# This publication is intellectual property of Novell Inc. and Canonical # Ltd. Its contents can be duplicated, either in part or in whole, provided # that a copyright label is visibly located on each copy. # # All information found in this book has been compiled with utmost # attention to detail. However, this does not guarantee complete accuracy. # Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators # shall be held liable for possible errors or the consequences thereof. # # Many of the software and hardware descriptions cited in this book # are registered trademarks. All trade names are subject to copyright # restrictions and may be registered trade marks. SUSE LINUX GmbH # and Canonical Ltd. essentially adhere to the manufacturer's spelling. # # Names of products and trademarks appearing in this book (with or without # specific notation) are likewise subject to trademark and trade protection # laws and may thus fall under copyright restrictions. # =pod =head1 NAME aa-status - display various information about the current AppArmor policy. =head1 SYNOPSIS B [option] =head1 DESCRIPTION B will report various aspects of the current state of AppArmor confinement. By default, it displays the same information as if the I<--verbose> argument were given. A sample of what this looks like is: apparmor module is loaded. 110 profiles are loaded. 102 profiles are in enforce mode. 8 profiles are in complain mode. Out of 129 processes running: 13 processes have profiles defined. 8 processes have profiles in enforce mode. 5 processes have profiles in complain mode. Other argument options are provided to report individual aspects, to support being used in scripts. =head1 OPTIONS B accepts only one argument at a time out of: =over 4 =item --enabled returns error code if AppArmor is not enabled. =item --profiled displays the number of loaded AppArmor policies. =item --enforced displays the number of loaded enforcing AppArmor policies. =item --complaining displays the number of loaded non-enforcing AppArmor policies. =item --kill displays the number of loaded enforcing AppArmor policies that will kill tasks on policy violations. =item --prompt displays the number of loaded enforcing AppArmor policies, with fallback to userspace mediation. =item --special-unconfined displays the number of loaded non-enforcing AppArmor policies that are in the special unconfined mode. =item --process-mixed displays the number of processes confined by profile stacks with profiles in different modes. =item --verbose displays multiple data points about loaded AppArmor policy set (the default action if no arguments are given). =item --json displays multiple data points about loaded AppArmor policy set in a JSON format, fit for machine consumption. =item --pretty-json same as --json, formatted to be readable by humans as well as by machines. =item --show what data sets to show information about. Currently I, I, I for both processes and profiles. The default is I. =item --count display only counts for selected information. =item --filter.mode=filter Allows specifying a posix regular expression filter that will be applied against the displayed processess and profiles apparmor profile mode, reducing the output. =item --filter.profiles=filter Allows specifying a posix regular expression filter that will be applied against the displayed processess and profiles confining profile, reducing the output. =item --filter.pid=filter Allows specifying a posix regular expression filter that will be applied against the displayed processes, so that only processes pids matching the expression will be displayed. =item --filter.exe=filter Allows specifying a posix regular expression filter that will be applied against the displayed processes, so that only processes executable name matching the expression will be displayed. =item --help displays a short usage statement. =back =head1 EXIT STATUS Upon exiting, B will set its exit status to the following values: =over 4 =item B<0> if apparmor is enabled and policy is loaded. =item B<1> if apparmor is not enabled/loaded. =item B<2> if apparmor is enabled but no policy is loaded. =item B<3> if the apparmor control files aren't available under /sys/kernel/security/. =item B<4> if the user running the script doesn't have enough privileges to read the apparmor control files. =item B<42> if an internal error occurred. =back =head1 BUGS B must be run as root to read the state of the loaded policy from the apparmor module. It uses the /proc filesystem to determine which processes are confined and so is susceptible to race conditions. If you find any additional bugs, please report them at L. =head1 SEE ALSO apparmor(7), apparmor.d(5), and L. =cut