AppArmor Documentation
Welcome to the official AppArmor documentation. AppArmor is an effective and easy-to-use Linux application security system. It proactively protects the operating system and applications from external and internal threats, including zero-day attacks, by restricting each confined program to the behaviour its profile allows, so that both known and unknown application flaws have limited reach.
AppArmor supplements the traditional Unix Discretionary Access Control (DAC) model by providing Mandatory Access Control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.
AppArmor achieves this by confining individual programs to a defined set of allowed operations described in a per-application profile. Profile rules can mediate a wide variety of interactions, including filesystem access, Linux capabilities, network sockets, DBus messaging, inter-process communication (IPC) and more.
AppArmor policy is enforced by the kernel and cannot be bypassed or modified by the confined application itself, which limits the impact even if the application is compromised. Note that a profile only blocks operations when it is in enforce mode; a profile in complain mode records violations but does not stop them.
What does it look like in practice?
Each time AppArmor denies an operation, it logs the event. Depending on your system configuration, events may appear in the kernel log, syslog, auditd, or journald:
sudo journalctl -fx -k --grep=apparmor
Example log entry:
apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=1234 comm="firefox" requested_mask="r" denied_mask="r"
If a profile is causing unexpected application failures, switching it to complain mode (for example with aa-complain from apparmor-utils) lets you identify missing rules without blocking the application: operations the profile does not permit are then logged with apparmor="ALLOWED" instead of apparmor="DENIED", and each such entry points at a rule the profile still needs.
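The following script is an added example and is not part of the AppArmor project's tooling. It shows how the fields of a denial log entry map onto profile rules: it parses the key="value" fields, derives a candidate rule for file, capability and network denials, and wraps the result in a minimal profile skeleton. The three log lines are constructed for the example (the first is the entry shown above), the program path /usr/bin/firefox is assumed, and the mask-to-permission mapping is a simplified version of what aa-logprof does; exec denials are flagged rather than guessed, because the exec mode (ix, Px, Cx or Ux) is a security decision that must be made by hand.

```sh
#!/bin/sh
# Added example: derive AppArmor profile rules from DENIED log entries.
# Not from the AppArmor project; the log lines below are constructed.

FILE_DENIAL='apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=1234 comm="firefox" requested_mask="r" denied_mask="r"'
CAP_DENIAL='apparmor="DENIED" operation="capable" profile="nginx" pid=4321 comm="nginx" capability=12 capname="net_admin"'
NET_DENIAL='apparmor="DENIED" operation="create" profile="nginx" pid=4321 comm="nginx" family="inet" sock_type="stream" protocol=6'

# field LINE KEY: print the value of KEY="value" or KEY=value from an
# audit-style log line. Values containing spaces are not handled (the
# kernel hex-encodes such names in the audit record anyway).
field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { n = split($0, parts, " ")
          for (i = 1; i <= n; i++) {
              if (index(parts[i], key "=") == 1) {
                  v = substr(parts[i], length(key) + 2)
                  gsub(/"/, "", v)
                  print v
              }
          }
        }'
}

# Audit masks use c (create) and d (delete); profile syntax expresses
# both with w, and w already implies a (append).
mask_to_perms() {
    p=""
    case "$1" in *r*) p="${p}r" ;; esac
    case "$1" in *[wcd]*) p="${p}w" ;; *a*) p="${p}a" ;; esac
    case "$1" in *m*) p="${p}m" ;; esac
    case "$1" in *k*) p="${p}k" ;; esac
    case "$1" in *l*) p="${p}l" ;; esac
    printf '%s\n' "$p"
}

# denial_to_rule LINE: print the profile rule that would allow the
# denied operation, or a comment when the decision needs a human.
denial_to_rule() {
    line=$1
    op=$(field "$line" operation)
    fam=$(field "$line" family)
    name=$(field "$line" name)
    if [ "$op" = capable ]; then
        printf 'capability %s,\n' "$(field "$line" capname)"
    elif [ -n "$fam" ]; then
        printf 'network %s %s,\n' "$fam" "$(field "$line" sock_type)"
    elif [ -n "$name" ]; then
        mask=$(field "$line" denied_mask)
        case "$mask" in
            *x*) printf '# %s: exec denied, add a rule with an explicit exec mode (ix, Px, Cx or Ux)\n' "$name" ;;
            *)   printf '%s %s,\n' "$name" "$(mask_to_perms "$mask")" ;;
        esac
    else
        printf '# unhandled operation %s, inspect the log line by hand\n' "$op"
    fi
}

# make_profile PROGRAM RULE...: wrap rules in a minimal profile skeleton.
make_profile() {
    prog=$1
    shift
    printf 'include <tunables/global>\n\n%s {\n  include <abstractions/base>\n' "$prog"
    for r in "$@"; do
        printf '  %s\n' "$r"
    done
    printf '}\n'
}

# Demo on the constructed log lines. The assumed path /usr/bin/firefox
# stands in for whatever program the profile actually covers.
for l in "$FILE_DENIAL" "$CAP_DENIAL" "$NET_DENIAL"; do
    denial_to_rule "$l"
done
make_profile /usr/bin/firefox "$(denial_to_rule "$FILE_DENIAL")"
```

A generated rule is a starting point, not an answer: a denial for /etc/shadow, as in the entry above, usually means the application should not be reading that file at all, and the right fix is to leave the rule out. Once a rule is accepted, reload the profile with apparmor_parser -r and return it to enforce mode with aa-enforce.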
Where to go next
- Getting Started: New to AppArmor? Start here.
- Basic Concepts: Learn the basic AppArmor concepts.
- Fixing Denials: Learn how to read the logs and update a profile to resolve access denials.
- LSM Introduction: A description of where AppArmor fits in the Linux security stack.