Hi
I was wondering how I can enable AppArmor to gain some extra security. I tried a couple of months ago but never managed to do so. I would appreciate some tips and tricks.
Do you know this site? https://wiki.archlinux.org/title/AppArmor
What @Omig said. Pretty much anything you’d like to learn is on the Arch Wiki. If you have already read it and couldn’t understand it, that’s where we come in.
Based on what I remember reading just about 2 weeks ago, if you want to use AppArmor or SELinux, it’s better to use a distro that enables it from the start. It’s not straightforward on Arch distros.
Ok yes, that’s pretty unfortunate because I really like EndeavourOS, but I do need and care about security.
You could install a distro that uses AppArmor or SELinux, then use EndeavourOS/Arch through Distrobox. That way, your base system is secure in the way you want, while still getting access to the latest packages.
I did this using the instruction from the link posted before.
sudo pacman -S apparmor
sudo systemctl enable apparmor
sudo systemctl start apparmor
You need to add kernel parameters:
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
I use Grub so I added these to /etc/default/grub in the line GRUB_CMDLINE_LINUX_DEFAULT
and then ran: sudo grub-mkconfig -o /boot/grub/grub.cfg
If you use systemd-boot, the instructions are in EndeavourOS Wiki:
https://discovery.endeavouros.com/installation/systemd-boot/2022/12/
I don’t know if this is all you need to do.
When I check:
$ aa-enabled
Yes
$ sudo aa-status
[sudo] password for cactux:
apparmor module is loaded.
161 profiles are loaded.
65 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
firejail-default
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
plasmashell
plasmashell//QtWebEngineProcess
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
unix-chkpwd
unprivileged_userns
winbindd
zgrep
zgrep//helper
zgrep//sed
4 profiles are in complain mode.
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
92 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
chromium
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
26 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
26 processes are unconfined but have a profile defined.
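The steps in the post above can appear to do nothing when /etc/default/grub has been edited but grub.cfg was not regenerated or the machine has not been rebooted yet. The shell functions below are an added example (not part of the thread or of AppArmor's own tooling) that tell those cases apart; the function names are made up for this example, while /proc/cmdline and /sys/kernel/security/lsm are the standard kernel interfaces for the boot parameters and the active LSM list.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so the checks can be
# run against sample files; the defaults are the real system locations.

# Print the value of the last lsm= token in a string of kernel parameters.
lsm_value() {
    printf '%s\n' "$1" | tr -d "\"'" | tr ' ' '\n' | sed -n 's/^lsm=//p' | tail -n 1
}

# Succeed if "apparmor" is one entry of a comma-separated LSM list.
has_apparmor() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx apparmor
}

# apparmor_boot_state [GRUB_DEFAULTS] [CMDLINE] [ACTIVE_LSM_LIST]
# Prints one word:
#   active   the running kernel lists apparmor among its active LSMs
#   ignored  lsm=...apparmor was passed at boot but the kernel did not enable
#            it (for example, a kernel built without AppArmor support)
#   pending  the GRUB defaults file names apparmor, but the running kernel was
#            booted without it (grub.cfg not regenerated, or no reboot yet)
#   missing  no lsm= entry naming apparmor was found anywhere
apparmor_boot_state() (
    grub_file=${1:-/etc/default/grub}
    cmdline_file=${2:-/proc/cmdline}
    active_file=${3:-/sys/kernel/security/lsm}

    # Unreadable or absent files are treated as empty.
    active=$(cat "$active_file" 2>/dev/null) || true
    booted=$(lsm_value "$(cat "$cmdline_file" 2>/dev/null)")
    configured=$(lsm_value \
        "$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT=//p' "$grub_file" 2>/dev/null)")

    if has_apparmor "$active"; then echo active
    elif has_apparmor "$booted"; then echo ignored
    elif has_apparmor "$configured"; then echo pending
    else echo missing
    fi
)
```

Calling `apparmor_boot_state` with no arguments checks the live system; `pending` means the `grub-mkconfig` step or the reboot is still outstanding.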
Well, this certainly seems simple enough, and rereading the AppArmor wiki, it also seems simple. So, I guess I read the SELinux wiki and thought they were both complicated, because SELinux has a bunch of AUR packages that you need to use it effectively.
Hi, sorry for my late reply, I have been out of town, but I will try taking a look at this explanation and install. I also saved the Arch wiki; it is gold to have all that info.
Hi, I tried to install AppArmor and make it work, but for some reason I could not make it work. Man, it's a pain on Arch-based Linux distros.