Limit inet and inet6 access by source or destination port

Reported by Lars Noodén on 2011-06-13
Affects: apparmor (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

This is a wishlist item / feature request.

Increase the granularity of network restrictions to allow specification of which ports or ranges of ports can or can't be used by an application. This functionality is available in systrace if either the example or code would be of help:

http://en.wikipedia.org/wiki/Systrace

http://www.systrace.org/

John Johansen (jjohansen) wrote :

Yes, this ability should be coming in Oneiric, and we will hopefully have some test kernels out soon.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged

Two years ago something "should be coming" - is it correctly understood that this feature is indefinitely on hold?

Jamie Strandboge (jdstrand) wrote :

It is safe to say it has been on hold, however, this work is still planned and will hopefully be implemented by 14.04.

John Johansen (jjohansen) wrote :

No, it has been repeatedly delayed, but progress has been made on it. The new base network patch on which this functionality will be built is in testing. Further work is still needed to achieve better granularity, but work is being done.

Kai Müller (kmueller-z) wrote :

Hi,
can you comment a little more on that, like what progress and where to find it? Can we expect to have it in future? Does it make sense to use a dev package that converges with future versions of Ubuntu? Just anything. If I can find it somewhere else, a link would help me a lot.

John Johansen (jjohansen) wrote :

> like what progress and where to find it?

It's being developed as part of the upstream AppArmor project. The socket labeling portion has landed in Ubuntu Saucy. This does not allow for control based on ports or addresses but is the basis for that work.

So what is done is a base socket labeling on which other functionality can be based. The next step would be basic address/port binding (server setting up an address), and then send address mediation. This may happen for IPv4 (not IPv6) within the next month as part of a dev preview to get feedback on the mediation approach. It is unlikely this will make it into Saucy.

> Can we expect to have it in future?

Yes.

> Does it make sense to use dev package that converges with future versions of ubuntu?

Yes. The AppArmor project has a PPA in which developments appear once they reach a beta state.
  https://launchpad.net/~apparmor-dev/+archive/apparmor-devel

> Just anything. If i can find it somewhere else, a link would help me a lot.

The places to watch are the AppArmor mailing list (it's mostly a devel list but also takes general questions):
  <email address hidden>

And of course you can always watch the PPA. I wouldn't recommend using the PPA on a production system, at least not upgrading every time it's updated. There are times it's stable and other times it's not.

Kai Müller (kmueller-z) wrote :

Thanks a lot!
