The problem I'm considering is the following (openSuSE 10.3): Some proprietary software is based on the client-server model; the communication takes place via a TCP socket. Since I don't want to trust this software too much, I've restricted file access of both the client and server via AppArmor profiles. Unfortunately, both components need the "network inet(6) stream" facility due to the TCP socket usage. But this means there is no possibility to prevent remote TCP communication any more?! So although file accesses are restricted, there is no way to stop that software from sending e.g. usage statistics or other confidential information to somewhere.

The only possibility I can see right now is to block outbound TCP traffic via iptables using e.g. "--cmd-owner" matching rules. But the man page says this is broken on SMP machines, hence not usable.

Is there any way to restrict network access to either a specific interface (lo) or to "local" destinations via AppArmor? If not, this might be a useful extension, as the use case described above is certainly quite common.

Regards,
Andreas Bolsch
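One way around the SMP-broken "--cmd-owner" match, as an added example that is not part of the original post: key the iptables owner match on a UID instead. This assumes the proprietary client and server are run under a dedicated account (hypothetically named propsvc here) and that the AppArmor profiles keep their "network inet(6) stream" rule.

```shell
#!/bin/sh
# Added example, not code from the original post. Instead of the SMP-broken
# --cmd-owner match, key the iptables owner match on a UID: run the proprietary
# client and server under a dedicated account (assumed name: propsvc) and allow
# that account to talk only over the loopback interface.
# With DRY_RUN=1 the rules are printed instead of applied, so no root is needed.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# confine_to_loopback ACCOUNT [IPTABLES_BINARY]
# Appends three OUTPUT rules for ACCOUNT: accept on lo, log everything else,
# then reject it. Call once with iptables and once with ip6tables to cover
# both "network inet stream" and "network inet6 stream".
confine_to_loopback() {
    acct="$1"
    ipt="${2:-iptables}"
    # 1. Local client<->server traffic over lo is allowed.
    run "$ipt" -A OUTPUT -o lo -m owner --uid-owner "$acct" -j ACCEPT
    # 2. Any other egress by this account is logged (kernel log, prefix for grep).
    run "$ipt" -A OUTPUT -m owner --uid-owner "$acct" -j LOG --log-prefix "${acct}-egress: "
    # 3. ...and rejected, so the application sees an immediate connection error.
    run "$ipt" -A OUTPUT -m owner --uid-owner "$acct" -j REJECT
}

# Example invocation (applies the rules for IPv4 and IPv6 when run as root):
#   confine_to_loopback propsvc iptables
#   confine_to_loopback propsvc ip6tables
```

The LOG rule is what makes the restriction auditable: any attempt by the confined account to reach a non-loopback destination shows up in the kernel log with the given prefix before it is rejected.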