March 21, 2010

AppArmor

Profile-Based Application Security for SUSE Linux

AppArmor, originally developed by Immunix (acquired by Novell in 2005), provides profile-based security enforcement for individual applications on SUSE Linux. Administrators write a security profile for each application that needs enforced access control; the profile is applied from outside the application, by the kernel, and determines which resources the application may access as it runs and what kinds of access are permitted. The application may still be affected by security vulnerabilities or be attacked, but the effects of a successful attack are contained to the resources (files and specific capabilities) that the profile permits.

The mediation itself takes place in the kernel, through the Linux kernel's Security Modules interface (LSM). LSM provides a set of kernel hooks that let a security module such as AppArmor make an access decision when the kernel asks for one; the query is raised whenever a request by a user-level process leads to access to a security-sensitive kernel object, such as a task descriptor or an inode. These hooks are consulted after the kernel's ordinary discretionary permission checks and can only deny, never grant, so a profile can restrict an application below what its user ID would otherwise allow but cannot extend it.

A security profile lists the capabilities an application may use and the files it may access, with wildcards supported in file names and an access mode (read, write, execute, etc.) attached to each file entry. For a parent process that executes children (Apache invoking sendmail, for example), the rule for the child program specifies how the child runs: under its own profile, inheriting the parent's profile, or unprofiled. Running a child unprofiled is the option to avoid where possible, since an attacker who can make the confined parent execute that program escapes confinement entirely. Additionally, an Apache module allows individual profiles to be assigned to interpreted scripts executed within Apache through mod_perl, mod_python and mod_php, so the scripts run under their own profiles rather than under Apache's.

The creation of security profiles is facilitated through two primary tools:

- genprof: Generates an initial base profile by automated analysis of the application, then puts the profile into a "learning mode" (complain mode) in which its rules are logged but not enforced. While in learning mode, the developer or tester makes normal use of the program to be secured, and AppArmor records an event log of every access the application needs. A "scan" step then has genprof read those events and interactively ask, event by event, how future occurrences should be handled (for example, allowing read access only to that specific file, or to a wildcard pattern matching its name).

- logprof: Like the scan step of genprof, but reads the AppArmor events already present in the system log and asks how each should be handled in future; this is the tool for refining a profile that is already deployed.
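As an added example (not code from this page or from the AppArmor project), the following Python sketch mirrors what the genprof scan step and logprof do: it parses AppArmor denial records out of an audit log, merges the requested access per path for one profile, applies the administrator's allow/glob/skip answers, and renders the result in AppArmor profile syntax, including the three child-execution policies from the previous paragraph (own profile Px, inherit ix, unconfined Ux) and the complain flag that makes a profile log instead of enforce. Assumptions: the sample records are constructed and use the key=value audit format that later AppArmor releases emit rather than the 2006 syslog wording; the profile name /usr/sbin/httpd, the paths, and the ANSWERS table that stands in for the interactive prompts are all made up for the example.

```python
"""Miniature logprof (added example): turn AppArmor denial records into profile rules."""
import re
from collections import defaultdict

# Constructed sample records (assumption: the key=value audit form that current
# AppArmor releases emit). Profile name, paths and pids are made up for the example.
SAMPLE_LOG = """\
type=AVC msg=audit(1262304000.101:11): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd" name="/var/www/html/index.html" pid=2101 comm="httpd" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.102:12): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd" name="/var/www/html/css/site.css" pid=2101 comm="httpd" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.103:13): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd" name="/var/log/httpd/access_log" pid=2101 comm="httpd" requested_mask="w" denied_mask="w" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.104:14): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd" name="/var/log/httpd/access_log" pid=2101 comm="httpd" requested_mask="a" denied_mask="a" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.105:15): apparmor="DENIED" operation="exec" profile="/usr/sbin/httpd" name="/usr/sbin/sendmail" pid=2102 comm="httpd" requested_mask="x" denied_mask="x" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.106:16): apparmor="DENIED" operation="capable" profile="/usr/sbin/httpd" pid=2101 comm="httpd" capability=10 capname="net_bind_service"
type=AVC msg=audit(1262304000.107:17): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd" name="/etc/shadow" pid=2101 comm="httpd" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1262304000.108:18): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=2200 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Canonical order of file access letters in a rule, and the three child-process
# policies: run under the child's own profile (Px), inherit the parent's (ix),
# or run unconfined (Ux). Uppercase variants scrub the environment on exec.
MODE_ORDER = "rwamkl"
EXEC_MODES = {"profile": "Px", "inherit": "ix", "unconfined": "Ux"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    return {k: (quoted if quoted else bare) for k, quoted, bare in _KV.findall(line)}


def parse_log(text):
    """Yield only DENIED records; ALLOWED/AUDIT records need no new rule."""
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") == "DENIED":
            yield rec


def collect(records, profile):
    """Merge the requested masks per path for one profile, plus its capabilities."""
    files, caps = defaultdict(set), set()
    for rec in records:
        if rec.get("profile") != profile:
            continue
        if rec.get("operation") == "capable":
            caps.add(rec["capname"])
        else:
            files[rec["name"]].update(rec["requested_mask"])
    return dict(files), caps


def build_rules(files, caps, decide, exec_policy="profile"):
    """Apply the administrator's answers. decide(path) returns the path or glob
    to allow, or None to leave the access out: a profile is default-deny, so an
    omitted path stays blocked without any explicit rule."""
    merged = defaultdict(set)
    for path, mask in files.items():
        target = decide(path)
        if target is not None:
            merged[target].update(mask)
    lines = [f"capability {c}," for c in sorted(caps)]
    for target, mask in sorted(merged.items()):
        if "w" in mask:
            mask.discard("a")  # 'w' already covers append; the two may not be combined
        mode = "".join(m for m in MODE_ORDER if m in mask)
        if "x" in mask:
            mode += EXEC_MODES[exec_policy]
        lines.append(f"{target} {mode},")
    return lines


def render_profile(name, rule_lines, complain=False):
    """Emit a profile; complain=True is the learning mode genprof uses, in which
    violations are logged but not enforced."""
    flags = " flags=(complain)" if complain else ""
    body = "\n".join(f"  {r}" for r in rule_lines)
    return (f"#include <tunables/global>\n\n{name}{flags} {{\n"
            f"  #include <abstractions/base>\n\n{body}\n}}\n")


# Stand-in for the interactive prompts: glob the document root, allow the log
# and the sendmail exec as-is, and refuse /etc/shadow.
ANSWERS = {
    "/var/www/html/index.html": "/var/www/html/**",
    "/var/www/html/css/site.css": "/var/www/html/**",
    "/etc/shadow": None,
}


def httpd_profile(complain=False):
    """Run the whole pipeline over the sample log for the (made-up) httpd profile."""
    files, caps = collect(parse_log(SAMPLE_LOG), "/usr/sbin/httpd")
    rules = build_rules(files, caps, lambda p: ANSWERS.get(p, p))
    return render_profile("/usr/sbin/httpd", rules, complain)


if __name__ == "__main__":
    print(httpd_profile())
```

The ntpd record is ignored because it belongs to a different profile, the two access_log denials collapse to a single `w` rule, and the refused /etc/shadow access simply never appears in the output, which is how the original tools handled a "deny" answer before explicit deny rules existed. The real logprof additionally offers to pull in abstraction includes and to glob paths for you; this sketch leaves those choices to the decision table.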

Other features of AppArmor include an "unconfined" tool that locates running network applications (those listening on a network port) that have no profile, and predefined default profiles for common SUSE Linux programs.

AppArmor is available now, at no charge, in Novell SUSE Linux Enterprise Server 9 SP3 and later, and as an open-source offering for developers. Paid support options are available from Novell.

product submission by EITPlanet Staff

fact sheet
ID#: 965778550
date posted: Jan. 11, 2006
category: Security Products:Security Administration Tools
platform: SUSE Linux Enterprise Server 9; openSUSE
vendor: Novell, Inc (www.novell.com/)