[apparmor] Prevent log message about ALLOWED apparmor events?
John Johansen
john.johansen at canonical.com
Thu Feb 6 15:21:14 UTC 2025
On 2/6/25 06:11, John Johansen wrote:
> On 2/6/25 05:33, Troels Arvin wrote:
>> Hello,
>>
>> On some Ubuntu 22 and 24 systems, syslog is being cluttered with messages like this, which are completely uninteresting:
>>
>> Feb 05 16:17:01 myhost.example.com audit[353829]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/420747/cmdline" pid=353829 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>
>> I would certainly like to know about DENIED events, but how can I have apparmor/audit stop logging about ALLOWED events?
>>
>
> At the moment there is NOT a global auditing control, like "quiet_denied". The "quiet" control will do it, but also stop logging of DENIED.
>
> So the only way to stop ALLOWED events is to stop generating them by either enforcing the profile
> aa-enforce ...
> or
> removing the complain flag and reloading the profile.
>
> or unloading the profile.
>
>
>
I can also add that there is a patch floating around to provide a "quiet_complain" control, along with the ability to control per profile, instead of just the global control but landing it just hasn't been a priority with all of the other stuff that needs to land.
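The thread's advice is to stop ALLOWED events at the source by enforcing the profile, since there is no audit control that silences only them. Before running aa-enforce, an administrator usually wants to know what those ALLOWED lines are: in complain mode an ALLOWED record with a non-empty denied_mask is an access the profile does not permit, so it becomes a DENIED once the profile is enforced. The script below is an added example written for this page, not code from the AppArmor project or from anyone in the thread. It parses AVC lines in the format quoted above, counts ALLOWED and DENIED events per profile, and lists the profiles that are evidently in complain mode together with the paths that would be blocked under enforcement. The log lines are constructed for the example (modelled on the line in the question), and the profile and path names in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the AVC line quoted in the thread.
# Profile and path names other than the first line are placeholders.
SAMPLE_LOG = """\
Feb 05 16:17:01 myhost.example.com audit[353829]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/420747/cmdline" pid=353829 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 16:17:02 myhost.example.com audit[353830]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/var/lib/example/cache.db" pid=353830 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 16:17:03 myhost.example.com audit[353831]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/example/secret.conf" pid=353831 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 05 16:17:04 myhost.example.com kernel: unrelated kernel message
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC line, or None for other lines."""
    if "AVC apparmor=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def summarize(log_text):
    """Per profile: count ALLOWED/DENIED events and collect the paths involved."""
    summary = defaultdict(lambda: {"ALLOWED": 0, "DENIED": 0, "paths": set()})
    for line in log_text.splitlines():
        event = parse_avc(line)
        if event is None:
            continue
        status = event.get("apparmor")
        if status not in ("ALLOWED", "DENIED"):
            continue
        profile = event.get("profile", "<unknown>")
        summary[profile][status] += 1
        # denied_mask is set on both ALLOWED (complain mode) and DENIED records.
        if event.get("denied_mask"):
            summary[profile]["paths"].add(event.get("name", "<no name>"))
    return summary


def complain_mode_profiles(summary):
    """Profiles emitting ALLOWED events are running in complain mode."""
    return sorted(p for p, s in summary.items() if s["ALLOWED"] > 0)


def report(summary):
    """Human-readable lines: what enforcing each complain-mode profile would block."""
    lines = []
    for profile in complain_mode_profiles(summary):
        s = summary[profile]
        lines.append(f"{profile}: {s['ALLOWED']} ALLOWED event(s); "
                     f"would be denied under enforce mode:")
        for path in sorted(s["paths"]):
            lines.append(f"    {path}")
    return lines


if __name__ == "__main__":
    # Realistic use: pipe in `journalctl -o short-iso _TRANSPORT=audit` or /var/log/audit/audit.log
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Feed real output into summarize() before enforcing a profile: every path listed under a profile is an access that aa-enforce will turn from a noisy ALLOWED line into an actual denial, so the list is the set of rules to add to the profile (or to confirm you want blocked) before flipping the flag.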