AppArmor

Official Website | Docs | Wiki

Install the apparmor-utils package as well

Some common commands are:

• aa-enabled: Is apparmor enabled or not
• aa-status: Display the status of profile enforcement
• aa-genprof: Create an apparmor profile
• aa-logprof: Update and existing profile
• aa-complain: Set a profile in complain mode
• aa-enforce: Set a profile in enforce mode
• apparmor_parser <-r|-a> /path/to/profileto reload or add a profile

A profile in apparmor can run in various modes:

• complain: Apparmor allows a process to perform almost all tasks but will log them as events in the audit log. It will still enforce any explicit deny rules in a profile.
• unconfined: Allows a program to perform any task and will not log it
• enforced: Apparmor enforces the rules specified in the profile

Common apparmor permissions

• r: read
• w: write
• k: lock
• ux: unconstrained execute
• Ux: unconstrained execute -scrub
• px: discrete profile execute
• Px: discrete profile execute -scrub
• ix: inherit execute
• cx: local seecurity profile
• l: link
• a: append
• m: memory map

Apparmor profiles are stored in /etc/apparmor.d by default

It also adds the -Z option to commands like ps to show what profile is being used in different applications and in what mode