LinuxCommandLibrary

aa-enforce

Enable AppArmor enforcement mode on a profile

TLDR

Enable profile

$ sudo aa-enforce [[-d|--dir]] [path/to/profile]

Enable profiles

$ sudo aa-enforce [path/to/profile1 path/to/profile2 ...]

SYNOPSIS

aa-enforce [options] [profile ...]

PARAMETERS

-d, --dir DIR
    Look for AppArmor profiles in directory DIR instead of default.

-h, --help
    Print usage information and exit.

DESCRIPTION

aa-enforce is a utility from the AppArmor suite, a Linux kernel security module that restricts programs' capabilities with per-program profiles. This command sets specified AppArmor profiles to enforce mode, where the kernel actively blocks unauthorized file access, network operations, and other actions defined in the profile.

In contrast to complain mode (set via aa-complain), which only logs violations without blocking, enforce mode provides mandatory access control for enhanced security. Profiles are typically stored in /etc/apparmor.d/ and must be loaded into the kernel beforehand, often via systemctl reload apparmor or apparmor_parser.

Running aa-enforce profile_name changes the mode for that profile. Without arguments, it sets all loaded profiles to enforce mode, making it useful for transitioning from development/testing (complain) to production. It requires root privileges and updates the kernel's AppArmor data structures dynamically without reloading profiles.

It is ideal for securing services such as web servers or SSH after the profile has been tuned with aa-logprof. Always verify with aa-status afterwards to confirm the modes and the loaded profiles.

CAVEATS

Requires root privileges (use sudo). Only affects loaded profiles; unloading or reloading may be needed for changes to take effect. It has no effect if the profile is not found or is already in enforce mode. Check with aa-status.

EXAMPLES

sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
Enforce Apache profile.

sudo aa-enforce
Enforce all loaded profiles.
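The DESCRIPTION recommends confirming with aa-status after running aa-enforce. The helper below is an added example, not part of the AppArmor utilities: it parses aa-status output to report a profile's mode, and a wrapper refuses to report success unless the kernel actually lists the profile in enforce mode. The aa-status text is constructed sample output, and enforce_and_verify assumes the caller supplies the profile name exactly as aa-status prints it.

```shell
#!/bin/sh
# Added example, not AppArmor project code: confirm an aa-enforce run from
# aa-status output instead of assuming it worked.

# Constructed sample of aa-status output (layout as the tool prints it).
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/sshd
   /usr/sbin/apache2
1 profiles are in complain mode.
   /usr/bin/man
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/sshd (812)
   /usr/sbin/apache2 (1201)
0 processes are in complain mode.'

# profile_mode NAME STATUS_TEXT -> prints enforce | complain | not-loaded
# Tracks which "N profiles are in X mode." section the parser is in and
# reports the section that lists NAME; any other "N ..." header (the process
# sections) resets the state, so "/usr/sbin/sshd (812)" is never mistaken
# for a profile entry.
profile_mode() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\./ { mode = $5; next }
        /^[0-9]+ /                               { mode = "";  next }
        mode != "" && /^[ \t]+[^ \t]/ {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "not-loaded" }'
}

# enforce_and_verify TARGET NAME: TARGET is what aa-enforce is given (profile
# file or program path); NAME is the profile name as aa-status prints it.
# Returns 0 only when the kernel reports the profile in enforce mode.
enforce_and_verify() {
    sudo aa-enforce "$1" || return 1
    mode=$(profile_mode "$2" "$(sudo aa-status)")
    [ "$mode" = enforce ] && return 0
    printf '%s: expected enforce, aa-status reports %s\n' "$2" "$mode" >&2
    return 1
}

# Dry check against the constructed sample (no root needed):
profile_mode /usr/sbin/apache2 "$SAMPLE_STATUS"   # enforce
profile_mode /usr/bin/man "$SAMPLE_STATUS"        # complain
```

On a real host, call `enforce_and_verify /etc/apparmor.d/usr.sbin.apache2 /usr/sbin/apache2` and branch on its exit status.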

EXIT CODES

0 on success; non-zero on error (e.g., profile not found, permission denied).

HISTORY

Developed as part of AppArmor utilities by Canonical for Ubuntu, integrated into upstream kernel since Linux 2.6.36 (2010). Evolved with AppArmor 2.x/3.x releases for better profile management.

SEE ALSO
