AppArmor Commands
AppArmor security profile management and troubleshooting commands.
Status & Information
sudo aa-status  -  Show AppArmor status and loaded profiles
sudo aa-enabled  -  Check whether AppArmor is enabled
cat /sys/kernel/security/apparmor/profiles  -  List all loaded profiles
cat /sys/module/apparmor/parameters/enabled  -  Check whether the kernel module is enabled (Y/N)
sudo apparmor_status  -  Alternative status command (same output as aa-status)
dmesg | grep apparmor  -  View AppArmor kernel messages
journalctl -k | grep apparmor  -  View AppArmor kernel messages from the journal
Profile Modes
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox  -  Set profile to enforce mode
sudo aa-complain /etc/apparmor.d/usr.bin.firefox  -  Set profile to complain mode
sudo aa-disable /etc/apparmor.d/usr.bin.firefox  -  Disable a profile
sudo aa-audit /etc/apparmor.d/usr.bin.firefox  -  Set profile to audit mode
sudo aa-enforce /etc/apparmor.d/*  -  Enforce all profiles (the glob also matches subdirectories such as abstractions/ and tunables/, which are not profiles and are reported as errors)
sudo aa-complain /etc/apparmor.d/*  -  Set all profiles to complain mode (same caveat about subdirectories)
Profile Management
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox  -  Reload (replace) a specific profile
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox  -  Remove/unload a profile
sudo apparmor_parser /etc/apparmor.d/usr.bin.firefox  -  Load a profile
sudo apparmor_parser -r /etc/apparmor.d/  -  Reload all profiles in the directory
sudo systemctl reload apparmor  -  Reload the AppArmor service
sudo systemctl restart apparmor  -  Restart the AppArmor service
Profile Generation
sudo aa-genprof /usr/bin/myapp  -  Generate a profile for an application (interactive)
sudo aa-autodep /usr/bin/myapp  -  Create a basic profile skeleton
sudo aa-logprof  -  Update profiles from logged events (interactive)
sudo aa-easyprof --template=user-application /usr/bin/myapp  -  Generate a profile from a template
sudo aa-unconfined  -  List unconfined processes that have open network sockets
sudo aa-unconfined --paranoid  -  List all unconfined processes
Service Control
sudo systemctl start apparmor  -  Start the AppArmor service
sudo systemctl stop apparmor  -  Stop the AppArmor service
sudo systemctl enable apparmor  -  Enable AppArmor at boot
sudo systemctl disable apparmor  -  Disable AppArmor at boot
sudo systemctl status apparmor  -  Check the AppArmor service status
sudo update-rc.d apparmor defaults  -  Enable AppArmor at boot (SysV init)
Logging & Debugging
sudo tail -f /var/log/syslog | grep apparmor  -  Monitor AppArmor messages in syslog
sudo tail -f /var/log/audit/audit.log | grep apparmor  -  Monitor AppArmor messages in the audit log
sudo aa-notify -s 1 -v  -  Show AppArmor notifications (denials from the last day, verbose)
sudo ausearch -m avc -ts recent  -  Search recent denials in the audit log
sudo dmesg | grep -i denied  -  View kernel denial messages
grep apparmor /var/log/kern.log  -  Check the kernel log for AppArmor messages
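The monitoring commands above only filter the raw log; what a practitioner usually wants next is a summary of which profile was denied which operation on which path, so the right rule can be added with aa-logprof or the event can be triaged as suspicious. The script below is an added example, not part of the original cheat sheet or of the AppArmor project: it parses the key="value" fields that AppArmor writes to the audit and kernel logs and counts denials per profile/operation/target. The log lines in SAMPLE_LOG are constructed for the demonstration, and the function names (aa_field, summarize_denials) are this example's own.

```shell
#!/bin/sh
# Constructed sample lines in the format AppArmor emits to the audit log
# (journalctl -k shows the same fields after a "kernel: audit: type=1400" prefix).
# These are illustrative, not captured from a real host.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/tmp/cache" pid=1300 comm="myapp" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="exec" profile="/usr/sbin/nginx" name="/bin/sh" pid=1202 comm="nginx" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=1400 comm="mysqld" capability=12 capname="net_admin"'

# aa_field KEY LINE: print the quoted value of KEY="..." from one log line,
# or nothing if the key is absent. The leading space in the pattern keeps
# "name" from matching inside "capname".
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# summarize_denials [STATUS]: read log lines on stdin, keep those whose
# apparmor= status matches STATUS (default DENIED; use ALLOWED to see what a
# complain-mode profile would have blocked), and print a count per
# profile / operation / target / denied mask, most frequent first.
summarize_denials() {
    aa_status="${1:-DENIED}"
    while IFS= read -r line; do
        case "$line" in
            *"apparmor=\"$aa_status\""*) ;;
            *) continue ;;
        esac
        profile=$(aa_field profile "$line")
        op=$(aa_field operation "$line")
        target=$(aa_field name "$line")
        # capability denials carry capname= instead of a path
        [ -n "$target" ] || target=$(aa_field capname "$line")
        mask=$(aa_field denied_mask "$line")
        printf '%s\t%s\t%s\t%s\n' "$profile" "$op" "${target:-?}" "${mask:-?}"
    done | sort | uniq -c | sort -rn
}

# Demo on the constructed sample. On a real host the equivalent is:
#   sudo journalctl -k --no-pager | summarize_denials
#   sudo summarize_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

The ALLOWED filter is the useful one while a profile is still in complain mode: every ALLOWED event is a rule aa-logprof will offer to add, and reviewing the summary first makes it easier to spot an access that should stay denied rather than be granted.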
Profile Utilities
sudo aa-decode <hex_string>  -  Decode a hex-encoded path from the logs
sudo aa-exec -p profile_name -- command  -  Run a command under a specific profile
sudo aa-cleanprof /etc/apparmor.d/usr.bin.myapp  -  Clean up redundant rules in a profile
sudo aa-mergeprof profile1 profile2  -  Merge two profiles
apparmor_parser -p /etc/apparmor.d/usr.bin.myapp  -  Preprocess a profile (expand includes) and print the result to stdout
Namespace & Policy
cat /proc/self/attr/current  -  Show the current process's confinement (profile name and mode, or "unconfined")
cat /proc/<pid>/attr/current  -  Show a process's confinement by PID
sudo aa-features-abi /etc/apparmor.d/abi/3.0  -  Show the feature ABI
ls /etc/apparmor.d/tunables/  -  List tunable variables
ls /etc/apparmor.d/abstractions/  -  List available abstractions
Configuration Files
ls /etc/apparmor.d/  -  List all profile files
cat /etc/apparmor/parser.conf  -  View the parser configuration
sudo nano /etc/apparmor.d/local/<profile>  -  Edit local overrides for a profile
ls /etc/apparmor.d/disable/  -  List disabled profiles
sudo ln -s /etc/apparmor.d/usr.bin.myapp /etc/apparmor.d/disable/  -  Disable a profile via symlink (this only prevents loading at boot; unload the running profile with apparmor_parser -R, or use aa-disable, which does both)
Common Profiles
sudo apt install apparmor-profiles  -  Install additional profiles (Debian/Ubuntu)
sudo apt install apparmor-profiles-extra  -  Install extra profiles
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx  -  Enforce the nginx profile
sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2  -  Enforce the Apache profile
sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld  -  Enforce the MySQL profile