Skip to content

Installation

Danger

In order to not break your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the Enforce Mode page.

Requirements

AppArmor

An apparmor based Linux distribution is required. The basic profiles and abstractions shipped with AppArmor must be installed.

Desktop environment

The following desktop environments are supported:

  • Gnome
  • KDE (work in progress)

Build dependencies

  • Go >= 1.18

Archlinux

apparmor.d-git is available in the Arch User Repository: 

yay -S apparmor.d-git  # or your preferred AUR install method

Or without an AUR helper: 

git clone https://aur.archlinux.org/apparmor.d-git.git
cd apparmor.d-git
makepkg -si

Ubuntu & Debian

Build the package from sources: 

sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb

Tip

If you have devscripts installed, you can use the one liner: 

make dpkg

Note

Debian user may need golang from the backports repository to build: 

echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt install -t bookworm-backports golang-go

OpenSUSE

OpenSUSE users need to add cboltz repo on OBS 

zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo
zypper refresh
zypper install apparmor.d

Partial install

For test purposes, you can install specific profiles with the following commands. Abstractions, tunables, and most of the OS dependent post-processing is managed.

make
sudo make profile-names...

Warning

Partial installation is discouraged because profile dependencies are not fetched. To prevent some apparmor issues, the dependencies are automatically switched to unconfined (rPx -> rPUx). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see #77)

For instance, sudo make pass gives: 

Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip           rPx,
@{bin}/python3.[0-9]* rPx -> pass-import,  # pass-import
    @{bin}/pager         rPx -> child-pager,
    @{bin}/less          rPx -> child-pager,
    @{bin}/more          rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
So, you can install the additional profiles wl-copy, xclip, pass-import, and child-pager if desired.

Uninstall

  • Archlinux sudo pacman -R apparmor.d
  • Ubuntu & Debian sudo apt purge apparmor.d