4.6.3 Summary of Profiling Tools
All of the Novell AppArmor profiling utilities are provided by the apparmor-utils RPM package and are stored in /usr/sbin. The following sections introduce each tool.
aa-autodep—Creating Approximate Profiles
aa-autodep creates an approximate profile for the program or application selected. You can generate approximate profiles for binary executables and interpreted script programs. The resulting profile is called "approximate" because it does not necessarily contain all of the profile entries that the program needs to be properly confined by Novell AppArmor. The minimum aa-autodep approximate profile has at least a base include directive, which contains basic profile entries needed by most programs. For certain types of programs, aa-autodep generates a more expanded profile. The profile is generated by recursively calling ldd(1) on the executables listed on the command line.
To generate an approximate profile, use the aa-autodep program. The program argument can be either the simple name of the program, which aa-autodep finds by searching your shell's PATH variable, or a fully qualified path. The program itself can be of any type (ELF binary, shell script, Perl script, etc.). The approximate profile that aa-autodep generates is a starting point that is then improved through the dynamic profiling that follows.
The resulting approximate profile is written to the /etc/apparmor.d directory using the Novell AppArmor profile naming convention of naming the profile after the absolute path of the program, replacing the forward slash (/) characters in the path with period (.) characters. The general form of aa-autodep is to enter the following in a terminal window when logged in as root:

aa-autodep [ -d /path/to/profiles ] [ program1 program2 ...]
If you do not enter the program name or names, you are prompted for them. /path/to/profiles overrides the default location of /etc/apparmor.d, should you keep profiles in a location other than the default.
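The following POSIX shell script is an added illustration of the naming convention and command form described above; it is not part of the guide and is not code from the AppArmor project. It resolves a program argument the way aa-autodep does (absolute path used as-is, bare name looked up in PATH), derives the profile file name (as in the stock profiles under /etc/apparmor.d, the leading slash is dropped before the remaining slashes become periods), and prints the aa-autodep command line without running anything. The profile skeleton it emits is only the minimum the text describes (a base include directive); the real tool may add more. The program paths used in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: where aa-autodep will write a profile, and what it is called.
# This is an illustration of the convention described in the guide, not the tool itself.

# Map an absolute program path to its profile file name: drop the leading "/"
# and replace every remaining "/" with "." (e.g. /usr/sbin/example -> usr.sbin.example).
profile_name_for() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Resolve a program argument as aa-autodep does: an absolute path is used as given,
# a bare name is searched for in the shell's PATH. Fails if the name is not found.
resolve_program() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  command -v "$1" || return 1 ;;
    esac
}

# Full path of the profile that aa-autodep would create for program $1.
# $2 is the optional profile directory (the -d argument); default is /etc/apparmor.d.
profile_path_for() {
    prog=$(resolve_program "$1") || return 1
    printf '%s/%s\n' "${2:-/etc/apparmor.d}" "$(profile_name_for "$prog")"
}

# Print the aa-autodep command line for a profile directory and one or more programs.
# Dry run: nothing is executed, so this is safe to call anywhere.
autodep_cmdline() {
    dir=$1
    shift
    printf 'aa-autodep -d %s %s\n' "$dir" "$*"
}

# Emit the minimal "approximate" profile the text describes: a profile block for the
# absolute path with only a base include directive. (Illustration only; aa-autodep's
# actual output is usually larger.)
skeleton_profile() {
    prog=$(resolve_program "$1") || return 1
    printf '%s {\n  #include <abstractions/base>\n}\n' "$prog"
}

# Usage: ./autodep-names.sh /usr/sbin/example another-program
# Prints, for each argument, the profile path and the skeleton profile.
for p in "$@"; do
    profile_path_for "$p" || { echo "not found: $p" >&2; continue; }
    skeleton_profile "$p"
done
```

Running the script with a bare name that is not in PATH reports "not found" instead of guessing a path, which mirrors the reason the guide recommends fully qualified paths when the program is not on your PATH.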
To begin profiling, you must create profiles for each main executable service that is
part of your application (anything that might start without being a child of another
program that already has a profile). Finding all such programs depends on the application
in question. Here are several strategies for finding such programs:
Novell AppArmor Administration Guide