AppArmor (Application Armor) is a Mandatory Access Control (MAC) system for Linux, built into the kernel. It confines programs to a limited set of resources, thereby reducing the attack surface in the event of a compromise.
Why Use AppArmor?
- Defense in depth: Adds a layer of security beyond traditional permissions (read, write, execute).
- Simplicity: Considered easier to learn and manage than its alternative, SELinux. Profiles are based on file paths.
- Pre-configured: Many distributions (such as Ubuntu) ship with AppArmor profiles pre-enabled for common services.
Prerequisites
- Operating system: A Linux distribution that supports AppArmor (Ubuntu, Debian, openSUSE...).
- Privileges: Root access or sudo privileges.
Installation and Activation
Step 1: Check the AppArmor status
AppArmor is often installed and enabled by default. Check its status:
sudo apparmor_status
# More modern alias: sudo aa-status
This command lists the loaded profiles and their mode (enforce or complain).
Step 2: Installation
If AppArmor is not installed, you can install it via your package manager:
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y apparmor apparmor-utils
Step 3: Enabling the service
Make sure the AppArmor service is enabled at boot:
sudo systemctl enable apparmor
sudo systemctl start apparmor
The service is now running and the default profiles are being applied.
Managing AppArmor profiles
Profiles are text files located in /etc/apparmor.d/ that define the permissions for a specific application.
The two operating modes
- enforce mode: The default mode. AppArmor strictly applies the profile rules and blocks any unauthorized action.
- complain mode: Permissive mode. AppArmor does not block any action, but logs the violations in the system logs. This is ideal for testing and developing new profiles.
Changing a profile's mode
# Switch the Firefox profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.firefox
# Switch the profile back to enforce mode
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
Reloading profiles
After modifying a profile, you must reload it for the changes to take effect:
# -r for "replace"
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
To reload all profiles:
sudo systemctl reload apparmor
Analyzing the logs
Violations of AppArmor rules are recorded in the kernel logs. This is the primary source of information for debugging a profile.
# Using journalctl
sudo journalctl -k | grep 'apparmor="DENIED"'
# Or directly in the log files
sudo grep 'apparmor="DENIED"' /var/log/audit/audit.log
sudo grep 'apparmor="DENIED"' /var/log/syslog
Each "DENIED" log line will give you valuable information about the denied operation, the profile concerned and the process.
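To turn those records into something reviewable, here is an added example (not from the original article and not one of the apparmor-utils tools) that parses audit lines of the form shown above and merges the denied masks per profile, operation and path. The log lines it runs on are constructed samples; the status parameter is an assumption of this example, useful because complain-mode records are logged with apparmor="ALLOWED" rather than "DENIED".

```python
import re
from collections import defaultdict

# Matches key=value pairs as they appear in AppArmor audit records;
# the value is either double-quoted (path, mask, profile) or a bare token (pid).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line, status="DENIED"):
    """Return the fields of one apparmor="<status>" record, or None for other lines."""
    if 'apparmor="%s"' % status not in line:
        return None
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def summarize_denials(lines, status="DENIED"):
    """Group records by (profile, operation, name) and merge the denied masks,
    which is the shape a reviewer needs before deciding which rule (if any) to add."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_denial(line, status)
        if rec is None:
            continue
        key = (rec.get("profile"), rec.get("operation"), rec.get("name"))
        mask = rec.get("denied_mask") or rec.get("requested_mask") or ""
        summary[key].update(mask)          # "r" then "w" becomes {"r", "w"}
    return {k: "".join(sorted(v)) for k, v in summary.items()}

# Constructed sample lines in the format produced by `journalctl -k`; not real log data.
SAMPLE_LOG = [
    'Nov 14 10:00:01 host kernel: audit: type=1400 audit(1700000000.101:40): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=4242 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Nov 14 10:00:02 host kernel: audit: type=1400 audit(1700000000.202:41): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=4242 comm="firefox" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    # A complain-mode record: the violation is logged but allowed.
    'Nov 14 10:00:03 host kernel: audit: type=1400 audit(1700000000.303:42): apparmor="ALLOWED" '
    'operation="open" profile="/usr/sbin/nginx" name="/var/www/index.html" pid=77 comm="nginx" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    'Nov 14 10:00:04 host kernel: audit: type=1400 audit(1700000000.404:43): apparmor="DENIED" '
    'operation="exec" profile="/usr/sbin/nginx" name="/usr/bin/bash" pid=78 comm="nginx" '
    'requested_mask="x" denied_mask="x" fsuid=33 ouid=0',
]

if __name__ == "__main__":
    for (profile, op, name), mask in summarize_denials(SAMPLE_LOG).items():
        print("%s  %s  %s  mask=%s" % (profile, op, name, mask))
```

On a real host, feed it the output of the journalctl command above (one line per list entry) and run the ALLOWED summary while a profile is in complain mode.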
Creating a profile from scratch can be complex. It is recommended to use the tools from the apparmor-utils package, such as aa-genprof and aa-logprof, which greatly simplify this process.
Conclusion
AppArmor is a fundamental security building block for any modern Linux system. By confining applications, it drastically limits the potential damage of a security flaw. Although setting it up may seem intimidating, using existing profiles and utilities like aa-status and aa-complain makes it accessible and highly effective.