LinuxCommandLibrary

aa-mergeprof

Merge AppArmor profiles

TLDR

Merge one or more profile files into the default profile directory

$ sudo aa-mergeprof [file1 file2 ...]

Merge profile files into a specific directory

$ sudo aa-mergeprof [[-d|--dir]] /[path/to/profiles] [file1 file2 ...]

Display help

$ aa-mergeprof [[-h|--help]]

SYNOPSIS

aa-mergeprof [-d DIR] [--base BASE] [-o FILE] [--verify] [--check] BASEPROF [PROFILE ...]

PARAMETERS

-d DIR, --dir DIR
    Use profiles from directory DIR (default: /etc/apparmor.d)

--base BASE
    Treat BASE as the base profile name instead of first argument

-o FILE, --output FILE
    Write merged profile to FILE instead of stdout

--verify
    Verify syntax of merged profile after generation

--check
    Check if merged profile parses without errors

--help
    Display usage information

--version
    Show version information

DESCRIPTION

aa-mergeprof is a utility from the AppArmor suite, a Linux kernel security module that provides mandatory access control (MAC) by confining programs to a limited set of resources. This command merges multiple AppArmor profile files into a single profile, using the first specified profile as the base. Rules from subsequent profiles are appended and conflicts are resolved by selecting the most restrictive rule (e.g., deny over allow, deeper path glob over shallower).

It is particularly useful for combining profile fragments from different sources, such as package-provided profiles, custom rules, or profiles generated by tools like aa-genprof. The output is a unified profile that can be loaded into the kernel via apparmor_parser. By default, it writes to stdout, allowing easy redirection to a file.

Key benefits include simplifying profile management in complex environments and ensuring consistent policy application. Users should verify the merged profile syntax before deployment to avoid security gaps or syntax errors.

CAVEATS

Merging prioritizes restrictive rules, but the result may still be an overly permissive profile if the base profile lacks rules; always verify with --verify or apparmor_parser. Non-existent profiles cause errors.
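The following is an added example, not part of the original page or the AppArmor project: a review step for the caveat above that lists rules present in a merged profile but absent from the base, and flags those that widen access. It is a line-based heuristic rather than a policy parser, so it complements the syntax check; the function names and sample profiles are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: flag rules a merge introduced that widen access.
# Function names and the sample profiles below are constructed for illustration.
normalise() {   # drop comments, blank lines, indentation; keep #include lines
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
         /^#include/  { print; next }
         /^#/ || /^$/ { next }
         { print }' "$1" | LC_ALL=C sort -u
}

added_rules() { # added_rules BASE MERGED -> lines present only in MERGED
    b=$(mktemp) && m=$(mktemp) || return 1
    normalise "$1" > "$b"; normalise "$2" > "$m"
    LC_ALL=C comm -13 "$b" "$m"
    rm -f "$b" "$m"
}

risky_added_rules() { # subset of added rules that grant broader access
    added_rules "$1" "$2" | awk '
        /^(audit )?deny /  { next }   # deny rules only narrow access
        /^capability/      { print "CAPABILITY\t" $0; next }
        /\*\*/             { print "RECURSIVE-GLOB\t" $0; next }
        /^(owner )?(\/|@[{])/ && $NF ~ /[wax]/ { print "WRITE-OR-EXEC\t" $0 }'
}

demo_findings() { # constructed sample: a base profile and a merged result
    d=$(mktemp -d) || return 1
    cat > "$d/base.prof" <<'EOF'
profile demo /usr/bin/demo {
  #include <abstractions/base>
  deny /etc/shadow r,
}
EOF
    cat > "$d/merged.prof" <<'EOF'
profile demo /usr/bin/demo {
  #include <abstractions/base>
  deny /etc/shadow r,
  /var/lib/demo/** rw,
  /usr/bin/helper Px,
  capability net_admin,
  deny /root/** rwx,
  /usr/share/demo/*.dat r,
}
EOF
    risky_added_rules "$d/base.prof" "$d/merged.prof"
    rm -rf "$d"
}

demo_findings
```

On the sample input, three added rules are flagged for review; the added deny rule and the read-only rule are not.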

EXAMPLE

aa-mergeprof base.prof extra.rules > merged.prof
Combines base.prof with rules from extra.rules.

HISTORY

Part of the AppArmor utilities since version 2.0 (circa 2009), developed by Canonical/SUSE for Ubuntu/SLE integration. It has evolved alongside the AppArmor kernel module and currently ships in the apparmor-utils package.

SEE ALSO
