AppArmor

AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).

Kernel
While the Linux kernel has supported AppArmor for quite some time, some recent changes have been made that make working with AppArmor profiles much more user friendly. It is therefore highly recommended to use >=-3.10 or any other kernel >=3.12.

Activate the following kernel options:

Note that the Enable AppArmor 2.4 compatability option is only required with hardened-sources before 3.12

Emerge
Install the userspace tools. It contains the profile parser and init script:

Emerging the following package is recommended, but not required. This package contains additional userspace utilities to assist with profile management:

Additional software

 * - The core library to support the userspace utilities
 * - A collection of pre-built profiles contributed by the AppArmor community

Enabling AppArmor
If you did not select AppArmor as the default security module and set the boot parameter default value in the kernel configuration, you will need to enable AppArmor manually at boot time.

GRUB 2
Apply changes by running:

securityfs
securityfs is the filesystem used by Linux kernel security modules. The init script mounts it automatically if it is not already, but some may prefer to do it manually:

OpenRC
Adding it to boot runlevel:

Working with profiles
Profiles are stored as simple text files in. They may take any name, and may be stored in subdirectories - you may organised them however it suits you.

Profiles are referred to by name, including any parent subdirectories if present.

Automatic control
The init script will automatically load all profiles located in your profile directory. Unless specifically specified otherwise, each profile will be loaded in enforce mode.

Manual control
To activate a profile, simply set it to enforce mode:

Similarly, to deactivate a profile, simply set it to complain mode.

The current status of your profiles may be viewed using :