aa-decode
Decode AppArmor audit logs
TLDR
Decode a hex string
Decode a log file
Decode logs from stdin (e.g., redirected file)
Display help
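The "Decode a hex string" and "Decode a log file" items refer to audit fields that the kernel writes as bare hex instead of a quoted string when the value contains spaces, quotes or control characters, so a plain text search for the path misses those records. The Python sketch below is an added example, not aa-decode's own code; the field list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption for this example: fields that may carry a hex-encoded value.
# A quoted value (name="/etc/shadow") never matches because of the '"'.
HEX_FIELD = re.compile(r'\b(name2?|profile|proctitle)=([0-9A-Fa-f]{2,})(?=\s|$)')

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name=2F746D702F666F6F20626172 pid=1234 comm="example"',
    'type=AVC msg=audit(1700000000.456:457): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example"',
    'type=AVC msg=audit(1700000000.789:458): apparmor="DENIED" operation="mknod" '
    'profile="/usr/bin/example" name=2F746D702F610A62 pid=1234 comm="example"',
]

def decode_hex(value):
    """Return the UTF-8 text for a hex string, or None if it is not decodable."""
    try:
        # ValueError covers odd length, non-hex input and invalid UTF-8.
        return bytes.fromhex(value).decode("utf-8")
    except ValueError:
        return None

def printable(text):
    """Escape control characters, quotes and backslashes as \\xNN so a decoded
    value cannot inject a newline or terminal escape into the output."""
    return "".join(
        c if c.isprintable() and c not in '"\\' else "\\x{:02x}".format(ord(c))
        for c in text
    )

def decode_line(line):
    """Rewrite hex-encoded fields in one audit line as quoted, escaped text."""
    def repl(match):
        text = decode_hex(match.group(2))
        if text is None:
            return match.group(0)  # leave undecodable values untouched
        return '{}="{}"'.format(match.group(1), printable(text))
    return HEX_FIELD.sub(repl, line)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(decode_line(entry))
```

The third sample decodes to a file name containing a newline, which is why the decoded value is escaped before it is printed or stored.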
SYNOPSIS
aa-decode [options] <profile>
PARAMETERS
-h, --help
Display usage information and exit.
-o, --output <output_file>
Write decoded profile to specified file instead of stdout.
DESCRIPTION
The aa-decode command is a utility from the AppArmor security toolkit on Linux systems. AppArmor is a Mandatory Access Control (MAC) system that confines programs to a limited set of resources via profiles.
AppArmor profiles can be compiled into a compact binary format using aa-compile or apparmor_parser, which is loaded into the kernel for enforcement. The aa-decode tool reverses this process, converting binary profiles back into their human-readable text format.
This is useful for debugging, auditing loaded profiles, or recovering original policy text when only binaries are available (e.g., from /sys/kernel/security/apparmor/.load or profile dumps). It helps administrators inspect rules without recompiling or reloading policies.
Typically run as root to access kernel-loaded profiles, it outputs the decoded profile to stdout or a file, preserving abstractions, includes, and comments where possible.
CAVEATS
Requires read access to binary profile files; often needs root for kernel-loaded profiles in /sys/kernel/security/apparmor. Does not handle all profile versions perfectly.
EXAMPLE
aa-decode /etc/apparmor.d/usr.bin.firefox
Decodes a compiled Firefox profile to stdout.
aa-decode -o decoded_profile /sys/kernel/security/apparmor/.profiles/some_profile
Saves kernel-loaded profile to file.
HISTORY
Introduced with the AppArmor utilities around 2009 by Canonical/Immunix. It evolved alongside the AppArmor kernel module (v2.4+), which has been in the mainline Linux kernel since 2.6.36.
SEE ALSO
aa-compile(1), apparmor_parser(8), aa-status(1), aa-logprof(1)


