
AppArmor on Ubuntu: write, enforce and debug profiles

Complete tutorial on AppArmor in Ubuntu. Learn aa-status, aa-genprof, complain/enforce modes, audit logs.

Introduction

AppArmor is a powerful security module for the Linux kernel that provides a framework for enforcing mandatory access control (MAC) policies. It is designed to restrict the capabilities of programs based on their profiles, which define what resources they can access, helping to mitigate the impact of security vulnerabilities. This matters because it enhances the overall security posture of systems by limiting the potential damage that can be caused by compromised applications.

AppArmor is particularly useful in environments where security is paramount, such as servers, cloud deployments, and systems handling sensitive data. It is included in many Linux distributions, especially Ubuntu, where it is enabled by default. In this tutorial, we will cover how to write, enforce, and debug AppArmor profiles effectively.

Prerequisites

  • Ubuntu Version: This tutorial applies to Ubuntu 20.04 LTS (Focal Fossa) and later releases.
  • Required Packages: apparmor, apparmor-utils, and auditd.
  • Permissions: You need root permissions to manage AppArmor profiles.
  • Risks: Misconfigured profiles can lead to application failures or security vulnerabilities if not properly tested.

Core Concepts

  • Profile: A set of rules that defines what resources an application can access.
  • Complain Mode: A mode where violations are logged but not enforced, useful for testing profiles.
  • Enforce Mode: A mode where violations are actively blocked.
  • Audit Logs: Logs generated by AppArmor that provide insights into policy violations and application behavior.
  • aa-status: A command that shows the status of AppArmor profiles and their modes.

Syntax/Commands

Command                Description
aa-status              Check the status of AppArmor profiles.
aa-genprof <app>       Generate a basic profile for the specified app.
aa-enforce <profile>   Switch a profile to enforce mode.
aa-complain <profile>  Switch a profile to complain mode.
aa-logprof             Update profiles based on audit logs.
apparmor_parser        Load and parse AppArmor profiles.

Practical Examples

1. Check AppArmor Status

# Check the status of all AppArmor profiles
sudo aa-status

This command displays the current status of all loaded profiles, including whether they are in complain or enforce mode.

2. Generate a Profile for an Application

# Generate a profile for the Firefox application
sudo aa-genprof firefox

This command initiates a wizard to create a new AppArmor profile for Firefox, allowing you to define permissions interactively.

3. Switch a Profile to Enforce Mode

# Set the Firefox profile to enforce mode
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

Switching to enforce mode means that any access violations will be blocked, enhancing security.

4. Switch a Profile to Complain Mode

# Set the Firefox profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.bin.firefox

In this mode, violations are logged but not enforced, allowing you to test the profile without disrupting the application.

5. View Audit Logs

# View AppArmor audit logs for violations (the log is not world-readable, hence sudo)
sudo grep -i apparmor /var/log/syslog
# With auditd running the same events land in /var/log/audit/audit.log instead;
# on a system without rsyslog read them from the kernel log: sudo journalctl -k | grep -i apparmor

This command filters the syslog to show only AppArmor-related messages, helping identify issues with profiles.

6. Update Profile from Logs

# Update the Firefox profile based on logged violations
sudo aa-logprof

This command analyzes the current audit logs and suggests updates to the profile based on the recorded violations.
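What steps 5 and 6 boil down to, as an added example that is not the tutorial's own code: collapse the logged violations into unique (profile, path, mask) tuples, the way aa-logprof does before it asks you to allow or deny each one, and render each tuple as a candidate profile line. The sample log lines, the function names and the "allow only under /var/www" policy are constructed assumptions.

```shell
#!/bin/bash
# Added example, not from the tutorial: what aa-logprof does in step 6, reduced to
# its core: collapse logged violations into unique (profile, path, mask) tuples and
# turn each into a candidate rule. Names and sample lines are constructed.
set -eu

# Constructed sample in the kernel-log format. Note the two spellings: enforce mode
# logs apparmor="DENIED", complain mode logs the same violation as apparmor="ALLOWED".
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.101:20): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/html/index.html" pid=901 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1700000000.102:21): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/html/index.html" pid=902 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1700000000.103:22): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=901 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1700000000.104:23): apparmor="ALLOWED" operation="open" profile="/usr/bin/my_app" name="/tmp/cache" pid=1200 comm="my_app" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.105:24): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/my_app" pid=1300 comm="apparmor_parser"'

# field LINE KEY: print the value of KEY="..." from LINE, or nothing if absent.
field() { printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"; }

# Read audit lines on stdin; print one "profile path mask count" per unique file
# violation. Capability/network/signal events have no denied path and are skipped
# (aa-logprof handles those too; this example only does file rules).
summarize_denials() {
    while IFS= read -r line; do
        case $line in
            *'apparmor="DENIED"'*|*'apparmor="ALLOWED"'*) ;;
            *) continue ;;
        esac
        name=$(field "$line" name); mask=$(field "$line" denied_mask)
        [ -n "$name" ] && [ -n "$mask" ] || continue
        printf '%s %s %s\n' "$(field "$line" profile)" "$name" "$mask"
    done | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# Render a tuple as a profile line. Allowing it is a policy decision, not a log
# artefact: here only the web root becomes an allow; anything else is written as
# an audit deny so it stays blocked and stays visible in the log.
suggest_rule() {
    case $2 in
        /var/www/*) printf '  %s %s,\n' "$2" "$3" ;;
        *)          printf '  audit deny %s %s,\n' "$2" "$3" ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_denials | while read -r p n m c; do
        printf '# %s hit(s) for %s\n' "$c" "$p"; suggest_rule "$p" "$n" "$m"
    done
fi
```

Run it with --demo to see the three candidate lines; on a real host replace SAMPLE_LOG with `journalctl -k` or the audit log and review each suggestion before pasting it into the profile.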

7. Load a Custom Profile

# Load a custom AppArmor profile
sudo apparmor_parser -r /etc/apparmor.d/my_custom_profile

This command parses and loads a custom profile into the AppArmor system, enforcing its rules.

8. Disable a Profile

# Disable the Firefox profile
sudo aa-disable /etc/apparmor.d/usr.bin.firefox

This command unloads the profile and stops AppArmor from enforcing any rules for this application.

Real-World Scenarios

Scenario 1: Securing a Web Server

An organization runs a web server using Nginx. To enhance security, an AppArmor profile is created that restricts Nginx's access to specific directories and files, reducing the risk of file system compromises.

  1. Generate the profile using aa-genprof nginx.
  2. Test the web server in complain mode to log any access violations.
  3. Refine the profile based on logs using aa-logprof.
  4. Switch to enforce mode to lock down Nginx's permissions.
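The kind of profile Scenario 1 ends with, with the syntax-check, complain and enforce steps scripted around it, as an added example that is not the tutorial's or the nginx package's own code. The rule set, the path /etc/apparmor.d/usr.sbin.nginx, the function names and the --apply switch are assumptions for a stock Ubuntu nginx install; the real rules come from what aa-logprof reports on your host.

```shell
#!/bin/bash
# Added example, not the tutorial's code: the profile Scenario 1 ends up with for
# Nginx, plus the check -> complain -> enforce steps. Paths/rules are assumptions.
set -eu
# Emit the profile text (hypothetical; on a real host aa-genprof/aa-logprof write it).
nginx_profile() {
    cat <<'EOF'
#include <tunables/global>
/usr/sbin/nginx {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>

    # only what a web server needs: listen on TCP, bind :80/:443, drop to www-data
    network inet stream,
    network inet6 stream,
    capability net_bind_service,
    capability setgid,
    capability setuid,

    # config and web root read-only, logs write-only, state dir only if nginx owns it
    /etc/nginx/** r,
    /var/www/** r,
    /var/log/nginx/*.log w,
    /run/nginx.pid rw,
    owner /var/lib/nginx/** rw,

    # deny beats any allow an abstraction may grant; plain deny is silent, so
    # 'audit deny' keeps a worker reading secrets visible as DENIED in the log
    audit deny /etc/shadow r,
    audit deny /root/** rwklx,
}
EOF
}
# Write the profile to $1 (default: the path Ubuntu's tools expect) and print it.
install_profile() {
    local path="${1:-/etc/apparmor.d/usr.sbin.nginx}"
    nginx_profile > "$path"
    printf '%s\n' "$path"
}
# Steps 2-4 of Scenario 1. -Q parses without loading, so a typo fails here, not at reboot.
apply_profile() {
    apparmor_parser -Q "$1"
    aa-complain "$1"    # load in complain mode; exercise the server, then run aa-logprof
    aa-enforce "$1"     # lock it down once the log is clean
}
if [ "${1:-}" = "--apply" ]; then
    apply_profile "$(install_profile)"
fi
```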

Scenario 2: Isolating a Development Environment

A developer uses a specific application that requires access to certain system resources. By creating a custom AppArmor profile, the developer limits the application's access to only necessary resources, minimizing potential security risks.

  1. Generate the profile using aa-genprof <app>.
  2. Test in complain mode to gather information about necessary permissions.
  3. Adjust the profile based on audit logs.
  4. Load the customized profile with apparmor_parser.

Scenario 3: Monitoring System Behavior

An administrator wants to monitor an application for any unusual behavior. By placing the application in complain mode, the administrator can gather insights into access patterns and adjust the profile accordingly.

  1. Use aa-complain <app> to place the application in complain mode.
  2. Monitor logs using sudo cat /var/log/syslog | grep apparmor.
  3. Update the profile as needed to block unwanted access.

Best Practices

  1. Start with Complain Mode: Always start in complain mode to gather data before enforcing strict rules.
  2. Regularly Review Audit Logs: Monitor logs to identify potential issues or required adjustments to profiles.
  3. Use Specific Paths: Define access based on specific file paths rather than broad categories to minimize risk.
  4. Backup Profiles: Keep backups of important profiles to quickly restore functionality if needed.
  5. Test Changes: Always test profile changes in a controlled environment before deploying to production systems.

Common Errors

  1. Error: AppArmor parser error: Unable to open file...

    • Cause: The specified profile does not exist or has incorrect permissions.
    • Fix: Verify the profile path and permissions.
  2. Error: DENIED ... (permission denied)

    • Cause: The application tried to access a resource not allowed by its profile.
    • Fix: Update the profile to allow the necessary access.
  3. Error: Failed to load AppArmor profile...

    • Cause: Syntax error in the profile file.
    • Fix: Check the profile for syntax errors and correct them.
  4. Error: profile not found

    • Cause: The profile is not loaded or has been disabled.
    • Fix: Ensure that the profile is enabled and correctly loaded.

Related Commands

Command                    Description
systemctl status apparmor  Check the status of the AppArmor service.
aa-logprof                 Analyze logs for profile updates.
apparmor_status            Display the status of AppArmor in a summary form.
aa-disable                 Disable an AppArmor profile.

Automation Script

Here’s a complete bash script to automate the creation and management of an AppArmor profile for an application named my_app.

#!/bin/bash

# Script to manage the AppArmor profile for my_app
set -euo pipefail

PROFILE_PATH="/etc/apparmor.d/usr.bin.my_app"

# Check if AppArmor is running (--quiet: exit status only, no output)
if ! systemctl is-active --quiet apparmor; then
    echo "AppArmor is not running. Starting AppArmor..."
    sudo systemctl start apparmor
fi

# Generate a profile if it doesn't exist (aa-genprof is interactive and will prompt)
if [ ! -f "$PROFILE_PATH" ]; then
    echo "Generating profile for my_app..."
    sudo aa-genprof my_app
fi

# Switch to enforce mode
echo "Switching my_app profile to enforce mode..."
sudo aa-enforce "$PROFILE_PATH"

# Display status
echo "Current AppArmor status:"
sudo aa-status

# Monitor logs (syslog is not world-readable, hence sudo; --line-buffered so
# matches appear immediately instead of when grep's output buffer fills)
echo "Monitoring AppArmor logs..."
sudo tail -f /var/log/syslog | grep --line-buffered -i apparmor

# End of script

Conclusion

In this tutorial, we explored the fundamental aspects of AppArmor on Ubuntu, including how to write, enforce, and debug profiles. By leveraging AppArmor, you can significantly enhance the security of your applications and system. The best practices and real-world scenarios provided will help you implement AppArmor effectively in your environment.

Next Steps

  • Experiment with creating and modifying profiles for different applications.
  • Monitor AppArmor logs regularly to stay informed about application behavior.
  • Explore integration with other security tools for a layered security approach.
