AppArmor
AppArmor#
Prerequisite — Mandatory Access Control (MAC): Standard Linux permissions (rwx, owner/group) are Discretionary Access Control (DAC) — the file owner decides who can access it. Mandatory Access Control adds a system-wide layer on top: the administrator defines what each program is allowed to do, regardless of the user running it. Even if a program runs as root, MAC can restrict it to only its expected files and operations. AppArmor is Linux’s MAC system on Ubuntu and Debian.
Concepts#
What Is AppArmor?#
AppArmor confines individual programs to a limited set of resources — files, network access, capabilities. If a program is compromised, AppArmor limits the damage it can do.
Without AppArmor:
Compromised web server → attacker can do anything the server's user can, and everything if the server runs as root (read /etc/shadow, write anywhere)
With AppArmor:
Compromised web server → attacker can only touch the files, network and capabilities the profile allows, whatever user the server runs as
AppArmor is enabled by default on Ubuntu and Debian (since Debian 10).
AppArmor Status#
```bash
# Check if AppArmor is active
sudo aa-status

# Output shows:
# - Number of loaded profiles
# - Profiles in enforce mode
# - Profiles in complain mode
# - Processes with profiles

# Alternative (same tool, older name)
sudo apparmor_status
```
Profile Modes#
| Mode | Behavior |
|---|---|
| Enforce | Violations are blocked and logged |
| Complain | Violations are logged but allowed (useful for testing) |
| Unconfined | No restrictions (no profile loaded) |
Viewing Profiles#
Profiles are stored in /etc/apparmor.d/:
```bash
ls /etc/apparmor.d/

# Profile filenames are the program path with the slashes replaced by dots:
# usr.sbin.mysqld → profile for /usr/sbin/mysqld
# usr.bin.firefox → profile for /usr/bin/firefox
```
Reading a Profile#
```bash
# This profile comes from the apparmor-profiles package; if the file is
# missing, install that package or read another profile in the directory
cat /etc/apparmor.d/usr.sbin.tcpdump
```
A simplified profile looks like:
```
/usr/sbin/tcpdump {
  # Include common rules (older profiles spell this #include, which still works)
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Raw packet capture needs this capability in addition to the socket rules
  capability net_raw,

  # Allow reading
  /etc/tcpdump/** r,
  /usr/sbin/tcpdump mr,

  # Allow writing captures
  /tmp/*.pcap w,

  # Network access (raw and packet sockets, the two families tcpdump opens)
  network raw,
  network packet,

  # Everything not listed is denied (implicit)
}
```
Key syntax:
- r — read
- w — write
- m — memory-map executable (mmap with PROT_EXEC; needed for the binary itself and for shared libraries)
- k — lock
- l — link
- ix — inherit execute (the child keeps this profile)
- px — profile execute (the child switches to its own profile, which must exist or the exec fails)
- ux — unconfined execute (the child runs with no profile; this drops confinement and should be avoided)
- deny prefix — explicit deny that overrides any allow rule, including rules pulled in from abstractions
- owner prefix — the rule applies only to files owned by the user the process runs as
Managing Profiles#
```bash
# Install management tools
sudo apt install -y apparmor-utils

# Set a profile to enforce mode
sudo aa-enforce /etc/apparmor.d/usr.sbin.tcpdump

# Set a profile to complain mode (log only, don't block)
sudo aa-complain /etc/apparmor.d/usr.sbin.tcpdump

# Disable a profile
sudo aa-disable /etc/apparmor.d/usr.sbin.tcpdump

# Reload all profiles
sudo systemctl reload apparmor

# Reload a specific profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
```
Creating a Profile#
AppArmor can help generate a profile by watching a program. A generated profile covers only the code paths you exercised while it was watching, so keep it in complain mode until the logs stay quiet under real use, and review every proposed rule before enforcing: the tool records what the program asked for, not what it should be allowed.
```bash
# Step 1: Generate a skeleton profile and set to complain mode
sudo aa-genprof /usr/bin/myapp

# Step 2: In another terminal, run the program and exercise all its features
/usr/bin/myapp --do-things

# Step 3: Back in aa-genprof, press 'S' to scan for events
# It will ask you to Allow/Deny each access, building the profile

# Step 4: Save and set to enforce mode
```
For a simpler approach:
```bash
# Create a profile in complain mode
sudo aa-autodep /usr/bin/myapp
sudo aa-complain /usr/bin/myapp

# Use the program normally for a while
# Then review and refine:
sudo aa-logprof

# When satisfied, switch to enforce:
sudo aa-enforce /usr/bin/myapp
```
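The generated route above produces a profile you then have to read; the alternative is to write one by hand from the syntax in "Reading a Profile" and push it through the same check/complain/enforce sequence. The script below is an added example, not from the original page or the AppArmor project: it prints a complete profile for a hypothetical service `/usr/local/bin/webapp` (the binary, its directories and the gzip helper are assumptions for illustration) and wraps the load and test steps in a function that needs root and a running AppArmor.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or the AppArmor project.
# Assumptions: a hypothetical service /usr/local/bin/webapp that reads
# /etc/webapp and /usr/share/webapp, keeps state under /var/lib/webapp,
# logs to /var/log/webapp, listens on TCP and shells out to gzip.
set -eu

# Print the profile. Anything not listed is implicitly denied.
webapp_profile() {
  cat <<'EOF'
# File: /etc/apparmor.d/usr.local.bin.webapp  (name mirrors the binary path)
# Older parsers only accept the "#include <...>" spelling of include
include <tunables/global>

/usr/local/bin/webapp {
  include <abstractions/base>
  include <abstractions/nameservice>

  # The binary itself: map and read, never write
  /usr/local/bin/webapp mr,

  # Configuration and templates are read-only
  /etc/webapp/** r,
  /usr/share/webapp/** r,

  # Writes limited to state and logs, and only to files the service's
  # own user owns ("owner" stops it touching root-owned files dropped there)
  owner /var/lib/webapp/** rw,
  owner /var/log/webapp/*.log w,

  # TCP only; no raw or packet sockets, so a compromised binary cannot sniff
  network inet stream,
  network inet6 stream,

  # Bind a privileged port; no other capability is granted
  capability net_bind_service,

  # Helper inherits this profile (ix). A px target would need its own
  # profile; ux would run it unconfined and is the thing to avoid.
  /usr/bin/gzip ix,

  # Explicit denies override allows, including ones from abstractions
  deny /etc/shadow r,
  deny /home/** rw,
}
EOF
}

# Install, syntax-check, load in complain mode, then hand over to enforce.
# Needs root and a running AppArmor; nothing here is invoked automatically.
install_webapp_profile() {
  local dst=/etc/apparmor.d/usr.local.bin.webapp
  webapp_profile > "$dst"
  apparmor_parser -Q "$dst"      # parse only (-Q skips the kernel load)
  apparmor_parser -r -C "$dst"   # (re)load in complain mode (-C)
  echo "Exercise the service; complain-mode events are logged as apparmor=\"ALLOWED\":"
  echo "  journalctl -k | grep 'apparmor=\"ALLOWED\".*profile=\"/usr/local/bin/webapp\"'"
  echo "When that stays quiet under real use: sudo aa-enforce $dst"
}

if [ "${1:-}" = "--print" ]; then webapp_profile; fi
```

Run it as `bash webapp-profile.sh --print` to see the profile, or source it as root and call `install_webapp_profile`. The point of the `owner` and `deny` lines is that they hold even if a later edit (or an abstraction) adds a broad allow rule; start from the narrowest rule that makes the service work and widen only on evidence from the logs.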
Viewing AppArmor Logs#
```bash
# AppArmor denials are kernel audit messages; without auditd they land in
# the kernel log, which the journal keeps
sudo dmesg | grep -i apparmor | tail -20
journalctl -k | grep -i apparmor | tail -20

# Older layouts also copy them into syslog
grep -i apparmor /var/log/syslog | tail -20

# If auditd is running it takes over the audit stream: the messages normally
# stop appearing in dmesg/syslog and must be read from audit.log instead
sudo grep -i apparmor /var/log/audit/audit.log 2>/dev/null | tail -10

# Denied actions show as DENIED; complain mode logs the same events as ALLOWED:
# audit: type=1400 audit(...): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=1234 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
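One DENIED line is easy to read; a burst of them is not, and the useful view is "which profile, which resource, which permissions, how often", which is roughly what `aa-logprof` works out before asking you. The function below is an added example, not from the page or the AppArmor project: it collapses DENIED events into candidate rules and runs over constructed sample log lines embedded in the script. Treat the output as a triage list, not as rules to paste in: a denial of `/etc/shadow` is a finding, not something to allow.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or the AppArmor project.
# Summarise AppArmor DENIED events (kernel log, journal or audit.log
# format) into candidate profile rules: profile <TAB> count <TAB> rule
set -eu

aa_denials_to_rules() {
  grep 'apparmor="DENIED"' | awk '
    # Value of a key="value" field in the current line ("" if absent).
    # The leading space keeps name= from matching inside capname=.
    function field(key,    re, m) {
      re = " " key "=\"[^\"]*\""
      if (!match($0, re)) return ""
      m = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
      return m
    }
    {
      p  = field("profile")
      op = field("operation")
      if (op == "capable") {
        # capability denials carry capname=, not a path or a mask
        rule = "capability " field("capname")
        mask = ""
      } else {
        rule = field("name")
        mask = field("denied_mask")
      }
      k = p SUBSEP rule
      masks[k] = masks[k] mask     # union of every mask seen for this pair
      count[k]++
    }
    END {
      order = "rwacdklmx"          # canonical order for permission letters
      for (k in masks) {
        split(k, part, SUBSEP)
        m = ""
        for (i = 1; i <= length(order); i++) {
          c = substr(order, i, 1)
          if (index(masks[k], c)) m = m c
        }
        printf "%s\t%d\t%s%s,\n", part[1], count[k], part[2], (m == "" ? "" : (" " m))
      }
    }' | LC_ALL=C sort
}

# Constructed sample events (not captured from a real system). The last line
# is a complain-mode ALLOWED event and must be ignored by the summary.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=1201 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=1201 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:13): apparmor="DENIED" operation="capable" profile="/usr/sbin/tcpdump" pid=1201 comm="tcpdump" capability=12 capname="net_admin"
audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="open" profile="/usr/local/bin/webapp" name="/var/lib/webapp/cache.db" pid=1302 comm="webapp" requested_mask="wc" denied_mask="wc" fsuid=33 ouid=33
audit: type=1400 audit(1700000000.105:15): apparmor="DENIED" operation="open" profile="/usr/local/bin/webapp" name="/var/lib/webapp/cache.db" pid=1302 comm="webapp" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
audit: type=1400 audit(1700000000.106:16): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/webapp" name="/etc/hostname" pid=1302 comm="webapp" requested_mask="r" denied_mask="r" fsuid=33 ouid=33'

# Run the summary over the sample; on a live host pipe journalctl -k or
# audit.log into aa_denials_to_rules instead.
summarize_sample() {
  printf '%s\n' "$SAMPLE_LOG" | aa_denials_to_rules
}

summarize_sample
```

The sample yields three lines: the webapp's `cache.db` with the merged mask `rwc` (two events), one `capability net_admin` request from tcpdump, and two reads of `/etc/shadow` by tcpdump. The first is a plausible profile gap; the other two are exactly the kind of denial the profile exists to produce, and the right response is to investigate why the program asked, not to widen the rule.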
Common Pre-Installed Profiles#
Ubuntu and Debian ship profiles for several programs, and some packages (mysql-server, for example) install their own profile. Two extra packages add more:
```bash
# Install additional profiles
sudo apt install -y apparmor-profiles apparmor-profiles-extra

# These add profiles for:
# - Network services (named, ntpd)
# - Browsers (firefox)
# - Databases (mysqld, postgres)
# - And many more

# Some of the extra profiles are shipped in complain mode: check what actually
# changed and switch to enforce deliberately, one profile at a time
sudo aa-status
```
Abstractions#
Profiles use abstractions — reusable sets of rules for common needs:
```bash
ls /etc/apparmor.d/abstractions/

# Common abstractions:
# base — fundamental system access (libc, locale, etc.)
# nameservice — DNS, NSS, /etc/hosts
# authentication — PAM, /etc/shadow access
# user-tmp — access to /tmp
```
Lab#
Exercise 1: Check AppArmor Status#
```bash
# Is AppArmor active?
sudo aa-status | head -20

# How many profiles are loaded?
sudo aa-status | grep "profiles are loaded"

# Which processes are confined?
sudo aa-status | grep -A 100 "processes are in"
```
Exercise 2: Explore Profiles#
```bash
# List profile files
ls /etc/apparmor.d/ | head -20

# Read a profile
cat /etc/apparmor.d/usr.sbin.tcpdump 2>/dev/null || echo "Profile not found — try another"

# List abstractions
ls /etc/apparmor.d/abstractions/ | head -15
```
Exercise 3: Switch Profile Modes#
```bash
# Install management tools
sudo apt install -y apparmor-utils

# Find an enforced profile
sudo aa-status | grep enforce

# Switch one to complain mode (replace with an actual profile on your system)
# sudo aa-complain /etc/apparmor.d/usr.sbin.tcpdump

# Check status
# sudo aa-status | grep tcpdump

# Switch back to enforce
# sudo aa-enforce /etc/apparmor.d/usr.sbin.tcpdump
```
Exercise 4: View AppArmor Logs#
```bash
# Check for any AppArmor events (kernel log via the journal)
journalctl -k | grep -i apparmor | tail -10

# Check for denied actions
journalctl -k | grep -i 'apparmor="DENIED"' | tail -10
```
Review#
1. What is AppArmor?
A Mandatory Access Control (MAC) system that confines programs to a limited set of resources. Each program gets a profile defining what files, network access, and capabilities it can use. Even root-owned processes are restricted.
2. What is the difference between enforce and complain modes?
Enforce blocks and logs policy violations. Complain logs violations but allows them. Use complain mode to test new profiles without breaking the application, then switch to enforce.
3. Where are AppArmor profiles stored?
/etc/apparmor.d/. Profile filenames correspond to the program path with slashes replaced by dots (e.g., usr.sbin.mysqld for /usr/sbin/mysqld).
4. How do you check which programs are confined by AppArmor?
sudo aa-status. It lists all loaded profiles, their modes (enforce/complain), and which running processes have profiles applied.
5. How do you create a profile for a new program?
Use sudo aa-genprof /path/to/program. It creates a skeleton profile in complain mode, watches the program’s behavior, and interactively asks you to allow or deny each access. Save the profile and switch to enforce mode when ready.