aa-complain
Disable AppArmor enforcement; log violations only
TLDR
Set policy to complain mode:
    aa-complain <file|profile>
Set policies to complain mode:
    aa-complain <file|profile> <file|profile> ...
SYNOPSIS
aa-complain [OPTIONS] <file|profile> [<file|profile> ...]
PARAMETERS
-d, --dir <directory>
Specifies a directory to scan for AppArmor profiles. The default directory is typically /etc/apparmor.d.
-r, --recurse
Recursively scans specified directories for AppArmor profiles to apply the complain mode change.
--reload
Forces a reload of the profile into the kernel after its mode has been changed. This is often implicit when specifying a profile file, but can be explicit for loaded profile names.
--no-reload
Prevents the profile from being reloaded into the kernel after its mode is changed. This can be useful for advanced scripting or specific scenarios.
--force
Bypasses confirmation prompts, especially when reloading profiles that are already loaded but in a different mode.
-v, --version
Displays the version information for the AppArmor tools suite.
-h, --help
Shows a summary of command usage and available options.
<file|profile>
The path to an AppArmor profile file (e.g., /etc/apparmor.d/usr.bin.foo) or the name of an already loaded profile in the kernel.
DESCRIPTION
aa-complain is an AppArmor utility designed to modify the enforcement mode of specified AppArmor profiles to 'complain' mode. In this mode, the AppArmor kernel module does not actively prevent actions that violate the profile's rules. Instead, it permits the actions while generating audit messages that record the violations. This functionality is invaluable for AppArmor administrators and developers, as it allows them to observe an application's behavior and identify necessary permissions without disrupting its operation. It's a crucial step for developing and debugging new AppArmor profiles before transitioning them to the stricter 'enforce' mode. Profiles can be specified either by their file path (e.g., /etc/apparmor.d/usr.bin.foo) or by their name if already loaded into the kernel.
CAVEATS
- aa-complain requires root privileges (e.g., using sudo) to modify AppArmor policies at the kernel level.
- While in complain mode, no enforcement is applied; the system only logs policy violations. This means an application could still perform potentially harmful actions.
- Changes made using aa-complain are effective immediately but may not persist across system reboots unless the profile definition files themselves are permanently updated and reloaded upon boot.
PROFILE DEVELOPMENT WORKFLOW
Setting a profile to complain mode is a critical initial step in the AppArmor profile development workflow. Developers typically begin by placing a new or existing profile in complain mode using aa-complain. They then execute the application, allowing it to generate logs of all attempted file accesses and operations. These logs are subsequently analyzed using tools like aa-logprof or aa-genprof to automatically generate or refine profile rules. Once a satisfactory set of rules has been established, the profile can be switched back to enforcing mode using aa-enforce.
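The DESCRIPTION and the workflow above both hinge on the same artifact: the audit messages a complain-mode profile emits. The script below is an added example, not part of the AppArmor tool suite, that does the "analyze the logs" step by hand so the shape of those messages is clear before handing them to aa-logprof. It filters kernel audit lines for events tagged apparmor="ALLOWED" (what a complain-mode profile logs when an action would have been blocked), extracts the path and the access mask for one profile, and separates them from apparmor="DENIED" events, which come from enforcing profiles and are not profile-development data. The log lines are constructed samples; the profile name /usr/bin/foo, the paths, PIDs and timestamps are all invented for the example.

```shell
#!/bin/sh
# Added example (not AppArmor project code): summarise complain-mode audit
# events into the distinct "path mask" pairs you would review before
# refining a profile with aa-logprof and switching it back with aa-enforce.
#
# The five lines below are constructed sample audit records. Real ones come
# from /var/log/audit/audit.log or the kernel log; point AA_LOG at such a
# file to run the same functions over live data.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/foo" name="/etc/foo.conf" pid=1001 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/foo" name="/var/log/foo.log" pid=1001 comm="foo" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/foo" name="/etc/foo.conf" pid=1002 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:14): apparmor="DENIED" operation="open" profile="/usr/bin/bar" name="/etc/shadow" pid=1003 comm="bar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:15): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/foo" pid=999 comm="apparmor_parser"'

# log_source: emit the audit records, either from the file named by AA_LOG
# (hypothetical environment variable for this example) or the sample above.
log_source() {
    if [ -n "${AA_LOG:-}" ]; then
        cat "$AA_LOG"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# complain_events PROFILE: one "path mask" line per distinct access that
# PROFILE permitted-but-logged while in complain mode, sorted and de-duplicated.
complain_events() {
    profile="$1"
    log_source |
    grep 'apparmor="ALLOWED"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    sort -u
}

# count_complain_events PROFILE: number of distinct path/mask pairs to review.
count_complain_events() {
    complain_events "$1" | wc -l | tr -d ' '
}

# enforce_denials: count of events that were actually blocked. These come
# from profiles still in enforce mode and must not be mixed into the
# complain-mode review set, even though the log interleaves them.
enforce_denials() {
    log_source | grep -c 'apparmor="DENIED"'
}

# Stand-alone run: show what the sample data yields for /usr/bin/foo.
echo "complain-mode accesses for /usr/bin/foo:"
complain_events /usr/bin/foo
echo "distinct pairs: $(count_complain_events /usr/bin/foo)"
echo "blocked (enforce-mode) events in the same log: $(enforce_denials)"
```

Running it prints the two distinct accesses (/etc/foo.conf r and /var/log/foo.log wc), collapsing the repeated /etc/foo.conf read from a second PID, and reports one blocked event that belongs to the enforcing /usr/bin/bar profile rather than to the profile under development. The denied_mask field, not requested_mask, is the one to read: in complain mode it names exactly the permission the current rules lack.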
HISTORY
aa-complain is a core utility within the AppArmor security framework. AppArmor originated with Immunix, later acquired by Novell, and became a key security feature in SUSE Linux Enterprise Server and openSUSE distributions. It was integrated into the mainline Linux kernel in version 2.6.23. From its early development, aa-complain has been an indispensable tool, facilitating the iterative process of creating, testing, and refining AppArmor security profiles.
SEE ALSO
apparmor(7), aa-enforce(8), aa-disable(8), aa-logprof(8), aa-genprof(8), aa-status(8), apparmor_parser(8)