Today's article is probably a bad idea, but it's not the first bad idea I've written about.

KGIII

Today, we learn to remove AppArmor - which you probably shouldn't do. I figure if you need help removing AppArmor, you probably aren't the best candidate to remove AppArmor. But, here we are... You now have instructions should you decide to go down that path. This is Linux, you are free to make all the bad decisions you want. Well, until something breaks...


I do love me some feedback.
 


I must say, I like the disclaimer in the title :)

In RHEL-based systems, we don't have AppArmor, we have SELinux.
I've never tried to "remove" SELinux, I don't even know if it's possible. But I have certainly disabled it on a number of systems. So far it hasn't really caused any problems.

For home systems, AppArmor probably doesn't matter a lot.
For systems that have direct ingress from the internet, I probably would leave it turned on. :)
Along with all the usual firewall precautions.
 
For home systems, AppArmor probably doesn't matter a lot.

Not too much, unless you end up with something compromised. It is (for some applications) an extra level of security and that's not a bad thing. Odds are that the things protected won't become compromised, but if they do...

It also doesn't eat a ton of resources, so there's no good reason not to leave it running.
 
Here's what it looks like in Ubuntu 22.04 LTS.
Code:
ubuntu@Dell-OptiPlex-XE:~$ sudo apparmor_status
[sudo] password for ubuntu:
apparmor module is loaded.
43 profiles are loaded.
41 profiles are in enforce mode.
/snap/snapd/15177/usr/lib/snapd/snap-confine
/snap/snapd/15177/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/16010/usr/lib/snapd/snap-confine
/snap/snapd/16010/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/{,usr/}sbin/dhclient
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.firefox
snap-update-ns.snap-store
snap-update-ns.snapd-desktop-integration
snap.firefox.firefox
snap.firefox.geckodriver
snap.firefox.hook.configure
snap.snap-store.hook.configure
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
snap.snapd-desktop-integration.hook.configure
snap.snapd-desktop-integration.snapd-desktop-integration
tcpdump
2 profiles are in complain mode.
libreoffice-oosplash
libreoffice-soffice
0 profiles are in kill mode.
0 profiles are in unconfined mode.
15 processes have profiles defined.
15 processes are in enforce mode.
/usr/sbin/cups-browsed (892)
/usr/sbin/cupsd (734)
/snap/firefox/1443/usr/lib/firefox/firefox (13628) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13758) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13787) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13937) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14435) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14762) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14928) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15133) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15187) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15224) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15282) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15296) snap.firefox.firefox
/snap/snapd-desktop-integration/14/bin/snapd-desktop-integration (1352) snap.snapd-desktop-integration.snapd-desktop-integration
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
ubuntu@Dell-OptiPlex-XE:~$
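
Added example, not part of any post in this thread: a shell sketch that reads `apparmor_status` text like the output above and reports how many profiles are in each mode and which of them belong to snapd, which is what would stop being enforced if AppArmor were removed. The function names and the abridged sample are constructed for illustration; snap ownership is inferred only from the profile names seen in the output above.

```shell
#!/bin/sh
# Emit "mode<TAB>profile" for every loaded profile in apparmor_status
# text read from stdin. Works with or without the usual indentation.
aa_profiles() {
    awk '
        /^[0-9]+ profiles are in .* mode\.$/ { mode = $5; next }
        /^[0-9]+ (profiles|processes) / || /^apparmor module/ { mode = ""; next }
        mode != "" && NF { sub(/^[ \t]+/, ""); print mode "\t" $0 }
    '
}

# Count the profiles listed under one mode (enforce, complain, kill, ...).
mode_count() {
    aa_profiles | awk -F '\t' -v m="$1" '$1 == m { n++ } END { print n + 0 }'
}

# Profiles whose names match the snapd patterns visible in the thread:
# snap.<snap>.<app>, snap-update-ns.<snap>, and snap-confine paths.
snap_profiles() {
    aa_profiles | awk -F '\t' \
        '$2 ~ /^snap\./ || $2 ~ /^snap-update-ns\./ || $2 ~ /snap-confine/ { print $2 }'
}

# Constructed, abridged sample in the same layout as the output above.
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
7 profiles are loaded.
6 profiles are in enforce mode.
   /snap/snapd/16010/usr/lib/snapd/snap-confine
   /usr/bin/man
   /usr/sbin/cupsd
   snap-update-ns.firefox
   snap.firefox.firefox
   tcpdump
1 profiles are in complain mode.
   libreoffice-soffice
0 profiles are in kill mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (734)
   /snap/firefox/1443/usr/lib/firefox/firefox (13628) snap.firefox.firefox
EOF
}

echo "enforce:  $(sample_status | mode_count enforce)"
echo "complain: $(sample_status | mode_count complain)"
echo "snap-owned profiles:"; sample_status | snap_profiles
```

On a live system, pipe the real output in instead of the sample, for example `sudo apparmor_status | snap_profiles`.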
 
Interesting - and very relevant. I didn't check in anything that's using Snap applications and yet I see it has profiles for various Snaps.

This I did not know.

If I weighed this new information, then it'd be even worse to remove AppArmor on those systems.

I did not know this. Now I do. Thanks!
 
snapd installs AppArmor profiles when it gets installed, at least it does on Debian.

At the moment I do not have snapd installed. Flatpak is similar.
 
snapd installs AppArmor profiles when it gets installed, at least it does on Debian.

Yeah, that's what I've been learning. I did not know Snaps did that. I had no idea.
 
