AppArmor RBAC for Gentoo Linux

This project is part of a protected desktop for organizational infrastructure (including diskless node infrastructure). The wider effort also includes IMA/EVM (with Gentoo binhost integration), IMA+AA integration, and organizational network services with client remote attestation; these are part of other projects and are not included in this one.

Key features:

  1. Best deployed with Secure Boot (early boot AppArmor initialization before root mount and real init are supported).
  2. Best deployed with IMA/EVM (if you can make it work); see Matthew Garrett's patch for AA+IMA integration.
  3. All system processes are covered by security profiles (including those started before AppArmor initialization, kernel processes, etc.).
  4. Full system coverage; unconfined processes are not allowed (only confined-to-confined transitions are allowed).
  5. Inherited process transitions (ix/Ix) are not allowed for better restrictions (with several exceptions).
  6. Aimed at OpenRC (systemd is not supported, since it is much harder to isolate).
  7. RBAC with uid/fsuid on all process transitions (no need to worry about AA's 12 named transitions limit, since all transitions are 'named' by uid).
  8. Profiles are grouped by Gentoo package names for easy manipulation (see utils folder).
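Features 3 and 4 can be spot-checked on a running system by reading every process's AppArmor label. The script below is an added example, not code from this project: it assumes the stock `/proc/<pid>/attr/current` label format ("unconfined" or "name (mode)"), and its function names and sample data are constructed for illustration.

```python
import os
import re

# Stock AppArmor reports either "unconfined" or "<profile name> (<mode>)".
LABEL_RE = re.compile(r"^(?P<profile>.+?) \((?P<mode>\w+)\)$")

def parse_label(raw):
    """Return (profile, mode) for one attr/current value; mode is None if unconfined."""
    text = raw.strip("\x00\n ")
    if text == "unconfined":
        return ("unconfined", None)
    m = LABEL_RE.match(text)
    if not m:
        # Fail loudly: an audit should not silently pass a label it cannot read.
        raise ValueError(f"unrecognised label: {raw!r}")
    return (m.group("profile"), m.group("mode"))

def read_proc_labels(proc="/proc"):
    """Collect {pid: (comm, raw_label)} for every process, kernel threads included."""
    out = {}
    if not os.path.isdir(proc):
        return out
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{entry}/attr/current") as f:
                out[int(entry)] = (comm, f.read())
        except OSError:
            continue  # process exited, or label not readable by this user
    return out

def find_unconfined(labels):
    """Return sorted [(pid, comm)] of processes running without a profile."""
    return sorted((pid, comm) for pid, (comm, raw) in labels.items()
                  if parse_label(raw)[1] is None)

# Constructed sample of what a stock kernel might report (not output from this project).
SAMPLE = {
    1: ("init", "unconfined\n"),
    2: ("kthreadd", "unconfined\n"),
    412: ("dbus-daemon", "/usr/bin/dbus-daemon (enforce)\n"),
    530: ("sshd", "/usr/sbin/sshd (complain)\n"),
}

if __name__ == "__main__":
    for pid, comm in find_unconfined(read_proc_labels() or SAMPLE):
        print(f"unconfined: pid={pid} comm={comm}")
```

Run as root so every process's label is readable; under the policy described above the list should come back empty, kernel threads included.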

Notes:

  1. The Gentoo sys-apps/dbus package should be revised in order to build with the "--enable-apparmor" configuration flag.
  2. The project is based on Ubuntu kernel AppArmor sources (the vanilla kernel still doesn't have all of the features).
  3. The project's AA profiles require a patched kernel in order to work (see patches folder) and are NOT compatible with Ubuntu/SUSE kernels (and vice versa).