How to Use AppArmor for Security on Arch Linux

In the realm of Linux security, AppArmor is one of the key tools available for implementing Mandatory Access Control (MAC). It provides a framework for restricting programs’ capabilities with per-program profiles, offering an additional layer of security beyond traditional Unix file permissions and discretionary access controls.

While AppArmor is most commonly associated with distributions like Ubuntu and openSUSE, it is also available on Arch Linux. This guide will walk you through how to install, configure, and manage AppArmor on Arch Linux to enhance system security.

What is AppArmor?

AppArmor (Application Armor) is a Linux kernel security module that restricts the capabilities of programs by enforcing security policies through profiles. These profiles define what resources a given program is allowed to access — such as files, directories, network access, and capabilities.

Unlike SELinux, which uses labeling and is often considered more complex, AppArmor uses path-based access controls, which many users find simpler to manage. AppArmor profiles can be customized to enforce different levels of restriction depending on the trustworthiness and needs of the application.

Why Use AppArmor on Arch Linux?

Arch Linux is known for its simplicity and user control, and while it doesn’t come with AppArmor pre-installed, it fully supports it through the kernel and user-space utilities. Using AppArmor on Arch can significantly reduce the risk of system compromise by confining potentially vulnerable or exposed applications.

With AppArmor, you can:

  • Limit damage from exploited services
  • Enforce least privilege on applications
  • Monitor and audit application behavior
  • Reduce the attack surface of your system

Prerequisites

Before diving into AppArmor setup, ensure you have:

  • A system running Arch Linux (fully updated)
  • Root or sudo privileges
  • Basic familiarity with the terminal and text editing

Step 1: Install AppArmor Packages

Arch Linux provides the necessary AppArmor tools through the official repositories. Begin by installing the required packages:

sudo pacman -S apparmor apparmor-utils

You might also want to install audit for additional logging capabilities:

sudo pacman -S audit

Step 2: Enable AppArmor in the Kernel

Arch Linux does not enable AppArmor by default. You need to pass the appropriate kernel parameters at boot to activate it.

  1. Edit your GRUB configuration:

     sudo nano /etc/default/grub

  2. Find the line that begins with GRUB_CMDLINE_LINUX_DEFAULT and add the following parameters:

     apparmor=1 security=apparmor

     For example:

     GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet apparmor=1 security=apparmor"

  3. Regenerate the GRUB configuration:

     sudo grub-mkconfig -o /boot/grub/grub.cfg

  4. Reboot your system:

     sudo reboot

  5. After rebooting, verify that AppArmor is active:

     cat /sys/module/apparmor/parameters/enabled

If the output is Y, AppArmor is successfully enabled.
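The edit in this step is easy to script so that it can be re-run safely. The POSIX sh snippet below is an added example and not part of the original guide: the functions add_kernel_params, get_kernel_params and apparmor_enabled are my own names, and the demo at the bottom works on a constructed copy of /etc/default/grub (sample values) rather than on the real file, so it can be tried without root.

```shell
#!/bin/sh
# Added example, not from the original article. Idempotently append kernel
# parameters to GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file, then
# check whether the running kernel reports AppArmor as enabled.
# Uses GNU sed -i (Arch Linux ships GNU sed).

# Usage: get_kernel_params FILE
# Prints the value of GRUB_CMDLINE_LINUX_DEFAULT without the quotes.
get_kernel_params() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Usage: add_kernel_params FILE PARAM...
# Appends each PARAM to GRUB_CMDLINE_LINUX_DEFAULT unless that exact word is
# already present, so running it twice does not duplicate parameters.
# (Parameters containing '|' or '&' would need escaping for the sed below.)
add_kernel_params() {
    file=$1; shift
    for param in "$@"; do
        current=$(get_kernel_params "$file")
        case " $current " in
            *" $param "*) ;;                      # already present
            *)
                new="$current $param"
                new=${new# }                      # no leading space when current was empty
                sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
                ;;
        esac
    done
}

# Usage: apparmor_enabled [SYSFS_FILE]
# Succeeds (exit 0) when the kernel reports AppArmor as enabled, i.e. the
# parameters file contains "Y". The path is overridable for testing.
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Demo on a constructed copy of /etc/default/grub (sample content, not a real system file).
demo() {
    tmp=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"\n' > "$tmp"
    add_kernel_params "$tmp" apparmor=1 security=apparmor
    add_kernel_params "$tmp" apparmor=1          # second call must not duplicate
    get_kernel_params "$tmp"                     # loglevel=3 quiet apparmor=1 security=apparmor
    if apparmor_enabled; then echo "AppArmor is enabled in the running kernel"; fi
    rm -f "$tmp"
}
demo
```

On a real system you would call add_kernel_params /etc/default/grub apparmor=1 security=apparmor as root and then regenerate grub.cfg as in step 3; the function only rewrites the one line and leaves everything else in the file untouched.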

Step 3: Enable AppArmor Services

AppArmor uses a systemd service to load and enforce profiles. Enable and start the AppArmor service:

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can also enable the audit daemon if you installed it earlier:

sudo systemctl enable auditd
sudo systemctl start auditd

Step 4: Understanding AppArmor Profiles

AppArmor profiles are stored in /etc/apparmor.d/. Each file in this directory corresponds to a program and defines the rules that govern what it can and cannot do.

There are three profile modes:

  • Enforce: The rules are strictly enforced.
  • Complain: Violations are logged but not enforced — useful for testing.
  • Unconfined: The application runs without any restrictions.

You can check the status of all loaded profiles with:

sudo apparmor_status

Step 5: Load and Manage Profiles

The apparmor package ships a set of default profiles (most of them originating from Ubuntu), but on Arch Linux you may still need to create or download profiles for the programs you want to confine. Additional ready-made profiles are available in the AUR package apparmor-profiles.

To install it:

yay -S apparmor-profiles

After installation, load (or reload) all profiles. apparmor_parser accepts a directory argument and processes the profile files in it; passing the directory rather than a shell glob avoids feeding the abstractions/ and tunables/ subdirectories, which are not profiles, to the parser:

sudo apparmor_parser -r /etc/apparmor.d/

To set a specific profile to enforce or complain mode:

sudo aa-enforce /etc/apparmor.d/usr.bin.foo
sudo aa-complain /etc/apparmor.d/usr.bin.foo

To unload a profile:

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.foo

Step 6: Creating Your Own AppArmor Profiles

If you want to create a custom profile for an application, you can use aa-genprof or aa-autodep.

Here’s a simple workflow using aa-genprof:

  1. Start aa-genprof for the target application (it creates a skeleton profile in complain mode and watches the logs):

     sudo aa-genprof /usr/bin/myapp

  2. In another terminal, run your application and simulate normal usage. AppArmor will monitor and log access attempts.

  3. Once you’ve finished, return to the aa-genprof terminal and walk through the prompts to allow or deny each type of access.

  4. Save the generated profile.

This interactive method helps in building effective and non-breaking profiles.

Step 7: Monitoring and Troubleshooting

AppArmor logs are typically sent to the system journal. You can inspect them using:

journalctl -k | grep apparmor

Or, if you are using auditd, check:

sudo ausearch -m avc,apparmor

These logs are invaluable when tuning profiles or debugging why an application is not behaving as expected.
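When tuning a profile (Step 6) or debugging denials (this step), the first thing you want is a count of which profile was denied what, and then a first cut at the rules that would allow it. The POSIX sh snippet below is an added example and not part of the original guide or of the AppArmor tools: summarize_denials and suggest_rules are my own names, the mask translation (log letters c and d become profile permission w) is a deliberate simplification of what aa-logprof does properly, and SAMPLE_LOG is a constructed set of kernel audit lines in the format AppArmor emits, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the original article. Summarise AppArmor DENIED
# records (as printed by `journalctl -k`) and turn them into candidate
# profile rules for review. aa-logprof remains the authoritative tool.
export LC_ALL=C   # deterministic sort order

# Constructed sample of kernel audit lines (not real system output).
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="open" class="file" profile="/usr/local/bin/backup.sh" name="/etc/ld.so.cache" pid=4242 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="open" class="file" profile="/usr/local/bin/backup.sh" name="/etc/ld.so.cache" pid=4243 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:13): apparmor="DENIED" operation="open" class="file" profile="/usr/local/bin/backup.sh" name="/mnt/backup/2024/archive.tar" pid=4243 comm="tar" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="capable" class="cap" profile="/usr/local/bin/backup.sh" pid=4243 comm="tar" capability=21 capname="sys_admin"
audit: type=1400 audit(1700000000.105:15): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/foo" name="/tmp/x" pid=1 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Extract one key="value" field from a single audit line (empty if absent).
field() { printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"; }

# Usage: ... | summarize_denials
# Reads audit lines on stdin, keeps only apparmor="DENIED" records and prints
# "COUNT PROFILE OPERATION NAME MASK", most frequent first. For capability
# denials NAME is the capability name and MASK is "-".
summarize_denials() {
    while IFS= read -r line; do
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        prof=$(field profile "$line")
        op=$(field operation "$line")
        name=$(field ' name' "$line")            # leading space: do not match capname=
        [ -n "$name" ] || name=$(field capname "$line")
        mask=$(field requested_mask "$line")
        printf '%s %s %s %s\n' "$prof" "$op" "${name:--}" "${mask:--}"
    done | sort | uniq -c | sort -k1,1nr -k2 \
         | awk '{ printf "%d %s %s %s %s\n", $1, $2, $3, $4, $5 }'
}

# Usage: ... | suggest_rules
# Converts the summary into candidate profile rules. Simplified mapping:
# log mask letters c (create) and d (delete) become profile permission w.
suggest_rules() {
    summarize_denials | while read -r count prof op name mask; do
        case $op in
            capable) printf '  capability %s,\n' "$name" ;;
            *)
                perm=$(printf '%s' "$mask" | sed 's/[cd]/w/g' | fold -w1 | sort -u | tr -d '\n')
                printf '  %s %s,\n' "$name" "$perm"
                ;;
        esac
    done | sort -u
}

# Demo on the constructed sample; on a live system use: journalctl -k | suggest_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

Review every suggested rule before adding it to a profile: a denial is evidence that the program tried something, not that it should be allowed, and a single broad /** rule granted because it silenced a log line defeats the purpose of confinement.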

Step 8: Hardening with AppArmor

To enhance security, consider enabling AppArmor on:

  • Web servers (e.g., Nginx, Apache)
  • Database services (e.g., PostgreSQL, MySQL)
  • Email servers (e.g., Postfix, Dovecot)
  • Desktop applications exposed to the web (e.g., browsers, mail clients)

Here’s a small example of a restrictive profile for a script /usr/local/bin/backup.sh:

# /etc/apparmor.d/usr.local.bin.backup.sh
# Variable definitions such as tunables/global belong at the top level,
# outside the profile block.
#include <tunables/global>

/usr/local/bin/backup.sh {
  # Shared libraries, locale data and the other basics every program needs
  #include <abstractions/base>

  capability dac_override,
  capability chown,

  # The interpreter and the script itself; ix keeps bash inside this profile.
  # Arch merges /bin into /usr/bin, so allow both spellings of the path.
  /{usr/,}bin/bash rix,
  /usr/local/bin/backup.sh r,

  # The backup destination: the directory itself and everything under it
  /mnt/backup/ rw,
  /mnt/backup/** rw,
  /var/log/backup.log w,
}

After creating this file, load it with:

sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.backup.sh

And check that it’s active:

sudo apparmor_status

AppArmor vs SELinux

While both SELinux and AppArmor provide similar security functionality, they take different approaches. SELinux is label-based and very granular, but it comes with a steep learning curve. AppArmor, being path-based, is often more intuitive and easier to manage for users who need fast, effective confinement.

For Arch users who value control and customization, AppArmor strikes a good balance between usability and security.

Conclusion

AppArmor is a powerful and flexible security framework that can greatly improve the security posture of your Arch Linux system. By carefully defining what applications can access and perform, AppArmor minimizes the risk of exploitation and data leakage.

Although it requires some manual setup on Arch Linux, the benefits far outweigh the initial effort. Once enabled and configured, AppArmor can quietly and efficiently guard your system against many types of threats.

Whether you’re securing a personal laptop, a development environment, or a production server, AppArmor is an excellent addition to your Linux security toolkit.