aa-notify - display information about logged AppArmor messages.

NAME

aa-notify - display information about logged AppArmor messages.

SYNOPSIS

aa-notify [option]

DESCRIPTION

aa-notify will display a summary or provide desktop notifications for AppArmor DENIED messages.

OPTIONS

aa-notify accepts the following arguments:

-p, --poll

poll AppArmor logs and display desktop notifications. Can be used with '-s' option to display a summary on startup.

--display $DISPLAY

set the DISPLAY environment variable to $DISPLAY (might be needed if sudo resets $DISPLAY)

--xauthority XAUTHORITY

set the XAUTHORITY environment variable (might be needed if sudo resets XAUTHORITY)

-f FILE, --file=FILE

search FILE for AppArmor messages

-l, --since-last

show summary since last login.

-s NUM, --since-days=NUM

show summary for the last NUM days.

-u USER, --user=USER

user to drop privileges to when running privileged. When used with the -p option, this should be set to the user that will receive desktop notifications. This has no effect when running under sudo.

-w NUM, --wait=NUM

wait NUM seconds before displaying notifications (for use with -p)

-m, --merge-notifications

Merge notification for improved readability (with -p)

-F, --foreground

Do not fork to the background

--prompt-filter operation

Which operations should use a popup prompt window instead of a system notification.

e.g. --prompt-filter="userns"

--filter.TYPE FILTER

Apply filters to select which AppArmor messages are allowed through: only messages that match the filter parameters are shown (see also custom notification filtering in CONFIGURATION). Filters use Python's regular expression syntax.

Supported Filter TYPE:

-L, --local [{yes,no,auto}]

add rules to local profiles instead of the real profiles. This simplifies profile deployment by keeping local modifications self-contained.

- yes: always use a local profile
- no: never use a local profile
- auto: use a local profile if the main profile already relies on a local profile

-v, --verbose

show messages with summaries.

debug

provide debug output

-h, --help

displays a short usage statement.

CONFIGURATION

System-wide configuration for aa-notify is done via /etc/apparmor/notify.conf:

# Set to 'no' to disable AppArmor notifications globally
show_notifications="yes"

# Special profiles used to remove privileges for unconfined binaries using user namespaces. Special profiles use Python's regular expression syntax. If unsure, leave as is.
userns_special_profiles="unconfined,unprivileged_userns,unpriv_.*"

# Theme for aa-notify GUI. See https://ttkthemes.readthedocs.io/en/latest/themes.html for available themes.
interface_theme="ubuntu"

# Binaries for which we ignore userns-related capability denials
ignore_denied_capability="sudo,su"

# Write changes to local profiles, if enabled, to preserve regular profiles and simplify upgrades (yes, no, auto)
use_local_profiles="yes"

# OPTIONAL - kind of operations which display a popup prompt.
prompt_filter="userns"

# OPTIONAL - restrict using aa-notify to users in the given group
# (if not set, everybody who has permissions to read the logfile can use it)
# use_group="admin"

# OPTIONAL - custom notification message body
message_body="This is a custom notification message."

# OPTIONAL - custom notification message footer
message_footer="For more information visit https://foo.com"

# OPTIONAL - custom notification filtering
# Filters are used to reduce the output of information to only those entries that will match the filter. Filters use Python's regular expression syntax.
filter.profile="^(foo|bar)$"  # Match the profile:            Only shows notifications for profiles "foo" or "bar"
filter.mode="^STATUS$"        # Match the mode:               Only show notifications for "STATUS" messages, where mode can be:
#     UNKNOWN         an unknown AppArmor mode
#     ERROR           an error other than a regular denial occurred
#     ALLOWED         a permission request that did not match a rule but was allowed due to complain mode
#     DENIED          a permission request was denied
#     HINT            additional context information
#     STATUS          some policy or enforcement change has occurred
#     KILLED          a permission request was denied and the process that attempted the access was killed
filter.operation="^open$"     # Match the operation:          Only shows notifications for "open" operation
filter.name="^(?!/usr/lib/)"  # Match the name:               Excludes notifications for names starting with "/usr/lib/"
filter.denied="^r$"           # Match the denied_mask:        Only shows notifications where "r", and only "r", was denied
filter.family="^inet$"        # Match the network family:     Only shows notifications for "inet" family
filter.socket="stream"        # Match the network socket type: Only shows notifications for "stream" sockets
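
An added example, not part of aa-notify or this manual: a dry run of four of the sample filters above against constructed events, listing which filter would hide each denial before the filters are deployed. It assumes an event is shown only when every configured filter matches its field, tested with re.match; the event dictionaries and function names are hypothetical.

```python
import re

# Filter values copied from the notify.conf sample above, keyed by filter TYPE.
FILTERS = {
    "profile": r"^(foo|bar)$",
    "operation": r"^open$",
    "name": r"^(?!/usr/lib/)",
    "denied": r"^r$",
}

# Constructed events (not real log data); keys mirror the filter TYPEs.
EVENTS = [
    {"profile": "foo", "operation": "open", "name": "/etc/shadow", "denied": "r"},
    {"profile": "foo", "operation": "open", "name": "/usr/lib/libc.so.6", "denied": "r"},
    {"profile": "foo", "operation": "open", "name": "/etc/shadow", "denied": "rw"},
    {"profile": "foobar", "operation": "open", "name": "/etc/shadow", "denied": "r"},
    {"profile": "bar", "operation": "exec", "name": "/bin/sh", "denied": "x"},
]


def compile_filters(filters):
    """Compile each non-empty filter; a malformed regex raises re.error here."""
    return {ftype: re.compile(rx) for ftype, rx in filters.items() if rx}


def rejected_by(event, compiled):
    """Return the filter TYPEs the event fails; an empty list means it is shown.

    Assumption: filters combine with logical AND and are tested with re.match.
    """
    return [ftype for ftype, rx in compiled.items()
            if not rx.match(event.get(ftype, ""))]


def audit(events, filters):
    """Pair every event with the list of filters that would hide it."""
    compiled = compile_filters(filters)
    return [(e["profile"], e["name"], e["denied"], rejected_by(e, compiled))
            for e in events]


if __name__ == "__main__":
    for profile, name, denied, failed in audit(EVENTS, FILTERS):
        verdict = "shown" if not failed else "hidden by " + ",".join(failed)
        print(f"{profile:7} {denied:3} {name:20} {verdict}")
```

The third event is the case to watch when narrowing filters: a denial of "rw" on the same file is hidden by filter.denied="^r$", because the anchors require the mask to be exactly "r".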

Per-user configuration is done via $XDG_CONFIG_HOME/apparmor/notify.conf (or the deprecated ~/.apparmor/notify.conf if it exists):

# set to 'yes' to enable AppArmor DENIED notifications
show_notifications="yes"

BUGS

aa-notify needs to be able to read the logfiles containing the AppArmor DENIED messages.

If you find any additional bugs, please report them to Gitlab at https://gitlab.com/apparmor/apparmor/-/issues.

SEE ALSO

apparmor(7)
