.\" -*- mode: troff; coding: utf-8 -*- .\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ . ds C` "" . ds C' "" 'br\} .el\{\ . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "AA-GENPROF 8" .TH AA-GENPROF 8 2024-08-15 "AppArmor 4.0.3" AppArmor .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME aa\-genprof \- profile generation utility for AppArmor .SH SYNOPSIS .IX Header "SYNOPSIS" \&\fBaa-genprof \fR\f(BI\fR\fB [\fR\f(BI\-d /path/to/profiles\fR\fB] [\fR\f(BI\-f /path/to/logfile\fR\fB]\fR .SH OPTIONS .IX Header "OPTIONS" \&\fB\-d \-\-dir /path/to/profiles\fR .PP .Vb 2 \& Specifies where to look for the AppArmor security profile set. \& Defaults to /etc/apparmor.d. .Ve .PP \&\fB\-f \-\-file /path/to/logfile\fR .PP .Vb 6 \& Specifies the location of logfile. \& Default locations are read from F. \& Typical defaults are: \& /var/log/audit/audit.log \& /var/log/syslog \& /var/log/messages .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" When running aa-genprof, you must specify a program to profile. If the specified program is not a fully-qualified path, aa-genprof will search \f(CW$PATH\fR in order to find the program. .PP If a profile does not exist for the program, aa-genprof will create one using \&\fBaa\-autodep\fR\|(1). .PP Genprof will then: .PP .Vb 1 \& \- set the profile to complain mode \& \& \- write a mark to the system log \& \& \- instruct the user to start the application to \& be profiled in another window and exercise its functionality .Ve .PP It then presents the user with two options, (S)can system log for entries to add to profile and (F)inish. .PP If the user selects (S)can or hits return, aa-genprof will parse the complain mode logs and iterate through generated violations using \fBaa\-logprof\fR\|(1). .PP After the user finishes selecting profile entries based on violations that were detected during the program execution, aa-genprof will reload the updated profiles in complain mode and again prompt the user for (S)can and (F)inish. This cycle can then be repeated as necessary until all application functionality has been exercised without generating access violations. .PP When the user eventually hits (F)inish, aa-genprof will set the main profile, and any other profiles that were generated, into enforce mode and exit. .SH BUGS .IX Header "BUGS" If you find any bugs, please report them at . .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBapparmor\fR\|(7), \fBapparmor.d\fR\|(5), \fBaa\-enforce\fR\|(1), \fBaa\-complain\fR\|(1), \fBaa\-disable\fR\|(1), \&\fBaa_change_hat\fR\|(2), \fBaa\-logprof\fR\|(1), \fBlogprof.conf\fR\|(5), and .