apparmor_parser
Load AppArmor security profiles
TLDR
Load a profile into the kernel
Replace an existing profile
Remove a profile from the kernel
Load a profile in complain mode (logs violations but doesn't block)
Preprocess a profile (resolve includes) and write binary cache to file
Preprocess and print binary profile to stdout without loading
Replace a profile while skipping cache reads
Replace a profile, rebuild cache, and write it to a custom directory
SYNOPSIS
apparmor_parser [options] [file ...]
PARAMETERS
-a, --add
Add policies. If a profile with the same name already exists, it is replaced unless -r is used exclusively.
-r, --replace
Replace existing policies. This option requires the profile to already be loaded in the kernel.
-R, --remove
Remove profiles from the kernel. Policies will no longer be enforced or monitored after removal.
-p, --parse-only
Parse policy files without loading them into the kernel. This mode is useful for syntax checking and validation.
-C, --complain
Set the specified profiles to complain mode. In this mode, policy violations are logged but not prevented.
-E, --enforce
Set the specified profiles to enforce mode. In this mode, policy violations are actively blocked by the kernel.
-I
Add a directory to the include path. This is used by the parser to find included policy fragments.
-q, --quiet
Suppress most output messages, displaying only critical errors or essential information.
-v, --verbose
Increase the verbosity of output, providing more detailed information about the parsing and loading process.
-h, --help
Display a brief help message with command options and exit.
-V, --version
Display version information for apparmor_parser and exit.
DESCRIPTION
apparmor_parser is a fundamental utility for managing AppArmor security profiles on Linux systems. It serves as the primary tool for compiling and manipulating AppArmor policy files, translating human-readable rules into a binary format understood by the AppArmor kernel module. Its core functions include loading new policies, replacing existing ones with updated versions, and removing profiles from the kernel. This command is also invaluable for developing and debugging policies, offering modes to simply parse files for syntax errors without making live system changes. By facilitating the dynamic loading and unloading of security profiles, apparmor_parser enables administrators to enforce fine-grained access control policies for applications, enhancing system security and mitigating potential vulnerabilities.
CAVEATS
Using apparmor_parser to load or unload policies typically requires root privileges.
Incorrectly configured or malformed policies can lead to application malfunction or system instability.
The AppArmor kernel module must be loaded and enabled for policies to take effect and be managed.
POLICY MODES AND ENFORCEMENT
AppArmor profiles can operate in 'enforce' or 'complain' mode. apparmor_parser provides direct command-line options (-C for complain, -E for enforce) to switch profiles between these modes, affecting how policy violations are handled (blocked vs. logged).
HANDLING INCLUDE PATHS
Complex AppArmor policies often utilize 'includes' to organize and reuse common policy rules. The -I option is critical for specifying additional directories where the parser should search for these included policy fragments, ensuring proper compilation of modular policy sets.
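The staged rollout that the mode and include options above support, as an added example (not from this man page and not AppArmor project code): a constructed profile for a hypothetical /usr/local/bin/reportd is validated with -p (no kernel change), first loaded in complain mode with -a -C, and only replaced in enforce mode with -r once the audit log has been reviewed; the include directory, the reportd paths and the dry-run fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the man page): staged rollout of a constructed
# AppArmor profile for a hypothetical /usr/local/bin/reportd.
# Stage 1 (-p) never touches the kernel; stage 2 (-a -C) loads the profile
# in complain mode so missing rules surface as audit-log events instead of
# broken applications; stage 3 (-r) replaces it in enforce mode.
set -eu

PARSER=${PARSER:-apparmor_parser}           # set to a stub for dry runs
INCLUDE_DIR=${INCLUDE_DIR:-/etc/apparmor.d} # holds tunables/ and abstractions/

# Write a minimal constructed profile to $1. It uses #include directives so
# that -I matters: without the include path the parser cannot resolve them.
write_profile() {
  cat >"$1" <<'EOF'
#include <tunables/global>
/usr/local/bin/reportd {
  #include <abstractions/base>
  /usr/local/bin/reportd mr,
  /etc/reportd.conf r,
  /var/lib/reportd/** rwk,
  deny /etc/shadow r,
}
EOF
}

# Run the parser, or print the command line when it is not installed (dry run).
run_parser() {
  if command -v "$PARSER" >/dev/null 2>&1; then "$PARSER" "$@"
  else echo "dry-run: $PARSER $*"; fi
}

check_profile() { run_parser -p -I "$INCLUDE_DIR" "$1" >/dev/null; } # stage 1: parse only
load_complain() { run_parser -a -C -I "$INCLUDE_DIR" "$1"; }         # stage 2: complain mode
load_enforce()  { run_parser -r -I "$INCLUDE_DIR" "$1"; }            # stage 3: enforce mode

main() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  write_profile "$tmp"
  check_profile "$tmp"            # set -e aborts here on a syntax error
  echo "profile parses cleanly"
  load_complain "$tmp"
  echo "review audit entries (apparmor=\"ALLOWED\") before: load_enforce $tmp"
}

if [ "${1:-}" = run ]; then main; fi   # only act when invoked with 'run'
```

Run as `sh rollout.sh run` (as root on a host with AppArmor) to execute stages 1 and 2; without a parser installed the commands are only printed.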
HISTORY
AppArmor, and subsequently apparmor_parser, originated from Novell's security efforts, providing a profile-based mandatory access control system for Linux. From its early development, the parser has been a cornerstone utility, enabling the conversion of human-readable policy rules into a format understood by the kernel. It has continuously evolved to support new AppArmor features and policy syntax, becoming an indispensable tool for managing system security profiles across various Linux distributions.
SEE ALSO
aa-enforce(8), aa-complain(8), aa-logprof(8), apparmor(7), apparmor.d(5)