"AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths."
To install AppArmor, run the command:
# xbps-install -S apparmor
AppArmor is now installed, but it isn't turned on yet.
Set up AppArmor
1. Edit GRUB config
First, you'll need to edit your GRUB config:
# nano /etc/default/grub
Add "apparmor=1 security=apparmor" to the GRUB_CMDLINE_LINUX_DEFAULT string. For example, your GRUB_CMDLINE_LINUX_DEFAULT string may end up looking like this:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 slub_debug=P page_poison=1 rd.auto=1 apparmor=1 security=apparmor"
Then regenerate the GRUB config so the new kernel parameters take effect:
# grub-mkconfig -o /boot/grub/grub.cfg
# hashboot index
2. Change AppArmor configuration
You'll need to put AppArmor into one of its two "on" states (complain or enforce):
# nano /etc/default/apparmor
Change "#APPARMOR=disable" to either "APPARMOR=complain" or "APPARMOR=enforce". Make sure to remove the leading #, otherwise the line stays a comment and is ignored.
After rebooting, AppArmor should load all profiles in /etc/apparmor.d and set AppArmor to the state you set in /etc/default/apparmor. Run the command
to verify AppArmor is working.
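The following script is an added example, not part of the original page: it checks each thing the two steps above configured (kernel parameters, the APPARMOR= setting, and whether the kernel module is enabled). The function names are hypothetical; the sysfs paths are the standard AppArmor locations, and the two file arguments default to /proc/cmdline and /etc/default/apparmor.

```shell
#!/bin/sh
# Added example: post-reboot checks for the setup described on this page.
# File paths are parameters so each check can be pointed at a test copy.

# Succeeds only if both kernel parameters from step 1 are on the command line.
cmdline_has_apparmor() {
    cmdline=$(cat "${1:-/proc/cmdline}") || return 2
    found_enable=no found_lsm=no
    for tok in $cmdline; do
        case "$tok" in
            apparmor=1)        found_enable=yes ;;
            security=apparmor) found_lsm=yes ;;
        esac
    done
    [ "$found_enable" = yes ] && [ "$found_lsm" = yes ]
}

# Prints the active APPARMOR= value from step 2; commented lines are ignored.
# Prints "unset" if only the commented default is present.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*APPARMOR="\{0,1\}\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/default/apparmor}" | tail -n 1)
    echo "${mode:-unset}"
}

# Prints a short report for the running system.
report() {
    if cmdline_has_apparmor; then
        echo "cmdline: apparmor=1 security=apparmor present"
    else
        echo "cmdline: parameters missing (was grub.cfg regenerated?)"
    fi
    echo "config:  APPARMOR=$(configured_mode)"
    enabled=/sys/module/apparmor/parameters/enabled
    if [ -r "$enabled" ] && [ "$(cat "$enabled")" = Y ]; then
        echo "kernel:  AppArmor module enabled"
    else
        echo "kernel:  AppArmor not enabled"
    fi
    profiles=/sys/kernel/security/apparmor/profiles   # readable by root only
    [ -r "$profiles" ] && echo "loaded:  $(wc -l < "$profiles") profiles"
    return 0
}

# Run as: sh check-apparmor.sh report   (script name is a placeholder)
if [ "${1:-}" = "report" ]; then report; fi
```

Run it as root so the loaded-profile count is readable. A "config: APPARMOR=unset" line means the leading # was not removed in /etc/default/apparmor.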