2.5 Network Access Control

AppArmor allows mediation of network access based on the address type and family. The following illustrates the network access rule syntax:

network [[<domain>][<type>][<protocol>]]

Supported domains: inet, ax25, ipx, appletalk, netrom, bridge, x25, inet6, rose, netbeui, security, key, packet, ash, econet, atmsvc, sna, irda, pppox, wanpipe, bluetooth

Supported types: stream, dgram, seqpacket, rdm, raw, packet

Supported protocols: tcp, udp, icmp

The AppArmor tools support only family and type specification, not protocol. The AppArmor module emits only the network domain (family) and type in access denied messages, and only these two are output by the profile generation tools, both YaST and command line. A protocol-level rule such as `network inet tcp,` therefore has to be written into the profile by hand.

The following examples illustrate possible network-related rules to be used in AppArmor profiles. Note that the syntax of the last two (the rules that name a protocol) is not currently supported by the AppArmor tools.

network,
    Allow all networking. No restrictions applied with regards to domain, type, or protocol.

network inet,
    Allow general use of IPv4 networking.

network inet6,
    Allow general use of IPv6 networking.

network inet stream,
    Allow the use of IPv4 stream-socket (TCP) networking.

network inet tcp,
    Allow the use of IPv4 TCP networking, paraphrasing the rule above.

network tcp,
    Allow the use of both IPv4 and IPv6 TCP networking.
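The following is an added example, not part of the AppArmor documentation or of the AppArmor tools themselves. It shows what the paragraph on tool support means in practice: a socket denial logged by the AppArmor module carries `family=` and `sock_type=` (plus a numeric `protocol=`), so the rule that can be derived from it, and the rule the profile tools emit, is of the `network <domain> <type>,` form. The audit lines, the profile path `/usr/local/bin/example-daemon` and the PIDs are constructed for illustration; the script is POSIX sh and needs no AppArmor installation to run.

```shell
#!/bin/sh
# Added example (not from the AppArmor documentation): derive AppArmor
# network rules from audit log lines the way the profile tools do, using
# only the family= and sock_type= fields the module logs.

# Constructed sample audit lines (illustrative values, not from a real host).
SAMPLE_DENIED_INET='type=AVC msg=audit(1393429587.426:123): apparmor="DENIED" operation="create" profile="/usr/local/bin/example-daemon" pid=4242 comm="example-daemon" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"'
SAMPLE_DENIED_INET6='type=AVC msg=audit(1393429587.428:124): apparmor="DENIED" operation="create" profile="/usr/local/bin/example-daemon" pid=4242 comm="example-daemon" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"'
# A file denial: no family= field, so no network rule must be produced.
SAMPLE_DENIED_FILE='type=AVC msg=audit(1393429587.430:125): apparmor="DENIED" operation="open" profile="/usr/local/bin/example-daemon" name="/etc/shadow" pid=4242 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field LINE KEY: print the value of KEY="..." from LINE, or nothing.
# The leading [[:space:]] keeps "type" from matching inside "sock_type".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# deny_to_network_rule LINE: print "network <family> <type>," for an
# AppArmor socket denial. Complain-mode lines (apparmor="ALLOWED") are
# accepted too, since aa-logprof/aa-genprof learn from those as well.
# Lines without a family= field (file, capability, ... events) print
# nothing. The numeric protocol= field is deliberately ignored: the
# tools never emit protocol-level rules.
deny_to_network_rule() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*|*'apparmor="ALLOWED"'*) ;;
        *) return 0 ;;
    esac
    fam=$(field "$line" family)
    [ -n "$fam" ] || return 0
    typ=$(field "$line" sock_type)
    if [ -n "$typ" ]; then
        printf 'network %s %s,\n' "$fam" "$typ"
    else
        printf 'network %s,\n' "$fam"
    fi
}

# rules_from_log: read audit lines on stdin, print the distinct network
# rules they imply, ready to paste into a profile. LC_ALL=C makes the
# ordering stable regardless of the host locale's collation rules.
rules_from_log() {
    while IFS= read -r line; do
        deny_to_network_rule "$line" || :
    done | LC_ALL=C sort -u
}

# Usage: feed the relevant part of the audit log to rules_from_log, e.g.
#   grep 'profile="/usr/local/bin/example-daemon"' /var/log/audit/audit.log | rules_from_log
# Running the samples above yields one rule per family/type pair seen.
printf '%s\n' "$SAMPLE_DENIED_INET" "$SAMPLE_DENIED_INET" \
              "$SAMPLE_DENIED_INET6" "$SAMPLE_DENIED_FILE" | rules_from_log
```

The emitted `network inet stream,` is exactly what the tools would write; tightening it to `network inet tcp,` is a manual edit, and as the section notes, the tools will not parse or regenerate that form.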