AppArmorProfiles

AppArmor Profiles

AppArmor is installed and loaded by default starting with Ubuntu 7.10 (Gutsy). Some packages will install their own profiles (usually in enforcing mode), while additional profiles can be found in the apparmor-profiles and apparmor-profiles-extra packages from the Universe repository.

Supported profiles in main

Source package/binary

12.04 LTS

14.04 LTS

16.04 LTS

18.04 LTS

20.04 LTS

20.10

Akonadi (mysqld)

yes

yes

yes

yes

yes

yes

Apache (apache2)

yes1

yes1

yes1

yes1

yes

yes

Bind (named)

yes

yes

yes

yes

yes

yes

ClamAV (clamd,freshclam)

yes

yes

yes

yes

yes

yes

Cups (cupsd)

yes

yes

yes

yes

yes

yes

Evince

yes

yes

yes

yes

yes

yes

Firefox (firefox-3.5/firefox)

yes1

yes1

yes1

yes1

yes

yes

gdm-guest-session

N/A

N/A

yes

yes

yes

yes

ISC Dhcpd (dhcpd3/dhcpd)

yes

yes

yes

yes

yes

yes

ISC Dhcp client (dhclient3/dhclient)

yes

yes

yes

yes

yes

yes

juju

yes2

yes2

yes2

yes2

yes

yes

Libvirt (libvirtd and kvm/qemu guests)

yes

yes

yes

yes

yes

yes

Lightdm guest session

yes

yes

yes

--

--

--

LXC

yes3

yes3

yes3

yes3

yes

yes

MAAS dhcpd (dhcpd)

yes

yes

yes

yes

--

--

MySQL (mysqld)

yes

yes

yes

yes

yes

yes

NTP (ntpd)

yes

yes

yes

--

--

--

OpenLDAP (slapd)

yes

yes

yes

yes

yes

yes

quassel-core

yes

yes

yes

yes

yes

yes

rsyslog

yes1

yes1

yes1

yes1

yes

yes

tcpdump

yes

yes

yes

yes

yes

yes

Telepathy

yes

yes

yes

--

--

--

AppStore apps (click)4

--

yes

yes

--

--

--

Cups filters (cups-browsed)

--

yes

yes

yes

yes

yes

lightdm-remote-session-freerdp

--

yes

yes

--

--

--

lightdm-remote-session-uccsconfigure

--

yes

yes

--

--

--

media-hub

--

yes

yes

--

--

--

mediascanner2

--

yes

yes

--

--

--

squid3

--

yes1

yes1

yes1

yes

yes

sssd

--

yes1

yes1

yes1

yes

yes

StrongSwan (stroke/lookip)

--

yes

yes

yes

yes

yes

Telepathy (ofono)

--

yes

yes

yes

yes

yes

AppStore apps (snappy)5

--

--

yes

yes

yes

yes

libvirt (libvirt-lxc containers)

--

--

yes

yes

yes

yes

LXD

--

--

yes

yes

yes

yes

snap-confine (aka ubuntu-core-launcher)

--

--

yes

yes

yes

yes

ubuntu-download-manager (extractor)

--

--

yes

--

--

--

webbrowser-app

--

--

yes

--

--

--

chrony

--

--

--

yes

yes

yes

ippusbxd

--

--

--

yes

yes

yes

libreoffice6

--

--

--

yes

yes

yes

man-db

--

--

--

yes

yes

yes

mozc

--

--

--

yes

yes

yes

anope

--

--

--

--

--

yes

  1. Disabled by default and be opt-in for advanced users
  2. https://juju.ubuntu.com/AppArmor

  3. Preliminary support
  4. Ubuntu Touch apps in the Ubuntu AppStore are confined with AppArmor by default. See ApplicationConfinement for details

  5. Apps in the Ubuntu AppStore are confined with AppArmor by default. See the security guide for details

  6. Mixture of enforce and complain mode profiles

Community supported profiles

Some of the following profiles are found in the apparmor-profiles and apparmor-profiles-extra packages and these profiles usually are in complain mode and are in various stages of development, but can in general be used with some modification. Profiles in this list not from the apparmor-profiles package are community contributed or come from Debian.

Binary

12.04 LTS

14.04 LTS

16.04 LTS

18.04 LTS

20.04 LTS

20.10

avahi-daemon

yes

yes

yes

yes

yes

yes

chromium-browser

yes

yes

yes

yes

yes

yes

digikam

yes

yes

yes

yes

yes

yes

dnsmasq

yes

yes

yes

yes

yes

yes

dovecot

yes

yes

yes

yes

yes

yes

identd

yes

yes

yes

yes

yes

yes

klogd

yes

yes

yes

yes

yes

yes

mdnsd

yes

yes

yes

yes

yes

yes

nmbd

yes

yes

yes

yes

yes

yes

nscd

yes

yes

yes

yes

yes

yes

phpsysinfo1

yes

yes

yes

yes

yes

yes

ping

yes

yes

yes

yes

yes

yes

smbd

yes

yes

yes

yes

yes

yes

syslogd

yes

yes

yes

yes

yes

yes

syslog-ng

yes

yes

yes

yes

yes

yes

traceroute

yes

yes

yes

yes

yes

yes

fwknop

--

yes

yes

yes

yes

yes

pollen

--

yes

yes

yes

yes

yes

tor

--

yes

yes

yes

yes

yes

tlsdate

--

yes

yes

yes

yes

yes

vidalia

--

yes

yes

yes

yes

yes

apt-cacher-ng

--

--

yes

yes

yes

yes

gst-plugin-scanner

--

--

yes

yes

yes

yes

docker.io

--

--

yes

yes

yes

yes

torbrowser-launcher

--

--

yes

yes

yes

yes

aprx

--

--

--

yes

yes

yes

dhcpcanon

--

--

--

yes

yes

yes

ejabberd

--

--

--

yes

yes

yes

firejail

--

--

--

yes

yes

yes

irssi

--

--

--

yes

yes

yes

Lightdm guest session

--

--

--

yes

yes

yes

lightdm-remote-session-freerdp

--

--

--

yes

yes

yes

LXC

--

--

--

yes

yes

yes

ntpd

--

--

--

yes

yes

yes

pidgin

--

--

--

yes

yes

yes

Telepathy

--

--

--

yes

yes

yes

totem

--

--

--

yes

yes

yes

totem previewers

--

--

--

yes

yes

yes

cadvisor

--

--

--

--

yes

yes

containerd

--

--

--

--

yes

yes

game-data-packager

--

--

--

--

yes

yes

haveged

--

--

--

--

yes

yes

i2p

--

--

--

--

yes

yes

i2pd

--

--

--

--

yes

yes

inspircd

--

--

--

--

yes

yes

ioquake3

--

--

--

--

yes

yes

iortcw

--

--

--

--

yes

yes

kopanocore

--

--

--

--

yes

yes

kopano-webapp

--

--

--

--

yes

yes

lightdm-remote-session-x2go

--

--

--

--

yes

yes

mariadb

--

--

--

--

yes

yes

msmtp

--

--

--

--

yes

yes

ntpsec

--

--

--

--

yes

yes

onioncircuits

--

--

--

--

yes

yes

openntpd

--

--

--

--

yes

yes

postsrsd

--

--

--

--

yes

yes

ricochet-im

--

--

--

--

yes

yes

runc

--

--

--

--

yes

yes

spawn-fcgi

--

--

--

--

yes

yes

surf

--

--

--

--

yes

yes

unbound

--

--

--

--

yes

yes

url-dispatcher

--

--

--

--

yes

yes

ibus-hangul

--

--

--

--

yes

yes

MAAS dhcpd (dhcpd)

--

--

--

--

yes

yes

  1. Must be used with the apache2 profile and the libapache2-mod-apparmor module

Other profiles

Profiles in active development can be found in the public repository (see AppArmor Profiles). Unmaintained profiles can be found in /usr/share/doc/apparmor-profiles/extras directory of the apparmor-profiles package. Files from either location may not work at all and will likely require significant effort to run on your system.

Filing Bugs

When filing bugs against an installed apparmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor.


CategorySecurityTeam

SecurityTeam/KnowledgeBase/AppArmorProfiles (last edited 2020-10-26 01:49:03 by alexmurray)