{"id":16387056,"url":"https://github.com/oxagast/apparmor","last_synced_at":"2025-02-22T10:18:54.735Z","repository":{"id":92320484,"uuid":"396735956","full_name":"oxagast/apparmor","owner":"oxagast","description":"Copy of the GitLab AppArmor Repo","archived":false,"fork":false,"pushed_at":"2021-08-16T10:20:40.000Z","size":5329,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-11T22:56:59.319Z","etag":null,"topics":["apparmor","linux-security-module","security"],"latest_commit_sha":null,"homepage":"https://apparmor.net/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oxagast.png","metadata":{"files":{"readme":"README.md","changelog":"changehat/mod_apparmor/COPYING.LGPL","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-16T10:11:49.000Z","updated_at":"2022-11-09T02:43:12.000Z","dependencies_parsed_at":"2023-05-16T20:45:24.327Z","dependency_job_id":null,"html_url":"https://github.com/oxagast/apparmor","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxagast%2Fapparmor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxagast%2Fapparmor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxagast%2Fapparmor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxagast%2Fapparmor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oxagast","download_url":"https
://codeload.github.com/oxagast/apparmor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240156882,"owners_count":19756857,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor","linux-security-module","security"],"created_at":"2024-10-11T04:24:47.381Z","updated_at":"2025-02-22T10:18:54.712Z","avatar_url":"https://github.com/oxagast.png","language":"Python","readme":"# AppArmor\n\n[![Build status](https://gitlab.com/apparmor/apparmor/badges/master/build.svg)](https://gitlab.com/apparmor/apparmor/commits/master)\n[![Overall test coverage](https://gitlab.com/apparmor/apparmor/badges/master/coverage.svg)](https://gitlab.com/apparmor/apparmor/pipelines)\n[![Core Infrastructure Initiative Best Practices](https://bestpractices.coreinfrastructure.org/projects/1699/badge)](https://bestpractices.coreinfrastructure.org/projects/1699)\n\n------------\nIntroduction\n------------\nAppArmor protects systems from insecure or untrusted processes by\nrunning them in restricted confinement, while still allowing processes\nto share files, exercise privilege and communicate with other processes.\nAppArmor is a Mandatory Access Control (MAC) mechanism which uses the\nLinux Security Module (LSM) framework. The confinement's restrictions\nare mandatory and are not bound to identity, group membership, or object\nownership. 
The protections provided are in addition to the kernel's\nregular access control mechanisms (including DAC) and can be used to\nrestrict the superuser.\n\nThe AppArmor kernel module and accompanying user-space tools are\navailable under the GPL license (the exception is the libapparmor\nlibrary, available under the LGPL license, which allows change_hat(2)\nand change_profile(2) to be used by non-GPL binaries).\n\nFor more information, you can read the techdoc.pdf (available after\nbuilding the parser) or visit the https://apparmor.net/ web\nsite.\n\n----------------\nGetting in Touch\n----------------\n\nPlease send all complaints, feature requests, rants about the software,\nand questions to the\n[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).\n\nBug reports can be filed against the AppArmor project on\n[GitLab](https://gitlab.com/apparmor/apparmor/-/issues) or reported to the mailing\nlist directly for those who wish not to register for an account on\nGitLab. See the\n[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)\nfor more information.\n\nSecurity issues can be filed in GitLab by opening up a new [issue](https://gitlab.com/apparmor/apparmor/-/issues) and selecting the tick box ```This issue is confidential and should only be visible to team members with at least Reporter access.``` or directed to `security@apparmor.net`. Additional details can be found\nin the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).\n\n\n--------------\nPrivacy Policy\n--------------\n\nThe AppArmor security project respects users' privacy and data and does not collect data from or on its users beyond what is required for a given component to function.\n\nThe AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. 
Again this is not forwarded to or collected by the AppArmor project.\n\nThe AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.\n\nUsers may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.\n\nThe AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.\n\nCurrently GitLab requires a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. 
Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.\n\n\n-------------\nSource Layout\n-------------\n\nAppArmor consists of several different parts:\n\n```\nbinutils/\tsource for basic utilities written in compiled languages\nchangehat/\tsource for using changehat with Apache, PAM and Tomcat\ncommon/\t\tcommon makefile rules\ndesktop/\tempty\nkernel-patches/\tcompatibility patches for various kernel versions\nlibraries/\tlibapparmor source and language bindings\nparser/\t\tsource for parser/loader and corresponding documentation\nprofiles/\tconfiguration files, reference profiles and abstractions\ntests/\t\tregression and stress testsuites\nutils/\t\thigh-level utilities for working with AppArmor\n```\n\n--------------------------------------\nImportant note on AppArmor kernel code\n--------------------------------------\n\nWhile most of the kernel AppArmor code has been accepted in the\nupstream Linux kernel, a few important pieces were not included. These\nmissing pieces unfortunately are important bits for AppArmor userspace\nand kernel interaction; therefore we have included compatibility\npatches in the kernel-patches/ subdirectory, versioned by upstream\nkernel (2.6.37 patches should apply cleanly to 2.6.38 source).\n\nWithout these patches applied to the kernel, the AppArmor userspace\nwill not function correctly.\n\n------------------------------------------\nBuilding and Installing AppArmor Userspace\n------------------------------------------\n\nTo build and install AppArmor userspace on your system, build and install in\nthe following order. Some systems may need to export various python-related\nenvironment variables to complete the build. 
For example, before building\nanything on these systems, use something along the lines of:\n\n```\n$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)\n$ export PYTHON=/usr/bin/python3\n$ export PYTHON_VERSION=3\n$ export PYTHON_VERSIONS=python3\n```\n\n### libapparmor:\n\n```\n$ cd ./libraries/libapparmor\n$ sh ./autogen.sh\n$ sh ./configure --prefix=/usr --with-perl --with-python # see below\n$ make\n$ make check\n$ make install\n```\n\n[an additional optional argument to libapparmor's configure is --with-ruby, to\ngenerate Ruby bindings to libapparmor.]\n\n\n### Binary Utilities:\n\n```\n$ cd binutils\n$ make\n$ make check\n$ make install\n```\n\n### Parser:\n\n```\n$ cd parser\n$ make\t\t# depends on libapparmor having been built first\n$ make check\n$ make install\n```\n\n\n### Utilities:\n\n```\n$ cd utils\n$ make\n$ make check PYFLAKES=/usr/bin/pyflakes3\n$ make install\n```\n\n### Apache mod_apparmor:\n\n```\n$ cd changehat/mod_apparmor\n$ make\t\t# depends on libapparmor having been built first\n$ make install\n```\n\n\n### PAM AppArmor:\n\n```\n$ cd changehat/pam_apparmor\n$ make\t\t# depends on libapparmor having been built first\n$ make install\n```\n\n\n### Profiles:\n\n```\n$ cd profiles\n$ make\n$ make check\t# depends on the parser having been built first\n$ make install\n```\n\n[Note that for the parser, binutils, and utils, if you only wish to build/use\n some of the locale languages, you can override the default by passing\n the LANGS arguments to make; e.g. make all install \"LANGS=en_US fr\".]\n\n-------------------\nAppArmor Testsuites\n-------------------\n\nA number of testsuites are in the AppArmor sources. Most have documentation on\nusage and how to update and add tests. 
Below is a quick overview of their\nlocation and how to run them.\n\n\nRegression tests\n----------------\nFor details on structure and adding tests, see\ntests/regression/apparmor/README.\n\nTo run:\n\n### Regression tests - using apparmor userspace installed on host\n```\n$ cd tests/regression/apparmor (requires root)\n$ make USE_SYSTEM=1\n$ sudo make tests USE_SYSTEM=1\n$ sudo bash open.sh -r\t # runs and saves the last testcase from open.sh\n```\n\n### Regression tests - using apparmor userspace from the tree.\n- [build libapparmor](#libapparmor)\n- [build binutils](#binary-utilities)\n- [build apparmor parser](#parser)\n- [build Pam apparmor](#pam-apparmor)\n\n```\n$ cd tests/regression/apparmor (requires root)\n$ make\n$ sudo make tests\n$ sudo bash open.sh -r\t # runs and saves the last testcase from open.sh\n```\n\nParser tests\n------------\nFor details on structure and adding tests, see parser/tst/README.\n\nTo run:\n\n```\n$ cd parser/tst\n$ make\n$ make tests\n```\n\nLibapparmor\n-----------\nFor details on structure and adding tests, see libraries/libapparmor/README.\n\n```\n$ cd libraries/libapparmor\n$ make check\n```\n\nUtils\n-----\nTests for the Python utilities exist in the test/ subdirectory.\n\n```\n$ cd utils\n$ make check\n```\n\nThe aa-decode utility to be tested can be overridden by\nsetting up environment variable APPARMOR_DECODE; e.g.:\n\n```\n$ APPARMOR_DECODE=/usr/bin/aa-decode make check\n```\n\nProfile checks\n--------------\nA basic consistency check to ensure that the parser and aa-logprof parse\nsuccessfully the current set of shipped profiles. 
The system or other\nparser and logprof can be passed in by overriding the PARSER and LOGPROF\nvariables.\n\n```\n$ cd profiles\n$ make \u0026\u0026 make check\n```\n\nStress Tests\n------------\nTo run AppArmor stress tests:\n\n```\n$ make all\n```\n\nUse these:\n\n```\n$ ./change_hat\n$ ./child\n$ ./kill.sh\n$ ./open\n$ ./s.sh\n```\n\nOr run all at once:\n\n```\n$ ./stress.sh\n```\n\nPlease note that the above will stress the system so much it may end up\ninvoking the OOM killer.\n\nTo run parser stress tests (requires /usr/bin/ruby):\n\n```\n$ ./stress.sh\n```\n\n(see stress.sh -h for options)\n\nCoverity Support\n----------------\nCoverity scans are available to AppArmor developers at\nhttps://scan.coverity.com/projects/apparmor.\n\nIn order to submit a Coverity build for analysis, the cov-build binary\nmust be discoverable from your PATH. See the \"To Setup\" section of\nhttps://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of\ncov-build.\n\nTo generate a compressed tarball of an intermediate Coverity directory:\n\n```\n$ make coverity\n```\n\nThe compressed tarball is written to\napparmor-\u003cSNAPSHOT_VERSION\u003e-cov-int.tar.gz, where \u003cSNAPSHOT_VERSION\u003e\nis something like 2.10.90~3328, and must be uploaded to\nhttps://scan.coverity.com/projects/apparmor/builds/new for analysis. You must\ninclude the snapshot version in Coverity's project build submission form, in\nthe \"Project Version\" field, so that it is quickly obvious to all AppArmor\ndevelopers what snapshot of the AppArmor repository was used for the analysis.\n\n-----------------------------------------------\nBuilding and Installing AppArmor Kernel Patches\n-----------------------------------------------\n\nTODO\n\n\n-----------------\nRequired versions\n-----------------\n\nThe AppArmor userspace utilities are written with some assumptions about\ninstalled and available versions of other tools. 
This is a (possibly\nincomplete) list of known version dependencies:\n\nThe Python utilities require a minimum of Python 3.3.\n\nThe aa-notify tool's Python dependencies can be satisfied by installing the\nfollowing packages (Debian package names, other distros may vary):\n* python3-notify2\n* python3-psutil\n\nPerl is no longer needed since none of the utilities shipped to end users depend\non it anymore.\n\nMost shell scripts are written for POSIX-compatible sh. aa-decode expects\nbash, probably version 3.2 and higher.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foxagast%2Fapparmor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foxagast%2Fapparmor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foxagast%2Fapparmor/lists"}