Provided by: apparmor-utils_4.1.0~beta1-0ubuntu3_all 
NAME
aa-unconfined - output a list of processes with tcp or udp ports that do not have AppArmor
profiles loaded
SYNOPSIS
aa-unconfined [options] [--with-ss | --with-netstat]
OPTIONS
--paranoid
Displays all processes visible from /proc filesystem, and whether they are confined by
a profile or "not confined". Equivalent to --show=all.
--show=(all|network|server|client)
Determines the set of processes to be displayed.
--show=all show all processes is equivalent to --paranoid
--show=network show only process with any sockets open.
--show=server show only processes with listening sockets open. This is the default
value if --show= or --paranoid are not specified.
--show=client show only processes with non-listening sockets open.
--with-ss
Use the ss(8) command to find processes listening on network sockets (the default).
--with-netstat
Use the netstat(8) command to find processes listening on network sockets. This is
also what aa-unconfined will fall back to when ss(8) is not available.
DESCRIPTION
aa-unconfined will use netstat(8) to determine which processes have open network sockets
and do not have AppArmor profiles loaded into the kernel.
BUGS
aa-unconfined must be run as root to retrieve the process executable link from the /proc
filesystem. This program is susceptible to race conditions of several flavours: an
unlinked executable will be mishandled; an executable started before an AppArmor profile
is loaded will not appear in the output, despite running without confinement; a process
that dies between the netstat(8) and further checks will be mishandled. This program only
lists processes using TCP and UDP. In short, this program is unsuitable for forensics use
and is provided only as an aid to profiling all network-accessible processes in the lab.
If you find any bugs, please report them at
<https://gitlab.com/apparmor/apparmor/-/issues>.
SEE ALSO
ss(8), netstat(8), apparmor(7), apparmor.d(5), aa_change_hat(2), and
<https://wiki.apparmor.net>.