Linux Security Summit North America 2023

This talk tells the story of how we build the largest working set of apparmor profiles. The default set of apparmor profiles in Linux is small. It makes Apparmor less useful to prevent thread. apparmor.d is a work in progress project that aims to provide a full set of profiles tailored for all major Linux distributions: Debian, Ubuntu, OpenSUSE, Archlinux and Ubuntu Core. It includes over 1400 profiles; together, they ensure that most Linux processes remain confined. In this talk, we will be going over the main challenges we faced while working on these profiles. The security architecture of the profiles. How did we select the program to confine and why? As there are over 50000 Linux packages, we need to carefully select the profiles to write. How we use integration testing that uses Go, some VM and hundreds of both manually created and automatically generated tests to ensure the profiles do not break your setup. The profiles, tooling and documentation for the project has been published at https://github.com/roddhjav/apparmor.d