
I decided to give AppArmor a try and while it works great at restricting file access, signals handling etc., it completely ignores any network rules. It doesn't complain about anything, but it also doesn't restrict network access.

According to the Arch forum, network rules used to work in old kernels, but they were later disabled for some reason. They suggest compiling the kernel with some patches to re-enable the functionality.

Could anybody please give me more insight into the reasons AppArmor network rules were disabled? And since compiling a custom kernel is always a bit of an inconvenience (not impossible though, especially on NixOS), are there any plans to re-enable it? If I wait for a couple of months, is there a chance the rules will be supported by stock upstream kernel? Thanks!

Vojtech Kane

2 Answers


As of today, the documentation contains parts for unreleased features. Therefore some network policies work (usually the simple ones like "allow all TCP"), some don't.

Vojtech Kane

This is how I understand it: since AppArmor follows a whitelist approach, new mediation features added to the kernel module mean more stuff is blocked. So that can lead to unexpected problems when upgrading the kernel. AppArmor therefore ignores all rules introduced after kernel v4.17 unless the policy file states a newer version.

With Arch Linux, you should have AppArmor 3, so with a policy file like this:

# pin the policy to the AppArmor 3.0 feature ABI so newer rule types (network mediation) are enforced
abi <abi/3.0>,

# "profile" is the keyword the parser expects (not "policy")
profile /some/binary {
  # no network rule here, so every socket operation is denied
}

The task shouldn't have network access. There are some more details here.

moritz
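An added example, not part of moritz's answer or of the AppArmor project's own policy files, that takes the abi pin one step further: the profile keeps the pin so the network rules are actually enforced, then opens only the socket families the program needs instead of denying everything. The profile name, the path /usr/bin/some-client and the chosen families are assumptions.

```apparmor
# Assumed location: /etc/apparmor.d/usr.bin.some-client (constructed example)

# Pin to the 3.0 feature ABI; without this line the network rules below are ignored
abi <abi/3.0>,

include <tunables/global>

profile some-client /usr/bin/some-client {
  include <abstractions/base>

  # With the 3.0 pin, a profile that has no "network" rule denies all sockets.
  # Grant only TCP over IPv4 and IPv6; UDP, raw and unix sockets stay denied.
  network inet stream,
  network inet6 stream,

  # the program may map and read its own binary
  /usr/bin/some-client mr,
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.some-client`, then check `journalctl -k | grep 'apparmor="DENIED"'` for any socket family the program still needs; put the profile in complain mode with `aa-complain` first if you want the denials logged without being enforced.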