How to create AppArmor profile for Nginx


AppArmor is a Mandatory Access Control (MAC) system implemented as a Linux Security Module (LSM) in the kernel; it confines programs to a limited set of resources. Its security model binds access control attributes to programs rather than to users. Confinement is provided via profiles loaded into the kernel, typically at boot. A profile can be in one of two modes: enforcement or complain. A profile loaded in enforcement mode enforces the policy it defines and reports violation attempts (via syslog or auditd). A profile in complain mode does not enforce policy but only reports violation attempts.

AppArmor profiles

AppArmor profiles are simple text files. Absolute paths as well as file globbing can be used when specifying file access. Most file access rules specify the type of access which is allowed: ‘r’ (read), ‘w’ (write), ‘m’ (memory map as executable), ‘k’ (file locking), ‘l’ (creation of hard links), and ‘ix’ (execute another program, with the new program inheriting the current policy). Other execute rules also exist, such as ‘Px’ (execute under the target program's own profile, after cleaning the environment), ‘Cx’ (execute under a child profile, after cleaning the environment), and ‘Ux’ (execute unconfined, after cleaning the environment). The uppercase variants scrub the environment; the lowercase ‘px’, ‘cx’ and ‘ux’ do the same transitions without cleaning it.


Practical example of AppArmor profile

First you need to install AppArmor:

sudo apt install apparmor apparmor-utils apparmor-profiles

Check status of AppArmor:

systemctl status apparmor

In our example we will not use aa-easyprof, since the template profile it generates is more permissive than a profile built manually or with aa-genprof.

In this demonstration we will generate a simple profile for Nginx.

Before that, check the status of the loaded AppArmor profiles:

sudo apparmor_status

The output shows that AppArmor operates in two profile modes:

Enforce – the rules in the profile are enforced: disallowed operations are blocked, and the violation attempts are reported to syslog, or to auditd if it is installed.

Complain – the rules are not enforced; violation attempts are only logged.

Generate your first AppArmor profile

We will run a program called aa-genprof in one terminal and use a second terminal to exercise Nginx.

sudo aa-genprof /usr/sbin/nginx

Profiling: /usr/sbin/nginx

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

Meanwhile, switch to the second terminal and restart Nginx:

sudo service nginx restart

Now press S to scan. You will be prompted several times to allow or deny a file access or a capability; go step by step and read every request, because anything you allow becomes part of the policy. At the end you will be asked to save the profile. To capture the full set of accesses Nginx needs, perform a few more actions in the second terminal (stop, start and reload Nginx) and scan again before finishing.

After you finish creating the profile, review it and edit it where needed:

cd /etc/apparmor.d/

Open profile named usr.sbin.nginx:

# Last Modified: Thu Jan 20 23:53:33 2022
#include <tunables/global>

/usr/sbin/nginx {
 #include <abstractions/base>
 #include <abstractions/dovecot-common>
 #include <abstractions/nameservice>
 #include <abstractions/nis>
 #include <abstractions/openssl>
 #include <abstractions/postfix-common>

 capability dac_override,

 /usr/sbin/nginx mr,
 /var/log/nginx/access.log w,
 /var/log/nginx/error.log w,
 /var/www/html/* r,
 owner /etc/nginx/* r,
 owner /etc/nginx/conf.d/ r,
 owner /etc/nginx/modules-enabled/ r,
 owner /etc/nginx/sites-available/* r,
 owner /etc/nginx/sites-enabled/* r,
 owner /proc/sys/kernel/random/boot_id r,
 owner /run/ rw,
 owner /usr/share/nginx/modules-available/* r,
}

Check if your website works:

curl localhost

Put your profile in complain mode until you are ready to change it to enforce mode:

sudo aa-complain /usr/sbin/nginx

Check status:

sudo aa-status

Reload AppArmor:

sudo systemctl reload apparmor
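While the profile runs in complain mode, every access the policy would have blocked is logged as an AppArmor DENIED record (in the kernel log, or in auditd's audit.log when auditd is installed). The following is an added example, not code from the original post or from the AppArmor project: a small shell function that reads those records and prints the candidate rules they imply, so the profile can be completed by hand instead of by repeated aa-genprof runs. The function name denials_to_rules and the sample records are constructed for this example; it assumes the profile is named after the binary path, as aa-genprof does.

```shell
#!/bin/sh
# Added example, not part of the original post: convert AppArmor DENIED
# audit records (as printed by `journalctl -k` / dmesg, or auditd's
# audit.log) into candidate profile rules for manual review.
# denials_to_rules PROFILE  reads records on stdin, prints unique rules.

denials_to_rules() {
    LC_ALL=C awk -v want="$1" '
    /apparmor="DENIED"/ {
        # Collect the key="value" / key=value fields of this record.
        split("", f)
        n = split($0, parts, / /)
        for (i = 1; i <= n; i++)
            if (split(parts[i], kv, "=") == 2) {
                gsub(/"/, "", kv[2])
                f[kv[1]] = kv[2]
            }
        if (f["profile"] != want) next

        # Capability denials become "capability <name>," rules.
        if (f["operation"] == "capable") {
            if (f["capname"] != "") print "  capability " f["capname"] ","
            next
        }
        if (f["name"] == "") next   # not a file access (network, signal, ...)

        # requested_mask letters to rule permissions: c (create) and
        # d (delete) need w; a (append) is dropped when w is present,
        # because the parser rejects "a" and "w" together; duplicates go.
        mask = f["requested_mask"]
        gsub(/[cd]/, "w", mask)
        perms = ""
        for (j = 1; j <= length(mask); j++) {
            ch = substr(mask, j, 1)
            if (index(perms, ch) == 0) perms = perms ch
        }
        if (index(perms, "w") && index(perms, "a")) gsub(/a/, "", perms)
        if (perms != "") print "  " f["name"] " " perms ","
    }' | LC_ALL=C sort -u
}

# Constructed sample records in the kernel audit format; the paths and
# masks are illustrative, not captured from a real Nginx host.
SAMPLE_LOG='audit: type=1400 audit(1642722813.213:45): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/run/nginx.pid" pid=1234 comm="nginx" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1642722813.214:46): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/error.log" pid=1234 comm="nginx" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
audit: type=1400 audit(1642722813.215:47): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1234 comm="nginx" capability=10 capname="net_bind_service"
audit: type=1400 audit(1642722813.216:48): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/run/nginx.pid" pid=1235 comm="nginx" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1642722813.217:49): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=999 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Demo: only the nginx profile's denials are turned into rules; the
# repeated nginx.pid record collapses into one line.
printf '%s\n' "$SAMPLE_LOG" | denials_to_rules /usr/sbin/nginx
```

On a live host the input would come from `sudo journalctl -k | denials_to_rules /usr/sbin/nginx`. Treat the output as suggestions to review, not rules to paste blindly: a denial only shows what Nginx tried, not whether it should be allowed, and a wide path or an extra capability undoes the point of confining it. After adding the rules you accept, reload that profile with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx`, exercise Nginx again, and switch to `sudo aa-enforce /usr/sbin/nginx` only once no new denials appear.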

For more information about AppArmor profiles visit Ubuntu website.
