About profiles

AppArmor profiles are the core mechanism used to enforce security policies on your system. A profile is a text file that contains a comprehensive set of rules defining exactly what a specific application can or cannot do, such as which files it can access, which network protocols it can use, and which Linux capabilities it requires.

By confining an application with an AppArmor profile, you ensure that the Linux kernel actively intercepts and restricts the application's operations to its defined bounds. Even if an application is compromised, the profile limits the potential blast radius, protecting your operating system and other running processes.

In this section

This section provides in-depth references and guides on the AppArmor profile language and its policy structure.

  • Profile Types and Syntax: Learn the fundamentals of profile definitions, including attached and unattached profiles, flags, modes, and how to use includes and variables.
  • Profile Variants: Understand how to manage different variants of policies for different environments.
  • Profiles Abstractions: Discover how to reuse common policy snippets (abstractions) to keep your profiles clean, modular, and maintainable.
  • Policy Layout: Navigate the standard AppArmor policy directory structure and understand how configuration files and abstractions are organized on your system.

Looking for tutorials?

Step-by-step guides on how to create your first profile are in the Getting Started section.