AppArmor.d

Full set of AppArmor profiles

AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.

Purpose¶

• Confine all root processes such as all systemd tools, bluetooth, dbus, polkit, NetworkManager, OpenVPN, GDM, rtkit, colord
• Confine all Desktop environments
• Confine all user services such as Pipewire, Gvfsd, dbus, xdg, xwayland
• Confine some "special" user applications: web browsers, file managers, etc
• Should not break a normal usage of the confined software

See the Concepts' page for more detail on the architecture.

Goals¶

• Target both desktops and servers
• Support for all distributions that support AppArmor:
  • Arch Linux
  • Ubuntu 24.04/22.04
  • Debian 12
  • openSUSE Tumbleweed
• Support for all major desktop environments:
  • Gnome (GDM)
  • KDE (SDDM)
  • XFCE (Lightdm) (work in progress)
• Fully tested

Demo¶

You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/

Presentations¶

Building the largest set of AppArmor profiles:

• Linux Security Summit North America (LSS-NA 2023) (Slide, Video)
• Ubuntu Summit 2023 (Slide, Video)

Chat¶

A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org