
Generate profiles with aa-genprof

The AppArmor utilities package (apparmor-utils) is a suite of tools for creating, monitoring, and maintaining profiles. These tools let you generate policies interactively by learning from the events that AppArmor writes to the system logs.

In this guide, you will learn:

  • How to generate an AppArmor profile with aa-genprof
  • How to debug and refine the profile
  • How to submit the profile to the open database of AppArmor profiles

Prerequisites

  • Install apparmor-utils

Prepare a test plan

When writing a profile for an application, it is important to understand which of the application's behaviors you want to confine. Make sure you write down all the functionality your application has, such as:

  • Start, stop, and restart the application
  • Use every command-line option available
  • Open files, save files, and perform standard operations with files

You can also use dedicated test suites such as make test or autopkgtest, if available, to exercise your application.

Generate an empty profile with aa-genprof

aa-genprof is the primary tool for creating a new profile from scratch. It creates the profile in complain mode, so the application keeps running and AppArmor only logs the accesses that the profile does not yet allow.

Create a new profile for the ping application:

sudo aa-genprof /usr/bin/ping

The output of this command will guide you through profile creation:

Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/bin/ping.
Setting /usr/bin/ping to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/ping

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in 
order to scan the system logs for AppArmor events. 

For each AppArmor event, you will be given the 
opportunity to choose whether the access should be 
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

Important

Do not close the terminal window with aa-genprof until you are finished with testing your application.

Test your application

In a new terminal window, test your application by executing your test plan. AppArmor logs every access event, and these events are what you will turn into profile rules.

For example, let's run ping:

sudo ping example.com

Test and refine your profile

Go back to the terminal window with aa-genprof and press S.

The output shows the profile name, the access that was logged (here, the net_raw capability) with its severity rating, and the rule that would be added to the profile:

Reading log entries from /var/log/syslog.
Complain-mode changes:

Profile:    /usr/bin/ping
Capability: net_raw
Severity:   8

 [1 - capability net_raw,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish

You can now select whether this access should be allowed, denied, ignored, and so on.
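As an added illustration (not part of the original guide and not code from apparmor-utils), the following Python script performs a simplified version of what the Scan step does: it parses AppArmor audit lines from the system log and groups them into candidate profile rules per profile, counting how many events back each rule. The log lines are constructed samples in the kernel's audit format, and the mapping covers only capability and file-access events; exec, network and other event types are left out.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the kernel writes to syslog for
# AppArmor events. apparmor="ALLOWED" is what a complain-mode profile logs
# (the access went through but would be denied under enforcement);
# apparmor="DENIED" is what an enforced profile logs. CAP_NET_RAW is 13.
SAMPLE_LOG = """\
Jan  1 12:00:00 host kernel: audit: type=1400 audit(1700000000.100:10): apparmor="ALLOWED" operation="capable" profile="/usr/bin/ping" pid=1234 comm="ping" capability=13  capname="net_raw"
Jan  1 12:00:00 host kernel: audit: type=1400 audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/ping" name="/etc/hosts" pid=1234 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  1 12:00:01 host kernel: audit: type=1400 audit(1700000000.102:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/ping" name="/etc/hosts" pid=1235 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  1 12:00:02 host kernel: audit: type=1400 audit(1700000000.103:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/ping" pid=1200 comm="apparmor_parser"
Jan  1 12:00:03 host kernel: audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="capable" profile="/usr/bin/ping" pid=1300 comm="ping" capability=13  capname="net_raw"
Jan  1 12:00:04 host kernel: some unrelated kernel message
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor event."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return fields if "apparmor" in fields else None


def propose_rule(event):
    """Map one event to the profile rule that would be offered for it.
    Only capability and file-access events are handled in this example."""
    if event.get("operation") == "capable" and "capname" in event:
        return f"capability {event['capname']},"
    if "name" in event and "requested_mask" in event:
        return f"{event['name']} {event['requested_mask']},"
    return None


def summarize(log_text, include_denied=False):
    """Group candidate rules per profile with the number of events behind
    each. By default only complain-mode (ALLOWED) events are counted, which
    is what the Scan step looks for; pass include_denied=True to also pick
    up DENIED events from a profile that is already enforced."""
    wanted = {"ALLOWED", "DENIED"} if include_denied else {"ALLOWED"}
    rules = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event["apparmor"] not in wanted:
            continue
        rule = propose_rule(event)
        if rule is not None:
            rules[event["profile"]][rule] += 1
    return {profile: dict(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, candidates in summarize(SAMPLE_LOG).items():
        print(f"Profile: {profile}")
        for rule, count in candidates.items():
            print(f"  {rule}  ({count} event(s))")
```

Running the script on the sample log yields one candidate capability rule and one file rule for /usr/bin/ping; the STATUS line from the parser and the non-AppArmor message are ignored, and the DENIED event is only counted when include_denied is set, which is the check to run against a profile that is already in enforce mode.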

Let's deny ping the ability to open raw sockets by pressing D. You will be prompted in the same way to assign a rule for each of the logged events.

Once there are no more events associated with your application, you will be prompted to review the profile, save it, or restart the process:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/ping]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /usr/bin/ping.

Press S to save the changes to the profile. You will see:

Writing updated profile for /usr/bin/ping.

If you open a new terminal window and try running ping, you will receive an error, because the saved profile now denies the net_raw capability that ping needs and aa-genprof puts the profile into enforce mode when you finish:

ping example.com
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?

Ship profiles

If you are developing a profile for an application that you develop, or for an application that is not covered by an AppArmor profile by default but could be useful to other users, we encourage you to submit it to the AppArmor repository. The profile will then be maintained by the community and can be readily shipped in many distributions.

Further reading