AppArmor 4.1 network rule not working as expected

Hello, I'm reaching out to seek help regarding an issue I've encountered with AppArmor network rules.

Environment Information:

  • AppArmor version: 4.1.0~beta5
  • Operating System: Ubuntu 24.04 LTS
  • Kernel version: 6.11.0-24-generic

I've loaded the following profile in enforce mode:

abi <abi/4.0>,
#include <tunables/global>

profile demo-1 flags=(attach_disconnected,mediate_deleted) {

  #include <abstractions/base>

  capability,
  file,
  umount,

  network,
  audit deny network (connect) peer=(port=8080),
  # audit deny network peer=(port=8080),
}

According to the man page, the rule audit deny network (connect) peer=(port=8080) should restrict the connection to the remote port 8080. However, during testing, I found that this rule did not work as expected. Instead of only blocking connections to port 8080, all port accesses were denied.

Here are the relevant audit logs:

kernel: audit: type=1400 audit(1745310721.354:814): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="demo-1" pid=11439 comm="apparmor_parser"
kernel: audit: type=1400 audit(1745310722.642:815): apparmor="DENIED" operation="connect" class="net" profile="demo-1" pid=11440 comm="curl" daddr=172.31.16.3 dest=8080 family="inet" sock_type="stream" protocol=6 requested="connect" denied="connect"
kernel: audit: type=1400 audit(1745310724.180:816): apparmor="DENIED" operation="connect" class="net" profile="demo-1" pid=11441 comm="curl" daddr=172.31.16.3 dest=80 family="inet" sock_type="stream" protocol=6 requested="connect" denied="connect"

I'm wondering if there is something wrong with my rule configuration. Could anyone help me figure out what's going on and how to correctly restrict access to a specific remote port?

Thank you in advance for your assistance!