AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use >=sys-kernel/hardened-sources-3.10 or any other kernel >=3.12.
You need to activate the following kernel options:
Note that the Enable AppArmor 2.4 compatability option is only required with hardened-sources before 3.12
- sys-libs/libapparmor - the core library to support the userspace utilities
- sys-apps/apparmor - the profile parser and init script (required)
- sys-apps/apparmor-utils - additional userspace utilities to assist with profile management (recommended)
- sec-policy/apparmor-profiles - a collection of pre-built profiles contributed by the AppArmor community
If you did not select AppArmor as the default security module and set the boot parameter default value in the kernel configuration, you will need to enable AppArmor manually at boot time.
You should apply changes by running:
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but you may prefer to do it manually:
Adding it to boot runlevel:
Working with profiles
Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - you may organise them however it suits you.
Profiles are referred to by name, including any parent subdirectories if present.
The init script will automatically load all profiles located in your profile directory. Unless specifically specified otherwise, each profile will be loaded in enforce mode.
To activate a profile, simply set it to enforce mode:
Similarly, to deactivate a profile, simply set it to complain mode.
The current status of your profiles may be viewed using aa-status: