APPARMOR - Base Documentation
Managing AppArmor Profiles
AppArmor uses profiles to define the access controls for programs. These profiles specify what resources (such as files, network ports, etc.) a program can access and what actions it can perform. Profiles are written in a human-readable format and can be customized to suit the needs of specific applications.
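As an added example (not a profile shipped with AppArmor or taken from this page), here is what a complete profile looks like for a hypothetical network service installed as /usr/local/bin/example-daemon. Every path, capability and network rule in it is an assumption about that imaginary program; the syntax is standard AppArmor policy language.

```apparmor
# /etc/apparmor.d/usr.local.bin.example-daemon   (hypothetical service, added example)
#include <tunables/global>

/usr/local/bin/example-daemon {
  # Shared rule sets: libc, locale data, shared libraries, /dev/null, DNS lookups.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Only the capabilities the service really needs: bind port 80, then drop privileges.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # TCP over IPv4 and IPv6 only; no raw sockets, no UDP.
  network inet stream,
  network inet6 stream,

  # The binary itself: readable and mappable as executable.
  /usr/local/bin/example-daemon mr,

  # Configuration is read-only. "/dir/" and "/dir/**" are separate rules:
  # "**" matches everything at any depth below the directory but not the directory itself.
  /etc/example-daemon/ r,
  /etc/example-daemon/** r,

  # State and logs are writable (k = file locking); "owner" restricts write access
  # to files owned by the user the daemon runs as.
  owner /var/lib/example-daemon/ rw,
  owner /var/lib/example-daemon/** rwk,
  /var/log/example-daemon/*.log w,
  /run/example-daemon.pid rw,

  # Explicit denials document what must never happen and win over allow rules.
  # Plain deny rules are silent; "audit deny" logs the attempt as well.
  audit deny /etc/shadow r,
  audit deny /home/** rw,
  deny /proc/*/mem rw,

  # Site-specific additions belong in this file instead of edits to the profile.
  # "include if exists" needs AppArmor 3 or later; on older parsers use
  # "#include <local/usr.local.bin.example-daemon>" and create the file, even if empty.
  include if exists <local/usr.local.bin.example-daemon>
}
```

The rule order inside the braces does not matter: AppArmor merges all allow rules, then subtracts anything matched by a deny rule. The useful discipline is the one shown: the program's own binary, its configuration read-only, its writable state under one directory, and denials for the files an attacker who takes over the process would go for first.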
Viewing AppArmor Status
To check the status of AppArmor on your system, use the following command:
sudo apparmor_status
This reports whether the AppArmor kernel module is loaded, how many profiles are loaded and how many of them are in enforce and complain mode, how many running processes are confined in each mode, and, importantly, how many processes are unconfined although a profile exists for them (a program started before its profile was loaded, or whose profile failed to load). Disabled profiles are simply not loaded, so they do not show up here.
Listing Profiles
To list the profiles that are currently loaded, use:
sudo aa-status
(`apparmor_status` is the same program under its older name, so the two commands produce identical output.) The output groups loaded profiles into "enforce" mode (actively restricting applications) and "complain" mode (only logging what would have been refused), followed by the confined processes. Only loaded profiles appear: a profile that exists under `/etc/apparmor.d/` but was disabled or failed to load is absent from this list, so compare the list against the files in that directory when a program turns out to be unexpectedly unconfined.
Loading and Unloading Profiles
You can load or unload AppArmor profiles with the following commands:
- To load a profile (or replace the copy that is already loaded):
sudo apparmor_parser -r /etc/apparmor.d/<profile_name>
- To unload a profile:
sudo apparmor_parser -R /etc/apparmor.d/<profile_name>
`-r` (replace) loads the profile and overwrites any version of it already in the kernel; processes that are already confined by the profile switch to the new rules immediately. `-a` (add) also loads a profile but fails if it is already loaded. `-R` (remove) unloads the profile from the kernel and leaves the file in place, so the AppArmor service loads it again at the next boot unless you disable it with `aa-disable`. `<profile_name>` is the file under `/etc/apparmor.d/`; by convention it is the path of the confined binary with each `/` replaced by `.` (for example `usr.sbin.nginx` for `/usr/sbin/nginx`).
Editing Profiles
AppArmor profiles are typically located in the `/etc/apparmor.d/` directory. To edit a profile, use any text editor:
sudo nano /etc/apparmor.d/<profile_name>
Once you have edited the profile, reload it to apply the changes:
sudo apparmor_parser -r /etc/apparmor.d/<profile_name>
If the edited profile contains a syntax error, the parser reports it with the line number and leaves the previously loaded version in the kernel, so a bad edit does not silently drop confinement. A successful reload takes effect at once, for processes already running under the profile as well as for new ones.
Creating a New Profile
To create a new AppArmor profile for an application, use the following steps:
- Generate a profile using the `aa-genprof` tool:
sudo aa-genprof <application_name>
- `aa-genprof` creates a minimal profile for the program, loads it in complain mode and asks you to exercise the program in another terminal. When you choose (S)can, it reads the resulting AppArmor events from the log and prompts you, access by access, to allow, deny or ignore each one, or to generalise it with a glob. (F)inish writes the profile to `/etc/apparmor.d/`, switches it to enforce mode and reloads it. Exercise every code path you care about (startup, normal requests, log rotation, reload, shutdown): anything you do not trigger is not in the profile and will be refused later.
- Review the generated file and tighten it: replace overly broad globs, remove permissions that were only needed during testing, and add `deny` rules for anything the program must never touch.
- Reload the profile after editing it:
sudo apparmor_parser -r /etc/apparmor.d/<profile_name>
- When the program later logs new denials, `aa-logprof` performs the same interactive review against the existing profile, so you do not have to start over with `aa-genprof`.
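The same procedure as a script, added here as an example rather than taken from the page or from the AppArmor project. It does by hand what `aa-genprof` does for you: write a minimal skeleton, load it in complain mode, exercise the program, fold the logged events into the profile with `aa-logprof`, check the syntax, and enforce. The binary `/usr/local/bin/example-daemon` is hypothetical; `build_profile` needs root and a system with AppArmor enabled, and `aa-logprof` remains interactive.

```shell
#!/bin/sh
# Added example: non-interactive counterpart of the aa-genprof workflow.
# The target binary and the paths below are assumptions for illustration.
set -eu

# Conventional profile file name: strip the leading "/" and turn "/" into ".".
# /usr/local/bin/example-daemon -> usr.local.bin.example-daemon
profile_name_for() {
  printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Minimal starting profile, loaded in complain mode so nothing is blocked yet.
# The binary may run and mmap itself and gets the base abstraction; every other
# access shows up as an ALLOWED event in the log for aa-logprof to review.
skeleton_profile() {
  bin="$1"
  cat <<EOF
#include <tunables/global>

$bin flags=(complain) {
  #include <abstractions/base>

  $bin mr,
}
EOF
}

# Full workflow (root required; apparmor_parser, aa-logprof, aa-enforce are the
# real tools, the profile content is our skeleton).
build_profile() {
  bin="$1"
  file="/etc/apparmor.d/$(profile_name_for "$bin")"

  skeleton_profile "$bin" > "$file"
  apparmor_parser -r "$file"      # load (replace) the profile, still in complain mode

  echo "Exercise $bin now (tests, normal requests, reload, shutdown), then press Enter."
  read -r _unused

  aa-logprof                      # interactively fold the logged ALLOWED events into the profile
  apparmor_parser -Q "$file"      # parse only, no kernel load: catch syntax errors before enforcing
  aa-enforce "$file"              # removes flags=(complain) from the file and reloads it
  aa-status | grep -F "$bin"      # confirm the profile and its processes are in enforce mode
}

# Run the workflow only when a binary path is given on the command line.
if [ "$#" -eq 1 ]; then
  build_profile "$1"
fi
```

Keeping the profile in complain mode until `aa-logprof` has run is the point of the exercise step: in enforce mode the first missing rule would abort the program and you would only ever learn about one denial per run.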
AppArmor Modes
AppArmor operates in different modes, each with a specific level of enforcement. The two primary modes are "enforce" and "complain."
Enforce Mode
In enforce mode, AppArmor applies the policy in the profile: any access the profile does not allow is refused and logged as an apparmor="DENIED" event. One caveat: accesses matched by an explicit `deny` rule are refused silently by default; write `audit deny` when you want those logged as well.
To switch a profile to enforce mode, use the following command:
sudo aa-enforce /etc/apparmor.d/<profile_name>
`aa-enforce` removes `flags=(complain)` from the profile file and reloads it. It also accepts the path of the confined program in place of the profile file.
Complain Mode
In complain mode, AppArmor does not block the program: accesses that have no matching allow rule are permitted and logged as apparmor="ALLOWED" events instead of being refused. This is how new or changed profiles are tested without disrupting the application, and these events are what `aa-genprof` and `aa-logprof` read to propose rules. A profile in complain mode carries `flags=(complain)` on its header line, which is exactly what `aa-complain` adds to the file before reloading it.
To switch a profile to complain mode, use:
sudo aa-complain /etc/apparmor.d/<profile_name>
Disabled Mode
Disabling is not a kernel mode: `aa-disable` unloads the profile and links it into `/etc/apparmor.d/disable/`, so the AppArmor service skips it at boot. The program then runs unconfined, and nothing is enforced or logged. This removes confinement entirely, so use it only for troubleshooting, and prefer complain mode when the goal is merely to find out what a profile is blocking.
To disable a profile:
sudo aa-disable /etc/apparmor.d/<profile_name>
To bring it back, delete the symlink in `/etc/apparmor.d/disable/` and load the profile again with `apparmor_parser -r`.
Troubleshooting AppArmor
When an application misbehaves under AppArmor, work from the evidence: confirm the profile's mode with `aa-status`, read the exact denial from the log, and fix the profile. Reaching for `aa-disable` first hides the problem and leaves the program unconfined.
Common AppArmor Issues
- **Application Crashes or Failures Due to AppArmor**:
If an application fails to start or misbehaves once its profile is enforced, find the operation that was refused. Denials are kernel audit messages, so they appear in the kernel log (`journalctl -k` or `dmesg`), in syslog, and, when auditd is running, in `/var/log/audit/audit.log`:
sudo grep apparmor /var/log/syslog
Look for apparmor="DENIED" (refused in enforce mode) or apparmor="ALLOWED" (would have been refused; the profile is in complain mode). The fields that matter are operation= (open, exec, capable, ...), profile=, name= (the file or object) and requested_mask=/denied_mask= (the permissions the program asked for, such as r, w, k, m, x); together they tell you exactly which rule is missing.
- **Missing Permissions in Profiles**:
If the application is denied access to a resource it legitimately needs, add a rule to its profile. For example, to let it read and write everything under a directory:
/path/to/directory/ rw,
/path/to/directory/** rw,
`**` matches files and subdirectories at any depth (a single `*` does not cross `/`), and the first line is needed because `/path/to/directory/**` does not match the directory itself. Grant only the permissions the denied_mask shows, keep the path as narrow as the program's behaviour allows, and reload the profile with `apparmor_parser -r` afterwards.
- **Profile is in Complain Mode**:
If AppArmor is not blocking an action but is only logging it, the profile may be in complain mode. To switch the profile to enforce mode, use:
sudo aa-enforce /etc/apparmor.d/<profile_name>
- **Check Profile Syntax**:
A syntax error stops the profile from loading. `apparmor_parser -r` reports the error and its line number while loading; to check a profile without touching the kernel, parse it only:
sudo apparmor_parser -Q /etc/apparmor.d/<profile_name>
Fix the reported line and reload the profile. Note that `aa-status` does not warn about a profile that failed to load; it simply omits it from the list, so a typo introduced before a reboot can leave a program running unconfined until someone checks.
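The log-inspection and missing-permission items above, worked through as an added example that is not part of the page or of the AppArmor tool set: two shell functions that turn AppArmor audit messages into candidate profile rules, which is the mechanical part of what `aa-logprof` does interactively. The log lines are constructed for a hypothetical `/usr/local/bin/example-daemon` and `/usr/local/bin/example-worker`; on a live system you would feed `journalctl -k` or the syslog file into the same functions.

```shell
#!/bin/sh
# Added example: summarise AppArmor events and propose rules for one profile.
# The log lines below are constructed; the profiles and paths are hypothetical.
SAMPLE_LOG='Mar  3 10:12:45 host kernel: [ 1234.567890] audit: type=1400 audit(1709460765.123:42): apparmor="DENIED" operation="open" profile="/usr/local/bin/example-daemon" name="/etc/example-daemon/secrets.conf" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  3 10:12:46 host kernel: [ 1235.001122] audit: type=1400 audit(1709460766.001:43): apparmor="DENIED" operation="capable" profile="/usr/local/bin/example-daemon" pid=4242 comm="example-daemon" capability=12 capname="net_admin"
Mar  3 10:12:47 host kernel: [ 1236.002233] audit: type=1400 audit(1709460767.002:44): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/example-worker" name="/var/log/example-worker/app.log" pid=4310 comm="example-worker" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1001
Mar  3 10:12:48 host kernel: [ 1237.003344] audit: type=1400 audit(1709460768.003:45): apparmor="DENIED" operation="create" profile="/usr/local/bin/example-daemon" pid=4242 comm="example-daemon" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Mar  3 10:12:49 host kernel: [ 1238.004455] eth0: link up (unrelated kernel noise, not an AppArmor event)'

# One line per AppArmor event: STATUS OPERATION KIND PROFILE OBJECT MASK.
# Fields are key="value" tokens; splitting on whitespace is safe because the
# kernel hex-encodes names that contain spaces.
aa_events() {
  awk '
    /apparmor="(DENIED|ALLOWED)"/ {
      for (k in kv) delete kv[k]
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        kv[k] = v
      }
      if ("capname" in kv)     { kind = "capability"; obj = kv["capname"] }
      else if ("family" in kv) { kind = "network";    obj = kv["family"] "/" kv["sock_type"] }
      else if ("name" in kv)   { kind = "file";       obj = kv["name"] }
      else                     { kind = "other";      obj = "-" }
      mask = ("denied_mask" in kv) ? kv["denied_mask"] : "-"
      print kv["apparmor"], kv["operation"], kind, kv["profile"], obj, mask
    }'
}

# Candidate rules for the profile given as $1, sorted and de-duplicated.
# Review them before adding: a denial is evidence of what the program tried,
# not proof that it should be allowed.
aa_suggest_rules() {
  aa_events | awk -v want="$1" '
    function dedupe(s,   i, c, seen, out) {
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (!(c in seen)) { seen[c] = 1; out = out c }
      }
      return out
    }
    $4 != want { next }
    $3 == "capability" { print "capability " $5 ","; next }
    $3 == "network"    { split($5, f, "/"); print "network " f[1] " " f[2] ","; next }
    $3 == "file" && $6 != "-" {
      m = $6
      gsub(/[cd]/, "w", m)   # create and delete denials are satisfied by the w permission
      print $5 " " dedupe(m) ","
    }' | LC_ALL=C sort -u
}

# On a live system: sudo journalctl -k | aa_suggest_rules /usr/local/bin/example-daemon
printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules /usr/local/bin/example-daemon
```

The ALLOWED line for example-worker is what a complain-mode profile produces; it is handled exactly like a denial because it records an access the profile would refuse once enforced. Exec denials (mask containing x) are printed as-is and still need you to choose an exec modifier (ix, Px, Cx, ux) by hand.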
Reverting Changes in AppArmor
If you have changed a profile and the changes cause problems, there are two ways back. Many distribution profiles end with an include of `/etc/apparmor.d/local/<profile_name>`; if you keep your site-specific rules there, reverting is just emptying that file and reloading the profile. If you edited the shipped profile itself, restore it from your configuration backup or version control and reload it with `apparmor_parser -r`. Reinstalling the package does not help on its own, because dpkg preserves locally modified configuration files; delete the profile first, then reinstall with `-o Dpkg::Options::="--force-confmiss"` so the original is written back.
To remove a custom profile you wrote yourself, unload it before deleting the file, so the kernel copy and the file on disk stay in step:
sudo apparmor_parser -R /etc/apparmor.d/<profile_name>
sudo rm /etc/apparmor.d/<profile_name>
After that the program runs unconfined until you write a new profile, for example with `aa-genprof`.
Useful Links
- [Official AppArmor Documentation](https://gitlab.com/apparmor/apparmor)
- [AppArmor Wiki on Ubuntu](https://wiki.ubuntu.com/AppArmor)
- [AppArmor Manual Pages](http://man7.org/linux/man-pages/man7/apparmor.7.html)
- [AppArmor GitHub Repository](https://github.com/apparmor/apparmor)
- [AppArmor Community Forum](https://discourse.ubuntu.com/c/security/apparmor/)
- [AppArmor and SELinux Comparison](https://wiki.archlinux.org/title/AppArmor#AppArmor_vs_SELinux)
