AppArmor

1. Description

AppArmor is a Mandatory Access Control (MAC) system built on Linux’s LSM (Linux Security Modules) interface. In practice, the kernel asks AppArmor, before a system call is carried out, whether the calling process is authorized to perform that operation. Through this mechanism, AppArmor confines programs to a limited set of resources.

AppArmor applies a set of rules (known as a “profile”) to each program. The profile the kernel applies is chosen by the installation path of the program being executed. Contrary to SELinux (discussed in Section 14.5, “Introduction to SELinux”), the rules applied do not depend on the user: all users face the same set of rules when they execute the same program (but traditional user permissions still apply and might result in different behavior!).

AppArmor profiles are stored in /etc/apparmor.d/ and contain a list of access-control rules describing the resources the program may use. The profiles are compiled and loaded into the kernel by the apparmor_parser command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.

2. Enable AppArmor

To load all AppArmor profiles on startup, enable its systemd service (enabled by default on Debian)

systemctl enable apparmor

Find out whether AppArmor is enabled by reading the kernel parameter (prints Y if it is) or with the aa-enabled(1) command

cat /sys/module/apparmor/parameters/enabled

Check the current state of AppArmor with aa-status(8)

# aa-status
apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
 ...
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

3. Profiles

Profiles are stored under /etc/apparmor.d. On Debian, install the apparmor-profiles package to add profiles maintained by the AppArmor community, and apparmor-profiles-extra for profiles developed by Debian and Ubuntu.

Install the apparmor-utils package on Debian to manage profiles

Links for creating new profiles:
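As an added example (not from the original page) tying together the description in section 1 and the profile layout above, the script below writes a minimal profile for a hypothetical program /usr/local/bin/example, names the file the way Debian does under /etc/apparmor.d, and prints the apparmor_parser invocation that would load it in enforce or complain mode. The program path, the resources listed in the profile and the temporary directory standing in for /etc/apparmor.d are all constructed for the example; nothing is loaded into the kernel, so it can be run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original page): build a minimal AppArmor profile
# for a hypothetical program and show how it would be loaded in enforce or
# complain mode. The profile is written under a temporary directory standing
# in for /etc/apparmor.d, so running this touches nothing on the real system.

PROGRAM=/usr/local/bin/example              # hypothetical confined program
PROFILE_DIR=${PROFILE_DIR:-$(mktemp -d)}    # stand-in for /etc/apparmor.d

# Debian convention: the profile file is named after the program path with the
# leading '/' dropped and every remaining '/' turned into '.'.
profile_filename() {
    printf '%s\n' "$1" | sed 's|^/||; s|/|.|g'
}

# Write the profile. With flags=(complain) the kernel only logs what the policy
# would have denied; without it the policy is enforced. Anything not listed in
# the profile is denied for a program running under it.
write_profile() {
    mode=$1
    file="$PROFILE_DIR/$(profile_filename "$PROGRAM")"
    if [ "$mode" = complain ]; then
        flags=" flags=(complain)"
    else
        flags=""
    fi
    cat > "$file" <<EOF
#include <tunables/global>

$PROGRAM$flags {
  #include <abstractions/base>

  # constructed resource list for the example
  /etc/example.conf r,
  /var/log/example.log w,
  network inet stream,

  # explicit deny rules are not logged (prefix with "audit" to log them)
  deny /etc/shadow r,
}
EOF
    printf '%s\n' "$file"
}

# The command an administrator would run to load it: -r replaces an already
# loaded copy of the profile, -C forces complain mode whatever the file says.
parser_command() {
    case $2 in
        complain) printf 'apparmor_parser -r -C %s\n' "$1" ;;
        *)        printf 'apparmor_parser -r %s\n' "$1" ;;
    esac
}

profile=$(write_profile complain)
cat "$profile"
echo "# load with: $(parser_command "$profile" complain)"
echo "# switch modes later with: aa-complain $PROGRAM  or  aa-enforce $PROGRAM"
```

Set PROFILE_DIR=/etc/apparmor.d and run the printed apparmor_parser command as root to actually load the profile; aa-complain and aa-enforce (from apparmor-utils) rewrite the flags in the file and reload it for you.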

4. Status

Use aa-status(8) to list all loaded profiles for applications/processes and their status (enforce, complain, unconfined)

aa-status

List running executables that are confined by a profile

ps auxZ | grep -v '^unconfined'

Use aa-unconfined(8) to list processes that have open TCP/UDP ports but are not confined by a profile

aa-unconfined
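The label that ps -Z and aa-status report comes from the kernel's per-process attribute file. As an added example (not from the original page), the script below reads that file for every process, splits the label into its mode, and prints the same per-mode breakdown aa-status shows. The label formats it recognises (unconfined, or a profile name followed by (enforce) or (complain)) are AppArmor's; on a system where AppArmor is not active every process simply reports as unconfined.

```shell
#!/bin/sh
# Added example (not from the original page): read the confinement label the
# kernel exposes for each process. It is the same information ps -Z and
# aa-status report; the label is either "unconfined" or
# "<profile name> (<mode>)", e.g. "/usr/sbin/cupsd (enforce)".

# Return the AppArmor label of a process, or "unconfined" when the kernel does
# not expose one (AppArmor not active, or the file unreadable).
process_label() {
    pid=$1
    label=""
    for attr in "/proc/$pid/attr/apparmor/current" "/proc/$pid/attr/current"; do
        if [ -r "$attr" ] && label=$(cat "$attr" 2>/dev/null) && [ -n "$label" ]; then
            break
        fi
        label=""
    done
    printf '%s\n' "${label:-unconfined}"
}

# Reduce a label to its mode: enforce, complain or unconfined.
label_mode() {
    case $1 in
        unconfined)    echo unconfined ;;
        *'(enforce)')  echo enforce ;;
        *'(complain)') echo complain ;;
        *)             echo unknown ;;   # e.g. a label set by another LSM
    esac
}

# One line per process: "<pid> <mode> <label>". Processes that exit while we
# scan are skipped.
list_confinement() {
    for dir in /proc/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir#/proc/}
        label=$(process_label "$pid")
        printf '%s %s %s\n' "$pid" "$(label_mode "$label")" "$label"
    done
}

# Count processes by mode, the breakdown aa-status prints at the end.
confinement_summary() {
    list_confinement | awk '{ n[$2]++ }
        END { for (m in n) printf "%d processes are in %s mode\n", n[m], m }'
}

confinement_summary
```

Run `list_confinement | grep -v ' unconfined '` to get the same list as `ps auxZ | grep -v '^unconfined'` above, but with the mode already split out so it can be piped into a monitoring check that alerts when a service expected to be in enforce mode shows up as complain or unconfined.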

5. Boot time

Because AppArmor has to compile the configured profiles into a binary format, it may noticeably increase boot time. Check how long the AppArmor service takes at startup with systemd-analyze(1)

systemd-analyze blame | grep apparmor

6. References