AppArmorProfiles
|
Size: 19312
Comment: remove EOL releases
|
Size: 19157
Comment: alphabetize within release
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 11: | Line 11: |
| || Akonadi (mysqld) || yes || yes || yes || yes || yes || yes || || Apache (apache2) || yes^1^ || yes^1^ || yes^1^ || yes^1^ || yes || yes || |
|
| Line 12: | Line 14: |
| || ClamAV (clamd,freshclam) || yes || yes || yes || yes || yes || yes || | |
| Line 13: | Line 16: |
| || MySQL (mysqld) || yes || yes || yes || yes || yes || yes || || OpenLDAP (slapd) || yes || yes || yes || yes || yes || yes || || Akonadi (mysqld) || yes || yes || yes || yes || yes || yes || || ClamAV (clamd,freshclam) || yes || yes || yes || yes || yes || yes || |
|| Evince || yes || yes || yes || yes || yes || yes || || Firefox (firefox-3.5/firefox) || yes^1^ || yes^1^ || yes^1^ || yes^1^ || yes || yes || |
| Line 20: | Line 21: |
| || tcpdump || yes || yes || yes || yes || yes || yes || || Apache (apache2) || yes^1^ || yes^1^ || yes^1^ || yes^1^ || yes || yes || || Evince || yes || yes || yes || yes || yes || yes || || Firefox (firefox-3.5/firefox) || yes^1^ || yes^1^ || yes^1^ || yes^1^ || yes || yes || |
|| juju || yes^2^ || yes^2^ || yes^2^ || yes^2^ || yes || yes || |
| Line 25: | Line 23: |
| || NTP (ntpd) || yes || yes || yes || -- || -- || -- || | |
| Line 27: | Line 24: |
| || Telepathy || yes || yes || yes || -- || -- || -- || || juju || yes^2^ || yes^2^ || yes^2^ || yes^2^ || yes || yes || |
|
| Line 31: | Line 26: |
| || MySQL (mysqld) || yes || yes || yes || yes || yes || yes || || NTP (ntpd) || yes || yes || yes || -- || -- || -- || || OpenLDAP (slapd) || yes || yes || yes || yes || yes || yes || |
|
| Line 33: | Line 31: |
| || tcpdump || yes || yes || yes || yes || yes || yes || || Telepathy || yes || yes || yes || -- || -- || -- || || AppStore apps (click)^4^ || -- || yes || yes || -- || -- || -- || || Cups filters (cups-browsed) || -- || yes || yes || yes || yes || yes || |
|
| Line 35: | Line 37: |
| || squid3 || -- || yes^1^ || yes^1^ || yes^1^ || yes || yes || || AppStore apps (click)^4^ || -- || yes || yes || -- || -- || -- || || Cups filters (cups-browsed) || -- || yes || yes || yes || yes || yes || || Telepathy (ofono) || -- || yes || yes || yes || yes || yes || |
|
| Line 41: | Line 39: |
| || squid3 || -- || yes^1^ || yes^1^ || yes^1^ || yes || yes || | |
| Line 43: | Line 42: |
| || Telepathy (ofono) || -- || yes || yes || yes || yes || yes || || AppStore apps (snappy)^5^ || -- || -- || yes || yes || yes || yes || |
|
| Line 44: | Line 45: |
| || ubuntu-download-manager (extractor) || -- || -- || yes || -- || -- || -- || || AppStore apps (snappy)^5^ || -- || -- || yes || yes || yes || yes || |
|
| Line 48: | Line 47: |
| || ubuntu-download-manager (extractor) || -- || -- || yes || -- || -- || -- || | |
| Line 65: | Line 65: |
| || chromium-browser || yes || yes || yes || yes || yes || yes || || digikam || yes || yes || yes || yes || yes || yes || |
|
| Line 66: | Line 68: |
| || dovecot || yes || yes || yes || yes || yes || yes || | |
| Line 71: | Line 74: |
| || ntpd || -- || -- || -- || yes || yes || yes || | || phpsysinfo^1^ || yes || yes || yes || yes || yes || yes || |
| Line 77: | Line 80: |
| || dovecot || yes || yes || yes || yes || yes || yes || || phpsysinfo^1^ || yes || yes || yes || yes || yes || yes || || chromium-browser || yes || yes || yes || yes || yes || yes || || digikam || yes || yes || yes || yes || yes || yes || || tor || -- || yes || yes || yes || yes || yes || || vidalia || -- || yes || yes || yes || yes || yes || |
|
| Line 85: | Line 82: |
| || tor || -- || yes || yes || yes || yes || yes || | |
| Line 86: | Line 84: |
| || torbrowser-launcher || -- || -- || yes || yes || yes || yes || || docker.io || -- || -- || yes || yes || yes || yes || |
|| vidalia || -- || yes || yes || yes || yes || yes || |
| Line 90: | Line 87: |
| || docker.io || -- || -- || yes || yes || yes || yes || || torbrowser-launcher || -- || -- || yes || yes || yes || yes || || aprx || -- || -- || -- || yes || yes || yes || || dhcpcanon || -- || -- || -- || yes || yes || yes || || ejabberd || -- || -- || -- || yes || yes || yes || || firejail || -- || -- || -- || yes || yes || yes || || irssi || -- || -- || -- || yes || yes || yes || |
|
| Line 93: | Line 97: |
| || irssi || -- || -- || -- || yes || yes || yes || | || ntpd || -- || -- || -- || yes || yes || yes || |
| Line 98: | Line 102: |
| || apt-cacher-ng || -- || -- || -- || yes || yes || yes || || aprx || -- || -- || -- || yes || yes || yes || || dhcpcanon || -- || -- || -- || yes || yes || yes || || ejabberd || -- || -- || -- || yes || yes || yes || || firejail || -- || -- || -- || yes || yes || yes || || lightdm-remote-session-x2go || -- || -- || -- || -- || yes || yes || |
|
| Line 115: | Line 113: |
| || lightdm-remote-session-x2go || -- || -- || -- || -- || yes || yes || |
AppArmor Profiles
AppArmor is installed and loaded by default starting with Ubuntu 7.10 (Gutsy). Some packages will install their own profiles (usually in enforcing mode), while additional profiles can be found in the apparmor-profiles and apparmor-profiles-extra packages from the Universe repository.
Supported profiles in main
Source package/binary |
12.04 LTS |
14.04 LTS |
16.04 LTS |
18.04 LTS |
19.04 |
19.10 |
Akonadi (mysqld) |
yes |
yes |
yes |
yes |
yes |
yes |
Apache (apache2) |
yes1 |
yes1 |
yes1 |
yes1 |
yes |
yes |
Bind (named) |
yes |
yes |
yes |
yes |
yes |
yes |
ClamAV (clamd,freshclam) |
yes |
yes |
yes |
yes |
yes |
yes |
Cups (cupsd) |
yes |
yes |
yes |
yes |
yes |
yes |
Evince |
yes |
yes |
yes |
yes |
yes |
yes |
Firefox (firefox-3.5/firefox) |
yes1 |
yes1 |
yes1 |
yes1 |
yes |
yes |
gdm-guest-session |
N/A |
N/A |
yes |
yes |
yes |
yes |
ISC Dhcpd (dhcpd3/dhcpd) |
yes |
yes |
yes |
yes |
yes |
yes |
ISC Dhcp client (dhclient3/dhclient) |
yes |
yes |
yes |
yes |
yes |
yes |
juju |
yes2 |
yes2 |
yes2 |
yes2 |
yes |
yes |
Libvirt (libvirtd and kvm/qemu guests) |
yes |
yes |
yes |
yes |
yes |
yes |
Lightdm guest session |
yes |
yes |
yes |
-- |
-- |
-- |
LXC |
yes3 |
yes3 |
yes3 |
yes3 |
yes |
yes |
MAAS dhcpd (dhcpd) |
yes |
yes |
yes |
yes |
yes |
-- |
MySQL (mysqld) |
yes |
yes |
yes |
yes |
yes |
yes |
NTP (ntpd) |
yes |
yes |
yes |
-- |
-- |
-- |
OpenLDAP (slapd) |
yes |
yes |
yes |
yes |
yes |
yes |
quassel-core |
yes |
yes |
yes |
yes |
yes |
yes |
rsyslog |
yes1 |
yes1 |
yes1 |
yes1 |
yes |
yes |
tcpdump |
yes |
yes |
yes |
yes |
yes |
yes |
Telepathy |
yes |
yes |
yes |
-- |
-- |
-- |
AppStore apps (click)4 |
-- |
yes |
yes |
-- |
-- |
-- |
Cups filters (cups-browsed) |
-- |
yes |
yes |
yes |
yes |
yes |
lightdm-remote-session-freerdp |
-- |
yes |
yes |
-- |
-- |
-- |
lightdm-remote-session-uccsconfigure |
-- |
yes |
yes |
-- |
-- |
-- |
media-hub |
-- |
yes |
yes |
-- |
-- |
-- |
mediascanner2 |
-- |
yes |
yes |
-- |
-- |
-- |
squid3 |
-- |
yes1 |
yes1 |
yes1 |
yes |
yes |
sssd |
-- |
yes1 |
yes1 |
yes1 |
yes |
yes |
StrongSwan (stroke/lookip) |
-- |
yes |
yes |
yes |
yes |
yes |
Telepathy (ofono) |
-- |
yes |
yes |
yes |
yes |
yes |
AppStore apps (snappy)5 |
-- |
-- |
yes |
yes |
yes |
yes |
libvirt (libvirt-lxc containers) |
-- |
-- |
yes |
yes |
yes |
yes |
LXD |
-- |
-- |
yes |
yes |
yes |
yes |
snap-confine (aka ubuntu-core-launcher) |
-- |
-- |
yes |
yes |
yes |
yes |
ubuntu-download-manager (extractor) |
-- |
-- |
yes |
-- |
-- |
-- |
webbrowser-app |
-- |
-- |
yes |
-- |
-- |
-- |
chrony |
-- |
-- |
-- |
yes |
yes |
yes |
ippusbxd |
-- |
-- |
-- |
yes |
yes |
yes |
libreoffice6 |
-- |
-- |
-- |
yes |
yes |
yes |
man-db |
-- |
-- |
-- |
yes |
yes |
yes |
mozc |
-- |
-- |
-- |
yes |
yes |
yes |
- Disabled by default and be opt-in for advanced users
- Preliminary support
Ubuntu Touch apps in the Ubuntu AppStore are confined with AppArmor by default. See ApplicationConfinement for details
Apps in the Ubuntu AppStore are confined with AppArmor by default. See the security guide for details
- Mixture of enforce and complain mode profiles
Community supported profiles
Some of the following profiles are found in the apparmor-profiles and apparmor-profiles-extra packages and these profiles usually are in complain mode and are in various stages of development, but can in general be used with some modification. Profiles in this list not from the apparmor-profiles package are community contributed or come from Debian.
Binary |
12.04 LTS |
14.04 LTS |
16.04 LTS |
18.04 LTS |
19.04 |
19.10 |
avahi-daemon |
yes |
yes |
yes |
yes |
yes |
yes |
chromium-browser |
yes |
yes |
yes |
yes |
yes |
yes |
digikam |
yes |
yes |
yes |
yes |
yes |
yes |
dnsmasq |
yes |
yes |
yes |
yes |
yes |
yes |
dovecot |
yes |
yes |
yes |
yes |
yes |
yes |
identd |
yes |
yes |
yes |
yes |
yes |
yes |
klogd |
yes |
yes |
yes |
yes |
yes |
yes |
mdnsd |
yes |
yes |
yes |
yes |
yes |
yes |
nmbd |
yes |
yes |
yes |
yes |
yes |
yes |
nscd |
yes |
yes |
yes |
yes |
yes |
yes |
phpsysinfo1 |
yes |
yes |
yes |
yes |
yes |
yes |
ping |
yes |
yes |
yes |
yes |
yes |
yes |
smbd |
yes |
yes |
yes |
yes |
yes |
yes |
syslogd |
yes |
yes |
yes |
yes |
yes |
yes |
syslog-ng |
yes |
yes |
yes |
yes |
yes |
yes |
traceroute |
yes |
yes |
yes |
yes |
yes |
yes |
fwknop |
-- |
yes |
yes |
yes |
yes |
yes |
pollen |
-- |
yes |
yes |
yes |
yes |
yes |
tor |
-- |
yes |
yes |
yes |
yes |
yes |
tlsdate |
-- |
yes |
yes |
yes |
yes |
yes |
vidalia |
-- |
yes |
yes |
yes |
yes |
yes |
apt-cacher-ng |
-- |
-- |
yes |
yes |
yes |
yes |
gst-plugin-scanner |
-- |
-- |
yes |
yes |
yes |
yes |
docker.io |
-- |
-- |
yes |
yes |
yes |
yes |
torbrowser-launcher |
-- |
-- |
yes |
yes |
yes |
yes |
aprx |
-- |
-- |
-- |
yes |
yes |
yes |
dhcpcanon |
-- |
-- |
-- |
yes |
yes |
yes |
ejabberd |
-- |
-- |
-- |
yes |
yes |
yes |
firejail |
-- |
-- |
-- |
yes |
yes |
yes |
irssi |
-- |
-- |
-- |
yes |
yes |
yes |
Lightdm guest session |
-- |
-- |
-- |
yes |
yes |
yes |
lightdm-remote-session-freerdp |
-- |
-- |
-- |
yes |
yes |
yes |
LXC |
-- |
-- |
-- |
yes |
yes |
yes |
ntpd |
-- |
-- |
-- |
yes |
yes |
yes |
pidgin |
-- |
-- |
-- |
yes |
yes |
yes |
Telepathy |
-- |
-- |
-- |
yes |
yes |
yes |
totem |
-- |
-- |
-- |
yes |
yes |
yes |
totem previewers |
-- |
-- |
-- |
yes |
yes |
yes |
cadvisor |
-- |
-- |
-- |
-- |
yes |
yes |
containerd |
-- |
-- |
-- |
-- |
yes |
yes |
game-data-packager |
-- |
-- |
-- |
-- |
yes |
yes |
haveged |
-- |
-- |
-- |
-- |
yes |
yes |
i2p |
-- |
-- |
-- |
-- |
yes |
yes |
i2pd |
-- |
-- |
-- |
-- |
yes |
yes |
inspircd |
-- |
-- |
-- |
-- |
yes |
yes |
ioquake3 |
-- |
-- |
-- |
-- |
yes |
yes |
iortcw |
-- |
-- |
-- |
-- |
yes |
yes |
kopanocore |
-- |
-- |
-- |
-- |
yes |
yes |
kopano-webapp |
-- |
-- |
-- |
-- |
yes |
yes |
lightdm-remote-session-x2go |
-- |
-- |
-- |
-- |
yes |
yes |
mariadb |
-- |
-- |
-- |
-- |
yes |
yes |
msmtp |
-- |
-- |
-- |
-- |
yes |
yes |
ntpsec |
-- |
-- |
-- |
-- |
yes |
yes |
onioncircuits |
-- |
-- |
-- |
-- |
yes |
yes |
openntpd |
-- |
-- |
-- |
-- |
yes |
yes |
postsrsd |
-- |
-- |
-- |
-- |
yes |
yes |
ricochet-im |
-- |
-- |
-- |
-- |
yes |
yes |
runc |
-- |
-- |
-- |
-- |
yes |
yes |
spawn-fcgi |
-- |
-- |
-- |
-- |
yes |
yes |
surf |
-- |
-- |
-- |
-- |
yes |
yes |
unbound |
-- |
-- |
-- |
-- |
yes |
yes |
url-dispatcher |
-- |
-- |
-- |
-- |
yes |
yes |
ibus-hangul |
-- |
-- |
-- |
-- |
-- |
yes |
MAAS dhcpd (dhcpd) |
-- |
-- |
-- |
-- |
-- |
yes |
- Must be used with the apache2 profile and the libapache2-mod-apparmor module
Other profiles
Profiles in active development can be found in the public repository (see AppArmor Profiles). Unmaintained profiles can be found in /usr/share/doc/apparmor-profiles/extras directory of the apparmor-profiles package. Files from either location may not work at all and will likely require significant effort to run on your system.
Filing Bugs
When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor.
SecurityTeam/KnowledgeBase/AppArmorProfiles (last edited 2020-10-26 01:49:03 by alexmurray)