AppArmor

You can enable the AppArmor by setting CONFIG_SECURITY_APPARMOR=y. If you are a kernel builder, you can set CONFIG_DEFAULT_SECURITY="apparmor" and build the kernel to make the AppArmor the default LSM on your kernel.

If you can run aa-status command, you can guess the AppArmor is enabled in your system. If you can see Y when running cat /sys/module/apparmor/parameters/enabled, you can say the AppArmor is enabled in your system.

You can browse which profiles are applied in each processes by running ps -efZ. ps -ef command is available in most of Linux system, but passing -Z option is a key.

Finally, you can find apparmor.d directories in /etc/apparmor.d and each users' home directories.

There are two modes in AppArmor operation: Enforce mode, and complain mode.

Since the characteristics of mandatory , sometimes it can interfere programs' behavior. So the AppArmor supports the "complain" mode; It does not block behaviors of programs even if programs violates the rule.

So if you really have to make the AppArmor work and protect from unintended behavior, be sure to run profiles in Enforce mode.

deny rules in AppArmor profiles work even in complain mode.

The system-wide AppArmor profiles are located in /etc/apparmor.d/, and $HOME/apparmor.d/ if the system uses user policies.

The AppArmor is enabled in Ubuntu 24.04 by default.