AppArmor Basics
AppArmor is a Mandatory Access Control (MAC) security system that can restrict any application's behavior based on a policy defined specifically for it through a text file called a profile. Because AppArmor policies are defined by the administrator and are enforced by the kernel, the protection provided by AppArmor confinement cannot be disabled by the application itself.
The MAC approach used by AppArmor complements the traditional Discretionary Access Control (DAC) Unix/Linux permission system, in which the owner of an application defines the permissions for the application and the files it uses. DAC cannot protect against application misbehavior, which is where AppArmor comes in.
While full system confinement is possible, AppArmor allows for incremental deployment by confining only specific applications. This is a deliberate trade-off of policy completeness against ease of deployment, allowing administrators to secure specific exposed applications quickly (like web servers) without complex full-system configuration. Furthermore, AppArmor profiles aim to be easy to read and write, providing users and administrators with an easily actionable way to improve their security posture.
AppArmor profiles make it possible to enforce fine-grained access controls over many resources (files, network, IPC, capabilities, etc.). They are defined in plain text and are easy to read and audit. Because AppArmor profiles support powerful abstractions and can be written with the help of tools, they are also easy to write and maintain.
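As an added example that is not part of the original text, the following profile confines a hypothetical web server using the resource types named above (abstractions, capabilities, network, files); the binary path /usr/sbin/example-httpd, its directories and log names are assumptions, not a profile shipped with AppArmor.

```apparmor
# Constructed example profile for a hypothetical server binary /usr/sbin/example-httpd.
# The paths below are assumptions chosen for illustration.
#include <tunables/global>

/usr/sbin/example-httpd {
  # Abstractions: reusable rule sets shipped with AppArmor (shared libs, DNS, etc.)
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Capabilities: only what is needed to bind ports below 1024 and drop privileges
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # Network: TCP over IPv4/IPv6 only; no raw sockets, no UDP
  network inet stream,
  network inet6 stream,

  # Files: the binary itself (map + read), configuration and served content read-only
  /usr/sbin/example-httpd mr,
  /etc/example-httpd/** r,
  /var/www/html/** r,

  # Write access limited to the server's own logs and PID file
  /var/log/example-httpd/*.log w,
  /run/example-httpd.pid rw,

  # Explicit deny rules take precedence over allow rules; 'audit' forces the
  # match to be logged, which is useful for detecting a compromised process
  audit deny /etc/shadow r,
  audit deny @{HOME}/** rw,
}
```

A profile is loaded with `apparmor_parser -r /etc/apparmor.d/usr.sbin.example-httpd`; for incremental deployment, `aa-complain` runs it in complain mode (violations are logged, not blocked) and `aa-logprof` turns the logged events into rules before switching to `aa-enforce`.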