.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "AA-EXEC 1"
.TH AA-EXEC 1 2025-04-16 "AppArmor 4.1.0" AppArmor
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
aa\-exec \- confine a program with the specified AppArmor profile
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBaa-exec\fR [options] [\-\-] [\fI<command>\fR ...]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBaa-exec\fR is used to launch a program confined by the specified profile
and or namespace.  If both a profile and namespace are specified command
will be confined by profile in the new policy namespace.  If only a namespace
is specified, the profile name of the current confinement will be used.  If
neither a profile or namespace is specified command will be run using
standard profile attachment (ie. as if run without the aa-exec command).
.PP
If the arguments are to be pasted to the \fI<command>\fR being invoked
by aa-exec then \-\- should be used to separate aa-exec arguments from the
command.
  aa-exec \-p profile1 \-\- ls \-l
.SH "OPTIONS \fBaa-exec\fP accepts the following arguments:"
.IX Header "OPTIONS aa-exec accepts the following arguments:"
.IP "\-p PROFILE, \-\-profile=PROFILE" 4
.IX Item "-p PROFILE, --profile=PROFILE"
confine \fI<command>\fR with PROFILE. If the PROFILE is not specified
use the current profile name (likely unconfined).
.IP "\-n NAMESPACE, \-\-namespace=NAMESPACE" 4
.IX Item "-n NAMESPACE, --namespace=NAMESPACE"
use profiles in NAMESPACE.  This will result in confinement transitioning
to using the new profile namespace.
.IP "\-i, \-\-immediate" 4
.IX Item "-i, --immediate"
transition to PROFILE before doing executing \fI<command>\fR.  This
subjects the running of \fI<command>\fR to the exec transition rules
of the current profile.
.IP "\-v, \-\-verbose" 4
.IX Item "-v, --verbose"
show commands being performed
.IP "\-d, \-\-debug" 4
.IX Item "-d, --debug"
show commands and error codes
.IP \-\- 4
Signal the end of options and disables further option processing. Any
arguments after the \-\- are treated as arguments of the command.  This is
useful when passing arguments to the \fI<command>\fR being invoked by
aa-exec.
.SH RESTRICTIONS
.IX Header "RESTRICTIONS"
aa-exec uses \fR\f(BIaa_change_profile\fR\fI\|(3)\fR to change application confinement.
The use of \fI\fR\f(BIaa_change_profile\fR\fI\|(3)\fR may be restricted by policy in ways
that will cause failure or results different than expected.
.PP
Even when using \fIaa-exec\fR from unconfined restrictions in policy can
causes failure or the confinement entered to be different than requested
.PP
See the unpriviled unconfined restriction documentation for more detail.
https://gitlab.com/apparmor/apparmor/\-/wikis/unprivileged_unconfined_restriction
.SH STACKING
.IX Header "STACKING"
aa-exec can be used to setup a stack of profiles as confinement. When an
application is confined by a stack, all profiles in the stack are checked
as if they were the profile confining the application. The resulting
mediation is the intersection of what is allowed by each profile in the
stack.
.PP
The profiles in a stack are treated independently. Each profile can have
its own flags and profile transitions. During an exec each profile gets
to specify its transition and the results brought together to form a
new canonicalized stack.
.PP
The profile separator indicating a stack is the character sequence \fI//&\fR.
Thus a stack can be expressed using
.Sp
.Vb 6
\&  $ aa\-exec \-p "unconfined//&firefox" \-\- bash
\&  $ ps \-Z
\&  LABEL                               PID TTY          TIME CMD
\&  unconfined                        30714 pts/12   00:00:00 bash
\&  firefox//&unconfined (unconfined) 31160 pts/12   00:00:00 bash
\&  firefox//&unconfined (unconfined) 31171 pts/12   00:00:00 ps
.Ve
.SH NAMESPACES
.IX Header "NAMESPACES"
aa-exec can be used to enter confinement in another policy namespace
if the policy namespaces exists, is visible, and the profile exists in
the namespace. Note applications launched within the namespace will
not be able to exit the namespace, and may be restricted by additional
confinement around namespacing. Files and resources visible to the
parent that launches the application may not be visible in the policy
namespace resulting in access denials.
.PP
To enter a policy namespace the profile is prefixed with the namespace's
name, using a \fI:\fR prefix and suffix.
.PP
Eg.
.Sp
.Vb 6
\&  $ aa\-exec \-p :ex1:unconfined \-\- bash
\&  $ ps \-Z
\&  LABEL                               PID TTY          TIME CMD
\&  \-                                 30714 pts/12   00:00:00 bash
\&  unconfined                        34372 pts/12   00:00:00 bash
\&  unconfined                        34379 pts/12   00:00:00 ps
.Ve
.PP
Confinement of processes outside of the namespace may not be visible
in which case the confinement will be represented with a \-. If policy
is stacked only part of the confinement might be visible. However
confinement is usually fully visible from the parent policy namespace.
.PP
Eg. the confinement of the child can be queried in the parent to see
.Sp
.Vb 3
\&  $ ps \-Z 34372
\&  LABEL                               PID TTY      STAT   TIME COMMAND
\&  :ex1:unconfined                   34372 pts/12   S+     0:00 bash
.Ve
.PP
And in the case of stacking with namespaces
.Sp
.Vb 6
\&  $ aa\-exec \-p "unconfined//&:ex1:unconfined" \-\- bash
\&  $ ps \-Z
\&  LABEL                               PID TTY          TIME CMD
\&  \-                                 30714 pts/12   00:00:00 bash
\&  unconfined                        36298 pts/12   00:00:00 bash
\&  unconfined                        36305 pts/12   00:00:00 ps
.Ve
.PP
while from the parent namespace the full confinement can be seen
.Sp
.Vb 3
\&  $ ps \-Z 36298
\&  LABEL                               PID TTY      STAT   TIME COMMAND
\&  unconfined//&:ex1:unconfined      36298 pts/12   S+     0:00 bash
.Ve
.SH BUGS
.IX Header "BUGS"
If you find any bugs, please report them at
<https://gitlab.com/apparmor/apparmor/\-/issues>
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBapparmor\fR\|(7), \fBapparmor.d\fR\|(5), \fBaa_change_profile\fR\|(3),
\&\fBaa_change_onexec\fR\|(3) and <https://wiki.apparmor.net>.