linux/Documentation/admin-guide/LSM/apparmor.rst

========
AppArmor
========

What is AppArmor?
=================

AppArmor is MAC style security extension for the Linux kernel.  It implements
a task centered policy, with task "profiles" being created and loaded
from user space.  Tasks on the system that do not have a profile defined for
them run in an unconfined state which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

set ``CONFIG_SECURITY_APPARMOR=y``

If AppArmor should be selected as the default security module then set::

   CONFIG_DEFAULT_SECURITY="apparmor"
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel

If AppArmor is not the default security module it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module it can be disabled by passing
``apparmor=0, security=XXXX`` (where ``XXXX`` is valid security module), on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions
policy must be loaded into the kernel from user space (see the Documentation
and tools links).

Documentation
=============

Documentation can be found on the wiki, linked below.

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://wiki.apparmor.net

User space tools - https://gitlab.com/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`========`
			`AppArmor`
			`========`

			`What is AppArmor?`
			`=================`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
			`AppArmor is MAC style security extension for the Linux kernel. It implements`
			`a task centered policy, with task "profiles" being created and loaded`
			`from user space. Tasks on the system that do not have a profile defined for`
			`them run in an unconfined state which is equivalent to standard Linux DAC`
			`permissions.`

doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`How to enable/disable`
			`=====================`

			set ``CONFIG_SECURITY_APPARMOR=y``
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`If AppArmor should be selected as the default security module then set::`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`CONFIG_DEFAULT_SECURITY="apparmor"`
			`CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
			`Build the kernel`

			`If AppArmor is not the default security module it can be enabled by passing`
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			``security=apparmor`` on the kernel's command line.
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
			`If AppArmor is the default security module it can be disabled by passing`
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			``apparmor=0, security=XXXX`` (where ``XXXX`` is valid security module), on the
			`kernel's command line.`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
			`For AppArmor to enforce any restrictions beyond standard Linux DAC permissions`
			`policy must be loaded into the kernel from user space (see the Documentation`
			`and tools links).`

doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`Documentation`
			`=============`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`Documentation can be found on the wiki, linked below.`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00			`Links`
			`=====`
AppArmor: update Maintainer and Documentation Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 01:48:09 +04:00
			`Mailing List - apparmor@lists.ubuntu.com`
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00
apparmor: update git and wiki locations in AppArmor docs The apparmor information in the apparmor.rst file is out of date. Update it to the correct git reference for the master apparmor tree. Update the wiki location to use apparmor.net which forwards to the current wiki location on gitlab.com. Update user space tools address to gitlab.com. Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-05-05 15:22:16 +03:00			`Wiki - http://wiki.apparmor.net`
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00
apparmor: update git and wiki locations in AppArmor docs The apparmor information in the apparmor.rst file is out of date. Update it to the correct git reference for the master apparmor tree. Update the wiki location to use apparmor.net which forwards to the current wiki location on gitlab.com. Update user space tools address to gitlab.com. Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-05-05 15:22:16 +03:00			`User space tools - https://gitlab.com/apparmor`
doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 14:51:45 +03:00
apparmor: update git and wiki locations in AppArmor docs The apparmor information in the apparmor.rst file is out of date. Update it to the correct git reference for the master apparmor tree. Update the wiki location to use apparmor.net which forwards to the current wiki location on gitlab.com. Update user space tools address to gitlab.com. Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-05-05 15:22:16 +03:00			`Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor`