AppArmor is enabled by default in Buster
|Deletions are marked like this.||Additions are marked like this.|
|Line 23:||Line 23:|
|If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.
|Line 32:||Line 34:|
In the future, this should be automated, see DebianBug:702030
|/Contribute /Debug /HowToUse /OutReachyRound9 /Progress /Reportbug /UserStories|
A Debian 7 "Wheezy" or newer GNU/Linux system is required.
Install AppArmor userspace tools:
$ sudo apt install apparmor apparmor-utils
(If you intend to use automatic profile generation tools, also install auditd.)
If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.
Enable the AppArmor Linux Security Modules (LSM):
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
Inspect the current state
$ sudo aa-status
will list all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined).
$ ps auxZ | grep -v '^unconfined'
will list running executables which are currently confined by an AppArmor profile.
Enable / install more profiles
Find more profiles:
in the apparmor-profiles-extra package (available in Jessie and newer);
in the apparmor-profiles package;
in the patches, with new profiles included, that were submitted to Debian;
- in Ubuntu.
AppArmor profiles live in /etc/apparmor.d/. One can use apparmor_parser(8) to insert them into the kernel. This is done automatically when installing packages that drop policy in /etc/apparmor.d/.
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.
AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
Report a bug
If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.
First, you can disable individual profiles with aa-disable.
But if you want to entirely disable AppArmor on your system, run:
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot