Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 315

Unconfined (ux)
The child runs completely unconfined without any AppArmor profile
applied to the executed resource.
Choose the unconfined with clean exec (Ux) option to scrub the environ-
ment of environment variables that could modify execution behavior
when passed to the child process. This option introduces a security vul-
nerability that could be used to exploit AppArmor. Only use it as a last
resort.
mmap (m)
This permission denotes that the program running under the profile can
access the resource using the mmap system call with the flag
PROT_EXEC. This means that the data mapped in it can be executed.
You are prompted to include this permission if it is requested during a
profiling run.
Deny
Prevents the program from accessing the specified directory path entries.
AppArmor then continues to the next event.
Abort
Aborts aa-logprof, losing all rule changes entered so far and leaving all
profiles unmodified.
Finish
Closes aa-logprof, saving all rule changes entered so far and modifying
all profiles.
• Example 24.2, "Learning Mode Exception: Defining Execute Permissions
for an Entry" (page 302) shows AppArmor suggesting directory path entries
that have been accessed by the application being profiled. It might also require
you to define execute permissions for entries.
Building Profiles from the Command Line 301