App Armor

Overview

AppArmor is a Linux Linux/Containerization/LSM implementation that enforces mandatory access control (MAC) using path-based rules. It constrains what a program can do even if UNIX permissions would otherwise allow it.

Mental Model

DAC (standard Linux permissions): “who owns this file, and what mode bits apply?” MAC (AppArmor/SELinux): “even if you could access it, are you allowed by policy?”

How AppArmor Works

A policy is a profile attached to a program (by executable path). The kernel consults the profile on sensitive actions (file access, signals, mounts, networking, capabilities). Profiles typically run in one of two modes:

enforce: violations are blocked
complain: violations are logged (useful for building profiles)

What It Can Restrict

File paths (read/write/execute), including glob patterns. Capabilities (e.g., deny CAP_SYS_ADMIN even if granted). Mount operations and pivot_root (hardening for containers). Signals/ptrace interactions. Some network operations (varies by policy/features).

Operational Notes

AppArmor is common on Ubuntu/Debian-based systems and integrates well with systemd and container runtimes. Docker often loads an AppArmor profile like docker-default when AppArmor is enabled.

Tooling

aa-status show whether AppArmor is enabled and which profiles are loaded. aa-enforce / aa-complain switch profile modes. aa-logprof help generate profiles from audit logs.

Relationship to Containers

Namespaces isolate “what you can see”; AppArmor helps enforce “what you may do”. Typical defense-in-depth stack: