Author AppArmor Profiles

AppArmor profiles can be written in several ways: directly in the AppArmor policy language, with Bane, or with aa-logprof.

Core Policy Reference

The AppArmor wiki provides the guidelines and semantics for AppArmor policy enforcement and the reference for the profile language; see the link below.


bane is an AppArmor profile generator for Docker that uses a simplified profile language, so a profile can be generated from an easy-to-read configuration file.

Generate a profile using aa-logprof

  1. Create a profile named <appname>-profile under /etc/apparmor.d that allows nothing beyond the base abstraction. In complain mode the accesses it does not allow are logged rather than blocked, and that log is what aa-logprof learns from.

    For example:

    #include <tunables/global>
    profile <appname>-profile flags=(attach_disconnected, complain) {
      #include <abstractions/base>
    }
  2. Use apparmor_parser (as root) to load the profile; because of the complain flag it is loaded in complain mode. apparmor_parser adds the profile by default; use -r to replace one that is already loaded:

    apparmor_parser -q /etc/apparmor.d/<appname>-profile
  3. Attach the profile to the pod, launch the pod, and exercise every operation the workload is expected to perform, so that each access the skeleton does not allow is logged.

  4. aa-logprof rewrites the profile file, so the user running it needs write access to /etc/apparmor.d. The permission change below must be made by a user with sudo rights (e.g. the 'sysadmin' user) to allow a sys_protected group member (e.g. the 'sysadmin' user) to update the profile with aa-logprof. Every member of that group can then change security policy, so keep the group small.

    sudo setfacl -m g:sys_protected:rwx /etc/apparmor.d/
  5. Use aa-logprof to update the profile from the kernel log. The sed rewrites "kernel: notice" to "kernel:" so that the log lines match the format aa-logprof's log parser expects:

    aa-logprof -f <(sed 's/kernel: notice/kernel:/' < /var/log/kern.log)

    aa-logprof walks through each logged access interactively and writes the accepted rules into the profile under /etc/apparmor.d.

  6. Change the complain flag to enforce (or simply remove it; enforce is the default mode), add the updated profile to the policy section of the AppArmor CRD, and load it in enforce mode as described in Load a profile in enforce mode across all hosts using SPO.
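The procedure above collected into shell functions, as an added example that is not from the original page and not part of the platform's own tooling. The function and variable names (skeleton_profile, normalize_kern_log, profile_mode, check_profile, run_workflow, PROFILE_DIR, RUN_WORKFLOW, APP) are assumptions made here; the commands inside them are standard apparmor_parser, aa-logprof and setfacl invocations. Beyond the steps themselves it adds two checks a practitioner wants: a parse-only run of apparmor_parser before anything is loaded, and a lookup of the mode the kernel reports for the profile in /sys/kernel/security/apparmor/profiles, which confirms complain mode before learning and enforce mode after step 6.

```shell
#!/bin/sh
# Added example, not from the original page: the aa-logprof workflow as
# shell functions plus two checks. PROFILE_DIR, RUN_WORKFLOW, APP and the
# function names are assumptions made for this example.
set -eu

PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"

# Step 1: print the deny-everything skeleton for <appname> in complain mode.
skeleton_profile() {
    app="$1"
    printf '%s\n' \
        '#include <tunables/global>' \
        "profile ${app}-profile flags=(attach_disconnected, complain) {" \
        '  #include <abstractions/base>' \
        '}'
}

# Step 5 helper: aa-logprof's log parser wants "kernel:" rather than
# "kernel: notice"; this is the same rewrite the sed in the procedure does.
normalize_kern_log() {
    sed 's/kernel: notice/kernel:/'
}

# Check: the mode the kernel currently has a profile in. Parses the
# "name (mode)" lines of /sys/kernel/security/apparmor/profiles; a
# different listing file can be passed as $2 for offline use. Prints
# nothing when the profile is not loaded.
profile_mode() {
    name="$1"
    listing="${2:-/sys/kernel/security/apparmor/profiles}"
    awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$listing"
}

# Check: parse the profile without loading it (-Q skips the kernel load,
# -K skips the cache), so a syntax error is caught before step 2.
check_profile() {
    apparmor_parser -Q -K "$1"
}

# Steps 1, 2, 4 and 5 end to end; run as a user with sudo rights.
run_workflow() {
    app="$1"
    file="$PROFILE_DIR/${app}-profile"
    skeleton_profile "$app" | sudo tee "$file" >/dev/null   # step 1
    check_profile "$file"
    sudo apparmor_parser -r "$file"                        # step 2 (-r: add or replace)
    echo "${app}-profile loaded in mode: $(profile_mode "${app}-profile")"
    echo "exercise the pod now (step 3), then press Enter"
    read _ || true
    sudo setfacl -m g:sys_protected:rwx "$PROFILE_DIR"     # step 4
    tmp=$(mktemp)
    normalize_kern_log < /var/log/kern.log > "$tmp"        # step 5
    aa-logprof -f "$tmp"
    rm -f "$tmp"
    echo "now drop the complain flag and reload (step 6); verify with profile_mode"
}

# Guarded so the file can be sourced, or its functions tested, without
# touching the host.
if [ "${RUN_WORKFLOW:-0}" = 1 ]; then
    run_workflow "${APP:?set APP to the application name}"
fi
```

Run it with APP=<appname> RUN_WORKFLOW=1 as a user with sudo rights; without RUN_WORKFLOW the file only defines the functions and can be sourced to use profile_mode or check_profile on their own, for instance to confirm that a profile shows (enforce) after step 6.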

Example profile 1

Below is a sample profile that grants Linux capabilities, network access, a resource limit (rlimit), and file access.

# This loads a file containing variable definitions (@{HOME} is defined here).
include <tunables/home>

# profile name; attach_disconnected treats disconnected paths as attached to
# the root, mediate_deleted keeps mediating files deleted after being opened
profile Sample_profile flags=(attach_disconnected, mediate_deleted) {
    # include rules from another file: the base abstraction every program needs
    #include <abstractions/base>

    # POSIX.1e draft capabilities: the application may change process UIDs and GIDs
    capability setuid,
    capability setgid,

    # network access: IPv4 UDP (dgram) and IPv4 TCP (stream) are allowed
    network inet dgram,
    network inet stream,

    # rlimit: cap the stack size at 5K (the only operator accepted here is <=;
    # 5K is illustrative, a real program needs far more)
    set rlimit stack <= 5K,

    # file rules: the application can read and write ~/myfile and execute ~/app
    # (ix = execute, with the child inheriting this profile)
    @{HOME}/myfile rw,
    @{HOME}/app    ix,
}

Example profile 2

Below is a profile for tcpdump, a packet analyzer; its rules focus on Linux capabilities and network access. Note the audit deny rules: in AppArmor a deny rule takes precedence over an allow rule matching the same path regardless of their order in the profile, so tcpdump -w cannot overwrite dotfiles such as ~/.bashrc or anything under ~/bin even though @{HOME}/** rw is granted further down, and audit logs each refused attempt.

#include <tunables/global>

/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,
  network raw,
  network packet,

  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

  /usr/sbin/tcpdump r,
}