On 07/22/2016 12:43 PM, Seth Arnold wrote:
> On Fri, Jul 22, 2016 at 08:11:08AM +0000, Georg Schoenberger wrote:
>> I am currently trying to deny a process from binding to network sockets.
>> Unfortunately the example from
>> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference does
>> not work for me:
>> * deny network bind inet,
>> A reload fails with "invalid network entry"; if I am completely denying
>> "deny network inet" the profile reloads. I am using:
>
> Hi Georg,
>
> The wiki is primarily used as a place to brainstorm ideas. (The page name

I wouldn't call it brainstorming; it is a WIP that documents the current state + dev work. Sadly some of that dev work hasn't landed and the documentation has not been updated.

> is unfortunate as it gives the impression that it's a reference. It's
> not. The warning at the top is entirely too small...)
>

Hrmmm, it was intended for reference; however, documentation in open source is constantly in poor shape.

> The apparmor.d(5) manpage describes the policy language.
>

Yes, this is the best place, even though it isn't complete either.

> There's currently no way to deny specific network operations, such as bind
> or listen or connect, on IP protocols. Hopefully we'll one day be able to
> support more fine-grained networking rules, in which case we hope the
> language will look about like the wiki page, but that's still in the
> future.
>
> The best you can do is disable inet or inet6 entirely with the deny rules.
>
> Thanks
>

-- 
AppArmor mailing list
apparmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
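As an added illustration of what the thread concludes (this is not a profile posted by anyone in the thread, and the binary path /usr/local/bin/nonet is a made-up example), here is a complete profile that applies the only option the 2016-era parser accepts: denying the whole inet and inet6 address families rather than the single bind operation. Two points worth knowing when you do this: an explicit deny rule takes precedence over any allow rule pulled in from an included abstraction (for example a nameservice abstraction that grants network access), so the deny is robust against later includes; and deny rules are quiet by default, so if you want the refused socket() calls to show up in the audit log you need the audit qualifier.

```apparmor
# Added example, not from the mailing-list thread. The path
# /usr/local/bin/nonet is a hypothetical confined program.
#include <tunables/global>

/usr/local/bin/nonet {
  #include <abstractions/base>

  # The rule Georg wanted. The parser of that era rejects it with
  # "invalid network entry", so it is left here only as a comment:
  #   deny network bind inet,

  # What actually parses: refuse the entire IPv4 and IPv6 families.
  # "deny" wins over any "network inet" allow rule that an included
  # abstraction might add, and "audit" makes the otherwise silent
  # denials visible in the audit log / dmesg.
  audit deny network inet,
  audit deny network inet6,

  # Unix-domain and netlink sockets are not covered by the two rules
  # above; add matching deny rules if the program must not use them either.

  /usr/local/bin/nonet mr,
}
```

Before loading the profile, `apparmor_parser --skip-kernel-load /etc/apparmor.d/usr.local.bin.nonet` runs the parser without loading anything into the kernel, which is a quick way to reproduce the "invalid network entry" error for the commented-out bind rule and to confirm that the family-wide deny rules are accepted.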
