Document how to disable AppArmor
|Deletions are marked like this.||Additions are marked like this.|
|Line 23:||Line 23:|
|Enable the !AppArmor LSM:||Enable the !AppArmor Linux Security Modules (LSM):|
|/Contribute /Debug /HowToUse /OutReachyRound9 /Progress /Reportbug /UserStories|
A Debian 7 "Wheezy" or newer GNU/Linux system is required.
Install AppArmor userspace tools:
$ sudo apt install apparmor apparmor-utils
(If you intend to use automatic profile generation tools, also install auditd.)
Enable the AppArmor Linux Security Modules (LSM):
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
In the future, this should be automated, see 702030
Inspect the current state
$ sudo aa-status
will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).
$ ps auxZ | grep -v '^unconfined'
will list running executables which are currently confined by an AppArmor profile.
Enable / install more profiles
Find more profiles:
in the apparmor-profiles-extra package (available in Jessie and newer);
in the apparmor-profiles package;
in the patches, with new profiles included, that were submitted to Debian;
- in Ubuntu.
AppArmor profiles live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing packages that drop policy in /etc/apparmor.d/.
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.
AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
Report a bug
If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.
First, you can disable individual profiles with aa-disable.
But if you want to entirely disable AppArmor on your system, run:
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot