xref: /linux/Documentation/admin-guide/LSM/apparmor.rst (revision 3eb66e91a25497065c5322b1268cbc3953642227)
========
AppArmor
========

What is AppArmor?
=================

AppArmor is a MAC-style security extension for the Linux kernel.  It implements
a task-centered policy, with task "profiles" being created and loaded
from user space.  Tasks on the system that do not have a profile defined for
them run in an unconfined state, which is equivalent to standard Linux DAC
permissions.

How to enable/disable
=====================

Set ``CONFIG_SECURITY_APPARMOR=y``.

If AppArmor should be selected as the default security module, then set::

   CONFIG_DEFAULT_SECURITY="apparmor"
   CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

Build the kernel.

If AppArmor is not the default security module, it can be enabled by passing
``security=apparmor`` on the kernel's command line.

If AppArmor is the default security module, it can be disabled by passing
``apparmor=0, security=XXXX`` (where ``XXXX`` is a valid security module) on the
kernel's command line.

For AppArmor to enforce any restrictions beyond standard Linux DAC permissions,
policy must be loaded into the kernel from user space (see the Documentation
and tools links).
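
The enable/disable rules above can be checked against a build configuration and a boot command line before rebooting. The following is an added example, not part of the kernel documentation or the AppArmor tools; the function name ``apparmor_boot_state``, its output labels and the sample inputs are constructed, and it models only the parameters named in this section.

```shell
#!/bin/sh
# Added example (not kernel code): predict AppArmor's state at boot from a
# kernel .config and a kernel command line, using the rules in this document.

# apparmor_boot_state CONFIG_TEXT CMDLINE
# Prints one of: not-built | disabled | not-selected | enabled
apparmor_boot_state() {
    config=$1
    cmdline=$2

    # AppArmor must be compiled in (CONFIG_SECURITY_APPARMOR=y).
    if ! printf '%s\n' "$config" | grep -qx 'CONFIG_SECURITY_APPARMOR=y'; then
        echo not-built
        return 0
    fi

    # Build-time defaults from the .config text.
    selected=$(printf '%s\n' "$config" |
        sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p')
    enabled=$(printf '%s\n' "$config" |
        sed -n 's/^CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=\([01]\)$/\1/p')
    enabled=${enabled:-1}   # assumption: treated as 1 when the line is absent

    # Command-line parameters override the build-time defaults. Assumption of
    # this model: when a parameter is repeated, the last occurrence wins.
    for arg in $cmdline; do
        case $arg in
            security=*) selected=${arg#security=} ;;
            apparmor=0|apparmor=1) enabled=${arg#apparmor=} ;;
        esac
    done

    if [ "$enabled" != 1 ]; then
        echo disabled
    elif [ "$selected" != apparmor ]; then
        echo not-selected
    else
        echo enabled
    fi
}

# Constructed sample input: AppArmor built in and set as the default module.
sample_config='CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1'

apparmor_boot_state "$sample_config" 'root=/dev/sda1 ro quiet'
apparmor_boot_state "$sample_config" 'root=/dev/sda1 ro apparmor=0 security=selinux'
```

A result of ``enabled`` only means the module is active; as stated above, tasks stay unconfined until policy is loaded from user space.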

Documentation
=============

Documentation can be found on the wiki, linked below.

Links
=====

Mailing List - apparmor@lists.ubuntu.com

Wiki - http://wiki.apparmor.net

User space tools - https://gitlab.com/apparmor

Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor