CME-304

AppArmor (Enforcing Profile)

Description

Path-based mandatory access control that restricts per-application file, network, and capability access. Each application runs under a profile defining allowed operations.

CVSS Vector Impacts

| Metric | Transition | Rationale |
| --- | --- | --- |
| Scope (S) | C → U | Process confined to profile-defined resources |
| Confidentiality (C) | H → L | Cannot read files outside profile allowlist |

CWE Relationships

Verification

Check AppArmor status and profile enforcement

$ aa-status --enforced 2>/dev/null | head -5
# Expected: a non-zero count of profiles loaded in enforce mode
Platform: debian
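
A profile loaded in enforce mode does not by itself show that a given running process is confined by it. The sketch below is an added example, not part of the original entry: it classifies the per-process label the kernel exposes in /proc/<pid>/attr/current. The function names are hypothetical and the sample labels are constructed.

```shell
#!/bin/sh
# Added example: classify the AppArmor confinement of running processes.
# The kernel reports each task's label in /proc/<pid>/attr/current as
# "unconfined" or "<profile name> (<mode>)", e.g. "/usr/sbin/cupsd (enforce)".

# aa_label_mode LABEL -> prints enforce | complain | kill | unconfined | unknown
aa_label_mode() {
    case "$1" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforce ;;
        *" (complain)")  echo complain ;;
        *" (kill)")      echo kill ;;
        *)               echo unknown ;;
    esac
}

# aa_pid_mode PID -> mode of a live process; "unknown" if the label is
# unreadable (no such PID, insufficient privilege, AppArmor not enabled).
aa_pid_mode() {
    label=$(cat "/proc/$1/attr/current" 2>/dev/null) || { echo unknown; return 0; }
    aa_label_mode "$label"
}

# aa_require_enforced NAME -> 0 only if every process named NAME is in
# enforce mode; 1 if any is not; 2 if no such process is running.
aa_require_enforced() {
    pids=$(pgrep -x "$1") || { echo "$1: not running" >&2; return 2; }
    rc=0
    for pid in $pids; do
        mode=$(aa_pid_mode "$pid")
        [ "$mode" = enforce ] || { echo "$1[$pid]: $mode" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample labels (not captured from a real host).
for l in "unconfined" "/usr/sbin/cupsd (enforce)" "/usr/bin/man (complain)"; do
    printf '%-28s -> %s\n' "$l" "$(aa_label_mode "$l")"
done
```

Run aa_require_enforced as root with the name of the service the profile is meant to confine; a result of complain or unconfined means the Scope and Confidentiality reductions above do not apply to that process.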