Does Posit Teams work with AppArmor enabled?
Yes. Posit Workbench, Connect, and Package Manager all work with the AppArmor configuration that ships with the distribution. More restrictive or custom AppArmor policies may need testing to confirm that Posit Teams remains fully functional, but at the time of writing the default policy does not restrict any Posit Teams functionality.
AppArmor is not developed by Posit and is formally outside our support SLA. That said, we hope this article points you in the right direction.
Warning Messages
On a server running Package Manager, aa-status reports:
1 processes are unconfined but have a profile defined.
/opt/rstudio-pm/bin/rstudio-pm (10821) rstudio-pm
This message does not affect Package Manager. It means that a profile for Package Manager (/etc/apparmor.d/rstudio-pm) is loaded, but the running rstudio-pm process is not confined by it. AppArmor attaches a profile when an executable starts, so a process that was already running when its profile was loaded stays unconfined until it is restarted. Effectively, Package Manager is running without AppArmor restrictions. You can ignore this message, or unload the profile so that it is no longer reported:
sudo aa-disable /etc/apparmor.d/rstudio-pm
(aa-disable is part of the apparmor-utils package, which can be installed with sudo apt install apparmor-utils. It unloads the profile and links the file into /etc/apparmor.d/disable so it is skipped on later boots.)
Creating Custom Profiles
If you wish to create a custom profile for Posit Teams, create one profile file per service in the /etc/apparmor.d directory. The services are:
- rstudio-server
- rstudio-launcher
- rstudio-pm
- rstudio-connect
By convention a profile file is named after the path of the executable it confines, with the leading slash dropped and the remaining slashes replaced by dots: usr.bin.rstudio-pm for /usr/bin/rstudio-pm, or opt.rstudio-pm.bin.rstudio-pm for /opt/rstudio-pm/bin/rstudio-pm. The file name is only a convention; what binds the profile to a program is the executable path in the profile header. Note that the shipped rstudio-pm profile described above already attaches to the Package Manager executable, so disable it before loading a custom profile for the same executable, as two loaded profiles attaching to one path conflict.
Once you have created a file for each service you wish to confine, load it with:
sudo apparmor_parser -r /etc/apparmor.d/YOUR_PROFILE
(replacing YOUR_PROFILE with the profile you wish to load). Note that apparmor_parser -r puts the profile into effect immediately, and a loaded profile is enforced unless its header carries flags=(complain).
It is a good idea to start each profile in complain mode, in which AppArmor logs every access the profile would have denied but blocks nothing, so gaps in a new profile show up in the log rather than as failures in the service:
sudo aa-complain /etc/apparmor.d/YOUR_PROFILE
(aa-complain sets the complain flag in the file and reloads the profile, so for a brand-new profile you can run it instead of apparmor_parser -r and avoid enforcing an incomplete profile even briefly.)
From there, run the service, exercise it, and review the log for AppArmor events:
sudo dmesg | grep apparmor
OR
sudo journalctl -xe | grep 'apparmor='
In complain mode the accesses the profile would have blocked are logged with apparmor="ALLOWED", not apparmor="DENIED"; DENIED entries only appear once the profile is enforcing, so grepping for DENIED alone shows nothing while the profile is in complain mode. Each entry names the operation, the profile, the path (name=) or capability (capname=), and the requested permission mask, which is exactly what you need to turn into a profile rule. If auditd is running, these events are written to /var/log/audit/audit.log instead of the kernel log.
Lastly, once the profile covers everything the service needs (exercising the service produces no new ALLOWED entries), set it back to enforce mode:
sudo aa-enforce /etc/apparmor.d/YOUR_PROFILE
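The create, complain, review, enforce cycle above as one script. This is an added example, not code from Posit or from the AppArmor project. It assumes the executable is /opt/rstudio-pm/bin/rstudio-pm, that the profile file is named after that path, and that no other profile (such as the shipped /etc/apparmor.d/rstudio-pm) is still attached to the same executable; the skeleton profile, the stage names and the sample log lines are constructed for illustration. The review stage goes beyond the plain grep on the page by grouping events by operation, target and permission mask, which is the form a profile rule needs.

```shell
#!/bin/sh
# Added example (not Posit's or AppArmor's own tooling): the
# create -> complain -> review -> enforce cycle for one custom profile.
# Assumptions: EXEC_PATH is the confined binary, PROFILE_FILE follows the
# dotted-path naming convention, and no other loaded profile attaches to
# EXEC_PATH. Stages that touch AppArmor need root and only run when a stage
# name is passed on the command line.

EXEC_PATH="${EXEC_PATH:-/opt/rstudio-pm/bin/rstudio-pm}"
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/opt.rstudio-pm.bin.rstudio-pm}"

# Print a minimal skeleton profile for the given executable. flags=(complain)
# in the header means the very first apparmor_parser -r load logs instead of
# blocking, so the service keeps working while the profile is still empty.
# Include paths are the standard Debian/Ubuntu ones; adjust for your distro.
render_skeleton_profile() {
  exec_path="$1"
  cat <<EOF
#include <tunables/global>

$exec_path flags=(complain) {
  #include <abstractions/base>

  # The confined executable itself (m: mmap as executable, r: read)
  $exec_path mr,

  # Add file, network and capability rules here as complain-mode logging reveals them.
}
EOF
}

# Summarise AppArmor audit events read on stdin (dmesg, journalctl -k or
# /var/log/audit/audit.log). Prints "count status operation profile target mask",
# most frequent first. Complain-mode would-be denials carry apparmor="ALLOWED";
# enforce-mode denials carry apparmor="DENIED". STATUS (profile load) lines are
# skipped. Capability checks have no name= field, so capname= is reported instead.
summarize_apparmor_log() {
  awk '
    /apparmor="(ALLOWED|DENIED)"/ {
      split("", f)
      line = $0
      # collect every key="value" pair on the line into f
      while (match(line, /[a-z_]+="[^"]*"/)) {
        kv = substr(line, RSTART, RLENGTH)
        eq = index(kv, "=")
        f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      target = ("name" in f) ? f["name"] : (("capname" in f) ? "cap:" f["capname"] : "-")
      mask = ("requested_mask" in f) ? f["requested_mask"] : "-"
      print f["apparmor"], f["operation"], f["profile"], target, mask
    }' | sort | uniq -c | sort -rn
}

# Constructed sample lines in the kernel audit format, for trying the summary offline.
SAMPLE_AUDIT_LOG='audit: type=1400 audit(1700000000.101:301): apparmor="ALLOWED" operation="open" profile="/opt/rstudio-pm/bin/rstudio-pm" name="/etc/rstudio-pm/rstudio-pm.gcfg" pid=10821 comm="rstudio-pm" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
audit: type=1400 audit(1700000000.102:302): apparmor="ALLOWED" operation="open" profile="/opt/rstudio-pm/bin/rstudio-pm" name="/etc/rstudio-pm/rstudio-pm.gcfg" pid=10821 comm="rstudio-pm" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
audit: type=1400 audit(1700000000.103:303): apparmor="ALLOWED" operation="mkdir" profile="/opt/rstudio-pm/bin/rstudio-pm" name="/var/lib/rstudio-pm/server/" pid=10821 comm="rstudio-pm" requested_mask="c" denied_mask="c" fsuid=999 ouid=999
audit: type=1400 audit(1700000000.104:304): apparmor="DENIED" operation="capable" profile="/opt/rstudio-pm/bin/rstudio-pm" pid=10821 comm="rstudio-pm" capability=12 capname="net_admin"
audit: type=1400 audit(1700000000.105:305): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/opt/rstudio-pm/bin/rstudio-pm" pid=10900 comm="apparmor_parser"'

case "${1:-}" in
  prepare)  # write the skeleton and load it: complain mode, nothing blocked
    render_skeleton_profile "$EXEC_PATH" | sudo tee "$PROFILE_FILE" > /dev/null
    sudo apparmor_parser -r "$PROFILE_FILE" ;;
  review)   # after exercising the service: what would have been denied?
    sudo journalctl -k --no-pager | summarize_apparmor_log ;;
  enforce)  # once review shows nothing unexpected
    sudo aa-enforce "$PROFILE_FILE" ;;
  demo)     # offline: summarise the constructed sample
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_apparmor_log ;;
esac
```

Run it as sh profile-cycle.sh prepare, exercise the service, then review, and finally enforce; demo summarises the embedded sample without touching AppArmor. Every ALLOWED line in the review output is a rule the profile lacks, written as the target path plus the permission mask; aa-logprof from apparmor-utils automates the same log-to-rule step interactively.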
Performance Bottlenecks
AppArmor is a kernel security module that checks each file, network, and capability access a confined program makes against that program's profile, and logs the accesses the profile does not permit. The per-access check is cheap, but on a busy server you may see a difference compared with a server that does not have AppArmor enabled. There are some steps that can be taken to help.
Preload profiles on boot
Ensure the apparmor service is enabled so that all profiles are loaded early in the boot process, from the compiled profile cache where one exists, before the confined services start:
sudo systemctl enable --now apparmor
Avoid repeated profile parsing
If you've changed a single AppArmor profile, reload only that profile with sudo apparmor_parser -r /etc/apparmor.d/YOUR_PROFILE rather than reloading every profile with sudo systemctl reload apparmor.
Disable unused profiles
Unload profiles for services you aren't confining:
sudo aa-disable /etc/apparmor.d/YOUR_PROFILE