AppArmor
Welcome to the AppArmor security project wiki, the wiki for users and developers of the AppArmor security project.
Description
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.
More details about AppArmor can be found in the documentation
Getting AppArmor
Distributions and Ports
Distributions that include AppArmor:
- Annvix
- Arch Linux, documentation and Arch specific notes
- CentOs, documentation and CentOS specific notes
- Debian, documentation and Debian specific notes
- Gentoo
- openSUSE (integrated in default install), documentation and Suse specific notes
- Pardus Linux
- PLD
- Ubuntu (integrated in default install), documentation and Ubuntu specific notes
Any derivatives of these distributions should also have AppArmor available. Updated RPMS can be found at the openSUSE Build Service. These are not limited to SUSE distributions.
Source code
The AppArmor project source is split between the kernel module, available in the Linux kernel and git development tree and the user space tools available in launchpad.
Kernel
AppArmor is in the upstream kernel as of 2.6.36. Earlier releases are available in the kernel module git tree:
-
How to get the AppArmor kernel source
Note: the master branch is not stable and will be rebased from time to time. Release branches will be stable and will not be rebased.
The AppArmor v2.4 compatibility patches are available in the stable kernel branches. eg v3.4-aa2.8 or in the release tarballs in the kernel-patches directory.
Userspace
- Current development release 4.0.3
- Current stable release 3.1.7
- supported release: 3.0.13
- supported release: 2.13.11
Profiles
See the Profiles page for information about AppArmor profiles.
Documentation
AppArmor documentation for the project, including manuals, tutorials, technical documentation and more:
Reporting Bugs
- Bug tracking is hosted in GitLab at https://gitlab.com/apparmor/apparmor/-/issues
- Historical Bug Tracking is hosted in Launchpad at https://bugs.launchpad.net/apparmor. We still accept bugreports there, but GitLab is preferred.
- email
bugs@apparmor.net
it will forward to the appropriate people and/or the mailing list - security issues
security@apparmor.net
it will forward to the security team and NOT to a public list
Reporting Security Vulnerabilities
There are 3 ways that security bugs can be reported: as a bug on GitLab (preferred), on Launchpad or by mail.
On GitLab (preferred)
Open a new issue on GitLab at https://gitlab.com/apparmor/apparmor/-/issues.
When creating the issue, enable the checkbox
````This issue is confidential and should only be visible to team members with at least Reporter access.```
On Launchpad
On launchpad, create a new bug at https://bugs.launchpad.net/apparmor.
When creating the bug change the
This bug contains information that is:
Public
to Private Security
this will allow only you and the apparmor security team to see the bug, until it status is changed to Public Security by either you or the apparmor security team.
email (no account needed)
If the security issue contains information that is public or can be public. Send an email to
apparmor@lists.ubuntu.com
Emails to the list from addresses without an account will go into moderation, so there will be a delay before they hit the list but any email that isn't spam will be moderated through. There is no need to signup to be on the mailing list.
If the issue should may need an embargo you can send an email to
security@apparmor.net
Joining AppArmor
- Mailing list for discussing AppArmor development and use.
- The IRC channel is #apparmor on irc.oftc.net
- Bug Tracking - project apparmor on launchpad.net
- Translations - project apparmor on launchpad.net
- Code - project apparmor on GitLab
Meetings are held regularly on the IRC channel and are open to the everyone. Please see MeetingAgenda for times.
How to Contribute
Contributions to AppArmor are welcome. Anyone can pull the code from the git repository or from launchpad, and begin hacking on the code. Patches can be contributed by posting them to the mailing list for review or submitting a merge request on GitLab. Please see the CommitPolicy, Versioning, and Coding Style before sending patches.
Commit privileges to the git tree and GitLab master repository are restricted, but can be earned by any developer who is involved in the project.