AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
AppArmor was first made available to Ubuntu in Ubuntu 7.04 in Universe.
Further information about AppArmor can be found on the AppArmor project's wiki.
AppArmor is installed and loaded by default in Hardy. Some packages will install their own 'enforcing' profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
AppArmor is installed and loaded by default in Gutsy. Some packages will install their own profiles. Additional profiles can be found in the package apparmor-profiles from the Universe repository. When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor
Install the apparmor-profiles package. Click the link to install, or see InstallingSoftware for more installation options.
AppArmor is not included by default in the Feisty kernel. It needs to be compiled manually.
Install the apparmor-modules-source and module-assistant packages. Click the links to install, or see InstallingSoftware for more installation options. Then build and install the module:
sudo m-a -v -t prepare
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
Install the apparmor-profiles, apparmor-utils and apparmor packages. Click the links to install, or see InstallingSoftware for more installation options. To install the latest apparmor packages on Feisty, the packages have to be rebuilt. See latest apparmor utilities for feisty (LP #116627).
When a new kernel is installed or when a new version of apparmor-modules-source is installed, the apparmor module has to be recompiled:
sudo m-a -v -t -f build apparmor-modules
sudo m-a -v -t install apparmor-modules
In order to make sure that all running processes are protected, the system must then be rebooted.
All of the following commands should be executed from a terminal.
To see whether AppArmor is loaded, which profiles are in enforce or complain mode, and which processes are confined:
sudo apparmor_status
To put a single profile into complain mode (violations are logged but not prevented):
sudo aa-complain /path/to/bin
Example:
sudo aa-complain /bin/ping
To put all profiles into complain mode:
sudo aa-complain /etc/apparmor.d/*
To put a single profile into enforce mode (violations are logged and prevented):
sudo aa-enforce /path/to/bin
Example:
sudo aa-enforce /bin/ping
To put all profiles into enforce mode:
sudo aa-enforce /etc/apparmor.d/*
To put all profiles except one into enforce mode:
GLOBIGNORE="*profile.name" sudo aa-enforce /etc/apparmor.d/*
Example:
GLOBIGNORE="*bin.ping" sudo aa-enforce /etc/apparmor.d/*
Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in https://wiki.ubuntu.com/DebuggingApparmor. If AppArmor must be disabled (e.g. to use SELinux instead), users can:
On Ubuntu 8.04 (Hardy) and earlier:
sudo invoke-rc.d apparmor kill
sudo update-rc.d -f apparmor remove
On Ubuntu 8.10 (Intrepid) and Ubuntu 9.04 (Jaunty):
sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove
Using kill with Ubuntu 8.10 or later gives the following error:
Killing AppArmor module - failed, AppArmor is builtin: Failed.
On Ubuntu 9.10 and later, you can either:
To re-enable AppArmor after it has been disabled this way:
sudo invoke-rc.d apparmor start
sudo update-rc.d apparmor start 37 S .
To reload all profiles:
sudo invoke-rc.d apparmor reload
To reload a single profile:
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
To disable a single profile (the symlink in /etc/apparmor.d/disable/ stops the profile from being loaded on later boots, and -R unloads it from the kernel now):
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
Example:
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping
By default, profiles are enabled (i.e. loaded into the kernel and applied to processes).
To re-enable a disabled profile:
sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -r /etc/apparmor.d/profile.name
Example:
sudo rm /etc/apparmor.d/disable/bin.ping
sudo apparmor_parser -r /etc/apparmor.d/bin.ping
Profiles can be found in /etc/apparmor.d. These are simple text files and can be edited either with a text editor, or by using aa-logprof.
Some customization can be made in /etc/apparmor.d/tunables/. When updating profiles, it is important to use these when appropriate. For example, rather than using a rule like:
/home/*/ r,
use:
@{HOME}/ r,
After updating a profile, be sure to reload it (see above). The location of home directories can be tuned in /etc/apparmor.d/tunables/home.
If apparmor_status reports processes that have a profile defined but are unconfined, restart the listed processes. Rebooting will also fix the problem.
AppArmor can only track and protect processes that are started after the kernel module has been loaded. After the apparmor packages have been installed, apparmor is started, but processes that were already running are not protected by AppArmor. Either restarting those processes or rebooting will fix this.
You can also apply a profile to an already running process by issuing the following command (replace pid with the process ID and /path/to/bin with the profile name):
sudo sh -c "echo 'setprofile /path/to/bin' > /proc/pid/attr/current"
Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default.
You can enable it using the following command:
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a short description and list the steps to follow.
Some standard test cases are:
* starting the program
* stopping the program
* reloading the program
* testing all the commands supported by the init script
In the case of graphical programs, your test cases should also include anything you normally do. Downloading and opening files, saving files, uploading files, using plugins, saving configuration changes, and launching other programs are all possibilities.
Use aa-genprof to generate a new profile. From a terminal, run:
sudo aa-genprof executable
Example:
sudo aa-genprof slapd
The man page has more information: man aa-genprof.
To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:
When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles.
sudo aa-logprof
The man page has more information:
man aa-logprof
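As an added illustration of what aa-logprof reads from the logs (and of the @{HOME} tunable recommended above), here is a small POSIX shell script that is not part of the Ubuntu wiki or the AppArmor tools. It parses constructed kernel audit lines in the apparmor="DENIED"/"ALLOWED" format, separates enforce-mode denials from complain-mode reports, and prints the candidate profile rules a reviewer would consider; the log lines, profile name and paths are made up for the example.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit records and suggest profile rules.
# LOG_SAMPLE is a constructed sample; real records come from /var/log/kern.log
# or /var/log/audit/audit.log. Record 2 is complain mode (ALLOWED, would have
# been denied); record 4 is a profile load (STATUS) and is ignored.
LOG_SAMPLE='Jun 10 12:34:56 host kernel: type=1400 audit(1276000000.1:45): apparmor="DENIED" operation="open" parent=1 profile="/bin/ping" name="/etc/hosts.deny" pid=5678 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 10 12:34:57 host kernel: type=1400 audit(1276000001.1:46): apparmor="ALLOWED" operation="open" parent=1 profile="/bin/ping" name="/home/alice/.ping_history" pid=5678 comm="ping" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jun 10 12:34:58 host kernel: type=1400 audit(1276000002.1:47): apparmor="DENIED" operation="open" parent=1 profile="/bin/ping" name="/etc/hosts.deny" pid=5680 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jun 10 12:35:00 host kernel: type=1400 audit(1276000004.1:48): apparmor="STATUS" operation="profile_replace" name="/bin/ping" pid=700 comm="apparmor_parser"'

# field LINE KEY: print the value of KEY="value" from one audit line.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# violations LOG: print "profile path mask mode" for every record a profile
# blocked (DENIED, enforce mode) or would have blocked (ALLOWED, complain mode).
violations() {
    printf '%s\n' "$1" | grep -E 'apparmor="(DENIED|ALLOWED)"' |
    while IFS= read -r line; do
        printf '%s %s %s %s\n' "$(field "$line" profile)" \
            "$(field "$line" name)" "$(field "$line" denied_mask)" \
            "$(field "$line" apparmor)"
    done
}

# suggest_rules LOG: one candidate rule per distinct (profile, path, mask),
# with /home/<user>/ rewritten to the @{HOME} tunable as the wiki advises.
suggest_rules() {
    violations "$1" | while read -r profile path mask mode; do
        path=$(printf '%s\n' "$path" | sed 's|^/home/[^/]*/|@{HOME}/|')
        printf '%s: %s %s,\n' "$profile" "$path" "$mask"
    done | sort -u
}

# count_denials LOG: how many records were actually blocked in enforce mode.
count_denials() {
    violations "$1" | grep -c ' DENIED$'
}

suggest_rules "$LOG_SAMPLE"
```

Each suggested line is a starting point for review, not a rule to paste in blindly: the reviewer still decides whether the program should have that access, which is exactly the question aa-logprof asks interactively.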
When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor