AppArmor is a Linux kernel security module (LSM) that provides mandatory access control.

Programs are restricted on the basis of profiles, which are traditionally stored under /etc/apparmor.d/, using filenames which correspond to the path to the binary being protected by the profile (/usr/bin/foobar → /etc/apparmor.d/usr.bin.foobar).

Profiles can be configured in different modes: enforce, disabled, or complain (log, but don't enforce).
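
The naming convention and the three modes can be checked from the files on disk. The script below is an added example, not code from this role: it assumes the usual AppArmor layout, where a disabled profile has a symlink under the profile directory's disable/ subdirectory and a complain-mode profile carries flags=(complain) in its header. The sample profiles are constructed.

```shell
#!/bin/sh
# Added example, not part of the role. Reads configured state on disk only;
# the modes actually loaded in the kernel are reported by aa-status.

# /usr/bin/foobar -> usr.bin.foobar
profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# $1 = binary path, $2 = profile directory (default /etc/apparmor.d)
# Prints: missing | disabled | complain | enforce
profile_mode() {
    dir=${2:-/etc/apparmor.d}
    name=$(profile_name "$1")
    if [ ! -f "$dir/$name" ]; then
        echo missing
    elif [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
        # Assumed layout: a symlink here makes the parser skip the profile
        echo disabled
    elif grep -v '^[[:space:]]*#' "$dir/$name" |
         grep -Eq 'flags=\([^)]*complain[^)]*\)'; then
        # Commented-out lines are ignored before looking for the flag
        echo complain
    else
        echo enforce
    fi
}

# Constructed sample tree (hypothetical profiles) so the example runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/disable"
    printf '%s\n' '# flags=(complain) dropped after testing' \
        '/usr/bin/foobar {' '  /etc/foobar.conf r,' '}' > "$d/usr.bin.foobar"
    printf '%s\n' '/usr/sbin/bazd flags=(attach_disconnected,complain) {' '}' \
        > "$d/usr.sbin.bazd"
    printf '%s\n' '/usr/bin/qux {' '}' > "$d/usr.bin.qux"
    ln -s "$d/usr.bin.qux" "$d/disable/usr.bin.qux"
    echo "$d"
}

sample=$(make_sample_dir)
for bin in /usr/bin/foobar /usr/sbin/bazd /usr/bin/qux /usr/bin/none; do
    printf '%-16s %-16s %s\n' "$bin" "$(profile_name "$bin")" \
        "$(profile_mode "$bin" "$sample")"
done
rm -rf "$sample"
```

A "missing" result means no profile file follows the naming convention for that binary; it does not prove the binary is unconfined, since a profile may be stored under a different filename.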

This role is primarily geared towards allowing other roles to perform customizations of existing profiles, and allowing administrators to selectively enable/disable profiles.