Hardening HestiaCP with AppArmor

AppArmor is the default Mandatory Access Control module on Ubuntu, Debian, SuSE and other Linux distributions. Thanks to it, you can limit the filesystem access of a process. AppArmor is enabled by default in all Ubuntu versions and in Debian 10.

Currently HestiaCP simply adds an AppArmor one-liner for Bind9, but it would be a good idea to expand its use, e.g. to PHP-FPM and Exim4.

Below are some articles about using AppArmor:



There is a bug/regression in the Debian10 init scripts which prevents the loading of AppArmor inside containers (whereas on Debian9 CTs it loads correctly). It has prevented me from testing AppArmor for HestiaCP.

I’ve contacted the Debian AppArmor maintainers and they will look at it … eventually. Alternatively, I’ll setup another CT with Ubuntu 18.04 or 20.04.