AppArmor Basics

1. Introduction

AppArmor is a Linux kernel security module that provides a mandatory access control (MAC) framework. It restricts the capabilities of applications, enhancing system security by controlling each program's permissions.

2. What is AppArmor?

AppArmor is designed to protect the operating system and its users from malicious software. It works by defining profiles for programs, which specify the files and resources that a particular program can access.

Important: AppArmor is primarily used in Ubuntu and Debian-based systems.

3. Key Concepts

  • **Profiles**: Configuration files defining the access rights of applications.
  • **Modes**: Two operational modes for profiles:
    • Enforce Mode: Denies access if it violates the profile.
    • Complain Mode: Logs violations but allows access.
  • **Namespace**: A set of profiles that apply to a specific program or application.

4. Installation

To install AppArmor on Ubuntu, run the following commands:

sudo apt update
sudo apt install apparmor apparmor-utils

After installation, ensure that AppArmor is enabled:

sudo systemctl start apparmor
sudo systemctl enable apparmor

5. Configuration

To create a new profile, use the following command:

sudo aa-genprof 

After running this command, follow the prompts to define the application's permissions. You can also manually edit the profile located in:

/etc/apparmor.d/

To load or reload a profile, use:

sudo apparmor_parser -r /etc/apparmor.d/

6. Best Practices

  1. Always run applications in Complain Mode initially to gather logs.
  2. Regularly review and update profiles based on application changes.
  3. Use the AppArmor utilities to monitor compliance and violations.
  4. Limit permissions to only what is necessary for each application.
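
Practices 1 and 3 come down to reading the audit messages AppArmor writes: complain-mode violations are logged with apparmor="ALLOWED" and enforce-mode violations with apparmor="DENIED". The script below is an added example, not part of the original tutorial. The log lines are constructed, and the function names (sample_log, summarize_apparmor, profiles_with_complain_hits) and the demo-app and other-app paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: summarize AppArmor audit events by verdict and profile.
#   apparmor="ALLOWED" -> complain mode: violation logged, access permitted
#   apparmor="DENIED"  -> enforce mode: access blocked

# Constructed sample lines in the kernel audit format AppArmor logs.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1704880801.101:201): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/local/bin/demo-app" pid=4090 comm="apparmor_parser"
Jan 10 10:00:05 host kernel: audit: type=1400 audit(1704880805.210:202): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/demo-app" name="/etc/demo/app.conf" pid=4101 comm="demo-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 10:00:06 host kernel: audit: type=1400 audit(1704880806.310:203): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/demo-app" name="/var/log/demo/app.log" pid=4101 comm="demo-app" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Jan 10 10:05:05 host kernel: audit: type=1400 audit(1704881105.410:204): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/demo-app" name="/etc/demo/app.conf" pid=4177 comm="demo-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 10:06:00 host kernel: audit: type=1400 audit(1704881160.510:205): apparmor="DENIED" operation="open" profile="/usr/local/bin/other-app" name="/etc/shadow" pid=4200 comm="other-app" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
EOF
}

# Hypothetical helper: read log lines on stdin and print one line per distinct
# event as "COUNT VERDICT PROFILE OPERATION NAME DENIED_MASK".
summarize_apparmor() {
  awk '
    # Return the value of key="value" in line, or "-" if the key is absent.
    function field(line, key,    re) {
      re = " " key "=\"[^\"]*\""
      if (!match(line, re)) return "-"
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    # Only policy verdicts are counted; STATUS messages are skipped.
    /apparmor="(ALLOWED|DENIED)"/ {
      k = field($0, "apparmor") " " field($0, "profile")
      k = k " " field($0, "operation") " " field($0, "name")
      k = k " " field($0, "denied_mask")
      count[k]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2,2 -k1,1nr
}

# Profiles that still log ALLOWED events: the profile lacks rules the
# application needs, so switching it to Enforce Mode now would block them.
profiles_with_complain_hits() {
  summarize_apparmor | awk '$2 == "ALLOWED" { print $3 }' | LC_ALL=C sort -u
}

# On a live host, pipe in real kernel log lines instead of the sample.
sample_log | summarize_apparmor
```

A profile is a candidate for Enforce Mode once it stops appearing in the ALLOWED rows during normal use of the application.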

7. FAQ

What happens if an application violates its AppArmor profile?

The application will be denied access to the resource and may terminate, depending on the violation severity.

Can AppArmor profiles be modified on the fly?

Yes, you can modify profiles and reload them without restarting the system.

Is AppArmor compatible with SELinux?

No, AppArmor and SELinux cannot be used simultaneously on the same system.