History of AppArmor

Chronology of important events affecting AppArmor development:

  • AppArmor's predecessor SubDomain began life as a Grad project
  • In 1998 WireX was founded by Joonees Chay and Crispin Cowan to commercialize SubDomain and develop other security extensions to Linux.
    • WireX produced Immunix, a secure Linux distribution based on Red Hat Linux, using StackGuard, FormatGuard, and SubDomain
    • WireX was involved in the creation of LSM
  • In early 2004 WireX rebranded to Immunix and then dropped its Linux distribution, refocusing instead on providing SubDomain for SuSE Linux.
  • SubDomain rewritten to use LSM. Despite WireX's involvement in creating the LSM, the porting of AppArmor to the LSM was done late, after the LSM was created, for political reasons. This meant that the LSM was less than optimal for AppArmor, and the feedback that could have improved the LSM during its development never occurred.
  • A YaST GUI implemented for SubDomain on SuSE Linux
  • In May 2005 Novell acquired Immunix, rebranded SubDomain as AppArmor, and began cleaning up/rewriting the code for upstream Linux kernel inclusion
  • AppArmor 2.0.1 released - based on SubDomain 2.0 code with AppArmor rebranding
  • AppArmor 2.1 released. Large portions of the kernel module were rewritten to use a new custom DFA-based matching engine (dropping PCRE for licensing reasons), with name lookup based on a large patch to the VFS and LSM which passed the vfsmnt through into all of the relevant LSM hooks.
  • May 2007 AppArmor becomes the default LSM for SUSE Linux 10.1 (openSUSE)
  • October 2007 AppArmor becomes the default LSM in Ubuntu 7.10.
  • In October 2007 Novell laid off most of the development team working on AppArmor and reassigned the remaining developers, putting AppArmor in development mode.
  • June 2008 Novell releases AppArmor 2.3, using another iteration of the VFS patches and an extension to the matching engine
  • In May 2009 Canonical Inc. picks up AppArmor maintenance and development.
  • Fall 2009 AppArmor 2.4 released. Based on a large update/rewrite of the AppArmor 2.3 kernel module, it was updated for creds and the LSM path_security hooks.
  • July 2010 AppArmor security module merged into security-next tree. Core functionality accepted into official Linux 2.6.36 kernel. A few small compatibility patches are needed to work with current userspace.
  • In May 2012 AppArmor v2.8 is released and notably enables support for mount rules
  • In May 2013 AppArmor is integrated into Debian Wheezy, but not yet enabled by default.
  • In September 2014 AppArmor v2.9 is released and notably enables support for dbus, ptrace, signal and unix abstract sockets rules
  • In January 2017 AppArmor v2.11 is released and notably enables support for policy stacking
  • In April 2018 AppArmor v2.13 is released and notably enables support for conditional includes
  • In October 2020 AppArmor v3.0 is released and notably enables support for v8 network socket rules and xattrs attachment conditionals
  • In April 2024 AppArmor v4.0 is released and notably enables support for fine-grained POSIX mqueue, user namespace, and io_uring mediation