How do you begin making a profile for a program when it crashes even in complain mode?

[odomingao]

I want to make a profile for Hyprland, however it crashes even in complain mode.

[roddhjav]

You may want to read the info div of https://apparmor.pujol.io/issues: a profile in complain mode cannot break the program it confines, however, there are some major exceptions:

• deny rules are enforced even in complain mode,
• attach_disconnected (and mediate_deleted) will break the program if they are required and missing in the profile,
• If AppArmor does not find the profile to transition rPx.

You can check these error in the log with: aa-log | grep error=

[odomingao]

Thanks, I've managed to make a basic profile for it. It's very surprising though, how it appearently doesn't even need explicit access to its own configuration file to work. It must be the power of the full /dev/tty access (even before granting it access to the bin directories it was still kinda working and it loaded my config). The profile:

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/Hyprland
profile hyprland /usr/bin/Hyprland flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/graphics>

  @{exec_path} mr,

  @{bin}/** rPUx,
  @{user_bin_dirs}/** rPUx,

  owner @{run}/user/@{uid}/hypr/** w,
  owner /dev/tty@{int} rw,

  include if exists <local/hyprland>
}

# vim:syntax=apparmor

EDIT - NVM. opening hyprland after a reboot breaks everything. At least now I'm getting logs, though.