Translation(s): none
This page describes how to use AppArmor on Debian.
Contents
Install software
AppArmor is available in Debian since Debian 7 "Wheezy".
Install AppArmor userspace tools:
auditd (If you intend to use automatic profile generation tools)
Enable AppArmor
If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.
Enable the AppArmor Linux Security Modules (LSM):
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
Inspect the current state
List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):
$ sudo aa-status
List running executables which are currently confined by an AppArmor profile:
$ ps auxZ | grep -v '^unconfined'
List of processes with tcp or udp ports that do not have AppArmor profiles loaded:
$ sudo aa-unconfined
Enable / install more profiles
AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To install more profiles:
apparmor-profiles-extra provides and enables Debian-specific (not upstreamed) profiles.
apparmor-profiles provides various experimental profiles, and enables some by default.
Check the equivalent Ubuntu packages
Check newly submitted pacthes/profiles for AppArmor in Debian
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.
Debug
AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
Report a bug
If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.
Learn more
Learn more or start contributing.
Disable AppArmor
First, you can disable individual profiles with aa-disable.
But if you want to entirely disable AppArmor on your system, run:
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
See also
apparmor_parser(8) manpage