{ "mode": "man", "parameter": "apparmor_xattrs", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/apparmor_xattrs/7/json", "generated": "2026-05-30T07:10:52Z", "sections": { "NAME": { "content": "apparmorxattrs - AppArmor profile xattr(7) matching\n", "subsections": [] }, "DESCRIPTION": { "content": "AppArmor profiles can conditionally match files based on the presence and value of extended\nattributes in addition to file path. The following profile applies to any file under\n\"/usr/bin\" where the \"security.apparmor\" extended attribute has the value \"trusted\":\n\nprofile trusted /usr/bin/* xattrs=(security.apparmor=\"trusted\") {\n# ...\n}\n\nNote that \"security.apparmor\" and \"trusted\" are arbitrary, and profiles can match based on\nthe value of any attribute.\n\nThe xattrs value may also contain a path regex:\n\nprofile trusted /usr/bin/* xattrs=(user.trust=\"tier/*\") {\n\n# ...\n}\n\nThe getfattr(1) and setfattr(1) tools can be used to view and manage xattr values:\n\n$ setfattr -n 'security.apparmor' -v 'trusted' /usr/bin/example-tool\n$ getfattr --absolute-names -d -m - /usr/bin/example-tool\n# file: usr/bin/example-tool\nsecurity.apparmor=\"trusted\"\n\nThe priority of each profile is determined by the length of the path, then the number of\nxattrs specified. A more specific path is preferred over xattr matches:\n\n# Highest priority, longest path.\nprofile example1 /usr/bin/example-tool {\n# ...\n}\n\n# Lower priority than the longer path, but higher priority than a rule\n# with fewer xattr matches.\nprofile example2 /usr/ xattrs=(\nsecurity.apparmor=\"trusted\"\nuser.domain=\"\"\n) {\n# ...\n}\n\n# Lowest priority. Same path length as the second profile, but has\n# fewer xattr matches.\nprofile example2 /usr/ {\n# ...\n}\n\nxattr matching requires the following kernel feature:\n\n/sys/kernel/security/apparmor/features/domain/attachconditions/xattr\n", "subsections": [] }, "KNOWN ISSUES": { "content": "AppArmor profiles currently can't reliably match extended attributes with binary values such\nas security.evm and security.ima. In the future AppArmor may gain the ability to match based\non the presence of certain attributes while ignoring their values.\n", "subsections": [] }, "SEE ALSO": { "content": "apparmor(8), apparmorparser(8), apparmor.d(5), xattr(7), aa-autodep(1), clean(1), auditd(8),\ngetfattr(1), setfattr(1), and .\n\n\n\nAppArmor 3.0.4 2025-08-15 APPARMORXATTRS(7)", "subsections": [] } }, "summary": "apparmorxattrs - AppArmor profile xattr(7) matching", "flags": [], "examples": [], "see_also": [ { "name": "apparmor", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/apparmor/8/json" }, { "name": "apparmorparser", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/apparmorparser/8/json" }, { "name": "apparmor.d", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/apparmor.d/5/json" }, { "name": "xattr", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/xattr/7/json" }, { "name": "aa-autodep", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/aa-autodep/1/json" }, { "name": "clean", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/clean/1/json" }, { "name": "auditd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/auditd/8/json" }, { "name": "getfattr", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/getfattr/1/json" }, { "name": "setfattr", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/setfattr/1/json" } ] }