AppArmor is a Linux Security Module (LSM) that provides mandatory access control through path-based profiles. It is conceptually similar to SELinux but chooses a different design: where SELinux assigns labels to files and processes, AppArmor writes profiles that name file paths directly. The result is a system that is generally considered easier to learn and configure, at the cost of less flexibility.
AppArmor is the default MAC system on Ubuntu, Debian, SUSE, and a few others. Profiles live in /etc/apparmor.d/ and use a declarative syntax:
    #include <tunables/global>
    /usr/bin/myapp {
      #include <abstractions/base>       # common rules every binary needs (libc, locale, /dev/null, ...)
      capability net_bind_service,       # bind to ports below 1024
      network inet tcp,                  # IPv4 TCP sockets only
      /etc/myapp/** r,                   # read anything under the config directory (** crosses '/')
      /var/log/myapp/* w,                # write log files directly inside the directory (* stops at '/')
      owner /home/*/myapp-data/** rw,    # read/write, but only files owned by the invoking user
    }
Useful commands:
    sudo aa-status                                   # show loaded profiles and their modes
    sudo aa-enforce /etc/apparmor.d/usr.bin.myapp    # load profile in enforce mode (violations denied)
    sudo aa-complain /etc/apparmor.d/usr.bin.myapp   # load profile in complain mode (violations only logged)
    sudo aa-logprof                                  # interactive profile tuning from the logged denials
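The path-matching rules above (`*` stops at `/`, `**` crosses it, `owner` only applies to the caller's own files) are what make or break a profile. The following is an added example, not part of the original page or of AppArmor itself: a small Python model of that matching, with a constructed profile patterned on the one above. It implements only the glob semantics and `owner` qualifier; real AppArmor has many more rule types.

```python
import re

# Constructed profile text modelled on the page's example (assumption: only simple file rules).
PROFILE = """
/usr/bin/myapp {
  #include <abstractions/base>
  capability net_bind_service,
  network inet tcp,
  /etc/myapp/** r,
  /var/log/myapp/* w,
  owner /home/*/myapp-data/** rw,
}
"""

# One file rule: optional "owner" qualifier, an absolute path glob, a permission set, trailing comma.
RULE_RE = re.compile(r'^(?:(owner)\s+)?(/\S+)\s+([rwxmkl]+),$')

def glob_to_regex(glob):
    """Translate AppArmor path globbing into a regex:
    '**' matches any characters including '/', '*' matches any characters except '/',
    '?' matches exactly one non-slash character; everything else is literal."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] == '*':
            out, i = out + '[^/]*', i + 1
        elif glob[i] == '?':
            out, i = out + '[^/]', i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile('^' + out + '$')

def parse_rules(text):
    """Return (compiled_glob, permissions, owner_only) for every file rule in the profile."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            owner, path, perms = m.groups()
            rules.append((glob_to_regex(path), set(perms), owner is not None))
    return rules

def allowed(rules, path, perm, is_owner=True):
    """True if at least one rule grants `perm` on `path`; owner rules need the caller to own the file."""
    for rx, perms, owner_only in rules:
        if perm in perms and rx.match(path) and (is_owner or not owner_only):
            return True
    return False
```

Running `allowed` over a few paths shows why `/var/log/myapp/* w,` does not cover `/var/log/myapp/2024/app.log`, while `/etc/myapp/** r,` reaches arbitrarily deep.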
Both SELinux and AppArmor add meaningful defence-in-depth on top of Unix permissions. Which is "better" is a perennial debate; in practice, you usually use whichever your distribution chose, and benefit from it.
Related terms: SELinux, mac, security
Discussed in:
- Chapter 18: Security and Hardening — Mandatory Access Control: SELinux and AppArmor
Also defined in: Textbook of Linux