aa-remove-unknown
Remove unknown AppArmor profiles
TLDR
Perform a dry run to see which profiles would be removed
Actually remove the profiles
Display help
SYNOPSIS
aa-remove-unknown [profile]
PARAMETERS
profile
Optional name of a profile to remove (if it is unknown). If omitted, all unknown profiles are removed.
DESCRIPTION
The aa-remove-unknown command is a utility from the AppArmor security toolkit for Linux systems. AppArmor is a mandatory access control (MAC) system that confines programs to a limited set of resources via per-program profiles.
During system upgrades, package installations, or manual profile management, AppArmor profiles may be loaded into the kernel but lack corresponding source files on disk (typically in /etc/apparmor.d/). These are called 'unknown' profiles. They can clutter the kernel's profile list, consume memory, and complicate status checks with tools like aa-status.
aa-remove-unknown safely identifies and unloads these profiles from the running kernel without affecting valid profiles that have matching files. If invoked without arguments, it removes all unknown profiles. Specifying a profile name targets only that one, if it's unknown.
This command requires root privileges (use sudo) and interacts directly with the AppArmor kernel interface via /sys/kernel/security/apparmor. It's particularly useful post-upgrade to clean up obsolete profiles, ensuring a tidy AppArmor state. No recompilation or reloading of profiles occurs; it's purely a removal operation.
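The comparison that makes a profile "unknown" can be previewed without unloading anything. The script below is an added example, not part of the AppArmor tools: it diffs a snapshot of the kernel's profile list against the names defined on disk. The function names, the sample data and the way the two input files are produced on a live system are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only report of "unknown" profiles. Nothing is unloaded.

# unknown_profiles LOADED_FILE KNOWN_FILE
#   LOADED_FILE: kernel profile list, one "name (mode)" entry per line
#   KNOWN_FILE:  profile names defined on disk, one per line
unknown_profiles() {
    # Drop the trailing " (mode)", skip child profiles ("parent//child") so
    # only top-level profiles are compared, and sort bytewise for stable output.
    sed -e 's/ ([a-z]*)$//' "$1" | grep -v '//' | LC_ALL=C sort -u |
    while IFS= read -r name; do
        # -x: whole-line match, -F: literal string (names contain '.', '*', ...)
        grep -qxF -- "$name" "$2" || printf '%s\n' "$name"
    done
}

# Constructed sample data so the example runs offline and without root.
sample_report() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/loaded" <<'EOF'
/usr/bin/foo (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/man (complain)
/usr/lib/old-helper (complain)
EOF
    cat > "$tmp/known" <<'EOF'
/usr/sbin/cupsd
/usr/bin/man
EOF
    unknown_profiles "$tmp/loaded" "$tmp/known"
    rm -rf "$tmp"
}

# On a live system (as root) the inputs would be, by assumption:
#   /sys/kernel/security/apparmor/profiles        -> LOADED_FILE
#   output of: apparmor_parser -N /etc/apparmor.d -> KNOWN_FILE
sample_report
```

A profile that appears in this report but is still expected to confine a running service points to a missing or renamed file under /etc/apparmor.d/ and is worth restoring before any cleanup.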
CAVEATS
Requires root privileges; only removes profiles without disk files; will not unload enforce/complain profiles with sources; use aa-status to verify before/after.
EXAMPLE USAGE
sudo aa-remove-unknown
Removes all unknown profiles.
sudo aa-remove-unknown /usr/bin/foo
Removes specific unknown profile.
VERIFICATION
Run aa-status before and after to confirm unknown profiles (marked with ? or (unknown)) are gone.
HISTORY
Introduced in AppArmor 2.x utilities (circa 2009 by Canonical/SUSE); evolved with AppArmor mainlining in Linux kernel 2.6.36+ (2010); current versions in apparmor-utils package for Ubuntu, Debian, etc.
SEE ALSO
aa-status(8), aa-enforce(8), aa-complain(8), apparmor_parser(8), aa-autodep(8)


