diff --git a/apparmor-5-config-layout-spec.md b/apparmor-5-config-layout-spec.md index 64ee8e3..c9e2c23 100644 --- a/apparmor-5-config-layout-spec.md +++ b/apparmor-5-config-layout-spec.md 
@@ -2,3 +2,72 @@ The following document is a spec for apparmor 5 config and policy layout. See xx +# configuration file location layout. + + +## default location + +``` +/etc/apparmor/ +``` + +## global files +``` +/etc/apparmor/ +``` + +eg. +``` +/etc/apparmor/parser.conf +``` + +## policy configuration directory + +The policy configuration directory allows for multiple policy locations to be specified. For each policy locations, local configuration overrides can be specified that override the default, and global config options. + +proposed locations, choose one + +``` +/etc/apparmor/conf.d/ +/etc/apparmor/config.d/ +/etc/apparmor/policy.d/ +/etc/apparmor/layout.d/ +``` + +todo figure out if we have a subdir per policy location, or just a file + + +# configuration file format + +## global + +use/support existing configs, maybe also support what every is used for per policy configs if it is different. + +## per policy configs + +Todo figure out format used by the figuration files + +### config options + +* profiles - where this policy's profiles are stored +* cache - where this policy's cache is stored, can be used to disable cache as well +* includes - where the includes are for the policy (can be shared between policy locations) +** abstractions? - where are the abstractions (can be shared between policy locations) +** tunnables? - where are the tunnables stored. +* overlay - ??? separate from profiles or maybe just list of paths in profiles, like the $PATH env var +* priority - ??? priority vs loading of other profile locations. This is used to order independent policy locations, this is effectively an overlay +* managed - does apparmor manage this policy or an external entity +* r/w? - whether this location is writable? for overlays, to know where things can be written. +* compiler config options - +* genprof/logprof options - +* + +# profile layout + +how is profile laid out so its sane/admin friendly when there are 1600+ profiles. 
+ +# cache layout + +link to cache layout doc. Update doc to use kernel as part of subdir name to make more human friendly + +
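Review bot: the `priority` and `overlay` entries under "### config options" leave the resolution rule undefined, and that rule is the security-relevant part of this layout: when two policy locations both define a profile of the same name, the spec needs to state which one is loaded and whether a location marked writable via `r/w?` can shadow a profile from a higher-priority location that is `managed` by the packaging system. Suggest replacing the "???" placeholders with an explicit rule, for example "higher priority wins; a writable overlay may add profiles but not replace a managed profile unless explicitly configured", or at minimum recording that as the open question rather than leaving the semantics implied by "this is effectively an overlay". Smaller points in the same hunk: "tunnables" should read "tunables" (the spelling used elsewhere in AppArmor), "what every is used" should read "whatever is used", "figuration files" should read "configuration files", the trailing empty bullet `* ` at the end of the options list should be removed, and `cache - ... can be used to disable cache as well` should say what value disables it.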