aa-genprof

Start generating a profile for a program

$ sudo aa-genprof [program_path]

$ sudo aa-genprof -d /path/to/profiles [program_path]

$ sudo aa-genprof -f /path/to/logfile [program_path]

aa-genprof executable [-d /path/to/profiles] [-f /path/to/logfile]

aa-genprof is a profile generation utility for AppArmor that automates the creation of security profiles by monitoring program behavior. When invoked with a program name, the tool searches the system PATH if needed, then creates a new profile or works with an existing one.
The workflow involves setting the profile to complain mode, logging access violations during program execution, and iteratively refining the profile through user-guided scanning of system logs until all functionality has been exercised without violations.

-d, --dir /path/to/profiles

Specifies where to look for the AppArmor security profile set; defaults to /etc/apparmor.d

Specifies the location of the logfile; default locations are read from /etc/apparmor/logprof.conf

Display help information

/etc/apparmor/logprof.conf

Controls default logfile location, repository settings, and other options used during profile generation.

Profile generation requires running the target application through all its normal operations to capture the necessary access patterns. Incomplete testing may result in profiles that block legitimate functionality.

Part of the AppArmor utilities package for managing application security profiles on Linux systems.

aa-logprof(8), aa-enforce(8), aa-complain(8), aa-disable(8), apparmor(7)