AppArmor Profiles

AppArmor is installed and loaded by default starting with Ubuntu 7.10 (Gutsy). Some packages will install their own profiles (usually in enforcing mode), while additional profiles can be found in the apparmor-profiles and apparmor-profiles-extra packages from the Universe repository.

Supported profiles in main

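| Source package/binary | 8.04 LTS | 9.04 | 9.10 | 10.04 LTS | 10.10 | 11.04 | 11.10 | 12.04 LTS | 12.10 | 13.04 | 13.10 | 14.04 LTS | 14.10 | 15.04 | 15.10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cups (cupsd) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| OpenLDAP (slapd) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| MySQL (mysqld) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Bind (named) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Akonadi (mysqld) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ClamAV (clamd,freshclam) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| gdm-guest-session | -- | yes | yes | yes | yes | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | yes |
| tcpdump | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ISC Dhcpd (dhcpd3/dhcpd) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ISC Dhcp client (dhclient3/dhclient) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Evince | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| NTP (ntpd) [1] | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Firefox (firefox-3.5/firefox) | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| Libvirt (libvirtd and kvm/qemu guests) | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Apache (apache2) | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| Telepathy | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Lightdm guest session | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| juju | -- | -- | -- | -- | -- | -- | -- | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] |
| rsyslog | -- | -- | -- | -- | -- | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| quassel-core | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes |
| LXC | -- | -- | -- | -- | -- | -- | -- | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] |
| MAAS dhcpd (dhcpd) | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes |
| squid3 | -- | -- | -- | -- | -- | -- | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| lightdm-remote-session-freerdp | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| lightdm-remote-session-uccsconfigure | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| AppStore apps (click) [5] | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| Cups filters (cups-browsed) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| Telepathy (ofono) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| sssd | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| StrongSwan (stroke/lookip) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| media-hub | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| mediascanner2 | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| libvirt (containers) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes |
| ubuntu-download-manager (extractor) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes |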

  1. A complain-mode only profile was provided in the apparmor-profiles package in Ubuntu 9.04 and earlier

  2. Will be disabled by default and be opt-in for advanced users

  3. https://juju.ubuntu.com/AppArmor

  4. Preliminary support

  5. Apps in the Ubuntu AppStore are confined with AppArmor by default. See ApplicationConfinement for details

Community supported profiles

Some of the following profiles are found in the apparmor-profiles and apparmor-profiles-extra packages. These profiles are usually in complain mode and in various stages of development, but can in general be used with some modification. Profiles in this list that are not from the apparmor-profiles package are community contributed or come from Debian.

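| Binary | 8.04 LTS | 9.04 | 9.10 | 10.04 LTS | 10.10 | 11.04 | 11.10 | 12.04 LTS | 12.10 | 13.04 | 13.10 | 14.04 LTS | 14.10 | 15.04 | 15.10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| avahi-daemon | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| dnsmasq | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| identd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| klogd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| mdnsd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| nmbd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| nscd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ntpd [1] | yes | yes | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes |
| ping | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| smbd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| syslogd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| syslog-ng | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| traceroute | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| dovecot | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| phpsysinfo [2] | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| chromium-browser | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| digikam | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| tor | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| vidalia | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| fwknop | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| pollen | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| tlsdate | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
| torbrowser-launcher | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes |
| docker.io | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes |
| apt-cacher-ng | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |
| gst-plugin-scanner | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |
| irssi | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |
| pidgin | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |
| totem | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |
| totem previewers | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes |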

  1. An enforcing profile for ntpd moved to the ntp package in Ubuntu 9.10

  2. Must be used with the apache2 profile and the libapache2-mod-apparmor module

Other profiles

Profiles in active development can be found in the public repository (see AppArmor Profiles). Unmaintained profiles can be found in the /usr/share/doc/apparmor-profiles/extras directory of the apparmor-profiles package. Files from either location may not work at all and will likely require significant effort to run on your system.

Filing Bugs

When filing bugs against an installed AppArmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor.



SecurityTeam/KnowledgeBase/AppArmorProfiles (last edited 2015-05-05 11:52:27 by mdeslaur)