How are AppArmor and chmod related, if at all?

Solution 1:

chmod and AppArmor are entirely different tools for entirely different purposes.

chmod is just a simple system utility used to set the access permissions for files and goes back quite some ways (I want to say decades, and likely originated in Unix). Standard Linux resource permissions apply a principle called Role Based Access Control (RBAC). Users are placed in groups, and access decisions are made using either their ownership of a resource, or their group membership (everyone is a member of the Other group). In particular, under RBAC (by itself), a user's applications all run with the same rights the user has, and there is no way to change that.

For many organizations, however, a more strict form of access control is desired. Mandatory Access Control (MAC) is different from RBAC, in that everything needs explicit permission to access all the resources it's allowed to use. This includes users and processes, such that applications do not automatically run with all the capability the user has. The AppArmor or SELinux MAC can apply policies that change the capabilities of the application to limit or perhaps even exceed the user's rights in a way that impacts only specific applications.

So chmod is a core system utility used to control RBAC, whereas MAC is an additional layer you can use to augment the security of the system by restricting apps to only what that app needs to run. RBAC is designed to balance complexity and administrator effort with the security it yields, whereas MAC is designed to allow you to make very complex policies that reflect the real needs of the users and applications, but has a much higher management/administrative cost.

Note that many systems ship AppArmor or SELinux by default, but they are rarely configured to actually do anything (there are no restrictive policies enforced). On those systems you must choose to use and configure the MAC.

Hope that helps
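
An added example, not part of the original answer: a simplified Python model of the two checks discussed above, the mode bits that chmod sets and a per-program AppArmor-style profile, applied to the same user running different programs. The profile table, paths, uids and the use of `fnmatch` as a stand-in for AppArmor globbing are assumptions made for illustration; this is not kernel or AppArmor code.

```python
from fnmatch import fnmatchcase

BITS = {"r": 4, "w": 2, "x": 1}

# Constructed, simplified profiles: executable path -> [(path glob, perms)].
# A program without a profile is unconfined; only the mode bits apply to it.
PROFILES = {
    "/usr/bin/pdf-viewer": [("/home/alice/Documents/**", "r"), ("/tmp/**", "rw")],
}

def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """Mode-bit check (what chmod sets). Exactly one triplet is chosen:
    owner, else group, else other. Root's override is not modelled."""
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (mode >> shift) & 0o7
    return all(granted & BITS[p] for p in want)

def mac_allows(exe, path, want):
    """Profile check keyed on the program, not the user. fnmatch stands in
    for AppArmor globbing; anything not listed is denied."""
    rules = PROFILES.get(exe)
    if rules is None:
        return True  # unconfined program
    allowed = set()
    for glob, perms in rules:
        if fnmatchcase(path, glob):
            allowed |= set(perms)
    return set(want) <= allowed

def access(exe, path, want, mode, file_uid=1000, file_gid=1000,
           uid=1000, gids=(1000,)):
    """Both layers must agree before the access goes ahead."""
    return (dac_allows(mode, file_uid, file_gid, uid, gids, want)
            and mac_allows(exe, path, want))

if __name__ == "__main__":
    key, doc = "/home/alice/.ssh/id_ed25519", "/home/alice/Documents/report.pdf"
    # Same user (uid 1000), same files, different programs.
    print(access("/bin/cat", key, "r", 0o600))             # True
    print(access("/usr/bin/pdf-viewer", key, "r", 0o600))  # False
    print(access("/usr/bin/pdf-viewer", doc, "r", 0o644))  # True
    print(access("/usr/bin/pdf-viewer", doc, "w", 0o644))  # False
    print(access("/usr/bin/pdf-viewer", doc, "r", 0o000))  # False
```

The second and fourth results are the point: the mode bits would let the owner through, but the confined program is held to what its profile lists.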