Mandatory Access Control with AppArmor


All active development efforts experience a constant hustle to update and improve. AppArmor strives to add new features – the current version has evolved from its nascent stage, which was bogged down with huge performance overhead to the kernel/CPU, as it was written in plain text. Version 2 added a compile state machine, which guaranteed execution time by restricting the CPU overload.

Version 3, which is currently in development, will add multiple cache support. Enhanced networking support will bring fine-grained access to networking, which will allow you to monitor network-oriented applications and will also grant access to specific port calls. Support for ZFS database operations, Cgroups, and chroot will add additional capabilities for security-minded users.


MACs, if implemented properly, can provide a very well defined security ring that can render any attack useless or make the damage very predictable. AppArmor creates a whitelist that can ward off any major damage and be independent of user and system, and it creates very lean and simple application-specific rules that are easy to discern and implement.

The only gripe with AppArmor is that it offers a limited security solution out of the box. It may work very well in a limited environment, but the need to manually create profiles in a more exhaustive setup can be cumbersome at best. Creating profiles for so many variables can be a daunting task and may ward off interest in using AppArmor in the first place. However, development of new profiles is an ongoing process; more profile features are being added with each passing release.

Does AppArmor guarantee security? Yes and no. Security will always be on an unstable footing, and this article has only scratched the surface towards securing your system. The price of freedom and security is eternal vigilance.

The Author

Shashwat Pant is a freelance writer, coder, and analyst. He loves to read about technology and geopolitics.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • AppArmor

    After penetrating a remote system, intruders might think they are home and dry, but AppArmor spoils the fun, locking the miscreants in a virtual cage.

  • AppArmor

    When an attacker succeeds in infecting a victim’s system, the attacker inherits the victim’s privileges. App Armor beats the attack by reducing the potential victim’s privileges to a minimum.

  • AppArmor vs. SELinux

    Security Enhanced Linux or App Armor? Linux Magazine invited two well-known personalities from Red Hat and Novell to debate the merits of their security systems.

  • Novell Dismisses AppArmor Developer

    Two years after acquiring the company that developed AppArmor Novell has dismissed the developer behind the security technology.

  • Container Security

    A recent flurry of activity in the container space raises several interesting questions about security among a number of operational aspects in the enterprise environment.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More