Why is AppArmor considered useless?

@SkewedZeppelin just to understand this statement better. Are you saying that the out-of-the-box functionality of AppArmor is weak but it can be strengthened, OR are you saying that AppArmor as a whole is weak and SELinux is superior by far?

Wouldn’t AppArmor probably be enough for those that don’t have big threats? I mean, I’m just trying to understand what useless means in this context.

Both AppArmor and SELinux are MACs but they are only as useful as they are configured.

In the case of AA, very few programs are confined by the default enabled/included policies on eg. Ubuntu.

Therefore they don’t offer much protection at all.

Please run aa-status like I mentioned and it’ll tell you which programs are confined.

1 Like

Are you aware of an equivalent command for SELinux that’ll give a nice overview like aa-status?

Edit: I see there is sestatus but it doesn’t seem comparable

Snaps contain AA embedded in them, right? Does running aa-status also capture those packages’ policies?

Sorry, I’m a complete newbie to all of this.

@xe3
ps -auxZ

1 Like

One of the main things that I think is configured is the Firefox snap which has strict confinement.

1 Like

Ubuntu has ~3 oob confined running processes. Ubuntu basically just confines Firefox, Thunderbird, and generic snaps. And oh wow rsyslog.

ubuntu-24.04-desktop-amd64.iso
$ sudo aa-status
apparmor module is loaded.
32 profiles are loaded.
27 profiles are in enforce mode.
   /snap/snapd/21465/usr/lib/snapd/snap-confine
   /snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   rsyslogd
   snap-update-ns.firefox
   snap-update-ns.firmware-updater
   snap-update-ns.snap-store
   snap-update-ns.snapd-desktop-integration
   snap-update-ns.thunderbird
   snap-update-ns.ubuntu-desktop-bootstrap
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.connect-plug-host-hunspell
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.post-refresh
   snap.firmware-updater.firmware-notifier
   snap.firmware-updater.firmware-updater
   snap.firmware-updater.firmware-updater-app
   snap.firmware-updater.hook.configure
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snapd-desktop-integration.hook.configure
   snap.snapd-desktop-integration.snapd-desktop-integration
   snap.thunderbird.hook.configure
   snap.thunderbird.thunderbird
5 profiles are in complain mode.
   snap.ubuntu-desktop-bootstrap.os-prober
   snap.ubuntu-desktop-bootstrap.probert
   snap.ubuntu-desktop-bootstrap.subiquity-loadkeys
   snap.ubuntu-desktop-bootstrap.subiquity-server
   snap.ubuntu-desktop-bootstrap.ubuntu-desktop-bootstrap
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
7 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/rsyslogd (1265) rsyslogd
   /snap/snapd-desktop-integration/157/usr/bin/snapd-desktop-integration (2912) snap.snapd-desktop-integration.snapd-desktop-integration
   /snap/snapd-desktop-integration/157/usr/bin/snapd-desktop-integration (3069) snap.snapd-desktop-integration.snapd-desktop-integration
4 processes are in complain mode.
   /usr/bin/bash (3251) snap.ubuntu-desktop-bootstrap.subiquity-server
   /snap/ubuntu-desktop-bootstrap/171/usr/bin/python3.10 (3284) snap.ubuntu-desktop-bootstrap.subiquity-server
   /usr/bin/bash (2535) snap.ubuntu-desktop-bootstrap.ubuntu-desktop-bootstrap
   /snap/ubuntu-desktop-bootstrap/171/bin/ubuntu_bootstrap (2692) snap.ubuntu-desktop-bootstrap.ubuntu-desktop-bootstrap
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

Fedora has ~50 oob confined running processes.

Fedora-Workstation-Live-x86_64-40-1.14.iso
$ ps -auxZ | grep -v -e kernel_t -e unconfined_t
LABEL                           USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t:s0     root           1  2.2  0.6  65388 25772 ?        Ss   16:15   0:01 /usr/lib/systemd/systemd --switched-root --system --deserialize=40 rhgb
system_u:system_r:syslogd_t:s0  root         961  0.2  0.4  66532 17840 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-journald
system_u:system_r:systemd_userdbd_t:s0 root  989  0.0  0.1  16124  6144 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-userdbd
system_u:system_r:udev_t:s0-s0:c0.c1023 root 1003 0.1  0.3  36460 12780 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-udevd
system_u:system_r:init_t:s0     systemd+    1110  0.1  0.1  16424  7040 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-oomd
system_u:system_r:systemd_resolved_t:s0 systemd+ 1111 0.0  0.3 25792 15680 ?     Ss   16:15   0:00 /usr/lib/systemd/systemd-resolved
system_u:system_r:auditd_t:s0   root        1145  0.0  0.0  20028  2988 ?        S<sl 16:15   0:00 /usr/sbin/auditd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus 1158 0.0  0.1 10184 5012 ?  Ss   16:15   0:00 /usr/bin/dbus-broker-launch --scope system --audit
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus 1159 0.2  0.1 8288 6220 ?   S    16:15   0:00 dbus-broker --log 4 --controller 9 --machine-id 7befb37e1b8a4bccba5bcaa6a57e12a5 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
system_u:system_r:avahi_t:s0    avahi       1161  0.0  0.1   7244  4224 ?        Ss   16:15   0:00 avahi-daemon: running [fedora.local]
system_u:system_r:unconfined_service_t:s0 root 1165 0.0  0.1 302804 5376 ?       SLsl 16:15   0:00 /usr/libexec/low-memory-monitor
system_u:system_r:policykit_t:s0 polkitd    1168  0.7  0.2 383960 11004 ?        Ssl  16:15   0:00 /usr/lib/polkit-1/polkitd --no-debug
system_u:system_r:unconfined_service_t:s0 root 1169 0.0  0.1 529976 6912 ?       Ssl  16:15   0:00 /usr/libexec/power-profiles-daemon
system_u:system_r:virt_qemu_ga_t:s0 root    1181  0.0  0.0  80592  3712 ?        Ssl  16:15   0:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hook
system_u:system_r:rtkit_daemon_t:s0 rtkit   1182  0.0  0.0  21568  3072 ?        SNsl 16:15   0:00 /usr/libexec/rtkit-daemon
system_u:system_r:accountsd_t:s0 root       1183  0.0  0.1 531296  7648 ?        Ssl  16:15   0:00 /usr/libexec/accounts-daemon
system_u:system_r:unconfined_service_t:s0 root 1185 0.0  0.1 527652 6272 ?       Ssl  16:15   0:00 /usr/libexec/switcheroo-control
system_u:system_r:init_t:s0     root        1186  0.1  0.1  16604  7424 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-homed
system_u:system_r:systemd_logind_t:s0 root  1187  0.1  0.2  20432 10368 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-logind
system_u:system_r:systemd_machined_t:s0 root 1188 0.1  0.1  16420  7424 ?        Ss   16:15   0:00 /usr/lib/systemd/systemd-machined
system_u:system_r:devicekit_disk_t:s0 root  1189  0.0  0.3 467948 13132 ?        Ssl  16:15   0:00 /usr/libexec/udisks2/udisksd
system_u:system_r:devicekit_power_t:s0 root 1193  0.0  0.2 535320  8576 ?        Ssl  16:15   0:00 /usr/libexec/upowerd
system_u:system_r:alsa_t:s0     root        1207  0.0  0.0   4572  2816 ?        SNs  16:15   0:00 /usr/sbin/alsactl -s -n 19 -c -E ALSA_CONFIG_PATH=/etc/alsa/alsactl.conf --initfile=/lib/alsa/init/00main rdaemon
system_u:system_r:avahi_t:s0    avahi       1208  0.0  0.0   7244  1288 ?        S    16:15   0:00 avahi-daemon: chroot helper
system_u:system_r:modemmanager_t:s0 root    1262  0.1  0.2 316524 11960 ?        Ssl  16:15   0:00 /usr/sbin/ModemManager
system_u:system_r:firewalld_t:s0 root       1264  0.4  1.0 359424 43524 ?        Ssl  16:15   0:00 /usr/bin/python3 -sP /usr/sbin/firewalld --nofork --nopid
system_u:system_r:chronyd_t:s0  chrony      1363  0.0  0.1  85056  4148 ?        S    16:15   0:00 /usr/sbin/chronyd -F 2
system_u:system_r:NetworkManager_t:s0 root  1367  0.1  0.4 551536 18864 ?        Ssl  16:15   0:00 /usr/sbin/NetworkManager --no-daemon
system_u:system_r:gssproxy_t:s0 root        1400  0.0  0.0 276764  3604 ?        Ssl  16:15   0:00 /usr/sbin/gssproxy -D
system_u:system_r:virtqemud_t:s0 root       1416  0.0  0.5 1400864 20540 ?       Ssl  16:15   0:00 /usr/sbin/virtqemud --timeout 120
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 1419  0.0  0.2 532492  9088 ?        Ssl  16:15   0:00 /usr/sbin/gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 1433  0.0  0.2 466144 11264 ?        Sl   16:15   0:00 gdm-session-worker [pam/gdm-autologin]
system_u:system_r:unconfined_service_t:s0 root 1476 0.0  0.1 305740 6400 ?       Ssl  16:15   0:00 /usr/libexec/uresourced
system_u:system_r:init_t:s0     liveuser    1504  0.0  0.0  22192  3728 ?        S    16:15   0:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 liveuser 1531 0.0  0.0 9196 3968 ? Ss 16:15   0:00 /usr/bin/dbus-broker-launch --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 liveuser 1535 0.2  0.1 7324 4928 ? S 16:15   0:00 dbus-broker --log 4 --controller 9 --machine-id 7befb37e1b8a4bccba5bcaa6a57e12a5 --max-bytes 100000000000000 --max-fds 25000000000000 --max-matches 5000000000
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 liveuser 1730 0.0  0.0 9068 3840 ? S 16:16   0:00 /usr/bin/dbus-broker-launch --config-file=/usr/share/defaults/at-spi2/accessibility.conf --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 liveuser 1731 0.0  0.0 4980 2816 ? S 16:16   0:00 dbus-broker --log 4 --controller 9 --machine-id 7befb37e1b8a4bccba5bcaa6a57e12a5 --max-bytes 100000000000000 --max-fds 6400000 --max-matches 5000000000
system_u:system_r:colord_t:s0   colord      1733  0.0  0.2 534748 11332 ?        Ssl  16:16   0:00 /usr/libexec/colord
system_u:system_r:rpm_t:s0      root        1769  0.0  0.5 557184 23536 ?        Ssl  16:16   0:00 /usr/libexec/packagekitd
system_u:system_r:vdagent_t:s0  root        1864  0.2  0.1 157984  4360 ?        Ssl  16:16   0:00 /usr/sbin/spice-vdagentd
system_u:system_r:cupsd_t:s0-s0:c0.c1023 root 1899 0.0  0.2 253448 10368 ?       Ss   16:16   0:00 /usr/sbin/cupsd -l
system_u:system_r:pcscd_t:s0    root        1943  0.0  0.1 395752  6976 ?        Ssl  16:16   0:00 /usr/sbin/pcscd --foreground --auto-exit
unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 liveuser 1990 0.1  1.0 186428 41320 ? S 16:16   0:00 /usr/bin/Xwayland :0 -rootless -noreset -accessx -core -auth /run/user/1000/.mutter-Xwaylandauth.OTYPQ2 -listenfd 4 -listenfd 5 -displayfd 6 -initfd 7 -byteswappedclients -enable-ei-portal
system_u:system_r:sssd_t:s0     root        2096  0.0  0.2 245440  8704 ?        Ss   16:16   0:00 /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
system_u:system_r:geoclue_t:s0  geoclue     2139  0.0  0.3 897828 12472 ?        Ssl  16:16   0:00 /usr/libexec/geoclue
system_u:system_r:NetworkManager_t:s0 root  2159  0.0  0.1  14488  5376 ?        Ss   16:16   0:00 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
system_u:system_r:systemd_userdbd_t:s0 root 2256  0.0  0.1  16796  6912 ?        S    16:16   0:00 systemd-userwork: waiting...
system_u:system_r:systemd_userdbd_t:s0 root 2277  0.0  0.1  16796  6912 ?        S    16:16   0:00 systemd-userwork: waiting...
system_u:system_r:abrt_t:s0-s0:c0.c1023 root 2406 0.0  0.3 548608 13056 ?        Ssl  16:16   0:00 /usr/sbin/abrt-dbus -t133
system_u:system_r:systemd_userdbd_t:s0 root 2723  0.0  0.1  16524  6656 ?        S    16:16   0:00 systemd-userwork: waiting...
1 Like
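To turn the two listings above (aa-status on the Ubuntu side, ps -auxZ on the Fedora side) into comparable confinement counts, here is an added example that is not from the thread or from either project. It parses short constructed samples of both outputs; note that a plain grep -v unconfined_t does not drop unconfined_service_t lines, which are also effectively unconfined, so the classifier treats that domain as unconfined too.

```python
"""Count MAC-confined processes from aa-status / ps -auxZ output (constructed samples)."""
import re

# Constructed sample of the process section of `aa-status` (not the post's real output).
AA_STATUS_SAMPLE = """\
7 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/rsyslogd (1265) rsyslogd
4 processes are in complain mode.
   /usr/bin/bash (3251) snap.ubuntu-desktop-bootstrap.subiquity-server
0 processes are unconfined but have a profile defined.
"""

# Constructed sample of `ps -auxZ` (columns: LABEL USER PID ... TIME COMMAND).
PS_Z_SAMPLE = """\
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0 root 1 2.2 0.6 65388 25772 ? Ss 16:15 0:01 /usr/lib/systemd/systemd
system_u:system_r:unconfined_service_t:s0 root 1165 0.0 0.1 302804 5376 ? SLsl 16:15 0:00 /usr/libexec/low-memory-monitor
system_u:system_r:kernel_t:s0 root 2 0.0 0.0 0 0 ? S 16:15 0:00 [kthreadd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 liveuser 1600 0.0 0.1 1234 567 ? S 16:15 0:00 /usr/bin/gnome-shell
system_u:system_r:auditd_t:s0 root 1145 0.0 0.0 20028 2988 ? S<sl 16:15 0:00 /usr/sbin/auditd
"""

AA_MODE_RE = re.compile(r"^(\d+) processes are in (\w+) mode\.$")
# SELinux domains that impose no restrictions. unconfined_service_t survives a
# plain `grep -v unconfined_t` because it is a different substring.
SELINUX_UNCONFINED = {"kernel_t", "unconfined_t", "unconfined_service_t"}


def aa_process_modes(text):
    """Return {mode: process_count} from the process section of aa-status output."""
    modes = {}
    for line in text.splitlines():
        m = AA_MODE_RE.match(line.strip())
        if m:
            modes[m.group(2)] = int(m.group(1))
    return modes


def selinux_confined(text):
    """Return (confined_cmds, unconfined_cmds) from `ps -auxZ` output."""
    confined, unconfined = [], []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 12:
            continue
        domain = fields[0].split(":")[2]        # user:role:type[:range] -> type
        cmd = " ".join(fields[11:])             # COMMAND may contain spaces
        (unconfined if domain in SELINUX_UNCONFINED else confined).append(cmd)
    return confined, unconfined
```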

The good thing about AppArmor is that roddhjav’s apparmor.d project is available, with a lot of policies and active development.

1 Like

Which is awesome, but people have to go out of their way to set it up.

It is asinine that there aren’t better defaults after all this time.

4 Likes