AppArmor 4.1 network rule not working as expected
Hello, I'm reaching out to seek help regarding an issue I've encountered with AppArmor network rules.
Environment Information:
- AppArmor version: 4.1.0~beta5
- Operating System: Ubuntu 24.04 LTS
- Kernel version: 6.11.0-24-generic
I've loaded the following profile in enforce mode:
abi <abi/4.0>,
#include <tunables/global>
profile demo-1 flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
capability,
file,
umount,
network,
audit deny network (connect) peer=(port=8080),
# audit deny network peer=(port=8080),
}
According to the man page, the rule audit deny network (connect) peer=(port=8080) should restrict the connection to the remote port 8080. However, during testing, I found that this rule did not work as expected. Instead of only blocking connections to port 8080, all port accesses were denied.
Here are the relevant audit logs:
kernel: audit: type=1400 audit(1745310721.354:814): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="demo-1" pid=11439 comm="apparmor_parser"
kernel: audit: type=1400 audit(1745310722.642:815): apparmor="DENIED" operation="connect" class="net" profile="demo-1" pid=11440 comm="curl" daddr=172.31.16.3 dest=8080 family="inet" sock_type="stream" protocol=6 requested="connect" denied="connect"
kernel: audit: type=1400 audit(1745310724.180:816): apparmor="DENIED" operation="connect" class="net" profile="demo-1" pid=11441 comm="curl" daddr=172.31.16.3 dest=80 family="inet" sock_type="stream" protocol=6 requested="connect" denied="connect"
I'm wondering if there is something wrong with my rule configuration. Could anyone help me figure out what's going on and how to correctly restrict access to a specific remote port?
Thank you in advance for your assistance!