[apparmor] Supporting network permissions and address expressions?
Jaehyun Nam
namjh at 0x010.com
Mon Jan 18 13:52:25 UTC 2021
Hello Sylvain,
This is the profile that I tried to apply:
abi <abi/3.0>,
#include <tunables/global>
profile test /home/namjh/apparmor-test/apparmor-bash/bash {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #deny /bin/touch x,
  deny /bin/sleep x,
  #deny network tcp dst 172.16.99.106,
  #deny network tcp dst 172.16.99.106:80,
  #deny network tcp src 172.16.99.105 dst 172.16.99.106,
  deny network tcp src 172.16.99.105:* dst 172.16.99.106:80,
}
When I commented out all network rules, it worked fine.
However, once I enabled each of the network rules, I got this error message.
AppArmor parser error for /etc/apparmor.d/apparmor-bash-profile in profile /etc/apparmor.d/apparmor-bash-profile at line 16: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE
Thanks,
Jaehyun
> On 2021. 1. 18., at 10:41 PM, Sylvain Leroux <sylvain at chicoree.fr> wrote:
>
> Hi Jaehyun,
>
> Could you post the profile with your changes?
>
> Regards,
> - Sylvain
>
> On 18/01/2021 12:55, Jaehyun Nam wrote:
>> Hello all,
>>
>> I’m trying to use network permissions and IP address expressions in AppArmor profiles.
>> Unfortunately, whenever I tried to apply such things, AppArmor showed
>> “syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE”.
>>
>> While that syntax is described in the AppArmor core policy reference,
>> it seems that there is no corresponding syntax even in apparmor-3.0.0-0ubuntu1 (with Linux Kernel 5.8.0-38-generic, Ubuntu 20.10).
>>
>> Could anyone help me solve this problem?
>>
>> Thanks,
>> Jaehyun
>>
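As an added example (not code from the poster or from the AppArmor project), here is a small Python pre-flight lint that finds the network rules a 3.0-era apparmor_parser rejects, so a profile can be checked before it is loaded. It assumes the AppArmor 3.0 rule shape `[audit] [deny] network [<domain>] [<type> | <protocol>],` (for example `network inet stream,` or `network tcp,`), one rule per line, and a partial, assumed subset of the parser's domain/type/protocol word lists; any extra token such as `src`, `dst` or an address literal is reported as the token the parser would trip over. The embedded profile is the one from the thread above.

```python
"""Pre-flight lint for AppArmor network rules.

Added example for this thread; not code from the poster or the AppArmor
project. Assumptions (not taken from the thread):
  * the AppArmor 3.0 grammar for a network rule is
        [audit] [deny] network [<domain>] [<type> | <protocol>] ,
    so any further token (src, dst, ip=, port=, an address, ...) is the
    "unexpected TOK_ID" the parser complains about;
  * one rule per line;
  * the word lists below are a partial subset of the parser's tables.
"""
import re
from typing import Dict, List, Optional

# Assumed (partial) vocabulary accepted after the `network` keyword.
NETWORK_DOMAINS = {"inet", "inet6", "unix", "netlink", "packet", "bluetooth"}
NETWORK_TYPES = {"stream", "dgram", "seqpacket", "raw", "rdm"}
NETWORK_PROTOCOLS = {"tcp", "udp", "icmp"}

_NETWORK_RULE = re.compile(r"^(?:audit\s+)?(?:deny\s+)?network(?:\s+(.*?))?\s*,$")


def first_unexpected_token(tokens: List[str]) -> Optional[str]:
    """Return the first token the assumed 3.0 grammar cannot place, or None."""
    rest = list(tokens)
    if rest and rest[0] in NETWORK_DOMAINS:
        rest = rest[1:]
    if rest and (rest[0] in NETWORK_TYPES or rest[0] in NETWORK_PROTOCOLS):
        rest = rest[1:]
    return rest[0] if rest else None


def lint_profile(text: str) -> List[Dict[str, object]]:
    """Scan profile text; return the network rules the 3.0 grammar rejects."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment, or #include
            continue
        code = line.split("#", 1)[0].rstrip()  # drop a trailing comment
        m = _NETWORK_RULE.match(code)
        if not m:
            continue                           # not a network rule
        tokens = m.group(1).split() if m.group(1) else []
        bad = first_unexpected_token(tokens)
        if bad is not None:
            findings.append({"line": lineno, "rule": code, "token": bad})
    return findings


# The profile posted in the thread, embedded so the lint runs offline.
SAMPLE_PROFILE = "\n".join([
    "abi <abi/3.0>,",
    "#include <tunables/global>",
    "profile test /home/namjh/apparmor-test/apparmor-bash/bash {",
    "  #include <abstractions/base>",
    "  #include <abstractions/bash>",
    "  #include <abstractions/consoles>",
    "  #deny /bin/touch x,",
    "  deny /bin/sleep x,",
    "  #deny network tcp dst 172.16.99.106,",
    "  #deny network tcp dst 172.16.99.106:80,",
    "  #deny network tcp src 172.16.99.105 dst 172.16.99.106,",
    "  deny network tcp src 172.16.99.105:* dst 172.16.99.106:80,",
    "}",
]) + "\n"


if __name__ == "__main__":
    for f in lint_profile(SAMPLE_PROFILE):
        print(f"line {f['line']}: unexpected token '{f['token']}' in: {f['rule']}")
```

Run as-is it reports the one active address-bearing rule (line 12 of the embedded profile) with `src` as the offending token, while the commented-out rules and the plain file rules are ignored. The lint is only a quick local check against the assumed grammar; the authoritative test remains `apparmor_parser --skip-kernel-load <profile>` on the target system.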