aa-enforce
Enable AppArmor enforcement mode on a profile
TLDR
Enable a single profile (switch it from complain to enforce mode):
sudo aa-enforce PROFILE_PATH
Enable every profile found in a directory:
sudo aa-enforce --dir DIRECTORY
SYNOPSIS
aa-enforce [OPTION]... PROFILE_PATH
or
aa-enforce [OPTION]... --dir DIRECTORY [--recursive]
PARAMETERS
-d, --dir
Specifies a directory to scan for AppArmor profiles to enforce.
-r, --recursive
Used with --dir to recursively scan subdirectories for profiles.
-h, --help
Displays help information and exits.
-v, --verbose
Increases verbosity of output.
-q, --quiet
Suppresses most output messages.
--version
Shows the command's version information and exits.
DESCRIPTION
aa-enforce is a command-line utility that puts one or more AppArmor profiles into enforce mode. In enforce mode the kernel mediates the confined application's accesses according to the rules in the profile: any access the profile does not permit is denied and the denial is logged (an audit or syslog entry with apparmor="DENIED"; explicit deny rules are quiet unless marked audit). This contrasts with complain mode, where violations are only logged (as apparmor="ALLOWED") and the access is still permitted. The tool works by removing the complain flag from the profile's header (the flags=(complain) part of the header line) and reloading the updated profile into the kernel with apparmor_parser. Moving a profile from complain to enforce is the step that turns passive monitoring into active protection, so it is normally done only after the profile has been exercised and refined in complain mode, so that legitimate application behaviour is not blocked. Root privileges are required because the command rewrites the profile file and loads kernel-level policy.
CAVEATS
Enforcing a profile that has not been exercised against the application's real workload can break the application or degrade it silently, because every legitimate access the profile does not cover is denied. Develop and test the profile in complain mode first, fold the logged accesses into rules with aa-logprof, and switch to enforce only once the log is quiet. Confirm that AppArmor is loaded and the service is running (e.g. systemctl status apparmor) before enforcing; afterwards, check with aa-status that the profile is listed in enforce mode and watch the logs for new DENIED entries.
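The description and caveats above both turn on one detail: the mode of a profile is a flag in its header line, and aa-enforce removes that flag before reloading the profile. The following is an added example, written for this page and not code from aa-enforce or the AppArmor project. It shows, in shell, how to find which profile files under a directory still carry flags=(complain), the same check you would make before running aa-enforce --dir on /etc/apparmor.d, and what the header looks like once the flag is stripped. The profile paths and contents are constructed samples, and the functions rewrite every header in a file rather than a single named profile, which is a simplification of what aa-enforce does.

```shell
#!/usr/bin/env bash
# Added example (not part of aa-enforce or the AppArmor project): inspect the
# mode flags in AppArmor profile headers and show the header rewrite that
# moves a profile from complain to enforce. Sample profiles are constructed.

# Print "complain" if a profile header in FILE carries the complain flag,
# otherwise "enforce". A header is a non-comment line ending in "{" with an
# optional flags=(...) list before the brace.
profile_mode() {
    local file="$1"
    if grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)[[:space:]]*[{][[:space:]]*$' "$file"; then
        echo complain
    else
        echo enforce
    fi
}

# Write FILE to stdout with the complain flag removed from every header line.
# Handles flags=(complain), flags=(complain,other) and flags=(other,complain);
# a flags list that becomes empty is dropped entirely.
strip_complain_flag() {
    sed -E '/[{][[:space:]]*$/ {
        s/[[:space:]]*flags=\([[:space:]]*complain[[:space:]]*\)//
        s/(flags=\([^)]*)complain[[:space:]]*,[[:space:]]*/\1/
        s/(flags=\([^)]*),[[:space:]]*complain[[:space:]]*(\))/\1\2/
    }' "$1"
}

# List every profile file under DIR that is still in complain mode; this is
# the pre-flight check before "sudo aa-enforce --dir DIR".
list_complain_profiles() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(profile_mode "$f")" = complain ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample profiles (not real system profiles) so the example runs
# offline. Returns the directory they were written to.
make_samples() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/usr.bin.sample-app" <<'EOF'
#include <tunables/global>

/usr/bin/sample-app flags=(complain,attach_disconnected) {
  #include <abstractions/base>
  /etc/sample-app.conf r,
}
EOF
    cat > "$dir/usr.sbin.sample-daemon" <<'EOF'
#include <tunables/global>

/usr/sbin/sample-daemon {
  #include <abstractions/base>
  /var/log/sample-daemon.log w,
}
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed samples. On a real host the rewrite and
# reload are done by "sudo aa-enforce PROFILE_PATH", after which "profile_mode"
# on the edited file and "sudo aa-status" should both report enforce mode.
demo_dir=$(make_samples)
echo "Profiles still in complain mode under $demo_dir:"
list_complain_profiles "$demo_dir"
strip_complain_flag "$demo_dir/usr.bin.sample-app" > "$demo_dir/usr.bin.sample-app.enforced"
echo "Header after stripping the flag:"
grep '[{][[:space:]]*$' "$demo_dir/usr.bin.sample-app.enforced"
echo "Mode now reported: $(profile_mode "$demo_dir/usr.bin.sample-app.enforced")"
```

Because the functions read and write plain files, they are safe to run as an unprivileged user for auditing a copy of /etc/apparmor.d; only the actual aa-enforce step, which edits the live profile and reloads it into the kernel, needs root.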
PROFILE LOCATION
AppArmor profiles are typically stored in the /etc/apparmor.d/ directory. When specifying PROFILE_PATH, you usually refer to a file within this directory or its subdirectories.
ROOT PRIVILEGES
The aa-enforce command requires superuser privileges (e.g., using sudo) to modify kernel-level AppArmor policies.
HISTORY
AppArmor, and with it the aa-enforce utility, was developed by Immunix (originally under the name SubDomain); Novell acquired Immunix in 2005 and shipped AppArmor in SUSE Linux, and Canonical later became its primary maintainer, with Ubuntu enabling it by default. It was merged into the mainline Linux kernel in version 2.6.36. AppArmor is a Mandatory Access Control (MAC) system and an alternative to SELinux; it confines programs by pathname rather than by security labels, and its tooling (aa-logprof, aa-complain, aa-enforce) is designed to make writing and iterating on profiles straightforward.
SEE ALSO
aa-complain(8), aa-status(8), aa-logprof(8), apparmor_parser(8)