Skip to content



As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In /etc/apparmor/parser.conf, add write-cache and Optimize=compress-fast.

echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf


See Speed up AppArmor Start on the Arch Wiki for more information:

Personal directories

This project is designed in such a way that it is easy to personalize the directories your programs have access by defining a few variables.

The profiles heavily use the (largely extended) XDG directory variables defined in the Variables Reference page.

XDG variables overview

See Variables Reference page for more.

Description Name Value
Desktop @{XDG_DESKTOP_DIR} Desktop
Download @{XDG_DOWNLOAD_DIR} Downloads
Templates @{XDG_TEMPLATES_DIR} Templates
Documents @{XDG_DOCUMENTS_DIR} Documents
Music @{XDG_MUSIC_DIR} Music
Pictures @{XDG_PICTURES_DIR} Pictures
Videos @{XDG_VIDEOS_DIR} Videos
Books @{XDG_BOOKS_DIR} Books
Projects @{XDG_PROJECTS_DIR} Projects
Screenshots @{XDG_SCREENSHOTS_DIR} @{XDG_PICTURES_DIR}/Screenshots
Sync @{XDG_SYNC_DIR} Sync
Torrents @{XDG_TORRENTS_DIR} Torrents
Vm @{XDG_VM_DIR} .vm

You can personalize these values by creating a file such as: /etc/apparmor.d/tunables/xdg-user-dirs.d/local where you define your own personal directories. Example:

@{XDG_BOOKS_DIR}+="BD" "Comics"
@{XDG_PROJECTS_DIR}+="Git" "Papers"

Then restart the apparmor service to reload the profiles in the kernel:

sudo systemctl restart apparmor.service


  • For git support, you may want to add your GO_PATH in the XDG_PROJECTS_DIR:
  • If you use Keepass, personalize XDG_PASSWORD_STORE_DIR with your password directory. Eg:
  • Add pacman integration with your AUR helper. Eg for yay:

Local profile extensions

You can extend any profile with your own rules by creating a file in the /etc/apparmor.d/local/ directory with the name of your profile. For example, to extend the foo profile, create a file /etc/apparmor.d/local/foo and add your rules in it.


  • child-open, a profile that allows other program to open resources (URL, picture, books...) with some predefined GUI application. To allow it to open URLs with Firefox, create the file /etc/apparmor.d/local/child-open with:
      @{bin}/firefox rPx,


This is an example, no need to add Firefox into child-open, it is already there.


rPx allows transition to the Firefox profile. Use rPUx to allow transition to an unconfined state if you do not have the profile for a given program.

Then, reload the apparmor rules with sudo systemctl restart apparmor.