# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.

# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.

# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.

# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.

aa-exec - confine a program with the specified AppArmor profile

B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]

B<aa-exec> is used to launch a program confined by the specified profile
and/or namespace. If both a profile and a namespace are specified, the command
will be confined by the profile in the new policy namespace. If only a namespace
is specified, the profile name of the current confinement will be used. If
neither a profile nor a namespace is specified, the command will be run using
standard profile attachment (i.e. as if run without the aa-exec command).

If the arguments are to be passed to the I<E<lt>commandE<gt>> being invoked
by aa-exec then -- should be used to separate aa-exec arguments from the

  aa-exec -p profile1 -- ls -l
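
To confirm that a launch like the one above really ended up under the intended profile, the following added example (not part of the AppArmor project's own code) parses the confinement label the kernel reports in /proc/self/attr/current. It assumes the profile being tested permits running cat and reading that file; the function names are hypothetical and profile1 is the placeholder name used above.

```shell
#!/bin/sh
# Added example, not from the aa-exec sources. Function names are hypothetical.
# The kernel reports confinement as "NAME (MODE)", or as the bare word
# "unconfined" when no profile applies.

# Print the profile name from a label such as "profile1 (enforce)".
# A bare label such as "unconfined" is printed unchanged.
label_profile() {
    case "$1" in
        *" ("*")") printf '%s\n' "${1% (*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Print the mode ("enforce", "complain", ...) or an empty line if none.
label_mode() {
    case "$1" in
        *" ("*")") m="${1##* (}"; printf '%s\n' "${m%)}" ;;
        *)         printf '\n' ;;
    esac
}

# check_label EXPECTED LABEL
# Succeeds only if LABEL names EXPECTED and the profile is in enforce mode.
check_label() {
    [ "$(label_profile "$2")" = "$1" ] && [ "$(label_mode "$2")" = "enforce" ]
}

# verify_confinement PROFILE
# Runs a probe command under PROFILE with aa-exec and checks its label.
# Assumption: PROFILE allows executing cat and reading /proc/self/attr/current.
# Returns 0 if confined as expected, 1 on a label mismatch (for example
# "unconfined" or complain mode), 2 if aa-exec or the probe itself failed.
verify_confinement() {
    label=$(aa-exec -p "$1" -- cat /proc/self/attr/current) || return 2
    check_label "$1" "$label"
}
```

Call it as verify_confinement profile1 before relying on the profile in a launcher script; a non-zero result means the command would not have run under enforced confinement.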

B<aa-exec> accepts the following arguments:

=item -p PROFILE, --profile=PROFILE

confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified,
use the current profile name (likely unconfined).

=item -n NAMESPACE, --namespace=NAMESPACE

use profiles in NAMESPACE. This will result in confinement transitioning
to using the new profile namespace.

=item -f FILE, --file=FILE

a file or directory containing profiles to load before confining the program.

transition to PROFILE before executing I<E<lt>commandE<gt>>. This
subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
of the current profile.

show commands being performed

show commands and error codes

Signals the end of options and disables further option processing. Any
arguments after the -- are treated as arguments of the command. This is
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by

If you find any bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.

aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
aa_change_onexec(3) and L<http://wiki.apparmor.net>.