Ubuntu 22.04
Sponsored Link

AppArmor : Enable / Disable Profiles2022/12/16
 
It's possible to enable or disable each profile if you don't need.
[1] Install a package which includes tools for AppArmor settings.
root@dlp:~#
apt -y install apparmor-utils
[2] Disable a profile which is currently loaded.
root@dlp:~#
aa-status 

apparmor module is loaded.
13 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# configuration files for each profile are under the directory below

root@dlp:~#
ll /etc/apparmor.d 

total 92
drwxr-xr-x  8 root root  4096 Dec 15 15:53 ./
drwxr-xr-x 97 root root  4096 Dec 15 11:14 ../
drwxr-xr-x  2 root root  4096 Sep 19 12:51 abi/
drwxr-xr-x  4 root root 12288 Sep 19 12:51 abstractions/
drwxr-xr-x  2 root root  4096 Dec 15 15:43 disable/
drwxr-xr-x  2 root root  4096 Mar 10  2022 force-complain/
drwxr-xr-x  2 root root  4096 Sep 19 12:51 local/
-rw-r--r--  1 root root  1339 Mar 10  2022 lsb_release
-rw-r--r--  1 root root  1189 Mar 10  2022 nvidia_modprobe
-rw-r--r--  1 root root  3461 Jul 19 16:54 sbin.dhclient
drwxr-xr-x  5 root root  4096 Sep 19 12:51 tunables/
-rw-r--r--  1 root root  3465 Dec 15 15:53 usr.bin.man
-rw-r--r--  1 root root  1421 Jun 21  2021 usr.bin.tcpdump
-rw-r--r--  1 root root 28486 Nov 28 13:53 usr.lib.snapd.snap-confine.real
-rw-r--r--  1 root root  1592 Nov 16  2021 usr.sbin.rsyslogd
# for example, disable [/usr/bin/man]

root@dlp:~#
aa-disable /usr/bin/man

Disabling /usr/bin/man.
root@dlp:~#
aa-status 

apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# disabled profile is moved to the directory below

root@dlp:~#
ll /etc/apparmor.d/disable 

total 8
drwxr-xr-x 2 root root 4096 Dec 15 13:14 ./
drwxr-xr-x 8 root root 4096 Dec  8 10:33 ../
lrwxrwxrwx 1 root root   27 Dec 15 13:14 usr.bin.man -> /etc/apparmor.d/usr.bin.man
lrwxrwxrwx 1 root root   33 Apr 21  2022 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd
[3] Enable a profile which is currently disabled.
root@dlp:~#
aa-status 

apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
# for example, enable [/usr/bin/man] with [enforce] mode
# [enforce] mode : allow only actions that are defined in a profile
# [complain] mode : denied actions are logged but they are not actually denied

root@dlp:~#
aa-enforce /usr/bin/man

Setting /usr/bin/man to enforce mode.
root@dlp:~#
aa-status 

apparmor module is loaded.
13 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
Matched Content