- 1 Installation
- 2 Disabling
- 3 Configuration
- 4 Security considerations
- 5 Tips and tricks
- 6 More Info
- 7 Links
- 8 See also
When compiling the kernel, it is required to at least set the following options:
CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 CONFIG_DEFAULT_SECURITY_APPARMOR=y CONFIG_AUDIT=y
For those new or altered variables to not get overridden, place them at the bottom of the config file or adjust the previous invocations accordingly.
Instead of setting
CONFIG_DEFAULT_SECURITY_APPARMOR, you can also set kernel boot parameters:
The userspace tools and libraries to control AppArmor are supplied by theAUR package.
The package is a split package which consists of following sub-packages:
- apparmor (meta package)
To load all AppArmor profiles on startup, enable
After reboot you can test if AppArmor is really enabled using this command as root:
# cat /sys/module/apparmor/parameters/enabled Y
(Y=enabled, N=disabled, no such file = module not in kernel)
To disable AppArmor for the current session, stop
apparmor.service, or disable it to prevent it from starting at the next boot.
Alternatively you may choose to disable the kernel modules required by AppArmor by appending
apparmor=0 security="" to the kernel boot parameters.
Creating new profiles
To create new profiles using
auditd.service from the package must be running. This is because Arch Linux adopted systemd and doesn't do kernel logging to file by default. Apparmor can grab kernel audit logs from the userspace auditd daemon, allowing you to build a profile.
To get kernel audit logs, you'll need to have rules in place to monitor the desired application. Most often a basic rule configured with will suffice:
# auditctl -a exit,always -F arch=b64 -S all -F path=/usr/bin/chromium -F key=MonitorChromium
but be sure to read Audit framework#Adding rules if this is unfamiliar to you.
To load, unload, reload, cache and stat profiles use
apparmor_parser. The default action (
-a) is to load a new profile, in order to overwrite an existing profile use the
-r option and to remove a profile use
-R. Each action may also apply to multiple profiles. Refer to man page for more information.
AppArmor can be circumvented via hardlinks in the standard POSIX security model. However, the kernel included the ability to prevent this vulnerability via the following settings:
... fs.protected_hardlinks = 1 fs.protected_symlinks = 1
Patches distributions like Ubuntu have applied to their kernels as workarounds as not needed anymore.
Tips and tricks
Get desktop notification on DENIED actions
To get a notification on your desktop whenever AppArmor enters a "DENIED" log entry start the notify daemon by
# aa-notify -p --display $DISPLAY
This daemon must be started at each boot.
Since AppArmor has to translate the configured profiles into a binary format it may take some time to load them. Besides being bothersome for the user, it may also increases the boot time significantly!
To circumvent some of those problems AppArmor can cache profiles in
/etc/apparmor.d/cache/. However this behaviour is disabled by default therefore it must be done manually with
apparmor_parser. In order to write to the cache use
-W (overwrite existing profiles with
-T) and reload the profiles using
-r. Refer to #Parsing profiles for a brief overview of additional arguments.
AppArmor, like most other LSMs, supplements rather than replaces the default Discretionary access control. As such it's impossible to grant a process more privileges than it had in the first place.
Ubuntu, SUSE and a number of other distributions use it by default. RHEL (and it's variants) use SELinux which requires good userspace integration to work properly. People tend to agree that it is also much much harder to configure correctly.
Taking a common example - A new Flash vulnerability: If you were to browse to a malicious website AppArmor can prevent the exploited plugin from accessing anything that may contain private information. In almost all browsers, plugins run out of process which makes isolating them much easier.
AppArmor profiles (usually) get stored in easy to read text files in
Every breach of policy triggers a message in the system log, and many distributions also integrate it into DBUS so that you get real-time violation warnings popping up on your desktop.
- Home Page
- AppArmor Core Policy Reference — Detailed description of available options in a profile
- Ubuntu Tutorial — General overview of available utilities and profile creation
- Ubuntu Wiki — Basic command overview
- AppArmor Verions — Version overview and links to the respective release notes
- — Structure of the AppArmor configuration directory
- — The most fundamental AppArmor utility to load, unload, cache and stat profiles
- Kernel Interfaces — Low level interfaces to the AppArmor kernel module
- Apparmor Profile Migration — Emergence of profiles
- Build Instructions for CentOS
- wikipedia:Linux Security Modules — Linux kernel module on which basis AppArmor is build upon
- Launchpad Project Page
- Contributing — Introduction to git mechanics and on how to contribute
- FS#21406 — Initial discussion about the introduction of AppArmor