How to Use AppArmor for Application Security
AppArmor is a mandatory access control framework that confines applications to a limited set of resources. It adds an essential security layer to your Breeze by restricting what programs can access, even if they are compromised.
Checking AppArmor Status
sudo apparmor_status
sudo aa-enabled
Profile Modes
- Enforce — violations are blocked and logged
- Complain — violations are logged but allowed (useful for testing)
Creating a Profile
Generate a profile for a specific application:
# Install utilities
sudo apt-get install -y apparmor-utils
# Generate a profile interactively
sudo aa-genprof /usr/sbin/nginx
Run the application through its normal operations in another terminal, then return to aa-genprof to finalize the profile.
Managing Profiles
# Set a profile to enforce mode
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
# Set to complain mode for testing
sudo aa-complain /etc/apparmor.d/usr.sbin.nginx
# Reload all profiles
sudo systemctl reload apparmor
Viewing Denials
# Check kernel logs for AppArmor denials
sudo dmesg | grep apparmor
# Enforce-mode blocks are logged as apparmor="DENIED"; a profile in
# complain mode logs the same events as apparmor="ALLOWED" instead
sudo journalctl -k | grep DENIED
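As an added example (not part of the original page), the following POSIX shell script turns the audit lines that journalctl -k prints into a one-line-per-denial summary and a per-profile count, which is easier to review than raw grep output when tuning a profile. The log lines embedded in it are constructed to mirror AppArmor's kernel log format, not captured from a real system.

```sh
#!/bin/sh
# Added example: summarise AppArmor denial events from kernel log text.
# SAMPLE_DENIALS is constructed to mirror the audit format AppArmor writes
# to the kernel log; it was not captured from a real system.
SAMPLE_DENIALS='audit: type=1400 audit(1700000000.101:42): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.102:43): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/html/index.html" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.103:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/error.log" pid=1234 comm="nginx" requested_mask="w" denied_mask="w" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.104:45): apparmor="DENIED" operation="exec" profile="/usr/sbin/nginx" name="/bin/sh" pid=1235 comm="nginx" requested_mask="x" denied_mask="x" fsuid=33 ouid=0'

# Read log text on stdin and print "profile operation name denied_mask"
# for each DENIED event. Complain-mode events are logged as ALLOWED and
# are deliberately skipped here. Assumes no spaces inside quoted values.
extract_denials() {
    awk '
    /apparmor="DENIED"/ {
        op = ""; prof = ""; nm = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "operation")        op = val
            else if (kv[1] == "profile")     prof = val
            else if (kv[1] == "name")        nm = val
            else if (kv[1] == "denied_mask") mask = val
        }
        print prof, op, nm, mask
    }'
}

# Count DENIED events per profile, printed as "profile count".
count_denials() {
    extract_denials | awk '{ n[$1]++ } END { for (p in n) print p, n[p] }'
}

# Stand-alone run on the constructed sample; on a live system feed it
# real log text instead:  sudo journalctl -k --no-pager | extract_denials
printf '%s\n' "$SAMPLE_DENIALS" | extract_denials
printf '%s\n' "$SAMPLE_DENIALS" | count_denials
```

Judge each denied path before turning it into a profile rule: in the sample, the blocked reads of /etc/shadow and the blocked exec of /bin/sh are the profile working as intended, while the read under /var/www/html is a legitimate need worth adding.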
Start with complain mode on your Breeze to identify what access an application needs, then switch to enforce mode once the profile is tuned.