May I ask you another set of questions about AppArmor sockets?

   1. Is there any documentation that describes *named stream socket*
   armoring? I tried to armor a named socket: AppArmor complains only about
   the connection, but I cannot deny sending/receiving data through such a
   socket. There is a lot of info about anonymous sockets on the Internet,
   though.
   2. So I tried anonymous datagram sockets. It is possible to deny
   send/receive, and no data flows through the socket. And I have a
   question: is it possible to set up an AppArmor profile so that it
   complains every time an app writes to/reads from the socket?

2018-02-09 14:34 GMT+02:00 John Johansen <>:

> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> >
> > But even if the upstream backport from 4.10 to 4.4 does not contain
> out-of-tree patches, Xenial 4.4 has socket support (*and probably
> namespace support too*).
> >
> > Or am I wrong?
> >
> Correct for socket support; the network and af_unix mediation patches
> are not present in the backport.
> As I noted:
> >     the upstream backport series does not include the out-of-tree
> patches, but those can be
> >     obtained from the apparmor project tree in the kernel patches
> directory
> >
> As for policy namespace support, it has existed in various forms since
> AppArmor was included in 2.6.36; it's just a matter of which interfaces
> are supported. The 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
> Full support of AppArmor policy around Linux namespaces (mount, user,
> pid, ...) is still a WIP.
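The two questions above (named stream sockets versus abstract datagram sockets, and logging every send/receive) map onto different parts of AppArmor profile syntax. The profile below is an added illustration written for this thread, not code from either poster or from the AppArmor project; the program path, socket path, socket names and peer profile name are placeholders. It assumes a kernel that carries the af_unix mediation patches (which, as John's reply says, the plain 4.4 backport does not), so `unix` rules are only meaningful where that mediation exists.

```apparmor
# Added illustration (not from the thread or the AppArmor project).
# Every path, socket name and label below is a placeholder.
#include <tunables/global>

/opt/example/sockapp {
  #include <abstractions/base>

  # 1. Named (path-based) stream socket.
  #    The socket is a filesystem object, so bind() and connect() are
  #    mediated by *file* rules: connecting needs write access on the path.
  #    Removing or 'deny'-ing this line blocks the connection, which is the
  #    "complains only about connection" behaviour from the question; this
  #    rule does not cover individual send/receive calls on that socket.
  /run/example/app.sock rw,

  # 2. Abstract datagram socket (address starts with '@').
  #    The 'audit' qualifier logs each access matched by the rule even though
  #    the access is allowed, so every mediated send/receive decision is
  #    written to the audit log without having to deny it.
  audit unix (create, bind, send, receive) type=dgram addr=@example-dgram,

  # 3. Peer restriction: datagrams may only be exchanged with a process
  #    confined by the named peer profile (placeholder label).
  unix (send, receive) type=dgram peer=(label=/opt/example/sockpeer),

  # 4. Explicit refusal with logging: 'audit deny' records every rejected
  #    send/receive on this abstract stream socket.
  audit deny unix (send, receive) type=stream addr=@example-stream,
}
```

Putting `flags=(complain)` on the profile header would turn every rejection in the whole profile into a log entry instead of a denial; the `audit` qualifier is the finer tool for the second question, because it logs only the rules it is attached to while the rest of the profile keeps enforcing. After loading with `apparmor_parser -r`, the resulting entries appear in the kernel audit log as `apparmor="AUDIT"` (for `audit` on an allow rule) or `apparmor="DENIED"` lines, which is what to check when confirming that a given send or receive is actually being mediated on the kernel in use.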
AppArmor mailing list