AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles.
It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.
AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.
Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux.
For example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS.
One important difference: SELinux identifies file system objects by inode number instead of path, whereas AppArmor profiles identify them by path.
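An added example (not part of the original text) illustrating the inode-versus-path distinction: one file is given two names through a hard link, and a toy path-glob policy and a toy inode-label policy are each asked whether it may be read. The glob rule, the label names and the file names are constructed for illustration and are not AppArmor or SELinux syntax.

```python
import fnmatch
import os
import tempfile


def path_allows(path, rules):
    """Path-based decision: match the name used to reach the file."""
    return any(fnmatch.fnmatch(path, rule) for rule in rules)


def label_allows(path, labels, allowed=frozenset({"public_t"})):
    """Label-based decision: look up the label recorded for the inode."""
    st = os.stat(path)
    return labels.get((st.st_dev, st.st_ino)) in allowed


def demo():
    """Evaluate both toy policies against one inode that has two names."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "private"))
        os.mkdir(os.path.join(root, "public"))

        secret = os.path.join(root, "private", "key.txt")
        with open(secret, "w") as f:
            f.write("constructed sample data\n")

        # Second directory entry pointing at the same inode.
        alias = os.path.join(root, "public", "key.txt")
        os.link(secret, alias)

        # Constructed policies: one glob rule, one inode -> label table.
        rules = [os.path.join(root, "public", "*")]
        st = os.stat(secret)
        labels = {(st.st_dev, st.st_ino): "private_t"}

        return {
            "same_inode": os.path.samefile(secret, alias),
            "path_secret": path_allows(secret, rules),
            "path_alias": path_allows(alias, rules),
            "label_secret": label_allows(secret, labels),
            "label_alias": label_allows(alias, labels),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path-based decision changes with the name used, while the label-based decision follows the inode; a path-based policy therefore also has to control who may create links into allowed directories.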
Isolation of processes can also be accomplished by mechanisms like virtualization; the One Laptop per Child (OLPC) project, for example, sandboxes individual applications in lightweight Vserver.
In May 2005 Novell acquired Immunix, rebranded SubDomain as AppArmor, and began cleaning up and rewriting the code for inclusion in the Linux kernel.