AppArmor is one of the Linux Security Modules (LSMs). It implements mandatory access control (MAC) by restricting what a program may do: which files it can read or write, which signals it can send, and so on. These restrictions are called profiles.
It was merged into Linux kernel 2.6.36, released in October 2010.
1. How to enable AppArmor, and how to check whether it is enabled
You can enable AppArmor by setting CONFIG_SECURITY_APPARMOR=y. If you build your own kernel, you can also set CONFIG_DEFAULT_SECURITY="apparmor" to make AppArmor the default LSM (on kernels 5.1 and later the LSM order is chosen with CONFIG_LSM instead).
If the aa-status command is available, you can guess that AppArmor is enabled on your system, but that only proves the userspace tools are installed. If cat /sys/module/apparmor/parameters/enabled prints Y, AppArmor is enabled in the running kernel.
You can see which profile is applied to each process by running ps -efZ. The ps -ef command is available on most Linux systems; the key is the -Z option, which adds the security context (the AppArmor profile name and mode) to each line.
Finally, you can find apparmor.d directories under /etc/apparmor.d and in each user's home directory.
2. Modes
There are two modes of AppArmor operation: enforce mode and complain mode.
Because mandatory access control can interfere with a program's normal behavior, AppArmor also supports complain mode: violations are logged but not blocked, even when the program breaks a rule in its profile.
So if you really need AppArmor to protect against unintended behavior, be sure to run profiles in enforce mode.
deny rules in AppArmor profiles are enforced even in complain mode.
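The two checks above, the enabled flag from section 1 and the enforce/complain distinction from section 2, as an added example script (not code from the original article). It assumes the kernel's securityfs file /sys/kernel/security/apparmor/profiles, which lists each loaded profile as "name (mode)", and runs here on constructed sample files so it works offline:

```shell
#!/bin/sh
# Added example: report whether AppArmor is enabled and which loaded
# profiles are still in complain mode (logging only, not protecting).
# Assumed inputs: /sys/module/apparmor/parameters/enabled (mentioned in
# the article) and /sys/kernel/security/apparmor/profiles, whose lines
# look like "/usr/sbin/cupsd (enforce)" or "/usr/bin/man (complain)".

# apparmor_enabled FILE -> success if FILE contains exactly "Y"
apparmor_enabled() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "Y" ]
}

# list_profiles_in_mode FILE MODE -> profile names whose mode is MODE
list_profiles_in_mode() {
    # keep everything before the trailing " (MODE)"
    sed -n "s/^\(.*\) ($2)\$/\1/p" "$1"
}

# count_profiles_in_mode FILE MODE -> number of profiles in MODE
count_profiles_in_mode() {
    list_profiles_in_mode "$1" "$2" | wc -l | tr -d ' '
}

# --- demo on constructed sample data (not a real system's output) ---
sample_enabled=$(mktemp); printf 'Y\n' > "$sample_enabled"
sample_profiles=$(mktemp)
cat > "$sample_profiles" <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/bin/man (complain)
/usr/bin/man//filter (complain)
lsb_release (enforce)
EOF

if apparmor_enabled "$sample_enabled"; then
    echo "AppArmor enabled: Y"
else
    echo "AppArmor is not enabled in this kernel"
fi
echo "Profiles still in complain mode (violations only logged):"
list_profiles_in_mode "$sample_profiles" complain
echo "complain: $(count_profiles_in_mode "$sample_profiles" complain)," \
     "enforce: $(count_profiles_in_mode "$sample_profiles" enforce)"
rm -f "$sample_enabled" "$sample_profiles"
```

On a live system call the functions with the real paths; reading /sys/kernel/security/apparmor/profiles normally requires root.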
3. Profiles
System-wide AppArmor profiles are located in /etc/apparmor.d/, and in $HOME/apparmor.d/ if the system uses user policies.
4. Reference
- The Linux Kernel Documentation (you might want to see the AppArmor Wiki instead)
AppArmor is enabled in Ubuntu 24.04 by default.