[apparmor] Supporting network permissions and address expressions?

John Johansen john.johansen at canonical.com
Mon Jan 18 23:24:39 UTC 2021


On 1/18/21 5:52 AM, Jaehyun Nam wrote:
> Hello Sylvain,
> 
> This is the profile that I tried to apply
> 
> abi <abi/3.0>,
> 
> #include <tunables/global>
> 
> profile test /home/namjh/apparmor-test/apparmor-bash/bash {
>   #include <abstractions/base>
>   #include <abstractions/bash>
>   #include <abstractions/consoles>
> 
>   #deny /bin/touch x,
>   deny /bin/sleep x,
> 
>   #deny network tcp dst 172.16.99.106,
>   #deny network tcp dst 172.16.99.106:80,
>   #deny network tcp src 172.16.99.105 dst 172.16.99.106,
>   deny network tcp src 172.16.99.105:* dst 172.16.99.106:80,
> }
> 
> When I commented out all network rules, it worked fine.
> However, once I enabled each of the network rules, I got this error message.
> 
> AppArmor parser error for /etc/apparmor.d/apparmor-bash-profile in profile /etc/apparmor.d/apparmor-bash-profile at line 16: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE
> 

Unfortunately, fine-grained network (address based mediation) for network rules did not make it into the apparmor 3.0 release so this is unsupported atm. And yes the reference manual needs some serious revisions.
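The profile in the quoted message and the reply above make one point: AppArmor 3.0's `network` rule grammar (`[qualifiers] network [domain] [type] [protocol],`, e.g. `network inet stream,` or `network tcp,`) has no `src`/`dst`/address syntax, so the rule on line 16 is a syntax error rather than a misconfiguration. The script below is an added example, not code from the thread or from the AppArmor project: a small pre-flight checker that scans a profile for network rules carrying address expressions, reports the line (it flags line 16 of the quoted profile, matching the parser error), and prints the closest rule 3.0 does accept, which is the same rule with the address expression dropped, i.e. one that applies to all peers. The sample profile is the one from the thread, embedded verbatim; the function names and the `src`/`dst`/IPv4 heuristics are this example's own assumptions.

```python
import re

# Constructed sample: the profile from the thread, reproduced verbatim so that
# line numbers line up with the parser error quoted in the message ("at line 16").
SAMPLE_PROFILE = """\
abi <abi/3.0>,

#include <tunables/global>

profile test /home/namjh/apparmor-test/apparmor-bash/bash {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>

  #deny /bin/touch x,
  deny /bin/sleep x,

  #deny network tcp dst 172.16.99.106,
  #deny network tcp dst 172.16.99.106:80,
  #deny network tcp src 172.16.99.105 dst 172.16.99.106,
  deny network tcp src 172.16.99.105:* dst 172.16.99.106:80,
}
"""

# AppArmor 3.0 network rule grammar (apparmor.d(5)):
#     [qualifiers] network [domain] [type] [protocol] ,
# e.g. "network inet stream," or "network tcp,". Address expressions
# (src/dst, IP literals, host:port) are not part of that grammar.
NETWORK_RULE = re.compile(
    r'^\s*(?P<prefix>(?:(?:audit|deny|allow|owner)\s+)*)network\b(?P<rest>[^,]*),'
)
ADDRESS_KEYWORDS = {"src", "dst"}          # assumption: the tokens this checker treats as address syntax
IPV4_LITERAL = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')


def is_comment(line):
    """A '#' line is a comment unless it is the '#include' directive."""
    stripped = line.lstrip()
    return stripped.startswith("#") and not stripped.startswith("#include")


def find_unsupported_network_rules(profile_text):
    """Return one finding per network rule that carries address expressions.

    Each finding gives the 1-based line number, the rule text, the offending
    tokens, and the closest rule AppArmor 3.0 accepts: the same qualifiers and
    domain/type/protocol tokens with the address expression dropped, which
    then matches all peers rather than the intended address.
    """
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        if is_comment(line):
            continue
        m = NETWORK_RULE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        offending = [
            t for t in tokens
            if t in ADDRESS_KEYWORDS or IPV4_LITERAL.search(t) or ":" in t
        ]
        if not offending:
            continue
        kept = [t for t in tokens if t not in offending]
        suggestion = m.group("prefix") + "network" + "".join(" " + k for k in kept) + ","
        findings.append({
            "line": lineno,
            "rule": line.strip(),
            "offending": offending,
            "suggestion": suggestion.strip(),
        })
    return findings


if __name__ == "__main__":
    for f in find_unsupported_network_rules(SAMPLE_PROFILE):
        print(f"line {f['line']}: {f['rule']}")
        print(f"  unsupported in AppArmor 3.0: {' '.join(f['offending'])}")
        print(f"  closest supported rule:      {f['suggestion']}")
```

Run against the quoted profile it reports only line 16 and suggests `deny network tcp,`, which is the coarse rule 3.0 can enforce (deny all TCP for the confined bash, not just TCP to 172.16.99.106:80). The commented-out variants on lines 13-15 are skipped because `#deny ...` is a comment, while `#include` is still treated as a directive. This is only a pre-flight check for the one unsupported construct discussed in the thread; the authoritative test remains feeding the profile to `apparmor_parser`.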




