From c9cfbb4668953cd823511f9b060b0d39fb19fd95 Mon Sep 17 00:00:00 2001
From: Octavio Galland <octavio.galland@canonical.com>
Date: Mon, 3 Feb 2025 16:33:13 -0300
Subject: [PATCH] restrict networking to localhost

---
 profiles/apparmor.d/tar | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/tar b/profiles/apparmor.d/tar
index c42ac908c..444fea7d5 100644
--- a/profiles/apparmor.d/tar
+++ b/profiles/apparmor.d/tar
@@ -28,7 +28,8 @@ profile tar /usr/bin/tar {
   /opt/** ix,
 
   # tar can compress/extract files over rsh/ssh
-  network stream,
+  network stream ip=127.0.0.1,
+  network stream ip=::1,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/tar>