Mandatory Access Control (MAC)

AppArmor

Install

  • Install the apparmor package.

  • Add AppArmor to the Linux secuirty modules that will be used on boot along with the dependencies that should be loaded beforehand. This is normally done through GRUB.

    lsm=landlock,lockdown,yama,apparmor,bpf

  • Enable the service.

    $ sudo systemctl enable apparmor

  • Reboot the computer to complete the installation.

  • Verify that it is enabled and running.

    $ sudo aa-enabled
$ sudo aa-status

[1]

Profiles

  • View loaded profiles:

    $ sudo aa-status

  • Add a new profile:

    $ sudo apparmor_enforce -r /etc/apparmor.d/<PROFILE>

  • Find the actual name of a profile (it is not always the file name):

    $ grep -P ^profile /etc/apparmor.d/<PROFILE>

  • Enable a profile:

    $ sudo aa-enforce <PROFILE>

  • Disable a profile but keep logging enabled:

    $ sudo aa-complain <PROFILE>

  • Disable a profile completely:

    $ sudo ln -s /etc/apparmor.d/<PROFILE> /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/<PROFILE>

[2]

  • Delete a profile [3]:

    $ sudo rm -f /etc/apparmor.d/<PROFILE>
$ sudo systemctl reload apparmor

Disable

For testing purposes, AppArmor can be temporarily disabled. Set the Linux kernel boot arguments to disable AppArmor.

apparmor=0

Alternatively, use a different MAC such as SELinux. Only one MAC implementation can be used on Linux at a time. [2]

security=selinux

[2]

Bibliography

  1. “AppArmor.” Arch Wiki. September 15, 2021. Accessed October 3, 2021. https://wiki.archlinux.org/title/AppArmor

  2. “AppArmor.” Ubuntu Community Help Wiki. July 5, 2020. https://help.ubuntu.com/community/AppArmor

  3. “Building Profiles from the Command Line.” openSUSE Security Guide. 2018. Accessed October 3, 2021. https://doc.opensuse.org/documentation/leap/archive/42.3/security/html/book.security/cha.apparmor.commandline.html