AppArmor is a Linux kernel security module that restricts program capabilities using per-program profiles.

AppArmor uses the Linux Security Modules (LSM) kernel interface and does not apply to all running applications on the system, only those with a profile created and assigned.

An additional package may be required to manage profiles:

sudo apt install apparmor-profiles -y

Profiles can allow or deny capabilities such as network access, and reading, writing, or executing files on matching paths.

sudo apparmor_status
sudo aa-status

Profiles are located at:

  • ls /etc/apparmor.d/*
  • ls /etc/apparmor.d/disable/*

Create a new profile for an application or script:

sudo aa-genprof /usr/sbin/httpd

Set a profile to complain or enforce mode:

sudo aa-complain /usr/sbin/httpd
sudo aa-enforce /usr/sbin/httpd

Load or reload an updated policy:

sudo apparmor_parser

Read the logs and prompt the user to permit any detected forbidden actions:

sudo aa-logprof

Merge policies:

sudo aa-mergeprof

Force stop and remove AppArmor:

sudo invoke-rc.d apparmor kill
sudo update-rc.d -f apparmor remove