This is a big WIP. I am working on porting all apparmor.d profiles (which need porting) to Asahi.
Every folder BUT succeeding-boot-disable/
has incomplete profiles adjusted for Asahi Linux devices (it will probably break anything but an M1 pro for now) (and adjusted for ALARM, also in general ARCH package tidbits).
succeeding-boot-disable/
is currently filled out as such because on an M1 it SHOULD allow boot to proceed, but without internet currently.
disable/
is for the actual disables which are required at MINIMUM.
Expect that this WILL break your system in some way.
You contribute by breaking your system.
Setup:
- Kernel must support apparmor (default Asahi does).
- Add Apparmor kernel args
lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1
and rebuild stuff. - Build the
apparmor.d-git
package. pacman -S apparmor
. Start the service!pacman -U
it (FOLLOW THEIR INSTRUCTIONS ON GITHUB).systemctl enable apparmor
.- Have a side Asahi install ready in case you need to mount & disable Apparmor.
git clone
this repo, cd into dir, and then eitherinstall-disabled
orinstall-production
, probably the former first to have everything running, because latter might freeze your system, since it hasdisable
disables. Whichever you choose, uninstall with the equivalent -*
- You can run
make check
(with args if need be) to see if all files have been placed properly
(did I miss anything?)
Contributing:
shutdown -h now
.- Boot, if boot does not work, use the side install and disable the thing.
- Find out what caused the freeze by disabling profiles. For example, you can binary "search" the bottom half of the profiles (abc sorted)
find . -maxdepth 1 -not -type d | sort -h | tail -n 515 | xargs ln -rst disable
(there is I think exactly 1030 profiles in total). aa-log | grep DENIED
might also help, this helps more though if boot was successful.- You should also
echo "" > /var/log/audit/audit.log
before rebooting to get the newest logs.
- Disable profiles you can't fix. Add those really needed disable (and not convenience
succeeding-boot-disable/
) todisable
. - Only add changes to
local
,disable
(or.d
files, in the other subfolders).
- You should be able to write your changes in the repo, make install- whichever you used, and then uninstall should catch too if you don't remove the file later.
- MAKE SURE that you:
- Where possible ADD ERRORS above the rules so we have a REFERENCE to see why the rules were added.
- ABSTRACT OUT as much as possible by checking the profiles which are getting DENIED and seeing whether the rules should be added in the PROFILE or as ABSTRACTIONS or TUNABLES or the like.
Main pain points:
- Firmware and identifying what profiles are using it. This is due to different filepaths.
- Arch / ALARM package filepath differences (meaning, both arch in comparison to apparmor.d and I guess ALARM).
Happy contributing!