aa-disable
Disable AppArmor enforcement for a specific profile
TLDR
Disable profile
Disable profiles in a directory (defaults to /etc/apparmor.d)
SYNOPSIS
aa-disable [OPTIONS] <profile_path> [<profile_path>...]
PARAMETERS
<profile_path>
Path to one or more AppArmor profile files (e.g., /etc/apparmor.d/usr.bin.firefox) to be disabled. Multiple paths can be specified, separated by spaces.
-d <directory>, --dir <directory>
Specify an alternative base directory where AppArmor profiles are stored, instead of the default location (typically `/etc/apparmor.d/`).
-h, --help
Display a brief help message and exit.
DESCRIPTION
The aa-disable command is part of the AppArmor security framework on Linux. AppArmor is a Mandatory Access Control (MAC) system that allows system administrators to restrict program capabilities with per-program profiles.
When a profile is 'enforced', AppArmor applies the rules defined within it to the associated application, limiting its access to system resources. aa-disable serves to unload one or more AppArmor profiles from the kernel and move their corresponding files from the `enforce` directory (e.g., `/etc/apparmor.d/enforce/`) to the `disable` directory (e.g., `/etc/apparmor.d/disable/`). This action effectively removes the security restrictions imposed by the profile, allowing the program to run with its default system permissions.
It is commonly used for debugging applications, troubleshooting AppArmor-related issues, or temporarily relaxing security policies when compatibility problems arise. Using aa-disable requires root privileges.
CAVEATS
Disabling AppArmor profiles significantly reduces the security posture of the system or the affected application, potentially exposing it to vulnerabilities that the profile was designed to mitigate.
While aa-disable unloads the profile from the kernel, processes already running under the previously enforced profile might not immediately reflect the change until they are restarted. It is recommended to restart affected services or the system for full effect.
This command requires root privileges (e.g., via sudo) to operate.
PROFILE PERSISTENCE
When a profile is disabled using aa-disable, it is not deleted from the system. Instead, its file is moved to a 'disabled' subdirectory (e.g., /etc/apparmor.d/disable/). This allows for easy re-enforcement later using the aa-enforce command without needing to recreate the profile.
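An added example, not part of apparmor-utils or of the original page: a POSIX shell check that lists entries in the disable subdirectory described above that are missing from an approved list, so a profile left disabled after debugging gets noticed. The allowlist file and the function names `audit_disabled_profiles` and `demo_audit` are assumptions, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example: report profiles parked in the "disable" subdirectory that
# are not on an approved list. Not part of apparmor-utils.
# Assumptions: base directory layout as described on this page; the
# allowlist file (one profile file name per line) is hypothetical.

audit_disabled_profiles() {
    base_dir="${1:-/etc/apparmor.d}"
    allowlist="${2:-/dev/null}"
    disable_dir="$base_dir/disable"
    unexpected=0

    # No disable directory means nothing has been disabled.
    [ -d "$disable_dir" ] || return 0

    for entry in "$disable_dir"/*; do
        # Skip the unexpanded glob; -L also keeps dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if grep -Fxq -- "$name" "$allowlist" 2>/dev/null; then
            continue                      # approved exception
        fi
        echo "$name"                      # unexpected disabled profile
        unexpected=$((unexpected + 1))
    done

    # Non-zero status lets cron jobs or CI gates fail on drift.
    [ "$unexpected" -eq 0 ]
}

# Demo on a constructed tree (sample data, not a real system).
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/disable"
    : > "$tmp/disable/usr.bin.firefox"
    : > "$tmp/disable/usr.sbin.example"   # constructed name
    printf '%s\n' "usr.sbin.example" > "$tmp/approved.txt"
    status=0
    audit_disabled_profiles "$tmp" "$tmp/approved.txt" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On a real host, call `audit_disabled_profiles` with no arguments to check the default base directory, or pass the directory given to `-d` together with the path of the allowlist file.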
HISTORY
AppArmor was originally developed by Immunix and later acquired by Novell in 2005. It was integrated into the openSUSE distribution and subsequently adopted by Ubuntu as its default MAC system. The aa-disable utility, along with other aa-* commands, is part of the apparmor-utils package, which provides a set of tools for managing AppArmor profiles. Its development has progressed with AppArmor itself, aiming to simplify profile management for system administrators.
SEE ALSO
aa-enforce(8), aa-complain(8), aa-status(8), aa-logprof(8), apparmor_parser(8)