Ubuntu operating systems come with AppArmor, a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles. Profiles can allow network access, raw socket access, and permission to read, write, or execute files on matching paths. RHEL family users will notice this is similar to SELinux; however, the two work a bit differently, and each has its pros and cons.
The following will cover how to enable and disable AppArmor and individual profiles. Normally, most users will not need to adjust any AppArmor settings, but if the need arises, a few simple commands are all that is needed, as the tutorial will explain.
- Recommended OS: Ubuntu 20.04 – optional (Ubuntu 21.04)
- User account: A user account with sudo or root access.
Working with AppArmor System Commands
By default, AppArmor is installed and turned on when installing Ubuntu. To verify its status, use the following command:
sudo systemctl status apparmor
Next is a rundown of the common systemctl commands:
To stop AppArmor:
sudo systemctl stop apparmor
To disable AppArmor on system boot:
sudo systemctl disable apparmor
To start AppArmor:
sudo systemctl start apparmor
To enable AppArmor on system boot (default):
sudo systemctl enable apparmor
To restart AppArmor:
sudo systemctl restart apparmor
To reload AppArmor:
sudo systemctl reload apparmor
Verify AppArmor Profiles Status
First, it is ideal to see the status of the AppArmor profiles, which can be done using the following systemctl command:
apparmor module is loaded.
39 profiles are loaded.
37 profiles are in enforce mode.
Alternatively, you can use the aa-status command, which will give you the same readout:
Note, you will see a large list of profiles in the output. You will often refer back to this command when checking if profiles are enabled or disabled in the future.
Disable and Enable AppArmor Profiles
If you need to disable a certain AppArmor profile, this can be done individually without disabling the entire security application. First, you will need to navigate to the /etc/apparmor.d directory as follows:
Now using the ls command, print out a list of profiles that exist in this directory:
sudo ls -s
For example, to disable the usr.sbin.cupsd profile, use the following commands:
sudo ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.sbin.cupsd
Now using the apparmor_status command, you can see usr.sbin.cupsd is removed in your profile list.
Example output with profile removed:
1 processes are in enforce mode.
2 processes are in enforce mode.
If you would like to see a list of rules that are disabled, navigate to the directory /etc/apparmor.d/disable and use the ls command:
If you need to re-enable this profile or any other profile that is disabled, use the following command:
sudo rm /etc/apparmor.d/disable/usr.sbin.cupsd
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
You will need to reboot your system to see the profile back in the apparmor_status command:
sudo reboot now
Rerun the apparmor_status command to see the profile back:
Output with profile back:
2 processes are in enforce mode.
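The disable and re-enable steps above leave two things worth checking afterwards: what currently sits in the disable directory, and whether a profile really is back in enforce mode. The following is an added example, not part of the original tutorial; the function names `list_disabled` and `profiles_in_mode` are hypothetical, and the profile name /usr/sbin/cupsd in the usage comment is an assumption about how the profile appears in the status output.

```shell
# Added example: audit profiles disabled through the symlink mechanism and
# read a profile's mode out of apparmor_status / aa-status text.

# list_disabled [profile_dir]   (default: /etc/apparmor.d)
# Prints one line per entry in <profile_dir>/disable:
#   "<name> ok"        symlink to an existing profile file
#   "<name> dangling"  symlink whose target profile is missing
#   "<name> notlink"   a regular file rather than a symlink
list_disabled() {
    ld_dir="${1:-/etc/apparmor.d}"
    for ld_entry in "$ld_dir"/disable/*; do
        ld_name="${ld_entry##*/}"
        if [ -L "$ld_entry" ]; then
            if [ -e "$ld_entry" ]; then
                echo "$ld_name ok"
            else
                echo "$ld_name dangling"
            fi
        elif [ -e "$ld_entry" ]; then
            echo "$ld_name notlink"
        fi   # an unmatched glob (empty directory) prints nothing
    done
}

# profiles_in_mode <mode>
# Reads status text on stdin and prints the profile names listed under
# the "<N> profiles are in <mode> mode." header. Process sections
# ("<N> processes are in ...") are skipped.
profiles_in_mode() {
    awk -v mode="$1" '
        /^[0-9]+ / { in_section = ($0 ~ ("profiles are in " mode " mode")); next }
        in_section && NF { sub(/^[ \t]+/, ""); print }
    '
}

# Live usage (assumes root and the standard Ubuntu paths):
#   list_disabled
#   sudo apparmor_status | profiles_in_mode enforce | grep -x /usr/sbin/cupsd
```

An entry reported as `dangling` or `notlink` was not created by the `ln -s` step shown above and is worth reviewing before relying on the profile list.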
Comments and Conclusion
In the tutorial, you have learned how to disable and enable individual profiles along with the AppArmor application itself. Most users will never need to even think about this; however, it’s a handy skill to learn if you are having issues relating to the AppArmor application.