Understanding AppArmor: Linux Security for Containers
A deep dive into AppArmor, the Linux Security Module that powers Bifrost's container protection, and how it provides mandatory access control for your workloads.
Maria Svensson
bifrost security
AppArmor is a Linux Security Module (LSM) that provides mandatory access control (MAC) for programs. It’s one of the key technologies that powers Bifrost’s container protection. In this post, we’ll explore what AppArmor is, how it works, and why it’s ideal for container security.
What is AppArmor?
AppArmor is a security framework that restricts programs’ capabilities through per-program profiles. Unlike traditional discretionary access control (DAC) where users decide permissions, AppArmor enforces policies regardless of what the user or program wants to do.
Each AppArmor profile defines:
- File access: Which files and directories a program can read, write, or execute
- Capabilities: Which Linux capabilities (like CAP_NET_ADMIN) a program can use
- Network access: What network operations are permitted
- Signals: Which signals can be sent or received
How AppArmor Differs from SELinux
Both AppArmor and SELinux are Linux Security Modules, but they take different approaches:
| Aspect | AppArmor | SELinux |
|---|---|---|
| Policy model | Path-based | Label-based |
| Complexity | Simpler profiles | More complex policies |
| Learning curve | Easier to understand | Steeper learning curve |
| Default on | Ubuntu, SUSE | RHEL, Fedora, CentOS |
AppArmor’s path-based model makes profiles more human-readable and easier to debug, which is why we chose it for Bifrost.
AppArmor Profile Example
Here’s a simplified example of what an AppArmor profile looks like:
```
profile my-app flags=(attach_disconnected) {
  # Allow reading common libraries
  /lib/** r,
  /usr/lib/** r,
  # Allow reading app files
  /app/** r,
  /app/bin/my-app ix,
  # Allow writing to specific directories
  /tmp/** rw,
  /var/log/my-app/** w,
  # Network access
  network inet tcp,
  network inet udp,
  # Anything not explicitly allowed above is denied: profiles are default-deny
}
```
Why Manual Profile Creation is Hard
Writing AppArmor profiles manually is challenging because:
- You need to know every file your app accesses: Including all libraries, config files, and temporary files
- Profiles break when applications change: A new dependency or feature can cause profile violations
- Testing is time-consuming: You need to exercise every code path to discover all required permissions
- Over-permissive profiles are tempting: It’s easier to allow more than needed than to debug denials
How Bifrost Automates This
Bifrost solves these challenges by:
- Observing actual behavior: Using eBPF to trace exactly what your application does
- Generating precise profiles: Creating profiles that match observed behavior, nothing more
- Updating automatically: Detecting when applications change and updating profiles accordingly
- Providing safe defaults: Starting in learning mode before enforcing
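The two workflows above, turning denials into rules and generating a profile from observed behaviour, as an added example that is not Bifrost's code: a Python script that parses constructed AppArmor audit events (the kernel's `apparmor="DENIED"` / `apparmor="ALLOWED"` lines), aggregates them per profile, and renders rules in the same default-deny shape as the `my-app` profile shown earlier. The sample log lines, the `my-app` paths and the helper names are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample events in kernel audit-log format (not from a real host). Complain/learning
# mode logs apparmor="ALLOWED" for the same events that enforce mode logs as "DENIED".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="my-app" name="/etc/ssl/certs/ca-certificates.crt" pid=4242 comm="my-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="my-app" name="/var/cache/my-app/session.db" pid=4242 comm="my-app" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="my-app" name="/var/cache/my-app/session.db" pid=4242 comm="my-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="capable" profile="my-app" pid=4242 comm="my-app" capability=12  capname="net_admin"
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="create" profile="my-app" pid=4242 comm="my-app" family="inet" sock_type="stream" protocol=6
"""
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare-value
MASK_MAP = {"c": "w", "d": "w"}  # audit masks use c (create)/d (delete); profile rules say w

def parse_audit_line(line):
    # Return the key=value fields of one audit line as a dict, quotes stripped.
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def collect_rules(log_text, profile):
    # Aggregate every observed event for one profile into file, capability and network rules.
    files, caps, nets = defaultdict(set), set(), set()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("profile") != profile or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "capname" in ev:
            caps.add(ev["capname"])
        elif "family" in ev:
            nets.add((ev["family"], ev["sock_type"]))
        elif "name" in ev and "denied_mask" in ev:
            files[ev["name"]].update(MASK_MAP.get(c, c) for c in ev["denied_mask"])
    return {"files": dict(files), "capabilities": caps, "network": nets}

def file_perms(mask):
    # w already implies a, and a single file rule may not list both.
    mask = mask - {"a"} if "w" in mask else mask
    return "".join(p for p in "rwalkm" if p in mask)

def render_profile(name, rules):
    # Emit a profile in the same default-deny shape as the my-app example above.
    lines = [f"profile {name} flags=(attach_disconnected) {{"]
    lines += [f"  capability {c}," for c in sorted(rules["capabilities"])]
    lines += [f"  network {fam} {typ}," for fam, typ in sorted(rules["network"])]
    lines += [f"  {path} {file_perms(mask)}," for path, mask in sorted(rules["files"].items())]
    lines += ["  # anything not listed above stays denied", "}"]
    return "\n".join(lines)
```

Running `render_profile("my-app", collect_rules(SAMPLE_AUDIT_LOG, "my-app"))` yields one `capability`, one `network` and two file rules; the two session.db events collapse into a single `rw` rule.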
Getting Started with AppArmor
If you’re running Kubernetes on Ubuntu or another distribution with AppArmor support, you’re already set up. Bifrost handles all the profile generation and management—you just need to add an annotation to your deployments:
```yaml
annotations:
  bifrost.io/protect: "true"
```
Learn more about getting started with Bifrost or try it free for 14 days.