Provided by: apparmor-easyprof_2.10.95-0ubuntu1_all bug


       aa-easyprof - AppArmor profile generation made easy.


       aa-easyprof [option] <path to binary>


       aa-easyprof provides an easy to use interface for AppArmor policy
       generation. aa-easyprof supports the use of templates and policy groups
       to quickly profile an application. Please note that while this tool can
       help with policy generation, its utility is dependent on the quality of
       the templates, policy groups and abstractions used. Also, this tool may
       create policy which is less restricted than creating policy by hand or
       with aa-genprof and aa-logprof.


       aa-easyprof accepts the following arguments:

       -t TEMPLATE, --template=TEMPLATE
           Specify which template to use. May specify either a system template
           from /usr/share/apparmor/easyprof/templates or a filename for the
           template to use. If not specified, use

       -p POLICYGROUPS, --policy-groups=POLICYGROUPS
           Specify POLICY as a comma-separated list of policy groups. See
           --list-templates for supported policy groups. The available policy
           groups are in /usr/share/apparmor/easyprof/policy. Policy groups
           are simply groupings of AppArmor rules or policies. They are
           similar to AppArmor abstractions, but usually encompass more policy

       -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
           Specify ABSTRACTIONS as a comma-separated list of AppArmor
           abstractions. It is usually recommended you use policy groups
           instead, but this is provided as a convenience. AppArmor
           abstractions are located in /etc/apparmor.d/abstractions.  See
           apparmor.d(5) for details.

       -r PATH, --read-path=PATH
           Specify a PATH to allow owner reads. May be specified multiple
           times. If the PATH ends in a '/', then PATH is treated as a
           directory and reads are allowed to all files under this directory.
           Can optionally use '/*' at the end of the PATH to only allow reads
           to files directly in PATH.

       -w PATH, --write-dir=PATH
           Like --read-path but also allow owner writes in additions to reads.

       -n NAME, --name=NAME
           Specify NAME of policy. If not specified, NAME is set to the name
           of the binary. The NAME of the policy is typically only used for
           profile meta data and does not specify the AppArmor profile name.

           Specify the AppArmor profile name. When set, uses 'profile
           PROFILENAME' in the profile. When set and specifying a binary, uses
           'profile PROFILENAME BINARY' in the profile. If not set, the binary
           will be used as the profile name and profile attachment.

           Set VAR to VALUE in the resulting policy. This typically only makes
           sense if the specified template uses this value. May be specified
           multiple times.

           List available templates.

           Display template specified with --template.

           Use PATH instead of system templates directory.

           Include PATH when searching for templates in addition to the system
           templates directory (or the one specified with --templates-dir).
           System templates will match before those in PATH.

           List available policy groups.

           Display policy groups specified with --policy-groups.

           Use PATH instead of system policy-groups directory.

           Include PATH when searching for policy groups in addition to the
           system policy-groups directory (or the one specified with
           --policy-groups-dir). System policy-groups will match before those
           in PATH.

           Must be used with --policy-vendor and is used to specify the
           version of policy groups and templates. When specified, aa-easyprof
           looks for the subdirectory VENDOR/VERSION within the policy-groups
           and templates directory. The specified version must be a positive
           decimal number compatible with the JSON Number type.  Eg, when

               $ aa-easyprof --templates-dir=/usr/share/apparmor/easyprof/templates \
                             --policy-groups-dir=/usr/share/apparmor/easyprof/policygroups \
                             --policy-vendor="foo" \

           Then /usr/share/apparmor/easyprof/templates/foo/1.0 will be
           searched for templates and
           /usr/share/apparmor/easyprof/policygroups/foo/1.0 for policy

           Must be used with --policy-version and is used to specify the
           vendor for policy groups and templates. See --policy-version for
           more information.

           Specify author of the policy.

           Specify copyright of the policy.

           Specify comment for the policy.

       -m MANIFEST, --manifest=MANIFEST
           aa-easyprof also supports using a JSON manifest file for specifying
           options related to policy. Unlike command line arguments, the JSON
           file may specify multiple profiles. The structure of the JSON is:

               "security": {
                 "profiles": {
                   "<profile name 1>": {
                     ... attributes specific to this profile ...
                   "<profile name 2>": {

           Each profile JSON object (ie, everything under a profile name) may
           specify any fields related to policy. The "security" JSON container
           object is optional and may be omitted. An example manifest file
           demonstrating all fields is:

               "security": {
                 "profiles": {
                   "": {
                     "abstractions": [
                     "author": "Your Name",
                     "binary": "/opt/foo/**",
                     "comment": "Unstructured single-line comment",
                     "copyright": "Unstructured single-line copyright statement",
                     "name": "My Foo App",
                     "policy_groups": [
                     "policy_vendor": "somevendor",
                     "policy_version": 1.0,
                     "read_path": [
                     "template": "user-application",
                     "template_variables": {
                       "APPNAME": "foo",
                       "VAR1": "bar",
                       "VAR2": "baz"
                     "write_path": [

           A manifest file does not have to include all the fields. Eg, a
           manifest file for an Ubuntu SDK application might be:

               "security": {
                 "profiles": {
                   "com.ubuntu.developer.myusername.MyCoolApp": {
                     "policy_groups": [
                     "policy_vendor": "ubuntu",
                     "policy_version": 1.0,
                     "template": "ubuntu-sdk",
                     "template_variables": {
                       "APPNAME": "MyCoolApp",
                       "APPVERSION": "0.1.2"

           When used with --manifest, warn about potentially unsafe
           definitions in the manifest file.

           Specify either text (default if unspecified) for AppArmor policy
           output or json for JSON manifest format.

           Specify output directory for profile. If unspecified, policy is
           sent to stdout.


       Example usage for a program named 'foo' which is installed in /opt/foo:

           $ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" \
                         --policy-groups=opt-application,user-application \

       When using a manifest file:

           $ aa-easyprof --manifest=manifest.json

       To output a manifest file based on aa-easyprof arguments:

           $ aa-easyprof --output-format=json \
                         --author="Your Name" \
                         --comment="Unstructured single-line comment" \
                         --copyright="Unstructured single-line copyright statement" \
                         --name="My Foo App" \
                         --profile-name="" \
                         --template="user-application" \
                         --policy-groups="user-application,networking" \
                         --abstractions="audio,gnome" \
                         --read-path="/tmp/foo_r" \
                         --read-path="/tmp/bar_r/" \
                         --write-path="/tmp/foo_w" \
                         --write-path=/tmp/bar_w/ \
                         --template-var="@{APPNAME}=foo" \
                         --template-var="@{VAR1}=bar" \
                         --template-var="@{VAR2}=baz" \


       If you find any additional bugs, please report them to Launchpad at


       apparmor(7) apparmor.d(5)