apparmor_parser
Load AppArmor security profiles
TLDR
Load a profile into the kernel
Replace an existing profile
Remove a profile from the kernel
Load a profile in complain mode (logs violations but doesn't block)
Preprocess a profile (resolve includes) and write binary cache to file
Preprocess and print binary profile to stdout without loading
Replace a profile while skipping cache reads
Replace a profile, rebuild cache, and write it to a custom directory
SYNOPSIS
apparmor_parser [options] profile ...
PARAMETERS
-a
    Add profile(s); replace if already loaded
-C
    Compile to binary file (.apparmor.bin), do not load
-c
    Compile and load into kernel (default behavior)
-d dir
    Dump machine-readable profiles to directory
-D dir
    Set AppArmor audit message directory
-f format
    Specify input format: text or binary
-i
    Ignore invalid profiles and continue
-k
    Keep temporary compilation files
-l
    Load profile regardless of cache state
-M bytes
    Set maximum memory for compilation
-N
    Disable stack size checking during parse
-P
    Print profile after parsing
-Q
    Reduce output verbosity
-r
    Replace existing profile(s)
-R
    Remove profile(s) from kernel
-T
    Test profile syntax without loading
-v
    Increase verbosity (repeat for more)
-w dir
    Write complain-mode violations to directory
DESCRIPTION
The apparmor_parser command is the primary tool for managing AppArmor policy profiles on Linux systems using the AppArmor security module. AppArmor provides mandatory access control by confining programs to a limited set of resources through per-program profiles.
This utility reads human-readable policy files (typically from /etc/apparmor.d/), compiles them into an efficient binary format, and loads them into the kernel. By default, it replaces existing profiles or loads new ones. It supports adding, replacing, removing, or dumping profiles, as well as compilation-only mode for offline processing.
Key features include verbose output for debugging, memory-limited compilation for large profiles, custom input formats (text or binary), and auditing support. It ensures profiles are syntax-checked and optimized before kernel enforcement. It is used primarily by system administrators and during package installation, for example via dpkg hooks on Ubuntu.
It requires root privileges and a loaded AppArmor kernel module (modprobe apparmor). Profiles enforce file permissions, network access, and capabilities, enhancing system security without modifying applications.
CAVEATS
Requires root privileges and loaded AppArmor module. Syntax errors prevent loading. Binary profiles are architecture-specific. Large profiles may exceed memory limits.
EXAMPLES
apparmor_parser -a /etc/apparmor.d/usr.bin.myapp
apparmor_parser -r /etc/apparmor.d/home.bin.script
apparmor_parser -C -d /tmp profile
apparmor_parser -R badprofile
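A staged rollout helper, added here as an example and not part of this page or the AppArmor project: it compiles the profile without touching the kernel first, then loads it in complain mode so violations are only logged, and switches to enforce mode only when asked. The long option names (--skip-kernel-load, --Complain, --replace) are upstream apparmor_parser's; the APPARMOR_PARSER override variable and the function names are this script's own assumptions.

```shell
# Staged rollout helper for apparmor_parser (example code, not from this page).
# Assumes upstream long option names: --skip-kernel-load, --Complain, --replace.
# APPARMOR_PARSER lets a caller point at a different binary (script's own convention).
PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# Compile only; the kernel is never touched, so a syntax error costs nothing.
# Returns 2 if the file is missing, otherwise the parser's exit status.
check_profile() {
    profile="$1"
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 2; }
    "$PARSER" --skip-kernel-load "$profile"
}

# Load (or replace) in complain mode: violations are logged, not blocked.
load_complain() {
    "$PARSER" --replace --Complain "$1"
}

# Load (or replace) in enforce mode; do this only after the audit log
# from the complain phase shows no unexpected denials.
load_enforce() {
    "$PARSER" --replace "$1"
}

# stage_profile PROFILE [complain|enforce]
# Returns 0 on success, the check's status if compilation fails (nothing is
# loaded in that case), and 3 for an unknown mode.
stage_profile() {
    profile="$1"
    mode="${2:-complain}"
    check_profile "$profile" || return $?
    case "$mode" in
        complain) load_complain "$profile" ;;
        enforce)  load_enforce "$profile" ;;
        *) echo "unknown mode: $mode" >&2; return 3 ;;
    esac
}

# Run directly: stage_profile /etc/apparmor.d/usr.bin.myapp complain
[ $# -eq 0 ] || stage_profile "$@"
```

Run the complain phase first, review the resulting audit entries, and only then call it again with enforce.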
FILES
Profiles in /etc/apparmor.d/; compiled cache /etc/apparmor.d/usr.policy; binary .apparmor.bin
HISTORY
Originated from Immunix LSM (2000s), acquired by Novell/SUSE. Integrated into Ubuntu 8.04 (2008), mainlined in Linux kernel 2.6.36 (2010). Actively maintained by Canonical and community.
SEE ALSO
aa-status(8), aa-genprof(8), aa-logprof(8), aa-complain(8), apparmor.d(5), apparmor(7)