aa-unconfined
Report unconfined AppArmor processes
TLDR
List unconfined processes using the ss command (default)
Use netstat instead of ss to detect open network sockets
Show all processes from /proc with TCP/UDP ports and no AppArmor profiles (more detailed)
Display help
SYNOPSIS
aa-unconfined [options]
PARAMETERS
-f, --full
Display full command lines instead of truncated names
--help
Show usage message and exit
--version
Print version number and exit
DESCRIPTION
aa-unconfined is a command-line utility from the AppArmor security toolkit on Linux systems. AppArmor is a kernel-based Mandatory Access Control (MAC) mechanism that confines programs to a limited set of resources defined in security profiles, reducing the impact of exploits and errors.
This tool identifies and lists processes running unconfined, meaning they lack an active AppArmor profile and operate without these restrictions. Unconfined processes can access the full system resources available to their user, potentially increasing security risks.
Primarily used by system administrators for auditing and hardening: scan for services or applications that should be profiled (e.g., web servers, databases). Default output shows PID, effective user ID, and truncated command name. With options, it provides full command lines or version info.
Requires AppArmor kernel module loaded (check with aa-status). Relies on /proc filesystem and AppArmor status files under /sys/kernel/security/apparmor. Common on Ubuntu/Debian; install via apparmor-utils package.
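The following Python script is an added example, not code from the AppArmor project, that re-creates the core of what the description above says aa-unconfined does: it pairs each PID's confinement label (the text found in /proc/<pid>/attr/apparmor/current, or /proc/<pid>/attr/current on older kernels) with the PIDs that ss reports as owning network sockets, and prints the socket-owning processes that carry no profile, in the "PID user command" format shown under EXAMPLE OUTPUT. The process table and the ss listing are constructed sample data so the script runs offline; the read_proc_label helper shows the live read. The interpretation of -f/--full as "whole command line instead of just the executable path" is an assumption.

```python
#!/usr/bin/env python3
"""Re-creation of the aa-unconfined check (added example, not AppArmor's own
code): list socket-owning processes whose AppArmor label is 'unconfined'."""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample data standing in for /proc/<pid>/cmdline, the owning
# user, and the label read from /proc/<pid>/attr/apparmor/current.
SAMPLE_PROCS = [
    # (pid, user, cmdline, AppArmor label)
    (1,    "root", "/sbin/init splash",             "unconfined"),
    (540,  "root", "/sbin/dhclient -4 eth0",        "unconfined"),
    (812,  "root", "/usr/sbin/sshd -D",             "unconfined"),
    (901,  "root", "/usr/sbin/cupsd -l",            "/usr/sbin/cupsd (enforce)"),
    (1234, "user", "/usr/bin/bash",                 "unconfined"),
    (1400, "www",  "/usr/sbin/nginx -g daemon off;", "nginx (complain)"),
]

# Constructed `ss -nlp` output; only the Process column matters to the tool.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1400,fd=6))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=540,fd=5))
"""

PID_RE = re.compile(r"pid=(\d+)")


def parse_label(label: str) -> Tuple[str, Optional[str]]:
    """Split a label such as '/usr/sbin/cupsd (enforce)' into (profile, mode).
    'unconfined' or an empty attr file yields mode None."""
    label = label.strip()
    if not label or label == "unconfined":
        return "unconfined", None
    profile, sep, mode = label.rpartition(" (")
    if sep and mode.endswith(")"):
        return profile, mode[:-1]
    return label, "unknown"  # profile name without a mode suffix: still confined


def is_unconfined(label: str) -> bool:
    return parse_label(label)[1] is None


def listening_pids(ss_output: str) -> Set[int]:
    """PIDs that own a socket according to `ss -nlp` (the tool's default scope)."""
    return {int(m) for m in PID_RE.findall(ss_output)}


def report(procs, ss_output: str, full: bool = False) -> List[str]:
    """Lines in the page's output format: '<pid> <user> <command>'.
    Only processes that own a socket and carry no profile are listed.
    full=True prints the whole command line (assumed meaning of -f/--full);
    the default prints just the executable path."""
    socket_owners = listening_pids(ss_output)
    lines = []
    for pid, user, cmdline, label in sorted(procs):
        if pid not in socket_owners or not is_unconfined(label):
            continue
        cmd = cmdline if full else cmdline.split(" ", 1)[0]
        lines.append(f"{pid} {user} {cmd}")
    return lines


def read_proc_label(pid: int) -> str:
    """Live read on a Linux host: newer kernels expose the label under
    attr/apparmor/current, older ones under attr/current. Returns '' when
    neither is readable (no AppArmor, or a non-root user and foreign PID)."""
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return ""


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROCS, SAMPLE_SS)))
```

Run as-is, the script prints the two socket-owning unconfined sample processes (dhclient and sshd); cupsd and nginx are skipped because their labels carry a profile, and the shell at PID 1234 is skipped because it owns no socket, which is exactly why the tool's default view is narrower than "every unconfined process". An empty `read_proc_label` result on a real host is the caveat from the CAVEATS section: without AppArmor loaded or without permission, there is no label to inspect.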
CAVEATS
Requires AppArmor loaded and procfs mounted; non-root users see only their own processes. The output is empty when every process is confined. Not real-time; the listing is a snapshot taken at invocation.
EXAMPLE OUTPUT
aa-unconfined
1 root /sbin/init
1234 user /usr/bin/bash
If every process is confined, nothing is printed.
INSTALLATION
Ubuntu/Debian: sudo apt install apparmor-utils
Fedora: sudo dnf install apparmor-utils
HISTORY
Part of AppArmor-utils since ~2009 (Immunix origins 1998, Novell/SUSE integration 2005, Canonical/Ubuntu mainstream 2009+). Evolved for easier profile management.
SEE ALSO
aa-status(8), aa-enabled(8), apparmor_status(8), logprof(8)