eafb8b7aa1
sec: AppArmor v0.6 stub — load profiles in complain mode
Per docs/research/2026-05-05-agent-wave/04-hardening-tier-2.md (v0.6
scope item 1).
Adds:
- apparmor-parser apparmor-utils apparmor-profiles to %packages in
BOTH kickstart/veilor-os.ks (live ks) and overlay/usr/local/bin/
veilor-installer (generated install ks heredoc).
- scripts/40-apparmor.sh — wires aa-complain on every veilor-shipped
profile. Idempotent. "loaded, present, nothing breaks".
- overlay/etc/apparmor.d/veilor.d/firefox — 1-liner stub (binary
confinement marker only; full policy post-v0.6).
- overlay/etc/apparmor.d/veilor.d/thunderbird — same pattern.
- Wired 40-apparmor.sh into install %post chain after
30-apply-v03-theme.sh.
Complain mode means: profiles loaded, kernel logs syscall denials but
does NOT enforce. Operator can review audit.log post-install to
inform v0.7 policy authoring.
2026-05-06 11:15:30 +01:00 |
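As an added example (not code from this commit or the project), a Python script for the post-install review step the message describes: it reads AppArmor records from audit.log and groups the complain-mode would-be denials (logged as apparmor="ALLOWED") and enforced denials (apparmor="DENIED") by profile, skipping profile-load STATUS records. The audit lines are constructed samples; the profile names firefox and thunderbird are taken from the commit.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel audit format AppArmor emits.
# A complain-mode profile logs apparmor="ALLOWED" for an action that enforce
# mode would have blocked; "DENIED" is an enforced denial; "STATUS" is a
# profile load/unload notice and carries no policy information.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1778000001.101:201): apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=2201 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1778000002.102:202): apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=2201 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1778000003.103:203): apparmor="ALLOWED" operation="exec" profile="thunderbird" name="/usr/bin/gpg" pid=2310 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1778000004.104:204): apparmor="STATUS" operation="profile_load" profile="unconfined" name="firefox" pid=1 comm="apparmor_parser"
type=AVC msg=audit(1778000005.105:205): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize_complain_events(log_text):
    """Group AppArmor ALLOWED/DENIED records by profile.

    Returns {profile: {(mode, operation, name, denied_mask): count}} so an
    operator can see which accesses a future enforce-mode policy must permit.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("type") != "AVC" or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # skip STATUS records and anything that is not an AppArmor AVC
        key = (ev["apparmor"], ev.get("operation", "?"), ev.get("name", "?"),
               ev.get("denied_mask", ""))
        summary[ev["profile"]][key] += 1
    return {profile: dict(events) for profile, events in summary.items()}


if __name__ == "__main__":
    for profile, events in sorted(summarize_complain_events(SAMPLE_AUDIT_LOG).items()):
        print(f"profile {profile}:")
        for (mode, op, name, mask), n in sorted(events.items()):
            print(f"  {mode:7} {op:6} {name} mask={mask} x{n}")
```

On a real system, feed it the AVC lines from /var/log/audit/log (for example via `ausearch -m AVC`) instead of the embedded sample.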