Provided by: apparmor_4.0.1really4.0.1-0ubuntu0.24.04.3_amd64 bug

NAME

       aa-status - display various information about the current AppArmor policy.

SYNOPSIS

       aa-status [option]

DESCRIPTION

       aa-status will report various aspects of the current state of AppArmor confinement. By
       default, it displays the same information as if the --verbose argument were given. A
       sample of what this looks like is:

         apparmor module is loaded.
         110 profiles are loaded.
         102 profiles are in enforce mode.
         8 profiles are in complain mode.
         Out of 129 processes running:
         13 processes have profiles defined.
         8 processes have profiles in enforce mode.
         5 processes have profiles in complain mode.

       Other argument options are provided to report individual aspects, to support being used in
       scripts.

OPTIONS

       aa-status accepts only one argument at a time out of:

       --enabled
           returns error code if AppArmor is not enabled.

       --profiled
           displays the number of loaded AppArmor policies.

       --enforced
           displays the number of loaded enforcing AppArmor policies.

       --complaining
           displays the number of loaded non-enforcing AppArmor policies.

       --kill
           displays the number of loaded enforcing AppArmor policies that will kill tasks on
           policy violations.

       --prompt
           displays the number of loaded enforcing AppArmor policies, with fallback to userspace
           mediation.

       --special-unconfined
           displays the number of loaded non-enforcing AppArmor policies that are in the special
           unconfined mode.

       --process-mixed displays the number of processes confined by profile stacks with profiles
       in different modes.
       --verbose
           displays multiple data points about loaded AppArmor policy set (the default action if
           no arguments are given).

       --json
           displays multiple data points about loaded AppArmor policy set in a JSON format, fit
           for machine consumption.

       --pretty-json
           same as --json, formatted to be readable by humans as well as by machines.

       --show
           what data sets to show information about. Currently processes, profiles, all for both
           processes and profiles. The default is all.

       --count
           display only counts for selected information.

       --filter.mode=filter
           Allows specifying a posix regular expression filter that will be applied against the
           displayed processess and profiles apparmor profile mode, reducing the output.

       --filter.profiles=filter
           Allows specifying a posix regular expression filter that will be applied against the
           displayed processess and profiles confining profile, reducing the output.

       --filter.pid=filter
           Allows specifying a posix regular expression filter that will be applied against the
           displayed processes, so that only processes pids matching the expression will be
           displayed.

       --filter.exe=filter
           Allows specifying a posix regular expression filter that will be applied against the
           displayed processes, so that only processes executable name matching the expression
           will be displayed.

       --help
           displays a short usage statement.

EXIT STATUS

       Upon exiting, aa-status will set its exit status to the following values:

       0   if apparmor is enabled and policy is loaded.

       1   if apparmor is not enabled/loaded.

       2   if apparmor is enabled but no policy is loaded.

       3   if the apparmor control files aren't available under /sys/kernel/security/.

       4   if the user running the script doesn't have enough privileges to read the apparmor
           control files.

       42  if an internal error occurred.

BUGS

       aa-status must be run as root to read the state of the loaded policy from the apparmor
       module. It uses the /proc filesystem to determine which processes are confined and so is
       susceptible to race conditions.

       If you find any additional bugs, please report them at
       <https://gitlab.com/apparmor/apparmor/-/issues>.

SEE ALSO

       apparmor(7), apparmor.d(5), and <https://wiki.apparmor.net>.