| genprof - profile generation utility for AppArmor |
genprof - profile generation utility for AppArmor
genprof <executable> [-d /path/to/profiles]
-d /path/to/profiles
You can use -d (or --dir) to specify where to look for the SubDomain profile set. The directory /etc/subdomain.d is the default profile location.
When running genprof, you must specify a program to profile. If the specified program is not a fully-qualified path, genprof will search $PATH in order to find the program.
If a profile does not exist for the program, genprof will create an approximate profile using autodep(1).
Genprof then:
- sets the profile to learning or complain mode
- reloads it into SubDomain
- marks the system log
- prompts you to execute the application to be profiled in another terminal window, and exercise its functionality
- gives you two menu options, (S)can for more SubDomain events or (F)inish.
If you select "S" from the menu and system events exist in the log, genprof will parse the learning mode log files. This will generate a series of questions which you must answer to guide genprof in generating the security profile.
After you finish selecting profile entries based on violations that were detected during the program execution, genprof will reload the profiles updated in learning mode and prompt you, once again, with (S)can and (F)inished. Repeat this cycle until all application functionality has been exercised without generating access violations.
When you are finally ready to press (F)inished, genprof will set the main profile, and any other profiles that were generated, into enforce mode and exit.
subdomain(7), subdomain.d(5), enforce(1), complain(1), change_hat(2), logprof(1), and logprof.conf(5).