mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/aa-easyprof.pod
Jamie Strandboge 1db463f4de This patchset is broken into 4 parts: 
* the application, library, documentation and installation script
* the initial templates and policy groups. This will undoubtedly need
  refinement as we get feedback from users. Initial policy is based on Ubuntu's
  Application Review Board (ARB) requirements[2].
* tests for the library
* Makefile integration

Templates are stored in /usr/share/apparmor/easyprof/templates and policy
groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via
/etc/apparmor/easyprof.conf.

The aa-easyprof.pod has complete documentation on usage with some
additional information in utils/easyprof/README (mostly duplicated
here).

Testing can be performed in a number of ways:
$ cd utils ; make check # runs unit tests and pyflakes

Unit tests manually:
$ ./test/test-aa-easyprof.py

In source manual testing:
$ ./aa-easyprof --templates-dir=./easyprof/templates \
                --policy-groups-dir=./easyprof/policygroups \
                ... \
                /opt/foo/bin/foo

Post-install manual testing:
$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
$ cd /tmp/test
$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
    --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
    --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
    /opt/bin/foo

(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid
specifying --templates-dir and --policy-groups-dir).

Committing this now based on conversation with John and Steve.

Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00

146 lines
4.3 KiB
Text
Raw Blame History

# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-easyprof - AppArmor profile generation made easy.
=head1 SYNOPSIS
B<aa-easyprof> [option] <path to binary>
=head1 DESCRIPTION
B<aa-easyprof> provides an easy to use interface for AppArmor policy
generation. B<aa-easyprof> supports the use of templates and policy groups to
quickly profile an application. Please note that while this tool can help
with policy generation, its utility is dependent on the quality of the
templates, policy groups and abstractions used. Also, this tool may create
policy which is less restricted than creating policy by hand or with
B<aa-genprof> and B<aa-logprof>.
=head1 OPTIONS
B<aa-easyprof> accepts the following arguments:
=over 4
=item -t TEMPLATE, --template=TEMPLATE
Specify which template to use. May specify either a system template from
/usr/share/apparmor/easyprof/templates or a filename for the template to
use. If not specified, use /usr/share/apparmor/easyprof/templates/default.
=item -p POLICYGROUPS, --policy-groups=POLICYGROUPS
Specify POLICY as a comma-separated list of policy groups. See --list-templates
for supported policy groups. The available policy groups are in
/usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of
AppArmor rules or policies. They are similar to AppArmor abstractions, but
usually encompass more policy rules.
=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
usually recommended you use policy groups instead, but this is provided as a
convenience. AppArmor abstractions are located in /etc/apparmor.d/abstractions.
See apparmor.d(5) for details.
=item -r PATH, --read-path=PATH
Specify a PATH to allow owner reads. May be specified multiple times. If the
PATH ends in a '/', then PATH is treated as a directory and reads are allowed
to all files under this directory. Can optionally use '/*' at the end of the
PATH to only allow reads to files directly in PATH.
=item -w PATH, --write-dir=PATH
Like --read-path but also allow owner writes in additions to reads.
=item -n NAME, --name=NAME
Specify NAME of policy. If not specified, NAME is set to the name of the
binary. The NAME of the policy is often used as part of the path in the
various templates.
=item --template-var="@{VAR}=VALUE"
Set VAR to VALUE in the resulting policy. This typically only makes sense if
the specified template uses this value. May be specified multiple times.
=item --list-templates
List available templates.
=item --show-template=TEMPLATE
Display template specified with --template.
=item --templates-dir=PATH
Use PATH instead of system templates directory.
=item --list-policy-groups
List available policy groups.
=item --show-policy-group
Display policy groups specified with --policy.
=item --policy-groups-dir=PATH
Use PATH instead of system policy-groups directory.
=item --author
Specify author of the policy.
=item --copyright
Specify copyright of the policy.
=item --comment
Specify comment for the policy.
=back
=head1 EXAMPLE
Example usage for a program named 'foo' which is installed in /opt/foo:
=over
$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" --policy-groups=opt-application,user-application /opt/foo/bin/FooApp
=back
=head1 BUGS
If you find any additional bugs, please report them to Launchpad at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7) apparmor.d(5)
=cut
Reference in a new issue View git blame Copy permalink