apparmor/utils/aa-status.pod

# This publication is intellectual property of Novell Inc. and Canonical
# Ltd. Its contents can be duplicated, either in part or in whole, provided
# that a copyright label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
# shall be held liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#


=pod

=head1 NAME

aa-status - display various information about the current AppArmor
policy.

=head1 SYNOPSIS

B<aa-status> [option]

=head1 DESCRIPTION

B<aa-status> will report various aspects of the current state of
AppArmor confinement. By default, it displays the same information as if
the I<--verbose> argument were given. A sample of what this looks like
is:

  apparmor module is loaded.
  110 profiles are loaded.
  102 profiles are in enforce mode.
  8 profiles are in complain mode.
  Out of 129 processes running:
  13 processes have profiles defined.
  8 processes have profiles in enforce mode.
  5 processes have profiles in complain mode.

Other argument options are provided to report individual aspects, to
support being used in scripts.

=head1 OPTIONS

B<aa-status> accepts only one argument at a time out of:

=over 4

=item --enabled

returns error code if AppArmor is not enabled.

=item --profiled

displays the number of loaded AppArmor policies.

=item --enforced

displays the number of loaded enforcing AppArmor policies.

=item --complaining

displays the number of loaded non-enforcing AppArmor policies.

=item --verbose

displays multiple data points about loaded AppArmor policy
set (the default action if no arguments are given).

=item --json

displays multiple data points about loaded AppArmor policy
set in a JSON format, fit for machine consumption.

=item --pretty-json

same as --json, formatted to be readable by humans as well
as by machines.

=item --help

displays a short usage statement.

=back

=head1 EXIT STATUS

Upon exiting, B<aa-status> will set its exit status to the
following values:

=over 4

=item B<0>

if apparmor is enabled and policy is loaded.

=item B<1>

if apparmor is not enabled/loaded.

=item B<2>

if apparmor is enabled but no policy is loaded.

=item B<3>

if the apparmor control files aren't available under /sys/kernel/security/.

=item B<4>

if the user running the script doesn't have enough privileges to read
the apparmor control files.

=back

=head1 BUGS

B<aa-status> must be run as root to read the state of the loaded
policy from the apparmor module. It uses the /proc filesystem to determine
which processes are confined and so is susceptible to race conditions.

If you find any additional bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.

=head1 SEE ALSO

apparmor(7), apparmor.d(5), and
L<http://wiki.apparmor.net>.

=cut