Implementing AppArmor for Enhanced Security on Armbian and Libre Computer's Le Potato SBC

Single Board Computers (SBCs) have been gaining popularity for their low power consumption and adequate performance in managing lightweight workloads. My recent experience migrating critical but lightweight workloads onto a Libre Computer Le Potato SBC has been highly positive. In this blog post, I share insights on running Armbian with AppArmor in enforced mode on this compact, stable and power-sipping board to enhance its security posture.

A great Rpi replacement!

Why Opt for Libre Computer’s Le Potato?

I have already written a more detailed article going over the reasons that led me to choose Le Potato as my go-to SBC, and they were mainly three:

  1. Low price and no supply chain issues
  2. Great, first-tier support from Armbian
  3. Same form factor as the Rpi 3B

If you want more details, head over to my previous post!

Essential Security Hardening Measures

Before diving into AppArmor, it’s worth noting other security measures that you can implement:

  • Activate unattended security updates to ensure your system is always patched.
  • Secure SSH access by disallowing root login, enforcing key-based authentication, and limiting login attempts.
  • Employ firewalld for a dynamic firewall management system.
  • Use fail2ban to prevent brute-force attacks by monitoring log files and banning suspect IP addresses.
  • Implement remote monitoring with tools like netdata.
  • Upon your initial setup, audit and disable unnecessary services to minimize the attack surface.
  • If utilizing Docker, consider running the Docker daemon in rootless mode to reduce privileges.

I have a personal preference for SELinux due to my daily use of Fedora and my deep dive into SELinux when preparing for the RHCSA certification. Nonetheless, given that Armbian is derived from Debian and comes with AppArmor out of the box, we’ll be leveraging AppArmor in this instance. Although my comfort zone lies with SELinux, AppArmor is a respectable and effective alternative for enforcing security policies, so let’s proceed with what’s readily available on our Armbian system. ;)

Focusing on AppArmor

To install AppArmor:

sudo apt install apparmor

Expect the following output during installation, showing success and completion:

[...]
Setting up apparmor (3.0.8-3) ...
Created symlink [...]
Reloading AppArmor profiles 
[...]

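Next, enable AppArmor at boot by adding the kernel arguments to /boot/armbianEnv.txt. The commands below append a new extraargs line; if the file already contains an extraargs line, add the two arguments to that line instead of appending a second one: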

sudo su
echo "extraargs=apparmor=1 security=apparmor" >> /boot/armbianEnv.txt
update-initramfs -u

The system will rebuild the initramfs, which may take a few moments. Once done, the output looks like this:

update-initramfs: Generating /boot/initrd.img-[kernel_version]-current-meson64
[...]
update-initramfs: Armbian: done.

After a system reboot, verify that AppArmor is active with:

guillaume@bastion:~$ sudo systemctl status apparmor.service
[...]
Active: active (exited) since Sat 2023-12-16 12:45:24 +08;
[...]

For Docker users, ensure that the AppArmor profile for Docker is active:

guillaume@bastion:~$ docker info
[...]
 Security Options:
  apparmor
  seccomp
[...]

Seeing apparmor listed under Security Options means that Docker is using AppArmor profiles, which adds another layer of security around your containers.
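
To go one step further than the service status and the docker info output, the following script checks that the two boot arguments reached the kernel, that the AppArmor module is enabled, and how many loaded profiles are in enforce mode. It is an added example, not part of the original post; the function names are hypothetical, the sample files in demo() are constructed, and the default paths are the standard kernel locations for AppArmor.

```shell
#!/bin/sh
# Added example (not from the original post): post-reboot AppArmor checks.
# Each function takes a file path so it can run against sample files; with
# no argument it reads the live kernel interface (the profiles file needs root).

# Succeeds if the kernel command line carries both arguments from armbianEnv.txt.
cmdline_has_apparmor() {
    cmdline=" $(cat "${1:-/proc/cmdline}") " || return 2
    case "$cmdline" in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case "$cmdline" in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# Succeeds if the AppArmor module reports "Y" (enabled).
module_enabled() {
    [ "$(cat "${1:-/sys/module/apparmor/parameters/enabled}" 2>/dev/null)" = "Y" ]
}

# Prints how many loaded profiles are in the given mode (enforce or complain).
# Lines in the profiles file look like: "docker-default (enforce)".
count_profiles() {
    awk -v m="($1)" '$NF == m { n++ } END { print n + 0 }' \
        "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Prints a one-line verdict; succeeds only if at least one profile is enforced.
apparmor_report() {
    cmdline_has_apparmor "$1" || { echo "FAIL: boot arguments missing"; return 1; }
    module_enabled "$2" || { echo "FAIL: AppArmor module not enabled"; return 1; }
    enforce=$(count_profiles enforce "$3")
    complain=$(count_profiles complain "$3")
    [ "$enforce" -gt 0 ] || { echo "WARN: no profile in enforce mode"; return 1; }
    echo "OK: enforce=$enforce complain=$complain"
}

# Offline run against constructed sample files standing in for the kernel's.
demo() {
    d=$(mktemp -d)
    echo "root=UUID=constructed console=ttyAML0 apparmor=1 security=apparmor" > "$d/cmdline"
    echo "Y" > "$d/enabled"
    printf '%s\n' "docker-default (enforce)" "/usr/bin/man (enforce)" \
        "constructed-profile (complain)" > "$d/profiles"
    apparmor_report "$d/cmdline" "$d/enabled" "$d/profiles"
    rm -rf "$d"
}

# "--live" checks this machine; anything else runs the constructed demo.
if [ "${1:-}" = "--live" ]; then apparmor_report; else demo; fi
```

Run it with --live as root on the board after the reboot; a FAIL on the boot arguments usually means the extraargs line in armbianEnv.txt was not picked up.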

Conclusion

Integrating AppArmor into SBC-hosted systems like the Libre Computer Le Potato meaningfully strengthens your security posture. By following these steps and maintaining a secure environment, you can reap the benefits of SBCs without compromising on system integrity. Remember, security is an ongoing process, not a one-time setup, so always keep your systems monitored and updated.