As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In
See Speed up AppArmor Start on the Arch Wiki for more information:
This project is designed so that you can easily personalize the directories your programs have access to by defining a few variables.
The profiles heavily use the (largely extended) XDG directory variables defined in the Variables Reference page.
XDG variables overview
See Variables Reference page for more.
- Desktop
- Download
- Templates
- Public
- Documents
- Music
- Pictures
- Videos
- Books
- Projects
- Screenshots
- Sync
- Torrents
- Vm
- Wallpapers
You can personalize these values by creating a file such as /etc/apparmor.d/tunables/xdg-user-dirs.d/local where you define your own personal directories. Example:
Then restart the apparmor service to reload the profiles in the kernel:
- For git support, you may want to add your
- If you use Keepass, personalize XDG_PASSWORD_STORE_DIR with your password directory. Eg:
- Add pacman integration with your AUR helper. Eg for
Local profile extensions
You can extend any profile with your own rules by creating a file in the /etc/apparmor.d/local/ directory with the name of your profile. For example, to extend the foo profile, create a file /etc/apparmor.d/local/foo and add your rules in it.
child-open is a profile that allows other programs to open resources (URLs, pictures, books...) with some predefined GUI applications. To allow it to open URLs with Firefox, create the file
This is only an example: there is no need to add Firefox to child-open, as it is already there.
rPx allows a transition to the Firefox profile. Use rPUx to allow a transition to an unconfined state if you do not have the profile for a given program.
Then, reload the apparmor rules with sudo systemctl restart apparmor.
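
Because rPUx falls back to an unconfined state when the target profile is missing, it helps to review which rules in your local extensions can end up unconfined. The following is an added example, not code from the apparmor.d project: a small checker for the text of a file under /etc/apparmor.d/local/. The sample rules and the "hypothetical-*" paths are constructed, and it assumes one rule per line and paths without spaces.

```python
import re

# Constructed sample of a file under /etc/apparmor.d/local/ (not project code).
SAMPLE_LOCAL = """\
# local additions
/usr/bin/firefox rPx,
/usr/bin/hypothetical-viewer rPUx,   # no profile shipped for this one
/opt/hypothetical-tool/bin/* rux,
deny /usr/bin/hypothetical-helper x,
owner @{HOME}/notes/** rw,
include <abstractions/fonts>
"""

QUALIFIERS = {"audit", "allow", "owner", "file"}
PERMS = re.compile(r"[rwaklmxipPcCuU]+")
# ux/Ux always run unconfined; pux/PUx and cux/CUx do so when the
# target profile is not loaded.
UNCONFINED = re.compile(r"(?i)[pc]?ux")


def audit_local(text):
    """Return (line, path, exec_mode, env_scrubbed) per risky file rule."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].strip().rstrip(",").split()
        if "deny" in words:
            continue  # deny rules grant no exec transition
        if "->" in words:
            words = words[:words.index("->")]  # drop named target
        words = [w for w in words if w not in QUALIFIERS]
        if len(words) != 2:
            continue  # not a simple "path perms" / "perms path" rule
        path, perms = words
        if not path.startswith(("/", "@{")):
            path, perms = perms, path  # leading-permission form
        if not PERMS.fullmatch(perms):
            continue
        mode = UNCONFINED.search(perms)
        if mode:
            # Upper-case U means the environment is scrubbed on exec.
            scrubbed = mode.group(0)[-2] == "U"
            findings.append((no, path, mode.group(0), scrubbed))
    return findings


if __name__ == "__main__":
    for finding in audit_local(SAMPLE_LOCAL):
        print(finding)
```

Rules it reports with a lower-case mode (ux, pux, cux) deserve the closest look, since the environment is not scrubbed before the unconfined program starts.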