[apparmor] [ISSUE] Does apparmor support the port limit for app please?

Fei Shao robinshao007 at 163.com
Wed Jan 14 09:00:38 UTC 2026


Hi John,

I checked my system version. It is Ubuntu 24.04 and the AppArmor version 
is 4.0.1. It is smaller than 4.1, so it doesn't support it.
I will check it in a newer version.

Thanks.

Fei Shao

On 2026-01-14 14:44, John Johansen wrote:
> On 1/13/26 21:10, Fei Shao wrote:
>> Hi all,
>> I wrote a profile for nginx like the one below:
>> ---------------------------------------------
>> profile /usr/sbin/nginx {
>>    include <abstractions/base>
>>
>>
>>    capability net_bind_service,
>>    capability setuid,
>>    capability setgid,
>>
>>    capability dac_read_search,
>>
>>
>>    network inet tcp port=80,   #<==this line
>>    /usr/sbin/nginx mrix,
>>    /etc/nginx/** r,
>>    /var/log/nginx/** rw,
>> }
>> ---------------------------------------------
>>
>> If I put the "network inet tcp port=80" rule in the usr.sbin.nginx file, 
>> aa-enforce returns:
>>
>> ---------------------------------------------
>> sudo aa-enforce usr.sbin.nginx
>> ERROR: Invalid or unknown keywords in 'network  inet tcp port=80
>> ---------------------------------------------
>>
>> So I have an issue about this: does AppArmor support the port limit 
>> for an app, please?
>>
>
> It will depend on the version of AppArmor you have, and the kernel. ATM the port limitation is not in the upstream kernel.
>
> In userspace you need a 4.1.x or newer userspace. You can get that info from packaging or by running the command apparmor_parser -V. You will also need a kernel with the out-of-tree networking patch that has been in dev.
>
> Ubuntu is carrying the patch that allows this in their kernel. There needs to be another round of revision on it, and the new version needs to be posted for review. This will not happen in time for the 6.20 kernel, but there is a chance it could happen for the 6.21 kernel.
>
>>
>> Thanks
>>
>> Fei Shao
>>
>>
>

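Added example (not from this thread, and not AppArmor project code): a POSIX shell helper that applies the two userspace checks John describes, reading the version out of `apparmor_parser -V` output and comparing it against 4.1, plus a parse-only probe of a minimal profile containing the `network inet tcp port=80,` rule. It assumes the first line of `apparmor_parser -V` reads `AppArmor parser version x.y.z` and that `-Q` (skip kernel load) is available; the probe only tells you whether the parser accepts the rule, not whether the running kernel enforces it, which still needs the out-of-tree patch.

```shell
#!/bin/sh
# Added example: decide whether this host's AppArmor userspace can take
# `network ... port=` rules. Not part of the original thread.

# Constructed sample outputs of `apparmor_parser -V` (only line 1 is parsed).
OLD_PARSER_OUTPUT='AppArmor parser version 4.0.1
Copyright (C) 1999-2008 Novell Inc.'
NEW_PARSER_OUTPUT='AppArmor parser version 4.1.0
Copyright (C) 1999-2008 Novell Inc.'

# Extract "x.y.z" from the first line of `apparmor_parser -V` output.
aa_parser_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= dotted version $2 (numeric per field).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Userspace check from the thread: port rules need a 4.1.x or newer parser.
port_rules_userspace_ok() {
    version_ge "$(aa_parser_version "$1")" 4.1
}

# Parse-only probe: write a minimal profile with a port rule and ask the
# installed parser to compile it without loading it (-Q). Exit status 0
# means the parser accepts the keyword; nothing in kernel policy changes.
port_rules_probe() {
    tmp=$(mktemp) || return 2
    printf 'profile aa_port_probe_example {\n  network inet tcp port=80,\n}\n' > "$tmp"
    apparmor_parser -Q "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a real host:
#   port_rules_userspace_ok "$(apparmor_parser -V)" && port_rules_probe \
#       && echo "parser accepts port rules (kernel support still separate)"
```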