Generate AppArmor profiles by monitoring program behavior
Start generating a profile for a program
sudo aa-genprof [/path/to/program]
Specify a custom directory for profiles
sudo aa-genprof -d [/path/to/profiles] [/path/to/program]
Specify a custom logfile for profiling
sudo aa-genprof -f [/path/to/logfile] [/path/to/program]
aa-genprof executable [-d /path/to/profiles] [-f /path/to/logfile]
aa-genprof is a profile generation utility for AppArmor that automates the creation of security profiles by monitoring program behavior. If no profile exists, it creates one using aa-autodep. It then sets the profile to complain mode, writes a mark to the system log, and instructs the user to exercise the application in another window.
When the user selects (S)can, aa-genprof parses complain mode logs and iterates through violations using aa-logprof. When (F)inish is selected, all generated profiles are set to enforce mode.
-d, --dir /path/to/profiles
Specifies where to look for the AppArmor security profile set; defaults to /etc/apparmor.d
-f, --file /path/to/logfile
Specifies the location of the logfile; default locations are read from /etc/apparmor/logprof.conf
-h, --help
Display help information
/etc/apparmor/logprof.conf
Controls default logfile location, repository settings, and other options used during profile generation.
Profile generation requires running the target application through all its normal operations to capture the necessary access patterns. Incomplete testing may result in profiles that block legitimate functionality. Requires root privileges.
Part of the apparmor-utils package for managing application security profiles on Linux systems.
aa-logprof(8), aa-enforce(8), aa-complain(8), aa-disable(8), aa-mergeprof(8), aa-status(8), aa-unconfined(8), apparmor(7)