AppArmor is Mandatory Access Control (MAC) like security system for
Linux. AppArmor confines individual programs to a set of files,
capabilities, network access and rlimits, collectively known as
the AppArmor policy for the program, or simply as a profile. New
or modified policy can be applied to the running system without
a reboot. AppArmor aims to be easy to understand and use for most
common requirements by presenting its profiles in an administrator
AppArmor is selective in its confinement such that some programs on the
system may be confined, while others not. Selective confinement allows
an administrator the flexibility to turn off a problematic profile
for troubleshooting while leaving other parts of the system confined.
Unconfined programs are run under standard Linux Discretionary Access
Control (DAC) security. AppArmor augments traditional DAC in that
confined programs are evaluated under traditional DAC first and if
DAC allows the behavior then AppArmor policy consulted.
AppArmor supports per-profile learning (complain) mode to help users
write and maintain policy. Learning mode allows for a profile to be
created by running a program normally and learning its behavior. After
AppArmor has sufficiently learned the behavior, the profile may
be turned to enforcing mode. While the resulting profile may be
more lenient than a hand-crafted profile tailored for a specific
environment and application, learning mode can greatly reduce the
effort and knowledge needed to use AppArmor and add an important
layer of security.
Versions of AppArmor
There are two main versions of AppArmor the 2.x series (current) and
the 3.x series (development). The 2.x series has seen incremental
improvements over its life with only incremental breaks in
semantic compatibility. The 3.x series is a significant expansion of
AppArmor. Both of the main series use the same basic policy language,
with only minor semantic differences. The 3.x series allows for a
much expanded policy and fine-grained control.