aa-easyprof
AA-EASYPROF(8) AppArmor AA-EASYPROF(8)
NAME
aa-easyprof - AppArmor profile generation made easy.
SYNOPSIS
aa-easyprof [option] <path to binary>
DESCRIPTION
aa-easyprof provides an easy to use interface for AppArmor policy
generation. aa-easyprof supports the use of templates and policy groups
to quickly profile an application. Please note that while this tool can
help with policy generation, its utility is dependent on the quality of
the templates, policy groups and abstractions used. Also, this tool may
create policy which is less restricted than creating policy by hand or
with aa-genprof and aa-logprof.
OPTIONS
aa-easyprof accepts the following arguments:
-t TEMPLATE, --template=TEMPLATE
Specify which template to use. May specify either a system template
from /usr/share/apparmor/easyprof/templates or a filename for the
template to use. If not specified, use
/usr/share/apparmor/easyprof/templates/default.
-p POLICYGROUPS, --policy-groups=POLICYGROUPS
Specify POLICY as a comma-separated list of policy groups. See
--list-templates for supported policy groups. The available policy
groups are in /usr/share/apparmor/easyprof/policy. Policy groups
are simply groupings of AppArmor rules or policies. They are
similar to AppArmor abstractions, but usually encompass more policy
rules.
--parser PATH
Specify the PATH of the apparmor_parser binary to use when
verifying policy. If this option is not specified, aa-easyprof will
attempt to locate the path starting with /sbin/apparmor_parser.
-a ABSTRACTIONS, --abstractions=ABSTRACTIONS
Specify ABSTRACTIONS as a comma-separated list of AppArmor
abstractions. It is usually recommended you use policy groups
instead, but this is provided as a convenience. AppArmor
abstractions are located in /etc/apparmor.d/abstractions. See
apparmor.d(5) for details.
-b PATH, --base=PATH
Set the base PATH for resolving abstractions specified by
--abstractions. See the same option in apparmor_parser(8) for
details.
-I PATH, --Include=PATH
Add PATH to the search paths used for resolving abstractions
specified by --abstractions. See the same option in
apparmor_parser(8) for details.
-r PATH, --read-path=PATH
Specify a PATH to allow owner reads. May be specified multiple
times. If the PATH ends in a '/', then PATH is treated as a
directory and reads are allowed to all files under this directory.
Can optionally use '/*' at the end of the PATH to only allow reads
to files directly in PATH.
-w PATH, --write-dir=PATH
Like --read-path but also allow owner writes in additions to reads.
-n NAME, --name=NAME
Specify NAME of policy. If not specified, NAME is set to the name
of the binary. The NAME of the policy is typically only used for
profile meta data and does not specify the AppArmor profile name.
--profile-name=PROFILENAME
Specify the AppArmor profile name. When set, uses 'profile
PROFILENAME' in the profile. When set and specifying a binary, uses
'profile PROFILENAME BINARY' in the profile. If not set, the binary
will be used as the profile name and profile attachment.
--template-var="@{VAR}=VALUE"
Set VAR to VALUE in the resulting policy. This typically only makes
sense if the specified template uses this value. May be specified
multiple times.
--list-templates
List available templates.
--show-template
Display template specified with --template.
--templates-dir=PATH
Use PATH instead of system templates directory.
--include-templates-dir=PATH
Include PATH when searching for templates in addition to the system
templates directory (or the one specified with --templates-dir).
System templates will match before those in PATH.
--list-policy-groups
List available policy groups.
--show-policy-group
Display policy groups specified with --policy-groups.
--policy-groups-dir=PATH
Use PATH instead of system policy-groups directory.
--include-policy-groups-dir=PATH
Include PATH when searching for policy groups in addition to the
system policy-groups directory (or the one specified with
--policy-groups-dir). System policy-groups will match before those
in PATH.
--policy-version=VERSION
Must be used with --policy-vendor and is used to specify the
version of policy groups and templates. When specified, aa-easyprof
looks for the subdirectory VENDOR/VERSION within the policy-groups
and templates directory. The specified version must be a positive
decimal number compatible with the JSON Number type. Eg, when
using:
$ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
--policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
--policy-vendor="foo" \
--policy-version=1.0
Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be
searched for templates and
/usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy
groups.
--policy-vendor=VENDOR
Must be used with --policy-version and is used to specify the
vendor for policy groups and templates. See --policy-version for
more information.
--author
Specify author of the policy.
--copyright
Specify copyright of the policy.
--comment
Specify comment for the policy.
-m MANIFEST, --manifest=MANIFEST
aa-easyprof also supports using a JSON manifest file for specifying
options related to policy. Unlike command line arguments, the JSON
file may specify multiple profiles. The structure of the JSON is:
{
"security": {
"profiles": {
"<profile name 1>": {
... attributes specific to this profile ...
},
"<profile name 2>": {
...
}
}
}
}
Each profile JSON object (ie, everything under a profile name) may
specify any fields related to policy. The "security" JSON container
object is optional and may be omitted. An example manifest file
demonstrating all fields is:
{
"security": {
"profiles": {
"com.example.foo": {
"abstractions": [
"audio",
"gnome"
],
"author": "Your Name",
"binary": "/opt/foo/**",
"comment": "Unstructured single-line comment",
"copyright": "Unstructured single-line copyright statement",
"name": "My Foo App",
"policy_groups": [
"networking",
"user-application"
],
"policy_vendor": "somevendor",
"policy_version": 1.0,
"read_path": [
"/tmp/foo_r",
"/tmp/bar_r/"
],
"template": "user-application",
"template_variables": {
"APPNAME": "foo",
"VAR1": "bar",
"VAR2": "baz"
},
"write_path": [
"/tmp/foo_w",
"/tmp/bar_w/"
]
}
}
}
}
A manifest file does not have to include all the fields. Eg, a
manifest file for an Ubuntu SDK application might be:
{
"security": {
"profiles": {
"com.ubuntu.developer.myusername.MyCoolApp": {
"policy_groups": [
"networking",
"online-accounts"
],
"policy_vendor": "ubuntu",
"policy_version": 1.0,
"template": "ubuntu-sdk",
"template_variables": {
"APPNAME": "MyCoolApp",
"APPVERSION": "0.1.2"
}
}
}
}
}
--verify-manifest
When used with --manifest, warn about potentially unsafe
definitions in the manifest file.
--output-format=FORMAT
Specify either text (default if unspecified) for AppArmor policy
output or json for JSON manifest format.
--output-directory=DIR
Specify output directory for profile. If unspecified, policy is
sent to stdout.
EXAMPLES
Example usage for a program named 'foo' which is installed in /opt/foo:
$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
--policy-groups=opt-application,user-application \
/opt/foo/bin/FooApp
When using a manifest file:
$ aa-easyprof --manifest=manifest.json
To output a manifest file based on aa-easyprof arguments:
$ aa-easyprof --output-format=json \
--author="Your Name" \
--comment="Unstructured single-line comment" \
--copyright="Unstructured single-line copyright statement" \
--name="My Foo App" \
--profile-name="com.example.foo" \
--template="user-application" \
--policy-groups="user-application,networking" \
--abstractions="audio,gnome" \
--read-path="/tmp/foo_r" \
--read-path="/tmp/bar_r/" \
--write-path="/tmp/foo_w" \
--write-path=/tmp/bar_w/ \
--template-var="@{APPNAME}=foo" \
--template-var="@{VAR1}=bar" \
--template-var="@{VAR2}=baz" \
"/opt/foo/**"
BUGS
If you find any additional bugs, please report them to GitLab at
<https://gitlab.com/apparmor/apparmor/-/issues>.
SEE ALSO
apparmor(7) apparmor.d(5)
AppArmor 3.0.4 2024-03-06 AA-EASYPROF(8)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2025
Hurricane Electric.
All Rights Reserved.