mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-31 06:16:03 +00:00
Update apparmor 5 config layout spec
@@ -2,3 +2,72 @@ The following document is a spec for apparmor 5 config and policy layout. See xx
# configuration file location layout.
## default location
```
/etc/apparmor/
```
## global files
```
/etc/apparmor/<configuration file>
```
eg.
```
/etc/apparmor/parser.conf
```
## policy configuration directory
The policy configuration directory allows for multiple policy locations to be specified. For each policy locations, local configuration overrides can be specified that override the default, and global config options.
proposed locations, choose one
```
/etc/apparmor/conf.d/
/etc/apparmor/config.d/
/etc/apparmor/policy.d/
/etc/apparmor/layout.d/
```
todo figure out if we have a subdir per policy location, or just a file
# configuration file format
## global
use/support existing configs, maybe also support what every is used for per policy configs if it is different.
## per policy configs
Todo figure out format used by the figuration files
### config options
* profiles - where this policy's profiles are stored
* cache - where this policy's cache is stored, can be used to disable cache as well
* includes - where the includes are for the policy (can be shared between policy locations)
** abstractions? - where are the abstractions (can be shared between policy locations)
** tunnables? - where are the tunnables stored.
* overlay - ??? separate from profiles or maybe just list of paths in profiles, like the $PATH env var
* priority - ??? priority vs loading of other profile locations. This is used to order independent policy locations, this is effectively an overlay
* managed - does apparmor manage this policy or an external entity
* r/w? - whether this location is writable? for overlays, to know where things can be written.
* compiler config options -
* genprof/logprof options -
*
# profile layout
how is profile laid out so its sane/admin friendly when there are 1600+ profiles.
# cache layout
link to cache layout doc. Update doc to use kernel as part of subdir name to make more human friendly
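Review bot: the per-policy option list under "### config options" leaves the precedence rule undefined: `overlay` and `priority` both order policy locations (the `priority` entry even says "this is effectively an overlay"), so the spec should state which one decides when two locations carry a profile of the same name, whether a lower-priority location can ever replace a higher one, and what the parser does on a conflict (refuse, warn, or last-wins), because that rule determines which profile the kernel actually enforces. Related, `managed` and `r/w?` should say who is allowed to write an unmanaged or writable location and whether the parser verifies ownership and mode before trusting profiles found there; otherwise a writable overlay becomes a path for loading policy that the admin-managed location did not intend. Two smaller points: "tunnables" under `** tunnables?` should be "tunables", matching the existing include directory name, and the `** abstractions?` / `** tunnables?` lines will not render as nested items in markdown; indent them with spaces beneath `* includes` instead. Also, the context line fused into the hunk header still reads "See xx", so the cross-reference to the cache layout doc mentioned under "# cache layout" is missing in both places.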