How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

Ubuntu operating systems come with AppArmor, a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles. Profiles can allow network access, raw socket access, and permission to read, write, or execute files on matching paths. Rhel family users would notice this is similar to Selinux; however, they work differently and have pros and cons.

The following will cover enabling and disabling AppArmor and individual profiles on Ubuntu 22.04 LTS Jammy Jellyfish. Usually, most users would not need to adjust any settings with AppArmor, but if the need arises, some simple commands are needed in the tutorial will explain.

Update Ubuntu

Before proceeding, it is good to update your system to avoid any conflicts and for good practice.

sudo apt update && sudo apt upgrade -y

Check Apparmor Status

By default, Apparmor is installed and turned on when installing Ubuntu, and you can verify its status using the following command.

systemctl status apparmor

Example output:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

Next is a rundown on command systemctl commands.

Stop Apparmor:

sudo systemctl stop apparmor

Disable Apparmor on system boot:

sudo systemctl disable apparmor

Start Apparmor:

sudo systemctl start apparmor

Apparmor on system boot (default):

sudo systemctl enable apparmor

Restart Apparmor:

sudo systemctl restart apparmor

Reload Apparmor:

sudo systemctl reload apparmor

AppArmor Profiles Status

The first part of the tutorial is to check the status of Apparmor profiles, which will show what profiles are loaded and in enforce mode. In your terminal, use the following command.

sudo apparmor_status

Example output:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

Alternatively, you can use the aa-status command, which will give you the exact readout:

sudo aa-status

Note you will see an extensive list of profiles in the output. You will often refer back to this command when checking if profiles are enabled or disabled in the future.

Disable & Enable Apparmor Profiles

If you need to disable a specific Apparmor profile, this can be individually achieved without disabling the entire security application. First, you will need to navigate to the /etc/apparmor.d directory as follows:

cd /etc/apparmor.d

Now using the ls command, print out a list of profiles that exist in this directory:

ls -s

Example output:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

For example, to disable usr.sbin.cupsd profile. To do this, use the following command:

sudo ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.sbin.cupsd

Using the apparmor_status command, you can see usr.sbin.cupsd removed in your profile list.

sudo apparmor_status | grep usr.sbin.cup

Example output with profile removed:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

As above, cupds profile is removed. Further on, you will re-enable this at the end of the tutorial.

If you like to see a list of rules that are disabled, navigate to the directory /etc/apparmor.d/disable.

cd /etc/apparmor.d/disable

Then print a list using the ls -s command again.

Example output:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

If you need to re-enable this profile or any other profile that is disabled, use the following command:

sudo rm /etc/apparmor.d/disable/usr.sbin.cupsd
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd

Re-use the app status command to see the profile back:

sudo apparmor_status | grep usr.sbin.cup

Output with profile back:

How to Enable & Disable AppArmor on Ubuntu 22.04 LTS

As above, the cupsd profile is now activated again.

Comments and Conclusion

In this tutorial, you have learned how to disable and enable profiles and the AppArmor application itself. If you have issues relating to the AppArmor application, it is a handy skill to know but be careful, and things can go wrong. A good suggestion will be to install Timeshift or a similar backup application if you need to roll back.



Follow LinuxCapable.com!

Like to get automatic updates? Follow us on one of our social media accounts!