1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
# This publication is intellectual property of Novell Inc. and Canonical
# Ltd. Its contents can be duplicated, either in part or in whole, provided
# that a copyright label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
# shall be held liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-genprof - profile generation utility for AppArmor
=head1 SYNOPSIS
B<aa-genprof I<E<lt>executableE<gt>> [I<-d /path/to/profiles>] [I<-f /path/to/logfile>]>
=head1 OPTIONS
B<-d --dir /path/to/profiles>
Specifies where to look for the AppArmor security profile set.
Defaults to /etc/apparmor.d.
B<-f --file /path/to/logfile>
Specifies the location of logfile.
Default locations are read from F</etc/apparmor/logprof.conf>.
Typical defaults are:
/var/log/audit/audit.log
/var/log/syslog
/var/log/messages
=head1 DESCRIPTION
When running aa-genprof, you must specify a program to profile. If the
specified program is not a fully-qualified path, aa-genprof will search $PATH
in order to find the program.
If a profile does not exist for the program, aa-genprof will create one using
aa-autodep(1).
Genprof will then:
- set the profile to complain mode
- write a mark to the system log
- instruct the user to start the application to
be profiled in another window and exercise its functionality
It then presents the user with two options, (S)can system log for entries
to add to profile and (F)inish.
If the user selects (S)can or hits return, aa-genprof will parse
the complain mode logs and iterate through generated violations
using aa-logprof(1).
After the user finishes selecting profile entries based on violations
that were detected during the program execution, aa-genprof will reload
the updated profiles in complain mode and again prompt the user for (S)can and
(F)inish. This cycle can then be repeated as necessary until all application
functionality has been exercised without generating access violations.
When the user eventually hits (F)inish, aa-genprof will set the main profile,
and any other profiles that were generated, into enforce mode and exit.
=head1 BUGS
If you find any bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1),
aa_change_hat(2), aa-logprof(1), logprof.conf(5), and
L<http://wiki.apparmor.net>.
=cut
|