AppArmor Profiles

AppArmor cheatsheet — create profiles, set enforce/complain mode, check status with aa-status. Lock down applications with mandatory access control on Linux.


What it is

AppArmor is a Mandatory Access Control (MAC) system that confines programs to a predetermined set of resources. You reach for AppArmor when you need to harden the security of specific applications by restricting their access to files, network sockets, and capabilities.

Installation

Linux

AppArmor is typically pre-installed on many Linux distributions. If not, you can install it using your distribution’s package manager.

Debian/Ubuntu:

sudo apt update
sudo apt install apparmor apparmor-utils

Fedora/CentOS/RHEL:

sudo dnf install apparmor apparmor-utils
# or for older systems
sudo yum install apparmor apparmor-utils

Arch Linux:

sudo pacman -S apparmor apparmor-utils

After installation, confirm that the AppArmor LSM is enabled. AppArmor is built into the kernel rather than shipped as a loadable module, so there is nothing to modprobe; if the file below prints N instead of Y, enable it with the kernel boot parameters apparmor=1 security=apparmor and reboot:

cat /sys/module/apparmor/parameters/enabled

And check its status:

sudo aa-status

Mac/Windows

AppArmor is a Linux-specific security module and is not available on macOS or Windows.

Core Concepts

Profiles

These are the configuration files that define the security policy for a specific application. They specify what resources the application is allowed or denied access to. Profiles are typically stored in /etc/apparmor.d/.

Modes

AppArmor profiles can operate in two primary modes:

  • Enforce Mode: The profile is actively enforced. Violations are logged and the action is denied.
  • Complain Mode: The profile is not actively enforced. Violations are logged, but the action is allowed. This mode is useful for testing and debugging profiles.

Paths and Globbing

AppArmor uses a specific syntax for specifying file paths and patterns within profiles.

  • Exact Paths: /usr/bin/firefox
  • Globbing:
    • *: Matches any sequence of characters except /. /home/*/documents matches /home/user/documents but not /home/user/subdir/documents.
    • **: Matches any sequence of characters, including /. /var/log/** matches /var/log/syslog and /var/log/apache2/access.log.
    • ?: Matches any single character except /. /tmp/file?.txt matches /tmp/file1.txt but not /tmp/file10.txt.
    • {}: Matches any of the comma-separated strings. /etc/{nginx,apache2}/nginx.conf matches /etc/nginx/nginx.conf and /etc/apache2/nginx.conf.

Permissions

Within a profile, permissions are granted or denied for specific file access operations. Common file permissions include:

  • r: read
  • w: write
  • a: append (a restricted form of write; cannot be combined with w in the same rule)
  • m: mmap (memory map as executable)
  • k: lock
  • x: execute, normally written with a qualifier: ix (inherit the current profile), px/Px (transition to the target's own profile), ux/Ux (run unconfined), cx/Cx (transition to a child profile)
  • l: link

ptrace is not a file permission letter; it is controlled by separate ptrace rules and the sys_ptrace capability (see below).

Capabilities

AppArmor can also restrict Linux capabilities, which are distinct privileges that allow a process to perform specific privileged operations without granting it full root access. Examples include cap_net_raw, cap_sys_admin.

Commands / Usage

Managing Profiles

  • Load a profile:

    sudo apparmor_parser -a /etc/apparmor.d/usr.sbin.nginx
    

    Loads the specified profile into the kernel.

  • Reload a profile (after edits):

    sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
    

    Reloads the specified profile, applying changes.

  • Unload a profile:

    sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx
    

    Removes the specified profile from the kernel.

  • Put a profile into complain mode:

    sudo aa-complain /etc/apparmor.d/usr.sbin.nginx
    

    Changes the mode of the specified profile to 'complain'.

  • Put a profile into enforce mode:

    sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
    

    Changes the mode of the specified profile to 'enforce'.

  • Disable a profile (effectively unload):

    sudo aa-disable /etc/apparmor.d/usr.sbin.nginx
    

    Disables the profile. This is similar to unloading but the profile file remains in place.

  • Enable a profile (effectively load):

    sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
    

    Enables a previously disabled profile.

  • List all loaded profiles and their modes:

    sudo aa-status
    

    Provides a comprehensive overview of AppArmor’s status, including loaded profiles, their modes, and PIDs.

  • Generate a new profile for an application:

    sudo aa-genprof /usr/sbin/nginx
    

    Starts an interactive process to generate a new AppArmor profile for the specified executable. It runs the application and prompts you to allow or deny access to resources it attempts to use.

  • Generate a profile from existing logs:

    sudo aa-logprof
    

    Analyzes AppArmor audit logs (from complain mode) and prompts you to create or update profiles based on the logged events.

Profile Syntax Examples (within /etc/apparmor.d/*)

  • Allow reading a single file:

    /usr/bin/firefox r,
    
  • Allow read and write to a specific file:

    /etc/myapp/config.conf rw,
    
  • Allow read and write to all files in a directory:

    /var/log/myapp/** rw,
    
  • Allow execution of a specific binary:

    /usr/local/bin/myscript ix,
    
  • Deny all access to a path (the deny keyword comes first, followed by the permissions being denied; deny rules take precedence over allow rules):

    deny /tmp/sensitive_data/** rwklx,
    
  • Allow network access:

    # Allow IPv4 and IPv6 TCP sockets. Classic network rules match on
    # address family, socket type and protocol, not on ports or addresses.
    network inet stream,
    network inet6 stream,
    
  • Allow specific capabilities:

    capability sys_ptrace,
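
A complete profile that combines the rule types above, as an added example rather than code from the original cheatsheet; the service /usr/local/bin/myapp, its helper, and the /etc/myapp and /var/log/myapp paths are assumed for illustration:

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a minimal but complete
# profile for a hypothetical service, plus a syntax check that does not
# touch the kernel. The myapp paths below are assumed for illustration.
set -eu

# Profile text, in the same rule syntax as the fragments above.
myapp_profile() {
    cat <<'EOF'
#include <tunables/global>

/usr/local/bin/myapp {
  #include <abstractions/base>

  # the binary itself: read + mmap
  /usr/local/bin/myapp mr,

  # configuration is read-only: the trailing-slash rule covers the
  # directory listing, ** covers everything inside it
  /etc/myapp/ r,
  /etc/myapp/** r,

  # logs: append only, and only to files owned by the service's own uid
  owner /var/log/myapp/*.log a,

  # a helper runs confined by this same profile (ix = inherit)
  /usr/local/bin/myapp-helper ix,

  # IPv4/IPv6 TCP sockets; classic network rules do not filter by port
  network inet stream,
  network inet6 stream,

  # deny rules take precedence over allow rules, so this holds even
  # if a broader allow rule is added later
  deny /tmp/sensitive_data/** rwklx,

  # only needed when the service listens on a port below 1024
  capability net_bind_service,
}
EOF
}

# Write the profile under its conventional name (path overridable for
# testing) and parse it with -Q, which checks syntax without loading.
install_myapp_profile() {
    dest="${1:-/etc/apparmor.d/usr.local.bin.myapp}"
    myapp_profile > "$dest"
    apparmor_parser -Q "$dest"
}
```

Once the dry run passes, load it in complain mode first (aa-complain on the written file) and only switch to aa-enforce after a clean log review.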
    

Common Patterns

  • Enforce a profile for a web server:

    sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
    

    Ensure your Nginx profile is actively protecting the server.

  • Debug a problematic application by putting its profile in complain mode:

    sudo aa-complain /etc/apparmor.d/path.to.application
    

    If the application misbehaves, check /var/log/audit/audit.log or journalctl for AppArmor events. In complain mode they are logged with apparmor="ALLOWED"; the same accesses appear as apparmor="DENIED" once the profile is enforced.

  • Generate a profile for a new service interactively:

    sudo aa-genprof /usr/bin/your_new_service
    

    Run your service, perform its typical operations, and then exit the service. aa-genprof will present prompts for each access attempt.

  • Refine a profile based on logs:

    sudo aa-logprof
    

    After running an application in complain mode and generating logs, run aa-logprof to create or update the profile rules.

  • View current AppArmor status and active profiles:

    sudo aa-status
    

    Always a good first step to check what’s currently running.

  • Reload all AppArmor profiles after system updates or manual edits:

    sudo systemctl reload apparmor
    

    This command reloads all profiles managed by the AppArmor service.

Gotchas

  • Profile Naming Convention: Profiles are typically named based on the executable’s path, with slashes replaced by dots. For example, /usr/sbin/nginx becomes usr.sbin.nginx.
  • Profile Location: Profiles must reside in /etc/apparmor.d/.
  • aa-genprof and aa-logprof Prompts: Be very careful when answering the prompts. Granting too much access weakens security. If unsure, deny access and refine later.
  • Executable Path Changes: If an application’s executable path changes (e.g., due to an update), its AppArmor profile might need to be updated or re-associated.
  • ptrace Permission: The ptrace permission is highly sensitive as it allows one process to inspect and control another. Be very restrictive with it.
  • Network Rules: AppArmor network rules can be complex. Ensure you understand which syntax your AppArmor version supports: classic rules match on address family, socket type and protocol, while mediation of bind/connect by address or port exists only in newer releases.
  • auditd or systemd-journald: AppArmor events are recorded by the audit daemon (auditd) when it is running; otherwise they go to the kernel log and therefore to systemd-journald. You’ll need to check these logs to see denials. In complain mode the same events are logged with apparmor="ALLOWED" rather than "DENIED", so search for apparmor= rather than for DENIED alone.
    # without auditd: follow kernel messages in the journal
    sudo journalctl -k -f | grep apparmor
    # with auditd: query the audit log (AppArmor events are type AVC)
    sudo ausearch -m AVC -ts recent
    
  • Wildcard (**) Behavior: The ** wildcard matches any sequence of characters including /, so it spans any number of directory components; /** at the start of a rule matches the entire filesystem. Be mindful of its scope.
  • Profile Reloading: After editing a profile file, you must reload it using apparmor_parser -r or restart the apparmor service for changes to take effect. Simply saving the file is not enough.
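
For the complain-mode debugging pattern above and the log-checking gotcha, here is an added example (not from the original cheatsheet) that summarises AppArmor audit events from journalctl or ausearch output into one line per distinct access; the /usr/local/bin/myapp profile and the sample log lines are constructed:

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): summarise AppArmor audit
# events so that, after a complain-mode run, you can see which accesses the
# profile would block once enforced. Input is journalctl -k, dmesg or
# audit.log text; the sample lines and the myapp profile are constructed.
set -eu

# Constructed sample events (same format the kernel emits: type=1400 = AVC).
sample_events() {
    cat <<'EOF'
audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/local/bin/myapp" name="/etc/shadow" pid=1234 comm="myapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/local/bin/myapp" name="/etc/shadow" pid=1234 comm="myapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/myapp" name="/var/log/myapp/app.log" pid=1234 comm="myapp" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.104:204): apparmor="DENIED" operation="capable" profile="/usr/local/bin/myapp" pid=1234 comm="myapp" capability=13 capname="net_raw"
kernel: unrelated message that must be ignored
EOF
}

# Read events on stdin; print "count status operation profile target mask",
# one line per distinct event, most frequent first. ALLOWED entries come
# from complain mode: the same access is DENIED once the profile is enforced.
summarize_apparmor_events() {
    awk '
    # value of key="..."; keys are always preceded by a space, so "name"
    # does not match inside "capname"
    function field(line, key,   re) {
        re = " " key "=\"[^\"]*\""
        if (match(line, re))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return "-"
    }
    /apparmor="/ {
        status = field($0, "apparmor")
        op     = field($0, "operation")
        prof   = field($0, "profile")
        target = field($0, "name")
        if (target == "-") target = field($0, "capname")   # capability events
        mask   = field($0, "denied_mask")
        count[status " " op " " prof " " target " " mask]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# On a live system (as root):  journalctl -k | summarize_apparmor_events
#                        or:  ausearch -m AVC -ts recent | summarize_apparmor_events
```

Each output line maps directly to a candidate rule (a file path plus mask, or a capability name), which is what aa-logprof would prompt you about; review each one against the gotcha above and deny anything you cannot justify.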