AppArmor

AppArmor is a MAC (Mandatory Access Control) system built on the LSM (Linux Security Modules) framework. It confines individual programs according to per-program profiles that list the files, capabilities and network access each program is allowed, regardless of the user it runs as.

Patches
While the Linux kernel already supports AppArmor natively, the userspace utilities depend on a number of patches produced by the AppArmor developers that have not yet been accepted upstream. Depending upon the version of the kernel you are using, the patches are included in the AppArmor tarball, or can be found in version-specific git branches.

These patches do not apply cleanly to so a rebased version for the latest kernel is provided for convenience.

Configuration
You need to activate the following kernel options:

Note that the Enable AppArmor 2.4 compatibility option will only be available if you are using the kernel patches.

Packages

 * - the core library to support the userspace utilities
 * - the profile parser and init script (required)
 * - additional userspace utilities to assist with profile management (recommended)
 * - a collection of pre-built profiles contributed by the AppArmor community

Enabling AppArmor
If you did not select AppArmor as the default security module and set the boot parameter default value to enabled in the kernel configuration, the kernel will boot with AppArmor inactive, and you will need to enable it manually at boot time by passing the appropriate kernel command-line parameters.

GRUB 2
You should apply changes by running:

securityfs
securityfs is the pseudo-filesystem (normally mounted at /sys/kernel/security) through which Linux kernel security modules expose their control interfaces; AppArmor's profile loading and status interface lives under it, so it must be mounted before any profile can be loaded. The init script mounts it automatically if it is not already, but you may prefer to do it manually:

Boot service
Adding it to boot runlevel:
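The steps above (kernel options, boot parameters, securityfs, the boot service) must all be in place before a profile can be enforced, and a machine that is missing one of them silently runs unconfined. The following script is an added example, not part of the original page or of the AppArmor project; it checks each precondition from text you pass in, so it can be exercised offline on the constructed sample inputs embedded below, and reads the live system when invoked with `live`. It assumes the kernel symbols CONFIG_SECURITY_APPARMOR and CONFIG_DEFAULT_SECURITY_APPARMOR, the boot parameters `apparmor=1 security=apparmor`, and securityfs mounted at /sys/kernel/security.

```shell
#!/bin/sh
# Added example, not from the page or from AppArmor itself. Assumptions: the
# kernel config symbols, boot parameters and securityfs path named in the lead-in.

# Classify a kernel .config text (e.g. the output of zcat /proc/config.gz):
# prints "builtin" (AppArmor built in and the default LSM),
# "builtin-not-default" (built in, must be selected at boot) or "missing".
kconfig_apparmor_state() {
    cfg="$1"
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_APPARMOR=y'; then
        echo missing
        return 1
    fi
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_DEFAULT_SECURITY_APPARMOR=y'; then
        echo builtin
    else
        echo builtin-not-default
    fi
}

# Decide from a kernel command line (cat /proc/cmdline) whether AppArmor was
# requested at boot: the last "security=" wins, and "apparmor=0" disables it
# even if selected. (Kernels since 5.1 also accept an "lsm=" list; not handled.)
cmdline_selects_apparmor() {
    sel=0
    disabled=0
    for word in $1; do
        case "$word" in
            security=apparmor) sel=1 ;;
            security=*) sel=0 ;;
            apparmor=0) disabled=1 ;;
        esac
    done
    [ "$sel" = 1 ] && [ "$disabled" = 0 ]
}

# Print where securityfs is mounted, given the contents of /proc/mounts
# (empty output if it is not mounted at all).
securityfs_mountpoint() {
    printf '%s\n' "$1" | awk '$3 == "securityfs" { print $2; exit }'
}

# Constructed sample inputs (not captured from a real machine) for offline use.
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro apparmor=1 security=apparmor'
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# Run the same checks against the running system; only meaningful on Linux.
apparmor_live_check() {
    if [ -r /proc/config.gz ]; then
        echo "kernel config: $(kconfig_apparmor_state "$(zcat /proc/config.gz)")"
    fi
    if cmdline_selects_apparmor "$(cat /proc/cmdline)"; then
        echo "cmdline: apparmor selected"
    else
        echo "cmdline: apparmor not selected (relies on kernel defaults)"
    fi
    mp=$(securityfs_mountpoint "$(cat /proc/mounts)")
    if [ -n "$mp" ] && [ -d "$mp/apparmor" ]; then
        echo "securityfs at $mp, apparmor interface present"
    else
        echo "securityfs missing or apparmor interface absent"
    fi
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        echo "module enabled: $(cat /sys/module/apparmor/parameters/enabled)"
    fi
}

case "${1:-}" in
    live) apparmor_live_check ;;
esac
```

Run it as `sh check-apparmor.sh live` on the target host; the last line, read from the module parameter, is the authoritative answer, while the earlier ones tell you which prerequisite is missing when it says N.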

Working with profiles
Profiles are stored as simple text files in. They may take any name, and may be stored in subdirectories - you may organise them however it suits you.

Profiles are referred to by name, including any parent subdirectories if present.

Automatic control
The init script will automatically load all profiles located in your profile directory. Unless a profile itself specifies otherwise through the flags in its header, it is loaded in enforce mode, so a profile you have only half-written will start denying access as soon as the service starts.

Manual control
To have a profile enforced, set it to enforce mode: accesses the profile does not permit are denied and logged.

To stop enforcing a profile without unloading it, set it to complain mode: the profile stays loaded, violations are logged but allowed, which is how you develop a profile against a real workload. Note that complain mode is not the same as removing a profile; a profile must be unloaded from the kernel to deactivate it entirely.

The current status of your profiles may be viewed using :
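The profile sections above leave out what a profile file looks like and what switching between enforce and complain mode actually changes. The script below is an added example, not part of the original page or of the AppArmor project: it writes a minimal profile for a hypothetical binary /usr/bin/example, reports which mode the file will load in, and rewrites the `flags=(complain)` marker in the profile header the way aa-complain and aa-enforce do before reloading it with `apparmor_parser -r`. The profile directory, the binary, the rules in the profile and the file-naming convention (path with `/` replaced by `.`) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the page or from AppArmor itself. Assumptions: the
# hypothetical binary /usr/bin/example, its rules, the "/" -> "." file naming,
# and the per-profile flags=(complain) syntax toggled by aa-complain/aa-enforce.

# Write a minimal profile for $2 into directory $1 and print the file path.
# No flags=(...) on the header line means the kernel loads it in enforce mode.
write_profile() {
    dir="$1"
    bin="$2"
    name=$(printf '%s' "$bin" | sed 's#^/##; s#/#.#g')
    mkdir -p "$dir"
    cat > "$dir/$name" <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>

  $bin mr,
  /etc/example.conf r,
  /var/log/example.log w,
  deny /etc/shadow r,
}
EOF
    printf '%s\n' "$dir/$name"
}

# Print the mode a profile file will be loaded in: "complain" if its header
# carries complain in flags=(...), otherwise "enforce".
profile_mode() {
    if grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# Load (or replace, -r) a profile in the kernel when this host can do so;
# otherwise print the command, so the script is usable on a build host too.
load_profile() {
    if command -v apparmor_parser >/dev/null 2>&1 \
        && [ -d /sys/kernel/security/apparmor ] && [ "$(id -u)" = 0 ]; then
        apparmor_parser -r "$1"
    else
        echo "dry-run: apparmor_parser -r $1"
    fi
}

# Rewrite the header line (a line starting with "/" or "profile" and ending in
# "{") to add or remove the complain flag, then reload the profile.
set_profile_mode() {
    file="$1"
    mode="$2"
    hdr='/^(profile[[:space:]]|\/).*\{[[:space:]]*$/'
    case "$mode" in
        complain)
            sed -i -E -e "$hdr{" \
                -e '/flags=\([^)]*complain/b' \
                -e 's/flags=\(/flags=(complain,/' \
                -e 't' \
                -e 's/[[:space:]]*\{[[:space:]]*$/ flags=(complain) {/' \
                -e '}' "$file"
            ;;
        enforce)
            sed -i -E -e "$hdr{" \
                -e 's/[[:space:]]*flags=\(complain\)//' \
                -e 's/flags=\(complain,[[:space:]]*/flags=(/' \
                -e 's/,[[:space:]]*complain\)/)/' \
                -e '}' "$file"
            ;;
        *)
            echo "mode must be enforce or complain" >&2
            return 2
            ;;
    esac
    load_profile "$file"
}
```

Typical use on a live host: `f=$(write_profile /etc/apparmor.d /usr/bin/example)`, `set_profile_mode "$f" complain`, exercise the program while watching the kernel log for AppArmor audit messages, extend the rules, then `set_profile_mode "$f" enforce`; aa-status (apparmor_status) lists which loaded profiles are in which mode.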