Your message dated Mon, 20 Oct 2025 09:05:26 +0200
with message-id <874iruaw95.fsf@manticora>
and subject line Re: [pkg-apparmor] Bug#1118355: Apparmor ignores IP, port, and peer settings
has caused the Debian Bug report #1118355,
regarding Apparmor ignores IP, port, and peer settings
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118355
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apparmor
Version: 4.1.0-1

When I configure IP addresses and ports in the section network
inet stream, Apparmor still allows connections to any addresses.

$ sudo cat /etc/apparmor.d/usr.bin.curl 
abi <abi/4.0>,

include <tunables/global>

/usr/bin/curl {
  include <abstractions/base>

  network (connect) inet stream ip=10.152.152.11 port=33862,
  network (create) inet stream ip=10.152.152.11 port=33862,
  network (getattr) inet stream ip=10.152.152.11 port=33862,
  network (getopt) inet stream ip=10.152.152.11 port=33862,
  network (receive) inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),
  network (send) inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),
  network (setopt) inet stream ip=10.152.152.11 port=33862,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/curl mr,

}

$ curl 1.1.1.1
<html>
<head><title>301 Moved Permanently</title></head>

$ curl 127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

The same behavior occurs when changing the settings to:
$ sudo cat /etc/apparmor.d/usr.bin.curl 
abi <abi/4.0>,

include <tunables/global>

/usr/bin/curl {
  include <abstractions/base>

  network inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/curl mr,

}


This was detected on Debian 13, 6.12.48+deb13-amd64
And reproduced on Debian forky/sid, 6.16.12+deb14+1-amd64, libc6 2.41-12
And on Ubuntu 26.04, 6.17.0-5-generic, libc6 2.42-0ubuntu3, apparmor
5.0.0~alpha1-0ubuntu8.1

Is there a way to use Apparmor to allow connections to only one
specific IP:port?

--- End Message ---
--- Begin Message ---
Hi,

John Doe (2025-10-18):
> When I configure IP addresses and ports in the section network
> inet stream, Apparmor still allows connections to any addresses.

Quoting apparmor.d(5):

       Some features are not supported on Debian yet:

       Network Rules
       DBus rules
       Unix socket rules

Cheers,
-- 
intrigeri

--- End Message ---
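The situation in this thread, a profile whose ip=, port= and peer=() conditions are accepted by the parser but not enforced, is worth auditing for before trusting a profile. The script below is an added example, not part of the bug report and not AppArmor's own tooling. It splits a profile into statements (handling rules wrapped across lines or run together, as in the report above), lists the network rules, extracts the local and peer address conditions from each, and shows what each rule reduces to once those conditions are dropped. The sample profile is constructed from the reporter's; that the conditions are ignored is what the reply states for Debian, and whether a given kernel enforces them is left to the caller via the hypothetical address_conditions_enforced flag.

```python
import re

# Constructed sample, condensed from the reporter's profile in this bug:
# two rules with address conditions (one wrapped across lines) and one plain
# network rule run together on the same line, as in the original report.
SAMPLE_PROFILE = """\
abi <abi/4.0>,

include <tunables/global>

/usr/bin/curl {
  include <abstractions/base>

  network (connect) inet stream ip=10.152.152.11 port=33862,
  network (receive) inet stream ip=10.152.152.11 port=58074
  peer=(ip=1.0.0.0 port=80), network inet dgram,

  /etc/nsswitch.conf r,
  /usr/bin/curl mr,
}
"""

QUALIFIERS = {"audit", "deny", "allow"}
PEER_RE = re.compile(r"\bpeer=\(([^)]*)\)")
COND_RE = re.compile(r"\b(ip|port)=(\S+)")


def split_statements(text):
    """Split profile text into statements on ',' '{' '}' outside parentheses.

    Rules end with a comma, so wrapping or running them together on one
    line does not matter. Comments and include directives are dropped first
    because an include has no trailing comma and would merge into the next
    rule.
    """
    text = re.sub(r"#(?!include\b).*", "", text)          # comments
    text = re.sub(r"^\s*#?include\b.*$", "", text, flags=re.M)  # includes
    stmts, buf, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch in ",{}" and depth == 0:
            stmt = " ".join("".join(buf).split())
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = " ".join("".join(buf).split())
    if tail:
        stmts.append(tail)
    return stmts


def find_network_rules(text):
    """Return every network rule with audit/deny/allow qualifiers stripped."""
    rules = []
    for stmt in split_statements(text):
        words = stmt.split()
        while words and words[0] in QUALIFIERS:
            words.pop(0)
        if words and words[0] == "network":
            rules.append(" ".join(words))
    return rules


def address_conditions(rule):
    """Return (local, peer) dicts of the ip/port conditions on one rule."""
    m = PEER_RE.search(rule)
    peer = dict(COND_RE.findall(m.group(1))) if m else {}
    local = dict(COND_RE.findall(PEER_RE.sub("", rule)))
    return local, peer


def effective_rule(rule):
    """The rule as a kernel that ignores address conditions applies it:
    ip=, port= and peer=() removed, leaving family, type and permissions."""
    stripped = COND_RE.sub("", PEER_RE.sub("", rule))
    return " ".join(stripped.split())


def audit(text, address_conditions_enforced=False):
    """List rules whose address conditions would be silently ignored.

    address_conditions_enforced is a hypothetical flag: set it only when the
    running kernel and parser are known to enforce ip/port/peer conditions.
    """
    findings = []
    for rule in find_network_rules(text):
        local, peer = address_conditions(rule)
        if (local or peer) and not address_conditions_enforced:
            findings.append({"rule": rule, "local": local, "peer": peer,
                             "enforced_as": effective_rule(rule)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROFILE):
        print(f"{f['rule']}\n    enforced as: {f['enforced_as']}")
```

Run against the reporter's profile this reports every rule with address conditions and, beside it, the rule the kernel actually applies (here `network (connect) inet stream`, i.e. any address), which is exactly the behaviour the curl runs in the report show. Stripping includes before splitting is the one subtlety: the splitter works on commas, and an `include <...>` line carries none.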
