How can I tell that apparmor is working?

To know the status of your app-armor , type this command in your terminal.

sudo apparmor_status

for example , sample output:enter image description here

To give working performance of Apparmor I think there is no Measurement tool.As I know we have to detect it by the things happening around with your PC I mean something abnormal.


To address this subquestion: How can I tell if it's working well?

Apparmor profiles are a work in progress. Consequently, the goal posts are moving. Please take a look at Poking Holes in AppArmor Profiles and the response of Canonical's Jamie Strandboge here. I hope these two links will give you an idea of the complexity of the issue.

Whether you wish to retain the subquestion as part of your question is your decision.

Apologies in advance for this "non-answer".

Edit to further illustrate why this subquestion is, to say the least, dependent on context:

Consider one of the most popular programs: Firefox. It has a profile but it is shipped in complain mode and not in enforce mode. In other words, Apparmor does nothing for Firefox out of the box. The reason is stated here, albeit briefly:

The end-user impact for users in default installations will be non-existent. The firefox package will ship in complain-mode during the development cycle and before release (or at some point in the cycle) be updated to be disabled. Users must opt-in to using the profile and therefore should know that AppArmor confinement could cause firefox to behave unexpectedly.

Next, consider what happens when an average user who just "heard" or "read" about Apparmor puts the profile in enforce mode. No doubt there's a sense of achievement.

Then, look at this bug from 2010, ignoring the rude bits. Notice the title: "firefox apparmor profile is too lenient". Read on for the rationale, in part, in Comment #4:

AppArmor can protect against many things. The firefox profile protects against execution of arbitrary code by the browser and reading/writing of files you do not own (eg /etc/passwd), reading/writing sensitive files like the user's gnome-keyring, ssh keys, gnupg keys, history files, swp, backup files, rc files and to files in the standard PATH. It also confines add-ons and extensions to the above. Firefox is integrated into the Desktop and so it must be allowed to open helper programs and access the user's data. The profile is by default general purpose with the design being:
* when enabled, it significantly improves the security of firefox as is
* it provides a starting point for people to confine firefox how they want to
* the implementation gives the user the ability to fine-tune it to be as strict as desired
Of course firefox can be locked down more to protect the user's data. We could make it so that it could only write to ~/Downloads and read from ~/Public. However, this deviates from upstream's design, would likely put Ubuntu's Mozilla branding at stake, and most importantly frustrate users. Is Ubuntu's profile a "violation of the idea of apparmor"? Of course not -- it is protecting user's from various attacks and many forms of information disclosure. It is a distribution requirement to provide a functional browser. It is a distribution choice to not break it with too-aggressive security protections. It is a user's/administrator's choice to configure the profile for her environment.

Similar arguments apply to Evince.