc.\n\nRepository URLs:\n\n- https://github.com/mk-fg/apparmor-profiles\n- https://codeberg.org/mk-fg/apparmor-profiles\n- https://fraggod.net/code/git/apparmor-profiles\n\nOn the desktop, even confined to user's uid, such apps still get unwanted access\nto a lot of things in $HOME and can read a lot of poorly-secured files on the system\n(like /etc/passwd or some non-chmodded config), which is obviously undesirable,\nand what AppArmor can help to fix.\n\nSome profiles and abstractions are reused from upstreams like ubuntu, suse and\nvarious misc other repos, but often found them too lax or bloated for specific\nsystem (currently Arch Linux), allowing stuff like ``@{HOME}/** r``, so prefer to\nuse them just for reference, copying only obvious and safe access lines from there,\ngetting (or confirming) the rest from 
audit logs.\n\nMain doc on rule syntax:\nhttps://gitlab.com/apparmor/apparmor/wikis/AppArmor_Core_Policy_Reference\n\nI use apparmor_init_ script (under \"scripts\" dir) to load these profiles with\nsome caching and \"--override-policy-abi\" option to avoid needing boilerplate\nfor it in every file - they are intended to always work together anyway.\n\n.. _apparmor_init: scripts/apparmor_init\n\nImportant note\n--------------\n\nThis is more of a \"my configuration\" repository, and profiles here are mostly\nwritten in an ad-hoc fashion for my system, not to be generic fit for any linux\n(or even app usage scenario) out there.\n\nPlus I'm no security expert, so can - and do - miss some things, only making\nsure that the most obvious bad things can't happen (or will trigger a warning),\nnot trying to build super-secure system or anything, thinking of it more like\nbasic hygiene than hardening against a dedicated attacker.\n\nTherefore it might be wise to only use these profiles for reference\n(e.g. to get the general idea where app needs access), and not as a drop-in config.\n\nSome paths in profiles like @{HOME\\_GIT} and @{SYS\\_GIT} are specific to my\nsystems (configuration git repos), and can/should be removed or updated to some\nother local paths.\n\nSee also\n--------\n\n- Flatpak, Snap, AppImage, Docker/Podman - one of the goals of these containers\n  is security and isolation too, though usually not the primary one,\n  but LSMs like AppArmor/SELinux can be added there too, to help with that.\n\n- `Landlock LSM`_ - relatively new (2021) unprivileged-sandboxing LSM, kinda like\n  AppArmor except you load profile in a wrapper or when starting the app itself,\n  without needing uid=root or any fancy capabilities for it.\n\n.. 
_Landlock LSM: https://landlock.io/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmk-fg%2Fapparmor-profiles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmk-fg%2Fapparmor-profiles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmk-fg%2Fapparmor-profiles/lists"}