[apparmor] Deny network bind in profile

Seth Arnold seth.arnold at canonical.com
Fri Jul 22 19:43:24 UTC 2016

On Fri, Jul 22, 2016 at 08:11:08AM +0000, Georg Schoenberger wrote:
> I am currently trying to deny a process from binding to network sockets.
> Unfortunately the example from
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference does
> not work for me:
> * deny network bind inet,
> A reload fails with "invalid network entry", if I am completely denying
> "deny network inet" the profile reloads. I am using:

Hi Georg,

The wiki is primarily used as a place to brainstorm ideas. (The page name
is unfortunate as it gives the impression that it's a reference. It's
not. The warning at the top is entirely too small...)

The apparmor.d(5) manpage describes the policy language.

There's currently no way to deny specific network operations, such as bind
or listen or connect, on IP protocols. Hopefully we'll one day be able to
support more fine-grained networking rules, in which case we hope the
language will look about like the wiki page, but that's still in the

The best you can do is disable inet or inet6 entirely with the deny rules.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160722/1dadda80/attachment.pgp>

More information about the AppArmor mailing list