Roadmap

All active development efforts experience a constant hustle to update and improve. AppArmor strives to add new features – the current version has evolved from its nascent stage, which was bogged down with huge performance overhead to the kernel/CPU, as it was written in plain text. Version 2 added a compile state machine, which guaranteed execution time by restricting the CPU overload.

Version 3, which is currently in development, will add multiple cache support. Enhanced networking support will bring fine-grained access to networking, which will allow you to monitor network-oriented applications and will also grant access to specific port calls. Support for ZFS database operations, Cgroups, and chroot will add additional capabilities for security-minded users.

Conclusion

MACs, if implemented properly, can provide a very well defined security ring that can render any attack useless or make the damage very predictable. AppArmor creates a whitelist that can ward off any major damage and be independent of user and system, and it creates very lean and simple application-specific rules that are easy to discern and implement.

The only gripe with AppArmor is that it offers a limited security solution out of the box. It may work very well in a limited environment, but the need to manually create profiles in a more exhaustive setup can be cumbersome at best. Creating profiles for so many variables can be a daunting task and may ward off interest in using AppArmor in the first place. However, development of new profiles is an ongoing process; more profile features are being added with each passing release.

Does AppArmor guarantee security? Yes and no. Security will always be on an unstable footing, and this article has only scratched the surface towards securing your system. The price of freedom and security is eternal vigilance.