Vol. 1 · Ed. 2026
CyberGlossary
Entry № 061

AppArmor

Reviewed by: Cybersecurity entrepreneur & security researcher

What is AppArmor?

AppArmor: A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs.

AppArmor is a Linux Security Module (LSM) that enforces mandatory access control through per-program profiles expressed in terms of file paths, capabilities, and network primitives, rather than the inode labels used by SELinux. Originating from Immunix and maintained by SUSE and Canonical, AppArmor has been the default MAC framework on Ubuntu and openSUSE since the late 2000s and has been in the mainline kernel since 2.6.36. Profiles live under /etc/apparmor.d and are loaded in either enforce mode or complain (log-only) mode, with helpers such as aa-genprof, aa-logprof, and aa-easyprof for building and refining them. The path-based design is generally easier to write and audit than SELinux policy, at the cost of weaker semantics for renames, bind mounts, and chroots.

In containers, Docker generates and loads a docker-default profile into tmpfs for every container in enforce mode unless overridden with --security-opt apparmor=; it blocks writes to sensitive paths such as /proc/sysrq-trigger and /sys, working alongside seccomp and dropped capabilities as defense-in-depth. AppArmor is also used by snapd, libvirt, LXD, and Firefox. Its limits are real: because rules match paths rather than the underlying object, hard links and mount tricks can sometimes evade a profile, and a profile is only as good as its rules (an overly broad glob such as allowing /** rwk defeats the point). CVE-2019-5736 (the runc host-binary overwrite) illustrated that container escapes can occur in areas a default profile does not cover, which is why AppArmor is layered with seccomp, user namespaces, and read-only mounts rather than relied on alone.

flowchart TB
  P[Process exec] --> K[Kernel LSM hook]
  K --> Q{Profile attached?}
  Q -- No --> U[Unconfined: normal DAC only]
  Q -- Yes --> M{Profile mode?}
  M -- Enforce --> R{Rule allows the access?}
  R -- Yes --> A[Permit]
  R -- No --> D[Deny + audit log]
  M -- Complain --> L[Permit + log the would-be denial]

A typical workflow runs a new profile in complain mode, exercises the app, then uses aa-logprof to turn the logged accesses into rules before switching to enforce.
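As an added example (not code from this page or from the AppArmor project), a small Python checker that applies simplified AppArmor file-rule semantics to a constructed profile: it decides whether an access would be permitted in enforce mode (an explicit deny beats an allow, and no matching rule means deny) and flags the overly broad globs the text warns about. The profile, the program path /usr/local/bin/exampled and the canary paths are constructed assumptions, and real profile evaluation (abstractions, owner rules, exec modes) is richer than this.

```python
import re

# Constructed sample profile (illustrative only; not a profile shipped by any distribution).
SAMPLE_PROFILE = """
/usr/local/bin/exampled {
  capability net_bind_service,
  network inet stream,
  /usr/local/bin/exampled mr,
  /etc/exampled/** r,
  /var/log/exampled/*.log w,
  /var/lib/exampled/** rwk,
  /** rwk,
  deny /proc/sysrq-trigger w,
}
"""
# Canary paths a confined daemon should never be able to write; the lint tests each glob against them.
CANARIES = ("/etc/shadow", "/proc/sysrq-trigger", "/usr/bin/ls", "/sys/kernel/uevent_helper")
FILE_RULE = re.compile(r"^(deny\s+)?(/\S*)\s+([A-Za-z]+),$")  # "[deny] /glob perms,"

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stays inside one path component, '**' crosses '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def parse_file_rules(text):
    """Return (is_deny, regex, perms, raw_glob) for every file rule in the profile body."""
    rules = []
    for line in text.splitlines():
        m = FILE_RULE.match(line.strip())
        if m:
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3)), m.group(2)))
    return rules

def is_allowed(rules, path, perm):
    """Enforce-mode decision: explicit deny wins, otherwise an allow rule must grant perm; default deny."""
    hits = [is_deny for is_deny, rx, perms, _ in rules if perm in perms and rx.match(path)]
    return bool(hits) and not any(hits)

def lint_broad_writes(rules):
    """Allow rules whose glob grants w/a on a canary path: the 'overly broad glob' mistake."""
    return sorted({raw for is_deny, rx, perms, raw in rules
                   if not is_deny and perms & {"w", "a"} and any(rx.match(c) for c in CANARIES)})
```

Running the lint over the sample reports the /** rwk line; removing it makes writes to /etc/shadow fall through to the default deny while the daemon's own log directory stays writable.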

Examples

  1. Ubuntu ships AppArmor profiles for Firefox, MySQL, and Evince by default.

  2. snapd uses AppArmor (plus seccomp) to confine each installed snap package.

Frequently asked questions


What are other names for AppArmor?

Common alternative names include: AA.
