AppArmor
Introduction
AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts to syslogd. Profiles in complain mode will not enforce policy but instead report policy violation attempts.
AppArmor is different than other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.
AppArmor in Ubuntu
AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. With each release, more and more profiles are shipped by default, and more are planned.
More Information
AppArmor Features (Ubuntu server edition product guide)
- Ubuntu 8.04 LTS (Hardy Heron)
- Ubuntu 8.10 (Intrepid Ibex)
- Ubuntu 9.04 (Jaunty Jackalope)
Specification: Specifications/AppArmor
Technical documentation can be found in /usr/share/doc/apparmor-docs/techdoc.pdf.gz from apparmor-profiles package