Bug ID 1100944
Summary AppArmor network rule support - patch for backward compatibility for kernel 4.17+
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS openSUSE 42.2
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-maintainers@forge.provo.novell.com
Reporter suse-beta@cboltz.de
QA Contact qa-bugs@suse.de
CC jeffm@suse.com
Found By Beta-Customer
Blocker ---

TL;DR:

Please replace the old AppArmor network rule patches with
    apparmor: patch to provide compatibility with v2.x net rules


Detailed version:

As you might know, support for network confinement with AppArmor went into the
upstream 4.17 kernel. However, network rule support will only be enabled with
the AppArmor 3.0 userspace, which hasn't been released yet. When using the 2.x
userspace, network confinement will be _disabled_ and confined applications can
do _unlimited network access_. (I probably don't need to mention the security
implications.)

John Johansen posted a compatibility patch today, which replaces the old
AppArmor network patches that the openSUSE kernel has carried for years, and
which is needed to keep network access confined with the current AppArmor 2.x
userspace.

--------------------------------------------------------------------
Subject: [apparmor] 4.17 net compat patches
Date: Wednesday, 11 July 2018, 07:28:40 CEST
From: John Johansen <john.johansen@canonical.com>
To: apparmor <apparmor@lists.ubuntu.com>

The v2.x network compatibility patches are finally up in what I hope is their
final form in the kernel.org git
    git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

    branch: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

and the
    kernel-patches/v4.17/ directory in the apparmor repo on gitlab.
    https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches/v4.17

These patches are provided for distros and users who used the older v2.x
networking patches, and will never be upstreamed.

The first patch
    apparmor: patch to provide compatibility with v2.x net rules

can be used on its own if af_unix mediation was never used. The last 2 patches
    apparmor: af_unix mediation
    apparmor: fix use after free in sk_peer_label

are needed for af_unix mediation compatibility.
--------------------------------------------------------------------

Since we never had support for af_unix (only Ubuntu had it), we'll only need
the first patch to keep the network confinement.
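The check a practitioner would want after reading this report, as an added example that is not from the bug report or from the AppArmor project: a POSIX shell script that reads the kernel's AppArmor feature tree under securityfs and reports whether a 2.x userspace on this kernel can still enforce network rules, or whether confined programs are running with unlimited network access. The feature directory names used here (`features/network` for the v2.x-style interface that the old patches and the compatibility patch expose, `features/network_v8` for the upstream 4.17 interface) and the `apparmor_parser --version` output format are assumptions; verify them against the kernel you are checking.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the AppArmor project.
# Reports whether network rules in loaded AppArmor policy are expected to be
# enforced, given the kernel's feature tree and the userspace major version.
#
# Assumed feature names (verify on your kernel):
#   features/network     v2.x-style net interface (old out-of-tree patches and
#                        "apparmor: patch to provide compatibility with v2.x net rules")
#   features/network_v8  upstream 4.17+ net mediation (driven by 3.0 userspace)

AA_FEATURES=${AA_FEATURES:-/sys/kernel/security/apparmor/features}

# Classify the kernel's network-rule interface.
# Prints one of: v2-compat, upstream-only, both, none
aa_net_interface() {
    dir=${1:-$AA_FEATURES}
    v2=0; v8=0
    if [ -d "$dir/network" ]; then v2=1; fi
    if [ -d "$dir/network_v8" ]; then v8=1; fi
    case "$v2$v8" in
        10) echo v2-compat ;;
        01) echo upstream-only ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Extract the major version from "apparmor_parser --version" output
# (assumed format: "AppArmor parser version 2.13.1" on the first line).
aa_parser_major() {
    printf '%s\n' "$1" | sed -n 's/^AppArmor parser version \([0-9]*\)\..*/\1/p' | head -n 1
}

# Prints yes (network rules enforced), no (confined programs get unlimited
# network access, the situation this bug describes) or unknown.
aa_net_enforced() {
    major=$1; dir=${2:-$AA_FEATURES}
    case "$major" in
        2)
            # 2.x userspace only knows the old "network" interface; on a plain
            # 4.17+ kernel without the compat patch that interface is missing.
            if [ -d "$dir/network" ]; then echo yes; else echo no; fi ;;
        3)
            # 3.x userspace drives the upstream interface.
            if [ -d "$dir/network_v8" ]; then echo yes; else echo unknown; fi ;;
        *)  echo unknown ;;
    esac
}

# Stand-alone use: inspect the running system (skipped if AppArmor is absent).
if [ -d "$AA_FEATURES" ] && command -v apparmor_parser >/dev/null 2>&1; then
    maj=$(aa_parser_major "$(apparmor_parser --version 2>/dev/null)")
    echo "kernel net interface:   $(aa_net_interface "$AA_FEATURES")"
    echo "parser major version:   ${maj:-unknown}"
    echo "network rules enforced: $(aa_net_enforced "${maj:-0}" "$AA_FEATURES")"
fi
```

Run it as root (securityfs is normally only readable by root) on a kernel you suspect of having dropped the old patches; a result of `upstream-only` together with a 2.x parser is exactly the unconfined-network situation described above. An `AA_FEATURES` override lets you point it at a copy of the feature tree taken from another host.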

