[pkg-apparmor] Bug#807369: apparmor: Apparmor "deny network" not working in Jessie

Adam Jvok ajvok1 at gmail.com
Tue Dec 8 01:14:22 UTC 2015 

Subject: apparmor: Apparmor "deny network" not working in Jessie
Package: apparmor
Version: 2.9.0-3
Severity: normal

Dear Maintainer,

I would like to prevent a program being able to access the network by using
apparmor.
I've used apparmor successfully in the past for non-network stuff but
am having some trouble with this.

Here's an example of the issue....

/etc/apparmor.d/usr.bin.wget
========================
/usr/bin/wget {
# Stop apparmor complaining about some non-network stuff...
/dev/urandom r,
/lib/** mr,
/usr/lib/** mr,
/etc/** r,

# Attempt to disable network access...
deny network ,
deny network inet,
deny network inet6,
deny network raw,
deny network tcp,
deny network stream,
}
========================
apparmor_parser -r /etc/apparmor.d/usr.bin.wget

Then test with...
/usr/bin/wget -qO- http://www.google.com

Which I would expect to fail, as I've apparently denied network access.
But it returns the page from google anyway.

Problem initially raised in forum:
http://forums.debian.net/viewtopic.php?f=10&t=126027

Looking at the source for the apparmor package in Jessie, I see it contains
a number of 'kernel_patches', but not one for the current Jessie kernel
(I have all security updates applied to date).
The patches for other versions contain 'basic-networking-rules.patch'.
I am suspicious that the lack of such a patch might be the root of the 
problem.

Thanks for looking at this.

-- System Information:
Debian Release: 8.0
   APT prefers stable
   APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_HK.utf8, LC_CTYPE=en_HK.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  initramfs-tools        0.120
ii  libapparmor-perl       2.9.0-3
ii  libc6                  2.19-18
ii  lsb-base               4.1+Debian13+nmu1
ii  python3                3.4.2-2

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-docs            2.9.0-3
ii  apparmor-profiles        2.9.0-3
ii  apparmor-profiles-extra  1.4
ii  apparmor-utils           2.9.0-3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20151208/a80648f4/attachment.html>

More information about the pkg-apparmor-team mailing list