Commit 26fccd9e authored by Kees Cook's avatar Kees Cook Committed by Jonathan Corbet

doc: ReSTify apparmor.txt

Adjusts for ReST markup and moves under LSM admin guide.
Acked-by: default avatarJohn Johansen <john.johansen@canonical.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
parent 229fd05c
--- What is AppArmor? --- ========
AppArmor
========
What is AppArmor?
=================
AppArmor is MAC style security extension for the Linux kernel. It implements AppArmor is MAC style security extension for the Linux kernel. It implements
a task centered policy, with task "profiles" being created and loaded a task centered policy, with task "profiles" being created and loaded
...@@ -6,34 +11,41 @@ from user space. Tasks on the system that do not have a profile defined for ...@@ -6,34 +11,41 @@ from user space. Tasks on the system that do not have a profile defined for
them run in an unconfined state which is equivalent to standard Linux DAC them run in an unconfined state which is equivalent to standard Linux DAC
permissions. permissions.
--- How to enable/disable --- How to enable/disable
=====================
set ``CONFIG_SECURITY_APPARMOR=y``
set CONFIG_SECURITY_APPARMOR=y If AppArmor should be selected as the default security module then set::
If AppArmor should be selected as the default security module then CONFIG_DEFAULT_SECURITY="apparmor"
set CONFIG_DEFAULT_SECURITY="apparmor" CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
Build the kernel Build the kernel
If AppArmor is not the default security module it can be enabled by passing If AppArmor is not the default security module it can be enabled by passing
security=apparmor on the kernel's command line. ``security=apparmor`` on the kernel's command line.
If AppArmor is the default security module it can be disabled by passing If AppArmor is the default security module it can be disabled by passing
apparmor=0, security=XXXX (where XXX is valid security module), on the ``apparmor=0, security=XXXX`` (where ``XXXX`` is valid security module), on the
kernel's command line kernel's command line.
For AppArmor to enforce any restrictions beyond standard Linux DAC permissions For AppArmor to enforce any restrictions beyond standard Linux DAC permissions
policy must be loaded into the kernel from user space (see the Documentation policy must be loaded into the kernel from user space (see the Documentation
and tools links). and tools links).
--- Documentation --- Documentation
=============
Documentation can be found on the wiki. Documentation can be found on the wiki, linked below.
--- Links --- Links
=====
Mailing List - apparmor@lists.ubuntu.com Mailing List - apparmor@lists.ubuntu.com
Wiki - http://apparmor.wiki.kernel.org/ Wiki - http://apparmor.wiki.kernel.org/
User space tools - https://launchpad.net/apparmor User space tools - https://launchpad.net/apparmor
Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
...@@ -33,4 +33,5 @@ the one "major" module (e.g. SELinux) if there is one configured. ...@@ -33,4 +33,5 @@ the one "major" module (e.g. SELinux) if there is one configured.
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
apparmor
SELinux SELinux
...@@ -4,8 +4,6 @@ Smack.txt ...@@ -4,8 +4,6 @@ Smack.txt
- documentation on the Smack Linux Security Module. - documentation on the Smack Linux Security Module.
Yama.txt Yama.txt
- documentation on the Yama Linux Security Module. - documentation on the Yama Linux Security Module.
apparmor.txt
- documentation on the AppArmor security extension.
keys-ecryptfs.txt keys-ecryptfs.txt
- description of the encryption keys for the ecryptfs filesystem. - description of the encryption keys for the ecryptfs filesystem.
keys-request-key.txt keys-request-key.txt
......
...@@ -11560,6 +11560,7 @@ W: apparmor.wiki.kernel.org ...@@ -11560,6 +11560,7 @@ W: apparmor.wiki.kernel.org
T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
S: Supported S: Supported
F: security/apparmor/ F: security/apparmor/
F: Documentation/admin-guide/LSM/apparmor.rst
LOADPIN SECURITY MODULE LOADPIN SECURITY MODULE
M: Kees Cook <keescook@chromium.org> M: Kees Cook <keescook@chromium.org>
......
...@@ -226,7 +226,7 @@ void aa_dfa_free_kref(struct kref *kref) ...@@ -226,7 +226,7 @@ void aa_dfa_free_kref(struct kref *kref)
* @flags: flags controlling what type of accept tables are acceptable * @flags: flags controlling what type of accept tables are acceptable
* *
* Unpack a dfa that has been serialized. To find information on the dfa * Unpack a dfa that has been serialized. To find information on the dfa
* format look in Documentation/security/apparmor.txt * format look in Documentation/admin-guide/LSM/apparmor.rst
* Assumes the dfa @blob stream has been aligned on a 8 byte boundary * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
* *
* Returns: an unpacked dfa ready for matching or ERR_PTR on failure * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
* License. * License.
* *
* AppArmor uses a serialized binary format for loading policy. To find * AppArmor uses a serialized binary format for loading policy. To find
* policy format documentation look in Documentation/security/apparmor.txt * policy format documentation see Documentation/admin-guide/LSM/apparmor.rst
* All policy is validated before it is used. * All policy is validated before it is used.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment