[apparmor] Deny network bind in profile
john.johansen at canonical.com
Fri Jul 22 23:23:32 UTC 2016
On 07/22/2016 12:43 PM, Seth Arnold wrote:
> On Fri, Jul 22, 2016 at 08:11:08AM +0000, Georg Schoenberger wrote:
>> I am currently trying to deny a process from binding to network sockets.
>> Unfortunately the example from
>> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference does
>> not work for me:
>> * deny network bind inet,
>> A reload fails with "invalid network entry", if I am completely denying
>> "deny network inet" the profile reloads. I am using:
> Hi Georg,
> The wiki is primarily used as a place to brainstorm ideas. (The page name
I wouldn't call it brain storming, it is a wip that documents the current
state + dev work. Sadly some of that dev work hasn't landed and the
documentation has not been updated.
> is unfortunate as it gives the impression that it's a reference. It's
> not. The warning at the top is entirely too small...)
Hrmmm it was intended for reference however documentation in open source
is constantly in poor shape.
> The apparmor.d(5) manpage describes the policy language.
yes this is the best place. Even though it isn't complete either
> There's currently no way to deny specific network operations, such as bind
> or listen or connect, on IP protocols. Hopefully we'll one day be able to
> support more fine-grained networking rules, in which case we hope the
> language will look about like the wiki page, but that's still in the
> The best you can do is disable inet or inet6 entirely with the deny rules.
More information about the AppArmor