AppArmor
What is AppArmor?
A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs.
AppArmor is a Linux Security Module that enforces mandatory access control through per-program profiles expressed in terms of file paths, capabilities, and network primitives, rather than the inode labels used by SELinux. AppArmor originated in Immunix, is maintained by SUSE and Canonical, and has been the default MAC framework on Ubuntu and openSUSE since the late 2000s. Profiles live under /etc/apparmor.d and can be loaded in enforce or complain mode, with helpers such as aa-genprof, aa-logprof, and aa-easyprof. Its path-based design is generally easier to write and audit than SELinux policy, at the cost of weaker semantics for renames, bind mounts, and chroots: because a rule names a path rather than the object behind it, the same file reached through a different path may not match the rule the author intended. AppArmor is used by snapd, libvirt, LXD, Firefox, and many distro packages.
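As an added illustration of the complain-mode workflow mentioned above (this is example code, not code from the AppArmor project or from this page), the script below parses constructed lines in the kernel's AppArmor audit format and turns each logged access into a candidate profile rule, a simplified version of what aa-logprof does interactively. The profile name, paths, and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's AppArmor audit format (not from a real host).
# A profile in complain mode logs what it would have blocked as apparmor="ALLOWED";
# a profile in enforce mode logs blocked accesses as apparmor="DENIED".
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-daemon" name="/etc/example/config.yaml" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-daemon" name="/var/log/example/app.log" pid=4242 comm="example-daemon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:13): apparmor="ALLOWED" operation="capable" profile="/usr/bin/example-daemon" pid=4242 comm="example-daemon" capability=10  capname="net_bind_service"
audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="open" profile="/usr/bin/example-daemon" name="/etc/shadow" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# File permission letters carried into a suggested rule. "c" (create) and "d" (delete)
# are implied by "w"; exec ("x") is left out because it needs a qualifier (ix, px, ...)
# that a log line alone cannot decide.
PERM_ORDER = "rwalkm"

def parse_event(line):
    """Return the key=value fields of one audit line as a dict, or None if it is not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def rule_for(event):
    """Translate one event into a candidate profile rule (file or capability), or None."""
    if event.get("operation") == "capable" and "capname" in event:
        return f'capability {event["capname"]},'
    if "name" in event and "denied_mask" in event:
        perms = "".join(c for c in PERM_ORDER if c in event["denied_mask"])
        return f'{event["name"]} {perms},' if perms else None
    return None

def suggest_rules(log_text):
    """Group candidate rules by profile as a starting point for human review."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("apparmor") in ("ALLOWED", "DENIED"):
            rule = rule_for(ev)
            if rule:
                rules[ev["profile"]].add(rule)
    return {profile: sorted(rs) for profile, rs in rules.items()}

if __name__ == "__main__":
    for profile, rs in suggest_rules(SAMPLE_LOG).items():
        print(profile + " {\n  " + "\n  ".join(rs) + "\n}")
```

Every suggested rule still needs review before it goes into /etc/apparmor.d; a logged access (the /etc/shadow read above, for instance) is evidence of what the program attempted, not proof that it should be allowed.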
● Examples
1. Ubuntu ships AppArmor profiles for Firefox, MySQL, and Evince by default.
2. snapd uses AppArmor (plus seccomp) to confine each installed snap package.
● Frequently asked questions
What is AppArmor?
A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs. It belongs to the Cryptography category of cybersecurity.
How do you defend against AppArmor?
Defences for AppArmor typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for AppArmor?
Common alternative names include: AA.
● Related terms
- SELinux (cryptography): Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy.
- seccomp (cryptography): A Linux kernel facility that restricts which system calls a process can make, with the modern seccomp-BPF/eBPF mode enabling fine-grained per-syscall filters.
- Mandatory Access Control (MAC) (identity-access): An access-control model in which a central policy, not the resource owner, enforces access decisions based on classifications and clearances assigned to subjects and objects.
- Container Security (cloud-security): The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
● See also
- BPF LSM