Christian Boltz changed bug 1208011
What     | Removed             | Added
Assignee | suse-beta@cboltz.de | fs@suse.com

Comment # 1 on bug 1208011 from
(In reply to C J from comment #0)
> The option to edit profiles described here is missing ?
> 
> https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-apparmor-yast.html

Right. The YaST module for AppArmor was rewritten some years ago (the old
version was basically unmaintained, and unmaintainable, because it was based on
obsolete AppArmor code).

During that rewrite, the feature to edit a profile was dropped - not a big loss
IMHO because any text editor is better ;-)


@documentation team: please update the documentation about YaST2 AppArmor ;-)
(AFAIK Leap also has the rewritten YaST module, but please double-check to be
sure)


> I am trying to block the internet access for an app.
> 
> 1. How can I do this in Tumbleweed?

You can edit the file in /etc/apparmor.d/ directly (use vim if you want syntax
highlighting, but in general any editor will work).

You'll need rules like
    deny network inet stream,
    deny network inet6 stream,

Afterwards run   rcapparmor reload   to reload the updated profile.

You can also use aa-logprof to update the profile.

For completeness: If the profile is in enforce mode (and your profile doesn't
have any rule or abstraction that allows network access), then those deny rules
"just" silence the logging because the default is to deny everything that is
not allowed.

> 2. Even better if you can tell me: How to allow LAN connections (so the app
> can access the network printer, scanner etc...) but block outgoing to the
> public internet.

You can use network rules to allow or deny network connections, but
unfortunately it's not possible to specify IPs or network ranges in the network
rules (yet, it's on the upstream wishlist).
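
Added example (not part of the original comment and not AppArmor's own tooling): a small shell helper that lists the network rules and includes in a profile, so you can see whether any rule or abstraction still allows network access alongside the deny rules. The profile name example-app and the sample profile are constructed; on a real system pass the profile file from /etc/apparmor.d/ as the argument.

```shell
#!/bin/sh
# Added example: show what in an AppArmor profile affects network access.
# Prints one line per include and per "network" rule, labelled
# [include], [allow] or [deny]. Reads the named file(s), or stdin if none.
audit_profile_network() {
    awk '
        { sub(/^[ \t]+/, "") }                    # trim leading whitespace
        /^#?include[ \t]/ { print "[include] " $2; next }
        /^#/ { next }                             # ordinary comment line
        /^(audit[ \t]+)?deny[ \t]+network([ \t,]|$)/ { print "[deny] " $0; next }
        /^(audit[ \t]+)?(allow[ \t]+)?network([ \t,]|$)/ { print "[allow] " $0; next }
    ' "$@"
}

# Number of network rules in the profile text itself that allow access.
# Included abstractions are not expanded; inspect the [include] lines by hand.
count_network_allows() {
    audit_profile_network "$@" | grep -c '^\[allow\]'
}

# Constructed sample profile (hypothetical application "example-app").
sample_profile() {
    cat <<'EOF'
profile example-app /usr/bin/example-app {
  include <abstractions/base>
  include <abstractions/nameservice>

  # leftover rule: UDP is still allowed
  network inet dgram,
  deny network inet stream,
  deny network inet6 stream,

  /usr/bin/example-app mr,
}
EOF
}

# Demonstration on the constructed profile.
sample_profile | audit_profile_network
```

The stream-only deny rules cover TCP-style sockets; the [allow] line in the output shows a dgram rule that remains in effect, and each [include] line names a file whose own network rules need the same check.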

