author: Michael Palimaka <kensington@gentoo.org> 2013-04-18 05:50:14 +1000
committer: Michael Palimaka <kensington@gentoo.org> 2013-04-18 05:50:14 +1000
commit: fb010c56f2e220404d281dfeef0eb90cff66ad45 (patch)
tree: 92fa4a1cfa7bf6cc492e7697ec33b35acfff0be1
parent: Add orc use flag to the faq (diff)
download: hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.gz
hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.tar.bz2
hardened-docs-fb010c56f2e220404d281dfeef0eb90cff66ad45.zip
AppArmor guide has been moved to the wiki.
-rw-r--r--  html/apparmor.html  222
-rw-r--r--  xml/apparmor.xml    204
2 files changed, 0 insertions, 426 deletions
diff --git a/html/apparmor.html b/html/apparmor.html
deleted file mode 100644
index 291adb9..0000000
--- a/html/apparmor.html
+++ /dev/null
@@ -1,222 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Documentation
---
- Gentoo AppArmor Guide</title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
- This document is a work in progress and should not be considered official yet.
- </p></td></tr></table>
-<br><h1>Gentoo AppArmor Guide</h1>
-<form name="contents" action="http://www.gentoo.org">
-<b>Content</b>:
- <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
-<option value="#doc_chap2">2. Initial setup</option>
-<option value="#doc_chap3">3. Working with profiles</option></select>
-</form>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Introduction</p>
-<p>
-AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
-</p>
-<p>
-For each file path you specify, AppArmor will permit it only the permissions you grant.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample profile</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# ------------------------------------------------------------------
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-# ------------------------------------------------------------------
-
-#include &lt;tunables/global&gt;
-
-/sbin/klogd {
- #include &lt;abstractions/base&gt;
-
- capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
- capability syslog,
-
- network inet stream,
-
- /boot/System.map* r,
- @{PROC}/kmsg r,
- @{PROC}/kallsyms r,
- /dev/tty rw,
-
- /sbin/klogd rmix,
- /var/log/boot.msg rwl,
- /{,var/}run/klogd.pid krwl,
- /{,var/}run/klogd/klogd.pid krwl,
- /{,var/}run/klogd/kmsg r,
-}
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
- </span>Initial setup</p>
-<p class="secthead"><a name="doc_chap2_sect1">Kernel patching</a></p>
-<p>
-From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
-it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
-profiles - deactivation, listing, init script etc. will not work.
-</p>
-<p>
-The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <span class="code" dir="ltr">hardened-sources</span>,
-the patches will not cleanly apply. For convenience, a rebased version of the patches is
-<a href="https://github.com/kensington/apparmor-grsec/tarball/master">available</a>.
-</p>
-<p class="secthead"><a name="doc_chap2_sect2">Install utilities</a></p>
-<p>
-The AppArmor userspace utilities currently live in the
-<a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</a>.
-You should install layman, and then add the <span class="code" dir="ltr">hardened-dev</span> overlay:
-
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install userspace utilities</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">layman -a hardened-dev</span>
-# <span class="code-input">emerge apparmor-utils</span>
-<span class="code-comment">You will probably also wish to install some profiles to get started:</span>
-# <span class="code-input">emerge apparmor-profiles</span>
-</pre></td></tr>
-</table>
-
-</p>
-<p class="secthead"><a name="doc_chap2_sect3">Further configuration</a></p>
-<p>
-You may wish to edit the configuation files located in <span class="code" dir="ltr">/etc/apparmor</span>, however
-the default values will suit most users.
-</p>
-<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
- </span>Working with profiles</p>
-<p>
-Profiles are stored as simple text files in <span class="code" dir="ltr">/etc/apparmor.d</span>. They may take any name, and may be stored
-in subdirectories - you may organise them however it suits you.
-</p>
-<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Sample profile directory listing</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/etc/apparmor.d $ <span class="code-input">ls</span>
-abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd
-apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd
-bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd
-disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd
-local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
-</pre></td></tr>
-</table>
-<p>
-Profiles are referred to by name, including any parent subdirectories if present.
-</p>
-<p class="secthead"><a name="doc_chap3_sect2">Manual control</a></p>
-<p>
-To activate a profile, simply set it to enforce mode.
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile activation</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">aa-enforce usr.sbin.dnsmasq</span>
-Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
-</pre></td></tr>
-</table>
-</p>
-<p>
-Similarly, to deactive a profile, simply set it to complain mode.
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile deactivation</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">aa-complain usr.sbin.dnsmasq</span>
-Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
-</pre></td></tr>
-</table>
-</p>
-<p>
-The current status of your profiles may be viewed using <span class="code" dir="ltr">aa-status</span>.
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Profile status listing</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">aa-status</span>
-apparmor module is loaded.
-6 profiles are loaded.
-5 profiles are in enforce mode.
- /bin/ping
- /sbin/klogd
- /sbin/syslog-ng
- /usr/sbin/dnsmasq
- /usr/sbin/identd
-1 profiles are in complain mode.
- /usr/sbin/lspci
-1 processes have profiles defined.
-1 processes are in enforce mode.
- /usr/sbin/dnsmasq (12905)
-0 processes are in complain mode.
-0 processes are unconfined but have a profile defined.
-</pre></td></tr>
-</table>
-</p>
-<p class="secthead"><a name="doc_chap3_sect3">Automatic control</a></p>
-<p>
-The provided init script will automatically load all profiles located in your profile directory.
-Unless specifically specified otherwise, each profile will be loaded in enforce mode.
-</p>
-<br><p class="copyright">
- The contents of this document, unless otherwise expressly stated, are
- licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
- </p>
-<!--
- <rdf:RDF xmlns="http://web.resource.org/cc/"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-
- <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/">
-
- <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
- <permits rdf:resource="http://web.resource.org/cc/Distribution" />
- <requires rdf:resource="http://web.resource.org/cc/Notice" />
- <requires rdf:resource="http://web.resource.org/cc/Attribution" />
- <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
- <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
- </License>
- </rdf:RDF>
---><br>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="apparmor.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated July 10, 2012</p></td></tr>
-<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
-This guide provides a brief overview of AppArmor, and gives information
-on how to install and configure it on Gentoo.
-</p></td></tr>
-<tr><td align="left" class="topsep"><p class="alttext">
- <a href="mailto:kensington@gentoo.org" class="altlink"><b>Michael Palimaka</b></a>
-<br><i>Author</i><br></p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
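Review bot: removing `html/apparmor.html` outright (`+++ /dev/null`) leaves nothing at the old URL, and neither the commit message ("AppArmor guide has been moved to the wiki.") nor this hunk names the wiki page it moved to; the deleted page itself still links inward (the sidebar's `apparmor.xml?style=printable` link), so other documents in the tree and external bookmarks are likely to point here as well. Suggest either keeping a minimal stub page that redirects to the new wiki location, or at minimum adding the wiki URL to the commit message so the move is traceable. Since this file is the rendered output of `xml/apparmor.xml`, deleting both together is otherwise consistent.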
diff --git a/xml/apparmor.xml b/xml/apparmor.xml
deleted file mode 100644
index 032f1f3..0000000
--- a/xml/apparmor.xml
+++ /dev/null
@@ -1,204 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header$ -->
-
-<guide disclaimer="draft" link="apparmor.xml" lang="en">
-<title>Gentoo AppArmor Guide</title>
-
-<author title="Author">
- <mail link="kensington@gentoo.org">Michael Palimaka</mail>
-</author>
-
-<abstract>
-This guide provides a brief overview of AppArmor, and gives information
-on how to install and configure it on Gentoo.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
-<license version="3.0"/>
-
-<version>1</version>
-<date>2012-07-10</date>
-
-<chapter>
-<title>Introduction</title>
-
-<section>
-<body>
-<p>
-AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
-</p>
-<p>
-For each file path you specify, AppArmor will permit it only the permissions you grant.
-</p>
-<pre caption="Sample profile">
-# ------------------------------------------------------------------
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-# ------------------------------------------------------------------
-
-#include &lt;tunables/global&gt;
-
-/sbin/klogd {
- #include &lt;abstractions/base&gt;
-
- capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
- capability syslog,
-
- network inet stream,
-
- /boot/System.map* r,
- @{PROC}/kmsg r,
- @{PROC}/kallsyms r,
- /dev/tty rw,
-
- /sbin/klogd rmix,
- /var/log/boot.msg rwl,
- /{,var/}run/klogd.pid krwl,
- /{,var/}run/klogd/klogd.pid krwl,
- /{,var/}run/klogd/kmsg r,
-}
-</pre>
-</body>
-</section>
-
-</chapter>
-
-<chapter>
-<title>Initial setup</title>
-
-<section>
-<title>Kernel patching</title>
-<body>
-<p>
-From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
-it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
-profiles - deactivation, listing, init script etc. will not work.
-</p>
-<p>
-The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>,
-the patches will not cleanly apply. For convenience, a rebased version of the patches is
-<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>.
-</p>
-</body>
-</section>
-
-<section>
-<title>Install utilities</title>
-<body>
-<p>
-The AppArmor userspace utilities currently live in the
-<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>.
-You should install layman, and then add the <c>hardened-dev</c> overlay:
-
-<pre caption="Install userspace utilities">
-# <i>layman -a hardened-dev</i>
-# <i>emerge apparmor-utils</i>
-<comment>You will probably also wish to install some profiles to get started:</comment>
-# <i>emerge apparmor-profiles</i>
-</pre>
-
-</p>
-</body>
-</section>
-
-<section>
-<title>Further configuration</title>
-<body>
-<p>
-You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however
-the default values will suit most users.
-</p>
-</body>
-</section>
-
-</chapter>
-
-<chapter>
-<title>Working with profiles</title>
-
-<section>
-<body>
-<p>
-Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored
-in subdirectories - you may organise them however it suits you.
-</p>
-
-<pre caption="Sample profile directory listing">
-/etc/apparmor.d $ <i>ls</i>
-abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd
-apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd
-bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd
-disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd
-local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
-</pre>
-
-<p>
-Profiles are referred to by name, including any parent subdirectories if present.
-</p>
-</body>
-</section>
-
-<section>
-<title>Manual control</title>
-<body>
-
-<p>
-To activate a profile, simply set it to enforce mode.
-<pre caption="Manual profile activation">
-# <i>aa-enforce usr.sbin.dnsmasq</i>
-Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
-</pre>
-</p>
-
-<p>
-Similarly, to deactive a profile, simply set it to complain mode.
-<pre caption="Manual profile deactivation">
-# <i>aa-complain usr.sbin.dnsmasq</i>
-Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
-</pre>
-</p>
-
-<p>
-The current status of your profiles may be viewed using <c>aa-status</c>.
-<pre caption="Profile status listing">
-# <i>aa-status</i>
-apparmor module is loaded.
-6 profiles are loaded.
-5 profiles are in enforce mode.
- /bin/ping
- /sbin/klogd
- /sbin/syslog-ng
- /usr/sbin/dnsmasq
- /usr/sbin/identd
-1 profiles are in complain mode.
- /usr/sbin/lspci
-1 processes have profiles defined.
-1 processes are in enforce mode.
- /usr/sbin/dnsmasq (12905)
-0 processes are in complain mode.
-0 processes are unconfined but have a profile defined.
-</pre>
-</p>
-
-</body>
-</section>
-
-<section>
-<title>Automatic control</title>
-<body>
-<p>
-The provided init script will automatically load all profiles located in your profile directory.
-Unless specifically specified otherwise, each profile will be loaded in enforce mode.
-</p>
-</body>
-</section>
-
-</chapter>
-
-</guide>
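Review bot: the deleted source carries security-relevant caveats that should be confirmed present on the wiki page before this lands, since nothing in the commit references it: the "Kernel patching" section's warning that without the extra patches only profile activation works ("deactivation, listing, init script etc. will not work"), the pointer to the rebased patch set for grsec kernels (`https://github.com/kensington/apparmor-grsec/tarball/master`, which will not apply to `hardened-sources` otherwise), and the "Automatic control" note that the init script loads every profile in enforce mode unless specified otherwise. Also note the guide was still `disclaimer="draft"` at `<version>1</version>` / `<date>2012-07-10</date>`; if the wiki copy is treated as official, the typo `configuation` in the "Further configuration" section should be fixed there rather than carried over. Suggest adding the wiki URL to the commit message.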