LinuxCommandLibrary

aa-disable

Disable AppArmor enforcement for a specific profile

TLDR

Disable profile

$ sudo aa-disable [path/to/profile1 path/to/profile2 ...]

Disable profiles in a directory (defaults to /etc/apparmor.d)

$ sudo aa-disable --dir [path/to/profiles]

SYNOPSIS

aa-disable [options] <profile>

PARAMETERS

-d DIR, --dir=DIR
    Look for profiles in custom directory DIR (default: /etc/apparmor.d)

-p, --profile
    Print the name of the profile that will be disabled, without disabling it

-h, --help
    Display usage help message

DESCRIPTION

The aa-disable command is a utility from the AppArmor security toolkit for Linux systems. AppArmor is a mandatory access control (MAC) system that restricts programs' capabilities by defining per-program profiles containing rules for file access, network operations, and more.

aa-disable disables enforcement of a specified AppArmor profile, both immediately (if active) and on boot. It achieves this by renaming the profile file in /etc/apparmor.d/ to end with .disable and moving it to the /etc/apparmor.d/disable/ directory. This prevents apparmor_parser from loading it during system startup or profile reloads.

It is primarily used for troubleshooting, temporarily relaxing security, or decommissioning profiles. It requires root privileges via sudo and interacts with the running AppArmor kernel module. After the profile is disabled, a previously confined process transitions to unconfined mode. Always verify the status with aa-status after running it.

CAVEATS

Requires root privileges (sudo). Does not unload active profiles from the kernel without a manual reload via apparmor_parser -R. Disabling on a running system may not immediately stop enforcement if the profile is loaded; use aa-complain or aa-enforce for runtime changes. AppArmor must be enabled in the kernel.

USAGE NOTES

The profile name is the basename without path or extension, e.g., aa-disable usr.sbin.apache2 for /etc/apparmor.d/usr.sbin.apache2.
Combine with -p for a dry run: sudo aa-disable -p firefox.

VERIFICATION

Check with sudo aa-status or sudo apparmor_status. Disabled profiles appear in /etc/apparmor.d/disable/.
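
The cross-check that CAVEATS and VERIFICATION call for, as an added example (not part of the original page or of the AppArmor tools): for each entry in the disable directory it reads the profile names declared in the file and reports whether the kernel still lists that profile as loaded. The securityfs path /sys/kernel/security/apparmor/profiles, the function names and the heuristic header parse are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare boot-time disablement with the kernel's loaded set.

# Print the top-level profile names declared in a profile file.
# Heuristic: handles "profile NAME ... {" and "/path ... {" at column 0 only.
profile_names() {
    awk '/^profile[ \t]+/ { print $2; next }
         /^\/[^ \t]+[ \t].*[{][ \t]*$/ { print $1 }' "$1"
}

# audit_disabled [DISABLE_DIR] [LOADED_LIST]
# Prints "<profile> loaded <mode>" when a disabled profile is still in the
# kernel (a candidate for apparmor_parser -R), else "<profile> not-loaded".
audit_disabled() {
    disable_dir=${1:-/etc/apparmor.d/disable}
    loaded=${2:-/sys/kernel/security/apparmor/profiles}  # root-readable
    for f in "$disable_dir"/*; do
        [ -f "$f" ] || continue   # follows symlinks; skips an unmatched glob
        profile_names "$f" | while read -r name; do
            # Exact match on the name, so child profiles (name//hat) are ignored.
            mode=$(awk -v n="$name" '$1 == n { print $NF; exit }' "$loaded")
            if [ -n "$mode" ]; then
                echo "$name loaded $mode"
            else
                echo "$name not-loaded"
            fi
        done
    done
}

# Query the live system only when asked: sudo sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_disabled
fi
```

A "loaded" line means the profile will not come back on boot but is still known to the running kernel.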

HISTORY

Developed as part of the AppArmor utilities by Canonical for Ubuntu (introduced ~2009). It evolved from the Immunix LSM (2000s) and has been integrated into the mainline Linux kernel since 2.6.36 (2010). The aa-tools package standardized commands like aa-disable for profile management.

SEE ALSO

aa-enable(1), aa-enforce(1), aa-complain(1), aa-status(1), apparmor_parser(8)
