AppArmor is an easy-to-use Linux application security system (a mandatory access control module). It confines applications to the resources their profile explicitly allows (files, network, capabilities, etc.).

All commands listed below need to be executed as root (or with sudo).

Installation

  • Install apparmor (also apparmor-utils if available) using your system’s package manager.
  • Then, enable apparmor.service.
    systemctl enable apparmor.service
  • Add the following parameters to the kernel command line by editing /etc/default/grub and appending them to GRUB_CMDLINE_LINUX_DEFAULT (Ubuntu seems to update kernel parameters automatically):
    # For Debian
    apparmor=1 security=apparmor
    # For Arch Linux
    lsm=landlock,lockdown,yama,integrity,apparmor,bpf
  • Finally, reboot.

Basic example

In this example, I am going to allow a program to read and write files inside a folder. By default, an AppArmor profile denies access to any file it does not explicitly allow. Create a profile file for that program. The filename is the full path of the program executable with every / replaced by . (and the leading / removed).

vim /etc/apparmor.d/usr.bin.myprogram

Edit the file:

#include <tunables/global>

/usr/bin/myprogram {
  #include <abstractions/base>
  /usr/bin/myprogram r,
  /home/user/folder/* rw,
}
  • The profile must grant read access to the program's own executable.
  • include statements pull in base rules that are shared by several profiles. The leading # is optional.
  • You can add comments with #.

After saving the file and closing the editor, run:

aa-enforce /usr/bin/myprogram
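The steps above (derive the profile filename from the executable path, write a profile that allows only the binary itself and one folder, then load it) as a small script. This is an added example, not code from the original post: it assumes the profile directory is /etc/apparmor.d unless the hypothetical APPARMOR_DIR variable is set, and it uses apparmor_parser -Q (skip kernel load) only as a syntax check when the parser is installed.

```shell
#!/bin/bash
# Added example (not from the original post): generate and install a minimal
# AppArmor profile. APPARMOR_DIR is an assumed override for the profile
# directory (defaults to /etc/apparmor.d); handy for testing as non-root.

# Convert an executable path to the profile filename convention:
# drop the leading "/" and replace every remaining "/" with ".".
profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Render a profile that lets the program read its own binary and
# read/write files directly inside one directory; everything else stays denied.
render_profile() {
    local prog=$1
    local dir=$2
    cat <<EOF
#include <tunables/global>

$prog {
  #include <abstractions/base>
  $prog r,
  $dir/* rw,
}
EOF
}

# Write the profile under APPARMOR_DIR, syntax-check it with apparmor_parser
# when the parser is available, and print the path of the written file.
install_profile() {
    local prog=$1
    local dir=$2
    local out="${APPARMOR_DIR:-/etc/apparmor.d}/$(profile_name "$prog")"
    render_profile "$prog" "$dir" > "$out"
    if command -v apparmor_parser >/dev/null 2>&1; then
        # -Q parses and validates the profile without loading it into the kernel
        apparmor_parser -Q "$out"
    fi
    printf '%s\n' "$out"
}

# Usage: ./mkprofile.sh /usr/bin/myprogram /home/user/folder
# Afterwards, as root: aa-enforce /usr/bin/myprogram
if [ $# -eq 2 ]; then
    install_profile "$1" "$2"
fi
```

The rule `$dir/* rw,` matches files directly inside the folder; AppArmor uses `**` to match subdirectories recursively, so widen it only if the program really needs that.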

Utilities

  • aa-easyprof: creates profile templates. If it’s not installed, check for apparmor-easyprof package in the repositories. To create a template, run:
    aa-easyprof /usr/bin/myprogram > /etc/apparmor.d/usr.bin.myprogram
  • aa-logprof: reads the AppArmor log entries (denied or audited accesses) and proposes rules to add to the profile. You can accept or deny each change.
    # aa-logprof
    Reading log entries from /var/log/syslog.
    Updating AppArmor profiles in /etc/apparmor.d.
    Complain-mode changes:
    Enforce-mode changes:

    Profile:  /usr/bin/nano
    Path:     /usr/share/nano/extra/debian.nanorc
    New Mode: owner r
    Severity: unknown

    [1 - owner /usr/share/nano/extra/debian.nanorc r,]
    (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
    Adding owner /usr/share/nano/extra/debian.nanorc r, to profile.
  • aa-genprof: creates a profile interactively, combining a template like aa-easyprof with the log-checking process of aa-logprof.
    aa-genprof /usr/bin/myprogram
  • aa-complain: switches the profile to complain mode, where its rules are not enforced but access violations are logged (useful together with aa-logprof).
    aa-complain /usr/bin/myprogram
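aa-logprof and aa-complain both rely on the DENIED entries the kernel writes to the log. As an added example (not part of the original post), here is a small parser for those lines that summarizes what a confined program was refused, which is what you would review before deciding whether a rule belongs in the profile. The log lines are constructed samples in the format AppArmor uses; in a real setup you would pipe in /var/log/syslog, journalctl -k, or /var/log/audit/audit.log.

```shell
#!/bin/bash
# Added example (not from the original post): summarize AppArmor DENIED log
# entries. SAMPLE_LOG is constructed test input, not a real log capture.

SAMPLE_LOG='Jan 10 12:00:01 host kernel: audit: type=1400 audit(1704888001.123:45): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/myprogram" pid=900 comm="apparmor_parser"
Jan 10 12:00:05 host kernel: audit: type=1400 audit(1704888005.321:46): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/etc/shadow" pid=1234 comm="myprogram" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 12:00:07 host kernel: audit: type=1400 audit(1704888007.555:47): apparmor="DENIED" operation="open" profile="/usr/bin/myprogram" name="/home/user/other/notes.txt" pid=1234 comm="myprogram" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

# Read log lines on stdin and print one line per denial:
#   <profile> <operation> <path> <denied_mask>
# Only key="value" tokens are parsed; values containing spaces are not handled.
summarize_denials() {
    grep 'apparmor="DENIED"' | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=");
            if (n < 2) continue;          # skip tokens like audit(...):
            gsub(/"/, "", kv[2]);
            f[kv[1]] = kv[2];
        }
        printf "%s %s %s %s\n", f["profile"], f["operation"], f["name"], f["denied_mask"];
        for (k in f) delete f[k];          # reset for the next line
    }'
}

# Count denials per profile, one "<count> <profile>" line each.
count_denials_by_profile() {
    summarize_denials | awk '{ c[$1]++ } END { for (p in c) print c[p], p }' | sort
}

# Usage: journalctl -k --no-pager | ./aa_denials.sh
if [ ! -t 0 ] && [ $# -eq 0 ]; then
    count_denials_by_profile
fi
```

A denied read of /etc/shadow like the one in the sample is the kind of entry you would refuse in aa-logprof; the denied write inside the user's home is the kind that may point to a legitimate rule the profile is missing.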

If you have any suggestion, feel free to contact me via social media or email.