Provided by: apparmor-easyprof_2.10.95-0ubuntu2_all bug

NAME

       aa-easyprof - AppArmor profile generation made easy.

SYNOPSIS

       aa-easyprof [option] <path to binary>

DESCRIPTION

       aa-easyprof provides an easy to use interface for AppArmor policy generation. aa-easyprof
       supports the use of templates and policy groups to quickly profile an application. Please
       note that while this tool can help with policy generation, its utility is dependent on the
       quality of the templates, policy groups and abstractions used. Also, this tool may create
       policy which is less restricted than creating policy by hand or with aa-genprof and aa-
       logprof.

OPTIONS

       aa-easyprof accepts the following arguments:

       -t TEMPLATE, --template=TEMPLATE
           Specify which template to use. May specify either a system template from
           /usr/share/apparmor/easyprof/templates or a filename for the template to use. If not
           specified, use /usr/share/apparmor/easyprof/templates/default.

       -p POLICYGROUPS, --policy-groups=POLICYGROUPS
           Specify POLICY as a comma-separated list of policy groups. See --list-templates for
           supported policy groups. The available policy groups are in
           /usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of AppArmor
           rules or policies. They are similar to AppArmor abstractions, but usually encompass
           more policy rules.

       -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
           Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is usually
           recommended you use policy groups instead, but this is provided as a convenience.
           AppArmor abstractions are located in /etc/apparmor.d/abstractions.  See apparmor.d(5)
           for details.

       -r PATH, --read-path=PATH
           Specify a PATH to allow owner reads. May be specified multiple times. If the PATH ends
           in a '/', then PATH is treated as a directory and reads are allowed to all files under
           this directory. Can optionally use '/*' at the end of the PATH to only allow reads to
           files directly in PATH.

       -w PATH, --write-dir=PATH
           Like --read-path but also allow owner writes in additions to reads.

       -n NAME, --name=NAME
           Specify NAME of policy. If not specified, NAME is set to the name of the binary. The
           NAME of the policy is typically only used for profile meta data and does not specify
           the AppArmor profile name.

       --profile-name=PROFILENAME
           Specify the AppArmor profile name. When set, uses 'profile PROFILENAME' in the
           profile. When set and specifying a binary, uses 'profile PROFILENAME BINARY' in the
           profile. If not set, the binary will be used as the profile name and profile
           attachment.

       --template-var="@{VAR}=VALUE"
           Set VAR to VALUE in the resulting policy. This typically only makes sense if the
           specified template uses this value. May be specified multiple times.

       --list-templates
           List available templates.

       --show-template
           Display template specified with --template.

       --templates-dir=PATH
           Use PATH instead of system templates directory.

       --include-templates-dir=PATH
           Include PATH when searching for templates in addition to the system templates
           directory (or the one specified with --templates-dir). System templates will match
           before those in PATH.

       --list-policy-groups
           List available policy groups.

       --show-policy-group
           Display policy groups specified with --policy-groups.

       --policy-groups-dir=PATH
           Use PATH instead of system policy-groups directory.

       --include-policy-groups-dir=PATH
           Include PATH when searching for policy groups in addition to the system policy-groups
           directory (or the one specified with --policy-groups-dir). System policy-groups will
           match before those in PATH.

       --policy-version=VERSION
           Must be used with --policy-vendor and is used to specify the version of policy groups
           and templates. When specified, aa-easyprof looks for the subdirectory VENDOR/VERSION
           within the policy-groups and templates directory. The specified version must be a
           positive decimal number compatible with the JSON Number type.  Eg, when using:

               $ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
                             --policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
                             --policy-vendor="foo" \
                             --policy-version=1.0

           Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be searched for templates and
           /usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy groups.

       --policy-vendor=VENDOR
           Must be used with --policy-version and is used to specify the vendor for policy groups
           and templates. See --policy-version for more information.

       --author
           Specify author of the policy.

       --copyright
           Specify copyright of the policy.

       --comment
           Specify comment for the policy.

       -m MANIFEST, --manifest=MANIFEST
           aa-easyprof also supports using a JSON manifest file for specifying options related to
           policy. Unlike command line arguments, the JSON file may specify multiple profiles.
           The structure of the JSON is:

             {
               "security": {
                 "profiles": {
                   "<profile name 1>": {
                     ... attributes specific to this profile ...
                   },
                   "<profile name 2>": {
                     ...
                   }
                 }
               }
             }

           Each profile JSON object (ie, everything under a profile name) may specify any fields
           related to policy. The "security" JSON container object is optional and may be
           omitted. An example manifest file demonstrating all fields is:

             {
               "security": {
                 "profiles": {
                   "com.example.foo": {
                     "abstractions": [
                       "audio",
                       "gnome"
                     ],
                     "author": "Your Name",
                     "binary": "/opt/foo/**",
                     "comment": "Unstructured single-line comment",
                     "copyright": "Unstructured single-line copyright statement",
                     "name": "My Foo App",
                     "policy_groups": [
                       "networking",
                       "user-application"
                     ],
                     "policy_vendor": "somevendor",
                     "policy_version": 1.0,
                     "read_path": [
                       "/tmp/foo_r",
                       "/tmp/bar_r/"
                     ],
                     "template": "user-application",
                     "template_variables": {
                       "APPNAME": "foo",
                       "VAR1": "bar",
                       "VAR2": "baz"
                     },
                     "write_path": [
                       "/tmp/foo_w",
                       "/tmp/bar_w/"
                     ]
                   }
                 }
               }
             }

           A manifest file does not have to include all the fields. Eg, a manifest file for an
           Ubuntu SDK application might be:

             {
               "security": {
                 "profiles": {
                   "com.ubuntu.developer.myusername.MyCoolApp": {
                     "policy_groups": [
                       "networking",
                       "online-accounts"
                     ],
                     "policy_vendor": "ubuntu",
                     "policy_version": 1.0,
                     "template": "ubuntu-sdk",
                     "template_variables": {
                       "APPNAME": "MyCoolApp",
                       "APPVERSION": "0.1.2"
                     }
                   }
                 }
               }
             }

       --verify-manifest
           When used with --manifest, warn about potentially unsafe definitions in the manifest
           file.

       --output-format=FORMAT
           Specify either text (default if unspecified) for AppArmor policy output or json for
           JSON manifest format.

       --output-directory=DIR
           Specify output directory for profile. If unspecified, policy is sent to stdout.

EXAMPLES

       Example usage for a program named 'foo' which is installed in /opt/foo:

           $ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
                         --policy-groups=opt-application,user-application \
                         /opt/foo/bin/FooApp

       When using a manifest file:

           $ aa-easyprof --manifest=manifest.json

       To output a manifest file based on aa-easyprof arguments:

           $ aa-easyprof --output-format=json \
                         --author="Your Name" \
                         --comment="Unstructured single-line comment" \
                         --copyright="Unstructured single-line copyright statement" \
                         --name="My Foo App" \
                         --profile-name="com.example.foo" \
                         --template="user-application" \
                         --policy-groups="user-application,networking" \
                         --abstractions="audio,gnome" \
                         --read-path="/tmp/foo_r" \
                         --read-path="/tmp/bar_r/" \
                         --write-path="/tmp/foo_w" \
                         --write-path=/tmp/bar_w/ \
                         --template-var="@{APPNAME}=foo" \
                         --template-var="@{VAR1}=bar" \
                         --template-var="@{VAR2}=baz" \
                         "/opt/foo/**"

BUGS

       If you find any additional bugs, please report them to Launchpad at
       <https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

       apparmor(7) apparmor.d(5)