CR: P16g AppArmor Deployment — Verification

Pre-Change Checklist

Status  Check
[ ]     cat /sys/kernel/security/lsm shows no apparmor in LSM stack
[ ]     aa-enabled returns "No" or command not found
[ ]     pacman -Qs apparmor shows no installed packages
[ ]     cat /proc/cmdline has no apparmor=1 or security=apparmor
[ ]     All user processes have unrestricted access to ~/.secrets/, ~/.gnupg/, ~/.age/
[ ]     Kernel has CONFIG_SECURITY_APPARMOR=y: zgrep CONFIG_SECURITY_APPARMOR /proc/config.gz

Post-Change Checklist

Status  Check
[ ]     cat /sys/kernel/security/lsm includes apparmor
[ ]     systemctl is-active apparmor returns active
[ ]     sudo aa-status | head -5 shows >0 profiles loaded
[ ]     grep apparmor /proc/cmdline shows apparmor=1
[ ]     sudo aa-status | grep -c enforce shows >0 enforce-mode profiles
[ ]     Boot parameters updated in all 3 entries (arch, fallback, LTS)
[ ]     acpi_mask_gpe=0x6E present in all 3 boot entries
[ ]     Browser profiles (Firefox, Chrome, Chromium) in enforce mode with credential store denies
[ ]     docker info | grep -i apparmor shows AppArmor listed as security option
[ ]     Applications function normally under AppArmor confinement

Verification Commands

Check               Command                            Expected
LSM stack           cat /sys/kernel/security/lsm       Includes apparmor
Service active      systemctl is-active apparmor       active
Profiles loaded     sudo aa-status | head -5           >0 profiles in enforce/complain
Boot parameter      grep apparmor /proc/cmdline        apparmor=1
Credential deny     sudo aa-status | grep -c enforce   >0 enforce-mode profiles
Docker integration  docker info | grep -i apparmor     AppArmor listed as security option
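As an added example (not part of the original checklist), a POSIX sh script that automates the post-change checks from the table above. Each check parses text passed to it, so it can be exercised against a constructed aa-status excerpt; `enforce_profile_count` reads the number out of the "N profiles are in enforce mode." summary line because `grep -c enforce` matches that line even when N is 0. Function names and the sample text are this example's own.

```shell
#!/bin/sh
# Added verification helper; not part of the original checklist.
# Each check parses the text passed as $1 so it can be exercised on
# constructed output; run_live_checks feeds it the real system state
# (run as root so aa-status can read the profile set).

# PASS if apparmor is one of the comma-separated LSMs.
lsm_has_apparmor() {
    case ",$1," in *,apparmor,*) return 0 ;; *) return 1 ;; esac
}

# PASS if the cmdline carries apparmor=1 or security=apparmor as a whole
# word, so apparmor=0 or a substring of another option does not count.
cmdline_has_apparmor() {
    for word in $1; do
        case "$word" in apparmor=1|security=apparmor) return 0 ;; esac
    done
    return 1
}

# Print N from aa-status's "N profiles are in enforce mode." line.
# `grep -c enforce` matches that line even when N is 0, so read the
# number itself instead of counting matching lines.
enforce_profile_count() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\) profiles are in enforce mode\..*/\1/p'
}

# PASS if docker info lists apparmor under "Security Options:".
docker_has_apparmor() {
    printf '%s\n' "$1" | grep -qi '^ *apparmor *$'
}

# Constructed aa-status excerpt for exercising the parser offline.
AA_STATUS_SAMPLE='apparmor module is loaded.
30 profiles are loaded.
28 profiles are in enforce mode.
   /usr/bin/firefox
2 profiles are in complain mode.'
# report NAME CMD ARGS...: print PASS/FAIL from the command's exit status.
report() { name=$1; shift; if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi; }
run_live_checks() {
    [ -r /sys/kernel/security/lsm ] && report "LSM stack includes apparmor" lsm_has_apparmor "$(cat /sys/kernel/security/lsm)"
    [ -r /proc/cmdline ] && report "apparmor=1 or security=apparmor on cmdline" cmdline_has_apparmor "$(cat /proc/cmdline)"
    command -v aa-status >/dev/null 2>&1 && n=$(enforce_profile_count "$(aa-status 2>/dev/null || true)") && report "${n:-0} enforce-mode profiles (>0)" [ "${n:-0}" -gt 0 ]
    command -v docker >/dev/null 2>&1 && report "docker info lists apparmor" docker_has_apparmor "$(docker info 2>/dev/null || true)"
    return 0
}

run_live_checks
```

Checks whose input is not available on the host (no aa-status, no docker) are skipped rather than reported as failures, so an all-PASS run still needs the remaining manual items from the checklist.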