AppArmor is a Linux security module that restricts application privileges to enhance system security. 1. It enforces mandatory access controls via security profiles that define permitted file, directory, network, and system call access. 2. Profiles operate in enforce mode (blocking violations) or complain mode (logging only, for testing). 3. Profiles are stored in /etc/apparmor.d/, use abstractions for common rules, and should follow least privilege. 4. Key commands include sudo apparmor_status to check status, sudo aa-complain and sudo aa-enforce to toggle modes, and sudo aa-autodep with sudo aa-logprof to generate and refine profiles from logs. 5. Best practices include checking logs for denials, avoiding unnecessary profile disabling, testing in complain mode, and combining AppArmor with other security measures. AppArmor is user-friendly, path-based, and well-integrated in Ubuntu and SUSE, making it a practical choice for application confinement.

AppArmor is a Linux security module designed to protect your system by restricting what individual applications can do. Unlike full system hardening tools, AppArmor focuses on confining specific programs—limiting their access to files, directories, network resources, and system calls—even if they’re compromised. If you're running Ubuntu, SUSE, or another Debian-based distribution, chances are AppArmor is already installed and quietly working in the background.

Here’s a practical guide to understanding and using AppArmor to improve your system’s application security.

What AppArmor Does (and Why You Need It)

At its core, AppArmor applies mandatory access controls (MAC) to programs using security profiles. These profiles define exactly what an application is allowed to do—like which files it can read or write, whether it can bind to network ports, or if it can execute other programs.

Without such controls, a vulnerable app (like a web server or browser) could be exploited to access sensitive data, install malware, or pivot to other parts of the system. AppArmor reduces that risk by ensuring even a compromised app can't go beyond its defined permissions.

For example:

• The firefox profile might allow access to your Downloads folder and temporary directories—but not to /etc/shadow or your SSH keys.
• The docker daemon might be restricted to specific device files and container directories, preventing container breakout attempts.

It’s not a replacement for firewalls or user permissions, but it adds a strong layer of defense-in-depth.

How AppArmor Profiles Work

AppArmor uses plain-text policy files called profiles. Each profile corresponds to a program and specifies allowed paths, capabilities, and network access.

Profiles operate in one of two modes:

• Enforce mode: The rules are actively enforced. Violations are blocked and logged.
• Complain mode: The rules aren’t enforced, but violations are logged. Useful for testing.

A simple profile snippet might look like this:

/usr/bin/myapp {
  #include <abstractions/base>
  /tmp/ rw,
  /opt/myapp/** r,
  /var/log/myapp.log w,
  network inet stream,
}

This says:

• Include standard base abstractions (common rules)
• Allow read/write to /tmp
• Read-only access to anything under /opt/myapp/
• Write access to a specific log file
• Permit TCP network connections

Profiles are stored in /etc/apparmor.d/, and compiled into binary format loaded into the kernel via the AppArmor kernel module.

Managing AppArmor on Your System

Most operations are handled through command-line tools. Here are the essentials:

1. Check AppArmor Status

sudo apparmor_status

This shows how many profiles are loaded, how many are in enforce/complain mode, and which processes are confined.

2. Put a Profile in Complain Mode (for Testing)

sudo aa-complain /usr/bin/firefox

Useful when creating or modifying a profile—you can see what the app tries to do without breaking it.

3. Put a Profile Back in Enforce Mode

sudo aa-enforce /usr/bin/firefox

4. Generate a Profile from Logs (Learning Mode)

If a profile doesn’t exist, you can let AppArmor learn what an app does:

sudo aa-autodep /usr/local/bin/myapp
sudo aa-logprof

• aa-autodep creates a basic skeleton.
• aa-logprof reads access violations from logs and helps you approve or deny them interactively.

5. Reload or Disable a Profile

After editing:

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp

To disable a profile entirely:

sudo ln -s /etc/apparmor.d/usr.bin.myapp /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.myapp

Common Pitfalls and Best Practices

• Don’t disable profiles just because something breaks. Instead, check logs (/var/log/syslog or journalctl) for AppArmor denials and adjust the profile.
• Use abstractions. AppArmor includes reusable abstractions (in /etc/apparmor.d/abstractions/) for common tasks like DNS, Python, or user-homes. Include them to avoid reinventing the wheel.
• Keep profiles minimal. Grant only the access necessary—principle of least privilege.
• Monitor logs regularly. Use tools like dmesg | grep apparmor or grep "apparmor" /var/log/syslog to catch unexpected denials.
• Test in complain mode first—especially on production systems.

Is AppArmor Right for You?

AppArmor is easier to set up than SELinux, especially for beginners. It uses path-based access control (vs SELinux’s label-based), which makes writing and debugging profiles more intuitive.

It’s well-integrated into Ubuntu and SUSE, with many default profiles already in place for services like CUPS, Docker, MySQL, and snapd. If you're on one of these distros, you're likely already benefiting from it.

That said, it’s not a magic bullet. You still need to:

• Keep software updated
• Practice good user permission hygiene
• Combine with other tools (like firewalls or auditd)

But for straightforward application confinement with low overhead, AppArmor is a solid, practical choice.

Basically, AppArmor gives you fine-grained control over what your apps can do—without requiring a security PhD to use. Start by checking what’s already protected, review the logs, and gradually tighten or add profiles where needed. It’s not flashy, but it quietly stops a lot of bad stuff.

The above is the detailed content of A Guide to AppArmor for Linux Application Security. For more information, please follow other related articles on the PHP Chinese website!