Hi John,
I checked my system version. It is Ubuntu 24.04 and the apparmor version
is 4.0.1. It is smaller than 4.1, so it doesn't support it.
I will check it in a newer version.
Thanks.
Fei Shao
On 2026-01-14 14:44, John Johansen wrote:
> On 1/13/26 21:10, Fei Shao wrote:
>> Hi all,
>> I wrote a profile for nginx like below:
>> ---------------------------------------------
>> profile /usr/sbin/nginx {
>>   include <abstractions/base>
>>   capability net_bind_service,
>>   capability setuid,
>>   capability setgid,
>>   capability dac_read_search,
>>   network inet tcp port=80, #<==this line
>>   /usr/sbin/nginx mrix,
>>   /etc/nginx/** r,
>>   /var/log/nginx/** rw,
>> }
>> ---------------------------------------------
>> If I put the "network inet tcp port=80" line in the usr.sbin.nginx file, aa-enforce returns:
>> ---------------------------------------------
>> sudo aa-enforce usr.sbin.nginx
>> ERROR: Invalid or unknown keywords in 'network inet tcp port=80
>> ---------------------------------------------
>> So I have an issue about this: does apparmor support the port limit for an app?
>
> It will depend on the version of apparmor you have, and the kernel. ATM the port
> limitation is not in the upstream kernel.
>
> In userspace you need a 4.1.x or newer userspace. You can get that info from packaging
> or by running the command apparmor_parser -V. You will also need a kernel with the
> out-of-tree networking patch that has been in dev.
>
> Ubuntu is carrying the patch that allows this in their kernel. There needs to be another
> round of revision on it, and the new version needs to be posted for review. This will
> not happen in time for the 6.20 kernel, but there is a chance it could happen for the
> 6.21 kernel.
>
>> Thanks
>> Fei Shao
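A quick check for the userspace half of John's answer, as an added example that is not from this thread: it parses the version line printed by `apparmor_parser -V` (assumed to look like "AppArmor parser version 4.0.1") and reports whether the parser is 4.1 or newer, which is the minimum that accepts `port=` in network rules. The kernel side (the out-of-tree networking patch) still has to be checked separately.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Decide from `apparmor_parser -V` output whether this userspace is new
# enough (4.1.x or newer) to accept "network inet tcp port=80" rules.

# Extract "major.minor" from a line such as
# "AppArmor parser version 4.0.1" (assumed format of the -V output).
parser_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when major.minor >= 4.1, 1 when older, 2 when unparseable.
port_rules_supported() {
    ver=$(parser_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 1 ] && return 0
    return 1
}

# With --live, query the installed parser instead of a constructed string.
if [ "${1:-}" = "--live" ]; then
    if out=$(apparmor_parser -V 2>/dev/null); then
        if port_rules_supported "$out"; then
            echo "userspace OK: parser $(parser_version "$out") >= 4.1 (kernel patch still required)"
        else
            echo "userspace too old: parser $(parser_version "$out") < 4.1, port= rules will be rejected"
        fi
    else
        echo "apparmor_parser not found or failed to run" >&2
        exit 2
    fi
fi
```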