AppArmor

AppArmor is the default Linux Security Module (LSM) on Ubuntu and Debian. Unlike SELinux's label-based model, AppArmor identifies programs and the objects they touch by filesystem path, which makes profiles simpler to read and configure. Each profile defines what a specific program may do: which files it can read or write, which network connections it can make, and which capabilities it can use.

AppArmor Profiles

How does AppArmor know which profile applies to which program? Profiles are identified by the program's absolute path. When /usr/bin/nginx starts, AppArmor looks for a profile named "/usr/bin/nginx" (or an alias). If one exists, AppArmor applies it. If not, the program runs unconfined. Profile files are stored in /etc/apparmor.d/ and loaded into the kernel on boot.
```bash
# Check AppArmor status:
aa-status
# apparmor module is loaded.
# 35 profiles are loaded.
# 35 profiles are in enforce mode.
#    /usr/bin/man
#    /usr/sbin/tcpdump
#    ...
# 0 profiles are in complain mode.
# 5 processes have profiles defined.
# 5 processes are in enforce mode.

# List all profiles:
ls /etc/apparmor.d/
# usr.bin.man  usr.sbin.nginx  usr.lib.snapd.snap-confine ...

# View a profile:
cat /etc/apparmor.d/usr.sbin.nginx
```

Profile Syntax

```
# /etc/apparmor.d/usr.sbin.nginx
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Capabilities allowed
  capability net_bind_service,
  capability setgid,
  capability setuid,

  # File access: path permission_flags
  /etc/nginx/** r,          # read config files
  /var/log/nginx/*.log w,   # write log files
  /var/www/html/** r,       # read web content
  /run/nginx.pid rw,        # PID file
  /tmp/nginx/** rw,         # temp files

  # Network access
  network tcp,

  # Deny everything else (implicit)
}

# Permission flags:
#   r = read    w = write   x = execute
#   a = append  l = link    k = lock
#   m = mmap executable
# Note: x is never written alone in a rule; it takes an execute-mode qualifier
# (ix = inherit this profile, px = switch to the target's profile, ux = unconfined).
```

Enforce vs Complain Mode

```bash
# Complain mode: log violations but don't block (like SELinux permissive)
aa-complain /usr/sbin/nginx

# Enforce mode: block violations
aa-enforce /usr/sbin/nginx

# Check mode of a specific profile:
aa-status | grep nginx
# /usr/sbin/nginx (enforce)

# Reload a profile after editing:
apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

# Disable a profile entirely:
aa-disable /usr/sbin/nginx

# View AppArmor denials:
dmesg | grep "apparmor=DENIED"
# [1234.5] audit: type=1400 audit(123.456:789): apparmor="DENIED"
#   operation="open" profile="/usr/sbin/nginx" name="/etc/shadow"
#   pid=1234 comm="nginx" requested_mask="r" denied_mask="r"
```

Generating Profiles Automatically

```bash
# aa-genprof: interactive profile generator
aa-genprof /usr/bin/myapp
#   Runs the app in complain mode
#   Watches what it accesses
#   Prompts you to allow/deny each access
#   Generates a profile

# aa-logprof: update an existing profile from logs
# Run the app in complain mode first:
aa-complain /usr/bin/myapp
# Use the app normally...
# Then update the profile from what was logged:
aa-logprof
#   Scans /var/log/syslog or /var/log/audit/audit.log
#   Suggests additions to the profile
```
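The denial lines shown under "View AppArmor denials" are what aa-logprof digests; when you only want a quick triage before deciding whether to run it, the following added example (not part of the original page, and not an AppArmor project tool) groups DENIED events by profile and path, unions the denied_mask characters, and prints the file rule that would be needed if the access turned out to be legitimate. The log lines in SAMPLE_LOG are constructed samples in the kernel audit format, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: triage AppArmor denials pulled
# from dmesg/auditd. For each (profile, path) it unions the denied_mask chars,
# counts hits and prints the rule needed IF the access is legitimate.
# Capability denials (operation="capable") carry no path and are skipped.
# The log lines in SAMPLE_LOG are constructed samples, not from a real host.

summarize_denials() {
    awk '
    function to_perm(m,  mapped, out, i, c) {
        mapped = m; gsub(/[cd]/, "w", mapped)   # create/delete are write in rule syntax
        out = ""
        for (i = 1; i <= 6; i++) {              # canonical order: r w a l k m
            c = substr("rwalkm", i, 1)
            if (index(mapped, c)) out = out c
        }
        return out                              # "x" is dropped: it needs an ix/px/ux qualifier
    }
    /apparmor="DENIED"/ {
        profile = ""; name = ""; mask = ""
        # leading space anchors the key so capname= / requested_mask= never match
        if (match($0, / profile="[^"]*"/))     profile = substr($0, RSTART+10, RLENGTH-11)
        if (match($0, / name="[^"]*"/))        name    = substr($0, RSTART+7,  RLENGTH-8)
        if (match($0, / denied_mask="[^"]*"/)) mask    = substr($0, RSTART+14, RLENGTH-15)
        if (profile == "" || name == "" || mask == "") next
        key = profile SUBSEP name
        hits[key]++
        for (i = 1; i <= length(mask); i++) {   # union of mask characters, first-seen order
            c = substr(mask, i, 1)
            if (!index(masks[key], c)) masks[key] = masks[key] c
        }
    }
    END {
        for (key in hits) {
            split(key, k, SUBSEP)
            printf "%s %s mask=%s hits=%d rule: %s %s,\n", k[1], k[2], masks[key], hits[key], k[2], to_perm(masks[key])
        }
    }' | sort
}

SAMPLE_LOG='audit: type=1400 audit(1.1:1): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1.2:2): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/cache/nginx/tmp" pid=1234 comm="nginx" requested_mask="wc" denied_mask="wc" fsuid=33 ouid=33
audit: type=1400 audit(1.3:3): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/cache/nginx/tmp" pid=1235 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
audit: type=1400 audit(1.4:4): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1234 comm="nginx" capability=12 capname="net_admin"
audit: type=1400 audit(1.5:5): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/etc/passwd" pid=99 comm="myapp" requested_mask="r" denied_mask="r"'

run_sample() { printf '%s\n' "$SAMPLE_LOG" | summarize_denials; }

run_sample
```

On a live host feed it with `dmesg | grep 'apparmor="DENIED"' | summarize_denials` (or the auditd log); ALLOWED lines from complain mode are deliberately ignored, since those are the ones aa-logprof already handles.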

Docker and AppArmor

```bash
# Docker applies the docker-default AppArmor profile to all containers
# View it:
cat /etc/apparmor.d/docker-default

# Key rules in docker-default:
#   - deny /proc/sysrq-trigger        (can't trigger system requests)
#   - deny /sys/fs/cgroup/**          (can't escape cgroup)
#   - deny @{PROC}/sys/kernel/shmmax  (can't change shared memory)
#   - deny mount                      (can't mount filesystems)

# Run a container with a custom AppArmor profile:
docker run --security-opt apparmor=my-profile myimage

# Run without AppArmor (unconfined):
docker run --security-opt apparmor=unconfined myimage

# Check the active profile on a container:
docker inspect mycontainer --format '{{.HostConfig.SecurityOpt}}'
# [apparmor=docker-default]
# Note: HostConfig.SecurityOpt only lists options passed explicitly at run time;
# the profile actually applied is in the top-level field:
docker inspect mycontainer --format '{{.AppArmorProfile}}'
# docker-default
```
