aa-easyprof (8)
Leading comments
Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) Standard preamble: ========================================================================
NAME
aa-easyprof - AppArmor profile generation made easy.SYNOPSIS
aa-easyprof [option] <path to binary>DESCRIPTION
aa-easyprof provides an easy to use interface for AppArmor policy generation. aa-easyprof supports the use of templates and policy groups to quickly profile an application. Please note that while this tool can help with policy generation, its utility is dependent on the quality of the templates, policy groups and abstractions used. Also, this tool may create policy which is less restricted than creating policy by hand or with aa-genprof and aa-logprof.OPTIONS
aa-easyprof accepts the following arguments:- -t TEMPLATE,--template=TEMPLATE
- Specify which template to use. May specify either a system template from /usr/share/apparmor/easyprof/templates or a filename for the template to use. If not specified, use /usr/share/apparmor/easyprof/templates/default.
- -p POLICYGROUPS,--policy-groups=POLICYGROUPS
-
Specify POLICYas a comma-separated list of policy groups. See --list-templates for supported policy groups. The available policy groups are in /usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of AppArmor rules or policies. They are similar to AppArmor abstractions, but usually encompass more policy rules.
- -a ABSTRACTIONS,--abstractions=ABSTRACTIONS
-
Specify ABSTRACTIONSas a comma-separated list of AppArmor abstractions. It is usually recommended you use policy groups instead, but this is provided as a convenience. AppArmor abstractions are located in /etc/apparmor.d/abstractions. See apparmor.d(5) for details.
- -r PATH,--read-path=PATH
-
Specify a PATHto allow owner reads. May be specified multiple times. If thePATHends in a '/', thenPATHis treated as a directory and reads are allowed to all files under this directory. Can optionally use '/*' at the end of thePATHto only allow reads to files directly inPATH.
- -w PATH,--write-dir=PATH
- Like --read-path but also allow owner writes in additions to reads.
- -n NAME,--name=NAME
-
Specify NAMEof policy. If not specified,NAMEis set to the name of the binary. TheNAMEof the policy is typically only used for profile meta data and does not specify the AppArmor profile name.
- --profile-name=PROFILENAME
-
Specify the AppArmor profile name. When set, uses 'profile PROFILENAME' in the profile. When set and specifying a binary, uses 'profilePROFILENAME BINARY' in the profile. If not set, the binary will be used as the profile name and profile attachment.
- --template-var=@{VAR}=VALUE
-
Set VARtoVALUEin the resulting policy. This typically only makes sense if the specified template uses this value. May be specified multiple times.
- --list-templates
- List available templates.
- --show-template
- Display template specified with --template.
- --templates-dir=PATH
-
Use PATHinstead of system templates directory.
- --include-templates-dir=PATH
-
Include PATHwhen searching for templates in addition to the system templates directory (or the one specified with --templates-dir). System templates will match before those inPATH.
- --list-policy-groups
- List available policy groups.
- --show-policy-group
- Display policy groups specified with --policy-groups.
- --policy-groups-dir=PATH
-
Use PATHinstead of system policy-groups directory.
- --include-policy-groups-dir=PATH
-
Include PATHwhen searching for policy groups in addition to the system policy-groups directory (or the one specified with --policy-groups-dir). System policy-groups will match before those inPATH.
- --policy-version=VERSION
-
Must be used with --policy-vendor and is used to specify the version of policy
groups and templates. When specified, aa-easyprof looks for the subdirectory
VENDOR/VERSIONwithin the policy-groups and templates directory. The specified version must be a positive decimal number compatible with theJSONNumber type. Eg, when using:
$ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \ --policy-vendor="foo" \ --policy-version=1.0Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be searched for templates and /usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy groups.
- --policy-vendor=VENDOR
- Must be used with --policy-version and is used to specify the vendor for policy groups and templates. See --policy-version for more information.
- --author
- Specify author of the policy.
- --copyright
- Specify copyright of the policy.
- --comment
- Specify comment for the policy.
- -m MANIFEST,--manifest=MANIFEST
-
aa-easyprof also supports using a JSONmanifest file for specifying options related to policy. Unlike command line arguments, theJSONfile may specify multiple profiles. The structure of theJSONis:
{ "security": { "profiles": { "<profile name 1>": { ... attributes specific to this profile ... }, "<profile name 2>": { ... } } } }Each profile
JSONobject (ie, everything under a profile name) may specify any fields related to policy. The ``security''JSONcontainer object is optional and may be omitted. An example manifest file demonstrating all fields is:{ "security": { "profiles": { "com.example.foo": { "abstractions": [ "audio", "gnome" ], "author": "Your Name", "binary": "/opt/foo/**", "comment": "Unstructured single-line comment", "copyright": "Unstructured single-line copyright statement", "name": "My Foo App", "policy_groups": [ "networking", "user-application" ], "policy_vendor": "somevendor", "policy_version": 1.0, "read_path": [ "/tmp/foo_r", "/tmp/bar_r/" ], "template": "user-application", "template_variables": { "APPNAME": "foo", "VAR1": "bar", "VAR2": "baz" }, "write_path": [ "/tmp/foo_w", "/tmp/bar_w/" ] } } } }A manifest file does not have to include all the fields. Eg, a manifest file for an Ubuntu
SDKapplication might be:{ "security": { "profiles": { "com.ubuntu.developer.myusername.MyCoolApp": { "policy_groups": [ "networking", "online-accounts" ], "policy_vendor": "ubuntu", "policy_version": 1.0, "template": "ubuntu-sdk", "template_variables": { "APPNAME": "MyCoolApp", "APPVERSION": "0.1.2" } } } } } - --verify-manifest
- When used with --manifest, warn about potentially unsafe definitions in the manifest file.
- --output-format=FORMAT
-
Specify either text (default if unspecified) for AppArmor policy output or
json for JSONmanifest format.
- --output-directory=DIR
- Specify output directory for profile. If unspecified, policy is sent to stdout.
EXAMPLES
Example usage for a program named 'foo' which is installed in /opt/foo:
$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
--policy-groups=opt-application,user-application \
/opt/foo/bin/FooApp
When using a manifest file:
$ aa-easyprof --manifest=manifest.json
To output a manifest file based on aa-easyprof arguments:
$ aa-easyprof --output-format=json \
--author="Your Name" \
--comment="Unstructured single-line comment" \
--copyright="Unstructured single-line copyright statement" \
--name="My Foo App" \
--profile-name="com.example.foo" \
--template="user-application" \
--policy-groups="user-application,networking" \
--abstractions="audio,gnome" \
--read-path="/tmp/foo_r" \
--read-path="/tmp/bar_r/" \
--write-path="/tmp/foo_w" \
--write-path=/tmp/bar_w/ \
--template-var="@{APPNAME}=foo" \
--template-var="@{VAR1}=bar" \
--template-var="@{VAR2}=baz" \
"/opt/foo/**"