[apparmor] [ISSUE] Does apparmor support the port limit for app please?
John Johansen
john.johansen at canonical.com
Wed Jan 14 06:44:24 UTC 2026
On 1/13/26 21:10, Fei Shao wrote:
> Hi all,
> I write a profile for nginx like below:
> ---------------------------------------------
> profile /usr/sbin/nginx {
>   include <abstractions/base>
>
>   capability net_bind_service,
>   capability setuid,
>   capability setgid,
>   capability dac_read_search,
>
>   network inet tcp port=80, #<==this line
>   /usr/sbin/nginx mrix,
>   /etc/nginx/** r,
>   /var/log/nginx/** rw,
> }
> ---------------------------------------------
>
> If I put the "network inet tcp port=80" line in the usr.sbin.nginx file, aa-enforce returns:
>
> ---------------------------------------------
> sudo aa-enforce usr.sbin.nginx
> ERROR: Invalid or unknown keywords in 'network inet tcp port=80
> ---------------------------------------------
>
> So I have an issue about this: does apparmor support the port limit for an app?
>
It will depend on the version of apparmor you have, and the kernel. ATM the port
limitation is not in the upstream kernel.
In userspace you need a 4.1.x or newer userspace. You can get that info from packaging
or running the command apparmor_parser -V. You will also need a kernel with the out of
tree networking patch that has been in dev.
Ubuntu is carrying the patch that allows this in their kernel. There needs to be another
round of revision on it, and the new version needs to be posted for review. This will
not happen in time for the 6.20 kernel, but there is a chance it could happen for the 6.21
kernel.
>
> Thanks
>
> Fei Shao
>
>
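The version check John describes, as an added example that is not part of the thread: it parses the "AppArmor parser version X.Y.Z" line that `apparmor_parser -V` prints (output format assumed), reports whether the userspace is 4.1 or newer, and, where the parser is installed, compiles a one-rule probe profile with `-Q` (skip kernel load) to see whether the port= keyword is accepted at all.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `apparmor_parser -V` prints a
# line of the form "AppArmor parser version X.Y.Z".

# Return 0 if the version string in $1 is 4.1 or newer (the minimum named in
# the reply for port= rules), 1 if it is older, 2 if no version line is found.
aa_userspace_supports_port_rules() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^AppArmor parser version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0      # bare "5" has no minor component
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 1 ]; }; then
        return 0
    fi
    return 1
}

# Feed a minimal profile containing only a port= rule to the parser with -Q
# (skip kernel load). Returns the parser's exit status, or 3 if apparmor_parser
# is not installed. A non-zero status here matches the aa-enforce error in the
# question: the keyword is unknown to this userspace.
aa_parser_accepts_port_rule() {
    command -v apparmor_parser >/dev/null 2>&1 || return 3
    tmp=$(mktemp) || return 3
    printf 'profile port_probe {\n  network inet tcp port=80,\n}\n' > "$tmp"
    apparmor_parser -Q "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone usage: check the installed parser (hypothetical host).
if [ "${0##*/}" = "aa_port_check.sh" ]; then
    aa_userspace_supports_port_rules "$(apparmor_parser -V 2>/dev/null)" \
        && echo "userspace >= 4.1" || echo "userspace too old or not found"
    aa_parser_accepts_port_rule && echo "parser accepts port= rules" \
        || echo "parser rejects port= rules (rc=$?)"
fi
```

Even when the parser accepts the rule, the reply makes clear that enforcement still needs a kernel carrying the out-of-tree networking patch; this script only covers the userspace half.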