On 1/13/26 21:10, Fei Shao wrote:
Hi all, I wrote a profile for nginx like below:
---------------------------------------------
profile /usr/sbin/nginx {
  include <abstractions/base>
  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability dac_read_search,
  network inet tcp port=80,   #<== this line
  /usr/sbin/nginx mrix,
  /etc/nginx/** r,
  /var/log/nginx/** rw,
}
---------------------------------------------
If I put the "network inet tcp port=80" line in the usr.sbin.nginx file, aa-enforce returns:
---------------------------------------------
sudo aa-enforce usr.sbin.nginx
ERROR: Invalid or unknown keywords in 'network inet tcp port=80
---------------------------------------------
So I have an issue with this: does apparmor support a port limit for an app, please?
It will depend on the version of apparmor you have, and the kernel. ATM the port limitation is not in the upstream kernel. In userspace you need a 4.1.x or newer userspace. You can get that info from packaging or by running the command apparmor_parser -V. You will also need a kernel with the out-of-tree networking patch that has been in dev. Ubuntu is carrying the patch that allows this in their kernel. There needs to be another round of revision on it, and the new version needs to be posted for review. This will not happen in time for the 6.20 kernel, but there is a chance it could happen for the 6.21 kernel.
Thanks Fei Shao
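A small script that carries out the checks suggested in the reply above, added here as an example and not code from either poster or from the AppArmor project. It reads the userspace version from `apparmor_parser -V`, compares it against 4.1 (the minimum the reply names), and then dry-runs a minimal profile containing `network inet tcp port=80,` through the parser with `-Q` so nothing is loaded into the kernel. The profile name `aa_port_probe`, the temp-file handling and the message wording are this script's own choices. As the reply points out, a clean parse proves only userspace support; whether the running kernel actually enforces the port rule still needs a real load (`apparmor_parser -r` as root), which this script deliberately does not attempt.

```shell
#!/bin/sh
# Added example (not from the thread): check AppArmor userspace support for
# "network ... port=" rules, per the reply above. Assumptions: the minimum
# parser version 4.1 quoted in the reply, the probe profile name aa_port_probe,
# and that "apparmor_parser -V" prints a line containing "version X.Y.Z".

MIN_PARSER_VERSION=4.1

# parse_version_line "AppArmor parser version 4.1.0" -> "4.1.0"
# Returns the first dotted number that follows the word "version"; empty if none.
parse_version_line() {
    printf '%s\n' "$1" | sed -n 's/.*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge HAVE WANT -> true when HAVE is at least WANT (compares major.minor only,
# so 4.1.0 >= 4.1 and 4.0.1 < 4.1; patch levels do not change the verdict).
version_ge() {
    have_major=${1%%.*}; have_rest=${1#*.}
    [ "$have_rest" = "$1" ] && have_rest=0
    have_minor=${have_rest%%.*}
    want_major=${2%%.*}; want_rest=${2#*.}
    [ "$want_rest" = "$2" ] && want_rest=0
    want_minor=${want_rest%%.*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# probe_port_rule PARSER -> 0 if PARSER accepts "network inet tcp port=80,", 1 if not.
# Uses a minimal unattached profile so that any error can only be about the port rule.
probe_port_rule() {
    parser=$1
    tmpdir=$(mktemp -d) || return 1
    cat > "$tmpdir/aa_port_probe" <<'EOF'
profile aa_port_probe {
  network inet tcp port=80,
}
EOF
    # -Q: do everything except load into the kernel; -K: ignore the binary cache.
    if "$parser" -Q -K "$tmpdir/aa_port_probe" >/dev/null 2>"$tmpdir/err"; then
        rc=0
    else
        rc=1
        cat "$tmpdir/err" >&2
    fi
    rm -rf "$tmpdir"
    return $rc
}

main() {
    parser=$(command -v apparmor_parser 2>/dev/null)
    if [ -z "$parser" ]; then
        echo "apparmor_parser not installed; nothing to check"
        return 0
    fi
    ver=$(parse_version_line "$("$parser" -V 2>&1)")
    echo "apparmor_parser version: ${ver:-unknown}"
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_PARSER_VERSION"; then
        echo "userspace older than $MIN_PARSER_VERSION: port= rules are rejected as unknown keywords"
        return 1
    fi
    if probe_port_rule "$parser"; then
        echo "parser accepts 'network inet tcp port=80,' (kernel-side support still unverified)"
        return 0
    fi
    echo "parser rejected the port rule"
    return 1
}

main "$@" || echo "result: port rules are not usable with this userspace"
```

Run it as an ordinary user on the host in question; only the optional follow-up load with `apparmor_parser -r` needs root, and that is the step that tells you whether the kernel carries the networking patch.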
