How to Enable or Disable AppArmor on Ubuntu 22.04 | 20.04 - LinuxCapable (2023)


AppArmor, or Application Armor, is a Linux kernel security module that provides mandatory access control for applications running on the Ubuntu operating system. It is a flexible and powerful security tool that helps to prevent software vulnerabilities and malicious attacks by confining applications to a limited set of resources on the system.

Today, AppArmor remains an essential tool for securing applications on Ubuntu. It is particularly important for organizations and individuals who want to ensure the privacy and security of sensitive data and prevent unauthorized access to sensitive systems. The AppArmor security model works by defining profiles for each application, which specify the permissions and resources that the application is allowed to access. This way, even if an application is compromised, the damage that can be done is limited to the resources defined in the profile.

Features of AppArmor on Ubuntu:

  • Flexible Configuration: AppArmor allows for creating custom profiles for each application, providing the ability to fine-tune security policies to meet specific requirements.
  • Mandatory Access Control: AppArmor enforces mandatory access control, meaning that applications can only access the resources defined in their profiles.
  • Ease of Use: AppArmor is designed to be easy to use, with a simple and intuitive configuration process.
  • Protection against Malicious Attacks: AppArmor helps to prevent malicious attacks by confining applications to a limited set of resources and permissions.
  • Improved System Security: By confining applications to a limited set of resources, AppArmor helps to improve overall system security and reduce the risk of unauthorized access.
  • Interoperability with Other Security Tools: AppArmor is designed to work with other security tools, such as SELinux and firewalls, providing an extra layer of protection.
  • Integration with the Linux Kernel: AppArmor is integrated with the Linux kernel, providing efficient and reliable security enforcement.

In this guide, you’ll discover how to enable or disable AppArmor profiles on Ubuntu 22.04 “Jammy Jellyfish” or Ubuntu 20.04 “Focal Fossa” using the command-line terminal, along with some helpful tips.

Table of Contents

Step 1: Install the Required Packages

To utilize the full range of AppArmor functionality, it is important to have the “apparmor-utils” package installed. Some of the commands discussed in this guide may not be available without this package. To install the package, open your terminal and run the following command.

sudo apt install apparmor-utils apparmor-notify apparmor-profiles apparmor-profiles-extra

Step 2: Check AppArmor Status

By default, Apparmor is installed and turned on when installing Ubuntu. To verify its status, use the following command.

systemctl status apparmor

Example output:


Verifying that AppArmor is working with systemd is an important first step. While there are other methods for checking the status of AppArmor, using the above command as a starting point is a good practice. Later in the guide, you will learn about different ways to check AppArmor, but this initial check provides a solid foundation for ensuring that the system is running as expected.

Next is a rundown on command systemd commands.

Stop Apparmor:

sudo systemctl stop apparmor

Disable Apparmor on system boot:

sudo systemctl disable apparmor

Start Apparmor:

sudo systemctl start apparmor

Enable Apparmor on system boot (default):

sudo systemctl enable apparmor

Restart AppArmor:

sudo systemctl restart apparmor

Reload Apparmor:

sudo systemctl reload apparmor

Step 3: Check AppArmor Profiles Loaded

Before making any changes to AppArmor, it’s crucial to check the status of its profiles. This can be accomplished by using the following command.

sudo apparmor_status

Example output:

apparmor module is loaded.63 profiles are loaded.45 profiles are in enforce mode. /snap/snapd/17883/usr/lib/snapd/snap-confine /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/17950/usr/lib/snapd/snap-confine /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper /usr/bin/evince-thumbnailer /usr/bin/evince//sanitized_helper /usr/bin/man /usr/bin/pidgin /usr/bin/pidgin//sanitized_helper /usr/bin/totem /usr/bin/totem-audio-preview /usr/bin/totem-video-thumbnailer /usr/bin/totem//sanitized_helper /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/sbin/cups-browsed /{,usr/}sbin/dhclient apt-cacher-ng lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod snap-update-ns.firefox snap-update-ns.snap-store snap-update-ns.snapd-desktop-integration snap.firefox.firefox snap.firefox.geckodriver snap.firefox.hook.configure snap.firefox.hook.connect-plug-host-hunspell snap.firefox.hook.disconnect-plug-host-hunspell snap.snap-store.hook.configure snap.snap-store.snap-store snap.snap-store.ubuntu-software snap.snap-store.ubuntu-software-local-file snap.snapd-desktop-integration.hook.configure snap.snapd-desktop-integration.snapd-desktop-integration tcpdump18 profiles are in complain mode. /usr/bin/irssi avahi-daemon dnsmasq dnsmasq//libvirt_leaseshelper identd klogd mdnsd nmbd nscd php-fpm ping samba-bgqd smbd smbldap-useradd smbldap-useradd///etc/init.d/nscd syslog-ng syslogd traceroute0 profiles are in kill mode.0 profiles are in unconfined mode.3 processes have profiles defined.3 processes are in enforce mode. /usr/sbin/cups-browsed (1025) /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1632) snap.snapd-desktop-integration.snapd-desktop-integration /snap/snapd-desktop-integration/49/usr/bin/snapd-desktop-integration (1717) snap.snapd-desktop-integration.snapd-desktop-integration0 processes are in complain mode.0 processes are unconfined but have a profile defined.0 processes are in mixed mode.0 processes are in kill mode.

This command will provide you with the current status of AppArmor on your system, including which profiles are loaded, the mode in which they are running, and the number of processes associated with each profile. This information is essential for making informed decisions about enabling or disabling AppArmor on your Ubuntu system.

Another option for checking the status of AppArmor profiles is to use the aa-status command. This command will give you a more detailed and exact readout of the current status of AppArmor on your system.

sudo aa-status

Like before, this command will display the status of all the profiles loaded on your system, including the name of each profile, the mode in which it’s running (e.g., enforced, complain, or unconfined), and the number of processes associated with each profile. This information can be beneficial when troubleshooting AppArmor issues or determining which profiles are causing problems on your system.

In addition, it’s also recommended to back up your AppArmor profiles before making any changes. This can be done with the following command.

sudo cp -R /etc/apparmor.d /etc/apparmor.d.bak

This will create a backup of your AppArmor profiles in the /etc/apparmor.d.bak directory, so you can quickly revert to them in case of any issues. With this backup in place, you can safely proceed with enabling or disabling AppArmor on your Ubuntu system.

Step 4: Disable AppArmor Profile

If you need to disable a specific AppArmor profile, you can do so without disabling the entire security application. This is useful if a particular profile is causing issues on your system, but you still want to keep AppArmor enabled for other profiles.

First, navigate to the /etc/apparmor.d directory.

cd /etc/apparmor.d

Now, use the ls command to list the profiles in the /etc/apparmor.d directory.

ls -s

Example output:


This will give you a list of all the profiles stored in the directory. You can then choose the profile you want to disable and follow the abovementioned steps.

To disable a profile, you would use the following command.

sudo aa-disable /etc/apparmor.d/<profile-name>

For example, to disable the usr.sbin.cupsd profile, you can use the following command:

sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Disabling /etc/apparmor.d/usr.sbin.cupsd.

This will effectively disable the usr.sbin.cupsd profile, and the changes will take effect immediately. To view a list of the rules that are currently disabled, you can navigate to the /etc/apparmor.d/disable directory and use the ls command.

ls /etc/apparmor.d/disable

Example output:


This will give you a list of all the profiles that are currently disabled in AppArmor. You can use this list to keep track of which profiles you have disabled and for what reason.

Step 5: Enable AppArmor Profile

To re-enable a profile that has been disabled, you can use the following command.

sudo aa-enable /etc/apparmor.d/<profile-name>

The guide disabled usr.sbin.cupsd, so the example command will re-enable the profile.

sudo aa-enable /etc/apparmor.d/usr.sbin.cupsd

Example output:

Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.

Further Learning with AppArmor Commands

After you have learned some of the basic commands of using AppArmor to disable or enable profiles and check their status, the guide will go over some of the most commonly used AppArmor commands and their usage.

Using the “aa-genprof” Command

The aa-genprof command generates a new AppArmor profile based on the current system activity. It logs all the application’s system calls and creates a new profile based on this log data. This is useful for creating profiles for new applications that do not yet have a profile defined.

Example: To generate a new profile for the application “firefox,” run the following command.

sudo aa-genprof firefox

Using the “aa-enforce” Command

The “aa-enforce” command enforces the AppArmor profiles on an Ubuntu system. This command is handy when you have changed your AppArmor profiles and want to immediately enforce the new policies without restarting the system.

Example: To enforce the current AppArmor profiles, run the following command.

sudo aa-enforce /etc/apparmor.d/*

Or enforce the profile individually.

sudo aa-enforce /etc/apparmor.d/<profile-name>

Using the “aa-disable” command

The aa-disable command is used to disable a specific AppArmor profile. When a profile is disabled, the restrictions and permissions that it imposes on the application it governs are no longer in effect. This can be useful if a profile is causing issues or if you need to allow the application more freedom temporarily.

To use the aa-disable command, pass it the name of the profile you want to disable. For example, you would run the following command to disable the profile for “Firefox.”

sudo aa-disable /etc/apparmor.d/firefox

It’s worth noting that disabling a profile is a temporary change, and the profile will be re-enabled if you reboot your system or restart the AppArmor service.

Using the “aa-complain” Command

The “aa-complain” command switches a profile to “complain mode.” AppArmor will still enforce the profile in this mode, but instead of denying access to restricted resources, it will log a message to the syslog. This can be useful for testing and debugging purposes, as it allows you to see what kind of access a profile would be blocking without actually blocking it.

Here’s an example of how to use the “aa-complain” command.

sudo aa-complain /etc/apparmor.d/usr.sbin.cupsd

In this example, the “aa-complain” command is being used to switch the “/usr/sbin/cupsd” profile to “complain mode.” Note that you will need to replace “usr.sbin.cupsd” with the name of the profile you wish to switch to “complain mode.”

Using the “aa-remove-unknown” command

The “aa-remove-unknown” command removes AppArmor profiles for unknown applications on an Ubuntu system. This command is useful when you want to clean up your AppArmor profile collection and remove any profiles that are no longer in use.

Here is an example of using the “aa-remove-unknown” command.

sudo aa-remove-unknown

The “aa-remove-unknown” command helps clean up your AppArmor profile collection on an Ubuntu system. Using this command, you can easily remove profiles for unknown applications, keeping your profile collection organized and up-to-date.

These are just a few examples of what you can accomplish with AppArmor commands. There is much more available to explore.


In conclusion, enabling or disabling AppArmor profiles on Ubuntu is simple and straightforward. By following the steps outlined in this guide, you can easily manage the security of your system and control which applications or services are protected by AppArmor. Whether you need to temporarily disable a profile for maintenance or troubleshooting or permanently remove protection for an application, the commands and tools discussed in this guide will help you achieve your goals.


You may also like:

  • How to Install SELinux on Ubuntu 22.04 | 20.04
  • How to Install ClamAV on Ubuntu 22.04 | 20.04
  • How to Install and Configure UFW Firewall on Ubuntu 22.04 | 20.04
  • How to Install Chkrootkit on Ubuntu 22.04 | 20.04
  • How to Build NGINX from Source on Ubuntu 22.04 or 20.04
  • How to Install Fail2Ban on Ubuntu 22.04 | 20.04


How to disable AppArmor on Ubuntu? ›

To disable AppArmor in the kernel to either:
  1. adjust your kernel boot command line (see /etc/default/grub) to include either.
  2. * 'apparmor=0'
  3. * 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, eg. 'security="selinux"'
  4. remove the apparmor package with your package manager.
Jul 5, 2020

What is the command to disable AppArmor? ›

d -f apparmor remove – This command is used to unload the AppArmor kernel module. sudo service apparmor stop – This is an alternative command to stop the AppArmor service. sudo apt-get remove apparmor apparmor-utils -y – This command is used to remove the AppArmor software from your system.

How do I know if AppArmor is enabled? ›

Detect the state of AppArmor by inspecting /sys/kernel/security/apparmor/profiles . If cat /sys/kernel/security/apparmor/profiles reports a list of profiles, AppArmor is running. If it is empty and returns nothing, AppArmor is stopped.

Is AppArmor enabled by default? ›

AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.

How do I enable permissions in Ubuntu? ›

Type “sudo chmod a+rwx /path/to/file” into the terminal, replacing “/path/to/file” with the file you want to give permissions to everyone for, and press “Enter.” You can also use the command “sudo chmod -R a+rwx /path/to/folder” to give permissions to the selected folder and its files.

What is AppArmor in Ubuntu 22? ›

In Ubuntu 22.04, AppArmor is a powerful security framework that helps protect your system by enforcing mandatory access control policies. By properly configuring AppArmor, you can enhance the security of your Ubuntu system and protect it from potential threats.

Is it OK to disable AppArmor? ›

So long as you have not modified any of the software installed on the system to directly interact with AppArmor (checking permissions, policies, aliases, etc.), then you should be good to go.

What is AppArmor in Linux? ›

AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths.

How to install AppArmor in Ubuntu? ›

To check the AppArmor status, type the following command into the terminal:
  1. sudo apparmor_status.
  2. sudo apt install apparmor-utils.
  3. sudo aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd.
  4. sudo ln -s /etc/apparmor.d/usr.sbin.rsyslogd /etc/apparmor.d/disable/ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.rsyslogd.
Nov 11, 2022

What can I use instead of AppArmor Linux? ›

  • Firejail. Free • Open Source. Virtualization Tool. Linux. ...
  • SELinux. Free • Open Source. Linux. 4 alternatives to SELinux. ...
  • grsecurity. Paid • Proprietary. Linux. ...
  • CLIP OS. Free • Open Source. Operating System. ...
  • Vulture. Free • Open Source. Firewall. ...
  • Smack. Free • Open Source. Linux. ...
  • TOMOYO Linux. Free • Open Source. Linux.
Jan 3, 2023

How do I remove AppArmor from Linux? ›

23.5 Deleting an AppArmor Profile
  1. If you are not currently logged in as root, enter su in a terminal window.
  2. Enter the root password when prompted.
  3. Go to the AppArmor directory with cd /etc/apparmor. ...
  4. Enter ls to view all the AppArmor profiles that are currently installed.
  5. Delete the profile with rm profilename.

How do I know if AppArmor is on Ubuntu? ›

AppArmor Status with aa-status Command

aa-status command will list the currently loaded AppArmor modules. For instance, here's how it looks on a system where AppArmor is inactive (Debian 9 in my case): root@debian9:~# aa-status apparmor module is loaded. apparmor filesystem is not mounted.

Should I use SELinux or AppArmor? ›

AppArmor is much easier to learn and use, so it is rarely -- if ever -- disabled. With that in mind, AppArmor is often considered the safer choice. However, admins that need more control should use SELinux. SELinux defines access controls for applications, processes and files on a system with security policies.

What is the default AppArmor profile? ›

The default AppArmor profile is attached to a program by its name, so a profile name must match the path to the application it is to confine. This profile will be automatically used whenever an unconfined process executes /usr/bin/foo .

Does Ubuntu use AppArmor or SELinux? ›

It's important to understand that certain Linux distributions default to either AppArmor or SELinux. For example, RHEL, Rocky Linux, AlmaLinux, CentOS Stream and Fedora all use SELinux. On the other hand, Ubuntu, Debian, SUSE Linux Enterprise Server, openSUSE and most all Ubuntu/Debian derivatives use AppArmor.

How to install language support in Ubuntu? ›

When you install Ubuntu, the language you select at installation gets installed together with English, but you can add further languages.
  1. Open the Activities overview and start typing Region & Language.
  2. Click on Region & Language to open the panel.
  3. Click the Manage Installed Languages button to open Language Support.

Does Ubuntu come with AppArmor? ›

AppArmor is an important security feature that's been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it's doing.

Top Articles
Latest Posts
Article information

Author: Maia Crooks Jr

Last Updated: 21/09/2023

Views: 5591

Rating: 4.2 / 5 (63 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Maia Crooks Jr

Birthday: 1997-09-21

Address: 93119 Joseph Street, Peggyfurt, NC 11582

Phone: +2983088926881

Job: Principal Design Liaison

Hobby: Web surfing, Skiing, role-playing games, Sketching, Polo, Sewing, Genealogy

Introduction: My name is Maia Crooks Jr, I am a homely, joyous, shiny, successful, hilarious, thoughtful, joyous person who loves writing and wants to share my knowledge and understanding with you.