AppArmor

AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).

Kernel
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use >=-3.10 or any other kernel >=3.12.

Configuration
You need to activate the following kernel options:

Note that the Enable AppArmor 2.4 compatability option is only required with hardened-sources before 3.12

Packages

 * - the core library to support the userspace utilities
 * - the profile parser and init script (required)
 * - additional userspace utilities to assist with profile management (recommended)
 * - a collection of pre-built profiles contributed by the AppArmor community

Enabling AppArmor
If you did not select AppArmor as the default security module and set the boot parameter default value in the kernel configuration, you will need to enable AppArmor manually at boot time.

GRUB 2
You should apply changes by running:

securityfs
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but you may prefer to do it manually:

Boot service
Adding it to boot runlevel:

Working with profiles
Profiles are stored as simple text files in. They may take any name, and may be stored in subdirectories - you may organise them however it suits you.

Profiles are referred to by name, including any parent subdirectories if present.

Automatic control
The init script will automatically load all profiles located in your profile directory. Unless specifically specified otherwise, each profile will be loaded in enforce mode.

Manual control
To activate a profile, simply set it to enforce mode:

Similarly, to deactivate a profile, simply set it to complain mode.

The current status of your profiles may be viewed using :