
Disable AppArmor in Ubuntu

Disable AppArmor on Ubuntu 24.04.01; this also works with older releases.

What is AppArmor?

AppArmor (Application Armor) is a Linux Security Module (LSM) that provides Mandatory Access Control (MAC) security. It confines programs according to a set of rules that specify what files and capabilities a program can access. AppArmor is path-based, meaning it works with file paths rather than inode numbers (unlike SELinux).

Key Features:

  • Proactive defense: Restricts programs to a limited set of resources
  • Complain mode: Logs policy violations without enforcing them (useful for testing)
  • Enforce mode: Actively blocks unauthorized actions
  • Profile-based: Each application can have its own security profile

Why Disable AppArmor?

While disabling AppArmor is generally not recommended for production systems, there are specific scenarios where it might be necessary:

  1. Development/Testing: Troubleshooting application issues caused by security policies
  2. Legacy Applications: Software that doesn't work well with modern security frameworks
  3. Container Environments: Some container runtimes may conflict with AppArmor
  4. Debugging: Isolating whether AppArmor is causing specific application failures

Warning: Disabling AppArmor reduces system security. Consider using complain mode or adjusting profiles instead of complete disablement.

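Disable AppArmor

```bash
# Open the GRUB defaults file in an editor
sudo nano /etc/default/grub

# In the editor, set this line (it is a file entry, not a shell command):
#   GRUB_CMDLINE_LINUX="apparmor=0"

# Regenerate the GRUB configuration
sudo update-grub
```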

Step-by-Step Explanation:

  1. Edit GRUB configuration: Opens the bootloader configuration file

Expected outputs of the aa-enabled check:

  • Yes - AppArmor is enabled and enforcing
  • No - AppArmor is disabled

Additional Verification Commands

Check AppArmor Status in Detail

```bash
# View detailed AppArmor status
sudo aa-status
```

This command shows:

  • Number of profiles loaded
  • Profiles in enforce mode
  • Profiles in complain mode
  • Processes with profiles

Check Kernel Parameters

```bash
# Verify if AppArmor is disabled in kernel parameters
cat /proc/cmdline | grep apparmor
```

If disabled, you should see apparmor=0 in the output.

Check via systemd

```bash
# Check AppArmor service status
sudo systemctl status apparmor
```

Look for Active: inactive (dead) if disabled.

Instead of completely disabling AppArmor, consider using complain mode for specific profiles. This logs violations without blocking them:

```bash
# Put a specific profile in complain mode
sudo aa-complain /etc/apparmor.d/usr.sbin.nginx

# Put all profiles in complain mode
sudo aa-complain /etc/apparmor.d/*
```

To return to enforce mode:

```bash
# Enforce a specific profile
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
```

Temporary Disable (Until Next Reboot)

For testing purposes, you can temporarily disable AppArmor without modifying GRUB:

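```bash
# Stop the AppArmor service
sudo systemctl stop apparmor

# Or use the service wrapper
sudo service apparmor stop

# On current Ubuntu releases, stopping the service leaves already-loaded
# profiles in the kernel; aa-teardown unloads them
sudo aa-teardown
```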

This change will be reverted upon system reboot.

Viewing AppArmor Logs

AppArmor violations are logged to the system journal:

```bash
# View recent AppArmor denials
sudo journalctl -xe | grep -i apparmor

# Monitor AppArmor messages in real-time
sudo journalctl -f | grep -i apparmor

# View AppArmor denials from syslog
sudo grep -i apparmor /var/log/syslog
```
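Raw grep output gets noisy quickly. The following added example (not part of the original page) groups AppArmor audit events by verdict, profile, operation and target, so the rule a profile is missing can be identified instead of disabling AppArmor. The function names `sample_log` and `summarise_denials` are hypothetical, and the log lines are constructed samples in the kernel audit format.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): group AppArmor audit events so
# the rule a profile is missing is visible before anyone disables AppArmor.

# Constructed sample lines in the kernel audit format AppArmor logs.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1736503201.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/srv/data/site.conf" pid=1412 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1736503202.300:202): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/srv/data/site.conf" pid=1413 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jan 10 10:00:03 host kernel: audit: type=1400 audit(1736503203.010:203): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1412 comm="nginx" capability=12 capname="net_admin"
Jan 10 10:00:04 host kernel: audit: type=1400 audit(1736503204.550:204): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/spool/cups/tmp.1" pid=900 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jan 10 10:00:05 host systemd[1]: Started apparmor.service (unrelated line, must be ignored).
EOF
}

# Reads log text on stdin and prints tab-separated rows, most frequent first:
# count, verdict, profile, operation, target, denied mask.
# ALLOWED rows are complain-mode hits that enforce mode would block.
summarise_denials() {
  awk '
    # Return the quoted value of key="..." on the current line, or "-".
    function val(key,   s) {
      if (!match($0, " " key "=\"[^\"]*\"")) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    / apparmor="(DENIED|ALLOWED)"/ {
      target = val("name")
      if (target == "-") target = val("capname")   # capability events carry no path
      seen[val("apparmor") "\t" val("profile") "\t" val("operation") "\t" target "\t" val("denied_mask")]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Demo on the constructed sample
sample_log | summarise_denials
```

On a live system the same function can read the kernel log, for example `sudo journalctl -k | summarise_denials`.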

Re-enabling AppArmor

If you need to re-enable AppArmor after disabling it:

Method 1: Remove GRUB parameter

```bash
# Edit GRUB config and remove apparmor=0
sudo nano /etc/default/grub

# Remove or comment out: GRUB_CMDLINE_LINUX="apparmor=0"
# Update GRUB and reboot
sudo update-grub
sudo reboot
```

Method 2: Via systemd

```bash
sudo systemctl enable apparmor
sudo systemctl start apparmor
```

Security Implications

Disabling AppArmor removes an important security layer:

  • Increased attack surface: Applications can access more resources than intended
  • Lateral movement: Compromised processes have fewer restrictions
  • Compliance issues: May violate security policies (PCI-DSS, HIPAA, etc.)
  • No confinement: Applications run with their full user privileges

Best Practices:

  1. Profile adjustment: Modify AppArmor profiles instead of disabling
  2. Complain mode: Use for debugging while maintaining visibility
  3. Targeted approach: Disable only for specific applications if needed
  4. Document: Record why AppArmor was disabled and when to re-enable
  5. Monitor: Implement alternative security measures if disabled

Troubleshooting Common AppArmor Issues

Issue: Application Won't Start

```bash
# Check if AppArmor is blocking
# (replace <application-name> with the process or profile name)
sudo aa-status | grep "<application-name>"

# View recent denials
sudo dmesg | grep -i apparmor | grep -i denied
```

Issue: Permission Denied Errors

```bash
# Generate profile in complain mode
# (replace <application-path> with the full path to the executable)
sudo aa-genprof "<application-path>"

# Run the application to capture its behavior
# Press 'S' to scan logs and create profile
```

Issue: Docker Containers Failing

```bash
# Check Docker-specific AppArmor profile
sudo aa-status | grep docker
```

Disable AppArmor for Docker (not recommended). Add to /etc/docker/daemon.json:

```json
{
  "security-opt": ["apparmor=unconfined"]
}
```

```bash
# List all AppArmor profiles
sudo apparmor_status

# Reload all AppArmor profiles
sudo systemctl reload apparmor

# Reload a specific profile
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

# Disable a specific profile
sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
```

Platform Compatibility

  • ✅ Ubuntu 24.04 LTS (Noble Numbat)
  • ✅ Ubuntu 22.04 LTS (Jammy Jellyfish)
  • ✅ Ubuntu 20.04 LTS (Focal Fossa)
  • ✅ Ubuntu 18.04 LTS (Bionic Beaver)
  • ✅ Debian 12 (Bookworm) and newer
  • ✅ Linux Mint (based on Ubuntu versions above)

Step-by-Step Explanation (continued):

  2. Add kernel parameter: apparmor=0 disables AppArmor at boot time
  3. Update GRUB: Applies changes to the bootloader

After editing, your GRUB configuration should look similar to:

```bash
# Example GRUB configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="apparmor=0"
```

Important: After running sudo update-grub, you must reboot your system for changes to take effect.

```bash
sudo reboot
```

Alternative: Disable via systemd

If you prefer not to modify GRUB parameters, you can disable AppArmor using systemd:

```bash
# Stop AppArmor service
sudo systemctl stop apparmor

# Disable AppArmor from starting at boot
sudo systemctl disable apparmor
```

To re-enable later:

```bash
sudo systemctl enable apparmor
sudo systemctl start apparmor
```

Check whether AppArmor is enabled

```bash
aa-enabled
```