1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Remove link to archived Kicksecure repository for AppArmor profiles (#254)

* Remove link to deprecated Kicksecure AppArmor profile repo

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Add apparmor.d mention as a reference

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Remove mentions of Whonix sandboxed app launcher and AppArmor profiles

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

---------

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
This commit is contained in:
friendly-rabbit-35 2024-06-16 15:49:53 -07:00 committed by GitHub
parent 074f5d1813
commit cbe365251d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 4 deletions

View File

@ -102,6 +102,4 @@ Fedora Workstation and Silverblue's European counterpart. These are rolling rele
Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [boot clock randomization](https://www.kicksecure.com/wiki/Boot_Clock_Randomization), [encrypted swap](https://github.com/Whonix/swap-file-creator), hardened boot parameters, and hardened kernel settings. One downside of Whonix is that it still inherits outdated packages with lots of downstream patching from Debian. Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [boot clock randomization](https://www.kicksecure.com/wiki/Boot_Clock_Randomization), [encrypted swap](https://github.com/Whonix/swap-file-creator), hardened boot parameters, and hardened kernel settings. One downside of Whonix is that it still inherits outdated packages with lots of downstream patching from Debian.
Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
Although Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has [various disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. Although Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has [various disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.

View File

@ -175,10 +175,10 @@ Note that, unlike Android, traditional desktop Linux distributions typically do
### Making Your Own Policies/Profiles ### Making Your Own Policies/Profiles
You can make your own AppArmor profiles, SELinux policies, [bubblewrap](https://github.com/containers/bubblewrap) profiles, and [seccomp](https://docs.kernel.org/userspace-api/seccomp_filter.html) blacklist to have better confinement of applications. This is an advanced and sometimes tedious task, but there are various projects you could use as reference: You can make your own AppArmor profiles, SELinux policies, [bubblewrap](https://github.com/containers/bubblewrap) profiles, and [seccomp](https://docs.kernel.org/userspace-api/seccomp_filter.html) blacklists to have better confinement of applications. This is an advanced and sometimes tedious task, but there are various projects you could use as reference:
- [Kicksecure's apparmor-profile-everything](https://github.com/Kicksecure/apparmor-profile-everything)
- [Krathalans AppArmor profiles](https://github.com/krathalan/apparmor-profiles) - [Krathalans AppArmor profiles](https://github.com/krathalan/apparmor-profiles)
- [roddhjav's AppArmor profiles](https://github.com/roddhjav/apparmor.d)
- [noatsecures SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates) - [noatsecures SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates)
- [Seirdys bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts) - [Seirdys bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts)