How to Enable or Disable AppArmor on Ubuntu 22.04 | 20.04 - LinuxCapable (2023)


AppArmor, or Application Armor, is a Linux kernel security module that provides mandatory access control for applications running on the Ubuntu operating system. It is a flexible and powerful security tool that helps to prevent software vulnerabilities and malicious attacks by confining applications to a limited set of resources on the system.

Today, AppArmor remains an essential tool for securing applications on Ubuntu. It is particularly important for organizations and individuals who want to ensure the privacy and security of sensitive data and prevent unauthorized access to sensitive systems. The AppArmor security model works by defining profiles for each application, which specify the permissions and resources that the application is allowed to access. This way, even if an application is compromised, the damage that can be done is limited to the resources defined in the profile.

Features of AppArmor on Ubuntu:

  • Flexible Configuration: AppArmor allows for creating custom profiles for each application, providing the ability to fine-tune security policies to meet specific requirements.
  • Mandatory Access Control: AppArmor enforces mandatory access control, meaning that applications can only access the resources defined in their profiles.
  • Ease of Use: AppArmor is designed to be easy to use, with a simple and intuitive configuration process.
  • Protection against Malicious Attacks: AppArmor helps to prevent malicious attacks by confining applications to a limited set of resources and permissions.
  • Improved System Security: By confining applications to a limited set of resources, AppArmor helps to improve overall system security and reduce the risk of unauthorized access.
  • Interoperability with Other Security Tools: AppArmor is designed to work with other security tools, such as SELinux and firewalls, providing an extra layer of protection.
  • Integration with the Linux Kernel: AppArmor is integrated with the Linux kernel, providing efficient and reliable security enforcement.

In this guide, you’ll discover how to enable or disable AppArmor profiles on Ubuntu 22.04 “Jammy Jellyfish” or Ubuntu 20.04 “Focal Fossa” using the command-line terminal, along with some helpful tips.


Step 1: Install the Required Packages

To utilize the full range of AppArmor functionality, it is important to have the “apparmor-utils” package installed. Some of the commands discussed in this guide may not be available without this package. To install the package, open your terminal and run the following command.

sudo apt install apparmor-utils apparmor-notify apparmor-profiles apparmor-profiles-extra

Step 2: Check AppArmor Status

By default, AppArmor is installed and turned on when installing Ubuntu. To verify its status, use the following command.

systemctl status apparmor


Verifying that AppArmor is working with systemd is an important first step. While there are other methods for checking the status of AppArmor, using the above command as a starting point is a good practice. Later in the guide, you will learn about different ways to check AppArmor, but this initial check provides a solid foundation for ensuring that the system is running as expected.

Next is a rundown of common systemd commands.

Stop AppArmor:

sudo systemctl stop apparmor

Disable AppArmor on system boot:

sudo systemctl disable apparmor

Start AppArmor:

sudo systemctl start apparmor

Enable AppArmor on system boot (default):

sudo systemctl enable apparmor

Restart AppArmor:

sudo systemctl restart apparmor

Reload AppArmor:

sudo systemctl reload apparmor

Step 3: Check AppArmor Profiles Loaded

Before making any changes to AppArmor, it’s crucial to check the status of its profiles. This can be accomplished by using the following command.

sudo apparmor_status

Example output:

apparmor module is loaded.
63 profiles are loaded.
45 profiles are in enforce mode.
   /snap/snapd/17883/usr/lib/snapd/snap-confine
   /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17950/usr/lib/snapd/snap-confine
   /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /{,usr/}sbin/dhclient
   apt-cacher-ng
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.firefox
   snap-update-ns.snap-store
   snap-update-ns.snapd-desktop-integration
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.connect-plug-host-hunspell
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.post-refresh
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.snapd-desktop-integration.hook.configure
   snap.snapd-desktop-integration.snapd-desktop-integration
   tcpdump
18 profiles are in complain mode.
   /usr/bin/irssi
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   mdnsd
   nmbd
   nscd
   php-fpm
   ping
   samba-bgqd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cups-browsed (1025)
   /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1632) snap.snapd-desktop-integration.snapd-desktop-integration
   /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1717) snap.snapd-desktop-integration.snapd-desktop-integration
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

This command will provide you with the current status of AppArmor on your system, including which profiles are loaded, the mode in which they are running, and the number of processes associated with each profile. This information is essential for making informed decisions about enabling or disabling AppArmor on your Ubuntu system.

Another option for checking the status of AppArmor profiles is to use the aa-status command. This command will give you a more detailed and exact readout of the current status of AppArmor on your system.

sudo aa-status

Like before, this command will display the status of all the profiles loaded on your system, including the name of each profile, the mode in which it’s running (e.g., enforced, complain, or unconfined), and the number of processes associated with each profile. This information can be beneficial when troubleshooting AppArmor issues or determining which profiles are causing problems on your system.
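
To turn that readout into a repeatable check, the following added example (not part of the original guide) extracts the profile names listed under one mode from aa-status text and reports complain-mode profiles that are not on an allowlist. The function names, the allowlist file and the sample status text are assumptions constructed for illustration.

```bash
# Added example: parse `aa-status` text read from stdin, for example
#   sudo aa-status | aa_profiles_in_mode complain

# Print the profile names listed under "<N> profiles are in <mode> mode."
aa_profiles_in_mode() {
    awk -v mode="$1" '
        # Every count line ("45 profiles are ...", "3 processes are ...")
        # opens a new section; only the requested profile section is kept.
        /^[0-9]+ (profiles|processes) / {
            wanted = ($0 == sprintf("%d profiles are in %s mode.", $1, mode))
            next
        }
        # Entries are indented beneath their section header.
        wanted && /^[ \t]+[^ \t]/ { sub(/^[ \t]+/, ""); print }
    '
}

# Print complain-mode profiles that are missing from the allowlist file (one
# profile name per line). Exits 1 when any are found, so it can gate a job.
aa_unexpected_complain() (
    allowlist="$1"
    found="$(aa_profiles_in_mode complain | grep -Fvx -f "$allowlist")" || true
    [ -z "$found" ] && exit 0
    printf '%s\n' "$found"
    exit 1
)

# Constructed sample in aa-status layout (not taken from a real system).
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   tcpdump
3 profiles are in complain mode.
   /usr/bin/irssi
   ping
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cups-browsed (1025)
0 processes are in complain mode.'

# Demo on the sample: with ping and traceroute allowlisted, only
# /usr/bin/irssi is reported.
demo_allow="$(mktemp)"
printf 'ping\ntraceroute\n' > "$demo_allow"
printf '%s\n' "$SAMPLE_STATUS" | aa_unexpected_complain "$demo_allow" || true
rm -f "$demo_allow"
```
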

In addition, it’s also recommended to back up your AppArmor profiles before making any changes. This can be done with the following command.

sudo cp -R /etc/apparmor.d /etc/apparmor.d.bak

This will create a backup of your AppArmor profiles in the /etc/apparmor.d.bak directory, so you can quickly revert to them in case of any issues. With this backup in place, you can safely proceed with enabling or disabling AppArmor on your Ubuntu system.

Step 4: Disable AppArmor Profile

If you need to disable a specific AppArmor profile, you can do so without disabling the entire security application. This is useful if a particular profile is causing issues on your system, but you still want to keep AppArmor enabled for other profiles.

First, navigate to the /etc/apparmor.d directory.

cd /etc/apparmor.d

Now, use the ls command to list the profiles in the /etc/apparmor.d directory.

ls -s


This will give you a list of all the profiles stored in the directory. You can then choose the profile you want to disable and follow the steps below.

To disable a profile, you would use the following command.

sudo aa-disable /etc/apparmor.d/<profile-name>

For example, to disable the usr.sbin.cupsd profile, you can use the following command:

sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Disabling /etc/apparmor.d/usr.sbin.cupsd.

This will effectively disable the usr.sbin.cupsd profile, and the changes will take effect immediately. To view a list of the profiles that are currently disabled, you can navigate to the /etc/apparmor.d/disable directory and use the ls command.

ls /etc/apparmor.d/disable


This will give you a list of all the profiles that are currently disabled in AppArmor. You can use this list to keep track of which profiles you have disabled and for what reason.

Step 5: Enable AppArmor Profile

To re-enable a profile that has been disabled, you can use the following command.

sudo aa-enable /etc/apparmor.d/<profile-name>

The guide disabled usr.sbin.cupsd, so the example command will re-enable the profile.

sudo aa-enable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.
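
Because aa-disable records a disabled profile as an entry in /etc/apparmor.d/disable (the directory listed in Step 4), that directory can be audited against the backup taken in Step 3. The added example below is not part of the original guide; the function names and the temporary demo tree are constructed for illustration.

```bash
# Added example: audit which AppArmor profiles are disabled on disk.

# Print the names found in <profile_dir>/disable, one per line.
aa_disabled_profiles() (
    dir="${1:-/etc/apparmor.d}"
    for entry in "$dir"/disable/*; do
        # Skip the unexpanded glob when the directory is empty or missing;
        # -L keeps links whose target has been removed.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        basename "$entry"
    done
)

# Print profiles disabled in the live tree but not in the backup tree.
aa_newly_disabled() (
    live="${1:-/etc/apparmor.d}"
    backup="${2:-/etc/apparmor.d.bak}"
    before="$(mktemp)"
    aa_disabled_profiles "$backup" > "$before"
    rc=0
    aa_disabled_profiles "$live" | grep -Fvx -f "$before" || rc=$?
    rm -f "$before"
    # grep exits 1 when nothing is new; treat that as success with no output.
    [ "$rc" -le 1 ]
)

# Build a constructed stand-in for /etc/apparmor.d and its backup:
# usr.bin.man is disabled in both trees, usr.sbin.cupsd only in the live one.
aa_demo_tree() (
    root="$(mktemp -d)"
    mkdir -p "$root/live/disable" "$root/bak/disable"
    touch "$root/live/usr.bin.man" "$root/live/usr.sbin.cupsd"
    touch "$root/bak/usr.bin.man" "$root/bak/usr.sbin.cupsd"
    ln -s ../usr.bin.man "$root/bak/disable/usr.bin.man"
    ln -s ../usr.bin.man "$root/live/disable/usr.bin.man"
    ln -s ../usr.sbin.cupsd "$root/live/disable/usr.sbin.cupsd"
    echo "$root"
)

# Demo: prints usr.sbin.cupsd, the profile disabled since the backup.
demo_root="$(aa_demo_tree)"
aa_newly_disabled "$demo_root/live" "$demo_root/bak"
rm -rf "$demo_root"
```

On a real system, run `aa_newly_disabled` with no arguments to compare /etc/apparmor.d with /etc/apparmor.d.bak.
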

Further Learning with AppArmor Commands

After you have learned some of the basic commands of using AppArmor to disable or enable profiles and check their status, the guide will go over some of the most commonly used AppArmor commands and their usage.

Using the “aa-genprof” Command

The aa-genprof command generates a new AppArmor profile based on the current system activity. It logs all the application’s system calls and creates a new profile based on this log data. This is useful for creating profiles for new applications that do not yet have a profile defined.

Example: To generate a new profile for the application “firefox,” run the following command.

sudo aa-genprof firefox

Using the “aa-enforce” Command

The “aa-enforce” command enforces the AppArmor profiles on an Ubuntu system. This command is handy when you have changed your AppArmor profiles and want to immediately enforce the new policies without restarting the system.

Example: To enforce the current AppArmor profiles, run the following command.

sudo aa-enforce /etc/apparmor.d/*

Or enforce the profile individually.

sudo aa-enforce /etc/apparmor.d/<profile-name>

Using the “aa-disable” command

The aa-disable command is used to disable a specific AppArmor profile. When a profile is disabled, the restrictions and permissions that it imposes on the application it governs are no longer in effect. This can be useful if a profile is causing issues or if you need to allow the application more freedom temporarily.

To use the aa-disable command, pass it the name of the profile you want to disable. For example, you would run the following command to disable the profile for “Firefox.”

sudo aa-disable /etc/apparmor.d/firefox

It’s worth noting that disabling a profile is a temporary change, and the profile will be re-enabled if you reboot your system or restart the AppArmor service.

Using the “aa-complain” Command

The “aa-complain” command switches a profile to “complain mode.” AppArmor will still enforce the profile in this mode, but instead of denying access to restricted resources, it will log a message to the syslog. This can be useful for testing and debugging purposes, as it allows you to see what kind of access a profile would be blocking without actually blocking it.

Here’s an example of how to use the “aa-complain” command.

sudo aa-complain /etc/apparmor.d/usr.sbin.cupsd

In this example, the “aa-complain” command is being used to switch the “/usr/sbin/cupsd” profile to “complain mode.” Note that you will need to replace “usr.sbin.cupsd” with the name of the profile you wish to switch to “complain mode.”
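
To review what a complain-mode profile would have blocked, the logged events can be summarized per path. The following is an added example, not part of the original guide: it assumes the kernel audit line layout apparmor="ALLOWED" ... profile="..." name="..." denied_mask="...", and the function name and sample log lines are constructed for illustration.

```bash
# Added example: summarize complain-mode events for one profile. Reads log
# text on stdin, for example
#   grep apparmor= /var/log/syslog | aa_complain_summary /usr/sbin/cupsd

# Print "<count> <denied_mask> <path>" for every access the named profile
# logged as ALLOWED (would be denied in enforce mode), most frequent first.
aa_complain_summary() {
    awk -v want="$1" '
        # Return the value of key="value" on the current line, or "".
        function field(key,    start, rest, stop) {
            start = index($0, " " key "=\"")
            if (start == 0) return ""
            rest = substr($0, start + length(key) + 3)
            stop = index(rest, "\"")
            return substr(rest, 1, stop - 1)
        }
        index($0, "apparmor=\"ALLOWED\"") && field("profile") == want {
            seen[field("denied_mask") " " field("name")]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG='Feb 10 12:00:01 host kernel: audit: type=1400 audit(1676030401.101:51): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/extra.conf" pid=2101 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 10 12:00:05 host kernel: audit: type=1400 audit(1676030405.207:52): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/extra.conf" pid=2101 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 10 12:00:09 host kernel: audit: type=1400 audit(1676030409.318:53): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/var/tmp/cups-test" pid=2101 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Feb 10 12:01:12 host kernel: audit: type=1400 audit(1676030472.440:54): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/home/user/notes.txt" pid=2300 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 10 12:02:30 host kernel: audit: type=1400 audit(1676030550.512:55): apparmor="ALLOWED" operation="open" profile="ping" name="/etc/hosts.custom" pid=2412 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Demo on the sample: two reads of extra.conf and one write to cups-test.
printf '%s\n' "$SAMPLE_LOG" | aa_complain_summary /usr/sbin/cupsd
```

Each line of the summary is a candidate rule to add to the profile, or an access to investigate, before switching it back with aa-enforce.
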

Using the “aa-remove-unknown” command

The “aa-remove-unknown” command removes AppArmor profiles for unknown applications on an Ubuntu system. This command is useful when you want to clean up your AppArmor profile collection and remove any profiles that are no longer in use.

Here is an example of using the “aa-remove-unknown” command.

sudo aa-remove-unknown

The “aa-remove-unknown” command helps clean up your AppArmor profile collection on an Ubuntu system. Using this command, you can easily remove profiles for unknown applications, keeping your profile collection organized and up-to-date.

These are just a few examples of what you can accomplish with AppArmor commands. There is much more available to explore.

Conclusion

In conclusion, enabling or disabling AppArmor profiles on Ubuntu is simple and straightforward. By following the steps outlined in this guide, you can easily manage the security of your system and control which applications or services are protected by AppArmor. Whether you need to temporarily disable a profile for maintenance or troubleshooting or permanently remove protection for an application, the commands and tools discussed in this guide will help you achieve your goals.


FAQs

How to disable AppArmor on Ubuntu? ›

To disable AppArmor in the kernel, either:
  1. adjust your kernel boot command line (see /etc/default/grub) to include either
       * 'apparmor=0'
       * 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, e.g. 'security="selinux"'
  2. remove the apparmor package with your package manager.
Jul 5, 2020

What is the command to disable AppArmor? ›

d -f apparmor remove – This command is used to unload the AppArmor kernel module. sudo service apparmor stop – This is an alternative command to stop the AppArmor service. sudo apt-get remove apparmor apparmor-utils -y – This command is used to remove the AppArmor software from your system.

How do I know if AppArmor is enabled? ›

Detect the state of AppArmor by inspecting /sys/kernel/security/apparmor/profiles . If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, AppArmor is running. If it is empty and returns nothing, AppArmor is stopped.

Is AppArmor enabled by default? ›

AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.

How do I enable permissions in Ubuntu? ›

Type “sudo chmod a+rwx /path/to/file” into the terminal, replacing “/path/to/file” with the file you want to give permissions to everyone for, and press “Enter.” You can also use the command “sudo chmod -R a+rwx /path/to/folder” to give permissions to the selected folder and its files.

What is AppArmor in Ubuntu 22? ›

In Ubuntu 22.04, AppArmor is a powerful security framework that helps protect your system by enforcing mandatory access control policies. By properly configuring AppArmor, you can enhance the security of your Ubuntu system and protect it from potential threats.

Is it OK to disable AppArmor? ›

So long as you have not modified any of the software installed on the system to directly interact with AppArmor (checking permissions, policies, aliases, etc.), then you should be good to go.

What is AppArmor in Linux? ›

AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths.

How to install AppArmor in Ubuntu? ›

To check the AppArmor status, type the following command into the terminal:
  1. sudo apparmor_status.
  2. sudo apt install apparmor-utils.
  3. sudo aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd.
  4. sudo ln -s /etc/apparmor.d/usr.sbin.rsyslogd /etc/apparmor.d/disable/
     sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.rsyslogd.
Nov 11, 2022

What can I use instead of AppArmor Linux? ›

  • Firejail. Free • Open Source. Virtualization Tool. Linux. ...
  • SELinux. Free • Open Source. Linux. 4 alternatives to SELinux. ...
  • grsecurity. Paid • Proprietary. Linux. ...
  • CLIP OS. Free • Open Source. Operating System. ...
  • Vulture. Free • Open Source. Firewall. ...
  • Smack. Free • Open Source. Linux. ...
  • TOMOYO Linux. Free • Open Source. Linux.
Jan 3, 2023

How do I remove AppArmor from Linux? ›

23.5 Deleting an AppArmor Profile
  1. If you are not currently logged in as root, enter su in a terminal window.
  2. Enter the root password when prompted.
  3. Go to the AppArmor directory with cd /etc/apparmor. ...
  4. Enter ls to view all the AppArmor profiles that are currently installed.
  5. Delete the profile with rm profilename.

How do I know if AppArmor is on Ubuntu? ›

AppArmor Status with aa-status Command

aa-status command will list the currently loaded AppArmor modules. For instance, here's how it looks on a system where AppArmor is inactive (Debian 9 in my case):

root@debian9:~# aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.

Should I use SELinux or AppArmor? ›

AppArmor is much easier to learn and use, so it is rarely -- if ever -- disabled. With that in mind, AppArmor is often considered the safer choice. However, admins that need more control should use SELinux. SELinux defines access controls for applications, processes and files on a system with security policies.

What is the default AppArmor profile? ›

The default AppArmor profile is attached to a program by its name, so a profile name must match the path to the application it is to confine. This profile will be automatically used whenever an unconfined process executes /usr/bin/foo .

Does Ubuntu use AppArmor or SELinux? ›

It's important to understand that certain Linux distributions default to either AppArmor or SELinux. For example, RHEL, Rocky Linux, AlmaLinux, CentOS Stream and Fedora all use SELinux. On the other hand, Ubuntu, Debian, SUSE Linux Enterprise Server, openSUSE and most all Ubuntu/Debian derivatives use AppArmor.

How to install language support in Ubuntu? ›

When you install Ubuntu, the language you select at installation gets installed together with English, but you can add further languages.
  1. Open the Activities overview and start typing Region & Language.
  2. Click on Region & Language to open the panel.
  3. Click the Manage Installed Languages button to open Language Support.

Does Ubuntu come with AppArmor? ›

AppArmor is an important security feature that's been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it's doing.

Article information

Author: Maia Crooks Jr

Last Updated: 21/09/2023
