What is AppArmor in Ubuntu and how does it work?
AppArmor is a Linux kernel security module used in Ubuntu to restrict the capabilities of specific applications through per-program profiles. By enforcing Mandatory Access Control (MAC), it confines software to a limited set of files, network privileges, and system capabilities. This quick overview explores how AppArmor acts as a critical line of defense, ensuring that even if an application is compromised, the potential damage to the rest of the operating system is heavily contained.
The Role of Mandatory Access Control (MAC)
Traditional Linux security relies on Discretionary Access Control (DAC), which determines file permissions based on user and group ownership. Under DAC, if a malicious actor exploits a program running with root privileges, they gain full control over the system.
AppArmor introduces Mandatory Access Control (MAC). Instead of focusing on who is running the program, AppArmor focuses on what the program itself is allowed to do. It binds security policies directly to executable binaries, ensuring they can only perform actions explicitly permitted by their assigned profile, regardless of the user’s privilege level.
How AppArmor Profiles Protect the System
AppArmor operates using configuration files known as profiles. These profiles are simple text files stored in the /etc/apparmor.d/ directory. They define exactly what resources—such as files, directories, network sockets, or raw capabilities—a program can access.
AppArmor profiles typically run in one of two primary modes:
- Enforce Mode: The security policies are actively applied. Any unauthorized action attempted by the application is blocked immediately, and the event is logged.
- Complain Mode: The application is allowed to perform unauthorized actions, but a log entry is created detailing what would have been blocked. This mode is invaluable for testing and developing new profiles without breaking application functionality.
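The two modes leave different traces in the kernel audit log: a blocked action is recorded with apparmor="DENIED", while an action that complain mode let through is recorded with apparmor="ALLOWED". The following is an added example, not part of the original article, that triages such lines per profile; the log lines, profile names and paths are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (not taken from a real system).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/shadow" pid=4101 comm="exampled" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000003.412:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-viewer" name="/home/alice/.ssh/id_ed25519" pid=4177 comm="example-viewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000004.090:203): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/exampled" pid=4180 comm="apparmor_parser"
audit: type=1400 audit(1700000009.555:204): apparmor="DENIED" operation="mknod" profile="/usr/sbin/exampled" name="/var/www/html/x.php" pid=4101 comm="exampled" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
"""

# key="quoted value" or key=bare_value pairs, as used in audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}

def summarize(log_text):
    """Group policy violations by profile, split by how they were handled."""
    out = defaultdict(lambda: {"blocked": [], "would_block": []})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        verdict = fields.get("apparmor")
        if verdict == "DENIED":        # the action was blocked and logged
            bucket = "blocked"
        elif verdict == "ALLOWED":     # complain mode: logged, not blocked
            bucket = "would_block"
        else:                          # STATUS and similar are not violations
            continue
        event = (fields.get("operation"), fields.get("name"), fields.get("denied_mask"))
        out[fields["profile"]][bucket].append(event)
    return dict(out)

if __name__ == "__main__":
    for profile, events in summarize(SAMPLE_LOG).items():
        print(f"{profile}: blocked={len(events['blocked'])} "
              f"would_block={len(events['would_block'])}")
        for op, name, mask in events["blocked"] + events["would_block"]:
            print(f"    {op} {name} ({mask})")
```

A profile that still produces "would_block" entries under normal use is not ready to be switched from complain mode to enforce mode.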
Key Benefits of AppArmor in Ubuntu
Ubuntu includes AppArmor by default because it provides robust security with minimal system overhead.
- Attack Surface Reduction: By confining web browsers, PDF readers, and server daemons, AppArmor prevents hijacked applications from accessing sensitive user data or system configuration files.
- Securing Containerized Applications: AppArmor plays a vital role in modern Ubuntu environments by isolating Snaps, Docker containers, and LXD instances from the host system.
- Ease of Management: Compared to other MAC systems like SELinux, AppArmor uses a path-based approach that is easier for administrators to read, write, and maintain.