aa-easyprof(8)


NAME

   aa-easyprof - AppArmor profile generation made easy.

SYNOPSIS

   aa-easyprof [option] <path to binary>

DESCRIPTION

   aa-easyprof provides an easy to use interface for AppArmor policy
   generation. aa-easyprof supports the use of templates and policy groups
   to quickly profile an application. Please note that while this tool can
   help with policy generation, its utility is dependent on the quality of
   the templates, policy groups and abstractions used. Also, this tool may
   create policy which is less restricted than creating policy by hand or
   with aa-genprof and aa-logprof.

OPTIONS

   aa-easyprof accepts the following arguments:

   -t TEMPLATE, --template=TEMPLATE
       Specify which template to use. May specify either a system template
       from /usr/share/apparmor/easyprof/templates or a filename for the
       template to use. If not specified, use
       /usr/share/apparmor/easyprof/templates/default.

   -p POLICYGROUPS, --policy-groups=POLICYGROUPS
       Specify POLICY as a comma-separated list of policy groups. See
       --list-templates for supported policy groups. The available policy
       groups are in /usr/share/apparmor/easyprof/policy. Policy groups
       are simply groupings of AppArmor rules or policies. They are
       similar to AppArmor abstractions, but usually encompass more policy
       rules.

   -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
       Specify ABSTRACTIONS as a comma-separated list of AppArmor
       abstractions. It is usually recommended you use policy groups
       instead, but this is provided as a convenience. AppArmor
       abstractions are located in /etc/apparmor.d/abstractions.  See
       apparmor.d(5) for details.

   -r PATH, --read-path=PATH
       Specify a PATH to allow owner reads. May be specified multiple
       times. If the PATH ends in a '/', then PATH is treated as a
       directory and reads are allowed to all files under this directory.
       Can optionally use '/*' at the end of the PATH to only allow reads
       to files directly in PATH.

   -w PATH, --write-dir=PATH
       Like --read-path but also allow owner writes in additions to reads.

   -n NAME, --name=NAME
       Specify NAME of policy. If not specified, NAME is set to the name
       of the binary. The NAME of the policy is typically only used for
       profile meta data and does not specify the AppArmor profile name.

   --profile-name=PROFILENAME
       Specify the AppArmor profile name. When set, uses 'profile
       PROFILENAME' in the profile. When set and specifying a binary, uses
       'profile PROFILENAME BINARY' in the profile. If not set, the binary
       will be used as the profile name and profile attachment.

   --template-var="@{VAR}=VALUE"
       Set VAR to VALUE in the resulting policy. This typically only makes
       sense if the specified template uses this value. May be specified
       multiple times.

   --list-templates
       List available templates.

   --show-template
       Display template specified with --template.

   --templates-dir=PATH
       Use PATH instead of system templates directory.

   --include-templates-dir=PATH
       Include PATH when searching for templates in addition to the system
       templates directory (or the one specified with --templates-dir).
       System templates will match before those in PATH.

   --list-policy-groups
       List available policy groups.

   --show-policy-group
       Display policy groups specified with --policy-groups.

   --policy-groups-dir=PATH
       Use PATH instead of system policy-groups directory.

   --include-policy-groups-dir=PATH
       Include PATH when searching for policy groups in addition to the
       system policy-groups directory (or the one specified with
       --policy-groups-dir). System policy-groups will match before those
       in PATH.

   --policy-version=VERSION
       Must be used with --policy-vendor and is used to specify the
       version of policy groups and templates. When specified, aa-easyprof
       looks for the subdirectory VENDOR/VERSION within the policy-groups
       and templates directory. The specified version must be a positive
       decimal number compatible with the JSON Number type.  Eg, when
       using:

           $ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
                         --policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
                         --policy-vendor="foo" \
                         --policy-version=1.0

       Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be
       searched for templates and
       /usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy
       groups.

   --policy-vendor=VENDOR
       Must be used with --policy-version and is used to specify the
       vendor for policy groups and templates. See --policy-version for
       more information.

   --author
       Specify author of the policy.

   --copyright
       Specify copyright of the policy.

   --comment
       Specify comment for the policy.

   -m MANIFEST, --manifest=MANIFEST
       aa-easyprof also supports using a JSON manifest file for specifying
       options related to policy. Unlike command line arguments, the JSON
       file may specify multiple profiles. The structure of the JSON is:

         {
           "security": {
             "profiles": {
               "<profile name 1>": {
                 ... attributes specific to this profile ...
               },
               "<profile name 2>": {
                 ...
               }
             }
           }
         }

       Each profile JSON object (ie, everything under a profile name) may
       specify any fields related to policy. The "security" JSON container
       object is optional and may be omitted. An example manifest file
       demonstrating all fields is:

         {
           "security": {
             "profiles": {
               "com.example.foo": {
                 "abstractions": [
                   "audio",
                   "gnome"
                 ],
                 "author": "Your Name",
                 "binary": "/opt/foo/**",
                 "comment": "Unstructured single-line comment",
                 "copyright": "Unstructured single-line copyright statement",
                 "name": "My Foo App",
                 "policy_groups": [
                   "networking",
                   "user-application"
                 ],
                 "policy_vendor": "somevendor",
                 "policy_version": 1.0,
                 "read_path": [
                   "/tmp/foo_r",
                   "/tmp/bar_r/"
                 ],
                 "template": "user-application",
                 "template_variables": {
                   "APPNAME": "foo",
                   "VAR1": "bar",
                   "VAR2": "baz"
                 },
                 "write_path": [
                   "/tmp/foo_w",
                   "/tmp/bar_w/"
                 ]
               }
             }
           }
         }

       A manifest file does not have to include all the fields. Eg, a
       manifest file for an Ubuntu SDK application might be:

         {
           "security": {
             "profiles": {
               "com.ubuntu.developer.myusername.MyCoolApp": {
                 "policy_groups": [
                   "networking",
                   "online-accounts"
                 ],
                 "policy_vendor": "ubuntu",
                 "policy_version": 1.0,
                 "template": "ubuntu-sdk",
                 "template_variables": {
                   "APPNAME": "MyCoolApp",
                   "APPVERSION": "0.1.2"
                 }
               }
             }
           }
         }

   --verify-manifest
       When used with --manifest, warn about potentially unsafe
       definitions in the manifest file.

   --output-format=FORMAT
       Specify either text (default if unspecified) for AppArmor policy
       output or json for JSON manifest format.

   --output-directory=DIR
       Specify output directory for profile. If unspecified, policy is
       sent to stdout.

EXAMPLES

   Example usage for a program named 'foo' which is installed in /opt/foo:

       $ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
                     --policy-groups=opt-application,user-application \
                     /opt/foo/bin/FooApp

   When using a manifest file:

       $ aa-easyprof --manifest=manifest.json

   To output a manifest file based on aa-easyprof arguments:

       $ aa-easyprof --output-format=json \
                     --author="Your Name" \
                     --comment="Unstructured single-line comment" \
                     --copyright="Unstructured single-line copyright statement" \
                     --name="My Foo App" \
                     --profile-name="com.example.foo" \
                     --template="user-application" \
                     --policy-groups="user-application,networking" \
                     --abstractions="audio,gnome" \
                     --read-path="/tmp/foo_r" \
                     --read-path="/tmp/bar_r/" \
                     --write-path="/tmp/foo_w" \
                     --write-path=/tmp/bar_w/ \
                     --template-var="@{APPNAME}=foo" \
                     --template-var="@{VAR1}=bar" \
                     --template-var="@{VAR2}=baz" \
                     "/opt/foo/**"

BUGS

   If you find any additional bugs, please report them to Launchpad at
   <https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

   apparmor(7) apparmor.d(5)





Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.





Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.


Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.





Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.


Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.





Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.


Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.