mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
147 lines
4.3 KiB
Text
147 lines
4.3 KiB
Text
|
# This publication is intellectual property of Canonical Ltd. Its contents
|
||
|
|
# can be duplicated, either in part or in whole, provided that a copyright
|
||
|
|
# label is visibly located on each copy.
|
||
|
|
#
|
||
|
|
# All information found in this book has been compiled with utmost
|
||
|
|
# attention to detail. However, this does not guarantee complete accuracy.
|
||
|
|
# Neither Canonical Ltd, the authors, nor the translators shall be held
|
||
|
|
# liable for possible errors or the consequences thereof.
|
||
|
|
#
|
||
|
|
# Many of the software and hardware descriptions cited in this book
|
||
|
|
# are registered trademarks. All trade names are subject to copyright
|
||
|
|
# restrictions and may be registered trade marks. Canonical Ltd
|
||
|
|
# essentially adheres to the manufacturer's spelling.
|
||
|
|
#
|
||
|
|
# Names of products and trademarks appearing in this book (with or without
|
||
|
|
# specific notation) are likewise subject to trademark and trade protection
|
||
|
|
# laws and may thus fall under copyright restrictions.
|
||
|
|
#
|
||
|
|
|
||
|
|
=pod
|
||
|
|
|
||
|
|
=head1 NAME
|
||
|
|
|
||
|
|
aa-easyprof - AppArmor profile generation made easy.
|
||
|
|
|
||
|
|
=head1 SYNOPSIS
|
||
|
|
|
||
|
|
B<aa-easyprof> [option] <path to binary>
|
||
|
|
|
||
|
|
=head1 DESCRIPTION
|
||
|
|
|
||
|
|
B<aa-easyprof> provides an easy to use interface for AppArmor policy
|
||
|
|
generation. B<aa-easyprof> supports the use of templates and policy groups to
|
||
|
|
quickly profile an application. Please note that while this tool can help
|
||
|
|
with policy generation, its utility is dependent on the quality of the
|
||
|
|
templates, policy groups and abstractions used. Also, this tool may create
|
||
|
|
policy which is less restricted than creating policy by hand or with
|
||
|
|
B<aa-genprof> and B<aa-logprof>.
|
||
|
|
|
||
|
|
=head1 OPTIONS
|
||
|
|
|
||
|
|
B<aa-easyprof> accepts the following arguments:
|
||
|
|
|
||
|
|
=over 4
|
||
|
|
|
||
|
|
=item -t TEMPLATE, --template=TEMPLATE
|
||
|
|
|
||
|
|
Specify which template to use. May specify either a system template from
|
||
|
|
/usr/share/apparmor/easyprof/templates or a filename for the template to
|
||
|
|
use. If not specified, use /usr/share/apparmor/easyprof/templates/default.
|
||
|
|
|
||
|
|
=item -p POLICYGROUPS, --policy-groups=POLICYGROUPS
|
||
|
|
|
||
|
|
Specify POLICY as a comma-separated list of policy groups. See --list-templates
|
||
|
|
for supported policy groups. The available policy groups are in
|
||
|
|
/usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of
|
||
|
|
AppArmor rules or policies. They are similar to AppArmor abstractions, but
|
||
|
|
usually encompass more policy rules.
|
||
|
|
|
||
|
|
=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
|
||
|
|
|
||
|
|
Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
|
||
|
|
usually recommended you use policy groups instead, but this is provided as a
|
||
|
|
convenience. AppArmor abstractions are located in /etc/apparmor.d/abstractions.
|
||
|
|
See apparmor.d(5) for details.
|
||
|
|
|
||
|
|
=item -r PATH, --read-path=PATH
|
||
|
|
|
||
|
|
Specify a PATH to allow owner reads. May be specified multiple times. If the
|
||
|
|
PATH ends in a '/', then PATH is treated as a directory and reads are allowed
|
||
|
|
to all files under this directory. Can optionally use '/*' at the end of the
|
||
|
|
PATH to only allow reads to files directly in PATH.
|
||
|
|
|
||
|
|
=item -w PATH, --write-dir=PATH
|
||
|
|
|
||
|
|
Like --read-path but also allow owner writes in additions to reads.
|
||
|
|
|
||
|
|
=item -n NAME, --name=NAME
|
||
|
|
|
||
|
|
Specify NAME of policy. If not specified, NAME is set to the name of the
|
||
|
|
binary. The NAME of the policy is often used as part of the path in the
|
||
|
|
various templates.
|
||
|
|
|
||
|
|
=item --template-var="@{VAR}=VALUE"
|
||
|
|
|
||
|
|
Set VAR to VALUE in the resulting policy. This typically only makes sense if
|
||
|
|
the specified template uses this value. May be specified multiple times.
|
||
|
|
|
||
|
|
=item --list-templates
|
||
|
|
|
||
|
|
List available templates.
|
||
|
|
|
||
|
|
=item --show-template=TEMPLATE
|
||
|
|
|
||
|
|
Display template specified with --template.
|
||
|
|
|
||
|
|
=item --templates-dir=PATH
|
||
|
|
|
||
|
|
Use PATH instead of system templates directory.
|
||
|
|
|
||
|
|
=item --list-policy-groups
|
||
|
|
|
||
|
|
List available policy groups.
|
||
|
|
|
||
|
|
=item --show-policy-group
|
||
|
|
|
||
|
|
Display policy groups specified with --policy.
|
||
|
|
|
||
|
|
=item --policy-groups-dir=PATH
|
||
|
|
|
||
|
|
Use PATH instead of system policy-groups directory.
|
||
|
|
|
||
|
|
=item --author
|
||
|
|
|
||
|
|
Specify author of the policy.
|
||
|
|
|
||
|
|
=item --copyright
|
||
|
|
|
||
|
|
Specify copyright of the policy.
|
||
|
|
|
||
|
|
=item --comment
|
||
|
|
|
||
|
|
Specify comment for the policy.
|
||
|
|
|
||
|
|
=back
|
||
|
|
|
||
|
|
=head1 EXAMPLE
|
||
|
|
|
||
|
|
Example usage for a program named 'foo' which is installed in /opt/foo:
|
||
|
|
|
||
|
|
=over
|
||
|
|
|
||
|
|
$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" --policy-groups=opt-application,user-application /opt/foo/bin/FooApp
|
||
|
|
|
||
|
|
=back
|
||
|
|
|
||
|
|
=head1 BUGS
|
||
|
|
|
||
|
|
If you find any additional bugs, please report them to Launchpad at
|
||
|
|
L<https://bugs.launchpad.net/apparmor/+filebug>.
|
||
|
|
|
||
|
|
=head1 SEE ALSO
|
||
|
|
|
||
|
|
apparmor(7) apparmor.d(5)
|
||
|
|
|
||
|
|
=cut
|