How to use AppArmor for application security

Short answer

AppArmor uses profiles to restrict what files and capabilities an application can use, reducing exploit impact.

Steps

  1. Check AppArmor status:
     sudo aa-status
  2. Generate a profile:
     sudo aa-genprof /path/to/application
  3. Load a profile:
     sudo apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
  4. Set enforce or complain mode (this command sets enforce mode):
     sudo aa-enforce /etc/apparmor.d/usr.bin.myapp

Tips

  • Complain mode logs violations without blocking; use it for testing.
  • Ubuntu enables AppArmor by default.
  • Profiles are easier to write than SELinux policies for many admins.

Common issues

  • Overly restrictive profiles break legitimate application behavior.
  • Conflicts between AppArmor and SELinux: use one, not both.
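
Added example (not part of the original page): to act on the complain-mode tip and catch an overly restrictive profile before it breaks the application, this script summarizes AppArmor audit events for one profile so you can see which rules are still missing. The function name aa_summary and the log lines are constructed for illustration; /usr/bin/myapp is assumed to be the profile name behind the page's usr.bin.myapp placeholder.

```shell
#!/bin/sh
# Added example: summarize AppArmor audit events for one profile.
# SAMPLE_LOG is constructed for illustration (complain-mode ALLOWED events,
# then a DENIED event after enforcing). On a real host, pipe the kernel log
# into aa_summary instead, e.g. from journalctl -k (assumed log source).
SAMPLE_LOG='kernel: audit: type=1400 audit(1704880801.100:101): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/myapp" pid=900 comm="apparmor_parser"
kernel: audit: type=1400 audit(1704880810.200:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/config.yml" pid=1201 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1704880811.300:103): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/config.yml" pid=1207 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1704880812.400:104): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=1201 comm="myapp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1704880813.500:105): apparmor="ALLOWED" operation="capable" profile="/usr/bin/myapp" pid=1201 comm="myapp" capability=10 capname="net_bind_service"
kernel: audit: type=1400 audit(1704880814.600:106): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/other.conf" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1704884400.700:107): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/lib/myapp/cache.db" pid=1450 comm="myapp" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

# aa_summary PROFILE
# Reads log lines on stdin and prints one line per distinct event:
#   <count> <ALLOWED|DENIED> <operation> <mask or capability> <target>
aa_summary() {
    awk -v want="$1" '
    # Return the value of key="value" or key=value from the current line.
    function field(key,    i, rest, v) {
        i = index($0, " " key "=")
        if (i == 0) return ""
        rest = substr($0, i + length(key) + 2)
        if (substr(rest, 1, 1) == "\"") {
            rest = substr(rest, 2)
            return substr(rest, 1, index(rest, "\"") - 1)
        }
        split(rest, v, " ")
        return v[1]
    }
    {
        verdict = field("apparmor")
        # Skip STATUS and other non-access events, and other profiles.
        if (verdict != "ALLOWED" && verdict != "DENIED") next
        if (field("profile") != want) next
        op = field("operation")
        if (op == "capable") { what = field("capname"); target = "-" }
        else { what = field("denied_mask"); target = field("name") }
        seen[verdict " " op " " what " " target]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2,2 -k5,5
}

printf '%s\n' "$SAMPLE_LOG" | aa_summary /usr/bin/myapp
```

ALLOWED lines are accesses that complain mode let through and enforce mode would block; DENIED lines are accesses enforce mode has already blocked.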