Skip to content



To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the Enforce Mode page.

After installation, you must regularly check AppArmor log with aa-log. You can also configure a desktop notification on denied actions.


Do not expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature.



An AppArmor supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.

Desktop environment

The following desktop environments are supported:

  • Gnome
  • KDE
  • XFCE (work in progress)

Build dependency

  • Go >= 1.18

Arch Linux

apparmor.d-git is available in the Arch User Repository:

yay -S apparmor.d-git  # or your preferred AUR install method

Or without an AUR helper:

git clone
cd apparmor.d-git
makepkg -si

Ubuntu & Debian

Build the package from sources:

sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb


If you have devscripts installed, you can use the one liner:

make dpkg


Debian user may need golang from the backports repository to build:

echo 'deb bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt install -t bookworm-backports golang-go


Beware: do not install a .deb made for Debian on Ubuntu, the packages are different.

If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting DISTRIBUTION=debian if is Debian based, or DISTRIBUTION=ubuntu if it is Ubuntu based.


openSUSE users need to add cboltz repo on OBS

zypper addrepo
zypper refresh
zypper install apparmor.d

Partial install

For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.

sudo make profile-names...


Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (rPx -> rPUx). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see #77)

For instance, sudo make pass gives:

Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
@{bin}/xclip           rPx,
@{bin}/python3.@{int} rPx -> pass-import,  # pass-import
    @{bin}/pager         rPx -> child-pager,
    @{bin}/less          rPx -> child-pager,
    @{bin}/more          rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
So, you can install the additional profiles wl-copy, xclip, pass-import, and child-pager if desired.


  • Arch Linux sudo pacman -R apparmor.d
  • Ubuntu & Debian sudo apt purge apparmor.d
  • openSUSE sudo zypper remove apparmor.d