AppArmor is an easy-to-use Linux application security system. It restricts applications to the resources (network, files, etc.) that their profile allows.

All commands listed below need to be executed as root (or with sudo).

  • Install apparmor (also apparmor-utils if available) using your system’s package manager.
  • Then, enable apparmor.service.
      systemctl enable apparmor.service
  • Add these parameters to the kernel command line by editing /etc/default/grub and appending the following to GRUB_CMDLINE_LINUX_DEFAULT (Ubuntu seems to update kernel parameters automatically):
      # For Debian
      apparmor=1 security=apparmor
      # For Arch Linux
  • Finally, reboot.

Basic example

In this example, I am going to allow a program to read or write files inside a folder. By default, a confined program is denied access to any file its profile does not list. Create a profile file for that program. The filename is the full path of the program executable with every / replaced by . (and the first / removed).

vim /etc/apparmor.d/usr.bin.myprogram

Edit the file:

#include <tunables/global>

/usr/bin/myprogram {
  #include <abstractions/base>
  # The program needs read access to its own executable.
  /usr/bin/myprogram r,
  # Files directly inside the folder (* does not match subfolders) may be read and written.
  /home/user/folder/* rw,
}

  • You need to specify read access to your program.
  • include statements pull in base rules that are shared by several profiles. The # is optional.
  • You can add comments with #.

After saving the file and closing the editor, run:

aa-enforce /usr/bin/myprogram


  • aa-easyprof: creates profile templates. If it’s not installed, check for the apparmor-easyprof package in the repositories. To create a template, run:
      aa-easyprof /usr/bin/myprogram > /etc/apparmor.d/usr.bin.myprogram
  • aa-logprof: reads the AppArmor log entries and proposes the profile changes needed to fix an AppArmor security profile. You can accept or deny each change.
      # aa-logprof
      Reading log entries from /var/log/syslog.
      Updating AppArmor profiles in /etc/apparmor.d.
      Complain-mode changes:
      Enforce-mode changes:
      Profile:  /usr/bin/nano
      Path:     /usr/share/nano/extra/debian.nanorc
      New Mode: owner r
      Severity: unknown
      [1 - owner /usr/share/nano/extra/debian.nanorc r,]
      (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
      Adding owner /usr/share/nano/extra/debian.nanorc r, to profile.
  • aa-genprof: similar to aa-easyprof, followed by the interactive checking process of aa-logprof.
      aa-genprof /usr/bin/myprogram
  • aa-complain: puts the profile in complain mode: it is not enforced, but access violations are logged.
      aa-complain /usr/bin/myprogram
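To show what aa-logprof does underneath when it turns log entries into the "[1 - ...]" proposals above, here is an added example (not code from the original page or from the AppArmor project) that parses AppArmor DENIED audit lines, merges repeated denials of the same path, and emits candidate rules for review. The audit lines are constructed samples in the format the kernel module writes; the profile and file paths are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the AppArmor kernel module writes to
# the audit log (type=AVC ... apparmor="DENIED" ...); not taken from the page.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/home/user/folder/notes.txt" pid=1234 comm="myprogram" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.456:46): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/home/user/folder/notes.txt" pid=1234 comm="myprogram" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000001.789:47): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/etc/shadow" pid=1234 comm="myprogram" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000002.000:48): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=1 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="value" pairs; type=AVC and msg=audit(...) are unquoted and ignored.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "rwacdklmx"  # order in which AppArmor prints permission letters


def parse_denials(log_text):
    """Return {profile: {path: set(permission letters)}} for DENIED file events.
    Repeated denials of the same path are merged (r and w become {r, w})."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # ALLOWED (complain-mode) and non-file events are skipped
        mask = fields.get("denied_mask") or fields.get("requested_mask", "")
        denials[fields["profile"]][fields["name"]].update(mask)
    return denials


def fmt_perms(perms):
    """Join permission letters in AppArmor's order, unknown letters last."""
    return "".join(sorted(perms, key=lambda c: (c not in PERM_ORDER, PERM_ORDER.find(c))))


def suggest_rules(denials):
    """Turn merged denials into candidate profile rules, one per path, sorted.
    These are proposals to (A)llow or (D)eny, exactly as aa-logprof asks;
    the /etc/shadow entry is the kind a reviewer would deny, not accept."""
    return {profile: sorted(f"{path} {fmt_perms(perms)}," for path, perms in paths.items())
            for profile, paths in denials.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"{profile} {{")
        for rule in rules:
            print(f"  {rule}")
        print("}")
```

On a real system the input would come from /var/log/audit/audit.log or /var/log/syslog rather than the embedded sample.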

