AppArmor (Application Armor) is a Linux Security Module (LSM) that provides a practical, easy-to-use Mandatory Access Control (MAC) framework for restricting the capabilities of applications. Unlike SELinux, which relies on complex policies, AppArmor simplifies security by using profile-based access control.
Key Features
- Profile-Based Access Control: AppArmor restricts application behavior based on predefined profiles.
- Path-Based Security Policies: Unlike SELinux, which uses labels, AppArmor policies are based on file paths.
- Learning Mode: Allows administrators to create security profiles by observing application behavior.
- Fine-Grained Access Control: Provides detailed permission controls over file access, network connections, and capabilities.
- User-Friendly Management: Easier to configure and deploy compared to SELinux.
How AppArmor Works
AppArmor uses security profiles that define which files, capabilities, and network accesses an application is allowed. These profiles are enforced at the kernel level, restricting an application’s ability to perform unauthorized actions.
Profile Modes
- Enforcing Mode: Actively restricts application behavior based on defined rules.
- Complain Mode: Logs policy violations without enforcing restrictions, useful for debugging.
Use Cases
Securing System Services
AppArmor is commonly used to confine system services such as web servers and databases, preventing unauthorized access to sensitive files.
Isolating User Applications
Applications such as browsers and email clients can be restricted to reduce the impact of potential exploits.
Protecting Containers
AppArmor can be integrated with container runtimes like Docker and LXC to enforce strict isolation between workloads.
Managing AppArmor Profiles
Checking Status
To verify if AppArmor is running:
```bash
sudo aa-status
```
Loading a Profile
```bash
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
```
Setting a Profile to Complain Mode
```bash
sudo aa-complain /etc/apparmor.d/usr.bin.firefox
```
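Once a profile is in complain mode, the logged events show what enforcement would have blocked. The script below is an added example, not part of the original page or of the AppArmor tools: it summarizes file events per profile from audit log text. The log lines are constructed samples in the kernel's audit message format, and `parse_event` and `summarize` are hypothetical helper names.

```python
import re

# Constructed audit lines in the AppArmor kernel message format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/etc/passwd" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.202:202): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/firefox" name=2F746D702F612062 pid=4242 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.303:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name=2F746D702F612062 pid=4242 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.404:204): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.505:205): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/firefox" pid=4300 comm="apparmor_parser"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    event = {}
    for key, quoted, bare in FIELD.findall(line):
        # Names with spaces or other unsafe bytes are logged hex-encoded, unquoted.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        event[key] = quoted or bare
    return event


def summarize(log_text):
    """Map (profile, verdict) -> {path: merged masks} for file events."""
    # ALLOWED = complain mode (access went through); DENIED = enforce mode.
    summary = {}
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event or event.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if "name" not in event or "denied_mask" not in event:
            continue  # not a file event (status change, network, ...)
        key = (event.get("profile", "?"), event["apparmor"])
        paths = summary.setdefault(key, {})
        masks = set(paths.get(event["name"], "")) | set(event["denied_mask"])
        paths[event["name"]] = "".join(sorted(masks))
    return summary


if __name__ == "__main__":
    for (profile, verdict), paths in summarize(SAMPLE_LOG).items():
        for path, masks in sorted(paths.items()):
            print(f"{verdict:8} {profile}  {path}  {masks}")
```

On a real host, the same events appear in `/var/log/audit/audit.log` when auditd is running, or in the kernel log otherwise; `aa-logprof` performs this review interactively and proposes rules.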
Enforcing a Profile
```bash
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
```
Example AppArmor Profile
A simple profile to restrict Firefox:
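```
#include <tunables/global>

/usr/bin/firefox {
  #include <abstractions/base>

  # Allow read access to user files
  # (the trailing-slash rule covers the directory itself, ** covers its contents)
  /home/*/Downloads/ r,
  /home/*/Downloads/** r,
  /home/*/Documents/ r,
  /home/*/Documents/** r,

  # Deny access to sensitive files
  # (file rules need an explicit permission mode)
  deny /etc/shadow rwklx,
  deny /root/ rwklx,
  deny /root/** rwklx,
}
```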
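This profile restricts Firefox’s access, allowing it to read user files but preventing access to system-critical files. In enforce mode, anything a profile does not explicitly allow is already denied; the explicit deny rules add a guarantee that these paths stay blocked even if an included abstraction or a later rule would allow them, and denials from deny rules are not logged. The profile is an illustration only: a working Firefox profile needs many more rules.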
Comparison with Other LSMs
Feature | AppArmor | SELinux | Landlock |
---|---|---|---|
MAC Enforcement | Yes | Yes | Yes |
Path-Based Rules | Yes | No | No |
Ease of Use | High | Low | Medium |
Unprivileged Use | No | No | Yes |
Unlike SELinux, which requires complex labeling, AppArmor’s path-based model makes it more accessible to users while still providing strong security.
Conclusion
AppArmor is a practical and efficient security module for Linux systems, offering fine-grained control over application behavior through easily manageable security profiles. Its user-friendly approach makes it an attractive choice for system administrators looking to enhance security without the complexity of other LSMs like SELinux. Whether securing system services, isolating applications, or protecting containers, AppArmor provides a robust layer of defense against unauthorized access and potential exploits.