
Linux command

apparmor command

Security

High impact on privileges or the whole system: verify the target profile before running.

Common examples

Display AppArmor status

sudo aa-status

Set a profile to enforce mode (violations are blocked and logged)

sudo aa-enforce [/etc/apparmor.d/usr.bin.firefox]

Set a profile to complain mode (violations are logged but not blocked)

sudo aa-complain [/etc/apparmor.d/usr.bin.firefox]

Disable a profile

sudo aa-disable [/etc/apparmor.d/usr.bin.firefox]

Reload all AppArmor profiles

sudo systemctl reload apparmor

Generate a new profile

sudo aa-genprof [/usr/bin/application]

Update profiles

sudo aa-logprof
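The examples above form one procedure: generate a profile, run the program in complain mode, turn the logged accesses into rules, then enforce. The script below is an added example (not from this page or the AppArmor project) that does the rule-learning step offline so it can be read and run anywhere. The program path /usr/local/bin/example-app, the audit lines and the mapping from log fields to rules are constructed for illustration; only the printed apparmor_parser and aa-* commands are real, and those must be run as root on the target host.

```shell
#!/bin/sh
# Added example (not from this page or the AppArmor project): the genprof/logprof
# loop done offline. The binary path, the audit lines and the rule mapping are
# constructed for illustration; only the printed apparmor_parser/aa-* commands
# are real and must be run as root on the target host.

# Hypothetical program to confine (assumption).
APP=/usr/local/bin/example-app

# Constructed kernel audit lines as journalctl -k / dmesg show them. The ALLOWED
# lines come from complain mode (access not in the profile, permitted anyway);
# the DENIED /etc/shadow line is what the same profile logs after aa-enforce.
# Real lines carry more fields than shown here.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:21): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/example-app" name="/etc/example-app/config.toml" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:22): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/example-app" name="/var/log/example-app/app.log" pid=4242 comm="example-app" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:23): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/example-app" name="/etc/example-app/config.toml" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:24): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/other" name="/tmp/scratch" pid=77 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.205:25): apparmor="DENIED" operation="open" class="file" profile="/usr/local/bin/example-app" name="/etc/shadow" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Turn ALLOWED file-open events for one profile into candidate rules: merge
# repeated paths, union their masks, map the log-only "c" (create) to "w", and
# emit permission letters in a fixed order. This is the mechanical part of what
# aa-logprof asks you to confirm; exec, capability and network events need other
# rule types (ix/Px/Cx transitions, capability, network) and are not handled here.
suggest_rules() {            # $1 = profile name, stdin = audit lines
  awk -v prof="$1" '
    /apparmor="ALLOWED"/ && /operation="open"/ {
      p = n = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/"/, "", v)
        if (kv[1] == "profile") p = v
        else if (kv[1] == "name") n = v
        else if (kv[1] == "requested_mask") m = v
      }
      if (p == prof && n != "") { gsub(/c/, "w", m); mask[n] = mask[n] m }
    }
    END {
      order = "rwakml"
      for (n in mask) {
        out = ""
        for (j = 1; j <= length(order); j++) {
          c = substr(order, j, 1)
          if (index(mask[n], c)) out = out c
        }
        printf "%s %s,\n", n, out
      }
    }' | sort
}

# Count DENIED events per profile: what to watch after switching to enforce.
denials_by_profile() {       # stdin = audit lines
  awk '/apparmor="DENIED"/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^profile=/) {
           p = $i; sub(/^profile=/, "", p); gsub(/"/, "", p); cnt[p]++
         }
       }
       END { for (p in cnt) printf "%s %d\n", p, cnt[p] }' | sort
}

# Minimal profile in the layout used under /etc/apparmor.d/; learned rules
# arrive on stdin and are placed inside the braces.
profile_skeleton() {         # $1 = executable path, stdin = rules
  printf '%s\n' "abi <abi/3.0>," "include <tunables/global>" "" \
    "$1 {" "  include <abstractions/base>" "  $1 mr,"
  sed 's/^/  /'
  printf '%s\n' "}"
}

# The privileged steps, printed rather than executed so this runs anywhere.
# -r replaces an already loaded profile, -C loads it in complain mode.
load_steps() {               # $1 = profile file on disk
  printf 'apparmor_parser -r -C %s   # load in complain mode\n' "$1"
  printf 'aa-logprof                  # review ALLOWED events, accept rules\n'
  printf 'aa-enforce %s               # enforce once the log is clean\n' "$1"
}

# Stand-alone run: build the profile from the constructed log, show denials,
# then print the commands for the target host.
PROFILE_FILE="/etc/apparmor.d/$(printf '%s' "$APP" | sed 's|^/||; s|/|.|g')"
printf '%s\n' "$SAMPLE_LOG" | suggest_rules "$APP" | profile_skeleton "$APP"
printf '%s\n' "$SAMPLE_LOG" | denials_by_profile
load_steps "$PROFILE_FILE"
```

Two points the script makes concrete: repeated accesses collapse into one rule, and a requested_mask of "wc" becomes a plain `w` rule because create is a write in profile syntax. The DENIED entry is reported but never turned into a rule; whether a confined program should read /etc/shadow is a decision for the reviewer, not for the log parser.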

Description

AppArmor (Application Armor) is a Linux Security Module that applies Mandatory Access Control (MAC) to individual programs. Each confined program has a profile that lists the files it may access and with which permissions (read, write, execute, mmap, lock, link), the capabilities it may use, and the network access it gets; anything the profile does not mention is denied. There is no single `apparmor` binary: the `aa-*` front-ends on this page come from the apparmor-utils package, and the loader they drive is `apparmor_parser`. A loaded profile runs in one of two modes. In enforce mode the kernel blocks violations and logs them (apparmor="DENIED"); in complain mode it permits everything but logs what the profile would have blocked (apparmor="ALLOWED"), which is how new profiles are developed and tested. `aa-status` lists the loaded profiles, their modes, and which running processes are confined; `aa-enforce` and `aa-complain` switch a profile between the two modes; `aa-disable` unloads a profile and links it into /etc/apparmor.d/disable/ so it is not loaded at boot. `aa-genprof` builds a new profile by running the application in complain mode and turning the logged accesses into rules interactively; `aa-logprof` does the same for an existing profile from the events already in the log. Both learn only the code paths you exercised, so review the generated rules before switching to enforce. Profiles live in /etc/apparmor.d/ and are loaded at boot by the apparmor service (a systemd unit on current distributions). Two caveats: `systemctl reload apparmor` reloads every profile, not only the one you changed, and a profile is attached when a program is executed, so a process that was already running stays unconfined until it is restarted (aa-status reports these as "unconfined but have a profile defined").

Parameters

aa-status
Display the current state of AppArmor, including loaded profiles and their modes
aa-enforce _profile_
Set a profile to enforce mode (blocks policy violations)
aa-complain _profile_
Set a profile to complain mode (logs violations without blocking)
aa-disable _profile_
Disable a profile entirely
aa-genprof _executable_
Generate a new profile for an application interactively
aa-logprof
Update existing profiles interactively from the AppArmor events in the system log (ALLOWED events from complain mode and DENIED events from enforce mode)
aa-unconfined
List processes running without AppArmor confinement
--verbose
Display detailed information (aa-status)
--enforced
Show only enforced profile count (aa-status)
--complaining
Show only complaining profile count (aa-status)
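The aa-status counters and aa-unconfined answer two questions an auditor asks of a hardened host: which profiles are still in complain mode, and which processes have a profile on disk but are running unconfined. The script below is an added example (not from this page or the AppArmor project) that turns captured aa-status text into that check. The status output it parses is constructed to mimic the real text format; on a live host substitute `sudo aa-status` for the sample.

```shell
#!/bin/sh
# Added example (not from this page or the AppArmor project): a posture check
# over aa-status text. SAMPLE_STATUS is constructed to mimic the real layout
# (section headers start with a count, entries are indented below them).
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/local/bin/example-app
   /usr/sbin/nginx
4 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812)
   /usr/bin/man (1301)
1 processes are in complain mode.
   /usr/sbin/nginx (990)
1 processes are unconfined but have a profile defined.
   /usr/local/bin/example-app (4242)'

# Print the indented entries listed under one aa-status section header.
# The header text must be specific enough to tell "profiles are in complain
# mode" from "processes are in complain mode".
section() {                  # $1 = header text, stdin = aa-status output
  awk -v hdr="$1" '
    /^[0-9]+ / { active = (index($0, hdr) > 0); next }
    active && /^[[:space:]]+/ { sub(/^[[:space:]]+/, ""); print }
  '
}

complain_profiles() { section "profiles are in complain mode"; }
stale_processes()   { section "processes are unconfined but have a profile defined"; }

# Non-zero exit when a profile is still in complain mode (logging only, not
# enforcing) or a process predates its profile and must be restarted to be
# confined. Findings go to stdout so they can be fed to a ticket or alert.
check_posture() {            # stdin = aa-status output
  out=$(cat)
  c=$(printf '%s\n' "$out" | complain_profiles)
  u=$(printf '%s\n' "$out" | stale_processes)
  rc=0
  [ -z "$c" ] || { printf 'profiles in complain mode (not enforcing):\n%s\n' "$c"; rc=1; }
  [ -z "$u" ] || { printf 'profile loaded but process unconfined (restart it):\n%s\n' "$u"; rc=1; }
  return $rc
}

# Stand-alone run against the constructed sample; fails on purpose because
# two profiles are in complain mode and one process is stale.
printf '%s\n' "$SAMPLE_STATUS" | check_posture || echo "posture check failed"
```

Run as root, since aa-status needs privileges to map processes to profiles; without them the process sections are empty and the stale-process check silently passes. Newer aa-status releases also offer `--json`, which is the better input when it is available.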

FAQ

What is the apparmor command used for?

The `aa-*` tools are the user-space front end to AppArmor, the Linux Security Module that confines programs with per-program Mandatory Access Control profiles. You use them to see what is confined and in which mode (aa-status, aa-unconfined), to switch a profile between enforce and complain mode (aa-enforce, aa-complain, aa-disable), and to build or refine profiles from logged accesses (aa-genprof, aa-logprof). The description above covers the modes and the profile-development workflow in detail.

How do I run a basic apparmor example?

Run `sudo aa-status` in a terminal to list the loaded profiles and their modes. For the other examples, replace the bracketed profile or executable path with the one on your system (profile files live under /etc/apparmor.d/); all of these tools act on the local host only.

What does aa-status do in apparmor?

Display the current state of AppArmor, including loaded profiles and their modes