AppArmor

will be used in postmarketOS to sandbox applications, so they don't have more rights than necessary. Integration is in development, eventually it will be enabled by default.

As of writing, profiles are stored in the postmarketos-apparmor-profiles repository. Right now this contains all AppArmor profiles in postmarketOS, there is not yet a place to store Alpine specific AppArmor profiles (this is being discussed here).

Installation
Make sure your kernel has apparmor support enabled. Then install apparmor and the profiles:

Reboot and verify that it runs:

Modifying profiles
Profiles are stored in. See the quick guide to get an idea of how the profile language works.

After modifying a profile, reload it with:

Violations are logged to. Rules with  cause violations not to be logged (meaning you will only find the unexpected violations in the log).