From 4623da695e480dffc7542ef7536a56770a857e60 Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan.lee@canonical.com>
Date: Wed, 2 Apr 2025 10:28:17 -0700
Subject: [PATCH] utils: add unprivileged_userns to aa-notify list of special
 profiles

Both the unconfined profile and unprivileged_userns are part of the
default notify.conf, so the default fallback when no configurations are
present should also match this default.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
---
 utils/aa-notify | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/utils/aa-notify b/utils/aa-notify
index 8bac650bf..f3570fd6f 100755
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -1013,7 +1013,8 @@ def main():
     if 'userns_special_profiles' in config['']:
         userns_special_profiles = config['']['userns_special_profiles'].strip().split(',')
     else:
-        userns_special_profiles = ['unconfined']  # By default, unconfined is the only special profile
+        # By default, unconfined and unprivileged_userns are the special profiles
+        userns_special_profiles = ['unconfined', 'unprivileged_userns']
 
     if 'ignore_denied_capability' in config['']:
         ignore_denied_capability = config['']['ignore_denied_capability'].strip().split(',')