
Configure AppArmor and fix a denial

In this guide, you will learn:

  • How to troubleshoot AppArmor denials
  • How to fix AppArmor denials

Prerequisites

Install apparmor-utils and apparmor-notify:

sudo apt-get install apparmor-utils apparmor-notify

Why AppArmor?

AppArmor proactively protects your operating system and applications by restricting unwanted or risky behavior of the application.

For example, your PDF viewer needs to read PDF files, but it definitely shouldn't be reading your SSH keys or installing software. If there is a vulnerability in the viewer and someone tries to exploit it and perform malicious operations, AppArmor blocks such behavior.

These rules are defined in AppArmor profiles.

Profiles for widely used software ship with Linux distributions by default. You can write your own profiles for applications that do not have one, or you can modify existing profiles.

To start, let us see if AppArmor is present and enabled on your system.

Verify that AppArmor is enabled on your system

AppArmor is available on many distributions (Ubuntu, Debian, openSUSE, ...).

Check your status:

sudo aa-status

You should see a list of applications like firefox, evince, or cups in enforce mode. These applications are protected by AppArmor.

AppArmor broke my application!

AppArmor rules are defined in profiles. Profiles are text files that define what an application is allowed to do. You can check which profiles are currently enabled with sudo aa-status and view them with cat /etc/apparmor.d/<my_profile>.

Sometimes a security profile might be too restrictive and cause an application to fail (e.g., a file cannot be opened, or it cannot connect to the network).

For more in-depth information about how profiles work, see Profiles.

Configure notifications for your system

To track what AppArmor blocks efficiently, it is recommended that you use the aa-notify tool. aa-notify integrates with your graphical desktop environment and delivers notifications about AppArmor denials through your regular notification system.

Note

Some advanced aa-notify features such as --merge-notifications or actionable notifications are available only in the 5.0 or newer version of aa-notify. You can always use aa-logprof instead of aa-notify.

First, let's temporarily disable kernel rate limiting:

# sysctl -w kernel.printk_ratelimit=0
# sysctl -w kernel.printk_ratelimit_burst=100000

Kernel rate limiting controls how often the kernel prints messages to the log. If it is enabled, some of the denial messages you are looking for may be dropped before you see them. Disabling it is normally not necessary if you are using auditd, but it is recommended for the purpose of this tutorial.

Run aa-notify:

aa-notify --poll --merge-notifications

Each time an action is blocked by AppArmor, you will get an actionable desktop notification. You can then allow the action or deny it.

If your system has many applications protected with AppArmor profiles, the number of notifications can be overwhelming.

Filter the notifications so that only the ones you are interested in are shown:

  • --filter.profile PROFILE: regular expression to match the profile
  • --filter.mode MODE: regular expression to match the mode
  • --filter.operation OPERATION: regular expression to match the operation
  • --filter.name NAME: regular expression to match the name
  • --filter.denied DENIED: regular expression to match the denied mask
  • --filter.family FAMILY: regular expression to match the network family
  • --filter.socket SOCKET: regular expression to match the network socket type

For example, if you are only interested in seeing denials for the curl application:

aa-notify --poll --merge-notifications --filter.profile /usr/bin/curl

For in-depth information about how you can monitor your system, see Monitoring.

Fix a denial with aa-notify

If aa-notify is available and configured on your system, click on the notification popup to see what actions are available to you: you can ignore, allow or continue denying the operation that triggered the denial.

Fix a denial without aa-notify

If aa-notify is not available on your system or does not integrate with your desktop environment, you can modify the profile file directly.

Check the logs

To confirm that AppArmor is the cause, find a log entry with the denial message:

sudo journalctl -fx | grep "DENIED"

An example of a log entry:

[11332.683886] audit: type=1400 audit(1768214339.499:511): apparmor="DENIED" operation="mknod" class="file" profile="curl" name="/unsupported" pid=17786 comm="curl" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

According to the entry, the curl application (profile "curl") attempted to create the file /unsupported (requested_mask="c"), and AppArmor denied it.

Important

Always check if AppArmor is blocking a legitimate action. Do not disable profiles or change profiles without careful consideration. Default AppArmor profiles are designed to keep your system secure.

Update and reload the profile

  1. Create or open the file /etc/apparmor.d/local/curl in a text editor and add a rule that allows the requested action. Creating a file is covered by the write (w) permission, and every rule in a profile ends with a comma:
    /unsupported w,

  2. Reload the profile with sudo apparmor_parser -r /etc/apparmor.d/curl. The local file is only picked up if the main profile includes it (include if exists <local/curl>), which distribution-shipped profiles normally do.
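The log entry above and the rule added in step 1 are linked by a few mechanical steps. The following Python, added here as an example (it is not part of this guide or of the AppArmor tools), extracts the audit fields from a DENIED line, maps the denied mask onto profile permission letters (create is covered by w, exec is refused because it needs a qualifier) and produces the rule together with the local override path. The mapping of a path-style profile name such as /usr/bin/curl to usr.bin.curl is an assumption about the distribution's file layout.

```python
import re

# Constructed sample input: the denial line quoted in this guide.
SAMPLE_LINE = (
    '[11332.683886] audit: type=1400 audit(1768214339.499:511): apparmor="DENIED" '
    'operation="mknod" class="file" profile="curl" name="/unsupported" pid=17786 '
    'comm="curl" requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)

# key=value or key="quoted value" pairs as emitted by the audit subsystem.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> permission letters of the profile language.
# Creating ('c') and deleting ('d') a file are covered by write ('w').
# 'x' is deliberately absent: exec needs a qualifier (ix, Px, ...) that
# only the administrator can choose, so such denials are rejected below.
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "m": "m", "k": "k", "l": "l"}

def parse_denial(line: str) -> dict:
    """Return the audit fields of an apparmor="DENIED" entry as a dict."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        raise ValueError("not an AppArmor DENIED entry")
    return fields

def suggest_rule(fields: dict) -> str:
    """Build the minimal file rule that allows exactly the denied access."""
    if fields.get("class") != "file":
        raise ValueError(f"only file denials are handled, got {fields.get('class')!r}")
    perms = set()
    for letter in fields["denied_mask"]:
        if letter not in _MASK_TO_PERM:
            raise ValueError(f"denied_mask {letter!r} needs a hand-written rule")
        perms.add(_MASK_TO_PERM[letter])
    if "w" in perms:
        perms.discard("a")  # append ('a') and write ('w') are mutually exclusive
    return f'{fields["name"]} {"".join(sorted(perms))},'  # rules end with a comma

def local_override_path(fields: dict) -> str:
    """Local override file (assumption: profile 'curl' lives in /etc/apparmor.d/curl
    and a path-style name such as /usr/bin/curl becomes usr.bin.curl by convention)."""
    name = fields["profile"].lstrip("/").replace("/", ".")
    return f"/etc/apparmor.d/local/{name}"

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_LINE)
    print(f"add to {local_override_path(denial)}:  {suggest_rule(denial)}")
```

For the sample line this prints the /unsupported w, rule and the /etc/apparmor.d/local/curl path used in step 1; review the suggested rule before adding it, since a denial is not automatically a legitimate access.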

Congratulations! You've just fixed your first AppArmor-related issue.