AppArmor Utils is a suite of command-line tools that makes managing AppArmor profiles easier. These utilities let you generate, refine and maintain the security policies that confine applications.
Why Use AppArmor Utils?
- Simplified profile creation: The aa-genprof tool lets you generate a profile interactively, with the program running in complain ("learning") mode while you exercise it.
- Easy maintenance: aa-logprof analyzes the logs to help you update existing profiles.
- State management: Easily switch a profile from complain mode (logging only) to enforce mode (active blocking).
Prerequisites
- Operating system: A Linux distribution with AppArmor (Ubuntu, Debian, openSUSE...).
- Privileges: Root access or sudo privileges.
- AppArmor: The AppArmor service must be installed and enabled.
Installing AppArmor Utils
The apparmor-utils package is usually installed alongside AppArmor. If not, install it manually:
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y apparmor-utils
Creating a Profile with aa-genprof
This is the main tool for creating a new profile for an application that doesn't have one.
Step 1: Launch the Profile Generator
Suppose you want to confine the tcpdump utility. Run aa-genprof, pointing it at the binary:
sudo aa-genprof /usr/sbin/tcpdump
aa-genprof writes a minimal skeleton profile for the binary, loads it in complain mode (so nothing is blocked yet, but every access is logged) and then waits for you to exercise the program.
Step 2: Trigger the Application's Actions
In another terminal, run the application and perform the actions you want to allow. Exercise every code path you expect in production (reading and writing capture files, name resolution, and so on), because anything you do not trigger here will not end up in the profile. For example (replace eth0 with a real interface name from ip link):
sudo tcpdump -i eth0 -c 5
Step 3: Scan the Logs and Build the Profile
Go back to the first terminal (the one running aa-genprof) and press the `S` key (Scan). The tool will analyze the system logs looking for AppArmor events generated by `tcpdump`.
For each event, aa-genprof will ask whether you want to Allow it, Deny it, Ignore it, and so on. Allow adds a matching rule to the profile, Deny adds an explicit deny rule, and Ignore skips the event without writing anything. Read each path, capability and network access before allowing it: everything you allow becomes part of the program's permanent permissions, so do not accept events you cannot explain.
Step 4: Save and Activate the Profile
Once you have handled all the events, press `F` (Finish) to save the profile to /etc/apparmor.d/. The profile will automatically be set to enforce mode.
Your application is now confined by AppArmor. You can check this with sudo aa-status, which lists the loaded profiles and the mode (enforce or complain) each one is in.
Updating a Profile with aa-logprof
If a confined application needs new permissions (for example after an update), aa-logprof is the tool you need.
Simply run it:
sudo aa-logprof
Just like aa-genprof, it will scan the logs and offer to allow or deny the actions that were blocked by the existing profile (or, for a profile in complain mode, the actions that would have been blocked). The same caution applies: aa-logprof offers every logged event, including anything unwanted that happened in the log window, so review each entry rather than allowing everything.
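As an added example (not from this page or from the apparmor-utils project), the following POSIX shell function shows the core of what the Scan step of aa-genprof and aa-logprof do before prompting you: it pulls the key="value" fields out of AppArmor audit events, keeps the DENIED and ALLOWED (complain-mode) events for one profile, and turns each distinct event into the candidate rule you would be asked to allow or deny. The log lines are constructed for this example, and the function name suggest_rules and the second program path are choices made here, not anything the real tools expose.

```shell
#!/bin/sh
# Added example: turn AppArmor audit events into candidate profile rules,
# roughly what the "Scan" step of aa-genprof and aa-logprof do before they
# ask you to Allow/Deny each event. This is not the real tool: it does no
# mask normalisation or globbing, it only shows where the suggestions come from.

# Constructed sample events (not captured from a real system).
# ALLOWED events come from a profile in complain mode, DENIED from enforce mode.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/protocols" pid=4321 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="capable" profile="/usr/sbin/tcpdump" pid=4321 comm="tcpdump" capability=13  capname="net_raw"
type=AVC msg=audit(1700000000.103:203): apparmor="DENIED" operation="create" profile="/usr/sbin/tcpdump" pid=4321 comm="tcpdump" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1700000000.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/root/capture.pcap" pid=4321 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/protocols" pid=4322 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.106:206): apparmor="DENIED" operation="open" profile="/usr/local/bin/otherapp" name="/etc/shadow" pid=999 comm="otherapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# suggest_rules PROFILE  < audit-events
# Prints one candidate rule per distinct event belonging to PROFILE, in
# first-seen order. Events for other profiles and non-AppArmor lines are skipped.
suggest_rules() {
  awk -v prof="$1" '
    {
      split("", kv)                       # reset the key=value map for this event
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        gsub(/"/, "", val)                # strip the quotes around values
        kv[key] = val
      }
      if (kv["profile"] != prof) next
      if (kv["apparmor"] != "DENIED" && kv["apparmor"] != "ALLOWED") next

      if (kv["operation"] == "capable")
        rule = "capability " kv["capname"] ","
      else if (kv["family"] != "")
        rule = "network " kv["family"] " " kv["sock_type"] ","
      else if (kv["name"] != "")
        rule = kv["name"] " " kv["denied_mask"] ","
      else
        next
      if (!(rule in seen)) { seen[rule] = 1; print "  " rule }   # de-duplicate
    }'
}

# Stand-alone run over the constructed sample. On a real host you would feed
# the kernel log instead, e.g.: journalctl -k | suggest_rules /usr/sbin/tcpdump
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/tcpdump
```

Each printed line is a candidate the tool would show you; whether it belongs in the profile is still your decision. The last sample event illustrates the filter by profile: an access made under another program's profile is never offered for tcpdump, and the duplicate /etc/protocols event is collapsed into one rule.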
Managing Profile Modes
You can easily change a profile's mode. aa-complain and aa-enforce rewrite the flags=(...) setting in the profile file and reload the profile into the kernel, so the change takes effect immediately and survives a reboot.
Switch to complain Mode (Non-Blocking)
sudo aa-complain /etc/apparmor.d/usr.sbin.tcpdump
In this mode, violations are logged but not blocked. This is useful for testing a profile without breaking the application.
Switch to enforce Mode (Blocking)
sudo aa-enforce /etc/apparmor.d/usr.sbin.tcpdump
This is the standard production mode, where the rules are strictly applied.
Disable a Profile
sudo aa-disable /etc/apparmor.d/usr.sbin.tcpdump
This unloads the profile from the kernel and adds a symlink to it in /etc/apparmor.d/disable/, so it is not loaded again at boot. Re-enable it later by removing that symlink and running aa-enforce (or aa-complain) on the profile.
Note that, by convention, the profile file name in /etc/apparmor.d/ drops the leading `/` of the program path and replaces the remaining `/` characters with `.` (e.g. /usr/sbin/tcpdump becomes usr.sbin.tcpdump). This is only a naming convention: aa-complain, aa-enforce and aa-disable also accept the program path itself (for example sudo aa-enforce /usr/sbin/tcpdump) and look up the matching profile for you.
Conclusion
The apparmor-utils tools are essential for working efficiently with AppArmor. They turn the potentially complex task of creating and maintaining profiles into an interactive, guided process. Mastering aa-genprof and aa-logprof is the key to securing your Linux applications effectively.