AppArmor
E37339
AppArmor is a Linux kernel security module that confines programs to a limited set of resources using per-application security profiles to reduce the impact of vulnerabilities and attacks.
Statements (70)
| Predicate | Object |
|---|---|
| instanceOf | Linux security module, kernel security module, mandatory access control system |
| advantage | easier profile management, per-application configuration |
| comparedTo | SELinux |
| configurationFile | /etc/apparmor/parser.conf |
| controls | capabilities, execution of programs, file system access, mount operations, network access, ptrace permissions, signal permissions |
| designApproach | path-based confinement |
| developer | Canonical Ltd., Immunix, Novell, SUSE |
| distributionSupport | Arch Linux, Debian, Fedora Linux (surface form: Fedora), SUSE (surface form: SUSE Linux Enterprise), Ubuntu, openSUSE |
| documentation | https://gitlab.com/apparmor/apparmor/-/wikis/home |
| feature | capability rules, complain mode, dbus rules, enforce mode, file path rules, hat subprofiles, learning mode, mount rules, network rules, profile abstractions, profile inheritance, profile stacking, profile templates, ptrace rules, signal rules |
| implements | Linux Security Modules API |
| introducedInMainlineKernelVersion | 2.6.36 |
| kernelInterface | /sys/kernel/security/apparmor |
| license | GNU General Public License |
| logSource | kernel audit subsystem, syslog |
| operatingSystem | Linux |
| primaryGoal | application confinement, least privilege enforcement, mitigation of software vulnerabilities |
| profileDirectory | /etc/apparmor.d |
| securityModel | mandatory access control, path-based access control |
| sourceCodeRepository | https://gitlab.com/apparmor/apparmor |
| supports | confinement of containers, confinement of desktop applications, confinement of system services, profile mediation for individual binaries |
| usedBy | Snap packages on Ubuntu |
| usedFor | reducing impact of application compromises, restricting access to system resources |
| userSpaceTool | aa-complain, aa-disable, aa-enforce, aa-genprof, aa-logprof, aa-status, apparmor_parser |
| uses | per-application security profiles |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.