AA-EASYPROF

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

-t TEMPLATE, --template=TEMPLATE

Specify which template to use. May specify either a system template from /usr/share/apparmor/easyprof/templates or a filename for the template to use. If not specified, use /usr/share/apparmor/easyprof/templates/default.

-p POLICYGROUPS, --policy-groups=POLICYGROUPS

Specify POLICY as a comma-separated list of policy groups. See --list-templates for supported policy groups. The available policy groups are in /usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of AppArmor rules or policies. They are similar to AppArmor abstractions, but usually encompass more policy rules.

-a ABSTRACTIONS, --abstractions=ABSTRACTIONS

Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is usually recommended you use policy groups instead, but this is provided as a convenience. AppArmor abstractions are located in /etc/apparmor.d/abstractions. See apparmor.d(5) for details.

-r PATH, --read-path=PATH

Specify a PATH to allow owner reads. May be specified multiple times. If the PATH ends in a '/', then PATH is treated as a directory and reads are allowed to all files under this directory. Can optionally use '/*' at the end of the PATH to only allow reads to files directly in PATH.

-w PATH, --write-dir=PATH

Like --read-path but also allow owner writes in additions to reads.

-n NAME, --name=NAME

Specify NAME of policy. If not specified, NAME is set to the name of the binary. The NAME of the policy is typically only used for profile meta data and does not specify the AppArmor profile name.

--profile-name=PROFILENAME

Specify the AppArmor profile name. When set, uses 'profile PROFILENAME' in the profile. When set and specifying a binary, uses 'profile PROFILENAME BINARY' in the profile. If not set, the binary will be used as the profile name and profile attachment.

--template-var="@{VAR}=VALUE"

Set VAR to VALUE in the resulting policy. This typically only makes sense if the specified template uses this value. May be specified multiple times.

--list-templates

List available templates.

--show-template

Display template specified with --template.

--templates-dir=PATH

Use PATH instead of system templates directory.

--include-templates-dir=PATH

Include PATH when searching for templates in addition to the system templates directory (or the one specified with --templates-dir). System templates will match before those in PATH.

--list-policy-groups

List available policy groups.

--show-policy-group

Display policy groups specified with --policy-groups.

--policy-groups-dir=PATH

Use PATH instead of system policy-groups directory.

--include-policy-groups-dir=PATH

Include PATH when searching for policy groups in addition to the system policy-groups directory (or the one specified with --policy-groups-dir). System policy-groups will match before those in PATH.

--policy-version=VERSION

Must be used with --policy-vendor and is used to specify the version of policy groups and templates. When specified, aa-easyprof looks for the subdirectory VENDOR/VERSION within the policy-groups and templates directory. The specified version must be a positive decimal number compatible with the JSON Number type. Eg, when using:

    $ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
                  --policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
                  --policy-vendor="foo" \
                  --policy-version=1.0

Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be searched for templates and /usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy groups.

--policy-vendor=VENDOR

Must be used with --policy-version and is used to specify the vendor for policy groups and templates. See --policy-version for more information.

--author

Specify author of the policy.

--copyright

Specify copyright of the policy.

--comment

Specify comment for the policy.

-m MANIFEST, --manifest=MANIFEST

aa-easyprof also supports using a JSON manifest file for specifying options related to policy. Unlike command line arguments, the JSON file may specify multiple profiles. The structure of the JSON is:

  {
    "security": {
      "profiles": {
        "<profile name 1>": {
          ... attributes specific to this profile ...
        },
        "<profile name 2>": {
          ...
        }
      }
    }
  }

Each profile JSON object (ie, everything under a profile name) may specify any fields related to policy. The ``security'' JSON container object is optional and may be omitted. An example manifest file demonstrating all fields is:

  {
    "security": {
      "profiles": {
        "com.example.foo": {
          "abstractions": [
            "audio",
            "gnome"
          ],
          "author": "Your Name",
          "binary": "/opt/foo/**",
          "comment": "Unstructured single-line comment",
          "copyright": "Unstructured single-line copyright statement",
          "name": "My Foo App",
          "policy_groups": [
            "networking",
            "user-application"
          ],
          "policy_vendor": "somevendor",
          "policy_version": 1.0,
          "read_path": [
            "/tmp/foo_r",
            "/tmp/bar_r/"
          ],
          "template": "user-application",
          "template_variables": {
            "APPNAME": "foo",
            "VAR1": "bar",
            "VAR2": "baz"
          },
          "write_path": [
            "/tmp/foo_w",
            "/tmp/bar_w/"
          ]
        }
      }
    }
  }

A manifest file does not have to include all the fields. Eg, a manifest file for an Ubuntu SDK application might be:

  {
    "security": {
      "profiles": {
        "com.ubuntu.developer.myusername.MyCoolApp": {
          "policy_groups": [
            "networking",
            "online-accounts"
          ],
          "policy_vendor": "ubuntu",
          "policy_version": 1.0,
          "template": "ubuntu-sdk",
          "template_variables": {
            "APPNAME": "MyCoolApp",
            "APPVERSION": "0.1.2"
          }
        }
      }
    }
  }

--verify-manifest

When used with --manifest, warn about potentially unsafe definitions in the manifest file.

--output-format=FORMAT

Specify either text (default if unspecified) for AppArmor policy output or json for JSON manifest format.

--output-directory=DIR

Specify output directory for profile. If unspecified, policy is sent to stdout.

EXAMPLES

    $ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
                  --policy-groups=opt-application,user-application \
                  /opt/foo/bin/FooApp

When using a manifest file:

    $ aa-easyprof --manifest=manifest.json

To output a manifest file based on aa-easyprof arguments:

    $ aa-easyprof --output-format=json \
                  --author="Your Name" \
                  --comment="Unstructured single-line comment" \
                  --copyright="Unstructured single-line copyright statement" \
                  --name="My Foo App" \
                  --profile-name="com.example.foo" \
                  --template="user-application" \
                  --policy-groups="user-application,networking" \
                  --abstractions="audio,gnome" \
                  --read-path="/tmp/foo_r" \
                  --read-path="/tmp/bar_r/" \
                  --write-path="/tmp/foo_w" \
                  --write-path=/tmp/bar_w/ \
                  --template-var="@{APPNAME}=foo" \
                  --template-var="@{VAR1}=bar" \
                  --template-var="@{VAR2}=baz" \
                  "/opt/foo/**"

BUGS

SEE ALSO

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

EXAMPLES

BUGS

SEE ALSO