How can I parse apparmor profile?

I want to see the restrictions of AppArmor for dhclient, for example.

I tried to run

 apparmor_parser -p /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data

I got:

AppArmor parser error for /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data in profile /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data at line 1: Lexer found unexpected character: '' (0x4) in state: INITIAL

How can I see the restrictions AppArmor applies to some process? By looking at the /sys/kernel/security/apparmor/policy/profiles/ directory?

Asked By: vtable


The profiles in /etc/apparmor.d are the text form that is meant to be edited by humans and that (typically) depend on large include files.

The generated profiles are cached in a parser-specific directory and are mostly not human readable.

The parser usually loads the binary profile (either compiled right away or loaded from the cache) into the kernel using the apparmorfs file system special files like .load or .replace.

Given the right kernel configuration you can also view the binary profiles loaded into the kernel but equally their contents are mostly not readable by humans as they are entirely binary and use two complex encodings inside.

If you are interested you can learn more by reading the source code of the Linux kernel (security/apparmor/policy_unpack.c), the AppArmor parser (parser/parser_interface.c), and using your favourite hex editor to look at the raw bytes.

I’ve started a project to provide human-readable analysis of binary profiles at but at the current stage it is only interesting to Go developers. I will release a tool based on that library that can decompile any profile, as much as such profiles can be decompiled, as optimisations turn much of the human-readable rules into a complex state machine.

My best advice right now would be to focus on the text of the profile in /etc/apparmor.d.

Answered By: Zygmunt Krynicki
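As an added example (not part of the question or answer above), the following POSIX shell script follows the answer's advice: it reads the AppArmor label of a running process, maps the profile name to its text file under /etc/apparmor.d, and dumps that text profile with its include files expanded via apparmor_parser -p, which only works on text profiles and not on the binary raw_data blob from the question. It assumes the usual Debian/Ubuntu file-naming convention for /etc/apparmor.d and that /proc/<pid>/attr/current is readable.

```shell
#!/bin/sh
# Added example, not code from the Q&A above. Assumptions: text profiles live
# in /etc/apparmor.d, a process's label is in /proc/<pid>/attr/current
# (newer kernels also expose /proc/<pid>/attr/apparmor/current), and
# apparmor_parser is in PATH.

# Split a label such as "/usr/sbin/dhclient (enforce)" into "<name> <mode>".
# An unconfined process reports just "unconfined"; report its mode as "none".
parse_label() {
    label=$1
    case $label in
        unconfined) printf '%s %s\n' unconfined none ;;
        *" ("*")")
            name=${label%" ("*}
            mode=${label##*" ("}
            mode=${mode%")"}
            printf '%s %s\n' "$name" "$mode" ;;
        *) printf '%s %s\n' "$label" unknown ;;
    esac
}

# Map a profile name to its conventional text file name: drop the leading
# slash and turn the remaining slashes into dots, so /usr/sbin/dhclient
# becomes usr.sbin.dhclient (the kernel's binary copy appears in
# /sys/kernel/security/apparmor/policy/profiles/ as usr.sbin.dhclient.<id>).
# This is a packaging convention, not something the kernel enforces.
profile_file_name() {
    n=${1#/}
    printf '%s\n' "$n" | tr '/' '.'
}

# Report how a process is confined and print its text profile with all
# include files expanded (apparmor_parser -p preprocesses a text profile).
show_process_profile() {
    pid=$1
    read -r name mode <<EOF
$(parse_label "$(cat "/proc/$pid/attr/current")")
EOF
    echo "pid $pid: profile '$name' mode $mode"
    [ "$mode" = none ] && return 0
    f="/etc/apparmor.d/$(profile_file_name "$name")"
    [ -r "$f" ] || { echo "no text profile at $f" >&2; return 1; }
    apparmor_parser -p "$f"
}

# Usage (needs root to read the profile and a confined dhclient running):
# show_process_profile "$(pidof dhclient)"
```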