aa-easyprof - AppArmor profile generation made easy.
aa-easyprof [option] <path to binary>
aa-easyprof provides an easy to use interface for AppArmor
policy generation. aa-easyprof supports the use of templates and
policy groups to quickly profile an application. Please note that while this
tool can help with policy generation, its utility is dependent on the
quality of the templates, policy groups and abstractions used. Also, this
tool may create policy which is less restricted than creating policy by hand
or with aa-genprof and aa-logprof.
aa-easyprof accepts the following arguments:
- -t TEMPLATE,
--template=TEMPLATE
- Specify which template to use. May specify either a system template from
/usr/share/apparmor/easyprof/templates or a filename for the template to
use. If not specified, use
/usr/share/apparmor/easyprof/templates/default.
- -p POLICYGROUPS,
--policy-groups=POLICYGROUPS
- Specify POLICY as a comma-separated list of policy groups. See
--list-templates for supported policy groups. The available policy groups
are in /usr/share/apparmor/easyprof/policy. Policy groups are simply
groupings of AppArmor rules or policies. They are similar to AppArmor
abstractions, but usually encompass more policy rules.
- --parser PATH
- Specify the PATH of the apparmor_parser binary to use when verifying
policy. If this option is not specified, aa-easyprof will attempt to
locate the path starting with /sbin/apparmor_parser.
- -a ABSTRACTIONS,
--abstractions=ABSTRACTIONS
- Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions.
It is usually recommended you use policy groups instead, but this is
provided as a convenience. AppArmor abstractions are located in
/etc/apparmor.d/abstractions. See apparmor.d(5) for details.
- -b PATH, --base=PATH
- Set the base PATH for resolving abstractions specified by --abstractions.
See the same option in apparmor_parser(8) for details.
- -I PATH, --Include=PATH
- Add PATH to the search paths used for resolving abstractions specified by
--abstractions. See the same option in apparmor_parser(8) for
details.
- -r PATH, --read-path=PATH
- Specify a PATH to allow owner reads. May be specified multiple times. If
the PATH ends in a '/', then PATH is treated as a directory and reads are
allowed to all files under this directory. Can optionally use '/*' at the
end of the PATH to only allow reads to files directly in PATH.
- -w PATH, --write-dir=PATH
- Like --read-path but also allow owner writes in additions to reads.
- -n NAME, --name=NAME
- Specify NAME of policy. If not specified, NAME is set to the name of the
binary. The NAME of the policy is typically only used for profile meta
data and does not specify the AppArmor profile name.
- --profile-name=PROFILENAME
- Specify the AppArmor profile name. When set, uses 'profile PROFILENAME' in
the profile. When set and specifying a binary, uses 'profile PROFILENAME
BINARY' in the profile. If not set, the binary will be used as the profile
name and profile attachment.
- --template-var="@{VAR}=VALUE"
- Set VAR to VALUE in the resulting policy. This typically only makes sense
if the specified template uses this value. May be specified multiple
times.
- --list-templates
- List available templates.
- --show-template
- Display template specified with --template.
- --templates-dir=PATH
- Use PATH instead of system templates directory.
- --include-templates-dir=PATH
- Include PATH when searching for templates in addition to the system
templates directory (or the one specified with --templates-dir). System
templates will match before those in PATH.
- --list-policy-groups
- List available policy groups.
- --show-policy-group
- Display policy groups specified with --policy-groups.
- --policy-groups-dir=PATH
- Use PATH instead of system policy-groups directory.
- --include-policy-groups-dir=PATH
- Include PATH when searching for policy groups in addition to the system
policy-groups directory (or the one specified with --policy-groups-dir).
System policy-groups will match before those in PATH.
- --policy-version=VERSION
- Must be used with --policy-vendor and is used to specify the version of
policy groups and templates. When specified, aa-easyprof looks for
the subdirectory VENDOR/VERSION within the policy-groups and templates
directory. The specified version must be a positive decimal number
compatible with the JSON Number type. Eg, when using:
$ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
--policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
--policy-vendor="foo" \
--policy-version=1.0
Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be
searched for templates and
/usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy groups.
- --policy-vendor=VENDOR
- Must be used with --policy-version and is used to specify the vendor for
policy groups and templates. See --policy-version for more
information.
- --author
- Specify author of the policy.
- --copyright
- Specify copyright of the policy.
- Specify comment for the policy.
- -m MANIFEST,
--manifest=MANIFEST
- aa-easyprof also supports using a JSON manifest file for specifying
options related to policy. Unlike command line arguments, the JSON file
may specify multiple profiles. The structure of the JSON is:
{
"security": {
"profiles": {
"<profile name 1>": {
... attributes specific to this profile ...
},
"<profile name 2>": {
...
}
}
}
}
Each profile JSON object (ie, everything under a profile name)
may specify any fields related to policy. The "security" JSON
container object is optional and may be omitted. An example manifest
file demonstrating all fields is:
{
"security": {
"profiles": {
"com.example.foo": {
"abstractions": [
"audio",
"gnome"
],
"author": "Your Name",
"binary": "/opt/foo/**",
"comment": "Unstructured single-line comment",
"copyright": "Unstructured single-line copyright statement",
"name": "My Foo App",
"policy_groups": [
"networking",
"user-application"
],
"policy_vendor": "somevendor",
"policy_version": 1.0,
"read_path": [
"/tmp/foo_r",
"/tmp/bar_r/"
],
"template": "user-application",
"template_variables": {
"APPNAME": "foo",
"VAR1": "bar",
"VAR2": "baz"
},
"write_path": [
"/tmp/foo_w",
"/tmp/bar_w/"
]
}
}
}
}
A manifest file does not have to include all the fields. Eg, a
manifest file for an Ubuntu SDK application might be:
{
"security": {
"profiles": {
"com.ubuntu.developer.myusername.MyCoolApp": {
"policy_groups": [
"networking",
"online-accounts"
],
"policy_vendor": "ubuntu",
"policy_version": 1.0,
"template": "ubuntu-sdk",
"template_variables": {
"APPNAME": "MyCoolApp",
"APPVERSION": "0.1.2"
}
}
}
}
}
- --verify-manifest
- When used with --manifest, warn about potentially unsafe definitions in
the manifest file.
- --output-format=FORMAT
- Specify either text (default if unspecified) for AppArmor policy
output or json for JSON manifest format.
- --output-directory=DIR
- Specify output directory for profile. If unspecified, policy is sent to
stdout.
Example usage for a program named 'foo' which is installed in
/opt/foo:
$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
--policy-groups=opt-application,user-application \
/opt/foo/bin/FooApp
When using a manifest file:
$ aa-easyprof --manifest=manifest.json
To output a manifest file based on aa-easyprof arguments:
$ aa-easyprof --output-format=json \
--author="Your Name" \
--comment="Unstructured single-line comment" \
--copyright="Unstructured single-line copyright statement" \
--name="My Foo App" \
--profile-name="com.example.foo" \
--template="user-application" \
--policy-groups="user-application,networking" \
--abstractions="audio,gnome" \
--read-path="/tmp/foo_r" \
--read-path="/tmp/bar_r/" \
--write-path="/tmp/foo_w" \
--write-path=/tmp/bar_w/ \
--template-var="@{APPNAME}=foo" \
--template-var="@{VAR1}=bar" \
--template-var="@{VAR2}=baz" \
"/opt/foo/**"
If you find any additional bugs, please report them to Launchpad
at <https://bugs.launchpad.net/apparmor/+filebug>.