AppArmor is a Linux Security Module (LSM) built into the Ubuntu kernel that restricts what programs can do. Ubuntu 24.04 LTS ships with AppArmor enabled by default and includes profiles for many common applications. This guide explains how to view, enable, and create AppArmor profiles.
Tested and valid on:
- Ubuntu 24.04 LTS
Prerequisites
- Ubuntu 24.04 LTS server
- A user with sudo privileges
Step 1 – Verify AppArmor is Active
Check AppArmor status:
sudo aa-status
Step 2 – Install AppArmor Utilities
Install the tools for managing profiles:
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra -y
Step 3 – View Loaded Profiles
List all loaded profiles and their modes:
sudo aa-status | head -30
Step 4 – Enable a Profile in Enforce Mode
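Put an existing profile into enforce mode, where violations are blocked and logged. The command expects a profile for the given program to already exist under /etc/apparmor.d/: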
sudo aa-enforce /usr/sbin/nginx
Step 5 – Switch a Profile to Complain Mode
Complain mode logs policy violations without blocking them:
sudo aa-complain /usr/sbin/nginx
Step 6 – Disable a Profile
Disable a specific profile, which unloads it from the kernel and prevents it from loading at startup:
sudo aa-disable /usr/sbin/nginx
Step 7 – Create a New Profile
Use aa-genprof to generate a profile for an application:
sudo aa-genprof /usr/local/bin/myapp
While aa-genprof is running, exercise the application in another terminal, then return to aa-genprof and press S to scan the logged events and F to finish.
Step 8 – Reload Profiles After Changes
Reload all AppArmor profiles:
sudo systemctl reload apparmor
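Before moving a profile from complain mode (Step 5) to enforce mode (Step 4), it helps to see what the profile has been logging. The script below is an added example, not part of the original guide; it assumes events reach the kernel log in the usual key="value" audit format, and the sample lines, paths and PIDs are constructed.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events from kernel log lines on stdin.
# apparmor="ALLOWED" = logged by a complain-mode profile (would be blocked in enforce mode)
# apparmor="DENIED"  = blocked by an enforce-mode profile
# On a real host, feed it e.g.:  sudo journalctl -k | aa_summarize

aa_summarize() {
    awk '
    # Return the value of key="value" in line s, or "-" when the key is absent.
    function field(s, key,    p, rest) {
        p = index(s, " " key "=\"")
        if (p == 0) return "-"
        rest = substr(s, p + length(key) + 3)
        return substr(rest, 1, index(rest, "\"") - 1)
    }
    /apparmor="(ALLOWED|DENIED)"/ {
        k = field($0, "apparmor") " " field($0, "profile") " " field($0, "operation")
        k = k " " field($0, "name") " " field($0, "denied_mask")
        n[k]++
    }
    # Output columns: count, verdict, profile, operation, path, denied permission mask
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Events that a switch to enforce mode would start blocking for profile $1.
would_block() {
    aa_summarize | awk -v p="$1" '$2 == "ALLOWED" && $3 == p'
}

# Constructed sample log lines (hypothetical host, PIDs and paths).
sample_log() {
cat <<'EOF'
kernel: audit: type=1400 audit(1714000001.101:201): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/local/bin/myapp" pid=4100 comm="apparmor_parser"
kernel: audit: type=1400 audit(1714000002.210:202): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/myapp" name="/etc/myapp/app.conf" pid=4121 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1714000003.315:203): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/myapp" name="/etc/myapp/app.conf" pid=4122 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1714000004.420:204): apparmor="ALLOWED" operation="mknod" class="file" profile="/usr/local/bin/myapp" name="/var/log/myapp.log" pid=4122 comm="myapp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1714000005.525:205): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/nginx" name="/home/alice/notes.txt" pid=4200 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=1000
EOF
}

sample_log | aa_summarize
```

Each ALLOWED row for a profile is an access that needs either a rule in the profile or a fix in the application before the profile is enforced.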
Conclusion
AppArmor is now actively protecting applications on Ubuntu 24.04 LTS. Profiles confine what each application can read, write, and execute — limiting the damage from security vulnerabilities.