What | Removed | Added |
---|---|---|
Assignee | suse-beta@cboltz.de | fs@suse.com |
(In reply to C J from comment #0)
> The option to edit profiles described here is missing ?
>
> https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-apparmor-yast.html

Right. The YaST module for AppArmor was rewritten some years ago (the old version was basically unmaintained, and unmaintainable, because it was based on obsolete AppArmor code). During that rewrite, the feature to edit a profile was dropped - not a big loss IMHO because any text editor is better ;-)

@documentation team: please update the documentation about YaST2 AppArmor ;-) (AFAIK Leap also has the rewritten YaST module, but please double-check to be sure)

> I am trying to block the internet access for an app.
>
> 1. How can I do this in Tumbleweed?

You can edit the file in /etc/apparmor.d/ directly (use vim if you want syntax highlighting, but in general any editor will work). You'll need rules like

    deny network inet stream,
    deny network inet6 stream,

Afterwards run

    rcapparmor reload

to reload the updated profile. You can also use aa-logprof to update the profile.

For completeness: If the profile is in enforce mode (and your profile doesn't have any rule or abstraction that allows network access), then those deny rules "just" silence the logging because the default is to deny everything that is not allowed.

> 2. Even better if you can tell me: How to allow LAN connections (so the app
> can access the network printer, scanner etc...) but block outgoing to the
> public internet.

You can use network rules to allow or deny network connections, but unfortunately it's not possible to specify IPs or network ranges in the network rules (yet, it's on the upstream wishlist).
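An added example, not part of the comment above and not AppArmor's own tooling: a small Python checker that reads a profile's network rules and reports the enforce-mode outcome per address family and socket type, showing where the deny rules change the result and where the default already denies. The profile name `/usr/bin/exampleapp` and the sample text are constructed, the rule grammar is simplified to `[audit] [allow|deny] network [family] [type],`, and included abstractions are only listed, not resolved.

```python
import re

# Simplified grammar (assumption): "[audit] [allow|deny] network [family] [type],"
RULE = re.compile(
    r"^(?:audit\s+)?(?:(allow|deny)\s+)?network(?:\s+(\w+))?(?:\s+(\w+))?\s*,$")
INCLUDE = re.compile(r"^#?include\s+<([^>]+)>")

# Constructed sample profile; /usr/bin/exampleapp is a hypothetical application.
SAMPLE = """
#include <tunables/global>
/usr/bin/exampleapp {
  #include <abstractions/base>
  network inet dgram,          # constructed allow rule
  deny network inet stream,
  deny network inet6 stream,
}
"""

def parse_profile(text):
    """Return (rules, includes). A rule is (action, family, type); None means any."""
    rules, includes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDE.match(line)          # "#include <...>" is a directive, not a comment
        if inc:
            includes.append(inc.group(1))  # may carry network rules; review by hand
            continue
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = RULE.match(line)
        if m:
            rules.append((m.group(1) or "allow", m.group(2), m.group(3)))
    return rules, includes

def verdict(rules, family, sock_type):
    """Enforce-mode outcome for one (family, type) pair; a deny rule beats an allow rule."""
    def hits(action):
        return any(a == action and f in (None, family) and t in (None, sock_type)
                   for a, f, t in rules)
    if hits("deny"):
        return "denied (explicit deny rule)"
    if hits("allow"):
        return "allowed"
    return "denied (implicit default)"

if __name__ == "__main__":
    rules, includes = parse_profile(SAMPLE)
    print("includes to review for network rules:", includes)
    for fam in ("inet", "inet6"):
        for typ in ("stream", "dgram"):
            print(f"{fam:6} {typ:7} {verdict(rules, fam, typ)}")
```
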