AppArmor Command-Line Utility
AppArmor is a Linux Security Module (LSM) that applies mandatory access control to programs. It confines each program to a predetermined set of resources (files, capabilities, network access), so that even if a program is compromised, the damage it can do is limited to what its profile allows.
Managing AppArmor Profiles
The core of AppArmor's functionality lies in its profiles. These profiles define the specific rules and permissions for each application. You can manage these profiles using various command-line tools.
Activating AppArmor Profiles
To activate a profile and enforce its security policies, use the aa-enforce command. This command loads the specified profile into the kernel in enforce mode, so the kernel restricts the application's behavior according to the profile's rules and logs any denied access.
# To activate a profile:
sudo aa-enforce usr.bin.firefox
# or, by hand: remove the "disable" marker symlink, then load the profile into the kernel
# (-a adds a profile that is not yet loaded; use -r instead to replace one that is already loaded)
_PROFILE_='usr.bin.firefox'
sudo rm -f /etc/apparmor.d/disable/$_PROFILE_ && sudo apparmor_parser -a /etc/apparmor.d/$_PROFILE_
Deactivating AppArmor Profiles
If you need to temporarily disable a profile, use the aa-disable command. This command unloads the profile from the kernel and marks it so it is not loaded at boot, leaving the application to run unconfined with only ordinary file permissions. It's crucial to understand the security implications before disabling any profile.
# To disable a profile:
sudo aa-disable usr.bin.firefox
# or, by hand: create the "disable" marker symlink so the profile is skipped at boot, then unload it
_PROFILE_='usr.bin.firefox'
sudo ln -s /etc/apparmor.d/$_PROFILE_ /etc/apparmor.d/disable/ && sudo apparmor_parser -R /etc/apparmor.d/$_PROFILE_
Checking AppArmor Status and Profiles
To get an overview of the current AppArmor status and to see which profiles are loaded and in what mode (enforce or complain), use the aa-status command. This is an essential tool for monitoring your system's security posture.
# To list profiles loaded:
sudo aa-status
# or
sudo apparmor_status
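As an added example (not code from the original page), a POSIX shell helper that reads aa-status output and reports whether a named profile is in enforce mode, in complain mode, or not loaded at all. The sample output is constructed; note that aa-status lists profile names such as /usr/bin/firefox, not profile file names such as usr.bin.firefox. On a real host, pass "$(sudo aa-status)" as the second argument.

```shell
#!/bin/sh
# Constructed sample of `aa-status` output (not captured from a real host);
# section headers and three-space indentation follow the tool's plain-text layout.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/firefox
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/bin/man
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/firefox (1234)
   /usr/sbin/cupsd (567)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME [STATUS_TEXT]
# Prints "enforce", "complain" or "unloaded" for profile NAME, judged only from the
# "profiles are in ... mode" sections (the later "processes" sections are ignored).
# STATUS_TEXT defaults to the constructed sample; use "$(sudo aa-status)" on a real host.
profile_mode() {
    _name=$1
    _status=${2:-$SAMPLE_STATUS}
    printf '%s\n' "$_status" | awk -v name="$_name" '
        # A section header decides which mode the indented names below it belong to.
        /profiles are in enforce mode/  { section = "enforce";  next }
        /profiles are in complain mode/ { section = "complain"; next }
        # Any other section (e.g. kill mode in newer releases, or the process
        # listing) ends the current one so its names are not misattributed.
        /profiles are in|processes/     { section = "";         next }
        section != "" && $1 == name     { print section; found = 1; exit }
        END { if (!found) print "unloaded" }
    '
}

# Example run against the constructed sample (a real host would pass "$(sudo aa-status)"):
profile_mode /usr/bin/firefox   # enforce
profile_mode /usr/bin/man       # complain
profile_mode /usr/bin/evince    # unloaded
```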
The available profiles are typically located in the /etc/apparmor.d/ directory. Understanding the contents of these profiles is key to effectively managing your system's security.