AppArmor Profiles
AppArmor is installed and loaded by default starting with Ubuntu 7.10 (Gutsy). Some packages will install their own profiles (usually in enforcing mode), while additional profiles can be found in the apparmor-profiles and apparmor-profiles-extra packages from the Universe repository.
Supported profiles in main
| Source package/binary | 8.04 LTS | 9.04 | 9.10 | 10.04 LTS | 10.10 | 11.04 | 11.10 | 12.04 LTS | 12.10 | 13.04 | 13.10 | 14.04 LTS | 14.10 | 15.04 | 15.10 | 16.04 | 16.10 | 17.04 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cups (cupsd) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| OpenLDAP (slapd) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| MySQL (mysqld) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Bind (named) | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Akonadi (mysqld) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ClamAV (clamd, freshclam) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| gdm-guest-session | -- | yes | yes | yes | yes | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | yes | yes | yes | yes |
| tcpdump | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ISC Dhcpd (dhcpd3/dhcpd) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| ISC Dhcp client (dhclient3/dhclient) | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Evince | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| NTP (ntpd) [1] | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Firefox (firefox-3.5/firefox) | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| Libvirt (libvirtd and kvm/qemu guests) | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Apache (apache2) | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| Telepathy | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Lightdm guest session | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| juju | -- | -- | -- | -- | -- | -- | -- | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] | yes [3] |
| rsyslog | -- | -- | -- | -- | -- | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| quassel-core | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| LXC | -- | -- | -- | -- | -- | -- | -- | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] | yes [4] |
| MAAS dhcpd (dhcpd) | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| squid3 | -- | -- | -- | -- | -- | -- | -- | -- | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] | yes [2] |
| lightdm-remote-session-freerdp | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| lightdm-remote-session-uccsconfigure | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| AppStore apps (click) [5] | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes |
| Cups filters (cups-browsed) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes |
| Telepathy (ofono) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes |
| sssd | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| StrongSwan (stroke/lookip) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| media-hub | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| mediascanner2 | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes |
| libvirt (libvirt-lxc containers) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes |
| ubuntu-download-manager (extractor) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes |
| LXD | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| snap-confine (aka ubuntu-core-launcher) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| AppStore apps (snappy) [6] | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes |
| AppStore frameworks (snappy) [7] | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | no [7] | no [7] | no [7] | no [7] |
| webbrowser-app | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes |
[1] A complain-mode only profile was provided in the apparmor-profiles package in Ubuntu 9.04 and earlier.
[2] Will be disabled by default and be opt-in for advanced users.
[3] Preliminary support.
[5] Ubuntu Touch apps in the Ubuntu AppStore are confined with AppArmor by default. See ApplicationConfinement for details.
[6] Ubuntu Core and Personal apps in the Ubuntu AppStore are confined with AppArmor by default. See the security guide for details.
[7] Frameworks for Ubuntu Core 15.04 are confined with AppArmor by default and they may also provide AppArmor policy for apps to use. Ubuntu Core 16 and later use a different mechanism where all snaps of 'type: app' use templated policy provided via snapd.
Community supported profiles
Some of the following profiles are found in the apparmor-profiles and apparmor-profiles-extra packages. These profiles are usually in complain mode and in various stages of development, but can in general be used with some modification. Profiles in this list that are not from the apparmor-profiles package are community contributed or come from Debian.
| Binary | 8.04 LTS | 9.04 | 9.10 | 10.04 LTS | 10.10 | 11.04 | 11.10 | 12.04 LTS | 12.10 | 13.04 | 13.10 | 14.04 LTS | 14.10 | 15.04 | 15.10 | 16.04 | 16.10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| avahi-daemon | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| dnsmasq | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| identd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| klogd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| mdnsd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| nmbd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| nscd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| ntpd [1] | yes | yes | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | |
| ping | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| smbd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| syslogd | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| syslog-ng | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| traceroute | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| dovecot | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| phpsysinfo [2] | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| chromium-browser | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| digikam | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| tor | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | |
| vidalia | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | yes | yes | yes | |
| fwknop | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | |
| pollen | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | |
| tlsdate | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | yes | |
| torbrowser-launcher | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | |
| docker.io | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | yes | |
| apt-cacher-ng | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
| gst-plugin-scanner | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
| irssi | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
| pidgin | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
| totem | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
| totem previewers | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | yes | yes | yes | |
[1] An enforcing profile for ntpd moved to the ntp package in Ubuntu 9.10.
[2] Must be used with the apache2 profile and the libapache2-mod-apparmor module.
Other profiles
Profiles in active development can be found in the public repository (see AppArmor Profiles). Unmaintained profiles can be found in the /usr/share/doc/apparmor-profiles/extras directory of the apparmor-profiles package. Files from either location may not work at all and will likely require significant effort to run on your system.
Filing Bugs
When filing bugs against an installed AppArmor profile, please see: https://wiki.ubuntu.com/DebuggingApparmor.