How to Enable or Disable AppArmor on Ubuntu 22.04 or 20.04

AppArmor, also known as Application Armor, is a Linux kernel security module that provides mandatory access control for applications running on the Ubuntu operating system. It is a flexible and powerful security tool that helps to prevent software vulnerabilities and malicious attacks by confining applications to a limited set of resources on the system.

The development of AppArmor dates back to the early 2000s when it was created as an alternative to traditional Unix/Linux access control models. At the time, Linux was becoming increasingly popular as a server platform, and there was a growing need for better security solutions to protect against malware and unauthorized access. In response, the AppArmor project was launched, and it quickly gained popularity due to its ease of use and flexible configuration options.

Today, AppArmor remains an essential tool for securing applications on Ubuntu. It is particularly important for organizations and individuals who want to ensure the privacy and security of sensitive data and prevent unauthorized access to sensitive systems. The AppArmor security model works by defining profiles for each application, which specify the permissions and resources that the application is allowed to access. This way, even if an application is compromised, the damage that can be done is limited to the resources defined in the profile.

Features of AppArmor on Ubuntu:

  • Flexible Configuration: AppArmor allows for the creation of custom profiles for each application, providing the ability to fine-tune security policies to meet specific requirements.
  • Mandatory Access Control: AppArmor enforces mandatory access control, which means that applications are only allowed to access the resources defined in their profiles.
  • Ease of Use: AppArmor is designed to be easy to use, with a simple and intuitive configuration process.
  • Protection against Malicious Attacks: AppArmor helps to prevent malicious attacks by confining applications to a limited set of resources and permissions.
  • Improved System Security: By confining applications to a limited set of resources, AppArmor helps to improve overall system security and reduce the risk of unauthorized access.
  • Interoperability with Other Security Tools: AppArmor is designed to work with other security tools, such as SELinux and firewalls, providing an extra layer of protection.
  • Integration with the Linux Kernel: AppArmor is integrated with the Linux kernel, providing efficient and reliable security enforcement.

In this guide, you’ll discover how to enable or disable AppArmor profiles on Ubuntu 22.04 “Jammy Jellyfish” or Ubuntu 20.04 “Focal Fossa” using the command-line terminal, along with some helpful tips.

Step 1: Install the Required Packages

To utilize the full range of AppArmor functionality, it is important to have the “apparmor-utils” package installed. Some of the commands discussed in this guide may not be available without this package. To install the package, open your terminal and run the following command.

sudo apt install apparmor-utils apparmor-notify apparmor-profiles apparmor-profiles-extra

Step 2: Check AppArmor Status

By default, AppArmor is installed and enabled when you install Ubuntu. To verify its status, use the following command.

systemctl status apparmor

Verifying that AppArmor is working with systemd is an important first step. While there are other methods for checking the status of AppArmor, using the above command as a starting point is a good practice. Later in the guide, you will learn about different ways to check AppArmor, but this initial check provides a solid foundation for ensuring that the system is running as expected.

Next is a rundown of common systemd commands.

Stop AppArmor:

sudo systemctl stop apparmor

Disable AppArmor on system boot:

sudo systemctl disable apparmor

Start AppArmor:

sudo systemctl start apparmor

Enable AppArmor on system boot (default):

sudo systemctl enable apparmor

Restart AppArmor:

sudo systemctl restart apparmor

Reload AppArmor:

sudo systemctl reload apparmor

Step 3: Check AppArmor Profiles Loaded

Before making any changes to AppArmor, it’s crucial to check the status of its profiles. This can be accomplished by using the following command.

sudo apparmor_status

Example output:

apparmor module is loaded.
63 profiles are loaded.
45 profiles are in enforce mode.
   /snap/snapd/17883/usr/lib/snapd/snap-confine
   /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17950/usr/lib/snapd/snap-confine
   /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /{,usr/}sbin/dhclient
   apt-cacher-ng
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.firefox
   snap-update-ns.snap-store
   snap-update-ns.snapd-desktop-integration
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.connect-plug-host-hunspell
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.post-refresh
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.snapd-desktop-integration.hook.configure
   snap.snapd-desktop-integration.snapd-desktop-integration
   tcpdump
18 profiles are in complain mode.
   /usr/bin/irssi
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   mdnsd
   nmbd
   nscd
   php-fpm
   ping
   samba-bgqd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cups-browsed (1025) 
   /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1632) snap.snapd-desktop-integration.snapd-desktop-integration
   /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1717) snap.snapd-desktop-integration.snapd-desktop-integration
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

This command will provide you with the current status of AppArmor on your system, including which profiles are loaded, the mode in which they are running, and the number of processes associated with each profile. This information is essential for making informed decisions about enabling or disabling AppArmor on your Ubuntu system.

Another option for checking the status of AppArmor profiles is to use the aa-status command. This command will give you a more detailed and exact readout of the current status of AppArmor on your system.

sudo aa-status

Like before, this command will display the status of all the profiles loaded on your system, including the name of each profile, the mode in which it is running (e.g., enforce, complain, or unconfined), and the number of processes associated with each profile. This information can be beneficial when troubleshooting AppArmor issues or determining which profiles are causing problems on your system.
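
The following added example (not part of the original guide) parses the text layout of the status output shown above and reports any profile from an expected list that is not in enforce mode. The sample status text and the list of expected profiles are constructed for illustration.

```bash
# Constructed, abridged sample in the same layout as the status output above.
sample_status() {
  cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cups-browsed
   tcpdump
2 profiles are in complain mode.
   ping
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cups-browsed (1025)
0 processes are in complain mode.
EOF
}

# Reads status text on stdin; prints "<mode> <profile>" per loaded profile.
profiles_by_mode() {
  awk '
    /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }
    /^[0-9]+ process/ { mode = ""; next }   # process section: not profile names
    mode != "" && /^[ \t]+[^ \t]/ {
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print mode, $0
    }'
}

# Status text on stdin, profiles that must be enforcing as arguments.
# Prints "<profile> <actual-mode>" for each one that is not in enforce mode.
not_enforcing() {
  table=$(profiles_by_mode)
  for want in "$@"; do
    found=not-loaded
    while read -r mode name; do
      if [ "$name" = "$want" ]; then found=$mode; fi
    done <<EOF
$table
EOF
    [ "$found" = enforce ] || echo "$want $found"
  done
}

# Hypothetical policy: these three profiles are expected to be enforcing.
sample_status | not_enforcing tcpdump ping nginx
```

On a live system, replace sample_status with sudo aa-status and pass the profiles your own policy requires.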

In addition, it’s also recommended to back up your AppArmor profiles before making any changes. This can be done with the following command.

sudo cp -R /etc/apparmor.d /etc/apparmor.d.bak

This will create a backup of your AppArmor profiles in the /etc/apparmor.d.bak directory, so you can quickly revert to them in case of any issues. With this backup in place, you can safely proceed with enabling or disabling AppArmor on your Ubuntu system.

Step 4: Disable AppArmor Profile

If you need to disable a specific AppArmor profile, you can do so without disabling the entire security application. This is useful if a particular profile is causing issues on your system, but you still want to keep AppArmor enabled for other profiles.

First, navigate to the /etc/apparmor.d directory.

cd /etc/apparmor.d

Now, use the ls command to list the profiles in the /etc/apparmor.d directory.

ls -s

This will give you a list of all the profiles stored in the directory. You can then choose the profile you want to disable and follow the steps below.

To disable a profile, you would use the following command.

sudo aa-disable /etc/apparmor.d/<profile-name>

For example, to disable the usr.sbin.cupsd profile, you can use the following command:

sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Disabling /etc/apparmor.d/usr.sbin.cupsd.

This will effectively disable the usr.sbin.cupsd profile, and the changes will take effect immediately. To view a list of the profiles that are currently disabled, list the /etc/apparmor.d/disable directory with the ls command.

ls /etc/apparmor.d/disable

This will give you a list of all the profiles that are currently disabled in AppArmor. You can use this list to keep track of which profiles you have disabled and for what reason.
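
To keep track of disabled profiles and the reason for each, the following added example (not part of the original guide) compares the entries in the disable directory against a record of reasons. The reasons file and its one-line-per-profile format are hypothetical, and the directory tree is a constructed stand-in for /etc/apparmor.d.

```bash
# Prints one line per entry in <root>/disable: "<name> <reason>", or
# "<name> UNDOCUMENTED" when the reasons file has no line for that profile.
# Reasons file format (hypothetical): "<profile-file-name> <free-text reason>".
audit_disabled() {
  root=$1
  reasons=$2
  for entry in "$root"/disable/*; do
    # An empty directory leaves the glob unexpanded; -L keeps dangling links.
    if [ ! -e "$entry" ] && [ ! -L "$entry" ]; then continue; fi
    name=${entry##*/}
    reason=$(awk -v n="$name" \
      '$1 == n { $1 = ""; sub(/^ +/, ""); print; exit }' "$reasons")
    echo "$name ${reason:-UNDOCUMENTED}"
  done
}

# Builds a constructed /etc/apparmor.d look-alike in a temp directory
# with two disabled profiles, only one of which has a recorded reason.
make_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/apparmor.d/disable"
  for p in usr.sbin.cupsd usr.bin.example; do
    : > "$t/apparmor.d/$p"
    ln -s "$t/apparmor.d/$p" "$t/apparmor.d/disable/$p"
  done
  echo 'usr.sbin.cupsd printer troubleshooting' > "$t/reasons.txt"
  echo "$t"
}

demo=$(make_demo_tree)
audit_disabled "$demo/apparmor.d" "$demo/reasons.txt"
rm -rf "$demo"
```

Against a real system the call would be audit_disabled /etc/apparmor.d followed by the path of your own reasons file.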

Step 5: Enable AppArmor Profile

To re-enable a profile that has been disabled, you can use the following command.

sudo aa-enable /etc/apparmor.d/<profile-name>

This guide disabled usr.sbin.cupsd earlier, so the following example command re-enables that profile.

sudo aa-enable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.

Further Learning with AppArmor Commands

Now that you have learned the basic commands for disabling or enabling profiles and checking their status, this section covers some of the most commonly used AppArmor commands and their usage.

Using the “aa-genprof” Command

The aa-genprof command generates a new AppArmor profile based on the current system activity. It logs all the application’s system calls and creates a new profile based on this log data. This is useful for creating profiles for new applications that do not yet have a profile defined.

Example: To generate a new profile for the application “firefox,” run the following command.

sudo aa-genprof firefox

Using the “aa-enforce” Command

The “aa-enforce” command enforces the AppArmor profiles on an Ubuntu system. This command is handy when you have changed your AppArmor profiles and want to immediately enforce the new policies without restarting the system.

Example: To enforce the current AppArmor profiles, run the following command.

sudo aa-enforce /etc/apparmor.d/*

Or enforce the profile individually.

sudo aa-enforce /etc/apparmor.d/<profile-name>

Using the “aa-disable” Command

The aa-disable command is used to disable a specific AppArmor profile. When a profile is disabled, the restrictions and permissions that it imposes on the application it governs are no longer in effect. This can be useful if a profile is causing issues or if you need to allow the application more freedom temporarily.

To use the aa-disable command, pass it the name of the profile you want to disable. For example, you would run the following command to disable the profile for “Firefox.”

sudo aa-disable /etc/apparmor.d/firefox

It’s worth noting that disabling a profile is a temporary change, and the profile will be re-enabled if you reboot your system or restart the AppArmor service.

Using the “aa-complain” Command

The “aa-complain” command switches a profile to “complain mode.” In this mode AppArmor still evaluates the profile's rules, but instead of denying access to restricted resources, it logs a message to the syslog. This can be useful for testing and debugging purposes, as it allows you to see what kind of access a profile would be blocking without actually blocking it.

Here’s an example of how to use the “aa-complain” command.

sudo aa-complain /etc/apparmor.d/usr.sbin.cupsd

In this example, the “aa-complain” command is being used to switch the “/usr/sbin/cupsd” profile to “complain mode.” Note that you will need to replace “usr.sbin.cupsd” with the name of the profile you wish to switch to “complain mode.”
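
The following added example (not part of the original guide) summarises the accesses a profile logged, so you can see what it would block before switching it to enforce mode. It assumes the kernel audit line format, where complain-mode events carry apparmor="ALLOWED" and enforce-mode denials carry apparmor="DENIED"; the sample log lines are constructed.

```bash
# Constructed sample lines in the kernel audit format AppArmor logs with.
sample_log() {
  cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1673344801.100:101): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example/secret.conf" pid=2001 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1673344802.200:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example/secret.conf" pid=2001 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:03 host kernel: audit: type=1400 audit(1673344803.300:103): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/srv/example/data.db" pid=2002 comm="man" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Jan 10 10:00:04 host kernel: audit: type=1400 audit(1673344804.400:104): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=2001 comm="cupsd" capability=12  capname="net_admin"
Jan 10 10:00:05 host systemd[1]: Started Example Service.
EOF
}

# Log lines on stdin. Prints one line per distinct event:
#   <count> <verdict> <profile> <operation> <denied_mask> <name>
# most frequent first; "-" marks a field the event does not carry.
summarize_apparmor() {
  awk '
    # Returns the value of key="value" in the current line, or "-".
    function field(key) {
      if (match($0, " " key "=\"[^\"]*\""))
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return "-"
    }
    / apparmor="(ALLOWED|DENIED)"/ {
      k = field("apparmor") " " field("profile") " " field("operation")
      k = k " " field("denied_mask") " " field("name")
      n[k]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | summarize_apparmor
```

On a live system the same lines can be fed from sudo journalctl -k or /var/log/syslog; with auditd installed they are written to /var/log/audit/audit.log instead.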

Using the “aa-remove-unknown” Command

The “aa-remove-unknown” command removes AppArmor profiles for unknown applications on an Ubuntu system. This command is useful when you want to clean up your AppArmor profile collection and remove any profiles that are no longer in use.

Here is an example of using the “aa-remove-unknown” command.

sudo aa-remove-unknown

The “aa-remove-unknown” command helps clean up your AppArmor profile collection on an Ubuntu system. Using this command, you can easily remove profiles for unknown applications, keeping your profile collection organized and up-to-date.

These are just a few examples of what you can accomplish with AppArmor commands. There is much more available to explore.

Conclusion

In conclusion, enabling or disabling AppArmor profiles on Ubuntu is simple and straightforward. By following the steps outlined in this guide, you can easily manage the security of your system and control which applications or services are protected by AppArmor. Whether you need to temporarily disable a profile for maintenance or troubleshooting or permanently remove protection for an application, the commands and tools discussed in this guide will help you achieve your goals.

By learning how to enable or disable AppArmor profiles on Ubuntu, you can gain a deeper understanding of the AppArmor security system and how it works. This knowledge can be highly beneficial in several scenarios, including system administration, security management, and software development. Whether you’re a seasoned Linux user or a newcomer to the platform, understanding how to manage AppArmor profiles is an important skill in your toolkit.

Frequently Asked Questions

Is AppArmor enabled by default on Ubuntu?

Yes, AppArmor is enabled by default on Ubuntu.

What are the benefits of using AppArmor on Ubuntu?

The benefits of using AppArmor on Ubuntu include an additional layer of security for your system, protection against malicious or poorly designed applications, prevention of sensitive data from being accessed by applications, and protection of critical system files from being modified or deleted by applications.

What are the drawbacks of using AppArmor on Ubuntu?

The drawbacks of using AppArmor on Ubuntu include increased complexity of the system, overhead in terms of performance, and difficulty in configuring AppArmor rules.

Why does Ubuntu not use SELinux by default?

Ubuntu has traditionally used AppArmor as its default security mechanism due to its ease of use and flexibility. SELinux is a more complex system requiring a deeper understanding of Linux security and more resources to implement and maintain. However, both AppArmor and SELinux provide effective security for Linux systems, and the choice between them often comes down to personal preference and the specific requirements of a given system.

What has better performance, AppArmor or SELinux?

In terms of performance, AppArmor is generally considered less resource-intensive than SELinux, but this will depend on the specifics of the system and the workload being run. AppArmor is designed to be fast and lightweight, while SELinux offers more extensive security features. Ultimately, either system’s performance will depend on your specific requirements and configuration.

What is more secure, AppArmor or SELinux, for an Ubuntu system?

Both AppArmor and SELinux provide effective security for Ubuntu systems, but the choice between them will depend on your system’s specific needs and requirements. SELinux offers a more robust security model, with fine-grained control over system resources and the ability to enforce complex security policies. However, this added complexity can make SELinux more difficult to use and maintain. On the other hand, AppArmor is designed to be simple and user-friendly while providing strong security for most applications and services.

Is AppArmor necessary on Ubuntu?

While AppArmor is not strictly necessary on Ubuntu, it is highly recommended for most users. AppArmor provides an additional layer of security for your system and can help prevent malware and other malicious activities from compromising your system. Additionally, it can help control access to sensitive resources and data, such as network ports, files, and system calls. Ultimately, whether or not to use AppArmor will depend on your specific security needs and the applications and services running on your system.
