
Disclaimer: This document is not valid and is not maintained anymore.

Gentoo AppArmor Guide


1.  Obsolete

This document is obsolete and is no longer updated, and is kept for historical purposes only. An updated version is available on the wiki.

2.  Introduction

AppArmor is a Linux Security Module implementation built around the concept of attaching access rules to file paths.

For each file path you specify, AppArmor permits the confined program only the permissions you grant on that path; anything not listed is denied.

Code Listing 2.1: Sample profile

# ------------------------------------------------------------------
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
# ------------------------------------------------------------------

#include <tunables/global>

/sbin/klogd {
  #include <abstractions/base>

  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
  capability syslog,

  network inet stream,

  /boot/*               r,
  @{PROC}/kmsg          r,
  @{PROC}/kallsyms      r,
  /dev/tty              rw,

  /sbin/klogd           rmix,
  /var/log/boot.msg     rwl,
  /{,var/}run/          krwl,
  /{,var/}run/klogd/    krwl,
  /{,var/}run/klogd/kmsg   r,
}

3.  Initial setup

Kernel patching

From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate profiles - deactivation, listing, init script etc. will not work.

The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as hardened-sources, the patches will not cleanly apply. For convenience, a rebased version of the patches is available.

Install utilities

The AppArmor userspace utilities currently live in the Hardened development overlay. You should install layman, and then add the hardened-dev overlay:

Code Listing 3.1: Install userspace utilities

# layman -a hardened-dev
# emerge apparmor-utils

You will probably also wish to install some profiles to get started:

# emerge apparmor-profiles

Further configuration

You may wish to edit the configuration files located in /etc/apparmor; however, the default values will suit most users.

4.  Working with profiles

Profiles are stored as simple text files in /etc/apparmor.d. They may take any name, and may be stored in subdirectories - you may organise them however it suits you.

Code Listing 4.1: Sample profile directory listing

/etc/apparmor.d $ ls
abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
              sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute

Profiles are referred to by name, including any parent subdirectories if present.

Manual control

To activate a profile, simply set it to enforce mode.

Code Listing 4.2: Manual profile activation

# aa-enforce usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.

Similarly, to deactivate enforcement of a profile, set it to complain mode, in which violations are only logged rather than blocked.

Code Listing 4.3: Manual profile deactivation

# aa-complain usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.

The current status of your profiles may be viewed using aa-status.

Code Listing 4.4: Profile status listing

# aa-status
apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
1 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
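The aa-status report above is the natural place to detect drift: a profile left in complain mode after debugging, or a process that started before its profile was loaded and is therefore unconfined. The following POSIX shell script is an added example, not part of the original guide, that parses that report format; the SAMPLE text is constructed in the shape of the listing above rather than taken from a real host.

```sh
#!/bin/sh
# Added example (not from the Gentoo guide): audit aa-status output for
# profiles that are loaded but not enforcing and for processes that run
# unconfined although a profile exists for them.

# Constructed sample modelled on the guide's aa-status listing (not a real run).
SAMPLE='apparmor module is loaded.
6 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/klogd
   /sbin/syslog-ng
   /usr/sbin/dnsmasq
   /usr/sbin/ntpd
   /usr/sbin/nscd
1 profiles are in complain mode.
   /usr/sbin/smbd
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/dnsmasq (12905)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (12990)'

# Print the indented entries that follow the header containing $2 in report $1,
# stopping at the next unindented (header) line.
section_entries() {
    printf '%s\n' "$1" | awk -v hdr="$2" '
        index($0, hdr)      { grab = 1; next }
        grab && /^[^ \t]/   { grab = 0 }
        grab                { sub(/^[ \t]+/, ""); print }
    '
}

# Profiles loaded in complain mode (violations logged, not blocked).
complain_profiles() { section_entries "$1" "profiles are in complain mode"; }

# Programs running unconfined despite a loaded profile; strip the "(pid)" suffix.
unconfined_with_profile() {
    section_entries "$1" "processes are unconfined but have a profile defined" |
        sed 's/ ([0-9]*)$//'
}

# Exit 0 only when every loaded profile enforces and nothing escapes confinement.
audit_status() {
    drift=$(complain_profiles "$1"; unconfined_with_profile "$1")
    [ -z "$drift" ]
}

if ! audit_status "$SAMPLE"; then
    printf 'complain-mode profiles:\n%s\n' "$(complain_profiles "$SAMPLE")"
    printf 'unconfined with profile:\n%s\n' "$(unconfined_with_profile "$SAMPLE")"
fi
```

On a live system replace SAMPLE with the output of `aa-status`, which requires root; a non-zero exit from audit_status is what a monitoring job would alert on.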

Automatic control

The provided init script will automatically load all profiles located in your profile directory. Unless specified otherwise, each profile will be loaded in enforce mode.


Page updated April 17, 2013

Summary: This guide provides a brief overview of AppArmor, and gives information on how to install and configure it on Gentoo.

Michael Palimaka


Copyright 2001-2014 Gentoo Foundation, Inc.