#include <sys/apparmor.h>

       int aa_change_profile(const char *profile);

       int aa_change_onexec(const char *profile);

       Link with -lapparmor when compiling.

       An AppArmor profile applies to an executable program; if a portion of
       the program needs different access permissions than other portions, the
       program can "change profile" to a different profile. To change into a
       new profile, it can use the aa_change_profile() function to do so. It
       passes in a pointer to the profile to transition to. Transitioning to
       another profile via aa_change_profile() is permanent and the process is
       not permitted to transition back to the original profile. Confined
       programs wanting to use aa_change_profile() need to have rules
       permitting changing to the named profile. See apparmor.d(8) for

       If a program wants to return out of the current profile to the original
       profile, it should use aa_change_hat(2) instead.

       Open file descriptors are not remediated after a call to
       aa_change_profile() so the calling program must close(2) open file
       descriptors to ensure they are not available after calling
       aa_change_profile(). As aa_change_profile() is typically used just
       before execve(2), you may want to use open(2) or fcntl(2) with close-

       The aa_change_onexec() function is like the aa_change_profile()
       function except it specifies that the profile transition should take
       place on the next exec instead of immediately.  The delayed profile
       change takes precedence over any exec transition rules within the
       confining profile.  Delaying the profile boundary has a couple of
       advantages, it removes the need for stub transition profiles and the
       exec boundary is a natural security layer where potentially sensitive
       memory is unmapped.

       On success zero is returned. On error, -1 is returned, and errno(3) is
       set appropriately.

           The apparmor kernel module is not loaded or the communication via
           the /proc/*/attr/current file did not conform to protocol.

           Insufficient kernel memory was available.

        #include <string.h>
        #include <sys/apparmor.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <fcntl.h>
        #include <stdio.h>
        #include <unistd.h>

        int main(int argc, char * argv[])
                int fd;
                char buf[10];
                char *execve_args[4];

                printf("Before aa_change_profile():\n");
                if ((fd=open("/etc/passwd", O_RDONLY)) < 0) {
                       perror("Failure opening /etc/passwd");
                       return 1;

                /* Confirm for ourselves that we can really read /etc/passwd */
                memset(&buf, 0, 10);
                if (read(fd, &buf, 10) == -1) {
                        perror("Failure reading /etc/passwd");
                        return 1;
                buf[9] = '\0';
                printf("/etc/passwd: %s\n", buf);

                printf("After aa_change_profile():\n");

                /* change profile to the "i_cant_be_trusted_anymore" profile, which
                 * should not have read access to /etc/passwd. */
                if (aa_change_profile("i_cant_be_trusted_anymore") < 0) {
                    perror("Failure changing profile -- aborting");

                /* confirm that we cannot read /etc/passwd */
                execve_args[0] = "/usr/bin/head";
                execve_args[1] = "-1";
                execve_args[2] = "/etc/passwd";
                execve_args[3] = NULL;
                execve("/usr/bin/head", execve_args, NULL);

       This code example requires a profile similar to the following to be
       loaded with apparmor_parser(8):

        profile i_cant_be_trusted_anymore {
            /etc/ld.so.cache      mr,

        /usr/bin/head: cannot open `/etc/passwd' for reading: Permission denied

       If /tmp/change_p is to be confined as well, then the following profile
       can be used (in addition to the one for 'i_cant_be_trusted_anymore',

        # Confine change_p to be able to read /etc/passwd and aa_change_profile()
        # to the 'i_cant_be_trusted_anymore' profile.
        /tmp/change_p {
            /etc/ld.so.cache          mr,
            /lib/ld-*.so*             mrix,
            /lib/libc*.so*            mr,

            /etc/passwd               r,

            # Needed for aa_change_profile()
            /usr/lib/libapparmor*.so* mr,
            /proc/[0-9]*/attr/current w,
            change_profile -> i_cant_be_trusted_anymore,

       None known. If you find any, please report them at
       <http://https://bugs.launchpad.net/apparmor/+filebug>. Note that using
       aa_change_profile(2) without execve(2) provides no memory barriers
       between different areas of a program; if address space separation is
       required, then separate processes should be used.

       apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and

AppArmor 2.7.102                  2012-02-16              AA_CHANGE_PROFILE(2)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2017 Hurricane Electric. All Rights Reserved.