AppArmor, SecurityFS, and Proxmox VE
Originally published on 10/8/2024
AppArmor is a Linux security module that restricts the capabilities of individual applications. It uses mandatory access control (MAC) to provide an additional layer of security beyond traditional Unix permissions. AppArmor uses profiles to define what resources and privileges an application can access, effectively containing potential security breaches.
AppArmor is widely adopted in several popular Linux distros. Ubuntu and openSUSE use it by default. Debian offers it as an optional security enhancement. Many other distros also support AppArmor, either by default or as an optional feature.
What is SecurityFS?
SecurityFS is a virtual filesystem in Linux used by AppArmor and other security modules to manage security policies. Typically mounted at /sys/kernel/security, SecurityFS acts as an interface between kernel-level security mechanisms and user-level tools.
AppArmor uses SecurityFS to manage and enforce security policies. It provides a way for userspace tools to interact with the kernel to set, modify, and enforce these policies. Through SecurityFS, AppArmor can load profiles, switch between enforcement modes, report violations, and provide status information.
AppArmor in Proxmox VE
Proxmox Virtual Environment (a.k.a. Proxmox VE) is an open-source server virtualization environment. It leverages AppArmor to enhance the security of Linux Containers (LXCs). When creating or modifying LXC containers in Proxmox VE, administrators can enable an AppArmor profile to restrict the container's access to system resources. This integration provides an extra layer of isolation between the host system and the containers, as well as between individual containers.
By default, Proxmox VE applies a standard AppArmor profile to LXC containers, which includes common restrictions and safe defaults. However, administrators can also create custom AppArmor profiles for specific containers, allowing for fine-grained control over container permissions. This flexibility enables Proxmox VE users to balance security and functionality, ensuring that containers have access to necessary resources while maintaining a strong security posture across the virtualized environment.
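The status information that AppArmor exposes through SecurityFS can be used to confirm that the LXC profiles on a host are actually being enforced. The script below is an added example, not part of the original article or of Proxmox VE: it parses the kernel's loaded-profile listing and reports LXC profiles that are in any mode other than enforce. It assumes the usual /sys/kernel/security mount point and an `lxc-` profile name prefix; the sample listing and the name `lxc-custom-web` are constructed.

```python
import re
from collections import Counter

# AppArmor's loaded-profile listing under the usual SecurityFS mount point.
PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"

# Constructed sample in the kernel's "name (mode)" line format, used when the
# live file cannot be read. "lxc-custom-web" is a hypothetical custom profile.
SAMPLE = """\
/usr/bin/man (enforce)
lxc-container-default-cgns (enforce)
lxc-101_</var/lib/lxc> (enforce)
lxc-custom-web (complain)
"""

# The mode is the final parenthesised word; the name may itself contain
# slashes, angle brackets or spaces, so match the mode from the end.
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

def parse_profiles(text):
    """Return {profile_name: mode} from the text of the profiles file."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m["name"]] = m["mode"]
    return profiles

def not_enforcing(profiles, prefix="lxc-"):
    """Sorted names of profiles with the prefix whose mode is not 'enforce'."""
    return sorted(n for n, mode in profiles.items()
                  if n.startswith(prefix) and mode != "enforce")

def read_profiles(path=PROFILES_PATH):
    """Read the live listing (needs root); fall back to the constructed sample."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read(), True
    except OSError:
        return SAMPLE, False

if __name__ == "__main__":
    text, live = read_profiles()
    profiles = parse_profiles(text)
    print("source:", PROFILES_PATH if live else "constructed sample")
    for mode, count in sorted(Counter(profiles.values()).items()):
        print(f"{mode}: {count}")
    for name in not_enforcing(profiles):
        print(f"not enforcing: {name} ({profiles[name]})")
```

A profile in complain mode only logs violations instead of blocking them, so a container profile reported here is not providing the isolation described above.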