The Comprehensive Guide To AppArmor: Part 1

Uzair Shamim
Information & Technology
Jul 28, 2016


This post has been migrated to my new blog that you can find here:

https://pureooze.com/blog/posts/2016-07-28-the-comprehensive-guide-to-apparmor-p1/

I wanted to do this post on the basics of AppArmor and how to get started with using it on your system. This post started as a very small guide on AppArmor but as I wrote it I felt more and more convinced it needed details to explain various features and issues. As such it has now ended up as a comprehensive guide on how to start using and understanding the AppArmor tools.

In case you don’t know what AppArmor is, the official wiki provides a decent explanation:

AppArmor is a mandatory access control (MAC) like security system for Linux. It is designed to work with standard Unix discretionary access control (DAC) permissions while being easy to use and deploy, by allowing an admin to confine only specific applications.

Essentially, AppArmor provides MAC functionality to Linux and supplements the traditional DAC (file permissions) functionality that the OS provides. Using the most basic AppArmor tools, an administrator can create and deploy AppArmor profiles to restrict access for specific processes. For example, one could restrict the web browser to only let users access files in their home directories. This would prevent a scenario where Alice tries to upload or share files owned by Bob without his knowledge.

Like all things that require attention to detail, good defense requires a lot of practice and research.

Getting Started

To run AppArmor, the first step is the same as with all other software: make sure that it is installed. openSUSE and Ubuntu have it installed and enabled by default, but other distros may vary. Installing AppArmor is usually as simple as checking whether a distro has a package for it, then downloading and installing the package. Note that the kernel must be compiled with support for AppArmor.

Once AppArmor is installed, you can check the service, start it, and enable it on boot using:

systemctl status apparmor  # Checks status of the AppArmor service and tells you if it is enabled on boot
systemctl start apparmor   # Starts the service
systemctl enable apparmor  # Makes apparmor start on boot

This will ensure that the system is always up and running with AppArmor ready to enforce profiles.
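The service status alone does not show whether the kernel itself has AppArmor active or how many profiles are actually enforcing. The following is an added example, not code from the original post; it assumes the standard kernel interfaces /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles (neither is named in the post), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check kernel-level AppArmor state and count loaded profiles by mode.
# Paths default to the usual kernel interfaces (an assumption, not from the post)
# and can be overridden so the functions can be tried on sample files.

aa_kernel_enabled() {
    # Returns 0 if enabled, 1 if compiled in but disabled, 2 if no support found.
    param="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$param" ] || return 2
    [ "$(cat "$param")" = "Y" ]
}

aa_count_mode() {
    # $1: mode name (enforce, complain); $2: optional path to the profile list.
    # Each line of the list looks like "<profile name> (<mode>)".
    mode="$1"
    list="${2:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$list" ] || { echo 0; return 1; }
    awk -v m="($mode)" '$NF == m { n++ } END { print n + 0 }' "$list"
}

aa_report() {
    # $1, $2: optional overrides for the two paths above.
    rc=0
    aa_kernel_enabled "${1:-}" || rc=$?
    case "$rc" in
        0) echo "kernel: AppArmor enabled" ;;
        1) echo "kernel: AppArmor compiled in but disabled"; return 1 ;;
        *) echo "kernel: no AppArmor support found"; return 1 ;;
    esac
    plist="${2:-/sys/kernel/security/apparmor/profiles}"
    if [ ! -r "$plist" ]; then
        # The profile list is normally readable by root only.
        echo "profiles: cannot read $plist (try as root)"
        return 1
    fi
    echo "enforce:  $(aa_count_mode enforce "$plist")"
    echo "complain: $(aa_count_mode complain "$plist")"
}

# Print the report only when asked, e.g.: sudo sh aa_check.sh --report
case "${1:-}" in
    --report) aa_report ;;
esac
```

A profile in complain mode only logs violations, so a system can report the service as active while some applications are not actually restricted.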

The rest of this post can be found on my new blog here:

https://pureooze.com/blog/posts/2016-07-28-the-comprehensive-guide-to-apparmor-p1/
