{"id":10270,"date":"2022-03-15T10:16:06","date_gmt":"2022-03-15T09:16:06","guid":{"rendered":"https:\/\/www.credativ.de\/blog\/credativ-inside\/introduction-to-apparmor\/"},"modified":"2022-03-15T10:16:06","modified_gmt":"2022-03-15T09:16:06","slug":"introduction-to-apparmor","status":"publish","type":"post","link":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/","title":{"rendered":"Introduction to AppArmor"},"content":{"rendered":"

Fundamentally, access control under Linux is a simple matter:<\/p>\n

Files specify their access rights (execute, write, read) separately for their owner, their group, and finally, other users. Every process (whether a user’s shell or a system service) running on the system operates under a user ID and group ID, which are used for access control. <\/p>\n

A web server running with the permissions of user www-data<\/code> and group www-data<\/code> can thus be granted access to its configuration file in the directory \/etc<\/code>, its log file under \/log<\/code>, and the files to be delivered under \/var\/www<\/code>. The web server should not require more access rights for its operation. <\/p>\n

Nevertheless, whether due to misconfiguration or a security vulnerability, it could also access and deliver files belonging to other users and groups, as long as these are readable by everyone, as is technically the case, for example, with \/etc\/passwd<\/code>. Unfortunately, this cannot be prevented with traditional Discretionary Access Control<\/a> (DAC), as used in Linux and other Unix-like systems. <\/p>\n

However, since December 2003, the Linux kernel has offered a framework with the Linux Security Modules<\/em> (LSM), which allows for the implementation of Mandatory Access Control<\/a> (MAC), where rules can precisely specify which resources a process may access. AppArmor<\/a> implements such a MAC and has been included in the Linux kernel since 2010. While it was originally only used in SuSE and later Ubuntu, it has also been enabled by default in Debian since Buster<\/em> (2019). <\/p>\n

AppArmor<\/h1>\n

AppArmor checks and monitors, based on a profile, which permissions a program or script has on a system. A profile typically contains the rule set for a single program. For example, it defines how (read, write) files and directories may be accessed, whether a network socket may be created, or whether and to what extent other applications may be executed. All other actions not defined in the profile are denied. <\/p>\n

Profile Structure<\/h2>\n

The following listing (line numbers are not part of the file and serve only for orientation) shows the profile for a simple web server, whose program file is located under \/usr\/sbin\/httpd<\/code> is located.<\/p>\n

By default, AppArmor profiles are located in the directory \/etc\/apparmor.d<\/code> and are conventionally named after the path of the program file. The first slash is omitted, and all subsequent slashes are replaced by dots. The web server’s profile is therefore located in the file \/etc\/apparmor.d\/usr.sbin.httpd<\/code>. <\/p>\n

 1 include <tunables\/global>\n  2  \n 3 @{WEBROOT}=\/var\/www\/html\n  4  \n 5 profile httpd \/usr\/sbin\/httpd {\n 6 include <abstractions\/base>\n 7 include <abstractions\/nameservice>\n  8  \n 9 capability dac_override,\n10 capability dac_read_search,\n11 capability setgid,\n12 capability setuid,\n13\n14 \/usr\/sbin\/httpd mr,\n15\n16 \/etc\/httpd\/httpd.conf r,\n17 \/run\/httpd.pid rw,\n18  \n19 @{WEBROOT}\/** r,\n20\n21 \/var\/log\/httpd\/*.log w,\n22 }<\/pre>\n
Preamble<\/h3>\n
The instruction include<\/code> in line 1<\/em> inserts the content of other files in place, similar to the C preprocessor directive of the same name. If the filename is enclosed in angle brackets, as here, the specified path refers to the folder \/etc\/apparmor.d<\/code>; with quotation marks, the path is relative to the profile file. <\/p>\n
Occasionally, though now outdated, the notation #include<\/code> can still be found. However, since comments in AppArmor profiles begin with a #<\/code> and the rest of the line is ignored, the old notation leads to a contradiction: a supposedly commented-out #include<\/code> instruction would indeed be executed! Therefore, to comment out a include<\/code> instruction, a space after the #<\/code> is recommended.  <\/p>\n
The files in the subfolder tunables<\/code> typically contain variable and alias definitions that are used by multiple profiles and are defined in only one place, according to the Don’t Repeat Yourself principle<\/em> (DRY<\/em>).<\/p>\n
In line 2<\/em>, the variable @{WEBROOT}<\/code> is created with WEBROOT<\/code> and assigned the value \/var\/www\/html<\/code>. If other profiles, in addition to the current one, were to define rules for the webroot directory, it could instead be defined in its own file tunables<\/code> and included in the respective profiles. <\/p>\n
Profile Section<\/h3>\n
The profile section begins in line 5<\/em> with the keyword profile<\/code>. It is followed by the profile name, here httpd<\/code>, the path to the executable file, \/usr\/sbin\/httpd<\/code>, and optionally flags<\/em> that influence the profile’s behavior. The individual rules of the profile then follow, enclosed in curly braces. <\/p>\n
As before, in lines 6 and 7<\/em>, include<\/code> also inserts the content of the specified file in place. In the subfolder abstractions<\/code>, according to the DRY principle<\/em>, there are files with rule sets that appear repeatedly in the same form, as they cover both fundamental and specific functionalities. <\/p>\n
For example, in the file base<\/code>, access to various file systems such as \/dev<\/code>, \/proc<\/code>, and \/sys<\/code>, as well as to runtime libraries or some system-wide configuration files, is regulated. The file <\/x>, contrary to its naming, contains not only rules concerning name resolution but also those that permit network access in the first place. These two abstractions<\/em> are thus found in most profiles, especially those for network services.  <\/p>\n
Starting with line 9<\/em>, rules with the keyword capability<\/code> grant a program special privileges, known as capabilities<\/a>. Among these, setuid<\/code> and setgid<\/code> are certainly among the more well-known: they allow the program to change its own uid<\/em> and gid<\/em>; for example, a web server can start as root<\/em>, open the privileged port 80, and then drop its root privileges. dac_override<\/code> and dac_read_search<\/code> allow bypassing the checking of read, write, and execute permissions. Without this capability<\/em>, even a program running under uid<\/em> root<\/code> would not be able to access files regardless of their attributes, unlike what one is used to from the shell.  <\/p>\n
From line 14<\/em> onwards, there are rules that determine access permissions for paths (i.e., folders and files). The structure is quite simple: first, the path is specified, followed by a space and the abbreviations for the granted permissions. <\/p>\n
\n
Aside: Permissions<\/h4>\n
The following table provides a brief overview of the most common permissions:<\/p>\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n
 
Abbreviation<\/th>\nMeaning<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
r<\/code><\/td>\nread<\/td>\nread access<\/td>\n<\/tr>\n
w<\/code><\/td>\nwrite<\/td>\nwrite access<\/td>\n<\/tr>\n
a<\/code><\/td>\nappend<\/td>\nappending data<\/td>\n<\/tr>\n
x<\/code><\/td>\nexecute<\/td>\nexecute<\/td>\n<\/tr>\n
m<\/code><\/td>\nmemory map executable<\/td>\nmapping and executing the file’s content in memory<\/td>\n<\/tr>\n
k<\/code><\/td>\nlock<\/td>\nsetting a lock<\/td>\n<\/tr>\n
l<\/code><\/td>\nlink<\/td>\ncreating a link<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/section>\n
\n
Aside: Globbing<\/h4>\n
Paths can either be fully written out individually or multiple paths can be combined into one path using wildcards. This process, called globbing<\/em>, is also used by most shells today, so this notation should not cause any difficulties. <\/p>\n\n\n\n\n\n\n\n\n\n\n
Expression<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
\/dir\/file<\/code><\/td>\nrefers to exactly one file<\/td>\n<\/tr>\n
\/dir\/*<\/code><\/td>\nincludes all files within \/dir\/<\/code><\/td>\n<\/tr>\n
\/dir\/**<\/code><\/td>\nincludes all files within \/dir\/<\/code>, including subdirectories<\/td>\n<\/tr>\n
?<\/code><\/td>\nrepresents exactly one character<\/td>\n<\/tr>\n
{}<\/code><\/td>\nCurly braces allow for alternations<\/td>\n<\/tr>\n
[]<\/code><\/td>\nSquare brackets can be used for character classes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Examples:<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n
 
Expression<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
\/dir\/???<\/code><\/td>\nthus refers to all files in \/dir<\/code> whose filename is exactly 3 characters long<\/td>\n<\/tr>\n
\/dir\/*.{png,jpg}<\/code><\/td>\nrefers to all image files in \/dir<\/code> whose file extension is png<\/code> or jpg<\/code><\/td>\n<\/tr>\n
\/dir\/[abc]*<\/code><\/td>\nrefers to all files in \/dir<\/code> whose name begins with the letters a, b, or c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/section>\n
For access to the program file \/usr\/sbin\/httpd<\/code>, the web server receives the permissions mr<\/code> in line 14<\/em>. The abbreviation r<\/code> stands for read<\/em> and means that the content of the file may be read; m<\/code> stands for memory map executable<\/em> and allows the content of the file to be loaded into memory and executed. <\/p>\n
Anyone who dares to look into the file \/etc\/apparmor.d\/abstractions\/base<\/code> will see that the permission m<\/code> is also necessary for loading libraries, among other things.<\/p><\/blockquote>\n
During startup, the web server will attempt to read its configuration from the file \/etc\/httpd.conf<\/code>. Since the path has r<\/code> permission for reading, AppArmor will allow this. Subsequently, httpd<\/code> writes its PID<\/em> to the file \/run\/httpd.pid<\/code>. The abbreviation w<\/code> naturally stands for write<\/em> and allows write operations on the path. (Lines 16, 17)<\/em>   <\/p>\n
The web server is intended to deliver files below the WEBROOT<\/code> directory. To avoid having to list all files and subdirectories individually, the wildcard **<\/code> can be used. The expression <\/x> in line 19<\/g> therefore stands for all files within and below the folder <\/x> \u2013 including subfolders and hidden files. Since it is a static website and the web server does not need to modify the files, only read permission is granted with r<\/code>.   <\/p>\n
As usual, all access to the web server is logged in the log files access.log<\/code> and error.log<\/code> in the directory \/var\/log\/httpd\/<\/code>. These are only written by the web server, so it is sufficient to set only write permission for the path \/var\/log\/httpd\/*<\/code> with w<\/code> in line 21<\/em>. <\/p>\n
With this, the profile is complete and ready for use. In addition to those shown here, there are a variety of other rule types with which the allowed behavior of a process can be precisely defined. <\/p>\n
Further information on profile structure can be found in the man page for apparmor.d<\/a> and in the Wiki article on the AppArmor Quick Profile Language<\/a>; a detailed description of all rules can be found in the AppArmor Core Policy Reference<\/a>.<\/p>\n
Creating a Profile<\/h2>\n
Some applications and packages already come with ready-made AppArmor profiles, while others still need to be adapted to specific circumstances. Still other packages do not come with any profiles at all \u2013 these must be created by the administrator themselves. <\/p>\n
To create a new AppArmor profile for an application, a very basic profile is usually created first, and AppArmor is instructed to treat it in the so-called complain mode<\/em>. Here, accesses that are not yet defined in the profile are recorded in the system’s log files. <\/p>\n
Based on these log entries, the profile can then be refined after some time, and if no more entries appear in the logs, AppArmor can be instructed to switch the profile to enforce mode<\/em>, enforce the rules listed therein, and block undefined accesses.<\/p>\n
Even though it is easily possible to create and adapt an AppArmor profile manually in a text editor, the package apparmor-utils<\/code><\/a> contains various helper programs that can facilitate the work: for example, aa-genprof<\/code> helps create a new profile, aa-complain<\/code> switches it to complain mode<\/em>, aa-logprof<\/code> helps search log files and add corresponding new rules to the profile, and aa-enforce<\/code> finally switches the profile to enforce mode<\/em>.<\/p>\n
In the next article of this series, we will create our own profile for the web server nginx<\/code> based on the foundations established here.<\/p>\n
We are Happy to Support You<\/h1>\n
Whether AppArmor, Debian, or PostgreSQL: with over 22+ years of development and service experience in the open source sector, credativ GmbH can professionally support you with unparalleled and individually configurable support, fully assisting you with all questions regarding your open source infrastructure.<\/p>\n
Do you have questions about our article or would you like credativ’s specialists to take a look at other software of your choice? Then feel free to visit us and contact us via our contact form<\/a> or send us an email at info@credativ.de<\/a>. <\/p>\n
About Credativ<\/h1>\n
credativ GmbH<\/a> is a vendor-independent consulting and service company based in M\u00f6nchengladbach. Since the successful merger with Instaclustr in 2021, credativ GmbH has been the European headquarters of the Instaclustr Group. <\/p>\n
The Instaclustr Group<\/a> helps companies realize their own large-scale applications thanks to managed platform solutions for open source technologies such as Apache Cassandra\u00ae, Apache Kafka\u00ae, Apache Spark\u2122, Redis\u2122, OpenSearch\u2122, Apache ZooKeeper\u2122, PostgreSQL\u00ae, and Cadence. Instaclustr combines a complete data infrastructure environment with practical expertise, support, and consulting to ensure continuous performance and optimization. By eliminating infrastructure complexity, companies are enabled to focus their internal development and operational resources on building innovative, customer-centric applications at lower costs. Instaclustr’s clients include some of the largest and most innovative Fortune 500 companies.   <\/p>\n","protected":false},"excerpt":{"rendered":"
Fundamentally, access control under Linux is a simple matter: Files specify their access rights (execute, write, read) separately for their owner, their group, and finally, other users. Every process (whether a user’s shell or a system service) running on the system operates under a user ID and group ID, which are used for access control. […]<\/p>\n","protected":false},"author":60,"featured_media":6587,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","seoaic_article_subtitles":[],"footnotes":""},"categories":[1883,1885],"tags":[1711,1775,1842,1761,1853,1861],"class_list":["post-10270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-debian-en","category-howtos-en","tag-apparmor-en","tag-debian-en","tag-linux-en","tag-open-source-en","tag-security","tag-ubuntu-en"],"acf":[],"yoast_head":"\nIntroduction to AppArmor - credativ\u00ae<\/title>\n<meta name=\"description\" content=\"Optimize your Linux security with Debian AppArmor and learn more about effective access control.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Introduction to AppArmor\" \/>\n<meta property=\"og:description\" content=\"Optimize your Linux security with Debian AppArmor and learn more about effective access control.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/\" \/>\n<meta property=\"og:site_name\" content=\"credativ\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/credativDE\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-15T09:16:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2500\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jan Bolle\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@bollejansson\" \/>\n<meta name=\"twitter:site\" content=\"@credativde\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jan Bolle\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/\"},\"author\":{\"name\":\"Jan Bolle\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\"},\"headline\":\"Introduction to AppArmor\",\"datePublished\":\"2022-03-15T09:16:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/\"},\"wordCount\":1748,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/2500x300_apparmor_einleitung.png\",\"keywords\":[\"AppArmor\",\"Debian\",\"Linux\",\"Open Source\",\"Security\",\"Ubuntu\"],\"articleSection\":[\"Debian\",\"HowTos\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#respond\"]}],\"copyrightYear\":\"2022\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/\",\"name\":\"Introduction to AppArmor - credativ\u00ae\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/2500x300_apparmor_einleitung.png\",\"datePublished\":\"2022-03-15T09:16:06+00:00\",\"description\":\"Optimize your Linux security with Debian AppArmor and learn more about effective access control.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/2500x300_apparmor_einleitung.png\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/2500x300_apparmor_einleitung.png\",\"width\":2500,\"height\":300},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Introduction to AppArmor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"name\":\"credativ GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\",\"name\":\"credativ\u00ae\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/credativDE\\\/\",\"https:\\\/\\\/x.com\\\/credativde\",\"https:\\\/\\\/mastodon.social\\\/@credativde\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/credativ-gmbh\",\"https:\\\/\\\/www.instagram.com\\\/credativ\\\/\"],\"description\":\"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\\\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.\",\"legalName\":\"credativ GmbH\",\"foundingDate\":\"2025-03-01\",\"duns\":\"316387060\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"11\",\"maxValue\":\"50\"},\"address\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"51.1732374\",\"longitude\":\"6.392010099999999\"},\"telephone\":[\"+4921619174200\",\"08002733284\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"telephone\":\"08002733284\",\"email\":\"vertrieb@credativ.de\"},\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\"],\"opens\":\"09:00\",\"closes\":\"17:00\"},{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Saturday\",\"Sunday\"],\"opens\":\"00:00\",\"closes\":\"00:00\"}],\"email\":\"info@credativ.de\",\"areaServed\":\"D-A-CH\",\"vatID\":\"DE452151696\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\",\"name\":\"Jan Bolle\",\"description\":\"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\\\/Linux seinen Dienst verrichtete.\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/bollejansson\"]},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#local-main-place-address\",\"streetAddress\":\"Hennes-Weisweiler-Allee 23\",\"addressLocality\":\"M\u00f6nchengladbach\",\"postalCode\":\"41179\",\"addressRegion\":\"Deutschland\",\"addressCountry\":\"DE\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/introduction-to-apparmor\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"caption\":\"credativ\u00ae\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"M\u00f6nchengladbach\" \/>\n<meta name=\"geo.position\" content=\"51.1732374;6.392010099999999\" \/>\n<meta name=\"geo.region\" content=\"Germany\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Introduction to AppArmor - credativ\u00ae","description":"Optimize your Linux security with Debian AppArmor and learn more about effective access control.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/","og_locale":"en_US","og_type":"article","og_title":"Introduction to AppArmor","og_description":"Optimize your Linux security with Debian AppArmor and learn more about effective access control.","og_url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/","og_site_name":"credativ\u00ae","article_publisher":"https:\/\/www.facebook.com\/credativDE\/","article_published_time":"2022-03-15T09:16:06+00:00","og_image":[{"width":2500,"height":300,"url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png","type":"image\/png"}],"author":"Jan Bolle","twitter_card":"summary_large_image","twitter_creator":"@bollejansson","twitter_site":"@credativde","twitter_misc":{"Written by":"Jan Bolle","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#article","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/"},"author":{"name":"Jan Bolle","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e"},"headline":"Introduction to AppArmor","datePublished":"2022-03-15T09:16:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/"},"wordCount":1748,"commentCount":0,"publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png","keywords":["AppArmor","Debian","Linux","Open Source","Security","Ubuntu"],"articleSection":["Debian","HowTos"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#respond"]}],"copyrightYear":"2022","copyrightHolder":{"@id":"https:\/\/www.credativ.de\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/","url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/","name":"Introduction to AppArmor - credativ\u00ae","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#primaryimage"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png","datePublished":"2022-03-15T09:16:06+00:00","description":"Optimize your Linux security with Debian AppArmor and learn more about effective access control.","breadcrumb":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#primaryimage","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2022\/03\/2500x300_apparmor_einleitung.png","width":2500,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.credativ.de\/en\/"},{"@type":"ListItem","position":2,"name":"Introduction to AppArmor"}]},{"@type":"WebSite","@id":"https:\/\/www.credativ.de\/en\/#website","url":"https:\/\/www.credativ.de\/en\/","name":"credativ GmbH","description":"","publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.credativ.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Organization","Place"],"@id":"https:\/\/www.credativ.de\/en\/#organization","name":"credativ\u00ae","url":"https:\/\/www.credativ.de\/en\/","logo":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#local-main-organization-logo"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/credativDE\/","https:\/\/x.com\/credativde","https:\/\/mastodon.social\/@credativde","https:\/\/www.linkedin.com\/company\/credativ-gmbh","https:\/\/www.instagram.com\/credativ\/"],"description":"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.","legalName":"credativ GmbH","foundingDate":"2025-03-01","duns":"316387060","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"11","maxValue":"50"},"address":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"51.1732374","longitude":"6.392010099999999"},"telephone":["+4921619174200","08002733284"],"contactPoint":{"@type":"ContactPoint","telephone":"08002733284","email":"vertrieb@credativ.de"},"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday"],"opens":"09:00","closes":"17:00"},{"@type":"OpeningHoursSpecification","dayOfWeek":["Saturday","Sunday"],"opens":"00:00","closes":"00:00"}],"email":"info@credativ.de","areaServed":"D-A-CH","vatID":"DE452151696"},{"@type":"Person","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e","name":"Jan Bolle","description":"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\/Linux seinen Dienst verrichtete.","sameAs":["https:\/\/x.com\/bollejansson"]},{"@type":"PostalAddress","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#local-main-place-address","streetAddress":"Hennes-Weisweiler-Allee 23","addressLocality":"M\u00f6nchengladbach","postalCode":"41179","addressRegion":"Deutschland","addressCountry":"DE"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/introduction-to-apparmor\/#local-main-organization-logo","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","caption":"credativ\u00ae"}]},"geo.placename":"M\u00f6nchengladbach","geo.position":{"lat":"51.1732374","long":"6.392010099999999"},"geo.region":"Germany"},"_links":{"self":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/10270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/comments?post=10270"}],"version-history":[{"count":0,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/10270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media\/6587"}],"wp:attachment":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media?parent=10270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/categories?post=10270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/tags?post=10270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}