On 2/21/25 08:29, verblasst8kni...@icloud.com wrote:
Hello everyone,

I am currently trying to restrict specific ports and IP addresses with AppArmor 
4.0.1 under Ubuntu 24.04 LTS (64 bit). Unfortunately, I keep getting syntax 
errors when I try to create profiles and am stuck.

I assume by this you mean you are using genprof/logprof to create a profile?

Unfortunately genprof/logprof in apparmor-4.0 do not support fine-grained
network mediation.
You can manually build policy from the logs, or install a new version of the
apparmor userspace.

The easiest way to do that on Ubuntu is to install from the apparmor-backports PPA
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports

You might also want to install apparmor-notify; it will give you notifications
and a simple GUI to add the occasional new rule. You will, however, need to
change the default configuration (which is tuned to only notify on unprivileged
user namespace denials).

To modify the config, copy /etc/apparmor/notify.conf to
$HOME/.config/apparmor/notify.conf
and edit the file.

You can just comment out
 filter.operation="userns"

by adding a #.


You will then need to kill and restart the notifier:

$ killall aa-notify
$ aa-notify -p -w 2

If you find notifications annoying, you can always edit the filters or uninstall.



I have already seen profiles in some forums where this seems to work - 
individual IPs and ports were successfully restricted there. I'm wondering if 
this is generally possible in my environment or if I'm missing something.

It should be possible, with the caveat that the tooling doesn't support it.

System environment:
        - Ubuntu 24.04 LTS 64 bit
        - AppArmor 4.0.1
        - VirtualBox (Ryzen 5 5500, 3070 Ti, 16 GB RAM)

I would really appreciate any help or examples.

Best regards
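Since the reply says the 4.0 tooling cannot do it and policy has to be built from the logs by hand, here is an added example of what that by-hand step looks like. It is not code from the thread or from the AppArmor project: a small Python helper that turns fine-grained network denials from the audit log into candidate `network` rules in the ip=/port=/peer=(...) syntax documented in apparmor.d(5) for AppArmor 4.0. The log lines are constructed, and the field names they use (family, sock_type, denied_mask, laddr/lport, faddr/fport) are assumed from the Ubuntu 24.04 kernel's audit output; compare them against your own `dmesg` or audit.log before trusting the generated rules. The kernel must also support fine-grained inet mediation, otherwise the ip/port conditions are not enforced.

```python
"""Turn AppArmor fine-grained network denials into candidate network rules.

Added example, not part of the original thread. Rule syntax follows the
apparmor.d(5) grammar shipped with AppArmor 4.0:
    network [access] [domain] [type] [ip=.. port=..] [peer=(ip=.. port=..)],
Audit field names are assumed from the Ubuntu 24.04 kernel; check them
against your own log before relying on the output.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
audit: type=1400 audit(1740124140.101:201): apparmor="DENIED" operation="connect" class="net" profile="/usr/local/bin/agent" pid=4242 comm="agent" family="inet" sock_type="stream" protocol=6 requested_mask="connect" denied_mask="connect" laddr=10.0.2.15 lport=51834 faddr=203.0.113.10 fport=443
audit: type=1400 audit(1740124140.102:202): apparmor="DENIED" operation="sendmsg" class="net" profile="/usr/local/bin/agent" pid=4242 comm="agent" family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send" laddr=10.0.2.15 lport=40000 faddr=10.0.2.3 fport=53
audit: type=1400 audit(1740124141.000:203): apparmor="DENIED" operation="bind" class="net" profile="/usr/local/bin/agent" pid=4242 comm="agent" family="inet" sock_type="stream" protocol=6 requested_mask="bind" denied_mask="bind" laddr=0.0.0.0 lport=8080
audit: type=1400 audit(1740124141.500:204): apparmor="DENIED" operation="open" class="file" profile="/usr/local/bin/agent" pid=4242 comm="agent" requested_mask="r" denied_mask="r" name="/etc/shadow"
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations where the confined process is the server side of the socket.
# There the local address/port is what policy should pin. For client-side
# operations the local port is ephemeral and pinning it would break the
# next run, so only the peer is worth pinning.
SERVER_OPS = {"bind", "listen", "accept"}


def parse_audit_line(line):
    """Split one audit line into a dict of key -> value (quotes removed)."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def rule_from_event(ev):
    """Return one apparmor.d network rule for an inet/inet6 denial, else None."""
    if ev.get("apparmor") != "DENIED" or ev.get("class") != "net":
        return None
    family = ev.get("family")
    if family not in ("inet", "inet6"):
        return None  # unix/netlink/... denials are out of scope here
    accesses = ev.get("denied_mask", ev.get("requested_mask", "")).split()
    if not accesses:
        return None
    access = accesses[0] if len(accesses) == 1 else "(" + " ".join(accesses) + ")"
    parts = ["network", access, family]
    if ev.get("sock_type"):
        parts.append(ev["sock_type"])
    if ev.get("operation") in SERVER_OPS:
        if "laddr" in ev:
            parts.append(f"ip={ev['laddr']}")
        if "lport" in ev:
            parts.append(f"port={ev['lport']}")
    elif "faddr" in ev:
        peer = [f"ip={ev['faddr']}"]
        if "fport" in ev:
            peer.append(f"port={ev['fport']}")
        parts.append("peer=(" + " ".join(peer) + ")")
    return " ".join(parts) + ","


def rules_from_log(text):
    """Map profile name -> sorted, de-duplicated list of candidate rules."""
    by_profile = defaultdict(set)
    for line in text.splitlines():
        ev = parse_audit_line(line)
        rule = rule_from_event(ev)
        if rule:
            by_profile[ev.get("profile", "?")].add(rule)
    return {p: sorted(r) for p, r in by_profile.items()}


def render(rules):
    """Format the rules as a block you can paste into each profile."""
    out = []
    for profile, rs in sorted(rules.items()):
        out.append(f"# candidate rules for profile {profile}")
        out.extend("  " + r for r in rs)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(rules_from_log(SAMPLE_LOG)))
```

Run it over `journalctl -k` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG and paste the rules into the profile, then `apparmor_parser -r` it and re-run the application. The rules grant exactly the accesses that were denied, so a connect that is now allowed may next be denied on send/receive; iterate over the log until it is quiet, which is the same loop logprof does for the rule types it understands. Review every peer address before accepting it: an IP taken from a denial is only as trustworthy as the traffic that produced it.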



