AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited.
AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.
Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.
aa-status to see if your Linux distribution already has
$ aa-status apparmor module is loaded.
Since it is a kernel module it is usually not something users install
themselves. Individual users and system administrators might however want to
manage the application profiles which define what each application is allowed to
do by editing the files in
The list of currently active profiles can be easily checked with
Checking AppArmor log messages
Each time AppArmor denies applications from doing potentially harmful operations the event is logged. Depending on your system the AppArmor events can be seen in the syslog, auditd, kernel log or in journald logs.
$ sudo journalctl -fx audit: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/otto/.mozilla/firefox/ov37570l.default/cert8.db" pid=13172 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
Desktop systems that have the tool
aa-notify installed can show events as
Debugging application problems
When debugging issues, the first step should always be to disable the AppArmor profile for the application and check if it had an effect. If not, the problem in the application was not related to AppArmor.
More details about AppArmor can be found in the wiki.