On Fri, Jul 22, 2016 at 08:11:08AM +0000, Georg Schoenberger wrote:
> I am currently trying to deny a process from binding to network sockets.
> Unfortunately the example from
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference does
> not work for me:
>
> * deny network bind inet,
>
> A reload fails with "invalid network entry"; if I am completely denying
> "deny network inet" the profile reloads. I am using:
Hi Georg,

The wiki is primarily used as a place to brainstorm ideas. (The page name is unfortunate as it gives the impression that it's a reference. It's not. The warning at the top is entirely too small...)

The apparmor.d(5) manpage describes the policy language.

There's currently no way to deny specific network operations, such as bind or listen or connect, on IP protocols. Hopefully we'll one day be able to support more fine-grained networking rules, in which case we hope the language will look about like the wiki page, but that's still in the future.

The best you can do is disable inet or inet6 entirely with the deny rules.

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
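The rule shape the reply recommends, written out as a complete profile so it can be loaded and checked. This is an added example, not code from the thread or from the AppArmor project; the program path /usr/local/bin/example-daemon is a placeholder, and the profile assumes the standard tunables and abstractions shipped with the apparmor profiles package.

```apparmor
# Added example (hypothetical path). Blocks every IPv4 and IPv6 socket
# operation for the confined program, since per-operation rules such as
# "deny network bind inet," are rejected by the parser as described above.
#include <tunables/global>

/usr/local/bin/example-daemon {
  #include <abstractions/base>

  # "deny" rules are quiet by default; the audit qualifier makes each
  # rejected socket call show up in the kernel audit log, which is what
  # you want while verifying that the confinement actually bites.
  audit deny network inet,
  audit deny network inet6,

  # Unix-domain sockets are unaffected by the two rules above.
  network unix,

  /usr/local/bin/example-daemon mr,
}
```

Load it with `apparmor_parser -r` on the profile file and start the program under confinement. Any attempt to create an inet/inet6 socket then appears in `dmesg` or the audit log as a line containing `apparmor="DENIED" operation="create"` with `family="inet"` or `family="inet6"`; because socket creation itself is refused, bind, listen and connect never get a chance to run, which is the coarse-grained effect the reply describes.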
