AppArmor

When compiling the kernel, it is required to set at least the following options:

CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y

To enable the AppArmor Linux security model by default and omit the need to set kernel parameters, additionally set the CONFIG_LSM option and specify apparmor as the first "major" module in the list:

CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor,bpf"

To test if AppArmor has been correctly enabled:

$ aa-enabled

Yes

To display the current loaded status use :

To load (enforce or complain), unload, reload, cache and stat profiles use . The default action () is to load a new profile in enforce mode, loading it in complain mode is possible using the -C switch, in order to overwrite an existing profile use the -r option and to remove a profile use . Each action may also apply to multiple profiles. Refer to man page for more information.

Disable AppArmor by unloading all profiles for the current session:

# aa-teardown 

To prevent AppArmor profiles from loading at the next boot disable apparmor.service. To prevent the kernel from loading AppArmor, remove the kernel parameter that was added when setting up AppArmor.

To create new profiles the Audit framework should be running. This is because Arch Linux adopted systemd and does not do kernel logging to file by default. AppArmor can grab kernel audit logs from the userspace auditd daemon, allowing you to build a profile.

New AppArmor profiles can be created by utilizing or . The profile is first created in complain mode: in this mode policy violations are only reported but not enforced. The rules are interactively created by the tool available in package. Finally the profile should be set into enforce mode with . In this mode the policy defined by the rules in the respecting profile are enforced. If necessary, additional rules can be added by repeatedly executing , or the profile can be set back to complain mode with aa-complain(8). Detailed guide about using those tools is available at AppArmor wiki - Profiling with tools.

Note that also offers deny rules which are actually not strictly necessary as according to the basic AppArmor logic everything is forbidden what is not explicitly allowed by a rule. However, deny rules serve two purposes:

1. deny rules take precedence over allow rules. They are often used in many abstractions located in in order to block any access to important folders/files. This makes sure that inadvertently created allow rules do not make a profile too permissive.
2. deny rules silence logging and make subsequent runs of aa-logprof less noisy. It is important to keep in mind that deny rules are enforced also in complain mode - hence, if an application does not work properly even in complain mode it should be checked if a deny rule in the profile or in one of the included abstractions is the culprit.

Alternatively profiles may be also created manually, see guide available at AppArmor wiki - Profiling by hand.

In addition to the default profiles in /etc/apparmor.d/, there are more predefined profiles in . Note that those are not necessarily deemed production-ready, so manual intervention or usage of may be required.

Profiles are human readable text files residing under /etc/apparmor.d/ describing how binaries should be treated when executed. A basic profile looks similar to this:

Strings preceded by a symbol are variables defined by abstractions (), tunables () or by the profile itself. includes other profile-files directly. Paths followed by a set of characters are access permissions. Pattern matching is done using AppArmor's globbing syntax.

Most common use cases are covered by the following statements:

• — read: read data
• — write: create, delete, write to a file and extend it
• m — memory map executable: memory map a file executable
• — execute: execute file; needs to be preceded by a qualifier

Remember that those permission do not allow binaries to exceed the permission dictated by the Discretionary Access Control (DAC).

This is merely a short overview, for a more detailed guide be sure to have a look at the man page and documentation.

The notification daemon displays desktop notifications whenever AppArmor denies a program access. To automatically start aa-notify daemon on login follow below steps:

Install the Audit framework and enable and start the userspace Linux Audit daemon. Allow your desktop user to read audit logs in by adding it to audit user group:

# groupadd -r audit
# gpasswd -a user audit

Add audit group to :

Install and .

Create a desktop launcher with the below content:

Reboot and check if the aa-notify process is running:

$ pgrep -ax aa-notify

For more information, see .

Since AppArmor has to translate the configured profiles into a binary format it may significantly increase the boot time. You can check current AppArmor startup time with:

$ systemd-analyze blame | grep apparmor

To enable caching AppArmor profiles, uncomment:

To change default cache location add:

Reboot and check AppArmor startup time again to see improvement:

$ systemd-analyze blame | grep apparmor

See Samba#Permission issues on AppArmor.

Audit framework logs may have the special character . There is a AppArmor bug report, but a workaround is to run:

# aa-logprof -f <(sed 's/\x1d.*//' < /var/log/audit/audit.log)