mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-01 06:45:38 +00:00
Update apparmor 5 config layout spec
@@ -2,3 +2,72 @@ The following document is a spec for apparmor 5 config and policy layout. See xx
# configuration file location layout.
## default location
```
/etc/apparmor/
```
## global files
```
/etc/apparmor/<configuration file>
```
eg.
```
/etc/apparmor/parser.conf
```
## policy configuration directory
The policy configuration directory allows for multiple policy locations to be specified. For each policy locations, local configuration overrides can be specified that override the default, and global config options.
proposed locations, choose one
```
/etc/apparmor/conf.d/
/etc/apparmor/config.d/
/etc/apparmor/policy.d/
/etc/apparmor/layout.d/
```
todo figure out if we have a subdir per policy location, or just a file
# configuration file format
## global
use/support existing configs, maybe also support what every is used for per policy configs if it is different.
## per policy configs
Todo figure out format used by the figuration files
### config options
* profiles - where this policy's profiles are stored
* cache - where this policy's cache is stored, can be used to disable cache as well
* includes - where the includes are for the policy (can be shared between policy locations)
** abstractions? - where are the abstractions (can be shared between policy locations)
** tunnables? - where are the tunnables stored.
* overlay - ??? separate from profiles or maybe just list of paths in profiles, like the $PATH env var
* priority - ??? priority vs loading of other profile locations. This is used to order independent policy locations, this is effectively an overlay
* managed - does apparmor manage this policy or an external entity
* r/w? - whether this location is writable? for overlays, to know where things can be written.
* compiler config options -
* genprof/logprof options -
*
# profile layout
how is profile laid out so its sane/admin friendly when there are 1600+ profiles.
# cache layout
link to cache layout doc. Update doc to use kernel as part of subdir name to make more human friendly
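Review bot: the `priority` and `overlay` entries in the config options list both describe ordering between policy locations, but nothing in the hunk states which location wins when two of them define the same profile name, nor whether a location marked writable under `r/w?` but not `managed` may shadow a managed one; the spec should pin that precedence rule down explicitly, because it decides whether a lower-trust location can override distribution-managed policy. Smaller points in the same list: `compiler config options -`, `genprof/logprof options -` and the trailing bare `*` carry no description and should either be filled in or marked todo like the other open items; `** abstractions?` and `** tunnables?` will render as bold text rather than as sub-bullets of `includes` in Markdown, so indent them as nested `*` items instead; and `tunnables`, `what every is used` and `figuration files` read as typos for `tunables`, `whatever is used` and `configuration files`.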