I was wrong about net/http. This is the simplest reproducer:
$ cat /tmp/profile
profile "foo" {
network,
ptrace,
signal,
file,
}
$ cat /tmp/main.go
package main
func main() {
}
$ sudo apparmor_parser -r /tmp/profile && sudo aa-exec -p foo go run /tmp/main.go
then see this denial:
audit: type=1400 audit(1434479051.291:326): apparmor="DENIED" operation="capable" profile="foo" pid=30185 comm="go" capability=12 capname="net_admin"
Running it as non-root does not show the denial. E.g.,
$ sudo apparmor_parser -r /tmp/profile && aa-exec -p foo go run /tmp/main.go
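To make denials like the one above easier to read in bulk, here is an added example (not part of the bug report or of AppArmor's own tooling) that parses type=1400 audit lines into their key=value fields, keeps only the DENIED records, and renders the profile rule each denial corresponds to. The first sample line is the denial quoted in the report; the other two sample lines are constructed, as is the MatchingRule helper, which only knows the "capable" operation needed here.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample records: the first is the denial quoted in the report,
// the others are made up to show how non-denials and unrelated lines are skipped.
var SampleLog = []string{
	`audit: type=1400 audit(1434479051.291:326): apparmor="DENIED" operation="capable" profile="foo" pid=30185 comm="go" capability=12 capname="net_admin"`,
	`audit: type=1400 audit(1434479052.001:327): apparmor="ALLOWED" operation="open" profile="foo" name="/etc/ld.so.cache" pid=30185 comm="go" requested_mask="r" denied_mask="r"`,
	`kernel: random: nonblocking pool is initialized`,
}

// AuditRecord is one parsed type=1400 AppArmor record.
type AuditRecord struct {
	Timestamp string            // seconds.millis from the audit(...) header
	Serial    int               // event serial from the header
	Fields    map[string]string // key=value pairs, quotes stripped
}

var (
	headerRe = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\)`)
	// key=value where value is either "quoted" or a bare token.
	fieldRe = regexp.MustCompile(`(\w+)=("([^"]*)"|\S+)`)
)

// ParseAuditLine parses a single audit line; it returns an error for lines
// that carry no audit(...) header or no apparmor= field.
func ParseAuditLine(line string) (*AuditRecord, error) {
	h := headerRe.FindStringSubmatch(line)
	if h == nil {
		return nil, fmt.Errorf("no audit(...) header: %q", line)
	}
	serial, err := strconv.Atoi(h[2])
	if err != nil {
		return nil, err
	}
	rec := &AuditRecord{Timestamp: h[1], Serial: serial, Fields: map[string]string{}}
	for _, f := range fieldRe.FindAllStringSubmatch(line, -1) {
		val := f[2]
		if strings.HasPrefix(val, `"`) {
			val = f[3] // quoted form: take the inner text
		}
		rec.Fields[f[1]] = val
	}
	if _, ok := rec.Fields["apparmor"]; !ok {
		return nil, fmt.Errorf("not an AppArmor record: %q", line)
	}
	return rec, nil
}

// Denied reports whether AppArmor actually blocked the operation.
func (r *AuditRecord) Denied() bool { return r.Fields["apparmor"] == "DENIED" }

// MatchingRule renders the profile rule the denied operation maps to, so the
// reader can see which permission the profile lacks. Hypothetical helper:
// only the "capable" operation from the report is handled.
func (r *AuditRecord) MatchingRule() string {
	switch r.Fields["operation"] {
	case "capable":
		return "capability " + r.Fields["capname"] + ","
	default:
		return "(unhandled operation " + r.Fields["operation"] + ")"
	}
}

// Denials returns the DENIED records from a batch of log lines, skipping
// allowed records and anything that is not an AppArmor audit record.
func Denials(lines []string) []*AuditRecord {
	var out []*AuditRecord
	for _, l := range lines {
		rec, err := ParseAuditLine(l)
		if err != nil || !rec.Denied() {
			continue
		}
		out = append(out, rec)
	}
	return out
}

func main() {
	for _, d := range Denials(SampleLog) {
		fmt.Printf("serial %d: profile %q, comm %q denied %s -> rule %q\n",
			d.Serial, d.Fields["profile"], d.Fields["comm"], d.Fields["operation"], d.MatchingRule())
	}
}
```

Run with `go run` on a file containing the block; for the report's line it prints that profile "foo" denied "capable" for comm "go" and that the corresponding rule would be `capability net_admin,`. Whether a profile should actually grant that capability to a build tool is a separate review question; the parser only makes the denial legible.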