sec: AppArmor v0.6 stub — load profiles in complain mode #11

Merged
s8n merged 1 commit from feat/sec-apparmor-v06-stubs into main 2026-05-06 13:47:32 +01:00
Owner

v0.6 hardening tier 2 item 1 per docs/research/2026-05-05-agent-wave/04-hardening-tier-2.md.

Adds apparmor-parser/utils/profiles to both ks files, scripts/40-apparmor.sh (idempotent, complain-mode only), and 1-line firefox+thunderbird stubs at overlay/etc/apparmor.d/veilor.d/. Wired into install %post chain after 30-apply-v03-theme.sh.

v0.6 scope: 'loaded, present, nothing breaks'. Real policy authoring is v0.7+.

s8n added 1 commit 2026-05-06 11:15:50 +01:00
sec: AppArmor v0.6 stub — load profiles in complain mode
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 0s
Lint / Shell scripts (pull_request) Failing after 0s
Lint / No personal/onyx leaks (pull_request) Failing after 0s
dfda66ac7e
Per docs/research/2026-05-05-agent-wave/04-hardening-tier-2.md (v0.6
scope item 1).

Adds:
  - apparmor-parser apparmor-utils apparmor-profiles to %packages in
    BOTH kickstart/veilor-os.ks (live ks) and overlay/usr/local/bin/
    veilor-installer (generated install ks heredoc).
  - scripts/40-apparmor.sh — wires aa-complain on every veilor-shipped
    profile. Idempotent. "loaded, present, nothing breaks".
  - overlay/etc/apparmor.d/veilor.d/firefox — 1-liner stub (binary
    confinement marker only; full policy post-v0.6).
  - overlay/etc/apparmor.d/veilor.d/thunderbird — same pattern.
  - Wired 40-apparmor.sh into install %post chain after
    30-apply-v03-theme.sh.

Complain mode means: profiles loaded, kernel logs syscall denials but
does NOT enforce. Operator can review audit.log post-install to
inform v0.7 policy authoring.
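The idempotent complain-mode loading the commit message describes, written out as an added illustration (this is not veilor-os's own scripts/40-apparmor.sh). It assumes each stub under veilor.d declares a profile named after its file, and it takes the kernel's /sys/kernel/security/apparmor/profiles listing as the source of truth, so a second run of the script plans no changes; both paths are overridable so the planning logic can be checked without a live kernel.

```shell
#!/bin/sh
# Illustrative stand-in for a veilor.d complain-mode loader (not the project's code).
# Defaults match the paths named in the PR; override them to test without AppArmor.
VEILOR_PROFILE_DIR="${VEILOR_PROFILE_DIR:-/etc/apparmor.d/veilor.d}"
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Mode the kernel reports for a profile name: complain, enforce, ... or "unloaded".
# The kernel file holds one "name (mode)" entry per line; child profiles appear
# as "name//child (mode)" and must not match the parent, hence the exact "name (".
profile_mode() {
    name="$1"
    [ -r "$AA_PROFILES_FILE" ] || { echo unloaded; return; }
    mode=$(awk -v n="$name" 'index($0, n " (") == 1 { m=$NF; gsub(/[()]/, "", m); print m; exit }' \
        "$AA_PROFILES_FILE")
    echo "${mode:-unloaded}"
}

# Decide what one profile needs. Returning a word (instead of acting) keeps the
# decision testable and makes the idempotency explicit: complain -> skip.
plan_action() {
    case "$(profile_mode "$1")" in
        complain) echo skip ;;      # already loaded in complain mode: nothing to do
        enforce)  echo complain ;;  # loaded but enforcing: flip to complain, keep policy
        *)        echo load ;;      # not loaded: load the file forced into complain mode
    esac
}

# Act on the plan. apparmor_parser -C forces complain regardless of profile flags.
apply_action() {
    case "$2" in
        skip) ;;
        complain) aa-complain "$1" ;;
        load) apparmor_parser --replace --Complain "$1" ;;
    esac
}

main() {
    # "nothing breaks": a missing parser or a kernel without AppArmor is not an error.
    command -v apparmor_parser >/dev/null 2>&1 || { echo "apparmor_parser missing; skipping" >&2; return 0; }
    [ -d /sys/kernel/security/apparmor ] || { echo "AppArmor not enabled; skipping" >&2; return 0; }
    for f in "$VEILOR_PROFILE_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")            # assumption: profile name == file name
        action=$(plan_action "$name")
        echo "$name: $action"
        apply_action "$f" "$action"
    done
}

# Only run the loader when executed as the %post script, not when sourced.
case "$0" in */40-apparmor.sh) main "$@" ;; esac
```

After install, `aa-status` lists the stubs under "profiles are in complain mode", and denials that would have applied show up as `apparmor="ALLOWED"` audit records rather than `DENIED`.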
s8n merged commit a125e46c5e into main 2026-05-06 13:47:32 +01:00
Reference: veilor-org/veilor-os#11