Man page - aa-notify(8)


NAME

aa-notify - display information about logged AppArmor messages.

SYNOPSIS

aa-notify [option]

DESCRIPTION

aa-notify will display a summary or provide desktop notifications for AppArmor DENIED messages.

OPTIONS

aa-notify accepts the following arguments:
-p, --poll

poll AppArmor logs and display desktop notifications. Can be used with '-s' option to display a summary on startup.

--display $DISPLAY

set the DISPLAY environment variable to $DISPLAY (might be needed if sudo resets $DISPLAY)

-f FILE, --file=FILE

search FILE for AppArmor messages

-l, --since-last

show summary since last login.

-s NUM, --since-days=NUM

show summary for the last NUM days.

-u USER, --user=USER

user to drop privileges to when running privileged. When used with the -p option, this should be set to the user that will receive desktop notifications. This has no effect when running under sudo.

-w NUM, --wait=NUM

wait NUM seconds before displaying notifications (for use with -p)

-v, --verbose

show messages with summaries.

-h, --help

displays a short usage statement.

CONFIGURATION

System-wide configuration for aa-notify is done via /etc/apparmor/notify.conf:

# Set to 'no' to disable AppArmor notifications globally
show_notifications="yes"
# Special profiles used to remove privileges for unconfined binaries using user namespaces. If unsure, leave as is.
userns_special_profiles="unconfined,unprivileged_userns"
# Theme for aa-notify GUI. See https://ttkthemes.readthedocs.io/en/latest/themes.html for available themes.
interface_theme="ubuntu"
# Binaries for which we ignore userns-related capability denials
ignore_denied_capability="sudo,su"
# OPTIONAL - kind of operations which display a popup prompt.
prompt_filter="userns"
# OPTIONAL - restrict using aa-notify to users in the given group
# (if not set, everybody who has permissions to read the logfile can use it)
# use_group="admin"
# OPTIONAL - custom notification message body
message_body="This is a custom notification message."
# OPTIONAL - custom notification message footer
message_footer="For more information visit https://foo.com"
# OPTIONAL - custom notification filtering
# Filters are used to reduce the output of information to only those entries that will match the filter. Filters use Python's regular expression syntax.
filter.profile="^(foo|bar)$" # Match the profile: Only shows notifications for profiles "foo" or "bar"
filter.operation="^open$" # Match the operation: Only shows notifications for "open" operation
filter.name="^(?!/usr/lib/)" # Match the name: Excludes notifications for names starting with "/usr/lib/"
filter.denied="^r$" # Match the denied_mask: Only shows notifications where "r", and only "r", was denied
filter.family="^inet$" # Match the network family: Only shows notifications for "inet" family
filter.socket="stream" # Match the network socket type: Only shows notifications for "stream" sockets
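
The filter.* patterns above, applied to constructed log lines, as an added example (not aa-notify's own code). It assumes that every configured filter must match, that patterns are tested with re.search, that a filter on a field the event lacks rejects the event, and that filter.socket is tested against the sock_type log field.

```python
import re

# notify.conf filter.* key -> audit-log field it is tested against.
# (filter.socket -> sock_type is an assumption of this sketch.)
FIELD = {"profile": "profile", "operation": "operation", "name": "name",
         "denied": "denied_mask", "family": "family", "socket": "sock_type"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.1:10): apparmor="DENIED" operation="open" profile="foo" name="/etc/shadow" pid=101 requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.2:11): apparmor="DENIED" operation="open" profile="foo" name="/usr/lib/libdemo.so" pid=101 requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.3:12): apparmor="DENIED" operation="open" profile="bar" name="/home/u/notes.txt" pid=102 requested_mask="rw" denied_mask="rw"',
    'type=AVC msg=audit(1700000000.4:13): apparmor="DENIED" operation="open" profile="baz" name="/etc/passwd" pid=103 requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.5:14): apparmor="DENIED" operation="open" profile="foobar" name="/etc/hosts" pid=104 requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.6:15): apparmor="DENIED" operation="create" profile="bar" pid=102 family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1700000000.7:16): apparmor="ALLOWED" operation="open" profile="foo" name="/etc/hostname" pid=101 requested_mask="r" denied_mask="r"',
]

# Patterns copied from the notify.conf example on this page.
FILE_FILTERS = {"profile": r"^(foo|bar)$", "operation": r"^open$",
                "name": r"^(?!/usr/lib/)", "denied": r"^r$"}
NET_FILTERS = {"profile": r"^(foo|bar)$", "family": r"^inet$", "socket": r"stream"}

def parse_event(line):
    """Return the key=value fields of one log line, or None unless it is DENIED."""
    fields = {k: (q if q else u) for k, q, u in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def passes(event, filters):
    """True when every configured filter matches its field (assumed AND logic)."""
    for key, pattern in filters.items():
        value = event.get(FIELD[key])
        # Assumption: a filter on a field the event lacks rejects the event.
        if value is None or not re.search(pattern, value):
            return False
    return True

def notified(lines, filters):
    """(profile, name or family) for each DENIED event that survives the filters."""
    events = [e for e in map(parse_event, lines) if e]
    return [(e["profile"], e.get("name") or e.get("family"))
            for e in events if passes(e, filters)]

if __name__ == "__main__":
    print("file filters:", notified(SAMPLE_LOG, FILE_FILTERS))
    print("net filters: ", notified(SAMPLE_LOG, NET_FILTERS))
```

Replacing the profile pattern with the unanchored "foo|bar" also lets the "foobar" profile through, which is why the patterns in the example configuration are anchored with ^ and $.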

Per-user configuration is done via $XDG_CONFIG_HOME/apparmor/notify.conf (or the deprecated ~/.apparmor/notify.conf if it exists):

# set to 'yes' to enable AppArmor DENIED notifications
show_notifications="yes"

BUGS

aa-notify needs to be able to read the logfiles containing the AppArmor DENIED messages.

If you find any additional bugs, please report them to Gitlab at <https://gitlab.com/apparmor/apparmor/-/issues>.

SEE ALSO

apparmor (7)