[pkg-apparmor] Bug#807369: apparmor: Apparmor "deny network" not working in Jessie

intrigeri intrigeri at debian.org
Tue Dec 8 13:36:19 UTC 2015


Hi,

Adam Jvok wrote (08 Dec 2015 06:49:23 GMT) :
> Does this imply that 'deny network' isn't going to work in any future Debian
> unless someone has published a patch before the kernel is built
> (or, unless this functionality goes into the kernel proper, eliminating the need for
> a patch)?

The latter.

> Are there any plans to rectify this?

It's been a longstanding item on AppArmor kernel hackers' todo list to
upstream this patch. I don't know what the current best-case ETA is.

> Without a fix it may be time to drop apparmor in favor of something else.

Mediating network access would be a welcome bonus feature, but it's
not part of the core set of functionality that made me personally
start working on AppArmor in Debian.

But if your needs are different, then of course nobody forces you to
use AppArmor instead of some more appropriate tool. For example,
a private network namespace should do the job.

Cheers,
-- 
intrigeri
