apparmor
Prerequisites
Ensure apparmor daemon is running
$ systemctl status apparmor
$ systemctl start apparmorInstall neccessary tools
$ apt install apparmor-utilsDefault firefox profile shipped with Kali Linux
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/firefox>
}
1. Generate a starting profile
Creates a profile in
/etc/apparmor.dwith the naming convention where the slashes (/) are converted to dots (.)
Eg. /usr/bin/firefox -> usr.bin.firefox
$ aa-autodep [path-to-binary]
# eg.
$ aa-autodep /usr/bin/firefoxDefault profile
Generated on Kali Linux (Kali 6.12.25-1kali1 (2025-04-30))
usr.bin.firefox
abi <abi/4.0>,
include <tunables/global>
/usr/bin/firefox flags=(complain) {
include <abstractions/base>
include <abstractions/bash>
/usr/bin/dash ix,
/usr/bin/firefox r,
}2. Optionally, load the profile using aa-genprof or aa-logprof
aa-genprof or aa-logprofThe
aa-genproftool usesaa-logprofunder the hood to augment the profile
Generate a new profile according to logs from the specified log file
For
/usr/bin/firefox, I usedaa-autodepinstead ofaa-genprofto generate the starting profile. This is because there are too many file reads from firefox (as shown in the log file), thusaa-genprofdisplays too much output.
$ aa-genprof [executable] --file /path/to/logfile
# eg.
$ aa-genprof /usr/bin/firefox --file /var/log/syslogUpdate the existing profile
$ aa-logprof --file /path/to/logfile
# eg.
$ aa-logprof --file /var/log/syslog3. View the profile and manually edit the configurations
$ cd /etc/apparmor.d
# /usr/bin/firefox -> usr.bin.firefox
$ vim usr.bin.firefox
# ********************************
# ** My current profile
abi <abi/4.0>,
include <tunables/global>
profile firefox /{usr/{bin,lib/firefox{,-esr}},opt/firefox}/firefox{,-esr,-bin}
{
userns,
#include <abstractions/base> # seems to not be required
# ~~~~~~~~~~~~~~~~~~~~~
# ALLOW FIREFOX-ESR FILES
# ~~~~~~~~~~~~~~~~~~~~~
/usr/lib/firefox-esr/firefox-esr ix,
/usr/lib/firefox-esr/glxtest ix,
/usr/lib/firefox-esr/minidump-analyzer ix,
# ~~~~~~~~~~~~~~~~~~~~~
# ALLOW HOME DIR FILES
# ~~~~~~~~~~~~~~~~~~~~~
@{HOME}/.local/share/** wrmkix,
@{HOME}/.config/** wrmkix,
@{HOME}/.cache/.mozilla/** r,
@{HOME}/.mozilla/** rwmkix,
# ~~~~~~~~~~~~~~~~~~~~~
# ALLOW OTHER FILES - to refined: make the file accesses more fine-tuned
# ~~~~~~~~~~~~~~~~~~~~~
owner /tmp/** rwkmix,
/tmp/firefox-esr/** rwkmix,
/etc/** r,
/proc/** rw,
/usr/share/** r,
/usr/local/share/** r,
/var/cache/fontconfig/** r,
/sys/** r,
/var/** r,
/dev/** rw,
owner /run/user/@{uid}/** rw, # owner keyword
# ~~~~~~~~~~~~~~~~~~~~~
# DENY
# ~~~~~~~~~~~~~~~~~~~~~
deny /etc/ssh/** rwkmx,
deny /etc/passwd rwkmx,
deny /etc/network/** rwkmx,
deny /etc/NetworkManager/** rwkmx,
deny /proc/version r,
# ~~~~~~~~~~~~~~~~~~~~~
# CAPABILITY
# ~~~~~~~~~~~~~~~~~~~~~
capability sys_admin,
capability sys_chroot,
# ~~~~~~~~~~~~~~~~~~~~~
# NETWORK
# ~~~~~~~~~~~~~~~~~~~~~
# network netlink raw, # ~raw sockets - requested by Firefox, but not neccessary
network inet dgram, # UDP
network inet stream, # TCP
# Site-specific additions and overrides. See local/README for details.
include if exists <local/firefox>
}
# deny /proc/version rwlk,
}
# ********************************
Abstractions
The include <abstraction/...> statement allows reusable profile configurations to be defined. They can be found under /etc/apparmor.d/abstractions .
Profile language
Refer to the documentation for more information on what each statement in the profile configuration mean:
4. Load and enforce the profile
# Load the profile
$ apparmor_parser -r /etc/apparmor.d/[profile]
# enforce the profile
$ aa-enforce [profile]
# eg.
$ apparmor_parse -r /etc/apparmor.d/usr.bin.firefox
$ aa-enforce /usr/bin/firefoxapparmor_parser
Used to compile the profile (understood by the kernel), and load it into the kernel
-rflag: To update the existing profile in the kernel
This flag is required if an AppArmor definition by the same name already exists in the kernel; used to replace the definition already in the kernel with the definition given on standard input.
5. View the status
$ aa-status
apparmor modules are loaded
XX profiles are loaded.
X profiles are in enforce mode.
...
/usr/bin/firefox
...
...
...6. View the logs and manually update the profile
After loading the profile into the kernel, we can run the application (controlled by apparmor in enforce mode), and view the logs for any DENIED error messages:
Install required packages
$ apt install rsyslog
$ systemctl start rsyslog
Filter the logs
$ cat /var/log/syslog | grep [executable] | grep -P T[timestamp]\w*
# eg. firefox at 1800 HRS
$ cat /var/log/syslog | grep firefox | grep -P T18:\w*
$ cat /var/log/syslog | grep firefox | grep DENIED | grep -P T18:\w* # view DENIED View the logs in real-time
$ tail -f /var/log/syslog | grep -E 'firefox|DENIED' From the error messages, we can update the profile linked to the executable accordingly.
Example
Given the following error message:
xxxx : apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/xxxx/xxxx" ... comm="firefox-esr" requested_mask="w" denied_mask="w" The message tells us that firefox-esr is trying to write (w) to /proc/xxxx/xxxx, but got DENIED access. To fix this issue, we can add a rule to the profile:
/proc/** w,For more information on file pattern matching, refer to the documentation on the File Globbing section:
7. Verify the apparmor configurations
...
Example
Given the configurations in place for firefox, we can now open up a window and check if the file restrictions are working.
...
8. Other useful commands
Refer to the documentation link at the start of this page
$ aa-disable
$ aa-audit
...Last updated