[pkg-apparmor] Bug#1118355: Apparmor ignores IP, port, and peer settings

John Doe johndoe9232 at firemail.cc
Sat Oct 18 12:38:12 BST 2025


Package: apparmor
Version: 4.1.0-1

When I configure IP addresses and ports in network inet stream rules,
AppArmor still allows connections to any address.

$ sudo cat /etc/apparmor.d/usr.bin.curl 
abi <abi/4.0>,

include <tunables/global>

/usr/bin/curl {
  include <abstractions/base>

  network (connect) inet stream ip=10.152.152.11 port=33862,
  network (create) inet stream ip=10.152.152.11 port=33862,
  network (getattr) inet stream ip=10.152.152.11 port=33862,
  network (getopt) inet stream ip=10.152.152.11 port=33862,
  network (receive) inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),
  network (send) inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),
  network (setopt) inet stream ip=10.152.152.11 port=33862,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/curl mr,

}

$ curl 1.1.1.1
<html>
<head><title>301 Moved Permanently</title></head>

$ curl 127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

The same behavior occurs when changing the settings to:
$ sudo cat /etc/apparmor.d/usr.bin.curl 
abi <abi/4.0>,

include <tunables/global>

/usr/bin/curl {
  include <abstractions/base>

  network inet stream ip=10.152.152.11 port=58074 peer=(ip=1.0.0.0 port=80),

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/curl mr,

}


This was detected on Debian 13, 6.12.48+deb13-amd64
And reproduced on Debian forky/sid, 6.16.12+deb14+1-amd64, libc6 2.41-12
And on Ubuntu 26.04, 6.17.0-5-generic, libc6 2.42-0ubuntu3, apparmor
5.0.0~alpha1-0ubuntu8.1

Is there a way to use Apparmor to allow connections to only one
specific IP:port?
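Two checks worth running before concluding that the ip=/port=/peer= conditionals are silently ignored, as an added example that is not part of the bug report or of the AppArmor project's own tooling. AppArmor's fine-grained inet conditionals need kernel support in addition to a 4.x parser; the first function looks for the kernel advertising that support in securityfs, and the second probes the loaded curl profile against one address it should allow and one it should deny. The feature entry name "af_inet" under /sys/kernel/security/apparmor/features/network*/ is an assumption (inspect that directory by hand if it does not match); the URLs are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or from AppArmor itself).
# ASSUMPTION: a kernel with fine-grained inet mediation exposes an entry
# named "af_inet" somewhere under .../features/network*/ .

AA_FEATURES_DIR="${AA_FEATURES_DIR:-/sys/kernel/security/apparmor/features}"

# aa_inet_mediation_supported [features_dir]
#   returns 0: an af_inet feature entry was found (ip=/port= rules enforceable)
#   returns 1: AppArmor features are present but no af_inet entry
#   returns 2: no features directory at all (AppArmor/securityfs not available)
aa_inet_mediation_supported() {
    dir="${1:-$AA_FEATURES_DIR}"
    [ -d "$dir" ] || return 2
    for net in "$dir"/network*; do
        [ -e "$net" ] || continue
        # either an entry literally named af_inet, or a feature file listing it
        if find "$net" -name 'af_inet*' 2>/dev/null | grep -q .; then
            return 0
        fi
        if grep -rqs 'af_inet' "$net" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# probe_curl_policy <url-that-must-work> <url-that-must-be-denied>
# curl is confined by path through the /usr/bin/curl profile, so the profile
# must already be loaded in enforce mode:  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.curl
# Returns 0 when the denied URL is refused, 1 when it is still reachable.
probe_curl_policy() {
    allowed="$1"
    denied="$2"
    if curl -sS --max-time 5 -o /dev/null "$allowed"; then
        echo "allowed endpoint reachable: $allowed"
    else
        echo "WARNING: allowed endpoint failed too ($allowed): check the profile itself"
    fi
    if curl -sS --max-time 5 -o /dev/null "$denied" 2>/dev/null; then
        echo "POLICY NOT ENFORCED: $denied was reachable"
        return 1
    fi
    # a real denial also shows up in the audit log / dmesg as apparmor="DENIED"
    echo "denied endpoint blocked: $denied"
    return 0
}

# Top-level report: only reads securityfs, safe to run anywhere.
rc=0
aa_inet_mediation_supported || rc=$?
case "$rc" in
    0) echo "kernel advertises inet mediation: ip=/port=/peer= conditionals can be enforced" ;;
    1) echo "no inet mediation advertised: the parser accepts the conditionals, but this kernel can only enforce the address family/type part of the rule" ;;
    *) echo "no AppArmor features directory at $AA_FEATURES_DIR" ;;
esac
```

Usage on a box with the profile loaded: `probe_curl_policy http://10.152.152.11:33862/ http://1.1.1.1/` (placeholder URLs; substitute the endpoint the profile actually lists). If the first check reports no inet mediation, the second will show the denied URL succeeding regardless of how the ip=/port= fields are written, which matches the behaviour described above.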
