On Ubuntu 20.04 (apparmor 2.13.3, kernel 5.4.0-14.17-generic) without audit, it is now enforced:
$ rm -f /tmp/foo ; echo 'profile test (complain) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
ls: cannot access '/tmp/foo': No such file or directory
but with audit, they still are not:
$ rm -f /tmp/foo ; echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
/tmp/foo