
Integrate and manage AppArmor in your environment

AppArmor is a Mandatory Access Control (MAC) system that allows you to tightly restrict applications' behavior to only the expected behavior. AppArmor complements other security mechanisms already deployed on your system or fleet to improve your overall security.

In this guide you will learn:

  • How AppArmor protects your fleet
  • How to integrate AppArmor into your environment
  • How to manage profiles

Prerequisites

How AppArmor protects your fleet

AppArmor functions as a Linux Security Module (LSM). It mediates access to all system resources (files, network, capabilities, etc.) based on the loaded profiles for your applications.

How AppArmor reduces the impact of vulnerabilities

If a new or existing vulnerability is present in your environment, AppArmor can help reduce its severity in two ways:

  1. Blocking the attack vector: Because AppArmor lets you reduce an application's set of allowed operations to the bare minimum, the attack vector is often an already-blocked feature and therefore not exploitable. In other cases, when a vulnerability is found, the profile can be updated to block the attack vector(s) without blocking any legitimate behavior.
  2. Limiting the impact of the attack: If an attacker still manages to exploit a vulnerability, the application remains bound to its profile and therefore cannot perform any action outside of what is allowed by its profile, reducing the impact of the compromise. For example, by defining fine-grained rules (e.g., "my webserver can only connect to MySQL on port 3306"), AppArmor restricts the ability of a compromised process to probe or perform lateral movement on internal systems.

AppArmor logs

AppArmor logs provide fine-grained system-level behavioral logs. This data source provides an additional layer of security information that complements existing network-level logs. An AppArmor log entry indicates that a process attempted an action that was not explicitly allowed by its profile, which can be helpful to detect and respond to security incidents.

Integration environment

AppArmor is readily integrated into many Linux distributions and container platforms.

Machine fleets (VMs / Bare Metal)

In real-life scenarios, AppArmor introduces a very low performance overhead that is often unnoticeable.

  • Deployment: Profiles are distributed by storing them in /etc/apparmor.d/.
  • Activation: Profiles are loaded into the kernel on boot, or manually with sudo apparmor_parser -r /etc/apparmor.d/profile.

Containers

Both Docker and LXC/LXD containers enable AppArmor by default.

  • Default Profile: Containers run with a default profile (docker-default or lxc-container-default) that provides a baseline of restrictions (e.g., blocking writes to /proc).
  • Custom Profiles: You can run containers with a custom profile for stronger isolation:
    • Docker: docker run --security-opt apparmor=my-custom-profile my_container
    • LXC: Set lxc.apparmor.profile = my-profile in the container configuration.

Container orchestrators

AppArmor is also supported by container orchestration platforms. For instance, Kubernetes treats AppArmor as a first-class citizen:

  • Node level: Load profiles on your worker nodes.
  • Pod definition: Enforce profiles via annotations or the securityContext field:
    securityContext:
      appArmorProfile:
        type: Localhost
        localhostProfile: my-custom-profile
    

Managing profiles

Installing profiles

Your distribution already ships profiles for many applications. You can check the status of all profiles on your system with sudo aa-status.

Many distributions also provide a package with additional profiles, for example apparmor-profiles-extra on Debian/Ubuntu.

Additionally, a community-maintained repository of profiles is available at apparmor.d. Note that these profiles are not always perfect, so you should always test them before deploying them in production.

Finally, if you don't find any profile for your application, you can write your own. See Confine Your First Application.

Customizing policies

To modify a profile, either to harden it for your particular use case or to allow a behavior that is legitimate for your application but not permitted by the shipped profile, create a local include rather than editing the main profile.

Example: Allowing curl to write to a specific directory.

  1. Create or edit /etc/apparmor.d/local/curl
  2. Add the rule /curl-output/** w,
  3. Reload the profile: sudo apparmor_parser -r /etc/apparmor.d/curl

By modifying a local override rather than the main profile, your changes are preserved through package updates and you can review your modifications in seconds.
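The denial events described under "AppArmor logs" are the raw material for the local-include step above. The following script is an added example, not part of this guide or of the AppArmor project: it parses constructed kernel audit lines, keeps only DENIED events, and turns file-class denials into candidate lines for /etc/apparmor.d/local/<profile> (a deliberately simplified version of what aa-logprof does; it also assumes plain profile names such as curl, as in the example above).

```python
import re
from collections import defaultdict
# Matches key="quoted value" or key=bare_value tokens in a kernel audit line.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample lines in the audit format AppArmor emits (journalctl -k / audit.log).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" class="file" profile="curl" name="/curl-output/result.txt" pid=4321 comm="curl" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:202): apparmor="DENIED" operation="open" class="file" profile="curl" name="/etc/shadow" pid=4321 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.103:203): apparmor="ALLOWED" operation="open" class="file" profile="nginx" name="/var/log/nginx/access.log" pid=777 comm="nginx" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:204): apparmor="DENIED" operation="connect" class="net" profile="nginx" pid=777 comm="nginx" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
"""

def parse_line(line):
    """Return the fields of one AppArmor audit line as a dict, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN_RE.finditer(line)}

def denials(log_text):
    """Yield DENIED events only; ALLOWED entries are complain-mode audit records, not blocks."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            yield ev

def file_perms(denied_mask):
    """Simplified mapping: create (c) and delete (d) are granted by 'w'; exec (x) needs a human-chosen mode."""
    perms = []
    for ch in denied_mask:
        p = "w" if ch in "cd" else ch
        if p in "rwalkm" and p not in perms:
            perms.append(p)
    return "".join(perms)

def suggest_local_rules(log_text):
    """Map profile -> sorted candidate lines for /etc/apparmor.d/local/<profile> (assumed plain names)."""
    rules = defaultdict(set)
    for ev in denials(log_text):
        if ev.get("class") == "file" and "name" in ev:
            perms = file_perms(ev.get("denied_mask", ""))
            if perms:
                rules[ev["profile"]].add(f'{ev["name"]} {perms},')
        else:  # network, capability, signal, ... rules are not derived automatically here
            rules[ev["profile"]].add(f'# review manually: {ev["operation"]} ({ev.get("class", "?")})')
    return {p: sorted(r) for p, r in rules.items()}

if __name__ == "__main__":
    for profile, lines in suggest_local_rules(SAMPLE_LOG).items():
        print(f"# candidates for /etc/apparmor.d/local/{profile}\n" + "\n".join(lines))
```

Treat the output as a review list, not a patch: the /etc/shadow candidate in the sample is exactly the kind of denial the profile should keep enforcing, and only the /curl-output rule matches the legitimate behavior from the example.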

To go further