LinuxCommandLibrary

aa-cleanprof

Clean unused AppArmor profiles

TLDR

Clean a profile to remove unused rules

$ sudo aa-cleanprof [profile_name]

Clean multiple profiles at once
$ sudo aa-cleanprof [profile1 profile2 ...]

Specify the directory containing profiles
$ sudo aa-cleanprof [[-d|--dir]] /[path/to/profiles] [profile_name]

Run silently without prompts
$ sudo aa-cleanprof [[-s|--silent]] [profile_name]

Prevent profile reload after cleaning
$ sudo aa-cleanprof --no-reload [profile_name]

Display help
$ aa-cleanprof [[-h|--help]]

SYNOPSIS

aa-cleanprof [ -d | --debug ] [ profile ... ]

PARAMETERS

-d, --debug
    Print verbose debugging output

-h, --help
    Display usage help and exit

--version
    Output version information and exit

DESCRIPTION

aa-cleanprof is a utility from the AppArmor security toolkit for Linux, designed to remove profile files that are no longer actively loaded in the kernel. AppArmor enforces Mandatory Access Control (MAC) by confining applications via profiles stored in /etc/apparmor.d/. Over time, unloaded or obsolete profiles can clutter this directory.

The command queries the kernel's loaded profiles via /sys/kernel/security/apparmor/.profiles (or equivalent interface) and cross-references them against filesystem entries with extensions like .prof or names matching profiles. Unmatched files are deleted to maintain a clean configuration directory.

When invoked without arguments, it processes all eligible profiles. Specifying profile names (e.g., /usr/bin/app) limits cleanup to those. This is useful post-development, after purging kernel modules, or during system maintenance.

Key benefits include reducing disk usage and preventing accidental loading of stale policies. However, it performs irreversible deletions without backup, so verify loaded status with aa-status first. Integrated into the AppArmor utils package, it is essential for administrators managing confinement policies at scale.


CAVEATS

Permanently deletes files without backup.
Run only after confirming profiles are unloaded (check with aa-status).
Aborts if AppArmor is not loaded or no changes are needed.
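Because the deletions are irreversible, a dry run that lists which profile files have no loaded counterpart in the kernel is worth doing before invoking the tool. The script below is an added example, not part of aa-cleanprof or the AppArmor utils: it parses the kernel's profile listing and the header line of each profile file (the header format and the skipping of include/abi lines are simplifying assumptions), and reports files whose declared profile is not loaded. Sample listing and files are constructed so it runs offline.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Real kernel interface: one "name (mode)" line per loaded profile.
KERNEL_LISTING = Path("/sys/kernel/security/apparmor/profiles")
PROFILE_DIR = Path("/etc/apparmor.d")

def parse_loaded(listing: str) -> Dict[str, str]:
    """Map each loaded profile name to its mode (enforce, complain, ...)."""
    loaded = {}
    for line in listing.splitlines():
        m = re.match(r"^(.+?)\s+\((\w+)\)\s*$", line)
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded

def declared_name(text: str) -> Optional[str]:
    """Profile name from a file's header ('/path ... {' or 'profile NAME ... {').
    Returns None for files with no top-level profile (abstractions, tunables).
    Assumption: the header is the first line that is not blank, a comment,
    an include, or an abi directive."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] == "#" or s.startswith(("include", "abi ")):
            continue
        m = re.match(r"^(?:profile\s+)?(\S+).*\{$", s)
        return m.group(1) if m else None
    return None

def unloaded_files(loaded: Dict[str, str], files: Dict[str, str]) -> List[str]:
    """Dry run: names of profile files whose declared profile is not loaded."""
    return sorted(f for f, text in files.items()
                  if (n := declared_name(text)) is not None and n not in loaded)

# Constructed sample data (not from a real host) so the audit runs offline.
SAMPLE_LISTING = "/usr/bin/firefox (enforce)\nnvidia_modprobe (complain)\n"
SAMPLE_FILES = {
    "usr.bin.firefox": "#include <tunables/global>\n/usr/bin/firefox {\n}\n",
    "nvidia_modprobe": "profile nvidia_modprobe /usr/bin/nvidia-modprobe {\n}\n",
    "usr.sbin.cupsd": "abi <abi/3.0>,\ninclude <tunables/global>\n"
                      "profile cupsd /usr/sbin/cupsd flags=(attach_disconnected) {\n}\n",
    "abstractions/base": "# shared abstraction, no profile header\n  /etc/ld.so.cache r,\n",
}

def demo() -> List[str]:
    """Audit the constructed sample; cupsd is on disk but not loaded."""
    return unloaded_files(parse_loaded(SAMPLE_LISTING), SAMPLE_FILES)

if __name__ == "__main__":
    live = KERNEL_LISTING.exists()   # fall back to the sample when not on a host
    listing = KERNEL_LISTING.read_text() if live else SAMPLE_LISTING
    files = ({p.name: p.read_text() for p in PROFILE_DIR.iterdir() if p.is_file()}
             if live else SAMPLE_FILES)
    print("not loaded in kernel:", unloaded_files(parse_loaded(listing), files))
```

On a real host, run it as root so the kernel listing is readable; files reported here are the ones to double-check against aa-status before cleaning.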

EXAMPLE USAGE

aa-cleanprof # Clean all unused
aa-cleanprof /usr/bin/firefox # Target specific profile

PROFILE LOCATION

Targets /etc/apparmor.d/; custom dirs require manual handling.

HISTORY

Part of AppArmor utilities since version 2.1 (circa 2009), developed by Canonical and community for Ubuntu. Evolved with kernel LSM integration; current in AppArmor 3.x.
