apparmor/binutils/aa-status.pod

# This publication is intellectual property of Novell Inc. and Canonical
# Ltd. Its contents can be duplicated, either in part or in whole, provided
# that a copyright label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
# shall be held liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#


=pod

=head1 NAME

aa-status - display various information about the current AppArmor
policy.

=head1 SYNOPSIS

B<aa-status> [option]

=head1 DESCRIPTION

B<aa-status> will report various aspects of the current state of
AppArmor confinement. By default, it displays the same information as if
the I<--verbose> argument were given. A sample of what this looks like
is:

  apparmor module is loaded.
  110 profiles are loaded.
  102 profiles are in enforce mode.
  8 profiles are in complain mode.
  Out of 129 processes running:
  13 processes have profiles defined.
  8 processes have profiles in enforce mode.
  5 processes have profiles in complain mode.

Other argument options are provided to report individual aspects, to
support being used in scripts.

=head1 OPTIONS

B<aa-status> accepts only one argument at a time out of:

=over 4

=item --enabled

returns error code if AppArmor is not enabled.

=item --profiled

displays the number of loaded AppArmor policies.

=item --enforced

displays the number of loaded enforcing AppArmor policies.

=item --complaining

displays the number of loaded non-enforcing AppArmor policies.

=item --kill

displays the number of loaded enforcing AppArmor policies that will
kill tasks on policy violations.

=item --prompt

displays the number of loaded enforcing AppArmor policies, with
fallback to userspace mediation.

=item --special-unconfined

displays the number of loaded non-enforcing AppArmor policies that are
in the special unconfined mode.

=item --process-mixed
displays the number of processes confined by profile stacks with
profiles in different modes.

=item --verbose

displays multiple data points about loaded AppArmor policy
set (the default action if no arguments are given).

=item --json

displays multiple data points about loaded AppArmor policy
set in a JSON format, fit for machine consumption.

=item --pretty-json

same as --json, formatted to be readable by humans as well
as by machines.

=item --show

what data sets to show information about. Currently I<processes>,
I<profiles>, I<all> for both processes and profiles. The default is
I<all>.

=item --count

display only counts for selected information.

=item --filter.mode=filter

Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles apparmor profile
mode, reducing the output.

=item --filter.profiles=filter

Allows specifying a posix regular expression filter that will be
applied against the displayed processes and profiles confining
profile, reducing the output.

=item --filter.pid=filter

Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes pids
matching the expression will be displayed.

=item --filter.exe=filter

Allows specifying a posix regular expression filter that will be
applied against the displayed processes, so that only processes
executable name matching the expression will be displayed.

=item --help

displays a short usage statement.

=back

=head1 EXIT STATUS

Upon exiting, B<aa-status> will set its exit status to the
following values:

=over 4

=item B<0>

if apparmor is enabled and policy is loaded.

=item B<1>

if apparmor is not enabled/loaded.

=item B<2>

if apparmor is enabled but no policy is loaded.

=item B<3>

if the apparmor control files aren't available under
/sys/kernel/security/.

=item B<4>

if the user running the script doesn't have enough privileges to read
the apparmor control files.

=item B<42>

if an internal error occurred.

=back

=head1 BUGS

B<aa-status> must be run as root to read the state of the loaded
policy from the apparmor module. It uses the /proc filesystem to
determine which processes are confined and so is susceptible to race
conditions.

If you find any additional bugs, please report them at
L<https://gitlab.com/apparmor/apparmor/-/issues>.

=head1 SEE ALSO

apparmor(7), apparmor.d(5), and
L<https://wiki.apparmor.net>.

=cut
update the man pages to: * add Canonical to the headers of the pod files touched * use aa_change_hat() instead of change_hat() (LP: #692216) * use http://wiki.apparmor.net in the SEE ALSO * use http://https://bugs.launchpad.net/apparmor/+filebug for bugs * prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain' for 'complain') 2010-12-20 13:47:09 -06:00			`# This publication is intellectual property of Novell Inc. and Canonical`
			`# Ltd. Its contents can be duplicated, either in part or in whole, provided`
			`# that a copyright label is visibly located on each copy.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# All information found in this book has been compiled with utmost`
			`# attention to detail. However, this does not guarantee complete accuracy.`
update the man pages to: * add Canonical to the headers of the pod files touched * use aa_change_hat() instead of change_hat() (LP: #692216) * use http://wiki.apparmor.net in the SEE ALSO * use http://https://bugs.launchpad.net/apparmor/+filebug for bugs * prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain' for 'complain') 2010-12-20 13:47:09 -06:00			`# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators`
			`# shall be held liable for possible errors or the consequences thereof.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# Many of the software and hardware descriptions cited in this book`
			`# are registered trademarks. All trade names are subject to copyright`
			`# restrictions and may be registered trade marks. SUSE LINUX GmbH`
update the man pages to: * add Canonical to the headers of the pod files touched * use aa_change_hat() instead of change_hat() (LP: #692216) * use http://wiki.apparmor.net in the SEE ALSO * use http://https://bugs.launchpad.net/apparmor/+filebug for bugs * prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain' for 'complain') 2010-12-20 13:47:09 -06:00			`# and Canonical Ltd. essentially adhere to the manufacturer's spelling.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# Names of products and trademarks appearing in this book (with or without`
			`# specific notation) are likewise subject to trademark and trade protection`
			`# laws and may thus fall under copyright restrictions.`
			`#`


			`=pod`

			`=head1 NAME`

Here is a patch to standardize on all utils using the "aa-" prefix instead of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed commands. This also refactors the manpage generation slightly since we no longer need special cases for the manpages, and drops aa-eventd from the default list of tools to install (it also lacks a manpage). 2010-11-03 17:03:52 -07:00			`aa-status - display various information about the current AppArmor`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`policy.`

			`=head1 SYNOPSIS`

Here is a patch to standardize on all utils using the "aa-" prefix instead of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed commands. This also refactors the manpage generation slightly since we no longer need special cases for the manpages, and drops aa-eventd from the default list of tools to install (it also lacks a manpage). 2010-11-03 17:03:52 -07:00			`B<aa-status> [option]`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`=head1 DESCRIPTION`

Here is a patch to standardize on all utils using the "aa-" prefix instead of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed commands. This also refactors the manpage generation slightly since we no longer need special cases for the manpages, and drops aa-eventd from the default list of tools to install (it also lacks a manpage). 2010-11-03 17:03:52 -07:00			`B<aa-status> will report various aspects of the current state of`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`AppArmor confinement. By default, it displays the same information as if`
			`the I<--verbose> argument were given. A sample of what this looks like`
			`is:`

			`apparmor module is loaded.`
			`110 profiles are loaded.`
			`102 profiles are in enforce mode.`
			`8 profiles are in complain mode.`
			`Out of 129 processes running:`
			`13 processes have profiles defined.`
			`8 processes have profiles in enforce mode.`
			`5 processes have profiles in complain mode.`

			`Other argument options are provided to report individual aspects, to`
			`support being used in scripts.`

			`=head1 OPTIONS`

Here is a patch to standardize on all utils using the "aa-" prefix instead of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed commands. This also refactors the manpage generation slightly since we no longer need special cases for the manpages, and drops aa-eventd from the default list of tools to install (it also lacks a manpage). 2010-11-03 17:03:52 -07:00			`B<aa-status> accepts only one argument at a time out of:`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`=over 4`

			`=item --enabled`

			`returns error code if AppArmor is not enabled.`

			`=item --profiled`

			`displays the number of loaded AppArmor policies.`

			`=item --enforced`

			`displays the number of loaded enforcing AppArmor policies.`

			`=item --complaining`

			`displays the number of loaded non-enforcing AppArmor policies.`

aa-status: add support for kill and unconfined profile modes AppArmor 3 exposes kernel support for the kill and unconfined profile modes. Make sure aa-status has basic support for these modes. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-26 04:32:43 -07:00			`=item --kill`

aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`displays the number of loaded enforcing AppArmor policies that will`
			`kill tasks on policy violations.`

			`=item --prompt`

			`displays the number of loaded enforcing AppArmor policies, with`
			`fallback to userspace mediation.`
aa-status: add support for kill and unconfined profile modes AppArmor 3 exposes kernel support for the kill and unconfined profile modes. Make sure aa-status has basic support for these modes. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-26 04:32:43 -07:00
			`=item --special-unconfined`
aa-status: add output for for stacked processes in mixed mode Processes that are confined by multiple profiles in a stack can have more than one profile mode applied. Allow aa-status to report processes that are in a mixed profile confinement mode. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-26 04:20:47 -07:00
aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`displays the number of loaded non-enforcing AppArmor policies that are`
			`in the special unconfined mode.`
aa-status: add support for kill and unconfined profile modes AppArmor 3 exposes kernel support for the kill and unconfined profile modes. Make sure aa-status has basic support for these modes. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-26 04:32:43 -07:00
			`=item --process-mixed`
aa-status: add output for for stacked processes in mixed mode Processes that are confined by multiple profiles in a stack can have more than one profile mode applied. Allow aa-status to report processes that are in a mixed profile confinement mode. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-26 04:20:47 -07:00			`displays the number of processes confined by profile stacks with`
			`profiles in different modes.`

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`=item --verbose`

			`displays multiple data points about loaded AppArmor policy`
			`set (the default action if no arguments are given).`

Add a JSON output option to aa-status Automated infrastructure management tools, such as Chef, Puppet, and so on, could use a way to check AppArmor status that is both high-level (meaning it does not rely on kernel interfaces in /proc) and machine- readable (meaning it does not require the complexity of parsing output of tools originally intended for human consumption). Adding a JSON variant of the standard aa-status output achieves both. 2016-03-24 10:59:45 -04:00			`=item --json`

			`displays multiple data points about loaded AppArmor policy`
			`set in a JSON format, fit for machine consumption.`

			`=item --pretty-json`

			`same as --json, formatted to be readable by humans as well`
			`as by machines.`

aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`=item --show`

			`what data sets to show information about. Currently I<processes>,`
			`I<profiles>, I<all> for both processes and profiles. The default is`
			`I<all>.`

			`=item --count`

			`display only counts for selected information.`

			`=item --filter.mode=filter`

			`Allows specifying a posix regular expression filter that will be`
binutils: aa-status processess->processes typofix Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-18 11:54:42 -08:00			`applied against the displayed processes and profiles apparmor profile`
aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`mode, reducing the output.`

			`=item --filter.profiles=filter`

			`Allows specifying a posix regular expression filter that will be`
binutils: aa-status processess->processes typofix Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-18 11:54:42 -08:00			`applied against the displayed processes and profiles confining`
aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`profile, reducing the output.`

			`=item --filter.pid=filter`

			`Allows specifying a posix regular expression filter that will be`
			`applied against the displayed processes, so that only processes pids`
			`matching the expression will be displayed.`

			`=item --filter.exe=filter`

			`Allows specifying a posix regular expression filter that will be`
			`applied against the displayed processes, so that only processes`
			`executable name matching the expression will be displayed.`

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`=item --help`

			`displays a short usage statement.`

			`=back`

utils: update aa-status.pod to unify exit status and bugs sections Create an EXIT STATUS header and place the BUGS section after the EXIT STATUS section to match the style in aa-enabled.pod. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-By: Jamie Strandboge <jamie@canonical.com> 2017-07-31 17:44:52 +00:00			`=head1 EXIT STATUS`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
utils: update aa-status.pod to unify exit status and bugs sections Create an EXIT STATUS header and place the BUGS section after the EXIT STATUS section to match the style in aa-enabled.pod. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-By: Jamie Strandboge <jamie@canonical.com> 2017-07-31 17:44:52 +00:00			`Upon exiting, B<aa-status> will set its exit status to the`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00			`following values:`

This fixes a few typos in documentation that lintian noticed. 2010-11-04 14:27:30 -07:00			`=over 4`

update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2017-07-31 10:19:45 -05:00			`=item B<0>`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
			`if apparmor is enabled and policy is loaded.`

update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2017-07-31 10:19:45 -05:00			`=item B<1>`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
			`if apparmor is not enabled/loaded.`

update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2017-07-31 10:19:45 -05:00			`=item B<2>`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
			`if apparmor is enabled but no policy is loaded.`

update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2017-07-31 10:19:45 -05:00			`=item B<3>`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`if the apparmor control files aren't available under`
			`/sys/kernel/security/.`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2017-07-31 10:19:45 -05:00			`=item B<4>`
Fix apparmor_status to report unconfined processes properly on the new lkml submission code and document possible return codes in the apparmor_status manpage. 2007-05-24 04:59:06 +00:00
			`if the user running the script doesn't have enough privileges to read`
			`the apparmor control files.`

Merge Port aa-status from python to C This allows aa-status to be used without a python runtime to support things like https://bugs.launchpad.net/bugs/1865519 Fixes: https://bugs.launchpad.net/bugs/1865519 PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/473 Acked-by: John Johansen <john.johansen@canonical.com> 2020-04-24 05:43:47 +00:00			`=item B<42>`

			`if an internal error occurred.`

This fixes a few typos in documentation that lintian noticed. 2010-11-04 14:27:30 -07:00			`=back`

utils: update aa-status.pod to unify exit status and bugs sections Create an EXIT STATUS header and place the BUGS section after the EXIT STATUS section to match the style in aa-enabled.pod. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-By: Jamie Strandboge <jamie@canonical.com> 2017-07-31 17:44:52 +00:00			`=head1 BUGS`

			`B<aa-status> must be run as root to read the state of the loaded`
aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-05-02 03:22:33 -07:00			`policy from the apparmor module. It uses the /proc filesystem to`
			`determine which processes are confined and so is susceptible to race`
			`conditions.`
utils: update aa-status.pod to unify exit status and bugs sections Create an EXIT STATUS header and place the BUGS section after the EXIT STATUS section to match the style in aa-enabled.pod. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-By: Jamie Strandboge <jamie@canonical.com> 2017-07-31 17:44:52 +00:00
update the man pages to: * add Canonical to the headers of the pod files touched * use aa_change_hat() instead of change_hat() (LP: #692216) * use http://wiki.apparmor.net in the SEE ALSO * use http://https://bugs.launchpad.net/apparmor/+filebug for bugs * prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain' for 'complain') 2010-12-20 13:47:09 -06:00			`If you find any additional bugs, please report them at`
docs: update documentation to point bug reporting to gitlab Move suggested bug reporting from launchpad to gitlab Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-05-02 20:40:55 -07:00			`L<https://gitlab.com/apparmor/apparmor/-/issues>.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`=head1 SEE ALSO`

			`apparmor(7), apparmor.d(5), and`
all: Use HTTPS links for apparmor.net Signed-off-by: Tyler Hicks <tyhicks@canonical.com> 2018-09-13 16:28:22 +00:00			`L<https://wiki.apparmor.net>.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`=cut`