genprof - profile generation utility for AppArmor
#name
NAME
#synopsis
SYNOPSIS
#options
OPTIONS
#description
DESCRIPTION
#bugs
BUGS
#see_also
SEE ALSO
NAME
genprof - profile generation utility for AppArmor
SYNOPSIS
genprof
<executable>
[
-d /path/to/profiles
]
OPTIONS
-d /path/to/profiles
You can use -d (or --dir) to specify where to look for the SubDomain profile set.
The directory /etc/subdomain.d is the default profile location.
DESCRIPTION
When running genprof, you must specify a program to profile.  If the
specified program is not a fully-qualified path, genprof will search $PATH
in order to find the program.
If a profile does not exist for the program, genprof will create an approximate profile using
autodep(1).
Genprof then:
- sets the profile to learning or complain mode
- reloads it into SubDomain
- marks the system log
- prompts you to execute the application to be profiled
in another terminal window, and exercise its functionality
- Gives you two menu options, (S)can for more SubDomain events
or (F)inish.
If you select ``S'' from the menu and system events exist in the log,
genprof will parse the learning mode log files. This will generate
a series of questions which you must answer to guide genprof in
generating the security profile.
After you finish selecting profile entries based on violations
that were detected during the program execution, genprof will reload
the profiles updated in learning  mode and prompts you, once again, with (S)can and
(F)inished. Repeat this cycle until all application functionality
has been exercised without generating access violations.
When you are finally ready to press (F)inished, genprof will set the main profile,
and any other profiles that were generated, into enforce mode and exit.
BUGS
If you find any bugs,
please report them to bugzilla at
http://bugs.wirex.com
http://bugs.wirex.com
.
SEE ALSO
subdomain(7), subdomain.d(5),
enforce(1), complain(1), change_hat(2), logprof(1), and logprof.conf(5).
genprof - profile generation utility for AppArmor
