Generate an AppArmor Profile

Guide to generating a new AppArmor profile.

Creating a Profile

  1. Use which <application name> to get the full path of the application
  2. Run sudo aa-genprof <path to application> to start the profile generation
    1. Alternatively, use sudo aa-autodep <path to application> to create a profile for a constantly running application, like a web server
  3. Start the application as you normally would and use it for some time
  4. After using the application for some time, press the s key in the aa-genprof terminal to scan the audit logs for files the application accessed
  5. The results are shown in the terminal; switch between them with the arrow keys
  6. Depending on whether you want to allow or deny access to that file, press
    1. a to allow access
    2. d to deny access
  7. You can keep pressing the s key to scan for new behavior
  8. To finish profiling and write the profile, press the f key
  9. Now run sudo aa-status to check that the new profile has been loaded

The profile has now been created. You can update all existing profiles using sudo aa-logprof, which scans the audit logs for accesses that the profiles do not yet cover.

Running a Profile

To test the new profile, run sudo aa-complain <path to profile> to start it in complain mode, where violations are only logged. Run sudo aa-enforce <path to profile> to use the profile in enforce mode, where violations are blocked.

Profiles are typically stored in /etc/apparmor.d.

Deleting a Profile

To delete a profile, remove the corresponding file from the /etc/apparmor.d folder and restart AppArmor.
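The steps above (locating the profile file, checking which mode it runs in, and deleting it cleanly) as a small set of shell helpers. This is an added example, not part of the original guide; the file-naming convention (/usr/bin/myapp becomes /etc/apparmor.d/usr.bin.myapp) and the kernel profile list format are the ones AppArmor uses, and the sample profile list at the end is constructed so profile_mode can be exercised on a machine without AppArmor.

```shell
#!/bin/sh
# Helpers around the aa-genprof / aa-complain / aa-enforce workflow.
# Added example, not code from the original guide.

APPARMOR_DIR=/etc/apparmor.d
KERNEL_PROFILES=/sys/kernel/security/apparmor/profiles

# Map an application path to the profile file aa-genprof writes:
# strip the leading slash and turn the remaining slashes into dots.
profile_file_for() {
    path=$1
    case "$path" in
        /*) ;;
        *) path=$(command -v "$path") || return 1 ;;  # same as "which"
    esac
    printf '%s/%s\n' "$APPARMOR_DIR" "$(printf '%s' "${path#/}" | tr / .)"
}

# Report the mode a loaded profile is in ("enforce" or "complain"), or
# "unloaded" if the kernel does not list it. The kernel lists loaded
# profiles one per line as "<name> (<mode>)". A second argument overrides
# the source file so the check can run against a constructed sample.
profile_mode() {
    name=$1
    src=${2:-$KERNEL_PROFILES}
    [ -r "$src" ] || return 1
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2 }' "$src")
    printf '%s\n' "${mode:-unloaded}"
}

# Delete a profile: unload it from the kernel first, then remove the file.
# Removing only the file leaves the profile active until AppArmor reloads.
remove_profile() {
    file=$(profile_file_for "$1") || return 1
    [ -f "$file" ] || { echo "no profile file: $file" >&2; return 1; }
    apparmor_parser -R "$file" && rm -f "$file"
}

# Constructed sample of the kernel profile list, used to dry-run profile_mode.
SAMPLE_PROFILES=$(mktemp)
cat > "$SAMPLE_PROFILES" <<'EOF'
/usr/bin/myapp (enforce)
/usr/sbin/nginx (complain)
/usr/bin/man (enforce)
EOF
```

After aa-enforce, profile_mode /usr/bin/myapp on a live system should print enforce; anything else means the profile was not loaded.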

Last modified 2024.07.31