Today's article is probably a bad idea, but it's not the first bad idea I've written about.

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
6,485
Reaction score
5,741
Credits
52,173
Today, we learn to remove AppArmor - which you probably shouldn't do. I figure if you need help removing AppArmor, you probably aren't the best candidate to remove AppArmor. But, here we are... You now have instructions should you decide to go down that path. This is Linux, you are free to make all the bad decisions you want. Well, until something breaks...


I do love me some feedback.
 


dos2unix

Well-Known Member
Joined
May 3, 2019
Messages
1,455
Reaction score
1,061
Credits
9,014
I must say, I like the disclaimer in the title :)

In RHEL-based systems, we don't have AppArmor, we have SELinux.
I've never tried to "remove" SELinux, I don't even know if it's possible. But I have certainly disabled it on a number of systems. So far it hasn't really caused any problems.

For home systems, AppArmor probably doesn't matter a lot.
For systems that have direct ingress from the internet, I probably would leave it turned on. :)
Along with all the usual firewall precautions.
 
KGIII
For home systems, AppArmor probably doesn't matter a lot.

Not too much, unless you end up with something compromised. It is (for some applications) an extra level of security and that's not a bad thing. Odds are that the things protected won't become compromised, but if they do...

It also doesn't eat a ton of resources, so there's no good reason not to leave it running.
 

Bartman

Well-Known Member
Joined
Mar 14, 2022
Messages
397
Reaction score
351
Credits
2,775
Here's what it looks like in Ubuntu 22.04 LTS.
Code:
[email protected]:~$ sudo apparmor_status
[sudo] password for ubuntu:
apparmor module is loaded.
43 profiles are loaded.
41 profiles are in enforce mode.
/snap/snapd/15177/usr/lib/snapd/snap-confine
/snap/snapd/15177/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/16010/usr/lib/snapd/snap-confine
/snap/snapd/16010/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/{,usr/}sbin/dhclient
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.firefox
snap-update-ns.snap-store
snap-update-ns.snapd-desktop-integration
snap.firefox.firefox
snap.firefox.geckodriver
snap.firefox.hook.configure
snap.snap-store.hook.configure
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
snap.snapd-desktop-integration.hook.configure
snap.snapd-desktop-integration.snapd-desktop-integration
tcpdump
2 profiles are in complain mode.
libreoffice-oosplash
libreoffice-soffice
0 profiles are in kill mode.
0 profiles are in unconfined mode.
15 processes have profiles defined.
15 processes are in enforce mode.
/usr/sbin/cups-browsed (892)
/usr/sbin/cupsd (734)
/snap/firefox/1443/usr/lib/firefox/firefox (13628) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13758) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13787) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (13937) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14435) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14762) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (14928) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15133) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15187) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15224) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15282) snap.firefox.firefox
/snap/firefox/1443/usr/lib/firefox/firefox (15296) snap.firefox.firefox
/snap/snapd-desktop-integration/14/bin/snapd-desktop-integration (1352) snap.snapd-desktop-integration.snapd-desktop-integration
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
[email protected]:~$
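
Added example (not part of any post in this thread): a shell function that summarises `apparmor_status` output like the one above, counting profiles per mode and how many of them are snapd-related, which is worth checking before disabling or removing AppArmor. The names `aa_summary` and `aa_sample` are made up for this example, the snap matching is a name-based assumption drawn from the profile names in the output above, and the sample input is abridged from that output with counts adjusted to the excerpt.

```shell
#!/bin/sh
# Added example: summarise apparmor_status text output (read from stdin).
# Real use (needs root): sudo apparmor_status | aa_summary
aa_summary() {
    awk '
        # Section header, e.g. "41 profiles are in enforce mode."
        /^[0-9]+ profiles are in [a-z]+ mode/ { mode = $(NF-1); in_list = 1; next }
        # Any other count line (loaded totals, process sections) ends the list.
        /^[0-9]+ (profiles|processes) / { in_list = 0; next }
        in_list && NF {
            total[mode]++
            # Assumption: snapd-related profiles are recognised by name only
            # (snap.<x>, snap-update-ns.<x>, and snap-confine helper paths).
            if ($1 ~ /^snap[.-]/ || $1 ~ /snap-confine/) snap[mode]++
        }
        END {
            n = split("enforce complain kill unconfined", order, " ")
            for (i = 1; i <= n; i++)
                printf "%s total=%d snap=%d\n", order[i], total[order[i]] + 0, snap[order[i]] + 0
        }
    '
}

# Constructed sample: abridged from the output posted above, counts adjusted.
aa_sample() {
    cat <<'EOF'
apparmor module is loaded.
7 profiles are loaded.
5 profiles are in enforce mode.
/snap/snapd/16010/usr/lib/snapd/snap-confine
/usr/bin/evince
/usr/sbin/cupsd
snap-update-ns.firefox
snap.firefox.firefox
2 profiles are in complain mode.
libreoffice-oosplash
libreoffice-soffice
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/cupsd (734)
/snap/firefox/1443/usr/lib/firefox/firefox (13628) snap.firefox.firefox
0 processes are in complain mode.
EOF
}

aa_sample | aa_summary
```

A non-zero `snap=` count on the `enforce` line means removing AppArmor also drops the confinement those snap profiles provide.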
 
KGIII
Interesting - and very relevant. I didn't check in anything that's using Snap applications and yet I see it has profiles for various Snaps.

This I did not know.

If I weighed this new information, then it'd be even worse to remove AppArmor on those systems.

I did not know this. Now I do. Thanks!
 

craigevil

Well-Known Member
Joined
Feb 24, 2021
Messages
373
Reaction score
369
Credits
2,580
snapd installs AppArmor profiles when it gets installed, at least it does on Debian.

At the moment I do not have snapd installed. Flatpak is similar.
 
KGIII
snapd installs AppArmor profiles when it gets installed, at least it does on Debian.

Yeah, that's what I've been learning. I did not know Snaps did that. I had no idea.
 