aa-genprof

Generate AppArmor security profiles

TLDR

Start generating a profile for a program
$ sudo aa-genprof [program_path]

Specify a custom directory for profiles
$ sudo aa-genprof [[-d|--dir]] [path/to/profiles] [program_path]

Specify a custom logfile for profiling
$ sudo aa-genprof [[-f|--file]] [path/to/logfile] [program_path]

Display help
$ aa-genprof [[-h|--help]]

SYNOPSIS

aa-genprof [options] <program> [args]

PARAMETERS

-d DIR, --dir=DIR
    Look for AppArmor profiles in DIR instead of default directory.

-f FILE, --file=FILE
    Read profile(s) from FILE instead of disk.

-p PROF, --profile=PROF
    Use PROF as the profile name.

-i, --interactive
    Auto-respond 'Y' to profile subprocess prompts.

-n, --no-prompt
    Auto-respond 'N' to profile subprocess prompts.

-l FILE, --logfile=FILE
    Use FILE as log source instead of default.

--stack-size SIZE
    Set maximum log stack size to SIZE.

-D, --debug
    Enable debug output.

-h, --help
    Display usage help.

-v, --version
    Print version information.

DESCRIPTION

aa-genprof is a utility from the AppArmor security toolkit for Linux, designed to create an initial profile for an application that has none. It launches the target program in complain mode, where AppArmor logs every access to files, capabilities, and network sockets that the profile does not yet allow, without blocking it. After exercising the program, the user interrupts aa-genprof (Ctrl+C), and it scans the logs (typically /var/log/syslog or /var/log/apparmor/deny) to propose profile rules. Interactively, it prompts for each proposed rule (Y/N/A), building a basic profile iteratively. This learning mode simplifies profiling complex applications. Once sufficient data is collected, the profile can be refined with aa-logprof, tested in complain mode, and then enforced. It is well suited to confining services such as web servers or custom binaries under AppArmor's MAC framework.

CAVEATS

Requires root privileges. The AppArmor kernel module must be loaded and functional. Profiles start in complain mode; enforce them manually with aa-enforce. Rarely used code paths are missed if the program is not fully exercised, so the resulting profile may still deny legitimate accesses once enforced.

TYPICAL WORKFLOW

1. sudo aa-genprof /usr/bin/program
2. Exercise all program features.
3. Press Ctrl+C to scan logs and tune.
4. Repeat steps 2-3.
5. Save, clean with aa-logprof, enforce.
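The log-scanning step (3) above is what turns complain-mode events into candidate rules. The following added example, which is not aa-genprof's own code, shows the idea on a few constructed AppArmor audit lines: it parses the key="value" fields, keeps events for one profile, unions the access masks per file path, and emits rule text. The `c` mask letter is folded into `w` as a simplification, and execute modes and globbing are not handled.

```python
import re
from collections import defaultdict

# Constructed sample of audit lines as written in complain mode
# (apparmor="ALLOW" marks an access that enforce mode would deny).
# Paths, pids and timestamps are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.100:101): apparmor="ALLOW" operation="open" profile="/usr/bin/program" name="/etc/program/config.ini" pid=4242 comm="program" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.200:102): apparmor="ALLOW" operation="open" profile="/usr/bin/program" name="/var/log/program/app.log" pid=4242 comm="program" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.300:103): apparmor="ALLOW" operation="open" profile="/usr/bin/program" name="/var/log/program/app.log" pid=4242 comm="program" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.400:104): apparmor="ALLOW" operation="capable" profile="/usr/bin/program" pid=4242 comm="program" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.500:105): apparmor="ALLOW" operation="create" profile="/usr/bin/program" pid=4242 comm="program" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1700000000.600:106): apparmor="ALLOW" operation="open" profile="/usr/bin/other" name="/etc/hosts" pid=999 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields of one audit line; {} if not an AppArmor event."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("apparmor") in ("ALLOW", "DENIED") else {}

def propose_rules(log_text, profile):
    """Collapse complain-mode events for `profile` into candidate profile rules.

    File events for the same path are merged by unioning their access masks,
    so the two app.log lines above become one 'rw' rule instead of two.
    """
    file_masks = defaultdict(set)
    other_rules = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue  # other profiles, or lines that are not AppArmor events
        if "name" in ev and "requested_mask" in ev:
            # 'c' (create) is logged separately but expressed as 'w' in a profile
            file_masks[ev["name"]].update(ev["requested_mask"].replace("c", "w"))
        elif ev.get("operation") == "capable" and "capname" in ev:
            other_rules.add("capability %s," % ev["capname"])
        elif "family" in ev and "sock_type" in ev:
            other_rules.add("network %s %s," % (ev["family"], ev["sock_type"]))
    order = "rwalkmix"  # conventional letter order in profile file rules
    file_rules = {"%s %s," % (path, "".join(c for c in order if c in mask))
                  for path, mask in file_masks.items()}
    return sorted(file_rules | other_rules)

if __name__ == "__main__":
    print("\n".join(propose_rules(SAMPLE_LOG, "/usr/bin/program")))
```

Each line printed is a rule aa-genprof would ask you to allow or deny; in practice you would review them before saving, since a path that is only logged because of a test-specific input should not end up in the enforced profile.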

HISTORY

Part of AppArmor, which originated in the Immunix project (1990s), was commercialized by Novell/SUSE (~2005), and was integrated into Ubuntu mainline (~2009). aa-genprof was introduced early in Ubuntu's AppArmor adoption to make profile generation easy.

SEE ALSO

aa-logprof(8), aa-autodep(8), aa-complain(1), aa-enforce(1), aa-unconfined(1), apparmor_parser(8)