Linux repositories inspector

apparmor - Mandatory Access Control (MAC) using Linux Security Module (LSM)

apparmor provides the system initialization scripts needed to use the AppArmor Mandatory Access Control system, including the AppArmor Parser which is required to convert AppArmor text profiles into machine-readable policies that are loaded into the kernel for use with the AppArmor Linux Security Module.
2.13.3
Arch iconArch rolling
2.13.2
Debian iconDebian 10.0
Manjaro iconManjaro rolling
Ubuntu iconUbuntu 19.04
Ubuntu iconUbuntu 19.10
2.12
Ubuntu iconUbuntu 18.04 LTS
Ubuntu iconUbuntu 18.10
2.11.0
Debian iconDebian 9.0
Ubuntu iconUbuntu 17.10
2.10.95
Ubuntu iconUbuntu 16.04 LTS
DistributionVersionSincePackageInstalledPackager
Arch iconArch rolling extra/osxz2.13.3-2Jul 11968 kiB3.76 MiB
Debian iconDebian 10.0 buster/maindeb2.13.2-10Apr 01525 kiB1.79 MiB
Debian iconDebian 9.0 stretch/maindeb2.11.0-3+deb9u22018-03-14513 kiB1.76 MiB
Manjaro iconManjaro rolling stable/communityxz2.13.2-2Jan 19952 kiB3.69 MiB
Manjaro iconManjaro rolling testing/communityxz2.13.2-2Jan 14952 kiB3.69 MiB
Manjaro iconManjaro rolling unstable/communityxz2.13.2-2Jan 14952 kiB3.69 MiB
Ubuntu iconUbuntu 17.10 artful/maindeb2.11.0-2ubuntu172017-11-10474 kiB1.8 MiB
Ubuntu iconUbuntu 17.10 artful-updates/maindeb2.11.0-2ubuntu17.12018-02-08473 kiB1.8 MiB
Ubuntu iconUbuntu 18.04 LTS bionic/maindeb2.12-4ubuntu52018-06-12476 kiB1.8 MiB
Ubuntu iconUbuntu 18.04 LTS bionic-security/maindeb2.12-4ubuntu5.1Jan 12475 kiB1.8 MiB
Ubuntu iconUbuntu 18.04 LTS bionic-updates/maindeb2.12-4ubuntu5.1Jan 12475 kiB1.8 MiB
Ubuntu iconUbuntu 18.10 cosmic/maindeb2.12-4ubuntu8Jan 14474 kiB1.82 MiB
Ubuntu iconUbuntu 19.04 disco/maindeb2.13.2-9ubuntu6Jun 17488 kiB1.88 MiB
Ubuntu iconUbuntu 19.04 disco-proposed/maindeb2.13.2-9ubuntu6.1Jun 24488 kiB1.88 MiB
Ubuntu iconUbuntu 19.10 eoan/maindeb2.13.2-9ubuntu7Jun 17489 kiB1.89 MiB
Ubuntu iconUbuntu 16.04 LTS xenial/maindeb2.10.95-0ubuntu22017-11-10434 kiB1.6 MiB
Ubuntu iconUbuntu 16.04 LTS xenial-security/maindeb2.10.95-0ubuntu2.11Jun 17440 kiB1.61 MiB
Ubuntu iconUbuntu 16.04 LTS xenial-updates/maindeb2.10.95-0ubuntu2.11Jun 17440 kiB1.61 MiB

Manual pages

aa-enabled(1)

aa-enabled - test whether AppArmor is enabled

aa-exec(1)

aa-exec - confine a program with the specified AppArmor profile

aa_change_hat(2)

aa_change_hat - change to or from a "hat" within a AppArmor profile

aa_change_profile(2)

aa_change_profile, aa_change_onexec - change a tasks profile

aa_find_mountpoint(2)

aa_is_enabled - determine if apparmor is available aa_find_mountpoint - find where the apparmor interface filesystem is mounted

aa_getcon(2)

aa_getprocattr_raw, aa_getprocattr - read and parse procattr data aa_getcon, aa_gettaskcon - get task confinement information aa_getpeercon - get the confinement of a socket’s other end (peer)

aa_query_label(2)

aa_query_label - query access permission associated with a label aa_query_file_path, aa_query_file_path_len - query access permissions of a file path aa_query_link_path, aa_query_link_path_len - query access permissions of a link path

aa_stack_profile(2)

aa_stack_profile, aa_stack_onexec - combine multiple profiles to confine a task

aa_splitcon(3)

aa_splitcon - split the confinement context into a label and mode

apparmor.d(5)

apparmor.d - syntax of security profiles for AppArmor.

apparmor.vim(5)

apparmor.vim - vim syntax highlighting file for AppArmor profiles

logprof.conf(5)

logprof.conf - configuration file for expert options that modify the behavior of the AppArmor aa-logprof(1) program.

subdomain.conf(5)

/etc/apparmor/subdomain.conf - configuration file for fine-tuning the behavior of the AppArmor security tool.

apparmor(7)

AppArmor - kernel enhancement to confine programs to a limited set of resources.

aa-audit(8)

aa-audit - set an AppArmor security profile to audit mode.

aa-autodep(8)

aa-autodep - guess basic AppArmor profile requirements

aa-cleanprof(8)

aa-cleanprof - clean an existing AppArmor security profile.

aa-complain(8)

aa-complain - set an AppArmor security profile to complain mode.

aa-decode(8)

aa-decode - decode hex-encoded in AppArmor log files

aa-disable(8)

aa-disable - disable an AppArmor security profile

aa-easyprof(8)

aa-easyprof - AppArmor profile generation made easy.

aa-enabled(8)

aa-enabled - test whether AppArmor is enabled

aa-enforce(8)

aa-enforce - set an AppArmor security profile to enforce mode from being disabled or complain mode.

aa-exec(8)

aa-exec - confine a program with the specified AppArmor profile

aa-genprof(8)

aa-genprof - profile generation utility for AppArmor

aa-logprof(8)

aa-logprof - utility for updating AppArmor security profiles

aa-mergeprof(8)

aa-mergeprof - merge AppArmor security profiles.

aa-notify(8)

aa-notify - display information about logged AppArmor messages.

aa-remove-unknown(8)

aa-remove-unknown - remove unknown AppArmor profiles

aa-status(8)

aa-status - display various information about the current AppArmor policy.

aa-teardown(8)

aa-teardown - unload all AppArmor profiles

aa-unconfined(8)

aa-unconfined - output a list of processes with tcp or udp ports that do not have AppArmor profiles loaded

apparmor_parser(8)

apparmor_parser - loads AppArmor profiles into the kernel

apparmor_status(8)

aa-status - display various information about the current AppArmor policy.

mod_apparmor(8)

mod_apparmor - fine-grained AppArmor confinement for Apache

Latest updates

Arch rolling icon

Arch rolling community/os: Version 2.13.3-2 removed

Jul 11
Arch rolling icon

Arch rolling extra/os: Version 2.13.3-2 introduced

Jul 11
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Version 2.13.2-9ubuntu6.1 introduced

Jun 24
Arch rolling icon

Arch rolling community/os: Updated from 2.13.2-4 to 2.13.3-2

Jun 19
Ubuntu 19.10 icon

Ubuntu 19.10 eoan/main: Version 2.13.2-9ubuntu7 introduced

Jun 17
Arch rolling icon

Arch rolling community/os: Updated from 2.13.2-2 to 2.13.2-4

Jun 17
Ubuntu 19.04 icon

Ubuntu 19.04 disco/main: Updated from 2.13.2-9ubuntu5 to 2.13.2-9ubuntu6

Jun 17
Ubuntu 16.04 LTS icon

Ubuntu 16.04 LTS xenial-updates/main: Updated from 2.10.95-0ubuntu2.10 to 2.10.95-0ubuntu2.11

Jun 17
Ubuntu 16.04 LTS icon

Ubuntu 16.04 LTS xenial-security/main: Updated from 2.10.95-0ubuntu2.10 to 2.10.95-0ubuntu2.11

Jun 17
Ubuntu 19.04 icon

Ubuntu 19.04 disco/main: Updated from 2.13.2-9ubuntu4 to 2.13.2-9ubuntu5

Apr 03
  • ubuntu/dont-include-site-local-with-dovecot.patch: don't include local/ files in the dovecot extras profiles since the included path may not exist
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Version 2.13.2-9ubuntu5 removed

Apr 03
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Updated from 2.13.2-9ubuntu4 to 2.13.2-9ubuntu5

Apr 02
  • ubuntu/dont-include-site-local-with-dovecot.patch: don't include local/ files in the dovecot extras profiles since the included path may not exist
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Version 2.13.2-9ubuntu4 reintroduced

Apr 02
  • debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile
Ubuntu 19.04 icon

Ubuntu 19.04 disco/main: Updated from 2.12-4ubuntu10 to 2.13.2-9ubuntu4

Apr 02
  • debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Version 2.13.2-9ubuntu4 removed

Apr 02
Debian 10.0 icon

Debian 10.0 buster/main: Updated from 2.13.2-9 to 2.13.2-10

Apr 01
  • Don't load AppArmor policy when running in a Debian Live environment that uses overlayfs (Closes: #922378).
    Rationale: the storage stack set up by live-boot with overlayfs is not supported by our AppArmor policy at the moment, resulting in breakage of confined software such as Evince and LibreOffice.
  • Ship nvidia_modprobe in enforce mode (Closes: #923273).
    • Rationale: as explained by Seth Arnold <> on #923273#32, profiles in complain mode can chew up essentially unlimited amounts of non-swappable kernel memory and huge amounts of IO bandwidth logging ALLOWED messages, which can in turn use large amounts of storage. This is why Ubuntu has applied this change already for their upcoming release.
    • Scope of this change: in Buster, this profile is used in one single place — the usr.lib.libreoffice.program.soffice.bin profile — for which it was developed and tested in the first place. So the risk and potential problematic impact of this change seems pretty low.
  • Cherry-pick the most important and non-invasive fixes from the upstream apparmor-2.13 maintenance branch:
    • base abstraction: allow mr on *.so* in common library paths,
      1. e. don't assume all common libraries' name starts with "lib".
      At the very least, this fixes Qt5 applications under some VirtualBox graphics configuration, where otherwise they would not start at all (Closes: Tails#16414).
      Upstream commits: 8dff7dc, 08f9d16
    • Fix 2 segfaults spotted upstream while writing automated tests for the multicache support (upstream MR!348):

      · in overlaydirat_for_each, segfault caused by repeatedly freeing

      the same memory area;

      · when loading policy cache files, due to incorrect size passed

      to qsort().

      Upstream commits: 5704fba, 01aec04

Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Updated from 2.13.2-9ubuntu3 to 2.13.2-9ubuntu4

Mar 27
  • debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Updated from 2.13.2-9ubuntu2 to 2.13.2-9ubuntu3

Mar 27
  • debian/tests/control: try Ubuntu kernel but mark skip-not-installable
  • debian/apparmor-profiles.postinst: add back copying ubuntu-browsers.d/chromium-browser (LP: #1821920)
  • debian/apparmor.postrm: remove parser-created subdirs
Ubuntu 19.04 icon

Ubuntu 19.04 disco-proposed/main: Version 2.13.2-9ubuntu2 introduced

Mar 26
  • debian/debhelper/postrm-apparmor: don't quote the glob
  • debian/apparmor.preinst: remove cache files on upgrade to 2.13
Debian 10.0 icon

Debian 10.0 buster/main: Updated from 2.13.2-7 to 2.13.2-9

Mar 10
  • Revert "Add autopkgtest that checks if apparmor.service starts on package installation". It passes with the schroot and qemu backends locally but fails on ci.debian.net.

Related packages

apparmor-abstractions - AppArmor abstractions and directory structure
apparmor-debugsource - Debug sources for package apparmor
apparmor-docs - AppArmor Documentation package
apparmor-easyprof - AppArmor easyprof profiling tool
apparmor-easyprof-ubuntu - AppArmor easyprof templates for Ubuntu
apparmor-notify - AppArmor notification system
apparmor-parser - AppArmor userlevel parser utility
apparmor-parser-debuginfo - Debug information for package apparmor-parser
apparmor-parser-lang - Translations for package apparmor
apparmor-profiles - AppArmor profiles that are loaded into the apparmor kernel module
apparmor-profiles-extra - Extra profiles for AppArmor Security policies
apparmor-rpm-macros - RPM macros used to setup apparmor profiles
apparmor-utils - AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
apparmor-utils-lang - Translations for package apparmor
⇧ Top