Ubuntu

Apparmor configuration

Asked by Bernard Stafford

lsb_release -a; uname -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
Linux b3-VirtualBox 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

I installed the packages for Apparmor with synaptic package manager.
I only use Firefox browser.
I need to configure Apparmor for everything in enforce mode.. How do I accomplish this ?
sudo aa-status
apparmor module is loaded.
65 profiles are loaded.
43 profiles are in enforce mode.
   /snap/snapd/15177/usr/lib/snapd/snap-confine
   /snap/snapd/15177/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   ippusbxd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.snap-store
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
22 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
5 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cups-browsed (754)
   /usr/sbin/cupsd (740)
   /snap/snap-store/558/usr/bin/snap-store (1444) snap.snap-store.ubuntu-software
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (646) avahi-daemon
   /usr/sbin/avahi-daemon (683) avahi-daemon
0 processes are unconfined but have a profile defined.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Revision history for this message
Best Manfred Hampl (m-hampl) said : 		#1

Quote from https://ubuntu.com/server/docs/security-apparmor

To place all profiles in enforce mode:
sudo aa-enforce /etc/apparmor.d/*

Revision history for this message
Bernard Stafford (bernard010) said (last edit ): 		#2

Thank You, Manfred Hampl, that solved my question.
I bookmarked the link you gave.